From 43fc1791a216a32d9c822d915cfb868f2ace1179 Mon Sep 17 00:00:00 2001 From: Tushar Mudi Date: Thu, 5 Mar 2026 16:22:32 +0530 Subject: [PATCH 1/2] fix: switch "pull_request_target" to "pull_request" and remove unused "id-token:write" permission Addressing two issues in the CI workflow: 1. **`pull_request_target` > `pull_request`**: Fork PRs currently run in the base repo's execution context. Switching to pull_request runs fork PRs in the fork's context, which matches the workflow's declared read-only permissions and is the recommended trigger for CI jobs that don't need write access to the base repo. 2. **Remove `id-token: write`**: No active job uses OIDC. This permission is a leftover from the commented-out `online-test` job and grants unnecessary token-minting capability. No CI behavior change. All active jobs (`check`, `format`, `offline-test`) only need `contents: read` and `pull-requests: read`, which work identically with `pull_request`. --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 63cc33e..138f91f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,7 +4,7 @@ name: CI on: push: branches: [ "main" ] - pull_request_target: + pull_request: # changed from pull_request_target. fork PRs now run in fork context branches: [ "main" ] workflow_dispatch: # manual run @@ -15,7 +15,7 @@ concurrency: permissions: pull-requests: read contents: read - id-token: write + # id-token: write # removed. no active job needs OIDC; was a leftover from commented-out online-test actions: read jobs: From 627b2874dafcb759c42c3f88f8acf90a62f6adf8 Mon Sep 17 00:00:00 2001 From: Tushar Mudi Date: Thu, 5 Mar 2026 22:33:56 +0530 Subject: [PATCH 2/2] Update ci.yml 1. Removed the comment from "pull_request: " 2. Removed the "id-token: write" line --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 138f91f..2d2dfd0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,7 +4,7 @@ name: CI on: push: branches: [ "main" ] - pull_request: # changed from pull_request_target. fork PRs now run in fork context + pull_request: branches: [ "main" ] workflow_dispatch: # manual run @@ -15,7 +15,6 @@ concurrency: permissions: pull-requests: read contents: read - # id-token: write # removed. no active job needs OIDC; was a leftover from commented-out online-test actions: read jobs:
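Review bot: The "No CI behavior change" claim in 1/2 cannot be checked from the first hunk (the `on:` block), because the bodies of `check`, `format` and `offline-test` are outside the diff. For a fork PR, `pull_request` still runs in the base repository, but on the PR's merge commit, with a read-only `GITHUB_TOKEN` and without repository secrets, so the inline comment "fork PRs now run in fork context" is also imprecise. Please confirm that no active job reads a secret or pins an explicit checkout `ref:`, and reword the commit message to describe the trigger as running untrusted PR code without secrets or write access.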
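Review bot: In the `permissions:` hunk, `actions: read` is left in place even though the commit message states that the active jobs only need `contents: read` and `pull-requests: read`. Either drop `actions: read` in the same change or say in the message which job needs it. If the commented-out `online-test` job is ever restored, grant `id-token: write` in that job's own `permissions:` block rather than at workflow level, so the other jobs never get the ability to request an OIDC token.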
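Review bot: Squash 2/2 into 1/2. Both of its hunks only delete the comments that 1/2 added (the trailing comment on `pull_request:` and the commented-out `# id-token: write` line), so the series should land as one commit that changes the trigger and removes the permission outright. The subject "Update ci.yml" also gives no indication of a security-relevant permissions change; the subject of 1/2 should be kept for the squashed commit.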