For securely enabling OpenID Connect (OIDC) in your reusable workflows, we are now making the permissions more restrictive.
If you need to fetch an OIDC token generated within a reusable (called) workflow that is outside your enterprise/organization, then the permissions setting for
id-token should now be explicitly set to
write at the caller workflow level or in the specific job that calls the reusable workflow.
permissions: id-token: write # This is required for requesting the JWT
This change would ensure that the OIDC token generated in the called workflow is allowed to be consumed in the caller workflows only when intended.
Learn more about permission settings to enable OIDC in your workflows