diff --git a/.github/workflows/bump-tcgc-csharp.lock.yml b/.github/workflows/bump-tcgc-csharp.lock.yml
index 38f6de03532..ff5cb8bd6cb 100644
--- a/.github/workflows/bump-tcgc-csharp.lock.yml
+++ b/.github/workflows/bump-tcgc-csharp.lock.yml
@@ -345,7 +345,7 @@ jobs:
 copilot-requests: write
 deployments: read
 discussions: read
- id-token: read
+ id-token: none
 issues: read
 models: read
 packages: read
diff --git a/.github/workflows/check-agentic-workflows.yml b/.github/workflows/check-agentic-workflows.yml
index 6f86ffd7835..4147bc2a9f4 100644
--- a/.github/workflows/check-agentic-workflows.yml
+++ b/.github/workflows/check-agentic-workflows.yml
@@ -24,6 +24,9 @@ jobs:
 gh aw compile
 # Restore dependabot.yml — gh aw compile reformats it even without --dependabot (known bug)
 git checkout -- .github/dependabot.yml 2>/dev/null || true
+ # gh aw compile expands 'all: read' to include 'id-token: read', which GitHub Actions
+ # rejects as invalid (id-token only accepts 'none' or 'write'). Replace it after compile.
+ sed -i 's/ id-token: read$/ id-token: none/' .github/workflows/*.lock.yml
 if ! git diff --exit-code .github/workflows/*.lock.yml; then
 echo "::error::Lock files are out of date. Run 'gh aw compile' locally and commit the changes."
 exit 1
diff --git a/.github/workflows/issue-triage.lock.yml b/.github/workflows/issue-triage.lock.yml
index dcf2c8ab350..ae2cdef57dd 100644
--- a/.github/workflows/issue-triage.lock.yml
+++ b/.github/workflows/issue-triage.lock.yml
@@ -385,7 +385,7 @@ jobs:
 copilot-requests: write
 deployments: read
 discussions: read
- id-token: read
+ id-token: none
 issues: read
 models: read
 packages: read
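Review bot: The unchanged error message at the end of the check-agentic-workflows.yml hunk, `Run 'gh aw compile' locally and commit the changes.`, now gives incomplete instructions: a developer who does exactly that commits lock files containing `id-token: read`, and the check keeps failing because CI rewrites them to `id-token: none` with the new sed before the diff. Either state the extra step in the message, e.g. `echo "::error::Lock files are out of date. Run 'gh aw compile' locally, change any 'id-token: read' to 'id-token: none' in the .lock.yml files, and commit the changes."`, or move the compile-plus-sed normalization into a small script that both CI and developers run so the two cannot drift. The `sed -i` form without a suffix is GNU-specific; that is fine on an Ubuntu runner, but the runner OS is not visible in this hunk. The run step begins and ends outside the hunk.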