From f3c254bf54c52e3527773743610ffa24d6586d87 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 25 Jun 2026 18:00:45 +0000
Subject: [PATCH 1/2] fix: change id-token: read to id-token: none in lock workflows
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
---
 .github/workflows/bump-tcgc-csharp.lock.yml | 2 +-
 .github/workflows/issue-triage.lock.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/bump-tcgc-csharp.lock.yml b/.github/workflows/bump-tcgc-csharp.lock.yml
index 38f6de03532..ff5cb8bd6cb 100644
--- a/.github/workflows/bump-tcgc-csharp.lock.yml
+++ b/.github/workflows/bump-tcgc-csharp.lock.yml
@@ -345,7 +345,7 @@ jobs:
 copilot-requests: write
 deployments: read
 discussions: read
- id-token: read
+ id-token: none
 issues: read
 models: read
 packages: read
diff --git a/.github/workflows/issue-triage.lock.yml b/.github/workflows/issue-triage.lock.yml
index dcf2c8ab350..ae2cdef57dd 100644
--- a/.github/workflows/issue-triage.lock.yml
+++ b/.github/workflows/issue-triage.lock.yml
@@ -385,7 +385,7 @@ jobs:
 copilot-requests: write
 deployments: read
 discussions: read
- id-token: read
+ id-token: none
 issues: read
 models: read
 packages: read
From 6f39a35421f129b9b5196bf041b09f0289db8f49 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 25 Jun 2026 19:24:11 +0000
Subject: [PATCH 2/2] fix: update check-agentic-workflows to replace id-token: read with none after compile
Co-authored-by: timotheeguerin <1031227+timotheeguerin@users.noreply.github.com>
---
 .github/workflows/check-agentic-workflows.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/check-agentic-workflows.yml b/.github/workflows/check-agentic-workflows.yml
index 6f86ffd7835..4147bc2a9f4 100644
--- a/.github/workflows/check-agentic-workflows.yml
+++ b/.github/workflows/check-agentic-workflows.yml
@@ -24,6 +24,9 @@ jobs:
 gh aw compile
 # Restore dependabot.yml — gh aw compile reformats it even without --dependabot (known bug)
 git checkout -- .github/dependabot.yml 2>/dev/null || true
+ # gh aw compile expands 'all: read' to include 'id-token: read', which GitHub Actions
+ # rejects as invalid (id-token only accepts 'none' or 'write'). Replace it after compile.
+ sed -i 's/ id-token: read$/ id-token: none/' .github/workflows/*.lock.yml
 if ! git diff --exit-code .github/workflows/*.lock.yml; then
 echo "::error::Lock files are out of date. Run 'gh aw compile' locally and commit the changes."
 exit 1
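Review bot: The `echo "::error::…"` line just below the added `sed` still tells contributors to run 'gh aw compile' locally and commit the result. Per the new comment that command emits `id-token: read`, so a lock file regenerated by following the message will differ from the post-sed output and fail this check again, with the same advice. The message should name the extra step, for example `echo "::error::Lock files are out of date. Run 'gh aw compile' locally, replace 'id-token: read' with 'id-token: none' in the lock files, and commit the changes."`. Better still, move compile plus replacement into one script that both CI and contributors run, so the committed permissions block is never hand-edited. The `if` opened in this hunk closes outside it, so the rest of the step was not reviewed.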