From 89c3d729e158c00fbf5056a1cf98717f797811c0 Mon Sep 17 00:00:00 2001
From: Yuriy Demidov <d3m1d0v@yandex-team.ru>
Date: Wed, 21 Jan 2026 18:58:54 +0300
Subject: [PATCH] ci(publish): grant write permission for id-token

---
 .github/workflows/publish.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 443c4aed..3ad28821 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -26,6 +26,10 @@ on:
         type: boolean
         default: true
 
+permissions:
+  contents: read
+  id-token: write  # Required for OIDC
+
 jobs:
   publish:
     name: Publish
@@ -65,5 +69,6 @@ jobs:
           NODE_AUTH_TOKEN: ${{ secrets.GRAVITY_UI_BOT_NPM_TOKEN }}
           NPM_CONFIG_PROVENANCE: true
 
-      - name: Show publish report
+      - name: Show publish summary
+        if: ${{ github.event.inputs.dry_run == 'false' }}
         run: cat pnpm-publish-summary.json