ci: grant id-token permission for PyPI publish

Made-with: Cursor

Author: Sayeem3051

.github/workflows/ci.yml

@@ -17,6 +17,9 @@ on:
         default: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test (Python ${{ matrix.python-version }})
@@ -66,6 +69,10 @@ jobs:
         (github.event_name == 'workflow_dispatch' && github.event.inputs.publish_to_pypi == 'true')
       )
 
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
       - uses: actions/checkout@v4
 
@@ -82,4 +89,7 @@ jobs:
       - name: Publish to PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
+          # If PYPI_API_TOKEN is set, token-based upload is used.
+          # If it's missing, the action falls back to trusted publishing (OIDC),
+          # which requires `id-token: write` permissions.
           password: ${{ secrets.PYPI_API_TOKEN }}