diff --git a/data/features/restricted-permissions-oidc.yml b/data/features/restricted-permissions-oidc.yml
new file mode 100644
index 0000000000..bdb565772c
--- /dev/null
+++ b/data/features/restricted-permissions-oidc.yml
@@ -0,0 +1,6 @@
+# Issue 10918
+# Stricter permissions for securely enabling OpenID Connect (OIDC) in a reusable workflows
+versions:
+ fpt: '*'
+ ghec: '*'
+ ghes: '>=3.10'
diff --git a/data/reusables/actions/oidc-permissions-token.md b/data/reusables/actions/oidc-permissions-token.md
index 60bb103d45..204b76b365 100644
--- a/data/reusables/actions/oidc-permissions-token.md
+++ b/data/reusables/actions/oidc-permissions-token.md
@@ -20,6 +20,7 @@ permissions:
   id-token: write # This is required for requesting the JWT
 ```
+{% ifversion restricted-permissions-oidc %}
 You may need to specify additional permissions here, depending on your workflow's requirements.
 For reusable workflows that are owned by the same user, organization, or enterprise as the caller workflow, the OIDC token generated in the reusable workflow can be accessed from the caller's context.
@@ -27,3 +28,4 @@ For reusable workflows outside your enterprise or organization, the `permissions
 This ensures that the OIDC token generated in the reusable workflow is only allowed to be consumed in the caller workflows when intended.
 For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)."
+{% endif %}
\ No newline at end of file
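Review bot: The description comment on the second line of the new feature file has a grammatical slip ("in a reusable workflows") that will be read by everyone looking up what this flag gates; suggest `# Stricter permissions for securely enabling OpenID Connect (OIDC) in reusable workflows`. Since this flag is referenced by the `{% ifversion restricted-permissions-oidc %}` block in the second hunk, it would also help to name the gated content in the comment, e.g. `# Gates the reusable-workflow OIDC permissions guidance in data/reusables/actions/oidc-permissions-token.md`, so the version bounds (`ghes: '>=3.10'`) can be checked against that text when GHES support changes. I cannot verify from the diff alone whether 3.10 is the correct GHES floor for this behaviour, so that value should be confirmed against the referenced issue.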