From 1003488ffd74fe2a026edcf5d188f3cbf84e28c4 Mon Sep 17 00:00:00 2001
From: Isaac Brown <101839405+isaacmbrown@users.noreply.github.com>
Date: Mon, 31 Jul 2023 09:57:12 +0100
Subject: [PATCH] Update versioning for secure OIDC in reusable workflows (#39793)
Co-authored-by: Joe Clark <31087804+jc-clark@users.noreply.github.com>
---
 data/features/restricted-permissions-oidc.yml | 6 ++++++
 data/reusables/actions/oidc-permissions-token.md | 2 ++
 2 files changed, 8 insertions(+)
 create mode 100644 data/features/restricted-permissions-oidc.yml
diff --git a/data/features/restricted-permissions-oidc.yml b/data/features/restricted-permissions-oidc.yml
new file mode 100644
index 0000000000..bdb565772c
--- /dev/null
+++ b/data/features/restricted-permissions-oidc.yml
@@ -0,0 +1,6 @@
+# Issue 10918
+# Stricter permissions for securely enabling OpenID Connect (OIDC) in a reusable workflows
+versions:
+  fpt: '*'
+  ghec: '*'
+  ghes: '>=3.10'
diff --git a/data/reusables/actions/oidc-permissions-token.md b/data/reusables/actions/oidc-permissions-token.md
index 60bb103d45..204b76b365 100644
--- a/data/reusables/actions/oidc-permissions-token.md
+++ b/data/reusables/actions/oidc-permissions-token.md
@@ -20,6 +20,7 @@ permissions:
   id-token: write # This is required for requesting the JWT
 ```
+{% ifversion restricted-permissions-oidc %}
 You may need to specify additional permissions here, depending on your workflow's requirements.
 For reusable workflows that are owned by the same user, organization, or enterprise as the caller workflow, the OIDC token generated in the reusable workflow can be accessed from the caller's context.
@@ -27,3 +28,4 @@ For reusable workflows outside your enterprise or organization, the `permissions
 This ensures that the OIDC token generated in the reusable workflow is only allowed to be consumed in the caller workflows when intended.
 For more information, see "[AUTOTITLE](/actions/using-workflows/reusing-workflows)."
+{% endif %}
\ No newline at end of file
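Review bot: The descriptive comment on the second line of the new feature file has a grammatical slip, `# Stricter permissions for securely enabling OpenID Connect (OIDC) in a reusable workflows`, which should read `# Stricter permissions for securely enabling OpenID Connect (OIDC) in reusable workflows`. Since this file gates security guidance about OIDC token permissions by product version, a clear comment matters for anyone later adjusting the `ghes` bound; the stated `>=3.10` threshold itself is taken as given here.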