The current publishing flow fails after a PR is merged because the reusable workflow publish-mcp.yml requires id-token: write for OIDC authentication.
Since this workflow is called transitively via publish.yml from release-please.yml, and the top-level workflow does not grant id-token permissions, GitHub rejects the workflow during validation. REusable workflows cannot request permissions that exceed those explicitly allowed by their callers.
The current publishing flow fails after a PR is merged because the reusable workflow publish-mcp.yml requires id-token: write for OIDC authentication.
Since this workflow is called transitively via publish.yml from release-please.yml, and the top-level workflow does not grant id-token permissions, GitHub rejects the workflow during validation. REusable workflows cannot request permissions that exceed those explicitly allowed by their callers.