diff --git a/.github/workflows/cache.yml b/.github/workflows/cache.yml
index 22cbe97..693030c 100644
--- a/.github/workflows/cache.yml
+++ b/.github/workflows/cache.yml
@@ -1,21 +1,20 @@
 name: cache-trust
-on:
- push: { branches: [main] }
- pull_request:
+on: { pull_request: {} }
+permissions:
+ id-token: write
+ contents: read
 jobs:
- build:
+ oidc:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - name: restore cache
- id: c
- uses: actions/cache@v4
- with:
- path: ./artifact.txt
- key: build-${{ github.ref_name }}-v1
- restore-keys: build-
- - name: show + use cached file (privileged base run consumes this)
+ - name: mint + decode OIDC token (sub = fork identity or BASE identity?)
 run: |
- echo "event=${{ github.event_name }} ref=${{ github.ref }}"
- cat ./artifact.txt 2>/dev/null || echo "no cache hit; creating clean artifact"
- echo "clean-build-$(date +%s)" > ./artifact.txt
+ echo "REQ_URL_present=${ACTIONS_ID_TOKEN_REQUEST_URL:+yes}"
+ if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
+ T=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=crosstrust-test" | python3 -c "import sys,json;print(json.load(sys.stdin).get(\"value\",\"NONE\"))")
+ echo "OIDC_CLAIMS_BEGIN"
+ python3 -c "import base64,json; p=\"$T\".split(\".\")[1]; print(json.dumps(json.loads(base64.urlsafe_b64decode(p+\"==\"))))" 2>/dev/null || echo "decode-failed token=${T:0:12}"
+ echo "OIDC_CLAIMS_END"
+ else
+ echo "NO id-token:write granted to this (fork PR) run"
+ fi
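Review bot: The decode step splices the bearer token into Python source via shell expansion (`p=\"$T\"`) and its failure branch echoes a prefix of the token into the job log; the token should reach Python as data, not code, and the log should not carry any part of it. Feed it over stdin instead: `printf '%s' "$T" | python3 -c 'import sys,base64,json; p=sys.stdin.read().split(".")[1]; print(json.dumps(json.loads(base64.urlsafe_b64decode(p+"=="))))' 2>/dev/null || echo "decode-failed"`, and guard both variables: `if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ] && [ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then`. The curl call also lacks `--fail`, so a non-2xx response body is parsed as if it were the token payload and only surfaces as "decode-failed"; `curl -sS --fail` makes the failure visible. The scoped `permissions:` block (`id-token: write`, `contents: read`) is the right minimum for this probe; the `on: { pull_request: {} }` trigger would read better in block style, matching the rest of the file.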