Electron Releases

Sudowoodo's /token endpoint (electron/sudowoodo#375) now validates the caller via a GitHub Actions OIDC token instead of the static SUDOWOODO_EXCHANGE_TOKEN secret. The broker checks the token's repository/ref/workflow_ref/actor/event_name/run_id claims against its allowlist and additionally verifies the run_id belongs to an active sudowoodo-dispatched release before minting a scoped upload token.

• script/release/github-token.ts: mint an OIDC token with audience sudowoodo-broker via the raw ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN env (so it works from any node script) and send it as Authorization: Bearer <jwt>. Fails with a clear message if the job lacks id-token: write. ELECTRON_GITHUB_TOKEN fallback kept.
• pipeline-segment-electron-build.yml (→ autogenerated -publish.yml): drop SUDOWOODO_EXCHANGE_TOKEN from the env block. SUDOWOODO_EXCHANGE_URL stays.

id-token: write was already present on the publish segment's job (for attestations) and on every {linux,macos,windows}-publish.yml caller, so no permission additions were needed.

Notes: none