The ForAllValues operator is used. It should be removed, since it applies only to multi-valued condition keys. In this case, the GH “tokens.action.githubusercontent.com:aud/sub” condition keys only have a single value. This will indicate IAM policy warnings to the customer in AWS’s Access Analyzer service since this is incorrect.
* Deprecate 3.0
* 3.0 deprecation: remove 3.0 markup (#25647)
* Remove liquid conditionals and content for 3.0 deprecation
* Remove manually, no longer versioned in a supported version
* Remove translations manually, no longer versioned in a supported version
* Remove 'if', now in all supported versions
* Remove dangling 'elseif', now in all supported versions
* Remove dangling 'elseif' and 3.0 screenshot reference, now in all supported versions
* Nudge to latest supported GHES version
* Nudge to latest supported release GHES version
* Bump all the version for the liquid tests
* Bump first deprecated version for linting tests
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra newline
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra newline
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra newline
Co-authored-by: Laura Coursen <lecoursen@github.com>
* One reusable per line
Co-authored-by: Laura Coursen <lecoursen@github.com>
* One reusable per line
Co-authored-by: Laura Coursen <lecoursen@github.com>
* One reusable per line
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Don't depend on hardcoded versions
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove static files for 3.0 deprecation (#25649)
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra liquid tags
Reusable contains the same tags that it is wrapped in
* update Using environments for deployment article
* Version Releasing and maintaining actions
* Version Adding self-hosted runners
* Version Removing self-hosted runners
* Version reusables
* Version Managing access to self hosted runners using groups
* Update Adding selfhosted runners
* Update Managing access to selfhosted runners using groups
* Remove enterprise from fpt version
* Update Removing selfhosted runners
* Update reusables
* Tweak AWS OIDC instructions
* Only contents: read is necessary
* Remove :aud filter because it's set to "sts.amazonaws.com" when using aws-actions/configure-aws-credentials
* Update to be valid JSON, and actually remove :aud
Co-authored-by: hubwriter <hubwriter@github.com>
* Update reusable workflows docs
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
* Update content/actions/learn-github-actions/reusing-workflows.md
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Apply review suggestion from Lucas
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Add information about use of runners
As per review comment from Ajay Krishna Nalisetty
* Update content/actions/learn-github-actions/workflow-syntax-for-github-actions.md
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
* Update content/actions/learn-github-actions/workflow-syntax-for-github-actions.md
* Fix version as per Lucas's review comment
* Explain using environment secrets
* Add workflow diagram
* Move explanation of diagram above it
* Slight change to job_workflow-ref description
Include the syntax of the response data, as per
https://github.slack.com/archives/C01SMLA6MNY/p1637731982336700
* Clarify difference between repo and job_workflow_ref
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
Co-authored-by: Martin Lopes <martin389@github.com>
Co-authored-by: Octomerger Bot <63058869+Octomerger@users.noreply.github.com>
I've tested a wide variety of cases and compared to Cloudtrail Events.
Only `sub` is currently sent to and compared in the AWS OpenID Connect provider for GitHub.
`aud` will *always* be sts.amazonaws.com.
So, the IAM trust relationship policy (GitHub OIDC -> AWS) for the role-to-be-assumed should perform conditional checks on `sub` which contains this information:
`"token.actions.githubusercontent.com:sub": "repo:organization-name/repository-name:ref:refs/heads/branch-name"`
If the StringLike condition operator is used, a wildcard can be used for `branch-name`.
There might be other things to touch up on in this README.md to reflect this information
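Both points raised in this thread, the `ForAllValues` prefix on the single-valued GitHub OIDC condition keys (first comment) and the need to constrain `sub` rather than rely on `aud` (last comment), can be checked mechanically before a trust policy is deployed. The following is an added example, not code from the github/docs project or from either commenter: a small Python lint over an IAM trust-policy document, with a weak policy and its corrected form as constructed sample input. The account id, organisation and repository names in the samples are placeholders; the finding strings are this example's own wording, not Access Analyzer's.

```python
"""Lint an IAM trust policy for a GitHub Actions OIDC role (added example).

Findings raised:
  * ForAllValues:/ForAnyValue: prefixes on token.actions.githubusercontent.com:aud/:sub,
    which are single-valued claims, so the set operators are meaningless there.
  * a missing or too-broad :sub condition (aud alone is always "sts.amazonaws.com"
    with aws-actions/configure-aws-credentials and identifies no repository).
  * a '*' inside a StringEquals value, which IAM matches literally; StringLike is
    the operator that treats it as a wildcard.
"""
import json
import re

OIDC_ISSUER = "token.actions.githubusercontent.com"
SUB_KEY = OIDC_ISSUER + ":sub"
AUD_KEY = OIDC_ISSUER + ":aud"
SET_OPERATORS = ("ForAllValues:", "ForAnyValue:")
EXPECTED_AUD = "sts.amazonaws.com"  # audience requested by aws-actions/configure-aws-credentials
# repo:<owner>/<name>:<selector>, e.g. ref:refs/heads/main or environment:prod
SUB_RE = re.compile(r"^repo:([^/:]+)/([^/:]+):(.+)$")


def _as_list(value):
    """IAM allows a scalar or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict) -> list:
    """Return human-readable findings for each AssumeRoleWithWebIdentity statement.

    An empty list means no issue was detected.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        sub_constrained = False
        for operator, keys in stmt.get("Condition", {}).items():
            base_operator = operator
            for prefix in SET_OPERATORS:
                if operator.startswith(prefix):
                    base_operator = operator[len(prefix):]
                    for key in keys:
                        if key in (SUB_KEY, AUD_KEY):
                            findings.append(
                                f"statement {idx}: '{operator}' applied to single-valued key "
                                f"'{key}'; drop the '{prefix}' prefix"
                            )
            for key, value in keys.items():
                if key == AUD_KEY:
                    if any(v != EXPECTED_AUD for v in _as_list(value)):
                        findings.append(f"statement {idx}: aud should be '{EXPECTED_AUD}'")
                    continue
                if key != SUB_KEY:
                    continue
                for v in _as_list(value):
                    if base_operator == "StringEquals" and "*" in v:
                        findings.append(
                            f"statement {idx}: '*' in a StringEquals value is matched literally; "
                            "use StringLike for wildcards"
                        )
                    m = SUB_RE.match(v)
                    if m is None:
                        findings.append(
                            f"statement {idx}: sub value {v!r} is not of the form "
                            "repo:<owner>/<name>:<selector>"
                        )
                        continue
                    if "*" in m.group(1) or "*" in m.group(2):
                        findings.append(
                            f"statement {idx}: sub value {v!r} wildcards the repository itself"
                        )
                        continue
                    sub_constrained = True
        if not sub_constrained:
            findings.append(
                f"statement {idx}: no usable '{SUB_KEY}' condition; any repository with a "
                "GitHub-issued token could assume this role"
            )
    return findings


def _policy(condition: dict) -> dict:
    """Build a trust policy around a Condition block (constructed placeholder values)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# The shape the first comment objects to: a set operator on single-valued keys.
WEAK_POLICY = _policy({
    "ForAllValues:StringEquals": {
        AUD_KEY: EXPECTED_AUD,
        SUB_KEY: "repo:octo-org/octo-repo:ref:refs/heads/main",
    }
})

# Corrected form: plain StringEquals for aud, StringLike so the branch wildcard works.
FIXED_POLICY = _policy({
    "StringEquals": {AUD_KEY: EXPECTED_AUD},
    "StringLike": {SUB_KEY: "repo:octo-org/octo-repo:ref:refs/heads/*"},
})


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(f"== {name} ==")
        print(json.dumps(pol["Statement"][0]["Condition"], indent=2))
        print("\n".join(lint_trust_policy(pol)) or "no findings")
```

Run it directly to see the two findings for the weak policy and none for the corrected one; `lint_trust_policy` can also be pointed at the output of `aws iam get-role` (the `AssumeRolePolicyDocument` field) in a pre-deploy check.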