The ForAllValues operator is used. It should be removed, since it applies only to multi-valued condition keys. In this case, the GH “tokens.action.githubusercontent.com:aud/sub” condition keys only have a single value. This will indicate IAM policy warnings to the customer in AWS’s Access Analyzer service since this is incorrect.
* Deprecate 3.0
* 3.0 deprecation: remove 3.0 markup (#25647)
* Remove liquid conditionals and content for 3.0 deprecation
* Remove manually, no longer versioned in a supported version
* Remove translations manually, no longer versioned in a supported version
* Remove 'if', now in all supported versions
* Remove dangling 'elseif', now in all supported versions
* Remove dangling 'elseif' and 3.0 screenshot reference, now in all supported versions
* Nudge to latest supported GHES version
* Nudge to latest supported release GHES version
* Bump all the version for the liquid tests
* Bump first deprecated version for linting tests
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Prefer double quotes
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra newline
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra newline
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra newline
Co-authored-by: Laura Coursen <lecoursen@github.com>
* One reusable per line
Co-authored-by: Laura Coursen <lecoursen@github.com>
* One reusable per line
Co-authored-by: Laura Coursen <lecoursen@github.com>
* One reusable per line
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Stray whitespace ✂️
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Version check not needed anymore
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Just 'ghes' since we're deprecating 3.0
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Don't depend on hardcoded versions
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove static files for 3.0 deprecation (#25649)
Co-authored-by: Laura Coursen <lecoursen@github.com>
* Remove extra liquid tags
Reusable contains the same tags that it is wrapped in
* update Using environments for deployment article
* Version Releasing and maintaining actions
* Version Adding self-hosted runners
* Version Removing self-hosted runners
* Version reusables
* Version Managing access to self hosted runners using groups
* Update Adding selfhosted runners
* Update Managing access to selfhosted runners using groups
* Remove enterprise from fpt version
* Update Removing selfhosted runners
* Update reusables
* Tweak AWS OIDC instructions
* Only contents: read is necessary
* Remove :aud filter because it's set to "sts.amazonaws.com" when using aws-actions/configure-aws-credentials
* Update to be valid JSON, and actually remove :aud
Co-authored-by: hubwriter <hubwriter@github.com>
* Update reusable workflows docs
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
* Update content/actions/learn-github-actions/reusing-workflows.md
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Apply review suggestion from Lucas
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Update content/actions/learn-github-actions/reusing-workflows.md
Co-authored-by: Martin Lopes <martin389@github.com>
* Add information about use of runners
As per review comment from Ajay Krishna Nalisetty
* Update content/actions/learn-github-actions/workflow-syntax-for-github-actions.md
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
* Update content/actions/learn-github-actions/workflow-syntax-for-github-actions.md
* Fix version as per Lucas's review comment
* Explain using environment secrets
* Add workflow diagram
* Move explanation of diagram above it
* Slight change to job_workflow-ref description
Include the syntax of the response data, as per
https://github.slack.com/archives/C01SMLA6MNY/p1637731982336700
* Clarify difference between repo and job_workflow_ref
Co-authored-by: Lucas Costi <lucascosti@users.noreply.github.com>
Co-authored-by: Martin Lopes <martin389@github.com>
Co-authored-by: Octomerger Bot <63058869+Octomerger@users.noreply.github.com>
I've tested a wide variety of cases and compared to Cloudtrail Events.
Only `sub` is currently sent to and compared in the AWS OpenID connector for GitHub.
`aud` will *always* be `sts.amazonaws.com`.
So, the IAM trust relationship policy (GitHub OIDC -> AWS) for the role-to-be-assumed should perform conditional checks on `sub`, which contains this information:
`"token.actions.githubusercontent.com:sub": "repo:organization-name/repository-name:ref:refs/heads/branch-name"`
If the StringLike conditional is used, a wildcard can be used for `branch-name`.
There might be other things to touch up in this README.md to reflect this information.
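To make the two review comments above concrete (the `ForAllValues` warning and the advice to match `sub` with `StringLike`), here is an added Python example that is not code from the original PR or from GitHub's docs: it lints a trust-policy `Condition` block for set operators on single-valued keys, the way Access Analyzer does, and evaluates both the flawed and the corrected block against constructed token claims. The organization and repository names are assumptions.

```python
import fnmatch

# Context keys GitHub's OIDC provider sets exactly once per token (single-valued).
SINGLE_VALUED_KEYS = {"token.actions.githubusercontent.com:aud",
                      "token.actions.githubusercontent.com:sub"}

# Constructed "before" block: ForAllValues applied to single-valued keys (the flaw
# flagged in the comment). Org/repo names are placeholders, not the project's.
FLAWED_CONDITION = {"ForAllValues:StringEquals": {
    "token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
    "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:ref:refs/heads/main"}}

# Constructed "after" block: plain StringLike on sub, wildcard for the branch name,
# and no aud check because aud is always sts.amazonaws.com for this integration.
FIXED_CONDITION = {"StringLike": {
    "token.actions.githubusercontent.com:sub": "repo:my-org/my-repo:ref:refs/heads/*"}}


def lint_condition(condition):
    """Return one warning per set operator (ForAllValues/ForAnyValue) used on a single-valued key."""
    return [f"{op} used with single-valued key {key}"
            for op, keys in condition.items()
            if op.startswith(("ForAllValues:", "ForAnyValue:"))
            for key in keys if key in SINGLE_VALUED_KEYS]


def _matches(base_op, value, patterns):
    if base_op == "StringEquals":
        return value in patterns
    if base_op == "StringLike":  # IAM wildcards: '*' any run of characters, '?' one character
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    raise ValueError(f"unsupported operator {base_op}")


def evaluate(condition, claims):
    """Evaluate a Condition block against token claims (the request context); every operator must pass."""
    for op, keys in condition.items():
        set_op, _, base_op = op.rpartition(":")  # '' for a plain operator
        for key, patterns in keys.items():
            patterns = patterns if isinstance(patterns, list) else [patterns]
            if key not in claims:
                # ForAllValues is vacuously true when the key is absent; plain operators fail.
                if set_op == "ForAllValues":
                    continue
                return False
            values = claims[key] if isinstance(claims[key], list) else [claims[key]]
            results = [_matches(base_op, v, patterns) for v in values]
            if not (any(results) if set_op == "ForAnyValue" else all(results)):
                return False
    return True
```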