I've tested a wide variety of cases and compared them to CloudTrail events.
Only `sub` is currently sent to and compared in the AWS OpenID connector for GitHub.
`aud` will *always* be `sts.amazonaws.com`.
So, the IAM trust relationship policy (GitHub OIDC -> AWS) for the role-to-be-assumed should perform conditional checks on `sub`, which contains this information:
`"token.actions.githubusercontent.com:sub": "repo:organization-name/repository-name:ref:refs/heads/branch-name"`
If the `StringLike` conditional is used, a wildcard can be used for `branch-name`.
There might be other things to touch up on in this README.md to reflect this information.
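To see what a branch wildcard in the `sub` condition admits, here is an added example (not part of the original comment or the project's code) that models IAM `StringEquals`/`StringLike` matching locally, without calling AWS. The organization, repository and branch names are the placeholders from the comment, and the sample `sub` claims are constructed.

```python
import re

SUB_KEY = "token.actions.githubusercontent.com:sub"

# Trust-policy condition in the shape described above (placeholder names).
TRUST_CONDITION = {
    "StringLike": {
        SUB_KEY: "repo:organization-name/repository-name:ref:refs/heads/*"
    }
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' = any run of characters, '?' = one character, case-sensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def sub_allowed(condition: dict, sub: str) -> bool:
    """True if the token's sub claim satisfies every operator in the condition."""
    for operator, keys in condition.items():
        expected = keys[SUB_KEY]
        patterns = [expected] if isinstance(expected, str) else expected
        if operator == "StringEquals":
            ok = sub in patterns
        elif operator == "StringLike":
            ok = any(string_like(p, sub) for p in patterns)
        else:
            raise ValueError(f"operator not modelled here: {operator}")
        if not ok:
            return False
    return True


# Constructed sub claims, for illustration only.
SAMPLE_SUBS = [
    "repo:organization-name/repository-name:ref:refs/heads/main",
    "repo:organization-name/repository-name:ref:refs/heads/feature/x",
    "repo:organization-name/repository-name:ref:refs/tags/v1.0.0",
    "repo:organization-name/repository-name:pull_request",
    "repo:organization-name/other-repository:ref:refs/heads/main",
]

if __name__ == "__main__":
    for sub in SAMPLE_SUBS:
        print("ALLOW" if sub_allowed(TRUST_CONDITION, sub) else "DENY ", sub)
```

The `*` also matches `/`, so the wildcard covers nested branch names such as `feature/x`, while tag refs, pull-request tokens and other repositories fail the condition.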