Summary
The condition examples in docs/policies.md include this example:
# Restrict to a specific workflow
condition: claims.workflow == "deploy.yml" && claims.ref == "refs/heads/main"
This is misleading because the workflow OIDC claim contains the workflow's name: field (from the YAML frontmatter), not the filename. Per GitHub's docs, github.workflow is "The name of the workflow. If the workflow file doesn't specify a name, the value of this property is the full path of the workflow file in the repository."
This means:
- A workflow with
name: Deploy Production would have claims.workflow == "Deploy Production", not "deploy.yml"
- The example only works for workflows that omit the
name: field entirely (uncommon)
- Two different workflow files could share the same
name:, making this check ambiguous
Suggested fix
Replace the example with one using claims.workflow_ref, which contains the full canonical path and is reliable for security pinning:
# Restrict to a specific workflow
condition: claims.workflow_ref == "my-org/my-repo/.github/workflows/deploy.yml@refs/heads/main"
This is the pattern used in the actual production policy in etsy/github-app-sts-policies.
Summary
The
conditionexamples indocs/policies.mdinclude this example:This is misleading because the
workflowOIDC claim contains the workflow'sname:field (from the YAML frontmatter), not the filename. Per GitHub's docs,github.workflowis "The name of the workflow. If the workflow file doesn't specify a name, the value of this property is the full path of the workflow file in the repository."This means:
name: Deploy Productionwould haveclaims.workflow == "Deploy Production", not"deploy.yml"name:field entirely (uncommon)name:, making this check ambiguousSuggested fix
Replace the example with one using
claims.workflow_ref, which contains the full canonical path and is reliable for security pinning:This is the pattern used in the actual production policy in
etsy/github-app-sts-policies.