Role trust policy is incorrect for environment-based workflows

Describe the issue

Referring to this error when assuming a role using OIDC (issue 1137).

I wonder what the actual issue is. This issue came up when I used an environment in my workflow.

I resolved this by making my sub more generic, and it works.
Was:

```json
"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:GitHubOrg/GitHubRepo:ref:refs/heads/GitHubBranch"
}
```

Now:

```json
"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:GitHubOrg/GitHubRepo:*"
}
```

But I don't understand how adding an environment changes the repo's URL syntax. Can anybody show me how, so I can make a more specific and least-privileged URL syntax? I am expecting something like this:

```json
"StringLike": {
  "token.actions.githubusercontent.com:sub": "repo:GitHubOrg/GitHubRepo:environment:*ref:refs/heads/GithubBranch*"
}
```
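To see why the branch pattern stops matching once a job targets an environment, here is an added example (not from the issue or the action's own code) that evaluates each of the three `StringLike` patterns above, plus a single-environment one, against constructed sample `sub` claims. It assumes GitHub's claim format: a branch-scoped job gets `repo:ORG/REPO:ref:refs/heads/BRANCH`, while an environment-scoped job gets `repo:ORG/REPO:environment:ENV_NAME` with no ref in it at all; the environment name `production` is a placeholder.

```python
import re

# Constructed sample sub claims in the format GitHub puts into the OIDC token.
#   branch-scoped job:      repo:ORG/REPO:ref:refs/heads/BRANCH
#   environment-scoped job: repo:ORG/REPO:environment:ENV_NAME   (no ref at all)
#   ("production" is a placeholder environment name)
SAMPLE_SUBS = {
    "push to branch, no environment": "repo:GitHubOrg/GitHubRepo:ref:refs/heads/GitHubBranch",
    "job targeting 'production' environment": "repo:GitHubOrg/GitHubRepo:environment:production",
    "pull request": "repo:GitHubOrg/GitHubRepo:pull_request",
    "same-named repo in another org": "repo:OtherOrg/GitHubRepo:environment:production",
}


def string_like(pattern: str, value: str) -> bool:
    """Evaluate an IAM StringLike condition: '*' matches any run of characters,
    '?' matches exactly one character, everything else is literal and case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def matching_subs(pattern: str) -> list[str]:
    """Return the labels of the sample tokens a trust policy with this pattern would admit."""
    return [label for label, sub in SAMPLE_SUBS.items() if string_like(pattern, sub)]


# The three patterns from the issue, plus the least-privilege form for an environment job.
PATTERNS = {
    "original (branch only)": "repo:GitHubOrg/GitHubRepo:ref:refs/heads/GitHubBranch",
    "workaround (whole repo)": "repo:GitHubOrg/GitHubRepo:*",
    "expected (environment + ref)": "repo:GitHubOrg/GitHubRepo:environment:*ref:refs/heads/GithubBranch*",
    "least privilege (one environment)": "repo:GitHubOrg/GitHubRepo:environment:production",
}

if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name}: {pattern}")
        print("   admits:", matching_subs(pattern) or "nothing")
```

Because the environment claim carries no ref, the branch restriction has to be enforced on the GitHub side through the environment's deployment branch rules rather than in the `sub` condition; the `environment:production` pattern is the tightest match the claim itself allows.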