Change trust policies for bors app

Mark-Simulacrum · Jun 29, 2024 · dcd6e13 · dcd6e13
1 parent 77efa8a
commit dcd6e13
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 1 deletion.
diff --git a/terragrunt/accounts/bors-prod/app/terragrunt.hcl b/terragrunt/accounts/bors-prod/app/terragrunt.hcl
@@ -10,4 +10,5 @@ include {
 inputs = {
   domain = "bors-prod.rust-lang.net"
   gh_app_id = "278306"
+  trusted_sub = "repo:rust-lang/bors:environment:production"
 }
diff --git a/terragrunt/accounts/bors-staging/app/terragrunt.hcl b/terragrunt/accounts/bors-staging/app/terragrunt.hcl
@@ -10,4 +10,5 @@ include {
 inputs = {
   domain = "bors-staging.rust-lang.net"
   gh_app_id = "343095"
+  trusted_sub = "repo:rust-lang/bors:environment:staging"
 }
diff --git a/terragrunt/modules/bors/main.tf b/terragrunt/modules/bors/main.tf
@@ -70,7 +70,7 @@ resource "aws_iam_role" "gha" {
         }
         Condition = {
           StringLike = {
-            "token.actions.githubusercontent.com:sub" : "repo:rust-lang/bors:ref:refs/heads/main"
+            "token.actions.githubusercontent.com:sub" : "${var.trusted_sub}"
           }
           StringEquals = {
             "token.actions.githubusercontent.com:aud" : "sts.amazonaws.com"
@@ -498,3 +498,7 @@ variable "domain" {
 variable "gh_app_id" {
   description = "GitHub App ID"
 }
+
+variable "trusted_sub" {
+  description = "GitHub OIDC claim"
+}