From 583fcee87a68e276d3a6bfb9da351e3a56b68d48 Mon Sep 17 00:00:00 2001
From: James Shaw
Date: Fri, 13 Oct 2023 21:59:56 +0100
Subject: [PATCH] feat: add GitHubActionRoleProps.subjectClaims to allow custom subject claims, not just repositories

---
 src/oidc-provider.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/oidc-provider.ts b/src/oidc-provider.ts
index 6d54415e..08e2e66d 100644
--- a/src/oidc-provider.ts
+++ b/src/oidc-provider.ts
@@ -23,7 +23,15 @@ export interface GitHubActionRoleProps {
 *
 * For example, `['owner/repo1', 'owner/repo2'].
 */
- readonly repos: string[];
+ readonly repos?: string[];
+
+ /**
+ * A list of subject claims.
+ * See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+ *
+ * For example, `['repo:owner/repo1:ref:refs/heads/branch1', 'repo:owner/repo1:environment:prod']`
+ */
+ readonly subjectClaims?: string[];
 
 /**
 * The name of the Oidc role.
@@ -110,7 +118,7 @@ export class GitHubActionRole extends Construct {
 provider.openIdConnectProviderArn,
 {
 StringLike: {
- [`${rawEndpoint}:sub`]: formatRepos(props.repos),
+ [`${rawEndpoint}:sub`]: formatRepos(props.repos ?? []).concat(props.subjectClaims ?? []),
 },
 },
 'sts:AssumeRoleWithWebIdentity',
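Review bot: The doc comment on the new `subjectClaims` property does not say how the values are matched, which matters for a trust policy: the second hunk passes them verbatim into a `StringLike` condition on the `sub` claim, so `*` and `?` are treated as wildcards and a loosely written entry widens which workflows can assume the role. I would add to the docblock a line such as `* Each entry is matched verbatim against the token's \`sub\` claim with a \`StringLike\` condition, so \`*\`/\`?\` wildcards are honoured; keep entries as specific as possible (e.g. pin a ref or environment).` Since `repos` becomes optional in the same hunk, both `repos` and `subjectClaims` should also state that at least one of the two must be supplied, otherwise the role is created with an empty trust condition list. The `GitHubActionRoleProps` interface continues past the end of this hunk.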
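Review bot: With `repos` now optional, the changed line in the second hunk yields an empty array for the `sub` condition when a caller supplies neither `repos` nor `subjectClaims`, and nothing in the commit rejects that combination; whether CloudFormation/IAM fails on an empty condition list or silently produces an unintended trust policy is not visible here, so the construct should fail fast itself. Before building the principal I would add `if (!props.repos?.length && !props.subjectClaims?.length) {` / `  throw new Error('GitHubActionRole: at least one of "repos" or "subjectClaims" must be provided');` / `}`. The enclosing constructor begins and ends outside this hunk, and `formatRepos` is defined elsewhere in the file.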