From c0e329819eb62c2cfb5611a56289a2017066b1e7 Mon Sep 17 00:00:00 2001
From: Guilherme Caulada
Date: Thu, 29 Aug 2024 17:53:04 -0300
Subject: [PATCH] feat(aws-auth): add workflow_ref claim (#227)
* Add workflow_ref claim to aws-auth
* Update readme
* Run prettier
---
actions/aws-auth/README.md | 16 ++++++++--------
actions/aws-auth/action.yaml | 2 +-
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/actions/aws-auth/README.md b/actions/aws-auth/README.md
index 79123852..c989cca4 100644
--- a/actions/aws-auth/README.md
+++ b/actions/aws-auth/README.md
@@ -22,7 +22,7 @@ jobs: with: aws-region: "us-west-1" role-arn: "arn:aws:iam::366620023056:role/github-actions/s3-test-access"
- pass-claims: "repository_owner, repository_name, job_workflow_ref, event_name"
+ pass-claims: "repository_owner, repository_name, job_workflow_ref, workflow_ref, event_name" set-creds-in-environment: true - id: cat-file-from-s3-bucket 
@@ -35,13 +35,13 @@ jobs:
-| Name | Type | Description |
-| -------------------------- | ------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `aws-region` | String | Specify AWS region to use that contain your resources (default: `us-east-2`) |
-| `role-arn` | String | Specify custom workload role. Role ARN must be prefixed with `github-actions` e.g. `arn:aws:iam::366620023056:role/github-actions/s3-test-access` [^1] |
-| `pass-claims` | String | `, `-separated list of [GitHub Actions claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) (session tags) to make available to `role-arn`. Currently supported claims (default): `"repository_owner, repository_name, job_workflow_ref, event_name"` [^2] |
-| `set-creds-in-environment` | Bool | Set environment variables for AWS CLI and SDKs (default: `true`) |
-| `role-duration-seconds` | String | Role duration in seconds (default: `"3600"`) |
+| Name | Type | Description |
+| -------------------------- | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `aws-region` | String | Specify AWS region to use that contain your resources (default: `us-east-2`) |
+| `role-arn` | String | Specify custom workload role. Role ARN must be prefixed with `github-actions` e.g. 
`arn:aws:iam::366620023056:role/github-actions/s3-test-access` [^1] |
+| `pass-claims` | String | `, `-separated list of [GitHub Actions claims](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token) (session tags) to make available to `role-arn`. Currently supported claims (default): `"repository_owner, repository_name, job_workflow_ref, workflow_ref, event_name"` [^2] |
+| `set-creds-in-environment` | Bool | Set environment variables for AWS CLI and SDKs (default: `true`) |
+| `role-duration-seconds` | String | Role duration in seconds (default: `"3600"`) |
diff --git a/actions/aws-auth/action.yaml b/actions/aws-auth/action.yaml
index 64c874c2..c63fc97b 100644
--- a/actions/aws-auth/action.yaml
+++ b/actions/aws-auth/action.yaml
@@ -11,7 +11,7 @@ inputs: required: true description: "ARN of workload role" pass-claims:
- default: "event_name, repository_owner, repository_name, job_workflow_ref"
+ default: "event_name, repository_owner, repository_name, job_workflow_ref, workflow_ref" required: true description: "`, `-separated claims from GitHub ID token to make available to `role-arn`" set-creds-in-environment:
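Review bot: The changed `default` for `pass-claims` adds a fifth session tag (`workflow_ref`) to every role session of consumers that never set the input, so roles whose trust or permission policies enumerate the expected tag keys (`sts:TagKeys`, `aws:RequestTag/...` conditions) may start rejecting the assume-role call or receive a tag they have not reasoned about; the commit message records the new claim but not that the default, and therefore existing callers, change. The input `description` should also tell policy authors how the two ref claims differ, because they are easy to confuse in a trust policy: per GitHub's OIDC documentation `workflow_ref` identifies the workflow that triggered the run while `job_workflow_ref` identifies the (possibly reusable) workflow actually executing the job, so a policy that pins callers to a reviewed reusable workflow needs the latter — e.g. `description: "`, `-separated claims from the GitHub ID token attached as session tags to `role-arn`; prefer job_workflow_ref (executing workflow) over workflow_ref (triggering workflow) when pinning a reusable workflow"`. Both ref claims embed a branch or tag name chosen by whoever pushed, so conditions on their tag values should use an exact match or a strict prefix; whether the values are passed verbatim (and thus subject to the 256-character and character-set limits on tag values) cannot be checked here since the claim-to-tag code is outside the hunk. The `inputs:` mapping starts before this hunk and continues after it.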