OIDC hardening and defining trust misses some values from subject claims

[janbrasna]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#example-subject-claims

What part(s) of the article would you like to see updated?

"instructs your cloud provider that access token requests may only be granted for requests from workflows running in specific branches, environments. The following sections describe some common subjects you can use."

And then the following chapter demonstrates filtering for branches, environments, tags, and pull_request events.

That would lead me to expecting the tags and events in the quoted paragraph as well.

Additional information

Adding the tags seems straightforward, including the pull request events will need a bit more verbosity or changing that sentence around a bit.

Or, the sentence can be reworded to be taken as an example only, not providing the complete list of options.

[janbrasna]

(I won't even attempt at fixing this myself as the -bot will tell me not to touch anything there, so I'll leave that to others to decide/fixup…)

[nguyenalex836]

@janbrasna Thanks so much for opening an issue! I'll get this triaged for review ✨

[sunbrye]

@janbrasna Thank you for bringing up this source of confusion regarding the documentation about "Example subject claims".
Since this article is restricted by a CODEOWNERS file, we will transfer this internally and work on this fix.

[docs-bot]

Thank you for opening this issue! Updates to this documentation must be made internally. I have copied your issue to an internal issue, so I will close this issue.