Restrict OIDC role assumption to debugger-* tag

Mark R. Tuttle · Mark R. Tuttle · commit 6a48f72dd1bc · 2022-11-11T12:13:08.000-05:00
diff --git a/.github/cloudformation/token.yaml b/.github/cloudformation/token.yaml
@@ -13,6 +13,10 @@ Parameters:
     Type: String
     Description: GitHub repository for the cbmc-proof-debugger
     Default: cbmc-proof-debugger
+  PublicationTag:
+    Type: String
+    Description: GitHub tag triggering the GitHub publication workflow
+    Default: debugger-*
 
 Resources:
 
@@ -44,7 +48,7 @@ Resources:
                 token.actions.githubusercontent.com:aud: sts.amazonaws.com
               StringLike:
                 token.actions.githubusercontent.com:sub:
-                  !Sub repo:${GithubRepoOrganization}/${GithubRepoName}:*
+                  !Sub repo:${GithubRepoOrganization}/${GithubRepoName}:refref:refs/tags/${PublicationTag}
 
       Policies:
         - PolicyName: PublisherTokenAccess
