GitHub Actions OIDC sub-claim wildcards

TL;DR: Mis-scoped sub constraints on AWS/Azure/GCP trust policies let any fork or branch assume the role via GHA OIDC.

Stub — to be filled in.

What it is
TODO

Preconditions / where it applies
TODO

Technique
TODO

Detection and defence
TODO

References
https://medium.com/tinder/identifying-vulnerabilities-in-github-actions-aws-oidc-configurations-8067c400d5b8
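
As an added illustration of the TL;DR (not code from this page or from the referenced article), the static check below audits AWS IAM role trust policies and flags statements that trust the GitHub OIDC provider without a pinned sub. The sample policies, the example-org/example-repo names and the 111122223333 account id are constructed placeholders, and only positive String* condition operators are examined.

```python
PROVIDER = "token.actions.githubusercontent.com"
SUB_KEY = PROVIDER + ":sub"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wild(s):
    return "*" in s or "?" in s  # the two wildcards StringLike understands

def _is_github_oidc(stmt):
    principal = stmt.get("Principal")
    feds = _as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
    return any(str(f).endswith("oidc-provider/" + PROVIDER) for f in feds)

def audit_trust_policy(policy):
    """Return (statement index, finding) pairs for GitHub OIDC Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_github_oidc(stmt):
            continue
        subs = []  # (operator, pattern) pairs that constrain the sub claim
        for op, conds in stmt.get("Condition", {}).items():
            if "not" in op.lower():
                continue  # negated operators do not pin the subject
            for key, val in conds.items():
                if key.lower() == SUB_KEY:  # condition keys are case-insensitive
                    subs += [(op, v) for v in _as_list(val)]
        if not subs:
            findings.append((i, "no sub condition: any GitHub repository matches"))
        for op, pattern in subs:
            if "like" not in op.lower():
                continue  # StringEquals compares literally, so no wildcard risk
            parts = pattern.split(":", 2)  # repo : OWNER/REPO : ref-or-event
            if parts[0] != "repo" or len(parts) < 2 or _wild(parts[1]):
                findings.append((i, f"{pattern}: owner/repository is wildcarded"))
            elif len(parts) == 3 and _wild(parts[2]):
                findings.append((i, f"{pattern}: any ref or event in the repository matches"))
    return findings

def _policy(operator, sub):  # constructed sample policy, placeholder account id
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + PROVIDER},
        "Condition": {operator: {SUB_KEY: sub}}}]}

WEAK_ORG = _policy("StringLike", "repo:example-org/*")
WEAK_REF = _policy("StringLike", "repo:example-org/example-repo:*")
PINNED = _policy("StringEquals", "repo:example-org/example-repo:ref:refs/heads/main")
```

Feed it the `AssumeRolePolicyDocument` of each role; an empty list means every GitHub OIDC statement pins the subject exactly or with a wildcard-free pattern.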