Most GitHub Actions OIDC trust policies allow any repo to assume AWS IAM roles
haitmg.pl
I’m confused how so many repos are allegedly impacted by this. The guidelines have always suggested that you scope the role down to repository and even branch.
Generally, yes, the guidelines specify scope to repos and branches. However, the main problem is that the default policy only checks the recipient declaration when creating an OIDC. If you didn't manually create the second condition, you were/are vulnerable to this bug. And unless someone manually fixed it and created the policy before June 2025, you will still be vulnerable.
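To make the two shapes discussed above concrete, here is an added example (not code from the thread or from any of the commenters) that embeds a constructed weak trust policy, which checks only the audience condition, beside a constructed hardened one that adds the `sub` condition pinned to one repository and branch, and runs a small audit over both. The account id `123456789012` and the repository `example-org/example-repo` are placeholders; the condition keys, the federated principal form and the `sts:AssumeRoleWithWebIdentity` action are the real AWS ones.

```python
import json

OIDC_ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{OIDC_ISSUER}:aud"
SUB_KEY = f"{OIDC_ISSUER}:sub"

# Constructed sample of the weak shape: the only condition is the audience
# ("recipient") check, so a workflow in any GitHub repository that requests a
# token with audience sts.amazonaws.com satisfies it.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {  # placeholder account id
            "Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_ISSUER}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {AUD_KEY: "sts.amazonaws.com"}},
    }],
})

# Constructed sample of the corrected shape: the second condition pins the
# subject claim to a single repository and branch.
HARDENED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {  # placeholder account id
            "Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_ISSUER}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            AUD_KEY: "sts.amazonaws.com",
            SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main",  # placeholder repo
        }},
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _trusts_github_oidc(principal):
    if not isinstance(principal, dict):
        return False
    return any(OIDC_ISSUER in p for p in _as_list(principal.get("Federated")))


def audit_trust_policy(policy_json: str) -> list[str]:
    """Return findings for Allow statements that trust the GitHub OIDC provider.

    A statement with no subject condition lets any repository assume the role;
    a subject pattern that does not pin a repository owner is flagged as well.
    """
    findings = []
    doc = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if "sts:AssumeRoleWithWebIdentity" not in actions and "sts:*" not in actions:
            continue
        if not _trusts_github_oidc(stmt.get("Principal")):
            continue

        # Flatten {"StringEquals": {...}, "StringLike": {...}} into key -> values.
        # IAM condition keys are case-insensitive, so compare lower-cased.
        by_key = {}
        for operator, pairs in (stmt.get("Condition") or {}).items():
            for key, val in pairs.items():
                by_key.setdefault(key.lower(), []).extend(_as_list(val))

        if AUD_KEY.lower() not in by_key:
            findings.append(f"statement {idx}: no audience ({AUD_KEY}) condition")
        subjects = by_key.get(SUB_KEY.lower())
        if not subjects:
            findings.append(
                f"statement {idx}: no {SUB_KEY} condition; any GitHub repository can assume this role"
            )
            continue
        for pattern in subjects:
            # "repo:org/*" is org-scoped and acceptable here; "*" or "repo:*" is not.
            if pattern == "*" or pattern.startswith("repo:*") or not pattern.startswith("repo:"):
                findings.append(f"statement {idx}: subject pattern {pattern!r} does not pin a repository owner")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, audit_trust_policy(policy) or ["ok"])
```

Run against a role's actual trust document (for example the output of `aws iam get-role`, which returns the policy under `Role.AssumeRolePolicyDocument`), the function reports the exact gap the reply above describes: an audience-only condition with no subject pin.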