From 0b848f0049c405888b8e321744dad1ef95dd8620 Mon Sep 17 00:00:00 2001
From: Will Simpson
Date: Mon, 13 Apr 2026 12:56:39 -0700
Subject: [PATCH 1/2] docs: fix misleading claims.workflow example in policies.md

The `workflow` OIDC claim contains the workflow's `name:` field (e.g., "Deploy Production"), not the filename. This means `claims.workflow == "deploy.yml"` only works when the workflow omits the `name:` field entirely. Replace with `claims.workflow_ref` which contains the full canonical path and is reliable for security pinning.

Fixes #18

Co-Authored-By: Claude Opus 4.6
---
 docs/policies.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/policies.md b/docs/policies.md
index 642874f..dd7cc92 100644
--- a/docs/policies.md
+++ b/docs/policies.md
@@ -115,8 +115,9 @@ condition: claims.ref == "refs/heads/main"
 # Ensure the subject claim contains the target repository
 condition: claims.sub.matches("^repo:" + repository + ":.*$")
 
-# Restrict to a specific workflow
-condition: claims.workflow == "deploy.yml" && claims.ref == "refs/heads/main"
+# Restrict to a specific workflow (use workflow_ref, not workflow — the workflow
+# claim contains the workflow's name: field, not the filename)
+condition: claims.workflow_ref == "my-org/my-repo/.github/workflows/deploy.yml@refs/heads/main"
 ```
 
 ### `permissions` (required)

From 0f883a0ad1d3b87be70b7f5e12a91db7f25d15ec Mon Sep 17 00:00:00 2001
From: Will Simpson
Date: Mon, 13 Apr 2026 13:21:13 -0700
Subject: [PATCH 2/2] fix: simplify workflow comment

It doesn't really make sense to tell the user the wrong way to do things
---
 docs/policies.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/docs/policies.md b/docs/policies.md
index dd7cc92..891ead1 100644
--- a/docs/policies.md
+++ b/docs/policies.md
@@ -115,8 +115,7 @@ condition: claims.ref == "refs/heads/main"
 # Ensure the subject claim contains the target repository
 condition: claims.sub.matches("^repo:" + repository + ":.*$")
 
-# Restrict to a specific workflow (use workflow_ref, not workflow — the workflow
-# claim contains the workflow's name: field, not the filename)
+# Restrict to a specific workflow
 condition: claims.workflow_ref == "my-org/my-repo/.github/workflows/deploy.yml@refs/heads/main"
 ```