🚀 [Feature]: OIDC subject claim customization now available for organizations and repositories#563

Open

Copilot wants to merge 4 commits into main from copilot/add-oidc-subject-claim-customization

Conversation

Copilot AI commented Feb 25, 2026

GitHub Actions OIDC token subject claims can now be customized per organization and repository directly from the module. Three new commands provide full control over which claim keys are included in the sub field of OIDC tokens issued to workflows, enabling fine-grained identity configuration for cloud provider trust policies.

New: Discover available OIDC claim keys

Get-GitHubOidcClaim queries the OpenID Connect discovery endpoint for a GitHub instance and returns the list of supported claim keys. No authentication is required.

Get-GitHubOidcClaim
# sub, aud, ref, sha, repository, repository_owner, ...

For GitHub Enterprise instances, pass a Context parameter to target the correct hostname.

New: Retrieve current OIDC subject claim template

Get-GitHubOidcSubjectClaim returns the current customization template at the organization or repository level.

# Organization level
Get-GitHubOidcSubjectClaim -Owner 'PSModule'

# Repository level
Get-GitHubOidcSubjectClaim -Owner 'PSModule' -Repository 'GitHub'

New: Set OIDC subject claim template

Set-GitHubOidcSubjectClaim creates or updates the claim template. Use -UseDefault at the repository level to reset to the organization default.

# Set custom claim keys for an organization
Set-GitHubOidcSubjectClaim -Owner 'PSModule' -IncludeClaimKeys @('repo', 'context', 'ref')

# Set custom claim keys for a repository
Set-GitHubOidcSubjectClaim -Owner 'PSModule' -Repository 'GitHub' -IncludeClaimKeys @('repo', 'ref')

# Reset repository to default template
Set-GitHubOidcSubjectClaim -Owner 'PSModule' -Repository 'GitHub' -UseDefault -IncludeClaimKeys @('repo')

The IncludeClaimKeys parameter supports argument completion powered by Get-GitHubOidcClaim.

Technical Details

  • Private functions (one per API endpoint): Get-GitHubOidcSubjectClaimForOrganization, Get-GitHubOidcSubjectClaimForRepository, Set-GitHubOidcSubjectClaimForOrganization, Set-GitHubOidcSubjectClaimForRepository
  • API endpoints covered: GET/PUT /orgs/{org}/actions/oidc/customization/sub, GET/PUT /repos/{owner}/{repo}/actions/oidc/customization/sub
  • ShouldProcess is delegated from the public Set- function to private functions, consistent with the Set-GitHubSecret pattern
  • Argument completer registered in completers.ps1 using Register-ArgumentCompleter with CompletionMode support
  • Tests added in Actions.Tests.ps1
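As an added example (not code from this PR or from the PSModule/GitHub module), the following PowerShell shows the two defensive checks a caller of these commands would want: an explicit failure instead of a silent fallback to github.com when the host cannot be determined, and validation of a requested template against the discovered claim keys before it is sent to the PUT .../actions/oidc/customization/sub endpoints. The discovery URLs, the function names, and the treatment of repo and context as template-only keys are assumptions.

```powershell
# Added example, not part of the PSModule/GitHub module. Assumed discovery URLs:
# github.com  -> https://token.actions.githubusercontent.com/.well-known/openid-configuration
# GHES host   -> https://<host>/_services/token/.well-known/openid-configuration
function Get-OidcDiscoveryUri {
    param([Parameter(Mandatory)][string]$HostName)
    if ($HostName -eq 'github.com') {
        return 'https://token.actions.githubusercontent.com/.well-known/openid-configuration'
    }
    return "https://$HostName/_services/token/.well-known/openid-configuration"
}

function Get-OidcSupportedClaim {
    param([string]$HostName)
    # Fail instead of silently defaulting to github.com: a mistyped GHES context
    # name must surface as an error, not as github.com's claim list.
    if ([string]::IsNullOrWhiteSpace($HostName)) {
        throw 'Host name could not be resolved; refusing to fall back to github.com.'
    }
    $doc = Invoke-RestMethod -Uri (Get-OidcDiscoveryUri -HostName $HostName) -Method Get
    if (-not $doc.claims_supported) {
        throw "Discovery document for $HostName contains no claims_supported list."
    }
    return [string[]]$doc.claims_supported
}

function New-OidcSubjectClaimBody {
    param(
        [Parameter(Mandatory)][string[]]$IncludeClaimKeys,
        [Parameter(Mandatory)][string[]]$SupportedClaims,
        [switch]$Repository   # repo-level PUT also carries use_default
    )
    # Assumption: 'repo' and 'context' are template keys accepted by the
    # customization endpoint even though they are not claims in the token.
    $allowed = $SupportedClaims + @('repo', 'context')
    $unknown = @($IncludeClaimKeys | Where-Object { $_ -notin $allowed })
    if ($unknown.Count -gt 0) {
        throw "Unsupported claim key(s): $($unknown -join ', '). See Get-GitHubOidcClaim."
    }
    $body = [ordered]@{ include_claim_keys = $IncludeClaimKeys }
    if ($Repository) { $body['use_default'] = $false }
    return ($body | ConvertTo-Json -Compress)
}

# Usage (performs a network call):
# $claims = Get-OidcSupportedClaim -HostName 'github.com'
# New-OidcSubjectClaimBody -IncludeClaimKeys @('repo', 'context', 'ref') -SupportedClaims $claims -Repository
```

Because the check runs before any PUT, a typo in a claim key fails locally instead of producing a trust policy that never matches the token's sub value.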

…positories

Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for OIDC subject claim customization Add OIDC subject claim customization for organizations and repositories Feb 25, 2026
@MariusStorhaug Marius Storhaug (MariusStorhaug) changed the title Add OIDC subject claim customization for organizations and repositories 🚀 [Feature]: OIDC subject claim customization now available for organizations and repositories Feb 26, 2026
@MariusStorhaug Marius Storhaug (MariusStorhaug) marked this pull request as ready for review February 26, 2026 12:44
Copilot AI review requested due to automatic review settings February 26, 2026 12:44
Copilot AI left a comment

Pull request overview

Adds GitHub Actions OIDC subject claim customization support to the module, enabling users to discover available OIDC claim keys and get/set OIDC subject claim templates at the organization or repository level (fixes #562).

Changes:

  • Introduces Get-GitHubOidcClaim, Get-GitHubOidcSubjectClaim, and Set-GitHubOidcSubjectClaim public commands.
  • Adds private per-endpoint implementations for org/repo GET + PUT OIDC subject-claim customization.
  • Registers an argument completer for Set-GitHubOidcSubjectClaim -IncludeClaimKeys and adds Pester coverage in Actions.Tests.ps1.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.

Summary per file:

  • tests/Actions.Tests.ps1: Adds integration-style tests for OIDC claim discovery and org/repo get/set operations.
  • src/functions/public/Actions/OIDC/completers.ps1: Adds argument completion for IncludeClaimKeys using Get-GitHubOidcClaim.
  • src/functions/public/Actions/OIDC/Set-GitHubOidcSubjectClaim.ps1: Public setter routing to org/repo private endpoints with ShouldProcess delegated to private functions.
  • src/functions/public/Actions/OIDC/Get-GitHubOidcSubjectClaim.ps1: Public getter routing to org/repo private endpoints.
  • src/functions/public/Actions/OIDC/Get-GitHubOidcClaim.ps1: Implements OIDC discovery endpoint query to list supported claim keys.
  • src/functions/private/Actions/OIDC/Set-GitHubOidcSubjectClaimForRepository.ps1: PUT repo-level subject claim customization endpoint.
  • src/functions/private/Actions/OIDC/Set-GitHubOidcSubjectClaimForOrganization.ps1: PUT org-level subject claim customization endpoint.
  • src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForRepository.ps1: GET repo-level subject claim customization endpoint.
  • src/functions/private/Actions/OIDC/Get-GitHubOidcSubjectClaimForOrganization.ps1: GET org-level subject claim customization endpoint.

Comment on lines +45 to +57
}

process {
$hostName = 'github.com'
if ($Context) {
if ($Context -is [string]) {
$resolved = Get-GitHubContext -Context $Context -ErrorAction SilentlyContinue
if ($resolved) {
$hostName = $resolved.HostName
}
} elseif ($Context.HostName) {
$hostName = $Context.HostName
}
Copilot AI Feb 26, 2026

Get-GitHubOidcClaim silently falls back to github.com when a string -Context is provided but no matching saved context is found (Get-GitHubContext is called with -ErrorAction SilentlyContinue). This can return claim keys for the wrong host without any error, which is especially problematic for GHE instances. Consider resolving context via Resolve-GitHubContext (it already handles string/null contexts and errors consistently), or explicitly throwing when the named context cannot be resolved instead of defaulting to github.com.

Suggested change
}
process {
$hostName = 'github.com'
if ($Context) {
if ($Context -is [string]) {
$resolved = Get-GitHubContext -Context $Context -ErrorAction SilentlyContinue
if ($resolved) {
$hostName = $resolved.HostName
}
} elseif ($Context.HostName) {
$hostName = $Context.HostName
}
if ($PSBoundParameters.ContainsKey('Context')) {
$Context = Resolve-GitHubContext -Context $Context
}
}
process {
$hostName = 'github.com'
if ($Context -and $Context.HostName) {
$hostName = $Context.HostName
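Review bot: the replacement `process` block still keeps `$hostName = 'github.com'` as the fallback when `$Context` is set but `$Context.HostName` is empty, so a context that resolves without a host name would silently query github.com, which is the behaviour the comment above objects to; a `throw` in that branch is the safer choice. Also, because `Resolve-GitHubContext` is only called under `if ($PSBoundParameters.ContainsKey('Context'))`, a caller who omits `-Context` always gets github.com rather than their saved default context; either resolve the context unconditionally (the comment notes it handles null) or document in the parameter help that no `-Context` means github.com.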

Successfully merging this pull request may close these issues.

Add support for OIDC subject claim customization on organizations and repositories

3 participants