AC
A Wildcard in Your OIDC Trust Policy Trusts Every Repo in the Org. CloudTrail Logs the One That Used It
GitHub-to-AWS keyless auth moved secrets out of your CI, but the sub-claim wildcard most trust policies ship with trusts far more than the author intended. Here is what the detection actually looks like in CloudTrail, and why your allowlist breaks in July 2026.