I’m using GitHub Actions with OIDC to connect to AWS. I want to restrict the role I am assuming so it can only be assumed when certain people trigger the workflow.
I see that the OIDC token has an actor claim (per this and this). I was reading about differentiating triggering actor from executing actor in workflows, so at least in the github context these are differentiated. But what about in the token claim? There is no triggering_actor claim (at present).
If a workflow is re-run, does the actor claim in the OIDC token show the initial executing actor or the triggering actor?
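The quickest way to settle what `actor` holds on a re-run is to decode the token the job receives and look at `actor` next to `run_attempt`. The script below is an added example, not code from the question author or from GitHub: it fetches nothing from the network, builds a constructed sample token whose claim names mirror GitHub's OIDC token (the values and the signature are made up), decodes the payload, and applies an allow-list gate on `actor` plus `repository`. The allow-list, the repository name and the `actor_gate`/`make_unsigned_sample_token` helpers are this example's own assumptions. If your relying party cannot condition on `actor` directly, a gate like this would have to run in a broker service that verifies the token itself, or the actor would have to be folded into the `sub` claim via GitHub's claim customization; the example does not take a position on what `actor` contains after a re-run.

```python
import base64
import json

GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(jwt: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Fine for printing claims in a workflow log to see what `actor` holds on a
    re-run. A relying party (AWS STS, or your own broker) must verify the
    signature against GITHUB_OIDC_ISSUER + "/.well-known/jwks" and check
    `iss`, `aud` and `exp` before trusting any claim.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def actor_gate(claims: dict, allowed_actors: set, expected_repository: str) -> tuple:
    """Decide whether this token may assume the role; returns (allowed, reason).

    Checks the claims the question is about: `actor` (whoever the token
    attributes the run to) plus `repository`, so a permitted actor in some
    other repository cannot borrow the role. `run_attempt` is echoed so the
    caller can tell a first run from a re-run. Hypothetical helper.
    """
    if claims.get("iss") != GITHUB_OIDC_ISSUER:
        return False, "unexpected issuer %r" % claims.get("iss")
    if claims.get("repository") != expected_repository:
        return False, "repository %r not permitted" % claims.get("repository")
    actor = claims.get("actor")
    attempt = claims.get("run_attempt")
    if actor not in allowed_actors:
        return False, "actor %r not in allow-list (run_attempt=%s)" % (actor, attempt)
    return True, "actor %r permitted (run_attempt=%s)" % (actor, attempt)


def make_unsigned_sample_token(actor: str, run_attempt: str) -> str:
    """Constructed sample token: claim names follow GitHub's OIDC token, the
    values are invented and the signature is a dummy (real verification would
    reject it). Exists only so the example runs offline."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-kid"}
    payload = {
        "iss": GITHUB_OIDC_ISSUER,
        "aud": "sts.amazonaws.com",
        "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
        "repository": "octo-org/octo-repo",
        "ref": "refs/heads/main",
        "actor": actor,
        "actor_id": "583231",
        "run_id": "1234567890",
        "run_attempt": run_attempt,
        "event_name": "workflow_dispatch",
    }
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([compact(header), compact(payload), _b64url_encode(b"dummy-signature")])


if __name__ == "__main__":
    # In a job with `permissions: id-token: write`, the real token comes from:
    #   curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
    #        "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=sts.amazonaws.com" | jq -r .value
    # Pipe that value into decode_claims() in place of the constructed sample.
    allowed = {"octocat"}
    for token in (make_unsigned_sample_token("octocat", "2"),
                  make_unsigned_sample_token("hubot", "1")):
        claims = decode_claims(token)
        print({"actor": claims["actor"], "run_attempt": claims["run_attempt"]},
              actor_gate(claims, allowed, "octo-org/octo-repo"))
```

Run it once on a first run and once on a re-run triggered by a different user, and the printed `actor`/`run_attempt` pair answers the question for your own repository; the gate logic then carries over unchanged to whatever service actually verifies the token.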