
GitHub OIDC trust condition #382

Closed
drey0143143 opened this issue Feb 11, 2022 · 4 comments
Labels
duplicate This issue or pull request already exists

Comments

drey0143143 commented Feb 11, 2022

I would like to create a trust relationship for an AWS role federated from GitHub via OIDC
that restricts access to requesting a token based on the 2 conditions below:
a pull request to master in this repo
a push to master in this repo

I currently have the below condition working but am struggling to restrict the permissions of the role in AWS to only a pull request to master (and not to any branch).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/token.actions.githubusercontent.com"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "ForAnyValue:StringLike": {
                    "token.actions.githubusercontent.com:sub": [
                        "repo:opeville/identity-opeville:ref:refs/heads/master",
                        "repo:opeville/identity-opeville:pull_request"
                    ]
                }
            }
        }
    ]
}
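As an added example (not code from the issue), a small Python evaluator that applies IAM StringLike matching to the two sub patterns from the trust policy above against constructed sample sub claims. It makes the gap described in the post visible: GitHub's default pull_request subject is just repo:ORG/REPO:pull_request and carries no base branch, so a pull request into any branch matches the same pattern as one into master.

```python
import re

# Condition block copied from the trust policy in the issue.
# sub is a single-valued claim, so ForAnyValue:StringLike here behaves like a
# plain StringLike with "any of these patterns" semantics.
TRUST_CONDITION = {
    "ForAnyValue:StringLike": {
        "token.actions.githubusercontent.com:sub": [
            "repo:opeville/identity-opeville:ref:refs/heads/master",
            "repo:opeville/identity-opeville:pull_request",
        ]
    }
}

# Constructed sample sub claims in the format GitHub's OIDC provider emits by default.
SAMPLE_SUBS = {
    "push to master": "repo:opeville/identity-opeville:ref:refs/heads/master",
    "push to feature branch": "repo:opeville/identity-opeville:ref:refs/heads/feature-x",
    "pull request into master": "repo:opeville/identity-opeville:pull_request",
    "pull request into develop": "repo:opeville/identity-opeville:pull_request",
    "push to master in another repo": "repo:someone-else/identity-opeville:ref:refs/heads/master",
}


def iam_string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def sub_allowed(sub: str, condition: dict = TRUST_CONDITION) -> bool:
    """True if the sub claim satisfies at least one pattern in the condition."""
    patterns = condition["ForAnyValue:StringLike"]["token.actions.githubusercontent.com:sub"]
    return any(iam_string_like(p, sub) for p in patterns)


def evaluate_samples() -> dict:
    """Map each constructed scenario to whether the trust policy would admit it."""
    return {name: sub_allowed(sub) for name, sub in SAMPLE_SUBS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:32} -> {'ALLOW' if allowed else 'deny'}")
```

Both pull request scenarios evaluate to ALLOW because their sub claims are byte-for-byte identical; the target branch of a pull request is simply not present in the default subject, so no sub pattern alone can tell them apart.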
@VariableExp0rt

I might be way off with this suggestion, but would it be worth doing this on the GH actions side? Something like

on:
  pull_request_target:
    types:
      - opened
    branches:
      - 'master'
  push:
    branches:
      - 'master'

Reference: GH docs

@peterwoodworth peterwoodworth added needs-triage This issue still needs to be triaged duplicate This issue or pull request already exists and removed needs-triage This issue still needs to be triaged labels Oct 4, 2022
@peterwoodworth
Contributor

Closing in favor of #390, thanks for the issue submission!

@github-actions

⚠️Comment Visibility Warning⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@peterwoodworth
Contributor

Sorry, there's another related issue I meant to link to. #454

The last issue I linked isn't a direct duplicate since that feature request won't work for OIDC
