From 8345f6ef149dfbf5645ab76749e3d7d6dbfdf541 Mon Sep 17 00:00:00 2001
From: Daniel Boring <30814950+DanielBoring@users.noreply.github.com>
Date: Fri, 24 Apr 2026 17:22:45 -0400
Subject: [PATCH] fix(github): use API-resolved org login for OIDC subject claims
Use data.github_organization.alz.login instead of var.organization_name when constructing OIDC subject claims for federated credentials. This preserves exact org casing in the repo: segment to match GitHub token assertions and avoid AADSTS7002138 case-sensitive matching failures. Also lower-case the org in job_workflow_ref template composition to align with observed GitHub token behavior for reusable workflow refs.
---
 modules/github/locals.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/github/locals.tf b/modules/github/locals.tf
index b8d5b9a7..dd745f15 100644
--- a/modules/github/locals.tf
+++ b/modules/github/locals.tf
@@ -18,14 +18,14 @@ locals {
 locals {
 repository_name_templates = var.use_template_repository ? var.repository_name_templates : var.repository_name
- template_claim_structure = "${var.organization_name}/${local.repository_name_templates}/%s@refs/heads/main"
+ template_claim_structure = "${lower(data.github_organization.alz.login)}/${local.repository_name_templates}/%s@refs/heads/main"
 oidc_subjects_flattened = flatten([for key, value in var.workflows : [
 for environment_user_assigned_managed_identity_mapping in value.environment_user_assigned_managed_identity_mappings : {
 subject_key = "${key}-${environment_user_assigned_managed_identity_mapping.user_assigned_managed_identity_key}"
 user_assigned_managed_identity_key = environment_user_assigned_managed_identity_mapping.user_assigned_managed_identity_key
- subject = "repo:${var.organization_name}/${var.repository_name}:environment:${var.environments[environment_user_assigned_managed_identity_mapping.environment_key]}:job_workflow_ref:${format(local.template_claim_structure, value.workflow_file_name)}"
+ subject = "repo:${data.github_organization.alz.login}/${var.repository_name}:environment:${var.environments[environment_user_assigned_managed_identity_mapping.environment_key]}:job_workflow_ref:${format(local.template_claim_structure, value.workflow_file_name)}"
 }
 ]
 ])
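Review bot: The deliberate casing split — `lower()` on the org in `template_claim_structure` but the raw `data.github_organization.alz.login` in the `repo:` segment of `subject` — is explained only in the commit message, so a later reader is likely to "normalize" one line to match the other and silently break the federated credential match. A comment on the two changed lines would pin the contract: `# repo: keeps the API login casing verbatim (Entra subject matching is case-sensitive, AADSTS7002138); job_workflow_ref is lower-cased to match what GitHub emits for reusable workflow refs`. The message justifies the lower-casing as "observed" GitHub token behavior rather than a documented guarantee, which the comment should say as well, since a change on GitHub's side would surface only as authentication failures. The hunk does not show the `data "github_organization" "alz"` declaration, so I assume it exists elsewhere in the module and that its lookup still keys off `var.organization_name`; the closing brace of the `locals` block is outside the hunk.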