From f8b94662ea368b407b0fcddde207588ee5105abf Mon Sep 17 00:00:00 2001 From: Bartosz Blizniak Date: Fri, 19 Dec 2025 15:52:54 +0000 Subject: [PATCH 1/2] change default audience for oidc --- CHANGELOG.md | 4 ++++ README.md | 11 ++++++++--- action.yml | 4 ++-- dist/index.js | 6 ++++-- src/main.js | 3 ++- src/oidc-auth.js | 2 +- 6 files changed, 21 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4903e6d..a142da9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,15 +8,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] --- +## [2.0.0] - 2025-12-19 +--- ### Breaking Changes - **Node.js requirement updated to 24+** - The action now requires Node.js 24 or higher. If you're using this action, GitHub Actions will automatically use Node 24 runtime. For development and testing, ensure you have Node 24+ installed. +- **OIDC audience default changed** - The `oidc-audience` input now defaults to `https://github.com/{org-name}` (using `GITHUB_REPOSITORY_OWNER`) instead of the generic `api://AzureADTokenExchange`. This provides organization-specific audience claims for better security. If you are currently relying on the old default and using the `aud` claim for validation, you must either update your validation logic or explicitly set `oidc-audience: 'api://AzureADTokenExchange'` to maintain the previous behavior. ### Changed - Updated `action.yml` to use `node24` runtime - Updated test workflows to run on Node 24 - Updated documentation to v2 +- OIDC Audience defaults to `https://github.com/{org-name}` from `api://AzureADTokenExchange` ## [1.0.0] - 2024 --- diff --git a/README.md b/README.md index f352de1..8b432c3 100644 --- a/README.md +++ b/README.md 
@@ -8,9 +8,14 @@
 This GitHub Action installs the Cloudsmith CLI and pre-authenticates it using OIDC or API Key. 🚀
-**⚠️ Notice:** The `@v2` of the cloudsmith cli action now runs on Node24 as a minimum requirement. If you still rely on Node20, please use `@v1` and plan for future migration.
+## ⚠️ Important Notices for v2
+
+**Breaking Changes:**
+- **Node.js 24 Required:** `@v2` requires Node.js 24 as a minimum. If you still rely on Node.js 20, please use `@v1` and plan for future migration.
+- **OIDC Audience Default Changed:** The default OIDC audience has changed from `api://AzureADTokenExchange` to `https://github.com/{org-name}` (using `GITHUB_REPOSITORY_OWNER`) for improved security. If you're using OIDC with audience claim validation, you may need to update your configuration or explicitly set `oidc-audience: 'api://AzureADTokenExchange'` to maintain the previous behavior.
+
+> **⚠️ Notice:** If you are running on self-hosted runners, Python version 3.9 or higher is required. Please ensure your runner meets this requirement to avoid any issues. We recommend using [setup-python](https://github.com/actions/setup-python) action for installing Python. 🐍
-**⚠️ Notice:** If you are running on self-hosted runners, Python version 3.9 or higher is required. Please ensure your runner meets this requirement to avoid any issues. We recommend using [setup-python](https://github.com/actions/setup-python) action for installing Python. 🐍
 ## Inputs
@@ -24,7 +29,7 @@ This GitHub Action installs the Cloudsmith CLI and pre-authenticates it using OI
 | `oidc-service-slug` | Cloudsmith service account slug for OIDC | No | - |
 | `oidc-auth-only` | Only perform OIDC authentication without installing the CLI | No | `false` |
 | `oidc-auth-retry` | Number of retry attempts for OIDC authentication (0-10), 5 seconds delay between retries | No | `3` |
-| `oidc-audience` | Audience to request when retrieving the GitHub OIDC token. Use `https://github.com/` for standard GitHub audience | No | `api://AzureADTokenExchange` |
+| `oidc-audience` | Audience to request when retrieving the GitHub OIDC token. Defaults to `https://github.com/{org-name}` using GITHUB_REPOSITORY_OWNER. You can override with a custom value like `api://AzureADTokenExchange` if needed. | No | `https://github.com/{org-name}` (dynamic) |
 | `pip-install` | Install the Cloudsmith CLI via pip | No | - |
 | `executable-path` | Path to the Cloudsmith CLI executable | No | `GITHUB_WORKSPACE/bin/` |
diff --git a/action.yml b/action.yml
index 74c9b38..d73d24b 100644
--- a/action.yml
+++ b/action.yml
@@ -31,8 +31,8 @@ inputs:
 default: 'true'
 required: false
 oidc-audience:
- description: 'Audience to request when retrieving the GitHub OIDC token (defaults to api://AzureADTokenExchange). Set to https://github.com/ for the standard GitHub audience.'
- default: 'api://AzureADTokenExchange'
+ description: 'Audience to request when retrieving the GitHub OIDC token. Defaults to https://github.com/{org-name} using GITHUB_REPOSITORY_OWNER. You can override this with a custom value like api://AzureADTokenExchange if needed.'
+ default: ''
 required: false
 pip-install:
 description: 'Install the Cloudsmith CLI via pip'
diff --git a/dist/index.js b/dist/index.js
index 5a59b77..58c684f 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -35835,7 +35835,7 @@ async function authenticate(
 apiHost,
 retryAttempts = 3,
 validateToken = true,
- oidcAudience = 'api://AzureADTokenExchange',
+ oidcAudience = '',
 ) {
 const baseUrl = `https://${apiHost || DEFAULT_API_HOST}`;
 let idToken;
@@ -45712,7 +45712,9 @@ async function run() {
 10,
 );
 const oidcTokenValidate = core.getBooleanInput("oidc-token-validate");
- const oidcAudience = core.getInput("oidc-audience");
+ const oidcAudienceInput = core.getInput("oidc-audience");
+ // Default to https://github.com/{org-name} format for better security
+ const oidcAudience = oidcAudienceInput || `https://github.com/${process.env.GITHUB_REPOSITORY_OWNER || ''}`;
 // Cloudsmith CLI optional inputs
 const apiHost = core.getInput("api-host");
diff --git a/src/main.js b/src/main.js
index 231ab39..b5049eb 100644
--- a/src/main.js
+++ b/src/main.js
@@ -14,7 +14,8 @@ async function run() {
 10,
 );
 const oidcTokenValidate = core.getBooleanInput("oidc-token-validate");
- const oidcAudience = core.getInput("oidc-audience");
+ const oidcAudienceInput = core.getInput("oidc-audience");
+ const oidcAudience = oidcAudienceInput || `https://github.com/${process.env.GITHUB_REPOSITORY_OWNER || ''}`;
 // Cloudsmith CLI optional inputs
 const apiHost = core.getInput("api-host");
diff --git a/src/oidc-auth.js b/src/oidc-auth.js
index 7ebe78f..105e1a3 100644
--- a/src/oidc-auth.js
+++ b/src/oidc-auth.js
@@ -135,7 +135,7 @@ async function authenticate(
 apiHost,
 retryAttempts = 3,
 validateToken = true,
- oidcAudience = 'api://AzureADTokenExchange',
+ oidcAudience = '',
 ) {
 const baseUrl = `https://${apiHost || DEFAULT_API_HOST}`;
 let idToken;
From 68a5514eed32579b0840be6cb7e31a0150c6bd9e Mon Sep 17 00:00:00 2001
From: Bartosz Blizniak
Date: Fri, 19 Dec 2025 15:53:56 +0000
Subject: [PATCH 2/2] npm build
---
 dist/index.js | 1 -
 1 file changed, 1 deletion(-)
diff --git a/dist/index.js b/dist/index.js
index 58c684f..759f996 100644
--- a/dist/index.js
+++ b/dist/index.js
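Review bot: In the src/main.js hunk, `process.env.GITHUB_REPOSITORY_OWNER || ''` degrades to the bare audience `https://github.com/` whenever the variable is unset, so the token is silently requested with a broader, non-organization-specific audience — the opposite of what the changelog entry promises — instead of failing. I would make a missing owner an error when no explicit input was given, e.g. `if (!oidcAudienceInput && !process.env.GITHUB_REPOSITORY_OWNER) { throw new Error("oidc-audience not set and GITHUB_REPOSITORY_OWNER is unavailable"); }` placed before the `const oidcAudience` line; run() continues outside the hunk, so I am assuming its existing error handling surfaces the throw. The same fallback appears in the dist/index.js hunk of this patch and in PATCH 2/2, which are build output and should simply follow src/main.js. A short comment such as `// Empty input means "derive from the repository owner"; an explicit value (e.g. api://AzureADTokenExchange) always wins` would also help, since the bundle's only explanatory comment is removed again in the follow-up commit.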
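Review bot: In the src/oidc-auth.js hunk, `authenticate()`'s default for `oidcAudience` becomes the empty string, so any caller that omits the argument now requests a token with an empty audience, while the documented default `https://github.com/{org-name}` is computed only in main.js; the two defaults can drift, and what an empty audience actually does is decided by code outside this hunk. Either derive the owner-based default here as well, so `authenticate` is safe on its own, or state the contract in the function's JSDoc, e.g. `@param {string} [oidcAudience=''] - audience claim to request; callers are expected to pass the org-specific URL, and the behaviour of an empty value should be spelled out here`. The rest of `authenticate` runs past the hunk, and the identical change appears in the dist/index.js hunk at 35835 of that bundle.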
@@ -45713,7 +45713,6 @@ async function run() {
 );
 const oidcTokenValidate = core.getBooleanInput("oidc-token-validate");
 const oidcAudienceInput = core.getInput("oidc-audience");
- // Default to https://github.com/{org-name} format for better security
 const oidcAudience = oidcAudienceInput || `https://github.com/${process.env.GITHUB_REPOSITORY_OWNER || ''}`;
 // Cloudsmith CLI optional inputs