Merged
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -8,15 +8,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
---

## [2.0.0] - 2025-12-19
---
### Breaking Changes

- **Node.js requirement updated to 24+** - The action now requires Node.js 24 or higher. If you're using this action, GitHub Actions will automatically use Node 24 runtime. For development and testing, ensure you have Node 24+ installed.
- **OIDC audience default changed** - The `oidc-audience` input now defaults to `https://github.com/{org-name}` (using `GITHUB_REPOSITORY_OWNER`) instead of the generic `api://AzureADTokenExchange`. This provides organization-specific audience claims for better security. If you are currently relying on the old default and using the `aud` claim for validation, you must either update your validation logic or explicitly set `oidc-audience: 'api://AzureADTokenExchange'` to maintain the previous behavior.

### Changed

- Updated `action.yml` to use `node24` runtime
- Updated test workflows to run on Node 24
- Updated documentation to v2
- OIDC Audience defaults to `https://github.com/{org-name}` from `api://AzureADTokenExchange`

## [1.0.0] - 2024
---
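Review bot: the last bullet under "Changed" (`OIDC Audience defaults to https://github.com/{org-name} from api://AzureADTokenExchange`) restates the Breaking Changes bullet a few lines above it; keep it in one place, preferably under Breaking Changes where the migration advice already lives. Two wording points in that Breaking Changes bullet: `{org-name}` is derived from `GITHUB_REPOSITORY_OWNER`, which is the repository owner and is a username for personal repositories, so `{owner}` describes the value accurately; and "for better security" should say which check gets stronger, namely the `aud` validation that the same bullet tells readers to update, since a token minted for an owner-specific audience is no longer interchangeable with one minted for the shared `api://AzureADTokenExchange` value.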
11 changes: 8 additions & 3 deletions README.md
Expand Up @@ -8,9 +8,14 @@

This GitHub Action installs the Cloudsmith CLI and pre-authenticates it using OIDC or API Key. 🚀

**⚠️ Notice:** The `@v2` of the cloudsmith cli action now runs on Node24 as a minimum requirement. If you still rely on Node20, please use `@v1` and plan for future migration.
## ⚠️ Important Notices for v2

**Breaking Changes:**
- **Node.js 24 Required:** `@v2` requires Node.js 24 as a minimum. If you still rely on Node.js 20, please use `@v1` and plan for future migration.
- **OIDC Audience Default Changed:** The default OIDC audience has changed from `api://AzureADTokenExchange` to `https://github.com/{org-name}` (using `GITHUB_REPOSITORY_OWNER`) for improved security. If you're using OIDC with audience claim validation, you may need to update your configuration or explicitly set `oidc-audience: 'api://AzureADTokenExchange'` to maintain the previous behavior.

> **⚠️ Notice:** If you are running on self-hosted runners, Python version 3.9 or higher is required. Please ensure your runner meets this requirement to avoid any issues. We recommend using [setup-python](https://github.com/actions/setup-python) action for installing Python. 🐍

**⚠️ Notice:** If you are running on self-hosted runners, Python version 3.9 or higher is required. Please ensure your runner meets this requirement to avoid any issues. We recommend using [setup-python](https://github.com/actions/setup-python) action for installing Python. 🐍

## Inputs
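Review bot: the "OIDC Audience Default Changed" bullet says users "may need to update your configuration" without saying which configuration; state it as the CHANGELOG does, i.e. whatever validates the token's `aud` claim on the Cloudsmith side, and give the two concrete options (change that expected value to `https://github.com/{owner}`, or pin `oidc-audience: 'api://AzureADTokenExchange'`). `{org-name}` should read `{owner}` here as well, since `GITHUB_REPOSITORY_OWNER` is a username for repositories under a personal account. The self-hosted runner notice losing its `>` blockquote is fine, but it now reads as a third breaking change under the "Important Notices for v2" heading; a blank line or a sub-heading separating it from the breaking-changes list would avoid that.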

Expand All @@ -24,7 +29,7 @@ This GitHub Action installs the Cloudsmith CLI and pre-authenticates it using OI
| `oidc-service-slug` | Cloudsmith service account slug for OIDC | No | - |
| `oidc-auth-only` | Only perform OIDC authentication without installing the CLI | No | `false` |
| `oidc-auth-retry` | Number of retry attempts for OIDC authentication (0-10), 5 seconds delay between retries | No | `3` |
| `oidc-audience` | Audience to request when retrieving the GitHub OIDC token. Use `https://github.com/<org-name>` for standard GitHub audience | No | `api://AzureADTokenExchange` |
| `oidc-audience` | Audience to request when retrieving the GitHub OIDC token. Defaults to `https://github.com/{org-name}` using GITHUB_REPOSITORY_OWNER. You can override with a custom value like `api://AzureADTokenExchange` if needed. | No | `https://github.com/{org-name}` (dynamic) |
| `pip-install` | Install the Cloudsmith CLI via pip | No | - |
| `executable-path` | Path to the Cloudsmith CLI executable | No | `GITHUB_WORKSPACE/bin/` |
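Review bot: the default column for `oidc-audience` now shows `https://github.com/{org-name}` (dynamic), but the matching action.yml change sets `default: ''`; the table should say that an empty or unset input is what selects the computed value, so readers understand that there is no way to request a token with no audience at all and that the old `api://AzureADTokenExchange` value must be set explicitly to keep v1 behaviour. The description should also name the source of `{org-name}` precisely (`GITHUB_REPOSITORY_OWNER`, a username for personal repositories), and the row would benefit from stating what the workflow sees when that variable is absent, which the code in this PR handles by falling back to `https://github.com/`.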

4 changes: 2 additions & 2 deletions action.yml
Expand Up @@ -31,8 +31,8 @@ inputs:
default: 'true'
required: false
oidc-audience:
description: 'Audience to request when retrieving the GitHub OIDC token (defaults to api://AzureADTokenExchange). Set to https://github.com/<org-name> for the standard GitHub audience.'
default: 'api://AzureADTokenExchange'
description: 'Audience to request when retrieving the GitHub OIDC token. Defaults to https://github.com/{org-name} using GITHUB_REPOSITORY_OWNER. You can override this with a custom value like api://AzureADTokenExchange if needed.'
default: ''
required: false
pip-install:
description: 'Install the Cloudsmith CLI via pip'
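Review bot: `default: ''` combined with a description that promises an owner-derived default means the action metadata no longer documents the effective value; action.yml defaults cannot reference environment variables, so computing it in main.js is the right place, but the description should say that the empty string is a sentinel resolved at runtime from `GITHUB_REPOSITORY_OWNER`. It would also help to name the consequence for users who previously relied on the v1 default: setting the input to an empty string does not disable the audience, it selects the computed one, and `api://AzureADTokenExchange` has to be written out to keep the old behaviour.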
5 changes: 3 additions & 2 deletions dist/index.js
Expand Up @@ -35835,7 +35835,7 @@ async function authenticate(
apiHost,
retryAttempts = 3,
validateToken = true,
oidcAudience = 'api://AzureADTokenExchange',
oidcAudience = '',
) {
const baseUrl = `https://${apiHost || DEFAULT_API_HOST}`;
let idToken;
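Review bot: this is the bundled copy of the `oidcAudience = ''` default that src/oidc-auth.js changes in the same PR; the two match here, but since dist/index.js is generated, the PR should include (or CI should enforce) a check that dist was rebuilt from this exact src so the compiled default cannot drift from the source default in a later commit.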
Expand Down Expand Up @@ -45712,7 +45712,8 @@ async function run() {
10,
);
const oidcTokenValidate = core.getBooleanInput("oidc-token-validate");
const oidcAudience = core.getInput("oidc-audience");
const oidcAudienceInput = core.getInput("oidc-audience");
const oidcAudience = oidcAudienceInput || `https://github.com/${process.env.GITHUB_REPOSITORY_OWNER || ''}`;

// Cloudsmith CLI optional inputs
const apiHost = core.getInput("api-host");
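Review bot: `process.env.GITHUB_REPOSITORY_OWNER || ''` makes the computed audience `https://github.com/` whenever the variable is unset (for example under a local test harness), and the token request then proceeds with that malformed audience instead of failing; the same fallback appears in src/main.js in this PR, and because this file is the generated bundle the fix belongs there with dist rebuilt afterwards. Prefer failing fast when neither an explicit `oidc-audience` input nor `GITHUB_REPOSITORY_OWNER` is available, e.g. `core.setFailed(...)` and return before calling authenticate.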
3 changes: 2 additions & 1 deletion src/main.js
Expand Up @@ -14,7 +14,8 @@ async function run() {
10,
);
const oidcTokenValidate = core.getBooleanInput("oidc-token-validate");
const oidcAudience = core.getInput("oidc-audience");
const oidcAudienceInput = core.getInput("oidc-audience");
const oidcAudience = oidcAudienceInput || `https://github.com/${process.env.GITHUB_REPOSITORY_OWNER || ''}`;

// Cloudsmith CLI optional inputs
const apiHost = core.getInput("api-host");
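Review bot: the fallback on the new `oidcAudience` line yields `https://github.com/` when `GITHUB_REPOSITORY_OWNER` is unset, which silently requests a token for a malformed audience rather than reporting the misconfiguration. Suggest resolving the owner first and failing when neither source is present, something like `const owner = process.env.GITHUB_REPOSITORY_OWNER;` followed by `if (!oidcAudienceInput && !owner) { core.setFailed("oidc-audience not set and GITHUB_REPOSITORY_OWNER is unavailable"); return; }` before building the URL. The PR also changes no test file for this branch; a unit test covering the explicit-input, computed-owner and missing-owner cases would document the intended behaviour, since the CHANGELOG calls this a breaking change.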
2 changes: 1 addition & 1 deletion src/oidc-auth.js
Expand Up @@ -135,7 +135,7 @@ async function authenticate(
apiHost,
retryAttempts = 3,
validateToken = true,
oidcAudience = 'api://AzureADTokenExchange',
oidcAudience = '',
) {
const baseUrl = `https://${apiHost || DEFAULT_API_HOST}`;
let idToken;
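Review bot: the default is now defined in two places with two different values: `''` in this signature and the computed `https://github.com/<owner>` URL in src/main.js, so a direct caller of `authenticate` (tests, or any other entry point) gets a different audience than the action does. Keep one source of truth, for example by moving the `GITHUB_REPOSITORY_OWNER` fallback into `authenticate` so every caller resolves the audience the same way. If the value is passed straight to `core.getIDToken`, note in a comment that `@actions/core` treats an empty string as "no audience parameter" and GitHub then issues a token whose `aud` is the repository owner URL, so the two paths coincide in practice but for different reasons; relying on that coincidence without stating it is fragile.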