Update versioning for oidc custom claims (#30244)

Martin Lopes 2022-08-25 10:19:58 +10:00 committed by GitHub
Parent 28423ba069
Commit 7892db7cc9
No key found matching this signature
GPG key ID: 4AEE18F83AFDEB23
2 changed files: 6 additions and 1 deletion

View file

@ -243,10 +243,12 @@ curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOK
{% ifversion actions-oidc-hardening-config %}
## Customizing the token claims
You can security harden your OIDC configuration by customizing the claims that are included with the JWT. This allows your cloud provider to apply more granular trust conditions when determining whether to grant access to its resources. For example, you can customize the issuer (`iss`) claim to only allow access from a specific enterprise URL, and you can customize the subject (`sub`) value to require that requests originate from a specific repository, reusable workflow, or other source.
You can security harden your OIDC configuration by customizing the claims that are included with the JWT. This allows your cloud provider to apply more granular trust conditions when determining whether to grant access to its resources. For example, {% ifversion ghec %}you can customize the issuer (`iss`) claim to only allow access from a specific enterprise URL, and {% endif %}you can customize the subject (`sub`) value to require that requests originate from a specific repository, reusable workflow, or other source.
To configure the claim conditions on {% data variables.product.prodname_dotcom %}, you can use the REST API endpoints described in the following sections.
{% ifversion ghec %}
### Switching to a unique token URL
By default, the JWT is issued by {% data variables.product.prodname_dotcom %}'s OIDC provider at `https://token.actions.githubusercontent.com`. This path is presented to your cloud provider using the `iss` value in the JWT.
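Review bot: the `{% ifversion ghec %}` ... `{% endif %}` pair added in the replacement paragraph guards only the issuer (`iss`) sentence, which is consistent with the `{% ifversion ghec %}` guard on the "Switching to a unique token URL" heading below it; for non-GHEC builds the sentence collapses to "For example, you can customize the subject (`sub`) value ..." and still reads correctly, and the spacing around the mid-sentence Liquid tag (`For example, {% ifversion ghec %}you can`) is right in both renderings, which is easy to get wrong. While this line is being touched, "You can security harden your OIDC configuration" would read better as "You can harden your OIDC configuration".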
@ -272,6 +274,8 @@ After this setting is applied, the JWT will contain the updated `iss` value. In
}
```
{% endif %}
### Customizing the subject claims for an organization
To configure organization-wide security, compliance, and standardization, you can customize the standard claims to suit your required access conditions. If your cloud provider supports conditions on subject claims, you can create a condition that checks whether the `sub` value matches the path of the reusable workflow, such as `"job_workflow_ref: "octo-org/octo-automation/.github/workflows/oidc.yml@refs/heads/main""`. The exact format will vary depending on your cloud provider's OIDC configuration. To configure the matching condition on {% data variables.product.prodname_dotcom %}, you can can use the REST API to require that the `sub` claim must always include a specific custom claim, such as `job_workflow_ref`. For more information, see "[Set the customization template for an OIDC subject claim for an organization](/rest/actions/oidc#set-the-customization-template-for-an-oidc-subject-claim-for-an-organization)."

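Review bot: the `{% endif %}` placed after the closing code fence must close the `{% ifversion ghec %}` opened at "Switching to a unique token URL" in the previous hunk, not the outer `{% ifversion actions-oidc-hardening-config %}` block, which still needs its own `{% endif %}` further down; it is worth rendering the page for a non-GHEC version to confirm the "Customizing the subject claims for an organization" section survives. The context line below has a pre-existing typo, "you can can use the REST API", that could be fixed in the same change.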
View file

@ -1,5 +1,6 @@
# Reference: #7336
# General versioning for oidc hardening options
versions:
fpt: '*'
ghec: '*'
ghes: '>=3.7'
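Review bot: adding `ghes: '>=3.7'` to the general hardening feature flag makes the whole "Customizing the token claims" section appear for GHES 3.7 and later, while the unique-issuer subsection is held to GHEC only by a separate `{% ifversion ghec %}` in the content file; that split is not visible from this file, so a short comment beside `# General versioning for oidc hardening options` noting that the unique token URL remains GHEC-only would help the next editor. `# Reference: #7336` also does not say which tracker the number belongs to; a full link would be clearer.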