failing with 403 on push to main but working in PR workflows

[bcheidemann]

I have configured the allowed subjects in the Infisical dashboard as repo:my-org/my-repo:*.

By convention, this should allow both repo:my-org/my-repo:pull_request and repo:my-org/my-repo:ref:refs/heads/main. However, it only works for the former.

I wasn't able to find any documentation detailing exactly how subject filters are evaluated (just a comment in the dashboard that "This field supports glob patterns").

I've tried a few approaches and all have failed so far...

subject filter	PR trigger	push to main trigger
repo:my-org/my-repo:pull_request	✓	❌ (403)
repo:my-org/my-repo:ref:refs/heads/main	❌ (403)	✓
repo:my-org/my-repo:*	✓	❌ (403)
repo:my-org/my-repo:**	✓	❌ (403)
repo:my-org/my-repo:**/*	❌ (403)	❌ (403)
repo:my-org/my-repo:pull_request,repo:my-org/my-repo:ref:refs/heads/main	❌ (403)	❌ (403)

Is there any documentation for the evaluation behavior? Alternatively, is there a solution for this problem or is this considered a bug?

[josh-writer]

+1

A workaround here is to have 2 separate machine identities (one for PR, one for pushes to main) with different oidc subjects.

However, this is not ideal given machine identities are limited based on tier...

[josh-writer]

For OP and anyone else that runs into this issue, correct pattern to match on both PRs and pushes to main is:
repo:my-org/my-repo:{pull_request,ref:refs/heads/main}
with a single machine identity

[bcheidemann]

For OP and anyone else that runs into this issue, correct pattern to match on both PRs and pushes to main is: repo:my-org/my-repo:{pull_request,ref:refs/heads/main} with a single machine identity

Thanks! How did you find that? Just trial and error or was it documented somewhere?