From f322a0d1e2c22a84ebc9356dc234f5df49e238d4 Mon Sep 17 00:00:00 2001 From: Seth Vargo Date: Mon, 16 May 2022 09:48:11 -0400 Subject: [PATCH] fix: only emit warning if the lifetime exceeds 1 hour --- README.md | 7 +++++-- docs/TROUBLESHOOTING.md | 2 +- src/main.ts | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 9e96cb69..ab131123 100644 --- a/README.md +++ b/README.md @@ -158,14 +158,17 @@ workflow. By default, this action does not generate any tokens. [`constraints/iam.allowServiceAccountCredentialLifetimeExtension` organization policy][orgpolicy-creds-lifetime] is enabled. - Note: In order to support Domain-Wide Delegation via Workload Identity - Federation, you must grant the external identity ("principalSet") + In order to support Domain-Wide Delegation via Workload Identity Federation, + you must grant the external identity ("principalSet") `roles/iam.serviceAccountTokenCreator` in addition to `roles/iam.workloadIdentityUser`. The default Workload Identity setup will only grant the latter role. If you want to use this GitHub Action with Domain-Wide Delegation, you must manually add the "Service Account Token Creator" role onto the external identity. + You will also need to customize the `access_token_scopes` value to + correspond to the OAuth scopes required for the API(s) you will access. + ### Generating ID tokens The following inputs are for _generating_ ID tokens for authenticating to Google diff --git a/docs/TROUBLESHOOTING.md b/docs/TROUBLESHOOTING.md index c441bfbf..20ad644f 100644 --- a/docs/TROUBLESHOOTING.md +++ b/docs/TROUBLESHOOTING.md 
@@ -91,7 +91,7 @@ If you get an error like: The size of mapped attribute exceeds the 127 bytes limit. ``` -it means that the GitHub OIDC token had a claim that exceeded the maximum +it means that the GitHub OIDC token had a claim that exceeded the maximum allowed value of 127 bytes. In general, 1 byte = 1 character. This most common reason this occurs is due to long repo names or long branch names. diff --git a/src/main.ts b/src/main.ts index 760f2a8b..5f828097 100644 --- a/src/main.ts +++ b/src/main.ts @@ -210,7 +210,7 @@ async function run(): Promise { // perform Domain-Wide Delegation. Otherwise, use the modern IAM // Credentials endpoints. let accessToken, expiration; - if (accessTokenSubject) { + if (accessTokenSubject && accessTokenLifetime > 3600) { logInfo( `An access token subject was specified, triggering Domain-Wide ` + `Delegation flow. This flow does not support specifying an ` +
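Review bot: In the src/main.ts hunk, the new condition `if (accessTokenSubject && accessTokenLifetime > 3600)` gates the whole Domain-Wide Delegation branch, not only the message, even though the subject line says the change should only affect when the warning is emitted. The comment directly above the hunk reads "perform Domain-Wide Delegation. Otherwise, use the modern IAM Credentials endpoints", so with this change a request that sets a subject with a lifetime of 3600 seconds or less would no longer enter the DWD branch and would instead fall through to the IAM Credentials path with the subject silently ignored. Suggest keeping `if (accessTokenSubject) {` as the branch selector and moving the lifetime test inside it so that it wraps only the `logInfo(...)` call. While here, please confirm that `accessTokenLifetime` is already a number of seconds at this point; if it is still the raw input string, `> 3600` relies on implicit coercion.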
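Review bot: The docs/TROUBLESHOOTING.md hunk is a whitespace-only change (trailing space removed after "maximum") and is unrelated to the commit subject; fine to keep, but since this paragraph is being touched, the unchanged context line "This most common reason this occurs is due to long repo names" should read "The most common reason this occurs is long repo names or long branch names."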
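Review bot: The README.md hunk adds "You will also need to customize the `access_token_scopes` value to correspond to the OAuth scopes required for the API(s) you will access" without saying what the default scopes are or what a caller sees when the scopes are wrong, which is the failure a reader of this section will most likely hit. Suggest either stating the default `access_token_scopes` value here or linking to the input's description in the inputs table, and giving one concrete scope as an illustration so the sentence is actionable.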