diff --git a/.github/workflows/demo.yml b/.github/workflows/demo.yml
index 9edb697..c904518 100644
--- a/.github/workflows/demo.yml
+++ b/.github/workflows/demo.yml
@@ -7,7 +7,7 @@ on:
 permissions:
 id-token: write
- content: read
+ contents: read
 env:
 AWS_REGION : "eu-west-3"
diff --git a/terraform/layers/main/iam.tf b/terraform/layers/main/iam.tf
index 02ceaee..19928c7 100644
--- a/terraform/layers/main/iam.tf
+++ b/terraform/layers/main/iam.tf
@@ -39,10 +39,8 @@ resource "aws_iam_role" "github" {
 },
 "Action": "sts:AssumeRoleWithWebIdentity",
 "Condition": {
- "StringLike": {
- "token.actions.githubusercontent.com:sub": "repo:padok-team/demo-github-actions-oidc:*"
- },
 "StringEquals": {
+ "token.actions.githubusercontent.com:sub": "repo:padok-team/demo-github-actions-oidc:ref:refs/heads/main",
 "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
 }
 }
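Review bot: The new `StringEquals` match on `token.actions.githubusercontent.com:sub` admits only tokens issued for `refs/heads/main`, and the trust policy carries no comment recording that, so a later workflow change can break role assumption without an obvious cause. GitHub issues a different `sub` for jobs that declare an `environment:` and for `pull_request` or tag runs, so those would be denied by this role; the triggers under `on:` in demo.yml are outside the hunk and should be checked against it. I would add above the resource `# Trust is limited to workflow runs on refs/heads/main; environment, tag and pull_request runs carry a different sub claim and are denied.` Since the role's trust now rests on who can push to `main`, branch protection on that branch is worth confirming. The `aws_iam_role.github` block begins and ends outside the hunk.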