TL;DR
https://cloud.google.com/iam/docs/manage-workload-identity-pools-providers discusses how to restrict which workload identity pool providers may be permitted, but doesn't go into a detailed example for when it's GitHub.
Additional information
Please enhance https://github.com/google-github-actions/auth#setting-up-workload-identity-federation to also discuss what needs to be set for the iam.workloadIdentityPoolProviders organization policy constraint.