fix: sanitize AWS session tags

[LaurenceGA]

Closes #18

Ensure that alls tags applied to the AWS role session are valid.

For GITHUB_ACTOR, [ and ] must be removed.

For GITHUB_WORKFLOW I've inverted the tag value requirement regex, [\p{L}\p{Z}\p{N}_.:/=+\-@]+, and replaced any characters that don't conform. I've also truncated the value as it has a maximum of 256 chars.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[LaurenceGA]

@clareliguori Thanks for the review!

I've also added another change to sanitise another tag value also.

[LaurenceGA]

Do you think _ is the best character for replacement? I picked it sort of arbitrarily. Maybe * would be more conventional and perhaps look nicer?

[mattsb42-aws]

One thing that worries me here, though I'm not sure if there's a good answer, is collisions.

Back to my original desire to let this provide a useful way to limit what can assume a particular role, there are potentially a lot of values that will sanitize to the same thing. On the other hand, the repo owner controls all of these values, so they can keep them clean if they want to.

Maybe just add something to the readme warning of this?

[LaurenceGA]

I've updated the readme with full(?) documentation about assuming a role. Hopefully it's clarifying.

older commit

[mattsb42-aws]

Other than the points @clareliguori raised, this LGTM. :)

[LaurenceGA]

@clareliguori Well spotted, thanks. Updated :)