Proposed edits to oidc-github guide

themes/default/content/docs/pulumi-cloud/oidc/client/github.md

@@ -10,7 +10,7 @@ menu:
         weight: 1
 ---
 
-This document outlines the steps required to configure Pulumi to accept Github id_tokens to be exchanged by Organization access tokens
+This document outlines the steps required to configure Pulumi to accept Github id_tokens to be exchanged by Organization access tokens.
 
 ## Prerequisites
 
@@ -27,12 +27,14 @@ Please note that this guide provides step-by-step instructions based on the offi
    ![Register Github](../register-github.png)
 1. Submit the form
 
-## Conrigure the Authorization Policies
+## Configure the Authorization Policies
 
 1. Click on the issuer name
 1. Change the policy decision to `Allow`
 1. Change the token type to `Organization`
-1. Add a new rule and configure it to verify the token audience to match your github organization url: `aud: https://github.com/octo-org`. For further information about Github token claims refer to the [official Github documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).
+1. Add some rules to protect your account. 
+  1. Add a rule to allow calls only from your GH repository: `repository: octo-org/octo-repo`. For further information about Github token claims refer to the [official Github documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token).
+  1. Add a rule to ensure that the tokens are intended for your Pulumi organization: `aud: urn:pulumi:org:octo-org`.
    ![Github policy example](../github-policies.png)
 1. Click on update