fix(github): use API-resolved org login for OIDC subject claims

Use data.github_organization.alz.login instead of var.organization_name when constructing OIDC subject claims for federated credentials.

This preserves exact org casing in the repo: segment to match GitHub token assertions and avoid AADSTS7002138 case-sensitive matching failures.

Also lower-case the org in job_workflow_ref template composition to align with observed GitHub token behavior for reusable workflow refs.

Author: DanielBoring

modules/github/locals.tf

@@ -18,14 +18,14 @@ locals {
 
 locals {
   repository_name_templates = var.use_template_repository ? var.repository_name_templates : var.repository_name
-  template_claim_structure  = "${var.organization_name}/${local.repository_name_templates}/%s@refs/heads/main"
+  template_claim_structure  = "${lower(data.github_organization.alz.login)}/${local.repository_name_templates}/%s@refs/heads/main"
 
   oidc_subjects_flattened = flatten([for key, value in var.workflows : [
     for environment_user_assigned_managed_identity_mapping in value.environment_user_assigned_managed_identity_mappings :
     {
       subject_key                        = "${key}-${environment_user_assigned_managed_identity_mapping.user_assigned_managed_identity_key}"
       user_assigned_managed_identity_key = environment_user_assigned_managed_identity_mapping.user_assigned_managed_identity_key
-      subject                            = "repo:${var.organization_name}/${var.repository_name}:environment:${var.environments[environment_user_assigned_managed_identity_mapping.environment_key]}:job_workflow_ref:${format(local.template_claim_structure, value.workflow_file_name)}"
+      subject                            = "repo:${data.github_organization.alz.login}/${var.repository_name}:environment:${var.environments[environment_user_assigned_managed_identity_mapping.environment_key]}:job_workflow_ref:${format(local.template_claim_structure, value.workflow_file_name)}"
     }
     ]
   ])