@BartoszBlizniak

Breaking changes:

  • The default OIDC audience has changed from api://AzureADTokenExchange to https://github.com/{org-name} (using GITHUB_REPOSITORY_OWNER) for better security. Users relying on the old value must update their configuration or explicitly set the previous audience if needed.

Documentation and configuration updates:

  • The README.md and action.yml files have been updated to clearly document the new default for the OIDC audience. The oidc-audience input description now explains the dynamic default and how to override it.

Copilot AI review requested due to automatic review settings December 19, 2025 15:56

Copilot AI left a comment

Pull request overview

This PR changes the default OIDC audience from api://AzureADTokenExchange to https://github.com/{org-name} (using the GITHUB_REPOSITORY_OWNER environment variable) to improve security through organization-specific audience claims.

Key Changes:

  • Modified the default OIDC audience logic to dynamically construct the audience URL based on the repository owner
  • Updated documentation across README, action.yml, and CHANGELOG to reflect the breaking change
  • Changed the default parameter value from a hardcoded string to an empty string with fallback logic in the implementation

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| src/main.js | Implements new fallback logic for OIDC audience using GITHUB_REPOSITORY_OWNER environment variable |
| src/oidc-auth.js | Changes default parameter from 'api://AzureADTokenExchange' to empty string |
| dist/index.js | Compiled version with same changes as source files |
| action.yml | Updates input description and default value to reflect new dynamic default |
| README.md | Documents breaking change with clear migration guidance in a dedicated notices section |
| CHANGELOG.md | Records breaking change in version 2.0.0 with explanation of impact |

@BartoszBlizniak BartoszBlizniak merged commit 7de7787 into master Dec 19, 2025
22 checks passed
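
The audience fallback described in this pull request, and what it means for a relying party that pins `aud`, as an added example that is not the action's own code. The function names, the `example-org` owner, the sample tokens and the fail-closed behaviour on an empty owner are assumptions of this example.

```javascript
// Added example: names below are hypothetical, not the action's source.
const LEGACY_AUDIENCE = 'api://AzureADTokenExchange';

// Explicit oidc-audience input wins; an empty input falls back to the
// org-scoped default built from GITHUB_REPOSITORY_OWNER.
function resolveAudience(input, env) {
  const explicit = (input || '').trim();
  if (explicit) return explicit;
  const owner = (env.GITHUB_REPOSITORY_OWNER || '').trim();
  // Assumption of this example: fail closed when the owner is unknown.
  if (!owner) throw new Error('oidc-audience unset and GITHUB_REPOSITORY_OWNER empty');
  return `https://github.com/${owner}`;
}

// Decode the claims of a compact JWT. No signature verification here; a
// real relying party verifies the signature before trusting any claim.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// RFC 7519 allows aud to be a string or an array of strings.
function audienceMatches(claims, expected) {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return aud.includes(expected);
}

// Constructed sample token (placeholder signature) for the demo only.
function sampleToken(aud) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return [enc({ alg: 'RS256', typ: 'JWT' }), enc({ aud }), 'constructed-signature'].join('.');
}

function demo() {
  const env = { GITHUB_REPOSITORY_OWNER: 'example-org' }; // constructed value
  const expected = resolveAudience('', env);
  return {
    expected,
    newDefaultAccepted: audienceMatches(decodeClaims(sampleToken(expected)), expected),
    legacyAccepted: audienceMatches(decodeClaims(sampleToken(LEGACY_AUDIENCE)), expected),
    pinnedLegacy: resolveAudience(LEGACY_AUDIENCE, env),
  };
}

console.log(demo());
```

A verifier that expects the org-scoped audience rejects a token minted with the old default, which is why a trust policy still pinned to `api://AzureADTokenExchange` must be updated or the old value set explicitly through `oidc-audience`.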