diff --git a/modules/github-wif-provider/README.md b/modules/github-wif-provider/README.md
index ba612836..ef0fadc3 100644
--- a/modules/github-wif-provider/README.md
+++ b/modules/github-wif-provider/README.md
@@ -31,6 +31,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [github\_org](#input\_github\_org) | The GitHub organizantion to grant access to. Eg: 'chainguard-dev'. | `string` | n/a | yes |
| [name](#input\_name) | The name to give the provider pool. | `string` | n/a | yes |
| [notification\_channels](#input\_notification\_channels) | The list of notification channels to alert when this policy fires. | `list(string)` | n/a | yes |
| [project\_id](#input\_project\_id) | n/a | `string` | n/a | yes |
diff --git a/modules/github-wif-provider/main.tf b/modules/github-wif-provider/main.tf
index 4acea7fb..6ca851fd 100644
--- a/modules/github-wif-provider/main.tf
+++ b/modules/github-wif-provider/main.tf
@@ -43,4 +43,6 @@ resource "google_iam_workload_identity_pool_provider" "this" {
"attribute.versiontags" = "assertion.repository + '|' + (assertion.ref.matches('^refs/tags/v[0-9]+([.][0-9]+([.][0-9]+)?)?$') ? 'true' : 'false') + '|' + assertion.workflow_ref.split('@')[0]"
"attribute.versiontagsanyworkflow" = "assertion.repository + '|' + (assertion.ref.matches('^refs/tags/v[0-9]+([.][0-9]+([.][0-9]+)?)?$') ? 'true' : 'false')"
}
+
+ attribute_condition = "assertion.repository_owner == '${var.github_org}'"
}
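Review bot: The new `attribute_condition` pins the provider to an organization login, which is a mutable name rather than a stable identity. If the organization is renamed and the old login is later registered by another account, tokens from that account would satisfy `assertion.repository_owner == '${var.github_org}'`. GitHub's OIDC token also carries the numeric `repository_owner_id` claim, so consider taking an owner ID input and requiring both, e.g. `assertion.repository_owner == '${var.github_org}' && assertion.repository_owner_id == '${var.github_org_id}'` (the `github_org_id` variable is a suggested addition, not something in this change). A short comment such as `# Reject tokens minted for repositories outside the configured GitHub org.` above the line would also help; the resource block starts outside this hunk.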
diff --git a/modules/github-wif-provider/variables.tf b/modules/github-wif-provider/variables.tf
index bbba2337..9a4403d9 100644
--- a/modules/github-wif-provider/variables.tf
+++ b/modules/github-wif-provider/variables.tf
@@ -11,3 +11,8 @@ variable "notification_channels" {
description = "The list of notification channels to alert when this policy fires."
type = list(string)
}
+
+variable "github_org" {
+ description = "The GitHub organizantion to grant access to. Eg: 'chainguard-dev'."
+ type = string
+}
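Review bot: `github_org` has no `validation` block, yet main.tf interpolates it verbatim between single quotes in a CEL expression. A value containing a quote or CEL operators would change the meaning of the access condition instead of failing at plan time. Restricting the input to the characters a GitHub login can contain closes that off and catches paste errors early; the pattern below is my reading of GitHub's login rules and should be confirmed. The description also misspells "organization" as "organizantion", and the same typo is carried into the README table.

```hcl
variable "github_org" {
  description = "The GitHub organization to grant access to. Eg: 'chainguard-dev'."
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9](-?[A-Za-z0-9])*$", var.github_org))
    error_message = "github_org must be a GitHub organization login: alphanumerics and single hyphens only."
  }
}
```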