terraform-module / terraform-aws-github-oidc-provider

Fully configurable terraform module to access AWS APIs from Github Actions through OpenID Connect.
MIT License

fix: refactor to support multiple thumbprints and add second intermediary thumbprint #35

Status: Closed. jharley closed this pull request 1 year ago.

jharley commented 1 year ago

↪️ Pull Request

📒 Description

As of June 27, 2023 there are two possible intermediary certificates for the Actions SSL certificate (link).

This makes a breaking change to simply rename the github_thumbprint variable to github_thumbprints and change the type to list(string). This approach would require releasing as 3.x, but it seemed the most straightforward.

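As an added illustration of the change this pull request describes (example configuration, not the module's own code): a list-typed `github_thumbprints` variable with an input check, passed to the AWS provider's `aws_iam_openid_connect_provider` resource via `thumbprint_list`, plus the matching change a caller of the module would make. The thumbprint values are placeholders and the local module path is assumed; the issuer URL and `sts.amazonaws.com` audience are the standard values for GitHub Actions.

```hcl
# Added example, not the module's code: the variable after the rename,
# now accepting several intermediate-certificate thumbprints at once.
variable "github_thumbprints" {
  description = "SHA-1 thumbprints of the intermediate certificates in the chain served by token.actions.githubusercontent.com"
  type        = list(string)

  # Reject anything that is not a 40-hex-character SHA-1 digest, so a
  # mistyped value fails at plan time rather than at the first workflow run.
  validation {
    condition     = alltrue([for t in var.github_thumbprints : can(regex("^[0-9a-fA-F]{40}$", t))])
    error_message = "Each entry in github_thumbprints must be a 40-character hexadecimal SHA-1 thumbprint."
  }
}

# The IAM OIDC provider for GitHub Actions. thumbprint_list takes the whole
# list, so both intermediates are trusted and a rotation between them does
# not produce the "HTTPS certificate doesn't match configured thumbprint" error.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = var.github_thumbprints
}

# Caller side. With 2.x the input was a single string:
#   github_thumbprint = "<one thumbprint>"
# With the 3.x rename it becomes a list (placeholder values below; real
# thumbprints must be computed from the certificate chain, not copied from here).
module "github_oidc" {
  source = "./modules/github-oidc-provider" # assumed local path

  github_thumbprints = [
    "0000000000000000000000000000000000000001", # PLACEHOLDER: first intermediate
    "0000000000000000000000000000000000000002", # PLACEHOLDER: second intermediate
  ]
}
```

Because `thumbprint_list` is a set on the AWS side, adding the second thumbprint is an in-place update of the existing provider rather than a replacement, so roles that already trust the provider's ARN keep working through the change.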

jharley commented 1 year ago

I received an email from AWS Support this morning with the following notice:

We are sending this notification because you have configured a GitHub OpenID Connect (OIDC) identity provider (IdP) in your AWS account. GitHub uses a cross-signed TLS server certificate for GitHub’s OIDC servers which can have two intermediate certificates. Each of these intermediate certificates has a unique thumbprint. If you configured the GitHub IdP in your account using only one thumbprint, you may have encountered “Error: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint” when attempting to access AWS resources using GitHub as the identity provider. This would occur when the certificate thumbprint configured in AWS does not match the one presented by the GitHub server. No action is required from you. Starting July 6, 2023, AWS began securing communication with GitHub’s OIDC identity provider (IdP) using our library of trusted root Certificate Authorities instead of using a certificate thumbprint to verify the IdP’s server certificate. This approach ensures that your GitHub OIDC configuration behaves correctly without disruption during future certificate rotations and changes. With this new validation approach in place, your legacy thumbprint(s) will remain in your configuration but will no longer be needed for validation purposes.

And confirmed that a not-yet-updated OIDC provider in AWS worked when I manually triggered a run.