update OIDC issuer logic

Signed-off-by: Meredith Lancaster <malancas@github.com>

pkg/cmd/attestation/verify/policy.go

@@ -74,12 +74,16 @@ func newEnforcementCriteria(opts *Options) (verification.EnforcementCriteria, er
 		c.Certificate.SourceRepositoryOwnerURI = fmt.Sprintf("https://github.com/%s", opts.Owner)
 	}
 
-	// if tenant is provided, select the appropriate default based on the tenant
-	if opts.Tenant != "" {
-		c.Certificate.Issuer = fmt.Sprintf(verification.GitHubTenantOIDCIssuer, opts.Tenant)
-	} else {
-		// otherwise, use the provided OIDCIssuer
+	// If the OIDCIssuer option has been set, use that custom value
+	// Otherwise check if tenant is provided, select the appropriate default based on that
+	if opts.OIDCIssuer != verification.GitHubOIDCIssuer {
 		c.Certificate.Issuer = opts.OIDCIssuer
+	} else {
+		if opts.Tenant != "" {
+			c.Certificate.Issuer = fmt.Sprintf(verification.GitHubTenantOIDCIssuer, opts.Tenant)
+		} else {
+			c.Certificate.Issuer = verification.GitHubOIDCIssuer
+		}
 	}
 
 	c.PredicateType = opts.PredicateType

pkg/cmd/attestation/verify/policy_test.go

@@ -132,13 +132,13 @@ func TestNewEnforcementCriteria(t *testing.T) {
 		require.Equal(t, "https://github.com/foo", c.Certificate.SourceRepositoryOwnerURI)
 	})
 
-	t.Run("sets OIDCIssuer using opts.OIDCIssuer and opts.Tenant", func(t *testing.T) {
+	t.Run("sets OIDCIssuer using opts.Tenant", func(t *testing.T) {
 		opts := &Options{
 			ArtifactPath: artifactPath,
 			Owner:        "foo",
 			Repo:         "foo/bar",
 			Tenant:       "baz",
-			OIDCIssuer:   "https://foo.com",
+			OIDCIssuer:   verification.GitHubOIDCIssuer,
 		}
 
 		c, err := newEnforcementCriteria(opts)
@@ -152,6 +152,7 @@ func TestNewEnforcementCriteria(t *testing.T) {
 			Owner:        "foo",
 			Repo:         "foo/bar",
 			OIDCIssuer:   "https://foo.com",
+			Tenant:       "baz",
 		}
 
 		c, err := newEnforcementCriteria(opts)