diff --git a/modules/products/static-site/iam.tf b/modules/products/static-site/iam.tf
index 2631196..20c2737 100644
--- a/modules/products/static-site/iam.tf
+++ b/modules/products/static-site/iam.tf
@@ -18,7 +18,7 @@ resource "aws_iam_role" "static_site_actions_push" {
 }
 Condition = {
 StringLike = {
- "token.actions.githubusercontent.com:sub" : "repo:${var.tenant_vars.repository}:${var.tenant_vars.gitbranch}"
+ "token.actions.githubusercontent.com:sub" : "repo:${var.tenant_vars.repository}:ref:refs/heads/${var.tenant_vars.gitbranch}"
 "sts:RoleSessionName" : "GitHubActions"
 }
 StringEquals = {
diff --git a/modules/products/static-site/variables.tf b/modules/products/static-site/variables.tf
index 6eef495..39aa81f 100644
--- a/modules/products/static-site/variables.tf
+++ b/modules/products/static-site/variables.tf
@@ -9,13 +9,3 @@ variable "cloud_front_default_vars" {
 variable "aws_region" {
 type = string
 }
-
-variable "git_branch" {
- type = string
- description = "git branches which can push to S3 from "
-
- validation {
- condition = contains(var.git_branch, "main") || contains(var.git_branch, "master") || contains(var.git_branch, "CCL-509")
- error_message = "valid push branches are [main,master,CCL-509]"
- }
-}
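Review bot: The corrected `sub` pattern in the iam.tf hunk is still evaluated under `StringLike`, so a `*` or `?` inside `var.tenant_vars.gitbranch` or `var.tenant_vars.repository` is treated as a wildcard and silently widens which workflow runs can assume `static_site_actions_push`. Now that the value is a fully qualified ref, an exact match is enough: move the entry into the `StringEquals` block that opens right after it, as `"token.actions.githubusercontent.com:sub" = "repo:${var.tenant_vars.repository}:ref:refs/heads/${var.tenant_vars.gitbranch}"`. The same commit also drops the only visible branch validation (`git_branch` in variables.tf), and the definition of `tenant_vars` is not shown here, so it is worth confirming that it rejects glob characters, or adding a `validation` block that does. `sts:RoleSessionName` is chosen by the caller, so it should not be counted as a restriction in its own right; the trust statement starts and ends outside this hunk.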