diff --git a/main.tf b/main.tf
index e6974e2..15b0f63 100644
--- a/main.tf
+++ b/main.tf
@@ -13,9 +13,15 @@
 // limitations under the License.
 
 locals {
-  github_organizations = toset([for repo in var.github_repositories : split("/", repo)[0]])
-  oidc_provider_arn    = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
-  partition            = data.aws_partition.current.partition
+  github_organizations = toset([
+    for repo in var.github_repositories : split("/", repo)[0]
+  ])
+  known_thumbprints = [
+    "1c58a3a8518e8759bf075b76b750d4f2df264fcd",
+    "6938fd4d98bab03faadb97b34396831e3780aea1",
+  ]
+  oidc_provider_arn = var.enabled ? (var.create_oidc_provider ? aws_iam_openid_connect_provider.github[0].arn : data.aws_iam_openid_connect_provider.github[0].arn) : ""
+  partition         = data.aws_partition.current.partition
 }
 
 resource "aws_iam_role" "github" {
@@ -71,10 +77,16 @@ resource "aws_iam_openid_connect_provider" "github" {
 
   tags = var.tags
   url  = "https://token.actions.githubusercontent.com%{if var.enterprise_slug != ""}/${var.enterprise_slug}%{endif}"
-  thumbprint_list = var.additional_thumbprints != null ? distinct(
+  thumbprint_list = var.additional_thumbprints != null ? toset(
     concat(
+      local.known_thumbprints,
       [data.tls_certificate.github.certificates[0].sha1_fingerprint],
-      [for thumbprint in var.additional_thumbprints : thumbprint]
+      [for thumbprint in var.additional_thumbprints : thumbprint],
     )
-  ) : [data.tls_certificate.github.certificates[0].sha1_fingerprint]
+    ) : toset(
+    concat(
+      local.known_thumbprints,
+      [data.tls_certificate.github.certificates[0].sha1_fingerprint],
+    )
+  )
 }