diff --git a/0-bootstrap/README.md b/0-bootstrap/README.md
index 21c7dabf0..2d2982765 100644
--- a/0-bootstrap/README.md
+++ b/0-bootstrap/README.md
@@ -515,6 +515,7 @@ The following steps will guide you through deploying without using Cloud Build.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| attribute\_condition | Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition) | `string` | `null` | no |
 | billing\_account | The ID of the billing account to associate projects with. | `string` | n/a | yes |
 | bucket\_force\_destroy | When deleting a bucket, this boolean option will delete all contained objects. If false, Terraform will fail to delete buckets which contain objects. | `bool` | `false` | no |
 | bucket\_prefix | Name prefix to use for state bucket created. | `string` | `"bkt"` | no |
diff --git a/0-bootstrap/github.tf.example b/0-bootstrap/github.tf.example
index df996af94..b08406844 100644
--- a/0-bootstrap/github.tf.example
+++ b/0-bootstrap/github.tf.example
@@ -93,12 +93,13 @@ module "gh_cicd" {
 module "gh_oidc" {
   source = "terraform-google-modules/github-actions-runners/google//modules/gh-oidc"
-  version = "~> 3.1"
+  version = "~> 4.0"
   project_id = module.gh_cicd.project_id
   pool_id = "foundation-pool"
   provider_id = "foundation-gh-provider"
   sa_mapping = local.sa_mapping
+  attribute_condition = "assertion.repository_owner=='${var.gh_repos.owner}'"
 }
 resource "github_actions_secret" "secrets" {
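Review bot: The new `attribute_condition` on `module "gh_oidc"` is hard-coded to the repository owner, while the same commit declares `var.attribute_condition` (variables.tf, default `null`) that this example never reads; unless the variable is consumed in a file outside this diff, the two should be tied together, e.g. `attribute_condition = coalesce(var.attribute_condition, "assertion.repository_owner=='${var.gh_repos.owner}'")`, so an operator can tighten the condition without editing the example. An owner-only condition admits every repository under that owner to the provider, so how much that matters depends on how restrictive `local.sa_mapping` (defined outside the hunk) is; a short comment saying that the condition is the first gate and the `sa_mapping` attribute bindings the second would make the intent clear. The bump from `~> 3.1` to `~> 4.0` is a major version; I have not checked what else changed in the module's inputs, so a pointer to its upgrade notes in the commit message would help reviewers.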
@@ -116,3 +117,20 @@ resource "google_service_account_iam_member" "self_impersonate" {
   role = "roles/iam.serviceAccountTokenCreator"
   member = "serviceAccount:${google_service_account.terraform-env-sa[each.key].email}"
 }
+
+module "gcp_projects_state_bucket" {
+  source = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~> 8.0"
+
+  name = "${var.bucket_prefix}-${module.seed_bootstrap.seed_project_id}-gcp-projects-tfstate"
+  project_id = module.seed_bootstrap.seed_project_id
+  location = var.default_region
+  force_destroy = var.bucket_force_destroy
+
+  encryption = {
+    default_kms_key_name = local.state_bucket_kms_key
+  }
+
+  depends_on = [module.seed_bootstrap.gcs_bucket_tfstate]
+}
+
diff --git a/0-bootstrap/variables.tf b/0-bootstrap/variables.tf
index db7e27c65..599ca7e4a 100644
--- a/0-bootstrap/variables.tf
+++ b/0-bootstrap/variables.tf
@@ -14,6 +14,12 @@
  * limitations under the License.
  */
+variable "attribute_condition" {
+  type = string
+  description = "Workload Identity Pool Provider attribute condition expression. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_workload_identity_pool_provider#attribute_condition)"
+  default = null
+}
+
 variable "org_id" {
   description = "GCP Organization ID"
   type = string
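Review bot: `module "gcp_projects_state_bucket"` holds Terraform state but sets neither `versioning` nor an explicit public-access control, so recovery of an overwritten or deleted state object rests on the simple_bucket defaults for `~> 8.0`, which I have not verified; stating `versioning = true` in the block makes that guarantee visible regardless of module defaults. The CMEK wiring via `local.state_bucket_kms_key` is good, but it would help to add a comment noting that `force_destroy = var.bucket_force_destroy` also applies to this state bucket, so enabling it discards the gcp-projects state history along with the bucket.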
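Review bot: The description of the new `attribute_condition` variable links to the provider docs but does not say what the `null` default means for the pool provider; presumably no condition is applied and every token from the configured issuer passes the provider, with access then gated only by the service-account IAM bindings. Spelling that out, e.g. appending `When null, no condition is applied to the provider; set one (for example restricting the repository owner) so that only the intended identities can exchange tokens.` to the description, tells an operator why the value is worth setting. `variable "org_id"` continues past the end of the hunk.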