Things & stuff

GitHub Actions

Set Up

Start by creating the workflow file under .github/workflows in the repository. GitHub picks up every .yml file in that directory as a separate workflow.

Provide a name for the workflow. This is the name shown in the repository's Actions tab.

Define the event on which the workflow should trigger. Here it runs on every push to the main branch.

A fuller pipeline would also include jobs to build, lint and test the code base before anything is deployed. Because the static assets here are committed to the repository under dist and need no build step, the example collapses everything into a single deploy job for simplicity.

name: Deploy to S3
on:
  push:
    branches:
    - main

# The workflow never writes back to the repository, so restrict the
# automatic GITHUB_TOKEN to read-only access.
permissions:
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:

    - name: Checkout Repository
      # Pin actions to a release tag or, better, a full commit SHA. Referencing
      # a branch such as @main runs whatever that branch points to at the time
      # of the run, so a compromised upstream would execute with your secrets.
      uses: actions/checkout@v2

    - name: Configure AWS Credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        aws-region: us-east-1

    - name: Deploy Notes
      # --delete removes objects in the bucket that no longer exist in dist;
      # --acl public-read additionally requires s3:PutObjectAcl on the objects.
      run: aws s3 sync dist s3://${{ secrets.BUCKET }} --acl public-read --delete

    - name: Invalidate Cache
      run: aws cloudfront create-invalidation --distribution-id ${{ secrets.DIST_ID }} --paths "/*"

This example syncs the contents of the dist directory with the S3 bucket, deleting objects that are no longer present locally, then invalidates the CloudFront distribution's cache so the new assets are served immediately.

Storing Secrets

Secrets used here are scoped to the repository (organization and environment level secrets also exist). To add them, open the repository's Settings and select Secrets from the left side menu, or use gh secret set NAME from the GitHub CLI. Secrets are masked in the job log, but every step that references them can read them, so any third-party action the job runs sits inside the trust boundary; pinning those actions to a known version matters for that reason.

Add AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY holding the access key of the IAM user created for this workflow (see Least Privilege below).

Add BUCKET and DIST_ID for the bucket name and CloudFront distribution id. Neither is a secret in the strict sense, but storing them this way keeps account-specific identifiers out of the repository.

Least Privilege

The access key should belong to an IAM user dedicated to this workflow, with only the permissions its two commands need. Note that s3:PutObject alone is not enough: aws s3 sync first lists the destination bucket, which needs s3:ListBucket on the bucket ARN itself (not on BUCKET/*); --acl public-read needs s3:PutObjectAcl; and --delete needs s3:DeleteObject. Below is a policy that grants exactly that set plus the invalidation permission, each scoped to the one bucket or the one distribution. Replace BUCKET, ACCOUNT and DISTRIBUTION_ID with your own values.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucketForSync",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKET"
        },
        {
            "Sid": "WriteStaticAssets",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::BUCKET/*"
        },
        {
            "Sid": "InvalidateDistribution",
            "Effect": "Allow",
            "Action": "cloudfront:CreateInvalidation",
            "Resource": "arn:aws:cloudfront::ACCOUNT:distribution/DISTRIBUTION_ID"
        }
    ]
}
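To check what the workflow's two commands actually need from IAM before creating the user, here is a small offline policy checker. It is an added example written for these notes, not code from the page or from AWS. It evaluates a policy document against the (action, resource) pairs that aws s3 sync --acl public-read --delete and aws cloudfront create-invalidation exercise, using a simplified model of IAM evaluation (Allow and Deny statements with * and ? wildcards, no conditions). The account id 123456789012, the object keys and the OTHER-BUCKET name are constructed placeholders. Run against a policy that grants only s3:PutObject and cloudfront:CreateInvalidation it reports s3:ListBucket, s3:PutObjectAcl and s3:DeleteObject as missing; run against the three-statement policy it reports nothing missing and nothing from the forbidden list granted.

```python
"""Offline check of an IAM policy against the permissions the deploy workflow
exercises. Added example for these notes, not code from the page or from AWS.
Supports a small subset of IAM: Allow/Deny statements with Action and Resource
lists and IAM-style * and ? wildcards. Statements using NotAction, NotResource,
Condition or Principal raise instead of being mis-evaluated. BUCKET,
DISTRIBUTION_ID, the account id and the object keys are placeholders.
"""
import fnmatch
import json

# A minimal policy granting only the two actions named by the commands themselves.
MINIMAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "StaticAssetDeployment",
    "Effect": "Allow",
    "Action": ["s3:PutObject", "cloudfront:CreateInvalidation"],
    "Resource": ["arn:aws:s3:::BUCKET/*",
                 "arn:aws:cloudfront::123456789012:distribution/DISTRIBUTION_ID"]
  }]
}""")

# Everything `aws s3 sync --acl public-read --delete` and
# `aws cloudfront create-invalidation` call, each on the narrowest resource.
DEPLOY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBucketForSync", "Effect": "Allow",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::BUCKET"},
    {"Sid": "WriteStaticAssets", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::BUCKET/*"},
    {"Sid": "InvalidateDistribution", "Effect": "Allow",
     "Action": "cloudfront:CreateInvalidation",
     "Resource": "arn:aws:cloudfront::123456789012:distribution/DISTRIBUTION_ID"}
  ]
}""")

# (action, resource) pairs the two workflow commands exercise; the object keys
# are constructed examples of what sync would touch.
REQUIRED = [
    ("s3:ListBucket", "arn:aws:s3:::BUCKET"),                 # sync lists the destination
    ("s3:PutObject", "arn:aws:s3:::BUCKET/index.html"),       # upload changed files
    ("s3:PutObjectAcl", "arn:aws:s3:::BUCKET/index.html"),    # --acl public-read
    ("s3:DeleteObject", "arn:aws:s3:::BUCKET/stale/app.js"),  # --delete
    ("cloudfront:CreateInvalidation",
     "arn:aws:cloudfront::123456789012:distribution/DISTRIBUTION_ID"),
]

# Things the deploy user must never be able to do, even by accident.
FORBIDDEN = [
    ("s3:DeleteBucket", "arn:aws:s3:::BUCKET"),
    ("s3:PutObject", "arn:aws:s3:::OTHER-BUCKET/index.html"),
    ("cloudfront:UpdateDistribution",
     "arn:aws:cloudfront::123456789012:distribution/DISTRIBUTION_ID"),
    ("iam:CreateAccessKey", "arn:aws:iam::123456789012:user/deploy"),
]


def _as_list(value):
    # IAM lets Action, Resource and Statement be a single value or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)


def _glob(pattern, value):
    # IAM wildcards: * matches any run of characters (including /), ? one character.
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource):
    for key in ("NotAction", "NotResource", "Condition", "Principal"):
        if key in stmt:
            raise ValueError(f"unsupported element {key!r} in statement {stmt.get('Sid')}")
    # Action names are case-insensitive in IAM; resource ARNs are not.
    action_hit = any(_glob(p.lower(), action.lower()) for p in _as_list(stmt["Action"]))
    resource_hit = any(_glob(p, resource) for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants; default is deny."""
    statements = _as_list(policy["Statement"])
    if any(s["Effect"] == "Deny" and _statement_applies(s, action, resource) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _statement_applies(s, action, resource) for s in statements)


def missing(policy, required=REQUIRED):
    """Required pairs the policy does not grant: the deploy step would fail on these."""
    return [pair for pair in required if not is_allowed(policy, *pair)]


def excess(policy, forbidden=FORBIDDEN):
    """Forbidden pairs the policy does grant: the policy is broader than needed."""
    return [pair for pair in forbidden if is_allowed(policy, *pair)]


if __name__ == "__main__":
    for name, policy in (("minimal", MINIMAL_POLICY), ("deploy", DEPLOY_POLICY)):
        print(f"{name}: missing={missing(policy)} excess={excess(policy)}")
```

This is not a substitute for the IAM policy simulator (aws iam simulate-principal-policy), which applies the real service semantics, but it is cheap enough to run in CI as a regression check whenever the policy file or the deploy command line changes.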
Last updated on 18 Nov 2020
Published on 18 Nov 2020