
Commit af18434

committed
feat(ci[docs]) migrate to OIDC authentication
why: Eliminate long-lived IAM credentials in favor of secure OIDC tokens what: - Replace jakejarvis/s3-sync-action with aws-actions/configure-aws-credentials - Add environment: docs for OIDC trust policy - Add CloudFront invalidation for key paths (index.html, objects.inv, searchindex.js) - Keep existing Cloudflare cache purge
1 parent c8b4a91 commit af18434

1 file changed

+22
-9
lines changed


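--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -5,9 +5,14 @@ on:
 branches:
 - master
 
+permissions:
+contents: read
+id-token: write
+
 jobs:
 build:
 runs-on: ubuntu-latest
+environment: docs
 strategy:
 matrix:
 python-version: ['3.14']
@@ -59,17 +64,25 @@ jobs:
 run: |
 pushd docs; make SPHINXBUILD='uv run sphinx-build' html; popd
 
-- name: Push documentation to S3
-uses: jakejarvis/[email protected]
+- name: Configure AWS Credentials
 if: env.PUBLISH == 'true'
+uses: aws-actions/configure-aws-credentials@v4
 with:
-args: --follow-symlinks --delete
-env:
-AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
-AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-AWS_REGION: 'us-west-1' # optional: defaults to us-east-1
-SOURCE_DIR: 'docs/_build/html' # optional: defaults to entire repository
+role-to-assume: ${{ secrets.LIBTMUX_DOCS_ROLE_ARN }}
+aws-region: us-east-1
+
+- name: Push documentation to S3
+if: env.PUBLISH == 'true'
+run: |
+aws s3 sync docs/_build/html "s3://${{ secrets.LIBTMUX_DOCS_BUCKET }}" \
+--delete --follow-symlinks
+
+- name: Invalidate CloudFront
+if: env.PUBLISH == 'true'
+run: |
+aws cloudfront create-invalidation \
+--distribution-id "${{ secrets.LIBTMUX_DOCS_DISTRIBUTION }}" \
+--paths "/index.html" "/objects.inv" "/searchindex.js"
 
 - name: Purge cache on Cloudflare
 if: env.PUBLISH == 'true'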
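Review bot: `id-token: write` is granted at workflow level in the first hunk, so the OIDC minting permission reaches every job in the file and every step of `build`, including the third-party actions that run before `Configure AWS Credentials`; only the `build` job is visible here, but the tighter form is to drop the workflow-level block and declare `permissions:` with `contents: read` and `id-token: write` under `build:` next to `environment: docs`. In the second hunk `uses: aws-actions/configure-aws-credentials@v4` is a mutable tag on the very step that receives the assumed role; pinning it to a full commit SHA with the version in a trailing comment removes the tag-move supply-chain exposure. The bucket and distribution ids are interpolated straight into `run:` scripts; passing them through `env:` (e.g. `BUCKET: ${{ secrets.LIBTMUX_DOCS_BUCKET }}` under the step's `env:` and `"s3://$BUCKET"` in the script) keeps `${{ }}` expansion out of the shell, which is the form GitHub recommends for any expression inside `run`. Since `environment: docs` only changes the token's `sub` claim, a comment on that line such as `# OIDC: the role trust policy must restrict sub to the environment:docs form` would tell the next maintainer where the actual restriction lives.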
