Modernize deploy workflow (#942)

Switches to OIDC provider, replaces very old S3 and CloudFront actions with modern CLI usage, de-hardcodes region and S3 bucket name, unlocks pin of old version of CloudFormation deploy action, add concurrency safety.
vapor · Nov 11, 2023 · 7da0d44 · 7da0d44
1 parent 882b8a5
commit 7da0d44
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 51 deletions.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -1,5 +1,7 @@
 name: Build docs and check cloudformation and dead links
-
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 on:
  pull_request:
  branches:

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -1,60 +1,49 @@
 name: Build and deploy the Vapor documentation
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
 on:
  push:
  branches:
  - main
+
 jobs:
  deploy:
  name: Build and deploy
  runs-on: ubuntu-latest
+ permissions: { id-token: write, contents: read }
+ env: { AWS_PAGER: '' }
  steps:
- - name: Checkout repository 
- uses: actions/checkout@v4
- - name: Install dependencies
- run: |
- pip install -r requirements.txt
- - name: Build the website
- run: |
- mkdocs build
- swift fixSearchIndex.swift
- cp googlefc012e5d94cfa05f.html site/googlefc012e5d94cfa05f.html;
- swift setUpRedirects.swift
- - name: Configure AWS credentials
- id: cred
- uses: aws-actions/configure-aws-credentials@v4
- with:
- aws-access-key-id: ${{ secrets.DOCS_DEPLOYER_AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.DOCS_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
- aws-region: 'eu-west-2'
- - name: Deploy to AWS Cloudformation
- id: clouddeploy
- if: steps.cred.outcome == 'success'
- uses: aws-actions/[email protected]
- with:
- name: vapor-docs-stack
- template: stack.yml
- no-fail-on-empty-changeset: "1"
- parameter-overrides: >-
- DomainName=docs.vapor.codes,
- S3BucketName=vapor-docs-site,
- AcmCertificateArn=${{ secrets.CERTIFICATE_ARN }}
- - name: Deploy to S3 
- id: s3deploy
- if: steps.clouddeploy.outcome == 'success'
- uses: jakejarvis/s3-sync-action@master
- with:
- args: --acl public-read --follow-symlinks --delete
- env:
- AWS_S3_BUCKET: 'vapor-docs-site'
- AWS_ACCESS_KEY_ID: ${{ secrets.DOCS_DEPLOYER_AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.DOCS_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: 'eu-west-2'
- SOURCE_DIR: 'site'
- - name: Invalidate CloudFront 
- uses: awact/cloudfront-action@master 
- env:
- SOURCE_PATH: '/*'
- AWS_REGION: 'eu-west-2'
- AWS_ACCESS_KEY_ID: ${{ secrets.DOCS_DEPLOYER_AWS_ACCESS_KEY_ID }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.DOCS_DEPLOYER_AWS_SECRET_ACCESS_KEY }}
- DISTRIBUTION_ID: ${{ secrets.DOCS_DISTRIBUTION_ID }}
+ - name: Checkout repository 
+ uses: actions/checkout@v4
+
+ - name: Install dependencies
+ run: pip install -r requirements.txt
+ - name: Build the website
+ run: |
+ mkdocs build
+ swift fixSearchIndex.swift
+ cp googlefc012e5d94cfa05f.html site/googlefc012e5d94cfa05f.html
+ swift setUpRedirects.swift
+ 
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ vars.OIDC_ROLE_ARN }}
+ aws-region: ${{ vars.OIDC_ROLE_REGION }}
+ - name: Deploy CloudFormation stack
+ uses: aws-actions/aws-cloudformation-github-deploy@v1
+ with:
+ name: vapor-docs-stack
+ template: stack.yml
+ no-fail-on-empty-changeset: '1'
+ parameter-overrides: >-
+ DomainName=docs.vapor.codes,
+ S3BucketName=${{ secrets.DOCS_S3_BUCKET_NAME }},
+ AcmCertificateArn=${{ secrets.CERTIFICATE_ARN }}
+ - name: Upload data to S3
+ run: |
+ aws s3 sync ./site 's3:https://${{ secrets.DOCS_S3_BUCKET_NAME }}' --no-progress --acl public-read
+ - name: Invalidate CloudFront
+ run: |
+ aws cloudfront create-invalidation --distribution-id '${{ secrets.DOCS_DISTRIBUTION_ID }}' --paths '/*'