diff --git a/.github/workflows/workflow-deploy-to-s3.yml b/.github/workflows/workflow-deploy-to-s3.yml
index 8b233d2..d5a45e9 100644
--- a/.github/workflows/workflow-deploy-to-s3.yml
+++ b/.github/workflows/workflow-deploy-to-s3.yml
@@ -3,6 +3,16 @@ name: Deploy Static Site to S3
 on:
 workflow_call:
 inputs:
+ target-branch:
+ description: "Branch to check out before syncing."
+ required: false
+ default: master
+ type: string
+ ref:
+ description: "Optional explicit git ref (commit SHA/tag/branch) to deploy; overrides target-branch when set."
+ required: false
+ default: ""
+ type: string
 bucket:
 description: "Destination S3 bucket name (without the s3:// prefix)."
 required: true
@@ -32,11 +42,6 @@ on:
 required: false
 default: true
 type: boolean
- cloudflare-api-token:
- description: "Optional Cloudflare API token with purge_cache permission."
- required: false
- default: ""
- type: string
 email-subject:
 description: "Subject for the SES notification email (defaults to bucket name)."
 required: false
@@ -47,16 +52,6 @@ on:
 required: false
 default: ""
 type: string
- email-from:
- description: "Sender address for SES notifications."
- required: false
- default: ""
- type: string
- email-to:
- description: "Recipient address for SES notifications."
- required: false
- default: ""
- type: string
 secrets:
 aws_access_key_id:
 description: "AWS access key for S3/SES."
@@ -67,6 +62,15 @@ on:
 aws_session_token:
 description: "Optional session token for temporary credentials."
 required: false
+ cloudflare_api_token:
+ description: "Token with purge_cache permission."
+ required: false
+ email_from:
+ description: "Sender address for SES notifications."
+ required: false
+ email_to:
+ description: "Recipient address for SES notifications."
+ required: false
 outputs:
 deployed:
 description: "True when the sync step completed."
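Review bot: `default: master` on the new `target-branch` input changes which commit is deployed for every existing caller that passes neither input. The checkout step patched later in this file had no `ref` before, so it used the caller's triggering commit; it now resolves to the tip of `master`, which means a run started from a tag or another branch publishes code that was not the code under test, and a repository whose default branch is not `master` fails at checkout. I would use `default: ""` here and let the checkout expression fall back to the caller's commit, `ref: ${{ inputs.ref || inputs.target-branch || github.sha }}`. A branch name is a moving ref, so the description could also say that a commit SHA is the value to pass for production deploys.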
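Review bot: The `cloudflare_api_token` description lost both "Optional" and "Cloudflare API" when the value moved from inputs to secrets, and none of the three new secrets says what happens when it is left unset. I would write `description: "Optional Cloudflare API token limited to cache purge on the target zone; the purge step is skipped when unset."` and add a matching "notification is skipped when unset" to `email_from` and `email_to`. Because the `cloudflare-api-token`, `email-from` and `email-to` inputs are removed in the same commit, callers still on the old interface will presumably be rejected at workflow validation, which is worth stating in the release notes for the next tag.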
@@ -88,6 +92,9 @@ jobs:
 steps:
 - name: Check out repository
 uses: actions/checkout@v4
+ with:
+ ref: ${{ inputs.ref != '' && inputs.ref || inputs.target-branch }}
+ fetch-depth: 0
 - name: Configure AWS credentials
 uses: aws-actions/configure-aws-credentials@v4
@@ -117,10 +124,10 @@ jobs:
 echo "deployed=true" >> "$GITHUB_OUTPUT"
 - name: Purge Cloudflare cache
- if: ${{ inputs.purge-cloudflare && inputs.cloudflare-zone-id != '' && inputs.cloudflare-api-token != '' }}
+ if: ${{ inputs.purge-cloudflare && inputs.cloudflare-zone-id != '' && env.CLOUDFLARE_API_TOKEN != '' }}
 env:
 CLOUDFLARE_ZONE_ID: ${{ inputs.cloudflare-zone-id }}
- CLOUDFLARE_API_TOKEN: ${{ inputs.cloudflare-api-token }}
+ CLOUDFLARE_API_TOKEN: ${{ secrets.cloudflare_api_token }}
 run: |
 set -euo pipefail
 curl -X POST "https://api.cloudflare.com/client/v4/zones/${CLOUDFLARE_ZONE_ID}/purge_cache" \
@@ -129,10 +136,10 @@ jobs:
 --data '{"purge_everything":true}'
 - name: Send SES notification
- if: ${{ inputs.email-from != '' && inputs.email-to != '' }}
+ if: ${{ env.EMAIL_FROM != '' && env.EMAIL_TO != '' }}
 env:
- EMAIL_FROM: ${{ inputs.email-from }}
- EMAIL_TO: ${{ inputs.email-to }}
+ EMAIL_FROM: ${{ secrets.email_from }}
+ EMAIL_TO: ${{ secrets.email_to }}
 CUSTOM_SUBJECT: ${{ inputs.email-subject }}
 CUSTOM_BODY: ${{ inputs.email-body }}
 run: |
diff --git a/README.md b/README.md
index c20d0fd..306fee1 100644
--- a/README.md
+++ b/README.md
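Review bot: The new `with:` block on the checkout step leaves `persist-credentials` at its default, so `actions/checkout@v4` writes the job token into `.git/config` of the tree that a later step syncs to S3, and `fetch-depth: 0` additionally pulls the full history into that tree. If `source` can ever point at the repository root and the sync command (outside this hunk) does not exclude `.git`, both end up in the bucket. I would add `persist-credentials: false` and drop `fetch-depth: 0` unless a build step needs history. The steps list continues outside the hunk.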
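Review bot: With the token test now `env.CLOUDFLARE_API_TOKEN != ''`, a caller that sets `purge-cloudflare` and a zone id but has not mapped the `cloudflare_api_token` secret gets a skipped step and a green run with a stale cache; the SES step in the next hunk skips the same way on `env.EMAIL_FROM` and `env.EMAIL_TO`. For the purge I would drop the token test from `if:` and fail in the script instead, `: "${CLOUDFLARE_API_TOKEN:?cloudflare_api_token secret is not set}"`, or at least emit `echo "::warning::Cloudflare purge requested but cloudflare_api_token is empty"` from a companion step. The `curl` call spans lines outside this hunk, so I cannot tell whether it passes `--fail`; without it a rejected token would also leave the step green.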
@@ -141,18 +141,20 @@ Syncs a directory to an S3 bucket with optional Cloudflare cache purge and SES n
 - `source` (default `public`): local directory to sync.
 - `aws-region` (default `us-west-2`): region for S3/SES calls.
 - `delete-extra-files` (default `true`): remove objects not present locally.
+- `target-branch` (default `master`): branch to check out before syncing.
+- `ref` (optional): explicit git ref (commit SHA/tag/branch) to deploy; overrides `target-branch` when set.
 - `cloudflare-zone-id` (optional): zone to purge after deploy.
 - `purge-cloudflare` (default `true`): whether to purge the zone when credentials are provided.
-- `cloudflare-api-token` (optional): Cloudflare token (pass a secret from the caller).
 - `email-subject` (optional): SES email subject (defaults to the bucket name).
 - `email-body` (optional): SES email body (defaults to an auto-generated message).
-- `email-from` (optional): sender address for SES notifications (pass a secret from the caller).
-- `email-to` (optional): recipient address for SES notifications (pass a secret from the caller).
 **Secrets**
 - `aws_access_key_id` (required)
 - `aws_secret_access_key` (required)
 - `aws_session_token` (optional)
+- `cloudflare_api_token` (optional)
+- `email_from` (optional)
+- `email_to` (optional)
 **Outputs**
 - `deployed`: `true` when the S3 sync completes.
@@ -164,18 +166,19 @@ jobs:
 needs: tests
 uses: vinitu-net/github-workflows/.github/workflows/workflow-deploy-to-s3.yml@vX.Y.Z
 with:
+ ref: ${{ github.sha }}
 bucket: www.example.com
 source: public
 aws-region: us-west-2
 delete-extra-files: true
 cloudflare-zone-id: ${{ secrets.CLOUDFLARE_ZONE_ID }}
- cloudflare-api-token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
 email-subject: "Site deployed"
- email-from: ${{ secrets.EMAIL_FROM }}
- email-to: ${{ secrets.EMAIL_TO }}
 secrets:
 aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ cloudflare_api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
+ email_from: ${{ secrets.EMAIL_FROM }}
+ email_to: ${{ secrets.EMAIL_TO }}
 ```
 ### End-to-end usage in a caller repo