Remove secrets, use OIDC with AWS instead

Author: prognostikos

.github/workflows/publish.yml

@@ -1,10 +1,13 @@
 name: Publish to developers.betternow.org
 on: [push]
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
   build:
+    name: Build and Deploy
     runs-on: ubuntu-latest
-    environment: deploy
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -17,16 +20,12 @@ jobs:
       - name: Build site
         run: |
           bin/build
-      - name: Sync to S3 & Invalidate Cloudfront Distribution
-        uses: raulanatol/aws-s3-docker-action@51bf48df23ad1577542b86c6541dcaaec4d8df31
-        env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          AWS_REGION: "eu-west-1"
-          AWS_BUCKET_NAME: "developer-betternow-site"
-          SOURCE: build
-          TARGET: ""
-          WITH_DELETE: true
-          WITH_CLOUD_FRONT_INVALIDATION: true
-          AWS_CLOUDFRONT_DISTRIBUTION_ID: ${{ secrets.AWS_CLOUDFRONT_DISTRIBUTION_ID }}
-          AWS_CLOUDFRONT_INVALIDATION_PATH: /
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: arn:aws:iam::357932486739:role/developer-docs-deployer
+          role-session-name: deploydeveloperdocs
+          aws-region: eu-west-1
+      - name: Deploy the site
+        run: |
+          bin/deploy

bin/deploy

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -e
+set -o pipefail
+
+SOURCE_DIR=${SOURCE_DIR:-build}
+BUCKET=${BUCKET:-s3://developer-betternow-site/}
+AWS_CLOUDFRONT_DISTRIBUTION_ID=${AWS_CLOUDFRONT_DISTRIBUTION_ID:-E1GR0YW1J3YFRL}
+INVALIDATION_PATHS=${INVALIDATION_PATHS:-/}
+
+aws s3 sync "${SOURCE_DIR}" "${BUCKET}" --with-delete
+
+aws cloudfront create-invalidation \
+  --distribution-id "${AWS_CLOUDFRONT_DISTRIBUTION_ID}" \
+  --paths "${INVALIDATION_PATHS}"