Mad-Pixels
diff --git a/‎actions/aws-cloudfront-invalidation/examples/base.yml‎
Lines changed: 20 additions & 0 deletions b/‎actions/aws-cloudfront-invalidation/examples/base.yml‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎actions/aws-cloudfront-invalidation/readme.md‎
Lines changed: 63 additions & 0 deletions b/‎actions/aws-cloudfront-invalidation/readme.md‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎actions/aws-lambda-restart/examples/base.yml‎
Lines changed: 22 additions & 0 deletions b/‎actions/aws-lambda-restart/examples/base.yml‎
Lines changed: 22 additions & 0 deletions
diff --git a/‎actions/aws-lambda-restart/readme.md‎
Lines changed: 83 additions & 0 deletions b/‎actions/aws-lambda-restart/readme.md‎
Lines changed: 83 additions & 0 deletions
diff --git a/‎actions/aws-s3-sync/examples/base.yml‎
Lines changed: 46 additions & 0 deletions b/‎actions/aws-s3-sync/examples/base.yml‎
Lines changed: 46 additions & 0 deletions
diff --git a/‎actions/aws-s3-sync/readme.md‎
Lines changed: 72 additions & 0 deletions b/‎actions/aws-s3-sync/readme.md‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎actions/aws-terraform-runner/action.yml‎
Lines changed: 21 additions & 5 deletions b/‎actions/aws-terraform-runner/action.yml‎
Lines changed: 21 additions & 5 deletions
@@ -0,0 +1,20 @@
+---
+name: Invalidate CloudFront Cache
+
+on:
+  workflow_dispatch:
+
+jobs:
+  invalidate:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Invalidate CloudFront Cache
+        uses: Mad-Pixels/github-workflows/actions/cloudfront-invalidation@v1
+        with:
+          aws_region: us-east-1
+          role_to_assume: arn:aws:iam::123456789012:role/GHA-OIDC
+          distribution_id: E1234567890ABC
+          paths: "/* /index.html /assets/*"
@@ -0,0 +1,63 @@
+# ⚡️ CloudFront Invalidation
+Create a CloudFront invalidation to purge cached content after deploys. Supports OIDC or static AWS credentials, multiple paths (space‑separated), optional custom caller reference, and rich summary output.
+
+## ✅ Features
+- Create invalidations for one or many paths (supports wildcards)
+- Auto‑generated caller reference (or provide your own)
+- OIDC role assumption or static AWS credentials
+- Input validation (distribution ID format, path count, path prefixes)
+- Summary output with invalidation ID, status, and paths
+
+## 📖 Related Documentation
+- CloudFront Invalidation API: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html
+- AWS CLI cloudfront create‑invalidation: https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-invalidation.html
+- GitHub OIDC for AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
+
+## 🚀 Prerequisites
+Your workflow must:
+- Run on `ubuntu-latest` with AWS CLI and `jq` available
+- Provide AWS credentials (static keys) or OIDC role assumption
+- Have a valid CloudFront distribution ID
+
+## 🔧 Quick Example
+```yaml
+name: Invalidate CloudFront Cache
+
+on:
+  workflow_dispatch:
+
+jobs:
+  invalidate:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Create invalidation via OIDC
+        uses: Mad-Pixels/github-workflows/actions/cloudfront-invalidation@v1
+        with:
+          aws_region: us-east-1
+          role_to_assume: arn:aws:iam::123456789012:role/GHA-OIDC
+          distribution_id: E1234567890ABC
+          paths: "/* /index.html /assets/*"
+```
+
+## 📥 Inputs
+| **Name**           | **Required** | **Description**                                                                                         | **Default** |
+|--------------------|--------------|---------------------------------------------------------------------------------------------------------|-------------|
+| `aws_access_key`   | ❌ No        | AWS access key ID (optional if using OIDC)                                                               | -           |
+| `aws_secret_key`   | ❌ No        | AWS secret access key (optional if using OIDC)                                                           | -           |
+| `aws_region`       | ✅ Yes       | AWS region (used by the CLI)                                                                             | -           |
+| `role_to_assume`   | ❌ No        | AWS IAM role ARN to assume (OIDC)                                                                        | -           |
+| `distribution_id`  | ✅ Yes       | CloudFront distribution ID (format: E + 13 alphanumeric chars, e.g. `E1234567890ABC`)                   | -           |
+| `paths`            | ❌ No        | Space‑separated list of paths to invalidate (must start with `/`; max 1000 entries; wildcards allowed)   | `/*`        |
+| `caller_reference` | ❌ No        | Custom caller reference for idempotency (auto‑generated if not provided)                                 | -           |
+
+## 📤 Outputs
+| **Name**          | **Description**                   |
+|-------------------|-----------------------------------|
+| `invalidation_id` | ID of the created invalidation    |
+| `status`          | Status returned by CloudFront     |
+
+## 📋 Examples
+[View example →](./examples/base.yml)
@@ -0,0 +1,22 @@
+name: Restart Lambda
+
+on:
+  workflow_dispatch:
+
+jobs:
+  lambda-restart:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Restart Lambda with specific image
+        uses: Mad-Pixels/github-workflows/actions/lambda-restart@v1
+        with:
+          aws_region: us-east-1
+          aws_account_id: 123456789012
+          role_to_assume: arn:aws:iam::123456789012:role/GHA-OIDC
+          function_name: my-service-prod
+          repository: my-service
+          image_tag: latest
+          wait_for_update: 'true'
@@ -0,0 +1,83 @@
+# 🚀 Lambda Restart
+Update an AWS Lambda function to a new container image (ECR). Supports direct `image_uri` or `repository` + `image_tag`, OIDC or static AWS credentials, and optional wait for completion.
+
+## ✅ Features
+- Update Lambda to a specific container image (ECR)
+- Accept either full `image_uri` or `repository` + `image_tag`
+- AWS auth via OIDC role assumption or static credentials
+- Validates Lambda existence before update
+- Optional wait until function update completes
+- Summary output with key details
+
+## 📖 Related Documentation
+- AWS Lambda container images: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html
+- Update function code (CLI): https://docs.aws.amazon.com/cli/latest/reference/lambda/update-function-code.html
+- ECR repositories and images: https://docs.aws.amazon.com/AmazonECR/latest/userguide/what-is-ecr.html
+- GitHub OIDC for AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
+
+## 🚀 Prerequisites
+Your workflow must:
+- Run on `ubuntu-latest` with AWS CLI and `jq` available
+- Provide AWS credentials or an assumable IAM role
+- Ensure the target ECR image exists and the Lambda function is configured for images
+
+## 🔧 Quick Example
+```yaml
+name: Restart Lambda
+
+on:
+  workflow_dispatch:
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Update Lambda to specific image URI (OIDC)
+        uses: Mad-Pixels/github-workflows/actions/lambda-restart@v1
+        with:
+          aws_region: us-east-1
+          aws_account_id: 123456789012
+          role_to_assume: arn:aws:iam::123456789012:role/GHA-OIDC
+          function_name: my-service-prod
+          image_uri: 123456789012.dkr.ecr.us-east-1.amazonaws.com/my-service@sha256:deadbeef
+          wait_for_update: 'true'
+
+      # Alternative: use repository + tag instead of full image_uri
+      # - name: Update Lambda with repository/tag
+      #   uses: Mad-Pixels/github-workflows/actions/lambda-restart@v1
+      #   with:
+      #     aws_region: us-east-1
+      #     aws_account_id: 123456789012
+      #     role_to_assume: arn:aws:iam::123456789012:role/GHA-OIDC
+      #     function_name: my-service-prod
+      #     repository: my-service
+      #     image_tag: latest
+      #     wait_for_update: 'true'
+```
+
+## 📥 Inputs
+| **Name**                 | **Required** | **Description**                                                                      | **Default** |
+|--------------------------|--------------|--------------------------------------------------------------------------------------|-------------|
+| `aws_access_key_id`      | ❌ No        | AWS access key ID (optional if using OIDC)                                           | -           |
+| `aws_secret_access_key`  | ❌ No        | AWS secret access key (optional if using OIDC)                                       | -           |
+| `aws_region`             | ✅ Yes       | AWS region                                                                           | -           |
+| `aws_account_id`         | ✅ Yes       | AWS account ID (12 digits)                                                           | -           |
+| `role_to_assume`         | ❌ No        | AWS IAM role ARN to assume (for OIDC authentication)                                 | -           |
+| `function_name`          | ✅ Yes       | Full Lambda function name                                                            | -           |
+| `image_uri`              | ❌ No        | Full ECR image URI (overrides `repository`/`image_tag` when provided)                | -           |
+| `repository`             | ❌ No        | ECR repository name (used if `image_uri` not provided)                               | -           |
+| `image_tag`              | ❌ No        | ECR image tag (used with `repository`)                                               | `latest`    |
+| `wait_for_update`        | ❌ No        | Wait for function update to complete (`true`/`false`)                                 | `true`      |
+
+## 📤 Outputs
+| **Name**         | **Description**                         |
+|------------------|-----------------------------------------|
+| `function_arn`   | Lambda function ARN                     |
+| `last_modified`  | Function last modified timestamp        |
+| `code_sha256`    | Lambda code SHA256                      |
+
+## 📋 Examples
+[View example →](./examples/base.yml)
@@ -0,0 +1,46 @@
+name: Sync Directory to S3
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  sync-to-s3:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write   # required if using role_to_assume (OIDC)
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      # Example: build static site into ./dist (optional)
+      # - name: Build site
+      #   run: |
+      #     npm ci
+      #     npm run build
+
+      - name: Sync ./dist to S3 via OIDC
+        uses: Mad-Pixels/github-workflows/actions/s3-sync@v1
+        with:
+          aws_region: us-east-1
+          role_to_assume: arn:aws:iam::123456789012:role/GHA-OIDC-Deploy
+          bucket_name: my-static-site-bucket
+          source_dir: dist
+          bucket_prefix: web
+          delete_removed: 'true'
+          exclude_patterns: ".git/* .github/* .DS_Store"
+          cache_control: "public, max-age=31536000, immutable"
+
+      # Example for static credentials instead of OIDC:
+      # - name: Sync using static keys
+      #   uses: Mad-Pixels/github-workflows/actions/s3-sync@v1
+      #   with:
+      #     aws_access_key: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      #     aws_secret_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      #     aws_region: us-east-1
+      #     bucket_name: my-static-site-bucket
+      #     source_dir: dist
+      #     bucket_prefix: web
+      #     delete_removed: 'true'
@@ -0,0 +1,72 @@
+# ☁️ Sync Directory to S3
+Upload a local directory to an Amazon S3 bucket with optional key prefix, deletion of removed files, exclude patterns, and cache headers.
+
+## ✅ Features
+- Sync any local directory to S3 with optional prefix subpath
+- Optional deletion of objects missing in source (keep destination clean)
+- Exclude files via space‑separated patterns (e.g., ".git/* *.tmp")
+- Optional Cache-Control header applied to uploaded objects
+- Works with AWS OIDC role assumption or static credentials
+- Summary with counts (uploaded/deleted) and total size
+
+## 📖 Related Documentation
+- AWS CLI S3 sync: https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html
+- S3 bucket naming rules: https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
+- GitHub OIDC for AWS: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
+
+## 🚀 Prerequisites
+Your workflow must:
+- Run on `ubuntu-latest` with AWS CLI available
+- Provide AWS credentials (static keys) or OIDC role assumption
+- Ensure the target S3 bucket already exists and is accessible
+
+## 🔧 Quick Example
+name: Sync Web Assets to S3
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  s3-sync:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write      # required only if using role_to_assume (OIDC)
+      contents: read
+    steps:
+      - name: Sync dist/ to S3 (OIDC)
+        uses: Mad-Pixels/github-workflows/actions/s3-sync@v1
+        with:
+          aws_region: us-east-1
+          role_to_assume: arn:aws:iam::123456789012:role/GHA-OIDC-Deploy
+          bucket_name: my-static-site-bucket
+          source_dir: dist
+          bucket_prefix: web
+          delete_removed: 'true'
+          exclude_patterns: ".git/* .github/* .DS_Store"
+          cache_control: "public, max-age=31536000, immutable"
+
+## 📥 Inputs
+| **Name**           | **Required** | **Description**                                                                                  | **Default**                                |
+|--------------------|--------------|--------------------------------------------------------------------------------------------------|--------------------------------------------|
+| `aws_access_key`   | ❌ No        | AWS access key ID (optional if using OIDC)                                                       | -                                          |
+| `aws_secret_key`   | ❌ No        | AWS secret access key (optional if using OIDC)                                                   | -                                          |
+| `role_to_assume`   | ❌ No        | AWS IAM role ARN to assume (OIDC)                                                                | -                                          |
+| `aws_region`       | ✅ Yes       | AWS region                                                                                        | -                                          |
+| `bucket_name`      | ✅ Yes       | Target S3 bucket name                                                                             | -                                          |
+| `source_dir`       | ✅ Yes       | Local path to sync                                                                                | -                                          |
+| `bucket_prefix`    | ❌ No        | Optional subpath prefix inside the bucket (trimmed of leading/trailing slashes)                  | `""`                                       |
+| `delete_removed`   | ❌ No        | Remove objects in S3 that are not present in `source_dir` (`true`/`false`)                       | `true`                                     |
+| `exclude_patterns` | ❌ No        | Space‑separated exclude patterns passed to `aws s3 sync --exclude`                               | `.git/* .github/* .gitignore .gitattributes` |
+| `cache_control`    | ❌ No        | Value for `Cache-Control` header applied to uploads                                              | -                                          |
+
+## 📤 Outputs
+| **Name**          | **Description**                          |
+|-------------------|------------------------------------------|
+| `files_uploaded`  | Number of uploaded files                 |
+| `files_deleted`   | Number of deleted files                  |
+| `total_size`      | Total size in bytes of local files synced |
+| `s3_url`          | Final S3 sync URL (e.g., `s3://bucket/prefix`) |
+
+## 📋 Examples
+[View example →](./examples/base.yml)
@@ -1,6 +1,6 @@
 ---
 name: 'Terraform Runner'
-description: 'Invoke terraform actions'
+description: 'Invoke terraform actions with S3 backend and optional AWS OIDC authentication'
 
 inputs:
   aws_access_key_id:
@@ -54,7 +54,7 @@ runs:
         fetch-depth: 1
 
     - name: Configure AWS authentication
-      uses: Mad-Pixels/github-workflows/internal/aws-auth@main
+      uses: Mad-Pixels/github-workflows/internal/aws-auth@v1
       with:
         aws_secret_key: ${{ inputs.aws_secret_access_key }}
         aws_access_key: ${{ inputs.aws_access_key_id }}
@@ -107,24 +107,34 @@ runs:
       run: terraform validate
 
     - name: Run Terraform Command
+      id: tf-run
       shell: bash
       working-directory: ${{ inputs.tf_dir }}
       run: |
         case "${{ inputs.tf_command }}" in
           plan)
-            terraform plan -input=false ${{ inputs.tf_vars }}
+            terraform plan -input=false -lock-timeout=300s -out=tfplan ${{ inputs.tf_vars }}
             ;;
           apply)
-            terraform apply -input=false -auto-approve ${{ inputs.tf_vars }}
+            terraform apply -input=false -auto-approve -lock-timeout=300s ${{ inputs.tf_vars }}
             ;;
           destroy)
-            terraform destroy -input=false -auto-approve ${{ inputs.tf_vars }}
+            terraform destroy -input=false -auto-approve -lock-timeout=300s ${{ inputs.tf_vars }}
             ;;
           *)
             echo "❌ Unknown tf_command: ${{ inputs.tf_command }}" >&2
             exit 1
             ;;
         esac
+
+    - name: Upload plan artifact
+      if: inputs.tf_command == 'plan'
+      uses: actions/upload-artifact@v4
+      with:
+        name: terraform-plan
+        path: ${{ inputs.tf_dir }}/tfplan
+        if-no-files-found: error
+
     - name: Terraform Summary
       shell: bash
       run: |
@@ -135,3 +145,9 @@ runs:
         echo "- Directory: \`${{ inputs.tf_dir }}\`" >> "$GITHUB_STEP_SUMMARY"
         echo "- Workspace: \`$WORKSPACE\`" >> "$GITHUB_STEP_SUMMARY"
         echo "- Terraform version: \`${{ inputs.tf_version }}\`" >> "$GITHUB_STEP_SUMMARY"
+
+        if [ "${{ inputs.tf_command }}" = "plan" ]; then
+          echo "" >> "$GITHUB_STEP_SUMMARY"
+          echo "### 📄 Plan Diff" >> "$GITHUB_STEP_SUMMARY"
+          terraform show -no-color ${{ inputs.tf_dir }}/tfplan >> "$GITHUB_STEP_SUMMARY"
+        fi