Default to us-east-1 region and clear credentials after sync is done.

Author: jakejarvis

Dockerfile

@@ -5,13 +5,13 @@ LABEL "com.github.actions.description"="Sync a directory to an AWS S3 repository
 LABEL "com.github.actions.icon"="refresh-cw"
 LABEL "com.github.actions.color"="green"
 
-LABEL version="0.4.0"
+LABEL version="0.5.0"
 LABEL repository="https://github.com/jakejarvis/s3-sync-action"
 LABEL homepage="https://jarv.is/"
 LABEL maintainer="Jake Jarvis <[email protected]>"
 
 # https://github.com/aws/aws-cli/blob/master/CHANGELOG.rst
-ENV AWSCLI_VERSION='1.16.262'
+ENV AWSCLI_VERSION='1.16.265'
 
 RUN pip install --quiet --no-cache-dir awscli==${AWSCLI_VERSION}
 

README.md

@@ -11,11 +11,20 @@ This simple action uses the [vanilla AWS CLI](https://docs.aws.amazon.com/cli/in
 
 Place in a `.yml` file such as this one in your `.github/workflows` folder. [Refer to the documentation on workflow YAML syntax here.](https://help.github.com/en/articles/workflow-syntax-for-github-actions)
 
-As of v0.3.0, all [`aws s3 sync` flags](https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html) are optional to allow for maximum customizability (that's a word, I promise) and must be provided by you via `args:`. The optimal defaults for a static website are set in this example: `--acl public-read` makes your files publicly readable, `--follow-symlinks` won't hurt and fixes some weird symbolic link problems that may come up, and most importantly, `--delete` **permanently deletes** files in the S3 bucket that are **not** present in the latest version of your repository/build.
+As of v0.3.0, all [`aws s3 sync` flags](https://docs.aws.amazon.com/cli/latest/reference/s3/sync.html) are optional to allow for maximum customizability (that's a word, I promise) and must be provided by you via `args:`. The optimal defaults for a static website are set in this example:
+
+- `--acl public-read` makes your files publicly readable (make sure your [bucket settings are also set to public](https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteAccessPermissionsReqd.html)).
+- `--follow-symlinks` won't hurt and fixes some weird symbolic link problems that may come up.
+- Most importantly, `--delete` **permanently deletes** files in the S3 bucket that are **not** present in the latest version of your repository/build.
+- If you're syncing the root of your repository, `--exclude '.git/*'` prevents your `.git` folder from syncing, which would expose your source code history if your project is closed-source.
 
 ```yaml
-name: Sync Bucket
-on: push
+name: Upload Website
+
+on:
+  push:
+    branches:
+    - master
 
 jobs:
   deploy:
@@ -24,13 +33,13 @@ jobs:
     - uses: actions/checkout@master
     - uses: jakejarvis/s3-sync-action@master
       with:
-        args: --acl public-read --follow-symlinks --delete
+        args: --acl public-read --follow-symlinks --delete --exclude '.git/*'
       env:
-        SOURCE_DIR: './public'
-        AWS_REGION: 'us-east-1'
         AWS_S3_BUCKET: ${{ secrets.AWS_S3_BUCKET }}
         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        AWS_REGION: 'us-west-1'   # optional: defaults to us-east-1
+        SOURCE_DIR: 'public'    # optional: defaults to entire repository
 ```
 
 
@@ -42,11 +51,11 @@ The following settings must be passed as environment variables as shown in the e
 | ------------- | ------------- | ------------- | ------------- | ------------- |
 | `AWS_ACCESS_KEY_ID` | Your AWS Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret` | **Yes** | N/A |
 | `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret` | **Yes** | N/A |
-| `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is`. | `secret` | **Yes** | N/A |
-| `AWS_REGION` | The region where you created your bucket in. For example, `us-east-1`. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | **Yes** | N/A |
-| `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for VPC scenarios or for S3 compliant products like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | AWS |
-| `SOURCE_DIR` | The local directory you wish to sync/upload to S3. For example, `./public` | `env` | No | `.` |
-| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. Eg: `my_project/assets`.  | `env` | No | `/` |
+| `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret` | **Yes** | N/A |
+| `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` |
+| `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) |
+| `SOURCE_DIR` | The local directory you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) |
+| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` |
 
 
 ## License

entrypoint.sh

@@ -17,22 +17,18 @@ if [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
   exit 1
 fi
 
+# Default to us-east-1 if AWS_REGION not set.
 if [ -z "$AWS_REGION" ]; then
-  echo "AWS_REGION is not set. Quitting."
-  exit 1
+  AWS_REGION="us-east-1"
 fi
 
-# Default to CLI defined AWS endpoint
-ENDPOINT_APPEND=""
-if [ "$AWS_S3_ENDPOINT" ]; then
+# Override default AWS endpoint if user sets AWS_S3_ENDPOINT.
+if [ -n "$AWS_S3_ENDPOINT" ]; then
   ENDPOINT_APPEND="--endpoint-url $AWS_S3_ENDPOINT"
 fi
 
-# Default to syncing entire repo if SOURCE_DIR not set.
-SOURCE_DIR=${SOURCE_DIR:-.}
-
-# Create a dedicated profile for this action to avoid
-# conflicts with other actions.
+# Create a dedicated profile for this action to avoid conflicts
+# with past/future actions.
 # https://github.com/jakejarvis/s3-sync-action/issues/1
 aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1
 ${AWS_ACCESS_KEY_ID}
@@ -41,8 +37,20 @@ ${AWS_REGION}
 text
 EOF
 
-# Use our dedicated profile and suppress verbose messages.
-# All other flags are optional via `args:` directive.
-sh -c "aws s3 sync ${SOURCE_DIR} s3://${AWS_S3_BUCKET}/${DEST_DIR} \
-              --profile s3-sync-action ${ENDPOINT_APPEND} \
-              --no-progress $*"
+# Sync using our dedicated profile and suppress verbose messages.
+# All other flags are optional via the `args:` directive.
+sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \
+              --profile s3-sync-action \
+              --no-progress \
+              ${ENDPOINT_APPEND} $*"
+
+# Clear out credentials after we're done.
+# We need to re-run `aws configure` with bogus input instead of
+# deleting ~/.aws in case there are other credentials living there.
+# https://forums.aws.amazon.com/thread.jspa?threadID=148833
+aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1
+null
+null
+null
+text
+EOF