v2.0.0

New Features

• Tag-based targeting — new targets input to target instances by EC2 tags or resource groups instead of instance IDs (Key=tag:env,Values=prod)
• Command output streaming — new wait-for-output input polls SSM and streams stdout/stderr per instance directly into the Actions log
• Wait timeout — new wait-timeout input (1–3600s) controls how long to wait for output
• Custom SSM documents — new document-name input supports AWS-RunPowerShellScript for Windows, custom documents, and full document ARNs
• GovCloud & ISO region support — aws-region now accepts GovCloud, ISO, and ISO-B regions
• New output action output — combined stdout from all instances when wait-for-output is true

Improvements

• Strict input validation for all fields before any AWS API call
• Unit tests covering all validation paths
• Ready-to-use example workflows in examples/ (OIDC, tag targeting, multi-instance, Windows PowerShell, static credentials)

Breaking Changes

• instance-ids is no longer required — exactly one of instance-ids or targets must be provided

v1.0.2

What's changed

This is the initial stable release of aws-ssm-action — a ground-up rewrite with modern tooling, OIDC-first authentication, and a strong security baseline.

Features

• OIDC authentication — works natively with aws-actions/configure-aws-credentials; no long-lived secrets required
• Static credential fallback — pass aws-access-key-id, aws-secret-access-key, and optionally aws-session-token when OIDC is not available
• Credential masking — all static credentials are immediately masked via core.setSecret() before any logging occurs
• Multi-line commands — use YAML block scalars (command: |) to run multiple commands sequentially; SSM stops on first non-zero exit
• Multi-instance targeting — newline-separated instance-ids with a hard cap of 50 instances per dispatch
• Strict input validation — region, instance IDs, and working directory are validated with tight regex patterns before any AWS call is made
• command-id output — exposes the SSM Run Command UUID for downstream steps (status polling, audit trails)
• Node 24 runtime — runs on node24, GitHub's latest supported Actions runtime
• AWS SDK v3 — uses @aws-sdk/client-ssm v3 (modular, tree-shakeable, actively maintained)
• Self-contained bundle — built with Bun; dist/index.js ships as a single minified file with no runtime dependencies
• Supply chain protection — all workflows install safe-chain (SHA256-verified) before bun install to block newly published packages
• Immutable releases — every release is tagged and the floating v1 major tag is force-pushed; pin by commit SHA for fully reproducible builds

Usage

Pin to this exact release:

uses: zAbuQasem/aws-ssm-action@0aec02fd68b1c7fe1af3f3d49bc375487ba01c27 # v1.0.2

v1.0.1

Usage

Pin to this exact release:

uses: zAbuQasem/aws-ssm-action@3b8e465c00205ecdcee3a55db53b4d6de1177244 # v1.0.1

Or use the floating major tag (updates automatically):

uses: zAbuQasem/aws-ssm-action@v1

What's changed

Bug Fixes

• remove dist/index.js release asset — not needed for GitHub Actions (3b8e465)

v1.0.0

Usage

Pin to this exact release:

uses: zAbuQasem/aws-ssm-action@41b322cd1a20c1c55760faa110ca9d54ecfe550a # v1.0.0

Or use the floating major tag (updates automatically):

uses: zAbuQasem/aws-ssm-action@v1

What's changed

Features

• Enhance AWS SSM command execution with session token support and input validation (9c86dc4)

Bug Fixes

• reset MINIMUM_PACKAGE_AGE_HOURS to 0 in release workflow (41b322c)
• correct env var syntax for SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS (699b5c3)
• standardize SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS usage across workflows (b9880f1)
• standardize MINIMUM_PACKAGE_AGE_HOURS usage across workflows (b261d33)
• standardize SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS usage across workflows (b4fda5a)
• update safe-chain installation in tester.yml (bca8180)
• remove invalid safe-chain installer flag, set age check to 0 in test workflow (9906c2b)

Chores

• set FORCE_JAVASCRIPT_ACTIONS_TO_NODE24 across all workflows (56792c7)

This is the first release.

latest

What's changed

This is the initial stable release of aws-ssm-action — a ground-up rewrite with modern tooling, OIDC-first authentication, and a strong security baseline.

Features

• OIDC authentication — works natively with aws-actions/configure-aws-credentials; no long-lived secrets required
• Static credential fallback — pass aws-access-key-id, aws-secret-access-key, and optionally aws-session-token when OIDC is not available
• Credential masking — all static credentials are immediately masked via core.setSecret() before any logging occurs
• Multi-line commands — use YAML block scalars (command: |) to run multiple commands sequentially; SSM stops on first non-zero exit
• Multi-instance targeting — newline-separated instance-ids with a hard cap of 50 instances per dispatch
• Strict input validation — region, instance IDs, and working directory are validated with tight regex patterns before any AWS call is made
• command-id output — exposes the SSM Run Command UUID for downstream steps (status polling, audit trails)
• Node 24 runtime — runs on node24, GitHub's latest supported Actions runtime
• AWS SDK v3 — uses @aws-sdk/client-ssm v3 (modular, tree-shakeable, actively maintained)
• Self-contained bundle — built with Bun; dist/index.js ships as a single minified file with no runtime dependencies
• Supply chain protection — all workflows install safe-chain (SHA256-verified) before bun install to block newly published packages
• Immutable releases — every release is tagged and the floating v1 major tag is force-pushed; pin by commit SHA for fully reproducible builds