Github action for mirroring repository content to an S3 bucket #47
Conversation
Here's a bash script you can use to make sure that all files are actually available on S3 (you could actually use it against any host, it's not S3-specific). If you run it in your local checkout of

For simplicity I did not make it use git ignore rules so make sure you have no stray unversioned files in there (e.g.

```bash
#!/usr/bin/env bash
set -e
s3_url="https://solc-bin.s3.eu-central-1.amazonaws.com"
tmp_dir="$(mktemp --directory)"
# Every regular file or symlink in the checkout, skipping paths that start with '.' or '_'.
readarray -t files < <(find . -type f,l -regex '\./[^._].*' -printf "%P\n" | sort)
missing_file_count=0
different_file_count=0
file_count=0
mkdir -p "$tmp_dir"
for file in "${files[@]}"; do
    printf "%s: " "$file"
    # --fail makes curl exit non-zero on HTTP errors (e.g. 404) instead of saving the error page.
    if ! curl "${s3_url}/${file}" --output "${tmp_dir}/${file}" --fail --silent --no-progress-meter --create-dirs; then
        echo MISSING
        ((++missing_file_count))
    else
        # Byte-for-byte comparison of the local file with the downloaded copy.
        if ! cmp --silent -- "$file" "${tmp_dir}/${file}"; then
            echo DIFFERENT
            ((++different_file_count))
        else
            echo OK
        fi
    fi
    rm "${tmp_dir}/${file}"
    ((++file_count))
done
rm -r "$tmp_dir"
echo "Total files: ${file_count}"
echo "Missing: ${missing_file_count}"
echo "Different: ${different_file_count}"
```
You can see the script in action in my fork of It's actually surprisingly fast. Even the full multi-GB upload takes only 5 min (plus another 5 for I have the action in my fork hooked up to the
Looks like the nightly action committing a new build does not trigger the S3 sync action. That's a limitation of github actions. I see two possible workarounds:
I think scheduling at roughly the right time is the better solution. We do not depend on this having a small delay - even 24 hours would be acceptable short-term.
9008acd to 27cdb4b
Fine. Scheduled to run at 1:00 now. And two more changes to account for S3 bucket updates not being atomic:
```yaml
- name: Wait for other instances of this workflow to finish
  # It's not safe to run two S3 sync operations concurrently with different files
  uses: softprops/turnstyle@v1
  with:
    same-branch-only: no
```
Unfortunately there's no way to tell github to run only one instance of the action at a time. As a workaround I used the turnstyle action.

Is it OK to use it? I looked at its code briefly and I didn't see anything nefarious. The docs say that giving it GITHUB_TOKEN is required but it seems to work without it just fine. So this PR should be completely safe (turnstyle can't access any secrets) but it's a third-party action so if we ever update it without reviewing the new code and we start putting any secrets (GITHUB_TOKEN or S3 keys) in env variables it could theoretically steal them and use them to modify files on github or in S3.
97d87a8 to 517e31c

517e31c to 4894a0f
Just one minor change: added
Below is our current S3/cloudfront config. I don't have a better place to put it and it's not important enough to be preserved in the repo but I'd like to be able to point someone at it if we ever need to revisit the configuration. There's nothing here that could not be recreated with some trial and error but some values I set were different from defaults so having a record of it may make things easier for us in the future.

S3 bucket

Bucket policy

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::solc-bin/*"
        },
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::solc-bin"
        }
    ]
}
```

EDIT 2021-01-07: originally the policy did not contain a permission for listing bucket contents and this made the server return HTTP 403 Forbidden (rather than 404) for missing files.

CORS configuration

```json
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]
```

Cloudfront

Values in bold differ from defaults or values pre-filled by Amazon.

General

EDIT 2021-03-12: we're serving

Origins and Origin Groups

EDIT 2021-09-14: Added

Behaviors

All behaviors have these settings in common:

EDIT 2021-09-06: Removed the behavior that disabled caching for list files.
Part of ethereum/solidity#9258.
The action is configured to run on every push to gh-pages and use the AWS CLI tool to sync modified files (which is determined by timestamps and file sizes).

Secrets

This action requires two secrets to be added in repository settings:

- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY

To get them: solc-bin-mirror-github-action > Security credentials. It will show you the key ID and secret. You can't see them again once you close the dialog - in that case just generate a new pair and delete the old one.

I created this user specifically for this action and its privileges are limited to reading/writing S3 buckets (note: all buckets, not just solc-bin). It can't access any other AWS services.
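As an added example (not code from the PR or the solc-bin project), a small offline audit of the two policies this thread touches: the public bucket policy quoted in the config comment above, which should grant only s3:GetObject and s3:ListBucket (the EDIT note explains why ListBucket matters for 403 vs 404), and the CI user's permissions, which the description says cover all buckets rather than just solc-bin. CI_USER_POLICY_BROAD and CI_USER_POLICY_SCOPED are constructed stand-ins, not the account's real IAM policies.

```python
"""Offline audit of the S3 policies behind the solc-bin mirror (added example,
not code from the PR). Flags public statements that are not read-only and
Allow statements not scoped to the mirror bucket."""

# Actions a statement with Principal "*" may grant: read-only access.
PUBLIC_READ_ACTIONS = {"s3:GetObject", "s3:ListBucket"}


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict, bucket: str) -> list:
    """Return findings for a policy document; an empty list means it passes."""
    findings = []
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    public_actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        if stmt.get("Principal") == "*":
            public_actions |= actions
            for action in sorted(actions - PUBLIC_READ_ACTIONS):
                findings.append(f"{sid}: public principal granted {action}")
        for res in sorted(resources - bucket_arns):
            findings.append(f"{sid}: {res} is not scoped to bucket {bucket}")
    if public_actions and "s3:ListBucket" not in public_actions:
        # Without public ListBucket, S3 answers 403 instead of 404 for missing keys.
        findings.append("no public s3:ListBucket: missing files return 403, not 404")
    return findings


# The bucket policy from the PR: public, read-only, scoped to solc-bin.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::solc-bin/*"},
    {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::solc-bin"}]}
# Constructed stand-in for a CI user policy that covers all buckets, as the PR describes.
CI_USER_POLICY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Sync", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Constructed least-privilege variant scoped to solc-bin (DeleteObject only needed with --delete).
CI_USER_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Sync", "Effect": "Allow", "Resource": ["arn:aws:s3:::solc-bin", "arn:aws:s3:::solc-bin/*"],
     "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]}]}
```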