A GitHub Workflow Action for invalidating CloudFront distribution paths with enhanced validation and error handling.
- Enhanced Validation: Comprehensive input validation for distribution IDs, paths, and AWS credentials
- Structured Logging: Detailed logging with timestamps for better debugging and monitoring
- Security Improvements: Input sanitization and validation to prevent injection attacks
- Error Handling: Proper error handling with specific error messages
- Path Validation: Validation of path format, length, and quantity limits
- AWS Region Support: Automatic region detection and validation
- Debug Mode: Enhanced debugging capabilities with detailed output
- name: Invalidate CloudFront
uses: chetan/invalidate-cloudfront-action@v2
env:
DISTRIBUTION: ${{ secrets.DISTRIBUTION }}
PATHS: "/index.html"
AWS_REGION: "us-east-1"
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}- name: Invalidate CloudFront with Debug
uses: chetan/invalidate-cloudfront-action@v2
env:
DISTRIBUTION: ${{ secrets.DISTRIBUTION }}
PATHS: "/ /index.html /css/* /js/*"
AWS_REGION: "us-east-1"
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
DEBUG: "1"See also a sample workflow which illustrates a static site build and deploy.
| Param | Required? | Description |
|---|---|---|
| PATHS | yes* | A list of one or more space-separated paths to invalidate |
| PATHS_FROM | yes* | Filename to read list of paths from |
| DISTRIBUTION | yes | CloudFront distribution ID to operate on, e.g., 'EDFDVBD6EXAMPLE' |
| AWS_REGION | yes | AWS Region to operate in |
| AWS_ACCESS_KEY_ID | yes | Access key with necessary permissions to invalidate objects in the target distribution (see below) |
| AWS_SECRET_ACCESS_KEY | yes | Secret key |
| DEBUG | no | When set to "1", prints detailed debug information for troubleshooting purposes |
Note: either PATHS or PATHS_FROM is required. PATHS_FROM will
overwrite PATHS if both are set.
The action now includes comprehensive validation:
- Distribution ID: Must be a valid CloudFront distribution ID format (E + 13 alphanumeric characters)
- AWS Region: Must be a valid AWS region format (e.g., us-east-1, eu-west-1)
- Paths:
- Must start with
/ - Maximum 255 characters per path
- Maximum 3000 paths per invalidation
- Cannot be empty
- Must start with
- AWS Credentials: Both access key and secret key must be provided
See also: AWS CLI reference
Paths are passed directly to the aws cli create-invalidation command and so
must be a proper space-separated list of paths. Examples:
PATHS=/index.html
PATHS=/ /index.html /foo/bar/bazAlternatively, you can write the list of files to invalidate to a file which will then be slurped into the PATHS variable. This lets you use some other method to dynamically generate the list of files based on the commit, etc. Example workflow steps:
- name: checkout dist
uses: actions/checkout@master
with:
ref: dist
# need at least 2 here so we can get a proper log in next step
fetch-depth: 2
- name: get updated files
run: |
# allow grep to fail
set +e
FILES=$(git log --stat="1000" -1 | grep '|' | awk '{print "/"$1}' | grep -e '\.html$')
set -e
[ -z "$FILES" ] && touch .updated_files && exit 0
for file in $FILES; do
echo $file
# add bare directory to list of updated paths when we see index.html
[[ "$file" == *"/index.html" ]] && echo $file | sed -e 's/\/index.html$/\//'
done | sort | uniq | tr '\n' ' ' > .updated_files
- name: invalidate
uses: chetan/invalidate-cloudfront-action@v2
env:
PATHS_FROM: .updated_files
AWS_REGION: 'us-east-1'
DISTRIBUTION: ${{ secrets.DISTRIBUTION }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}The recommended way to pass AWS credentials to your GitHub actions is to use OpenID Connect.
Once configured, you can use the aws-actions/configure-aws-credentials action to properly authentication and supply AWS credentials to subsequent steps in your workflow.
Note that your workflow will need the following permission when using OIDC:
permissions:
id-token: writeThe action now provides comprehensive error handling:
- Validation Errors: Clear error messages for invalid inputs
- AWS Errors: Proper handling of AWS API errors
- Network Issues: Connection and timeout handling
- Path Validation: Ensures paths meet CloudFront requirements
- Credential Validation: Validates AWS credentials are provided
The action provides structured logging with timestamps:
- INFO: General information about the process
- ERROR: Error messages with details
- DEBUG: Detailed debug information when DEBUG=1
- Input Sanitization: All inputs are validated and sanitized
- Path Validation: Prevents injection attacks through path manipulation
- Credential Protection: Sensitive information is not logged
- Error Handling: Secure error messages that don't expose sensitive data
- Use OIDC: Prefer OpenID Connect over long-term AWS credentials
- Validate Inputs: Ensure all required parameters are properly set
- Monitor Logs: Use structured logging for debugging and monitoring
- Limit Paths: Keep invalidation paths focused and minimal
- Test in Staging: Test invalidations in a staging environment first
- Use Debug Mode: Enable DEBUG=1 for troubleshooting
- Invalid Distribution ID: Ensure the distribution ID is in the correct format (E + 13 characters)
- Invalid Paths: Paths must start with
/and be properly formatted - Too Many Paths: Maximum 3000 paths per invalidation
- AWS Credentials: Ensure both access key and secret key are provided
- Region Issues: Use a valid AWS region format
Enable debug mode by setting DEBUG=1 to get detailed information about the invalidation process.
This project is licensed under the MIT License - see the LICENSE file for details.