From 945ce5993a10cf5cba6c5990ad56f03616597585 Mon Sep 17 00:00:00 2001 From: Kwangsik Lee Date: Fri, 11 Mar 2022 14:50:42 +0900 Subject: [PATCH 1/8] Support s3 sync with kms-sse --- Dockerfile | 2 +- entrypoint.sh | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b272826..d91a618 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ LABEL "com.github.actions.description"="Sync a directory to an AWS S3 repository LABEL "com.github.actions.icon"="refresh-cw" LABEL "com.github.actions.color"="green" -LABEL version="0.5.1" +LABEL version="0.5.2" LABEL repository="https://github.com/jakejarvis/s3-sync-action" LABEL homepage="https://jarv.is/" LABEL maintainer="Jake Jarvis " diff --git a/entrypoint.sh b/entrypoint.sh index 466e69c..204831c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -39,7 +39,12 @@ EOF # Sync using our dedicated profile and suppress verbose messages. # All other flags are optional via the `args:` directive. -sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ +CMD_PREFIX="aws s3 sync" +if [ -z "$AWS_S3_SSE_KMS_KEY_ID" ]; then + CMD_PREFIX="${CMD_PREFIX} --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}" +fi + +sh -c "${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ --profile s3-sync-action \ --no-progress \ ${ENDPOINT_APPEND} $*" From bd6fbe0521f36deee23cd7cae251217a1019ffb0 Mon Sep 17 00:00:00 2001 From: Kwangsik Lee Date: Fri, 11 Mar 2022 14:57:30 +0900 Subject: [PATCH 2/8] Revise readme --- README.md | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index ecd0d31..7b788a4 100644 --- a/README.md +++ b/README.md 
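Review bot: The new guard in entrypoint.sh (PATCH 1/8) is inverted: `if [ -z "$AWS_S3_SSE_KMS_KEY_ID" ]; then` is true only when the variable is empty. `--sse-kms-key-id` is therefore appended with no value when no key is configured, and never appended when one is. A workflow that sets the key would then sync without the requested KMS key and with nothing in the output to signal it. The test should be `if [ -n "$AWS_S3_SSE_KMS_KEY_ID" ]; then`. The identical hunk in PATCH 4/8 and the rewritten line in PATCH 6/8 keep the same test; it only changes to `-n` in PATCH 7/8.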
@@ -40,6 +40,7 @@ jobs: AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} AWS_REGION: 'us-west-1' # optional: defaults to us-east-1 SOURCE_DIR: 'public' # optional: defaults to entire repository + AWS_S3_SSE_KMS_KEY_ID: ${{ secrets.AWS_S3_SSE_KMS_KEY_ID }} # optional: defaults to None ``` 
@@ -47,15 +48,16 @@ jobs: The following settings must be passed as environment variables as shown in the example. Sensitive information, especially `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, should be [set as encrypted secrets](https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) — otherwise, they'll be public to anyone browsing your repository's source code and CI logs. -| Key | Value | Suggested Type | Required | Default | -| ------------- | ------------- | ------------- | ------------- | ------------- | -| `AWS_ACCESS_KEY_ID` | Your AWS Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | -| `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | -| `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A | -| `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` | +| Key | Value | Suggested Type | Required | Default | +| ------------- |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------- | ------------- |--------------------------------------------------------------------| +| `AWS_ACCESS_KEY_ID` | Your AWS Access Key. 
[More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | +| `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A | +| `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A | +| `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` | | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) | -| `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | -| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | +| `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | +| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | +| `AWS_S3_SSE_KMS_KEY_ID` | Your sse kms id to upload to S3 with encryption. 
For example, `aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`. Defaults to None which means no encryption. | `env` | No | N/A | ## License From 44505b2a79fc31a6f23013edea55dd64e0cdb222 Mon Sep 17 00:00:00 2001 From: Kwangsik Lee Date: Fri, 11 Mar 2022 14:59:29 +0900 Subject: [PATCH 3/8] Add link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b788a4..188f799 100644 --- a/README.md +++ b/README.md @@ -57,7 +57,7 @@ The following settings must be passed as environment variables as shown in the e | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) | | `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | | `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | -| `AWS_S3_SSE_KMS_KEY_ID` | Your sse kms id to upload to S3 with encryption. For example, `aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`. Defaults to None which means no encryption. | `env` | No | N/A | +| `AWS_S3_SSE_KMS_KEY_ID` | Your sse kms id to upload to S3 with [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html). For example, `aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`. Defaults to None which means no encryption. | `env` | No | N/A | ## License From ab8939548ce881940cbdae7ece0329629f9b9e4a Mon Sep 17 00:00:00 2001 
From: Kwangsik Lee Date: Fri, 11 Mar 2022 15:03:01 +0900 Subject: [PATCH 4/8] test github action build --- Dockerfile | 6 +++--- action.yml | 2 +- entrypoint.sh | 7 ++++++- 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index b272826..dd8aae2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,9 +6,9 @@ LABEL "com.github.actions.icon"="refresh-cw" LABEL "com.github.actions.color"="green" LABEL version="0.5.1" -LABEL repository="https://github.com/jakejarvis/s3-sync-action" -LABEL homepage="https://jarv.is/" -LABEL maintainer="Jake Jarvis " +LABEL repository="https://github.com/lks21c/s3-sync-action" +LABEL homepage="http://www.kwangsiklee.com/" +LABEL maintainer="Kwangsik Lee " # https://github.com/aws/aws-cli/blob/master/CHANGELOG.rst ENV AWSCLI_VERSION='1.18.14' diff --git a/action.yml b/action.yml index a7d6253..772a467 100644 --- a/action.yml +++ b/action.yml @@ -1,6 +1,6 @@ name: "S3 Sync" description: "Sync a directory to an AWS S3 repository" -author: jakejarvis +author: kwangsik runs: using: docker image: Dockerfile diff --git a/entrypoint.sh b/entrypoint.sh index 466e69c..204831c 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -39,7 +39,12 @@ EOF # Sync using our dedicated profile and suppress verbose messages. # All other flags are optional via the `args:` directive. -sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ +CMD_PREFIX="aws s3 sync" +if [ -z "$AWS_S3_SSE_KMS_KEY_ID" ]; then + CMD_PREFIX="${CMD_PREFIX} --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}" +fi + +sh -c "${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ --profile s3-sync-action \ --no-progress \ ${ENDPOINT_APPEND} $*" From facabca77ffd38a872d4b4596ee2a3f4ae35111c Mon Sep 17 00:00:00 2001 From: Kwangsik Lee Date: Fri, 11 Mar 2022 15:39:20 +0900 Subject: [PATCH 5/8] change name --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 772a467..bf88e9f 100644 
--- a/action.yml +++ b/action.yml @@ -1,5 +1,5 @@ -name: "S3 Sync" -description: "Sync a directory to an AWS S3 repository" +name: "S3 Sync With KMS" +description: "Sync a directory to an AWS S3 repository using sse-kms" author: kwangsik runs: using: docker From 5e4f0fdaf520f7328c59639ed12cd54aa1267d99 Mon Sep 17 00:00:00 2001 From: Kwangsik Lee Date: Fri, 11 Mar 2022 16:21:43 +0900 Subject: [PATCH 6/8] Fix bug --- README.md | 2 +- entrypoint.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 188f799..d05c245 100644 --- a/README.md +++ b/README.md 
@@ -57,7 +57,7 @@ The following settings must be passed as environment variables as shown in the e | `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) | | `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) | | `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) | -| `AWS_S3_SSE_KMS_KEY_ID` | Your sse kms id to upload to S3 with [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html). For example, `aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`. Defaults to None which means no encryption. | `env` | No | N/A | +| `AWS_S3_SSE_KMS_KEY_ID` | Your customer managed sse kms id to upload to S3 with [SSE-KMS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html). For example, `aaaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`. Defaults to None which means no encryption. | `env` | No | N/A | ## License diff --git a/entrypoint.sh b/entrypoint.sh index 204831c..c8a6403 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -41,7 +41,7 @@ EOF # All other flags are optional via the `args:` directive. CMD_PREFIX="aws s3 sync" if [ -z "$AWS_S3_SSE_KMS_KEY_ID" ]; then - CMD_PREFIX="${CMD_PREFIX} --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}" + CMD_PREFIX="${CMD_PREFIX} --sse aws:kms --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}" fi sh -c "${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ 
From c3e6348d2ea660eac7ad2e564e53fe5976080f1b Mon Sep 17 00:00:00 2001 From: Kwangsik Lee Date: Fri, 11 Mar 2022 19:48:16 +0900 Subject: [PATCH 7/8] Correct bug --- entrypoint.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index c8a6403..2e3f75d 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -40,14 +40,15 @@ EOF # Sync using our dedicated profile and suppress verbose messages. # All other flags are optional via the `args:` directive. CMD_PREFIX="aws s3 sync" -if [ -z "$AWS_S3_SSE_KMS_KEY_ID" ]; then +if [ -n "$AWS_S3_SSE_KMS_KEY_ID" ]; then CMD_PREFIX="${CMD_PREFIX} --sse aws:kms --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}" fi -sh -c "${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ +CMD="${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ --profile s3-sync-action \ --no-progress \ ${ENDPOINT_APPEND} $*" +sh -c $CMD # Clear out credentials after we're done. # We need to re-run `aws configure` with bogus input instead of From 51bcdbef69819ef8a87aecb738c4b50c0e45ede7 Mon Sep 17 00:00:00 2001 From: Kwangsik Lee Date: Fri, 11 Mar 2022 19:52:18 +0900 Subject: [PATCH 8/8] fix bug finally --- entrypoint.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 2e3f75d..09ce025 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -44,11 +44,10 @@ if [ -n "$AWS_S3_SSE_KMS_KEY_ID" ]; then CMD_PREFIX="${CMD_PREFIX} --sse aws:kms --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}" fi -CMD="${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ +sh -c "${CMD_PREFIX} ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \ --profile s3-sync-action \ --no-progress \ ${ENDPOINT_APPEND} $*" -sh -c $CMD # Clear out credentials after we're done. # We need to re-run `aws configure` with bogus input instead of
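Review bot: In PATCH 7/8, `sh -c $CMD` expands `CMD` unquoted, so the shell splits it into words and `sh -c` receives only `aws` as its command string. The remaining words become `$0`, `$1` and so on, and the sync arguments never reach the AWS CLI. If the intermediate variable is kept, the call should be `sh -c "$CMD"`. PATCH 8/8 removes the variable again, so this only affects the tree as of PATCH 7/8.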
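Review bot: On the restored `sh -c "${CMD_PREFIX} …"` line (PATCH 8/8), `AWS_S3_SSE_KMS_KEY_ID` is pasted into a string that `sh` parses a second time. Spaces or shell metacharacters in the value are then interpreted as shell syntax rather than passed to `--sse-kms-key-id` as one argument. The value normally comes from workflow configuration, but a check before use keeps a malformed or unexpected value from changing the command that runs with the AWS credentials. I would add a character check inside the existing `-n` block, restricted to what KMS key ids, ARNs and aliases use, as below. The same interpolation is present in the earlier entrypoint.sh hunks of this series, and `ENDPOINT_APPEND` is built outside the hunk, so its handling is not visible here.

```shell
if [ -n "$AWS_S3_SSE_KMS_KEY_ID" ]; then
  # Reject anything outside the characters used by KMS key ids, ARNs and aliases.
  case "$AWS_S3_SSE_KMS_KEY_ID" in
    *[!A-Za-z0-9:/_-]*)
      echo "AWS_S3_SSE_KMS_KEY_ID contains unexpected characters. Quitting." >&2
      exit 1
      ;;
  esac
  # … unchanged: CMD_PREFIX gains --sse aws:kms --sse-kms-key-id …
fi
```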