From 013e0fdf1d6948e401b124bb8c0d521e92cd5ab7 Mon Sep 17 00:00:00 2001
From: greg
Date: Sun, 21 Dec 2025 19:51:39 -0800
Subject: [PATCH] Add GitHub Actions workflow and IAM policies
---
 .github/workflows/deploy.yaml | 33 +++++++++++++++++++++++++
 terraform/github-role-policy.json | 27 ++++++++++++++++++++
 terraform/github-role-trust-policy.json | 20 +++++++++++++++
 3 files changed, 80 insertions(+)
 create mode 100644 .github/workflows/deploy.yaml
 create mode 100644 terraform/github-role-policy.json
 create mode 100644 terraform/github-role-trust-policy.json
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
new file mode 100644
index 0000000..4880c27
--- /dev/null
+++ b/.github/workflows/deploy.yaml
@@ -0,0 +1,33 @@
+name: "☁️ CDN › Deploy"
+
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - 'content/**'
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ deploy:
+ name: "📦 Sync to S3"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout"
+ uses: actions/checkout@v4
+
+ - name: "Configure AWS Credentials"
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
+ - name: "Sync to S3"
+ run: |
+ aws s3 sync content/ s3://${{ secrets.S3_BUCKET_NAME }}/ --delete --cache-control "public, max-age=31536000"
+
+ - name: "Invalidate CloudFront"
+ run: |
+ aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} --paths "/*"
diff --git a/terraform/github-role-policy.json b/terraform/github-role-policy.json
new file mode 100644
index 0000000..2e2df7d
--- /dev/null
+++ b/terraform/github-role-policy.json
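Review bot: Both `uses:` lines pin to a mutable major tag (`actions/checkout@v4`, `aws-actions/configure-aws-credentials@v4`), so a job that is handed an OIDC-issued deploy role runs whatever those tags point to on the day; pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and let Dependabot move the pin. The two `run:` steps interpolate `${{ secrets.* }}` straight into the shell line; those values are repo-admin controlled so the injection exposure is limited, but routing them through a step-level `env:` and referencing `$S3_BUCKET_NAME` / `$CLOUDFRONT_DISTRIBUTION_ID` keeps them out of the command text. Separately, `aws s3 sync --delete` followed by an invalidation has no `concurrency:` group, so two quick pushes to `main` can interleave a sync and a delete; a workflow-level `concurrency: { group: cdn-deploy, cancel-in-progress: false }` serializes the runs.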
@@ -0,0 +1,27 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:DeleteObject",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ "arn:aws:s3:::cdn.cloud.gregh.dev",
+ "arn:aws:s3:::cdn.cloud.gregh.dev/*"
+ ]
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "cloudfront:CreateInvalidation",
+ "cloudfront:GetInvalidation",
+ "cloudfront:ListInvalidations"
+ ],
+ "Resource": "arn:aws:cloudfront::471112517070:distribution/E31WM23A8TGWZM"
+ }
+ ]
+}
diff --git a/terraform/github-role-trust-policy.json b/terraform/github-role-trust-policy.json
new file mode 100644
index 0000000..1fbcf9f
--- /dev/null
+++ b/terraform/github-role-trust-policy.json
@@ -0,0 +1,20 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::471112517070:oidc-provider/token.actions.githubusercontent.com"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringEquals": {
+ "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
+ },
+ "StringLike": {
+ "token.actions.githubusercontent.com:sub": "repo:ghndrx/cdn-gregh-dev:*"
+ }
+ }
+ }
+ ]
+}
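Review bot: The S3 statement grants `s3:GetObject` and the CloudFront statement grants `cloudfront:GetInvalidation` and `cloudfront:ListInvalidations`, none of which the workflow in this commit exercises — it only runs `aws s3 sync --delete` (which appears to need list, put and delete) and `aws cloudfront create-invalidation`. Unless a follow-up step is planned to read objects or poll invalidation status, dropping those three actions keeps the role at what the deploy actually does. The bucket is fixed here as `cdn.cloud.gregh.dev` while the workflow takes it from `secrets.S3_BUCKET_NAME`; since a JSON policy cannot carry a comment, the Terraform that loads this file should note that the two must agree, otherwise the sync fails with an access error that looks like a policy bug.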
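Review bot: The `StringLike` condition on `token.actions.githubusercontent.com:sub` accepts `repo:ghndrx/cdn-gregh-dev:*`, so a workflow on any branch, tag or in-repo pull_request of the repository can assume a role that can delete from the CDN bucket, even though the deploy workflow only runs on pushes to `main`. Move the claim under `StringEquals` and restrict it to that ref: `"token.actions.githubusercontent.com:sub": "repo:ghndrx/cdn-gregh-dev:ref:refs/heads/main"`, and drop the `StringLike` block. If deployments are later gated by a GitHub environment, `repo:ghndrx/cdn-gregh-dev:environment:<environment-name>` is the equivalently tight match. The `aud` check against `sts.amazonaws.com` is present, so the subject claim is the only loose edge of this trust policy.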