Add GitHub Actions workflow and IAM policies

.github/workflows/deploy.yaml

@@ -0,0 +1,33 @@
+name: "☁️ CDN › Deploy"
+
+on:
+  push:
+    branches: [ main ]
+    paths:
+      - 'content/**'
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    name: "📦 Sync to S3"
+    runs-on: ubuntu-latest
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: "Sync to S3"
+        run: |
+          aws s3 sync content/ s3://${{ secrets.S3_BUCKET_NAME }}/ --delete --cache-control "public, max-age=31536000"
+
+      - name: "Invalidate CloudFront"
+        run: |
+          aws cloudfront create-invalidation --distribution-id ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} --paths "/*"