Only invalidate cloudfront once for restock ops

2024-11-10 02:25:18 +03:00 · 2024-01-06 07:07:56 -05:00 · 2024-01-06 07:07:56 -05:00 · ce5a5d4054
parent e4872f02d1
commit ce5a5d4054
3 changed files with 34 additions and 1 deletions
--- a/.github/workflows/pkg-platform.yml
+++ b/.github/workflows/pkg-platform.yml
@ -37,6 +37,9 @@ on:
      complain:
        type: boolean
        default: false
+      invalidate-cloudfront:
+        type: boolean
+        default: true
    secrets:
      APPLE_CERTIFICATE_P12: { required: false }
      APPLE_CERTIFICATE_P12_PASSWORD: { required: false }
@ -222,7 +225,7 @@ jobs:
          --distribution-id ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
          --paths
          /$DIRNAME/versions.txt
-        if: ${{ ! inputs.dry-run }}
+        if: ${{ ! inputs.dry-run && inputs.invalidate-cloudfront }}

  complain:
    needs: bottle
--- a/.github/workflows/pkg.yml
+++ b/.github/workflows/pkg.yml
@ -13,6 +13,9 @@ on:
      complain:
        type: boolean
        default: false
+      invalidate-cloudfront:
+        type: boolean
+        default: true

 jobs:
  plan:
@ -50,4 +53,5 @@ jobs:
      dry-run: ${{ inputs.dry-run }}
      tinyname: ${{ matrix.platform.tinyname }}
      complain: ${{ inputs.complain }}
+      invalidate-cloudfront: ${{ inputs.invalidate-cloudfront }}
    secrets: inherit
--- a/.github/workflows/restock.yml
+++ b/.github/workflows/restock.yml
@ -31,4 +31,30 @@ jobs:
      issues: write  #FIXME we don’t want this but I don’t think we can alter the way permissions are inherited
    with:
      pkg: ${{inputs.project}}=${{ matrix.version }}
+      invalidate-cloudfront: false  # we do it all at once below otherwise
    secrets: inherit
+
+  invalidate-cloudfront:
+    needs: pkg
+    runs-on: ubuntu-latest
+
+    if: always()
+    # ^^ not ideal but often <5% builds fail because we have modified the build script
+    # in a non backward compatible way over time and we still want to invalidate cloudfront
+    # for most of the builds.
+
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+
+      # FIXME ideally we would get the exact path list from the above matrix
+      # but GitHub Actions has no clean way to do that. This is more ideal as
+      # we don’t want to invalidate paths that failed and certainly want to
+      # avoid invalidations if all failed
+      - name: invalidate cloudfront
+        run: aws cloudfront create-invalidation
+          --distribution-id ${{ secrets.AWS_CF_DISTRIBUTION_ID }}
+          --paths /${{inputs.project}}/*