refactor: s3 endpoint+bucket as action inputs, secrets stay in env

S3_BUCKET and S3_ENDPOINT are config, not secrets. Move them to inputs with defaults (s3.toph.so / nix-cache). Calling workflows only need to supply AWS credentials, NIX_SIGNING_KEY, NOMAD_TOKEN. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-18 13:09:47 +01:00 · 2026-02-18 13:09:47 +01:00 · 644dfc4978
commit 644dfc4978
parent f0b9c9b904
1 changed files with 22 additions and 19 deletions
--- a/deploy-static-site/action.yaml
+++ b/deploy-static-site/action.yaml
@ -1,6 +1,11 @@
 name: Deploy Static Site
 description: Build site with Nix, push tarball to S3, deploy via Nomad with shared static-server image

+# Expected env vars (set by calling workflow from secrets):
+#   AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
+#   NIX_SIGNING_KEY
+#   NOMAD_TOKEN
+
 inputs:
  domain:
    description: 'Domain the site is served at (e.g. toph.so)'
@ -21,6 +26,16 @@ inputs:
    required: false
    default: 'contabo'

+  s3-endpoint:
+    description: 'S3 endpoint URL'
+    required: false
+    default: 'https://s3.toph.so'
+
+  s3-bucket:
+    description: 'S3 bucket for site tarballs and Nix cache'
+    required: false
+    default: 'nix-cache'
+
  smoke-test:
    description: 'Run a smoke test against the domain after deploy'
    required: false
@ -31,22 +46,7 @@ runs:
  steps:
    - name: Install tools
      shell: bash
-      run: nix profile install nixpkgs#nomad nixpkgs#awscli2 nixpkgs#jq
-
-    - name: Read Nomad vars
-      shell: bash
-      run: |
-        S3_VARS=$(nomad var get -out json static-sites/s3)
-        echo "AWS_ACCESS_KEY_ID=$(echo "$S3_VARS"    | jq -r '.Items.access_key')" >> $GITHUB_ENV
-        echo "AWS_SECRET_ACCESS_KEY=$(echo "$S3_VARS" | jq -r '.Items.secret_key')" >> $GITHUB_ENV
-        echo "AWS_ENDPOINT_URL=$(echo "$S3_VARS"     | jq -r '.Items.endpoint')"    >> $GITHUB_ENV
-        echo "S3_BUCKET=$(echo "$S3_VARS"            | jq -r '.Items.bucket')"      >> $GITHUB_ENV
-
-        NIX_VARS=$(nomad var get -out json static-sites/nix)
-        echo "NIX_SIGNING_KEY=$(echo "$NIX_VARS" | jq -r '.Items.signing_key')" >> $GITHUB_ENV
-      env:
-        NOMAD_ADDR: ${{ inputs.nomad-addr }}
-        NOMAD_TOKEN: ${{ env.NOMAD_TOKEN }}
+      run: nix profile install nixpkgs#nomad nixpkgs#awscli2

    - name: Build site
      shell: bash
@ -58,7 +58,7 @@ runs:
        echo "${NIX_SIGNING_KEY}" > /tmp/nix-key
        nix store sign -k /tmp/nix-key --recursive ./result-site
        nix copy \
-          --to "s3://${S3_BUCKET}?endpoint=${AWS_ENDPOINT_URL}&access-key-id=${AWS_ACCESS_KEY_ID}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \
+          --to "s3://${{ inputs.s3-bucket }}?endpoint=${{ inputs.s3-endpoint }}&access-key-id=${AWS_ACCESS_KEY_ID}&secret-access-key=${AWS_SECRET_ACCESS_KEY}" \
          ./result-site
        rm /tmp/nix-key

@ -68,7 +68,10 @@ runs:
        SITE_HASH=$(git rev-parse --short=12 HEAD)
        echo "SITE_HASH=${SITE_HASH}" >> $GITHUB_ENV
        tar czf /tmp/site.tar.gz -C result-site .
-        aws s3 cp /tmp/site.tar.gz "s3://${S3_BUCKET}/sites/${{ inputs.domain }}/${SITE_HASH}.tar.gz"
+        aws s3 cp \
+          --endpoint-url "${{ inputs.s3-endpoint }}" \
+          /tmp/site.tar.gz \
+          "s3://${{ inputs.s3-bucket }}/sites/${{ inputs.domain }}/${SITE_HASH}.tar.gz"

    - name: Deploy Nomad job
      shell: bash
@ -76,10 +79,10 @@ runs:
        python3 "${{ github.action_path }}/generate-job.py" | nomad job run -json -
      env:
        NOMAD_ADDR: ${{ inputs.nomad-addr }}
-        NOMAD_TOKEN: ${{ env.NOMAD_TOKEN }}
        DOMAIN: ${{ inputs.domain }}
        SERVER_IMAGE: ${{ inputs.server-image }}
        DATACENTER: ${{ inputs.datacenter }}
+        S3_BUCKET: ${{ inputs.s3-bucket }}

    - name: Smoke test
      if: inputs.smoke-test == 'true'