GitHub Actions for This Site
I've been deploying this site manually with a Makefile that syncs to S3 and invalidates the CloudFront cache. It works, but it requires running the command locally and relies on AWS credentials on my machine. Time to automate.
Setting up GitHub Actions turned out to be straightforward. The interesting part is the authentication. Instead of storing AWS credentials as secrets, I went with OIDC. The idea is that GitHub generates a short-lived token for each workflow run, and AWS trusts GitHub as an identity provider. No long-lived credentials to rotate.
The setup involves creating an IAM OIDC provider, an IAM role with a trust policy scoped to my repo, and attaching S3/CloudFront permissions. A bit of one-time ceremony but cleaner in the long run.
One thing I added is conditional CloudFront invalidation. The workflow checks whether aws s3 sync actually uploaded anything before invalidating. Most pushes don't need a cache bust anyway, so skipping it saves a few API calls and a few cents here and there.
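For reference, here is an added example workflow that puts the three pieces above together: requesting the OIDC token, assuming the IAM role, and invalidating CloudFront only when the sync changed something. It is not the workflow from this site; the role ARN, bucket name, region, secret name and the `changed` output are placeholders I chose, and the Zola build step is left as a stub. On the IAM side, the role's trust policy is what actually enforces "scoped to my repo": its condition should pin `token.actions.githubusercontent.com:aud` to `sts.amazonaws.com` and `token.actions.githubusercontent.com:sub` to the repository (and ideally the deploying branch, e.g. `repo:OWNER/REPO:ref:refs/heads/main`), otherwise any GitHub repository could assume the role.

```yaml
name: Deploy site

on:
  push:
    branches: [main]

# The job needs id-token: write to request the OIDC token that
# aws-actions/configure-aws-credentials exchanges for temporary AWS credentials.
permissions:
  contents: read
  id-token: write

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Build step stub: produce the site into public/ (e.g. zola build).
      - name: Build site
        run: echo "build step goes here (placeholder)"

      # No long-lived access keys: the role ARN below is a placeholder and
      # must match a role whose trust policy is scoped to this repository.
      - name: Configure AWS credentials via OIDC
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/github-deploy-placeholder
          aws-region: us-east-1

      # aws s3 sync prints one "upload:"/"delete:" line per changed object;
      # an empty output means nothing changed, so no cache bust is needed.
      - name: Sync to S3 and record whether anything changed
        id: sync
        env:
          BUCKET: example-site-bucket   # placeholder
        run: |
          set -euo pipefail
          out=$(aws s3 sync public/ "s3://$BUCKET" --delete --no-progress)
          printf '%s\n' "$out"
          if [ -n "$out" ]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

      # Runs only when the previous step reported a change.
      - name: Invalidate CloudFront cache
        if: steps.sync.outputs.changed == 'true'
        env:
          DIST_ID: ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }}   # placeholder secret name
        run: |
          aws cloudfront create-invalidation \
            --distribution-id "$DIST_ID" \
            --paths "/*"
```

The `permissions` block is deliberately minimal: `contents: read` for checkout and `id-token: write` for the token request, nothing else. Pinning the trust policy to a branch means a pull request from a fork cannot obtain deploy credentials even if it runs this workflow file.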
The workflow also fetches the latest Zola version automatically. This might break things one day but I'll deal with it when it happens.