Get all these changes in

Dockerfile

@@ -1,19 +1,4 @@
-FROM python:3.8-alpine
-
-LABEL "com.github.actions.name"="S3 Sync"
-LABEL "com.github.actions.description"="Sync a directory to an AWS S3 repository"
-LABEL "com.github.actions.icon"="refresh-cw"
-LABEL "com.github.actions.color"="green"
-
-LABEL version="0.5.1"
-LABEL repository="https://github.com/jakejarvis/s3-sync-action"
-LABEL homepage="https://jarv.is/"
-LABEL maintainer="Jake Jarvis <jake@jarv.is>"
-
-# https://github.com/aws/aws-cli/blob/master/CHANGELOG.rst
-ENV AWSCLI_VERSION='1.18.14'
-
-RUN pip install --quiet --no-cache-dir awscli==${AWSCLI_VERSION}
+FROM amazon/aws-cli:2.7.3
 
 ADD entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -40,24 +40,52 @@ jobs:
         AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         AWS_REGION: 'us-west-1'   # optional: defaults to us-east-1
         SOURCE_DIR: 'public'      # optional: defaults to entire repository
+        AWS_S3_SSE_KMS_KEY_ID: ${{ secrets.AWS_S3_SSE_KMS_KEY_ID }} # optional: defaults to None
 ```
 
 
 ### Configuration
 
-The following settings must be passed as environment variables as shown in the example. Sensitive information, especially `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, should be [set as encrypted secrets](https://help.github.com/en/articles/virtual-environments-for-github-actions#creating-and-using-secrets-encrypted-variables) — otherwise, they'll be public to anyone browsing your repository's source code and CI logs.
+The following settings must be passed as environment variables as shown in the example. Sensitive information, especially `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, should be [set as encrypted secrets](https://docs.github.com/en/actions/security-guides/encrypted-secrets) — otherwise, they'll be public to anyone browsing your repository's source code and CI logs.
 
 | Key | Value | Suggested Type | Required | Default |
-| ------------- | ------------- | ------------- | ------------- | ------------- |
-| `AWS_ACCESS_KEY_ID` | Your AWS Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A |
-| `AWS_SECRET_ACCESS_KEY` | Your AWS Secret Access Key. [More info here.](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `secret env` | **Yes** | N/A |
-| `AWS_S3_BUCKET` | The name of the bucket you're syncing to. For example, `jarv.is` or `my-app-releases`. | `secret env` | **Yes** | N/A |
-| `AWS_REGION` | The region where you created your bucket. Set to `us-east-1` by default. [Full list of regions here.](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` |
-| `AWS_S3_ENDPOINT` | The endpoint URL of the bucket you're syncing to. Can be used for [VPC scenarios](https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/) or for non-AWS services using the S3 API, like [DigitalOcean Spaces](https://www.digitalocean.com/community/tools/adapting-an-existing-aws-s3-application-to-digitalocean-spaces). | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) |
-| `SOURCE_DIR` | The local directory (or file) you wish to sync/upload to S3. For example, `public`. Defaults to your entire repository. | `env` | No | `./` (root of cloned repository) |
-| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync/upload to. For example, `my_project/assets`. Defaults to the root of the bucket. | `env` | No | `/` (root of bucket) |
+| --- | ----- | -------------- |--------- | ------- |
+| `AWS_ACCESS_KEY_ID` | [AWS Access Key](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `${{ secrets.AWS_ACCESS_KEY_ID }}` | **Yes** | N/A |
+| `AWS_SECRET_ACCESS_KEY` | [AWS Secret Access Key](https://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html) | `${{ secrets.AWS_SECRET_ACCESS_KEY }}` | **Yes** | N/A |
+| `AWS_S3_BUCKET` | bucket-name | `secret env` | **Yes** | N/A |
+| `AWS_REGION` | [bucket region](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions) | `env` | No | `us-east-1` |
+| `AWS_S3_ENDPOINT` | sync endpoint | `env` | No | Automatic (`s3.amazonaws.com` or AWS's region-specific equivalent) |
+| `AWS_DOWNSTREAM` | synchronize downstream with your local directory | `env` | No | `us-east-1` |
+| `AWS_ASSUME_ROLE_ARN` | role ARN. | `env` | No | N/A |
+| `SOURCE_DIR` | The local directory (or file) you wish to sync with S3. For example, `public` | `env` | No | `./` (root of cloned repository) |
+| `DEST_DIR` | The directory inside of the S3 bucket you wish to sync with. For example, `my_project/assets` | `env` | No | `/` (root of bucket) |
+| `AWS_S3_SSE_KMS_KEY_ID` | [SSE-KMS id](https://docs.aws.amazon.com/AmazonS3/latest/userguide/serv-side-encryption.html) | `${{ secrets.AWS_S3_SSE_KMS_KEY_ID }}` | No | N/A |
 
 
+### AWS ROLE config
+
+```
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "s3actionsync",
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:ListBucket",
+                "s3:DeleteObject",
+                "s3:PutObjectAcl"
+            ],
+            "Resource": [
+                "arn:aws:s3:::YOUR_BUCKET_NAME",
+                "arn:aws:s3:::YOUR_BUCKET_NAME/*"
+            ]
+        }
+    ]
+```
+
 ## License
 
 This project is distributed under the [MIT license](LICENSE.md).

action.yml

@@ -1,5 +1,5 @@
 name: "S3 Sync"
-description: "Sync a directory to an AWS S3 repository"
+description: "Sync a directory to an AWS S3"
 author: jakejarvis
 runs:
   using: docker

entrypoint.sh

@@ -27,28 +27,59 @@ if [ -n "$AWS_S3_ENDPOINT" ]; then
   ENDPOINT_APPEND="--endpoint-url $AWS_S3_ENDPOINT"
 fi
 
+# Use the AWS directory as source to sync downstream.
+# Default to false if AWS_DOWNSTREAM not set.
+if [ "$AWS_DOWNSTREAM" = true ]; then
+  SOURCE_PATH="s3://${AWS_S3_BUCKET}/${DEST_DIR}" # AWS S3 directory as source
+  DEST_PATH="${SOURCE_DIR:-.}"                    # Local directory as destination
+else
+  SOURCE_PATH="${SOURCE_DIR:-.}"                # Local directory as source
+  DEST_PATH="s3://${AWS_S3_BUCKET}/${DEST_DIR}" # AWS S3 directory as destination
+fi
+
+AWS_PROFILE=s3-sync-action
+
 # Create a dedicated profile for this action to avoid conflicts
 # with past/future actions.
 # https://github.com/jakejarvis/s3-sync-action/issues/1
-aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1
+aws configure --profile ${AWS_PROFILE} <<- EOF > /dev/null 2>&1
 ${AWS_ACCESS_KEY_ID}
 ${AWS_SECRET_ACCESS_KEY}
 ${AWS_REGION}
 text
 EOF
 
+if [ -n "$AWS_ASSUME_ROLE_ARN" ]; then
+  echo "Assuming role: ${AWS_ASSUME_ROLE_ARN}"
+
+  # Create a profile to assume the role with.
+  # https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html
+  {
+    echo "[profile s3-sync-action-assume]"
+    "role_arn = ${AWS_ASSUME_ROLE_ARN}"
+    "source_profile = ${AWS_PROFILE}"
+  } >> ~/.aws/config
+
+  AWS_PROFILE=s3-sync-action-assume
+fi
+
 # Sync using our dedicated profile and suppress verbose messages.
 # All other flags are optional via the `args:` directive.
-sh -c "aws s3 sync ${SOURCE_DIR:-.} s3://${AWS_S3_BUCKET}/${DEST_DIR} \
-              --profile s3-sync-action \
-              --no-progress \
-              ${ENDPOINT_APPEND} $*"
+CMD_PREFIX="aws s3 sync"
+if [ -n "$AWS_S3_SSE_KMS_KEY_ID" ]; then
+  CMD_PREFIX="${CMD_PREFIX} --sse aws:kms --sse-kms-key-id ${AWS_S3_SSE_KMS_KEY_ID}"
+fi
+
+sh -c "${CMD_PREFIX} ${SOURCE_PATH} ${DEST_PATH} \
+  --profile ${AWS_PROFILE} \
+  --no-progress \
+  ${ENDPOINT_APPEND} $*"
 
 # Clear out credentials after we're done.
 # We need to re-run `aws configure` with bogus input instead of
 # deleting ~/.aws in case there are other credentials living there.
 # https://forums.aws.amazon.com/thread.jspa?threadID=148833
-aws configure --profile s3-sync-action <<-EOF > /dev/null 2>&1
+aws configure --profile s3-sync-action <<- EOF > /dev/null 2>&1
 null
 null
 null

requirements.txt

@@ -0,0 +1 @@
+awscli==1.23.7