From 32e189ed8251f05431633eda5703e986cb1f89db Mon Sep 17 00:00:00 2001
From: Carlos Polop
Date: Mon, 26 Jan 2026 15:46:25 +0100
Subject: [PATCH] Pin mdBook in image and add CloudFront invalidation workflow
---
 .github/workflows/build_master.yml | 2 +-
 .../cloudfront_invalidate_assets.yml | 99 +++++++++++++++++++
 Dockerfile | 3 +-
 theme/css/general.css | 1 +
 4 files changed, 102 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/cloudfront_invalidate_assets.yml
diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index 605db74b1..b1209bb83 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -133,4 +133,4 @@ jobs:
 # Sync the build to S3
 - name: Sync to S3
 run: aws s3 sync ./book s3://hacktricks-cloud/en --delete
-
\ No newline at end of file
+
diff --git a/.github/workflows/cloudfront_invalidate_assets.yml b/.github/workflows/cloudfront_invalidate_assets.yml
new file mode 100644
index 000000000..a4ab787ea
--- /dev/null
+++ b/.github/workflows/cloudfront_invalidate_assets.yml
@@ -0,0 +1,99 @@
+name: Invalidate CloudFront on Asset Changes
+
+on:
+ push:
+ branches:
+ - master
+ paths:
+ - 'theme/**/*.css'
+ - 'theme/**/*.js'
+ - 'theme/**/*.hbs'
+ paths-ignore:
+ - '.github/**'
+ - 'book/**'
+ workflow_dispatch:
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ invalidate:
+ runs-on: ubuntu-latest
+ environment: prod
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 2
+
+ - name: Configure AWS credentials using OIDC
+ uses: aws-actions/configure-aws-credentials@v3
+ with:
+ role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+ aws-region: us-east-1
+
+ - name: Compute invalidation paths
+ id: paths
+ shell: bash
+ run: |
+ set -euo pipefail
+
+ BEFORE="${{ github.event.before }}"
+ AFTER="${{ github.sha }}"
+
+ if [ -z "$BEFORE" ] || [ "$BEFORE" = "0000000000000000000000000000000000000000" ]; then
+ if git rev-parse "${AFTER}^" >/dev/null 2>&1; then
+ BEFORE="${AFTER}^"
+ else
+ BEFORE=""
+ fi
+ fi
+
+ if [ -n "$BEFORE" ]; then
+ git diff --name-only "$BEFORE" "$AFTER" > /tmp/changed_files.txt
+ else
+ git ls-tree --name-only -r "$AFTER" > /tmp/changed_files.txt
+ fi
+
+ mapfile -t files < <(grep -E '^theme/.*\.(css|js|hbs)$' /tmp/changed_files.txt || true)
+ if [ ${#files[@]} -eq 0 ]; then
+ echo "paths=" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+
+ invalidate_paths=()
+ hbs_changed=false
+
+ for f in "${files[@]}"; do
+ if [[ "$f" == theme/* ]]; then
+ rel="${f#theme/}"
+ if [[ "$f" == *.hbs ]]; then
+ hbs_changed=true
+ else
+ invalidate_paths+=("/$rel")
+ fi
+ fi
+ done
+
+ if [ "$hbs_changed" = true ]; then
+ invalidate_paths+=("/*")
+ fi
+
+ printf "%s\n" "${invalidate_paths[@]}" | awk 'NF' | sort -u > /tmp/invalidate_paths.txt
+
+ if [ ! -s /tmp/invalidate_paths.txt ]; then
+ echo "paths=" >> "$GITHUB_OUTPUT"
+ exit 0
+ fi
+
+ paths=$(paste -sd' ' /tmp/invalidate_paths.txt)
+ echo "paths=$paths" >> "$GITHUB_OUTPUT"
+
+ - name: Create CloudFront invalidation
+ if: steps.paths.outputs.paths != ''
+ run: |
+ aws cloudfront create-invalidation \
+ --distribution-id "${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }}" \
+ --paths ${{ steps.paths.outputs.paths }}
diff --git a/Dockerfile b/Dockerfile
index e262d9f97..e1103837d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,7 @@ RUN curl https://sh.rustup.rs -sSf | sh -s -- -y
 ENV PATH="/root/.cargo/bin:${PATH}"
 # Install mdBook & plugins
-RUN cargo install mdbook
+RUN cargo install mdbook --version 0.5.2
 RUN cargo install mdbook-alerts
 RUN cargo install mdbook-reading-time
 RUN cargo install mdbook-pagetoc
@@ -28,4 +28,3 @@ RUN cargo install mdbook-codename
 # Set the working directory
 WORKDIR /app
-
diff --git a/theme/css/general.css b/theme/css/general.css
index e1e2364bc..85ed9250e 100644
--- a/theme/css/general.css
+++ b/theme/css/general.css
@@ -327,3 +327,4 @@ sup {
 .result-no-output {
 font-style: italic;
 }
+/* Cache invalidation test: keep in sync with HackTricks */
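Review bot: In the `Create CloudFront invalidation` step of `cloudfront_invalidate_assets.yml`, `--paths ${{ steps.paths.outputs.paths }}` is pasted unquoted into the script text, so the `/*` entry produced by a `.hbs` change is glob-expanded by bash against the runner's root directory, and any file name under `theme/` containing spaces or shell metacharacters is interpreted by the shell in a job that holds `id-token: write` and the `prod` role. The same job has already written the paths one per line to `/tmp/invalidate_paths.txt`, so the step can read that file into an array and pass it quoted, with the distribution id supplied through `env:` rather than interpolated. Separately, the `push` trigger sets both `paths` and `paths-ignore`, which GitHub Actions does not accept for the same event; the `paths-ignore` block should be dropped. `actions/checkout@v4` and `aws-actions/configure-aws-credentials@v3` are referenced by mutable tag, and pinning both to full commit SHAs is worth doing in a workflow that assumes an AWS role.

```yaml
      - name: Create CloudFront invalidation
        if: steps.paths.outputs.paths != ''
        env:
          DISTRIBUTION_ID: ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }}
        shell: bash
        run: |
          set -euo pipefail
          # One path per line, written by the previous step of this job.
          mapfile -t paths < /tmp/invalidate_paths.txt
          aws cloudfront create-invalidation \
            --distribution-id "$DISTRIBUTION_ID" \
            --paths "${paths[@]}"
```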
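Review bot: In the first Dockerfile hunk, `RUN cargo install mdbook --version 0.5.2` pins only mdBook itself; the plugin installs that follow it (`mdbook-alerts`, `mdbook-reading-time`, `mdbook-pagetoc` and, per the next hunk header, `mdbook-codename`) still resolve to whatever crates.io serves at build time. Without `--locked`, the dependencies of the pinned crate float as well, so two builds of this image can still differ. I would change the line to `RUN cargo install mdbook --version 0.5.2 --locked` and give each plugin an explicit `--version <PLUGIN_VERSION> --locked`, choosing versions known to build against this mdBook release. Any plugin lines between the two hunks are outside the visible diff and would need the same treatment.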