Open
Labels: bug, p3, s3
Description
Describe the bug
```yaml
name: (Reusable) Deploy Website to S3 + CloudFront with OIDC
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string
jobs:
  deploy:
    environment: ${{ inputs.environment }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write # Required for OIDC
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Configure AWS credentials (OIDC)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION }}
      - name: Upload files to S3
        run: >
          aws s3 sync ./ ${{ vars.S3_PATH }}
          --delete
          --exclude "*"
          --include "css/*"
          --include "font/*"
          --include "icons/*"
          --include "images/*"
          --include "js/*"
          --include "robots.txt"
          --include "sitemap.xml"
          --include "404.html"
          --include "index.html"
          --include "privacy-policy.html"
          --include "terms-and-conditions.html"
          --include "terms-of-use.html"
      - name: Invalidate CloudFront cache
        run: |
          aws cloudfront create-invalidation \
            --distribution-id ${{ vars.CLOUDFRONT_DISTRIBUTION_ID }} \
            --paths "/*"
```
The `--exclude "*"` did not work when I tried authenticating with OIDC. However, it works fine when using an IAM access key.
Regression Issue
- Select this option if this issue appears to be a regression.
Expected Behavior
The `--exclude "*"` should exclude all files and folders; the `--include` command then helps decide what needs to be synced.
Current Behavior
The `--exclude "*"` did not work when I tried authenticating with OIDC. However, it works fine when using an IAM access key.
Reproduction Steps
Connect GitHub to AWS using OIDC, then trigger the GitHub job above.
Possible Solution
No response
Additional Information/Context
No response
CLI version used
aws-cli/2.31.25 Python/3.13.9 Linux/6.11.0-1018-azure exe/x86_64.ubuntu.24
Environment details (OS name and version, etc.)
Ubuntu 24.04.3 LTS
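
An added example, not part of the original issue and not the AWS CLI's own code: a simplified Python model of the documented ordering rule for `--exclude`/`--include` (files are included by default and the last matching filter wins), applied to the workflow's filter list so the expected selection can be stated precisely. The file listing is constructed and includes `.git/` and workflow files, which are the paths that should stay out of a website bucket; `is_selected` and `select` are hypothetical helper names.

```python
# Added illustration: a simplified model of ordered --exclude/--include
# filtering (last matching filter wins, files are included by default).
# It is not the AWS CLI's own code; the file list below is constructed.
from fnmatch import fnmatch

# Filters in the same order as the workflow's `aws s3 sync` command.
FILTERS = [("exclude", "*")] + [("include", p) for p in (
    "css/*", "font/*", "icons/*", "images/*", "js/*",
    "robots.txt", "sitemap.xml", "404.html", "index.html",
    "privacy-policy.html", "terms-and-conditions.html", "terms-of-use.html",
)]


def is_selected(rel_path, filters=FILTERS):
    """Return True if rel_path would be synced under the ordered filters."""
    selected = True  # with no filters, every file is included
    for action, pattern in filters:
        if fnmatch(rel_path, pattern):
            # A later matching filter overrides any earlier decision.
            selected = (action == "include")
    return selected


def select(paths, filters=FILTERS):
    """Return the sorted subset of paths that the filters leave selected."""
    return sorted(p for p in paths if is_selected(p, filters))


# Constructed repository listing (paths relative to the sync source "./").
SAMPLE_TREE = [
    "index.html", "404.html", "robots.txt", "css/site.css", "js/app.js",
    "images/logo/mark.png", ".git/config", ".github/workflows/deploy.yml",
    "README.md", "package.json",
]

if __name__ == "__main__":
    for path in SAMPLE_TREE:
        print(("sync " if is_selected(path) else "skip ") + path)
```

Running the real command with `--dryrun` prints the operations without performing them, so its output can be compared against this expectation.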