S3 Backup

A GitHub action to mirror a repository to S3 compatible object storage.

Usage

This example will mirror your repository to an S3 bucket called repo-backup-bucket and at the optional key /at/some/path. Objects at the target will be overwritten, and extraneous objects will be removed. This default usage keeps your S3 backup in sync with GitHub.

    - name: S3 Backup
      uses: peter-evans/s3-backup@v1
      env:
        ACCESS_KEY_ID: ${{ secrets.ACCESS_KEY_ID }}
        SECRET_ACCESS_KEY: ${{ secrets.SECRET_ACCESS_KEY }}
        MIRROR_TARGET: repo-backup-bucket/at/some/path
      with:
        args: --overwrite --remove

S3 Backup uses the mirror command of MinIO Client. Additional arguments may be passed to the action via the args parameter.

Secrets and environment variables

The following variables may be passed to the action as secrets or environment variables. MIRROR_TARGET, for example, if considered sensitive should be passed as a secret.

• ACCESS_KEY_ID (required) - The storage service access key id.
• SECRET_ACCESS_KEY (required) - The storage service secret access key.
• MIRROR_TARGET (required) - The target bucket, and optionally, the key within the bucket.
• AWS_SESSION_TOKEN - When using temporary credentials (Amazon S3)
• AWS_REGION (required with AWS_SESSION_TOKEN) - the region where the s3 bucket is located for Amazon S3. Mandatory when using SESSION_TOKEN.
• MIRROR_SOURCE - The source defaults to the repository root. If required a path relative to the root can be set.
• STORAGE_SERVICE_URL - The URL to the object storage service. Defaults to https://s3.amazonaws.com for Amazon S3.
• STORAGE_SERVICE_ALIAS - Defaults to s3. See MinIO Client for other options such as S3 compatible minio, and gcs for Google Cloud Storage.

IAM user policy

The IAM user associated with the ACCESS_KEY_ID and SECRET_ACCESS_KEY should have s3:* policy access.

If required you can create a policy to restrict access to specific resources. The following policy grants the user access to the bucket my-restricted-bucket and its contents.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowBucketStat",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::my-restricted-bucket"
        },
        {
            "Sid": "AllowThisBucketOnly",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-restricted-bucket/*",
                "arn:aws:s3:::my-restricted-bucket"
            ]
        }
    ]
}

Complete workflow example

The workflow below filters push events for the master branch before mirroring to S3.

name: Mirror repo to S3
on:
  push:
    branches:
      - master
jobs:
  s3Backup:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: S3 Backup
        uses: peter-evans/s3-backup@v1
        env:
          ACCESS_KEY_ID: ${{ secrets.ACCESS_KEY_ID }}
          MIRROR_TARGET: ${{ secrets.MIRROR_TARGET }}
          SECRET_ACCESS_KEY: ${{ secrets.SECRET_ACCESS_KEY }}
        with:
          args: --overwrite --remove

License

MIT