Fix/aws static site cli and dnszone#283
Merged
Merged
Conversation
`pkg/clouds/pulumi/aws/static_website.go` shells out to `aws s3 sync` via Pulumi `local.NewCommand`, but neither the prod nor staging Dockerfile installed the AWS CLI — every static-site stack run under the simplecontainer/github-actions image failed with `/bin/sh: aws: not found`. Adding the alpine `aws-cli` package (community repo, python-based) to the runtime layer of both images + extending the build-time smoke test to cover `aws --version`. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…ured aws.StaticSiteInput embeds api.StackConfigStatic (which carries Site. BaseDnsZone) but never exposed an OverriddenBaseZone() method, so the type assertion in pulumi/deploy.go fell through and the Cloudflare registrar fell back to the parent stack's default zone. Records intended for e.g. simple-forge.com landed in the simple-container.com zone and Cloudflare appended the suffix → simple-forge.com.simple- container.com. GCP, Lambda and ECS Fargate inputs already implement the interface; this just restores parity. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Security Scan ResultsRepository:
Scanned at 2026-05-20 22:34 UTC |
Semgrep Scan ResultsRepository:
Scanned at 2026-05-20 22:34 UTC |
smecsia
approved these changes
May 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two independent bugs in the AWS static-website path; both surfaced on the
landing/forge-landingstacks aftersimple-container-com/landing@374bce6switched them totemplate: static-site.1.
aws-climissing fromsimplecontainer/github-actionsrunner imagepkg/clouds/pulumi/aws/static_website.go:174shells out toaws s3 syncvia Pulumilocal.NewCommand, but neither Dockerfile installed the AWS CLI — every static-site stack run under the image failed with/bin/sh: aws: not found. Example: https://github.com/simple-container-com/landing/actions/runs/26192421479aws-cli(community repo) to the runtime layer ofgithub-actions.Dockerfileandgithub-actions-staging.Dockerfile.aws --version.2.
baseDnsZoneignored for AWS static-site stacks (Cloudflare appends parent zone)aws.StaticSiteInputembedsapi.StackConfigStatic(which carriesSite.BaseDnsZone) but never implemented theapi.DnsConfigAwareinterface, so the assertion atpkg/clouds/pulumi/deploy.go:142fell through. The Cloudflare registrar then fell back to the parent stack's defaultcfg.ZoneName(simple-container.com) — Cloudflare appended that suffix, turning intended apex records intosimple-forge.com.simple-container.com.OverriddenBaseZone()onaws.StaticSiteInput, returningi.Site.BaseDnsZone. Restores parity withgcloud.StaticSiteInput,aws.LambdaInput,aws.EcsFargateInput.Test plan
github-actions-staging.Dockerfilelocally → new smoke step prints aws versionstaging→build-staging.ymlpromotes the imageaws s3 syncsucceeds under the action runnerforge-landing/landing→ Cloudflare record name stays at the apex (e.g.simple-forge.com), no parent-zone suffix🤖 Generated with Claude Code