Best strategy to deploy static site to s3 on github push?
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
A reliable strategy for deploying a static site to S3 on every GitHub push is to automate build and sync in GitHub Actions with least-privilege AWS access. This removes manual deploy steps and keeps production aligned with main branch commits. For most teams, the best baseline is S3 for storage and optional CloudFront for caching and TLS.
Recommended Deployment Architecture
A practical production setup includes:
- one S3 bucket for site assets
- optional CloudFront distribution in front of S3
- GitHub Actions workflow on push to main
- OIDC-based role assumption instead of long-lived AWS keys
This gives secure CI authentication and repeatable deployments.
GitHub Actions Workflow Example
The workflow below builds a static site, syncs files to S3, and invalidates CloudFront cache.
This is runnable with your own bucket and distribution identifiers.
IAM and Security Baseline
Use a dedicated IAM role with minimum permissions:
s3:PutObject,s3:DeleteObject,s3:ListBucketon the target bucketcloudfront:CreateInvalidationif using CloudFront- trust policy restricted to your repository and branch via OIDC conditions
Least privilege limits blast radius if CI configuration is changed accidentally.
Deployment Quality Controls
Add simple quality gates before upload:
- fail build on lint or test failure
- keep artifact path explicit such as
distorbuild - include cache-control headers for static assets
Example for cache headers after sync:
This helps ensure fresh HTML while allowing long cache on hashed assets.
Branch Strategy and Environment Isolation
Teams usually need preview, staging, and production environments. Use branch-to-bucket mapping so each environment remains isolated and safe.
In GitHub Actions, you can map target bucket by branch name and avoid accidental production deploys from non-main branches.
This pattern keeps release flow predictable and allows safer verification before production promotion.
For rollback, keep recent build artifacts so you can redeploy a known good version quickly without rebuilding from a changed dependency graph. A simple artifact retention policy in CI is usually enough to support this.
Version your deployment workflow changes carefully so rollback automation stays trustworthy over time.
Common Pitfalls
A common issue is storing long-lived AWS keys in GitHub secrets instead of using OIDC. Key rotation becomes painful and risk increases.
Another pitfall is forgetting --delete during sync, which leaves stale files in S3 after refactors.
Teams also invalidate CloudFront on every file for every push. That works but can increase cost and hide poor cache strategy.
Finally, avoid deploying directly from feature branches to production bucket unless branch isolation is explicitly designed.
Summary
- Use GitHub Actions with OIDC role assumption for secure automated deploys.
- Sync built assets to S3 and optionally invalidate CloudFront.
- Apply least-privilege IAM policies scoped to one site.
- Add quality checks before deployment to reduce broken releases.
- Manage caching intentionally for predictable freshness and performance.

