Invalidate CloudFront cache on deploy to avoid serving stale HTML#518
Closed
externl wants to merge 1 commit into
Closed
Invalidate CloudFront cache on deploy to avoid serving stale HTML#518externl wants to merge 1 commit into
externl wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR adds a CloudFront invalidation step to the existing deploy workflow to prevent CloudFront from serving stale cached HTML that references removed Next.js chunk assets after a container swap deploy.
Changes:
- Adds an “Invalidate CloudFront cache” step after the SSH-based deploy completes.
- Configures AWS credentials/region and runs
aws cloudfront create-invalidation --paths '/*'for the target distribution.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+109
to
+113
| # the container along with its content-hashed /_next/static chunks, so a | ||
| # stale cached page would keep referencing chunk files the new build no | ||
| # longer has — a 404 that breaks hydration (e.g. the top-nav search stops | ||
| # working). Purge the edge cache so pages are re-fetched with the new | ||
| # build's asset URLs. Immutable /_next/static assets are unaffected. |
Comment on lines
+114
to
+118
| env: | ||
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | ||
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | ||
| AWS_DEFAULT_REGION: us-east-1 | ||
| DISTRIBUTION_ID: ${{ secrets.CLOUDFRONT_DISTRIBUTION_ID }} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds a CloudFront invalidation step to the deploy job so a release can't leave stale HTML in the CDN.
The homepage search bar recently broke because CloudFront was serving a ~9-day-old cached copy of
/whose HTML referenced a content-hashed/_next/staticchunk that a later deploy had already removed. The browser 404'd on that chunk, the page never finished hydrating, and the shared top-nav DocSearch button went dead — no ⌘K keys, and clicking did nothing — while other pages, whose cached HTML happened to reference chunks that still existed, kept working. Next.js serves prerendered pages withCache-Control: s-maxage=31536000, so without a purge on deploy CloudFront can keep serving a page for up to a year after its assets are gone.Because we deploy by swapping the container (which discards the previous build's chunks), the fix is to purge the edge cache once the new container is up. The content-hashed
/_next/staticassets are immutable and unaffected; only the HTML documents need refreshing.aws cloudfront create-invalidation --paths '/*'right afterdocker compose up -d(the AWS CLI is preinstalled on the runner, so there's no new action to SHA-pin).AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY, andCLOUDFRONT_DISTRIBUTION_ID, backed by an IAM identity allowed tocloudfront:CreateInvalidationon the distribution. If you'd prefer GitHub OIDC over static keys, I can switch it to a role-assume step instead.