
Add CDK app for apiref.phpstan.org infrastructure #5658

Merged: ondrejmirtes merged 1 commit into 2.2.x from apiref-infra-cdk, May 13, 2026

Conversation

@ondrejmirtes
Member

Mirror the website infra modernization from phpstan/phpstan: replace the click-configured legacy stack for apiref.phpstan.org with code under apigen/infra/.

  • ApirefStack: private S3 bucket via OAC, CloudFront distribution (HTTP/2+3, TLS 1.2_2021), a single CloudFront Function 2.0 doing the per-version landing-page redirects that the legacy apiref-phpstan-org-viewer-request did (now with / -> 2.2.x as the new latest, and 301s instead of 302s for SEO), a Response Headers Policy replacing the shared secure-headers-response, and a DNS-validated ACM cert for apiref.phpstan.org.
  • OidcRolesStack: phpstan-apiref-infra-deploy role for the new workflow. Reuses the account-wide GitHub OIDC provider (the dist-repo CDK app created it); does not try to create a duplicate.
  • productionAlias context flag controls whether apiref.phpstan.org is attached to the new distribution. Stays false until the manual cutover detaches the alias from the legacy E37G1C2KWNAPBD; then flipped true.
  • New .github/workflows/apiref-infra.yml: test -> diff -> deploy gated on needs:[test,diff], OIDC, sticky PR diff comment. Same shape as the main-site website-infra.yml.
  • apiref.yml: switched off the static APIREF_AWS_* keys to OIDC via vars.APIREF_DEPLOY_ROLE_ARN, vars.APIREF_BUCKET, and vars.APIREF_DISTRIBUTION_ID. Added !apigen/infra/** to the path filter so infra-only edits don't trigger a (slow) ApiGen rebuild.

After merge, set these repository variables in phpstan/phpstan-src:

  • APIREF_INFRA_DEPLOY_ROLE_ARN (from PhpstanApirefOidcRoles output)
  • APIREF_DEPLOY_ROLE_ARN (from PhpstanApirefWebsite output)
  • APIREF_BUCKET: phpstan-apiref-web
  • APIREF_DISTRIBUTION_ID (from PhpstanApirefWebsite output)

Full bootstrap + cutover + cleanup runbook in apigen/infra/README.md. Conventions and edit-this-when guide in apigen/infra/CLAUDE.md.
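The per-version landing-page redirect from the first bullet, written as an added example in the style of a CloudFront Function viewer-request handler; this is not the PR's own function. It takes `2.2.x` as the latest version from the description above; the `MAJOR.MINOR.x` directory pattern and the `/2.1.x` to `/2.1.x/` normalisation are assumptions. The Location header is only ever assembled from a validated version segment, never from the raw request path, so the function cannot be turned into an off-site redirect.

```javascript
// Added example (not the PR's CloudFront Function): a viewer-request handler in the
// style of the cloudfront-js-2.0 runtime that sends the landing page to the latest
// docs version with a permanent (301) redirect.
// Assumptions: LATEST is '2.2.x' (from the PR description); a version directory is
// named 'MAJOR.MINOR.x' (constructed pattern).
var LATEST = '2.2.x';
var VERSION_DIR = /^\/(\d+\.\d+\.x)$/;

// Build a 301 response. Location is a site-relative path built from a validated
// version segment, never from raw request input, so there is no open redirect.
function permanentRedirect(location) {
  return {
    statusCode: 301,
    statusDescription: 'Moved Permanently',
    headers: { location: { value: location } }
  };
}

function handler(event) {
  var request = event.request;
  var uri = request.uri;

  // Site root (and its index document) -> landing page of the latest version.
  if (uri === '/' || uri === '/index.html') {
    return permanentRedirect('/' + LATEST + '/');
  }

  // '/2.1.x' -> '/2.1.x/' so relative links inside the generated docs resolve.
  var m = VERSION_DIR.exec(uri);
  if (m) {
    return permanentRedirect('/' + m[1] + '/');
  }

  // Everything else is passed through to the origin untouched.
  return request;
}
```

Paths that already point inside a version directory (for example `/2.2.x/index.html`) are returned unchanged, which is what prevents a redirect loop once the browser follows the 301.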

@phpstan-bot
Collaborator

You've opened the pull request against the latest branch 2.2.x. PHPStan 2.2 is not going to be released for months. If your code is relevant on 2.1.x and you want it to be released sooner, please rebase your pull request and change its target to 2.1.x.


@github-advanced-security (AI) left a comment

zizmor found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

Mirror the website infra modernization from phpstan/phpstan: replace the
click-configured legacy stack for apiref.phpstan.org with code under
apigen/infra/.

- ApirefStack: private S3 bucket via OAC, CloudFront distribution
  (HTTP/2+3, TLS 1.2_2021), a single CloudFront Function 2.0 doing the
  per-version landing-page redirects that the legacy
  apiref-phpstan-org-viewer-request did (now with `/` -> 2.2.x as the new
  latest, and 301s instead of 302s for SEO), a Response Headers Policy
  replacing the shared secure-headers-response, and a DNS-validated ACM
  cert for apiref.phpstan.org.
- OidcRolesStack: phpstan-apiref-infra-deploy role for the new workflow.
  Reuses the account-wide GitHub OIDC provider (the dist-repo CDK app
  created it); does not try to create a duplicate.
- productionAlias context flag controls whether apiref.phpstan.org is
  attached to the new distribution. Stays false until the manual cutover
  detaches the alias from the legacy E37G1C2KWNAPBD; then flipped true.
- New .github/workflows/apiref-infra.yml: test -> diff -> deploy gated on
  needs:[test,diff], OIDC, sticky PR diff comment. Same shape as the
  main-site website-infra.yml.
- apiref.yml: switched off the static APIREF_AWS_* keys to OIDC via
  vars.APIREF_DEPLOY_ROLE_ARN, vars.APIREF_BUCKET, and
  vars.APIREF_DISTRIBUTION_ID. Added `!apigen/infra/**` to the path
  filter so infra-only edits don't trigger a (slow) ApiGen rebuild.

After merge, set these repository variables in phpstan/phpstan-src:
  APIREF_INFRA_DEPLOY_ROLE_ARN  (from PhpstanApirefOidcRoles output)
  APIREF_DEPLOY_ROLE_ARN        (from PhpstanApirefWebsite output)
  APIREF_BUCKET                 phpstan-apiref-web
  APIREF_DISTRIBUTION_ID        (from PhpstanApirefWebsite output)

Full bootstrap + cutover + cleanup runbook in apigen/infra/README.md.
Conventions and edit-this-when guide in apigen/infra/CLAUDE.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
```yaml
run: |
  aws cloudfront create-invalidation \
    --distribution-id "${{ vars.APIREF_DISTRIBUTION_ID }}" \
    --paths "/${{ github.ref_name }}/*"
```

```yaml
- name: "Sync with S3"
  run: |
    aws s3 sync ./docs "s3://${{ vars.APIREF_BUCKET }}/${{ github.ref_name }}" \
```

```yaml
AWS_SECRET_ACCESS_KEY: ${{ secrets.APIREF_AWS_SECRET_ACCESS_KEY }}
```

```yaml
steps:
  - name: Harden the runner (Audit all outbound calls)
    uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
```

```yaml
    - '.github/workflows/apiref-infra.yml'
    - 'apigen/infra/**'

concurrency: apiref-infra
```
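The deploy role from the OidcRolesStack bullet trusts GitHub's OIDC provider instead of the static APIREF_AWS_* keys that the workflow change drops. As an added example, not the PR's CDK code, here is the IAM trust policy such a role needs, built and then audited for the two conditions that keep it from being assumable by arbitrary workflows: the audience pinned to sts.amazonaws.com and the sub claim pinned to one repository and ref. The account id is a placeholder, the ref and the claim layout used by the checks are assumptions; phpstan/phpstan-src and 2.2.x come from the PR.

```javascript
// Added example, not code from the PR or the phpstan project: build and audit the
// trust policy of a GitHub Actions deploy role that uses OIDC federation instead of
// long-lived AWS_SECRET_ACCESS_KEY secrets. Account id is a placeholder; ref is an
// assumption.
const GITHUB_OIDC_HOST = 'token.actions.githubusercontent.com';
const AUD_KEY = GITHUB_OIDC_HOST + ':aud';
const SUB_KEY = GITHUB_OIDC_HOST + ':sub';

// Trust policy that lets exactly one repository ref assume the role.
function trustPolicyFor({ accountId, repo, ref }) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Effect: 'Allow',
      Principal: { Federated: `arn:aws:iam::${accountId}:oidc-provider/${GITHUB_OIDC_HOST}` },
      Action: 'sts:AssumeRoleWithWebIdentity',
      Condition: {
        StringEquals: {
          [AUD_KEY]: 'sts.amazonaws.com',
          [SUB_KEY]: `repo:${repo}:ref:${ref}`
        }
      }
    }]
  };
}

// Return a list of findings; an empty list means every web-identity statement is
// pinned to the GitHub provider, the STS audience and a single repository scope.
function auditTrustPolicy(policy) {
  const findings = [];
  for (const st of policy.Statement || []) {
    if (st.Effect !== 'Allow' || st.Action !== 'sts:AssumeRoleWithWebIdentity') continue;

    const federated = String((st.Principal && st.Principal.Federated) || '');
    if (!federated.endsWith('/' + GITHUB_OIDC_HOST)) {
      findings.push('principal is not the GitHub OIDC provider: ' + federated);
    }

    const cond = st.Condition || {};
    const eq = cond.StringEquals || {};
    const like = cond.StringLike || {};

    if (eq[AUD_KEY] !== 'sts.amazonaws.com') {
      findings.push('aud is not pinned to sts.amazonaws.com');
    }

    const sub = eq[SUB_KEY] || like[SUB_KEY];
    if (sub === undefined) {
      findings.push('no sub condition: a workflow in any GitHub repository could assume this role');
      continue;
    }
    const m = /^repo:([^:]+):(.*)$/.exec(sub);
    if (!m) {
      findings.push('unrecognised sub claim format: ' + sub);
      continue;
    }
    const [, repository, scope] = m;
    if (repository.includes('*')) {
      findings.push('sub matches more than one repository: ' + sub);
    }
    if (scope === '*') {
      findings.push('sub matches every ref and environment of ' + repository);
    }
  }
  return findings;
}

// Constructed sample run.
const samplePolicy = trustPolicyFor({
  accountId: '123456789012',            // placeholder
  repo: 'phpstan/phpstan-src',          // from the PR
  ref: 'refs/heads/2.2.x'               // assumption: deploy only from the 2.2.x branch
});
console.log(JSON.stringify(samplePolicy, null, 2));
console.log('findings:', auditTrustPolicy(samplePolicy));
```

A sub condition written as StringLike `repo:org/repo:*` lets any ref of the repository, pull-request runs included, obtain deploy credentials, which is the situation the audit flags; pinning the ref or a GitHub environment is what takes the place of the per-branch secret the old workflow relied on.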
@ondrejmirtes ondrejmirtes merged commit 74703f0 into 2.2.x May 13, 2026
377 of 380 checks passed
@ondrejmirtes ondrejmirtes deleted the apiref-infra-cdk branch May 13, 2026 19:46