From be080cf5938b5674e8e2415cce7957430e1d660f Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 12:02:53 +0000 Subject: [PATCH 1/3] Initial plan From 27a9a0ac9d92ef9bab1d7ac05efe8d5479f96b62 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 9 Mar 2026 12:04:53 +0000 Subject: [PATCH 2/3] Add documentation for az-sync action and nginx.org-make-aws workflow Co-authored-by: eepifanova <3909992+eepifanova@users.noreply.github.com> --- README.md | 117 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) diff --git a/README.md b/README.md index 76cdeef..0b82062 100644 --- a/README.md +++ b/README.md 
@@ -140,3 +140,120 @@ on: paths: - docsDirectory/** ....... +``` + +## nginx.org branch + +The `nginx.org` branch contains additional workflows and actions for building and deploying the [nginx.org](https://nginx.org) website to AWS S3. + +### az-sync action + +**Path:** `.github/actions/az-sync/action.yml` + +A reusable composite action that logs into Azure, retrieves secrets from an Azure Key Vault, and exports them as environment variables for use in subsequent workflow steps. After all secrets are synced, it logs out of Azure automatically. + +#### Inputs + +| Input | Description | Required | Default | +|---|---|---|---| +| `az_client_id` | Azure Client ID (for OIDC federated login) | Yes | — | +| `az_tenant_id` | Azure Tenant ID | Yes | — | +| `az_subscription_id` | Azure Subscription ID | Yes | — | +| `keyvault` | Name of the Azure Key Vault to read secrets from | Yes | — | +| `secrets-filter` | Comma-separated list of secret name patterns to sync | Yes | `*` | + +#### Usage example + +```yml +- name: Get Secrets from Azure Key Vault + uses: nginxinc/docs-actions/.github/actions/az-sync@nginx.org + with: + az_client_id: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + az_tenant_id: ${{ secrets.AZURE_VAULT_TENANT_ID }} + az_subscription_id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + keyvault: ${{ secrets.DOCS_VAULTNAME }} + secrets-filter: 'MySecret1,MySecret2' +``` + +Each matched secret is exported as an environment variable named after the secret (e.g. `MySecret1`). Multiline secret values are handled using the heredoc syntax supported by `$GITHUB_ENV`. + +--- + +### nginx.org-make-aws workflow + +**Path:** `.github/workflows/nginx.org-make-aws.yml` + +A reusable (`workflow_call`) workflow that builds the nginx.org website using `make` and deploys it to AWS S3. It supports two separate jobs controlled by the `deployment_env` input: + +- **`build-staging`** — Builds the site from source and syncs the output to a versioned staging path in S3 (`staging//`). 
Also uploads a `.deployed.txt` marker file used by the production job. +- **`build-prod`** — Waits for the staging marker to be present for the current commit SHA, then promotes the staged build to the production S3 path (`prod/`). + +Both jobs use the [az-sync](#az-sync-action) action to retrieve AWS credentials from Azure Key Vault before assuming an AWS IAM role via OIDC. + +#### Secrets + +| Secret | Description | Required | +|---|---|---| +| `AZURE_VAULT_CLIENT_ID` | Azure Client ID for Key Vault access | Yes | +| `AZURE_VAULT_SUBSCRIPTION_ID` | Azure Subscription ID | Yes | +| `AZURE_VAULT_TENANT_ID` | Azure Tenant ID | Yes | +| `DOCS_VAULTNAME` | Name of the Azure Key Vault containing AWS credentials | Yes | + +The Key Vault referenced by `DOCS_VAULTNAME` must contain the following secrets: + +| Key Vault secret | Description | +|---|---| +| `NginxOrgAwsAccountID` | AWS account ID used to construct the IAM role ARN | +| `NginxOrgAwsRoleName` | AWS IAM role name to assume via OIDC | +| `NginxOrgAllowedUsers` | Comma-separated list of GitHub usernames allowed to trigger production deployments | + +#### Inputs + +| Input | Description | Required | Default | +|---|---|---|---| +| `deployment_env` | Target environment: `staging` or `prod` | No | `staging` | +| `url_prod` | Public hostname for the production site | No | `nginx.org` | +| `url_staging` | Public hostname for the staging site | No | `staging.nginx.org` | +| `s3_bucket` | S3 bucket name for deployments | No | `nginx-org-staging` | +| `aws_region` | AWS region for S3 operations | No | `eu-central-1` | + +#### Access controls + +Both jobs verify that the workflow is triggered from an allowed context before proceeding: + +- **Organization**: `nginx` or `nginxinc` +- **Event**: `push` or `workflow_dispatch` +- **Ref** (prod only): `refs/heads/main` +- **Actor** (prod only): must be listed in the `NginxOrgAllowedUsers` Key Vault secret + +#### Caller example + +```yml +name: nginx.org build and deploy + 
+on: + push: + branches: + - main + workflow_dispatch: + inputs: + deployment_env: + description: 'Target environment' + required: false + default: staging + type: choice + options: + - staging + - prod + +jobs: + call-nginx-org-build: + uses: nginxinc/docs-actions/.github/workflows/nginx.org-make-aws.yml@nginx.org + with: + deployment_env: ${{ inputs.deployment_env || 'staging' }} + secrets: + AZURE_VAULT_CLIENT_ID: ${{ secrets.AZURE_VAULT_CLIENT_ID }} + AZURE_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }} + AZURE_VAULT_TENANT_ID: ${{ secrets.AZURE_VAULT_TENANT_ID }} + DOCS_VAULTNAME: ${{ secrets.DOCS_VAULTNAME }} +``` From b0311c7772e4dfccfc8887db3ea6241786e28192 Mon Sep 17 00:00:00 2001 From: Ekaterina Kukushkina Date: Mon, 9 Mar 2026 12:12:25 +0000 Subject: [PATCH 3/3] remove excessive notes --- README.md | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0b82062..d6539c3 100644 --- a/README.md +++ b/README.md @@ -142,10 +142,6 @@ on: ....... ``` -## nginx.org branch - -The `nginx.org` branch contains additional workflows and actions for building and deploying the [nginx.org](https://nginx.org) website to AWS S3. - ### az-sync action **Path:** `.github/actions/az-sync/action.yml` @@ -160,7 +156,7 @@ A reusable composite action that logs into Azure, retrieves secrets from an Azur | `az_tenant_id` | Azure Tenant ID | Yes | — | | `az_subscription_id` | Azure Subscription ID | Yes | — | | `keyvault` | Name of the Azure Key Vault to read secrets from | Yes | — | -| `secrets-filter` | Comma-separated list of secret name patterns to sync | Yes | `*` | +| `secrets-filter` | Comma-separated list (no spaces) of secret name patterns to sync | Yes | `*` | #### Usage example 
@@ -248,7 +244,7 @@ on: jobs: call-nginx-org-build: - uses: nginxinc/docs-actions/.github/workflows/nginx.org-make-aws.yml@nginx.org + uses: nginxinc/docs-actions/.github/workflows/nginx.org-make-aws.yml@main with: deployment_env: ${{ inputs.deployment_env || 'staging' }} secrets:
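Review bot: In the az-sync inputs table (patch 2/3), `secrets-filter` is listed as Required "Yes" and also given a default of `*`; an input with a default is by definition optional, so either change Required to "No" or drop the default, and the same applies to the "(no spaces)" row that patch 3/3 rewrites. The usage text also says each matched secret is exported to `$GITHUB_ENV` under its own name; values written there are not masked automatically and are readable by every later step in the job, including third-party actions, so the doc should state whether the action masks them (`::add-mask::`) before writing and recommend keeping `secrets-filter` narrow rather than `*`.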
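Review bot: In the nginx.org-make-aws description (patch 2/3), the staging path is written as `staging//`, with an empty segment; a placeholder appears to have been dropped, so spell out what that segment is (the prod bullet refers to the current commit SHA). The sentence "retrieve AWS credentials from Azure Key Vault before assuming an AWS IAM role via OIDC" also contradicts the Key Vault table below it, which lists only `NginxOrgAwsAccountID`, `NginxOrgAwsRoleName` and `NginxOrgAllowedUsers`, none of which is a credential; say instead that the action fetches the account ID and role name used to build the role ARN, and that the only AWS credential is the short-lived one obtained by assuming that role via OIDC.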
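Review bot: In the inputs and access-controls tables (patch 2/3), `s3_bucket` defaults to `nginx-org-staging` while the prod job is described as promoting to a `prod/` path; state whether production writes into that same bucket by default or whether callers must override `s3_bucket` for `deployment_env: prod`. For the actor check, `NginxOrgAllowedUsers` is described as a comma-separated list of usernames; document that the comparison is an exact match of `github.actor` against one list entry (not a substring match) and that the check runs alongside, not instead of, the org and `refs/heads/main` checks, so a reader can tell which single condition gates production.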
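Review bot: In the caller example hunk (patch 3/3), `uses:` is moved from `@nginx.org` to `@main`, but the az-sync usage example earlier in the same README still reads `uses: nginxinc/docs-actions/.github/actions/az-sync@nginx.org`; now that the "nginx.org branch" section is gone, both examples should reference the same ref, otherwise a reader copying the action snippet will target a branch the doc no longer describes. Both snippets also pin a mutable branch; for callers outside this repo, show a tag or commit SHA so a change on `main` cannot silently alter what runs with the Key Vault and AWS role access described above.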
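Review bot: In the first hunk of patch 3/3, removing `## nginx.org branch` leaves `### az-sync action` and `### nginx.org-make-aws workflow` directly under the preceding `##` section, whose content ends with the `on: paths: - docsDirectory/**` trigger example, so they now render as subsections of that unrelated workflow. Either keep a one-line `##` heading for the nginx.org material or promote the two `###` headings to `##`; the removed sentence's facts that these pieces build nginx.org and deploy to AWS S3 should survive somewhere, since nothing left in the section states the purpose before diving into the action's inputs.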