Auto merge of #29303 - servo:invalidate-latest-nightly-from-cloudfront, r=mrobinson

Invalidate latest nightly files in CloudFront.

After a new nightly build is uploaded to S3, bust the cache in CloudFront Edge servers with the CreateInvalidation AWS API.

For each platform we use the `/nightly/<platform>/servo-latest.<ext>*` pattern to invalidate both package and sha256 files. As part of this change, a new policy has been attached to the "download.servo.org-uploads-from-travis" IAM user
to allow the "cloudfront:CreateInvalidation" action.

Since CloudFront [invalidates every version][1] of the cached file, regardless of the headers used for that version, this change should invalidate the different caches for 'Accept-Encoding' header.

[1]: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Invalidation.html#invalidation-specifying-objects

---
<!-- Thank you for contributing to Servo! Please replace each `[ ]` by `[X]` when the step is complete, and replace `___` with appropriate data: -->
- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [x] These changes fix #29034

<!-- Either: -->
- [ ] There are tests for these changes OR
- [x] These changes do not require tests because they update nightly upload process. Changes have been *partially* validated using [manual run ](https://github.com/servo/servo/actions/runs/4012975660/jobs/6892315365)

<!-- Also, please make sure that "Allow edits from maintainers" checkbox is checked, so that we can help you if you get stuck somewhere along the way.-->

<!-- Pull requests that do not address these steps are welcome, but they will require additional verification as part of the review process. -->

python/servo/package_commands.py

@@ -633,7 +633,15 @@ class PackageCommands(CommandBase):
                 aws_access_key_id=aws_access_key,
                 aws_secret_access_key=aws_secret_access_key
             )
+
+            cloudfront = boto3.client(
+                'cloudfront',
+                aws_access_key_id=aws_access_key,
+                aws_secret_access_key=aws_secret_access_key
+            )
+
             BUCKET = 'servo-builds2'
+            DISTRIBUTION_ID = 'EJ8ZWSJKFCJS2'
 
             nightly_dir = 'nightly/{}'.format(platform)
             filename = nightly_filename(package, timestamp)
@@ -652,7 +660,7 @@ class PackageCommands(CommandBase):
                     sha256_digest.update(data)
             package_hash = sha256_digest.hexdigest()
             package_hash_fileobj = io.BytesIO(package_hash.encode('utf-8'))
-            latest_hash_upload_key = '{}/servo-latest.{}.sha256'.format(nightly_dir, extension)
+            latest_hash_upload_key = f'{latest_upload_key}.sha256'
 
             s3.upload_file(package, BUCKET, package_upload_key)
 
@@ -665,6 +673,21 @@ class PackageCommands(CommandBase):
                 package_hash_fileobj, BUCKET, latest_hash_upload_key, ExtraArgs={'ContentType': 'text/plain'}
             )
 
+            # Invalidate previous "latest" nightly files from
+            # CloudFront edge caches
+            cloudfront.create_invalidation(
+                DistributionId=DISTRIBUTION_ID,
+                InvalidationBatch={
+                    'CallerReference': f'{latest_upload_key}-{timestamp}',
+                    'Paths': {
+                        'Quantity': 1,
+                        'Items': [
+                            f'/{latest_upload_key}*'
+                        ]
+                    }
+                }
+            )
+
         def update_maven(directory):
             (aws_access_key, aws_secret_access_key) = get_s3_secret()
             s3 = boto3.client(