Skip to content

ci: run all workflows on CodeBuild-hosted runners#1715

Open
notgitika wants to merge 5 commits into
mainfrom
ci/codebuild-all-workflows
Open

ci: run all workflows on CodeBuild-hosted runners#1715
notgitika wants to merge 5 commits into
mainfrom
ci/codebuild-all-workflows

Conversation

@notgitika

@notgitika notgitika commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Moves every job off ubuntu-latest onto our CodeBuild-hosted runner (agentcore-e2e, CI account us-east-1). Fixes the 5-10min GitHub-hosted runner pickup we've been hitting in the aws/ org, plus WAF 403s on AWS-calling jobs.

Runners are ephemeral/per-job, bounded by the 300 Linux/Small concurrency quota, so parallelism is preserved.

Follow-up: migrate the webhook from my PAT to the managed GitHub App connection once org admin scopes the repo.

edit: based on harness comment, keeping ci failure one still based on GH ubuntu runner

Move every job off ubuntu-latest onto our AWS CodeBuild-hosted GitHub
Actions runner (project agentcore-e2e in the CI account, us-east-1).

Motivation (E2E infra doc, Section 1): GitHub-hosted runner pickup in the
aws/ org has been taking 5-10 min lately, and shared runner IPs trip the
service WAF (403s) on AWS-calling jobs. CodeBuild ephemeral runners spin
up per job in ~5s and run inside AWS, fixing both.

Every runs-on: ubuntu-latest -> the codebuild label. Runners are
ephemeral and per-job (each WORKFLOW_JOB_QUEUED event gets its own),
bounded by the account concurrent-build quota (300 Linux/Small), so
parallelism is preserved.

Follow-up: the runner webhook is currently authed via a personal PAT
because the AWS Connector GitHub App isn't scoped to this repo yet;
migrate to the managed App connection once an org admin adds the repo.
@notgitika notgitika requested a review from a team July 8, 2026 20:45
@github-actions github-actions Bot added the size/s PR size: S label Jul 8, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jul 8, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Package Tarball

aws-agentcore-0.23.0.tgz

How to install

gh release download pr-1715-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.23.0.tgz

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Broad sweep looks good and the rationale (WAF 403s + GHA runner pickup latency) is well-motivated. One concern about a monitoring blind spot; the rest is fine to merge as-is.

Comment thread .github/workflows/ci-failure-issue.yml Outdated
create-issue:
concurrency: ci-failure-issue-${{ github.event.workflow_run.name }}
runs-on: ubuntu-latest
runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moving this workflow onto the same CodeBuild-hosted runner it's supposed to alarm on creates a monitoring blind spot: ci-failure-issue.yml is the safety net that opens a GitHub issue when Build and Test / Quality and Safety Checks / E2E Tests (Full Suite) / CodeQL fail on main. If those workflows fail because the CodeBuild project is misconfigured, its webhook has drifted (which the PR description already flags as a follow-up when migrating from your PAT to the GitHub App), the 300 Linux/Small quota is exhausted, or the runner image is broken — this workflow won't be able to spin up a runner either, so the failure is silently swallowed and nobody gets paged.

Since this workflow only calls the GitHub API (npx tsx create-failure-issue.ts + gh via App token) and has no AWS calls, it doesn't benefit from being inside the AWS network. Options:

  1. Leave this one on ubuntu-latest so it can still fire when CodeBuild is unhealthy (recommended — smallest change, preserves the alarm's independence).
  2. Add a runs-on fallback / second job that also runs on ubuntu-latest as a backup.
  3. Add an external heartbeat check (e.g., CloudWatch alarm on missing CodeBuild runs) so this workflow being unable to run itself gets surfaced elsewhere.

Option 1 is the cheapest and matches the intent of an alarm workflow (independence from the thing it monitors).

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

makes sense

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jul 8, 2026
CodeQL query evaluation ran out of Java heap on the CodeBuild
general1.small runner (3 GB cgroup limit; 'CodeQL is out of memory. Try
running CodeQL on a larger runner'). CodeQL makes no AWS/service calls,
so it has no WAF exposure and gains nothing from CodeBuild — revert this
one workflow to ubuntu-latest. All other workflows stay on CodeBuild.
@github-actions github-actions Bot added size/s PR size: S and removed size/s PR size: S labels Jul 8, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
Now that agentcore-e2e is general1.medium (7 GB, up from the 3 GB small
that OOMed), retry CodeQL on the CodeBuild runner. Reverts the temporary
ubuntu-latest pin; if CodeQL still OOMs at 7 GB we'll bump to large or
re-pin.
@github-actions github-actions Bot added size/s PR size: S and removed size/s PR size: S labels Jul 8, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
Per review: ci-failure-issue.yml opens a GitHub issue when main CI fails.
Running it on the same CodeBuild runner it may need to report on creates a
monitoring blind spot — if CodeBuild is unhealthy (webhook drift, quota
exhaustion, broken image) the alarm couldn't start either and the failure
is silently swallowed. It's GitHub-API-only (no AWS calls), so it gains
nothing from CodeBuild. Keep it on ubuntu-latest for independence.
@notgitika

Copy link
Copy Markdown
Contributor Author

investigating the failing merge-reports CI

@github-actions github-actions Bot added size/s PR size: S and removed size/s PR size: S labels Jul 8, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
…CodeBuild)

Vitest blob reports store absolute test-file paths tied to the runner's
working directory. On GitHub-hosted runners every job shares
/home/runner/work/agentcore-cli/agentcore-cli, so merge-reports resolves the
shard blobs fine. On CodeBuild-hosted runners each job gets a unique
/codebuild/output/src<N>/... directory, so the merge job cannot find the
shard-recorded paths and vitest exits 'No test files found, exiting with
code 1' — deterministically red on CodeBuild, green on ubuntu-latest.

Add a normalization step that rewrites each shard blob's recorded repo root
to the merge job's own workspace before merging. The regex is anchored to the
CodeBuild src<N> path so it cannot touch test titles or other blob content,
and is a no-op on GitHub-hosted runners.

Verified locally: a blob with a mismatched /codebuild/... path reproduces
'No test files found' (exit 1); after normalization the same merge passes
(97 tests).
@github-actions github-actions Bot added size/m PR size: M and removed size/s PR size: S labels Jul 8, 2026
@notgitika

Copy link
Copy Markdown
Contributor Author

A "Normalize blob report paths" step in the merge-reports job rewrites each shard blob's /codebuild/output/src<N>/.../agentcore-cli prefix → the merge job's own workspace before merging. Anchored regex, so it can't touch test titles; no-op on GitHub-hosted runners.

Verified locally and it should not see the No test files found, exiting with code 1. error anymore on that workflow

@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 39.58% 14652 / 37014
🔵 Statements 38.85% 15615 / 40192
🔵 Functions 33.67% 2495 / 7408
🔵 Branches 33.08% 9729 / 29407
Generated in workflow #4046 for commit 64e879e by the Vitest Coverage Report Action

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/m PR size: M

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants