From df85d6745fed9014a1a4347ea20fede0dc01cd2d Mon Sep 17 00:00:00 2001 From: notgitika Date: Wed, 8 Jul 2026 16:43:39 -0400 Subject: [PATCH 1/5] ci: run all workflows on CodeBuild-hosted runners Move every job off ubuntu-latest onto our AWS CodeBuild-hosted GitHub Actions runner (project agentcore-e2e in the CI account, us-east-1). Motivation (E2E infra doc, Section 1): GitHub-hosted runner pickup in the aws/ org has been taking 5-10 min lately, and shared runner IPs trip the service WAF (403s) on AWS-calling jobs. CodeBuild ephemeral runners spin up per job in ~5s and run inside AWS, fixing both. Every runs-on: ubuntu-latest -> the codebuild label. Runners are ephemeral and per-job (each WORKFLOW_JOB_QUEUED event gets its own), bounded by the account concurrent-build quota (300 Linux/Small), so parallelism is preserved. Follow-up: the runner webhook is currently authed via a personal PAT because the AWS Connector GitHub App isn't scoped to this repo yet; migrate to the managed App connection once an org admin adds the repo. --- .github/workflows/agent-restricted.yml | 2 +- .github/workflows/build-and-test.yml | 10 +++++----- .github/workflows/canary.yml | 2 +- .github/workflows/ci-failure-issue.yml | 2 +- .github/workflows/cleanup-pr-tarballs.yml | 2 +- .github/workflows/codeql.yml | 2 +- .github/workflows/e2e-tests-full.yml | 4 ++-- .github/workflows/e2e-tests.yml | 2 +- .github/workflows/github-slack-notifications.yml | 4 ++-- .github/workflows/lint.yml | 14 +++++++------- .github/workflows/pr-ai-review.yml | 4 ++-- .github/workflows/pr-security-review.yml | 4 ++-- .github/workflows/pr-size.yml | 2 +- .github/workflows/pr-tarball.yml | 4 ++-- .github/workflows/pr-title.yml | 2 +- .github/workflows/prerelease-tarball.yml | 2 +- .github/workflows/publish-api-docs.yml | 2 +- .github/workflows/release-main-and-preview.yml | 12 ++++++------ .github/workflows/release.yml | 8 ++++---- .github/workflows/slack-open-prs-notification.yml | 2 +- .github/workflows/strands-command.yml | 2 +- 21 files changed, 44 insertions(+), 44 deletions(-) diff --git a/.github/workflows/agent-restricted.yml b/.github/workflows/agent-restricted.yml index ab62ebe56..4e0468449 100644 --- a/.github/workflows/agent-restricted.yml +++ b/.github/workflows/agent-restricted.yml @@ -53,7 +53,7 @@ permissions: jobs: agent: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Check authorization run: | diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 3f8a0f73d..58c0e4d0c 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -19,7 +19,7 @@ concurrency: jobs: build: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 15 strategy: @@ -63,7 +63,7 @@ jobs: path: '*.tgz' integ-test: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 15 strategy: @@ -92,7 +92,7 @@ jobs: run: npx vitest run --project integ --shard=${{ matrix.shard }} unit-test: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 15 strategy: @@ -131,7 +131,7 @@ jobs: merge-reports: needs: unit-test - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} if: always() steps: @@ -157,7 +157,7 @@ jobs: coverage: needs: merge-reports - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} if: github.event_name == 'pull_request' permissions: contents: read diff --git a/.github/workflows/canary.yml b/.github/workflows/canary.yml index e6dea289b..afe271fe7 100644 --- a/.github/workflows/canary.yml +++ b/.github/workflows/canary.yml @@ -28,7 +28,7 @@ env: jobs: canary: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: e2e-testing timeout-minutes: 30 strategy: diff --git a/.github/workflows/ci-failure-issue.yml b/.github/workflows/ci-failure-issue.yml index d56791cb3..00b4ab1a8 100644 --- a/.github/workflows/ci-failure-issue.yml +++ b/.github/workflows/ci-failure-issue.yml @@ -13,7 +13,7 @@ on: jobs: create-issue: concurrency: ci-failure-issue-${{ github.event.workflow_run.name }} - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 5 if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.head_branch == 'main' }} permissions: diff --git a/.github/workflows/cleanup-pr-tarballs.yml b/.github/workflows/cleanup-pr-tarballs.yml index 93572f737..ce043d9d0 100644 --- a/.github/workflows/cleanup-pr-tarballs.yml +++ b/.github/workflows/cleanup-pr-tarballs.yml @@ -11,7 +11,7 @@ permissions: jobs: cleanup: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Generate GitHub App Token diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0e4c30351..b3da74a68 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -16,7 +16,7 @@ concurrency: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 15 permissions: actions: read diff --git a/.github/workflows/e2e-tests-full.yml b/.github/workflows/e2e-tests-full.yml index 8a168fd8e..9129f5be1 100644 --- a/.github/workflows/e2e-tests-full.yml +++ b/.github/workflows/e2e-tests-full.yml @@ -24,7 +24,7 @@ permissions: jobs: e2e: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: e2e-testing timeout-minutes: 60 strategy: @@ -111,7 +111,7 @@ jobs: CDP_WALLET_SECRET: ${{ env.E2E_CDP_WALLET_SECRET }} run: npx vitest run --project e2e --shard=${{ matrix.shard }} browser-tests: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: e2e-testing timeout-minutes: 30 steps: diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml index 2c005c0c5..12f26a4a1 100644 --- a/.github/workflows/e2e-tests.yml +++ b/.github/workflows/e2e-tests.yml @@ -40,7 +40,7 @@ permissions: jobs: authorize: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} if: github.event_name == 'workflow_dispatch' || github.event_name == 'pull_request_target' outputs: is_authorized: ${{ steps.check.outputs.is_authorized }} diff --git a/.github/workflows/github-slack-notifications.yml b/.github/workflows/github-slack-notifications.yml index 54e16d818..0beee2f59 100644 --- a/.github/workflows/github-slack-notifications.yml +++ b/.github/workflows/github-slack-notifications.yml @@ -18,7 +18,7 @@ on: jobs: notify-issue-opened: if: github.event_name == 'issues' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} permissions: {} steps: - name: Send issue details to Slack @@ -67,7 +67,7 @@ jobs: if: >- github.event_name == 'issue_comment' && github.event.issue.pull_request != null && github.event.issue.state == 'closed' && github.event.comment.user.type != 'Bot' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} permissions: pull-requests: write issues: read diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 13d73495e..9a0b3b625 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -16,7 +16,7 @@ concurrency: jobs: setup: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 - name: Setup Node.js @@ -33,7 +33,7 @@ jobs: format: needs: setup - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 - uses: actions/setup-node@v6 @@ -47,7 +47,7 @@ jobs: lint: needs: setup - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 - uses: actions/setup-node@v6 @@ -61,7 +61,7 @@ jobs: security: needs: setup - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 - uses: actions/setup-node@v6 @@ -75,7 +75,7 @@ jobs: secrets: needs: setup - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 - uses: actions/setup-node@v6 @@ -89,7 +89,7 @@ jobs: typecheck: needs: setup - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 - uses: actions/setup-node@v6 @@ -103,7 +103,7 @@ jobs: schema-check: if: ${{ !contains(github.event.pull_request.labels.*.name, 'release') }} - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 with: diff --git a/.github/workflows/pr-ai-review.yml b/.github/workflows/pr-ai-review.yml index db37f5f15..28737eb17 100644 --- a/.github/workflows/pr-ai-review.yml +++ b/.github/workflows/pr-ai-review.yml @@ -17,7 +17,7 @@ permissions: jobs: authorize: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} # explicitly require the PR to be open to avoid old events triggering a review on closed PRs: https://github.com/aws/agentcore-cli/issues/1463 if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request_target' && @@ -71,7 +71,7 @@ jobs: ai-review: needs: authorize if: needs.authorize.outputs.authorized == 'true' || github.event_name == 'workflow_dispatch' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Determine PR URL id: pr-url diff --git a/.github/workflows/pr-security-review.yml b/.github/workflows/pr-security-review.yml index bac101a83..6807c0249 100644 --- a/.github/workflows/pr-security-review.yml +++ b/.github/workflows/pr-security-review.yml @@ -43,7 +43,7 @@ concurrency: jobs: authorize: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} # On 'labeled' events, only proceed when the label is exactly 'safe-to-review'. # Other labels (e.g. size/m) are filtered out so we don't spawn API calls. if: | @@ -91,7 +91,7 @@ jobs: review: needs: authorize if: needs.authorize.outputs.authorized == 'true' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 30 env: AWS_REGION: us-west-2 diff --git a/.github/workflows/pr-size.yml b/.github/workflows/pr-size.yml index 2f3e588e3..2c8e59063 100644 --- a/.github/workflows/pr-size.yml +++ b/.github/workflows/pr-size.yml @@ -8,7 +8,7 @@ on: jobs: label-size: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} permissions: pull-requests: write steps: diff --git a/.github/workflows/pr-tarball.yml b/.github/workflows/pr-tarball.yml index 5221b7884..f53981a9c 100644 --- a/.github/workflows/pr-tarball.yml +++ b/.github/workflows/pr-tarball.yml @@ -9,7 +9,7 @@ permissions: jobs: authorize: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} outputs: is_authorized: ${{ steps.check.outputs.is_authorized }} steps: @@ -30,7 +30,7 @@ jobs: pr-tarball: needs: authorize if: needs.authorize.outputs.is_authorized == 'true' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 with: diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 873becbd3..eb2bb34e7 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -10,7 +10,7 @@ permissions: jobs: validate-pr-title: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} permissions: pull-requests: read steps: diff --git a/.github/workflows/prerelease-tarball.yml b/.github/workflows/prerelease-tarball.yml index 9aa185fbe..1664eb5d4 100644 --- a/.github/workflows/prerelease-tarball.yml +++ b/.github/workflows/prerelease-tarball.yml @@ -15,7 +15,7 @@ concurrency: jobs: prerelease-tarball: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 15 env: TARBALL_BASE: agentcore-cli-prerelease diff --git a/.github/workflows/publish-api-docs.yml b/.github/workflows/publish-api-docs.yml index e54e45cc9..4a2e5da42 100644 --- a/.github/workflows/publish-api-docs.yml +++ b/.github/workflows/publish-api-docs.yml @@ -27,7 +27,7 @@ env: jobs: generate: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Checkout uses: actions/checkout@v7 diff --git a/.github/workflows/release-main-and-preview.yml b/.github/workflows/release-main-and-preview.yml index efa65f926..63358bb38 100644 --- a/.github/workflows/release-main-and-preview.yml +++ b/.github/workflows/release-main-and-preview.yml @@ -54,7 +54,7 @@ jobs: # ═══════════════════════════════════════════════════════════════════ prepare-release: name: Prepare Release - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} outputs: main_version: ${{ steps.bump-main.outputs.version || steps.current-main.outputs.version }} preview_version: ${{ steps.bump-preview.outputs.version }} @@ -216,7 +216,7 @@ jobs: release-approval: name: Release Approval needs: [prepare-release] - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: name: npm-publish-approval steps: @@ -242,7 +242,7 @@ jobs: name: Verify PR Merged needs: [prepare-release, release-approval] if: ${{ !inputs.dry_run }} - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Checkout uses: actions/checkout@v7 @@ -284,7 +284,7 @@ jobs: name: Publish Main (@latest) needs: [prepare-release, verify-merge] if: inputs.release_target != 'preview-only' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: name: npm-publish url: https://www.npmjs.com/package/@aws/agentcore @@ -341,7 +341,7 @@ jobs: name: Publish Preview (@preview) needs: [prepare-release, verify-merge] if: inputs.release_target != 'main-only' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: name: npm-publish url: https://www.npmjs.com/package/@aws/agentcore @@ -412,7 +412,7 @@ jobs: name: Release Summary needs: [prepare-release, publish-main, publish-preview] if: always() && !cancelled() - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Summary env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3d9387abd..2187e2d08 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,7 +29,7 @@ permissions: jobs: prepare-release: name: Prepare Release - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} outputs: version: ${{ steps.bump.outputs.version }} branch: ${{ steps.bump.outputs.branch }} @@ -211,7 +211,7 @@ jobs: test-and-build: name: Test and Build needs: prepare-release - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - uses: actions/checkout@v7 @@ -276,7 +276,7 @@ jobs: release-approval: name: Release Approval needs: test-and-build - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: name: npm-publish-approval @@ -298,7 +298,7 @@ jobs: publish-npm: name: Publish to npm needs: [prepare-release, release-approval] - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} environment: name: npm-publish url: https://www.npmjs.com/package/@aws/agentcore diff --git a/.github/workflows/slack-open-prs-notification.yml b/.github/workflows/slack-open-prs-notification.yml index be684d4b3..208412b65 100644 --- a/.github/workflows/slack-open-prs-notification.yml +++ b/.github/workflows/slack-open-prs-notification.yml @@ -10,7 +10,7 @@ permissions: jobs: notify-slack: - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Get open PRs id: open-prs diff --git a/.github/workflows/strands-command.yml b/.github/workflows/strands-command.yml index 4837560bb..b76ea3eab 100644 --- a/.github/workflows/strands-command.yml +++ b/.github/workflows/strands-command.yml @@ -31,7 +31,7 @@ permissions: jobs: strands-agent: if: startsWith(github.event.comment.body, '/strands') || github.event_name == 'workflow_dispatch' - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Check authorization uses: actions/github-script@v9 From e9261addb58095e083cca0652ad48db2a4a12882 Mon Sep 17 00:00:00 2001 From: notgitika Date: Wed, 8 Jul 2026 16:53:15 -0400 Subject: [PATCH 2/5] ci: keep CodeQL on GitHub-hosted runner (OOMs on CodeBuild small) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CodeQL query evaluation ran out of Java heap on the CodeBuild general1.small runner (3 GB cgroup limit; 'CodeQL is out of memory. Try running CodeQL on a larger runner'). CodeQL makes no AWS/service calls, so it has no WAF exposure and gains nothing from CodeBuild — revert this one workflow to ubuntu-latest. All other workflows stay on CodeBuild. --- .github/workflows/codeql.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b3da74a68..82c641148 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -16,7 +16,10 @@ concurrency: jobs: analyze: name: Analyze - runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} + # Stays on a GitHub-hosted runner: CodeQL's query evaluation OOMs on the + # CodeBuild general1.small runner (3 GB; CodeQL needs more). CodeQL does no + # AWS/service calls, so it has no WAF exposure and gains nothing from CodeBuild. + runs-on: ubuntu-latest timeout-minutes: 15 permissions: actions: read From e6d6f6367ae619e98914774a3029e1b2d8539214 Mon Sep 17 00:00:00 2001 From: notgitika Date: Wed, 8 Jul 2026 17:00:20 -0400 Subject: [PATCH 3/5] ci: move CodeQL back to CodeBuild runner Now that agentcore-e2e is general1.medium (7 GB, up from the 3 GB small that OOMed), retry CodeQL on the CodeBuild runner. Reverts the temporary ubuntu-latest pin; if CodeQL still OOMs at 7 GB we'll bump to large or re-pin. --- .github/workflows/codeql.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 82c641148..b3da74a68 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -16,10 +16,7 @@ concurrency: jobs: analyze: name: Analyze - # Stays on a GitHub-hosted runner: CodeQL's query evaluation OOMs on the - # CodeBuild general1.small runner (3 GB; CodeQL needs more). CodeQL does no - # AWS/service calls, so it has no WAF exposure and gains nothing from CodeBuild. - runs-on: ubuntu-latest + runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} timeout-minutes: 15 permissions: actions: read From 7ca14b645c2658ad41d04b3e4f9658fae7188466 Mon Sep 17 00:00:00 2001 From: notgitika Date: Wed, 8 Jul 2026 17:33:53 -0400 Subject: [PATCH 4/5] ci: keep ci-failure-issue on GitHub-hosted runner (alarm independence) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per review: ci-failure-issue.yml opens a GitHub issue when main CI fails. Running it on the same CodeBuild runner it may need to report on creates a monitoring blind spot — if CodeBuild is unhealthy (webhook drift, quota exhaustion, broken image) the alarm couldn't start either and the failure is silently swallowed. It's GitHub-API-only (no AWS calls), so it gains nothing from CodeBuild. Keep it on ubuntu-latest for independence. --- .github/workflows/ci-failure-issue.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-failure-issue.yml b/.github/workflows/ci-failure-issue.yml index 00b4ab1a8..c75a1b0a5 100644 --- a/.github/workflows/ci-failure-issue.yml +++ b/.github/workflows/ci-failure-issue.yml @@ -13,7 +13,13 @@ on: jobs: create-issue: concurrency: ci-failure-issue-${{ github.event.workflow_run.name }} - runs-on: codebuild-agentcore-e2e-${{ github.run_id }}-${{ github.run_attempt }} + # Stays on a GitHub-hosted runner on purpose: this workflow is the alarm that + # opens an issue when main CI fails, so it must not depend on the CodeBuild + # runner it may need to report on. If CodeBuild is unhealthy (webhook drift, + # quota exhaustion, broken image), a CodeBuild-hosted alarm couldn't start + # either and the failure would be silently swallowed. It's GitHub-API-only + # (no AWS calls), so it gains nothing from running inside the AWS network. + runs-on: ubuntu-latest timeout-minutes: 5 if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.workflow_run.head_branch == 'main' }} permissions: From 64e879e283f460bf008856b6b8247a445d4eb778 Mon Sep 17 00:00:00 2001 From: notgitika Date: Wed, 8 Jul 2026 18:43:57 -0400 Subject: [PATCH 5/5] ci: normalize vitest blob paths before merge (fixes merge-reports on CodeBuild) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Vitest blob reports store absolute test-file paths tied to the runner's working directory. On GitHub-hosted runners every job shares /home/runner/work/agentcore-cli/agentcore-cli, so merge-reports resolves the shard blobs fine. On CodeBuild-hosted runners each job gets a unique /codebuild/output/src/... directory, so the merge job cannot find the shard-recorded paths and vitest exits 'No test files found, exiting with code 1' — deterministically red on CodeBuild, green on ubuntu-latest. Add a normalization step that rewrites each shard blob's recorded repo root to the merge job's own workspace before merging. The regex is anchored to the CodeBuild src path so it cannot touch test titles or other blob content, and is a no-op on GitHub-hosted runners. Verified locally: a blob with a mismatched /codebuild/... path reproduces 'No test files found' (exit 1); after normalization the same merge passes (97 tests). --- .github/workflows/build-and-test.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 58c0e4d0c..3731a5250 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -147,6 +147,32 @@ jobs: pattern: blob-20.x-* merge-multiple: true path: .vitest-reports/ + - name: Normalize blob report paths + # Vitest blob reports store absolute test-file paths tied to the runner's + # working directory. On GitHub-hosted runners every job shares + # /home/runner/work/agentcore-cli/agentcore-cli, so the merge resolves fine. + # On CodeBuild-hosted runners each job gets a unique + # /codebuild/output/src/... dir, so the merge job can't find the + # shard-recorded paths and vitest exits with "No test files found". + # Rewrite each shard's recorded repo root to this job's workspace before + # merging. The regex is anchored to the CodeBuild src path so it can't + # touch test titles or other blob content; it is a no-op on GitHub runners. + run: | + node -e ' + const fs = require("node:fs"); + const dir = ".vitest-reports"; + const cwd = process.cwd(); + const re = /\/codebuild\/output\/src[0-9]+\/src\/actions-runner\/_work\/agentcore-cli\/agentcore-cli/g; + for (const f of fs.readdirSync(dir)) { + const p = `${dir}/${f}`; + const before = fs.readFileSync(p, "utf8"); + const after = before.replace(re, () => cwd); + if (after !== before) { + fs.writeFileSync(p, after); + console.log(`normalized paths in ${f}`); + } + } + ' - name: Merge reports run: npx vitest --mergeReports=.vitest-reports/ --project unit --coverage - name: Upload coverage artifact