@cloudsnorkel/cdk-github-runners 0.0.14 → 0.2.0

package/API.md

@@ -322,6 +322,7 @@ Any object.
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunner.property.container">container</a></code> | <code>aws-cdk-lib.aws_ecs.ContainerDefinition</code> | Container definition hosting the runner. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunner.property.grantPrincipal">grantPrincipal</a></code> | <code>aws-cdk-lib.aws_iam.IPrincipal</code> | Grant principal used to add permissions to the runner role. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunner.property.label">label</a></code> | <code>string</code> | Label associated with this provider. |
+| <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunner.property.spot">spot</a></code> | <code>boolean</code> | Use spot pricing for Fargate tasks. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunner.property.task">task</a></code> | <code>aws-cdk-lib.aws_ecs.FargateTaskDefinition</code> | Fargate task hosting the runner. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunner.property.securityGroup">securityGroup</a></code> | <code>aws-cdk-lib.aws_ec2.ISecurityGroup</code> | Security group attached to the task. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunner.property.vpc">vpc</a></code> | <code>aws-cdk-lib.aws_ec2.IVpc</code> | VPC used for hosting the task. |
@@ -412,6 +413,18 @@ Label associated with this provider.
 
 ---
 
+##### `spot`<sup>Required</sup> <a name="spot" id="@cloudsnorkel/cdk-github-runners.FargateRunner.property.spot"></a>
+
+```typescript
+public readonly spot: boolean;
+```
+
+- *Type:* boolean
+
+Use spot pricing for Fargate tasks.
+
+---
+
 ##### `task`<sup>Required</sup> <a name="task" id="@cloudsnorkel/cdk-github-runners.FargateRunner.property.task"></a>
 
 ```typescript
@@ -488,7 +501,6 @@ new GitHubRunners(
    'runners',
    {
      providers: [myProvider],
-     defaultProviderLabel: 'my-codebuild',
    }
 );
 ```
@@ -574,7 +586,6 @@ Any object.
 | **Name** | **Type** | **Description** |
 | --- | --- | --- |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunners.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
-| <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunners.property.defaultProvider">defaultProvider</a></code> | <code><a href="#@cloudsnorkel/cdk-github-runners.IRunnerProvider">IRunnerProvider</a></code> | Default provider as set by {@link GitHubRunnersProps.defaultProviderLabel}. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunners.property.props">props</a></code> | <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunnersProps">GitHubRunnersProps</a></code> | *No description.* |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunners.property.providers">providers</a></code> | <code><a href="#@cloudsnorkel/cdk-github-runners.IRunnerProvider">IRunnerProvider</a>[]</code> | Configured runner providers. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunners.property.secrets">secrets</a></code> | <code><a href="#@cloudsnorkel/cdk-github-runners.Secrets">Secrets</a></code> | Secrets for GitHub communication including webhook secret and runner authentication. |
@@ -593,18 +604,6 @@ The tree node.
 
 ---
 
-##### `defaultProvider`<sup>Required</sup> <a name="defaultProvider" id="@cloudsnorkel/cdk-github-runners.GitHubRunners.property.defaultProvider"></a>
-
-```typescript
-public readonly defaultProvider: IRunnerProvider;
-```
-
-- *Type:* <a href="#@cloudsnorkel/cdk-github-runners.IRunnerProvider">IRunnerProvider</a>
-
-Default provider as set by {@link GitHubRunnersProps.defaultProviderLabel}.
-
----
-
 ##### `props`<sup>Required</sup> <a name="props" id="@cloudsnorkel/cdk-github-runners.GitHubRunners.property.props"></a>
 
 ```typescript
@@ -924,6 +923,7 @@ Any object.
 | <code><a href="#@cloudsnorkel/cdk-github-runners.Secrets.property.node">node</a></code> | <code>constructs.Node</code> | The tree node. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.Secrets.property.github">github</a></code> | <code>aws-cdk-lib.aws_secretsmanager.Secret</code> | Authentication secret for GitHub containing either app details or personal authentication token. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.Secrets.property.githubPrivateKey">githubPrivateKey</a></code> | <code>aws-cdk-lib.aws_secretsmanager.Secret</code> | GitHub app private key. Not needed when using personal authentication tokens. |
+| <code><a href="#@cloudsnorkel/cdk-github-runners.Secrets.property.setup">setup</a></code> | <code>aws-cdk-lib.aws_secretsmanager.Secret</code> | Setup secret used to authenticate user for our setup wizard. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.Secrets.property.webhook">webhook</a></code> | <code>aws-cdk-lib.aws_secretsmanager.Secret</code> | Webhook secret used to confirm events are coming from GitHub and nowhere else. |
 
 ---
@@ -967,7 +967,21 @@ public readonly githubPrivateKey: Secret;
 
 GitHub app private key. Not needed when using personal authentication tokens.
 
-This secret is meant to be edited by the user after being created.
+This secret is meant to be edited by the user after being created. It is separate than the main GitHub secret because inserting private keys into JSON is hard.
+
+---
+
+##### `setup`<sup>Required</sup> <a name="setup" id="@cloudsnorkel/cdk-github-runners.Secrets.property.setup"></a>
+
+```typescript
+public readonly setup: Secret;
+```
+
+- *Type:* aws-cdk-lib.aws_secretsmanager.Secret
+
+Setup secret used to authenticate user for our setup wizard.
+
+Should be empty after setup has been completed.
 
 ---
 
@@ -1149,6 +1163,7 @@ const fargateRunnerProps: FargateRunnerProps = { ... }
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunnerProps.property.label">label</a></code> | <code>string</code> | GitHub Actions label used for this provider. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunnerProps.property.memoryLimitMiB">memoryLimitMiB</a></code> | <code>number</code> | The amount (in MiB) of memory used by the task. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunnerProps.property.securityGroup">securityGroup</a></code> | <code>aws-cdk-lib.aws_ec2.ISecurityGroup</code> | Security Group to assign to the task. |
+| <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunnerProps.property.spot">spot</a></code> | <code>boolean</code> | Use Fargate spot capacity provider to save money. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.FargateRunnerProps.property.vpc">vpc</a></code> | <code>aws-cdk-lib.aws_ec2.IVpc</code> | VPC to launch the runners in. |
 
 ---
@@ -1307,6 +1322,22 @@ Security Group to assign to the task.
 
 ---
 
+##### `spot`<sup>Optional</sup> <a name="spot" id="@cloudsnorkel/cdk-github-runners.FargateRunnerProps.property.spot"></a>
+
+```typescript
+public readonly spot: boolean;
+```
+
+- *Type:* boolean
+- *Default:* false
+
+Use Fargate spot capacity provider to save money.
+
+* Runners may fail to start due to missing capacity.
+* Runners might be stopped prematurely with spot pricing.
+
+---
+
 ##### `vpc`<sup>Optional</sup> <a name="vpc" id="@cloudsnorkel/cdk-github-runners.FargateRunnerProps.property.vpc"></a>
 
 ```typescript
@@ -1336,26 +1367,10 @@ const gitHubRunnersProps: GitHubRunnersProps = { ... }
 
 | **Name** | **Type** | **Description** |
 | --- | --- | --- |
-| <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunnersProps.property.defaultProviderLabel">defaultProviderLabel</a></code> | <code>string</code> | Label of default provider in case the workflow job doesn't specify any known label. |
 | <code><a href="#@cloudsnorkel/cdk-github-runners.GitHubRunnersProps.property.providers">providers</a></code> | <code><a href="#@cloudsnorkel/cdk-github-runners.IRunnerProvider">IRunnerProvider</a>[]</code> | List of runner providers to use. |
 
 ---
 
-##### `defaultProviderLabel`<sup>Optional</sup> <a name="defaultProviderLabel" id="@cloudsnorkel/cdk-github-runners.GitHubRunnersProps.property.defaultProviderLabel"></a>
-
-```typescript
-public readonly defaultProviderLabel: string;
-```
-
-- *Type:* string
-- *Default:* 'codebuild'
-
-Label of default provider in case the workflow job doesn't specify any known label.
-
-A provider with that label must be configured.
-
----
-
 ##### `providers`<sup>Optional</sup> <a name="providers" id="@cloudsnorkel/cdk-github-runners.GitHubRunnersProps.property.providers"></a>
 
 ```typescript

package/README.md

@@ -10,32 +10,36 @@
 
 Use this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.
 
-* Easy to configure GitHub integration
+* Easy to configure GitHub integration with a web-based interface
 * Customizable runners with decent defaults
-* Supports multiple runner configurations controlled by labels
+* Multiple runner configurations controlled by labels
 * Everything fully hosted in your account
 
 Self-hosted runners in AWS are useful when:
 
 * You need easy access to internal resources in your actions
 * You want to pre-install some software for your actions
-* You want to provide some basic AWS API access ([aws-actions/configure-aws-credentials][2] has more security controls)
+* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)
 
-Ephemeral runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.
+Ephemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.
 
 ## API
 
-Documentation of available constructs and their interface is available on [Constructs Hub][13] in all supported programming languages.
+The best way to browse API documentation is on [Constructs Hub][13]. It is available in all supported programming languages.
 
 ## Providers
 
 A runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.
 
-| Provider  | Time limit               | vCPUs                    | RAM                               | Storage                      | sudo | Docker |
-|-----------|--------------------------|--------------------------|-----------------------------------|------------------------------|------|--------|
-| CodeBuild | 8 hours (default 1 hour) | 2 (default), 4, 8, or 72 | 3gb (default), 7gb, 15gb or 145gb | 50gb to 824gb (default 64gb) | ✔    | ✔     |
-| Fargate   | Unlimited                | 0.25 to 4 (default 1)    | 512mb to 30gb (default 2gb)       | 20gb to 200gb (default 25gb) | ✔    | ❌    |
-| Lambda    | 15 minutes               | 1 to 6 (default 2)       | 128mb to 10gb (default 2gb)       | Up to 10gb (default 10gb)    | ❌    | ❌     |
+|                | CodeBuild                | Fargate       | Lambda        |
+|----------------|--------------------------|---------------|---------------|
+| **Time limit** | 8 hours                  | Unlimited     | 15 minutes    |
+| **vCPUs**      | 2, 4, 8, or 72           | 0.25 to 4     | 1 to 6        |
+| **RAM**        | 3gb, 7gb, 15gb, or 145gb | 512mb to 30gb | 128mb to 10gb |
+| **Storage**    | 50gb to 824gb            | 20gb to 200gb | Up to 10gb    |
+| **sudo**       | ✔                        | ✔             | ❌             |
+| **Docker**     | ✔                        | ❌             | ❌             |
+| **Spot**       | ❌                        | ✔             | ❌             |
 
 The best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.
 
@@ -72,14 +76,16 @@ You can also create your own provider by implementing `IRunnerProvider`.
 4. Deploy your stack
 5. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`
 6. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file
-7. [Setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token
+7. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token
 8. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK
 9. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, linux, codebuild]` or similar
 10. If the action is not successful, see [troubleshooting](#Troubleshooting)
 
+[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)
+
 ## Customizing
 
-The default providers configured by [`GitHubRunners`](https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/v/0.0.11/api/GitHubRunners?lang=typescript) are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.
+The default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.
 
 For example:
 
@@ -124,7 +130,6 @@ new GitHubRunners(
   'runners',
   {
     providers: [myProvider],
-    defaultProviderLabel: 'my-codebuild',
   }
 );
 
@@ -140,8 +145,9 @@ app.synth();
 1. Always start with the status function, make sure no errors are reported, and confirm all status codes are OK
 2. Confirm the webhook Lambda was called by visiting the URL in `troubleshooting.webhookHandlerUrl` from `status.json`
    1. If it's not called or logs errors, confirm the webhook settings on the GitHub side
-   2. If you see too many errors, make sure you're only sending `workflow_job` events 
-3. Check execution details of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`
+   2. If you see too many errors, make sure you're only sending `workflow_job` events
+3. When using GitHub app, make sure there are active installation in `github.auth.app.installations`
+4. Check execution details of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`
    1. Use the details tab to find the specific execution of the provider (Lambda, CodeBuild, Fargate, etc.)
    2. Every step function execution should be successful, even if the runner action inside it failed
 

package/SETUP_GITHUB.md

@@ -1,9 +1,23 @@
 # Setup GitHub
 
-Integration with GitHub can be done using an [app][9] or [personal access token][10]. Using an app allows more fine-grained access control. Personal access tokens are easier to set up but belong to a user instead of an organization.
+Integration with GitHub can be done using an [app](#app-authentication) or [personal access token](#personal-access-token). Using an app allows more fine-grained access control. Using an app is easier with the setup wizard.
 
 ## App Authentication
 
+### Setup Wizard
+
+1. Open the URL in `github.setup.url` from `status.json`
+2. If you want to create an app for your personal repositories, click the Create button under New Personal App
+3. If you want to create an app for your organization:
+   1. Find the New Organization App section
+   2. Type in the organization name in organization slug (ORGANIZATION from https://github.com/ORGANIZATION/REPO)
+   3. Click the Create button
+4. Follow the instructions on GitHub
+5. When brought back to the setup wizard, click the install link
+6. Install the new app on your desired repositories
+
+### Manually
+
 1. Decide if you want to create a personal app or an organization app
     1. For a personal app use https://github.com/settings/apps/new
     2. For an organization app use https://github.com/organizations/MY_ORG/settings/apps/new after replacing `MY_ORG` with your GitHub organization name
@@ -18,19 +32,11 @@ Integration with GitHub can be done using an [app][9] or [personal access token]
     1. Workflow job
 6. Under "Where can this GitHub App be installed?" select "Only on this account"
 7. Click the Create button
-8. From the new app page:
-    1. Write down the app id and client id
-    2. Click generate new client secret and write it down
-    3. Generate a private key and save the downloaded key
-9. On the top left go to Install App page and:
-    1. Install the app on the desired account or organization
-    2. Copy the installation id number from the URL and write it down (e.g. if the URL is https://github.com/settings/installations/123456, your installation id is 123456)
+8. From the new app page generate a private key and save the downloaded key
+9. On the top left go to Install App page and install the app on the desired account or organization
 10. Open the URL in `github.auth.secretUrl` from `status.json` and edit the secret value
     1. If you're using a self-hosted GitHub instance, put its domain in `domain` (e.g. `github.mycompany.com`)
     2. Put the new application id in `appId` (e.g. `34789562`)
-    3. Put the client id in `clientId` (e.g. `Iv1.0beef123456`)
-    4. Put the client secret in `clientSecret` (e.g. `4e2b66fab69065001500697b0d751beb033a3deb`)
-    5. Put the installation id you copied from the URL in `installationId` (e.g. `123456`)
     6. Ignore/delete `dummy` and **leave `personalAuthToken` empty**
 11. Open the URL in `github.auth.privateKeySecretUrl` from `status.json` and edit the secret value
     1. Open the downloaded private key with any text editor
@@ -38,21 +44,44 @@ Integration with GitHub can be done using an [app][9] or [personal access token]
 
 ## Personal Access Token
 
-1. Create a new token
-    1. Go to https://github.com/settings/tokens/new
-    2. Choose your expiration date (you will need to replace the token if it expires)
-    3. Under scopes select `repo`
-    4. Copy the generated token
-2. Open the URL in `github.auth.secretUrl` from `status.json` and edit the secret value
-    1. If you're using a self-hosted GitHub instance, put its domain in `domain` (e.g. `github.mycompany.com`)
-    2. Put the generated token in `personalAuthToken`
-    3. Ignore all other values
-3. Create a webhook
-    1. For organizations go to https://github.com/organizations/MY_ORG/settings/hooks after replacing `MY_ORG` with your GitHub organization name
-    2. For enterprise go to https://github.com/enterprises/MY_ENTERPRISE/settings/hooks after replacing `MY_ENTERPRISE` with your GitHub enterprise name
-    3. Otherwise, you can create one per repository in your repository settings under Webhooks
-    4. Configure the webhook:
-        1. For Webhook URL use the value of `github.webhook.url` from `status.json`
-        2. Open the URL in `github.webhook.secretUrl` from `status.json`, retrieve the secret value, and use it for webhook secret
-        3. Make sure content type is set to JSON
-        4. Select individual jobs and select only Workflow jobs
+### Create Token
+
+1. Go to https://github.com/settings/tokens/new
+2. Choose your expiration date (you will need to replace the token if it expires)
+3. Under scopes select `repo`
+4. Copy the generated token
+
+### Set Token
+
+#### Setup Wizard
+
+1. Open the URL in `github.setup.url` from `status.json`
+2. Enter your personal access token under Using Personal Access Token
+3. Click the Set button
+
+#### Manually
+
+1. Open the URL in `github.auth.secretUrl` from `status.json` and edit the secret value
+2. If you're using a self-hosted GitHub instance, put its domain in `domain` (e.g. `github.mycompany.com`)
+3. Put the generated token in `personalAuthToken`
+4. Ignore all other values
+
+### Setup Webhook
+
+1. For organizations go to https://github.com/organizations/MY_ORG/settings/hooks after replacing `MY_ORG` with your GitHub organization name
+2. For enterprise go to https://github.com/enterprises/MY_ENTERPRISE/settings/hooks after replacing `MY_ENTERPRISE` with your GitHub enterprise name
+3. Otherwise, you can create one per repository in your repository settings under Webhooks
+4. Configure the webhook:
+    1. For Webhook URL use the value of `github.webhook.url` from `status.json`
+    2. Open the URL in `github.webhook.secretUrl` from `status.json`, retrieve the secret value, and use it for webhook secret
+    3. Make sure content type is set to JSON
+    4. Select individual jobs and select only Workflow jobs
+
+## Resetting Setup Wizard
+
+If the setup wizard tells you setup has already been completed or if `github.setup.status` is completed, or if `github.setup.url` is empty:
+
+1. Open the URL in `github.setup.secretUrl` from `status.json`
+2. Edit the secret
+3. Put a new random value in `token`
+4. Run status function again to get the new URL

package/lib/index.d.ts

@@ -4,4 +4,3 @@ export { CodeBuildRunner, CodeBuildRunnerProps } from './providers/codebuild';
 export { LambdaRunner, LambdaRunnerProps } from './providers/lambda';
 export { FargateRunner, FargateRunnerProps } from './providers/fargate';
 export { IRunnerProvider, RunnerProviderProps, RunnerVersion, RunnerRuntimeParameters } from './providers/common';
-//# sourceMappingURL=index.d.ts.map

package/lib/lambdas/delete-runner/index.js

@@ -1,3 +1,4 @@
+"use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -12509,33 +12510,42 @@ var require_dist_node15 = __commonJS({
 // src/lambdas/github.ts
 var import_auth_app = __toESM(require_dist_node12());
 var import_core = __toESM(require_dist_node15());
+
+// src/lambdas/helpers.ts
 var AWS = __toESM(require("aws-sdk"));
 var sm = new AWS.SecretsManager();
+async function getSecretValue(arn) {
+  if (!arn) {
+    throw new Error("Missing secret ARN");
+  }
+  const secret = await sm.getSecretValue({ SecretId: arn }).promise();
+  if (!secret.SecretString) {
+    throw new Error(`No SecretString in ${arn}`);
+  }
+  return secret.SecretString;
+}
+async function getSecretJsonValue(arn) {
+  return JSON.parse(await getSecretValue(arn));
+}
+
+// src/lambdas/github.ts
 function baseUrlFromDomain(domain) {
   if (domain == "github.com") {
     return "https://api.github.com";
   }
   return `https://${domain}/api/v3`;
 }
-async function getOctokit() {
+async function getOctokit(installationId) {
   if (!process.env.GITHUB_SECRET_ARN || !process.env.GITHUB_PRIVATE_KEY_SECRET_ARN) {
     throw new Error("Missing environment variables");
   }
-  const secret = await sm.getSecretValue({
-    SecretId: process.env.GITHUB_SECRET_ARN
-  }).promise();
-  if (!secret.SecretString) {
-    throw new Error(`No secret string in ${process.env.GITHUB_SECRET_ARN}`);
-  }
-  const githubSecrets = JSON.parse(secret.SecretString);
+  const githubSecrets = await getSecretJsonValue(process.env.GITHUB_SECRET_ARN);
   let baseUrl = baseUrlFromDomain(githubSecrets.domain);
   let token;
   if (githubSecrets.personalAuthToken) {
     token = githubSecrets.personalAuthToken;
   } else {
-    const privateKey = (await sm.getSecretValue({
-      SecretId: process.env.GITHUB_PRIVATE_KEY_SECRET_ARN
-    }).promise()).SecretString;
+    const privateKey = await getSecretValue(process.env.GITHUB_PRIVATE_KEY_SECRET_ARN);
     const appOctokit = new import_core.Octokit({
       baseUrl,
       authStrategy: import_auth_app.createAppAuth,
@@ -12546,7 +12556,7 @@ async function getOctokit() {
     });
     token = (await appOctokit.auth({
       type: "installation",
-      installationId: githubSecrets.installationId
+      installationId
     })).token;
   }
   const octokit = new import_core.Octokit({
@@ -12580,12 +12590,16 @@ async function getRunnerId(octokit, owner, repo, name) {
   }
 }
 exports.handler = async function(event) {
-  const { octokit } = await getOctokit();
-  await octokit.request("POST /repos/{owner}/{repo}/actions/runs/{runId}/cancel", {
-    owner: event.owner,
-    repo: event.repo,
-    runId: event.runId
-  });
+  const { octokit } = await getOctokit(event.installationId);
+  try {
+    await octokit.request("POST /repos/{owner}/{repo}/actions/runs/{runId}/cancel", {
+      owner: event.owner,
+      repo: event.repo,
+      runId: event.runId
+    });
+  } catch (e) {
+    console.error(`Unable to cancel workflow: ${e}`);
+  }
   const runnerId = await getRunnerId(octokit, event.owner, event.repo, event.runnerName);
   if (!runnerId) {
     console.error(`Unable to find runner id for ${event.owner}/${event.repo}:${event.runnerName}`);