@cloudsnorkel/cdk-github-runners 0.1.0 → 0.3.0

package/README.md

@@ -10,32 +10,37 @@
 
 Use this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.
 
-* Easy to configure GitHub integration
+* Easy to configure GitHub integration with a web-based interface
 * Customizable runners with decent defaults
-* Supports multiple runner configurations controlled by labels
+* Multiple runner configurations controlled by labels
 * Everything fully hosted in your account
 
 Self-hosted runners in AWS are useful when:
 
 * You need easy access to internal resources in your actions
 * You want to pre-install some software for your actions
-* You want to provide some basic AWS API access ([aws-actions/configure-aws-credentials][2] has more security controls)
+* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)
 
-Ephemeral runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.
+Ephemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.
 
 ## API
 
-Documentation of available constructs and their interface is available on [Constructs Hub][13] in all supported programming languages.
+The best way to browse API documentation is on [Constructs Hub][13]. It is available in all supported programming languages.
 
 ## Providers
 
 A runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.
 
-| Provider  | Time limit               | vCPUs                    | RAM                               | Storage                      | sudo | Docker |
-|-----------|--------------------------|--------------------------|-----------------------------------|------------------------------|------|--------|
-| CodeBuild | 8 hours (default 1 hour) | 2 (default), 4, 8, or 72 | 3gb (default), 7gb, 15gb or 145gb | 50gb to 824gb (default 64gb) | ✔    | ✔     |
-| Fargate   | Unlimited                | 0.25 to 4 (default 1)    | 512mb to 30gb (default 2gb)       | 20gb to 200gb (default 25gb) | ✔    | ❌    |
-| Lambda    | 15 minutes               | 1 to 6 (default 2)       | 128mb to 10gb (default 2gb)       | Up to 10gb (default 10gb)    | ❌    | ❌     |
+|                  | CodeBuild                | Fargate        | Lambda         |
+|------------------|--------------------------|----------------|----------------|
+| **Time limit**   | 8 hours                  | Unlimited      | 15 minutes     |
+| **vCPUs**        | 2, 4, 8, or 72           | 0.25 to 4      | 1 to 6         |
+| **RAM**          | 3gb, 7gb, 15gb, or 145gb | 512mb to 30gb  | 128mb to 10gb  |
+| **Storage**      | 50gb to 824gb            | 20gb to 200gb  | Up to 10gb     |
+| **Architecture** | x86_64, ARM64            | x86_64, ARM64  | x86_64, ARM64  |
+| **sudo**         | ✔                        | ✔              | ❌              |
+| **Docker**       | ✔                        | ❌              | ❌              |
+| **Spot pricing** | ❌                        | ✔              | ❌              |
 
 The best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.
 
@@ -72,63 +77,73 @@ You can also create your own provider by implementing `IRunnerProvider`.
 4. Deploy your stack
 5. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`
 6. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file
-7. [Setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token
+7. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token
 8. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK
 9. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, linux, codebuild]` or similar
 10. If the action is not successful, see [troubleshooting](#Troubleshooting)
 
+[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)
+
 ## Customizing
 
-The default providers configured by [`GitHubRunners`](https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/v/0.0.11/api/GitHubRunners?lang=typescript) are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.
+The default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.
 
 For example:
 
 ```typescript
-import * as cdk from 'aws-cdk-lib';
-import { aws_ec2 as ec2, aws_s3 as s3 } from 'aws-cdk-lib';
-import { GitHubRunners, CodeBuildRunner } from '@cloudsnorkel/cdk-github-runners';
-
-const app = new cdk.App();
-const stack = new cdk.Stack(
-  app,
-  'github-runners-test',
-  {
-     env: {
-        account: process.env.CDK_DEFAULT_ACCOUNT,
-        region: process.env.CDK_DEFAULT_REGION,
-     },
-  },
-);
-
-const vpc = ec2.Vpc.fromLookup(stack, 'vpc', { vpcId: 'vpc-1234567' });
-const runnerSg = new ec2.SecurityGroup(stack, 'runner security group', { vpc: vpc });
-const dbSg = ec2.SecurityGroup.fromSecurityGroupId(stack, 'database security group', 'sg-1234567');
-const bucket = new s3.Bucket(stack, 'runner bucket');
+let vpc: ec2.Vpc;
+let runnerSg: ec2.SecurityGroup;
+let dbSg: ec2.SecurityGroup;
+let bucket: s3.Bucket;
 
 // create a custom CodeBuild provider
-const myProvider = new CodeBuildRunner(
-  stack, 'codebuild runner',
-  {
-     label: 'my-codebuild',
-     vpc: vpc,
-     securityGroup: runnerSg,
-  },
-);
+const myProvider = new CodeBuildRunner(this, 'codebuild runner', { 
+    label: 'my-codebuild',
+    vpc: vpc,
+    securityGroup: runnerSg,
+});
 // grant some permissions to the provider
 bucket.grantReadWrite(myProvider);
 dbSg.connections.allowFrom(runnerSg, ec2.Port.tcp(3306), 'allow runners to connect to MySQL database');
 
 // create the runner infrastructure
-new GitHubRunners(
-  stack,
-  'runners',
-  {
+new GitHubRunners(this, 'runners', {
     providers: [myProvider],
-    defaultProviderLabel: 'my-codebuild',
-  }
-);
+});
+```
+
+Another way to customize runners is by modifying the image used to spin them up. The image contains the [runner][5], any required dependencies, and integration code with the provider. You may choose to customize this image by adding more packages, for example.
+
+```typescript
+const myBuilder = new CodeBuildImageBuilder(this, 'image builder', {
+   dockerfilePath: FargateProvider.LINUX_X64_DOCKERFILE_PATH,
+   runnerVersion: RunnerVersion.specific('2.291.0'),
+   rebuildInterval: Duration.days(14),    
+});
+myBuilder.setBuildArg('EXTRA_PACKAGES', 'nginx xz-utils');
+
+const myProvider = new FargateProvider(this, 'fargate runner', {
+   label: 'my-codebuild',
+   vpc: vpc,
+   securityGroup: runnerSg,
+});
+
+// create the runner infrastructure
+new GitHubRunners(stack, 'runners', {
+   providers: [myProvider],
+});
+```
+
+Your workflow will then look like:
 
-app.synth();
+```yaml
+name: self-hosted example
+on: push
+jobs:
+  self-hosted:
+    runs-on: [self-hosted, my-codebuild]
+    steps:
+      - run: echo hello world
 ```
 
 ## Architecture

package/SETUP_GITHUB.md

@@ -1,9 +1,23 @@
 # Setup GitHub
 
-Integration with GitHub can be done using an [app](#app-authentication) or [personal access token](#personal-access-token). Using an app allows more fine-grained access control. Personal access tokens are easier to set up but belong to a user instead of an organization.
+Integration with GitHub can be done using an [app](#app-authentication) or [personal access token](#personal-access-token). Using an app allows more fine-grained access control. Using an app is easier with the setup wizard.
 
 ## App Authentication
 
+### Setup Wizard
+
+1. Open the URL in `github.setup.url` from `status.json`
+2. If you want to create an app for your personal repositories, click the Create button under New Personal App
+3. If you want to create an app for your organization:
+   1. Find the New Organization App section
+   2. Type in the organization name in organization slug (ORGANIZATION from https://github.com/ORGANIZATION/REPO)
+   3. Click the Create button
+4. Follow the instructions on GitHub
+5. When brought back to the setup wizard, click the install link
+6. Install the new app on your desired repositories
+
+### Manually
+
 1. Decide if you want to create a personal app or an organization app
     1. For a personal app use https://github.com/settings/apps/new
     2. For an organization app use https://github.com/organizations/MY_ORG/settings/apps/new after replacing `MY_ORG` with your GitHub organization name
@@ -30,21 +44,44 @@ Integration with GitHub can be done using an [app](#app-authentication) or [pers
 
 ## Personal Access Token
 
-1. Create a new token
-    1. Go to https://github.com/settings/tokens/new
-    2. Choose your expiration date (you will need to replace the token if it expires)
-    3. Under scopes select `repo`
-    4. Copy the generated token
-2. Open the URL in `github.auth.secretUrl` from `status.json` and edit the secret value
-    1. If you're using a self-hosted GitHub instance, put its domain in `domain` (e.g. `github.mycompany.com`)
-    2. Put the generated token in `personalAuthToken`
-    3. Ignore all other values
-3. Create a webhook
-    1. For organizations go to https://github.com/organizations/MY_ORG/settings/hooks after replacing `MY_ORG` with your GitHub organization name
-    2. For enterprise go to https://github.com/enterprises/MY_ENTERPRISE/settings/hooks after replacing `MY_ENTERPRISE` with your GitHub enterprise name
-    3. Otherwise, you can create one per repository in your repository settings under Webhooks
-    4. Configure the webhook:
-        1. For Webhook URL use the value of `github.webhook.url` from `status.json`
-        2. Open the URL in `github.webhook.secretUrl` from `status.json`, retrieve the secret value, and use it for webhook secret
-        3. Make sure content type is set to JSON
-        4. Select individual jobs and select only Workflow jobs
+### Create Token
+
+1. Go to https://github.com/settings/tokens/new
+2. Choose your expiration date (you will need to replace the token if it expires)
+3. Under scopes select `repo`
+4. Copy the generated token
+
+### Set Token
+
+#### Setup Wizard
+
+1. Open the URL in `github.setup.url` from `status.json`
+2. Enter your personal access token under Using Personal Access Token
+3. Click the Set button
+
+#### Manually
+
+1. Open the URL in `github.auth.secretUrl` from `status.json` and edit the secret value
+2. If you're using a self-hosted GitHub instance, put its domain in `domain` (e.g. `github.mycompany.com`)
+3. Put the generated token in `personalAuthToken`
+4. Ignore all other values
+
+### Setup Webhook
+
+1. For organizations go to https://github.com/organizations/MY_ORG/settings/hooks after replacing `MY_ORG` with your GitHub organization name
+2. For enterprise go to https://github.com/enterprises/MY_ENTERPRISE/settings/hooks after replacing `MY_ENTERPRISE` with your GitHub enterprise name
+3. Otherwise, you can create one per repository in your repository settings under Webhooks
+4. Configure the webhook:
+    1. For Webhook URL use the value of `github.webhook.url` from `status.json`
+    2. Open the URL in `github.webhook.secretUrl` from `status.json`, retrieve the secret value, and use it for webhook secret
+    3. Make sure content type is set to JSON
+    4. Select individual jobs and select only Workflow jobs
+
+## Resetting Setup Wizard
+
+If the setup wizard tells you setup has already been completed or if `github.setup.status` is completed, or if `github.setup.url` is empty:
+
+1. Open the URL in `github.setup.secretUrl` from `status.json`
+2. Edit the secret
+3. Put a new random value in `token`
+4. Run status function again to get the new URL

package/lib/index.d.ts

@@ -3,5 +3,6 @@ export { GitHubRunners, GitHubRunnersProps } from './runner';
 export { CodeBuildRunner, CodeBuildRunnerProps } from './providers/codebuild';
 export { LambdaRunner, LambdaRunnerProps } from './providers/lambda';
 export { FargateRunner, FargateRunnerProps } from './providers/fargate';
-export { IRunnerProvider, RunnerProviderProps, RunnerVersion, RunnerRuntimeParameters } from './providers/common';
-//# sourceMappingURL=index.d.ts.map
+export { IRunnerProvider, RunnerProviderProps, RunnerVersion, RunnerRuntimeParameters, RunnerImage, IImageBuilder, Architecture, Os } from './providers/common';
+export { CodeBuildImageBuilder, CodeBuildImageBuilderProps } from './providers/image-builders/codebuild';
+export { StaticRunnerImage } from './providers/image-builders/static';

package/lib/index.js

@@ -12,4 +12,10 @@ var fargate_1 = require("./providers/fargate");
 Object.defineProperty(exports, "FargateRunner", { enumerable: true, get: function () { return fargate_1.FargateRunner; } });
 var common_1 = require("./providers/common");
 Object.defineProperty(exports, "RunnerVersion", { enumerable: true, get: function () { return common_1.RunnerVersion; } });
-//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFBQSxxQ0FBb0M7QUFBM0Isa0dBQUEsT0FBTyxPQUFBO0FBQ2hCLG1DQUE2RDtBQUFwRCx1R0FBQSxhQUFhLE9BQUE7QUFDdEIsbURBQThFO0FBQXJFLDRHQUFBLGVBQWUsT0FBQTtBQUN4Qiw2Q0FBcUU7QUFBNUQsc0dBQUEsWUFBWSxPQUFBO0FBQ3JCLCtDQUF3RTtBQUEvRCx3R0FBQSxhQUFhLE9BQUE7QUFDdEIsNkNBQWtIO0FBQW5FLHVHQUFBLGFBQWEsT0FBQSIsInNvdXJjZXNDb250ZW50IjpbImV4cG9ydCB7IFNlY3JldHMgfSBmcm9tICcuL3NlY3JldHMnO1xuZXhwb3J0IHsgR2l0SHViUnVubmVycywgR2l0SHViUnVubmVyc1Byb3BzIH0gZnJvbSAnLi9ydW5uZXInO1xuZXhwb3J0IHsgQ29kZUJ1aWxkUnVubmVyLCBDb2RlQnVpbGRSdW5uZXJQcm9wcyB9IGZyb20gJy4vcHJvdmlkZXJzL2NvZGVidWlsZCc7XG5leHBvcnQgeyBMYW1iZGFSdW5uZXIsIExhbWJkYVJ1bm5lclByb3BzIH0gZnJvbSAnLi9wcm92aWRlcnMvbGFtYmRhJztcbmV4cG9ydCB7IEZhcmdhdGVSdW5uZXIsIEZhcmdhdGVSdW5uZXJQcm9wcyB9IGZyb20gJy4vcHJvdmlkZXJzL2ZhcmdhdGUnO1xuZXhwb3J0IHsgSVJ1bm5lclByb3ZpZGVyLCBSdW5uZXJQcm92aWRlclByb3BzLCBSdW5uZXJWZXJzaW9uLCBSdW5uZXJSdW50aW1lUGFyYW1ldGVycyB9IGZyb20gJy4vcHJvdmlkZXJzL2NvbW1vbic7XG4iXX0=
+Object.defineProperty(exports, "Architecture", { enumerable: true, get: function () { return common_1.Architecture; } });
+Object.defineProperty(exports, "Os", { enumerable: true, get: function () { return common_1.Os; } });
+var codebuild_2 = require("./providers/image-builders/codebuild");
+Object.defineProperty(exports, "CodeBuildImageBuilder", { enumerable: true, get: function () { return codebuild_2.CodeBuildImageBuilder; } });
+var static_1 = require("./providers/image-builders/static");
+Object.defineProperty(exports, "StaticRunnerImage", { enumerable: true, get: function () { return static_1.StaticRunnerImage; } });
+//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiaW5kZXguanMiLCJzb3VyY2VSb290IjoiIiwic291cmNlcyI6WyIuLi9zcmMvaW5kZXgudHMiXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6Ijs7QUFBQSxxQ0FBb0M7QUFBM0Isa0dBQUEsT0FBTyxPQUFBO0FBQ2hCLG1DQUE2RDtBQUFwRCx1R0FBQSxhQUFhLE9BQUE7QUFDdEIsbURBQThFO0FBQXJFLDRHQUFBLGVBQWUsT0FBQTtBQUN4Qiw2Q0FBcUU7QUFBNUQsc0dBQUEsWUFBWSxPQUFBO0FBQ3JCLCtDQUF3RTtBQUEvRCx3R0FBQSxhQUFhLE9BQUE7QUFDdEIsNkNBQWdLO0FBQWpILHVHQUFBLGFBQWEsT0FBQTtBQUF1RCxzR0FBQSxZQUFZLE9BQUE7QUFBRSw0RkFBQSxFQUFFLE9BQUE7QUFDbkksa0VBQXlHO0FBQWhHLGtIQUFBLHFCQUFxQixPQUFBO0FBQzlCLDREQUFzRTtBQUE3RCwyR0FBQSxpQkFBaUIsT0FBQSIsInNvdXJjZXNDb250ZW50IjpbImV4cG9ydCB7IFNlY3JldHMgfSBmcm9tICcuL3NlY3JldHMnO1xuZXhwb3J0IHsgR2l0SHViUnVubmVycywgR2l0SHViUnVubmVyc1Byb3BzIH0gZnJvbSAnLi9ydW5uZXInO1xuZXhwb3J0IHsgQ29kZUJ1aWxkUnVubmVyLCBDb2RlQnVpbGRSdW5uZXJQcm9wcyB9IGZyb20gJy4vcHJvdmlkZXJzL2NvZGVidWlsZCc7XG5leHBvcnQgeyBMYW1iZGFSdW5uZXIsIExhbWJkYVJ1bm5lclByb3BzIH0gZnJvbSAnLi9wcm92aWRlcnMvbGFtYmRhJztcbmV4cG9ydCB7IEZhcmdhdGVSdW5uZXIsIEZhcmdhdGVSdW5uZXJQcm9wcyB9IGZyb20gJy4vcHJvdmlkZXJzL2ZhcmdhdGUnO1xuZXhwb3J0IHsgSVJ1bm5lclByb3ZpZGVyLCBSdW5uZXJQcm92aWRlclByb3BzLCBSdW5uZXJWZXJzaW9uLCBSdW5uZXJSdW50aW1lUGFyYW1ldGVycywgUnVubmVySW1hZ2UsIElJbWFnZUJ1aWxkZXIsIEFyY2hpdGVjdHVyZSwgT3MgfSBmcm9tICcuL3Byb3ZpZGVycy9jb21tb24nO1xuZXhwb3J0IHsgQ29kZUJ1aWxkSW1hZ2VCdWlsZGVyLCBDb2RlQnVpbGRJbWFnZUJ1aWxkZXJQcm9wcyB9IGZyb20gJy4vcHJvdmlkZXJzL2ltYWdlLWJ1aWxkZXJzL2NvZGVidWlsZCc7XG5leHBvcnQgeyBTdGF0aWNSdW5uZXJJbWFnZSB9IGZyb20gJy4vcHJvdmlkZXJzL2ltYWdlLWJ1aWxkZXJzL3N0YXRpYyc7XG4iXX0=

package/lib/lambdas/build-image/index.js

@@ -0,0 +1,121 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target, mod));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/lambdas/build-image/index.ts
+var build_image_exports = {};
+__export(build_image_exports, {
+  handler: () => handler
+});
+module.exports = __toCommonJS(build_image_exports);
+var AWS = __toESM(require("aws-sdk"));
+var codebuild = new AWS.CodeBuild();
+var ecr = new AWS.ECR();
+async function handler(event, context) {
+  try {
+    console.log(JSON.stringify(event));
+    const repoName = event.ResourceProperties.RepoName;
+    const projectName = event.ResourceProperties.ProjectName;
+    switch (event.RequestType) {
+      case "Create":
+      case "Update":
+        console.log(`Starting CodeBuild project ${projectName}`);
+        await codebuild.startBuild({
+          projectName,
+          environmentVariablesOverride: [
+            {
+              type: "PLAINTEXT",
+              name: "STACK_ID",
+              value: event.StackId
+            },
+            {
+              type: "PLAINTEXT",
+              name: "REQUEST_ID",
+              value: event.RequestId
+            },
+            {
+              type: "PLAINTEXT",
+              name: "LOGICAL_RESOURCE_ID",
+              value: event.LogicalResourceId
+            },
+            {
+              type: "PLAINTEXT",
+              name: "RESPONSE_URL",
+              value: event.ResponseURL
+            }
+          ]
+        }).promise();
+        break;
+      case "Delete":
+        const images = await ecr.listImages({ repositoryName: repoName, maxResults: 100 }).promise();
+        if (images.imageIds && images.imageIds.length > 0) {
+          await ecr.batchDeleteImage({
+            imageIds: images.imageIds.map((i) => {
+              return { imageDigest: i.imageDigest };
+            }),
+            repositoryName: repoName
+          }).promise();
+        }
+        await respond("SUCCESS", "OK", event.PhysicalResourceId, {});
+        break;
+    }
+  } catch (e) {
+    console.log(e);
+    await respond("FAILED", e.message || "Internal Error", context.logStreamName, {});
+  }
+  function respond(responseStatus, reason, physicalResourceId, data) {
+    const responseBody = JSON.stringify({
+      Status: responseStatus,
+      Reason: reason,
+      PhysicalResourceId: physicalResourceId,
+      StackId: event.StackId,
+      RequestId: event.RequestId,
+      LogicalResourceId: event.LogicalResourceId,
+      NoEcho: false,
+      Data: data
+    });
+    console.log("Responding", responseBody);
+    const parsedUrl = require("url").parse(event.ResponseURL);
+    const requestOptions = {
+      hostname: parsedUrl.hostname,
+      path: parsedUrl.path,
+      method: "PUT",
+      headers: {
+        "content-type": "",
+        "content-length": responseBody.length
+      }
+    };
+    return new Promise((resolve, reject) => {
+      try {
+        const request = require("https").request(requestOptions, resolve);
+        request.on("error", reject);
+        request.write(responseBody);
+        request.end();
+      } catch (e) {
+        reject(e);
+      }
+    });
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  handler
+});

package/lib/lambdas/delete-runner/index.js

@@ -1,3 +1,4 @@
+"use strict";
 var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -12509,8 +12510,25 @@ var require_dist_node15 = __commonJS({
 // src/lambdas/github.ts
 var import_auth_app = __toESM(require_dist_node12());
 var import_core = __toESM(require_dist_node15());
+
+// src/lambdas/helpers.ts
 var AWS = __toESM(require("aws-sdk"));
 var sm = new AWS.SecretsManager();
+async function getSecretValue(arn) {
+  if (!arn) {
+    throw new Error("Missing secret ARN");
+  }
+  const secret = await sm.getSecretValue({ SecretId: arn }).promise();
+  if (!secret.SecretString) {
+    throw new Error(`No SecretString in ${arn}`);
+  }
+  return secret.SecretString;
+}
+async function getSecretJsonValue(arn) {
+  return JSON.parse(await getSecretValue(arn));
+}
+
+// src/lambdas/github.ts
 function baseUrlFromDomain(domain) {
   if (domain == "github.com") {
     return "https://api.github.com";
@@ -12521,21 +12539,13 @@ async function getOctokit(installationId) {
   if (!process.env.GITHUB_SECRET_ARN || !process.env.GITHUB_PRIVATE_KEY_SECRET_ARN) {
     throw new Error("Missing environment variables");
   }
-  const secret = await sm.getSecretValue({
-    SecretId: process.env.GITHUB_SECRET_ARN
-  }).promise();
-  if (!secret.SecretString) {
-    throw new Error(`No secret string in ${process.env.GITHUB_SECRET_ARN}`);
-  }
-  const githubSecrets = JSON.parse(secret.SecretString);
+  const githubSecrets = await getSecretJsonValue(process.env.GITHUB_SECRET_ARN);
   let baseUrl = baseUrlFromDomain(githubSecrets.domain);
   let token;
   if (githubSecrets.personalAuthToken) {
     token = githubSecrets.personalAuthToken;
   } else {
-    const privateKey = (await sm.getSecretValue({
-      SecretId: process.env.GITHUB_PRIVATE_KEY_SECRET_ARN
-    }).promise()).SecretString;
+    const privateKey = await getSecretValue(process.env.GITHUB_PRIVATE_KEY_SECRET_ARN);
     const appOctokit = new import_core.Octokit({
       baseUrl,
       authStrategy: import_auth_app.createAppAuth,
@@ -12581,11 +12591,15 @@ async function getRunnerId(octokit, owner, repo, name) {
 }
 exports.handler = async function(event) {
   const { octokit } = await getOctokit(event.installationId);
-  await octokit.request("POST /repos/{owner}/{repo}/actions/runs/{runId}/cancel", {
-    owner: event.owner,
-    repo: event.repo,
-    runId: event.runId
-  });
+  try {
+    await octokit.request("POST /repos/{owner}/{repo}/actions/runs/{runId}/cancel", {
+      owner: event.owner,
+      repo: event.repo,
+      runId: event.runId
+    });
+  } catch (e) {
+    console.error(`Unable to cancel workflow: ${e}`);
+  }
   const runnerId = await getRunnerId(octokit, event.owner, event.repo, event.runnerName);
   if (!runnerId) {
     console.error(`Unable to find runner id for ${event.owner}/${event.repo}:${event.runnerName}`);