@cloudsnorkel/cdk-github-runners 0.13.3 → 0.14.0

package/.jsii

@@ -3675,7 +3675,7 @@
     "stability": "experimental"
   },
   "homepage": "https://github.com/CloudSnorkel/cdk-github-runners.git",
-  "jsiiVersion": "5.3.34 (build f4c2317)",
+  "jsiiVersion": "5.3.36 (build 0087b04)",
   "keywords": [
     "aws",
     "aws-cdk",
@@ -3699,7 +3699,7 @@
   },
   "name": "@cloudsnorkel/cdk-github-runners",
   "readme": {
-    "markdown": "# GitHub Self-Hosted Runners CDK Constructs\n\n[![NPM](https://img.shields.io/npm/v/@cloudsnorkel/cdk-github-runners?label=npm&logo=npm)][7]\n[![PyPI](https://img.shields.io/pypi/v/cloudsnorkel.cdk-github-runners?label=pypi&logo=pypi)][6]\n[![Maven Central](https://img.shields.io/maven-central/v/com.cloudsnorkel/cdk.github.runners.svg?label=Maven%20Central&logo=apachemaven)][8]\n[![Go](https://img.shields.io/github/v/tag/CloudSnorkel/cdk-github-runners?color=red&label=go&logo=go)][11]\n[![Nuget](https://img.shields.io/nuget/v/CloudSnorkel.Cdk.Github.Runners?color=red&&logo=nuget)][12]\n[![Release](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml/badge.svg)](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/CloudSnorkel/cdk-github-runners/blob/main/LICENSE)\n\nUse this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.\n\n* Easy to configure GitHub integration with a web-based interface\n* Customizable runners with decent defaults\n* Multiple runner configurations controlled by labels\n* Everything fully hosted in your account\n* Automatically updated build environment with latest runner version\n\nSelf-hosted runners in AWS are useful when:\n\n* You need easy access to internal resources in your actions\n* You want to pre-install some software for your actions\n* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)\n* You are using GitHub Enterprise Server\n\nEphemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.\n\n## API\n\nThe best way to browse API documentation is on [Constructs Hub][13]. It is available in all supported programming languages.\n\n## Providers\n\nA runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.\n\n|                  | EC2               | CodeBuild                  | Fargate        | ECS            | Lambda        |\n|------------------|-------------------|----------------------------|----------------|----------------|---------------|\n| **Time limit**   | Unlimited         | 8 hours                    | Unlimited      | Unlimited      | 15 minutes    |\n| **vCPUs**        | Unlimited         | 2, 4, 8, or 72             | 0.25 to 4      | Unlimited      | 1 to 6        |\n| **RAM**          | Unlimited         | 3gb, 7gb, 15gb, or 145gb   | 512mb to 30gb  | Unlimited      | 128mb to 10gb |\n| **Storage**      | Unlimited         | 50gb to 824gb              | 20gb to 200gb  | Unlimited      | Up to 10gb    |\n| **Architecture** | x86_64, ARM64     | x86_64, ARM64              | x86_64, ARM64  | x86_64, ARM64  | x86_64, ARM64 |\n| **sudo**         | ✔                 | ✔                         | ✔              | ✔              | ❌           |\n| **Docker**       | ✔                 | ✔ (Linux only)            | ❌              | ✔              | ❌           |\n| **Spot pricing** | ✔                 | ❌                         | ✔              | ✔              | ❌           |\n| **OS**           | Linux, Windows    | Linux, Windows             | Linux, Windows | Linux, Windows | Linux         |\n\nThe best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.\n\n* EC2 is useful when you want runners to have complete access to the host\n* ECS is useful when you want to control the infrastructure, like leaving the runner host running for faster startups\n* Lambda is useful for short jobs that can work within time, size and readonly system constraints\n\nYou can also create your own provider by implementing `IRunnerProvider`.\n\n## Installation\n\n1. Install and use the appropriate package\n   <details><summary>Python</summary>\n\n   ### Install\n   Available on [PyPI][6].\n   ```bash\n   pip install cloudsnorkel.cdk-github-runners\n   ```\n   ### Use\n   ```python\n   from cloudsnorkel.cdk_github_runners import GitHubRunners\n\n   GitHubRunners(self, \"runners\")\n   ```\n   </details>\n   <details><summary>TypeScript or JavaScript</summary>\n\n   ### Install\n   Available on [npm][7].\n   ```bash\n   npm i @cloudsnorkel/cdk-github-runners\n   ```\n   ### Use\n   ```typescript\n   import { GitHubRunners } from '@cloudsnorkel/cdk-github-runners';\n\n   new GitHubRunners(this, \"runners\");\n   ```\n   </details>\n   <details><summary>Java</summary>\n\n   ### Install\n   Available on [Maven][8].\n   ```xml\n   <dependency>\n      <groupId>com.cloudsnorkel</groupId>\n      <artifactId>cdk.github.runners</artifactId>\n   </dependency>\n   ```\n   ### Use\n   ```java\n   import com.cloudsnorkel.cdk.github.runners.GitHubRunners;\n\n   GitHubRunners.Builder.create(this, \"runners\").build();\n   ```\n   </details>\n   <details><summary>Go</summary>\n\n   ### Install\n   Available on [GitHub][11].\n   ```bash\n   go get github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n   ```\n   ### Use\n   ```go\n   import \"github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\"\n\n   NewGitHubRunners(this, jsii.String(\"runners\"))\n   ```\n   </details>\n   <details><summary>.NET</summary>\n\n   ### Install\n   Available on [Nuget][12].\n   ```bash\n   dotnet add package CloudSnorkel.Cdk.Github.Runners\n   ```\n   ### Use\n   ```csharp\n   using CloudSnorkel;\n\n   new GitHubRunners(this, \"runners\");\n   ```\n   </details>\n2. Use `GitHubRunners` construct in your code (starting with default arguments is fine)\n3. Deploy your stack\n4. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`\n   ```\n    ✅  github-runners-test\n\n   ✨  Deployment time: 260.01s\n\n   Outputs:\n   github-runners-test.runnersstatuscommand4A30F0F5 = aws --region us-east-1 lambda invoke --function-name github-runners-test-runnersstatus1A5771C0-mvttg8oPQnQS status.json\n   ```\n5. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file\n6. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token\n7. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK\n8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, linux, codebuild]` or similar\n9. If the action is not successful, see [troubleshooting](#Troubleshooting)\n\n[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)\n\n## Customizing\n\nThe default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.\n\nFor example:\n\n```typescript\nlet vpc: ec2.Vpc;\nlet runnerSg: ec2.SecurityGroup;\nlet dbSg: ec2.SecurityGroup;\nlet bucket: s3.Bucket;\n\n// create a custom CodeBuild provider\nconst myProvider = new CodeBuildRunnerProvider(this, 'codebuild runner', {\n   labels: ['my-codebuild'],\n   vpc: vpc,\n   securityGroups: [runnerSg],\n});\n// grant some permissions to the provider\nbucket.grantReadWrite(myProvider);\ndbSg.connections.allowFrom(runnerSg, ec2.Port.tcp(3306), 'allow runners to connect to MySQL database');\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nAnother way to customize runners is by modifying the image used to spin them up. The image contains the [runner][5], any required dependencies, and integration code with the provider. You may choose to customize this image by adding more packages, for example.\n\n```typescript\nconst myBuilder = FargateRunnerProvider.imageBuilder(this, 'image builder');\nmyBuilder.addComponent(\n  RunnerImageComponent.custom({ commands: ['apt install -y nginx xz-utils'] }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-fargate'],\n   imageBuilder: myBuilder,\n});\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nYour workflow will then look like:\n\n```yaml\nname: self-hosted example\non: push\njobs:\n  self-hosted:\n    runs-on: [self-hosted, customized-fargate]\n    steps:\n      - run: echo hello world\n```\n\nWindows images can also be customized the same way.\n\n```typescript\nconst myWindowsBuilder = FargateRunnerProvider.imageBuilder(this, 'Windows image builder', {\n   architecture: Architecture.X86_64,\n   os: Os.WINDOWS,\n});\nmyWindowsBuilder.addComponent(\n   RunnerImageComponent.custom({\n     name: 'Ninja',\n     commands: [\n       'Invoke-WebRequest -UseBasicParsing -Uri \"https://github.com/ninja-build/ninja/releases/download/v1.11.1/ninja-win.zip\" -OutFile ninja.zip',\n       'Expand-Archive ninja.zip -DestinationPath C:\\\\actions',\n       'del ninja.zip',\n     ],\n   }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-windows-fargate'],\n   imageBuilder: myWindowsBuilder,\n});\n\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nThe runner OS and architecture is determined by the image it is set to use. For example, to create a Fargate runner provider for ARM64 set the `architecture` property for the image builder to `Architecture.ARM64` in the image builder properties.\n\n```typescript\nnew GitHubRunners(this, 'runners', {\n   providers: [\n      new FargateRunnerProvider(this, 'fargate runner', {\n         labels: ['arm64', 'fargate'],\n         imageBuilder: FargateRunnerProvider.imageBuilder(this, 'image builder', {\n            architecture: Architecture.ARM64,\n            os: Os.LINUX_UBUNTU,\n         }),\n      }),\n   ],\n});\n```\n\n## Architecture\n\n![Architecture diagram](architecture.svg)\n\n## Troubleshooting\n\nRunners are started in response to a webhook coming in from GitHub. If there are any issues starting the runner like missing capacity or transient API issues, the provider will keep retrying for 24 hours. Configuration issue related errors like pointing to a missing AMI will not be retried. GitHub itself will cancel the job if it can't find a runner for 24 hours. If your jobs don't start, follow the steps below to examine all parts of this workflow.\n\n1. Always start with the status function, make sure no errors are reported, and confirm all status codes are OK\n2. Make sure `runs-on` in the workflow matches the expected labels set in the runner provider\n3. Diagnose relevant executions of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`\n   1. If the execution failed, check your runner provider configuration for errors\n   2. If the execution is still running for a long time, check the execution events to see why runner starting is being retried\n   3. If there are no relevant executions, move to the next step\n4. Confirm the webhook Lambda was called by visiting the URL in `troubleshooting.webhookHandlerUrl` from `status.json`\n   1. If it's not called or logs errors, confirm the webhook settings on the GitHub side\n   2. If you see too many errors, make sure you're only sending `workflow_job` events\n5. When using GitHub app, make sure there are active installations in `github.auth.app.installations`\n\nAll logs are saved in CloudWatch.\n* Log group names can be found in `status.json` for each provider, image builder, and other parts of the system\n* Some useful Logs Insights queries can be enabled with `GitHubRunners.createLogsInsightsQueries()`\n\nTo get `status.json`, check out the CloudFormation stack output for a command that generates it. The command looks like:\n\n```\naws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json\n```\n\n## Monitoring\n\nThere are two important ways to monitor your runners:\n\n1. Make sure runners don't fail to start. When that happens, jobs may sit and wait. Use `GitHubRunners.metricFailed()` to get a metric for the number of failed runner starts. You should use this metric to trigger an alarm.\n2. Make sure runner images don't fail to build. Failed runner image builds mean you will get stuck with out-of-date software on your runners. It may lead to security vulnerabilities, or it may lead to slower runner start-ups as the runner software itself needs to be updated. Use `GitHubRunners.failedImageBuildsTopic()` to get SNS topic that gets notified of failed runner image builds. You should subscribe to this topic.\n\nOther useful metrics to track:\n\n1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.\n2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.\n\n## Other Options\n\n1. [philips-labs/terraform-aws-github-runner][3] if you're using Terraform\n2. [actions/actions-runner-controller][4] if you're using Kubernetes\n\n\n[1]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners\n[2]: https://github.com/marketplace/actions/configure-aws-credentials-for-github-actions\n[3]: https://github.com/philips-labs/terraform-aws-github-runner\n[4]: https://github.com/actions/actions-runner-controller\n[5]: https://github.com/actions/runner\n[6]: https://pypi.org/project/cloudsnorkel.cdk-github-runners\n[7]: https://www.npmjs.com/package/@cloudsnorkel/cdk-github-runners\n[8]: https://central.sonatype.com/artifact/com.cloudsnorkel/cdk.github.runners/\n[9]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps\n[10]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[11]: https://pkg.go.dev/github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n[12]: https://www.nuget.org/packages/CloudSnorkel.Cdk.Github.Runners/\n[13]: https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/\n[14]: https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling\n"
+    "markdown": "# GitHub Self-Hosted Runners CDK Constructs\n\n[![NPM](https://img.shields.io/npm/v/@cloudsnorkel/cdk-github-runners?label=npm&logo=npm)][7]\n[![PyPI](https://img.shields.io/pypi/v/cloudsnorkel.cdk-github-runners?label=pypi&logo=pypi)][6]\n[![Maven Central](https://img.shields.io/maven-central/v/com.cloudsnorkel/cdk.github.runners.svg?label=Maven%20Central&logo=apachemaven)][8]\n[![Go](https://img.shields.io/github/v/tag/CloudSnorkel/cdk-github-runners?color=red&label=go&logo=go)][11]\n[![Nuget](https://img.shields.io/nuget/v/CloudSnorkel.Cdk.Github.Runners?color=red&&logo=nuget)][12]\n[![Release](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml/badge.svg)](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/CloudSnorkel/cdk-github-runners/blob/main/LICENSE)\n\nUse this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.\n\n* 🧩 Easy to configure GitHub integration with a web-based interface\n* 🧠 Customizable runners with decent defaults\n* 🏃🏻 Multiple runner configurations controlled by labels\n* 🔐 Everything fully hosted in your account\n* 🔃 Automatically updated build environment with latest runner version\n\nSelf-hosted runners in AWS are useful when:\n\n* You need easy access to internal resources in your actions\n* You want to pre-install some software for your actions\n* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)\n* You are using GitHub Enterprise Server\n\nEphemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.\n\n## API\n\nThe best way to browse API documentation is on [Constructs Hub][13]. It is available in all supported programming languages.\n\n## Providers\n\nA runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.\n\n|                  | EC2               | CodeBuild                  | Fargate        | ECS            | Lambda        |\n|------------------|-------------------|----------------------------|----------------|----------------|---------------|\n| **Time limit**   | Unlimited         | 8 hours                    | Unlimited      | Unlimited      | 15 minutes    |\n| **vCPUs**        | Unlimited         | 2, 4, 8, or 72             | 0.25 to 4      | Unlimited      | 1 to 6        |\n| **RAM**          | Unlimited         | 3gb, 7gb, 15gb, or 145gb   | 512mb to 30gb  | Unlimited      | 128mb to 10gb |\n| **Storage**      | Unlimited         | 50gb to 824gb              | 20gb to 200gb  | Unlimited      | Up to 10gb    |\n| **Architecture** | x86_64, ARM64     | x86_64, ARM64              | x86_64, ARM64  | x86_64, ARM64  | x86_64, ARM64 |\n| **sudo**         | ✔                 | ✔                         | ✔              | ✔              | ❌           |\n| **Docker**       | ✔                 | ✔ (Linux only)            | ❌              | ✔              | ❌           |\n| **Spot pricing** | ✔                 | ❌                         | ✔              | ✔              | ❌           |\n| **OS**           | Linux, Windows    | Linux, Windows             | Linux, Windows | Linux, Windows | Linux         |\n\nThe best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.\n\n* EC2 is useful when you want runners to have complete access to the host\n* ECS is useful when you want to control the infrastructure, like leaving the runner host running for faster startups\n* Lambda is useful for short jobs that can work within time, size and readonly system constraints\n\nYou can also create your own provider by implementing `IRunnerProvider`.\n\n## Installation\n\n1. Install and use the appropriate package\n   <details><summary>Python</summary>\n\n   ### Install\n   Available on [PyPI][6].\n   ```bash\n   pip install cloudsnorkel.cdk-github-runners\n   ```\n   ### Use\n   ```python\n   from cloudsnorkel.cdk_github_runners import GitHubRunners\n\n   GitHubRunners(self, \"runners\")\n   ```\n   </details>\n   <details><summary>TypeScript or JavaScript</summary>\n\n   ### Install\n   Available on [npm][7].\n   ```bash\n   npm i @cloudsnorkel/cdk-github-runners\n   ```\n   ### Use\n   ```typescript\n   import { GitHubRunners } from '@cloudsnorkel/cdk-github-runners';\n\n   new GitHubRunners(this, \"runners\");\n   ```\n   </details>\n   <details><summary>Java</summary>\n\n   ### Install\n   Available on [Maven][8].\n   ```xml\n   <dependency>\n      <groupId>com.cloudsnorkel</groupId>\n      <artifactId>cdk.github.runners</artifactId>\n   </dependency>\n   ```\n   ### Use\n   ```java\n   import com.cloudsnorkel.cdk.github.runners.GitHubRunners;\n\n   GitHubRunners.Builder.create(this, \"runners\").build();\n   ```\n   </details>\n   <details><summary>Go</summary>\n\n   ### Install\n   Available on [GitHub][11].\n   ```bash\n   go get github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n   ```\n   ### Use\n   ```go\n   import \"github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\"\n\n   NewGitHubRunners(this, jsii.String(\"runners\"))\n   ```\n   </details>\n   <details><summary>.NET</summary>\n\n   ### Install\n   Available on [Nuget][12].\n   ```bash\n   dotnet add package CloudSnorkel.Cdk.Github.Runners\n   ```\n   ### Use\n   ```csharp\n   using CloudSnorkel;\n\n   new GitHubRunners(this, \"runners\");\n   ```\n   </details>\n2. Use `GitHubRunners` construct in your code (starting with default arguments is fine)\n3. Deploy your stack\n4. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`\n   ```\n    ✅  github-runners-test\n\n   ✨  Deployment time: 260.01s\n\n   Outputs:\n   github-runners-test.runnersstatuscommand4A30F0F5 = aws --region us-east-1 lambda invoke --function-name github-runners-test-runnersstatus1A5771C0-mvttg8oPQnQS status.json\n   ```\n5. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file\n6. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token\n7. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK\n8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, linux, codebuild]` or similar\n9. If the action is not successful, see [troubleshooting](#Troubleshooting)\n\n[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)\n\n## Customizing\n\nThe default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.\n\nFor example:\n\n```typescript\nlet vpc: ec2.Vpc;\nlet runnerSg: ec2.SecurityGroup;\nlet dbSg: ec2.SecurityGroup;\nlet bucket: s3.Bucket;\n\n// create a custom CodeBuild provider\nconst myProvider = new CodeBuildRunnerProvider(this, 'codebuild runner', {\n   labels: ['my-codebuild'],\n   vpc: vpc,\n   securityGroups: [runnerSg],\n});\n// grant some permissions to the provider\nbucket.grantReadWrite(myProvider);\ndbSg.connections.allowFrom(runnerSg, ec2.Port.tcp(3306), 'allow runners to connect to MySQL database');\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nAnother way to customize runners is by modifying the image used to spin them up. The image contains the [runner][5], any required dependencies, and integration code with the provider. You may choose to customize this image by adding more packages, for example.\n\n```typescript\nconst myBuilder = FargateRunnerProvider.imageBuilder(this, 'image builder');\nmyBuilder.addComponent(\n  RunnerImageComponent.custom({ commands: ['apt install -y nginx xz-utils'] }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-fargate'],\n   imageBuilder: myBuilder,\n});\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nYour workflow will then look like:\n\n```yaml\nname: self-hosted example\non: push\njobs:\n  self-hosted:\n    runs-on: [self-hosted, customized-fargate]\n    steps:\n      - run: echo hello world\n```\n\nWindows images can also be customized the same way.\n\n```typescript\nconst myWindowsBuilder = FargateRunnerProvider.imageBuilder(this, 'Windows image builder', {\n   architecture: Architecture.X86_64,\n   os: Os.WINDOWS,\n});\nmyWindowsBuilder.addComponent(\n   RunnerImageComponent.custom({\n     name: 'Ninja',\n     commands: [\n       'Invoke-WebRequest -UseBasicParsing -Uri \"https://github.com/ninja-build/ninja/releases/download/v1.11.1/ninja-win.zip\" -OutFile ninja.zip',\n       'Expand-Archive ninja.zip -DestinationPath C:\\\\actions',\n       'del ninja.zip',\n     ],\n   }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-windows-fargate'],\n   imageBuilder: myWindowsBuilder,\n});\n\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nThe runner OS and architecture is determined by the image it is set to use. For example, to create a Fargate runner provider for ARM64 set the `architecture` property for the image builder to `Architecture.ARM64` in the image builder properties.\n\n```typescript\nnew GitHubRunners(this, 'runners', {\n   providers: [\n      new FargateRunnerProvider(this, 'fargate runner', {\n         labels: ['arm64', 'fargate'],\n         imageBuilder: FargateRunnerProvider.imageBuilder(this, 'image builder', {\n            architecture: Architecture.ARM64,\n            os: Os.LINUX_UBUNTU,\n         }),\n      }),\n   ],\n});\n```\n\n## Architecture\n\n![Architecture diagram](architecture.svg)\n\n## Troubleshooting\n\nRunners are started in response to a webhook coming in from GitHub. If there are any issues starting the runner like missing capacity or transient API issues, the provider will keep retrying for 24 hours. Configuration issue related errors like pointing to a missing AMI will not be retried. GitHub itself will cancel the job if it can't find a runner for 24 hours. If your jobs don't start, follow the steps below to examine all parts of this workflow.\n\n1. Always start with the status function, make sure no errors are reported, and confirm all status codes are OK\n2. Make sure `runs-on` in the workflow matches the expected labels set in the runner provider\n3. Diagnose relevant executions of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`\n   1. If the execution failed, check your runner provider configuration for errors\n   2. If the execution is still running for a long time, check the execution events to see why runner starting is being retried\n   3. If there are no relevant executions, move to the next step\n4. Confirm the webhook Lambda was called by visiting the URL in `troubleshooting.webhookHandlerUrl` from `status.json`\n   1. If it's not called or logs errors, confirm the webhook settings on the GitHub side\n   2. If you see too many errors, make sure you're only sending `workflow_job` events\n5. When using GitHub app, make sure there are active installations in `github.auth.app.installations`\n\nAll logs are saved in CloudWatch.\n* Log group names can be found in `status.json` for each provider, image builder, and other parts of the system\n* Some useful Logs Insights queries can be enabled with `GitHubRunners.createLogsInsightsQueries()`\n\nTo get `status.json`, check out the CloudFormation stack output for a command that generates it. The command looks like:\n\n```\naws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json\n```\n\n## Monitoring\n\nThere are two important ways to monitor your runners:\n\n1. Make sure runners don't fail to start. When that happens, jobs may sit and wait. Use `GitHubRunners.metricFailed()` to get a metric for the number of failed runner starts. You should use this metric to trigger an alarm.\n2. Make sure runner images don't fail to build. Failed runner image builds mean you will get stuck with out-of-date software on your runners. It may lead to security vulnerabilities, or it may lead to slower runner start-ups as the runner software itself needs to be updated. Use `GitHubRunners.failedImageBuildsTopic()` to get SNS topic that gets notified of failed runner image builds. You should subscribe to this topic.\n\nOther useful metrics to track:\n\n1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.\n2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.\n\n## Contributing\n\nIf you use and love this project, please consider contributing.\n\n1. 🪳 If you see something, say something. [Issues][16] help improve the quality of the project.\n   * Include relevant logs and package versions for bugs.\n   * When possible, describe the use-case behind feature requests.\n1. 🛠️ [Pull requests][17] are welcome.\n   * Run `npm run build` before submitting to make sure all tests pass.\n   * Allow edits from maintainers so small adjustments can be made easily.\n1. 💵 Consider [sponsoring][15] the project to show your support and optionally get your name listed below.\n\n## Other Options\n\n1. [philips-labs/terraform-aws-github-runner][3] if you're using Terraform\n2. [actions/actions-runner-controller][4] if you're using Kubernetes\n\n\n[1]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners\n[2]: https://github.com/marketplace/actions/configure-aws-credentials-for-github-actions\n[3]: https://github.com/philips-labs/terraform-aws-github-runner\n[4]: https://github.com/actions/actions-runner-controller\n[5]: https://github.com/actions/runner\n[6]: https://pypi.org/project/cloudsnorkel.cdk-github-runners\n[7]: https://www.npmjs.com/package/@cloudsnorkel/cdk-github-runners\n[8]: https://central.sonatype.com/artifact/com.cloudsnorkel/cdk.github.runners/\n[9]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps\n[10]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[11]: https://pkg.go.dev/github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n[12]: https://www.nuget.org/packages/CloudSnorkel.Cdk.Github.Runners/\n[13]: https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/\n[14]: https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling\n[15]: https://github.com/sponsors/CloudSnorkel\n[16]: https://github.com/CloudSnorkel/cdk-github-runners/issues\n[17]: https://github.com/CloudSnorkel/cdk-github-runners/pulls\n"
   },
   "repository": {
     "type": "git",
@@ -4198,7 +4198,7 @@
         {
           "abstract": true,
           "docs": {
-            "default": "m5.large",
+            "default": "m6i.large",
             "stability": "experimental",
             "summary": "The instance type used to build the image."
           },
@@ -4680,7 +4680,7 @@
         {
           "abstract": true,
           "docs": {
-            "default": "m5.large",
+            "default": "m6i.large",
             "stability": "experimental",
             "summary": "The instance type used to build the image."
           },
@@ -5487,7 +5487,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/common.ts",
-            "line": 490
+            "line": 492
           },
           "name": "labelsFromProperties",
           "parameters": [
@@ -6402,7 +6402,7 @@
         {
           "abstract": true,
           "docs": {
-            "default": "m5.large",
+            "default": "m6i.large",
             "stability": "experimental",
             "summary": "The instance type used to build the image."
           },
@@ -6651,7 +6651,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/providers/ec2.ts",
-        "line": 562
+        "line": 578
       },
       "name": "Ec2Runner",
       "symbolId": "src/providers/ec2:Ec2Runner"
@@ -6780,7 +6780,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/ec2.ts",
-            "line": 502
+            "line": 518
           },
           "name": "grantStateMachine",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -6799,7 +6799,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/common.ts",
-            "line": 490
+            "line": 492
           },
           "name": "labelsFromProperties",
           "parameters": [
@@ -6849,7 +6849,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/ec2.ts",
-            "line": 532
+            "line": 548
           },
           "name": "status",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -6878,7 +6878,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/ec2.ts",
-            "line": 554
+            "line": 570
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -7021,7 +7021,7 @@
         {
           "abstract": true,
           "docs": {
-            "default": "m5.large",
+            "default": "m6i.large",
             "stability": "experimental",
             "summary": "Instance type for launched runner instances."
           },
@@ -7360,7 +7360,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/common.ts",
-            "line": 490
+            "line": 492
           },
           "name": "labelsFromProperties",
           "parameters": [
@@ -7659,7 +7659,7 @@
         {
           "abstract": true,
           "docs": {
-            "default": "m5.large or m6g.large",
+            "default": "m6i.large or m6g.large",
             "remarks": "Only used when creating a new cluster.",
             "stability": "experimental",
             "summary": "Instance type of ECS cluster instances."
@@ -8078,7 +8078,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/common.ts",
-            "line": 490
+            "line": 492
           },
           "name": "labelsFromProperties",
           "parameters": [
@@ -10384,7 +10384,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/lambda.ts",
-          "line": 235
+          "line": 222
         },
         "parameters": [
           {
@@ -10411,7 +10411,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/providers/lambda.ts",
-        "line": 471
+        "line": 458
       },
       "name": "LambdaRunner",
       "symbolId": "src/providers/lambda:LambdaRunner"
@@ -10431,7 +10431,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/lambda.ts",
-          "line": 235
+          "line": 222
         },
         "parameters": [
           {
@@ -10466,13 +10466,13 @@
       "methods": [
         {
           "docs": {
-            "remarks": "You can customize the OS, architecture, VPC, subnet, security groups, etc. by passing in props.\n\nYou can add components to the image builder by calling `imageBuilder.addComponent()`.\n\nThe default OS is Amazon Linux 2 running on x64 architecture.\n\nIncluded components:\n * `RunnerImageComponent.requiredPackages()`\n * `RunnerImageComponent.runnerUser()`\n * `RunnerImageComponent.git()`\n * `RunnerImageComponent.githubCli()`\n * `RunnerImageComponent.awsCli()`\n * `RunnerImageComponent.githubRunner()`\n * `RunnerImageComponent.lambdaEntrypoint()`\n\n Base Docker image: `public.ecr.aws/lambda/nodejs:20-x86_64` or `public.ecr.aws/lambda/nodejs:20-arm64`",
+            "remarks": "You can customize the OS, architecture, VPC, subnet, security groups, etc. by passing in props.\n\nYou can add components to the image builder by calling `imageBuilder.addComponent()`.\n\nThe default OS is Amazon Linux 2023 running on x64 architecture.\n\nIncluded components:\n * `RunnerImageComponent.requiredPackages()`\n * `RunnerImageComponent.runnerUser()`\n * `RunnerImageComponent.git()`\n * `RunnerImageComponent.githubCli()`\n * `RunnerImageComponent.awsCli()`\n * `RunnerImageComponent.githubRunner()`\n * `RunnerImageComponent.lambdaEntrypoint()`",
             "stability": "experimental",
             "summary": "Create new image builder that builds Lambda specific runner images."
           },
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 169
+            "line": 167
           },
           "name": "imageBuilder",
           "parameters": [
@@ -10511,7 +10511,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 327
+            "line": 314
           },
           "name": "getStepFunctionTask",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -10540,7 +10540,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 388
+            "line": 375
           },
           "name": "grantStateMachine",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -10559,7 +10559,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/common.ts",
-            "line": 490
+            "line": 492
           },
           "name": "labelsFromProperties",
           "parameters": [
@@ -10609,7 +10609,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 391
+            "line": 378
           },
           "name": "status",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -10676,7 +10676,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 316
+            "line": 303
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -10692,7 +10692,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 200
+            "line": 187
           },
           "name": "function",
           "type": {
@@ -10707,7 +10707,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 210
+            "line": 197
           },
           "name": "grantPrincipal",
           "overrides": "aws-cdk-lib.aws_iam.IGrantable",
@@ -10724,7 +10724,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 215
+            "line": 202
           },
           "name": "image",
           "type": {
@@ -10739,7 +10739,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 205
+            "line": 192
           },
           "name": "labels",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -10761,7 +10761,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 222
+            "line": 209
           },
           "name": "logGroup",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -10777,7 +10777,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 224
+            "line": 211
           },
           "name": "retryableErrors",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -12629,7 +12629,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 355
+            "line": 371
           },
           "name": "docker",
           "returns": {
@@ -12647,7 +12647,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 431
+            "line": 447
           },
           "name": "dockerInDocker",
           "returns": {
@@ -12665,7 +12665,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 534
+            "line": 549
           },
           "name": "environmentVariables",
           "parameters": [
@@ -12696,7 +12696,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 441
+            "line": 457
           },
           "name": "extraCertificates",
           "parameters": [
@@ -12797,7 +12797,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 491
+            "line": 507
           },
           "name": "lambdaEntrypoint",
           "returns": {
@@ -12849,7 +12849,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 571
+            "line": 586
           },
           "name": "getAssets",
           "parameters": [
@@ -12886,7 +12886,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 566
+            "line": 581
           },
           "name": "getCommands",
           "parameters": [
@@ -12922,7 +12922,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 580
+            "line": 595
           },
           "name": "getDockerCommands",
           "parameters": [
@@ -12957,7 +12957,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 587
+            "line": 602
           },
           "name": "shouldReboot",
           "parameters": [
@@ -12993,7 +12993,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 561
+            "line": 576
           },
           "name": "name",
           "type": {
@@ -13893,6 +13893,6 @@
       "symbolId": "src/image-builders/aws-image-builder/deprecated/windows-components:WindowsComponents"
     }
   },
-  "version": "0.13.3",
-  "fingerprint": "dfYaDfyN7mD42+MHXxkTOor/4hjDsb6hFKCY0wh7b14="
+  "version": "0.14.0",
+  "fingerprint": "7BoZGUvfCNHNp7iRKhLHLvclapxTdkc7B5vqkzJ0rwg="
 }

package/API.md

@@ -3876,7 +3876,7 @@ You can customize the OS, architecture, VPC, subnet, security groups, etc. by pa
 
 You can add components to the image builder by calling `imageBuilder.addComponent()`.
 
-The default OS is Amazon Linux 2 running on x64 architecture.
+The default OS is Amazon Linux 2023 running on x64 architecture.
 
 Included components:
  * `RunnerImageComponent.requiredPackages()`
@@ -3887,8 +3887,6 @@ Included components:
  * `RunnerImageComponent.githubRunner()`
  * `RunnerImageComponent.lambdaEntrypoint()`
 
- Base Docker image: `public.ecr.aws/lambda/nodejs:20-x86_64` or `public.ecr.aws/lambda/nodejs:20-arm64`
-
 ###### `scope`<sup>Required</sup> <a name="scope" id="@cloudsnorkel/cdk-github-runners.LambdaRunner.imageBuilder.parameter.scope"></a>
 
 - *Type:* constructs.Construct
@@ -4242,7 +4240,7 @@ You can customize the OS, architecture, VPC, subnet, security groups, etc. by pa
 
 You can add components to the image builder by calling `imageBuilder.addComponent()`.
 
-The default OS is Amazon Linux 2 running on x64 architecture.
+The default OS is Amazon Linux 2023 running on x64 architecture.
 
 Included components:
  * `RunnerImageComponent.requiredPackages()`
@@ -4253,8 +4251,6 @@ Included components:
  * `RunnerImageComponent.githubRunner()`
  * `RunnerImageComponent.lambdaEntrypoint()`
 
- Base Docker image: `public.ecr.aws/lambda/nodejs:20-x86_64` or `public.ecr.aws/lambda/nodejs:20-arm64`
-
 ###### `scope`<sup>Required</sup> <a name="scope" id="@cloudsnorkel/cdk-github-runners.LambdaRunnerProvider.imageBuilder.parameter.scope"></a>
 
 - *Type:* constructs.Construct
@@ -4884,7 +4880,7 @@ public readonly instanceType: InstanceType;
 ```
 
 - *Type:* aws-cdk-lib.aws_ec2.InstanceType
-- *Default:* m5.large
+- *Default:* m6i.large
 
 The instance type used to build the image.
 
@@ -5145,7 +5141,7 @@ public readonly instanceType: InstanceType;
 ```
 
 - *Type:* aws-cdk-lib.aws_ec2.InstanceType
-- *Default:* m5.large
+- *Default:* m6i.large
 
 The instance type used to build the image.
 
@@ -5701,7 +5697,7 @@ public readonly instanceType: InstanceType;
 ```
 
 - *Type:* aws-cdk-lib.aws_ec2.InstanceType
-- *Default:* m5.large
+- *Default:* m6i.large
 
 The instance type used to build the image.
 
@@ -5949,7 +5945,7 @@ public readonly instanceType: InstanceType;
 ```
 
 - *Type:* aws-cdk-lib.aws_ec2.InstanceType
-- *Default:* m5.large
+- *Default:* m6i.large
 
 Instance type for launched runner instances.
 
@@ -6250,7 +6246,7 @@ public readonly instanceType: InstanceType;
 ```
 
 - *Type:* aws-cdk-lib.aws_ec2.InstanceType
-- *Default:* m5.large or m6g.large
+- *Default:* m6i.large or m6g.large
 
 Instance type of ECS cluster instances.
 

package/README.md

@@ -10,11 +10,11 @@
 
 Use this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.
 
-* Easy to configure GitHub integration with a web-based interface
-* Customizable runners with decent defaults
-* Multiple runner configurations controlled by labels
-* Everything fully hosted in your account
-* Automatically updated build environment with latest runner version
+* 🧩 Easy to configure GitHub integration with a web-based interface
+* 🧠 Customizable runners with decent defaults
+* 🏃🏻 Multiple runner configurations controlled by labels
+* 🔐 Everything fully hosted in your account
+* 🔃 Automatically updated build environment with latest runner version
 
 Self-hosted runners in AWS are useful when:
 
@@ -292,6 +292,18 @@ Other useful metrics to track:
 1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.
 2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.
 
+## Contributing
+
+If you use and love this project, please consider contributing.
+
+1. 🪳 If you see something, say something. [Issues][16] help improve the quality of the project.
+   * Include relevant logs and package versions for bugs.
+   * When possible, describe the use-case behind feature requests.
+1. 🛠️ [Pull requests][17] are welcome.
+   * Run `npm run build` before submitting to make sure all tests pass.
+   * Allow edits from maintainers so small adjustments can be made easily.
+1. 💵 Consider [sponsoring][15] the project to show your support and optionally get your name listed below.
+
 ## Other Options
 
 1. [philips-labs/terraform-aws-github-runner][3] if you're using Terraform
@@ -312,3 +324,6 @@ Other useful metrics to track:
 [12]: https://www.nuget.org/packages/CloudSnorkel.Cdk.Github.Runners/
 [13]: https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/
 [14]: https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling
+[15]: https://github.com/sponsors/CloudSnorkel
+[16]: https://github.com/CloudSnorkel/cdk-github-runners/issues
+[17]: https://github.com/CloudSnorkel/cdk-github-runners/pulls

package/assets/providers/lambda-bootstrap.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -euo pipefail
+
+while true
+do
+  # get data from lambda
+  HEADERS="$(mktemp)"
+  EVENT_DATA=$(curl -sS -LD "$HEADERS" "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/next")
+  REQUEST_ID=$(grep -Fi Lambda-Runtime-Aws-Request-Id "$HEADERS" | tr -d '[:space:]' | cut -d: -f2)
+
+  # execute runner and respond
+  if bash /runner.sh "$EVENT_DATA"; then
+    curl "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/$REQUEST_ID/response" -d ""
+  else
+    curl "http://${AWS_LAMBDA_RUNTIME_API}/2018-06-01/runtime/invocation/$REQUEST_ID/error" -d "{\"errorMessage\": \"Runner failed with exit code $?\", \"errorType\": \"Error\", \"stackTrace\": []}"
+  fi
+
+  # cleanup
+  find /tmp -mindepth 1 -maxdepth 1 -exec rm -rf '{}' \;
+done

package/assets/providers/lambda-runner.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -euo pipefail
+
+# workaround for "Cannot get required symbol EVP_rc2_cbc from libssl"
+# lambda docker image for node.js comes with stripped down libssl.so pushed in LD_LIBRARY_PATH
+if [ -f /var/lang/lib/libssl.so ]; then
+  export LD_LIBRARY_PATH=/usr/lib64:$LD_LIBRARY_PATH
+fi
+
+# extract parameters
+OWNER=$(echo "$1" | jq -r .owner)
+REPO=$(echo "$1" | jq -r .repo)
+GITHUB_DOMAIN=$(echo "$1" | jq -r .githubDomain)
+RUNNER_TOKEN=$(echo "$1" | jq -r .token)
+RUNNER_NAME=$(echo "$1" | jq -r .runnerName)
+RUNNER_LABEL=$(echo "$1" | jq -r .label)
+REGISTRATION_URL=$(echo "$1" | jq -r .registrationUrl)
+
+# copy runner code (it needs a writable directory)
+cp -r /home/runner /tmp/
+cd /tmp/runner
+
+# setup home directory
+mkdir /tmp/home
+export HOME=/tmp/home
+
+# start runner
+if [ "${RUNNER_VERSION}" = "latest" ]; then RUNNER_FLAGS=""; else RUNNER_FLAGS="--disableupdate"; fi
+./config.sh --unattended --url "${REGISTRATION_URL}" --token "${RUNNER_TOKEN}" --ephemeral --work _work --labels "${RUNNER_LABEL},cdkghr:started:`date +%s`" --name "${RUNNER_NAME}" ${RUNNER_FLAGS}
+echo Config done
+./run.sh
+echo Run done
+
+# print status for metrics
+STATUS=$(grep -Phors "finish job request for job [0-9a-f\-]+ with result: \K.*" _diag/ | tail -n1)
+[ -n "$STATUS" ] && echo CDKGHA JOB DONE "$RUNNER_LABEL" "$STATUS"

package/lib/access.js

@@ -59,7 +59,7 @@ class LambdaAccess {
 }
 exports.LambdaAccess = LambdaAccess;
 _a = JSII_RTTI_SYMBOL_1;
-LambdaAccess[_a] = { fqn: "@cloudsnorkel/cdk-github-runners.LambdaAccess", version: "0.13.3" };
+LambdaAccess[_a] = { fqn: "@cloudsnorkel/cdk-github-runners.LambdaAccess", version: "0.14.0" };
 /**
  * @internal
  */

package/lib/image-builders/api.js

@@ -43,5 +43,5 @@ class RunnerImageBuilder extends common_1.RunnerImageBuilderBase {
 }
 exports.RunnerImageBuilder = RunnerImageBuilder;
 _a = JSII_RTTI_SYMBOL_1;
-RunnerImageBuilder[_a] = { fqn: "@cloudsnorkel/cdk-github-runners.RunnerImageBuilder", version: "0.13.3" };
+RunnerImageBuilder[_a] = { fqn: "@cloudsnorkel/cdk-github-runners.RunnerImageBuilder", version: "0.14.0" };
 //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiYXBpLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL2ltYWdlLWJ1aWxkZXJzL2FwaS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiOzs7OztBQUFBLDZDQUEwQztBQUUxQywyREFBd0U7QUFDeEUsMkNBQTBEO0FBQzFELHFDQUFvSTtBQUNwSSw0Q0FBa0M7QUFFbEM7Ozs7OztHQU1HO0FBQ0gsTUFBc0Isa0JBQW1CLFNBQVEsK0JBQXNCO0lBQ3JFOztPQUVHO0lBQ0gsTUFBTSxDQUFDLEdBQUcsQ0FBQyxLQUFnQixFQUFFLEVBQVUsRUFBRSxLQUErQjtRQUN0RSxJQUFJLEtBQUssRUFBRSxVQUFVLElBQUksS0FBSyxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQzdDLHlCQUFXLENBQUMsRUFBRSxDQUFDLEtBQUssQ0FBQyxDQUFDLFVBQVUsQ0FBQyxrSEFBa0gsQ0FBQyxDQUFDO1FBQ3ZKLENBQUM7UUFFRCxJQUFJLEtBQUssRUFBRSxXQUFXLEtBQUssK0JBQXNCLENBQUMsVUFBVSxFQUFFLENBQUM7WUFDN0QsT0FBTyxJQUFJLHVDQUEyQixDQUFDLEtBQUssRUFBRSxFQUFFLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFDM0QsQ0FBQzthQUFNLElBQUksS0FBSyxFQUFFLFdBQVcsS0FBSywrQkFBc0IsQ0FBQyxpQkFBaUIsRUFBRSxDQUFDO1lBQzNFLE9BQU8sSUFBSSxxREFBaUMsQ0FBQyxLQUFLLEVBQUUsRUFBRSxFQUFFLEtBQUssQ0FBQyxDQUFDO1FBQ2pFLENBQUM7UUFFRCxNQUFNLEVBQUUsR0FBRyxLQUFLLEVBQUUsRUFBRSxJQUFJLGNBQUUsQ0FBQyxZQUFZLENBQUM7UUFDeEMsSUFBSSxFQUFFLENBQUMsSUFBSSxDQUFDLGNBQUUsQ0FBQyxtQkFBbUIsQ0FBQyxFQUFFLENBQUM7WUFDcEMsT0FBTyxJQUFJLHVDQUEyQixDQUFDLEtBQUssRUFBRSxFQUFFLEVBQUUsS0FBSyxDQUFDLENBQUM7UUFDM0QsQ0FBQzthQUFNLElBQUksRUFBRSxDQUFDLEVBQUUsQ0FBQyxjQUFFLENBQUMsT0FBTyxDQUFDLEVBQUUsQ0FBQztZQUM3QixPQUFPLElBQUkscURBQWlDLENBQUMsS0FBSyxFQUFFLEVBQUUsRUFBRSxLQUFLLENBQUMsQ0FBQztRQUNqRSxDQUFDO2FBQU0sQ0FBQztZQUNOLE1BQU0sSUFBSSxLQUFLLENBQUMsMERBQTBELEVBQUUsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxDQUFDO1FBQ3ZGLENBQUM7SUFDSCxDQUFDOztBQXZCSCxnREF3QkMiLCJzb3VyY2VzQ29udGVudCI6WyJpbXBvcnQgeyBBbm5vdGF0aW9ucyB9IGZyb20gJ2F3cy1jZGstbGliJztcbmltcG9ydCB7IENvbnN0cnVjdCB9IGZyb20gJ2NvbnN0cnVjdHMnO1xuaW1wb3J0IHsgQXdzSW1hZ2VCdWlsZGVyUnVubmVySW1hZ2VCdWlsZGVyIH0gZnJvbSAnLi9hd3MtaW1hZ2UtYnVpbGRlcic7XG5pbXBvcnQgeyBDb2RlQnVpbGRSdW5uZXJJbWFnZUJ1aWxkZXIgfSBmcm9tICcuL2NvZGVidWlsZCc7XG5pbXBvcnQgeyBJQ29uZmlndXJhYmxlUnVubmVySW1hZ2VCdWlsZGVyLCBSdW5uZXJJbWFnZUJ1aWxkZXJCYXNlLCBSdW5uZXJJbWFnZUJ1aWxkZXJQcm9wcywgUnVubmVySW1hZ2VCdWlsZGVyVHlwZSB9IGZyb20gJy4vY29tbW9uJztcbmltcG9ydCB7IE9zIH0gZnJvbSAnLi4vcHJvdmlkZXJzJztcblxuLyoqXG4gKiBHaXRIdWIgUnVubmVyIGltYWdlIGJ1aWxkZXIuIEJ1aWxkcyBhIERvY2tlciBpbWFnZSBvciBBTUkgd2l0aCBHaXRIdWIgUnVubmVyIGFuZCBvdGhlciByZXF1aXJlbWVudHMgaW5zdGFsbGVkLlxuICpcbiAqIEltYWdlcyBjYW4gYmUgY3VzdG9taXplZCBiZWZvcmUgcGFzc2VkIGludG8gdGhlIHByb3ZpZGVyIGJ5IGFkZGluZyBvciByZW1vdmluZyBjb21wb25lbnRzIHRvIGJlIGluc3RhbGxlZC5cbiAqXG4gKiBJbWFnZXMgYXJlIHJlYnVpbHQgZXZlcnkgd2VlayBieSBkZWZhdWx0IHRvIGVuc3VyZSB0aGF0IHRoZSBsYXRlc3Qgc2VjdXJpdHkgcGF0Y2hlcyBhcmUgYXBwbGllZC5cbiAqL1xuZXhwb3J0IGFic3RyYWN0IGNsYXNzIFJ1bm5lckltYWdlQnVpbGRlciBleHRlbmRzIFJ1bm5lckltYWdlQnVpbGRlckJhc2Uge1xuICAvKipcbiAgICogQ3JlYXRlIGEgbmV3IGltYWdlIGJ1aWxkZXIgYmFzZWQgb24gdGhlIHByb3ZpZGVkIHByb3BlcnRpZXMuIFRoZSBpbXBsZW1lbnRhdGlvbiB3aWxsIGRpZmZlciBiYXNlZCBvbiB0aGUgT1MsIGFyY2hpdGVjdHVyZSwgYW5kIHJlcXVlc3RlZCBidWlsZGVyIHR5cGUuXG4gICAqL1xuICBzdGF0aWMgbmV3KHNjb3BlOiBDb25zdHJ1Y3QsIGlkOiBzdHJpbmcsIHByb3BzPzogUnVubmVySW1hZ2VCdWlsZGVyUHJvcHMpOiBJQ29uZmlndXJhYmxlUnVubmVySW1hZ2VCdWlsZGVyIHtcbiAgICBpZiAocHJvcHM/LmNvbXBvbmVudHMgJiYgcHJvcHMucnVubmVyVmVyc2lvbikge1xuICAgICAgQW5ub3RhdGlvbnMub2Yoc2NvcGUpLmFkZFdhcm5pbmcoJ3J1bm5lclZlcnNpb24gaXMgaWdub3JlZCB3aGVuIGNvbXBvbmVudHMgYXJlIHNwZWNpZmllZC4gVGhlIHJ1bm5lciB2ZXJzaW9uIHdpbGwgYmUgZGV0ZXJtaW5lZCBieSB0aGUgY29tcG9uZW50cy4nKTtcbiAgICB9XG5cbiAgICBpZiAocHJvcHM/LmJ1aWxkZXJUeXBlID09PSBSdW5uZXJJbWFnZUJ1aWxkZXJUeXBlLkNPREVfQlVJTEQpIHtcbiAgICAgIHJldHVybiBuZXcgQ29kZUJ1aWxkUnVubmVySW1hZ2VCdWlsZGVyKHNjb3BlLCBpZCwgcHJvcHMpO1xuICAgIH0gZWxzZSBpZiAocHJvcHM/LmJ1aWxkZXJUeXBlID09PSBSdW5uZXJJbWFnZUJ1aWxkZXJUeXBlLkFXU19JTUFHRV9CVUlMREVSKSB7XG4gICAgICByZXR1cm4gbmV3IEF3c0ltYWdlQnVpbGRlclJ1bm5lckltYWdlQnVpbGRlcihzY29wZSwgaWQsIHByb3BzKTtcbiAgICB9XG5cbiAgICBjb25zdCBvcyA9IHByb3BzPy5vcyA/PyBPcy5MSU5VWF9VQlVOVFU7XG4gICAgaWYgKG9zLmlzSW4oT3MuX0FMTF9MSU5VWF9WRVJTSU9OUykpIHtcbiAgICAgIHJldHVybiBuZXcgQ29kZUJ1aWxkUnVubmVySW1hZ2VCdWlsZGVyKHNjb3BlLCBpZCwgcHJvcHMpO1xuICAgIH0gZWxzZSBpZiAob3MuaXMoT3MuV0lORE9XUykpIHtcbiAgICAgIHJldHVybiBuZXcgQXdzSW1hZ2VCdWlsZGVyUnVubmVySW1hZ2VCdWlsZGVyKHNjb3BlLCBpZCwgcHJvcHMpO1xuICAgIH0gZWxzZSB7XG4gICAgICB0aHJvdyBuZXcgRXJyb3IoYFVuYWJsZSB0byBmaW5kIHJ1bm5lciBpbWFnZSBidWlsZGVyIGltcGxlbWVudGF0aW9uIGZvciAke29zLm5hbWV9YCk7XG4gICAgfVxuICB9XG59XG4iXX0=

package/lib/image-builders/aws-image-builder/builder.d.ts

@@ -8,7 +8,7 @@ export interface AwsImageBuilderRunnerImageBuilderProps {
     /**
      * The instance type used to build the image.
      *
-     * @default m5.large
+     * @default m6i.large
      */
     readonly instanceType?: ec2.InstanceType;
     /**