@cloudsnorkel/cdk-github-runners 0.14.18 → 0.14.20

package/.jsii

@@ -3858,7 +3858,7 @@
   },
   "name": "@cloudsnorkel/cdk-github-runners",
   "readme": {
-    "markdown": "# GitHub Self-Hosted Runners CDK Constructs\n\n[![NPM](https://img.shields.io/npm/v/@cloudsnorkel/cdk-github-runners?label=npm&logo=npm)][7]\n[![PyPI](https://img.shields.io/pypi/v/cloudsnorkel.cdk-github-runners?label=pypi&logo=pypi)][6]\n[![Maven Central](https://img.shields.io/maven-central/v/com.cloudsnorkel/cdk.github.runners.svg?label=Maven%20Central&logo=apachemaven)][8]\n[![Go](https://img.shields.io/github/v/tag/CloudSnorkel/cdk-github-runners?color=red&label=go&logo=go)][11]\n[![Nuget](https://img.shields.io/nuget/v/CloudSnorkel.Cdk.Github.Runners?color=red&&logo=nuget)][12]\n[![Release](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml/badge.svg)](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/CloudSnorkel/cdk-github-runners/blob/main/LICENSE)\n\nUse this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.\n\n* 🧩 Easy to configure GitHub integration with a web-based interface\n* 🧠 Customizable runners with decent defaults\n* 🏃🏻 Multiple runner configurations controlled by labels\n* 🔐 Everything fully hosted in your account\n* 🔃 Automatically updated build environment with latest runner version\n\nSelf-hosted runners in AWS are useful when:\n\n* You need easy access to internal resources in your actions\n* You want to pre-install some software for your actions\n* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)\n* You are using GitHub Enterprise Server\n\nEphemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.\n\n## API\n\nThe best way to browse API documentation is on [Constructs Hub][13]. It is available in all supported programming languages.\n\n## Providers\n\nA runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.\n\n|                  | EC2               | CodeBuild                  | Fargate        | ECS            | Lambda        |\n|------------------|-------------------|----------------------------|----------------|----------------|---------------|\n| **Time limit**   | Unlimited         | 8 hours                    | Unlimited      | Unlimited      | 15 minutes    |\n| **vCPUs**        | Unlimited         | 2, 4, 8, or 72             | 0.25 to 4      | Unlimited      | 1 to 6        |\n| **RAM**          | Unlimited         | 3gb, 7gb, 15gb, or 145gb   | 512mb to 30gb  | Unlimited      | 128mb to 10gb |\n| **Storage**      | Unlimited         | 50gb to 824gb              | 20gb to 200gb  | Unlimited      | Up to 10gb    |\n| **Architecture** | x86_64, ARM64     | x86_64, ARM64              | x86_64, ARM64  | x86_64, ARM64  | x86_64, ARM64 |\n| **sudo**         | ✔                 | ✔                         | ✔              | ✔              | ❌           |\n| **Docker**       | ✔                 | ✔ (Linux only)            | ❌              | ✔              | ❌           |\n| **Spot pricing** | ✔                 | ❌                         | ✔              | ✔              | ❌           |\n| **OS**           | Linux, Windows    | Linux, Windows             | Linux, Windows | Linux, Windows | Linux         |\n\nThe best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.\n\n* EC2 is useful when you want runners to have complete access to the host\n* ECS is useful when you want to control the infrastructure, like leaving the runner host running for faster startups\n* Lambda is useful for short jobs that can work within time, size and readonly system constraints\n\nYou can also create your own provider by implementing `IRunnerProvider`.\n\n## Installation\n\n1. Install and use the appropriate package\n   <details><summary>Python</summary>\n\n   ### Install\n   Available on [PyPI][6].\n   ```bash\n   pip install cloudsnorkel.cdk-github-runners\n   ```\n   ### Use\n   ```python\n   from aws_cdk import App, Stack\n   from cloudsnorkel.cdk_github_runners import GitHubRunners\n\n   app = App()\n   stack = Stack(app, \"github-runners\")\n   GitHubRunners(stack, \"runners\")\n\n   app.synth()\n   ```\n   </details>\n   <details><summary>TypeScript or JavaScript</summary>\n\n   ### Install\n   Available on [npm][7].\n   ```bash\n   npm i @cloudsnorkel/cdk-github-runners\n   ```\n   ### Use\n   ```typescript\n   import { App, Stack } from 'aws-cdk-lib';\n   import { GitHubRunners } from '@cloudsnorkel/cdk-github-runners';\n\n   const app = new App();\n   const stack = new Stack(app, 'github-runners');\n   new GitHubRunners(stack, 'runners');\n\n   app.synth();\n   ```\n   </details>\n   <details><summary>Java</summary>\n\n   ### Install\n   Available on [Maven][8].\n   ```xml\n   <dependency>\n      <groupId>com.cloudsnorkel</groupId>\n      <artifactId>cdk.github.runners</artifactId>\n   </dependency>\n   ```\n   ### Use\n   ```java\n   import software.amazon.awscdk.App;\n   import software.amazon.awscdk.Stack;\n   import com.cloudsnorkel.cdk.github.runners.GitHubRunners;\n\n   public class Example {\n     public static void main(String[] args){\n       App app = new App();\n       Stack stack = new Stack(app, \"github-runners\");\n       GitHubRunners.Builder.create(stack, \"runners\").build();\n\n       app.synth();\n     }\n   }\n   ```\n   </details>\n   <details><summary>Go</summary>\n\n   ### Install\n   Available on [GitHub][11].\n   ```bash\n   go get github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n   ```\n   ### Use\n   ```go\n   package main\n\n   import (\n     \"github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\"\n     \"github.com/aws/aws-cdk-go/awscdk/v2\"\n     \"github.com/aws/jsii-runtime-go\"\n   )\n\n   func main() {\n     app := awscdk.NewApp(nil)\n     stack := awscdk.NewStack(app, jsii.String(\"github-runners\"), &awscdk.StackProps{})\n     cloudsnorkelcdkgithubrunners.NewGitHubRunners(stack, jsii.String(\"runners\"), &cloudsnorkelcdkgithubrunners.GitHubRunnersProps{})\n\n     app.Synth(nil)\n   }\n   ```\n   </details>\n   <details><summary>.NET</summary>\n\n   ### Install\n   Available on [Nuget][12].\n   ```bash\n   dotnet add package CloudSnorkel.Cdk.Github.Runners\n   ```\n   ### Use\n   ```csharp\n   using Amazon.CDK;\n   using CloudSnorkel;\n\n   namespace Example\n   {\n     sealed class Program\n     {\n       public static void Main(string[] args)\n       {\n         var app = new App();\n         var stack = new Stack(app, \"github-runners\");\n         new GitHubRunners(stack, \"runners\");\n         app.Synth();\n       }\n     }\n   }\n   ```\n   </details>\n2. Use `GitHubRunners` construct in your code (starting with default arguments is fine)\n3. Deploy your stack\n4. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`\n   ```\n    ✅  github-runners-test\n\n   ✨  Deployment time: 260.01s\n\n   Outputs:\n   github-runners-test.runnersstatuscommand4A30F0F5 = aws --region us-east-1 lambda invoke --function-name github-runners-test-runnersstatus1A5771C0-mvttg8oPQnQS status.json\n   ```\n5. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file\n6. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token\n7. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK\n8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, codebuild]` (or non-default labels you set in step 2)\n9. If the action is not successful, see [troubleshooting](#Troubleshooting)\n\n[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)\n\n## Customizing\n\nThe default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.\n\nFor example:\n\n```typescript\nlet vpc: ec2.Vpc;\nlet runnerSg: ec2.SecurityGroup;\nlet dbSg: ec2.SecurityGroup;\nlet bucket: s3.Bucket;\n\n// create a custom CodeBuild provider\nconst myProvider = new CodeBuildRunnerProvider(this, 'codebuild runner', {\n   labels: ['my-codebuild'],\n   vpc: vpc,\n   securityGroups: [runnerSg],\n});\n// grant some permissions to the provider\nbucket.grantReadWrite(myProvider);\ndbSg.connections.allowFrom(runnerSg, ec2.Port.tcp(3306), 'allow runners to connect to MySQL database');\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nAnother way to customize runners is by modifying the image used to spin them up. The image contains the [runner][5], any required dependencies, and integration code with the provider. You may choose to customize this image by adding more packages, for example.\n\n```typescript\nconst myBuilder = FargateRunnerProvider.imageBuilder(this, 'image builder');\nmyBuilder.addComponent(\n  RunnerImageComponent.custom({ commands: ['apt install -y nginx xz-utils'] }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-fargate'],\n   imageBuilder: myBuilder,\n});\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nYour workflow will then look like:\n\n```yaml\nname: self-hosted example\non: push\njobs:\n  self-hosted:\n    runs-on: [self-hosted, customized-fargate]\n    steps:\n      - run: echo hello world\n```\n\nWindows images can also be customized the same way.\n\n```typescript\nconst myWindowsBuilder = FargateRunnerProvider.imageBuilder(this, 'Windows image builder', {\n   architecture: Architecture.X86_64,\n   os: Os.WINDOWS,\n});\nmyWindowsBuilder.addComponent(\n   RunnerImageComponent.custom({\n     name: 'Ninja',\n     commands: [\n       'Invoke-WebRequest -UseBasicParsing -Uri \"https://github.com/ninja-build/ninja/releases/download/v1.11.1/ninja-win.zip\" -OutFile ninja.zip',\n       'Expand-Archive ninja.zip -DestinationPath C:\\\\actions',\n       'del ninja.zip',\n     ],\n   }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-windows-fargate'],\n   imageBuilder: myWindowsBuilder,\n});\n\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nThe runner OS and architecture is determined by the image it is set to use. For example, to create a Fargate runner provider for ARM64 set the `architecture` property for the image builder to `Architecture.ARM64` in the image builder properties.\n\n```typescript\nnew GitHubRunners(this, 'runners', {\n   providers: [\n      new FargateRunnerProvider(this, 'fargate runner', {\n         labels: ['arm64', 'fargate'],\n         imageBuilder: FargateRunnerProvider.imageBuilder(this, 'image builder', {\n            architecture: Architecture.ARM64,\n            os: Os.LINUX_UBUNTU,\n         }),\n      }),\n   ],\n});\n```\n\n### Composite Providers\n\nComposite providers allow you to combine multiple runner providers with different strategies. There are two types:\n\n**Fallback Strategy**: Try providers in order until one succeeds. Useful for trying spot instances first, then falling back to on-demand if spot capacity is unavailable.\n\n```typescript\n// Try spot instances first, fall back to on-demand if spot is unavailable\nconst ecsFallback = CompositeProvider.fallback(this, 'ECS Fallback', [\n  new EcsRunnerProvider(this, 'ECS Spot', {\n    labels: ['ecs', 'linux', 'x64'],\n    spot: true,\n    // ... other config\n  }),\n  new EcsRunnerProvider(this, 'ECS On-Demand', {\n    labels: ['ecs', 'linux', 'x64'],\n    spot: false,\n    // ... other config\n  }),\n]);\n\nnew GitHubRunners(this, 'runners', {\n  providers: [ecsFallback],\n});\n```\n\n**Weighted Distribution Strategy**: Randomly select a provider based on weights. Useful for distributing load across multiple availability zones or instance types.\n\n```typescript\n// Distribute 60% of traffic to AZ-1, 40% to AZ-2\nconst distributedProvider = CompositeProvider.distribute(this, 'Fargate Distribution', [\n  {\n    weight: 3, // 3/(3+2) = 60%\n    provider: new FargateRunnerProvider(this, 'Fargate AZ-1', {\n      labels: ['fargate', 'linux', 'x64'],\n      subnetSelection: vpc.selectSubnets({\n        availabilityZones: [vpc.availabilityZones[0]],\n      }),\n      // ... other config\n    }),\n  },\n  {\n    weight: 2, // 2/(3+2) = 40%\n    provider: new FargateRunnerProvider(this, 'Fargate AZ-2', {\n      labels: ['fargate', 'linux', 'x64'],\n      subnetSelection: vpc.selectSubnets({\n        availabilityZones: [vpc.availabilityZones[1]],\n      }),\n      // ... other config\n    }),\n  },\n]);\n\nnew GitHubRunners(this, 'runners', {\n  providers: [distributedProvider],\n});\n```\n\n**Important**: All providers in a composite must have the exact same labels. This ensures any provisioned runner can match the labels requested by the GitHub workflow job.\n\n### Custom Provider Selection\n\nBy default, providers are selected based on label matching: the first provider that has all the labels requested by the job is selected. You can customize this behavior using a provider selector Lambda function to:\n\n* Filter out certain jobs (prevent runner provisioning)\n* Dynamically select a provider based on job characteristics (repository, branch, time of day, etc.)\n* Customize labels for the runner (add, remove, or modify labels dynamically)\n\nThe selector function receives the full GitHub webhook payload, a map of all available providers and their labels, and the default provider/labels that would have been selected. It returns the provider to use (or `undefined` to skip runner creation) and the labels to assign to the runner.\n\n**Example: Route jobs to different providers based on repository**\n\n```typescript\nimport { ComputeType } from 'aws-cdk-lib/aws-codebuild';\nimport { Function, Code, Runtime } from 'aws-cdk-lib/aws-lambda';\nimport { GitHubRunners, CodeBuildRunnerProvider } from '@cloudsnorkel/cdk-github-runners';\n\nconst defaultProvider = new CodeBuildRunnerProvider(this, 'default', {\n  labels: ['custom-runner', 'default'],\n});\nconst productionProvider = new CodeBuildRunnerProvider(this, 'production', {\n  labels: ['custom-runner', 'production'],\n  computeType: ComputeType.LARGE,\n});\n\nconst providerSelector = new Function(this, 'provider-selector', {\n  runtime: Runtime.NODEJS_LATEST,\n  handler: 'index.handler',\n  code: Code.fromInline(`\n    exports.handler = async (event) => {\n      const { payload, providers, defaultProvider, defaultLabels } = event;\n\n      // Route production repos to dedicated provider\n      if (payload.repository.name.includes('prod')) {\n        return {\n          provider: '${productionProvider.node.path}',\n          labels: ['custom-runner', 'production', 'modified-via-selector'],\n        };\n      }\n\n      // Filter out draft PRs\n      if (payload.workflow_job.head_branch?.startsWith('draft/')) {\n        return { provider: undefined }; // Skip runner provisioning\n      }\n\n      // Use default for everything else\n      return {\n        provider: defaultProvider,\n        labels: defaultLabels,\n      };\n    };\n  `),\n});\n\nnew GitHubRunners(this, 'runners', {\n   providers: [defaultProvider, productionProvider],\n   providerSelector: providerSelector,\n});\n```\n\n**Example: Add dynamic labels based on job metadata**\n\n```typescript\nconst providerSelector = new Function(this, 'provider-selector', {\n  runtime: Runtime.NODEJS_LATEST,\n  handler: 'index.handler',\n  code: Code.fromInline(`\n    exports.handler = async (event) => {\n      const { payload, defaultProvider, defaultLabels } = event;\n\n      // Add branch name as a label\n      const branch = payload.workflow_job.head_branch || 'unknown';\n      const labels = [...(defaultLabels || []), 'branch:' + branch];\n\n      return {\n        provider: defaultProvider,\n        labels: labels,\n      };\n    };\n  `),\n});\n```\n\n**Important considerations:**\n\n* ⚠️ **Label matching responsibility**: You are responsible for ensuring the selected provider's labels match what the job requires. If labels don't match, the runner will be provisioned but GitHub Actions won't assign the job to it.\n* ⚠️ **No guarantee of assignment**: Provider selection only determines which provider will provision a runner. GitHub Actions may still route the job to any available runner with matching labels. For reliable provider assignment, consider repo-level runner registration (the default).\n* ⚡ **Performance**: The selector runs synchronously during webhook processing. Keep it fast and efficient—the webhook has a 30-second timeout total.\n\n## Examples\n\nBeyond the code snippets above, the fullest example available is the [integration test](test/default.integ.ts).\n\nIf you have more to share, please open a PR adding them to the `examples` folder.\n\n## Architecture\n\n![Architecture diagram](architecture.svg)\n\n## Troubleshooting\n\nRunners are started in response to a webhook coming in from GitHub. If there are any issues starting the runner like missing capacity or transient API issues, the provider will keep retrying for 24 hours. Configuration issue related errors like pointing to a missing AMI will not be retried. GitHub itself will cancel the job if it can't find a runner for 24 hours. If your jobs don't start, follow the steps below to examine all parts of this workflow.\n\n1. Always start with the status function, make sure no errors are reported, and confirm all status codes are OK\n2. Make sure `runs-on` in the workflow matches the expected labels set in the runner provider\n3. Diagnose relevant executions of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`\n   1. If the execution failed, check your runner provider configuration for errors\n   2. If the execution is still running for a long time, check the execution events to see why runner starting is being retried\n   3. If there are no relevant executions, move to the next step\n4. Confirm the webhook Lambda was called by visiting the URL in `troubleshooting.webhookHandlerUrl` from `status.json`\n   1. If it's not called or logs errors, confirm the webhook settings on the GitHub side\n   2. If you see too many errors, make sure you're only sending `workflow_job` events\n5. When using GitHub app, make sure there are active installations in `github.auth.app.installations`\n\nAll logs are saved in CloudWatch.\n* Log group names can be found in `status.json` for each provider, image builder, and other parts of the system\n* Some useful Logs Insights queries can be enabled with `GitHubRunners.createLogsInsightsQueries()`\n\nTo get `status.json`, check out the CloudFormation stack output for a command that generates it. The command looks like:\n\n```\naws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json\n```\n\n## Monitoring\n\nThere are two important ways to monitor your runners:\n\n1. Make sure runners don't fail to start. When that happens, jobs may sit and wait. Use `GitHubRunners.metricFailed()` to get a metric for the number of failed runner starts. You should use this metric to trigger an alarm.\n2. Make sure runner images don't fail to build. Failed runner image builds mean you will get stuck with out-of-date software on your runners. It may lead to security vulnerabilities, or it may lead to slower runner start-ups as the runner software itself needs to be updated. Use `GitHubRunners.failedImageBuildsTopic()` to get SNS topic that gets notified of failed runner image builds. You should subscribe to this topic.\n\nOther useful metrics to track:\n\n1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.\n2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.\n\n## Contributing\n\nIf you use and love this project, please consider contributing.\n\n1. 🪳 If you see something, say something. [Issues][16] help improve the quality of the project.\n   * Include relevant logs and package versions for bugs.\n   * When possible, describe the use-case behind feature requests.\n1. 🛠️ [Pull requests][17] are welcome.\n   * Run `npm run build` before submitting to make sure all tests pass.\n   * Allow edits from maintainers so small adjustments can be made easily.\n1. 💵 Consider [sponsoring][15] the project to show your support and optionally get your name listed below.\n\n## Other Options\n\n1. [philips-labs/terraform-aws-github-runner][3] if you're using Terraform\n2. [actions/actions-runner-controller][4] if you're using Kubernetes\n\n\n[1]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners\n[2]: https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions\n[3]: https://github.com/philips-labs/terraform-aws-github-runner\n[4]: https://github.com/actions/actions-runner-controller\n[5]: https://github.com/actions/runner\n[6]: https://pypi.org/project/cloudsnorkel.cdk-github-runners\n[7]: https://www.npmjs.com/package/@cloudsnorkel/cdk-github-runners\n[8]: https://central.sonatype.com/artifact/com.cloudsnorkel/cdk.github.runners/\n[9]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps\n[10]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[11]: https://pkg.go.dev/github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n[12]: https://www.nuget.org/packages/CloudSnorkel.Cdk.Github.Runners/\n[13]: https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/\n[14]: https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling\n[15]: https://github.com/sponsors/CloudSnorkel\n[16]: https://github.com/CloudSnorkel/cdk-github-runners/issues\n[17]: https://github.com/CloudSnorkel/cdk-github-runners/pulls\n"
+    "markdown": "# GitHub Self-Hosted Runners CDK Constructs\n\n[![NPM](https://img.shields.io/npm/v/@cloudsnorkel/cdk-github-runners?label=npm&logo=npm)][7]\n[![PyPI](https://img.shields.io/pypi/v/cloudsnorkel.cdk-github-runners?label=pypi&logo=pypi)][6]\n[![Maven Central](https://img.shields.io/maven-central/v/com.cloudsnorkel/cdk.github.runners.svg?label=Maven%20Central&logo=apachemaven)][8]\n[![Go](https://img.shields.io/github/v/tag/CloudSnorkel/cdk-github-runners?color=red&label=go&logo=go)][11]\n[![Nuget](https://img.shields.io/nuget/v/CloudSnorkel.Cdk.Github.Runners?color=red&&logo=nuget)][12]\n[![Release](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml/badge.svg)](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/CloudSnorkel/cdk-github-runners/blob/main/LICENSE)\n\nUse this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.\n\n* 🧩 Easy to configure GitHub integration with a web-based interface\n* 🧠 Customizable runners with decent defaults\n* 🏃🏻 Multiple runner configurations controlled by labels\n* 🔐 Everything fully hosted in your account\n* 🔃 Automatically updated build environment with latest runner version\n\nSelf-hosted runners in AWS are useful when:\n\n* You need easy access to internal resources in your actions\n* You want to pre-install some software for your actions\n* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)\n* You are using GitHub Enterprise Server\n\nEphemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.\n\n## API\n\nThe best way to browse API documentation is on [Constructs Hub][13]. It is available in all supported programming languages.\n\n## Providers\n\nA runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.\n\n|                  | EC2               | CodeBuild                  | Fargate        | ECS            | Lambda        |\n|------------------|-------------------|----------------------------|----------------|----------------|---------------|\n| **Time limit**   | Unlimited         | 8 hours                    | Unlimited      | Unlimited      | 15 minutes    |\n| **vCPUs**        | Unlimited         | 2, 4, 8, or 72             | 0.25 to 4      | Unlimited      | 1 to 6        |\n| **RAM**          | Unlimited         | 3gb, 7gb, 15gb, or 145gb   | 512mb to 30gb  | Unlimited      | 128mb to 10gb |\n| **Storage**      | Unlimited         | 50gb to 824gb              | 20gb to 200gb  | Unlimited      | Up to 10gb    |\n| **Architecture** | x86_64, ARM64     | x86_64, ARM64              | x86_64, ARM64  | x86_64, ARM64  | x86_64, ARM64 |\n| **sudo**         | ✔                 | ✔                         | ✔              | ✔              | ❌           |\n| **Docker**       | ✔                 | ✔ (Linux only)            | ❌              | ✔              | ❌           |\n| **Spot pricing** | ✔                 | ❌                         | ✔              | ✔              | ❌           |\n| **OS**           | Linux, Windows    | Linux, Windows             | Linux, Windows | Linux, Windows | Linux         |\n\nThe best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.\n\n* EC2 is useful when you want runners to have complete access to the host\n* ECS is useful when you want to control the infrastructure, like leaving the runner host running for faster startups\n* Lambda is useful for short jobs that can work within time, size and readonly system constraints\n\nYou can also create your own provider by implementing `IRunnerProvider`.\n\n## Installation\n\n1. Install and use the appropriate package\n   <details><summary>Python</summary>\n\n   ### Install\n   Available on [PyPI][6].\n   ```bash\n   pip install cloudsnorkel.cdk-github-runners\n   ```\n   ### Use\n   ```python\n   from aws_cdk import App, Stack\n   from cloudsnorkel.cdk_github_runners import GitHubRunners\n\n   app = App()\n   stack = Stack(app, \"github-runners\")\n   GitHubRunners(stack, \"runners\")\n\n   app.synth()\n   ```\n   </details>\n   <details><summary>TypeScript or JavaScript</summary>\n\n   ### Install\n   Available on [npm][7].\n   ```bash\n   npm i @cloudsnorkel/cdk-github-runners\n   ```\n   ### Use\n   ```typescript\n   import { App, Stack } from 'aws-cdk-lib';\n   import { GitHubRunners } from '@cloudsnorkel/cdk-github-runners';\n\n   const app = new App();\n   const stack = new Stack(app, 'github-runners');\n   new GitHubRunners(stack, 'runners');\n\n   app.synth();\n   ```\n   </details>\n   <details><summary>Java</summary>\n\n   ### Install\n   Available on [Maven][8].\n   ```xml\n   <dependency>\n      <groupId>com.cloudsnorkel</groupId>\n      <artifactId>cdk.github.runners</artifactId>\n   </dependency>\n   ```\n   ### Use\n   ```java\n   import software.amazon.awscdk.App;\n   import software.amazon.awscdk.Stack;\n   import com.cloudsnorkel.cdk.github.runners.GitHubRunners;\n\n   public class Example {\n     public static void main(String[] args){\n       App app = new App();\n       Stack stack = new Stack(app, \"github-runners\");\n       GitHubRunners.Builder.create(stack, \"runners\").build();\n\n       app.synth();\n     }\n   }\n   ```\n   </details>\n   <details><summary>Go</summary>\n\n   ### Install\n   Available on [GitHub][11].\n   ```bash\n   go get github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n   ```\n   ### Use\n   ```go\n   package main\n\n   import (\n     \"github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\"\n     \"github.com/aws/aws-cdk-go/awscdk/v2\"\n     \"github.com/aws/jsii-runtime-go\"\n   )\n\n   func main() {\n     app := awscdk.NewApp(nil)\n     stack := awscdk.NewStack(app, jsii.String(\"github-runners\"), &awscdk.StackProps{})\n     cloudsnorkelcdkgithubrunners.NewGitHubRunners(stack, jsii.String(\"runners\"), &cloudsnorkelcdkgithubrunners.GitHubRunnersProps{})\n\n     app.Synth(nil)\n   }\n   ```\n   </details>\n   <details><summary>.NET</summary>\n\n   ### Install\n   Available on [Nuget][12].\n   ```bash\n   dotnet add package CloudSnorkel.Cdk.Github.Runners\n   ```\n   ### Use\n   ```csharp\n   using Amazon.CDK;\n   using CloudSnorkel;\n\n   namespace Example\n   {\n     sealed class Program\n     {\n       public static void Main(string[] args)\n       {\n         var app = new App();\n         var stack = new Stack(app, \"github-runners\");\n         new GitHubRunners(stack, \"runners\");\n         app.Synth();\n       }\n     }\n   }\n   ```\n   </details>\n2. Use `GitHubRunners` construct in your code (starting with default arguments is fine)\n3. Deploy your stack\n4. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`\n   ```\n    ✅  github-runners-test\n\n   ✨  Deployment time: 260.01s\n\n   Outputs:\n   github-runners-test.runnersstatuscommand4A30F0F5 = aws --region us-east-1 lambda invoke --function-name github-runners-test-runnersstatus1A5771C0-mvttg8oPQnQS status.json\n   ```\n5. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file\n6. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token\n7. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK\n8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, codebuild]` (or non-default labels you set in step 2)\n9. If the action is not successful, see [troubleshooting](#Troubleshooting)\n\n[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)\n\n## Customizing\n\nThe default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.\n\nFor example:\n\n```typescript\nlet vpc: ec2.Vpc;\nlet runnerSg: ec2.SecurityGroup;\nlet dbSg: ec2.SecurityGroup;\nlet bucket: s3.Bucket;\n\n// create a custom CodeBuild provider\nconst myProvider = new CodeBuildRunnerProvider(this, 'codebuild runner', {\n   labels: ['my-codebuild'],\n   vpc: vpc,\n   securityGroups: [runnerSg],\n});\n// grant some permissions to the provider\nbucket.grantReadWrite(myProvider);\ndbSg.connections.allowFrom(runnerSg, ec2.Port.tcp(3306), 'allow runners to connect to MySQL database');\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nAnother way to customize runners is by modifying the image used to spin them up. The image contains the [runner][5], any required dependencies, and integration code with the provider. You may choose to customize this image by adding more packages, for example.\n\n```typescript\nconst myBuilder = FargateRunnerProvider.imageBuilder(this, 'image builder');\nmyBuilder.addComponent(\n  RunnerImageComponent.custom({ commands: ['apt install -y nginx xz-utils'] }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-fargate'],\n   imageBuilder: myBuilder,\n});\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nYour workflow will then look like:\n\n```yaml\nname: self-hosted example\non: push\njobs:\n  self-hosted:\n    runs-on: [self-hosted, customized-fargate]\n    steps:\n      - run: echo hello world\n```\n\nWindows images can also be customized the same way.\n\n```typescript\nconst myWindowsBuilder = FargateRunnerProvider.imageBuilder(this, 'Windows image builder', {\n   architecture: Architecture.X86_64,\n   os: Os.WINDOWS,\n});\nmyWindowsBuilder.addComponent(\n   RunnerImageComponent.custom({\n     name: 'Ninja',\n     commands: [\n       'Invoke-WebRequest -UseBasicParsing -Uri \"https://github.com/ninja-build/ninja/releases/download/v1.11.1/ninja-win.zip\" -OutFile ninja.zip',\n       'Expand-Archive ninja.zip -DestinationPath C:\\\\actions',\n       'del ninja.zip',\n     ],\n   }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n   labels: ['customized-windows-fargate'],\n   imageBuilder: myWindowsBuilder,\n});\n\nnew GitHubRunners(this, 'runners', {\n   providers: [myProvider],\n});\n```\n\nThe runner OS and architecture is determined by the image it is set to use. For example, to create a Fargate runner provider for ARM64 set the `architecture` property for the image builder to `Architecture.ARM64` in the image builder properties.\n\n```typescript\nnew GitHubRunners(this, 'runners', {\n   providers: [\n      new FargateRunnerProvider(this, 'fargate runner', {\n         labels: ['arm64', 'fargate'],\n         imageBuilder: FargateRunnerProvider.imageBuilder(this, 'image builder', {\n            architecture: Architecture.ARM64,\n            os: Os.LINUX_UBUNTU,\n         }),\n      }),\n   ],\n});\n```\n\n### Composite Providers\n\nComposite providers allow you to combine multiple runner providers with different strategies. There are two types:\n\n**Fallback Strategy**: Try providers in order until one succeeds. Useful for trying spot instances first, then falling back to on-demand if spot capacity is unavailable.\n\n```typescript\n// Try spot instances first, fall back to on-demand if spot is unavailable\nconst ecsFallback = CompositeProvider.fallback(this, 'ECS Fallback', [\n  new EcsRunnerProvider(this, 'ECS Spot', {\n    labels: ['ecs', 'linux', 'x64'],\n    spot: true,\n    // ... other config\n  }),\n  new EcsRunnerProvider(this, 'ECS On-Demand', {\n    labels: ['ecs', 'linux', 'x64'],\n    spot: false,\n    // ... other config\n  }),\n]);\n\nnew GitHubRunners(this, 'runners', {\n  providers: [ecsFallback],\n});\n```\n\n**Weighted Distribution Strategy**: Randomly select a provider based on weights. Useful for distributing load across multiple availability zones or instance types.\n\n```typescript\n// Distribute 60% of traffic to AZ-1, 40% to AZ-2\nconst distributedProvider = CompositeProvider.distribute(this, 'Fargate Distribution', [\n  {\n    weight: 3, // 3/(3+2) = 60%\n    provider: new FargateRunnerProvider(this, 'Fargate AZ-1', {\n      labels: ['fargate', 'linux', 'x64'],\n      subnetSelection: vpc.selectSubnets({\n        availabilityZones: [vpc.availabilityZones[0]],\n      }),\n      // ... other config\n    }),\n  },\n  {\n    weight: 2, // 2/(3+2) = 40%\n    provider: new FargateRunnerProvider(this, 'Fargate AZ-2', {\n      labels: ['fargate', 'linux', 'x64'],\n      subnetSelection: vpc.selectSubnets({\n        availabilityZones: [vpc.availabilityZones[1]],\n      }),\n      // ... other config\n    }),\n  },\n]);\n\nnew GitHubRunners(this, 'runners', {\n  providers: [distributedProvider],\n});\n```\n\n**Important**: All providers in a composite must have the exact same labels. This ensures any provisioned runner can match the labels requested by the GitHub workflow job.\n\n### Custom Provider Selection\n\nBy default, providers are selected based on label matching: the first provider that has all the labels requested by the job is selected. You can customize this behavior using a provider selector Lambda function to:\n\n* Filter out certain jobs (prevent runner provisioning)\n* Dynamically select a provider based on job characteristics (repository, branch, time of day, etc.)\n* Customize labels for the runner (add, remove, or modify labels dynamically)\n\nThe selector function receives the full GitHub webhook payload, a map of all available providers and their labels, and the default provider/labels that would have been selected. It returns the provider to use (or `undefined` to skip runner creation) and the labels to assign to the runner.\n\n**Example: Route jobs to different providers based on repository**\n\n```typescript\nimport { ComputeType } from 'aws-cdk-lib/aws-codebuild';\nimport { Function, Code, Runtime } from 'aws-cdk-lib/aws-lambda';\nimport { GitHubRunners, CodeBuildRunnerProvider } from '@cloudsnorkel/cdk-github-runners';\n\nconst defaultProvider = new CodeBuildRunnerProvider(this, 'default', {\n  labels: ['custom-runner', 'default'],\n});\nconst productionProvider = new CodeBuildRunnerProvider(this, 'production', {\n  labels: ['custom-runner', 'production'],\n  computeType: ComputeType.LARGE,\n});\n\nconst providerSelector = new Function(this, 'provider-selector', {\n  runtime: Runtime.NODEJS_LATEST,\n  handler: 'index.handler',\n  code: Code.fromInline(`\n    exports.handler = async (event) => {\n      const { payload, providers, defaultProvider, defaultLabels } = event;\n\n      // Route production repos to dedicated provider\n      if (payload.repository.name.includes('prod')) {\n        return {\n          provider: '${productionProvider.node.path}',\n          labels: ['custom-runner', 'production', 'modified-via-selector'],\n        };\n      }\n\n      // Filter out draft PRs\n      if (payload.workflow_job.head_branch?.startsWith('draft/')) {\n        return { provider: undefined }; // Skip runner provisioning\n      }\n\n      // Use default for everything else\n      return {\n        provider: defaultProvider,\n        labels: defaultLabels,\n      };\n    };\n  `),\n});\n\nnew GitHubRunners(this, 'runners', {\n   providers: [defaultProvider, productionProvider],\n   providerSelector: providerSelector,\n});\n```\n\n**Example: Add dynamic labels based on job metadata**\n\n```typescript\nconst providerSelector = new Function(this, 'provider-selector', {\n  runtime: Runtime.NODEJS_LATEST,\n  handler: 'index.handler',\n  code: Code.fromInline(`\n    exports.handler = async (event) => {\n      const { payload, defaultProvider, defaultLabels } = event;\n\n      // Add branch name as a label\n      const branch = payload.workflow_job.head_branch || 'unknown';\n      const labels = [...(defaultLabels || []), 'branch:' + branch];\n\n      return {\n        provider: defaultProvider,\n        labels: labels,\n      };\n    };\n  `),\n});\n```\n\n**Important considerations:**\n\n* ⚠️ **Label matching responsibility**: You are responsible for ensuring the selected provider's labels match what the job requires. If labels don't match, the runner will be provisioned but GitHub Actions won't assign the job to it.\n* ⚠️ **No guarantee of assignment**: Provider selection only determines which provider will provision a runner. GitHub Actions may still route the job to any available runner with matching labels. For reliable provider assignment, consider repo-level runner registration (the default).\n* ⚡ **Performance**: The selector runs synchronously during webhook processing. Keep it fast and efficient—the webhook has a 30-second timeout total.\n\n## Examples\n\nWe provide comprehensive examples in the [`examples/`](examples/) folder to help you get started quickly:\n\n### Getting Started\n- **[Simple CodeBuild](examples/typescript/simple-codebuild/)** - Basic setup with just a CodeBuild provider (also available in [Python](examples/python/simple-codebuild/))\n\n### Provider Configuration\n- **[Composite Provider](examples/typescript/composite-provider/)** - Fallback and weighted distribution strategies (also available in [Python](examples/python/composite-provider/))\n- **[Provider Selector](examples/typescript/provider-selector/)** - Custom provider selection with Lambda function (also available in [Python](examples/python/provider-selector/))\n- **[EC2 Windows Provider](examples/typescript/ec2-windows-provider/)** - EC2 configuration for Windows runners (also available in [Python](examples/python/ec2-windows-provider/))\n\n### Compute & Performance\n- **[Compute Options](examples/typescript/compute-options/)** - Configure CPU, memory, and instance types for different providers (also available in [Python](examples/python/compute-options/))\n- **[Spot Instances](examples/typescript/spot-instances/)** - Use spot instances for cost savings across EC2, Fargate, and ECS (also available in [Python](examples/python/spot-instances/))\n- **[Storage Options](examples/typescript/storage-options/)** - Custom EBS storage options for EC2 runners (also available in [Python](examples/python/storage-options/))\n- **[ECS Scaling](examples/typescript/ecs-scaling/)** - Custom autoscaling group scaling policies for ECS providers (also available in [Python](examples/python/ecs-scaling/))\n\n### Security & Access\n- **[IAM Permissions](examples/typescript/iam-permissions/)** - Grant AWS IAM permissions to runners (also available in [Python](examples/python/iam-permissions/))\n- **[Network Access](examples/typescript/network-access/)** - Configure network access with VPCs and security groups (also available in [Python](examples/python/network-access/))\n- **[Access Control](examples/typescript/access-control/)** - Configure access control for webhook and setup functions (also available in [Python](examples/python/access-control/))\n\n### Customization\n- **[Add Software](examples/typescript/add-software/)** - Add custom software to runner images (also available in [Python](examples/python/add-software/))\n\n### Enterprise & Monitoring\n- **[GHES](examples/typescript/ghes/)** - Configure runners for GitHub Enterprise Server (also available in [Python](examples/python/ghes/))\n- **[Monitoring](examples/typescript/monitoring/)** - Set up CloudWatch alarms and SNS notifications (also available in [Python](examples/python/monitoring/))\n\nEach example is self-contained with its own dependencies and README. Start with the simple examples and work your way up to more advanced configurations.\n\nAnother good and very full example is the [integration test](test/default.integ.ts).\n\nIf you have more to share, please open a PR adding examples to the `examples` folder.\n\n## Architecture\n\n![Architecture diagram](architecture.svg)\n\n## Troubleshooting\n\nRunners are started in response to a webhook coming in from GitHub. If there are any issues starting the runner like missing capacity or transient API issues, the provider will keep retrying for 24 hours. Configuration issue related errors like pointing to a missing AMI will not be retried. GitHub itself will cancel the job if it can't find a runner for 24 hours. If your jobs don't start, follow the steps below to examine all parts of this workflow.\n\n1. Always start with the status function, make sure no errors are reported, and confirm all status codes are OK\n2. Make sure `runs-on` in the workflow matches the expected labels set in the runner provider\n3. Diagnose relevant executions of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`\n   1. If the execution failed, check your runner provider configuration for errors\n   2. If the execution is still running for a long time, check the execution events to see why runner starting is being retried\n   3. If there are no relevant executions, move to the next step\n4. Confirm the webhook Lambda was called by visiting the URL in `troubleshooting.webhookHandlerUrl` from `status.json`\n   1. If it's not called or logs errors, confirm the webhook settings on the GitHub side\n   2. If you see too many errors, make sure you're only sending `workflow_job` events\n5. When using GitHub app, make sure there are active installations in `github.auth.app.installations`\n\nAll logs are saved in CloudWatch.\n* Log group names can be found in `status.json` for each provider, image builder, and other parts of the system\n* Some useful Logs Insights queries can be enabled with `GitHubRunners.createLogsInsightsQueries()`\n\nTo get `status.json`, check out the CloudFormation stack output for a command that generates it. The command looks like:\n\n```\naws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json\n```\n\n## Monitoring\n\nThere are two important ways to monitor your runners:\n\n1. Make sure runners don't fail to start. When that happens, jobs may sit and wait. Use `GitHubRunners.metricFailed()` to get a metric for the number of failed runner starts. You should use this metric to trigger an alarm.\n2. Make sure runner images don't fail to build. Failed runner image builds mean you will get stuck with out-of-date software on your runners. It may lead to security vulnerabilities, or it may lead to slower runner start-ups as the runner software itself needs to be updated. Use `GitHubRunners.failedImageBuildsTopic()` to get SNS topic that gets notified of failed runner image builds. You should subscribe to this topic.\n\nOther useful metrics to track:\n\n1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.\n2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.\n\n## Contributing\n\nIf you use and love this project, please consider contributing.\n\n1. 🪳 If you see something, say something. [Issues][16] help improve the quality of the project.\n   * Include relevant logs and package versions for bugs.\n   * When possible, describe the use-case behind feature requests.\n1. 🛠️ [Pull requests][17] are welcome.\n   * Run `npm run build` before submitting to make sure all tests pass.\n   * Allow edits from maintainers so small adjustments can be made easily.\n1. 💵 Consider [sponsoring][15] the project to show your support and optionally get your name listed below.\n\n## Other Options\n\n1. [github-aws-runners/terraform-aws-github-runner][3] if you're using Terraform\n2. [actions/actions-runner-controller][4] if you're using Kubernetes\n\n\n[1]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners\n[2]: https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions\n[3]: https://github.com/github-aws-runners/terraform-aws-github-runner\n[4]: https://github.com/actions/actions-runner-controller\n[5]: https://github.com/actions/runner\n[6]: https://pypi.org/project/cloudsnorkel.cdk-github-runners\n[7]: https://www.npmjs.com/package/@cloudsnorkel/cdk-github-runners\n[8]: https://central.sonatype.com/artifact/com.cloudsnorkel/cdk.github.runners/\n[9]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps\n[10]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[11]: https://pkg.go.dev/github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n[12]: https://www.nuget.org/packages/CloudSnorkel.Cdk.Github.Runners/\n[13]: https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/\n[14]: https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling\n[15]: https://github.com/sponsors/CloudSnorkel\n[16]: https://github.com/CloudSnorkel/cdk-github-runners/issues\n[17]: https://github.com/CloudSnorkel/cdk-github-runners/pulls\n"
   },
   "repository": {
     "type": "git",
@@ -4813,7 +4813,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/aws-image-builder/builder.ts",
-        "line": 33
+        "line": 34
       },
       "name": "AwsImageBuilderRunnerImageBuilderProps",
       "properties": [
@@ -4828,7 +4828,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 57
+            "line": 58
           },
           "name": "fastLaunchOptions",
           "optional": true,
@@ -4837,44 +4837,512 @@
           }
         },
         {
-          "abstract": true,
+          "abstract": true,
+          "docs": {
+            "default": "m6i.large",
+            "stability": "experimental",
+            "summary": "The instance type used to build the image."
+          },
+          "immutable": true,
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/builder.ts",
+            "line": 40
+          },
+          "name": "instanceType",
+          "optional": true,
+          "type": {
+            "fqn": "aws-cdk-lib.aws_ec2.InstanceType"
+          }
+        },
+        {
+          "abstract": true,
+          "docs": {
+            "default": "default size for AMI (usually 30GB for Linux and 50GB for Windows)",
+            "remarks": "Use this if you're building images with big components and need more space.",
+            "stability": "experimental",
+            "summary": "Size of volume available for builder instances. This modifies the boot volume size and doesn't add any additional volumes."
+          },
+          "immutable": true,
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/builder.ts",
+            "line": 49
+          },
+          "name": "storageSize",
+          "optional": true,
+          "type": {
+            "fqn": "aws-cdk-lib.Size"
+          }
+        }
+      ],
+      "symbolId": "src/image-builders/aws-image-builder/builder:AwsImageBuilderRunnerImageBuilderProps"
+    },
+    "@cloudsnorkel/cdk-github-runners.BaseContainerImage": {
+      "assembly": "@cloudsnorkel/cdk-github-runners",
+      "docs": {
+        "remarks": "This class is adapted from AWS CDK's BaseContainerImage class to support both string and object inputs.",
+        "stability": "experimental",
+        "summary": "Represents a base container image that is used to start from in EC2 Image Builder container builds."
+      },
+      "fqn": "@cloudsnorkel/cdk-github-runners.BaseContainerImage",
+      "initializer": {
+        "docs": {
+          "stability": "experimental"
+        },
+        "locationInModule": {
+          "filename": "src/image-builders/aws-image-builder/base-image.ts",
+          "line": 163
+        },
+        "parameters": [
+          {
+            "name": "image",
+            "type": {
+              "primitive": "string"
+            }
+          },
+          {
+            "name": "ecrRepository",
+            "optional": true,
+            "type": {
+              "fqn": "aws-cdk-lib.aws_ecr.IRepository"
+            }
+          }
+        ],
+        "protected": true
+      },
+      "kind": "class",
+      "locationInModule": {
+        "filename": "src/image-builders/aws-image-builder/base-image.ts",
+        "line": 110
+      },
+      "methods": [
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The DockerHub image to use as the base image in a container recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 117
+          },
+          "name": "fromDockerHub",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The DockerHub repository where the base image resides in."
+              },
+              "name": "repository",
+              "type": {
+                "primitive": "string"
+              }
+            },
+            {
+              "docs": {
+                "summary": "The tag of the base image in the DockerHub repository."
+              },
+              "name": "tag",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseContainerImage"
+            }
+          },
+          "static": true
+        },
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The ECR container image to use as the base image in a container recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 127
+          },
+          "name": "fromEcr",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The ECR repository where the base image resides in."
+              },
+              "name": "repository",
+              "type": {
+                "fqn": "aws-cdk-lib.aws_ecr.IRepository"
+              }
+            },
+            {
+              "docs": {
+                "summary": "The tag of the base image in the ECR repository."
+              },
+              "name": "tag",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseContainerImage"
+            }
+          },
+          "static": true
+        },
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The ECR public container image to use as the base image in a container recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 138
+          },
+          "name": "fromEcrPublic",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The alias of the ECR public registry where the base image resides in."
+              },
+              "name": "registryAlias",
+              "type": {
+                "primitive": "string"
+              }
+            },
+            {
+              "docs": {
+                "summary": "The name of the ECR public repository, where the base image resides in."
+              },
+              "name": "repositoryName",
+              "type": {
+                "primitive": "string"
+              }
+            },
+            {
+              "docs": {
+                "summary": "The tag of the base image in the ECR public repository."
+              },
+              "name": "tag",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseContainerImage"
+            }
+          },
+          "static": true
+        },
+        {
+          "docs": {
+            "remarks": "This can be an EC2 Image Builder image ARN,\nan ECR or ECR public image, or a container URI sourced from a third-party container registry such as DockerHub.",
+            "stability": "experimental",
+            "summary": "The string value of the base image to use in a container recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 148
+          },
+          "name": "fromString",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The base image as a direct string value."
+              },
+              "name": "baseContainerImageString",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseContainerImage"
+            }
+          },
+          "static": true
+        }
+      ],
+      "name": "BaseContainerImage",
+      "properties": [
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The rendered base image to use."
+          },
+          "immutable": true,
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 155
+          },
+          "name": "image",
+          "type": {
+            "primitive": "string"
+          }
+        },
+        {
+          "docs": {
+            "remarks": "This allows automatic permission granting for CodeBuild.",
+            "stability": "experimental",
+            "summary": "The ECR repository if this image was created from an ECR repository."
+          },
+          "immutable": true,
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 161
+          },
+          "name": "ecrRepository",
+          "optional": true,
+          "type": {
+            "fqn": "aws-cdk-lib.aws_ecr.IRepository"
+          }
+        }
+      ],
+      "symbolId": "src/image-builders/aws-image-builder/base-image:BaseContainerImage"
+    },
+    "@cloudsnorkel/cdk-github-runners.BaseImage": {
+      "assembly": "@cloudsnorkel/cdk-github-runners",
+      "docs": {
+        "remarks": "This class is adapted from AWS CDK's BaseImage class to support both string and object inputs.",
+        "stability": "experimental",
+        "summary": "Represents a base image that is used to start from in EC2 Image Builder image builds."
+      },
+      "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage",
+      "initializer": {
+        "docs": {
+          "stability": "experimental"
+        },
+        "locationInModule": {
+          "filename": "src/image-builders/aws-image-builder/base-image.ts",
+          "line": 91
+        },
+        "parameters": [
+          {
+            "name": "image",
+            "type": {
+              "primitive": "string"
+            }
+          }
+        ],
+        "protected": true
+      },
+      "kind": "class",
+      "locationInModule": {
+        "filename": "src/image-builders/aws-image-builder/base-image.ts",
+        "line": 20
+      },
+      "methods": [
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The AMI ID to use as a base image in an image recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 26
+          },
+          "name": "fromAmiId",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The AMI ID to use as the base image."
+              },
+              "name": "amiId",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage"
+            }
+          },
+          "static": true
+        },
+        {
+          "docs": {
+            "remarks": "This constructs an Image Builder ARN for AWS-provided images like `ubuntu-server-22-lts-x86/x.x.x`.",
+            "stability": "experimental",
+            "summary": "An AWS-provided EC2 Image Builder image to use as a base image in an image recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 39
+          },
+          "name": "fromImageBuilder",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The construct scope (used to determine the stack and region)."
+              },
+              "name": "scope",
+              "type": {
+                "fqn": "constructs.Construct"
+              }
+            },
+            {
+              "docs": {
+                "summary": "The Image Builder resource name pattern (e.g., `ubuntu-server-22-lts-x86` or `ubuntu-server-22-lts-${arch}`)."
+              },
+              "name": "resourceName",
+              "type": {
+                "primitive": "string"
+              }
+            },
+            {
+              "docs": {
+                "summary": "The version pattern (defaults to `x.x.x` to use the latest version)."
+              },
+              "name": "version",
+              "optional": true,
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage"
+            }
+          },
+          "static": true
+        },
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The marketplace product ID for an AMI product to use as the base image in an image recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 54
+          },
+          "name": "fromMarketplaceProductId",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The Marketplace AMI product ID to use as the base image."
+              },
+              "name": "productId",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage"
+            }
+          },
+          "static": true
+        },
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The SSM parameter to use as the base image in an image recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 63
+          },
+          "name": "fromSsmParameter",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The SSM parameter to use as the base image."
+              },
+              "name": "parameter",
+              "type": {
+                "fqn": "aws-cdk-lib.aws_ssm.IParameter"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage"
+            }
+          },
+          "static": true
+        },
+        {
+          "docs": {
+            "stability": "experimental",
+            "summary": "The parameter name for the SSM parameter to use as the base image in an image recipe."
+          },
+          "locationInModule": {
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 72
+          },
+          "name": "fromSsmParameterName",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The name of the SSM parameter to use as the base image."
+              },
+              "name": "parameterName",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage"
+            }
+          },
+          "static": true
+        },
+        {
           "docs": {
-            "default": "m6i.large",
+            "remarks": "This can be an EC2 Image Builder image ARN,\nan SSM parameter, an AWS Marketplace product ID, or an AMI ID.",
             "stability": "experimental",
-            "summary": "The instance type used to build the image."
+            "summary": "The direct string value of the base image to use in an image recipe."
           },
-          "immutable": true,
           "locationInModule": {
-            "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 39
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 82
           },
-          "name": "instanceType",
-          "optional": true,
-          "type": {
-            "fqn": "aws-cdk-lib.aws_ec2.InstanceType"
-          }
-        },
+          "name": "fromString",
+          "parameters": [
+            {
+              "docs": {
+                "summary": "The base image as a direct string value."
+              },
+              "name": "baseImageString",
+              "type": {
+                "primitive": "string"
+              }
+            }
+          ],
+          "returns": {
+            "type": {
+              "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage"
+            }
+          },
+          "static": true
+        }
+      ],
+      "name": "BaseImage",
+      "properties": [
         {
-          "abstract": true,
           "docs": {
-            "default": "default size for AMI (usually 30GB for Linux and 50GB for Windows)",
-            "remarks": "Use this if you're building images with big components and need more space.",
             "stability": "experimental",
-            "summary": "Size of volume available for builder instances. This modifies the boot volume size and doesn't add any additional volumes."
+            "summary": "The rendered base image to use."
           },
           "immutable": true,
           "locationInModule": {
-            "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 48
+            "filename": "src/image-builders/aws-image-builder/base-image.ts",
+            "line": 89
           },
-          "name": "storageSize",
-          "optional": true,
+          "name": "image",
           "type": {
-            "fqn": "aws-cdk-lib.Size"
+            "primitive": "string"
           }
         }
       ],
-      "symbolId": "src/image-builders/aws-image-builder/builder:AwsImageBuilderRunnerImageBuilderProps"
+      "symbolId": "src/image-builders/aws-image-builder/base-image:BaseImage"
     },
     "@cloudsnorkel/cdk-github-runners.CodeBuildImageBuilder": {
       "assembly": "@cloudsnorkel/cdk-github-runners",
@@ -5416,7 +5884,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/codebuild.ts",
-          "line": 244
+          "line": 256
         },
         "parameters": [
           {
@@ -5443,7 +5911,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/providers/codebuild.ts",
-        "line": 481
+        "line": 493
       },
       "name": "CodeBuildRunner",
       "symbolId": "src/providers/codebuild:CodeBuildRunner"
@@ -5458,7 +5926,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/codebuild.ts",
-        "line": 32
+        "line": 33
       },
       "name": "CodeBuildRunnerImageBuilderProps",
       "properties": [
@@ -5473,7 +5941,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/codebuild.ts",
-            "line": 48
+            "line": 59
           },
           "name": "buildImage",
           "optional": true,
@@ -5485,14 +5953,14 @@
           "abstract": true,
           "docs": {
             "default": "{@link ComputeType#SMALL }",
-            "remarks": "See the {@link ComputeType} enum for the possible values.",
+            "remarks": "The compute type determines CPU, memory, and disk space:\n- SMALL: 2 vCPU, 3 GB RAM, 64 GB disk\n- MEDIUM: 4 vCPU, 7 GB RAM, 128 GB disk\n- LARGE: 8 vCPU, 15 GB RAM, 128 GB disk\n- X2_LARGE: 72 vCPU, 145 GB RAM, 256 GB disk (Linux) or 824 GB disk (Windows)\n\nUse a larger compute type when you need more disk space for building larger Docker images.\n\nFor more details, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html#environment.types",
             "stability": "experimental",
-            "summary": "The type of compute to use for this build."
+            "summary": "The type of compute to use for this build. See the {@link ComputeType} enum for the possible values."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/codebuild.ts",
-            "line": 39
+            "line": 50
           },
           "name": "computeType",
           "optional": true,
@@ -5511,7 +5979,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/codebuild.ts",
-            "line": 57
+            "line": 68
           },
           "name": "timeout",
           "optional": true,
@@ -5537,7 +6005,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/codebuild.ts",
-          "line": 244
+          "line": 256
         },
         "parameters": [
           {
@@ -5567,7 +6035,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/providers/codebuild.ts",
-        "line": 140
+        "line": 150
       },
       "methods": [
         {
@@ -5578,7 +6046,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 189
+            "line": 199
           },
           "name": "imageBuilder",
           "parameters": [
@@ -5617,7 +6085,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 394
+            "line": 406
           },
           "name": "getStepFunctionTask",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -5646,7 +6114,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 448
+            "line": 460
           },
           "name": "grantStateMachine",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -5715,7 +6183,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 451
+            "line": 463
           },
           "name": "status",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -5747,7 +6215,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 169
+            "line": 179
           },
           "name": "LINUX_ARM64_DOCKERFILE_PATH",
           "static": true,
@@ -5766,7 +6234,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 154
+            "line": 164
           },
           "name": "LINUX_X64_DOCKERFILE_PATH",
           "static": true,
@@ -5782,7 +6250,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 473
+            "line": 485
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -5798,7 +6266,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 219
+            "line": 229
           },
           "name": "grantPrincipal",
           "overrides": "aws-cdk-lib.aws_iam.IGrantable",
@@ -5808,14 +6276,15 @@
         },
         {
           "docs": {
+            "deprecated": "This field is internal and should not be accessed directly.",
             "remarks": "The image is built by an image builder and is specific to CodeBuild.",
-            "stability": "experimental",
+            "stability": "deprecated",
             "summary": "Docker image loaded with GitHub Actions Runner and its prerequisites."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 224
+            "line": 236
           },
           "name": "image",
           "type": {
@@ -5830,7 +6299,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 214
+            "line": 224
           },
           "name": "labels",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -5852,7 +6321,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 231
+            "line": 243
           },
           "name": "logGroup",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -5868,7 +6337,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 209
+            "line": 219
           },
           "name": "project",
           "type": {
@@ -5883,7 +6352,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 233
+            "line": 245
           },
           "name": "retryableErrors",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -5920,14 +6389,14 @@
           "abstract": true,
           "docs": {
             "default": "{@link ComputeType#SMALL }",
-            "remarks": "See the {@link ComputeType} enum for the possible values.",
+            "remarks": "The compute type determines CPU, memory, and disk space:\n- SMALL: 2 vCPU, 3 GB RAM, 64 GB disk\n- MEDIUM: 4 vCPU, 7 GB RAM, 128 GB disk\n- LARGE: 8 vCPU, 15 GB RAM, 128 GB disk\n- X2_LARGE: 72 vCPU, 145 GB RAM, 256 GB disk (Linux) or 824 GB disk (Windows)\n\nUse a larger compute type when you need more disk space for building larger Docker images.\n\nFor more details, see https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-compute-types.html#environment.types",
             "stability": "experimental",
-            "summary": "The type of compute to use for this build."
+            "summary": "The type of compute to use for this build. See the {@link ComputeType} enum for the possible values."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 113
+            "line": 123
           },
           "name": "computeType",
           "optional": true,
@@ -5946,7 +6415,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 130
+            "line": 140
           },
           "name": "dockerInDocker",
           "optional": true,
@@ -6106,7 +6575,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/codebuild.ts",
-            "line": 122
+            "line": 132
           },
           "name": "timeout",
           "optional": true,
@@ -7591,7 +8060,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/ecs.ts",
-          "line": 395
+          "line": 397
         },
         "parameters": [
           {
@@ -7671,7 +8140,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 619
+            "line": 621
           },
           "name": "getStepFunctionTask",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -7700,7 +8169,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 686
+            "line": 688
           },
           "name": "grantStateMachine",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -7769,7 +8238,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 689
+            "line": 691
           },
           "name": "status",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -7790,6 +8259,22 @@
       ],
       "name": "EcsRunnerProvider",
       "properties": [
+        {
+          "docs": {
+            "remarks": "Use capacityProvider.autoScalingGroup to access the auto scaling group. This can help set up custom scaling policies.",
+            "stability": "experimental",
+            "summary": "Capacity provider used to scale the cluster."
+          },
+          "immutable": true,
+          "locationInModule": {
+            "filename": "src/providers/ecs.ts",
+            "line": 306
+          },
+          "name": "capacityProvider",
+          "type": {
+            "fqn": "aws-cdk-lib.aws_ecs.AsgCapacityProvider"
+          }
+        },
         {
           "docs": {
             "stability": "experimental",
@@ -7798,7 +8283,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 344
+            "line": 346
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -7814,7 +8299,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 339
+            "line": 341
           },
           "name": "grantPrincipal",
           "overrides": "aws-cdk-lib.aws_iam.IGrantable",
@@ -7830,7 +8315,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 319
+            "line": 321
           },
           "name": "labels",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -7852,7 +8337,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 356
+            "line": 358
           },
           "name": "logGroup",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -7868,7 +8353,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/ecs.ts",
-            "line": 388
+            "line": 390
           },
           "name": "retryableErrors",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -8346,7 +8831,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/fargate.ts",
-          "line": 385
+          "line": 399
         },
         "parameters": [
           {
@@ -8373,7 +8858,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/providers/fargate.ts",
-        "line": 567
+        "line": 581
       },
       "name": "FargateRunner",
       "symbolId": "src/providers/fargate:FargateRunner"
@@ -8393,7 +8878,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/fargate.ts",
-          "line": 385
+          "line": 399
         },
         "parameters": [
           {
@@ -8473,7 +8958,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 474
+            "line": 488
           },
           "name": "getStepFunctionTask",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -8502,7 +8987,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 541
+            "line": 555
           },
           "name": "grantStateMachine",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -8571,7 +9056,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 544
+            "line": 558
           },
           "name": "status",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -8632,13 +9117,14 @@
         },
         {
           "docs": {
-            "stability": "experimental",
+            "deprecated": "This field is internal and should not be accessed directly.",
+            "stability": "deprecated",
             "summary": "Whether runner task will have a public IP."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 346
+            "line": 356
           },
           "name": "assignPublicIp",
           "type": {
@@ -8668,7 +9154,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 356
+            "line": 366
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -8678,13 +9164,14 @@
         },
         {
           "docs": {
-            "stability": "experimental",
+            "deprecated": "This field is internal and should not be accessed directly.",
+            "stability": "deprecated",
             "summary": "Container definition hosting the runner."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 326
+            "line": 330
           },
           "name": "container",
           "type": {
@@ -8699,7 +9186,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 351
+            "line": 361
           },
           "name": "grantPrincipal",
           "overrides": "aws-cdk-lib.aws_iam.IGrantable",
@@ -8709,14 +9196,15 @@
         },
         {
           "docs": {
+            "deprecated": "This field is internal and should not be accessed directly.",
             "remarks": "The image is built by an image builder and is specific to Fargate tasks.",
-            "stability": "experimental",
+            "stability": "deprecated",
             "summary": "Docker image loaded with GitHub Actions Runner and its prerequisites."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 366
+            "line": 380
           },
           "name": "image",
           "type": {
@@ -8731,7 +9219,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 331
+            "line": 335
           },
           "name": "labels",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -8753,7 +9241,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 373
+            "line": 387
           },
           "name": "logGroup",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -8769,7 +9257,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 375
+            "line": 389
           },
           "name": "retryableErrors",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -8784,13 +9272,14 @@
         },
         {
           "docs": {
-            "stability": "experimental",
+            "deprecated": "This field is internal and should not be accessed directly.",
+            "stability": "deprecated",
             "summary": "Use spot pricing for Fargate tasks."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 361
+            "line": 373
           },
           "name": "spot",
           "type": {
@@ -8799,13 +9288,14 @@
         },
         {
           "docs": {
-            "stability": "experimental",
+            "deprecated": "This field is internal and should not be accessed directly.",
+            "stability": "deprecated",
             "summary": "Fargate task hosting the runner."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 321
+            "line": 323
           },
           "name": "task",
           "type": {
@@ -8814,13 +9304,14 @@
         },
         {
           "docs": {
-            "stability": "experimental",
+            "deprecated": "This field is internal and should not be accessed directly.",
+            "stability": "deprecated",
             "summary": "Subnets used for hosting the runner task."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 341
+            "line": 349
           },
           "name": "subnetSelection",
           "optional": true,
@@ -8830,13 +9321,14 @@
         },
         {
           "docs": {
-            "stability": "experimental",
+            "deprecated": "This field is internal and should not be accessed directly.",
+            "stability": "deprecated",
             "summary": "VPC used for hosting the runner task."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/fargate.ts",
-            "line": 336
+            "line": 342
           },
           "name": "vpc",
           "optional": true,
@@ -9151,7 +9643,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/aws-image-builder/builder.ts",
-        "line": 63
+        "line": 64
       },
       "name": "FastLaunchOptions",
       "properties": [
@@ -9169,7 +9661,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 74
+            "line": 75
           },
           "name": "enabled",
           "optional": true,
@@ -9188,7 +9680,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 83
+            "line": 84
           },
           "name": "maxParallelLaunches",
           "optional": true,
@@ -9206,7 +9698,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 90
+            "line": 91
           },
           "name": "targetResourceCount",
           "optional": true,
@@ -9232,7 +9724,7 @@
         },
         "locationInModule": {
           "filename": "src/runner.ts",
-          "line": 290
+          "line": 308
         },
         "parameters": [
           {
@@ -9262,7 +9754,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/runner.ts",
-        "line": 263
+        "line": 281
       },
       "methods": [
         {
@@ -9273,7 +9765,7 @@
           },
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 842
+            "line": 902
           },
           "name": "createLogsInsightsQueries"
         },
@@ -9285,7 +9777,7 @@
           },
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 822
+            "line": 882
           },
           "name": "failedImageBuildsTopic",
           "returns": {
@@ -9302,7 +9794,7 @@
           },
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 804
+            "line": 864
           },
           "name": "metricFailed",
           "parameters": [
@@ -9328,7 +9820,7 @@
           },
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 748
+            "line": 808
           },
           "name": "metricJobCompleted",
           "parameters": [
@@ -9354,7 +9846,7 @@
           },
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 795
+            "line": 855
           },
           "name": "metricSucceeded",
           "parameters": [
@@ -9380,7 +9872,7 @@
           },
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 811
+            "line": 871
           },
           "name": "metricTime",
           "parameters": [
@@ -9410,7 +9902,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 279
+            "line": 297
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -9426,7 +9918,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 267
+            "line": 285
           },
           "name": "providers",
           "type": {
@@ -9455,7 +9947,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 272
+            "line": 290
           },
           "name": "secrets",
           "type": {
@@ -9469,7 +9961,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 290
+            "line": 308
           },
           "name": "props",
           "optional": true,
@@ -9491,7 +9983,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/runner.ts",
-        "line": 40
+        "line": 43
       },
       "name": "GitHubRunnersProps",
       "properties": [
@@ -9499,14 +9991,14 @@
           "abstract": true,
           "docs": {
             "default": "false",
-            "remarks": "Lambda Functions in a public subnet can NOT access the internet.",
+            "remarks": "**Note:** This only affects management functions that interact with GitHub. Lambda functions that help with runner image building and don't interact with GitHub are NOT affected by this setting.",
             "stability": "experimental",
-            "summary": "Allow management functions to run in public subnets."
+            "summary": "Allow management functions to run in public subnets. Lambda Functions in a public subnet can NOT access the internet."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 81
+            "line": 90
           },
           "name": "allowPublicSubnet",
           "optional": true,
@@ -9517,14 +10009,14 @@
         {
           "abstract": true,
           "docs": {
-            "remarks": "You may also want to use custom images for your runner providers that contain the same certificates. See {@link CodeBuildImageBuilder.addCertificates }.\n\n```typescript\nconst imageBuilder = CodeBuildRunnerProvider.imageBuilder(this, 'Image Builder with Certs');\nimageBuilder.addComponent(RunnerImageComponent.extraCertificates('path-to-my-extra-certs-folder/certs.pem', 'private-ca');\n\nconst provider = new CodeBuildRunnerProvider(this, 'CodeBuild', {\n    imageBuilder: imageBuilder,\n});\n\nnew GitHubRunners(\n  this,\n  'runners',\n  {\n    providers: [provider],\n    extraCertificates: 'path-to-my-extra-certs-folder',\n  }\n);\n```",
+            "remarks": "If a directory is provided, all .pem and .crt files in that directory will be used. The certificates will be concatenated into a single file for use by Node.js.\n\nYou may also want to use custom images for your runner providers that contain the same certificates. See {@link RunnerImageComponent.extraCertificates }.\n\n```typescript\nconst selfSignedCertificates = 'certs/ghes.pem'; // or 'path-to-my-extra-certs-folder' for a directory\nconst imageBuilder = CodeBuildRunnerProvider.imageBuilder(this, 'Image Builder with Certs');\nimageBuilder.addComponent(RunnerImageComponent.extraCertificates(selfSignedCertificates, 'private-ca'));\n\nconst provider = new CodeBuildRunnerProvider(this, 'CodeBuild', {\n    imageBuilder: imageBuilder,\n});\n\nnew GitHubRunners(\n  this,\n  'runners',\n  {\n    providers: [provider],\n    extraCertificates: selfSignedCertificates,\n  }\n);\n```",
             "stability": "experimental",
-            "summary": "Path to a directory containing a file named certs.pem containing any additional certificates required to trust GitHub Enterprise Server. Use this when GitHub Enterprise Server certificates are self-signed."
+            "summary": "Path to a certificate file (.pem or .crt) or a directory containing certificate files (.pem or .crt) required to trust GitHub Enterprise Server. Use this when GitHub Enterprise Server certificates are self-signed."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 118
+            "line": 136
           },
           "name": "extraCertificates",
           "optional": true,
@@ -9543,7 +10035,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 125
+            "line": 143
           },
           "name": "idleTimeout",
           "optional": true,
@@ -9561,7 +10053,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 132
+            "line": 150
           },
           "name": "logOptions",
           "optional": true,
@@ -9580,7 +10072,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 46
+            "line": 49
           },
           "name": "providers",
           "optional": true,
@@ -9612,7 +10104,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 187
+            "line": 205
           },
           "name": "providerSelector",
           "optional": true,
@@ -9631,7 +10123,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 55
+            "line": 58
           },
           "name": "requireSelfHostedLabel",
           "optional": true,
@@ -9650,7 +10142,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 169
+            "line": 187
           },
           "name": "retryOptions",
           "optional": true,
@@ -9662,14 +10154,14 @@
           "abstract": true,
           "docs": {
             "deprecated": "use {@link securityGroups } instead",
-            "remarks": "Use this with to provide access to GitHub Enterprise Server hosted inside a VPC.",
+            "remarks": "Use this with to provide access to GitHub Enterprise Server hosted inside a VPC.\n\n**Note:** This only affects management functions that interact with GitHub. Lambda functions that help with runner image building and don't interact with GitHub are NOT affected by this setting.",
             "stability": "deprecated",
             "summary": "Security group attached to all management functions."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 88
+            "line": 99
           },
           "name": "securityGroup",
           "optional": true,
@@ -9680,14 +10172,14 @@
         {
           "abstract": true,
           "docs": {
-            "remarks": "Use this with to provide access to GitHub Enterprise Server hosted inside a VPC.",
+            "remarks": "Use this to provide outbound access from management functions to GitHub Enterprise Server hosted inside a VPC.\n\n**Note:** This only affects management functions that interact with GitHub. Lambda functions that help with runner image building and don't interact with GitHub are NOT affected by this setting.\n\n**Note:** Defining inbound rules on this security group does nothing. This security group only controls outbound access FROM the management functions. To limit access TO the webhook or setup functions, use {@link webhookAccess} and {@link setupAccess} instead.",
             "stability": "experimental",
             "summary": "Security groups attached to all management functions."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 93
+            "line": 108
           },
           "name": "securityGroups",
           "optional": true,
@@ -9711,7 +10203,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 139
+            "line": 157
           },
           "name": "setupAccess",
           "optional": true,
@@ -9730,7 +10222,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 158
+            "line": 176
           },
           "name": "statusAccess",
           "optional": true,
@@ -9741,14 +10233,14 @@
         {
           "abstract": true,
           "docs": {
-            "remarks": "Make sure the selected VPC and subnets have access to the following with either NAT Gateway or VPC Endpoints:\n* GitHub Enterprise Server\n* Secrets Manager\n* SQS\n* Step Functions\n* CloudFormation (status function only)\n* EC2 (status function only)\n* ECR (status function only)",
+            "remarks": "**Note:** This only affects management functions that interact with GitHub. Lambda functions that help with runner image building and don't interact with GitHub are NOT affected by this setting and will run outside the VPC.\n\nMake sure the selected VPC and subnets have access to the following with either NAT Gateway or VPC Endpoints:\n* GitHub Enterprise Server\n* Secrets Manager\n* SQS\n* Step Functions\n* CloudFormation (status function only)\n* EC2 (status function only)\n* ECR (status function only)",
             "stability": "experimental",
             "summary": "VPC used for all management functions. Use this with GitHub Enterprise Server hosted that's inaccessible from outside the VPC."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 69
+            "line": 74
           },
           "name": "vpc",
           "optional": true,
@@ -9759,14 +10251,14 @@
         {
           "abstract": true,
           "docs": {
-            "remarks": "Use this with GitHub Enterprise Server hosted that's inaccessible from outside the VPC.",
+            "remarks": "Use this with GitHub Enterprise Server hosted that's inaccessible from outside the VPC.\n\n**Note:** This only affects management functions that interact with GitHub. Lambda functions that help with runner image building and don't interact with GitHub are NOT affected by this setting.",
             "stability": "experimental",
             "summary": "VPC subnets used for all management functions."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 74
+            "line": 81
           },
           "name": "vpcSubnets",
           "optional": true,
@@ -9785,7 +10277,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 151
+            "line": 169
           },
           "name": "webhookAccess",
           "optional": true,
@@ -9966,7 +10458,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/common.ts",
-        "line": 308
+        "line": 327
       },
       "methods": [
         {
@@ -9978,7 +10470,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 314
+            "line": 333
           },
           "name": "addComponent",
           "parameters": [
@@ -10002,7 +10494,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 321
+            "line": 340
           },
           "name": "removeComponent",
           "parameters": [
@@ -10082,7 +10574,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/common.ts",
-        "line": 281
+        "line": 300
       },
       "methods": [
         {
@@ -10094,7 +10586,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 300
+            "line": 319
           },
           "name": "bindAmi",
           "returns": {
@@ -10112,7 +10604,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 291
+            "line": 310
           },
           "name": "bindDockerImage",
           "returns": {
@@ -10548,7 +11040,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/aws-image-builder/builder.ts",
-        "line": 96
+        "line": 97
       },
       "name": "ImageBuilderAsset",
       "properties": [
@@ -10561,7 +11053,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 105
+            "line": 106
           },
           "name": "asset",
           "type": {
@@ -10577,7 +11069,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 100
+            "line": 101
           },
           "name": "path",
           "type": {
@@ -10603,7 +11095,7 @@
         },
         "locationInModule": {
           "filename": "src/image-builders/aws-image-builder/builder.ts",
-          "line": 179
+          "line": 180
         },
         "parameters": [
           {
@@ -10629,7 +11121,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/image-builders/aws-image-builder/builder.ts",
-        "line": 166
+        "line": 167
       },
       "methods": [
         {
@@ -10639,7 +11131,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 277
+            "line": 278
           },
           "name": "grantAssetsRead",
           "parameters": [
@@ -10657,7 +11149,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 283
+            "line": 284
           },
           "name": "prefixCommandsWithErrorHandling",
           "parameters": [
@@ -10701,7 +11193,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 170
+            "line": 171
           },
           "name": "arn",
           "type": {
@@ -10716,7 +11208,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 175
+            "line": 176
           },
           "name": "platform",
           "type": {
@@ -10737,7 +11229,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/aws-image-builder/builder.ts",
-        "line": 111
+        "line": 112
       },
       "name": "ImageBuilderComponentProperties",
       "properties": [
@@ -10751,7 +11243,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 132
+            "line": 133
           },
           "name": "commands",
           "type": {
@@ -10772,7 +11264,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 125
+            "line": 126
           },
           "name": "description",
           "type": {
@@ -10788,7 +11280,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 120
+            "line": 121
           },
           "name": "displayName",
           "type": {
@@ -10805,7 +11297,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 115
+            "line": 116
           },
           "name": "platform",
           "type": {
@@ -10821,7 +11313,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 137
+            "line": 138
           },
           "name": "assets",
           "optional": true,
@@ -10844,7 +11336,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/aws-image-builder/builder.ts",
-            "line": 144
+            "line": 145
           },
           "name": "reboot",
           "optional": true,
@@ -11017,7 +11509,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/lambda.ts",
-          "line": 239
+          "line": 241
         },
         "parameters": [
           {
@@ -11044,7 +11536,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/providers/lambda.ts",
-        "line": 481
+        "line": 483
       },
       "name": "LambdaRunner",
       "symbolId": "src/providers/lambda:LambdaRunner"
@@ -11064,7 +11556,7 @@
         },
         "locationInModule": {
           "filename": "src/providers/lambda.ts",
-          "line": 239
+          "line": 241
         },
         "parameters": [
           {
@@ -11144,7 +11636,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 333
+            "line": 335
           },
           "name": "getStepFunctionTask",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -11173,7 +11665,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 397
+            "line": 399
           },
           "name": "grantStateMachine",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -11242,7 +11734,7 @@
           },
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 400
+            "line": 402
           },
           "name": "status",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -11309,7 +11801,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 322
+            "line": 324
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -11350,14 +11842,15 @@
         },
         {
           "docs": {
+            "deprecated": "This field is internal and should not be accessed directly.",
             "remarks": "The image is built by an image builder and is specific to Lambda.",
-            "stability": "experimental",
+            "stability": "deprecated",
             "summary": "Docker image loaded with GitHub Actions Runner and its prerequisites."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 217
+            "line": 219
           },
           "name": "image",
           "type": {
@@ -11394,7 +11887,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 224
+            "line": 226
           },
           "name": "logGroup",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -11410,7 +11903,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/providers/lambda.ts",
-            "line": 226
+            "line": 228
           },
           "name": "retryableErrors",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerProvider",
@@ -11990,7 +12483,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/runner.ts",
-        "line": 193
+        "line": 211
       },
       "name": "LogOptions",
       "properties": [
@@ -12004,7 +12497,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 204
+            "line": 222
           },
           "name": "includeExecutionData",
           "optional": true,
@@ -12022,7 +12515,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 211
+            "line": 229
           },
           "name": "level",
           "optional": true,
@@ -12039,7 +12532,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 197
+            "line": 215
           },
           "name": "logGroupName",
           "optional": true,
@@ -12058,7 +12551,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/runner.ts",
-            "line": 220
+            "line": 238
           },
           "name": "logRetention",
           "optional": true,
@@ -12763,7 +13256,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/common.ts",
-        "line": 119
+        "line": 120
       },
       "name": "RunnerImageAsset",
       "properties": [
@@ -12777,7 +13270,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 123
+            "line": 124
           },
           "name": "source",
           "type": {
@@ -12793,7 +13286,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 128
+            "line": 129
           },
           "name": "target",
           "type": {
@@ -12819,7 +13312,7 @@
         },
         "locationInModule": {
           "filename": "src/image-builders/common.ts",
-          "line": 330
+          "line": 349
         },
         "parameters": [
           {
@@ -12900,7 +13393,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 345
+            "line": 364
           },
           "name": "addComponent",
           "overrides": "@cloudsnorkel/cdk-github-runners.IConfigurableRunnerImageBuilder",
@@ -12922,7 +13415,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 340
+            "line": 359
           },
           "name": "bindAmi",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerImageBuilder",
@@ -12941,7 +13434,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 338
+            "line": 357
           },
           "name": "bindDockerImage",
           "overrides": "@cloudsnorkel/cdk-github-runners.IRunnerImageBuilder",
@@ -12959,7 +13452,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 349
+            "line": 368
           },
           "name": "removeComponent",
           "overrides": "@cloudsnorkel/cdk-github-runners.IConfigurableRunnerImageBuilder",
@@ -12984,7 +13477,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 342
+            "line": 361
           },
           "name": "connections",
           "overrides": "aws-cdk-lib.aws_ec2.IConnectable",
@@ -13001,7 +13494,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 343
+            "line": 362
           },
           "name": "grantPrincipal",
           "overrides": "aws-cdk-lib.aws_iam.IGrantable",
@@ -13015,7 +13508,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 328
+            "line": 347
           },
           "name": "components",
           "protected": true,
@@ -13041,7 +13534,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/common.ts",
-        "line": 131
+        "line": 132
       },
       "name": "RunnerImageBuilderProps",
       "properties": [
@@ -13055,7 +13548,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 137
+            "line": 138
           },
           "name": "architecture",
           "optional": true,
@@ -13073,7 +13566,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 246
+            "line": 265
           },
           "name": "awsImageBuilderOptions",
           "optional": true,
@@ -13085,38 +13578,56 @@
           "abstract": true,
           "docs": {
             "default": "latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS",
-            "remarks": "This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example `arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace `x.x.x` with that version.",
+            "remarks": "This can be:\n- A string (AMI ID, Image Builder ARN, SSM parameter reference, or Marketplace product ID) - deprecated, use BaseImage static factory methods instead\n- A BaseImage instance created using static factory methods:\n  - `BaseImage.fromAmiId('ami-12345')` - Use an AMI ID\n  - `BaseImage.fromString('arn:aws:imagebuilder:...')` - Use any string (ARN, AMI ID, etc.)\n  - `BaseImage.fromSsmParameter(parameter)` - Use an SSM parameter object\n  - `BaseImage.fromSsmParameterName('/aws/service/ami/...')` - Use an SSM parameter by name\n  - `BaseImage.fromMarketplaceProductId('product-id')` - Use a Marketplace product ID\n  - `BaseImage.fromImageBuilder(scope, 'ubuntu-server-22-lts-x86')` - Use an AWS-provided Image Builder image\n\nFor example `BaseImage.fromImageBuilder(scope, 'ubuntu-server-22-lts-x86')` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can pass the version as the third parameter.",
             "stability": "experimental",
             "summary": "Base AMI from which runner AMIs will be built."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 171
+            "line": 190
           },
           "name": "baseAmi",
           "optional": true,
           "type": {
-            "primitive": "string"
+            "union": {
+              "types": [
+                {
+                  "primitive": "string"
+                },
+                {
+                  "fqn": "@cloudsnorkel/cdk-github-runners.BaseImage"
+                }
+              ]
+            }
           }
         },
         {
           "abstract": true,
           "docs": {
             "default": "public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS",
-            "remarks": "When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}.",
+            "remarks": "This can be:\n- A string (ECR/ECR public image URI, DockerHub image, or Image Builder ARN) - deprecated, use BaseContainerImage static factory methods instead\n- A BaseContainerImage instance created using static factory methods:\n  - `BaseContainerImage.fromDockerHub('ubuntu', '22.04')` - Use DockerHub\n  - `BaseContainerImage.fromEcr(repo, 'latest')` - Use ECR (automatically grants permissions with CodeBuild)\n  - `BaseContainerImage.fromEcrPublic('lts', 'ubuntu', '22.04')` - Use ECR Public\n  - `BaseContainerImage.fromString('public.ecr.aws/lts/ubuntu:22.04')` - Use any string\n\nWhen using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}.",
             "stability": "experimental",
             "summary": "Base image from which Docker runner images will be built."
           },
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 153
+            "line": 162
           },
           "name": "baseDockerImage",
           "optional": true,
           "type": {
-            "primitive": "string"
+            "union": {
+              "types": [
+                {
+                  "primitive": "string"
+                },
+                {
+                  "fqn": "@cloudsnorkel/cdk-github-runners.BaseContainerImage"
+                }
+              ]
+            }
           }
         },
         {
@@ -13128,7 +13639,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 236
+            "line": 255
           },
           "name": "builderType",
           "optional": true,
@@ -13146,7 +13657,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 241
+            "line": 260
           },
           "name": "codeBuildOptions",
           "optional": true,
@@ -13164,7 +13675,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 185
+            "line": 204
           },
           "name": "components",
           "optional": true,
@@ -13188,7 +13699,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 162
+            "line": 171
           },
           "name": "dockerSetupCommands",
           "optional": true,
@@ -13212,7 +13723,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 231
+            "line": 250
           },
           "name": "logRemovalPolicy",
           "optional": true,
@@ -13231,7 +13742,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 222
+            "line": 241
           },
           "name": "logRetention",
           "optional": true,
@@ -13249,7 +13760,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 144
+            "line": 145
           },
           "name": "os",
           "optional": true,
@@ -13268,7 +13779,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 194
+            "line": 213
           },
           "name": "rebuildInterval",
           "optional": true,
@@ -13286,7 +13797,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 178
+            "line": 197
           },
           "name": "runnerVersion",
           "optional": true,
@@ -13303,7 +13814,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 206
+            "line": 225
           },
           "name": "securityGroups",
           "optional": true,
@@ -13326,7 +13837,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 213
+            "line": 232
           },
           "name": "subnetSelection",
           "optional": true,
@@ -13344,7 +13855,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 201
+            "line": 220
           },
           "name": "vpc",
           "optional": true,
@@ -13363,7 +13874,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/common.ts",
-            "line": 257
+            "line": 276
           },
           "name": "waitOnDeploy",
           "optional": true,
@@ -13383,7 +13894,7 @@
       "kind": "enum",
       "locationInModule": {
         "filename": "src/image-builders/common.ts",
-        "line": 260
+        "line": 279
       },
       "members": [
         {
@@ -13423,7 +13934,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/image-builders/components.ts",
-        "line": 39
+        "line": 40
       },
       "methods": [
         {
@@ -13433,7 +13944,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 181
+            "line": 182
           },
           "name": "awsCli",
           "returns": {
@@ -13450,7 +13961,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 107
+            "line": 108
           },
           "name": "cloudWatchAgent",
           "returns": {
@@ -13468,7 +13979,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 49
+            "line": 50
           },
           "name": "custom",
           "parameters": [
@@ -13494,7 +14005,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 399
+            "line": 400
           },
           "name": "docker",
           "returns": {
@@ -13512,7 +14023,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 477
+            "line": 478
           },
           "name": "dockerInDocker",
           "returns": {
@@ -13530,7 +14041,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 580
+            "line": 595
           },
           "name": "environmentVariables",
           "parameters": [
@@ -13561,13 +14072,13 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 487
+            "line": 488
           },
           "name": "extraCertificates",
           "parameters": [
             {
               "docs": {
-                "summary": "path to certificate file in PEM format."
+                "summary": "path to certificate file in PEM format, or a directory containing certificate files (.pem or .crt)."
               },
               "name": "source",
               "type": {
@@ -13598,7 +14109,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 260
+            "line": 261
           },
           "name": "git",
           "returns": {
@@ -13615,7 +14126,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 217
+            "line": 218
           },
           "name": "githubCli",
           "returns": {
@@ -13633,7 +14144,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 304
+            "line": 305
           },
           "name": "githubRunner",
           "parameters": [
@@ -13662,7 +14173,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 537
+            "line": 552
           },
           "name": "lambdaEntrypoint",
           "returns": {
@@ -13679,7 +14190,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 74
+            "line": 75
           },
           "name": "requiredPackages",
           "returns": {
@@ -13696,7 +14207,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 150
+            "line": 151
           },
           "name": "runnerUser",
           "returns": {
@@ -13714,7 +14225,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 617
+            "line": 632
           },
           "name": "getAssets",
           "parameters": [
@@ -13751,7 +14262,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 612
+            "line": 627
           },
           "name": "getCommands",
           "parameters": [
@@ -13787,7 +14298,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 626
+            "line": 641
           },
           "name": "getDockerCommands",
           "parameters": [
@@ -13822,7 +14333,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 633
+            "line": 648
           },
           "name": "shouldReboot",
           "parameters": [
@@ -13858,7 +14369,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 607
+            "line": 622
           },
           "name": "name",
           "type": {
@@ -13878,7 +14389,7 @@
       "kind": "interface",
       "locationInModule": {
         "filename": "src/image-builders/components.ts",
-        "line": 8
+        "line": 9
       },
       "name": "RunnerImageComponentCustomProps",
       "properties": [
@@ -13891,7 +14402,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 24
+            "line": 25
           },
           "name": "assets",
           "optional": true,
@@ -13913,7 +14424,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 19
+            "line": 20
           },
           "name": "commands",
           "optional": true,
@@ -13936,7 +14447,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 33
+            "line": 34
           },
           "name": "dockerCommands",
           "optional": true,
@@ -13959,7 +14470,7 @@
           "immutable": true,
           "locationInModule": {
             "filename": "src/image-builders/components.ts",
-            "line": 14
+            "line": 15
           },
           "name": "name",
           "optional": true,
@@ -14419,7 +14930,7 @@
       "kind": "class",
       "locationInModule": {
         "filename": "src/image-builders/static.ts",
-        "line": 10
+        "line": 11
       },
       "methods": [
         {
@@ -14430,7 +14941,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/static.ts",
-            "line": 49
+            "line": 50
           },
           "name": "fromDockerHub",
           "parameters": [
@@ -14491,7 +15002,7 @@
           },
           "locationInModule": {
             "filename": "src/image-builders/static.ts",
-            "line": 19
+            "line": 20
           },
           "name": "fromEcrRepository",
           "parameters": [
@@ -14920,6 +15431,6 @@
       "symbolId": "src/image-builders/aws-image-builder/deprecated/windows-components:WindowsComponents"
     }
   },
-  "version": "0.14.18",
-  "fingerprint": "78faIxcJg8nT4vHotUHZaPgQK8EkmIk1Pw2k6eNcPPg="
+  "version": "0.14.20",
+  "fingerprint": "jNhuwh6BSEpn806TlB8ApZ7QQE5V+Ljvf1mdWH43Ubw="
 }