@cloudsnorkel/cdk-github-runners 0.14.22 → 0.14.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/.jsii CHANGED
@@ -3858,7 +3858,7 @@
3858
3858
  },
3859
3859
  "name": "@cloudsnorkel/cdk-github-runners",
3860
3860
  "readme": {
3861
- "markdown": "# GitHub Self-Hosted Runners CDK Constructs\n\n[![NPM](https://img.shields.io/npm/v/@cloudsnorkel/cdk-github-runners?label=npm&logo=npm)][7]\n[![PyPI](https://img.shields.io/pypi/v/cloudsnorkel.cdk-github-runners?label=pypi&logo=pypi)][6]\n[![Maven Central](https://img.shields.io/maven-central/v/com.cloudsnorkel/cdk.github.runners.svg?label=Maven%20Central&logo=apachemaven)][8]\n[![Go](https://img.shields.io/github/v/tag/CloudSnorkel/cdk-github-runners?color=red&label=go&logo=go)][11]\n[![Nuget](https://img.shields.io/nuget/v/CloudSnorkel.Cdk.Github.Runners?color=red&&logo=nuget)][12]\n[![Release](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml/badge.svg)](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/CloudSnorkel/cdk-github-runners/blob/main/LICENSE)\n\nUse this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.\n\n* 🧩 Easy to configure GitHub integration with a web-based interface\n* 🧠 Customizable runners with decent defaults\n* πŸƒπŸ» Multiple runner configurations controlled by labels\n* πŸ” Everything fully hosted in your account\n* πŸ”ƒ Automatically updated build environment with latest runner version\n\nSelf-hosted runners in AWS are useful when:\n\n* You need easy access to internal resources in your actions\n* You want to pre-install some software for your actions\n* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)\n* You are using GitHub Enterprise Server\n\nEphemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.\n\n## API\n\nThe best way to browse API documentation is on [Constructs Hub][13]. 
It is available in all supported programming languages.\n\n## Providers\n\nA runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.\n\n| | EC2 | CodeBuild | Fargate | ECS | Lambda |\n|------------------|-------------------|----------------------------|----------------|----------------|---------------|\n| **Time limit** | Unlimited | 8 hours | Unlimited | Unlimited | 15 minutes |\n| **vCPUs** | Unlimited | 2, 4, 8, or 72 | 0.25 to 4 | Unlimited | 1 to 6 |\n| **RAM** | Unlimited | 3gb, 7gb, 15gb, or 145gb | 512mb to 30gb | Unlimited | 128mb to 10gb |\n| **Storage** | Unlimited | 50gb to 824gb | 20gb to 200gb | Unlimited | Up to 10gb |\n| **Architecture** | x86_64, ARM64 | x86_64, ARM64 | x86_64, ARM64 | x86_64, ARM64 | x86_64, ARM64 |\n| **sudo** | βœ” | βœ” | βœ” | βœ” | ❌ |\n| **Docker** | βœ” | βœ” (Linux only) | ❌ | βœ” | ❌ |\n| **Spot pricing** | βœ” | ❌ | βœ” | βœ” | ❌ |\n| **OS** | Linux, Windows | Linux, Windows | Linux, Windows | Linux, Windows | Linux |\n\nThe best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.\n\n* EC2 is useful when you want runners to have complete access to the host\n* ECS is useful when you want to control the infrastructure, like leaving the runner host running for faster startups\n* Lambda is useful for short jobs that can work within time, size and readonly system constraints\n\nYou can also create your own provider by implementing `IRunnerProvider`.\n\n## Installation\n\n1. 
Install and use the appropriate package\n <details><summary>Python</summary>\n\n ### Install\n Available on [PyPI][6].\n ```bash\n pip install cloudsnorkel.cdk-github-runners\n ```\n ### Use\n ```python\n from aws_cdk import App, Stack\n from cloudsnorkel.cdk_github_runners import GitHubRunners\n\n app = App()\n stack = Stack(app, \"github-runners\")\n GitHubRunners(stack, \"runners\")\n\n app.synth()\n ```\n </details>\n <details><summary>TypeScript or JavaScript</summary>\n\n ### Install\n Available on [npm][7].\n ```bash\n npm i @cloudsnorkel/cdk-github-runners\n ```\n ### Use\n ```typescript\n import { App, Stack } from 'aws-cdk-lib';\n import { GitHubRunners } from '@cloudsnorkel/cdk-github-runners';\n\n const app = new App();\n const stack = new Stack(app, 'github-runners');\n new GitHubRunners(stack, 'runners');\n\n app.synth();\n ```\n </details>\n <details><summary>Java</summary>\n\n ### Install\n Available on [Maven][8].\n ```xml\n <dependency>\n <groupId>com.cloudsnorkel</groupId>\n <artifactId>cdk.github.runners</artifactId>\n </dependency>\n ```\n ### Use\n ```java\n import software.amazon.awscdk.App;\n import software.amazon.awscdk.Stack;\n import com.cloudsnorkel.cdk.github.runners.GitHubRunners;\n\n public class Example {\n public static void main(String[] args){\n App app = new App();\n Stack stack = new Stack(app, \"github-runners\");\n GitHubRunners.Builder.create(stack, \"runners\").build();\n\n app.synth();\n }\n }\n ```\n </details>\n <details><summary>Go</summary>\n\n ### Install\n Available on [GitHub][11].\n ```bash\n go get github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n ```\n ### Use\n ```go\n package main\n\n import (\n \"github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\"\n \"github.com/aws/aws-cdk-go/awscdk/v2\"\n \"github.com/aws/jsii-runtime-go\"\n )\n\n func main() {\n app := awscdk.NewApp(nil)\n stack := awscdk.NewStack(app, jsii.String(\"github-runners\"), 
&awscdk.StackProps{})\n cloudsnorkelcdkgithubrunners.NewGitHubRunners(stack, jsii.String(\"runners\"), &cloudsnorkelcdkgithubrunners.GitHubRunnersProps{})\n\n app.Synth(nil)\n }\n ```\n </details>\n <details><summary>.NET</summary>\n\n ### Install\n Available on [Nuget][12].\n ```bash\n dotnet add package CloudSnorkel.Cdk.Github.Runners\n ```\n ### Use\n ```csharp\n using Amazon.CDK;\n using CloudSnorkel;\n\n namespace Example\n {\n sealed class Program\n {\n public static void Main(string[] args)\n {\n var app = new App();\n var stack = new Stack(app, \"github-runners\");\n new GitHubRunners(stack, \"runners\");\n app.Synth();\n }\n }\n }\n ```\n </details>\n2. Use `GitHubRunners` construct in your code (starting with default arguments is fine)\n3. Deploy your stack\n4. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`\n ```\n βœ… github-runners-test\n\n ✨ Deployment time: 260.01s\n\n Outputs:\n github-runners-test.runnersstatuscommand4A30F0F5 = aws --region us-east-1 lambda invoke --function-name github-runners-test-runnersstatus1A5771C0-mvttg8oPQnQS status.json\n ```\n5. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file\n6. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token\n7. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK\n8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, codebuild]` (or non-default labels you set in step 2)\n9. If the action is not successful, see [troubleshooting](#Troubleshooting)\n\n[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)\n\n## Customizing\n\nThe default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. 
They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.\n\nFor example:\n\n```typescript\nlet vpc: ec2.Vpc;\nlet runnerSg: ec2.SecurityGroup;\nlet dbSg: ec2.SecurityGroup;\nlet bucket: s3.Bucket;\n\n// create a custom CodeBuild provider\nconst myProvider = new CodeBuildRunnerProvider(this, 'codebuild runner', {\n labels: ['my-codebuild'],\n vpc: vpc,\n securityGroups: [runnerSg],\n});\n// grant some permissions to the provider\nbucket.grantReadWrite(myProvider);\ndbSg.connections.allowFrom(runnerSg, ec2.Port.tcp(3306), 'allow runners to connect to MySQL database');\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n providers: [myProvider],\n});\n```\n\nAnother way to customize runners is by modifying the image used to spin them up. The image contains the [runner][5], any required dependencies, and integration code with the provider. You may choose to customize this image by adding more packages, for example.\n\n```typescript\nconst myBuilder = FargateRunnerProvider.imageBuilder(this, 'image builder');\nmyBuilder.addComponent(\n RunnerImageComponent.custom({ commands: ['apt install -y nginx xz-utils'] }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n labels: ['customized-fargate'],\n imageBuilder: myBuilder,\n});\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n providers: [myProvider],\n});\n```\n\nYour workflow will then look like:\n\n```yaml\nname: self-hosted example\non: push\njobs:\n self-hosted:\n runs-on: [self-hosted, customized-fargate]\n steps:\n - run: echo hello world\n```\n\nWindows images can also be customized the same way.\n\n```typescript\nconst myWindowsBuilder = FargateRunnerProvider.imageBuilder(this, 'Windows image builder', {\n architecture: Architecture.X86_64,\n os: Os.WINDOWS,\n});\nmyWindowsBuilder.addComponent(\n RunnerImageComponent.custom({\n name: 'Ninja',\n commands: 
[\n 'Invoke-WebRequest -UseBasicParsing -Uri \"https://github.com/ninja-build/ninja/releases/download/v1.11.1/ninja-win.zip\" -OutFile ninja.zip',\n 'Expand-Archive ninja.zip -DestinationPath C:\\\\actions',\n 'del ninja.zip',\n ],\n }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n labels: ['customized-windows-fargate'],\n imageBuilder: myWindowsBuilder,\n});\n\nnew GitHubRunners(this, 'runners', {\n providers: [myProvider],\n});\n```\n\nThe runner OS and architecture is determined by the image it is set to use. For example, to create a Fargate runner provider for ARM64 set the `architecture` property for the image builder to `Architecture.ARM64` in the image builder properties.\n\n```typescript\nnew GitHubRunners(this, 'runners', {\n providers: [\n new FargateRunnerProvider(this, 'fargate runner', {\n labels: ['arm64', 'fargate'],\n imageBuilder: FargateRunnerProvider.imageBuilder(this, 'image builder', {\n architecture: Architecture.ARM64,\n os: Os.LINUX_UBUNTU,\n }),\n }),\n ],\n});\n```\n\n### Composite Providers\n\nComposite providers allow you to combine multiple runner providers with different strategies. There are two types:\n\n**Fallback Strategy**: Try providers in order until one succeeds. Useful for trying spot instances first, then falling back to on-demand if spot capacity is unavailable.\n\n```typescript\n// Try spot instances first, fall back to on-demand if spot is unavailable\nconst ecsFallback = CompositeProvider.fallback(this, 'ECS Fallback', [\n new EcsRunnerProvider(this, 'ECS Spot', {\n labels: ['ecs', 'linux', 'x64'],\n spot: true,\n // ... other config\n }),\n new EcsRunnerProvider(this, 'ECS On-Demand', {\n labels: ['ecs', 'linux', 'x64'],\n spot: false,\n // ... other config\n }),\n]);\n\nnew GitHubRunners(this, 'runners', {\n providers: [ecsFallback],\n});\n```\n\n**Weighted Distribution Strategy**: Randomly select a provider based on weights. 
Useful for distributing load across multiple availability zones or instance types.\n\n```typescript\n// Distribute 60% of traffic to AZ-1, 40% to AZ-2\nconst distributedProvider = CompositeProvider.distribute(this, 'Fargate Distribution', [\n {\n weight: 3, // 3/(3+2) = 60%\n provider: new FargateRunnerProvider(this, 'Fargate AZ-1', {\n labels: ['fargate', 'linux', 'x64'],\n subnetSelection: vpc.selectSubnets({\n availabilityZones: [vpc.availabilityZones[0]],\n }),\n // ... other config\n }),\n },\n {\n weight: 2, // 2/(3+2) = 40%\n provider: new FargateRunnerProvider(this, 'Fargate AZ-2', {\n labels: ['fargate', 'linux', 'x64'],\n subnetSelection: vpc.selectSubnets({\n availabilityZones: [vpc.availabilityZones[1]],\n }),\n // ... other config\n }),\n },\n]);\n\nnew GitHubRunners(this, 'runners', {\n providers: [distributedProvider],\n});\n```\n\n**Important**: All providers in a composite must have the exact same labels. This ensures any provisioned runner can match the labels requested by the GitHub workflow job.\n\n### Custom Provider Selection\n\nBy default, providers are selected based on label matching: the first provider that has all the labels requested by the job is selected. You can customize this behavior using a provider selector Lambda function to:\n\n* Filter out certain jobs (prevent runner provisioning)\n* Dynamically select a provider based on job characteristics (repository, branch, time of day, etc.)\n* Customize labels for the runner (add, remove, or modify labels dynamically)\n\nThe selector function receives the full GitHub webhook payload, a map of all available providers and their labels, and the default provider/labels that would have been selected. 
It returns the provider to use (or `undefined` to skip runner creation) and the labels to assign to the runner.\n\n**Example: Route jobs to different providers based on repository**\n\n```typescript\nimport { ComputeType } from 'aws-cdk-lib/aws-codebuild';\nimport { Function, Code, Runtime } from 'aws-cdk-lib/aws-lambda';\nimport { GitHubRunners, CodeBuildRunnerProvider } from '@cloudsnorkel/cdk-github-runners';\n\nconst defaultProvider = new CodeBuildRunnerProvider(this, 'default', {\n labels: ['custom-runner', 'default'],\n});\nconst productionProvider = new CodeBuildRunnerProvider(this, 'production', {\n labels: ['custom-runner', 'production'],\n computeType: ComputeType.LARGE,\n});\n\nconst providerSelector = new Function(this, 'provider-selector', {\n runtime: Runtime.NODEJS_LATEST,\n handler: 'index.handler',\n code: Code.fromInline(`\n exports.handler = async (event) => {\n const { payload, providers, defaultProvider, defaultLabels } = event;\n\n // Route production repos to dedicated provider\n if (payload.repository.name.includes('prod')) {\n return {\n provider: '${productionProvider.node.path}',\n labels: ['custom-runner', 'production', 'modified-via-selector'],\n };\n }\n\n // Filter out draft PRs\n if (payload.workflow_job.head_branch?.startsWith('draft/')) {\n return { provider: undefined }; // Skip runner provisioning\n }\n\n // Use default for everything else\n return {\n provider: defaultProvider,\n labels: defaultLabels,\n };\n };\n `),\n});\n\nnew GitHubRunners(this, 'runners', {\n providers: [defaultProvider, productionProvider],\n providerSelector: providerSelector,\n});\n```\n\n**Example: Add dynamic labels based on job metadata**\n\n```typescript\nconst providerSelector = new Function(this, 'provider-selector', {\n runtime: Runtime.NODEJS_LATEST,\n handler: 'index.handler',\n code: Code.fromInline(`\n exports.handler = async (event) => {\n const { payload, defaultProvider, defaultLabels } = event;\n\n // Add branch name as a label\n const 
branch = payload.workflow_job.head_branch || 'unknown';\n const labels = [...(defaultLabels || []), 'branch:' + branch];\n\n return {\n provider: defaultProvider,\n labels: labels,\n };\n };\n `),\n});\n```\n\n**Important considerations:**\n\n* ⚠️ **Label matching responsibility**: You are responsible for ensuring the selected provider's labels match what the job requires. If labels don't match, the runner will be provisioned but GitHub Actions won't assign the job to it.\n* ⚠️ **No guarantee of assignment**: Provider selection only determines which provider will provision a runner. GitHub Actions may still route the job to any available runner with matching labels. For reliable provider assignment, consider repo-level runner registration (the default).\n* ⚑ **Performance**: The selector runs synchronously during webhook processing. Keep it fast and efficientβ€”the webhook has a 30-second timeout total.\n\n## Examples\n\nWe provide comprehensive examples in the [`examples/`](examples/) folder to help you get started quickly:\n\n### Getting Started\n- **[Simple CodeBuild](examples/typescript/simple-codebuild/)** - Basic setup with just a CodeBuild provider (also available in [Python](examples/python/simple-codebuild/))\n\n### Provider Configuration\n- **[Composite Provider](examples/typescript/composite-provider/)** - Fallback and weighted distribution strategies (also available in [Python](examples/python/composite-provider/))\n- **[Provider Selector](examples/typescript/provider-selector/)** - Custom provider selection with Lambda function (also available in [Python](examples/python/provider-selector/))\n- **[EC2 Windows Provider](examples/typescript/ec2-windows-provider/)** - EC2 configuration for Windows runners (also available in [Python](examples/python/ec2-windows-provider/))\n- **[Split Stacks](examples/typescript/split-stacks/)** - Split image builders and providers across multiple stacks (also available in [Python](examples/python/split-stacks/))\n\n### 
Compute & Performance\n- **[Compute Options](examples/typescript/compute-options/)** - Configure CPU, memory, and instance types for different providers (also available in [Python](examples/python/compute-options/))\n- **[Spot Instances](examples/typescript/spot-instances/)** - Use spot instances for cost savings across EC2, Fargate, and ECS (also available in [Python](examples/python/spot-instances/))\n- **[Storage Options](examples/typescript/storage-options/)** - Custom EBS storage options for EC2 runners (also available in [Python](examples/python/storage-options/))\n- **[ECS Scaling](examples/typescript/ecs-scaling/)** - Custom autoscaling group scaling policies for ECS providers (also available in [Python](examples/python/ecs-scaling/))\n\n### Security & Access\n- **[IAM Permissions](examples/typescript/iam-permissions/)** - Grant AWS IAM permissions to runners (also available in [Python](examples/python/iam-permissions/))\n- **[Network Access](examples/typescript/network-access/)** - Configure network access with VPCs and security groups (also available in [Python](examples/python/network-access/))\n- **[Access Control](examples/typescript/access-control/)** - Configure access control for webhook and setup functions (also available in [Python](examples/python/access-control/))\n\n### Customization\n- **[Add Software](examples/typescript/add-software/)** - Add custom software to runner images (also available in [Python](examples/python/add-software/))\n\n### Enterprise & Monitoring\n- **[GHES](examples/typescript/ghes/)** - Configure runners for GitHub Enterprise Server (also available in [Python](examples/python/ghes/))\n- **[Monitoring](examples/typescript/monitoring/)** - Set up CloudWatch alarms and SNS notifications (also available in [Python](examples/python/monitoring/))\n\nEach example is self-contained with its own dependencies and README. 
Start with the simple examples and work your way up to more advanced configurations.\n\nAnother good and very full example is the [integration test](test/default.integ.ts).\n\nIf you have more to share, please open a PR adding examples to the `examples` folder.\n\n## Architecture\n\n![Architecture diagram](architecture.svg)\n\n## Troubleshooting\n\nRunners are started in response to a webhook coming in from GitHub. If there are any issues starting the runner like missing capacity or transient API issues, the provider will keep retrying for 24 hours. Configuration issue related errors like pointing to a missing AMI will not be retried. GitHub itself will cancel the job if it can't find a runner for 24 hours. If your jobs don't start, follow the steps below to examine all parts of this workflow.\n\n1. Always start with the status function, make sure no errors are reported, and confirm all status codes are OK\n2. Make sure `runs-on` in the workflow matches the expected labels set in the runner provider\n3. Diagnose relevant executions of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`\n 1. If the execution failed, check your runner provider configuration for errors\n 2. If the execution is still running for a long time, check the execution events to see why runner starting is being retried\n 3. If there are no relevant executions, move to the next step\n4. Confirm the webhook Lambda was called by visiting the URL in `troubleshooting.webhookHandlerUrl` from `status.json`\n 1. If it's not called or logs errors, confirm the webhook settings on the GitHub side\n 2. If you see too many errors, make sure you're only sending `workflow_job` events\n5. 
When using GitHub app, make sure there are active installations in `github.auth.app.installations`\n\nAll logs are saved in CloudWatch.\n* Log group names can be found in `status.json` for each provider, image builder, and other parts of the system\n* Some useful Logs Insights queries can be enabled with `GitHubRunners.createLogsInsightsQueries()`\n\nTo get `status.json`, check out the CloudFormation stack output for a command that generates it. The command looks like:\n\n```\naws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json\n```\n\n## Monitoring\n\nThere are two important ways to monitor your runners:\n\n1. Make sure runners don't fail to start. When that happens, jobs may sit and wait. Use `GitHubRunners.metricFailed()` to get a metric for the number of failed runner starts. You should use this metric to trigger an alarm.\n2. Make sure runner images don't fail to build. Failed runner image builds mean you will get stuck with out-of-date software on your runners. It may lead to security vulnerabilities, or it may lead to slower runner start-ups as the runner software itself needs to be updated. Use `GitHubRunners.failedImageBuildsTopic()` to get SNS topic that gets notified of failed runner image builds. You should subscribe to this topic.\n\nOther useful metrics to track:\n\n1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.\n2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.\n\n## Contributing\n\nIf you use and love this project, please consider contributing.\n\n1. πŸͺ³ If you see something, say something. [Issues][16] help improve the quality of the project.\n * Include relevant logs and package versions for bugs.\n * When possible, describe the use-case behind feature requests.\n1. 
πŸ› οΈ [Pull requests][17] are welcome.\n * Run `npm run build` before submitting to make sure all tests pass.\n * Allow edits from maintainers so small adjustments can be made easily.\n1. πŸ’΅ Consider [sponsoring][15] the project to show your support and optionally get your name listed below.\n\n## Other Options\n\n1. [github-aws-runners/terraform-aws-github-runner][3] if you're using Terraform\n2. [actions/actions-runner-controller][4] if you're using Kubernetes\n\n\n[1]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners\n[2]: https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions\n[3]: https://github.com/github-aws-runners/terraform-aws-github-runner\n[4]: https://github.com/actions/actions-runner-controller\n[5]: https://github.com/actions/runner\n[6]: https://pypi.org/project/cloudsnorkel.cdk-github-runners\n[7]: https://www.npmjs.com/package/@cloudsnorkel/cdk-github-runners\n[8]: https://central.sonatype.com/artifact/com.cloudsnorkel/cdk.github.runners/\n[9]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps\n[10]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[11]: https://pkg.go.dev/github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n[12]: https://www.nuget.org/packages/CloudSnorkel.Cdk.Github.Runners/\n[13]: https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/\n[14]: https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling\n[15]: https://github.com/sponsors/CloudSnorkel\n[16]: https://github.com/CloudSnorkel/cdk-github-runners/issues\n[17]: https://github.com/CloudSnorkel/cdk-github-runners/pulls\n"
3861
+ "markdown": "# GitHub Self-Hosted Runners CDK Constructs\n\n[![NPM](https://img.shields.io/npm/v/@cloudsnorkel/cdk-github-runners?label=npm&logo=npm)][7]\n[![PyPI](https://img.shields.io/pypi/v/cloudsnorkel.cdk-github-runners?label=pypi&logo=pypi)][6]\n[![Maven Central](https://img.shields.io/maven-central/v/com.cloudsnorkel/cdk.github.runners.svg?label=Maven%20Central&logo=apachemaven)][8]\n[![Go](https://img.shields.io/github/v/tag/CloudSnorkel/cdk-github-runners?color=red&label=go&logo=go)][11]\n[![Nuget](https://img.shields.io/nuget/v/CloudSnorkel.Cdk.Github.Runners?color=red&&logo=nuget)][12]\n[![Release](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml/badge.svg)](https://github.com/CloudSnorkel/cdk-github-runners/actions/workflows/release.yml)\n[![Discord](https://img.shields.io/badge/Discord-5865F2?logo=discord&logoColor=white)][20]\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue)](https://github.com/CloudSnorkel/cdk-github-runners/blob/main/LICENSE)\n\nUse this CDK construct to create ephemeral [self-hosted GitHub runners][1] on-demand inside your AWS account.\n\n* 🧩 Easy to configure GitHub integration with a web-based interface\n* 🧠 Customizable runners with decent defaults\n* πŸƒπŸ» Multiple runner configurations controlled by labels\n* πŸ” Everything fully hosted in your account\n* πŸ”ƒ Automatically updated build environment with latest runner version\n\nSelf-hosted runners in AWS are useful when:\n\n* You need easy access to internal resources in your actions\n* You want to pre-install some software for your actions\n* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials][2] has more security controls)\n* You are using GitHub Enterprise Server\n\nEphemeral (or on-demand) runners are the [recommended way by GitHub][14] for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. 
You don't pay unless a job is running.\n\n## Table of Contents\n\n- [API](#api)\n- [Providers](#providers)\n- [Installation](#installation)\n- [Customizing](#customizing)\n - [Composite Providers](#composite-providers)\n - [Custom Provider Selection](#custom-provider-selection)\n- [Examples](#examples)\n- [Architecture](#architecture)\n- [Troubleshooting](#troubleshooting)\n- [Monitoring](#monitoring)\n- [Getting Help](#getting-help)\n- [Contributing](#contributing)\n- [Sponsors](#sponsors)\n- [Other Options](#other-options)\n\n## API\n\nThe best way to browse API documentation is on [Constructs Hub][13]. It is available in all supported programming languages.\n\n## Providers\n\nA runner provider creates compute resources on-demand and uses [actions/runner][5] to start a runner.\n\n| | EC2 | CodeBuild | Fargate | ECS | Lambda |\n|------------------|-------------------|----------------------------|----------------|----------------|---------------|\n| **Time limit** | Unlimited | 8 hours | Unlimited | Unlimited | 15 minutes |\n| **vCPUs** | Unlimited | 2, 4, 8, or 72 | 0.25 to 4 | Unlimited | 1 to 6 |\n| **RAM** | Unlimited | 3gb, 7gb, 15gb, or 145gb | 512mb to 30gb | Unlimited | 128mb to 10gb |\n| **Storage** | Unlimited | 50gb to 824gb | 20gb to 200gb | Unlimited | Up to 10gb |\n| **Architecture** | x86_64, ARM64 | x86_64, ARM64 | x86_64, ARM64 | x86_64, ARM64 | x86_64, ARM64 |\n| **sudo** | βœ” | βœ” | βœ” | βœ” | ❌ |\n| **Docker** | βœ” | βœ” (Linux only) | ❌ | βœ” | ❌ |\n| **Spot pricing** | βœ” | ❌ | βœ” | βœ” | ❌ |\n| **OS** | Linux, Windows | Linux, Windows | Linux, Windows | Linux, Windows | Linux |\n\nThe best provider to use mostly depends on your current infrastructure. When in doubt, CodeBuild is always a good choice. 
Execution history and logs are easy to view, and it has no restrictive limits unless you need to run for more than 8 hours.\n\n* EC2 is useful when you want runners to have complete access to the host\n* ECS is useful when you want to control the infrastructure, like leaving the runner host running for faster startups\n* Lambda is useful for short jobs that can work within time, size and readonly system constraints\n\nYou can also create your own provider by implementing `IRunnerProvider`.\n\n## Installation\n\n1. Install and use the appropriate package\n <details><summary>Python</summary>\n\n ### Install\n Available on [PyPI][6].\n ```bash\n pip install cloudsnorkel.cdk-github-runners\n ```\n ### Use\n ```python\n from aws_cdk import App, Stack\n from cloudsnorkel.cdk_github_runners import GitHubRunners\n\n app = App()\n stack = Stack(app, \"github-runners\")\n GitHubRunners(stack, \"runners\")\n\n app.synth()\n ```\n </details>\n <details><summary>TypeScript or JavaScript</summary>\n\n ### Install\n Available on [npm][7].\n ```bash\n npm i @cloudsnorkel/cdk-github-runners\n ```\n ### Use\n ```typescript\n import { App, Stack } from 'aws-cdk-lib';\n import { GitHubRunners } from '@cloudsnorkel/cdk-github-runners';\n\n const app = new App();\n const stack = new Stack(app, 'github-runners');\n new GitHubRunners(stack, 'runners');\n\n app.synth();\n ```\n </details>\n <details><summary>Java</summary>\n\n ### Install\n Available on [Maven][8].\n ```xml\n <dependency>\n <groupId>com.cloudsnorkel</groupId>\n <artifactId>cdk.github.runners</artifactId>\n </dependency>\n ```\n ### Use\n ```java\n import software.amazon.awscdk.App;\n import software.amazon.awscdk.Stack;\n import com.cloudsnorkel.cdk.github.runners.GitHubRunners;\n\n public class Example {\n public static void main(String[] args){\n App app = new App();\n Stack stack = new Stack(app, \"github-runners\");\n GitHubRunners.Builder.create(stack, \"runners\").build();\n\n app.synth();\n }\n }\n ```\n 
</details>\n <details><summary>Go</summary>\n\n ### Install\n Available on [GitHub][11].\n ```bash\n go get github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n ```\n ### Use\n ```go\n package main\n\n import (\n \"github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\"\n \"github.com/aws/aws-cdk-go/awscdk/v2\"\n \"github.com/aws/jsii-runtime-go\"\n )\n\n func main() {\n app := awscdk.NewApp(nil)\n stack := awscdk.NewStack(app, jsii.String(\"github-runners\"), &awscdk.StackProps{})\n cloudsnorkelcdkgithubrunners.NewGitHubRunners(stack, jsii.String(\"runners\"), &cloudsnorkelcdkgithubrunners.GitHubRunnersProps{})\n\n app.Synth(nil)\n }\n ```\n </details>\n <details><summary>.NET</summary>\n\n ### Install\n Available on [Nuget][12].\n ```bash\n dotnet add package CloudSnorkel.Cdk.Github.Runners\n ```\n ### Use\n ```csharp\n using Amazon.CDK;\n using CloudSnorkel;\n\n namespace Example\n {\n sealed class Program\n {\n public static void Main(string[] args)\n {\n var app = new App();\n var stack = new Stack(app, \"github-runners\");\n new GitHubRunners(stack, \"runners\");\n app.Synth();\n }\n }\n }\n ```\n </details>\n2. Use `GitHubRunners` construct in your code (starting with default arguments is fine)\n3. Deploy your stack\n4. Look for the status command output similar to `aws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json`\n ```\n βœ… github-runners-test\n\n ✨ Deployment time: 260.01s\n\n Outputs:\n github-runners-test.runnersstatuscommand4A30F0F5 = aws --region us-east-1 lambda invoke --function-name github-runners-test-runnersstatus1A5771C0-mvttg8oPQnQS status.json\n ```\n5. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file\n6. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token\n7. 
Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK\n8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, codebuild]` (or non-default labels you set in step 2)\n9. If the action is not successful, see [troubleshooting](#Troubleshooting)\n\n[![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)\n\n## Customizing\n\nThe default providers configured by `GitHubRunners` are useful for testing but probably not too much for actual production work. They run in the default VPC or no VPC and have no added IAM permissions. You would usually want to configure the providers yourself.\n\nFor example:\n\n```typescript\nlet vpc: ec2.Vpc;\nlet runnerSg: ec2.SecurityGroup;\nlet dbSg: ec2.SecurityGroup;\nlet bucket: s3.Bucket;\n\n// create a custom CodeBuild provider\nconst myProvider = new CodeBuildRunnerProvider(this, 'codebuild runner', {\n labels: ['my-codebuild'],\n vpc: vpc,\n securityGroups: [runnerSg],\n});\n// grant some permissions to the provider\nbucket.grantReadWrite(myProvider);\ndbSg.connections.allowFrom(runnerSg, ec2.Port.tcp(3306), 'allow runners to connect to MySQL database');\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n providers: [myProvider],\n});\n```\n\nAnother way to customize runners is by modifying the image used to spin them up. The image contains the [runner][5], any required dependencies, and integration code with the provider. 
You may choose to customize this image by adding more packages, for example.\n\n```typescript\nconst myBuilder = FargateRunnerProvider.imageBuilder(this, 'image builder');\nmyBuilder.addComponent(\n RunnerImageComponent.custom({ commands: ['apt install -y nginx xz-utils'] }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n labels: ['customized-fargate'],\n imageBuilder: myBuilder,\n});\n\n// create the runner infrastructure\nnew GitHubRunners(this, 'runners', {\n providers: [myProvider],\n});\n```\n\nYour workflow will then look like:\n\n```yaml\nname: self-hosted example\non: push\njobs:\n self-hosted:\n runs-on: [self-hosted, customized-fargate]\n steps:\n - run: echo hello world\n```\n\nWindows images can also be customized the same way.\n\n```typescript\nconst myWindowsBuilder = FargateRunnerProvider.imageBuilder(this, 'Windows image builder', {\n architecture: Architecture.X86_64,\n os: Os.WINDOWS,\n});\nmyWindowsBuilder.addComponent(\n RunnerImageComponent.custom({\n name: 'Ninja',\n commands: [\n 'Invoke-WebRequest -UseBasicParsing -Uri \"https://github.com/ninja-build/ninja/releases/download/v1.11.1/ninja-win.zip\" -OutFile ninja.zip',\n 'Expand-Archive ninja.zip -DestinationPath C:\\\\actions',\n 'del ninja.zip',\n ],\n }),\n);\n\nconst myProvider = new FargateRunnerProvider(this, 'fargate runner', {\n labels: ['customized-windows-fargate'],\n imageBuilder: myWindowsBuilder,\n});\n\nnew GitHubRunners(this, 'runners', {\n providers: [myProvider],\n});\n```\n\nThe runner OS and architecture is determined by the image it is set to use. 
For example, to create a Fargate runner provider for ARM64 set the `architecture` property for the image builder to `Architecture.ARM64` in the image builder properties.\n\n```typescript\nnew GitHubRunners(this, 'runners', {\n providers: [\n new FargateRunnerProvider(this, 'fargate runner', {\n labels: ['arm64', 'fargate'],\n imageBuilder: FargateRunnerProvider.imageBuilder(this, 'image builder', {\n architecture: Architecture.ARM64,\n os: Os.LINUX_UBUNTU,\n }),\n }),\n ],\n});\n```\n\n### Composite Providers\n\nComposite providers allow you to combine multiple runner providers with different strategies. There are two types:\n\n**Fallback Strategy**: Try providers in order until one succeeds. Useful for trying spot instances first, then falling back to on-demand if spot capacity is unavailable.\n\n```typescript\n// Try spot instances first, fall back to on-demand if spot is unavailable\nconst ecsFallback = CompositeProvider.fallback(this, 'ECS Fallback', [\n new EcsRunnerProvider(this, 'ECS Spot', {\n labels: ['ecs', 'linux', 'x64'],\n spot: true,\n // ... other config\n }),\n new EcsRunnerProvider(this, 'ECS On-Demand', {\n labels: ['ecs', 'linux', 'x64'],\n spot: false,\n // ... other config\n }),\n]);\n\nnew GitHubRunners(this, 'runners', {\n providers: [ecsFallback],\n});\n```\n\n**Weighted Distribution Strategy**: Randomly select a provider based on weights. Useful for distributing load across multiple availability zones or instance types.\n\n```typescript\n// Distribute 60% of traffic to AZ-1, 40% to AZ-2\nconst distributedProvider = CompositeProvider.distribute(this, 'Fargate Distribution', [\n {\n weight: 3, // 3/(3+2) = 60%\n provider: new FargateRunnerProvider(this, 'Fargate AZ-1', {\n labels: ['fargate', 'linux', 'x64'],\n subnetSelection: vpc.selectSubnets({\n availabilityZones: [vpc.availabilityZones[0]],\n }),\n // ... 
other config\n }),\n },\n {\n weight: 2, // 2/(3+2) = 40%\n provider: new FargateRunnerProvider(this, 'Fargate AZ-2', {\n labels: ['fargate', 'linux', 'x64'],\n subnetSelection: vpc.selectSubnets({\n availabilityZones: [vpc.availabilityZones[1]],\n }),\n // ... other config\n }),\n },\n]);\n\nnew GitHubRunners(this, 'runners', {\n providers: [distributedProvider],\n});\n```\n\n**Important**: All providers in a composite must have the exact same labels. This ensures any provisioned runner can match the labels requested by the GitHub workflow job.\n\n### Custom Provider Selection\n\nBy default, providers are selected based on label matching: the first provider that has all the labels requested by the job is selected. You can customize this behavior using a provider selector Lambda function to:\n\n* Filter out certain jobs (prevent runner provisioning)\n* Dynamically select a provider based on job characteristics (repository, branch, time of day, etc.)\n* Customize labels for the runner (add, remove, or modify labels dynamically)\n\nThe selector function receives the full GitHub webhook payload, a map of all available providers and their labels, and the default provider/labels that would have been selected. 
It returns the provider to use (or `undefined` to skip runner creation) and the labels to assign to the runner.\n\n**Example: Route jobs to different providers based on repository**\n\n```typescript\nimport { ComputeType } from 'aws-cdk-lib/aws-codebuild';\nimport { Function, Code, Runtime } from 'aws-cdk-lib/aws-lambda';\nimport { GitHubRunners, CodeBuildRunnerProvider } from '@cloudsnorkel/cdk-github-runners';\n\nconst defaultProvider = new CodeBuildRunnerProvider(this, 'default', {\n labels: ['custom-runner', 'default'],\n});\nconst productionProvider = new CodeBuildRunnerProvider(this, 'production', {\n labels: ['custom-runner', 'production'],\n computeType: ComputeType.LARGE,\n});\n\nconst providerSelector = new Function(this, 'provider-selector', {\n runtime: Runtime.NODEJS_LATEST,\n handler: 'index.handler',\n code: Code.fromInline(`\n exports.handler = async (event) => {\n const { payload, providers, defaultProvider, defaultLabels } = event;\n\n // Route production repos to dedicated provider\n if (payload.repository.name.includes('prod')) {\n return {\n provider: '${productionProvider.node.path}',\n labels: ['custom-runner', 'production', 'modified-via-selector'],\n };\n }\n\n // Filter out draft PRs\n if (payload.workflow_job.head_branch?.startsWith('draft/')) {\n return { provider: undefined }; // Skip runner provisioning\n }\n\n // Use default for everything else\n return {\n provider: defaultProvider,\n labels: defaultLabels,\n };\n };\n `),\n});\n\nnew GitHubRunners(this, 'runners', {\n providers: [defaultProvider, productionProvider],\n providerSelector: providerSelector,\n});\n```\n\n**Example: Add dynamic labels based on job metadata**\n\n```typescript\nconst providerSelector = new Function(this, 'provider-selector', {\n runtime: Runtime.NODEJS_LATEST,\n handler: 'index.handler',\n code: Code.fromInline(`\n exports.handler = async (event) => {\n const { payload, defaultProvider, defaultLabels } = event;\n\n // Add branch name as a label\n const 
branch = payload.workflow_job.head_branch || 'unknown';\n const labels = [...(defaultLabels || []), 'branch:' + branch];\n\n return {\n provider: defaultProvider,\n labels: labels,\n };\n };\n `),\n});\n```\n\n**Important considerations:**\n\n* ⚠️ **Label matching responsibility**: You are responsible for ensuring the selected provider's labels match what the job requires. If labels don't match, the runner will be provisioned but GitHub Actions won't assign the job to it.\n* ⚠️ **No guarantee of assignment**: Provider selection only determines which provider will provision a runner. GitHub Actions may still route the job to any available runner with matching labels. For reliable provider assignment, consider repo-level runner registration (the default).\n* ⚑ **Performance**: The selector runs synchronously during webhook processing. Keep it fast and efficientβ€”the webhook has a 30-second timeout total.\n\n## Examples\n\nWe provide comprehensive examples in the [`examples/`](examples/) folder to help you get started quickly:\n\n### Getting Started\n- **[Simple CodeBuild](examples/typescript/simple-codebuild/)** - Basic setup with just a CodeBuild provider (also available in [Python](examples/python/simple-codebuild/))\n\n### Provider Configuration\n- **[Composite Provider](examples/typescript/composite-provider/)** - Fallback and weighted distribution strategies (also available in [Python](examples/python/composite-provider/))\n- **[Provider Selector](examples/typescript/provider-selector/)** - Custom provider selection with Lambda function (also available in [Python](examples/python/provider-selector/))\n- **[EC2 Windows Provider](examples/typescript/ec2-windows-provider/)** - EC2 configuration for Windows runners (also available in [Python](examples/python/ec2-windows-provider/))\n- **[Split Stacks](examples/typescript/split-stacks/)** - Split image builders and providers across multiple stacks (also available in [Python](examples/python/split-stacks/))\n\n### 
Compute & Performance\n- **[Compute Options](examples/typescript/compute-options/)** - Configure CPU, memory, and instance types for different providers (also available in [Python](examples/python/compute-options/))\n- **[Spot Instances](examples/typescript/spot-instances/)** - Use spot instances for cost savings across EC2, Fargate, and ECS (also available in [Python](examples/python/spot-instances/))\n- **[Storage Options](examples/typescript/storage-options/)** - Custom EBS storage options for EC2 runners (also available in [Python](examples/python/storage-options/))\n- **[ECS Scaling](examples/typescript/ecs-scaling/)** - Custom autoscaling group scaling policies for ECS providers (also available in [Python](examples/python/ecs-scaling/))\n\n### Security & Access\n- **[IAM Permissions](examples/typescript/iam-permissions/)** - Grant AWS IAM permissions to runners (also available in [Python](examples/python/iam-permissions/))\n- **[Network Access](examples/typescript/network-access/)** - Configure network access with VPCs and security groups (also available in [Python](examples/python/network-access/))\n- **[Access Control](examples/typescript/access-control/)** - Configure access control for webhook and setup functions (also available in [Python](examples/python/access-control/))\n\n### Customization\n- **[Add Software](examples/typescript/add-software/)** - Add custom software to runner images (also available in [Python](examples/python/add-software/))\n\n### Enterprise & Monitoring\n- **[GHES](examples/typescript/ghes/)** - Configure runners for GitHub Enterprise Server (also available in [Python](examples/python/ghes/))\n- **[Monitoring](examples/typescript/monitoring/)** - Set up CloudWatch alarms and SNS notifications (also available in [Python](examples/python/monitoring/))\n\nEach example is self-contained with its own dependencies and README. 
Start with the simple examples and work your way up to more advanced configurations.\n\nAnother good and very full example is the [integration test](test/default.integ.ts).\n\nIf you have more to share, please open a PR adding examples to the `examples` folder.\n\n## Architecture\n\n![Architecture diagram](architecture.svg)\n\n## Troubleshooting\n\nRunners are started in response to a webhook coming in from GitHub. If there are any issues starting the runner like missing capacity or transient API issues, the provider will keep retrying for 24 hours. Configuration issue related errors like pointing to a missing AMI will not be retried. GitHub itself will cancel the job if it can't find a runner for 24 hours. If your jobs don't start, follow the steps below to examine all parts of this workflow.\n\n1. Always start with the status function, make sure no errors are reported, and confirm all status codes are OK\n2. Make sure `runs-on` in the workflow matches the expected labels set in the runner provider\n3. Diagnose relevant executions of the orchestrator step function by visiting the URL in `troubleshooting.stepFunctionUrl` from `status.json`\n 1. If the execution failed, check your runner provider configuration for errors\n 2. If the execution is still running for a long time, check the execution events to see why runner starting is being retried\n 3. If there are no relevant executions, move to the next step\n4. Confirm the webhook Lambda was called by visiting the URL in `troubleshooting.webhookHandlerUrl` from `status.json`\n 1. If it's not called or logs errors, confirm the webhook settings on the GitHub side\n 2. If you see too many errors, make sure you're only sending `workflow_job` events\n5. 
When using GitHub app, make sure there are active installations in `github.auth.app.installations`\n\nAll logs are saved in CloudWatch.\n* Log group names can be found in `status.json` for each provider, image builder, and other parts of the system\n* Some useful Logs Insights queries can be enabled with `GitHubRunners.createLogsInsightsQueries()`\n\nTo get `status.json`, check out the CloudFormation stack output for a command that generates it. The command looks like:\n\n```\naws --region us-east-1 lambda invoke --function-name status-XYZ123 status.json\n```\n\n## Monitoring\n\nThere are two important ways to monitor your runners:\n\n1. Make sure runners don't fail to start. When that happens, jobs may sit and wait. Use `GitHubRunners.metricFailed()` to get a metric for the number of failed runner starts. You should use this metric to trigger an alarm.\n2. Make sure runner images don't fail to build. Failed runner image builds mean you will get stuck with out-of-date software on your runners. It may lead to security vulnerabilities, or it may lead to slower runner start-ups as the runner software itself needs to be updated. Use `GitHubRunners.failedImageBuildsTopic()` to get SNS topic that gets notified of failed runner image builds. You should subscribe to this topic.\n\nOther useful metrics to track:\n\n1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.\n2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.\n\n## Getting Help\n\nNeed help? 
We're here for you!\n\n* πŸ’¬ **GitHub Discussions**: Ask questions, share ideas, or get help from the community by opening a [discussion][18]\n* πŸ› **GitHub Issues**: Report bugs or request features by opening an [issue][16]\n* πŸ’¬ **Discord**: Join our [Discord community][20] for real-time help and discussions\n\n## Contributing\n\nIf you use and love this project, please consider contributing.\n\n1. πŸͺ³ If you see something, say something. [Issues][16] help improve the quality of the project.\n * Include relevant logs and package versions for bugs.\n * When possible, describe the use-case behind feature requests.\n1. πŸ› οΈ [Pull requests][17] are welcome.\n * Run `npm run build` before submitting to make sure all tests pass.\n * Allow edits from maintainers so small adjustments can be made easily.\n1. πŸ’΅ Consider [sponsoring][15] the project to show your support and optionally get your name listed below.\n\n## Sponsors\n\nThanks to our generous sponsors who helped make this project possible!\n\n<table>\n <tr>\n <td align=\"center\">\n <a href=\"https://github.com/threat-down\">\n <img src=\"https://github.com/threat-down.png?size=100\" width=\"100\" height=\"100\" alt=\"ThreatDown\" />\n <br />\n <sub><b>ThreatDown</b></sub>\n </a>\n </td>\n <td align=\"center\">\n <a href=\"https://github.com/magicbell\">\n <img src=\"https://github.com/magicbell.png?size=100\" width=\"100\" height=\"100\" alt=\"MagicBell\" />\n <br />\n <sub><b>MagicBell</b></sub>\n </a>\n </td>\n <td align=\"center\">\n <a href=\"https://github.com/fragment-dev\">\n <img src=\"https://github.com/fragment-dev.png?size=100\" width=\"100\" height=\"100\" alt=\"Fragment\" />\n <br />\n <sub><b>Fragment</b></sub>\n </a>\n </td>\n <td align=\"center\">\n <a href=\"https://github.com/andresionek91\">\n <img src=\"https://github.com/andresionek91.png?size=100\" width=\"100\" height=\"100\" alt=\"Andre Sionek\" />\n <br />\n <sub><b>Andre Sionek</b></sub>\n </a>\n </td>\n </tr>\n</table>\n\n## 
Other Options\n\n1. [github-aws-runners/terraform-aws-github-runner][3] if you're using Terraform\n2. [actions/actions-runner-controller][4] if you're using Kubernetes\n\n\n[1]: https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners\n[2]: https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions\n[3]: https://github.com/github-aws-runners/terraform-aws-github-runner\n[4]: https://github.com/actions/actions-runner-controller\n[5]: https://github.com/actions/runner\n[6]: https://pypi.org/project/cloudsnorkel.cdk-github-runners\n[7]: https://www.npmjs.com/package/@cloudsnorkel/cdk-github-runners\n[8]: https://central.sonatype.com/artifact/com.cloudsnorkel/cdk.github.runners/\n[9]: https://docs.github.com/en/developers/apps/getting-started-with-apps/about-apps\n[10]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[11]: https://pkg.go.dev/github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners\n[12]: https://www.nuget.org/packages/CloudSnorkel.Cdk.Github.Runners/\n[13]: https://constructs.dev/packages/@cloudsnorkel/cdk-github-runners/\n[14]: https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling\n[15]: https://github.com/sponsors/CloudSnorkel\n[16]: https://github.com/CloudSnorkel/cdk-github-runners/issues\n[17]: https://github.com/CloudSnorkel/cdk-github-runners/pulls\n[18]: https://github.com/CloudSnorkel/cdk-github-runners/discussions\n[20]: https://discord.gg/vdrTUTqQKv\n"
3862
3862
  },
3863
3863
  "repository": {
3864
3864
  "type": "git",
@@ -9765,21 +9765,33 @@
9765
9765
  },
9766
9766
  "locationInModule": {
9767
9767
  "filename": "src/runner.ts",
9768
- "line": 902
9768
+ "line": 909
9769
9769
  },
9770
9770
  "name": "createLogsInsightsQueries"
9771
9771
  },
9772
9772
  {
9773
9773
  "docs": {
9774
- "remarks": "Runner images are rebuilt every week by default. This provides the latest GitHub Runner version and software updates.\n\nIf you want to be sure you are using the latest runner version, you can use this topic to be notified when a build fails.",
9774
+ "remarks": "Runner images are rebuilt every week by default. This provides the latest GitHub Runner version and software updates.\n\nIf you want to be sure you are using the latest runner version, you can use this topic to be notified when a build fails.\n\nWhen the image builder is defined in a separate stack (e.g. in a split-stacks setup), pass that stack or construct\nas the optional scope so the topic and failure-notification aspects are created in the same stack as the image\nbuilder. Otherwise the aspects may not find the image builder resources.",
9775
9775
  "stability": "experimental",
9776
9776
  "summary": "Creates a topic for notifications when a runner image build fails."
9777
9777
  },
9778
9778
  "locationInModule": {
9779
9779
  "filename": "src/runner.ts",
9780
- "line": 882
9780
+ "line": 888
9781
9781
  },
9782
9782
  "name": "failedImageBuildsTopic",
9783
+ "parameters": [
9784
+ {
9785
+ "docs": {
9786
+ "summary": "Optional scope (e.g. the image builder stack) where the topic and aspects will be created. Defaults to this construct."
9787
+ },
9788
+ "name": "scope",
9789
+ "optional": true,
9790
+ "type": {
9791
+ "fqn": "constructs.Construct"
9792
+ }
9793
+ }
9794
+ ],
9783
9795
  "returns": {
9784
9796
  "type": {
9785
9797
  "fqn": "aws-cdk-lib.aws_sns.Topic"
@@ -13934,7 +13946,7 @@
13934
13946
  "kind": "class",
13935
13947
  "locationInModule": {
13936
13948
  "filename": "src/image-builders/components.ts",
13937
- "line": 42
13949
+ "line": 73
13938
13950
  },
13939
13951
  "methods": [
13940
13952
  {
@@ -13944,9 +13956,21 @@
13944
13956
  },
13945
13957
  "locationInModule": {
13946
13958
  "filename": "src/image-builders/components.ts",
13947
- "line": 184
13959
+ "line": 217
13948
13960
  },
13949
13961
  "name": "awsCli",
13962
+ "parameters": [
13963
+ {
13964
+ "docs": {
13965
+ "summary": "Software version to install (e.g. '2.15.0'). Default: latest."
13966
+ },
13967
+ "name": "version",
13968
+ "optional": true,
13969
+ "type": {
13970
+ "primitive": "string"
13971
+ }
13972
+ }
13973
+ ],
13950
13974
  "returns": {
13951
13975
  "type": {
13952
13976
  "fqn": "@cloudsnorkel/cdk-github-runners.RunnerImageComponent"
@@ -13961,7 +13985,7 @@
13961
13985
  },
13962
13986
  "locationInModule": {
13963
13987
  "filename": "src/image-builders/components.ts",
13964
- "line": 110
13988
+ "line": 141
13965
13989
  },
13966
13990
  "name": "cloudWatchAgent",
13967
13991
  "returns": {
@@ -13979,7 +14003,7 @@
13979
14003
  },
13980
14004
  "locationInModule": {
13981
14005
  "filename": "src/image-builders/components.ts",
13982
- "line": 52
14006
+ "line": 83
13983
14007
  },
13984
14008
  "name": "custom",
13985
14009
  "parameters": [
@@ -14005,9 +14029,21 @@
14005
14029
  },
14006
14030
  "locationInModule": {
14007
14031
  "filename": "src/image-builders/components.ts",
14008
- "line": 402
14032
+ "line": 477
14009
14033
  },
14010
14034
  "name": "docker",
14035
+ "parameters": [
14036
+ {
14037
+ "docs": {
14038
+ "summary": "Software version to install (e.g. '29.1.5'). Default: latest. Only used on Windows; on Linux (Ubuntu, Amazon Linux 2 and Amazon Linux 2023) the package version format is not reliably predictable so latest is always used."
14039
+ },
14040
+ "name": "version",
14041
+ "optional": true,
14042
+ "type": {
14043
+ "primitive": "string"
14044
+ }
14045
+ }
14046
+ ],
14011
14047
  "returns": {
14012
14048
  "type": {
14013
14049
  "fqn": "@cloudsnorkel/cdk-github-runners.RunnerImageComponent"
@@ -14023,9 +14059,21 @@
14023
14059
  },
14024
14060
  "locationInModule": {
14025
14061
  "filename": "src/image-builders/components.ts",
14026
- "line": 480
14062
+ "line": 576
14027
14063
  },
14028
14064
  "name": "dockerInDocker",
14065
+ "parameters": [
14066
+ {
14067
+ "docs": {
14068
+ "summary": "Software version to install (e.g. '29.1.5'). Default: latest."
14069
+ },
14070
+ "name": "version",
14071
+ "optional": true,
14072
+ "type": {
14073
+ "primitive": "string"
14074
+ }
14075
+ }
14076
+ ],
14029
14077
  "returns": {
14030
14078
  "type": {
14031
14079
  "fqn": "@cloudsnorkel/cdk-github-runners.RunnerImageComponent"
@@ -14041,7 +14089,7 @@
14041
14089
  },
14042
14090
  "locationInModule": {
14043
14091
  "filename": "src/image-builders/components.ts",
14044
- "line": 597
14092
+ "line": 693
14045
14093
  },
14046
14094
  "name": "environmentVariables",
14047
14095
  "parameters": [
@@ -14072,7 +14120,7 @@
14072
14120
  },
14073
14121
  "locationInModule": {
14074
14122
  "filename": "src/image-builders/components.ts",
14075
- "line": 490
14123
+ "line": 586
14076
14124
  },
14077
14125
  "name": "extraCertificates",
14078
14126
  "parameters": [
@@ -14105,13 +14153,25 @@
14105
14153
  {
14106
14154
  "docs": {
14107
14155
  "stability": "experimental",
14108
- "summary": "A component to install the GitHub CLI."
14156
+ "summary": "A component to install Git."
14109
14157
  },
14110
14158
  "locationInModule": {
14111
14159
  "filename": "src/image-builders/components.ts",
14112
- "line": 263
14160
+ "line": 321
14113
14161
  },
14114
14162
  "name": "git",
14163
+ "parameters": [
14164
+ {
14165
+ "docs": {
14166
+ "summary": "Software version to install (e.g. '2.43.0.windows.1'). Default: latest. Only used on Windows; on Linux the package manager is used."
14167
+ },
14168
+ "name": "version",
14169
+ "optional": true,
14170
+ "type": {
14171
+ "primitive": "string"
14172
+ }
14173
+ }
14174
+ ],
14115
14175
  "returns": {
14116
14176
  "type": {
14117
14177
  "fqn": "@cloudsnorkel/cdk-github-runners.RunnerImageComponent"
@@ -14126,9 +14186,21 @@
14126
14186
  },
14127
14187
  "locationInModule": {
14128
14188
  "filename": "src/image-builders/components.ts",
14129
- "line": 220
14189
+ "line": 262
14130
14190
  },
14131
14191
  "name": "githubCli",
14192
+ "parameters": [
14193
+ {
14194
+ "docs": {
14195
+ "summary": "Software version to install (e.g. '2.40.0'). Default: latest. Only used on Windows (x64/windows_amd64); on Linux the package manager is used."
14196
+ },
14197
+ "name": "version",
14198
+ "optional": true,
14199
+ "type": {
14200
+ "primitive": "string"
14201
+ }
14202
+ }
14203
+ ],
14132
14204
  "returns": {
14133
14205
  "type": {
14134
14206
  "fqn": "@cloudsnorkel/cdk-github-runners.RunnerImageComponent"
@@ -14144,7 +14216,7 @@
14144
14216
  },
14145
14217
  "locationInModule": {
14146
14218
  "filename": "src/image-builders/components.ts",
14147
- "line": 307
14219
+ "line": 380
14148
14220
  },
14149
14221
  "name": "githubRunner",
14150
14222
  "parameters": [
@@ -14173,7 +14245,7 @@
14173
14245
  },
14174
14246
  "locationInModule": {
14175
14247
  "filename": "src/image-builders/components.ts",
14176
- "line": 554
14248
+ "line": 650
14177
14249
  },
14178
14250
  "name": "lambdaEntrypoint",
14179
14251
  "returns": {
@@ -14190,7 +14262,7 @@
14190
14262
  },
14191
14263
  "locationInModule": {
14192
14264
  "filename": "src/image-builders/components.ts",
14193
- "line": 77
14265
+ "line": 108
14194
14266
  },
14195
14267
  "name": "requiredPackages",
14196
14268
  "returns": {
@@ -14207,7 +14279,7 @@
14207
14279
  },
14208
14280
  "locationInModule": {
14209
14281
  "filename": "src/image-builders/components.ts",
14210
- "line": 153
14282
+ "line": 184
14211
14283
  },
14212
14284
  "name": "runnerUser",
14213
14285
  "returns": {
@@ -14225,7 +14297,7 @@
14225
14297
  },
14226
14298
  "locationInModule": {
14227
14299
  "filename": "src/image-builders/components.ts",
14228
- "line": 634
14300
+ "line": 730
14229
14301
  },
14230
14302
  "name": "getAssets",
14231
14303
  "parameters": [
@@ -14262,7 +14334,7 @@
14262
14334
  },
14263
14335
  "locationInModule": {
14264
14336
  "filename": "src/image-builders/components.ts",
14265
- "line": 629
14337
+ "line": 725
14266
14338
  },
14267
14339
  "name": "getCommands",
14268
14340
  "parameters": [
@@ -14298,7 +14370,7 @@
14298
14370
  },
14299
14371
  "locationInModule": {
14300
14372
  "filename": "src/image-builders/components.ts",
14301
- "line": 643
14373
+ "line": 739
14302
14374
  },
14303
14375
  "name": "getDockerCommands",
14304
14376
  "parameters": [
@@ -14333,7 +14405,7 @@
14333
14405
  },
14334
14406
  "locationInModule": {
14335
14407
  "filename": "src/image-builders/components.ts",
14336
- "line": 650
14408
+ "line": 746
14337
14409
  },
14338
14410
  "name": "shouldReboot",
14339
14411
  "parameters": [
@@ -14369,7 +14441,7 @@
14369
14441
  "immutable": true,
14370
14442
  "locationInModule": {
14371
14443
  "filename": "src/image-builders/components.ts",
14372
- "line": 624
14444
+ "line": 720
14373
14445
  },
14374
14446
  "name": "name",
14375
14447
  "type": {
@@ -15431,6 +15503,6 @@
15431
15503
  "symbolId": "src/image-builders/aws-image-builder/deprecated/windows-components:WindowsComponents"
15432
15504
  }
15433
15505
  },
15434
- "version": "0.14.22",
15435
- "fingerprint": "mCYvlyOxAFOZMBmW79uTiGH8rhQ9x1oCJpBAET46Zjo="
15506
+ "version": "0.14.23",
15507
+ "fingerprint": "k/cf/LtmtGrjO9Wb3LPmW/SG5vve+R83JPKDGMJvZus="
15436
15508
  }
package/API.md CHANGED
@@ -3447,7 +3447,7 @@ Creates CloudWatch Logs Insights saved queries that can be used to debug issues
3447
3447
  ##### `failedImageBuildsTopic` <a name="failedImageBuildsTopic" id="@cloudsnorkel/cdk-github-runners.GitHubRunners.failedImageBuildsTopic"></a>
3448
3448
 
3449
3449
  ```typescript
3450
- public failedImageBuildsTopic(): Topic
3450
+ public failedImageBuildsTopic(scope?: Construct): Topic
3451
3451
  ```
3452
3452
 
3453
3453
  Creates a topic for notifications when a runner image build fails.
@@ -3456,6 +3456,18 @@ Runner images are rebuilt every week by default. This provides the latest GitHub
3456
3456
 
3457
3457
  If you want to be sure you are using the latest runner version, you can use this topic to be notified when a build fails.
3458
3458
 
3459
+ When the image builder is defined in a separate stack (e.g. in a split-stacks setup), pass that stack or construct
3460
+ as the optional scope so the topic and failure-notification aspects are created in the same stack as the image
3461
+ builder. Otherwise the aspects may not find the image builder resources.
3462
+
3463
+ ###### `scope`<sup>Optional</sup> <a name="scope" id="@cloudsnorkel/cdk-github-runners.GitHubRunners.failedImageBuildsTopic.parameter.scope"></a>
3464
+
3465
+ - *Type:* constructs.Construct
3466
+
3467
+ Optional scope (e.g. the image builder stack) where the topic and aspects will be created. Defaults to this construct.
3468
+
3469
+ ---
3470
+
3459
3471
  ##### `metricFailed` <a name="metricFailed" id="@cloudsnorkel/cdk-github-runners.GitHubRunners.metricFailed"></a>
3460
3472
 
3461
3473
  ```typescript
@@ -10437,7 +10449,7 @@ Returns true if the image builder should be rebooted after this component is ins
10437
10449
  | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.dockerInDocker">dockerInDocker</a></code> | A component to install Docker-in-Docker. |
10438
10450
  | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.environmentVariables">environmentVariables</a></code> | A component to add environment variables for jobs the runner executes. |
10439
10451
  | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.extraCertificates">extraCertificates</a></code> | A component to add a trusted certificate authority. |
10440
- | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.git">git</a></code> | A component to install the GitHub CLI. |
10452
+ | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.git">git</a></code> | A component to install Git. |
10441
10453
  | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.githubCli">githubCli</a></code> | A component to install the GitHub CLI. |
10442
10454
  | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.githubRunner">githubRunner</a></code> | A component to install the GitHub Actions Runner. |
10443
10455
  | <code><a href="#@cloudsnorkel/cdk-github-runners.RunnerImageComponent.lambdaEntrypoint">lambdaEntrypoint</a></code> | A component to set up the required Lambda entrypoint for Lambda runners. |
@@ -10451,11 +10463,19 @@ Returns true if the image builder should be rebooted after this component is ins
10451
10463
  ```typescript
10452
10464
  import { RunnerImageComponent } from '@cloudsnorkel/cdk-github-runners'
10453
10465
 
10454
- RunnerImageComponent.awsCli()
10466
+ RunnerImageComponent.awsCli(version?: string)
10455
10467
  ```
10456
10468
 
10457
10469
  A component to install the AWS CLI.
10458
10470
 
10471
+ ###### `version`<sup>Optional</sup> <a name="version" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.awsCli.parameter.version"></a>
10472
+
10473
+ - *Type:* string
10474
+
10475
+ Software version to install (e.g. '2.15.0'). Default: latest.
10476
+
10477
+ ---
10478
+
10459
10479
  ##### `cloudWatchAgent` <a name="cloudWatchAgent" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.cloudWatchAgent"></a>
10460
10480
 
10461
10481
  ```typescript
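Review bot: the new `version` description for `awsCli` gives only an example ('2.15.0') and "Default: latest", but does not state the accepted format (exact release only, with or without a `v` prefix, no ranges) or what happens when the requested version does not exist. If a missing version falls back to latest instead of failing the image build, a user who pinned the CLI for reproducible runner images would get an unpinned install with no signal; suggest documenting that the build fails on an unknown version, or changing the behaviour so it does.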
@@ -10493,23 +10513,39 @@ Use this to customize the image for the runner.
10493
10513
  ```typescript
10494
10514
  import { RunnerImageComponent } from '@cloudsnorkel/cdk-github-runners'
10495
10515
 
10496
- RunnerImageComponent.docker()
10516
+ RunnerImageComponent.docker(version?: string)
10497
10517
  ```
10498
10518
 
10499
10519
  A component to install Docker.
10500
10520
 
10501
10521
  On Windows this sets up dockerd for Windows containers without Docker Desktop. If you need Linux containers on Windows, you'll need to install Docker Desktop which doesn't seem to play well with servers (PRs welcome).
10502
10522
 
10523
+ ###### `version`<sup>Optional</sup> <a name="version" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.docker.parameter.version"></a>
10524
+
10525
+ - *Type:* string
10526
+
10527
+ Software version to install (e.g. '29.1.5'). Default: latest. Only used on Windows; on Linux (Ubuntu, Amazon Linux 2 and Amazon Linux 2023) the package version format is not reliably predictable so latest is always used.
10528
+
10529
+ ---
10530
+
10503
10531
  ##### ~~`dockerInDocker`~~ <a name="dockerInDocker" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.dockerInDocker"></a>
10504
10532
 
10505
10533
  ```typescript
10506
10534
  import { RunnerImageComponent } from '@cloudsnorkel/cdk-github-runners'
10507
10535
 
10508
- RunnerImageComponent.dockerInDocker()
10536
+ RunnerImageComponent.dockerInDocker(version?: string)
10509
10537
  ```
10510
10538
 
10511
10539
  A component to install Docker-in-Docker.
10512
10540
 
10541
+ ###### `version`<sup>Optional</sup> <a name="version" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.dockerInDocker.parameter.version"></a>
10542
+
10543
+ - *Type:* string
10544
+
10545
+ Software version to install (e.g. '29.1.5'). Default: latest.
10546
+
10547
+ ---
10548
+
10513
10549
  ##### `environmentVariables` <a name="environmentVariables" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.environmentVariables"></a>
10514
10550
 
10515
10551
  ```typescript
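Review bot: the `docker` `version` parameter is documented as "Only used on Windows; on Linux ... latest is always used", so a caller who passes a version on a Linux image gets it silently ignored. Suggest surfacing this at synth time (an `Annotations` warning or an error when `version` is set for a Linux image) rather than only in the doc string, since a pinned-but-ignored version gives a false sense of reproducibility. Also, the `dockerInDocker` `version` description in the same hunk says just "Default: latest." with no Linux caveat; either it is honoured on Linux there (then say so) or the same caveat is missing and should be added for consistency.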
@@ -10565,21 +10601,37 @@ unique certificate name to be used on runner file system.
10565
10601
  ```typescript
10566
10602
  import { RunnerImageComponent } from '@cloudsnorkel/cdk-github-runners'
10567
10603
 
10568
- RunnerImageComponent.git()
10604
+ RunnerImageComponent.git(version?: string)
10569
10605
  ```
10570
10606
 
10571
- A component to install the GitHub CLI.
10607
+ A component to install Git.
10608
+
10609
+ ###### `version`<sup>Optional</sup> <a name="version" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.git.parameter.version"></a>
10610
+
10611
+ - *Type:* string
10612
+
10613
+ Software version to install (e.g. '2.43.0.windows.1'). Default: latest. Only used on Windows; on Linux the package manager is used.
10614
+
10615
+ ---
10572
10616
 
10573
10617
  ##### `githubCli` <a name="githubCli" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.githubCli"></a>
10574
10618
 
10575
10619
  ```typescript
10576
10620
  import { RunnerImageComponent } from '@cloudsnorkel/cdk-github-runners'
10577
10621
 
10578
- RunnerImageComponent.githubCli()
10622
+ RunnerImageComponent.githubCli(version?: string)
10579
10623
  ```
10580
10624
 
10581
10625
  A component to install the GitHub CLI.
10582
10626
 
10627
+ ###### `version`<sup>Optional</sup> <a name="version" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.githubCli.parameter.version"></a>
10628
+
10629
+ - *Type:* string
10630
+
10631
+ Software version to install (e.g. '2.40.0'). Default: latest. Only used on Windows (x64/windows_amd64); on Linux the package manager is used.
10632
+
10633
+ ---
10634
+
10583
10635
  ##### `githubRunner` <a name="githubRunner" id="@cloudsnorkel/cdk-github-runners.RunnerImageComponent.githubRunner"></a>
10584
10636
 
10585
10637
  ```typescript
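Review bot: the `git` example ('2.43.0.windows.1') is the Git for Windows release tag format, which differs from the plain semver used by the other components; the description should state that the Git for Windows tag format is required so callers do not pass '2.43.0' and get a download failure. For `githubCli`, "(x64/windows_amd64)" implies the parameter is also ignored on non-x64 Windows; say that explicitly, and as with the `docker` hunk, consider a synth-time warning when `version` is supplied on a platform where it is documented to be ignored, so pinning never fails silently.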