cloudsnorkel.cdk-github-runners 0.12.0__py3-none-any.whl → 0.14.15__py3-none-any.whl

cloudsnorkel/cdk_github_runners/__init__.py

@@ -1,4 +1,4 @@
-'''
+r'''
 # GitHub Self-Hosted Runners CDK Constructs
 
 [![NPM](https://img.shields.io/npm/v/@cloudsnorkel/cdk-github-runners?label=npm&logo=npm)](https://www.npmjs.com/package/@cloudsnorkel/cdk-github-runners)
@@ -11,17 +11,17 @@
 
 Use this CDK construct to create ephemeral [self-hosted GitHub runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) on-demand inside your AWS account.
 
-* Easy to configure GitHub integration with a web-based interface
-* Customizable runners with decent defaults
-* Multiple runner configurations controlled by labels
-* Everything fully hosted in your account
-* Automatically updated build environment with latest runner version
+* 🧩 Easy to configure GitHub integration with a web-based interface
+* 🧠 Customizable runners with decent defaults
+* 🏃🏻 Multiple runner configurations controlled by labels
+* 🔐 Everything fully hosted in your account
+* 🔃 Automatically updated build environment with latest runner version
 
 Self-hosted runners in AWS are useful when:
 
 * You need easy access to internal resources in your actions
 * You want to pre-install some software for your actions
-* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials](https://github.com/marketplace/actions/configure-aws-credentials-for-github-actions) has more security controls)
+* You want to provide some basic AWS API access (but [aws-actions/configure-aws-credentials](https://github.com/marketplace/actions/configure-aws-credentials-action-for-github-actions) has more security controls)
 * You are using GitHub Enterprise Server
 
 Ephemeral (or on-demand) runners are the [recommended way by GitHub](https://docs.github.com/en/actions/hosting-your-own-runners/autoscaling-with-self-hosted-runners#using-ephemeral-runners-for-autoscaling) for auto-scaling, and they make sure all jobs run with a clean image. Runners are started on-demand. You don't pay unless a job is running.
@@ -71,9 +71,14 @@ You can also create your own provider by implementing `IRunnerProvider`.
    ### Use
 
    ```python
+   from aws_cdk import App, Stack
    from cloudsnorkel.cdk_github_runners import GitHubRunners
 
-   GitHubRunners(self, "runners")
+   app = App()
+   stack = Stack(app, "github-runners")
+   GitHubRunners(stack, "runners")
+
+   app.synth()
    ```
 
    </details>
@@ -90,9 +95,14 @@ You can also create your own provider by implementing `IRunnerProvider`.
    ### Use
 
    ```python
+   import { App, Stack } from 'aws-cdk-lib';
    import { GitHubRunners } from '@cloudsnorkel/cdk-github-runners';
 
-   new GitHubRunners(this, "runners");
+   const app = new App();
+   const stack = new Stack(app, 'github-runners');
+   new GitHubRunners(stack, 'runners');
+
+   app.synth();
    ```
 
    </details>
@@ -112,9 +122,19 @@ You can also create your own provider by implementing `IRunnerProvider`.
    ### Use
 
    ```java
+   import software.amazon.awscdk.App;
+   import software.amazon.awscdk.Stack;
    import com.cloudsnorkel.cdk.github.runners.GitHubRunners;
 
-   GitHubRunners.Builder.create(this, "runners").build();
+   public class Example {
+     public static void main(String[] args){
+       App app = new App();
+       Stack stack = new Stack(app, "github-runners");
+       GitHubRunners.Builder.create(stack, "runners").build();
+
+       app.synth();
+     }
+   }
    ```
 
    </details>
@@ -131,9 +151,21 @@ You can also create your own provider by implementing `IRunnerProvider`.
    ### Use
 
    ```go
-   import "github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners"
+   package main
+
+   import (
+     "github.com/CloudSnorkel/cdk-github-runners-go/cloudsnorkelcdkgithubrunners"
+     "github.com/aws/aws-cdk-go/awscdk/v2"
+     "github.com/aws/jsii-runtime-go"
+   )
+
+   func main() {
+     app := awscdk.NewApp(nil)
+     stack := awscdk.NewStack(app, jsii.String("github-runners"), &awscdk.StackProps{})
+     cloudsnorkelcdkgithubrunners.NewGitHubRunners(stack, jsii.String("runners"), &cloudsnorkelcdkgithubrunners.GitHubRunnersProps{})
 
-   NewGitHubRunners(this, jsii.String("runners"))
+     app.Synth(nil)
+   }
    ```
 
    </details>
@@ -150,9 +182,22 @@ You can also create your own provider by implementing `IRunnerProvider`.
    ### Use
 
    ```csharp
+   using Amazon.CDK;
    using CloudSnorkel;
 
-   new GitHubRunners(this, "runners");
+   namespace Example
+   {
+     sealed class Program
+     {
+       public static void Main(string[] args)
+       {
+         var app = new App();
+         var stack = new Stack(app, "github-runners");
+         new GitHubRunners(stack, "runners");
+         app.Synth();
+       }
+     }
+   }
    ```
 
    </details>
@@ -171,7 +216,7 @@ You can also create your own provider by implementing `IRunnerProvider`.
 5. Execute the status command (you may need to specify `--profile` too) and open the resulting `status.json` file
 6. Open the URL in `github.setup.url` from `status.json` or [manually setup GitHub](SETUP_GITHUB.md) integration as an app or with personal access token
 7. Run status command again to confirm `github.auth.status` and `github.webhook.status` are OK
-8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, linux, codebuild]` or similar
+8. Trigger a GitHub action that has a `self-hosted` label with `runs-on: [self-hosted, codebuild]` (or non-default labels you set in step 2)
 9. If the action is not successful, see [troubleshooting](#Troubleshooting)
 
 [![Demo](demo-thumbnail.jpg)](https://youtu.be/wlyv_3V8lIw)
@@ -279,6 +324,12 @@ new GitHubRunners(this, 'runners', {
 });
 ```
 
+## Examples
+
+Beyond the code snippets above, the fullest example available is the [integration test](test/default.integ.ts).
+
+If you have more to share, please open a PR adding them to the `examples` folder.
+
 ## Architecture
 
 ![Architecture diagram](architecture.svg)
@@ -323,11 +374,28 @@ Other useful metrics to track:
 1. Use `GitHubRunners.metricJobCompleted()` to get a metric for the number of completed jobs broken down by labels and job success.
 2. Use `GitHubRunners.metricTime()` to get a metric for the total time a runner is running. This includes the overhead of starting the runner.
 
+## Contributing
+
+If you use and love this project, please consider contributing.
+
+1. 🪳 If you see something, say something. [Issues](https://github.com/CloudSnorkel/cdk-github-runners/issues) help improve the quality of the project.
+
+   * Include relevant logs and package versions for bugs.
+   * When possible, describe the use-case behind feature requests.
+2. 🛠️ [Pull requests](https://github.com/CloudSnorkel/cdk-github-runners/pulls) are welcome.
+
+   * Run `npm run build` before submitting to make sure all tests pass.
+   * Allow edits from maintainers so small adjustments can be made easily.
+3. 💵 Consider [sponsoring](https://github.com/sponsors/CloudSnorkel) the project to show your support and optionally get your name listed below.
+
 ## Other Options
 
 1. [philips-labs/terraform-aws-github-runner](https://github.com/philips-labs/terraform-aws-github-runner) if you're using Terraform
 2. [actions/actions-runner-controller](https://github.com/actions/actions-runner-controller) if you're using Kubernetes
 '''
+from pkgutil import extend_path
+__path__ = extend_path(__path__, __name__)
+
 import abc
 import builtins
 import datetime
@@ -338,7 +406,22 @@ import jsii
 import publication
 import typing_extensions
 
-from typeguard import check_type
+import typeguard
+from importlib.metadata import version as _metadata_package_version
+TYPEGUARD_MAJOR_VERSION = int(_metadata_package_version('typeguard').split('.')[0])
+
+def check_type(argname: str, value: object, expected_type: typing.Any) -> typing.Any:
+    if TYPEGUARD_MAJOR_VERSION <= 2:
+        return typeguard.check_type(argname=argname, value=value, expected_type=expected_type) # type:ignore
+    else:
+        if isinstance(value, jsii._reference_map.InterfaceDynamicProxy): # pyright: ignore [reportAttributeAccessIssue]
+           pass
+        else:
+            if TYPEGUARD_MAJOR_VERSION == 3:
+                typeguard.config.collection_check_strategy = typeguard.CollectionCheckStrategy.ALL_ITEMS # type:ignore
+                typeguard.check_type(value=value, expected_type=expected_type) # type:ignore
+            else:
+                typeguard.check_type(value=value, expected_type=expected_type, collection_check_strategy=typeguard.CollectionCheckStrategy.ALL_ITEMS) # type:ignore
 
 from ._jsii import *
 
@@ -398,7 +481,7 @@ class AmiBuilderProps:
 
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param install_docker: (experimental) Install Docker inside the image, so it can be used by the runner. Default: true
-        :param instance_type: (experimental) The instance type used to build the image. Default: m5.large
+        :param instance_type: (experimental) The instance type used to build the image. Default: m6i.large
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX
@@ -479,7 +562,7 @@ class AmiBuilderProps:
     def instance_type(self) -> typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType]:
         '''(experimental) The instance type used to build the image.
 
-        :default: m5.large
+        :default: m6i.large
 
         :stability: experimental
         '''
@@ -809,37 +892,79 @@ class Architecture(
 @jsii.data_type(
     jsii_type="@cloudsnorkel/cdk-github-runners.AwsImageBuilderRunnerImageBuilderProps",
     jsii_struct_bases=[],
-    name_mapping={"instance_type": "instanceType"},
+    name_mapping={
+        "fast_launch_options": "fastLaunchOptions",
+        "instance_type": "instanceType",
+        "storage_size": "storageSize",
+    },
 )
 class AwsImageBuilderRunnerImageBuilderProps:
     def __init__(
         self,
         *,
+        fast_launch_options: typing.Optional[typing.Union["FastLaunchOptions", typing.Dict[builtins.str, typing.Any]]] = None,
         instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
+        storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
     ) -> None:
         '''
-        :param instance_type: (experimental) The instance type used to build the image. Default: m5.large
+        :param fast_launch_options: (experimental) Options for fast launch. This is only supported for Windows AMIs. Default: disabled
+        :param instance_type: (experimental) The instance type used to build the image. Default: m6i.large
+        :param storage_size: (experimental) Size of volume available for builder instances. This modifies the boot volume size and doesn't add any additional volumes. Use this if you're building images with big components and need more space. Default: default size for AMI (usually 30GB for Linux and 50GB for Windows)
 
         :stability: experimental
         '''
+        if isinstance(fast_launch_options, dict):
+            fast_launch_options = FastLaunchOptions(**fast_launch_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__fe17585d38b67015c3f03db2aefab095f171e0e0900c9a4564679bbc5a29fd07)
+            check_type(argname="argument fast_launch_options", value=fast_launch_options, expected_type=type_hints["fast_launch_options"])
             check_type(argname="argument instance_type", value=instance_type, expected_type=type_hints["instance_type"])
+            check_type(argname="argument storage_size", value=storage_size, expected_type=type_hints["storage_size"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if fast_launch_options is not None:
+            self._values["fast_launch_options"] = fast_launch_options
         if instance_type is not None:
             self._values["instance_type"] = instance_type
+        if storage_size is not None:
+            self._values["storage_size"] = storage_size
+
+    @builtins.property
+    def fast_launch_options(self) -> typing.Optional["FastLaunchOptions"]:
+        '''(experimental) Options for fast launch.
+
+        This is only supported for Windows AMIs.
+
+        :default: disabled
+
+        :stability: experimental
+        '''
+        result = self._values.get("fast_launch_options")
+        return typing.cast(typing.Optional["FastLaunchOptions"], result)
 
     @builtins.property
     def instance_type(self) -> typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType]:
         '''(experimental) The instance type used to build the image.
 
-        :default: m5.large
+        :default: m6i.large
 
         :stability: experimental
         '''
         result = self._values.get("instance_type")
         return typing.cast(typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType], result)
 
+    @builtins.property
+    def storage_size(self) -> typing.Optional[_aws_cdk_ceddda9d.Size]:
+        '''(experimental) Size of volume available for builder instances. This modifies the boot volume size and doesn't add any additional volumes.
+
+        Use this if you're building images with big components and need more space.
+
+        :default: default size for AMI (usually 30GB for Linux and 50GB for Windows)
+
+        :stability: experimental
+        '''
+        result = self._values.get("storage_size")
+        return typing.cast(typing.Optional[_aws_cdk_ceddda9d.Size], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -1157,7 +1282,7 @@ class CodeBuildRunnerImageBuilderProps:
         timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     ) -> None:
         '''
-        :param build_image: (experimental) Build image to use in CodeBuild. This is the image that's going to run the code that builds the runner image. The only action taken in CodeBuild is running ``docker build``. You would therefore not need to change this setting often. Default: Ubuntu 22.04 for x64 and Amazon Linux 2 for ARM64
+        :param build_image: (experimental) Build image to use in CodeBuild. This is the image that's going to run the code that builds the runner image. The only action taken in CodeBuild is running ``docker build``. You would therefore not need to change this setting often. Default: Amazon Linux 2023
         :param compute_type: (experimental) The type of compute to use for this build. See the {@link ComputeType} enum for the possible values. Default: {@link ComputeType#SMALL }
         :param timeout: (experimental) The number of minutes after which AWS CodeBuild stops the build if it's not complete. For valid values, see the timeoutInMinutes field in the AWS CodeBuild User Guide. Default: Duration.hours(1)
 
@@ -1186,7 +1311,7 @@ class CodeBuildRunnerImageBuilderProps:
 
         The only action taken in CodeBuild is running ``docker build``. You would therefore not need to change this setting often.
 
-        :default: Ubuntu 22.04 for x64 and Amazon Linux 2 for ARM64
+        :default: Amazon Linux 2023
 
         :stability: experimental
         '''
@@ -1272,7 +1397,7 @@ class ContainerImageBuilderProps:
         '''(experimental) Properties for ContainerImageBuilder construct.
 
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
-        :param instance_type: (experimental) The instance type used to build the image. Default: m5.large
+        :param instance_type: (experimental) The instance type used to build the image. Default: m6i.large
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX
@@ -1343,7 +1468,7 @@ class ContainerImageBuilderProps:
     def instance_type(self) -> typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType]:
         '''(experimental) The instance type used to build the image.
 
-        :default: m5.large
+        :default: m6i.large
 
         :stability: experimental
         '''
@@ -1496,6 +1621,96 @@ class ContainerImageBuilderProps:
         )
 
 
+@jsii.data_type(
+    jsii_type="@cloudsnorkel/cdk-github-runners.FastLaunchOptions",
+    jsii_struct_bases=[],
+    name_mapping={
+        "enabled": "enabled",
+        "max_parallel_launches": "maxParallelLaunches",
+        "target_resource_count": "targetResourceCount",
+    },
+)
+class FastLaunchOptions:
+    def __init__(
+        self,
+        *,
+        enabled: typing.Optional[builtins.bool] = None,
+        max_parallel_launches: typing.Optional[jsii.Number] = None,
+        target_resource_count: typing.Optional[jsii.Number] = None,
+    ) -> None:
+        '''(experimental) Options for fast launch.
+
+        :param enabled: (experimental) Enable fast launch for AMIs generated by this builder. It creates a snapshot of the root volume and uses it to launch new instances faster. This is only supported for Windows AMIs. Default: false
+        :param max_parallel_launches: (experimental) The maximum number of parallel instances that are launched for creating resources. Must be at least 6. Default: 6
+        :param target_resource_count: (experimental) The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI. Default: 1
+
+        :stability: experimental
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__d2952ae322a0fd40b480084b183be9e7179337af84efb30a496aa331a22fa562)
+            check_type(argname="argument enabled", value=enabled, expected_type=type_hints["enabled"])
+            check_type(argname="argument max_parallel_launches", value=max_parallel_launches, expected_type=type_hints["max_parallel_launches"])
+            check_type(argname="argument target_resource_count", value=target_resource_count, expected_type=type_hints["target_resource_count"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if enabled is not None:
+            self._values["enabled"] = enabled
+        if max_parallel_launches is not None:
+            self._values["max_parallel_launches"] = max_parallel_launches
+        if target_resource_count is not None:
+            self._values["target_resource_count"] = target_resource_count
+
+    @builtins.property
+    def enabled(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Enable fast launch for AMIs generated by this builder.
+
+        It creates a snapshot of the root volume and uses it to launch new instances faster.
+
+        This is only supported for Windows AMIs.
+
+        :default: false
+
+        :stability: experimental
+        :note: enabling fast launch on an existing builder will not enable it for existing AMIs. It will only affect new AMIs. If you want immediate effect, trigger a new image build. Alternatively, you can create a new builder with fast launch enabled and use it for new AMIs.
+        '''
+        result = self._values.get("enabled")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
+    @builtins.property
+    def max_parallel_launches(self) -> typing.Optional[jsii.Number]:
+        '''(experimental) The maximum number of parallel instances that are launched for creating resources.
+
+        Must be at least 6.
+
+        :default: 6
+
+        :stability: experimental
+        '''
+        result = self._values.get("max_parallel_launches")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def target_resource_count(self) -> typing.Optional[jsii.Number]:
+        '''(experimental) The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI.
+
+        :default: 1
+
+        :stability: experimental
+        '''
+        result = self._values.get("target_resource_count")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "FastLaunchOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 @jsii.implements(_aws_cdk_aws_ec2_ceddda9d.IConnectable)
 class GitHubRunners(
     _constructs_77d1e7e8.Construct,
@@ -3280,6 +3495,7 @@ class LambdaRunnerProvider(
         id: builtins.str,
         *,
         ephemeral_storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -3289,6 +3505,7 @@ class LambdaRunnerProvider(
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union["ProviderRetryOptions", typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -3296,6 +3513,7 @@ class LambdaRunnerProvider(
         :param scope: -
         :param id: -
         :param ephemeral_storage_size: (experimental) The size of the function’s /tmp directory in MiB. Default: 10 GiB
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder must contain the {@link RunnerImageComponent.lambdaEntrypoint} component. The image builder determines the OS and architecture of the runner. Default: LambdaRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['lambda']
@@ -3305,6 +3523,7 @@ class LambdaRunnerProvider(
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param timeout: (experimental) The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.minutes(15)
         :param vpc: (experimental) VPC to launch the runners in. Default: no VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -3316,6 +3535,7 @@ class LambdaRunnerProvider(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = LambdaRunnerProviderProps(
             ephemeral_storage_size=ephemeral_storage_size,
+            group=group,
             image_builder=image_builder,
             label=label,
             labels=labels,
@@ -3325,6 +3545,7 @@ class LambdaRunnerProvider(
             subnet_selection=subnet_selection,
             timeout=timeout,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -3345,6 +3566,7 @@ class LambdaRunnerProvider(
         builder_type: typing.Optional["RunnerImageBuilderType"] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence["RunnerImageComponent"]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional["Os"] = None,
@@ -3353,6 +3575,7 @@ class LambdaRunnerProvider(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> "IConfigurableRunnerImageBuilder":
         '''(experimental) Create new image builder that builds Lambda specific runner images.
 
@@ -3360,7 +3583,7 @@ class LambdaRunnerProvider(
 
         You can add components to the image builder by calling ``imageBuilder.addComponent()``.
 
-        The default OS is Amazon Linux 2 running on x64 architecture.
+        The default OS is Amazon Linux 2023 running on x64 architecture.
 
         Included components:
 
@@ -3372,17 +3595,16 @@ class LambdaRunnerProvider(
         - ``RunnerImageComponent.githubRunner()``
         - ``RunnerImageComponent.lambdaEntrypoint()``
 
-        Base Docker image: ``public.ecr.aws/lambda/nodejs:16-x86_64`` or ``public.ecr.aws/lambda/nodejs:16-arm64``
-
         :param scope: -
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -3391,6 +3613,7 @@ class LambdaRunnerProvider(
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -3406,6 +3629,7 @@ class LambdaRunnerProvider(
             builder_type=builder_type,
             code_build_options=code_build_options,
             components=components,
+            docker_setup_commands=docker_setup_commands,
             log_removal_policy=log_removal_policy,
             log_retention=log_retention,
             os=os,
@@ -3414,6 +3638,7 @@ class LambdaRunnerProvider(
             security_groups=security_groups,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            wait_on_deploy=wait_on_deploy,
         )
 
         return typing.cast("IConfigurableRunnerImageBuilder", jsii.sinvoke(cls, "imageBuilder", [scope, id, props]))
@@ -3952,7 +4177,7 @@ class Os(metaclass=jsii.JSIIMeta, jsii_type="@cloudsnorkel/cdk-github-runners.Os
     def LINUX(cls) -> "Os":
         '''(deprecated) Linux.
 
-        :deprecated: use {@link LINUX_UBUNTU } or {@link LINUX_AMAZON_2 }
+        :deprecated: use {@link LINUX_UBUNTU }, {@link LINUX_UBUNTU_2404 }, {@link LINUX_AMAZON_2 } or {@link LINUX_AMAZON_2023 }
 
         :stability: deprecated
         '''
@@ -3967,6 +4192,15 @@ class Os(metaclass=jsii.JSIIMeta, jsii_type="@cloudsnorkel/cdk-github-runners.Os
         '''
         return typing.cast("Os", jsii.sget(cls, "LINUX_AMAZON_2"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="LINUX_AMAZON_2023")
+    def LINUX_AMAZON_2023(cls) -> "Os":
+        '''(experimental) Amazon Linux 2023.
+
+        :stability: experimental
+        '''
+        return typing.cast("Os", jsii.sget(cls, "LINUX_AMAZON_2023"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="LINUX_UBUNTU")
     def LINUX_UBUNTU(cls) -> "Os":
@@ -3976,6 +4210,24 @@ class Os(metaclass=jsii.JSIIMeta, jsii_type="@cloudsnorkel/cdk-github-runners.Os
         '''
         return typing.cast("Os", jsii.sget(cls, "LINUX_UBUNTU"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="LINUX_UBUNTU_2204")
+    def LINUX_UBUNTU_2204(cls) -> "Os":
+        '''(experimental) Ubuntu Linux 22.04.
+
+        :stability: experimental
+        '''
+        return typing.cast("Os", jsii.sget(cls, "LINUX_UBUNTU_2204"))
+
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="LINUX_UBUNTU_2404")
+    def LINUX_UBUNTU_2404(cls) -> "Os":
+        '''(experimental) Ubuntu Linux 24.04.
+
+        :stability: experimental
+        '''
+        return typing.cast("Os", jsii.sget(cls, "LINUX_UBUNTU_2404"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="WINDOWS")
     def WINDOWS(cls) -> "Os":
@@ -4403,6 +4655,7 @@ class RunnerImageAsset:
         "builder_type": "builderType",
         "code_build_options": "codeBuildOptions",
         "components": "components",
+        "docker_setup_commands": "dockerSetupCommands",
         "log_removal_policy": "logRemovalPolicy",
         "log_retention": "logRetention",
         "os": "os",
@@ -4411,6 +4664,7 @@ class RunnerImageAsset:
         "security_groups": "securityGroups",
         "subnet_selection": "subnetSelection",
         "vpc": "vpc",
+        "wait_on_deploy": "waitOnDeploy",
     },
 )
 class RunnerImageBuilderProps:
@@ -4424,6 +4678,7 @@ class RunnerImageBuilderProps:
         builder_type: typing.Optional["RunnerImageBuilderType"] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence["RunnerImageComponent"]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional[Os] = None,
@@ -4432,15 +4687,17 @@ class RunnerImageBuilderProps:
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -4449,6 +4706,7 @@ class RunnerImageBuilderProps:
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -4467,6 +4725,7 @@ class RunnerImageBuilderProps:
             check_type(argname="argument builder_type", value=builder_type, expected_type=type_hints["builder_type"])
             check_type(argname="argument code_build_options", value=code_build_options, expected_type=type_hints["code_build_options"])
             check_type(argname="argument components", value=components, expected_type=type_hints["components"])
+            check_type(argname="argument docker_setup_commands", value=docker_setup_commands, expected_type=type_hints["docker_setup_commands"])
             check_type(argname="argument log_removal_policy", value=log_removal_policy, expected_type=type_hints["log_removal_policy"])
             check_type(argname="argument log_retention", value=log_retention, expected_type=type_hints["log_retention"])
             check_type(argname="argument os", value=os, expected_type=type_hints["os"])
@@ -4475,6 +4734,7 @@ class RunnerImageBuilderProps:
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
             check_type(argname="argument subnet_selection", value=subnet_selection, expected_type=type_hints["subnet_selection"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
+            check_type(argname="argument wait_on_deploy", value=wait_on_deploy, expected_type=type_hints["wait_on_deploy"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
         if architecture is not None:
             self._values["architecture"] = architecture
@@ -4490,6 +4750,8 @@ class RunnerImageBuilderProps:
             self._values["code_build_options"] = code_build_options
         if components is not None:
             self._values["components"] = components
+        if docker_setup_commands is not None:
+            self._values["docker_setup_commands"] = docker_setup_commands
         if log_removal_policy is not None:
             self._values["log_removal_policy"] = log_removal_policy
         if log_retention is not None:
@@ -4506,6 +4768,8 @@ class RunnerImageBuilderProps:
             self._values["subnet_selection"] = subnet_selection
         if vpc is not None:
             self._values["vpc"] = vpc
+        if wait_on_deploy is not None:
+            self._values["wait_on_deploy"] = wait_on_deploy
 
     @builtins.property
     def architecture(self) -> typing.Optional[Architecture]:
@@ -4537,7 +4801,7 @@ class RunnerImageBuilderProps:
 
         This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version.
 
-        :default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
 
         :stability: experimental
         '''
@@ -4548,7 +4812,9 @@ class RunnerImageBuilderProps:
     def base_docker_image(self) -> typing.Optional[builtins.str]:
         '''(experimental) Base image from which Docker runner images will be built.
 
-        :default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}.
+
+        :default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
 
         :stability: experimental
         '''
@@ -4587,6 +4853,19 @@ class RunnerImageBuilderProps:
         result = self._values.get("components")
         return typing.cast(typing.Optional[typing.List["RunnerImageComponent"]], result)
 
+    @builtins.property
+    def docker_setup_commands(self) -> typing.Optional[typing.List[builtins.str]]:
+        '''(experimental) Additional commands to run on the build host before starting the Docker runner image build.
+
+        Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images.
+
+        :default: []
+
+        :stability: experimental
+        '''
+        result = self._values.get("docker_setup_commands")
+        return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
     @builtins.property
     def log_removal_policy(self) -> typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy]:
         '''(experimental) Removal policy for logs of image builds.
@@ -4691,6 +4970,23 @@ class RunnerImageBuilderProps:
         result = self._values.get("vpc")
         return typing.cast(typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc], result)
 
+    @builtins.property
+    def wait_on_deploy(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Wait for image to finish building during deployment.
+
+        It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build.
+
+        Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used.
+
+        Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect.
+
+        :default: true
+
+        :stability: experimental
+        '''
+        result = self._values.get("wait_on_deploy")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -4751,6 +5047,15 @@ class RunnerImageComponent(
         '''
         return typing.cast("RunnerImageComponent", jsii.sinvoke(cls, "awsCli", []))
 
+    @jsii.member(jsii_name="cloudWatchAgent")
+    @builtins.classmethod
+    def cloud_watch_agent(cls) -> "RunnerImageComponent":
+        '''(experimental) A component to install CloudWatch Agent for the runner so we can send logs.
+
+        :stability: experimental
+        '''
+        return typing.cast("RunnerImageComponent", jsii.sinvoke(cls, "cloudWatchAgent", []))
+
     @jsii.member(jsii_name="custom")
     @builtins.classmethod
     def custom(
@@ -4807,6 +5112,29 @@ class RunnerImageComponent(
         '''
         return typing.cast("RunnerImageComponent", jsii.sinvoke(cls, "dockerInDocker", []))
 
+    @jsii.member(jsii_name="environmentVariables")
+    @builtins.classmethod
+    def environment_variables(
+        cls,
+        vars: typing.Mapping[builtins.str, builtins.str],
+    ) -> "RunnerImageComponent":
+        '''(experimental) A component to add environment variables for jobs the runner executes.
+
+        These variables only affect the jobs ran by the runner. They are not global. They do not affect other components.
+
+        It is not recommended to use this component to pass secrets. Instead, use GitHub Secrets or AWS Secrets Manager.
+
+        Must be used after the {@link githubRunner} component.
+
+        :param vars: -
+
+        :stability: experimental
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__604cc9b160ccf839230b5f673dff20a8c9722aa81c88ef3ccadcdfcec778ec1a)
+            check_type(argname="argument vars", value=vars, expected_type=type_hints["vars"])
+        return typing.cast("RunnerImageComponent", jsii.sinvoke(cls, "environmentVariables", [vars]))
+
     @jsii.member(jsii_name="extraCertificates")
     @builtins.classmethod
     def extra_certificates(
@@ -5117,17 +5445,23 @@ class RunnerImageComponentCustomProps:
 @jsii.data_type(
     jsii_type="@cloudsnorkel/cdk-github-runners.RunnerProviderProps",
     jsii_struct_bases=[],
-    name_mapping={"log_retention": "logRetention", "retry_options": "retryOptions"},
+    name_mapping={
+        "default_labels": "defaultLabels",
+        "log_retention": "logRetention",
+        "retry_options": "retryOptions",
+    },
 )
 class RunnerProviderProps:
     def __init__(
         self,
         *,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
         '''(experimental) Common properties for all runner providers.
 
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -5137,14 +5471,30 @@ class RunnerProviderProps:
             retry_options = ProviderRetryOptions(**retry_options)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__faa1323116edff475c54eafc82f7af57dd73527c022a54b6210c5a490a80a1d3)
+            check_type(argname="argument default_labels", value=default_labels, expected_type=type_hints["default_labels"])
             check_type(argname="argument log_retention", value=log_retention, expected_type=type_hints["log_retention"])
             check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if default_labels is not None:
+            self._values["default_labels"] = default_labels
         if log_retention is not None:
             self._values["log_retention"] = log_retention
         if retry_options is not None:
             self._values["retry_options"] = retry_options
 
+    @builtins.property
+    def default_labels(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Add default labels based on OS and architecture of the runner.
+
+        This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``.
+
+        :default: true
+
+        :stability: experimental
+        '''
+        result = self._values.get("default_labels")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def log_retention(
         self,
@@ -5529,6 +5879,99 @@ class StaticRunnerImage(
         return typing.cast(IRunnerImageBuilder, jsii.sinvoke(cls, "fromEcrRepository", [repository, tag, architecture, os]))
 
 
+@jsii.data_type(
+    jsii_type="@cloudsnorkel/cdk-github-runners.StorageOptions",
+    jsii_struct_bases=[],
+    name_mapping={
+        "iops": "iops",
+        "throughput": "throughput",
+        "volume_type": "volumeType",
+    },
+)
+class StorageOptions:
+    def __init__(
+        self,
+        *,
+        iops: typing.Optional[jsii.Number] = None,
+        throughput: typing.Optional[jsii.Number] = None,
+        volume_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.EbsDeviceVolumeType] = None,
+    ) -> None:
+        '''(experimental) Storage options for the runner instance.
+
+        :param iops: (experimental) The number of I/O operations per second (IOPS) to provision for the volume. Must only be set for ``volumeType``: ``EbsDeviceVolumeType.IO1`` The maximum ratio of IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS, you need at least 100 GiB storage on the volume. Default: - none, required for ``EbsDeviceVolumeType.IO1``
+        :param throughput: (experimental) The throughput that the volume supports, in MiB/s Takes a minimum of 125 and maximum of 1000. Default: - 125 MiB/s. Only valid on gp3 volumes.
+        :param volume_type: (experimental) The EBS volume type. Default: ``EbsDeviceVolumeType.GP2``
+
+        :stability: experimental
+        '''
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__ec3b766929d3a048d89c7dc502f77bbbfc7357735093ebc66695a13b92f9bf82)
+            check_type(argname="argument iops", value=iops, expected_type=type_hints["iops"])
+            check_type(argname="argument throughput", value=throughput, expected_type=type_hints["throughput"])
+            check_type(argname="argument volume_type", value=volume_type, expected_type=type_hints["volume_type"])
+        self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if iops is not None:
+            self._values["iops"] = iops
+        if throughput is not None:
+            self._values["throughput"] = throughput
+        if volume_type is not None:
+            self._values["volume_type"] = volume_type
+
+    @builtins.property
+    def iops(self) -> typing.Optional[jsii.Number]:
+        '''(experimental) The number of I/O operations per second (IOPS) to provision for the volume.
+
+        Must only be set for ``volumeType``: ``EbsDeviceVolumeType.IO1``
+
+        The maximum ratio of IOPS to volume size (in GiB) is 50:1, so for 5,000 provisioned IOPS,
+        you need at least 100 GiB storage on the volume.
+
+        :default: - none, required for ``EbsDeviceVolumeType.IO1``
+
+        :see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
+        :stability: experimental
+        '''
+        result = self._values.get("iops")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def throughput(self) -> typing.Optional[jsii.Number]:
+        '''(experimental) The throughput that the volume supports, in MiB/s Takes a minimum of 125 and maximum of 1000.
+
+        :default: - 125 MiB/s. Only valid on gp3 volumes.
+
+        :see: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-volume.html#cfn-ec2-volume-throughput
+        :stability: experimental
+        '''
+        result = self._values.get("throughput")
+        return typing.cast(typing.Optional[jsii.Number], result)
+
+    @builtins.property
+    def volume_type(
+        self,
+    ) -> typing.Optional[_aws_cdk_aws_ec2_ceddda9d.EbsDeviceVolumeType]:
+        '''(experimental) The EBS volume type.
+
+        :default: ``EbsDeviceVolumeType.GP2``
+
+        :see: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html
+        :stability: experimental
+        '''
+        result = self._values.get("volume_type")
+        return typing.cast(typing.Optional[_aws_cdk_aws_ec2_ceddda9d.EbsDeviceVolumeType], result)
+
+    def __eq__(self, rhs: typing.Any) -> builtins.bool:
+        return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+    def __ne__(self, rhs: typing.Any) -> builtins.bool:
+        return not (rhs == self)
+
+    def __repr__(self) -> str:
+        return "StorageOptions(%s)" % ", ".join(
+            k + "=" + repr(v) for k, v in self._values.items()
+        )
+
+
 class WindowsComponents(
     metaclass=jsii.JSIIMeta,
     jsii_type="@cloudsnorkel/cdk-github-runners.WindowsComponents",
@@ -5696,7 +6139,7 @@ class AmiBuilder(
 ):
     '''(deprecated) An AMI builder that uses AWS Image Builder to build AMIs pre-baked with all the GitHub Actions runner requirements.
 
-    Builders can be used with {@link Ec2Runner }.
+    Builders can be used with {@link Ec2RunnerProvider }.
 
     Each builder re-runs automatically at a set interval to make sure the AMIs contain the latest versions of everything.
 
@@ -5721,7 +6164,7 @@ class AmiBuilder(
            amiBuilder: builder,
        });
 
-    :deprecated: use RunnerImageBuilder
+    :deprecated: use RunnerImageBuilder, e.g. with Ec2RunnerProvider.imageBuilder()
 
     :stability: deprecated
     '''
@@ -5749,7 +6192,7 @@ class AmiBuilder(
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param install_docker: (experimental) Install Docker inside the image, so it can be used by the runner. Default: true
-        :param instance_type: (experimental) The instance type used to build the image. Default: m5.large
+        :param instance_type: (experimental) The instance type used to build the image. Default: m6i.large
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX
@@ -5994,7 +6437,7 @@ class AmiBuilder(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8088868062a70621aab7b900883cf52d9c930de8a458039564d69a7d0cc80f52)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "components", value)
+        jsii.set(self, "components", value) # pyright: ignore[reportArgumentType]
 
 
 @jsii.implements(IRunnerImageBuilder)
@@ -6237,6 +6680,7 @@ class CodeBuildRunnerProvider(
         *,
         compute_type: typing.Optional[_aws_cdk_aws_codebuild_ceddda9d.ComputeType] = None,
         docker_in_docker: typing.Optional[builtins.bool] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -6245,6 +6689,7 @@ class CodeBuildRunnerProvider(
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -6253,6 +6698,7 @@ class CodeBuildRunnerProvider(
         :param id: -
         :param compute_type: (experimental) The type of compute to use for this build. See the {@link ComputeType} enum for the possible values. Default: {@link ComputeType#SMALL }
         :param docker_in_docker: (experimental) Support building and running Docker images by enabling Docker-in-Docker (dind) and the required CodeBuild privileged mode. Disabling this can speed up provisioning of CodeBuild runners. If you don't intend on running or building Docker images, disable this for faster start-up times. Default: true
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder must contain the {@link RunnerImageComponent.docker} component unless ``dockerInDocker`` is set to false. The image builder determines the OS and architecture of the runner. Default: CodeBuildRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['codebuild']
@@ -6261,6 +6707,7 @@ class CodeBuildRunnerProvider(
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param timeout: (experimental) The number of minutes after which AWS CodeBuild stops the build if it's not complete. For valid values, see the timeoutInMinutes field in the AWS CodeBuild User Guide. Default: Duration.hours(1)
         :param vpc: (experimental) VPC to launch the runners in. Default: no VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -6273,6 +6720,7 @@ class CodeBuildRunnerProvider(
         props = CodeBuildRunnerProviderProps(
             compute_type=compute_type,
             docker_in_docker=docker_in_docker,
+            group=group,
             image_builder=image_builder,
             label=label,
             labels=labels,
@@ -6281,6 +6729,7 @@ class CodeBuildRunnerProvider(
             subnet_selection=subnet_selection,
             timeout=timeout,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -6301,6 +6750,7 @@ class CodeBuildRunnerProvider(
         builder_type: typing.Optional[RunnerImageBuilderType] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional[Os] = None,
@@ -6309,6 +6759,7 @@ class CodeBuildRunnerProvider(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> "IConfigurableRunnerImageBuilder":
         '''(experimental) Create new image builder that builds CodeBuild specific runner images.
 
@@ -6332,11 +6783,12 @@ class CodeBuildRunnerProvider(
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -6345,6 +6797,7 @@ class CodeBuildRunnerProvider(
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -6360,6 +6813,7 @@ class CodeBuildRunnerProvider(
             builder_type=builder_type,
             code_build_options=code_build_options,
             components=components,
+            docker_setup_commands=docker_setup_commands,
             log_removal_policy=log_removal_policy,
             log_retention=log_retention,
             os=os,
@@ -6368,6 +6822,7 @@ class CodeBuildRunnerProvider(
             security_groups=security_groups,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            wait_on_deploy=wait_on_deploy,
         )
 
         return typing.cast("IConfigurableRunnerImageBuilder", jsii.sinvoke(cls, "imageBuilder", [scope, id, props]))
@@ -6578,10 +7033,12 @@ class CodeBuildRunnerProvider(
     jsii_type="@cloudsnorkel/cdk-github-runners.CodeBuildRunnerProviderProps",
     jsii_struct_bases=[RunnerProviderProps],
     name_mapping={
+        "default_labels": "defaultLabels",
         "log_retention": "logRetention",
         "retry_options": "retryOptions",
         "compute_type": "computeType",
         "docker_in_docker": "dockerInDocker",
+        "group": "group",
         "image_builder": "imageBuilder",
         "label": "label",
         "labels": "labels",
@@ -6596,10 +7053,12 @@ class CodeBuildRunnerProviderProps(RunnerProviderProps):
     def __init__(
         self,
         *,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         compute_type: typing.Optional[_aws_cdk_aws_codebuild_ceddda9d.ComputeType] = None,
         docker_in_docker: typing.Optional[builtins.bool] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -6610,10 +7069,12 @@ class CodeBuildRunnerProviderProps(RunnerProviderProps):
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
     ) -> None:
         '''
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
         :param compute_type: (experimental) The type of compute to use for this build. See the {@link ComputeType} enum for the possible values. Default: {@link ComputeType#SMALL }
         :param docker_in_docker: (experimental) Support building and running Docker images by enabling Docker-in-Docker (dind) and the required CodeBuild privileged mode. Disabling this can speed up provisioning of CodeBuild runners. If you don't intend on running or building Docker images, disable this for faster start-up times. Default: true
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder must contain the {@link RunnerImageComponent.docker} component unless ``dockerInDocker`` is set to false. The image builder determines the OS and architecture of the runner. Default: CodeBuildRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['codebuild']
@@ -6631,10 +7092,12 @@ class CodeBuildRunnerProviderProps(RunnerProviderProps):
             subnet_selection = _aws_cdk_aws_ec2_ceddda9d.SubnetSelection(**subnet_selection)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__9377dcf4cd4dae74730635bdaf02246acb473843cea2856cf9a64295df964eb6)
+            check_type(argname="argument default_labels", value=default_labels, expected_type=type_hints["default_labels"])
             check_type(argname="argument log_retention", value=log_retention, expected_type=type_hints["log_retention"])
             check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
             check_type(argname="argument compute_type", value=compute_type, expected_type=type_hints["compute_type"])
             check_type(argname="argument docker_in_docker", value=docker_in_docker, expected_type=type_hints["docker_in_docker"])
+            check_type(argname="argument group", value=group, expected_type=type_hints["group"])
             check_type(argname="argument image_builder", value=image_builder, expected_type=type_hints["image_builder"])
             check_type(argname="argument label", value=label, expected_type=type_hints["label"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
@@ -6644,6 +7107,8 @@ class CodeBuildRunnerProviderProps(RunnerProviderProps):
             check_type(argname="argument timeout", value=timeout, expected_type=type_hints["timeout"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if default_labels is not None:
+            self._values["default_labels"] = default_labels
         if log_retention is not None:
             self._values["log_retention"] = log_retention
         if retry_options is not None:
@@ -6652,6 +7117,8 @@ class CodeBuildRunnerProviderProps(RunnerProviderProps):
             self._values["compute_type"] = compute_type
         if docker_in_docker is not None:
             self._values["docker_in_docker"] = docker_in_docker
+        if group is not None:
+            self._values["group"] = group
         if image_builder is not None:
             self._values["image_builder"] = image_builder
         if label is not None:
@@ -6669,6 +7136,19 @@ class CodeBuildRunnerProviderProps(RunnerProviderProps):
         if vpc is not None:
             self._values["vpc"] = vpc
 
+    @builtins.property
+    def default_labels(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Add default labels based on OS and architecture of the runner.
+
+        This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``.
+
+        :default: true
+
+        :stability: experimental
+        '''
+        result = self._values.get("default_labels")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def log_retention(
         self,
@@ -6725,6 +7205,24 @@ class CodeBuildRunnerProviderProps(RunnerProviderProps):
         result = self._values.get("docker_in_docker")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def group(self) -> typing.Optional[builtins.str]:
+        '''(experimental) GitHub Actions runner group name.
+
+        If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It
+        requires a paid GitHub account.
+
+        The group must exist or the runner will not start.
+
+        Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group.
+
+        :default: undefined
+
+        :stability: experimental
+        '''
+        result = self._values.get("group")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def image_builder(self) -> typing.Optional[IRunnerImageBuilder]:
         '''(experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements.
@@ -6900,7 +7398,7 @@ class ContainerImageBuilder(
         :param scope: -
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
-        :param instance_type: (experimental) The instance type used to build the image. Default: m5.large
+        :param instance_type: (experimental) The instance type used to build the image. Default: m6i.large
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX
@@ -7152,7 +7650,7 @@ class ContainerImageBuilder(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__f4c47d52e3f51709153fc49a53f833f06b1fd2ba44d3c86696b418a3bf88a972)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "components", value)
+        jsii.set(self, "components", value) # pyright: ignore[reportArgumentType]
 
 
 @jsii.implements(IRunnerProvider)
@@ -7174,6 +7672,7 @@ class Ec2RunnerProvider(
         id: builtins.str,
         *,
         ami_builder: typing.Optional[IRunnerImageBuilder] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -7181,10 +7680,12 @@ class Ec2RunnerProvider(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         spot: typing.Optional[builtins.bool] = None,
         spot_max_price: typing.Optional[builtins.str] = None,
+        storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
         subnet: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISubnet] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -7192,17 +7693,20 @@ class Ec2RunnerProvider(
         :param scope: -
         :param id: -
         :param ami_builder: 
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build AMI containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: Ec2RunnerProvider.imageBuilder()
-        :param instance_type: (experimental) Instance type for launched runner instances. Default: m5.large
+        :param instance_type: (experimental) Instance type for launched runner instances. Default: m6i.large
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['ec2']
         :param security_group: (deprecated) Security Group to assign to launched runner instances. Default: a new security group
         :param security_groups: (experimental) Security groups to assign to launched runner instances. Default: a new security group
         :param spot: (experimental) Use spot instances to save money. Spot instances are cheaper but not always available and can be stopped prematurely. Default: false
         :param spot_max_price: (experimental) Set a maximum price for spot instances. Default: no max price (you will pay current spot price)
+        :param storage_options: (experimental) Options for runner instance storage volume.
         :param storage_size: (experimental) Size of volume available for launched runner instances. This modifies the boot volume size and doesn't add any additional volumes. Default: 30GB
         :param subnet: (deprecated) Subnet where the runner instances will be launched. Default: default subnet of account's default VPC
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Only the first matched subnet will be used. Default: default VPC subnet
         :param vpc: (experimental) VPC where runner instances will be launched. Default: default account VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -7214,6 +7718,7 @@ class Ec2RunnerProvider(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = Ec2RunnerProviderProps(
             ami_builder=ami_builder,
+            group=group,
             image_builder=image_builder,
             instance_type=instance_type,
             labels=labels,
@@ -7221,10 +7726,12 @@ class Ec2RunnerProvider(
             security_groups=security_groups,
             spot=spot,
             spot_max_price=spot_max_price,
+            storage_options=storage_options,
             storage_size=storage_size,
             subnet=subnet,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -7245,6 +7752,7 @@ class Ec2RunnerProvider(
         builder_type: typing.Optional[RunnerImageBuilderType] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional[Os] = None,
@@ -7253,6 +7761,7 @@ class Ec2RunnerProvider(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> "IConfigurableRunnerImageBuilder":
         '''(experimental) Create new image builder that builds EC2 specific runner images.
 
@@ -7265,6 +7774,7 @@ class Ec2RunnerProvider(
         Included components:
 
         - ``RunnerImageComponent.requiredPackages()``
+        - ``RunnerImageComponent.cloudWatchAgent()``
         - ``RunnerImageComponent.runnerUser()``
         - ``RunnerImageComponent.git()``
         - ``RunnerImageComponent.githubCli()``
@@ -7276,11 +7786,12 @@ class Ec2RunnerProvider(
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -7289,6 +7800,7 @@ class Ec2RunnerProvider(
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -7304,6 +7816,7 @@ class Ec2RunnerProvider(
             builder_type=builder_type,
             code_build_options=code_build_options,
             components=components,
+            docker_setup_commands=docker_setup_commands,
             log_removal_policy=log_removal_policy,
             log_retention=log_retention,
             os=os,
@@ -7312,6 +7825,7 @@ class Ec2RunnerProvider(
             security_groups=security_groups,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            wait_on_deploy=wait_on_deploy,
         )
 
         return typing.cast("IConfigurableRunnerImageBuilder", jsii.sinvoke(cls, "imageBuilder", [scope, id, props]))
@@ -7461,9 +7975,11 @@ class Ec2RunnerProvider(
     jsii_type="@cloudsnorkel/cdk-github-runners.Ec2RunnerProviderProps",
     jsii_struct_bases=[RunnerProviderProps],
     name_mapping={
+        "default_labels": "defaultLabels",
         "log_retention": "logRetention",
         "retry_options": "retryOptions",
         "ami_builder": "amiBuilder",
+        "group": "group",
         "image_builder": "imageBuilder",
         "instance_type": "instanceType",
         "labels": "labels",
@@ -7471,6 +7987,7 @@ class Ec2RunnerProvider(
         "security_groups": "securityGroups",
         "spot": "spot",
         "spot_max_price": "spotMaxPrice",
+        "storage_options": "storageOptions",
         "storage_size": "storageSize",
         "subnet": "subnet",
         "subnet_selection": "subnetSelection",
@@ -7481,9 +7998,11 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
     def __init__(
         self,
         *,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         ami_builder: typing.Optional[IRunnerImageBuilder] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -7491,6 +8010,7 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         spot: typing.Optional[builtins.bool] = None,
         spot_max_price: typing.Optional[builtins.str] = None,
+        storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
         subnet: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISubnet] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -7498,16 +8018,19 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
     ) -> None:
         '''(experimental) Properties for {@link Ec2RunnerProvider} construct.
 
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
         :param ami_builder: 
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build AMI containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: Ec2RunnerProvider.imageBuilder()
-        :param instance_type: (experimental) Instance type for launched runner instances. Default: m5.large
+        :param instance_type: (experimental) Instance type for launched runner instances. Default: m6i.large
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['ec2']
         :param security_group: (deprecated) Security Group to assign to launched runner instances. Default: a new security group
         :param security_groups: (experimental) Security groups to assign to launched runner instances. Default: a new security group
         :param spot: (experimental) Use spot instances to save money. Spot instances are cheaper but not always available and can be stopped prematurely. Default: false
         :param spot_max_price: (experimental) Set a maximum price for spot instances. Default: no max price (you will pay current spot price)
+        :param storage_options: (experimental) Options for runner instance storage volume.
         :param storage_size: (experimental) Size of volume available for launched runner instances. This modifies the boot volume size and doesn't add any additional volumes. Default: 30GB
         :param subnet: (deprecated) Subnet where the runner instances will be launched. Default: default subnet of account's default VPC
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Only the first matched subnet will be used. Default: default VPC subnet
@@ -7517,13 +8040,17 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
         '''
         if isinstance(retry_options, dict):
             retry_options = ProviderRetryOptions(**retry_options)
+        if isinstance(storage_options, dict):
+            storage_options = StorageOptions(**storage_options)
         if isinstance(subnet_selection, dict):
             subnet_selection = _aws_cdk_aws_ec2_ceddda9d.SubnetSelection(**subnet_selection)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__b650c4bf7f2a31b514d6f1f9e0c1b4b2cdae8b20b6f209f5b5fc74ef418fc2a3)
+            check_type(argname="argument default_labels", value=default_labels, expected_type=type_hints["default_labels"])
             check_type(argname="argument log_retention", value=log_retention, expected_type=type_hints["log_retention"])
             check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
             check_type(argname="argument ami_builder", value=ami_builder, expected_type=type_hints["ami_builder"])
+            check_type(argname="argument group", value=group, expected_type=type_hints["group"])
             check_type(argname="argument image_builder", value=image_builder, expected_type=type_hints["image_builder"])
             check_type(argname="argument instance_type", value=instance_type, expected_type=type_hints["instance_type"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
@@ -7531,17 +8058,22 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
             check_type(argname="argument spot", value=spot, expected_type=type_hints["spot"])
             check_type(argname="argument spot_max_price", value=spot_max_price, expected_type=type_hints["spot_max_price"])
+            check_type(argname="argument storage_options", value=storage_options, expected_type=type_hints["storage_options"])
             check_type(argname="argument storage_size", value=storage_size, expected_type=type_hints["storage_size"])
             check_type(argname="argument subnet", value=subnet, expected_type=type_hints["subnet"])
             check_type(argname="argument subnet_selection", value=subnet_selection, expected_type=type_hints["subnet_selection"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if default_labels is not None:
+            self._values["default_labels"] = default_labels
         if log_retention is not None:
             self._values["log_retention"] = log_retention
         if retry_options is not None:
             self._values["retry_options"] = retry_options
         if ami_builder is not None:
             self._values["ami_builder"] = ami_builder
+        if group is not None:
+            self._values["group"] = group
         if image_builder is not None:
             self._values["image_builder"] = image_builder
         if instance_type is not None:
@@ -7556,6 +8088,8 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
             self._values["spot"] = spot
         if spot_max_price is not None:
             self._values["spot_max_price"] = spot_max_price
+        if storage_options is not None:
+            self._values["storage_options"] = storage_options
         if storage_size is not None:
             self._values["storage_size"] = storage_size
         if subnet is not None:
@@ -7565,6 +8099,19 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
         if vpc is not None:
             self._values["vpc"] = vpc
 
+    @builtins.property
+    def default_labels(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Add default labels based on OS and architecture of the runner.
+
+        This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``.
+
+        :default: true
+
+        :stability: experimental
+        '''
+        result = self._values.get("default_labels")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def log_retention(
         self,
@@ -7602,6 +8149,24 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
         result = self._values.get("ami_builder")
         return typing.cast(typing.Optional[IRunnerImageBuilder], result)
 
+    @builtins.property
+    def group(self) -> typing.Optional[builtins.str]:
+        '''(experimental) GitHub Actions runner group name.
+
+        If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It
+        requires a paid GitHub account.
+
+        The group must exist or the runner will not start.
+
+        Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group.
+
+        :default: undefined
+
+        :stability: experimental
+        '''
+        result = self._values.get("group")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def image_builder(self) -> typing.Optional[IRunnerImageBuilder]:
         '''(experimental) Runner image builder used to build AMI containing GitHub Runner and all requirements.
@@ -7619,7 +8184,7 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
     def instance_type(self) -> typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType]:
         '''(experimental) Instance type for launched runner instances.
 
-        :default: m5.large
+        :default: m6i.large
 
         :stability: experimental
         '''
@@ -7693,6 +8258,15 @@ class Ec2RunnerProviderProps(RunnerProviderProps):
         result = self._values.get("spot_max_price")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def storage_options(self) -> typing.Optional[StorageOptions]:
+        '''(experimental) Options for runner instance storage volume.
+
+        :stability: experimental
+        '''
+        result = self._values.get("storage_options")
+        return typing.cast(typing.Optional[StorageOptions], result)
+
     @builtins.property
     def storage_size(self) -> typing.Optional[_aws_cdk_ceddda9d.Size]:
         '''(experimental) Size of volume available for launched runner instances.
@@ -7784,6 +8358,7 @@ class EcsRunnerProvider(
         cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
         cpu: typing.Optional[jsii.Number] = None,
         docker_in_docker: typing.Optional[builtins.bool] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -7791,12 +8366,16 @@ class EcsRunnerProvider(
         memory_limit_mib: typing.Optional[jsii.Number] = None,
         memory_reservation_mib: typing.Optional[jsii.Number] = None,
         min_instances: typing.Optional[jsii.Number] = None,
+        placement_constraints: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementConstraint]] = None,
+        placement_strategies: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementStrategy]] = None,
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         spot: typing.Optional[builtins.bool] = None,
         spot_max_price: typing.Optional[builtins.str] = None,
+        storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -7808,19 +8387,24 @@ class EcsRunnerProvider(
         :param cluster: (experimental) Existing ECS cluster to use. Default: a new cluster
         :param cpu: (experimental) The number of cpu units used by the task. 1024 units is 1 vCPU. Fractions of a vCPU are supported. Default: 1024
         :param docker_in_docker: (experimental) Support building and running Docker images by enabling Docker-in-Docker (dind) and the required CodeBuild privileged mode. Disabling this can speed up provisioning of CodeBuild runners. If you don't intend on running or building Docker images, disable this for faster start-up times. Default: true
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: EcsRunnerProvider.imageBuilder()
-        :param instance_type: (experimental) Instance type of ECS cluster instances. Only used when creating a new cluster. Default: m5.large or m6g.large
+        :param instance_type: (experimental) Instance type of ECS cluster instances. Only used when creating a new cluster. Default: m6i.large or m6g.large
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['ecs']
         :param max_instances: (experimental) The maximum number of instances to run in the cluster. Only used when creating a new cluster. Default: 5
         :param memory_limit_mib: (experimental) The amount (in MiB) of memory used by the task. Default: 3500, unless ``memoryReservationMiB`` is used and then it's undefined
         :param memory_reservation_mib: (experimental) The soft limit (in MiB) of memory to reserve for the container. Default: undefined
         :param min_instances: (experimental) The minimum number of instances to run in the cluster. Only used when creating a new cluster. Default: 0
+        :param placement_constraints: (experimental) ECS placement constraints to influence task placement. Example: [ecs.PlacementConstraint.memberOf('ecs-placement')] Default: undefined (no placement constraints)
+        :param placement_strategies: (experimental) ECS placement strategies to influence task placement. Example: [ecs.PlacementStrategy.packedByCpu()] Default: undefined (no placement strategies)
         :param security_groups: (experimental) Security groups to assign to the task. Default: a new security group
         :param spot: (experimental) Use spot capacity. Default: false (true if spotMaxPrice is specified)
         :param spot_max_price: (experimental) Maximum price for spot instances.
+        :param storage_options: (experimental) Options for runner instance storage volume.
         :param storage_size: (experimental) Size of volume available for launched cluster instances. This modifies the boot volume size and doesn't add any additional volumes. Each instance can be used by multiple runners, so make sure there is enough space for all of them. Default: default size for AMI (usually 30GB for Linux and 50GB for Windows)
         :param subnet_selection: (experimental) Subnets to run the runners in. Default: ECS default
         :param vpc: (experimental) VPC to launch the runners in. Default: default account VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -7836,6 +8420,7 @@ class EcsRunnerProvider(
             cluster=cluster,
             cpu=cpu,
             docker_in_docker=docker_in_docker,
+            group=group,
             image_builder=image_builder,
             instance_type=instance_type,
             labels=labels,
@@ -7843,12 +8428,16 @@ class EcsRunnerProvider(
             memory_limit_mib=memory_limit_mib,
             memory_reservation_mib=memory_reservation_mib,
             min_instances=min_instances,
+            placement_constraints=placement_constraints,
+            placement_strategies=placement_strategies,
             security_groups=security_groups,
             spot=spot,
             spot_max_price=spot_max_price,
+            storage_options=storage_options,
             storage_size=storage_size,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -7869,6 +8458,7 @@ class EcsRunnerProvider(
         builder_type: typing.Optional[RunnerImageBuilderType] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional[Os] = None,
@@ -7877,6 +8467,7 @@ class EcsRunnerProvider(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> "IConfigurableRunnerImageBuilder":
         '''(experimental) Create new image builder that builds ECS specific runner images.
 
@@ -7900,11 +8491,12 @@ class EcsRunnerProvider(
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -7913,6 +8505,7 @@ class EcsRunnerProvider(
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -7928,6 +8521,7 @@ class EcsRunnerProvider(
             builder_type=builder_type,
             code_build_options=code_build_options,
             components=components,
+            docker_setup_commands=docker_setup_commands,
             log_removal_policy=log_removal_policy,
             log_retention=log_retention,
             os=os,
@@ -7936,6 +8530,7 @@ class EcsRunnerProvider(
             security_groups=security_groups,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            wait_on_deploy=wait_on_deploy,
         )
 
         return typing.cast("IConfigurableRunnerImageBuilder", jsii.sinvoke(cls, "imageBuilder", [scope, id, props]))
@@ -8082,6 +8677,7 @@ class EcsRunnerProvider(
     jsii_type="@cloudsnorkel/cdk-github-runners.EcsRunnerProviderProps",
     jsii_struct_bases=[RunnerProviderProps],
     name_mapping={
+        "default_labels": "defaultLabels",
         "log_retention": "logRetention",
         "retry_options": "retryOptions",
         "assign_public_ip": "assignPublicIp",
@@ -8089,6 +8685,7 @@ class EcsRunnerProvider(
         "cluster": "cluster",
         "cpu": "cpu",
         "docker_in_docker": "dockerInDocker",
+        "group": "group",
         "image_builder": "imageBuilder",
         "instance_type": "instanceType",
         "labels": "labels",
@@ -8096,9 +8693,12 @@ class EcsRunnerProvider(
         "memory_limit_mib": "memoryLimitMiB",
         "memory_reservation_mib": "memoryReservationMiB",
         "min_instances": "minInstances",
+        "placement_constraints": "placementConstraints",
+        "placement_strategies": "placementStrategies",
         "security_groups": "securityGroups",
         "spot": "spot",
         "spot_max_price": "spotMaxPrice",
+        "storage_options": "storageOptions",
         "storage_size": "storageSize",
         "subnet_selection": "subnetSelection",
         "vpc": "vpc",
@@ -8108,6 +8708,7 @@ class EcsRunnerProviderProps(RunnerProviderProps):
     def __init__(
         self,
         *,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         assign_public_ip: typing.Optional[builtins.bool] = None,
@@ -8115,6 +8716,7 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
         cpu: typing.Optional[jsii.Number] = None,
         docker_in_docker: typing.Optional[builtins.bool] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -8122,15 +8724,19 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         memory_limit_mib: typing.Optional[jsii.Number] = None,
         memory_reservation_mib: typing.Optional[jsii.Number] = None,
         min_instances: typing.Optional[jsii.Number] = None,
+        placement_constraints: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementConstraint]] = None,
+        placement_strategies: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementStrategy]] = None,
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         spot: typing.Optional[builtins.bool] = None,
         spot_max_price: typing.Optional[builtins.str] = None,
+        storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
     ) -> None:
         '''(experimental) Properties for EcsRunnerProvider.
 
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
         :param assign_public_ip: (experimental) Assign public IP to the runner task. Make sure the task will have access to GitHub. A public IP might be required unless you have NAT gateway. Default: true
@@ -8138,16 +8744,20 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         :param cluster: (experimental) Existing ECS cluster to use. Default: a new cluster
         :param cpu: (experimental) The number of cpu units used by the task. 1024 units is 1 vCPU. Fractions of a vCPU are supported. Default: 1024
         :param docker_in_docker: (experimental) Support building and running Docker images by enabling Docker-in-Docker (dind) and the required CodeBuild privileged mode. Disabling this can speed up provisioning of CodeBuild runners. If you don't intend on running or building Docker images, disable this for faster start-up times. Default: true
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: EcsRunnerProvider.imageBuilder()
-        :param instance_type: (experimental) Instance type of ECS cluster instances. Only used when creating a new cluster. Default: m5.large or m6g.large
+        :param instance_type: (experimental) Instance type of ECS cluster instances. Only used when creating a new cluster. Default: m6i.large or m6g.large
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['ecs']
         :param max_instances: (experimental) The maximum number of instances to run in the cluster. Only used when creating a new cluster. Default: 5
         :param memory_limit_mib: (experimental) The amount (in MiB) of memory used by the task. Default: 3500, unless ``memoryReservationMiB`` is used and then it's undefined
         :param memory_reservation_mib: (experimental) The soft limit (in MiB) of memory to reserve for the container. Default: undefined
         :param min_instances: (experimental) The minimum number of instances to run in the cluster. Only used when creating a new cluster. Default: 0
+        :param placement_constraints: (experimental) ECS placement constraints to influence task placement. Example: [ecs.PlacementConstraint.memberOf('ecs-placement')] Default: undefined (no placement constraints)
+        :param placement_strategies: (experimental) ECS placement strategies to influence task placement. Example: [ecs.PlacementStrategy.packedByCpu()] Default: undefined (no placement strategies)
         :param security_groups: (experimental) Security groups to assign to the task. Default: a new security group
         :param spot: (experimental) Use spot capacity. Default: false (true if spotMaxPrice is specified)
         :param spot_max_price: (experimental) Maximum price for spot instances.
+        :param storage_options: (experimental) Options for runner instance storage volume.
         :param storage_size: (experimental) Size of volume available for launched cluster instances. This modifies the boot volume size and doesn't add any additional volumes. Each instance can be used by multiple runners, so make sure there is enough space for all of them. Default: default size for AMI (usually 30GB for Linux and 50GB for Windows)
         :param subnet_selection: (experimental) Subnets to run the runners in. Default: ECS default
         :param vpc: (experimental) VPC to launch the runners in. Default: default account VPC
@@ -8156,10 +8766,13 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         '''
         if isinstance(retry_options, dict):
             retry_options = ProviderRetryOptions(**retry_options)
+        if isinstance(storage_options, dict):
+            storage_options = StorageOptions(**storage_options)
         if isinstance(subnet_selection, dict):
             subnet_selection = _aws_cdk_aws_ec2_ceddda9d.SubnetSelection(**subnet_selection)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__73c1978e12dcea1bd69ce0927a80bd887d7f7d1b6573831942495e9d5966b483)
+            check_type(argname="argument default_labels", value=default_labels, expected_type=type_hints["default_labels"])
             check_type(argname="argument log_retention", value=log_retention, expected_type=type_hints["log_retention"])
             check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
             check_type(argname="argument assign_public_ip", value=assign_public_ip, expected_type=type_hints["assign_public_ip"])
@@ -8167,6 +8780,7 @@ class EcsRunnerProviderProps(RunnerProviderProps):
             check_type(argname="argument cluster", value=cluster, expected_type=type_hints["cluster"])
             check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
             check_type(argname="argument docker_in_docker", value=docker_in_docker, expected_type=type_hints["docker_in_docker"])
+            check_type(argname="argument group", value=group, expected_type=type_hints["group"])
             check_type(argname="argument image_builder", value=image_builder, expected_type=type_hints["image_builder"])
             check_type(argname="argument instance_type", value=instance_type, expected_type=type_hints["instance_type"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
@@ -8174,13 +8788,18 @@ class EcsRunnerProviderProps(RunnerProviderProps):
             check_type(argname="argument memory_limit_mib", value=memory_limit_mib, expected_type=type_hints["memory_limit_mib"])
             check_type(argname="argument memory_reservation_mib", value=memory_reservation_mib, expected_type=type_hints["memory_reservation_mib"])
             check_type(argname="argument min_instances", value=min_instances, expected_type=type_hints["min_instances"])
+            check_type(argname="argument placement_constraints", value=placement_constraints, expected_type=type_hints["placement_constraints"])
+            check_type(argname="argument placement_strategies", value=placement_strategies, expected_type=type_hints["placement_strategies"])
             check_type(argname="argument security_groups", value=security_groups, expected_type=type_hints["security_groups"])
             check_type(argname="argument spot", value=spot, expected_type=type_hints["spot"])
             check_type(argname="argument spot_max_price", value=spot_max_price, expected_type=type_hints["spot_max_price"])
+            check_type(argname="argument storage_options", value=storage_options, expected_type=type_hints["storage_options"])
             check_type(argname="argument storage_size", value=storage_size, expected_type=type_hints["storage_size"])
             check_type(argname="argument subnet_selection", value=subnet_selection, expected_type=type_hints["subnet_selection"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if default_labels is not None:
+            self._values["default_labels"] = default_labels
         if log_retention is not None:
             self._values["log_retention"] = log_retention
         if retry_options is not None:
@@ -8195,6 +8814,8 @@ class EcsRunnerProviderProps(RunnerProviderProps):
             self._values["cpu"] = cpu
         if docker_in_docker is not None:
             self._values["docker_in_docker"] = docker_in_docker
+        if group is not None:
+            self._values["group"] = group
         if image_builder is not None:
             self._values["image_builder"] = image_builder
         if instance_type is not None:
@@ -8209,12 +8830,18 @@ class EcsRunnerProviderProps(RunnerProviderProps):
             self._values["memory_reservation_mib"] = memory_reservation_mib
         if min_instances is not None:
             self._values["min_instances"] = min_instances
+        if placement_constraints is not None:
+            self._values["placement_constraints"] = placement_constraints
+        if placement_strategies is not None:
+            self._values["placement_strategies"] = placement_strategies
         if security_groups is not None:
             self._values["security_groups"] = security_groups
         if spot is not None:
             self._values["spot"] = spot
         if spot_max_price is not None:
             self._values["spot_max_price"] = spot_max_price
+        if storage_options is not None:
+            self._values["storage_options"] = storage_options
         if storage_size is not None:
             self._values["storage_size"] = storage_size
         if subnet_selection is not None:
@@ -8222,6 +8849,19 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         if vpc is not None:
             self._values["vpc"] = vpc
 
+    @builtins.property
+    def default_labels(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Add default labels based on OS and architecture of the runner.
+
+        This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``.
+
+        :default: true
+
+        :stability: experimental
+        '''
+        result = self._values.get("default_labels")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def log_retention(
         self,
@@ -8315,6 +8955,24 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         result = self._values.get("docker_in_docker")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def group(self) -> typing.Optional[builtins.str]:
+        '''(experimental) GitHub Actions runner group name.
+
+        If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It
+        requires a paid GitHub account.
+
+        The group must exist or the runner will not start.
+
+        Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group.
+
+        :default: undefined
+
+        :stability: experimental
+        '''
+        result = self._values.get("group")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def image_builder(self) -> typing.Optional[IRunnerImageBuilder]:
         '''(experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements.
@@ -8334,7 +8992,7 @@ class EcsRunnerProviderProps(RunnerProviderProps):
 
         Only used when creating a new cluster.
 
-        :default: m5.large or m6g.large
+        :default: m6i.large or m6g.large
 
         :stability: experimental
         '''
@@ -8404,6 +9062,36 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         result = self._values.get("min_instances")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def placement_constraints(
+        self,
+    ) -> typing.Optional[typing.List[_aws_cdk_aws_ecs_ceddda9d.PlacementConstraint]]:
+        '''(experimental) ECS placement constraints to influence task placement.
+
+        Example: [ecs.PlacementConstraint.memberOf('ecs-placement')]
+
+        :default: undefined (no placement constraints)
+
+        :stability: experimental
+        '''
+        result = self._values.get("placement_constraints")
+        return typing.cast(typing.Optional[typing.List[_aws_cdk_aws_ecs_ceddda9d.PlacementConstraint]], result)
+
+    @builtins.property
+    def placement_strategies(
+        self,
+    ) -> typing.Optional[typing.List[_aws_cdk_aws_ecs_ceddda9d.PlacementStrategy]]:
+        '''(experimental) ECS placement strategies to influence task placement.
+
+        Example: [ecs.PlacementStrategy.packedByCpu()]
+
+        :default: undefined (no placement strategies)
+
+        :stability: experimental
+        '''
+        result = self._values.get("placement_strategies")
+        return typing.cast(typing.Optional[typing.List[_aws_cdk_aws_ecs_ceddda9d.PlacementStrategy]], result)
+
     @builtins.property
     def security_groups(
         self,
@@ -8437,6 +9125,15 @@ class EcsRunnerProviderProps(RunnerProviderProps):
         result = self._values.get("spot_max_price")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def storage_options(self) -> typing.Optional[StorageOptions]:
+        '''(experimental) Options for runner instance storage volume.
+
+        :stability: experimental
+        '''
+        result = self._values.get("storage_options")
+        return typing.cast(typing.Optional[StorageOptions], result)
+
     @builtins.property
     def storage_size(self) -> typing.Optional[_aws_cdk_ceddda9d.Size]:
         '''(experimental) Size of volume available for launched cluster instances.
@@ -8512,6 +9209,7 @@ class FargateRunnerProvider(
         cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
         cpu: typing.Optional[jsii.Number] = None,
         ephemeral_storage_gib: typing.Optional[jsii.Number] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -8521,6 +9219,7 @@ class FargateRunnerProvider(
         spot: typing.Optional[builtins.bool] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -8531,6 +9230,7 @@ class FargateRunnerProvider(
         :param cluster: (experimental) Existing Fargate cluster to use. Default: a new cluster
         :param cpu: (experimental) The number of cpu units used by the task. For tasks using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the memory parameter: 256 (.25 vCPU) - Available memory values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) 512 (.5 vCPU) - Available memory values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) 1024 (1 vCPU) - Available memory values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) 2048 (2 vCPU) - Available memory values: Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) 4096 (4 vCPU) - Available memory values: Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) Default: 1024
         :param ephemeral_storage_gib: (experimental) The amount (in GiB) of ephemeral storage to be allocated to the task. The maximum supported value is 200 GiB. NOTE: This parameter is only supported for tasks hosted on AWS Fargate using platform version 1.4.0 or later. Default: 20
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: FargateRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['fargate']
@@ -8540,6 +9240,7 @@ class FargateRunnerProvider(
         :param spot: (experimental) Use Fargate spot capacity provider to save money. - Runners may fail to start due to missing capacity. - Runners might be stopped prematurely with spot pricing. Default: false
         :param subnet_selection: (experimental) Subnets to run the runners in. Default: Fargate default
         :param vpc: (experimental) VPC to launch the runners in. Default: default account VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -8554,6 +9255,7 @@ class FargateRunnerProvider(
             cluster=cluster,
             cpu=cpu,
             ephemeral_storage_gib=ephemeral_storage_gib,
+            group=group,
             image_builder=image_builder,
             label=label,
             labels=labels,
@@ -8563,6 +9265,7 @@ class FargateRunnerProvider(
             spot=spot,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -8583,6 +9286,7 @@ class FargateRunnerProvider(
         builder_type: typing.Optional[RunnerImageBuilderType] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional[Os] = None,
@@ -8591,6 +9295,7 @@ class FargateRunnerProvider(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> "IConfigurableRunnerImageBuilder":
         '''(experimental) Create new image builder that builds Fargate specific runner images.
 
@@ -8613,11 +9318,12 @@ class FargateRunnerProvider(
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -8626,6 +9332,7 @@ class FargateRunnerProvider(
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -8641,6 +9348,7 @@ class FargateRunnerProvider(
             builder_type=builder_type,
             code_build_options=code_build_options,
             components=components,
+            docker_setup_commands=docker_setup_commands,
             log_removal_policy=log_removal_policy,
             log_retention=log_retention,
             os=os,
@@ -8649,6 +9357,7 @@ class FargateRunnerProvider(
             security_groups=security_groups,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            wait_on_deploy=wait_on_deploy,
         )
 
         return typing.cast("IConfigurableRunnerImageBuilder", jsii.sinvoke(cls, "imageBuilder", [scope, id, props]))
@@ -8907,12 +9616,14 @@ class FargateRunnerProvider(
     jsii_type="@cloudsnorkel/cdk-github-runners.FargateRunnerProviderProps",
     jsii_struct_bases=[RunnerProviderProps],
     name_mapping={
+        "default_labels": "defaultLabels",
         "log_retention": "logRetention",
         "retry_options": "retryOptions",
         "assign_public_ip": "assignPublicIp",
         "cluster": "cluster",
         "cpu": "cpu",
         "ephemeral_storage_gib": "ephemeralStorageGiB",
+        "group": "group",
         "image_builder": "imageBuilder",
         "label": "label",
         "labels": "labels",
@@ -8928,12 +9639,14 @@ class FargateRunnerProviderProps(RunnerProviderProps):
     def __init__(
         self,
         *,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         assign_public_ip: typing.Optional[builtins.bool] = None,
         cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
         cpu: typing.Optional[jsii.Number] = None,
         ephemeral_storage_gib: typing.Optional[jsii.Number] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -8946,12 +9659,14 @@ class FargateRunnerProviderProps(RunnerProviderProps):
     ) -> None:
         '''(experimental) Properties for FargateRunnerProvider.
 
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
         :param assign_public_ip: (experimental) Assign public IP to the runner task. Make sure the task will have access to GitHub. A public IP might be required unless you have NAT gateway. Default: true
         :param cluster: (experimental) Existing Fargate cluster to use. Default: a new cluster
         :param cpu: (experimental) The number of cpu units used by the task. For tasks using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the memory parameter: 256 (.25 vCPU) - Available memory values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) 512 (.5 vCPU) - Available memory values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) 1024 (1 vCPU) - Available memory values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) 2048 (2 vCPU) - Available memory values: Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) 4096 (4 vCPU) - Available memory values: Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) Default: 1024
         :param ephemeral_storage_gib: (experimental) The amount (in GiB) of ephemeral storage to be allocated to the task. The maximum supported value is 200 GiB. NOTE: This parameter is only supported for tasks hosted on AWS Fargate using platform version 1.4.0 or later. Default: 20
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: FargateRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['fargate']
@@ -8970,12 +9685,14 @@ class FargateRunnerProviderProps(RunnerProviderProps):
             subnet_selection = _aws_cdk_aws_ec2_ceddda9d.SubnetSelection(**subnet_selection)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__26cdeb87df1adf5c49e0f9c1c061c7138af674da9af221212e1505fc1193583d)
+            check_type(argname="argument default_labels", value=default_labels, expected_type=type_hints["default_labels"])
             check_type(argname="argument log_retention", value=log_retention, expected_type=type_hints["log_retention"])
             check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
             check_type(argname="argument assign_public_ip", value=assign_public_ip, expected_type=type_hints["assign_public_ip"])
             check_type(argname="argument cluster", value=cluster, expected_type=type_hints["cluster"])
             check_type(argname="argument cpu", value=cpu, expected_type=type_hints["cpu"])
             check_type(argname="argument ephemeral_storage_gib", value=ephemeral_storage_gib, expected_type=type_hints["ephemeral_storage_gib"])
+            check_type(argname="argument group", value=group, expected_type=type_hints["group"])
             check_type(argname="argument image_builder", value=image_builder, expected_type=type_hints["image_builder"])
             check_type(argname="argument label", value=label, expected_type=type_hints["label"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
@@ -8986,6 +9703,8 @@ class FargateRunnerProviderProps(RunnerProviderProps):
             check_type(argname="argument subnet_selection", value=subnet_selection, expected_type=type_hints["subnet_selection"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if default_labels is not None:
+            self._values["default_labels"] = default_labels
         if log_retention is not None:
             self._values["log_retention"] = log_retention
         if retry_options is not None:
@@ -8998,6 +9717,8 @@ class FargateRunnerProviderProps(RunnerProviderProps):
             self._values["cpu"] = cpu
         if ephemeral_storage_gib is not None:
             self._values["ephemeral_storage_gib"] = ephemeral_storage_gib
+        if group is not None:
+            self._values["group"] = group
         if image_builder is not None:
             self._values["image_builder"] = image_builder
         if label is not None:
@@ -9017,6 +9738,19 @@ class FargateRunnerProviderProps(RunnerProviderProps):
         if vpc is not None:
             self._values["vpc"] = vpc
 
+    @builtins.property
+    def default_labels(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Add default labels based on OS and architecture of the runner.
+
+        This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``.
+
+        :default: true
+
+        :stability: experimental
+        '''
+        result = self._values.get("default_labels")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def log_retention(
         self,
@@ -9108,6 +9842,24 @@ class FargateRunnerProviderProps(RunnerProviderProps):
         result = self._values.get("ephemeral_storage_gib")
         return typing.cast(typing.Optional[jsii.Number], result)
 
+    @builtins.property
+    def group(self) -> typing.Optional[builtins.str]:
+        '''(experimental) GitHub Actions runner group name.
+
+        If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It
+        requires a paid GitHub account.
+
+        The group must exist or the runner will not start.
+
+        Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group.
+
+        :default: undefined
+
+        :stability: experimental
+        '''
+        result = self._values.get("group")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def image_builder(self) -> typing.Optional[IRunnerImageBuilder]:
         '''(experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements.
@@ -9361,6 +10113,7 @@ class LambdaRunner(
         id: builtins.str,
         *,
         ephemeral_storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -9370,6 +10123,7 @@ class LambdaRunner(
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -9377,6 +10131,7 @@ class LambdaRunner(
         :param scope: -
         :param id: -
         :param ephemeral_storage_size: (experimental) The size of the function’s /tmp directory in MiB. Default: 10 GiB
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder must contain the {@link RunnerImageComponent.lambdaEntrypoint} component. The image builder determines the OS and architecture of the runner. Default: LambdaRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['lambda']
@@ -9386,6 +10141,7 @@ class LambdaRunner(
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param timeout: (experimental) The function execution time (in seconds) after which Lambda terminates the function. Because the execution time affects cost, set this value based on the function's expected execution time. Default: Duration.minutes(15)
         :param vpc: (experimental) VPC to launch the runners in. Default: no VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -9397,6 +10153,7 @@ class LambdaRunner(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = LambdaRunnerProviderProps(
             ephemeral_storage_size=ephemeral_storage_size,
+            group=group,
             image_builder=image_builder,
             label=label,
             labels=labels,
@@ -9406,6 +10163,7 @@ class LambdaRunner(
             subnet_selection=subnet_selection,
             timeout=timeout,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -9417,9 +10175,11 @@ class LambdaRunner(
     jsii_type="@cloudsnorkel/cdk-github-runners.LambdaRunnerProviderProps",
     jsii_struct_bases=[RunnerProviderProps],
     name_mapping={
+        "default_labels": "defaultLabels",
         "log_retention": "logRetention",
         "retry_options": "retryOptions",
         "ephemeral_storage_size": "ephemeralStorageSize",
+        "group": "group",
         "image_builder": "imageBuilder",
         "label": "label",
         "labels": "labels",
@@ -9435,9 +10195,11 @@ class LambdaRunnerProviderProps(RunnerProviderProps):
     def __init__(
         self,
         *,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         ephemeral_storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -9449,9 +10211,11 @@ class LambdaRunnerProviderProps(RunnerProviderProps):
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
     ) -> None:
         '''
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
         :param ephemeral_storage_size: (experimental) The size of the function’s /tmp directory in MiB. Default: 10 GiB
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder must contain the {@link RunnerImageComponent.lambdaEntrypoint} component. The image builder determines the OS and architecture of the runner. Default: LambdaRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['lambda']
@@ -9470,9 +10234,11 @@ class LambdaRunnerProviderProps(RunnerProviderProps):
             subnet_selection = _aws_cdk_aws_ec2_ceddda9d.SubnetSelection(**subnet_selection)
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__45a4a92b817689da2d55675d278ad5c96699269cc41f3406b7fca6d7a7664861)
+            check_type(argname="argument default_labels", value=default_labels, expected_type=type_hints["default_labels"])
             check_type(argname="argument log_retention", value=log_retention, expected_type=type_hints["log_retention"])
             check_type(argname="argument retry_options", value=retry_options, expected_type=type_hints["retry_options"])
             check_type(argname="argument ephemeral_storage_size", value=ephemeral_storage_size, expected_type=type_hints["ephemeral_storage_size"])
+            check_type(argname="argument group", value=group, expected_type=type_hints["group"])
             check_type(argname="argument image_builder", value=image_builder, expected_type=type_hints["image_builder"])
             check_type(argname="argument label", value=label, expected_type=type_hints["label"])
             check_type(argname="argument labels", value=labels, expected_type=type_hints["labels"])
@@ -9483,12 +10249,16 @@ class LambdaRunnerProviderProps(RunnerProviderProps):
             check_type(argname="argument timeout", value=timeout, expected_type=type_hints["timeout"])
             check_type(argname="argument vpc", value=vpc, expected_type=type_hints["vpc"])
         self._values: typing.Dict[builtins.str, typing.Any] = {}
+        if default_labels is not None:
+            self._values["default_labels"] = default_labels
         if log_retention is not None:
             self._values["log_retention"] = log_retention
         if retry_options is not None:
             self._values["retry_options"] = retry_options
         if ephemeral_storage_size is not None:
             self._values["ephemeral_storage_size"] = ephemeral_storage_size
+        if group is not None:
+            self._values["group"] = group
         if image_builder is not None:
             self._values["image_builder"] = image_builder
         if label is not None:
@@ -9508,6 +10278,19 @@ class LambdaRunnerProviderProps(RunnerProviderProps):
         if vpc is not None:
             self._values["vpc"] = vpc
 
+    @builtins.property
+    def default_labels(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Add default labels based on OS and architecture of the runner.
+
+        This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``.
+
+        :default: true
+
+        :stability: experimental
+        '''
+        result = self._values.get("default_labels")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def log_retention(
         self,
@@ -9546,6 +10329,24 @@ class LambdaRunnerProviderProps(RunnerProviderProps):
         result = self._values.get("ephemeral_storage_size")
         return typing.cast(typing.Optional[_aws_cdk_ceddda9d.Size], result)
 
+    @builtins.property
+    def group(self) -> typing.Optional[builtins.str]:
+        '''(experimental) GitHub Actions runner group name.
+
+        If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It
+        requires a paid GitHub account.
+
+        The group must exist or the runner will not start.
+
+        Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group.
+
+        :default: undefined
+
+        :stability: experimental
+        '''
+        result = self._values.get("group")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def image_builder(self) -> typing.Optional[IRunnerImageBuilder]:
         '''(experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements.
@@ -9709,6 +10510,7 @@ class RunnerImageBuilder(
         builder_type: typing.Optional[RunnerImageBuilderType] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional[Os] = None,
@@ -9717,17 +10519,19 @@ class RunnerImageBuilder(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> None:
         '''
         :param scope: -
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -9736,6 +10540,7 @@ class RunnerImageBuilder(
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -9751,6 +10556,7 @@ class RunnerImageBuilder(
             builder_type=builder_type,
             code_build_options=code_build_options,
             components=components,
+            docker_setup_commands=docker_setup_commands,
             log_removal_policy=log_removal_policy,
             log_retention=log_retention,
             os=os,
@@ -9759,6 +10565,7 @@ class RunnerImageBuilder(
             security_groups=security_groups,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            wait_on_deploy=wait_on_deploy,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -9777,6 +10584,7 @@ class RunnerImageBuilder(
         builder_type: typing.Optional[RunnerImageBuilderType] = None,
         code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
         components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+        docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
         log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         os: typing.Optional[Os] = None,
@@ -9785,6 +10593,7 @@ class RunnerImageBuilder(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        wait_on_deploy: typing.Optional[builtins.bool] = None,
     ) -> IConfigurableRunnerImageBuilder:
         '''(experimental) Create a new image builder based on the provided properties.
 
@@ -9794,11 +10603,12 @@ class RunnerImageBuilder(
         :param id: -
         :param architecture: (experimental) Image architecture. Default: Architecture.X86_64
         :param aws_image_builder_options: (experimental) Options specific to AWS Image Builder. Only used when builderType is RunnerImageBuilderType.AWS_IMAGE_BUILDER.
-        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
-        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
+        :param base_ami: (experimental) Base AMI from which runner AMIs will be built. This can be an actual AMI or an AWS Image Builder ARN that points to the latest AMI. For example ``arn:aws:imagebuilder:us-east-1:aws:image/ubuntu-server-22-lts-x86/x.x.x`` would always use the latest version of Ubuntu 22.04 in each build. If you want a specific version, you can replace ``x.x.x`` with that version. Default: latest Ubuntu 22.04 AMI for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, Ubuntu 24.04 AMI for Os.LINUX_UBUNTU_2404, latest Amazon Linux 2 AMI for Os.LINUX_AMAZON_2, latest Windows Server 2022 AMI for Os.WINDOWS
+        :param base_docker_image: (experimental) Base image from which Docker runner images will be built. When using private images from a different account or not on ECR, you may need to include additional setup commands with {@link dockerSetupCommands}. Default: public.ecr.aws/lts/ubuntu:22.04 for Os.LINUX_UBUNTU and Os.LINUX_UBUNTU_2204, public.ecr.aws/lts/ubuntu:24.04 for Os.LINUX_UBUNTU_2404, public.ecr.aws/amazonlinux/amazonlinux:2 for Os.LINUX_AMAZON_2, mcr.microsoft.com/windows/servercore:ltsc2019-amd64 for Os.WINDOWS
         :param builder_type: Default: CodeBuild for Linux Docker image, AWS Image Builder for Windows Docker image and any AMI
         :param code_build_options: (experimental) Options specific to CodeBuild image builder. Only used when builderType is RunnerImageBuilderType.CODE_BUILD.
         :param components: (experimental) Components to install on the image. Default: none
+        :param docker_setup_commands: (experimental) Additional commands to run on the build host before starting the Docker runner image build. Use this to execute commands such as ``docker login`` or ``aws ecr get-login-password`` to pull private base images. Default: []
         :param log_removal_policy: (experimental) Removal policy for logs of image builds. If deployment fails on the custom resource, try setting this to ``RemovalPolicy.RETAIN``. This way the CodeBuild logs can still be viewed, and you can see why the build failed. We try to not leave anything behind when removed. But sometimes a log staying behind is useful. Default: RemovalPolicy.DESTROY
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param os: (experimental) Image OS. Default: OS.LINUX_UBUNTU
@@ -9807,6 +10617,7 @@ class RunnerImageBuilder(
         :param security_groups: (experimental) Security Groups to assign to this instance.
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param vpc: (experimental) VPC to build the image in. Default: no VPC
+        :param wait_on_deploy: (experimental) Wait for image to finish building during deployment. It's usually best to leave this enabled to ensure everything is ready once deployment is done. However, it can be disabled to speed up deployment in case where you have a lot of image components that can take a long time to build. Disabling this option means a finished deployment is not ready to be used. You will have to wait for the image to finish building before the system can be used. Disabling this option may also mean any changes to settings or components can take up to a week (default rebuild interval) to take effect. Default: true
 
         :stability: experimental
         '''
@@ -9822,6 +10633,7 @@ class RunnerImageBuilder(
             builder_type=builder_type,
             code_build_options=code_build_options,
             components=components,
+            docker_setup_commands=docker_setup_commands,
             log_removal_policy=log_removal_policy,
             log_retention=log_retention,
             os=os,
@@ -9830,6 +10642,7 @@ class RunnerImageBuilder(
             security_groups=security_groups,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            wait_on_deploy=wait_on_deploy,
         )
 
         return typing.cast(IConfigurableRunnerImageBuilder, jsii.sinvoke(cls, "new", [scope, id, props]))
@@ -9925,7 +10738,7 @@ class RunnerImageBuilder(
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__705c18a1eedaa490aebad511aac32a801519a57162e30be4673a8ab87ca434dc)
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "components", value)
+        jsii.set(self, "components", value) # pyright: ignore[reportArgumentType]
 
 
 class _RunnerImageBuilderProxy(RunnerImageBuilder):
@@ -9995,6 +10808,7 @@ class CodeBuildRunner(
         *,
         compute_type: typing.Optional[_aws_cdk_aws_codebuild_ceddda9d.ComputeType] = None,
         docker_in_docker: typing.Optional[builtins.bool] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -10003,6 +10817,7 @@ class CodeBuildRunner(
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -10011,6 +10826,7 @@ class CodeBuildRunner(
         :param id: -
         :param compute_type: (experimental) The type of compute to use for this build. See the {@link ComputeType} enum for the possible values. Default: {@link ComputeType#SMALL }
         :param docker_in_docker: (experimental) Support building and running Docker images by enabling Docker-in-Docker (dind) and the required CodeBuild privileged mode. Disabling this can speed up provisioning of CodeBuild runners. If you don't intend on running or building Docker images, disable this for faster start-up times. Default: true
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder must contain the {@link RunnerImageComponent.docker} component unless ``dockerInDocker`` is set to false. The image builder determines the OS and architecture of the runner. Default: CodeBuildRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['codebuild']
@@ -10019,6 +10835,7 @@ class CodeBuildRunner(
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Default: no subnet
         :param timeout: (experimental) The number of minutes after which AWS CodeBuild stops the build if it's not complete. For valid values, see the timeoutInMinutes field in the AWS CodeBuild User Guide. Default: Duration.hours(1)
         :param vpc: (experimental) VPC to launch the runners in. Default: no VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -10031,6 +10848,7 @@ class CodeBuildRunner(
         props = CodeBuildRunnerProviderProps(
             compute_type=compute_type,
             docker_in_docker=docker_in_docker,
+            group=group,
             image_builder=image_builder,
             label=label,
             labels=labels,
@@ -10039,6 +10857,7 @@ class CodeBuildRunner(
             subnet_selection=subnet_selection,
             timeout=timeout,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -10063,6 +10882,7 @@ class Ec2Runner(
         id: builtins.str,
         *,
         ami_builder: typing.Optional[IRunnerImageBuilder] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -10070,10 +10890,12 @@ class Ec2Runner(
         security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
         spot: typing.Optional[builtins.bool] = None,
         spot_max_price: typing.Optional[builtins.str] = None,
+        storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
         subnet: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISubnet] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -10081,17 +10903,20 @@ class Ec2Runner(
         :param scope: -
         :param id: -
         :param ami_builder: 
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build AMI containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: Ec2RunnerProvider.imageBuilder()
-        :param instance_type: (experimental) Instance type for launched runner instances. Default: m5.large
+        :param instance_type: (experimental) Instance type for launched runner instances. Default: m6i.large
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['ec2']
         :param security_group: (deprecated) Security Group to assign to launched runner instances. Default: a new security group
         :param security_groups: (experimental) Security groups to assign to launched runner instances. Default: a new security group
         :param spot: (experimental) Use spot instances to save money. Spot instances are cheaper but not always available and can be stopped prematurely. Default: false
         :param spot_max_price: (experimental) Set a maximum price for spot instances. Default: no max price (you will pay current spot price)
+        :param storage_options: (experimental) Options for runner instance storage volume.
         :param storage_size: (experimental) Size of volume available for launched runner instances. This modifies the boot volume size and doesn't add any additional volumes. Default: 30GB
         :param subnet: (deprecated) Subnet where the runner instances will be launched. Default: default subnet of account's default VPC
         :param subnet_selection: (experimental) Where to place the network interfaces within the VPC. Only the first matched subnet will be used. Default: default VPC subnet
         :param vpc: (experimental) VPC where runner instances will be launched. Default: default account VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -10103,6 +10928,7 @@ class Ec2Runner(
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = Ec2RunnerProviderProps(
             ami_builder=ami_builder,
+            group=group,
             image_builder=image_builder,
             instance_type=instance_type,
             labels=labels,
@@ -10110,10 +10936,12 @@ class Ec2Runner(
             security_groups=security_groups,
             spot=spot,
             spot_max_price=spot_max_price,
+            storage_options=storage_options,
             storage_size=storage_size,
             subnet=subnet,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -10141,6 +10969,7 @@ class FargateRunner(
         cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
         cpu: typing.Optional[jsii.Number] = None,
         ephemeral_storage_gib: typing.Optional[jsii.Number] = None,
+        group: typing.Optional[builtins.str] = None,
         image_builder: typing.Optional[IRunnerImageBuilder] = None,
         label: typing.Optional[builtins.str] = None,
         labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -10150,6 +10979,7 @@ class FargateRunner(
         spot: typing.Optional[builtins.bool] = None,
         subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
         vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+        default_labels: typing.Optional[builtins.bool] = None,
         log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
         retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ) -> None:
@@ -10160,6 +10990,7 @@ class FargateRunner(
         :param cluster: (experimental) Existing Fargate cluster to use. Default: a new cluster
         :param cpu: (experimental) The number of cpu units used by the task. For tasks using the Fargate launch type, this field is required and you must use one of the following values, which determines your range of valid values for the memory parameter: 256 (.25 vCPU) - Available memory values: 512 (0.5 GB), 1024 (1 GB), 2048 (2 GB) 512 (.5 vCPU) - Available memory values: 1024 (1 GB), 2048 (2 GB), 3072 (3 GB), 4096 (4 GB) 1024 (1 vCPU) - Available memory values: 2048 (2 GB), 3072 (3 GB), 4096 (4 GB), 5120 (5 GB), 6144 (6 GB), 7168 (7 GB), 8192 (8 GB) 2048 (2 vCPU) - Available memory values: Between 4096 (4 GB) and 16384 (16 GB) in increments of 1024 (1 GB) 4096 (4 vCPU) - Available memory values: Between 8192 (8 GB) and 30720 (30 GB) in increments of 1024 (1 GB) Default: 1024
         :param ephemeral_storage_gib: (experimental) The amount (in GiB) of ephemeral storage to be allocated to the task. The maximum supported value is 200 GiB. NOTE: This parameter is only supported for tasks hosted on AWS Fargate using platform version 1.4.0 or later. Default: 20
+        :param group: (experimental) GitHub Actions runner group name. If specified, the runner will be registered with this group name. Setting a runner group can help managing access to self-hosted runners. It requires a paid GitHub account. The group must exist or the runner will not start. Users will still be able to trigger this runner with the correct labels. But the runner will only be able to run jobs from repos allowed to use the group. Default: undefined
         :param image_builder: (experimental) Runner image builder used to build Docker images containing GitHub Runner and all requirements. The image builder determines the OS and architecture of the runner. Default: FargateRunnerProvider.imageBuilder()
         :param label: (deprecated) GitHub Actions label used for this provider. Default: undefined
         :param labels: (experimental) GitHub Actions labels used for this provider. These labels are used to identify which provider should spawn a new on-demand runner. Every job sends a webhook with the labels it's looking for based on runs-on. We match the labels from the webhook with the labels specified here. If all the labels specified here are present in the job's labels, this provider will be chosen and spawn a new runner. Default: ['fargate']
@@ -10169,6 +11000,7 @@ class FargateRunner(
         :param spot: (experimental) Use Fargate spot capacity provider to save money. - Runners may fail to start due to missing capacity. - Runners might be stopped prematurely with spot pricing. Default: false
         :param subnet_selection: (experimental) Subnets to run the runners in. Default: Fargate default
         :param vpc: (experimental) VPC to launch the runners in. Default: default account VPC
+        :param default_labels: (experimental) Add default labels based on OS and architecture of the runner. This will tell GitHub Runner to add default labels like ``self-hosted``, ``linux``, ``x64``, and ``arm64``. Default: true
         :param log_retention: (experimental) The number of days log events are kept in CloudWatch Logs. When updating this property, unsetting it doesn't remove the log retention policy. To remove the retention policy, set the value to ``INFINITE``. Default: logs.RetentionDays.ONE_MONTH
         :param retry_options: 
 
@@ -10183,6 +11015,7 @@ class FargateRunner(
             cluster=cluster,
             cpu=cpu,
             ephemeral_storage_gib=ephemeral_storage_gib,
+            group=group,
             image_builder=image_builder,
             label=label,
             labels=labels,
@@ -10192,6 +11025,7 @@ class FargateRunner(
             spot=spot,
             subnet_selection=subnet_selection,
             vpc=vpc,
+            default_labels=default_labels,
             log_retention=log_retention,
             retry_options=retry_options,
         )
@@ -10221,6 +11055,7 @@ __all__ = [
     "FargateRunner",
     "FargateRunnerProvider",
     "FargateRunnerProviderProps",
+    "FastLaunchOptions",
     "GitHubRunners",
     "GitHubRunnersProps",
     "IConfigurableRunnerImageBuilder",
@@ -10253,6 +11088,7 @@ __all__ = [
     "RunnerVersion",
     "Secrets",
     "StaticRunnerImage",
+    "StorageOptions",
     "WindowsComponents",
 ]
 
@@ -10306,7 +11142,9 @@ def _typecheckingstub__41cf6bb0c2118d6cb7d082b7e678fba3dae1f5b8812776005eef7b14e
 
 def _typecheckingstub__fe17585d38b67015c3f03db2aefab095f171e0e0900c9a4564679bbc5a29fd07(
     *,
+    fast_launch_options: typing.Optional[typing.Union[FastLaunchOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
+    storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -10357,6 +11195,15 @@ def _typecheckingstub__b7b6832b84987dee7e16a1e7bde046b812c75e74a268cb3fbf2685d3f
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__d2952ae322a0fd40b480084b183be9e7179337af84efb30a496aa331a22fa562(
+    *,
+    enabled: typing.Optional[builtins.bool] = None,
+    max_parallel_launches: typing.Optional[jsii.Number] = None,
+    target_resource_count: typing.Optional[jsii.Number] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__c1a45de07d09ed9f4fd0b9051aeff4571ceda633f49c0b30a5058ad6d72fad18(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -10479,6 +11326,7 @@ def _typecheckingstub__637ac3a7237f114ea2a9842f95653a0d13444cd4da7a4dfe9330fdb98
     id: builtins.str,
     *,
     ephemeral_storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -10488,6 +11336,7 @@ def _typecheckingstub__637ac3a7237f114ea2a9842f95653a0d13444cd4da7a4dfe9330fdb98
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -10505,6 +11354,7 @@ def _typecheckingstub__ce2bbc7a18f99610673c6eb5e5f04fb45ba63301ff0fbe52524601461
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -10513,6 +11363,7 @@ def _typecheckingstub__ce2bbc7a18f99610673c6eb5e5f04fb45ba63301ff0fbe52524601461
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -10674,6 +11525,7 @@ def _typecheckingstub__ab96b7f3871624e8430668114e7f5748ba5d253168db5b8f9a13955d0
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -10682,6 +11534,13 @@ def _typecheckingstub__ab96b7f3871624e8430668114e7f5748ba5d253168db5b8f9a13955d0
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__604cc9b160ccf839230b5f673dff20a8c9722aa81c88ef3ccadcdfcec778ec1a(
+    vars: typing.Mapping[builtins.str, builtins.str],
 ) -> None:
     """Type checking stubs"""
     pass
@@ -10739,6 +11598,7 @@ def _typecheckingstub__6fe5c2d2437d742085479f02259513b739e15d569c2f5b87bf0244bf4
 
 def _typecheckingstub__faa1323116edff475c54eafc82f7af57dd73527c022a54b6210c5a490a80a1d3(
     *,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -10801,6 +11661,15 @@ def _typecheckingstub__f48d8ecb3f18c1471b45f7dfd8f15c51227e04697959138092d72a915
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__ec3b766929d3a048d89c7dc502f77bbbfc7357735093ebc66695a13b92f9bf82(
+    *,
+    iops: typing.Optional[jsii.Number] = None,
+    throughput: typing.Optional[jsii.Number] = None,
+    volume_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.EbsDeviceVolumeType] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__0c68c27f668327e6aeb3b0e5b7e88235ae547046edeb1fa6a808b729a31b7bd2(
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
@@ -10993,6 +11862,7 @@ def _typecheckingstub__bb924a0cf987a9f87f4ad0ebd952c61ebd4e02d7d83501b9600f14157
     *,
     compute_type: typing.Optional[_aws_cdk_aws_codebuild_ceddda9d.ComputeType] = None,
     docker_in_docker: typing.Optional[builtins.bool] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11001,6 +11871,7 @@ def _typecheckingstub__bb924a0cf987a9f87f4ad0ebd952c61ebd4e02d7d83501b9600f14157
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -11018,6 +11889,7 @@ def _typecheckingstub__5b74a56ca854b011edea7d259b730771e5a994081db1aa0bdbea8b3e2
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -11026,6 +11898,7 @@ def _typecheckingstub__5b74a56ca854b011edea7d259b730771e5a994081db1aa0bdbea8b3e2
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -11052,10 +11925,12 @@ def _typecheckingstub__6969b9c3ab349e4eada340b71bb6e985c199a88642a6d68289cc42ad9
 
 def _typecheckingstub__9377dcf4cd4dae74730635bdaf02246acb473843cea2856cf9a64295df964eb6(
     *,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     compute_type: typing.Optional[_aws_cdk_aws_codebuild_ceddda9d.ComputeType] = None,
     docker_in_docker: typing.Optional[builtins.bool] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11149,6 +12024,7 @@ def _typecheckingstub__fd3f279069067627058d9a5818aab030be5ffd71ce03962b4fd7cdd85
     id: builtins.str,
     *,
     ami_builder: typing.Optional[IRunnerImageBuilder] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11156,10 +12032,12 @@ def _typecheckingstub__fd3f279069067627058d9a5818aab030be5ffd71ce03962b4fd7cdd85
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     spot: typing.Optional[builtins.bool] = None,
     spot_max_price: typing.Optional[builtins.str] = None,
+    storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
     subnet: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISubnet] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -11177,6 +12055,7 @@ def _typecheckingstub__c9910152a829b3b3a0a9e70ec31bd3ae8669b723ebb60627c6d08813b
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -11185,6 +12064,7 @@ def _typecheckingstub__c9910152a829b3b3a0a9e70ec31bd3ae8669b723ebb60627c6d08813b
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -11211,9 +12091,11 @@ def _typecheckingstub__f493efe2a09a1094bf977e7690b481a2257fb28bdf86de99ba09b0eb0
 
 def _typecheckingstub__b650c4bf7f2a31b514d6f1f9e0c1b4b2cdae8b20b6f209f5b5fc74ef418fc2a3(
     *,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ami_builder: typing.Optional[IRunnerImageBuilder] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11221,6 +12103,7 @@ def _typecheckingstub__b650c4bf7f2a31b514d6f1f9e0c1b4b2cdae8b20b6f209f5b5fc74ef4
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     spot: typing.Optional[builtins.bool] = None,
     spot_max_price: typing.Optional[builtins.str] = None,
+    storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
     subnet: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISubnet] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
@@ -11238,6 +12121,7 @@ def _typecheckingstub__c520325dd0289bf8c6670ecdce77df4b229a0a2681957e61665818d2f
     cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
     cpu: typing.Optional[jsii.Number] = None,
     docker_in_docker: typing.Optional[builtins.bool] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11245,12 +12129,16 @@ def _typecheckingstub__c520325dd0289bf8c6670ecdce77df4b229a0a2681957e61665818d2f
     memory_limit_mib: typing.Optional[jsii.Number] = None,
     memory_reservation_mib: typing.Optional[jsii.Number] = None,
     min_instances: typing.Optional[jsii.Number] = None,
+    placement_constraints: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementConstraint]] = None,
+    placement_strategies: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementStrategy]] = None,
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     spot: typing.Optional[builtins.bool] = None,
     spot_max_price: typing.Optional[builtins.str] = None,
+    storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -11268,6 +12156,7 @@ def _typecheckingstub__7b459d87ca6935e6c04ff03be02ed821eef81dbc792be822f356697f6
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -11276,6 +12165,7 @@ def _typecheckingstub__7b459d87ca6935e6c04ff03be02ed821eef81dbc792be822f356697f6
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -11302,6 +12192,7 @@ def _typecheckingstub__e7ecb1269ac1102589a8eb3fdd808b1c194dffc5acfa36b649506b72c
 
 def _typecheckingstub__73c1978e12dcea1bd69ce0927a80bd887d7f7d1b6573831942495e9d5966b483(
     *,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     assign_public_ip: typing.Optional[builtins.bool] = None,
@@ -11309,6 +12200,7 @@ def _typecheckingstub__73c1978e12dcea1bd69ce0927a80bd887d7f7d1b6573831942495e9d5
     cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
     cpu: typing.Optional[jsii.Number] = None,
     docker_in_docker: typing.Optional[builtins.bool] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11316,9 +12208,12 @@ def _typecheckingstub__73c1978e12dcea1bd69ce0927a80bd887d7f7d1b6573831942495e9d5
     memory_limit_mib: typing.Optional[jsii.Number] = None,
     memory_reservation_mib: typing.Optional[jsii.Number] = None,
     min_instances: typing.Optional[jsii.Number] = None,
+    placement_constraints: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementConstraint]] = None,
+    placement_strategies: typing.Optional[typing.Sequence[_aws_cdk_aws_ecs_ceddda9d.PlacementStrategy]] = None,
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     spot: typing.Optional[builtins.bool] = None,
     spot_max_price: typing.Optional[builtins.str] = None,
+    storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
@@ -11334,6 +12229,7 @@ def _typecheckingstub__f7098876c10584a4cc58e16d23fd86ffe1fc50f2b55ca60549136d051
     cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
     cpu: typing.Optional[jsii.Number] = None,
     ephemeral_storage_gib: typing.Optional[jsii.Number] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11343,6 +12239,7 @@ def _typecheckingstub__f7098876c10584a4cc58e16d23fd86ffe1fc50f2b55ca60549136d051
     spot: typing.Optional[builtins.bool] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -11360,6 +12257,7 @@ def _typecheckingstub__9fd4f7f17e5e5c5b64ec7abfe1183d153e9472f7a1e9312e6d4b55f3f
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -11368,6 +12266,7 @@ def _typecheckingstub__9fd4f7f17e5e5c5b64ec7abfe1183d153e9472f7a1e9312e6d4b55f3f
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -11394,12 +12293,14 @@ def _typecheckingstub__9c62078db683958716a7ad86909a8b9b4dce462def398eb03faf0dc61
 
 def _typecheckingstub__26cdeb87df1adf5c49e0f9c1c061c7138af674da9af221212e1505fc1193583d(
     *,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     assign_public_ip: typing.Optional[builtins.bool] = None,
     cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
     cpu: typing.Optional[jsii.Number] = None,
     ephemeral_storage_gib: typing.Optional[jsii.Number] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11430,6 +12331,7 @@ def _typecheckingstub__80e9b84ecba02bdef856d3ee3f48a5e0a5e58ad813554fd529c0abe3a
     id: builtins.str,
     *,
     ephemeral_storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11439,6 +12341,7 @@ def _typecheckingstub__80e9b84ecba02bdef856d3ee3f48a5e0a5e58ad813554fd529c0abe3a
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -11447,9 +12350,11 @@ def _typecheckingstub__80e9b84ecba02bdef856d3ee3f48a5e0a5e58ad813554fd529c0abe3a
 
 def _typecheckingstub__45a4a92b817689da2d55675d278ad5c96699269cc41f3406b7fca6d7a7664861(
     *,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     ephemeral_storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11474,6 +12379,7 @@ def _typecheckingstub__963c9a4884bb9d7400672391dfb47486f969a1b8fe5616bba9cd493e8
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -11482,6 +12388,7 @@ def _typecheckingstub__963c9a4884bb9d7400672391dfb47486f969a1b8fe5616bba9cd493e8
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -11497,6 +12404,7 @@ def _typecheckingstub__c44d5704c54d7fdcf24ad39567c0e9f53f9837163bf8bf3b1b4e652e2
     builder_type: typing.Optional[RunnerImageBuilderType] = None,
     code_build_options: typing.Optional[typing.Union[CodeBuildRunnerImageBuilderProps, typing.Dict[builtins.str, typing.Any]]] = None,
     components: typing.Optional[typing.Sequence[RunnerImageComponent]] = None,
+    docker_setup_commands: typing.Optional[typing.Sequence[builtins.str]] = None,
     log_removal_policy: typing.Optional[_aws_cdk_ceddda9d.RemovalPolicy] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     os: typing.Optional[Os] = None,
@@ -11505,6 +12413,7 @@ def _typecheckingstub__c44d5704c54d7fdcf24ad39567c0e9f53f9837163bf8bf3b1b4e652e2
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    wait_on_deploy: typing.Optional[builtins.bool] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -11533,6 +12442,7 @@ def _typecheckingstub__1ab9454b0ecfcd12fc0ab07c0f0f4d7ce646a5a928f5e14092b0a6c42
     *,
     compute_type: typing.Optional[_aws_cdk_aws_codebuild_ceddda9d.ComputeType] = None,
     docker_in_docker: typing.Optional[builtins.bool] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11541,6 +12451,7 @@ def _typecheckingstub__1ab9454b0ecfcd12fc0ab07c0f0f4d7ce646a5a928f5e14092b0a6c42
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     timeout: typing.Optional[_aws_cdk_ceddda9d.Duration] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -11552,6 +12463,7 @@ def _typecheckingstub__a0a6acc584ae2ad3aed3605810cea44858f1a0bc22f62f2df9005b318
     id: builtins.str,
     *,
     ami_builder: typing.Optional[IRunnerImageBuilder] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     instance_type: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.InstanceType] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11559,10 +12471,12 @@ def _typecheckingstub__a0a6acc584ae2ad3aed3605810cea44858f1a0bc22f62f2df9005b318
     security_groups: typing.Optional[typing.Sequence[_aws_cdk_aws_ec2_ceddda9d.ISecurityGroup]] = None,
     spot: typing.Optional[builtins.bool] = None,
     spot_max_price: typing.Optional[builtins.str] = None,
+    storage_options: typing.Optional[typing.Union[StorageOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     storage_size: typing.Optional[_aws_cdk_ceddda9d.Size] = None,
     subnet: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.ISubnet] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
@@ -11577,6 +12491,7 @@ def _typecheckingstub__e507aa08f983fcd409ec9cf4ba5e0e6312ce72778cbbb2f9b5b016fde
     cluster: typing.Optional[_aws_cdk_aws_ecs_ceddda9d.Cluster] = None,
     cpu: typing.Optional[jsii.Number] = None,
     ephemeral_storage_gib: typing.Optional[jsii.Number] = None,
+    group: typing.Optional[builtins.str] = None,
     image_builder: typing.Optional[IRunnerImageBuilder] = None,
     label: typing.Optional[builtins.str] = None,
     labels: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -11586,8 +12501,12 @@ def _typecheckingstub__e507aa08f983fcd409ec9cf4ba5e0e6312ce72778cbbb2f9b5b016fde
     spot: typing.Optional[builtins.bool] = None,
     subnet_selection: typing.Optional[typing.Union[_aws_cdk_aws_ec2_ceddda9d.SubnetSelection, typing.Dict[builtins.str, typing.Any]]] = None,
     vpc: typing.Optional[_aws_cdk_aws_ec2_ceddda9d.IVpc] = None,
+    default_labels: typing.Optional[builtins.bool] = None,
     log_retention: typing.Optional[_aws_cdk_aws_logs_ceddda9d.RetentionDays] = None,
     retry_options: typing.Optional[typing.Union[ProviderRetryOptions, typing.Dict[builtins.str, typing.Any]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
+
+for cls in [IConfigurableRunnerImageBuilder, IRunnerAmiStatus, IRunnerImageBuilder, IRunnerImageStatus, IRunnerProvider, IRunnerProviderStatus]:
+    typing.cast(typing.Any, cls).__protocol_attrs__ = typing.cast(typing.Any, cls).__protocol_attrs__ - set(['__jsii_proxy_class__', '__jsii_type__'])