docs: Add ADR for migrating CI orchestration to GitHub Actions #3280
kukushking wants to merge 2 commits into main from
Proposes consolidating CI from a separate private CodeBuild/CDK repository into GitHub Actions workflows that trigger a single CodeBuild project via aws-actions/aws-codebuild-run-build. Includes security analysis showing the migration does not weaken security posture.
Proposed

## Context
I would focus on the unit tests to start. Others are rarely run and would just add complexity.
Agree, the layers build I would also migrate as it's a release dependency.
## Decision
Migrate CI orchestration from standalone CodeBuild webhooks to GitHub Actions workflows that trigger a single CodeBuild project via `aws-actions/aws-codebuild-run-build`.
Please double check if that action is ok with the OSS team. They might have a different suggestion.
Giving this a go instead: https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html
### Ray load test infrastructure
The load tests stack in the private repository provisions infrastructure for remote Ray cluster tests: an EC2 instance profile for Ray workers, security groups for cluster communication, and an auto-terminate Lambda that cleans up orphaned instances. All of this moves into `./test_infra/`. The execution model is unchanged.
We haven't run this in a long time, not even sure it's still working.
3. **The existing test resource stacks are already public.** `./test_infra/stacks/` — which defines the VPC, databases, security groups, OpenSearch domains, and IAM roles — is already in the public repository. The CI stack follows the same pattern and exposes no additional sensitive information.
4. **Comparable AWS open-source projects do this.** AWS Powertools for Lambda (Python) publishes all CI and infrastructure configuration in their public repository, including IAM role definitions and OIDC trust policies.
**What to verify before merging:** audit the CDK stack to confirm no account IDs, resource ARNs, IP ranges, or other environment-specific values are hardcoded. All such values should come from SSM parameters, CDK context, or environment variables at deploy time.
I would double check this - a full audit before the first commit.
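The pre-merge audit the ADR asks for, as an added example that is not part of the PR or the project's own tooling: a small scanner that flags 12-digit account IDs, ARNs and IPv4 CIDRs left in CDK sources, so a reviewer can run it over `./test_infra/` before the stack goes public. The default root, the file suffixes, the allowlist and the sample stack are assumptions.

```python
import re
from pathlib import Path
from typing import Dict, FrozenSet, List

# Patterns for values the ADR says must come from SSM, CDK context or env vars.
PATTERNS: Dict[str, re.Pattern] = {
    "arn": re.compile(r"arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:\d{12}:[^\s\"']+"),
    "aws_account_id": re.compile(r"(?<![\d.])\d{12}(?![\d.])"),
    "ipv4_cidr": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}(?![\d.])"),
}


def scan_text(text: str, source: str = "<string>",
              allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Return findings {source, line, kind, value} for hardcoded values in text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        arn_spans = [m.span() for m in PATTERNS["arn"].finditer(line)]
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # An account ID embedded in an ARN is reported once, as the ARN.
                if kind == "aws_account_id" and any(
                        s <= m.start() and m.end() <= e for s, e in arn_spans):
                    continue
                if m.group(0) in allowlist:  # e.g. a VPC CIDR that is meant to be fixed
                    continue
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "value": m.group(0)})
    return findings


def scan_tree(root: Path = Path("test_infra"),
              suffixes=(".py", ".ts", ".json", ".yaml", ".yml"),
              allowlist: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Scan every source file under root (assumed: ./test_infra/) and merge findings."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in suffixes:
            findings.extend(scan_text(path.read_text(errors="replace"), str(path), allowlist))
    return findings


# Constructed sample stack snippet for demonstration; not from the repository.
SAMPLE_STACK = """\
import os
ROLE_ARN = "arn:aws:iam::123456789012:role/ci-runner"  # hardcoded -> flagged
ALLOWED_CIDR = "203.0.113.0/24"                        # hardcoded -> flagged
VPC_CIDR = "10.0.0.0/16"                               # allowlisted by the caller
account = os.environ["CDK_DEFAULT_ACCOUNT"]            # resolved at deploy time
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_STACK, "sample_stack.py", frozenset({"10.0.0.0/16"})):
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['value']}")
```

A non-empty result is a review blocker; an allowlist entry should be justified in the PR rather than added silently.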
Switch from aws-actions/aws-codebuild-run-build to CodeBuild-hosted runner approach. Workflow steps run directly on CodeBuild — no buildspecs, no OIDC trigger role needed. Simpler architecture with same security model.
Feature or Bugfix

Detail

- aws-actions/aws-codebuild-run-build
- test_infra/ in this repo, retiring the private repository

Security

Detailed analysis in the ADR. Key points:

- pull_request_target + environment approval gates

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.