
ci: add CodeBuild workflow and administrators guide #63

Open
scottschreckengaust wants to merge 7 commits into main from feat/codebuild-hosted-runner-workflow

Conversation

@scottschreckengaust
Member

@scottschreckengaust scottschreckengaust commented Feb 25, 2026

Summary

  • Adds a workflow_dispatch-triggered GitHub Actions workflow (build-codebuild.yml) that runs the full build on AWS CodeBuild via aws-actions/aws-codebuild-run-build (no webhooks)
  • Authenticates via OIDC using aws-actions/configure-aws-credentials, gated by a protected codebuild GitHub environment requiring non-self-approval from @awslabs/agent-plugins-admins
  • Adds docs/ADMINISTRATORS_GUIDE.md with:
    • Step-by-step prerequisites in deployment order (OIDC provider → CodeBuild project → IAM role → GitHub environment → secrets/variables)
    • Copy-pasteable CloudFormation template for the CodeBuild project with S3 artifact bucket (KMS-encrypted, 90-day lifecycle) for SARIF reports
    • Copy-pasteable CloudFormation template for the IAM OIDC role with conditional S3/KMS permissions for artifact download
    • GitHub CLI commands for environment setup with agent-plugins-admins team-based reviewers
    • Troubleshooting table for common deployment issues
  • Cross-references from README.md, CONTRIBUTING.md, and MAINTAINERS_GUIDE.md

Test plan

  • Set up GitHub and AWS based on the ADMINISTRATORS_GUIDE
  • Trigger the workflow via workflow_dispatch and confirm approval gate blocks until a non-self reviewer approves
  • Confirm CodeBuild build runs successfully and streams CloudWatch logs to the Actions console
  • Verify SARIF artifacts are uploaded to the S3 bucket under the build ID prefix
  • Verify all doc cross-references resolve correctly

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

Signed-off-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
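As an added illustration of the flow the summary describes (example only, not the PR's own build-codebuild.yml; the role ARN, region and project name are placeholders), a minimal workflow_dispatch workflow that exchanges the GitHub OIDC token for AWS credentials inside the protected `codebuild` environment and then starts the CodeBuild project:

```yaml
# Added example, not the PR's build-codebuild.yml. Role ARN, region and
# project name are placeholders to be replaced per deployment.
name: Build on CodeBuild

on:
  workflow_dispatch:   # manual trigger only; no push/pull_request/webhook triggers

# Deny-by-default GITHUB_TOKEN: the job needs an OIDC token and nothing more
# than read access to the repository.
permissions:
  id-token: write
  contents: read

# Serialize runs so two operators cannot start overlapping builds from one ref.
concurrency:
  group: codebuild-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build:
    runs-on: ubuntu-latest
    # Protected environment: required reviewers must approve before this job
    # (and therefore the OIDC token exchange below) is allowed to run.
    environment: codebuild
    steps:
      - name: Configure AWS credentials (OIDC, no stored access keys)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/PLACEHOLDER-github-codebuild-role  # placeholder
          aws-region: us-east-1                      # assumed region
          role-session-name: gha-${{ github.run_id }} # makes CloudTrail entries traceable to a run

      - name: Run CodeBuild project
        uses: aws-actions/aws-codebuild-run-build@v1
        with:
          project-name: PLACEHOLDER-codebuild-project  # placeholder
```

The `environment: codebuild` line is what ties the job to the required-reviewer gate, and it also changes the `sub` claim in the OIDC token (an environment-scoped value rather than a branch-scoped one). The gate only becomes an enforced control if the IAM role's trust policy checks for that environment-scoped `sub`; otherwise any other workflow in the same repository could assume the role without passing through the approval.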
@scottschreckengaust scottschreckengaust force-pushed the feat/codebuild-hosted-runner-workflow branch from cb95946 to 371b03a on February 25, 2026 22:29
Adds a workflow_dispatch-triggered GitHub Actions workflow that runs the
full build on AWS CodeBuild via aws-actions/aws-codebuild-run-build (no
webhooks). Authenticates via OIDC using aws-actions/configure-aws-credentials,
gated by a protected "codebuild" GitHub environment requiring non-self-approval
from the @awslabs/agent-plugins-admins team.

Adds docs/ADMINISTRATORS_GUIDE.md with:
- Copy-pasteable CloudFormation templates for the IAM OIDC role (step 2)
  and CodeBuild project with S3 artifact bucket (step 3)
- GitHub CLI commands for environment setup with team-based reviewers
- KMS decrypt permissions for SSE-encrypted SARIF artifacts
- Troubleshooting table for common deployment issues

Cross-references added to README.md, CONTRIBUTING.md, and MAINTAINERS_GUIDE.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@scottschreckengaust scottschreckengaust force-pushed the feat/codebuild-hosted-runner-workflow branch from 371b03a to b3d2a29 on February 25, 2026 22:58
scottschreckengaust and others added 5 commits February 26, 2026 00:44
Signed-off-by: Scott Schreckengaust <345885+scottschreckengaust@users.noreply.github.com>
Add step 2 documenting how to create a fine-grained GitHub PAT with
least-privilege permissions (Contents: Read-only) and import it into
CodeBuild. Renumber subsequent steps (3-6) and update all cross-references.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add custom parameter-overrides example and describe-stacks output
command to step 3. Add gh secret set / gh variable set commands to
step 6.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add S3 bucket policy enforcing SSL-only access (W51 remediation)
- Add cfn_nag suppression metadata with rationale (W11, W28, W32, W35, W84)
- Add checkov skip comments with rationale (CKV_AWS_18, CKV_AWS_21, CKV_AWS_158)
- Enable build badge on CodeBuild project
- Set PrivilegedMode: false explicitly on build environment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
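To show the trust-policy side of the same setup (an added example, not the PR's IAM OIDC role template; the account, repository, project, bucket and key values are parameters you would supply), a CloudFormation role whose trust policy accepts only tokens issued for the protected `codebuild` environment, and whose permissions are limited to starting and watching one project and reading the KMS-encrypted SARIF artifacts:

```yaml
# Added example, not the PR's template. All ARNs and names are parameters
# or placeholders; adjust to the deployed OIDC provider, project and bucket.
AWSTemplateFormatVersion: '2010-09-09'
Description: GitHub Actions OIDC role allowed to run one CodeBuild project (added example)

Parameters:
  GitHubOrg:
    Type: String
    Default: awslabs
  GitHubRepo:
    Type: String
    Default: PLACEHOLDER-repo          # placeholder
  CodeBuildProjectArn:
    Type: String                       # arn:aws:codebuild:<region>:<account>:project/<name>
  ArtifactBucketArn:
    Type: String                       # arn:aws:s3:::<bucket>
  ArtifactKmsKeyArn:
    Type: String                       # arn:aws:kms:<region>:<account>:key/<id>

Resources:
  GitHubActionsRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Federated: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
            Action: sts:AssumeRoleWithWebIdentity
            Condition:
              StringEquals:
                token.actions.githubusercontent.com:aud: sts.amazonaws.com
                # Only jobs that ran inside the protected environment carry this
                # sub value, so the required-reviewer gate is enforced here as well,
                # not just by the GitHub UI.
                token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${GitHubRepo}:environment:codebuild
      Policies:
        - PolicyName: run-codebuild-and-fetch-artifacts
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: StartAndWatchOneProject
                Effect: Allow
                Action:
                  - codebuild:StartBuild
                  - codebuild:BatchGetBuilds
                Resource: !Ref CodeBuildProjectArn
              - Sid: StreamBuildLogsToActions
                Effect: Allow
                Action:
                  - logs:GetLogEvents
                Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*:*
              - Sid: DownloadSarifArtifacts
                Effect: Allow
                Action:
                  - s3:GetObject
                Resource: !Sub ${ArtifactBucketArn}/*
              - Sid: DecryptArtifactsOnlyViaS3
                Effect: Allow
                Action:
                  - kms:Decrypt
                Resource: !Ref ArtifactKmsKeyArn
                Condition:
                  StringEquals:
                    # Key may be used only through S3 reads, not called directly.
                    kms:ViaService: !Sub s3.${AWS::Region}.amazonaws.com
```

Two checks are worth running after deploying something like this: assume the role from a job that sets no `environment` and confirm the `AssumeRoleWithWebIdentity` call is denied, and look for `AccessDenied` events on `sts.amazonaws.com` in CloudTrail, which are the signal that a workflow tried to reach the role outside the gate.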
@scottschreckengaust scottschreckengaust marked this pull request as ready for review February 27, 2026 00:55
@scottschreckengaust scottschreckengaust requested a review from a team February 27, 2026 00:55