Skip to content

ci(e2e): run E2E job on CodeBuild-hosted runner (POC)#1713

Merged
aidandaly24 merged 1 commit into
aws:mainfrom
notgitika:ci/e2e-codebuild-runner
Jul 8, 2026
Merged

ci(e2e): run E2E job on CodeBuild-hosted runner (POC)#1713
aidandaly24 merged 1 commit into
aws:mainfrom
notgitika:ci/e2e-codebuild-runner

Conversation

@notgitika

@notgitika notgitika commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Moves the e2e job off ubuntu-latest onto our AWS CodeBuild-hosted runner (project agentcore-e2e, CI account, us-east-1) to fix WAF 403s from GitHub-hosted runner IPs and cut runner-pickup latency (E2E infra doc, Section 1).

authorize job stays on ubuntu-latest. No E2E IAM changes — configure-aws-credentials still uses GitHub OIDC, which works from CodeBuild. POC scope: this workflow only; roll out to e2e-tests-full.yml + canary.yml after a bake.

Move the e2e job off ubuntu-latest onto our AWS CodeBuild-hosted GitHub
Actions runner (project agentcore-e2e in the CI account, us-east-1).

GitHub-hosted runner IPs rotate through shared pools whose reputation
trips the service WAF, causing 403s before the request reaches service
code; dedicated CodeBuild compute inside AWS avoids that and removes
cross-org runner-pickup latency. E2E API calls also no longer cross the
public internet.

The authorize job stays on ubuntu-latest (cheap, no AWS calls). No change
needed to the E2E IAM role: configure-aws-credentials still uses GitHub
OIDC, which works unchanged from a CodeBuild runner.

POC scope: this workflow only. Roll out to e2e-tests-full.yml and
canary.yml after a bake period.
@notgitika notgitika requested a review from a team July 8, 2026 19:47
@github-actions github-actions Bot added the size/xs PR size: XS label Jul 8, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jul 8, 2026
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Package Tarball

aws-agentcore-0.23.0.tgz

How to install

gh release download pr-1713-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.23.0.tgz

@agentcore-devx-automation

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jul 8, 2026

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Small, well-scoped POC that only touches runs-on for the e2e job. The label format codebuild-<project>-${{ github.run_id }}-${{ github.run_attempt }} matches the AWS-documented format, and the matrix strategy is fine — CodeBuild spawns a separate build per queued job sharing the label.

Sanity-checked the steps against a typical CodeBuild-hosted runner image (Amazon Linux, not Ubuntu):

  • actions/setup-node@v6, astral-sh/setup-uv@v7, aws-actions/configure-aws-credentials@v6, and aws-actions/aws-secretsmanager-get-secrets@v3 all work on Amazon Linux.
  • git clone, npm ci, npm pack, npm install -g — all fine on the standard CodeBuild image.
  • The two tests run in the run step (strands-bedrock langgraph-bedrock) don't require local Docker.
  • OIDC via configure-aws-credentials works from CodeBuild, so no IAM changes needed (confirmed in the PR description).

Known risks are already acknowledged in the description and appropriately scoped as follow-ups:

  • PAT-based webhook auth pending migration to the AWS Connector GitHub App.
  • Rollout limited to this one workflow so e2e-tests-full.yml / canary.yml stay on ubuntu-latest until this bakes.

Rollback is trivial (single-line revert). No blocking issues from me.

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jul 8, 2026
@aidandaly24 aidandaly24 merged commit 192ff38 into aws:main Jul 8, 2026
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/xs PR size: XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants