docs: add developer's guide for running CodeBuild locally (#94)

scottschreckengaust · web-flow · commit 4f9292a392e6 · 2026-03-17T14:24:03.000Z
* docs: add developer's guide for running CodeBuild locally

* feat: updated for running codebuild locally

* Revise prerequisites and script options in guide

Updated prerequisites and options for the codebuild_build.sh script in the developer guide.

* Fix formatting of script options in developer guide

* Update developers guide with buildspec-override note

Added note about editing the buildspec-override value in codebuild.yml.

* Update DEVELOPERS_GUIDE.md

* fix: update documentation and run codebuild

Signed-off-by: Scott Schreckengaust &lt;scottschreckengaust@users.noreply.github.com&gt;

* fix: running codebuild

Signed-off-by: Scott Schreckengaust &lt;scottschreckengaust@users.noreply.github.com&gt;

* Update codebuild command for architecture handling

* feat: fixing for act locally

Signed-off-by: Scott Schreckengaust &lt;345885+scottschreckengaust@users.noreply.github.com&gt;

* feat(doc): the act use

Signed-off-by: Scott Schreckengaust &lt;345885+scottschreckengaust@users.noreply.github.com&gt;

---------

Signed-off-by: Scott Schreckengaust &lt;scottschreckengaust@users.noreply.github.com&gt;
Signed-off-by: Scott Schreckengaust &lt;345885+scottschreckengaust@users.noreply.github.com&gt;
Co-authored-by: Scott Schreckengaust &lt;345885+scottschreckengaust@users.noreply.github.com&gt;
diff --git a/.github/workflows/codebuild.yml b/.github/workflows/codebuild.yml
@@ -62,9 +62,10 @@ jobs:
         with:
           role-to-assume: ${{ secrets.AWS_CODEBUILD_ROLE_ARN }}
           aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
-          role-duration-seconds: 7200
+          role-duration-seconds: ${{ vars.ROLE_DURATION_SECONDS || 7200 }}
           role-session-name: GitHubActions${{ github.run_id }}
           mask-aws-account-id: true
+          retry-max-attempts: 0
 
       - name: Run CodeBuild
         if: steps.cache-check.outputs.cache-hit != 'true'
@@ -77,61 +78,90 @@ jobs:
             version: 0.2
             env:
               variables:
-                TEST_ONE: "1"
+                GH_TOKEN: ${{ github.token }}
             phases:
               install:
                 commands:
-                  - echo "install ${TEST_ONE}" | tee --append ./codebuild.out
-                  - dnf install -y lshw || echo "dnf install failed"
+                  - dnf config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo || echo "dnf config-manager"
+                  - dnf install -y 'dnf-command(config-manager)' gh || echo "dnf install failed"
+                  - curl -LsSf https://astral.sh/uv/install.sh | sh && export PATH=$HOME/.local/bin:$PATH || "echo uv failed"
               pre_build:
                 commands:
-                  - echo "pre_build ${TEST_ONE}" | tee --append ./codebuild.out
-                  - echo "=== OS ==="
-                  - cat /etc/os-release
-                  - echo "=== Kernel ==="
-                  - uname -a
-                  - echo "=== CPU ==="
-                  - lscpu
-                  - echo "=== Memory ==="
-                  - free -h
-                  - echo "=== Kisk ==="
-                  - df -h
-                  - echo "=== Block Devices ==="
-                  - lsblk
-                  - echo "=== Hardward Summary ==="
-                  - lshw -short || echo "lshw failed"
+                  - echo "pre_build"
+                  - mkdir -p .codebuild
+                  - touch .codebuild/codebuild.out
+                  - git config --global --add safe.directory "/codebuild/output/srcDownload/src" # for running AWS CodeBuild locally
               build:
                 commands:
-                  - echo "build ${TEST_ONE}" | tee --append ./codebuild.out
-                  - ls -alR
+                  - DEFAULT_BRANCH=$(gh repo view --json defaultBranchRef --jq '.defaultBranchRef.name')
+                  - CURRENT_BRANCH=$(git symbolic-ref --short HEAD 2>/dev/null || echo "")
+                  - CURRENT_TAG=$(git describe --tags --exact-match 2>/dev/null || echo "")
+                  - IS_RELEASE=$([[ -n "$CURRENT_TAG" ]] && echo "true" || echo "false")
+                  - IS_PRE_RELEASE=$([[ "$CURRENT_BRANCH" == "$DEFAULT_BRANCH" ]] && echo "true" || echo "false")
+                  - IS_PRE_MERGE=$([[ -z "$CURRENT_TAG" && "$CURRENT_BRANCH" != "$DEFAULT_BRANCH" ]] && echo "true" || echo "false")
+                  - if [[ "$IS_RELEASE" == "true" ]]; then echo "This is a release"; fi;
+                  - if [[ "$IS_PRE_RELEASE" == "true" ]]; then echo "This is a pre-release"; fi;
+                  - if [[ "$IS_PRE_MERGE" == "true" ]]; then echo "This is a pre-merge"; fi;
+                  - mkdir -p .codebuild/evaluation
+                  - mkdir -p .codebuild/trend
+                  - mkdir -p .codebuild/missing
+                  - touch .codebuild/evaluation/evaluation_report.html
+                  - touch .codebuild/evaluation/metrics.yml
+                  - touch .codebuild/trend/trend_report.html
               post_build:
                 commands:
-                  - echo "post_build ${TEST_ONE}" | tee --append ./codebuild.out
                   - echo "Build completed with status $CODEBUILD_BUILD_SUCCEEDING"
-                  - cat ./codebuild.out
+                  - cat ./.codebuild/codebuild.out
             artifacts:
               files:
-                - '**/codebuild.out'
-              discard-paths: yes
+                - '**/*'
+              discard-paths: no
+              base-directory: .codebuild
+              secondary-artifacts:
+                evaluation:
+                  files:
+                    - '**/*'
+                  name: evaluation
+                  discard-paths: yes
+                  base-directory: .codebuild/evaluation
+                trend:
+                  files:
+                    - '**/*'
+                  name: trend
+                  discard-paths: yes
+                  base-directory: .codebuild/trend
 
       - name: Build ID
         if: always() && steps.cache-check.outputs.cache-hit != 'true'
         run: echo "CodeBuild Build ID ${{ steps.codebuild.outputs.aws-build-id }}"
 
-      - name: Download CodeBuild artifact
+      - name: Download CodeBuild artifacts
         if: steps.cache-check.outputs.cache-hit != 'true'
         run: |
-          ARTIFACT_LOCATION=$(aws codebuild batch-get-builds \
+          DOWNLOADS="${ACT_CODEBUILD_DIR:-${GITHUB_WORKSPACE}/.codebuild/downloads}"
+          mkdir -p "$DOWNLOADS"
+          PRIMARY_ARTIFACT_LOCATION=$(aws codebuild batch-get-builds \
             --ids "${{ steps.codebuild.outputs.aws-build-id }}" \
             --query 'builds[0].artifacts.location' \
             --output text)
-          aws s3 cp "s3://${ARTIFACT_LOCATION#arn:aws:s3:::}" ./${{ env.CODEBUILD_PROJECT_NAME }}.zip
+          aws s3 cp "s3://${PRIMARY_ARTIFACT_LOCATION#arn:aws:s3:::}" "$DOWNLOADS/${{ env.CODEBUILD_PROJECT_NAME }}.zip"
+          SECONDARY_ARTIFACT_LOCATIONS=$(aws codebuild batch-get-builds \
+            --ids "${{ steps.codebuild.outputs.aws-build-id }}" \
+            --query 'builds[0].secondaryArtifacts[*].[artifactIdentifier, location]' \
+            --output json)
+          echo "$SECONDARY_ARTIFACT_LOCATIONS" | jq -r '.[] | @tsv' | while IFS=$'\t' read -r NAME LOCATION; do
+            echo "Downloading secondary artifact: $NAME"
+            aws s3 cp "s3://${LOCATION#arn:aws:s3:::}" "$DOWNLOADS/${NAME}.zip"
+          done
 
       - name: List CodeBuild artifacts
         if: steps.cache-check.outputs.cache-hit != 'true'
         run: |
-          ls -alR
-          unzip -l ${{ env.CODEBUILD_PROJECT_NAME }}.zip
+          DOWNLOADS="${ACT_CODEBUILD_DIR:-${GITHUB_WORKSPACE}/.codebuild/downloads}"
+          ls -alR "$DOWNLOADS"
+          unzip -l "$DOWNLOADS/${{ env.CODEBUILD_PROJECT_NAME }}.zip"
+          unzip -l "$DOWNLOADS/evaluation.zip"
+          unzip -l "$DOWNLOADS/trend.zip"
 
       - name: Clean old report caches
         if: steps.cache-check.outputs.cache-hit != 'true'
@@ -147,5 +177,29 @@ jobs:
         if: steps.cache-check.outputs.cache-hit != 'true'
         uses: actions/cache/save@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
-          path: ${{ env.CODEBUILD_PROJECT_NAME }}.zip
+          path: ${{ github.workspace }}/.codebuild/downloads/${{ env.CODEBUILD_PROJECT_NAME }}.zip
           key: ${{ env.CODEBUILD_PROJECT_NAME }}-${{ github.ref_name }}-${{ github.sha }}
+
+      - name: Upload CodeBuild primary artifact
+        if: ${{ !env.ACT }} # incompatability with v6 of upload-artifact and act
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: ${{ env.CODEBUILD_PROJECT_NAME }}.zip
+          path: ${{ github.workspace }}/.codebuild/downloads/${{ env.CODEBUILD_PROJECT_NAME }}.zip
+          if-no-files-found: error
+
+      - name: Upload CodeBuild secondary artifact - evaluation
+        if: ${{ !env.ACT }} # incompatability with v6 of upload-artifact and act
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: evaluation.zip
+          path: ${{ github.workspace }}/.codebuild/downloads/evaluation.zip
+          if-no-files-found: error
+
+      - name: Upload CodeBuild secondary artifact - trend
+        if: ${{ !env.ACT }} # incompatability with v6 of upload-artifact and act
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+        with:
+          name: trend.zip
+          path: ${{ github.workspace }}/.codebuild/downloads/trend.zip
+          if-no-files-found: error
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,8 @@
 .DS_Store
 .amazonq/**
-.claude/**
+.claude/**
+.codebuild/**
+.vscode/**
+.env
+buildspec.yml
+codebuild_build.sh
diff --git a/docs/DEVELOPERS_GUIDE.md b/docs/DEVELOPERS_GUIDE.md
@@ -0,0 +1,76 @@
+# Developer's Guide
+
+## Running CodeBuild Locally
+
+You can run AWS CodeBuild builds locally using the [CodeBuild local agent](https://docs.aws.amazon.com/codebuild/latest/userguide/use-codebuild-agent.html). This is useful for testing buildspec changes without pushing to the remote.
+
+### Prerequisites
+
+- Docker installed and running
+- The `codebuild_build.sh` script:
+
+### Basic Usage
+
+1. Setup
+- Download the local CodeBuild script and make it executable.
+- Send the `GH_TOKEN` environmental GitHub Personal Access Token (PAT) into a `./.env` file
+
+```bash
+if [ ! -f codebuild_build.sh ]; then
+  curl -O https://raw.githubusercontent.com/aws/aws-codebuild-docker-images/master/local_builds/codebuild_build.sh && chmod +x codebuild_build.sh;
+fi;
+echo "GH_TOKEN=${GH_TOKEN:-ghp_notset}" > "./.env";
+```
+
+2. Iterate
+
+- _Optionally edit the `buildspec-override` value in the `.github/workflows/codebuild.yml` GitHub workflow_
+- Update `./buildspec.yml` based on the workflow contents to a local file
+- Run AWS CodeBuild build locally with images based on the machine architecture
+
+```bash
+cat .github/workflows/codebuild.yml \
+    | uvx yq -r '.jobs.build.steps[] | select(.id == "codebuild") | .with["buildspec-override"]' \
+    > buildspec.yml
+./codebuild_build.sh \
+  -i "public.ecr.aws/codebuild/amazonlinux-$([ "$(arch)" = "arm64" -o "$(arch)" = "aarch64" ] && echo "aarch64" || echo "x86_64")-standard:$([ "$(arch)" = "arm64" -o "$(arch)" = "aarch64" ] && echo "3.0" || echo "5.0")" \
+  -a "./.codebuild/artifacts/" \
+  -l "public.ecr.aws/codebuild/local-builds:$([ "$(arch)" = "arm64" -o "$(arch)" = "aarch64" ] && echo "aarch64" || echo "latest")" \
+  -c \
+  -e "./.env"
+```
+
+### All Script Options
+
+| Flag         | Required | Description                                                                                                                                                                                         |
+|--------------|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-i IMAGE`   | Yes      | Customer build container image (e.g. `aws/codebuild/standard:5.0`)                                                                                                                                  |
+| `-a DIR`     | Yes      | Artifact output directory                                                                                                                                                                           |
+| `-b FILE`    | No       | Buildspec override file. Defaults to `buildspec.yml` in the source directory                                                                                                                        |
+| `-s DIR`     | No       | Source directory. First `-s` is the primary source; additional `-s` flags use `<sourceIdentifier>:<sourceLocation>` format for secondary sources. Defaults to the current working directory |
+| `-l IMAGE`   | No       | Override the default local agent image                                                                                                                                                              |
+| `-r DIR`     | No       | Report output directory                                                                                                                                                                             |
+| `-c`         | No       | Use AWS configuration and credentials from your local host (`~/.aws` and `AWS_*` environment variables)                                                                                             |
+| `-p PROFILE` | No       | AWS CLI profile to use (requires `-c`)                                                                                                                                                              |
+| `-e FILE`    | No       | File containing environment variables (`VAR=VAL` format, one per line)                                                                                                                              |
+| `-m`         | No       | Mount the source directory into the build container directly                                                                                                                                        |
+| `-d`         | No       | Run the build container in Docker privileged mode                                                                                                                                                   |
+
+
+## Running GitHub Actions locally
+
+_NOTE: This uses the [`act`](https://github.com/nektos/act) tool and assumes access to a valid AWS CodeBuild project `codebuild-project` in "us-east-1"_
+
+```shell
+act --platform ubuntu-latest=-self-hosted \
+    --job build \
+    --workflows .github/workflows/codebuild.yml \
+    --env-file .env \
+    --var CODEBUILD_PROJECT_NAME=codebuild-project \
+    --var AWS_REGION=us-east-1 \
+    --var ROLE_DURATION_SECONDS=7200 \
+    --artifact-server-path=$PWD/.codebuild/artifacts \
+    --cache-server-path=$PWD/.codebuild/artifacts \
+    --env ACT_CODEBUILD_DIR=$PWD/.codebuild/downloads \
+    --bind
+```
