change

Author: marcoacierno

.editorconfig

@@ -30,5 +30,5 @@ indent_size = 2
 [Makefile]
 indent_style = tab
 
-[*.tf]
+[{*.tf,*.tofu}]
 indent_size = 2

.github/workflows/build-backend.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: [self-hosted]
+    runs-on: [self-hosted, arm64-fargate]
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/build-frontend.yml

@@ -11,7 +11,7 @@ on:
 jobs:
   build:
     name: Build
-    runs-on: [self-hosted]
+    runs-on: [self-hosted, arm64-fargate]
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/build-pretix.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   build:
     name: Build pretix
-    runs-on: [self-hosted]
+    runs-on: [self-hosted, arm64-fargate]
     steps:
       - uses: actions/checkout@v4
         with:

infrastructure/tools/.archive_files/github_runner_webhook.zip

@@ -0,0 +1 @@
+opentofu 1.8.8

infrastructure/tools/.terraform.lock.hcl

@@ -0,0 +1,3 @@
+data "github_repository" "pycon" {
+  full_name = "pythonitalia/pycon"
+}

infrastructure/tools/.tool-versions

@@ -0,0 +1,62 @@
+data "aws_iam_policy_document" "github_runner_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "github_runner_iam" {
+  name               = "github_runner_iam"
+  assume_role_policy = data.aws_iam_policy_document.github_runner_assume_role.json
+}
+
+resource "aws_iam_role_policy" "github_runner_lambda_policy" {
+  name = "github_runner_lambda_policy"
+  role = aws_iam_role.github_runner_iam.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Effect   = "Allow"
+        Action   = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents"
+        ]
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+data "archive_file" "github_runner_webhook_artifact" {
+  type        = "zip"
+  source_file = "${path.root}/lambdas/github_runner_webhook.py"
+  output_path = "${path.root}/.archive_files/github_runner_webhook.zip"
+}
+
+resource "aws_lambda_function" "github_runner_webhook" {
+  function_name = "github_runner_webhook"
+  role          = aws_iam_role.github_runner_iam.arn
+  handler       = "github_runner_webhook.handler"
+  runtime = "python3.13"
+  filename         = data.archive_file.github_runner_webhook_artifact.output_path
+  source_code_hash = data.archive_file.github_runner_webhook_artifact.output_base64sha256
+  environment {
+    variables = {
+      WEBHOOK_SECRET = random_password.webhook_secret.result
+    }
+  }
+}
+
+resource "aws_lambda_function_url" "github_runner_webhook" {
+  function_name      = aws_lambda_function.github_runner_webhook.function_name
+  authorization_type = "NONE"
+}

infrastructure/tools/github_repo.tf

@@ -0,0 +1,17 @@
+resource "random_password" "webhook_secret" {
+  length           = 64
+  special          = true
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "github_repository_webhook" "github_runner_notify" {
+  repository = data.github_repository.pycon.name
+  events = ["workflow_job"]
+  active = true
+
+  configuration {
+    url          = aws_lambda_function_url.github_runner_webhook.function_url
+    secret = random_password.webhook_secret.result
+    content_type = "json"
+  }
+}