change

Author: marcoacierno

.github/workflows/build-backend.yml

@@ -20,23 +20,12 @@ jobs:
           aws-access-key-id: ${{ secrets.aws_access_key_id }}
           aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
           aws-region: eu-central-1
-      - name: Set up QEMU dependency
-        uses: docker/setup-qemu-action@v3
       - name: Login to Amazon ECR
         uses: aws-actions/amazon-ecr-login@v2
-      - name: Set up Docker Buildx
-        id: buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Build and push
-        uses: docker/build-push-action@v6
+      - name: Run kaniko
+        uses: pythonitalia/kaniko-action@main
         with:
-          context: ./backend
-          file: ./backend/Dockerfile
-          builder: ${{ steps.buildx.outputs.name }}
-          provenance: false
           push: true
-          tags: |
-            ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com/pythonit/pycon-backend:arm-${{ inputs.githash }}
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
-          platforms: linux/arm64
+          tags: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-central-1.amazonaws.com/pythonit/pycon-backend:arm-${{ inputs.githash }}
+          cache: true
+          cache-repository: ghcr.io/${{ github.repository }}/cache

infrastructure/tools/github_runner_lambda.tf

@@ -44,6 +44,24 @@ resource "aws_iam_role_policy" "github_runner_webhook_lambda_policy" {
         Resource = [
           data.aws_ssm_parameter.github_token.arn
         ]
+      },
+      {
+        Effect   = "Allow"
+        Action   = [
+          "ecs:RunTask"
+        ]
+        Resource = [
+          "${aws_ecs_task_definition.github_runner.arn}*",
+        ]
+      },
+      {
+        Effect   = "Allow"
+        Action   = [
+          "iam:PassRole"
+        ]
+        Resource = [
+          aws_iam_role.github_runner_execution_role.arn
+        ]
       }
     ]
   })
@@ -75,6 +93,8 @@ resource "aws_lambda_function" "github_runner_webhook" {
           "assignPublicIp": "ENABLED"
         }
       })
+      ECS_CLUSTER_NAME = aws_ecs_cluster.github_runners.name
+      ECS_TASK_DEFINITION = aws_ecs_task_definition.github_runner.arn
     }
   }
 }

infrastructure/tools/github_runner_task.tf

@@ -67,6 +67,7 @@ resource "aws_ecs_task_definition" "github_runner" {
       name      = "runner"
       image     = "ghcr.io/actions/actions-runner:2.321.0"
       essential = true
+      entrypoint = ["bash", "-c"]
       portMappings = []
       logConfiguration = {
         logDriver = "awslogs"

infrastructure/tools/lambdas/github_runner_webhook.py

@@ -8,6 +8,8 @@
 WEBHOOK_SECRET = os.environ["WEBHOOK_SECRET"]
 GITHUB_TOKEN_SSM_NAME = os.environ["GITHUB_TOKEN_SSM_NAME"]
 NETWORK_CONFIGURATION = os.environ["NETWORK_CONFIGURATION"]
+ECS_CLUSTER_NAME = os.environ["ECS_CLUSTER_NAME"]
+ECS_TASK_DEFINITION = os.environ["ECS_TASK_DEFINITION"]
 
 
 def handler(event, context):
@@ -62,7 +64,7 @@ def handle_workflow_job(body, context):
         "labels": [arm64_fargate_label],
     }
     payload_encoded = json.dumps(payload).encode("utf-8")
-    print("sending payload:", payload_encoded)
+
     req = request.Request(
         "https://api.github.com/orgs/pythonitalia/actions/runners/generate-jitconfig",
         data=payload_encoded,
@@ -85,9 +87,17 @@ def handle_workflow_job(body, context):
     print("Context:", context)
 
     ecs_client = boto3.client("ecs")
-    ecs_client.start_task(
-        cluster="github-actions-runners",
+    ecs_client.run_task(
+        cluster=ECS_CLUSTER_NAME,
+        taskDefinition=ECS_TASK_DEFINITION,
         networkConfiguration=json.loads(NETWORK_CONFIGURATION),
+        count=1,
+        launchType="FARGATE",
+        overrides={
+            "containerOverrides": [
+                {"name": "runner", "command": [f"./run.sh --jitconfig {jit_config}"]}
+            ]
+        },
     )