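# This workflow runs on a GitHub-hosted runner, authenticates to AWS via OIDC,
# and invokes CodeBuild's StartBuild API. CloudWatch logs are streamed back
# to the GitHub Actions console.
#
# Prerequisites: see docs/ADMINISTRATORS_GUIDE.md#codebuild-integration
#
# Trust boundary: the only credential this workflow holds is a short-lived
# GitHub OIDC token exchanged for the role in AWS_CODEBUILD_ROLE_ARN. The
# role's trust policy is the control that keeps other repositories/workflows
# from assuming it — it should require aud = sts.amazonaws.com and pin the
# sub claim to this repository and environment
# (repo:<org>/<repo>:environment:codebuild), not just the GitHub OIDC issuer.
name: Build (CodeBuild)
on:
  # Manual trigger only; there is no push/PR trigger, so the build runs on
  # whichever ref the dispatching user selected (github.sha below).
  workflow_dispatch: {}
# Workflow-level default: no GITHUB_TOKEN scopes at all. Each job must opt in
# to exactly the scopes it needs (see jobs.build.permissions).
permissions:
  actions: none
  attestations: none
  checks: none
  contents: none
  deployments: none
  discussions: none
  id-token: none
  issues: none
  models: none
  packages: none
  pages: none
  pull-requests: none
  repository-projects: none
  security-events: none
  statuses: none
jobs:
  build:
    # Protected environment — requires non-self-approval before the job runs.
    # Configure in Settings > Environments > codebuild:
    #   - Required reviewers: at least 1
    #   - Prevent self-review: enabled
    # Targeting an environment is also what puts ":environment:codebuild" in
    # the OIDC token's sub claim, so the role trust policy can key on it.
    environment: codebuild
    permissions:
      actions: read
      contents: read
      id-token: write # Required for OIDC token request to AWS STS
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to a full commit SHA (not a mutable
      # tag) so a tag move upstream cannot change what runs here.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e3ef6f550da368605b4c77eccc1b4b21662498dd # v4.1.0
        with:
          # Stored as a secret so the account ID is masked in logs; the ARN
          # itself is not sensitive, the trust policy is what protects it.
          role-to-assume: ${{ secrets.AWS_CODEBUILD_ROLE_ARN }}
          aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
      # NOTE(review): this prints the AWS account ID and assumed-role ARN into
      # the job log, which is readable by anyone who can view Actions logs for
      # this repository. Useful for debugging the trust policy; drop it (or
      # redirect to /dev/null) once the integration is stable.
      - name: Verify AWS identity
        run: aws sts get-caller-identity
      - name: Run CodeBuild
        id: codebuild
        # The assumed role needs only what this action calls — per its README
        # roughly codebuild:StartBuild, codebuild:BatchGetBuilds and
        # logs:GetLogEvents on the project's log group; do not grant more.
        uses: aws-actions/aws-codebuild-run-build@85cb4d9a6537e8456d6845d7cdf031a005181c3b # v1.0.18
        with:
          project-name: ${{ vars.CODEBUILD_PROJECT_NAME }}
          # Build exactly the commit that was dispatched, not the branch head
          # at the time CodeBuild fetches the source.
          source-version-override: ${{ github.sha }}
          # BUILD_GENERAL1_SMALL | BUILD_GENERAL1_MEDIUM | BUILD_GENERAL1_LARGE
          compute-type-override: BUILD_GENERAL1_LARGE
          # The buildspec lives here rather than in the CodeBuild project, so
          # anyone who can merge a change to this file controls what the
          # build role executes. The environment approval above is the
          # gate for that.
          buildspec-override: |
            version: 0.2
            env:
              variables:
                MISE_YES: "1"
            phases:
              install:
                commands:
                  # SECURITY(review): this executes an unpinned remote script
                  # fetched over TLS; there is no version pin or checksum, so
                  # the build trusts whatever mise.run serves at build time.
                  # -f makes curl fail on an HTTP error instead of piping an
                  # error page into sh; -sS keeps output quiet but reports
                  # failures; -L follows redirects.
                  - curl -fsSL https://mise.run | sh
                  - mise install
              pre_build:
                commands:
                  - eval "$(~/.local/bin/mise activate bash)"
                  - mise --version
                  - mise ls
              build:
                commands:
                  - eval "$(~/.local/bin/mise activate bash)"
                  - mise run build
              post_build:
                commands:
                  - echo "Build completed with status $CODEBUILD_BUILD_SUCCEEDING"
            artifacts:
              files:
                - '**/*_sarif.json'
              # Flattens directories in the artifact; SARIF files with the
              # same basename in different directories will collide.
              discard-paths: yes
      # Runs even when the build fails so the CodeBuild ID is available for
      # looking up the full CloudWatch log.
      - name: Build ID
        if: always()
        run: echo "CodeBuild Build ID ${{ steps.codebuild.outputs.aws-build-id }}"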