Skip to content

github

2 posts with the tag “github”

GitHub Action runner images (AMI) for AWS EC2

As part of the RunsOn service, we automatically maintain and publish replicas of the official GitHub runner images as AWS-formatted images (AMIs).

New images are automatically released within 48h of the official upstream release, and are slightly trimmed to remove outdated software, or (mostly useless) caches.

This means the disk usage is below 30GB, making it sufficiently small to boot in around 40s. The runner binary is also preinstalled in the images.

Supported regions:

  • us-east-1
  • eu-west-1

AMIs can be found using the following search:

  • name: runs-on-ubuntu22-full-x64-*
  • owner 135269210855

You can find more details on https://github.com/runs-on/runner-images-for-aws.

Use GitHub App manifests to symplify your GitHub App registration flow

Clicking through the GitHub UI interface to register a GitHub App with the correct permissions and settings is tedious, and error-prone.

I recently discovered that you can automate all this with GitHub App manifests, which contain all the required details about your app. You can then submit it to GitHub and dynamically exchange the manifest with the App ID, Webhook Secret, and Private key.

On the client front, you simply need a way to POST the manifest to GitHub, using a state parameter that you generate:

<form action="https://github.com/settings/apps/new?state=abc123" method="post">
Register a GitHub App Manifest: <input type="text" name="manifest" id="manifest"><br>
<input type="submit" value="Submit">
</form>
<script>
input = document.getElementById("manifest")
input.value = JSON.stringify({
"name": "Octoapp",
"url": "https://www.example.com",
"hook_attributes": {
"url": "https://example.com/github/events",
},
"redirect_url": "https://example.com/redirect",
"callback_urls": [
"https://example.com/callback"
],
"public": true,
"default_permissions": {
"issues": "write",
"checks": "write"
},
"default_events": [
"issues",
"issue_comment",
"check_suite",
"check_run"
]
})
</script>

Upon submission, GitHub will redirect back to your site with a temporary code, that you can then exchange for the app secrets.

For RunsOn GitHub Action runners, I am using this feature so that you only need 2 clicks after installation to get your private RunsOn app registered into your own GitHub organization with all the correct settings.

With Probot, you can describe your GitHub App manifest in YAML, so this would look like:

# The list of events the GitHub App subscribes to.
default_events:
- workflow_job
- meta
default_permissions:
# required for registering runners
administration: write
# required to access config file
single_file: write
# required to access collaborators and repository metadata
metadata: read
# Organization members and teams.
# https://developer.github.com/v3/apps/permissions/#permission-on-members
members: read
# required to access workflow runs
actions: read
single_file_paths:
- ./.github/runs-on.yml
name: runs-on
# Set to true when your GitHub App is available to the public or false when it is only accessible to the owner of the app.
public: false

For more details, you can have a look at the Probot doc about this.