Spotlight
- Flex now canonicalizes workflow job GitHub App installation IDs from the current app registry, preventing stale installation IDs from breaking token refresh and active job processing.
- Pool runners now allow preinstall scripts to run for up to 30 minutes, while non-pool lifecycle scripts keep the existing 10-minute timeout.
- Added the windows25-gpu-x64 default image definition for Windows GPU runners.
- Runner job details now include the RunsOn stack name, making multi-stack diagnostics easier.
CloudFormation
- SSH access is disabled by default for new CloudFormation installs, and the managed networking template no longer opens SSH from 0.0.0.0/0 unless explicitly configured.
- Lambda log groups now use stack-scoped /runs-on/<stack>/lambda/... names with explicit log-write policies.
- Tightened CloudFormation IAM permissions for Lambda invocation, EC2 runner launches, S3 cache access, ECR Public access, CloudWatch metrics, SSM license state, WAF sync, and cleanup operations.
- Upgraded Python Lambda runtimes to python3.14 and hardened launch-template XML parsing.
Terraform
- SSH access is disabled by default for new Flex and Fleet module security groups.
- Terraform control-plane Lambda log groups now use stack-scoped names with explicit log-write policies.
- Tightened Terraform IAM permissions for runner launches, Lambda/API Gateway invocation, ECR Public reads, S3 cache prefixes, CloudWatch metrics, SSM license state, WAF sync, SQS, DynamoDB indexes, EFS, and cleanup operations.
- Enabled point-in-time recovery for the Flex workflow jobs DynamoDB table.
Other fixes
- Sanitized agent runtime EC2 tag keys and values before applying them to instances.
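As an added illustration of the last item (example code, not RunsOn's own sanitizer), the function below applies the EC2 tag constraints AWS documents: keys up to 128 characters, values up to 256, a character set of letters, digits, spaces and + - = . _ : / @, and a reserved aws: key prefix. The 50-tag cap per resource is also from the AWS documentation; replacing disallowed characters with an underscore and dropping keys that collide after cleaning are this example's own choices.

```python
import re
from typing import Optional

# EC2 tag limits as documented by AWS.
KEY_MAX_LEN = 128
VALUE_MAX_LEN = 256
MAX_TAGS = 50
RESERVED_PREFIX = "aws:"  # reserved for AWS use, matched case-insensitively

# Anything outside the documented set is replaced. \w is used (Unicode-aware
# in Python 3) because AWS allows Unicode letters and digits, not only ASCII.
DISALLOWED = re.compile(r"[^\w +\-=.:/@]")


def sanitize_tag_key(key: str) -> Optional[str]:
    """Return a safe tag key, or None if the key must be dropped entirely."""
    cleaned = DISALLOWED.sub("_", key.strip())[:KEY_MAX_LEN]
    if not cleaned or cleaned.lower().startswith(RESERVED_PREFIX):
        return None  # empty keys and reserved keys are rejected by EC2
    return cleaned


def sanitize_tag_value(value) -> str:
    """Return a safe tag value; EC2 permits an empty value."""
    return DISALLOWED.sub("_", str(value).strip())[:VALUE_MAX_LEN]


def sanitize_tags(tags: dict) -> dict:
    """Sanitize tags that originate from untrusted runtime input (for
    example workflow labels) before handing them to EC2."""
    out = {}
    for raw_key, raw_value in tags.items():
        key = sanitize_tag_key(str(raw_key))
        if key is None or key in out:
            continue  # dropped, or collides with an earlier cleaned key
        out[key] = sanitize_tag_value(raw_value)
        if len(out) >= MAX_TAGS:
            break  # EC2 accepts at most 50 tags per resource
    return out


if __name__ == "__main__":
    # Constructed sample: one good tag, one reserved key, one with junk.
    sample = {"runs-on/job": "build", "aws:stack": "x", "bad key$%": "v\n1"}
    print(sanitize_tags(sample))
```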