AI agents

Run AI-assisted CI on RunsOn runners — IAM access to invoke Amazon Bedrock models, and self-hosted execution for GitHub's Copilot coding agent.

RunsOn runners are a natural home for AI-assisted CI: automated code review, test triage, documentation generation, and coding agents. There are two complementary ways to power those workloads:

  • Amazon Bedrock access — grant runners IAM permission to invoke Bedrock models (Anthropic Claude and others) with no long-lived API keys.
  • GitHub Copilot coding agent — point Copilot’s coding agent at a RunsOn runner as its execution environment.

Amazon Bedrock

Bedrock access gives runner instances IAM permissions to invoke Amazon Bedrock models — Anthropic Claude and others — directly from your jobs. Because the runner runs in your own AWS account, jobs call Bedrock through the instance role, with no long-lived API keys to manage. Enabling Bedrock attaches the IAM policy only; calls reach the public Bedrock runtime endpoint by default. To keep traffic off the public internet, provision a bedrock-runtime VPC interface endpoint yourself.

This is the building block for AI-assisted CI workflows such as automated code review, test triage, and documentation generation.
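
A pre-flight check a job step could run before calling Bedrock, as an added example that is not RunsOn's own code: it reports whether the bedrock-runtime hostname resolves to private addresses (the VPC endpoint path) and whether environment access keys would shadow the instance role. It assumes the endpoint has private DNS enabled and the VPC uses RFC 1918 ranges; the function names and BEDROCK_HOST are illustrative.

```shell
#!/bin/sh
# Added example, not RunsOn code. Function names and BEDROCK_HOST are
# illustrative; assumes private DNS on the endpoint and an RFC 1918 VPC CIDR.
BEDROCK_HOST="bedrock-runtime.us-east-1.amazonaws.com"

# Succeeds only when $1 is a dotted IPv4 address in RFC 1918 space.
is_private_ipv4() {
  case "$1" in ''|*[!0-9.]*) return 1 ;; *.*.*.*) ;; *) return 1 ;; esac
  a=${1%%.*}; rest=${1#*.}; b=${rest%%.*}
  [ -n "$a" ] && [ -n "$b" ] || return 1
  case "$a" in
    10)  return 0 ;;
    172) [ "$b" -ge 16 ] && [ "$b" -le 31 ] ;;
    192) [ "$b" -eq 168 ] ;;
    *)   return 1 ;;
  esac
}

# Prints private, public or unresolved for a list of resolved addresses.
# One public address is enough to report public.
classify_endpoint() {
  [ "$#" -gt 0 ] || { echo unresolved; return 0; }
  for ip in "$@"; do
    is_private_ipv4 "$ip" || { echo public; return 0; }
  done
  echo private
}

# Environment access keys take precedence over the instance role in the
# AWS credential chain, so their presence means the role is not in use.
credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then echo static-env-keys
  else echo no-env-keys; fi
}

# Run on the runner: resolve the endpoint, report, fail unless both hold.
bedrock_preflight() {
  ips=$(getent ahostsv4 "$BEDROCK_HOST" | awk '{print $1}' | sort -u)
  path=$(classify_endpoint $ips)   # unquoted on purpose: one word per address
  creds=$(credential_source)
  echo "endpoint=$path credentials=$creds"
  [ "$path" = private ] && [ "$creds" = no-env-keys ]
}

# Constructed sample addresses so the block runs offline.
classify_endpoint 10.0.12.34 172.31.5.9    # both inside RFC 1918
classify_endpoint 10.0.12.34 203.0.113.10  # second one is public
```

In a workflow, call bedrock_preflight in the step before the first aws bedrock-runtime command so the job fails early when traffic would leave the VPC or static keys are present.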

Flex

Enable Bedrock on the Flex stack with the EnableBedrock parameter. Once enabled, runners receive an instance role allowed to invoke Bedrock, and jobs can call it with the AWS CLI or any SDK:

.github/workflows/ai-review.yml
jobs:
  review:
    runs-on: runs-on=${{ github.run_id }}/runner=2cpu-linux-x64
    steps:
      - run: |
          aws bedrock-runtime converse \
            --region us-east-1 \
            --model-id us.anthropic.claude-sonnet-4-6 \
            --messages '[{"role":"user","content":[{"text":"Reply with OK only."}]}]' \
            --inference-config '{"maxTokens":8,"temperature":0}' \
            --query 'output.message.content[0].text' --output text

See the EnableBedrock stack parameter for the full reference.

Fleet

For Fleet, Bedrock access is configured in Terraform. Set enable_bedrock = true on the Fleet module — it applies to every runner instance the stack launches, granting them the same IAM access as Flex:

module "runs_on_fleet" {
  source = "..."
  # ...stack configuration...
  enable_bedrock = true
  runners = {
    ai-review = {
      family = ["m7i.large"]
      image  = "ubuntu24-full-x64"
    }
  }
  fleets = {
    ai = {
      runner = "ai-review"
    }
  }
}

Workflows then target the fleet label and call Bedrock the same way as Flex jobs.

AWS-side model access

Enabling Bedrock on the runner only grants the IAM permissions. Before a model can be invoked, your AWS account also needs model access granted on the Bedrock side — Anthropic models require a one-time use-case submission, and the first invocation can auto-create the AWS Marketplace agreement when the caller has enough permissions.

GitHub Copilot coding agent

RunsOn runners can serve as the execution environment for GitHub’s Copilot coding agent, so the agent works in your own AWS account with access to your VPC, internal resources, and the same runner shapes you use for CI.

Copilot picks up a .github/workflows/copilot-setup-steps.yml file in the repository and runs its copilot-setup-steps job before the agent starts. Point that job’s runs-on: at a RunsOn runner label:

.github/workflows/copilot-setup-steps.yml
jobs:
  copilot-setup-steps:
    runs-on: runs-on=${{ github.run_id }}/runner=2cpu-linux-x64
    steps:
      - uses: actions/checkout@v6
      # install the languages, tools, and dependencies the agent needs preinstalled

A few requirements apply on the GitHub side:

  • An organization admin must enable repository-level runner customization for the Copilot cloud agent, and configure the allowed runner group / runner label in the organization’s Copilot settings.
  • Copilot’s native firewall is not compatible with self-hosted runners. Disable it in the repository’s Copilot coding agent settings — otherwise the agent is blocked.
  • This integration targets github.com. The GitHub environment variables RunsOn injects for the agent are only set on github.com runners, not on GitHub Enterprise Server (GHES).

See GitHub’s docs on customizing the agent environment and configuring runners for the coding agent.