initial version.

Author: Niko Virtala

README.md

@@ -1,14 +1,35 @@
-# Welcome to your CDK TypeScript project!
+# GitHub Actions runners on AWS Fargate
 
-This is a blank project for TypeScript development with CDK.
+This repository contains an example how to run self-hosted GitHub Actions runners on AWS Fargate!
 
-The `cdk.json` file tells the CDK Toolkit how to execute your app.
+## Docker image
+
+Docker image is based on [`ubuntu:rolling`](https://hub.docker.com/_/ubuntu), which is currently pointed to `19.10` / `eoan`.
+
+On top the base image I have installed GitHub Actions Runner based on [About self-hosted runners](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) in GitHub documentation.
+
+## Deployment
+
+The application is deployed to AWS using [AWS Cloud Development Kit (AWS CDK)](https://docs.aws.amazon.com/cdk/latest/guide/home.html).
+
+- Store two parameters `GITHUB_ACCESS_TOKEN` and `GITHUB_REPOSITORY_URL` in to SSM Parameter Store.
+- Run `cdk synth --profile <your-aws-cli-profile>`
+- Run `cdk deploy --profile <your-aws-cli-profile>`
+- Wait a little while ...
+
+Now you should be able find your self-hosted runner from repository setting in GitHub:
+
+![](./self-hosted-runner-in-actions-settings.png "Self-hosted runner in GitHub Actions Settings")
+
+We can see also from the Fargate Task Logs that the runner is successfully registered:
+
+![](./fargate-task-logs-in-aws-console.png "Fargate Task Logs in AWS Console")
 
 ## Useful commands
 
- * `npm run build`   compile typescript to js
- * `npm run watch`   watch for changes and compile
- * `npm run test`    perform the jest unit tests
- * `cdk deploy`      deploy this stack to your default AWS account/region
- * `cdk diff`        compare deployed stack with current state
- * `cdk synth`       emits the synthesized CloudFormation template
+- `npm run build` compile typescript to js
+- `npm run watch` watch for changes and compile
+- `npm run test` perform the jest unit tests
+- `cdk deploy` deploy this stack to your default AWS account/region
+- `cdk diff` compare deployed stack with current state
+- `cdk synth` emits the synthesized CloudFormation template

bin/github-actions-runner.ts

@@ -1,7 +1,12 @@
 #!/usr/bin/env node
-import 'source-map-support/register';
-import * as cdk from '@aws-cdk/core';
-import { GithubActionsRunnerStack } from '../lib/github-actions-runner-stack';
+import "source-map-support/register";
+import * as cdk from "@aws-cdk/core";
+import { GithubActionsRunnerStack } from "../lib/github-actions-runner-stack";
 
 const app = new cdk.App();
-new GithubActionsRunnerStack(app, 'GithubActionsRunnerStack');
+new GithubActionsRunnerStack(app, "GithubActionsRunnerStack", {
+  env: {
+    account: process.env.CDK_DEFAULT_ACCOUNT,
+    region: process.env.CDK_DEFAULT_REGION,
+  },
+});

cdk.context.json

@@ -0,0 +1,9 @@
+{
+  "@aws-cdk/core:enableStackNameDuplicates": "true",
+  "aws-cdk:enableDiffNoFail": "true",
+  "availability-zones:account=827333031966:region=eu-west-1": [
+    "eu-west-1a",
+    "eu-west-1b",
+    "eu-west-1c"
+  ]
+}

cdk.json

@@ -1,7 +1,3 @@
 {
-  "app": "npx ts-node bin/github-actions-runner.ts",
-  "context": {
-    "@aws-cdk/core:enableStackNameDuplicates": "true",
-    "aws-cdk:enableDiffNoFail": "true"
-  }
+  "app": "npx ts-node bin/github-actions-runner.ts"
 }

fargate-task-logs-in-aws-console.png

@@ -0,0 +1,29 @@
+FROM ubuntu:rolling
+
+RUN apt-get update && apt-get install -y \
+  curl \
+  jq \
+  && rm -rf /var/lib/apt/lists/*
+
+RUN addgroup runner && \
+  adduser \
+  --system \
+  --disabled-password \
+  --home /home/runner \
+  --ingroup runner \
+  runner
+
+WORKDIR /home/runner
+
+RUN GITHUB_RUNNER_VERSION=${GITHUB_RUNNER_VERSION:-$(curl -s https://api.github.com/repos/actions/runner/releases/latest | jq -r .tag_name | sed 's/v//g')} \
+  && curl -sSLO https://github.com/actions/runner/releases/download/v${GITHUB_RUNNER_VERSION}/actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && tar -zxvf actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && rm -f actions-runner-linux-x64-${GITHUB_RUNNER_VERSION}.tar.gz \
+  && ./bin/installdependencies.sh \
+  && chown -R runner:runner /home/runner
+
+COPY entrypoint.sh entrypoint.sh
+
+USER runner
+
+ENTRYPOINT ["./entrypoint.sh"]

image/.dockerignore

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+RUNNER_NAME=${RUNNER_NAME:-default}
+RUNNER_WORKDIR=${RUNNER_WORKDIR:-_work}
+
+if [[ -z "${GITHUB_ACCESS_TOKEN}" || -z "${REPOSITORY_URL}" ]]; then
+  echo 'One of the mandatory parameters is missing. Quit!'
+  exit 1
+else
+  AUTH_HEADER="Authorization: token ${GITHUB_ACCESS_TOKEN}"
+  USERNAME=$(cut -d/ -f4 <<< ${REPOSITORY_URL})
+  REPOSITORY=$(cut -d/ -f5 <<< ${REPOSITORY_URL})
+
+  RUNNER_TOKEN="$(curl -XPOST -fsSL \
+    -H "Accept: application/vnd.github.v3+json" \
+    -H "${AUTH_HEADER}" \
+    "https://api.github.com/repos/${USERNAME}/${REPOSITORY}/actions/runners/registration-token" \
+    | jq -r '.token')"
+fi
+
+./config.sh --url "${REPOSITORY_URL}" --token "${RUNNER_TOKEN}" --name "${RUNNER_NAME}" --work "${RUNNER_WORKDIR}"
+./run.sh

image/Dockerfile

@@ -1,9 +1,62 @@
-import * as cdk from '@aws-cdk/core';
+import * as cdk from "@aws-cdk/core";
+import * as ec2 from "@aws-cdk/aws-ec2";
+import * as ecs from "@aws-cdk/aws-ecs";
+import * as ssm from "@aws-cdk/aws-ssm";
+import path = require("path");
+import { FargatePlatformVersion } from "@aws-cdk/aws-ecs";
 
 export class GithubActionsRunnerStack extends cdk.Stack {
   constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
     super(scope, id, props);
 
-    // The code that defines your stack goes here
+    const vpc = new ec2.Vpc(this, "GitHubActionsRunnerVpc", {
+      maxAzs: 1, // Default is all AZs in region
+    });
+
+    const cluster = new ecs.Cluster(this, "GitHubActionsRunnerCluster", {
+      vpc: vpc,
+    });
+
+    const taskDefinition = new ecs.FargateTaskDefinition(
+      this,
+      "GitHubActionsRunnerTaskDefinition"
+    );
+
+    taskDefinition.addContainer("GitHubActionsRunnerContainer", {
+      image: ecs.ContainerImage.fromAsset(path.resolve(__dirname, "../image")),
+      logging: ecs.LogDrivers.awsLogs({ streamPrefix: "GitHubActionsRunner" }),
+      secrets: {
+        GITHUB_ACCESS_TOKEN: ecs.Secret.fromSsmParameter(
+          ssm.StringParameter.fromSecureStringParameterAttributes(
+            this,
+            "GitHubAccessToken",
+            {
+              parameterName: "GITHUB_ACCESS_TOKEN",
+              version: 0,
+            }
+          )
+        ),
+        REPOSITORY_URL: ecs.Secret.fromSsmParameter(
+          ssm.StringParameter.fromSecureStringParameterAttributes(
+            this,
+            "GitHubRepositoryUrl",
+            {
+              parameterName: "REPOSITORY_URL",
+              version: 0,
+            }
+          )
+        ),
+      },
+    });
+
+    const ecsService = new ecs.FargateService(
+      this,
+      "GitHubActionsRunnerService",
+      {
+        cluster,
+        taskDefinition,
+        platformVersion: FargatePlatformVersion.VERSION1_3,
+      }
+    );
   }
 }