fix(buildspec): remove Unicode box-drawing chars that break CodeBuild…
… parser

CodeBuild's YAML parser cannot handle non-ASCII characters (U+2500 box
drawing chars) in command blocks. Replaced all decorative comment
separators with plain ASCII and removed inline comments from command
lists entirely.
Your Name committed Mar 17, 2026
1 parent ef59742 commit cd9c510
Showing 1 changed file with 9 additions and 47 deletions.
56 changes: 9 additions & 47 deletions codebuild/buildspec.yml
@@ -1,25 +1,20 @@
version: 0.2

# ─────────────────────────────────────────────────────────────────────────────
# ghe-runner daily rebuild
#
# Runs `tf apply` against the ghe-runner workspace identified by $TF_WORKSPACE,
# then forces a new ECS deployment so runners pick up any updated task
# definition, and immediately invokes the token-refresh Lambda so a fresh
# registration token is available without waiting for the 30-min EventBridge
# schedule.
# then invokes the token-refresh Lambda so a fresh registration token is in
# Secrets Manager before forcing a new ECS deployment.
#
# The `tf` script is downloaded from the team gist at install time and used
# throughout — it automatically handles TF_DATA_DIR, var-file injection, and
# workspace-specific JSON env loading, so none of that needs to be replicated
# manually here.
# throughout -- it automatically handles TF_DATA_DIR, var-file injection, and
# workspace-specific JSON env loading.
#
# Environment variables injected by CodeBuild (see codebuild/main.tf):
# TF_WORKSPACE - ghe-runner workspace (e.g. "default", "csvd")
# TF_IN_AUTOMATION - set to "true" to suppress interactive prompts
# GITHUB_TOKEN - GitHub PAT from Secrets Manager
# TF_WORKSPACE - ghe-runner workspace (e.g. "default", "sct-engineering")
# TF_IN_AUTOMATION - set to "true" to suppress interactive prompts
# GITHUB_TOKEN - GitHub PAT from Secrets Manager
# HTTP_PROXY / HTTPS_PROXY / NO_PROXY - outbound proxy config
# ─────────────────────────────────────────────────────────────────────────────

env:
variables:
Expand All @@ -31,34 +26,20 @@ phases:
install:
on-failure: ABORT
commands:
# ── Install terraform ────────────────────────────────────────────────
- echo "Installing terraform ${TF_VERSION}..."
- curl -sLo /tmp/tf.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
- unzip -q /tmp/tf.zip -d /usr/local/bin && rm /tmp/tf.zip
- terraform version

# ── Install tf wrapper script from team gist ─────────────────────────
# GITHUB_TOKEN is already in the environment (injected from Secrets Manager).
- echo "Downloading tf script from gist..."
- curl -sLo /usr/local/bin/tf -H "Authorization: token $GITHUB_TOKEN" "$TF_GIST_URL"
- chmod +x /usr/local/bin/tf
- tf --version

# ── Python already available in standard:7.0 ─────────────────────────
- pip3 install --quiet requests

pre_build:
on-failure: ABORT
commands:
# ── Map GitHub PAT to Terraform variable ─────────────────────────────
# GITHUB_TOKEN is read automatically by the GitHub provider.
# TF_VAR_github_token satisfies the var.github_token Lambda variable.
- export TF_VAR_github_token="$GITHUB_TOKEN"

# ── terraform init ───────────────────────────────────────────────────
# Use a workspace-specific backend-config if one exists; otherwise fall
# back to the backend.tf already committed to the repo root.
# tf passes init straight through to terraform so -backend-config works.
- |
BACKEND_CONFIG="backend-configs/${TF_WORKSPACE}.tf"
if [ -f "$BACKEND_CONFIG" ]; then
Expand All @@ -68,29 +49,17 @@ phases:
echo "No workspace-specific backend config found; using backend.tf"
tf init -input=false
fi
# ── Select (or create) workspace ─────────────────────────────────────
# tf workspace select also sets up TF_DATA_DIR, injects the var-file via
# TF_CLI_ARGS_*, and loads varfiles/${TF_WORKSPACE}.json into the env.
- tf workspace select "$TF_WORKSPACE"
- echo "Active workspace: $(tf workspace show)"

build:
on-failure: ABORT
commands:
# ── Apply ─────────────────────────────────────────────────────────────
- echo "Running tf apply for workspace: $TF_WORKSPACE"
- echo "Running tf apply for workspace ${TF_WORKSPACE}"
- tf apply -auto-approve -input=false

# ── Token refresh before redeploy ────────────────────────────────────
# Invoke the Lambda first so a fresh registration token is already in
# Secrets Manager before any new container starts. If the ECS force-
# deploy happened first, containers could start with a stale token and
# fail to register with GitHub.
- |
LAMBDA_ARN=$(tf output -raw lambda_token_refresh_arn 2>/dev/null || true)
AWS_REGION=$(aws configure get region || echo "us-gov-west-1")
if [ -n "$LAMBDA_ARN" ]; then
echo "Invoking token refresh Lambda: $LAMBDA_ARN"
aws lambda invoke \
Expand All @@ -103,16 +72,10 @@ phases:
else
echo "Lambda not deployed or output not found; skipping token refresh."
fi
# ── Force new ECS deployment ──────────────────────────────────────────
# Cycles the runner tasks so they pick up the updated task definition,
# refreshed image digest, or any changed environment. Runs after the
# token refresh so containers start with a guaranteed-fresh token.
- |
AWS_REGION=$(aws configure get region || echo "us-gov-west-1")
CLUSTER=$(tf output -raw ecs_cluster_name 2>/dev/null)
SERVICE=$(tf output -raw github_runner_service_name 2>/dev/null)
if [ -n "$CLUSTER" ] && [ -n "$SERVICE" ]; then
echo "Forcing new ECS deployment: cluster=$CLUSTER service=$SERVICE"
aws ecs update-service \
Expand All @@ -127,5 +90,4 @@ phases:
post_build:
commands:
- echo "Build completed at $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
- echo "Workspace: $TF_WORKSPACE"
- echo "Terraform workspace: $(tf workspace show 2>/dev/null || echo unknown)"
- echo "Workspace: $(tf workspace show 2>/dev/null || echo unknown)"
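Review bot: The install-phase line `curl -sLo /usr/local/bin/tf -H "Authorization: token $GITHUB_TOKEN" "$TF_GIST_URL"` fetches the `tf` wrapper that every later phase runs and marks it executable without pinning a gist revision or verifying a checksum, so the build's Terraform entry point is whatever the gist serves at that moment; whether `TF_GIST_URL` already carries a revision cannot be seen here because the `env:` block is collapsed. The earlier `curl -sLo /tmp/tf.zip ...` has the same shape and does not check the zip against the SHA256SUMS file HashiCorp publishes for each release. Because neither call passes `--fail`, a 4xx/5xx response body would be written to the destination and, for the wrapper, made executable before `tf --version` notices. I would change both to `curl -fsSLo ...` and follow each download with a digest check such as `echo "<PINNED_SHA256_PLACEHOLDER>  /usr/local/bin/tf" | sha256sum -c -`, with the expected digest kept as a pinned buildspec variable rather than fetched at build time.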
