From cd9c51087d35433174c208370865409abfebc9c3 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 17 Mar 2026 14:10:16 -0400
Subject: [PATCH] fix(buildspec): remove Unicode box-drawing chars that break CodeBuild parser

CodeBuild's YAML parser cannot handle non-ASCII characters (U+2500 box drawing chars) in command blocks. Replaced all decorative comment separators with plain ASCII and removed inline comments from command lists entirely.
---
 codebuild/buildspec.yml | 56 +++++++---------------------------------
 1 file changed, 9 insertions(+), 47 deletions(-)

diff --git a/codebuild/buildspec.yml b/codebuild/buildspec.yml
index 4399f34..0891963 100644
--- a/codebuild/buildspec.yml
+++ b/codebuild/buildspec.yml
@@ -1,25 +1,20 @@
 version: 0.2
 
-# ─────────────────────────────────────────────────────────────────────────────
 # ghe-runner daily rebuild
 #
 # Runs `tf apply` against the ghe-runner workspace identified by $TF_WORKSPACE,
-# then forces a new ECS deployment so runners pick up any updated task
-# definition, and immediately invokes the token-refresh Lambda so a fresh
-# registration token is available without waiting for the 30-min EventBridge
-# schedule.
+# then invokes the token-refresh Lambda so a fresh registration token is in
+# Secrets Manager before forcing a new ECS deployment.
 #
 # The `tf` script is downloaded from the team gist at install time and used
-# throughout — it automatically handles TF_DATA_DIR, var-file injection, and
-# workspace-specific JSON env loading, so none of that needs to be replicated
-# manually here.
+# throughout -- it automatically handles TF_DATA_DIR, var-file injection, and
+# workspace-specific JSON env loading.
 #
 # Environment variables injected by CodeBuild (see codebuild/main.tf):
-# TF_WORKSPACE - ghe-runner workspace (e.g. "default", "csvd")
-# TF_IN_AUTOMATION - set to "true" to suppress interactive prompts
-# GITHUB_TOKEN - GitHub PAT from Secrets Manager
+# TF_WORKSPACE - ghe-runner workspace (e.g. "default", "sct-engineering")
+# TF_IN_AUTOMATION - set to "true" to suppress interactive prompts
+# GITHUB_TOKEN - GitHub PAT from Secrets Manager
 # HTTP_PROXY / HTTPS_PROXY / NO_PROXY - outbound proxy config
-# ─────────────────────────────────────────────────────────────────────────────
 
 env:
   variables:
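Review bot: The rewritten "Environment variables injected by CodeBuild" list still omits `TF_VERSION` and `TF_GIST_URL`, both of which the install phase reads (the terraform download URL and the gist fetch), so the header no longer documents every input the build depends on. They may be declared in the `env: variables:` block that starts at the end of this hunk, but a reader of the header cannot tell. I would add two lines after `GITHUB_TOKEN`: `# TF_VERSION - terraform release to download in the install phase` and `# TF_GIST_URL - URL of the tf wrapper script fetched with GITHUB_TOKEN`. The `env:` mapping continues outside the hunk.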
@@ -31,34 +26,20 @@ phases:
   install:
     on-failure: ABORT
     commands:
-      # ── Install terraform ────────────────────────────────────────────────
       - echo "Installing terraform ${TF_VERSION}..."
       - curl -sLo /tmp/tf.zip "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
       - unzip -q /tmp/tf.zip -d /usr/local/bin && rm /tmp/tf.zip
       - terraform version
-
-      # ── Install tf wrapper script from team gist ─────────────────────────
-      # GITHUB_TOKEN is already in the environment (injected from Secrets Manager).
       - echo "Downloading tf script from gist..."
       - curl -sLo /usr/local/bin/tf -H "Authorization: token $GITHUB_TOKEN" "$TF_GIST_URL"
       - chmod +x /usr/local/bin/tf
       - tf --version
-
-      # ── Python already available in standard:7.0 ───────────────────────
       - pip3 install --quiet requests
 
   pre_build:
     on-failure: ABORT
     commands:
-      # ── Map GitHub PAT to Terraform variable ─────────────────────────────
-      # GITHUB_TOKEN is read automatically by the GitHub provider.
-      # TF_VAR_github_token satisfies the var.github_token Lambda variable.
       - export TF_VAR_github_token="$GITHUB_TOKEN"
-
-      # ── terraform init ───────────────────────────────────────────────────
-      # Use a workspace-specific backend-config if one exists; otherwise fall
-      # back to the backend.tf already committed to the repo root.
-      # tf passes init straight through to terraform so -backend-config works.
       - |
         BACKEND_CONFIG="backend-configs/${TF_WORKSPACE}.tf"
         if [ -f "$BACKEND_CONFIG" ]; then
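Review bot: Both downloads in the install phase are executed without any integrity check: the terraform zip is unpacked straight into `/usr/local/bin`, and the `tf` wrapper is pulled from a gist, `chmod +x`'d and then used to run `apply` with the PAT and the backend credentials, so whoever can edit that gist (or a mutable `TF_GIST_URL`) controls the build. The `curl -sL` calls also lack `-f`, so an HTTP error page is silently written to the target path and only caught later if `terraform version` / `tf --version` happen to fail on it. HashiCorp publishes a `terraform_${TF_VERSION}_SHA256SUMS` file next to each release that can be checked with `sha256sum -c`, and the wrapper should be pinned to a specific gist revision and a known digest (the `TF_SCRIPT_SHA256` variable below is one I am proposing, not one the file defines). The `pre_build` block scalar at the end of the hunk continues outside it.
```yaml
      - curl -fsSLo "/tmp/terraform_${TF_VERSION}_linux_amd64.zip" "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_linux_amd64.zip"
      - curl -fsSLo /tmp/terraform_SHA256SUMS "https://releases.hashicorp.com/terraform/${TF_VERSION}/terraform_${TF_VERSION}_SHA256SUMS"
      - cd /tmp && grep " terraform_${TF_VERSION}_linux_amd64.zip$" terraform_SHA256SUMS | sha256sum -c - && cd -
      - unzip -q "/tmp/terraform_${TF_VERSION}_linux_amd64.zip" -d /usr/local/bin && rm "/tmp/terraform_${TF_VERSION}_linux_amd64.zip" /tmp/terraform_SHA256SUMS
      # ... unchanged: terraform version, echo "Downloading tf script from gist..." ...
      - curl -fsSLo /usr/local/bin/tf -H "Authorization: token $GITHUB_TOKEN" "$TF_GIST_URL"
      - echo "${TF_SCRIPT_SHA256}  /usr/local/bin/tf" | sha256sum -c -
      # ... unchanged: chmod +x /usr/local/bin/tf, tf --version, pip3 install ...
```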
@@ -68,29 +49,17 @@ phases:
           echo "No workspace-specific backend config found; using backend.tf"
           tf init -input=false
         fi
-
-      # ── Select (or create) workspace ─────────────────────────────────────
-      # tf workspace select also sets up TF_DATA_DIR, injects the var-file via
-      # TF_CLI_ARGS_*, and loads varfiles/${TF_WORKSPACE}.json into the env.
       - tf workspace select "$TF_WORKSPACE"
       - echo "Active workspace: $(tf workspace show)"
 
   build:
     on-failure: ABORT
     commands:
-      # ── Apply ─────────────────────────────────────────────────────────────
-      - echo "Running tf apply for workspace: $TF_WORKSPACE"
+      - echo "Running tf apply for workspace ${TF_WORKSPACE}"
       - tf apply -auto-approve -input=false
-
-      # ── Token refresh before redeploy ────────────────────────────────────
-      # Invoke the Lambda first so a fresh registration token is already in
-      # Secrets Manager before any new container starts. If the ECS force-
-      # deploy happened first, containers could start with a stale token and
-      # fail to register with GitHub.
       - |
         LAMBDA_ARN=$(tf output -raw lambda_token_refresh_arn 2>/dev/null || true)
         AWS_REGION=$(aws configure get region || echo "us-gov-west-1")
-
         if [ -n "$LAMBDA_ARN" ]; then
           echo "Invoking token refresh Lambda: $LAMBDA_ARN"
           aws lambda invoke \
@@ -103,16 +72,10 @@ phases:
         else
           echo "Lambda not deployed or output not found; skipping token refresh."
         fi
-
-      # ── Force new ECS deployment ──────────────────────────────────────────
-      # Cycles the runner tasks so they pick up the updated task definition,
-      # refreshed image digest, or any changed environment. Runs after the
-      # token refresh so containers start with a guaranteed-fresh token.
       - |
         AWS_REGION=$(aws configure get region || echo "us-gov-west-1")
         CLUSTER=$(tf output -raw ecs_cluster_name 2>/dev/null)
         SERVICE=$(tf output -raw github_runner_service_name 2>/dev/null)
-
         if [ -n "$CLUSTER" ] && [ -n "$SERVICE" ]; then
           echo "Forcing new ECS deployment: cluster=$CLUSTER service=$SERVICE"
           aws ecs update-service \
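Review bot: The token-refresh step in the build phase silently degrades to a no-op: `LAMBDA_ARN=$(tf output -raw lambda_token_refresh_arn 2>/dev/null || true)` hides both "output not defined" and "tf output failed for another reason", and the `else` branch only echoes "skipping token refresh" before the build carries on to force an ECS deployment. That is precisely the stale-token race the deleted comment block described, and now nothing in the file says why the Lambda must run first. I would make the missing output fatal rather than best-effort, e.g. `LAMBDA_ARN=$(tf output -raw lambda_token_refresh_arn) || { echo "lambda_token_refresh_arn output missing; refusing to redeploy runners with a stale token" >&2; exit 1; }`, or at minimum gate the ECS `update-service` on the refresh having succeeded; the exit status of `aws lambda invoke` itself is also not checked. The `- |` block scalar that holds this logic runs past the end of the hunk.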
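Review bot: `AWS_REGION=$(aws configure get region || echo "us-gov-west-1")` overwrites the `AWS_REGION` variable that CodeBuild itself exports and that the AWS CLI reads, and `aws configure get region` appears to consult only the config file rather than the environment, so in a CodeBuild container with no `~/.aws/config` the hard-coded `us-gov-west-1` fallback wins regardless of where the build is actually running. If this project ever runs outside that region the Lambda invoke and `aws ecs update-service` would target the wrong endpoint, and the same line is duplicated in the preceding block. Prefer the region the build already has: `AWS_REGION="${AWS_REGION:-$(aws configure get region 2>/dev/null || echo us-gov-west-1)}"`. The `if [ -n "$CLUSTER" ] ...` block continues outside the hunk, so I cannot see how the `update-service` failure path is handled.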
@@ -127,5 +90,4 @@ phases:
   post_build:
     commands:
       - echo "Build completed at $(date -u '+%Y-%m-%dT%H:%M:%SZ')"
-      - echo "Workspace: $TF_WORKSPACE"
-      - echo "Terraform workspace: $(tf workspace show 2>/dev/null || echo unknown)"
+      - echo "Workspace: $(tf workspace show 2>/dev/null || echo unknown)"