CodeBuild GitHub Actions Runner Project (#2704)

### Description of changes: 
Sets up a CodeBuild project to be able to leverage self-hosted GitHub
Action Runners in AWS CodeBuild.

### Testing:
Follow-up PRs will migrate various omnibus jobs and demonstrate this
working. For now this just stages the CDK code needed to get it setup so
we can phase roll it out.

A demonstration of this code in action can be found here:
https://github.com/skmcgrail/aws-lc/actions/runs/17870473934

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Author: skmcgrail

.github/actions/codebuild-docker-run/action.yml

@@ -0,0 +1,32 @@
+name: 'codebuild-docker-run'
+description: 'Run one or more commands inside a docker container'
+inputs:
+  image:
+    description: 'Docker image to pull'
+    required: true
+  options:
+    description: 'Additional docker run configuration options'
+    required: false
+  run:
+    description: 'Run command in container'
+    required: false
+  shell:
+    description: 'Use a specific shell that must be available in the image'
+    required: false
+    default: bash
+  env:
+    description: 'Environment variables to set or pass to the container'
+    required: false
+    default: ''
+runs:
+  using: 'composite'
+  steps:
+    - name: Run Docker Container (${{ inputs.image }})
+      shell: bash
+      env:
+        INPUT_IMAGE: ${{ inputs.image }}
+        INPUT_OPTIONS: ${{ inputs.options }}
+        INPUT_RUN: ${{ inputs.run }}
+        INPUT_SHELL: ${{ inputs.shell }}
+        INPUT_ENV: ${{ inputs.env }}
+      run: ${{ github.action_path }}/codebuild-docker-run.sh

.github/actions/codebuild-docker-run/codebuild-docker-run.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+
+set -ex
+
+# Function to parse INPUT_ENV and convert to -e flags
+parse_env_vars() {
+    local env_string="$1"
+    local env_flags=""
+    
+    # Return empty if INPUT_ENV is not set or empty
+    if [[ -z "$env_string" ]]; then
+        echo ""
+        return
+    fi
+    
+    # Process each line as a single key=value pair or just key
+    while IFS= read -r line; do
+        # Skip empty lines
+        [[ -z "$line" ]] && continue
+        
+        # Check if line contains an equals sign
+        if [[ "$line" == *"="* ]]; then
+            # Extract key and value
+            key="${line%%=*}"
+            value="${line#*=}"
+            
+            # Skip if key is empty
+            [[ -z "$key" ]] && continue
+            
+            # Add -e flag with proper quoting
+            env_flags="$env_flags -e $key=\"$value\""
+        else
+            # Line is just a key name, pass current environment value
+            key="$line"
+            
+            # Skip if key is empty
+            [[ -z "$key" ]] && continue
+            
+            # Add -e flag without value (Docker will use current environment)
+            env_flags="$env_flags -e $key"
+        fi
+    done <<< "$env_string"
+    
+    echo "$env_flags"
+}
+
+# Parse environment variables from INPUT_ENV
+ENV_FLAGS=$(parse_env_vars "$INPUT_ENV")
+
+exec docker run -v /var/run/docker.sock:/var/run/docker.sock \
+    -v ${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE} \
+    -w ${GITHUB_WORKSPACE} \
+    ${INPUT_OPTIONS:-} \
+    -e GOPROXY \
+    ${ENV_FLAGS} \
+    --entrypoint=${INPUT_SHELL} ${INPUT_IMAGE} \
+    -c "${INPUT_RUN//$'\n'/;}"

.github/workflows/actions-ci.yml

@@ -13,7 +13,7 @@ env:
   SDE_VERSION_TAG: sde-external-9.44.0-2024-08-22-win
   PACKAGE_NAME: aws-lc
   # Used to enable ASAN test dimension.
-  AWSLC_NO_ASM_FIPS: 1
+  AWSLC_ENABLE_FIPS_ASAN: 1
   DEBIAN_FRONTEND: noninteractive
 
 jobs:

tests/ci/cdk/cdk/aws_lc_github_actions_stack.py

@@ -0,0 +1,132 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+import typing
+
+from aws_cdk import (
+    Duration,
+    Stack,
+    aws_codebuild as codebuild,
+    aws_iam as iam,
+    aws_s3_assets,
+    aws_logs as logs,
+    Environment,
+)
+from constructs import Construct
+
+from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
+from cdk.components import PruneStaleGitHubBuilds
+from util.iam_policies import (
+    code_build_publish_metrics_in_json,
+)
+from util.metadata import LINUX_X86_ECR_REPO, LINUX_AARCH_ECR_REPO, WINDOWS_X86_ECR_REPO
+
+class AwsLcGitHubActionsStack(AwsLcBaseCiStack):
+    """Define a stack used to execute AWS-LC self-hosted GitHub Actions Runners."""
+
+    def __init__(
+        self,
+        scope: Construct,
+        id: str,
+        env: typing.Union[Environment, typing.Dict[str, typing.Any]],
+        **kwargs
+    ) -> None:
+        super().__init__(scope, id, env=env, timeout=180, **kwargs)
+
+        # Define a IAM role for this stack.
+        metrics_policy = iam.PolicyDocument.from_json(
+            code_build_publish_metrics_in_json(env)
+        )
+
+        inline_policies = {
+            "metrics_policy": metrics_policy,
+            "ecr": iam.PolicyDocument(
+                statements=[
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        actions=[
+                            "ecr:GetAuthorizationToken",
+                        ],
+                        resources=["*"],
+                    ),
+                    iam.PolicyStatement(
+                        effect=iam.Effect.ALLOW,
+                        actions=[
+                            "ecr:BatchGetImage",
+                            "ecr:BatchCheckLayerAvailability",
+                            "ecr:GetDownloadUrlForLayer",
+                        ],
+                        resources=[
+                            "arn:aws:ecr:{}:{}:repository/{}"
+                                .format(env.region, env.account, repo) for repo in [LINUX_X86_ECR_REPO,
+                                                                                    LINUX_AARCH_ECR_REPO,
+                                                                                    WINDOWS_X86_ECR_REPO]
+                        ],
+                    ),
+                ],
+            )
+        }
+        role = iam.Role(
+            scope=self,
+            id="{}-role".format(id),
+            assumed_by=iam.ServicePrincipal("codebuild.amazonaws.com"),
+            inline_policies=inline_policies,
+        )
+
+        logging_options = codebuild.LoggingOptions(
+            cloud_watch=codebuild.CloudWatchLoggingOptions(log_group=logs.LogGroup(
+                self, id="{}-logs".format(id)))
+        )
+
+        # Override base class provided configuration
+        self.git_hub_source = codebuild.Source.git_hub(
+            owner=self.github_repo_owner,
+            repo=self.github_repo_name,
+            webhook=True,
+            webhook_filters=[
+                codebuild.FilterGroup.in_event_of(
+                    codebuild.EventAction.WORKFLOW_JOB_QUEUED
+                ),
+            ],
+        )
+
+        # Define CodeBuild.
+        project = codebuild.Project(
+            scope=self,
+            id=id,
+            project_name=id,
+            source=self.git_hub_source,
+            role=role,
+            timeout=Duration.minutes(self.timeout),
+            logging=logging_options,
+            environment=codebuild.BuildEnvironment(
+                compute_type=codebuild.ComputeType.SMALL,
+                privileged=True,
+                build_image=codebuild.LinuxBuildImage.STANDARD_7_0,
+                environment_variables={
+                    "AWS_ACCOUNT_ID": codebuild.BuildEnvironmentVariable(value=env.account),
+                },
+            ),
+            build_spec=codebuild.BuildSpec.from_object({
+                "version": 0.2,
+                "phases": {
+                    "pre_build": {
+                        "commands": [
+                            "mkdir -p /root/.docker",
+                            """\
+cat <<EOF > /root/.docker/config.json
+{
+  "credHelpers": {
+    "public.ecr.aws": "ecr-login",
+    "$AWS_ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com": "ecr-login"
+  }
+}
+EOF
+"""
+                        ]
+                    }
+                },
+            }),
+        )
+
+        cfn_project = project.node.default_child
+        cfn_project.add_property_override("Triggers.PullRequestBuildPolicy", self.pull_request_policy)

tests/ci/cdk/cdk/codebuild/github_ci_linux_arm_omnibus.yaml

@@ -106,7 +106,7 @@ batch:
         variables:
           # AWS_LC_GO_TEST_TIMEOUT is needed on aarch when ASAN is enabled because the ASAN is very slow.
           AWS_LC_GO_TEST_TIMEOUT: 120m
-          AWSLC_NO_ASM_FIPS: 1
+          AWSLC_ENABLE_FIPS_ASAN: 1
           AWS_LC_CI_TARGET: "tests/ci/run_fips_tests.sh"
 
     - identifier: ubuntu2004_clang7x_aarch_minimal
@@ -239,7 +239,6 @@ batch:
         variables:
           # AL2 Clang-7 does not support AddressSanitizer. Related ticket is linked in CryptoAlg-694.
           # https://github.com/aws/aws-lc/pull/120#issuecomment-808439279
-          AWSLC_NO_ASM_FIPS: 0
           AWS_LC_CI_TARGET: "tests/ci/run_fips_tests.sh"
 
     - identifier: amazonlinux2023_gcc11x_aarch
@@ -270,9 +269,6 @@ batch:
         compute-type: BUILD_GENERAL1_LARGE
         image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-aarch:amazonlinux-2_gcc-7x_latest
         variables:
-          # AL2 Clang-7 does not support AddressSanitizer. Related ticket is linked in CryptoAlg-694.
-          # https://github.com/aws/aws-lc/pull/120#issuecomment-808439279
-          AWSLC_NO_ASM_FIPS: 0
           AWS_LC_CI_TARGET: "tests/ci/run_fips_callback_tests.sh"
 
     - identifier: amazonlinux2023_gcc11x_aarch_fips_callback

tests/ci/cdk/cdk/codebuild/github_ci_linux_x86_omnibus.yaml

@@ -223,7 +223,7 @@ batch:
         compute-type: BUILD_GENERAL1_LARGE
         image: 620771051181.dkr.ecr.us-west-2.amazonaws.com/aws-lc-docker-images-linux-x86:ubuntu-20.04_clang-7x_latest
         variables:
-          AWSLC_NO_ASM_FIPS: 1
+          AWSLC_ENABLE_FIPS_ASAN: 1
           AWS_LC_CI_TARGET: "tests/ci/run_fips_tests.sh"
 
     - identifier: ubuntu2004_clang8x_x86_64
@@ -378,7 +378,6 @@ batch:
         variables:
           # AL2 Clang-7 does not support AddressSanitizer. Related ticket is linked in CryptoAlg-694.
           # https://github.com/aws/aws-lc/pull/120#issuecomment-808439279
-          AWSLC_NO_ASM_FIPS: 0
           AWS_LC_CI_TARGET: "tests/ci/run_fips_tests.sh"
 
     - identifier: amazonlinux2_clang7x_x86_64_prefix

tests/ci/cdk/pipeline/ci_stage.py

@@ -15,6 +15,7 @@
 from constructs import Construct
 
 from cdk.aws_lc_base_ci_stack import AwsLcBaseCiStack
+from cdk.aws_lc_github_actions_stack import AwsLcGitHubActionsStack
 from pipeline.ci_util import add_ci_stacks
 from pipeline.codebuild_batch_step import CodeBuildBatchStep
 from util.metadata import (
@@ -47,7 +48,8 @@ def __init__(
     @property
     def stacks(self) -> typing.List[AwsLcBaseCiStack]:
         return [
-            child for child in self.node.children if isinstance(child, AwsLcBaseCiStack)
+            child for child in self.node.children if isinstance(child, AwsLcBaseCiStack) and 
+                not isinstance(child, AwsLcGitHubActionsStack)
         ]
 
     def add_stage_to_pipeline(

tests/ci/cdk/pipeline/ci_util.py

@@ -6,6 +6,7 @@
 from cdk.aws_lc_analytics_stack import AwsLcGitHubAnalyticsStack
 from cdk.aws_lc_android_ci_stack import AwsLcAndroidCIStack
 from cdk.aws_lc_ec2_test_framework_ci_stack import AwsLcEC2TestingCIStack
+from cdk.aws_lc_github_actions_stack import AwsLcGitHubActionsStack
 from cdk.aws_lc_github_ci_stack import AwsLcGitHubCIStack
 from cdk.aws_lc_github_ci_x509_stack import AwsLcGitHubX509CIStack
 from cdk.aws_lc_github_fuzz_ci_stack import AwsLcGitHubFuzzCIStack
@@ -19,6 +20,14 @@ def add_ci_stacks(
     # define customized settings to run CodeBuild jobs from CodePipeline
     build_options = []
 
+    AwsLcGitHubActionsStack(
+        scope,
+        "aws-lc-ci-github-actions",
+        env=env,
+        ignore_failure=False,
+        stack_name="aws-lc-ci-github-actions",
+    )
+
     x86_build_spec_file = "cdk/codebuild/github_ci_linux_x86_omnibus.yaml"
     AwsLcGitHubCIStack(
         scope,

tests/ci/common_posix_setup.sh

@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: Apache-2.0 OR ISC
 
 SRC_ROOT="$(pwd)"
-if [ -v CODEBUILD_SRC_DIR ]; then
+if [ -v CODEBUILD_SRC_DIR && ! -v CODEBUILD_WEBHOOK_JOB_ID ]; then
   SRC_ROOT="$CODEBUILD_SRC_DIR"
 elif [ "$(basename "${SRC_ROOT}")" != 'aws-lc' ]; then
   SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

tests/ci/run_fips_tests.sh

@@ -68,7 +68,7 @@ if static_linux_supported || static_openbsd_supported; then
 fi
 
 # The AL2 version of Clang does not have all of the required artifacts for address sanitizer, see P45594051
-if [[ "${AWSLC_NO_ASM_FIPS}" == "1" ]]; then
+if [[ "${AWSLC_ENABLE_FIPS_ASAN:-0}" == "1" ]]; then
   if [[ ("$(uname -p)" == 'x86_64'*) ]]; then
     echo "Building with Clang and testing AWS-LC in FIPS Release mode with address sanitizer."
     fips_build_and_test -DASAN=1 -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIBS=1