Remove CodeBuild runner infrastructure #1959
Pull request overview
Removes the CodeBuild-hosted GitHub Actions runner setup for review apps and updates the integration review environment to use GitHub-hosted runners with OIDC, triggering dedicated CodeBuild projects for deploy/destroy actions and storing deploy outputs as short-lived artifacts.
Changes:
- Deleted the `gha-runner` module and its wiring (`github_actions_runner.tf`) that previously provided self-hosted runner infrastructure.
- Added a new `review-app-codebuild` module (CodeBuild project + IAM + logging + buildspecs) to run review app deploy/destroy via Terraform.
- Updated `github_actions_oidc.tf` to create an artifacts bucket, provision per-app deploy/destroy CodeBuild projects, and tighten GitHub Actions role permissions to CodeBuild/ECR/artifacts.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| infra/deployments/integration/review/review-app-codebuild/main.tf | New CodeBuild project + IAM policy to run Terraform deploy/destroy for review apps |
| infra/deployments/integration/review/review-app-codebuild/inputs.tf | Inputs for the new CodeBuild module (app, action, ARNs, cluster details) |
| infra/deployments/integration/review/review-app-codebuild/outputs.tf | Outputs used by the review environment (project/log group identifiers) |
| infra/deployments/integration/review/review-app-codebuild/logging.tf | Creates a dedicated CloudWatch log group for CodeBuild |
| infra/deployments/integration/review/review-app-codebuild/buildspec-deploy.yml | Buildspec to terraform apply and publish outputs.json as an artifact |
| infra/deployments/integration/review/review-app-codebuild/buildspec-destroy.yml | Buildspec to terraform destroy review app resources |
| infra/deployments/integration/review/github_actions_oidc.tf | Provisions artifact bucket + CodeBuild projects and updates OIDC role permissions accordingly |
| infra/deployments/integration/review/iam.tf | Adds/retains the ECS application autoscaling service-linked role in the review env |
| infra/deployments/integration/review/github_actions_runner.tf | Removed old CodeBuild runner wiring and CodeBuild source credential resource |
| infra/deployments/integration/review/gha-runner/runner.tf | Removed the deprecated runner CodeBuild project + IAM permissions |
| infra/deployments/integration/review/gha-runner/inputs.tf | Removed inputs for the deprecated runner module |
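An added example, not Terraform from this PR or from the alphagov repositories, of the least-privilege shape that "tighten GitHub Actions role permissions to CodeBuild/ECR/artifacts" implies: an OIDC trust policy pinned to one repository's pull_request workflows, and a permissions policy limited to starting the two review-app CodeBuild projects and reading that app's deploy outputs. The repository, region, bucket and project names are placeholders, and the ECR push statement is omitted.

```hcl
data "aws_caller_identity" "current" {}
locals {
  # Placeholders: the real repo, region, bucket and project names are not on this page.
  github_repo      = "alphagov/example-app"
  artifacts_bucket = "review-app-artifacts-example"
  project_arns     = [for action in ["deploy", "destroy"] : "arn:aws:codebuild:eu-west-2:${data.aws_caller_identity.current.account_id}:project/review-app-example-app-${action}"]
}

data "aws_iam_policy_document" "github_actions_assume_role" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    # Pin the role to pull_request workflows of one repository; "repo:*" would admit any repo.
    condition {
      test     = "StringLike"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${local.github_repo}:pull_request"]
    }
  }
}

resource "aws_iam_role" "github_actions_review_app" {
  name               = "github-actions-review-app"
  assume_role_policy = data.aws_iam_policy_document.github_actions_assume_role.json
}
data "aws_iam_policy_document" "github_actions_permissions" {
  statement {
    # Only the two review-app projects may be started, not codebuild:* on every project.
    actions   = ["codebuild:StartBuild", "codebuild:BatchGetBuilds"]
    resources = local.project_arns
  }
  statement {
    # Read-only access to the short-lived deploy outputs, scoped to this app's prefix.
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::${local.artifacts_bucket}/example-app/*"]
  }
}

resource "aws_iam_role_policy" "github_actions_review_app" {
  role   = aws_iam_role.github_actions_review_app.id
  policy = data.aws_iam_policy_document.github_actions_permissions.json
}
```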
Pull request overview
Removes the now-obsolete CodeBuild-hosted GitHub Actions runner infrastructure for the integration review environment, following the move to GitHub-hosted runners using OIDC, while keeping the ECS application autoscaling service-linked role needed for review app deployments.
Changes:
- Delete the `gha-runner` module (IAM + CodeBuild project + webhook) previously used to host self-managed runners.
- Remove the root `github_actions_runner.tf` that instantiated runner modules for each app.
- Relocate/retain the ECS application autoscaling service-linked role and add `aws_caller_identity` data needed by remaining IAM policy generation.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| infra/deployments/integration/review/iam.tf | Retains the ECS application autoscaling service-linked role in the review root module. |
| infra/deployments/integration/review/github_actions_runner.tf | Removes legacy runner infrastructure definitions and per-app gha-runner module usage. |
| infra/deployments/integration/review/github_actions_codebuild.tf | Adds aws_caller_identity data source required for IAM policy ARN construction. |
| infra/deployments/integration/review/gha-runner/runner.tf | Deletes the gha-runner module implementation (IAM + CodeBuild runner + webhook). |
| infra/deployments/integration/review/gha-runner/inputs.tf | Deletes the gha-runner module inputs (module no longer used). |
Pull request overview
Removes the legacy CodeBuild-hosted GitHub Actions runner infrastructure for review apps (now using GitHub-hosted runners + OIDC), and updates Terraform inputs to support multiple CodeStar/CodeConnections ARNs keyed by GitHub org.
Changes:
- Deleted the integration review “gha-runner” module and the per-app runner provisioning.
- Moved the ECS Application Auto Scaling service-linked role definition into `iam.tf`.
- Changed `codestar_connection_arn` from a single string to an object (`alphagov`, `govuk-forms`) and updated callers/tfvars accordingly.
Reviewed changes
Copilot reviewed 28 out of 28 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| infra/deployments/integration/tfvars/integration.tfvars | Removes codestar_connection_arn from integration tfvars. |
| infra/deployments/integration/review/iam.tf | Adds the ECS Application Auto Scaling service-linked role resource. |
| infra/deployments/integration/review/github_actions_runner.tf | Removes CodeBuild runner modules and related resources (file deleted). |
| infra/deployments/integration/review/github_actions_codebuild.tf | Adds aws_caller_identity data source for ARN construction. |
| infra/deployments/integration/review/gha-runner/runner.tf | Removes the old gha-runner implementation (file deleted). |
| infra/deployments/integration/review/gha-runner/inputs.tf | Removes gha-runner inputs (file deleted). |
| infra/deployments/integration/inputs.tf | Updates codestar_connection_arn variable type to an object. |
| infra/deployments/forms/tfvars/dev.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/tfvars/staging.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/tfvars/user-research.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/tfvars/production.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/pipelines/deploy-forms-runner-container.tf | Switches pipeline/module usage to codestar_connection_arn.alphagov. |
| infra/deployments/forms/pipelines/deploy-forms-product-page-container.tf | Switches pipeline/module usage to codestar_connection_arn.alphagov. |
| infra/deployments/forms/pipelines/deploy-forms-admin-container.tf | Switches pipeline/module usage to codestar_connection_arn.alphagov. |
| infra/deployments/forms/pipelines/apply-terraform.tf | Switches pipeline/module usage to codestar_connection_arn.alphagov. |
| infra/deployments/forms/inputs.tf | Updates codestar_connection_arn variable type to an object. |
| infra/deployments/forms/account/tfvars/dev.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/account/tfvars/staging.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/account/tfvars/user-research.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/account/tfvars/production.tfvars | Converts codestar_connection_arn to an object with per-org keys. |
| infra/deployments/forms/account/inputs.tf | Updates codestar_connection_arn variable type to an object. |
| infra/deployments/forms/account/engineer-access.tf | Passes codestar_connection_arn.alphagov into engineer-access module. |
| infra/deployments/forms/account/deployer-access.tf | Passes codestar_connection_arn.alphagov into deployer-access module. |
| infra/deployments/deploy/tools/pipeline-visualiser-pipeline.tf | Updates CodeConnections references to per-org ARNs in policy/pipeline config. |
| infra/deployments/deploy/inputs.tf | Updates deploy codestar_connection_arn variable to an object + defaults. |
| infra/deployments/deploy/image-builders/main.tf | Selects per-org CodeConnections ARN for product-page image builds. |
| infra/deployments/deploy/engineer-access/roles.tf | Passes codestar_connection_arn.alphagov into engineer-access module. |
| infra/deployments/deploy/e2e-tests-image-builder/main.tf | Passes codestar_connection_arn.alphagov into e2e image pipeline module. |
Pull request overview
Removes the now-unused CodeBuild-hosted GitHub Actions runner (the gha-runner module + per-app runner resources) from the integration review-app infrastructure, reflecting the migration to GitHub-hosted runners with OIDC.
Changes:
- Removes the `gha-runner` module and the `github_actions_runner.tf` resources that provisioned CodeBuild-hosted runners.
- Moves/retains the ECS application autoscaling service-linked role in `iam.tf`.
- Updates integration tfvars and review CodeBuild config in line with the new runner approach.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| infra/deployments/integration/tfvars/integration.tfvars | Removes CodeStar connection input from integration tfvars. |
| infra/deployments/integration/review/iam.tf | Adds the ECS application autoscaling service-linked role resource. |
| infra/deployments/integration/review/github_actions_runner.tf | Deletes the old CodeBuild-hosted runner modules/resources. |
| infra/deployments/integration/review/github_actions_codebuild.tf | Adds caller identity data source (for IAM policy ARN construction). |
| infra/deployments/integration/review/gha-runner/runner.tf | Deletes the legacy runner implementation (IAM + CodeBuild project/webhook). |
| infra/deployments/integration/review/gha-runner/inputs.tf | Deletes legacy runner module inputs. |
Pull request overview
Removes the now-obsolete CodeBuild-hosted GitHub Actions runner infrastructure for review apps, following the migration to GitHub-hosted runners using OIDC, and keeps only the supporting IAM/service-linked role needed by the remaining review app deployment flow.
Changes:
- Removes the per-app `gha-runner` module and its CodeBuild runner resources from the integration review deployment.
- Removes the `codestar_connection_arn` variable wiring from the integration deployment and its tfvars.
- Moves the ECS application autoscaling service-linked role definition into `iam.tf` and adds `aws_caller_identity` data for IAM policy generation.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| infra/deployments/integration/tfvars/integration.tfvars | Removes codestar_connection_arn from integration tfvars. |
| infra/deployments/integration/review/iam.tf | Defines the app autoscaling service-linked role in the review deployment IAM file. |
| infra/deployments/integration/review/github_actions_runner.tf | Deletes the old CodeBuild-hosted runner + gha-runner module instantiations. |
| infra/deployments/integration/review/github_actions_codebuild.tf | Adds data.aws_caller_identity.current used for IAM policy ARNs. |
| infra/deployments/integration/review/gha-runner/runner.tf | Deletes the gha-runner module implementation (IAM + CodeBuild runner project/webhook). |
| infra/deployments/integration/review/gha-runner/inputs.tf | Deletes inputs for the removed gha-runner module. |
| infra/deployments/integration/inputs.tf | Removes the codestar_connection_arn variable from integration deployment inputs. |
Remove the CodeBuild-hosted GitHub Actions runner infrastructure now that review apps use GitHub-hosted runners with OIDC authentication. The gha-runner module and CodeBuild resources are no longer needed.
What problem does this pull request solve?
Trello card: https://trello.com/c/UIEQ97bl/792-stop-using-self-hosted-runners-on-github
Remove the CodeBuild-hosted GitHub Actions runner infrastructure now that review apps use GitHub-hosted runners with OIDC authentication.
The gha-runner module and CodeBuild resources are no longer needed. The service-linked role for app autoscaling has been shifted to `iam.tf`.

This should not be merged until we've migrated all the app repos, and rebased WIP branches (or at least informed developers of the change so they can rebase).
Things to consider when reviewing
Reminders
- If you've made changes to the deployer role (files in `modules/deployer-access`):
  - `make <environment> forms/account apply` on the relevant environments (`dev`, `staging`, `user-research`, and/or `prod`)
  - `apply-forms-terraform-<environment>` pipelines have run successfully