brefphp/aws-lambda-layers

Run all builds in GitHub Actions?

mnapoli opened this issue · 4 comments

@deleugpn I'm opening this issue to start the discussion on "where to build and upload layers".

In the decision log, you wrote:

AWS CodeBuild is preferred for publishing the layers because the account that holds the layers has no external access. It is dedicated exclusively for having the layers only and only Matthieu Napoli has access to it.
GitHub Actions require exposing access to an external party. Using AWS CodeBuild allows us to use IAM Assume Role so that one "Builder Account" can build the layers and then cross-publish them onto the "Layer Account".

With GitHub OIDC, we can have the GitHub action run with an IAM role, without having to store AWS access keys.

Considering that, do you still think CodeBuild might be better here?

I wonder about this because GitHub is much easier to debug (logs are public, with a nice UI, no need to log in, etc.), and run (nothing to set up). If I use GitHub Actions for everything, at least that's consistent across all repos, and lower bus factor (everything is public/easier to replicate).
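As an added example (not code from this issue or from the brefphp/aws-lambda-layers project), here is the trust relationship the OIDC approach above relies on, written out so it can be inspected and sanity-checked. The workflow side needs `permissions: id-token: write` and typically calls `aws-actions/configure-aws-credentials` with a `role-to-assume`; the part that decides who can actually assume that role is the IAM trust policy. The account ID, role name and the branch/tag patterns below are assumptions, and the `sub` check is a local simulation of IAM's string matching, not a call to AWS.

```python
"""Trust policies for the chain GitHub OIDC -> builder-account role -> layer-account role.

Added example, not code from brefphp/aws-lambda-layers. The account ID, role name
and the branch/tag patterns below are assumptions for illustration.
"""
import fnmatch
import json

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
AUD_KEY = f"{GITHUB_OIDC_HOST}:aud"
SUB_KEY = f"{GITHUB_OIDC_HOST}:sub"

BUILDER_ACCOUNT = "111111111111"  # assumed account ID
BUILDER_ROLE_ARN = f"arn:aws:iam::{BUILDER_ACCOUNT}:role/github-layer-builder"  # assumed role name
# Assumed triggers: the release workflow runs from main and from version tags.
RELEASE_SUBJECTS = [
    "repo:brefphp/aws-lambda-layers:ref:refs/heads/main",
    "repo:brefphp/aws-lambda-layers:ref:refs/tags/*",
]


def _as_list(value):
    """IAM condition values may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def github_oidc_trust_policy(account_id, subjects):
    """Trust policy for the builder-account role that GitHub Actions assumes via
    sts:AssumeRoleWithWebIdentity, so no long-lived access keys are stored in GitHub."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud: the token must have been minted for AWS, not another consumer.
                "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                # sub: pins the repository and the branch/tag the token was issued for.
                "StringLike": {SUB_KEY: list(subjects)},
            },
        }],
    }


def cross_account_trust_policy(builder_role_arn):
    """Trust policy for the layer-account role: only the builder role may assume it,
    so the layer account never trusts GitHub directly."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": builder_role_arn},
                       "Action": "sts:AssumeRole"}],
    }


def _oidc_statements(policy):
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action")):
            yield stmt


def _subject_patterns(stmt):
    cond = stmt.get("Condition") or {}
    return [(op, p) for op in ("StringEquals", "StringLike")
            for p in _as_list((cond.get(op) or {}).get(SUB_KEY))]


def subject_allowed(policy, sub):
    """Would a token carrying this `sub` claim pass the sub condition? StringEquals is
    exact; StringLike uses IAM's `*` / `?` wildcards, which fnmatch reproduces here."""
    for stmt in _oidc_statements(policy):
        for op, pattern in _subject_patterns(stmt):
            if op == "StringEquals" and sub == pattern:
                return True
            if op == "StringLike" and fnmatch.fnmatchcase(sub, pattern):
                return True
    return False


def trust_policy_findings(policy):
    """Lint the OIDC trust policy for the mistakes that let any GitHub repository, or any
    branch / pull request of the right repository, assume the role."""
    findings = []
    for stmt in _oidc_statements(policy):
        cond = stmt.get("Condition") or {}
        if _as_list((cond.get("StringEquals") or {}).get(AUD_KEY)) != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
        patterns = [p for _, p in _subject_patterns(stmt)]
        if not patterns:
            findings.append("no sub condition: any GitHub repository can assume this role")
        for p in patterns:
            parts = p.split(":", 2)  # ["repo", "<owner>/<name>", "<ref or event>"]
            repo = parts[1] if parts[0] == "repo" and len(parts) > 1 else ""
            ref = parts[2] if len(parts) > 2 else ""
            if not repo or any(c in repo for c in "*?"):
                findings.append(f"sub pattern {p!r} does not pin a single repository")
            elif ref in ("", "*"):
                findings.append(f"sub pattern {p!r} does not pin a branch, tag or environment")
    return findings


if __name__ == "__main__":
    trust = github_oidc_trust_policy(BUILDER_ACCOUNT, RELEASE_SUBJECTS)
    print(json.dumps(trust, indent=2))
    print("findings:", trust_policy_findings(trust))
    print(subject_allowed(trust, "repo:brefphp/aws-lambda-layers:pull_request"))
```

The point of the lint is the `sub` condition: a trust policy that only checks `aud` accepts a token from any repository on GitHub, and a pattern such as `repo:owner/name:*` also accepts tokens issued to pull-request runs of that repository. With the builder role pinned this way and the layer-account role trusting only the builder role's ARN, the chain keeps the property the decision log wanted, that the layer account never exposes credentials to an external party.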

I did test AWS CodeBuild public builds, so logs would be public as well. However, I completely take your point that GH Actions has a much better UX/DX than CodeBuild. Personally, I get by easily with both of them since I have nearly 6 years experience with CodeBuild. At this point I'd say the advantage of CodeBuild is that we have nearly everything done to use it ready to go and AWS offers much bigger instance size (better parallel processing) while with GH Actions we would need to learn how to set up OIDC and vCPU is much smaller / only 2 threads would be possible instead of 7, IIRC.

Thanks for the quick response! I'm tempted to look into https://github.com/aws-actions/aws-codebuild-run-build

I forgot that CodeBuild logs could be public, but the UI… is really off-putting and confusing. Having a single entrypoint and model for contributors would be great. Maybe the link above will help, I'll check this out.

Just gave this a try: I was able to set up the same kind of role except using OIDC, and the publication of layers only took 7 minutes. That's awesome!

I'll try to go all the way (missing the publication of Docker images) but so far this is working out really well with GitHub only. Building ARM images also wasn't an issue (not slow).

It's working really great so far, I'll stick with it. I'm also able to trigger layer updates once this build is done (https://github.com/brefphp/aws-lambda-layers/blob/main/.github/workflows/release.yml#L53-L67) which is pretty awesome!