This repository contains the automated deployment process for Harrier, an open-source developer productivity tool to accelerate CI/CD build times of GitHub Actions workflows by automating deployment of AWS self-hosted runners and persistent cache storage.
Learn more about Harrier:
Harrier deploys the following key components in your AWS account:
- Secure AWS Integration: Harrier securely integrates with your AWS and GitHub using OIDC and AWS Secrets Manager.
- Smart Configurations: Generate setup workflows with smart defaults or customized preferences.
- Open-Source Transparency: All code is publicly accessible, ensuring full transparency.
- Configure your AWS and GitHub accounts (detailed steps below).
- Generate a `setup.yml` file using the Try Harrier feature.
- Deploy `setup.yml` as a GitHub Actions workflow in your organization.
- Use your self-hosted runners with a simple workflow change:

```diff
- ubuntu-latest
+ self-hosted
```
Before starting, ensure you have:
- An active AWS account
- An active GitHub account
- A GitHub organization
- Log in to your AWS account and navigate to Identity and Access Management (IAM).
- Select Identity Providers from the left-hand menu and click Add provider.
- Choose OpenID Connect as the provider type.
- Enter the following details:
  - Provider URL: `https://token.actions.githubusercontent.com`
  - Audience: `sts.amazonaws.com`
- Click Add provider.
- Assign a role to the new provider:
  - Click on the provider name (`token.actions.githubusercontent.com`).
  - Select Assign role > Create a new role.
  - Configure the role with:
    - Trusted entity: Web identity
    - Identity provider: `token.actions.githubusercontent.com`
    - Audience: `sts.amazonaws.com`
    - GitHub organization name (e.g., `harrier-gha-runner`)
  - Add the following permissions:
    - `AmazonVPCFullAccess`
    - `AmazonEC2FullAccess`
    - `AmazonS3FullAccess`
    - `AWSLambda_FullAccess`
    - `IAMFullAccess`
    - `AmazonAPIGatewayAdministrator`
    - `AmazonEventBridgeFullAccess`
    - `AWSWAFConsoleFullAccess`
    - `SecretsManagerReadWrite`
  - Role Name: `setup-harrier` (required).
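Under the hood, the Web identity role created above carries a trust policy whose conditions bind the GitHub token's audience and subject to your organization. The following added example (not Harrier's own code) builds that policy for a given account id and organization and evaluates constructed sample claims against it; the account number and claim values are made up.

```python
"""Build the trust policy the setup-harrier role needs for GitHub's OIDC
provider and evaluate sample token claims against it (added example)."""
import fnmatch
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"


def trust_policy(aws_account_id: str, github_org: str) -> dict:
    """Trust policy for a Web identity role on the GitHub OIDC provider.
    StringEquals on aud pins the token to STS; StringLike on sub limits
    AssumeRoleWithWebIdentity to workflows in repositories of github_org."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{aws_account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{GITHUB_OIDC}:sub": f"repo:{github_org}/*"},
            },
        }],
    }


def claims_satisfy(policy: dict, claims: dict) -> bool:
    """Check token claims against the policy's conditions. Condition keys
    are '<provider host>:<claim>'; a missing claim never matches."""
    cond = policy["Statement"][0]["Condition"]
    for key, expected in cond.get("StringEquals", {}).items():
        if claims.get(key.split(":", 1)[1]) != expected:
            return False
    for key, pattern in cond.get("StringLike", {}).items():
        value = claims.get(key.split(":", 1)[1])
        # IAM StringLike wildcards (* and ?) behave like shell globs here.
        if value is None or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


if __name__ == "__main__":
    policy = trust_policy("123456789012", "harrier-gha-runner")  # constructed account id
    print(json.dumps(policy, indent=2))
    samples = {  # constructed claim sets, shaped like a GitHub-issued token's
        "same org": {"aud": "sts.amazonaws.com", "sub": "repo:harrier-gha-runner/infra:ref:refs/heads/main"},
        "other org": {"aud": "sts.amazonaws.com", "sub": "repo:someone-else/infra:ref:refs/heads/main"},
        "wrong audience": {"aud": "https://github.com/harrier-gha-runner", "sub": "repo:harrier-gha-runner/infra:ref:refs/heads/main"},
    }
    for name, claims in samples.items():
        print(f"{name}: {'allowed' if claims_satisfy(policy, claims) else 'denied'}")
```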
Follow GitHub's guide or:
- Log in to GitHub and go to Settings > Developer settings > Tokens (classic).
- Click Generate new token (classic) and configure:
  - Note: Add a descriptive name.
  - Expiration: Choose or set a custom date.
  - Scopes: Select the following:
    - `repo`
    - `workflow`
    - `admin:org`
    - `admin:org_hook`
- Click Generate token and save it securely.
- Go to Secrets Manager in AWS and click Store a new secret.
- Select Other type of secret > Plaintext.
- Paste the GitHub token into the field.
- Set the Secret name: `github/pat/harrier` (required).
- Complete the wizard, leaving Automatic rotation off.
- Navigate to your GitHub repository's Settings > Security > Secrets and variables.
- Add new secrets for DockerHub credentials (e.g., `DOCKER_USER` and `DOCKER_TOKEN`).
Create a new GitHub Actions workflow from the Harrier-setup YAML below and run it from any repository in your GitHub organization to deploy the necessary AWS resources in your AWS account.
Setup template (replace `<<AWS_REGION>>`, `<<AWS_ACCOUNT_NUMBER>>` and any other inputs with your own information):

```yaml
name: Setup GitHub Actions Self-hosted Runners in your AWS
on:
  workflow_dispatch:
jobs:
  setup-harrier-runner:
    runs-on: ubuntu-22.04
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
      - name: Configure AWS Credentials for Harrier setup
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: sts.amazonaws.com
          aws-region: <<AWS_REGION>>
          role-to-assume: arn:aws:iam::<<AWS_ACCOUNT_NUMBER>>:role/setup-harrier
      - name: Harrier Self-Hosted Runner Setup
        uses: harrier-gha-runner/harrier-self-hosted-runner@main
        with:
          region: <<AWS_REGION>>
          ghOwnerName: ${{ github.repository_owner }}
          awsAccountId: <<AWS_ACCOUNT_NUMBER>>
          instanceType: m7a.large
          cacheTtlHours: 168
          cidrBlockVPC: 10.0.0.0/16
          cidrBlockSubnet: 10.0.0.0/24
```
Update workflows to use Harrier's self-hosted runners by replacing `ubuntu-22.04` or `ubuntu-latest` with `self-hosted`.

```diff
name: CI
on: push
jobs:
  build:
-   runs-on: ubuntu-22.04
+   runs-on: self-hosted
```
Use Harrier’s caching features to optimize workflow execution by using predefined cache keys and locations.
To remove all Harrier-related resources, run the Harrier-cleanup action. Create a new GitHub Actions workflow from the Harrier-cleanup YAML below and run it from any repository in your GitHub organization to destroy any Harrier-provisioned resources in your AWS account.
Cleanup template (replace `<<AWS_REGION>>`, `<<AWS_ACCOUNT_NUMBER>>` and any other inputs with your own information):

```yaml
name: Cleanup Harrier (tear down) from AWS
on:
  workflow_dispatch:
jobs:
  cleanup-harrier-runner:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"
      - name: Configure AWS Credentials for Harrier setup
        uses: aws-actions/configure-aws-credentials@v4
        with:
          audience: sts.amazonaws.com
          aws-region: <<AWS_REGION>>
          role-to-assume: arn:aws:iam::<<AWS_ACCOUNT_NUMBER>>:role/setup-harrier
      - name: Cleanup Harrier from AWS (tear down)
        uses: harrier-gha-runner/harrier-self-hosted-runner@main
        with:
          region: <<AWS_REGION>>
          ghOwnerName: ${{ github.repository_owner }}
          awsAccountId: <<AWS_ACCOUNT_NUMBER>>
          instanceType: m7a.large
          cleanOnly: true
```
⚠ Warning: This cleanup action permanently deletes all resources and data. Use with caution. To start fresh, you can re-run the setup process.