GitHub Action runner in Amazon CodeBuild

You can use an action runner to run GitHub Actions within CodeBuild. This can be done by adding steps to any phase in your buildspec file.

CodeBuild buildspecs support a list of sequential GitHub Action steps which run in a separate phase from CodeBuild commands. These GitHub Actions integrate with CodeBuild’s existing features, which include dependency caching, batch builds, access to Amazon Secrets Manager, and more.

How do I get started with the GitHub action runner?

The high-level steps to add a GitHub Action are as follows:

  1. If you haven't done so already, connect your project to GitHub.

    To do so, you can do one of the following:

    Note

    This only needs to be done if you haven't connected to GitHub in another project.

  2. In your project's buildspec, you can add steps, each of which references a GitHub Action. This can be edited in the CodeBuild console or in your source repository. Each build phase supports either a list of commands or a list of steps, but both cannot be used in the same phase. For more information, see GitHub Action runner buildspec reference.

Which GitHub Actions can I use?

You can use any action available in the GitHub Marketplace that doesn't conflict with these limitations.

Can I use source providers other than GitHub when using GitHub Actions in my CodeBuild project?

Yes, but connecting to GitHub is still required to authenticate with GitHub and access GitHub Actions. For more information, see GitHub and GitHub Enterprise Server access token.

Why do I need to connect to GitHub as a source provider in order to use GitHub Actions?

In order to use GitHub Actions, the action's source must be downloaded onto the build compute. Anonymous downloads from GitHub are rate limited, so connecting to GitHub helps ensure consistent access.

How much does it cost to use the GitHub Action runner?

Running GitHub Actions is supported at no additional cost.

Which regions support the GitHub Action runner?

GitHub Actions is supported in all CodeBuild regions. For more information about Amazon Web Services Regions where CodeBuild is available, see Amazon Services by Region.

Best practices for GitHub Actions

GitHub Actions are open source, built and maintained by the community. We follow the shared responsibility model and consider GitHub Actions source code as customer data for which you are responsible. GitHub Actions can be granted access to secrets, repository tokens, source code, and account links. Make sure you are confident in the trustworthiness and security of the GitHub Actions you plan to run.

More specific guidance and security best practices for GitHub Actions:

Limitations of the GitHub action runner in CodeBuild

  • GitHub Actions that internally rely on the github context or that reference GitHub-specific resources, such as pull requests and issues, aren't supported in CodeBuild. For example, the following actions won't work in CodeBuild:

    • GitHub Actions that attempt to add, change, or update GitHub resources, such as actions that update pull requests, or create issues in GitHub.

    Note

    Most official GitHub Actions listed in https://github.com/actions rely on the github context. Instead, use actions available in the GitHub Marketplace.

  • GitHub Actions that are Docker container actions will work, but your build project must have privileged mode enabled and be run by the default Docker user (root).

  • GitHub Actions are not supported in CodeBuild projects which are configured to run on Windows.

  • GitHub Action jobs (groups of steps) and GitHub Action job properties are not supported.

  • GitHub Actions are not supported in CodeBuild projects that are configured to be triggered by a webhook for a public Git repository. For more information, see git-credential-helper.

  • VPC builds without public internet access cannot run GitHub Actions.

  • Each build phase supports either a list of commands or a list of steps, but both cannot be used in the same phase. For example, in the following sample, steps are used in the pre_build phase to run a GitHub Action, while commands are used in the build phase to run CodeBuild commands.

    version: 0.2
    phases:
      pre_build:
        # A phase that uses steps carries no commands.
        steps:
          - name: Lint Code Base
            uses: github/super-linter@v4
            env:
              VALIDATE_ALL_CODEBASE: 'true'
              DEFAULT_BRANCH: main
      build:
        # A phase that uses commands carries no steps.
        commands:
          - echo "Building..."
          - npm run build
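As an added illustration (not part of the CodeBuild documentation or any AWS tool), the following Python check reads an already-parsed buildspec (for example the dict returned by yaml.safe_load) and reports the conditions this page describes: a phase that mixes commands and steps, an unknown phase name, and a step that uses an official action from https://github.com/actions, which usually relies on the github context. It also flags a uses reference that is not pinned to a full commit SHA; that check is general supply-chain guidance rather than a rule stated on this page. The two sample buildspecs are constructed inline.

```python
import re
from typing import Any

# Phase names accepted in a version 0.2 buildspec.
VALID_PHASES = {"install", "pre_build", "build", "post_build"}
# A full-length commit SHA; a tag such as @v4 can be repointed by the action owner.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def lint_buildspec(spec: dict[str, Any]) -> list[str]:
    """Return a list of findings for a parsed buildspec; empty means clean."""
    findings: list[str] = []
    for phase, body in (spec.get("phases") or {}).items():
        body = body or {}
        if phase not in VALID_PHASES:
            findings.append(f"{phase}: unknown phase name")
        # CodeBuild allows commands or steps in a phase, never both.
        if "commands" in body and "steps" in body:
            findings.append(f"{phase}: mixes commands and steps")
        for step in body.get("steps") or []:
            uses = step.get("uses")
            if not uses:
                continue
            repo, _, ref = uses.partition("@")
            if repo.startswith("actions/"):
                findings.append(
                    f"{phase}: {uses} is an official action that likely needs the github context")
            if not SHA_RE.match(ref):
                findings.append(f"{phase}: {uses} is not pinned to a commit SHA")
    return findings


# Constructed sample: the buildspec shown on this page, as yaml.safe_load would return it.
PAGE_BUILDSPEC = {
    "version": 0.2,
    "phases": {
        "pre_build": {"steps": [{"name": "Lint Code Base",
                                 "uses": "github/super-linter@v4",
                                 "env": {"VALIDATE_ALL_CODEBASE": "true",
                                         "DEFAULT_BRANCH": "main"}}]},
        "build": {"commands": ['echo "Building..."', "npm run build"]},
    },
}

# Constructed sample that breaks the rules: mixed phase plus an official action.
BAD_BUILDSPEC = {
    "version": 0.2,
    "phases": {"build": {"commands": ["npm test"],
                         "steps": [{"uses": "actions/checkout@v4"}]}},
}

if __name__ == "__main__":
    for name, spec in (("page", PAGE_BUILDSPEC), ("bad", BAD_BUILDSPEC)):
        print(name, lint_buildspec(spec))
```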