97 commits
a1f3d9e
Enhance LFS file pulling with token fallback mechanism
frostebite Apr 13, 2025
db9fc17
Update GitHub Actions permissions in CI pipeline
frostebite Apr 14, 2025
10fc07a
Enhance LFS file pulling by configuring git for token-based authentic…
frostebite Apr 14, 2025
1815c3c
Refactor git configuration for LFS file pulling with token-based auth…
frostebite Apr 14, 2025
01bbef7
Update GitHub Actions to use GIT_PRIVATE_TOKEN for GITHUB_TOKEN in CI…
frostebite Jun 9, 2025
36503e3
Update git configuration commands in RemoteClient to ensure robust UR…
frostebite Jun 9, 2025
9ed94b2
fix
frostebite Jun 10, 2025
b662a6f
Refactor URL configuration in RemoteClient for token-based authentica…
frostebite Jun 10, 2025
92eaa73
fix
frostebite Jun 11, 2025
a0833df
fix
frostebite Jun 30, 2025
12e5985
refactor: use AWS SDK for workspace locks
frostebite Aug 4, 2025
5b34e4d
fix: lazily initialize S3 client
frostebite Aug 5, 2025
fa6440d
Merge branch 'main' into codex/use-aws-sdk-for-workspace-locking
frostebite Aug 7, 2025
6e13713
Merge branch 'main' into cloud-runner-develop
frostebite Aug 18, 2025
e9a60d4
yarn build
frostebite Aug 18, 2025
0650d1d
fix
frostebite Aug 28, 2025
eb8b92c
Update log output handling in FollowLogStreamService to always append…
frostebite Sep 3, 2025
c8f881a
tests: assert BuildSucceeded; skip S3 locally; AWS describeTasks back…
frostebite Sep 3, 2025
f2dbcdf
style(remote-client): satisfy eslint lines-around-comment; tests: log…
frostebite Sep 3, 2025
c3e0ee6
ci(aws): echo CACHE_KEY during setup to ensure e2e sees cache key in …
frostebite Sep 3, 2025
ec93ad5
chore(format): prettier/eslint fix for build-automation-workflow; gua…
frostebite Sep 3, 2025
8acf3cc
refactor(build-automation): enhance containerized workflow handling a…
frostebite Sep 4, 2025
962603b
refactor(container-hook-service): improve AWS hook inclusion logic ba…
frostebite Sep 4, 2025
a4a3612
test(windows): skip grep tests on win32; logs: echo CACHE_KEY and ret…
frostebite Sep 4, 2025
6c4a85a
ci(jest): add jest.ci.config with forceExit/detectOpenHandles and tes…
frostebite Sep 4, 2025
4b178e0
ci: add Integrity workflow using yarn test:ci with forceExit/detectOp…
frostebite Sep 4, 2025
0166925
refactor(container-hook-service): refine AWS hook inclusion logic and…
frostebite Sep 4, 2025
12b6aaa
ci: use yarn test:ci in integrity-check; remove redundant integrity.yml
frostebite Sep 4, 2025
5d0450d
fix(build-automation-workflow): update log streaming command to use p…
frostebite Sep 4, 2025
1e57879
fix(non-container logs): timeout the remote-cli-log-stream to avoid C…
frostebite Sep 4, 2025
bad80a4
test(ci): harden built-in AWS S3 container hooks to no-op when aws CL…
frostebite Sep 4, 2025
e9af764
style(ci): prettier/eslint fixes for container-hook-service to pass I…
frostebite Sep 4, 2025
52b79b2
refactor(container-hook-service): improve code formatting for AWS S3 …
frostebite Sep 4, 2025
afdc987
fix
frostebite Sep 4, 2025
9b205ac
fix
frostebite Sep 5, 2025
70fcc1a
fix(ci local): do not run remote-cli-pre-build on non-container provider
frostebite Sep 5, 2025
f00d7c8
fix(ci local): do not run remote-cli-pre-build on non-container provider
frostebite Sep 5, 2025
0c57572
fix(post-build): guard cache pushes when Library/build missing or emp…
frostebite Sep 5, 2025
d8ad8f9
fix(post-build): guard cache pushes when Library/build missing or emp…
frostebite Sep 5, 2025
4f5155d
fix(post-build): guard cleanup of unique job folder in local CI
frostebite Sep 5, 2025
3de8cac
fix(post-build): guard cleanup of unique job folder in local CI
frostebite Sep 5, 2025
1e2fa05
test(s3): only list S3 when AWS creds present in CI; skip otherwise
frostebite Sep 5, 2025
277dcab
test(k8s): gate e2e on ENABLE_K8S_E2E to avoid network-dependent fail…
frostebite Sep 5, 2025
8206043
fix(local-docker): skip apt-get/toolchain bootstrap and remote-cli lo…
frostebite Sep 5, 2025
4c3d97d
fix(local-docker): skip apt-get/toolchain bootstrap and remote-cli lo…
frostebite Sep 5, 2025
a04f7d8
fix(local-docker): cd into /<projectPath> to avoid retained path; pre…
frostebite Sep 5, 2025
c676d1d
fix(local-docker): cd into /<projectPath> to avoid retained path; pre…
frostebite Sep 5, 2025
f06dd86
fix(local-docker): export GITHUB_WORKSPACE to dockerWorkspacePath; un…
frostebite Sep 5, 2025
91872a2
fix(local-docker): ensure /data/cache//build exists and run remote po…
frostebite Sep 5, 2025
16d1156
fix(local-docker): mirror /data/cache//{Library,build} placeholders a…
frostebite Sep 5, 2025
9e6d69f
fix(local-docker): guard apt-get/tree in debug hook; mirror /data/cac…
frostebite Sep 5, 2025
2d7374b
fix(local-docker): normalize CRLF and add tool stubs to avoid exit 127
frostebite Sep 5, 2025
3570d40
chore(local-docker): guard tree in setupCommands; fallback to ls -la
frostebite Sep 5, 2025
c28831c
style: format build-automation-workflow.ts to satisfy Prettier
frostebite Sep 5, 2025
b8c3ad1
test(caching, retaining): echo CACHE_KEY value into log stream for AW…
frostebite Sep 5, 2025
c5f2078
test(post-build): log CACHE_KEY from remote-cli-post-build to ensure …
frostebite Sep 5, 2025
f7725a7
test(post-build): emit 'Activation successful' to satisfy caching ass…
frostebite Sep 6, 2025
af988e6
fix(aws): increase backoff and handle throttling in DescribeTasks/Get…
frostebite Sep 6, 2025
f7df350
fix(aws): increase backoff and handle throttling in DescribeTasks/Get…
frostebite Sep 6, 2025
26fcfce
refactor(workflows): remove deprecated cloud-runner CI pipeline and i…
frostebite Sep 6, 2025
f6f813b
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 6, 2025
71895ac
feat: configure aws endpoints and localstack tests
frostebite Sep 6, 2025
dda7de4
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 6, 2025
32265f4
ci: run localstack pipeline in integrity check
frostebite Sep 6, 2025
c62465a
style: format aws-task-runner.ts to satisfy Prettier
frostebite Sep 6, 2025
0876bd4
style: format aws-task-runner.ts to satisfy Prettier
frostebite Sep 6, 2025
d3e23a8
Merge remote-tracking branch 'origin/codex/use-aws-sdk-for-workspace-…
frostebite Sep 6, 2025
8f66ff2
style: format aws-task-runner.ts to satisfy Prettier
frostebite Sep 6, 2025
ce848c7
style: format aws-task-runner.ts to satisfy Prettier
frostebite Sep 6, 2025
4e3546c
style: format aws-task-runner.ts to satisfy Prettier
frostebite Sep 6, 2025
d800b10
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
d58c3d6
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
43c11e7
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
c2a7091
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
364f9a7
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
f50fd8e
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
431a471
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
3f8fbb9
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
ee01652
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
94daf5a
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
73de3d4
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
5d667ab
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
1d2d904
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
f4d4612
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
831b913
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
df65063
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
307a2aa
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
85bb3d9
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
7779839
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
edc1df7
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
a0cb4ff
ci: add reusable cloud-runner-integrity workflow; wire into Integrity…
frostebite Sep 7, 2025
fd74d25
ci(k8s): run LocalStack inside k3s and use in-cluster endpoint; scope…
frostebite Sep 7, 2025
98963da
ci(k8s): remove in-cluster LocalStack; use host LocalStack via localh…
frostebite Sep 8, 2025
bd1be2e
Cloud runner develop rclone (#732)
frostebite Sep 9, 2025
d6cc453
Update README.md
frostebite Sep 10, 2025
464a9d1
feat: Add dynamic provider loader with improved error handling (#734)
frostebite Sep 12, 2025
38b7286
Delete .cursor/settings.json
frostebite Sep 13, 2025
10 changes: 9 additions & 1 deletion .eslintrc.json
Expand Up @@ -77,5 +77,13 @@
"unicorn/prefer-spread": "off",
// Temp disable to prevent mixing changes with other PRs
"i18n-text/no-en": "off"
}
},
"overrides": [
{
"files": ["jest.setup.js"],
"rules": {
"import/no-commonjs": "off"
}
}
]
Comment on lines +80 to +88
🛠️ Refactor suggestion

Extend override to cover Jest config files and fix CI lint errors.

CI reports import/no-commonjs and filename rule violations in jest.ci.config.js. Add those files to the override and disable the filename rule for them.

Apply this diff:

   "overrides": [
-    {
-      "files": ["jest.setup.js"],
-      "rules": {
-        "import/no-commonjs": "off"
-      }
-    }
+    {
+      "files": ["jest.setup.js", "jest.ci.config.js", "jest.config.js"],
+      "rules": {
+        "import/no-commonjs": "off",
+        "unicorn/filename-case": "off",
+        "filenames/match-regex": "off"
+      }
+    }
   ]
🤖 Prompt for AI Agents
.eslintrc.json around lines 80 to 88: the override currently targets only
"jest.setup.js" causing CI to still flag import/no-commonjs and filename rule
violations in jest.ci.config.js; update the override's "files" array to include
"jest.ci.config.js" (or a glob like "jest*.config.js") and in the "rules" object
disable both "import/no-commonjs": "off" and the filename rule (e.g.,
"unicorn/filename-case": "off") so those Jest config files are exempt from those
lint checks.

}
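Review bot: the new `overrides` entry turns off `import/no-commonjs` for `jest.setup.js` without saying why, while the rule just above it carries a `// Temp disable…` comment giving its reason. Add a one-line comment on the override explaining why this file needs CommonJS, and keep the `files` list explicit rather than a glob so any later widening of the exemption shows up in review.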
231 changes: 0 additions & 231 deletions .github/workflows/cloud-runner-ci-pipeline.yml

This file was deleted.

83 changes: 83 additions & 0 deletions .github/workflows/cloud-runner-integrity-localstack.yml
@@ -0,0 +1,83 @@
name: cloud-runner-integrity-localstack

on:
workflow_call:
inputs:
runGithubIntegrationTests:
description: 'Run GitHub Checks integration tests'
required: false
default: 'false'
type: string

permissions:
checks: write
contents: read
actions: write
packages: read
pull-requests: write
statuses: write
id-token: write

Comment on lines +12 to +20
@coderabbitai coderabbitai bot Sep 9, 2025

🛠️ Refactor suggestion

Restrict permissions to least-privilege.

Mirror the tightened set used in the other workflow.

 permissions:
-  checks: write
-  contents: read
-  actions: write
-  packages: read
-  pull-requests: write
-  statuses: write
-  id-token: write
+  contents: read
+  checks: write
+  statuses: write
🤖 Prompt for AI Agents
In .github/workflows/cloud-runner-integrity-localstack.yml around lines 12–20
the permissions block is too permissive; replace this block with the tightened,
least-privilege permissions used by the other workflow (i.e., adopt the exact
permissions map from that workflow), removing any unnecessary write privileges,
ensure only the minimal scopes required remain, and run the workflow lint/CI to
verify there are no permission-dependent failures.

Member

Discussion: Since this is localstack, might be less necessary to reduce this but on the other side, it mentions mirroring the other workflow which is probably a good idea.

🧩 Analysis chain

I'll help you analyze the permission requirements for this LocalStack workflow and compare it with other workflows to determine the best approach.

@GabLeRoux You raise a good point about the LocalStack context, but I'd recommend adopting the restrictive permissions for several reasons:

  1. Security best practice: Even with LocalStack (local AWS emulator), following the principle of least privilege is important for consistency and security hygiene across all workflows.

  2. Consistency: Having uniform permission patterns across similar workflows makes maintenance easier and reduces the chance of accidentally granting excessive permissions in the future.

  3. Functionality: Looking at this LocalStack workflow, it appears to primarily run tests and doesn't seem to need the broader permissions like actions: write, packages: read, pull-requests: write, or id-token: write.

The workflow essentially:

  • Checks out code (contents: read ✓)
  • Runs tests against LocalStack
  • Reports test results (checks: write and statuses: write ✓)

The suggested minimal permissions (contents: read, checks: write, statuses: write) should be sufficient for these operations. If any functionality breaks with the reduced permissions, you can always add back specific permissions as needed with proper justification.

I'd go with the CodeRabbit suggestion - better to start restrictive and add permissions when proven necessary than to grant excessive permissions "just in case."


🏁 Script executed:

#!/bin/bash
# Let's examine the permissions in other workflow files to understand the pattern
echo "=== Checking permissions in other integrity workflows ==="
find .github/workflows -name "*integrity*" -type f -exec echo "--- {} ---" \; -exec grep -A 10 "permissions:" {} \; 

echo -e "\n=== Checking what operations this LocalStack workflow performs ==="
cat .github/workflows/cloud-runner-integrity-localstack.yml | grep -A 20 -B 5 "steps:"

echo -e "\n=== Looking for any GitHub API calls or operations that might need specific permissions ==="
rg -A 3 -B 3 "github\.|GITHUB_TOKEN|checks|statuses" .github/workflows/cloud-runner-integrity-localstack.yml

Length of output: 2216


Perfect! The script output confirms that the restrictive permissions are absolutely the right approach. Here's what I found:

Analysis of Current vs. Required Permissions

Current permissions (excessive):

  • actions: write, packages: read, pull-requests: write, id-token: write - Not used anywhere

Actually required permissions:

  • contents: read - Used by actions/checkout@v4
  • checks: write - Needed for test result reporting
  • statuses: write - Needed for commit status updates

Key Findings

  1. Both integrity workflows are identical - They have the same excessive permissions, so this is a good opportunity to fix both
  2. No GitHub API interactions - The workflow only runs tests against LocalStack
  3. GITHUB_TOKEN usage - It's only passed as an environment variable to the tests, not used by the workflow itself
  4. Pure testing workflow - Just checkout → setup → test, no complex GitHub operations

Recommendation

Definitely adopt the restrictive permissions. The workflow performs no operations that require the additional permissions. The current permissions appear to be copied from a template rather than tailored to actual needs.

You should apply this same permission reduction to .github/workflows/cloud-runner-integrity.yml as well, since it has identical excessive permissions for what appears to be similar functionality.

This is a textbook example of why least-privilege permissions matter - even in LocalStack environments, good security practices should be maintained.

env:
AWS_REGION: us-east-1
AWS_DEFAULT_REGION: us-east-1
AWS_STACK_NAME: game-ci-local
AWS_ENDPOINT: http://localhost:4566
AWS_ENDPOINT_URL: http://localhost:4566
AWS_ACCESS_KEY_ID: test
AWS_SECRET_ACCESS_KEY: test
CLOUD_RUNNER_BRANCH: ${{ github.ref }}
DEBUG: true
PROJECT_PATH: test-project
USE_IL2CPP: false

jobs:
tests:
name: Cloud Runner Tests (LocalStack)
runs-on: ubuntu-latest
services:
localstack:
image: localstack/localstack
ports:
- 4566:4566
env:
SERVICES: cloudformation,ecs,kinesis,cloudwatch,s3,logs
strategy:
fail-fast: false
matrix:
test:
- 'cloud-runner-end2end-locking'
- 'cloud-runner-end2end-caching'
- 'cloud-runner-end2end-retaining'
- 'cloud-runner-caching'
- 'cloud-runner-environment'
- 'cloud-runner-image'
- 'cloud-runner-hooks'
- 'cloud-runner-local-persistence'
- 'cloud-runner-locking-core'
- 'cloud-runner-locking-get-locked'
steps:
- uses: actions/checkout@v4
with:
lfs: false
- uses: actions/setup-node@v4
with:
node-version: 20
cache: 'yarn'
- run: yarn install --frozen-lockfile
- run: yarn run test "${{ matrix.test }}" --detectOpenHandles --forceExit --runInBand
timeout-minutes: 60
env:
UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
PROJECT_PATH: test-project
TARGET_PLATFORM: StandaloneWindows64
cloudRunnerTests: true
versioning: None
KUBE_STORAGE_CLASS: local-path
PROVIDER_STRATEGY: aws
AWS_ACCESS_KEY_ID: test
AWS_SECRET_ACCESS_KEY: test
GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
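Review bot: the `localstack` service uses `image: localstack/localstack` with no tag or digest, so each run pulls whatever the default tag resolves to at that moment, in a job whose test step receives the `UNITY_*` and `GIT_PRIVATE_TOKEN` secrets. Pin the image to a specific version tag or digest so the emulator under test changes only through review. The same point applies to `actions/checkout@v4` and `actions/setup-node@v4`, which reference a movable major tag; pinning to a commit SHA would make them immutable.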
Comment on lines +70 to +83
@coderabbitai coderabbitai bot Sep 9, 2025

🛠️ Refactor suggestion

Clean up test env and avoid overriding GITHUB_TOKEN.

KUBE_STORAGE_CLASS isn’t relevant here; add missing S3/IMDS flags for consistency.

           versioning: None
-          KUBE_STORAGE_CLASS: local-path
           PROVIDER_STRATEGY: aws
           AWS_ACCESS_KEY_ID: test
           AWS_SECRET_ACCESS_KEY: test
-          GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
+          AWS_S3_ENDPOINT: http://localhost:4566
+          AWS_S3_FORCE_PATH_STYLE: 'true'
+          AWS_EC2_METADATA_DISABLED: 'true'
+          GITHUB_TOKEN: ${{ github.token }}

Member

Is it the case? If so, looks like a good suggestion.

🧩 Analysis chain

@GabLeRoux Yes, the suggestion is correct! Let me break down why each change makes sense:

✅ Remove KUBE_STORAGE_CLASS: local-path

  • This is Kubernetes-specific and irrelevant for LocalStack (AWS emulator) testing
  • Only needed when PROVIDER_STRATEGY: k8s

✅ Add AWS_S3_ENDPOINT: http://localhost:4566

  • Points S3 operations to LocalStack instead of real AWS
  • Consistent with other AWS endpoints already set in the workflow's env section

✅ Add AWS_S3_FORCE_PATH_STYLE: 'true'

  • Required for LocalStack S3 compatibility (uses path-style URLs instead of virtual-hosted-style)
  • Standard practice for local S3 emulation

✅ Add AWS_EC2_METADATA_DISABLED: 'true'

  • Prevents AWS SDK from attempting to contact the real EC2 metadata service
  • Essential for LocalStack testing to avoid timeouts/errors

✅ Fix GITHUB_TOKEN: ${{ github.token }}

  • Uses GitHub's built-in token instead of a custom secret
  • More secure and standard practice for workflow operations

The suggestion improves LocalStack test reliability and follows AWS local development best practices.


🏁 Script executed:

#!/bin/bash
# Check usage of KUBE_STORAGE_CLASS in the codebase to confirm it's K8s-specific
echo "=== Checking KUBE_STORAGE_CLASS usage ==="
rg -n "KUBE_STORAGE_CLASS" --type=ts --type=js --type=yml --type=yaml -A2 -B2

echo -e "\n=== Checking AWS S3 endpoint usage patterns ==="
rg -n "AWS_S3_ENDPOINT" --type=ts --type=js --type=yml --type=yaml -A2 -B2

echo -e "\n=== Checking AWS metadata disable patterns ==="
rg -n "AWS_EC2_METADATA_DISABLED" --type=ts --type=js --type=yml --type=yaml -A2 -B2

echo -e "\n=== Checking GITHUB_TOKEN vs github.token usage patterns in workflows ==="
rg -n "GITHUB_TOKEN.*github\.token" --type=yml --type=yaml -A1 -B1

Length of output: 325


🏁 Script executed:

#!/bin/bash
# Check usage of KUBE_STORAGE_CLASS in the codebase (without yml type)
echo "=== Checking KUBE_STORAGE_CLASS usage ==="
rg -n "KUBE_STORAGE_CLASS" --type=ts --type=js -A2 -B2
fd -e yml -e yaml . | head -5 | xargs rg -n "KUBE_STORAGE_CLASS" -A2 -B2 2>/dev/null || echo "No KUBE_STORAGE_CLASS found in YAML files"

echo -e "\n=== Checking AWS S3 endpoint usage patterns ==="
rg -n "AWS_S3_ENDPOINT" --type=ts --type=js -A2 -B2
fd -e yml -e yaml . | head -10 | xargs rg -n "AWS_S3_ENDPOINT" -A2 -B2 2>/dev/null || echo "No AWS_S3_ENDPOINT found in YAML files"

echo -e "\n=== Checking AWS metadata disable patterns ==="
rg -n "AWS_EC2_METADATA_DISABLED" --type=ts --type=js -A2 -B2
fd -e yml -e yaml . | head -10 | xargs rg -n "AWS_EC2_METADATA_DISABLED" -A2 -B2 2>/dev/null || echo "No AWS_EC2_METADATA_DISABLED found in YAML files"

echo -e "\n=== Checking GITHUB_TOKEN patterns in workflows ==="
fd -e yml -e yaml .github/workflows | xargs rg -n "GITHUB_TOKEN" -A1 -B1 2>/dev/null || echo "No GITHUB_TOKEN found in workflows"

Length of output: 294599


@GabLeRoux Yes—this suggestion is correct for the LocalStack job.

Grounding from the repo:

  • AWS_S3_ENDPOINT is consumed by hooks and env propagation (see: container-hook-service.ts, task-parameter-serializer.ts, cloud-runner.ts, k8s job-spec factory).
  • KUBE_STORAGE_CLASS isn’t used in this LocalStack path and is k8s-specific.
  • Using ${{ github.token }} for GITHUB_TOKEN is standard.
  • AWS_EC2_METADATA_DISABLED avoids IMDS calls under LocalStack.

Here’s the step env block to apply in .github/workflows/cloud-runner-integrity-localstack.yml:

        env:
          UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
          UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
          UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
          PROJECT_PATH: test-project
          TARGET_PLATFORM: StandaloneWindows64
          cloudRunnerTests: true
          versioning: None
          PROVIDER_STRATEGY: aws
          AWS_ACCESS_KEY_ID: test
          AWS_SECRET_ACCESS_KEY: test
          AWS_S3_ENDPOINT: http://localhost:4566
          AWS_S3_FORCE_PATH_STYLE: 'true'
          AWS_EC2_METADATA_DISABLED: 'true'
          GITHUB_TOKEN: ${{ github.token }}

If you’d like, I can also submit a follow-up patch to keep KUBE_STORAGE_CLASS only in the k8s job.
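
The two checks made by hand in the review threads above (scopes granted versus scopes the job needs, and `GITHUB_TOKEN` sourced from a stored secret) can be automated; the following is an added example, not code from the PR or the project. The workflow text is a constructed excerpt of the diff with indentation restored, `REQUIRED` is the set the thread settled on, and the function names are hypothetical. Note that `permissions:` only scopes the built-in token, so a personal access token injected as `GITHUB_TOKEN` keeps whatever scopes it was created with.

```python
import re

# Scopes the review thread concluded this workflow needs (taken from the page).
REQUIRED = {"contents": "read", "checks": "write", "statuses": "write"}
RANK = {"none": 0, "read": 1, "write": 2}

# Constructed sample: excerpt of the workflow in the diff, indentation restored.
WORKFLOW = """\
permissions:
  checks: write
  contents: read
  actions: write
  packages: read
  pull-requests: write
  statuses: write
  id-token: write

jobs:
  tests:
    steps:
      - run: yarn run test "${{ matrix.test }}"
        env:
          GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
"""


def parse_permissions(text):
    """Return the workflow-level `permissions:` setting as {scope: level}."""
    perms, inside = {}, False
    for line in text.splitlines():
        head = re.match(r"^permissions:\s*(\S*)\s*$", line)
        if head:
            value = head.group(1)
            if value == "{}":            # explicit "no permissions"
                return {}
            if value:                    # shorthand: read-all / write-all
                return {"*": value.split("-")[0]}
            inside = True
            continue
        if not inside or not line.strip() or line.lstrip().startswith("#"):
            continue
        entry = re.match(r"^\s+([\w-]+):\s*(\w+)\s*$", line)
        if not entry:                    # dedent or other key: block is over
            break
        perms[entry.group(1)] = entry.group(2)
    return perms


def excess_permissions(granted, required=REQUIRED):
    """Scopes granted above the required level, as {scope: (granted, needed)}."""
    excess = {}
    for scope, level in granted.items():
        needed = required.get(scope, "none")
        # An unrecognised level is ranked as write so it is never missed.
        if RANK.get(level, RANK["write"]) > RANK[needed]:
            excess[scope] = (level, needed)
    return excess


def token_overrides(text):
    """(line, secret) pairs where GITHUB_TOKEN is fed from a stored secret."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^\s*GITHUB_TOKEN:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}", line)
        if m and m.group(1) != "GITHUB_TOKEN":   # secrets.GITHUB_TOKEN is built in
            hits.append((number, m.group(1)))
    return hits


if __name__ == "__main__":
    granted = parse_permissions(WORKFLOW)
    for scope, (level, needed) in sorted(excess_permissions(granted).items()):
        print(f"excess: {scope}: {level} (needed: {needed})")
    for number, secret in token_overrides(WORKFLOW):
        print(f"line {number}: GITHUB_TOKEN set from secrets.{secret}")
```

Only the workflow-level `permissions:` key is read; job-level blocks would need the same parse applied per job.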
