terraform-aws-github-runner | Terraform module for scalable GitHub action runners on AWS | Continous Integration library

Go to GitHub and create a new app. Beware you can create apps your organization or for a user. For now we support only organization level apps.
Create app in Github
Choose a name
Choose a website (mandatory, not required for the module).
Disable the webhook for now (we will configure this later or create an alternative webhook).
Permissions for all runners: Repository: Actions: Read-only (check for queued jobs) Checks: Read-only (receive events for new builds) Metadata: Read-only (default/required)
Permissions for repo level runners only: Repository: Administration: Read & write (to register runner)
Permissions for organization level runners only: Organization Self-hosted runners: Read & write (to register runner)
Save the new app.
On the General page, make a note of the "App ID" and "Client ID" parameters.
Generate a new private key and save the app.private-key.pem file.
To apply the terraform module, the compiled lambdas (.zip files) need to be available either locally or in an S3 bucket. They can be either downloaded from the GitHub release page or build locally. To read the files from S3, set the lambda_s3_bucket variable and the specific object key for each lambda. The lambdas can be downloaded manually from the release page or using the download-lambda terraform module (requires curl to be installed on your machine). In the download-lambda directory, run terraform init && terraform apply. The lambdas will be saved to the same directory. For local development you can build all the lambdas at once using .ci/build.sh or individually using yarn dist. To create spot instances the AWSServiceRoleForEC2Spot role needs to be added to your account. You can do that manually by following the AWS docs. To use terraform for creating the role, either add the following resource or let the module manage the the service linked role by setting create_service_linked_role_spot to true. Be aware this is an account global role, so maybe you don't want to manage it via a specific deployment. Next create a second terraform workspace and initiate the module, or adapt one of the examples. Note that github_app.key_base64 needs to be a base64-encoded string of the .pem file i.e. the output of base64 app.private-key.pem. The decoded string can either be a multiline value or a single line value with new lines represented with literal \n characters. Run terraform by using the following commands. The terraform output displays the API gateway url (endpoint) and secret, which you need in the next step. The lambda for syncing the GitHub distribution to S3 is triggered via CloudWatch (by default once per hour). After deployment the function is triggered via S3 to ensure the distribution is cached.
At this point you have 2 options. Either create a separate webhook (enterprise, org, or repo), or create webhook in the App. Go back to the GitHub App and update the following settings. Finally you need to ensure the app is installed to all or selected repositories. Go back to the GitHub App and update the following settings.
Create a new webhook on repo level for repo level for repo level runner, or org (or enterprise level) for an org level runner.
Provide the webhook url, should be part of the output of terraform.
Provide the webhook secret (terraform output -raw <NAME_OUTPUT_VAR>).
In the "Permissions & Events" section and then "Subscribe to Events" subsection, check either "Workflow Job" or "Check Run" (choose only 1 option!!!).
In the "Install App" section, install the App in your organization, either in all or in selected repositories.
Enable the webhook.
Provide the webhook url, should be part of the output of terraform.
Provide the webhook secret (terraform output -raw <NAME_OUTPUT_VAR>).
In the "Permissions & Events" section and then "Subscribe to Events" subsection, check either "Workflow Job" or "Check Run" (choose only 1 option!!!).
In the "Install App" section, install the App in your organization, either in all or in selected repositories.