|
| 1 | +# Best Practices |
| 2 | + |
| 3 | +## Choose the right runner mode |
| 4 | + |
| 5 | +## Use pre-built AMIs when possible |
| 6 | + |
| 7 | +Pre-built AMIs can dramatically reduce runner startup time. |
| 8 | +If you use a custom AMI, keep the runner binary and required tooling preinstalled. |
| 9 | +If you do not want to manage AMIs, enable the runner binaries syncer and use the bundled downloader lambda. |
| 10 | + |
| 11 | +## Reduce startup delays |
| 12 | + |
| 13 | +Enable `runner_binaries_syncer` to cache GitHub runner binaries in S3. |
| 14 | +Use `runner_binaries_s3_versioning` and `runner_binaries_s3_tags` to manage bucket lifecycle and ownership metadata. |
| 15 | +Configure `lambda_architecture` as `arm64` where supported for better cost and performance. |
| 16 | + |
| 17 | +## Keep your infrastructure secure |
| 18 | + |
| 19 | +Use `repository_white_list` to restrict which repositories can use the GitHub App. |
| 20 | +Use `enable_ssm_on_runners` only for debugging and disable it in production. |
| 21 | +Avoid `enable_user_data_debug_logging_runner` in production because it logs sensitive runner bootstrap values. |
| 22 | +Use `role_permissions_boundary` and `lambda_principals` to keep IAM permissions scoped and auditable. |
| 23 | + |
| 24 | +## Configure cost-optimizing defaults |
| 25 | + |
| 26 | +Keep `instance_target_capacity_type` set to `spot` unless on-demand capacity is specifically required. |
| 27 | +Use `instance_allocation_strategy` with `capacity_optimized` or `price-capacity-optimized` for better spot instance stability. |
| 28 | +Set `runner_boot_time_in_minutes` and `minimum_running_time_in_minutes` appropriately for job duration and instance reuse. |
| 29 | + |
| 30 | +## Use queues and monitoring thoughtfully |
| 31 | + |
| 32 | +Use `queue_encryption` to protect SQS message payloads at rest. |
| 33 | +Configure `logging_retention_in_days` and `log_class` for CloudWatch logs according to your retention policy. |
| 34 | +Enable metrics only when you need additional visibility, because it may incur extra cost. |
| 35 | + |
| 36 | +## Feature guidance |
| 37 | + |
| 38 | +- `enable_ami_housekeeper`: enable only when you are building and managing your own AMIs. |
| 39 | +- `enable_runner_binaries_syncer`: enabled by default and recommended unless using a custom AMI with binaries already baked in. |
| 40 | +- `enable_instance_termination_watcher`: useful in spot environments to track termination warnings, but keep it in beta configuration if you are still evaluating it. |
| 41 | +- `job_retry`: only enable for ephemeral runners, and monitor GitHub API rate usage carefully. |
| 42 | + |
| 43 | +## Deployment checklist |
| 44 | + |
| 45 | +1. Confirm your AWS region, VPC, and subnets are configured. |
| 46 | +2. Create or install a GitHub App with `workflow_job` permissions. |
| 47 | +3. Choose `runner_os` and `runner_architecture` based on your workload. |
| 48 | +4. Enable `runner_binaries_syncer` or provide a prebuilt AMI. |
| 49 | +5. Configure `repository_white_list` or `enable_organization_runners` to limit scope. |
| 50 | +6. Review IAM permissions and set `role_permissions_boundary` if available. |
| 51 | +7. Validate `enable_ssm_on_runners` and debug logging settings before production rollout. |
| 52 | + |
| 53 | +## Learn more |
| 54 | + |
| 55 | +See the full documentation site for detailed configuration, examples, and architecture notes: |
| 56 | + |
| 57 | +- [Getting started](getting-started.md) |
| 58 | +- [Configuration](configuration.md) |
| 59 | +- [Modules](modules/runners.md) |
| 60 | +- [Examples](examples/index.md) |
0 commit comments