awslabs · scottschreckengaust · Feb 25, 2026 · Feb 25, 2026 · Feb 26, 2026 · Feb 26, 2026
@@ -0,0 +1,91 @@
+# This workflow runs on a GitHub-hosted runner, authenticates to AWS via OIDC,
+# and invokes CodeBuild's StartBuild API. CloudWatch logs are streamed back
+# to the GitHub Actions console.
+#
+# Prerequisites: see docs/ADMINISTRATORS_GUIDE.md#codebuild-integration
+
+name: Build (CodeBuild)
+
+on:
+  workflow_dispatch: {}
+
+permissions:
+  actions: none
+  attestations: none
+  checks: none
+  contents: none
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  models: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+jobs:
+  build:
+    # Protected environment — requires non-self-approval before the job runs.
+    # Configure in Settings > Environments > codebuild:
+    #   - Required reviewers: at least 1
+    #   - Prevent self-review: enabled
+    environment: codebuild
+
+    permissions:
+      actions: read
+      contents: read
+      id-token: write # Required for OIDC token request to AWS STS
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@e3ef6f550da368605b4c77eccc1b4b21662498dd # v4.1.0
+        with:
+          role-to-assume: ${{ secrets.AWS_CODEBUILD_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION || 'us-east-1' }}
+
+      - name: Verify AWS identity
+        run: aws sts get-caller-identity
+
+      - name: Run CodeBuild
+        id: codebuild
+        uses: aws-actions/aws-codebuild-run-build@d8279f349f3b1b84e834c30e47c20dcb8888b7e5 # v1.0.18
+        with:
+          project-name: ${{ vars.CODEBUILD_PROJECT_NAME }}
+          source-version-override: ${{ github.sha }}
+          # BUILD_GENERAL1_SMALL | BUILD_GENERAL1_MEDIUM | BUILD_GENERAL1_LARGE
+          compute-type-override: BUILD_GENERAL1_LARGE
+          buildspec-override: |
+            version: 0.2
+            env:
+              variables:
+                MISE_YES: "1"
+            phases:
+              install:
+                commands:
+                  - curl https://mise.run | sh
+                  - mise install
+              pre_build:
+                commands:
+                  - eval "$(~/.local/bin/mise activate bash)"
+                  - mise --version
+                  - mise ls
+              build:
+                commands:
+                  - eval "$(~/.local/bin/mise activate bash)"
+                  - mise run build
+              post_build:
+                commands:
+                  - echo "Build completed with status $CODEBUILD_BUILD_SUCCEEDING"
+            artifacts:
+              files:
+                - '**/*_sarif.json'
+              discard-paths: yes
+
+      - name: Build ID
+        if: always()
+        run: echo "CodeBuild Build ID ${{ steps.codebuild.outputs.aws-build-id }}"
@@ -8,6 +8,7 @@ Depending on your role, please review the appropriate guide for repository-speci
 
 - [Development Guide](./docs/DEVELOPMENT_GUIDE.md) - For contributors and developers
 - [Maintainers Guide](./docs/MAINTAINERS_GUIDE.md) - For reviewers, maintainers, and admins
+- [Administrators Guide](./docs/ADMINISTRATORS_GUIDE.md) - For GitHub repository and AWS account setup
 
 **Using Claude Code?** See the [Claude Code Setup](./docs/DEVELOPMENT_GUIDE.md#claude-code-setup) section in the Development Guide for project-specific configuration.
 

@@ -129,6 +129,10 @@ If you want to add a new plugin to the library, check out our [design guidelines
 
 Repository reviewers, maintainers, and admins can find PR review workflows, merge rules, and CI/CD documentation in the [maintainers guide](./docs/MAINTAINERS_GUIDE.md).
 
+## Administrators
+
+GitHub environment and AWS account configuration are documented in the [administrators guide](./docs/ADMINISTRATORS_GUIDE.md).
+
 ## Additional Resources
 
 - [Introducing Agent Plugins for AWS Blog](https://aws.amazon.com/blogs/developer/introducing-agent-plugins-for-aws/)