We should set up an autoscaling schedule to spin up the runners on certain days to do the release, then spin them down. Currently, we only use the release runners approx 1 day out of 7, leading to some inefficiencies.

This repo doesn't have a CONTRIBUTING.md file and it is referenced in the PR Template.

Finch targets a full CI suite for the latest 2 versions of macOS. Now that Ventura is now released, CI should be run on macOS 12.6 and macOS 13.0 instead of 11 & 12. In addition, two extra 10.15 runners need to be provisioned to serve the release build process.

After the beta infrastructure is deployed and after the tests are conducted, the EC2 instances should be spun down to conserve cost.

Currently, EC2 bare metal macOS instances are used to run finch's workflows. Due to the performance available on this hardware, it is not economical to have them only run 1 workflow at a time. If VMs are used, we can also leverage ephemeral GH runners to increase the availability/lower the cost of the infrastructure needed to support finch.

My recommendation is to consider the following options to make dependabot updates less churnful:

1. Apply a update group to the npm package ecosystem. (Ref)
2. Downgrade the frequency from daily to weekly.

The lambda function used for sending notifications about Inspector V2 image scan findings can be improved by adding Cloudwatch monitoring and alarming to alert on failed and/or missing invocations of the function.

The Build action has been consistently failing for the last month: https://github.com/runfinch/finch-core/actions/workflows/release.yaml

GitHub runners use passwordless sudo. However runners provisioned via finch infra don't allow passwordless sudo. (EDIT: this is observed consistently on the macOS 12 runner for arm64 https://github.com/runfinch/finch-core/actions/runs/6010202363/job/16301161154)

The log lines in step Make and release deps before timeout have been:

if [ "Darwin" != "Linux" -a ! -e "/opt/homebrew/bin/nerdctl" ]; then ln -sf nerdctl.lima "/opt/homebrew/bin/nerdctl"; fi
if [ "Darwin" != "Linux" -a ! -e "/opt/homebrew/bin/apptainer" ]; then ln -sf apptainer.lima "/opt/homebrew/bin/apptainer"; fi
sudo may prompt for password to run FileMonitor
Error: The operation was canceled. # <-- timeout, cancelled workflow

This message is coming from https://github.com/runfinch/finch-core/blob/08a4ca2a9285f1dd2fac3bd4701087b1b2fdec87/bin/lima-and-qemu.pl#L46

Still looking to verify but the smoking gun is that the script is hanging on a prompt for password.

eOn my machine macOS Ventura 13.4 M1 chip:

./bin/lima-and-qemu.pl                                            
ls: /opt/homebrew/bin/limactl: No such file or directory
Missing argument in sprintf at ./bin/lima-and-qemu.pl line 213.
sudo may prompt for password to run FileMonitor
Password:

Currently, there are no lifecycle policies for the S3 buckets or ECR repo created by this stack. Ideally we should discuss some reasonable policy and define it for resources in this repository.

Dedicated hosts should be created with auto placement on. This allows for reusing of hosts when deployments fail and hosts are created (but have to wait for the 24 hour limit on macOS EC2 instances).

This repo makes use of dependabot for code dependency updates. However, our infrastructure relies on other software, in particular GitHub Actions runners (https://github.com/actions/runner/releases).

Success criteria: a scheduled GitHub action utilizing the create-pull-request action that will 1/ check https://github.com/actions/runner/releases for a new release of the GitHub actions runner and 2/ cut a PR to update the version and sha for both x86 and ARM.

Using an ASG allows for a lot more flexibility in provisioning hosts, ensuring that there is always a set number of hosts/instances available to run finch's workflows. This also allows this issue to be handled well.

As each ASG is a stack made from the combination of a macOS version, the arch, and the repo, changing any of the attributes to a new combination will result in a new stack being created and the old stack being abandoned. See this PR for example. This PR will orphan the 12.6/arm/finch-core and 12.6/x86/finch-core stacks and create a new stack with 13.2/arm/finch-core and 13.2/x86/finch-core.

The old stacks should be cleaned up somehow when renamed like this.

Right now there are no unit tests for the rootfs image scanning Lambda. While this is non-critical infrastructure and the function is fairly simple, unit test coverage for the function would surely be an enhancement to the overall testing profile of this package.

A solution could define a class like this with a boto3 resource to be easily mocked:

class SnsTopicClass:
    """
    AWS SNS Topic Resource Class
    """
    def __init__(self,  sns_topic_resource):
        self.resource = sns_topic_resource["resource"]
        self.topic_arn = sns_topic_resource["topic_arn"]
        self.topic = self.resource.Topic(self.topic_arn)

# [1] Globally scoped resources
# Initialize the resources once per Lambda execution environment by using global scope.
_LAMBDA_SNS_TOPIC_RESOURCE = { "resource" : resource('sns'), 
                              "topic_arn" : os.environ.get("SNS_ARN","NONE") }

Alternatively, given this project is mainly TypeScript, the lambda function could be rewritten in TS to get the built in benefit of all testing tooling already living with the project, i.e. not having to maintain a python virtual environment or similar for testing this both locally for devs and in the actual pipeline defined in this project.

The AWS CDK toolkit provides no APIs for enabling enhanced image scanning for ECR repositories. The only image scanning that can be configured is the basic on-push scanning: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ecr-readme.html#image-scanning

To get around this, we can create a custom CDK stack that uses the AWS SDK to enable enhanced image scanning.

Summary

macOS 11 is not EOL (Ref)

Tasks

1. Remove macOS 11 from build and release matrix in finch repo
   a. e.g. https://github.com/runfinch/finch/blob/17d4bc8fbdf6b80e5070d2aa3ed1c85b112252fb/.github/workflows/build-and-test-pkg.yaml#L59
2. Remove macOS 11 runners from configuration in infrastructure repo