JavaScript
A continuous integration system built on AWS Lambda

LambCI

Serverless continuous integration

Automate your testing and deployments with:

• 100 concurrent builds out of the box (can request more)
• No maintenance of web servers, build servers or databases
• Zero cost when not in use (ie, 100% utilization)
• Easy to integrate with the rest of your AWS resources

Contents

• Overview
• Installation
• Configuration
• Updating
• Security
• Language Recipes
• Extending with ECS
• Questions

What is it?

LambCI is a package you can upload to AWS Lambda that gets triggered when you push new code or open pull requests on GitHub and runs your tests (in the Lambda environment itself) – in the same vein as Jenkins, Travis or CircleCI.

It integrates with Slack, and updates your Pull Request and other commit statuses on GitHub to let you know if you can merge safely.

It can be easily launched and kept up-to-date as a CloudFormation Stack, or you can manually create the different resources yourself.

(Support for running under Google Cloud Functions may be added in the near future, depending on the API they settle on)

Supported languages

• Node.js (multiple versions via nave)
• Python 2.7
• Go (any version – can manually bootstrap)
• No native compilation as yet (but it's in the works!)
• Java 7/8 JREs are installed, but no SDKs, so... tricky... needs research
• Check the Recipes list below for the status of other languages/tools

Prerequisites

• An Amazon AWS account
• A GitHub OAuth token (see below)
• (optional) A Slack API token (see below)

Current Limitations (due to the Lambda environment itself)

• No root access
• 5 min max build time
• Bring-your-own-binaries – Lambda has a limited selection of installed software
• 1.5GB max memory
• Linux only

You can get around many of these limitations by configuring LambCI to send tasks to an ECS cluster where you can run your builds in Docker.

Installation

The easiest way to install LambCI is to spin up a CloudFormation stack using lambci.template – this is just a collection of related AWS resources, including the main LambCI Lambda function and DynamoDB tables, that you can update or remove together – it should take around 3-4 minutes to spin up.

You can run multiple stacks with different names side-by-side too (eg, lambci-private and lambci-public).

As part of the stack setup, you can supply your GitHub and Slack API tokens, as well as a list of repositories you want to trigger LambCI, but you don't have to – you can add these later, either by updating the CloudFormation stack, or using the AWS DynamoDB console or lambci command line. If you'd prefer to do that, you can skip straight to Step 3.

1. Create a GitHub token

You can create a token in the Personal access tokens section of your GitHub settings. If you're setting up LambCI for an organization, it might be a good idea to create a separate GitHub user dedicated to running automated builds (GitHub calls these "machine users") – that way you have more control over which repositories this user has access to.

Click the Generate new token button and then select the appropriate access levels.

LambCI only needs read access to your code, but unfortunately GitHub has rather crude access mechanisms and doesn't have a readonly scope for private repositories – the only options is to choose repo ("Full control"). Other CI systems have the same frustrations.

If you're only using LambCI for public repositories, then you just need access to commit statuses and repository hooks (even the latter you can do away with if you're adding/removing the hooks manually):

Then click the "Generate token" button and GitHub will generate a 40 character hex API token.

2. Create a Slack token (optional)

You can obtain a Slack API token by creating a bot user (or you can use the token from an existing bot user if you have one) – this direct link should take you there, but you can navigate from the App Directory via Browse Apps > Custom Integrations > Bots.

Pick any name, and when you click "Add integration" Slack will generate an API token that looks something like xoxb-<numbers>-<letters>

3. Launch the LambCI CloudFormation stack

You can either use this direct link or navigate in your AWS Console to Services > CloudFormation, choose "Create Stack" and upload lambci.template from the root of this repository, or use the S3 link:

Then click Next where you can enter a stack name (lambci is a good default), API tokens, Slack channel and a comma-separated list of any repositories you want to add hooks to:

Click Next, and then Next again on the Options step (leaving the default options selected), to get to the final Review step:

Check the acknowledgment checkbox and click Create to start the resource creation process:

Once your stack is created (should be done in a few minutes) you're ready to start building!

By default LambCI only responds to pushes on the master branch and pull requests (you can configure this), so try either of those – if nothing happens, then check Services > CloudWatch > Logs in the AWS Console and see the Questions section below.

You can check that the hooks have been installed in a repository correctly by going to Settings > Webhooks and services on the GitHub repository page (ie, https://github.com/<user>/<repo>/settings/hooks). There should be a Service listed as Amazon SNS – if you click the edit (pencil) button then you can choose to "Test Service" (it should send a push event).

Configuration

Many configuration values can be specified in a .lambci.js, .lambci.json or package.json file in the root of your repository – and all values can be set in the DynamoDB configuration table (named <stack>-config, eg, lambci-config)

For example, the default command that LambCI will try to run is npm install && npm test, but let's say you have a python project – you could put the following in .lambci.json in your repository root:

{
  "cmd": "pip install --user tox && tox"
}

(LambCI bundles pip and adds $HOME/.local/bin to PATH)

If you have a more complicated build setup, then you could specify make or create a bash script in your repository root:

{
  "cmd": "./lambci-test.sh"
}

Overriding default properties

LambCI resolves configuration by overriding properties in a cascading manner in the following order:

1. Default config (see below)
2. global project key in lambci-config DynamoDB table
3. gh/<user>/<repo> project key in lambci-config DynamoDB table
4. lambci property in package.json file in repository root
5. .lambci.js or .lambci.json file in repository root

You can use the command line to edit the DynamoDB config values:

lambci config secretEnv.GITHUB_TOKEN abcdef01234
lambci config --project gh/mhart/kinesalite secretEnv.SLACK_TOKEN abcdef01234

Or the AWS console:

So if you wanted to use a different Slack token and channel for a particular project, you could create an item in the config table with the project key gh/<user>/<repo> that looks similar to the global config above, but with different values:

{
  project: 'gh/mhart/kinesalite',
  secretEnv: {
    SLACK_TOKEN: 'xoxb-1234243432-vnjcnioeiurn'
  },
  notifications: {
    slack: {
      channel: '#someotherchannel'
    }
  }
}

Using the command line:

lambci config --project gh/mhart/kinesalite secretEnv.SLACK_TOKEN xoxb-1234243432-vnjcnioeiurn
lambci config --project gh/mhart/kinesalite notifications.slack.channel '#someotherchannel'

Config file overrides

Here's an example package.json overriding the cmd property:

{
  "name": "some-project",
  "scripts": {
    "lambci-build": "eslint . && mocha"
  },
  "lambci": {
    "cmd": "npm install && npm run lambci-build"
  }
}

And the same example using .lambci.js:

module.exports = {
  cmd: 'npm install && npm run lambci-build'
}

The ability to override config properties using repository files depends on the allowConfigOverrides property (see the default config below).

Branch and pull request properties

Depending on whether LambCI is building a branch from a push or a pull request, config properties can also be specified to override in these cases.

For example, to determine whether a build should even take place, LambCI looks at the top-level build property of the configuration. By default this is actually false, but if the branch is master, then LambCI checks for a branches.master property and if it's set, uses that instead:

{
  build: false,
  branches: {
    master: true
  }
}

If a branch just has a true value, this is the equivalent of {build: true}, so you can override other properties too – ie, the above snippet is just shorthand for:

{
  build: false,
  branches: {
    master: {
      build: true
    }
  }
}

So if you wanted Slack notifications to go to a different channel to the default for the develop branch, you could specify:

{
  branches: {
    master: true,
    develop: {
      build: true,
      notifications: {
        slack: {
          channel: '#dev'
        }
      }
    }
  }
}

Default configuration

This configuration is hardcoded in utils/config.js and overridden by any config from the DB (and config files)

{
  cmd: 'npm install && npm test',
  env: { // env values exposed to build commands
  },
  secretEnv: { // secret env values, exposure depends on inheritSecrets config below
    GITHUB_TOKEN: '',
    SLACK_TOKEN: '',
  },
  s3Bucket: '', // bucket to store build artifacts
  notifications: {
    slack: {
      channel: '#general',
      username: 'LambCI',
      iconUrl: 'https://lambci.s3.amazonaws.com/assets/logo-48x48.png',
      asUser: false,
    },
  },
  build: false, // Build nothing by default except master and PRs
  branches: {
    master: true,
  },
  pullRequests: {
    fromSelfPublicRepo: true, // Pull requests from same (private) repo will build
    fromSelfPrivateRepo: true, // Pull requests from same (public) repo will build
    fromForkPublicRepo: { // Restrictions for pull requests from forks on public repos
      build: true,
      inheritSecrets: false, // Don't expose secretEnv values in the build command environment
      allowConfigOverrides: ['cmd', 'env'], // Only allow file config to override cmd and env properties
    },
    fromForkPrivateRepo: false, // Pull requests from forked private repos won't run at all
  },
  s3PublicSecretNames: true, // Use obscured names for build HTML files and make them public
  inheritSecrets: true, // Expose secretEnv values in the build command environment by default
  allowConfigOverrides: true, // Allow files to override config values
  clearTmp: true, // Delete /tmp each time for safety
  git: {
    depth: 5, // --depth parameter for git clone
  },
}

SNS Notifications (for email, SMS, etc)

By default, the CloudFormation template doesn't create an SNS topic to publish build statuses (ie, success, failure) to – but if you want to receive build notifications via email or SMS, or some other custom SNS subscriber, you can specify an SNS topic and LambCI will push notifications to it:

notifications: {
  sns: {
    topicArn: 'arn:aws:sns:us-east-1:1234:lambci-StatusTopic-1WF8BT36'
  }
}

The Lambda function needs to have permissions to publish to this topic, which you can either add manually, or by modifying the CloudFormation lambci.template and updating your stack.

Add a top-level SNS topic resource:

"StatusTopic" : {
  "Type": "AWS::SNS::Topic",
  "Properties": {
    "DisplayName": "LambCI"
  }
}

And then add the following to the LambdaExecution.Properties.Policies array to give the Lambda function the correct permissions:

{
  "PolicyName": "PublishSNS",
  "PolicyDocument": {
    "Statement": {
      "Effect": "Allow",
      "Action": [
        "sns:Publish"
      ],
      "Resource": {"Ref": "StatusTopic"}
    }
  }
}

Updating

You can update your CloudFormation stack at any time to change, add or remove the parameters – or even upgrade to a new version of LambCI.

In the AWS Console, go to Services > CloudFormation, select your LambCI stack in the list and then choose Actions > Update Stack. You can keep the same template selected (unless you're updating LambCI and the template has different resources), and then when you click Next you can modify parameters like your GitHub token, repositories, Slack channel, LambCI version, etc.

LambCI will do its best to update these parameters correctly, but if it fails or you run into trouble, just try setting them all to blank, updating, and then update again with the values you want.

Security

The default configuration passes secret environment variables to build commands, except when building forked repositories. This allows you to use your AWS credentials and Git/Slack tokens in your build commands to communicate with the rest of your stack. Set inheritSecrets to false to prevent this.

HTML build logs are generated with random filenames, but are accessible to anyone who has the link. Set s3PublicSecretNames to false to make build logs completely private (you'll need to use the AWS console to access them), or you can remove s3Bucket entirely – you can still see the build logs in the Lambda function output in CloudWatch Logs.

By default, the /tmp directory is removed each time – this is to prevent secrets from being leaked if your LambCI stack is building both private and public repositories. However, if you're only building private (trusted) repositories, then you can set the clearTmp config to false, and potentially cache files (eg, in $HOME) for use across builds (this is not guaranteed – it depends on whether the Lambda environment is kept "warm").

If you discover any security issues with LambCI please email security@lambci.org.

Language Recipes

LambCI doesn't currently have any language-specific settings. The default command is npm install && npm test which will use the default Lambda version of Node.js (4.3.x) and npm (2.x).

The way to build with different Node.js versions, or other languages entirely, is just to override the cmd config property (specifying a test property in a package.json file would work too).

Node.js

LambCI comes with nave installed and available on the PATH, so if you wanted to run your npm install and tests using the latest Node.js v6.x and npm v3.x, you could do specify:

{
  "cmd": "nave use 6 bash -c 'npm install && npm test'"
}

If you're happy using the built-in npm to install, you could simplify this a little:

{
  "cmd": "npm install && nave use 6 npm test"
}

There's currently no way to run multiple builds in parallel but you could have processes run in parallel using a tool like npm-run-all – the logs will be a little messy though!

Here's an example package.json for running your tests in Node.js v4, v5 and v6 simultaneously:

{
  "lambci": {
    "cmd": "npm install && npm run ci"
  },
  "scripts": {
    "ci": "run-p ci:*",
    "ci:node4": "nave use 4 npm test",
    "ci:node5": "nave use 5 npm test",
    "ci:node6": "nave use 6 npm test"
  },
  "devDependencies": {
    "npm-run-all": "*"
  }
}

Python 2.7

LambCI comes with pip installed and available on the PATH, and Lambda has Python 2.7 already installed. $HOME/.local/bin is also added to PATH, so local pip installs should work:

{
  "cmd": "pip install --user tox && tox"
}

Go

The go toolchain is not installed on Lambda already and is too big to include in the LambCI package, but it's very easy (and quick) to install as part of your build – and if your Lambda process stays warm, then you won't need to install it again. Just add something like this before your build/test commands:

#!/bin/bash -ex

VERSION=1.6.2

if ! [ -d $HOME/go ]; then
  curl -sSL https://storage.googleapis.com/golang/go${VERSION}.linux-amd64.tar.gz | tar -C $HOME -xz
fi

export GOROOT=$HOME/go
export PATH=$PATH:$GOROOT/bin

(then be sure to set GOPATH correctly)

You can see examples of this working here and here (obviously you can leave out the git clone steps for your own projects)

Rust

This is a work in progress – the commands below will install rustc, cargo and rustup, which work up to a point – but rust relies on a working cc installation, which is still a TODO (see Clang below)

#!/bin/bash -ex

export CARGO_HOME=$HOME/.cargo
export MULTIRUST_HOME=$HOME/.multirust
export RUSTUP_HOME=$HOME/.multirust/rustup

curl https://sh.rustup.rs -sSf | sh -s -- -y

export PATH=$HOME/.cargo/bin:$PATH
rustc --version
cargo --version

(cargo build --verbose works, but cargo test --verbose won't because there's no cc)

Clang

The CentOS 6 version of clang seems to install fine – but getting the various development headers and libraries (stdio.h, etc) is still a work in progress. It should be easier than getting a full gcc installation working though.

#!/bin/bash -ex

curl -sSL http://llvm.org/releases/3.8.0/clang+llvm-3.8.0-linux-x86_64-centos6.tar.xz | tar -C $HOME -xJ
export CC=$HOME/clang+llvm-3.8.0-linux-x86_64-centos6/bin/clang
export CXX=$HOME/clang+llvm-3.8.0-linux-x86_64-centos6/bin/clang++
export PATH=$HOME/clang+llvm-3.8.0-linux-x86_64-centos6/bin:$PATH
clang --version

Java

TODO

Ruby

TODO

PHP

TODO

Extending with ECS

LambCI can run tasks on an ECS cluster, which means you can perform all of your build tasks in a Docker container and not be subject to the same restrictions you have in the Lambda environment.

This needs to be documented further – for now you'll have to go off the source and check out the lambci/ecs repo.

Questions

What does the Lambda function do?

1. Receives notification from GitHub (via SNS)
2. Looks up config in DynamoDB
3. Clones git repo using a bundled git binary
4. Looks up config files in repo
5. Runs install and build cmds on Lambda (or starts ECS task)
6. Updates Slack and GitHub statuses along the way (optionally SNS for email, etc)
7. Uploads build logs/statuses to S3

How do all the pieces fit together?

Something like this:

Why isn't my build triggering on large pushes?

Most GitHub events are relatively small – except in the case of branch pushes that involve hundreds of files (pull request events are not affected). GitHub keeps events it sends under the SNS limit of 256kb by splitting up larger events, but because Lambda events are currently limited to 128kb (which will hopefully be fixed soon!), SNS will fail to deliver them to the Lambda function (and you'll receive an error in your CloudWatch SNS failure logs).

If this happens, and LambCI isn't triggered by a push, then you can just create a dummy commit and push that, which will result in a much smaller event:

git commit --allow-empty -m 'Trigger LambCI'
git push

License

MIT