From f439e998baf524ea6418ef8d2b9d88631083e13d Mon Sep 17 00:00:00 2001
From: yuriyryabikov <22548029+kurok@users.noreply.github.com>
Date: Tue, 21 Apr 2026 15:47:59 +0100
Subject: [PATCH] ci: rotate ec2-github-runner SHA + opt into EBS encryption (Phase 6.b)

namecheap/ec2-github-runner#27 merged. Rotates both pins from 0fdd401 (Phase 4 retry) to 7c6a9a7 (Phase 6.b) and flips the new encrypt-ebs input to 'true' so the acceptance-test runner's root volume launches with SSE-EBS. Risk: if the CI AWS account can't use the default aws/ebs KMS key or the shared AMI's snapshot is encrypted with a customer-managed key lacking a cross-account grant, start-runner will fail with a KMS / IAM error. The action-side code handles that gracefully (throws early rather than timing out on registration), so diagnostics are easy via aws ec2 get-console-output. If dogfood fails, revert just the encrypt-ebs line; SHA rotation is orthogonal and can stay green.

Signed-off-by: yuriyryabikov <22548029+kurok@users.noreply.github.com>
---
 .github/workflows/ci.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c586a568..5e965003 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -133,7 +133,7 @@ jobs:
         # SHA-pinned (was @feat/al2023-support). The same SHA is reused by
         # the stop-runner step so both halves of the runner lifecycle run
         # identical action code.
-        uses: namecheap/ec2-github-runner@0fdd4014da74d56d46154f73a1cfe6d6113cbedc # feat/al2023-support @ 2026-04-21 — Phase 4 (retry): non-root runner + --ephemeral + hardcoded checksum table
+        uses: namecheap/ec2-github-runner@7c6a9a782d374e1c6d834b6dee1a4be3511197bf # feat/al2023-support @ 2026-04-21 — Phase 6.b: opt-in EBS encryption
         with:
           mode: start
           github-token: ${{ secrets.GH_TOKEN }}
@@ -147,6 +147,10 @@ jobs:
           security-group-id: sg-106ec76d
           eip-allocation-id: eipalloc-1796f61b
           iam-role-name: AmazonSSMRoleForInstancesQuickSetup
+          # SSE-EBS on the runner's root volume. Uses the launch
+          # account's default aws/ebs KMS key; AMI snapshot-id is
+          # dropped so AWS re-encrypts at launch time.
+          encrypt-ebs: 'true'
           aws-resource-tags: >
             [
               { "Key": "Name", "Value": "github_runner" },
@@ -224,7 +228,7 @@ jobs:
       - name: Stop EC2 runner
         # SHA-pinned (was @main). Matches the start-runner step above so
         # stop logic is in lockstep with the code that started the runner.
-        uses: namecheap/ec2-github-runner@0fdd4014da74d56d46154f73a1cfe6d6113cbedc # feat/al2023-support @ 2026-04-21 — Phase 4 (retry): non-root runner + --ephemeral + hardcoded checksum table
+        uses: namecheap/ec2-github-runner@7c6a9a782d374e1c6d834b6dee1a4be3511197bf # feat/al2023-support @ 2026-04-21 — Phase 6.b: opt-in EBS encryption
         with:
           mode: stop
           github-token: ${{ secrets.GH_TOKEN }}
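Review bot: The comment added above `encrypt-ebs: 'true'` asserts what the action does with the AMI snapshot-id at launch, which nothing in this workflow can show; that behaviour lives in the pinned action, so the comment should point at where it is defined and name the failure mode the commit message already spells out, e.g. `# SSE-EBS on the runner's root volume (behaviour lives in namecheap/ec2-github-runner#27, pinned at 7c6a9a7).`, `# Uses the launch account's default aws/ebs KMS key; that key is AWS-managed, so its key policy cannot be scoped to this runner.`, `# A KMS/IAM error from start-runner points at this line, not the SHA pin; revert this line alone.` Quoting `'true'` is right here: every `with:` input reaches the action as a string, so an unquoted boolean would buy nothing and is less portable across YAML loaders. Whether the default aws/ebs key is acceptable for the shared AMI's snapshot depends on how that snapshot is encrypted, which this hunk cannot tell us; if a customer-managed key turns out to be required, that would need action-side support not visible in this diff. The enclosing start-runner step begins outside the hunk.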