2 changes: 1 addition & 1 deletion AGENTS.md
Expand Up @@ -120,7 +120,7 @@ Use Go version from `lambda/go.mod`. CI runs formatting check, go vet, `make lam
- **`.github/workflows/label-old-prs.yml`** – workflow_dispatch; applies the labeler to existing PRs (inputs: state e.g. merged/closed/all, limit). Use to backfill labels on old or merged PRs.
- **`.github/workflows/release.yml`** – On push of tags `v*.*.*` (and workflow_dispatch); runs GoReleaser to create a GitHub Release with five function zip archives (`webhook.zip`, `scaleup.zip`, `scaledown.zip`, `lifecycle.zip`, `rebalancer.zip`), raw binaries, checksums, and release notes. The GCP Terraform module fetches these zips declaratively from the release matching `var.release_tag`.
- **`.github/workflows/gce-image-build.yml`** – GCP GCE image build on tag push or `workflow_dispatch`. OIDC auth via `GCE_BUILD_WIF_PROVIDER` + `GCE_BUILD_SA_EMAIL` repo secrets (Workload Identity Federation set up out-of-band in the maintainer's personal GCP project per spec D14).
- **`.github/workflows/ami-build.yml`** – workflow_dispatch (inputs: `runner_version`, `go_version`, `node_major_version`, `jit_runners_version`, `extra_script`, `distribute`), auto-trigger on version tag push (`v*`), and pull_request trigger for `infra/packer/**` changes. `jit_runners_version` is auto-detected via `git describe --tags --always` when not provided. PR builds create private (`ami_groups=[]`) AMIs with the `jit-runner-pr` name prefix, no distribution, and a post-build cleanup step that deregisters the AMI and deletes its snapshots. Non-PR builds run `packer validate` then `packer build`; when `distribute=true`, copies AMI to all distribution regions (US, EU, SA). Uses OIDC (`AMI_BUILD_ROLE_ARN` secret) to assume the build role. Writes AMI ID, jit-runners version, runner version, Go version, Node.js version, and build summary to the GitHub Actions job summary. **Runs on `ubuntu-latest` (GitHub-hosted)**: the self-hosted runner security group only allows egress on ports 443/80/53 — SSH (port 22) is blocked outbound, which causes Packer to time out when connecting to the build instance. GitHub-hosted runners have unrestricted network access and eliminate the circular dependency of building jit-runner AMIs on the jit-runners infrastructure itself.
- **`.github/workflows/ami-build.yml`** – workflow_dispatch (inputs: `runner_version`, `go_version`, `node_major_version`, `jit_runners_version`, `extra_script`, `distribute`), auto-trigger on version tag push (`v*`), and pull_request trigger for `infra/packer/**` changes. `jit_runners_version` is auto-detected via `git describe --tags --always` when not provided. PR builds create private (`ami_groups=[]`) AMIs with the `jit-runner-pr` name prefix, no distribution, and a post-build cleanup step that deregisters the AMI and deletes its snapshots. Non-PR builds run `packer validate` then `packer build`; when `distribute=true`, copies AMI to all distribution regions (US, EU, SA). Uses OIDC (`AMI_BUILD_ROLE_ARN` secret) to assume the build role. Writes AMI ID, jit-runners version, runner version, Go version, Node.js version, and build summary to the GitHub Actions job summary. **Runs on `ubuntu-latest` (GitHub-hosted)**: the self-hosted runner security group only allows egress on ports 443/80/53/5432 — SSH (port 22) is blocked outbound, which causes Packer to time out when connecting to the build instance. GitHub-hosted runners have unrestricted network access and eliminate the circular dependency of building jit-runner AMIs on the jit-runners infrastructure itself.
- **Renovate** – Dependency-update PRs (Go modules and GitHub Actions) are opened by [Renovate](https://docs.renovatebot.com/) from [.github/renovate.json5](.github/renovate.json5). Do not remove or override this config without reason.

Semantic versioning: use tags like `v0.1.0`.
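Review bot: the updated sentence adds 5432 to the allowed egress list but gives no reason for it, while the rest of the sentence still only explains why SSH is blocked; a reader of AGENTS.md cannot tell that 5432 is the Supabase session pooler rule used for DB migrations, which is the purpose the Terraform and CloudFormation descriptions in this PR carry. Suggest `only allows egress on ports 443/80/53/5432 (5432: PostgreSQL to the Supabase session pooler for DB migrations in deploy workflows)` so the doc stays tied to the security group's intent.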
2 changes: 1 addition & 1 deletion CLAUDE.md
Expand Up @@ -185,7 +185,7 @@ Applies to `.github/**/*.yml`, `Makefile`, `.goreleaser.yml`:
- **Release**: Push a tag → CI runs `release.yml` → GoReleaser creates a GitHub Release with five function zip archives (`webhook.zip`, `scaleup.zip`, `scaledown.zip`, `lifecycle.zip`, `rebalancer.zip`), raw binaries, checksums, and release notes. The GCP Terraform module fetches these zips declaratively from the release matching `var.release_tag`.
- **Release notes**: Generated by GitHub (github-native) and categorized by `.github/release.yml` + PR labels. For breaking changes to appear under "Breaking Changes", apply the `breaking-change` label before merge.
- **Branch naming for labels**: `feat/...` → feature, `fix/...` → bug, `enhance/...` → enhancement, `ci/...` → github-actions, `(deps)/...` → dependencies, branch with `!` → breaking-change.
- **AMI build CI**: `.github/workflows/ami-build.yml` — workflow_dispatch (inputs: `runner_version`, `go_version`, `node_major_version`, `jit_runners_version`, `extra_script`, `distribute`), auto-trigger on version tag push (`v*`), and pull_request trigger for `infra/packer/**` changes. PR builds create private (`ami_groups=[]`), single-region AMIs with the `jit-runner-pr` prefix and auto-clean up the AMI and snapshots after the build. The `jit_runners_version` is auto-detected via `git describe --tags --always` (falls back to `dev`) if not provided. Uses OIDC role assumption via `AMI_BUILD_ROLE_ARN` secret. Distribute copies AMI to US, EU, and SA regions. **Runs on GitHub-hosted runners (`ubuntu-latest`)**, not self-hosted — the self-hosted runner security group only permits egress on ports 443/80/53, which blocks the SSH connection (port 22) that Packer requires to reach the build instance; this also avoids the circular dependency of building jit-runner AMIs on the jit-runners infrastructure itself.
- **AMI build CI**: `.github/workflows/ami-build.yml` — workflow_dispatch (inputs: `runner_version`, `go_version`, `node_major_version`, `jit_runners_version`, `extra_script`, `distribute`), auto-trigger on version tag push (`v*`), and pull_request trigger for `infra/packer/**` changes. PR builds create private (`ami_groups=[]`), single-region AMIs with the `jit-runner-pr` prefix and auto-clean up the AMI and snapshots after the build. The `jit_runners_version` is auto-detected via `git describe --tags --always` (falls back to `dev`) if not provided. Uses OIDC role assumption via `AMI_BUILD_ROLE_ARN` secret. Distribute copies AMI to US, EU, and SA regions. **Runs on GitHub-hosted runners (`ubuntu-latest`)**, not self-hosted — the self-hosted runner security group only permits egress on ports 443/80/53/5432, which blocks the SSH connection (port 22) that Packer requires to reach the build instance; this also avoids the circular dependency of building jit-runner AMIs on the jit-runners infrastructure itself.
- **GCE image build CI**: `.github/workflows/gce-image-build.yml` — workflow_dispatch, auto-trigger on version tag push, and pull_request trigger for `infra/packer/**` changes. PR builds use the `jit-runner-pr` prefix and auto-clean up after the workflow. Uses Workload Identity Federation via `GCE_BUILD_WIF_PROVIDER` + `GCE_BUILD_SA_EMAIL` repo secrets (set up out-of-band in the maintainer's personal GCP project per spec D14).
- Keep path filters and job dependencies intact in CI workflows. Do not remove or override Renovate config in `.github/renovate.json5`.
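Review bot: this is the second of three places (AGENTS.md, CLAUDE.md, docs/ami-prebaked.md) where the same egress port list is hand-maintained, and this PR already shows the cost: a one-port change touches three prose sentences. Suggest having CLAUDE.md and AGENTS.md state the rule once, e.g. `egress is limited to the ports listed in the runner security group in infra/terraform/ec2.tf and infra/cloudformation/template.yaml`, and keep the explicit list only in docs/ami-prebaked.md, so the next rule change cannot leave one copy stale.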

2 changes: 1 addition & 1 deletion docs/ami-prebaked.md
Expand Up @@ -244,7 +244,7 @@ The manifest file at `/opt/jit-runner-manifest.txt` records all installed tool v

The GitHub Actions workflow (`.github/workflows/ami-build.yml`) builds AMIs automatically:

- **Runs on**: `ubuntu-latest` (GitHub-hosted runners). The self-hosted runner security group only permits egress on ports 443/80/53 — SSH (port 22) is blocked outbound, which causes Packer to time out when connecting to the build instance. GitHub-hosted runners have unrestricted network access. Using them also avoids the circular dependency of building jit-runner AMIs on the jit-runners infrastructure itself.
- **Runs on**: `ubuntu-latest` (GitHub-hosted runners). The self-hosted runner security group only permits egress on ports 443/80/53/5432 — SSH (port 22) is blocked outbound, which causes Packer to time out when connecting to the build instance. GitHub-hosted runners have unrestricted network access. Using them also avoids the circular dependency of building jit-runner AMIs on the jit-runners infrastructure itself.
- **Triggers**:
- `workflow_dispatch` (manual)
- Version tag push (`v*`) — produces a public, distributable AMI matching the release
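Review bot: the sentence after the new port list still says GitHub-hosted runners have "unrestricted network access", which now reads as if the only reason to use them is that the self-hosted group is restricted; with 5432 now opened for that group, a reader may wonder why SSH egress was not simply opened the same way. Suggest a half-sentence making the distinction explicit, e.g. `5432 is opened only for the Supabase session pooler used by DB migrations; SSH egress is deliberately not opened, so Packer builds stay on GitHub-hosted runners.`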
5 changes: 5 additions & 0 deletions infra/cloudformation/template.yaml
Expand Up @@ -178,6 +178,11 @@ Resources:
ToPort: 53
CidrIp: 0.0.0.0/0
Description: DNS
- IpProtocol: tcp
FromPort: 5432
ToPort: 5432
CidrIp: 0.0.0.0/0
Description: PostgreSQL session pooler (Supabase) for DB migrations in deploy workflows
Tags:
- Key: Name
Value: !Sub "${AWS::StackName}-runner"
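Review bot: the new rule opens TCP 5432 to `0.0.0.0/0`, but its Description names a single destination (the Supabase session pooler), so the CIDR is far wider than the stated need; unlike 443/80/53, which serve general package and API traffic, a Postgres-to-anywhere egress gives any job on the runner an outbound channel to arbitrary hosts on 5432. Suggest a `SupabasePoolerCidr` parameter (name is a suggestion) with `CidrIp: !Ref SupabasePoolerCidr`, plus a Condition so the rule is only created when the parameter is set, since not every stack runs DB migrations from the runner. Keep this rule and the matching Terraform `egress` block in `infra/terraform/ec2.tf` scoped the same way, as both are changed in this PR.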
10 changes: 10 additions & 0 deletions infra/terraform/ec2.tf
Expand Up @@ -43,6 +43,16 @@ resource "aws_security_group" "runner" {
description = "DNS"
}

# Allow outbound PostgreSQL to the Supabase session pooler (port 5432) so
# deploy workflows can apply DB migrations from the runner.
egress {
from_port = 5432
to_port = 5432
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
description = "PostgreSQL session pooler (Supabase) for DB migrations in deploy workflows"
}

# No ingress rules - runners don't need inbound traffic.

tags = {
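Review bot: `cidr_blocks = ["0.0.0.0/0"]` makes this a Postgres-to-anywhere rule even though the comment scopes it to the Supabase session pooler; the rules above it are general-purpose, this one has a single intended peer. Suggest a `variable "db_migration_egress_cidrs"` (name is a suggestion) defaulting to `[]` and a `dynamic "egress"` block with `for_each = length(var.db_migration_egress_cidrs) > 0 ? [1] : []` and `cidr_blocks = var.db_migration_egress_cidrs` in its `content`, so deployments that do not run migrations from the runner get no 5432 egress at all and the rest are narrowed to the pooler's addresses. The CloudFormation template in this PR should use the same scoping so the two definitions do not drift.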