
ci: foundational CodeBuild infra + ci-plugin canary (#168)#150

Merged
dwinter3 merged 1 commit into main from ci/codebuild-canary-ci-plugin on May 9, 2026

Conversation

@dwinter3

@dwinter3 dwinter3 commented May 9, 2026

Summary

First canary of the GHA → CodeBuild migration scoped in docs/decisions/13-gha-to-codebuild-migration.md.

  • templates/codebuild-project.yaml — reusable CloudFormation module: one CodeBuild project per workflow, IAM Pattern B service role (<workflow>-<repo-short>-cb-role), webhook filter groups for PR (created/updated/reopened) + push to main, optional BatchBuild for matrix workflows, optional sts:AssumeRole on a deploy-target role (e.g. marketing-website-deployer). Source = GitHub via CodeStarConnections so PR commit-status reports back automatically. Copyable verbatim into 8th-layer-marketing-website / 8th-layer-marketplace for feat(L2 ui): apply 8th-Layer brand theme (replace mainline cq defaults) #169 / feat(L2 ui): Personas/agents directory + per-persona activity timeline #170.
  • ci/buildspecs/ci-plugin.yml — buildspec mirroring .github/workflows/ci-plugin.yaml exactly (install uv, run make setup-plugin lint-plugin, cache uv install dir). No tighten / no loosen.
  • ci/README.md — deploy + rollback runbook.
  • The existing GHA workflow file is intentionally untouched for the Week-0 dual-run period.

Status — blocked on operator action

Foundational AWS resources are already created in 8th-layer-app (124074140789 / us-east-1):

Resource | ARN | State
CodeStar Connection OneZero1ai-github | arn:aws:codestar-connections:us-east-1:124074140789:connection/59c82259-9b0e-4a07-990e-732a9eedec71 | PENDING — needs operator handshake
Secrets Manager /8th-layer-agent/pypi-api-token | arn:aws:secretsmanager:us-east-1:124074140789:secret:/8th-layer-agent/pypi-api-token-OgN382 | placeholder; not yet used

Operator step: AWS console → Developer Tools → Settings → Connections → select OneZero1ai-github → Update pending connection → click through GitHub OAuth → install / reuse the AWS Connector for GitHub app on the OneZero1ai org → grant the App access to 8th-layer-agent (and later 8th-layer-marketing-website, 8th-layer-marketplace). Status flips to AVAILABLE.

Deploy command (run after the connection is AVAILABLE)

aws --profile 8th-layer-app --region us-east-1 cloudformation deploy \
  --template-file templates/codebuild-project.yaml \
  --stack-name codebuild-ci-plugin-agent \
  --capabilities CAPABILITY_NAMED_IAM \
  --parameter-overrides \
    RepoFullName=OneZero1ai/8th-layer-agent \
    RepoShort=agent \
    WorkflowName=ci-plugin \
    BuildspecPath=ci/buildspecs/ci-plugin.yml \
    ConnectionArn=arn:aws:codestar-connections:us-east-1:124074140789:connection/59c82259-9b0e-4a07-990e-732a9eedec71 \
    WebhookFilePathFilter='^(plugins/cq/.*|schema/.*|\.github/workflows/ci-plugin\.yaml|ci/buildspecs/ci-plugin\.yml)$'

Test plan

  • Operator authorises OneZero1ai-github CodeStar Connection (status AVAILABLE).
  • cloudformation deploy command above succeeds; stack reaches CREATE_COMPLETE.
  • No-op PR touching plugins/cq/** shows a ci-plugin-agent commit-status check on the PR head SHA, green alongside the existing Plugin CI / Lint GHA check.
  • Force a lint failure to verify the CodeBuild check goes red (Week-1 gate before flipping required checks).
  • After 5 green PRs + 1 forced-red, flip branch-protection required check from Plugin CI / Lint → ci-plugin-agent and delete the GHA workflow in a follow-up PR.

Notes / surprises

  • codestar-connections vs codeconnections. AWS renamed the service in 2024. CFN AWS::CodeBuild::Project source uses Auth.Type: CODECONNECTIONS (new spelling), but IAM actions exist under both codestar-connections:UseConnection and codeconnections:UseConnection. Service role policy grants both for forward compatibility.
  • Webhook filter groups are AND-within-group, OR-across-groups. PR group: EVENT=PULL_REQUEST_* AND BASE_REF=main AND (optional) FILE_PATH=<regex>; push group: EVENT=PUSH AND HEAD_REF=main. Two groups joined by OR is the equivalent shape of GHA on: { push, pull_request }.
  • ReportBuildStatus: true under Source is what wires GitHub commit-status reporting; no separate webhook config needed.

Refs #168.
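The "AND-within-group, OR-across-groups" rule in the notes above is the part of CodeBuild webhooks that most often surprises people migrating from `on: { push, pull_request }`, so here is a small evaluator for it. This is an added example written for this page, not code from the PR, the template, or AWS; it models the filter-group semantics as documented for `AWS::CodeBuild::Project` `Triggers.FilterGroups` (EVENT is a comma-separated event list, HEAD_REF / BASE_REF / FILE_PATH are regexes, FILE_PATH matches if any changed file matches) and feeds it the two groups and the file-path regex from the deploy command. The `WebhookEvent` shape and the sample events are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed model of CodeBuild webhook filter-group evaluation (assumed
# semantics, not AWS's implementation): a build is triggered when every
# filter in at least one group matches the incoming webhook event.


@dataclass
class WebhookEvent:
    event: str                       # e.g. PULL_REQUEST_CREATED, PUSH
    head_ref: str                    # e.g. refs/heads/feature-x
    base_ref: str = ""               # PR target branch; empty for PUSH
    changed_files: list[str] = field(default_factory=list)


def _filter_matches(flt: dict, ev: WebhookEvent) -> bool:
    """Evaluate one {"Type": ..., "Pattern": ...} filter against an event."""
    ftype, pattern = flt["Type"], flt["Pattern"]
    exclude = flt.get("ExcludeMatchedPattern", False)
    if ftype == "EVENT":
        # EVENT patterns are a comma-separated list of event names.
        hit = ev.event in {p.strip() for p in pattern.split(",")}
    elif ftype == "HEAD_REF":
        hit = re.search(pattern, ev.head_ref) is not None
    elif ftype == "BASE_REF":
        hit = re.search(pattern, ev.base_ref) is not None
    elif ftype == "FILE_PATH":
        # Triggers if the path of ANY changed file matches the regex.
        hit = any(re.search(pattern, f) for f in ev.changed_files)
    else:
        raise ValueError(f"unsupported filter type: {ftype}")
    return (not hit) if exclude else hit


def webhook_triggers(filter_groups: list[list[dict]], ev: WebhookEvent) -> bool:
    """AND within a group, OR across groups."""
    return any(all(_filter_matches(f, ev) for f in group) for group in filter_groups)


# The file-path filter from the deploy command in this PR.
CI_PLUGIN_FILE_PATH = (
    r"^(plugins/cq/.*|schema/.*|\.github/workflows/ci-plugin\.yaml"
    r"|ci/buildspecs/ci-plugin\.yml)$"
)

# The two groups described in "Notes / surprises": PR (created/updated/
# reopened) against main restricted by file path, OR push to main.
CI_PLUGIN_FILTER_GROUPS = [
    [
        {"Type": "EVENT",
         "Pattern": "PULL_REQUEST_CREATED, PULL_REQUEST_UPDATED, PULL_REQUEST_REOPENED"},
        {"Type": "BASE_REF", "Pattern": r"^refs/heads/main$"},
        {"Type": "FILE_PATH", "Pattern": CI_PLUGIN_FILE_PATH},
    ],
    [
        {"Type": "EVENT", "Pattern": "PUSH"},
        {"Type": "HEAD_REF", "Pattern": r"^refs/heads/main$"},
    ],
]


def demo() -> dict[str, bool]:
    """Constructed sample events run through the ci-plugin filter groups."""
    cases = {
        "pr_to_main_touching_plugin": WebhookEvent(
            "PULL_REQUEST_CREATED", "refs/heads/feat-x", "refs/heads/main",
            ["plugins/cq/foo.py"]),
        "pr_to_main_touching_readme_only": WebhookEvent(
            "PULL_REQUEST_UPDATED", "refs/heads/feat-x", "refs/heads/main",
            ["README.md"]),
        "pr_to_develop_touching_plugin": WebhookEvent(
            "PULL_REQUEST_CREATED", "refs/heads/feat-x", "refs/heads/develop",
            ["plugins/cq/foo.py"]),
        "push_to_main": WebhookEvent("PUSH", "refs/heads/main", "", ["README.md"]),
        "push_to_feature_branch": WebhookEvent(
            "PUSH", "refs/heads/feat-x", "", ["plugins/cq/foo.py"]),
        "pr_merged_event": WebhookEvent(
            "PULL_REQUEST_MERGED", "refs/heads/feat-x", "refs/heads/main",
            ["plugins/cq/foo.py"]),
    }
    return {name: webhook_triggers(CI_PLUGIN_FILTER_GROUPS, ev) for name, ev in cases.items()}


if __name__ == "__main__":
    for name, triggered in demo().items():
        print(f"{name:35s} -> {'BUILD' if triggered else 'skip'}")
```

Two points the sample events make visible: the push group carries no FILE_PATH filter, so every push to main builds regardless of which files changed, and a PULL_REQUEST_MERGED event matches neither group (the merge is picked up by the subsequent push to main instead), which is the equivalence to `on: { push, pull_request }` the notes describe.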

Implements the first canary of the GHA → CodeBuild migration described in
docs/decisions/13-gha-to-codebuild-migration.md.

  * templates/codebuild-project.yaml — reusable CFN module (one CodeBuild
    project per workflow, IAM Pattern B service role, webhook filter
    groups for PR + push, optional batch builds, optional deploy-target
    role assumption). Copyable into 8th-layer-marketing-website and
    8th-layer-marketplace for #169 / #170.
  * ci/buildspecs/ci-plugin.yml — buildspec for the ci-plugin canary.
    Mirrors .github/workflows/ci-plugin.yaml exactly: install uv, run
    `make setup-plugin lint-plugin`, cache uv install dir.
  * ci/README.md — deploy + rollback instructions.

Existing .github/workflows/ci-plugin.yaml is intentionally untouched —
dual-runs alongside CodeBuild during the canary period per the decision
doc's Week-0 rollback plan.

Blocked on operator handshake of the shared CodeStar Connection
(arn:aws:codestar-connections:us-east-1:124074140789:connection/
59c82259-9b0e-4a07-990e-732a9eedec71). Once AVAILABLE, deploy via the
command in ci/README.md.

Refs #168
@dwinter3 dwinter3 merged commit 2431b83 into main May 9, 2026
@dwinter3 dwinter3 deleted the ci/codebuild-canary-ci-plugin branch May 9, 2026 10:14