Undo the Codebuild Pull Request Regex hack #107

Open: wants to merge 3 commits into base: main

Conversation

@unlox775-code-dot-org unlox775-code-dot-org commented May 9, 2025

Description

I'm replacing the old “hard-coded GitHub actor regex” CodeBuild webhook hack with an AWS EventBridge → Lambda → CodeBuild flow.
On each pull-request event:

  1. EventBridge catches the PR “state change” on the configured branch.
  2. It invokes a Lambda authorizer that fetches your GitHub PAT from Secrets Manager, calls the GitHub API to verify the PR author’s permission (write/maintain/admin), and only then
  3. invokes StartBuild on the PR-build CodeBuild project.

Links

Testing story

  • Manual EventBridge simulation
    aws events put-events --entries '[{
      "Source": "aws.partner/github.com/code-dot-org/aiproxy",
      "DetailType": "Pull Request State Change",
      "Detail": "{\"action\":\"opened\",\"pull_request\":{\"base\":{\"ref\":\"main\"},\"user\":{\"login\":\"YOUR_GITHUB_ID\"}}}"
    }]' --region us-east-1
  • SAM local invoke
    1. Install AWS SAM CLI.
    2. Create an event.json matching the structure above.
    3. Run:
      cd cicd/2-cicd
      sam local invoke PullRequestAuthorizerFunction --event event.json
  • Check CloudWatch logs and/or the CodeBuild console to confirm whether the build was (or wasn’t) started.

Follow-up work

  • Add unit and integration tests for the Lambda authorizer.
  • Instrument metrics on GitHub API calls & CodeBuild starts.
  • Update onboarding docs for adding new maintainers (no more regex).

PR Checklist

  • Documentation updated (cicd/README.md, CFN template).
  • Manual tests performed and verified.
  • Lambda authorizer comments & code clarity reviewed.
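As an added illustration of the authorizer flow described in this PR (example code, not the PR's own Lambda): the decision logic is kept pure, with the GitHub permission lookup and the CodeBuild StartBuild call injected, so it can be exercised offline against the same event shape as the put-events example above. The CodeBuild project name, the BUILD_ACTIONS set and all function names are assumptions.

```python
import json
import urllib.request

ALLOWED_PERMISSIONS = {"write", "maintain", "admin"}   # from the PR description
BUILD_ACTIONS = {"opened", "reopened", "synchronize"}  # assumption; page shows "opened"

# Constructed sample event, shaped like the put-events entry in the PR text.
SAMPLE_EVENT = {"source": "aws.partner/github.com/code-dot-org/aiproxy",
                "detail-type": "Pull Request State Change",
                "detail": {"action": "opened", "pull_request": {
                    "base": {"ref": "main"}, "user": {"login": "YOUR_GITHUB_ID"}}}}

def parse_pr_event(event):
    """Return (action, base_ref, author_login). Lambda receives `detail` as an
    object; the CLI example passes `Detail` as a JSON string, so accept both."""
    detail = event.get("detail", event.get("Detail", {}))
    if isinstance(detail, str):
        detail = json.loads(detail)
    pr = detail.get("pull_request", {})
    return (detail.get("action"), pr.get("base", {}).get("ref"),
            pr.get("user", {}).get("login"))

def github_permission(owner, repo, login, pat):
    """Live lookup: GET /repos/{owner}/{repo}/collaborators/{login}/permission.
    `permission` is admin/write/read/none (a maintainer reports "write")."""
    url = f"https://api.github.com/repos/{owner}/{repo}/collaborators/{login}/permission"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {pat}",
                                               "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp).get("permission")

def authorize_and_build(event, target_branch, get_permission, start_build):
    """Decision logic. get_permission(login) and start_build(project) are injected;
    in the Lambda they wrap github_permission (PAT from Secrets Manager) and
    boto3 codebuild.start_build, so this runs offline for testing."""
    action, base_ref, login = parse_pr_event(event)
    if action not in BUILD_ACTIONS:
        return {"started": False, "reason": f"ignored action {action!r}"}
    if base_ref != target_branch:
        return {"started": False, "reason": f"base {base_ref!r} is not {target_branch!r}"}
    perm = get_permission(login) if login else None
    if perm not in ALLOWED_PERMISSIONS:   # unknown/forked author never starts a build
        return {"started": False, "reason": f"{login!r} has permission {perm!r}"}
    return {"started": True, "build_id": start_build("aiproxy-pr-build")}
```

Because the build is only started after the permission check returns an allowed level, a PR from a read-only or unknown account is logged with a reason and never reaches CodeBuild.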


1 participant