diff --git a/lambda/github/index.js b/lambda/github/index.js
index d9f8125..e6eaeb3 100644
--- a/lambda/github/index.js
+++ b/lambda/github/index.js
@@ -6,15 +6,38 @@ import {
 DeleteCommand,
 } from '@aws-sdk/lib-dynamodb';
 import { SecretsManagerClient, GetSecretValueCommand } from '@aws-sdk/client-secrets-manager';
-import { SSMClient, PutParameterCommand, DeleteParameterCommand } from '@aws-sdk/client-ssm';
+import {
+ SSMClient,
+ PutParameterCommand,
+ DeleteParameterCommand,
+ GetParameterCommand,
+} from '@aws-sdk/client-ssm';
 import crypto from 'crypto';
 import { buildResponse } from '../shared/response.js';
-import { resolveGitToken } from '../shared/git-token.js';
 const ddb = DynamoDBDocumentClient.from(new DynamoDBClient({}));
 const secrets = new SecretsManagerClient({});
 const ssm = new SSMClient({});
+const GIT_TOKEN_PARAM_PATTERN = /^\/[\w-]+\/[\w-]+\/[\w-]+\/[\w-]+$/;
+
+// Inlined from shared/git-token.js — esbuild cannot bundle the CJS module
+// because it does `require('@aws-sdk/client-ssm')` which becomes a dynamic
+// require not supported in the ESM runtime. Mirrors the pattern adopted by
+// lambda/github-issues (see PR #180).
+const resolveGitToken = async (ssmClient, item) => {
+ if (item?.parameterName) {
+ if (!GIT_TOKEN_PARAM_PATTERN.test(item.parameterName)) {
+ throw new Error('Invalid SSM parameter name format');
+ }
+ const param = await ssmClient.send(
+ new GetParameterCommand({ Name: item.parameterName, WithDecryption: true }),
+ );
+ return JSON.parse(param.Parameter.Value).accessToken;
+ }
+ throw new Error('No SSM parameter name set');
+};
+
 class OAuthNotConfiguredError extends Error {
 constructor() {
 super(
diff --git a/terraform/modules/api/lambda/main.tf b/terraform/modules/api/lambda/main.tf
index 27f5d9d..83ddc17 100644
--- a/terraform/modules/api/lambda/main.tf
+++ b/terraform/modules/api/lambda/main.tf
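Review bot: `JSON.parse(param.Parameter.Value).accessToken` in the inlined `resolveGitToken` handles the decrypted SecureString with no guard. On recent Node runtimes the `SyntaxError` from `JSON.parse` quotes the start of its input, so a parameter holding a raw token instead of JSON would put secret material into whatever logs or returns the error, and a value without `accessToken` silently yields `undefined` as the token. Catch the parse failure, rethrow a fixed message, and require a non-empty string before returning, as sketched below. Separately, `GIT_TOKEN_PARAM_PATTERN` only checks for four path segments; if `item.parameterName` can be influenced by a caller (its origin is outside this hunk), the Lambda will decrypt any matching parameter its role can read, so pinning the leading segments to this project's prefix and scoping `ssm:GetParameter` in IAM to the same path would close that off.

```javascript
    // … unchanged: parameterName format check and GetParameterCommand call …
    let accessToken;
    try {
      ({ accessToken } = JSON.parse(param.Parameter?.Value ?? ''));
    } catch {
      // Do not rethrow the original error: its message can quote the decrypted value.
      throw new Error('Git token parameter is not valid JSON');
    }
    if (typeof accessToken !== 'string' || accessToken === '') {
      throw new Error('Git token parameter has no accessToken');
    }
    return accessToken;
```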
@@ -668,17 +668,16 @@ module "github_lambda" {
 function_name = "${var.project_name}-github-${var.environment}"
 handler = "index.handler"
- runtime = "nodejs18.x"
+ runtime = "nodejs24.x"
 timeout = 30
 source_path = [
 {
- path = "${path.module}/../../../../lambda/github"
- npm_requirements = true
- },
- {
- path = "${path.module}/../../../../lambda/shared"
- prefix_in_zip = "shared"
+ path = "${path.module}/../../../../lambda/github"
+ commands = [
+ "cd ../.. && npm run build -w github-lambda",
+ ":zip lambda/github/.build",
+ ]
 }
 ]
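Review bot: The new `commands` entry runs `npm run build -w github-lambda` with no install step, while the removed `npm_requirements = true` appears to have been what fetched dependencies at packaging time, so the bundle is now built from whatever `node_modules` is present on the machine running Terraform. Unless the pipeline already does a lockfile install before `terraform apply`, consider `"cd ../.. && npm ci && npm run build -w github-lambda",` so the deployed artifact is reproducible from the committed lockfile. The `lambda/shared` source entry is also dropped while `index.js` still imports `../shared/response.js`, so the zip only works if the build inlines that file into `lambda/github/.build`; a short comment above `commands` stating that assumption would help the next maintainer. The `module "github_lambda"` block starts and ends outside this hunk.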