Overhaul docs: README rewrite, DEPLOY troubleshooting, CHANGELOG

manascb1344 · manascb1344 · commit 7d8cb1342528 · 2026-04-25T00:02:56.000+05:30
README: badges, 30-sec quickstart, feature/comparison tables,
GPU and network docs, star CTA. DEPLOY: troubleshooting section
for 6 common issues. CHANGELOG: v0.1.0 through v0.3.0.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -0,0 +1,42 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+## [2025-04-25] - v0.3.0
+
+### Added
+- Per-job GPU support via workflow labels (gpu:T4, gpu:A100, etc.) — T4, L4, A100, A100-80GB, H100
+- Network isolation via `ALLOWED_CIDRS` environment variable
+- Full network blocking via `BLOCK_NETWORK` environment variable
+- Persistent cache volume support via `CACHE_VOLUME_NAME` environment variable
+
+## [2025-04-25] - v0.2.0
+
+### Added
+- Structured JSON logging with contextual fields (job_id, repo, duration, status, error_code)
+- Health check endpoint (`GET /health`)
+- Retry logic for GitHub API calls with exponential backoff (1s/2s/4s, 3 attempts, 429/5xx)
+- Hardened payload validation with specific 400 error messages
+- Per-repo concurrency limits via `MAX_CONCURRENT_PER_REPO` environment variable
+- CI linting with ruff and pyproject.toml config
+- Unit test suite (23 tests) with pytest and pytest-asyncio
+- `tests/**` added to CI path triggers
+
+### Changed
+- Optimized runner image: removed unused packages (net-tools, sudo, jq), reordered layers for better caching
+- All logger calls updated from f-strings to structured `extra={}` pattern
+
+## [2025-04-24] - v0.1.0
+
+### Added
+- Initial release: Modal-powered ephemeral GitHub Actions runner
+- Docker-in-Sandbox support for container-based workflows
+- HMAC-SHA256 webhook signature verification
+- Repository allowlist via `ALLOWED_REPOS`
+- JIT runner registration for single-use tokens
+- Replay protection via delivery ID cache
+- Job deduplication cache
+- Configurable runner version, group ID, and labels
+- GitHub Enterprise domain support
+- Body size limit (1MB)
+- Automated CI/CD via GitHub Actions
diff --git a/DEPLOY.md b/DEPLOY.md
@@ -101,6 +101,32 @@ This guide outlines the steps to deploy this project using Modal.
 
 Every time a job is queued, Modal will spawn an ephemeral sandbox that runs the job and then exits. This ensures a clean and isolated environment for each job execution. The webhook is secured using HMAC-SHA256 signature verification.
 
+### Troubleshooting
+
+**Webhook signature verification fails (403)**
+
+`WEBHOOK_SECRET` is mismatched between the Modal secret and GitHub webhook settings. Make sure the same secret value is used in both `modal secret create` and the GitHub webhook configuration.
+
+**JIT token generation fails (401/403)**
+
+`GITHUB_TOKEN` lacks the required permissions or has expired. Use a fine-grained PAT with `Actions: Read and Write` and `Administration: Read and Write` permissions.
+
+**Sandbox spawn fails with timeout**
+
+The runner image build can take a while on first deploy, or the Docker-in-Sandbox setup may have failed. Check Modal logs for build errors. Ensure `MODAL_IMAGE_BUILDER_VERSION=2025.06` is set (this is handled automatically in `app.py`).
+
+**Jobs stuck in queued state**
+
+The webhook is not reaching the endpoint, or the `modal` label is missing from the workflow. Verify the webhook URL is correct and publicly accessible. Check that your workflow file has `runs-on: [self-hosted, modal]`.
+
+**GPU jobs fail to start**
+
+Either an invalid GPU label was used, or the GPU quota on your Modal account has been exceeded. Use one of the valid labels: `gpu:t4`, `gpu:l4`, `gpu:a100`, `gpu:a100-80gb`, `gpu:h100`. Check Modal GPU availability in your account.
+
+**Duplicate delivery warnings in logs**
+
+GitHub retries webhooks when responses are slow or network issues occur. This is normal. The deduplication cache handles it automatically, so no action is needed.
+
 ### Environment Variables Reference
 
 | Variable | Required | Default | Description |
diff --git a/README.md b/README.md
@@ -1,21 +1,111 @@
 # Modal GitHub Runner
 
-[![Modal](https://img.shields.io/badge/Powered%20By-Modal-000000?style=flat-square&logo=modal&logoColor=white)](https://modal.com)
-[![GitHub Actions](https://img.shields.io/badge/GitHub%20Actions-Runner-2088FF?style=flat-square&logo=github-actions&logoColor=white)](https://github.com/features/actions)
-[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg?style=flat-square)](https://opensource.org/licenses/MIT)
+![CI](https://github.com/manascb1344/modal-github-runner/actions/workflows/ci-cd.yml/badge.svg)
+![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)
+![Modal](https://img.shields.io/badge/Powered%20By-Modal-000000?style=flat-square&logo=modal&logoColor=white)
+![GitHub Actions](https://img.shields.io/badge/GitHub%20Actions-Runner-2088FF?style=flat-square&logo=github-actions&logoColor=white)
 
-A high-performance, ephemeral self-hosted GitHub Actions runner powered by [**Modal**](https://modal.com). Achieve zero idle costs and instant horizontal scaling with Just-In-Time (JIT) security.
+![Star History Chart](https://api.star-history.com/svg?repos=manascb1344/modal-github-runner&type=Date)
 
-## 🚀 Key Features
+An ephemeral, self-hosted GitHub Actions runner built on [Modal](https://modal.com). Each job runs in a fresh sandbox, you pay only while jobs execute, and credentials are scoped to a single use.
 
-- **⚡ Ephemeral:** Every job runs in a fresh, hardware-isolated Modal Sandbox, ensuring a clean state and preventing side effects between runs.
-- **💰 Zero Idle Cost:** No long-running servers or "warm" instances. You only pay for the exact seconds your runner is executing jobs.
-- **🛡️ JIT Security:** Utilizes GitHub's Just-In-Time runner registration. Runners are created on-demand and automatically cleaned up by GitHub after a single use.
-- **📈 Horizontal Scaling:** Modal's serverless infrastructure allows you to scale to hundreds of concurrent runners instantly. Each job gets its own dedicated resources without queueing delays.
+## 30-second quickstart
 
-## 🏗️ Architecture
+```bash
+# 1. Create a Modal secret with your GitHub PAT and webhook secret
+modal secret create github-secret \
+  GITHUB_TOKEN=ghp_xxx \
+  WEBHOOK_SECRET=$(openssl rand -hex 32)
 
-The runner follows a reactive, event-driven flow:
+# 2. Deploy the runner
+modal deploy app.py
+
+# 3. Add a webhook in your GitHub repo settings
+#    Point it at the URL modal deploy prints, content type JSON,
+#    secret = the WEBHOOK_SECRET from step 1, events = "Workflow jobs"
+```
+
+Then update your workflow file:
+
+```yaml
+runs-on: [self-hosted, modal]
+```
+
+Full deployment walkthrough: [DEPLOY.md](DEPLOY.md).
+
+## Features
+
+| Feature | Description |
+|---------|-------------|
+| Ephemeral | Fresh Modal Sandbox per job. No state leaks between runs. |
+| Zero idle cost | No long-running servers. You pay for the seconds a job runs, nothing else. |
+| JIT security | Single-use runner tokens via GitHub's `generate-jitconfig` API. |
+| GPU support | T4, L4, A100, A100-80GB, H100 through workflow labels. |
+| Network isolation | Outbound CIDR allowlists or full network blocking. |
+| Cache volumes | Persistent `/cache` mount across jobs via Modal Volumes. |
+| Auto-retry | Exponential backoff (1s, 2s, 4s) on transient GitHub API failures. |
+| Structured logging | JSON logs with job ID, repo, duration, and error context. |
+
+## Comparison
+
+| | Modal Runner | ARC (K8s) | GitHub-hosted |
+|--|-------------|------------|---------------|
+| Infrastructure | None (serverless) | Kubernetes cluster | None (managed) |
+| Idle cost | Zero | Node compute when idle | N/A (billed per minute) |
+| Startup time | Sub-second sandbox | Pod scheduling (seconds to minutes) | ~10-20 seconds |
+| GPU support | T4, L4, A100, A100-80GB, H100 | Requires GPU nodes | Limited, macOS only |
+| Horizontal scaling | Automatic, no config | Requires HPA/cluster autoscaler | Automatic |
+| Isolation | MicroVM sandbox | Container (shared kernel) | VM |
+| Kubernetes required | No | Yes | No |
+
+ARC is the better choice if you already run a Kubernetes cluster and need deep integration with your existing infrastructure. Modal Runner is simpler if you want something that deploys in under a minute with no ops overhead.
+
+## GPU configuration
+
+Add a `gpu:` label to your workflow's `runs-on` to request a specific GPU:
+
+```yaml
+jobs:
+  train:
+    runs-on: [self-hosted, modal, gpu:a100]
+    steps:
+      - run: python train.py
+```
+
+Supported labels:
+
+| Label | Hardware |
+|-------|----------|
+| `gpu:t4` | NVIDIA T4 (16 GB) |
+| `gpu:l4` | NVIDIA L4 (24 GB) |
+| `gpu:a100` | NVIDIA A100 (40 GB) |
+| `gpu:a100-80gb` | NVIDIA A100 (80 GB) |
+| `gpu:h100` | NVIDIA H100 (80 GB) |
+
+## Network and security
+
+Control outbound network access from runner sandboxes with environment variables:
+
+```bash
+modal secret create github-secret \
+  GITHUB_TOKEN=ghp_xxx \
+  WEBHOOK_SECRET=xxx \
+  BLOCK_NETWORK=true                       # block all outbound
+  # or
+  ALLOWED_CIDRS="10.0.0.0/8,192.168.0.0/16"  # allow specific ranges
+```
+
+- `BLOCK_NETWORK=true` drops all outbound connections from the sandbox.
+- `ALLOWED_CIDRS` takes a comma-separated list of CIDR ranges. When set, only those ranges are reachable.
+
+Additional security controls:
+
+- `ALLOWED_REPOS` restricts which repositories can trigger runner creation.
+- HMAC-SHA256 signature verification on every webhook request.
+- Delivery ID deduplication prevents replay attacks.
+- Per-repo concurrency limits via `MAX_CONCURRENT_PER_REPO`.
+
+## Architecture
 
 ```mermaid
 sequenceDiagram
@@ -35,35 +125,41 @@ sequenceDiagram
     MS->>MS: 8. Exit & Terminate Sandbox
 ```
 
-1.  **Workflow Queued:** A GitHub Action workflow is triggered and a job enters the `queued` state.
-2.  **Webhook Trigger:** GitHub sends a `workflow_job` webhook to the Modal web endpoint.
-3.  **JIT Handshake:** The Modal app validates the request and calls the GitHub API to generate a JIT (Just-In-Time) runner configuration.
-4.  **Sandbox Spawning:** A Modal Sandbox is provisioned immediately with the pre-configured runner image.
-5.  **Execution & Cleanup:** The runner connects to GitHub, executes the specific job, and the Sandbox is terminated immediately upon completion.
+1. A workflow triggers and a job enters `queued`.
+2. GitHub sends a `workflow_job` webhook to the Modal endpoint.
+3. The endpoint verifies the HMAC-SHA256 signature, then calls GitHub's `generate-jitconfig` API.
+4. A Modal Sandbox is provisioned with the runner image and JIT config.
+5. The runner connects to GitHub, executes the job, and the sandbox terminates on completion.
 
-## 🏁 Quick Start
+## Environment variables
 
-Setting up your own Modal runner takes only a few minutes.
+| Variable | Required | Default | Description |
+|----------|----------|---------|-------------|
+| `GITHUB_TOKEN` | Yes | | GitHub PAT for runner registration |
+| `WEBHOOK_SECRET` | Yes | | Secret for webhook signature validation |
+| `ALLOWED_REPOS` | No | (all) | Comma-separated allowlist of `owner/repo` |
+| `RUNNER_VERSION` | No | `2.333.1` | GitHub Actions runner version |
+| `RUNNER_GROUP_ID` | No | `1` | Runner group ID |
+| `MAX_CONCURRENT_PER_REPO` | No | (unlimited) | Max concurrent sandboxes per repo |
+| `ALLOWED_CIDRS` | No | (allow all) | Comma-separated CIDR ranges for outbound |
+| `BLOCK_NETWORK` | No | `false` | Fully isolate sandbox network |
+| `CACHE_VOLUME_NAME` | No | | Modal Volume name for persistent `/cache` |
+| `GITHUB_ENTERPRISE_DOMAIN` | No | | Custom domain for GitHub Enterprise |
 
-Refer to the [**DEPLOY.md**](DEPLOY.md) for step-by-step instructions on:
-- Setting up Modal secrets.
-- Deploying the webhook endpoint.
-- Configuring GitHub repository webhooks.
+## Limitations
 
-## 🛠️ Technical Details
+- Docker-in-Docker support uses Modal's alpha Docker-in-Sandbox feature. GitHub Actions `services:` and container actions generally work but may have edge cases.
+- Every job runs in a fresh sandbox. Files saved outside the repository workspace are lost after the job completes.
 
--   **Modal Sandbox:** Built on top of Modal's serverless runtime, providing sub-second startup times and robust isolation using micro-VM technology.
--   **JIT Configuration:** Instead of persistent runner tokens, this project uses the `generate-jitconfig` endpoint. This ensures that even if a runner environment were compromised, the credentials are valid for only one specific job.
--   **Custom Images:** The runner environment is defined directly within `app.py`, allowing you to easily add dependencies (e.g., specific versions of Python, Node.js, or system libraries) that are pre-baked into the runner image.
--   **Root Execution:** Sandboxes run with `RUNNER_ALLOW_RUNASROOT=1` in ephemeral `/tmp` directories, ensuring compatibility with all GitHub Actions features without permission hurdles.
+## License
 
-## 📄 License
-
-This project is licensed under the [MIT License](LICENSE).
+[MIT](LICENSE)
 
 ---
 
-## 👤 Author
+If this project helps you, giving it a star helps others discover it.
+
+## Author
 
 **Manas C. Bavaskar**
 - GitHub: [@manascb1344](https://github.com/manascb1344)
