This project is currently a proof-of-concept Github Actions autoscaling service. It can receive a webhook from Github (using SHA-256 HMAC for authentication) and spin up a github runner to accept the queued job.
Ensure you have docker, docker-compose, poetry, and just installed.
- Clone the repository
- Build the container with
just build - Run the container with
just up
The justfile is provided as a convenience to make commands shorter, but it isn't fully necessary. You can replace any of the listed just commands above with docker compose -f devstack/docker-compose.yaml.:
- Clone the repository
- Build the container with
docker compose -f devstack/docker-compose.yaml build - Run the container with
docker compose -f devstack/docker-compose.yaml up
Ensure you have poetry installed.
- Clone the repository
- Install dependencies with
poetry installOPTIONAL: install only the runtime dependencies:poetry install --without=dev - Run the
gunicornserver:poetry run gunicorn -b 0.0.0.0:5000 -k uvicorn.workers.UvicornWorker 'autoscaler:create_app()'
You should at least use this in a virtual environment, but I'm not your mom.
- Clone the repository
- Install the project:
pip install -e . - Run
uvicornserver:python -m autoscaler
All fields in the Settings object can be set via environment variables, allowing various forms of customization. For example, the runner image name can be configured using the DOCKER_RUNNER_IMAGE variable.
To see what settings are available, check the config file. Note that prefixes must be used (as in the DOCKER_RUNNER_IMAGE example) when setting the environment variables.
For HMAC authentication, a secret token must be created and provided to both the autoscaler and Github webhooks. One way such a token can be generated is by using the openssl CLI:
openssl rand -base64 32When creating the webhook, copy+paste this value. All repositories/orgs that the autoscaler will connect to must contain the same secret.
Both classic PATs as well as the new fine-grained PATs can be used to provision the runner registration tokens. Classic PATs require the repo scope for repository-based webhooks and mannage_runners:org for organization-based webhooks.
Fine-grained PATs have been tested with read/write access repository access to administration and actions scopes.
Note, Github must have a way to connect to your API (such as ngrok) for the autoscaler to respond to the github events.
Under Repository -> Settings -> Webhooks, create a new webhook. Set the secret token for the webhook, and enable the workflow_job hook (and nothing else).
Under Organization -> Settings -> Webhooks, create a new webhook. Set the secret token for the webhook, and enable the workflow_job hook (and nothing else).
No.
While I'm currently working to see if I can make this a properly functioning service, this is very much an in-development piece of work and is likely riddled with security problems that come from setting up infrastructure to run arbitrary code.
For a production-ready Github Actions autoscaler, look at the Github documentation
- Using the Docker-based webhooks does not allow the use of "container" directives in workflow files. This would require the autoscaler to spin up VMs instead.
This project uses fastapi as the framework, pydantic for declaring models and configs, and [loguru] for logging.
The runners that are spun up are created using Docker and the docker python library. The autoscaler uses docker and gunicorn for the web server.
Dependency management is handled with poetry