This is the first release with an upgrade guide! I can recommend it, but if you’re in a hurry, the main take-away is: C/D secrets now require a condition field or they don’t exist.
Native Flakes support!
While Flakes are still experimental, this is the first release that goes beyond builtins.getFlake and really integrates them.
If your repository already has a flake.nix, Hercules CI will pick up the standard attributes out-of-the-box. Just make sure the repo is enabled in the Hercules CI dashboard.
If you’ve been using a solution like flake-compat-ci before, you can remove that.
I’d like to thank the upstream Nix maintainers for reviewing and accepting Hercules CI’s patches to improve the stability of the Nix 2.4+ versions.
The continuous delivery secrets in secrets.json can now be restricted based on certain conditions, such as the repository name and git branch.
This lets you configure your C/D pipeline such that new usages of secrets follow the four-eyes principle, reducing the risk of accidental or even intentional internal leaks.
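An added example (not Hercules CI's own code) that audits a secrets.json for the behaviour described above: a secret without a condition field is ignored, and the others are usable only by jobs that match. The condition keys (and, or, isOwner, isRepo, isBranch, isDefaultBranch), the kind/data layout and the job dictionary are assumptions to check against the agent's secrets.json documentation; the sample data is constructed.

```python
import json
import sys

# Constructed sample shaped like secrets.json; every name and value is a placeholder.
SAMPLE = {
    "deploy-key": {"kind": "Secret", "data": {"token": "PLACEHOLDER"},
                   "condition": {"and": [{"isOwner": "example-org"},
                                         {"isRepo": "infra"},
                                         {"isBranch": "main"}]}},
    "cache-token": {"kind": "Secret", "data": {"token": "PLACEHOLDER"},
                    "condition": True},
    "legacy-secret": {"kind": "Secret", "data": {"token": "PLACEHOLDER"}},
}
# Assumed condition keys and the job field each one is compared against.
FIELDS = {"isOwner": "owner", "isRepo": "repo", "isBranch": "branch"}

def allows(cond, job):
    """Evaluate one condition (assumed schema) for a job's owner/repo/branch."""
    if isinstance(cond, bool):
        return cond
    if cond == "isDefaultBranch":
        return job["branch"] == job["default_branch"]
    if isinstance(cond, dict) and len(cond) == 1:
        (key, arg), = cond.items()
        if key == "and":
            return all(allows(c, job) for c in arg)
        if key == "or":
            return any(allows(c, job) for c in arg)
        if key in FIELDS:
            return job[FIELDS[key]] == arg
    # Fail closed on anything unknown instead of guessing.
    raise ValueError(f"unrecognized condition: {cond!r}")

def audit(secrets, job):
    """Report, per secret, whether this job could read it and why."""
    report = {}
    for name, secret in secrets.items():
        if "condition" not in secret:
            report[name] = "ignored: no condition field"
        elif secret["condition"] is True:
            report[name] = "available: unrestricted"
        else:
            report[name] = "available" if allows(secret["condition"], job) else "denied"
    return report

if __name__ == "__main__":
    secrets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    job = {"owner": "example-org", "repo": "infra", "branch": "feature-x", "default_branch": "main"}
    for name, verdict in audit(secrets, job).items():
        print(f"{name}: {verdict}")
```

Secrets reported as "available: unrestricted" are the ones to review first, since any job on any branch can read them.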
Multiple jobs per commit
A new feature is the herculesCI special attribute. This can be placed in the outputs attribute set of a flake.nix or in the top-level attribute set of a default.nix file, allowing more customization of the CI. It must be an attribute set, or a function, which is invoked with parameters that provide extra context.
A significant new attribute in this namespace is creating multiple jobs per commit. This creates multiple evaluations per job, with independent commit statuses.
Splitting evaluations is great for reducing latency and lets you spot completed “subsets” in the GitHub UI when they complete early.
These jobs can also request the latest successful versions of dependency repositories, which do not need to be in the flake lock file. This is a beta feature.
Simplified attribute set traversal
Hercules CI used to create builds for attributes according to the rules of the nix-build command; however, these are a bit unintuitive. If you forget a recurseIntoAttrs call, whole subtrees won’t be built, unless you use the
herculesCI.onPush.<name>.outputs.* attributes on the other hand follow a simpler rule: always traverse nested attribute sets.
Private repository access via builtins.fetchTree and Flakes is now supported without extra configuration.
Agent 0.9 supports the latest Nix release, 2.7.0. Upgrades to Nix will be provided in patch releases as usual.
The next releases will improve the agent’s store path handling aspects, among other improvements. This includes speeding up the evaluation phase, which is currently only up to par for jobs that could be described as “incremental”.
So, stay tuned!