Agent 0.9: native Flakes, multi-jobs and more

This is the first release with an upgrade guide! I can recommend it, but if you’re in a hurry, the main take-away is: continuous delivery (C/D) secrets in secrets.json now require a condition field, and a secret without one is treated as if it did not exist.

Native Flakes support!

While Flakes are still experimental, this is the first release that goes beyond builtins.getFlake and integrates them properly.

If your repository already has a flake.nix, Hercules CI will pick up the standard attributes out-of-the-box. Just make sure the repo is enabled in the Hercules CI dashboard.

If you’ve been using a solution like flake-compat-ci before, you can remove that.

I’d like to thank the upstream Nix maintainers for reviewing and accepting Hercules CI’s patches to improve the stability of the Nix 2.4+ versions.

Secrets condition

Each continuous delivery secret in secrets.json now carries a condition field that restricts where the secret may be used, for example to a specific repository name and git branch.

This lets you configure your C/D pipeline such that new usages of secrets follow the four-eyes principle, reducing the risk of accidental or even intentional internal leaks. Because secrets.json is read by the agent and is not part of the repository, a job running on a repository or branch that the condition does not cover cannot use the secret until someone with access to the agent widens the condition; a pull request alone is not enough.

Multiple jobs per commit

A new feature is the herculesCI special attribute. It can be placed in the outputs attribute set of a flake.nix, or in the top-level attribute set of a ci.nix, nix/ci.nix or default.nix file, and allows more customization of the CI. It must be either an attribute set or a function; the function form is invoked with parameters that provide extra context.

A significant new attribute in this namespace is herculesCI.onPush.<name>, which creates multiple jobs per commit. Each onPush entry becomes a separate job with its own evaluation and its own commit status.

Splitting evaluations is great for reducing latency, and the independent statuses let you spot completed “subsets” in the GitHub UI as soon as they finish.

These jobs can also request the latest successful versions of dependency repositories, which do not need to be in the flake lock file. This is a beta feature.

Simplified attribute set traversal

Hercules CI used to create builds for attributes according to the rules of the nix-build command, but those rules are a bit unintuitive: if you forget a recurseIntoAttrs call, whole subtrees are silently skipped unless you pass -A explicitly. The herculesCI.onPush.<name>.outputs.* attributes follow a simpler rule instead: nested attribute sets are always traversed.
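The following flake.nix is an added example, not code from the release announcement or from the Hercules CI project. It defines two onPush jobs for the same commit and places a derivation two attribute sets deep to show the traversal rule described above. The package, check and job names (app, unit, docs, default, release) are made up for illustration, and the function form of herculesCI is written with `...` so it accepts whatever context parameters the agent passes.

```nix
{
  description = "Two independent Hercules CI jobs per commit (added example)";

  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
    in
    {
      # Regular flake outputs; stand-ins for a project's own derivations.
      packages.${system} = {
        app = pkgs.hello;
      };

      checks.${system} = {
        unit = pkgs.runCommand "unit" { } "echo ok > $out";
      };

      # Read by Hercules CI, ignored by other tools. The function form
      # receives context parameters from the agent; `...` keeps the example
      # independent of their exact names (assumption: none are required here).
      herculesCI = { ... }: {

        # Job "default": fast checks, reported as its own commit status.
        onPush.default.outputs = {
          checks = self.checks;
        };

        # Job "release": heavier builds, reported independently of "default".
        # Every nested attribute set under outputs is traversed, so
        # extra.nested.docs is built without any recurseIntoAttrs call.
        onPush.release.outputs = {
          packages = self.packages;
          extra = {
            nested = {
              docs = pkgs.runCommand "docs" { } "echo docs > $out";
            };
          };
        };
      };
    };
}
```

With this layout a fast green status for "default" appears in GitHub while "release" is still building, and a failure in the docs derivation only marks the "release" status red. Keep in mind that the unconditional traversal cuts both ways: anything you nest under an outputs attribute will be built, so large or slow subtrees should be placed in a job of their own rather than alongside the checks you want reported quickly.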

Other improvements

Private repository access via builtins.fetchGit, builtins.fetchTree and Flakes is now supported without extra configuration.

Agent 0.9 supports the latest Nix release, 2.7.0. Upgrades to Nix will be provided in patch releases as usual.

Upcoming Release

The next releases will improve the agent’s store path handling, among other things. This includes speeding up the evaluation phase, which is currently only up to par for jobs that could be described as “incremental”.

So, stay tuned!