This is the first release with an upgrade guide! I can recommend it, but if you’re in a hurry, the main take-away is: C/D secrets now require a condition
field or they don’t exist.
Native Flakes support!
While Flakes are still experimental, this is the first release that goes beyond
builtins.getFlake
and really integrates them.
If your repository already has a flake.nix
, Hercules CI will pick up the
standard attributes out-of-the-box. Just make sure the repo is enabled in the Hercules CI dashboard.
If you’ve been using a solution like flake-compat-ci
before, you can remove that.
I’d like to thank the upstream Nix maintainers for reviewing and accepting Hercules CI’s patches to improve the stability of the Nix 2.4+ versions.
Secrets condition
The continuous delivery secrets in secrets.json
can now be restricted based on
certain conditions, such as the repository name and git branch.
This lets you configure your C/D pipeline such that new usages of secrets follow the four-eyes principle, reducing the risk of accidental or even intentional internal leaks.
Multiple jobs per commit
A new feature is the herculesCI
special attribute. This can be placed in the
outputs
attribute set of a flake.nix
or in the top-level attribute set of a
ci.nix
or nix/ci.nix
or default.nix
file, allowing more customization of
the CI. It must be an attribute set, or a function, which is invoked with parameters
that provide extra context.
A significant new attribute in this namespace is herculesCI.onPush.<name>
for
creating multiple jobs per commit. This creates multiple evaluations per job,
with independent commit statuses.
Splitting evaluations is great for reducing latency and lets you spot completed “subsets” in the GitHub UI when they complete early.
These jobs can also request the latest successful versions of dependency repositories, which do not need to be in the flake lock file. This is a beta feature.
Simplified attribute set traversal
Hercules CI used to create builds for attributes according to the rules of the
nix-build
command, however these are a bit unintuitive. If you forget a
recurseIntoAttrs
call, whole subtrees won’t be built, unless you use the -A
flag. The herculesCI.onPush.<name>.outputs.*
attributes on the other hand follow
a simpler rule: always traverse nested attribute sets.
Other improvements
Private repository access via builtins.fetchGit
, builtins.fetchTree
and Flakes
is now supported without extra configuration.
Agent 0.9 supports the latest Nix release, 2.7.0. Upgrades to Nix will be provided in patch releases as usual.
Upcoming Release
The next releases will improve the agent’s store path handling aspects, among other improvements. This includes speeding up the evaluation phase, which is currently only up to par for jobs that could be described as “incremental”.
So, stay tuned!