
Releases: hercules-ci/hercules-ci-agent

hercules-ci-agent-0.9.2 - 2022-03-30

30 Mar 16:44

0.9.2 - 2022-03-30

Added

  • Separate traces in the dashboard (as in --show-trace)

Fixed

  • Effects: error: cannot open connection to remote store 'daemon': error: reading from file: Connection reset by peer

hercules-ci-agent-0.9.1 - 2022-03-18

18 Mar 19:38

0.9.1 - 2022-03-18

Added

  • The built-in flake support now has the sourceInfo attributes.

Changed

  • Flakes are checked out by Nix rather than custom local checkout.

hercules-ci-agent-0.9.0 - 2022-03-15

18 Mar 19:36

0.9.0 - 2022-03-15

This release comes with an Upgrade Guide! ✨

Added

  • Flakes support!

    Instead of needing a ci.nix, the agent will pick up flake.nix and look
    for the herculesCI attribute in the flake.

    Only the outputs.effects sub-attributes may define effects, making attacks on secrets harder to conceal.

  • Multiple jobs per commit

  • Jobs that run with the latest successful dependency build

  • Conditions on secrets, disallowing access to secrets except when the conditions are met. This enforces the four eyes principle when branch protection is set up to match the secrets' conditions.
    A missing condition field does not give a great error message for security reasons, so follow the upgrade guide.

  • Hardening against rogue contributors. Trivial attacks trying to read system paths or secrets are no longer possible. Similar to typical CIs, secrets can be stolen under specific circumstances: either through a misconfiguration of branch protection or by approval of a second maintainer. Note that this issue was already largely addressed by only processing contributions from GitHub users with write access to the repository, which also still applies.

  • Built-in support for fetching private repositories and tarballs.
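
A pre-upgrade check for the "Conditions on secrets" item above, as an added example that is not part of the release notes or the project's code: it flags entries in a secrets.json that have no condition field, are unconditional, or never pin a branch (so branch protection cannot back them). The file layout and the condition vocabulary used here (and, or, isDefaultBranch, isBranch, isOwner, isRepo) are assumptions not stated on this page; the sample data is constructed.

```python
import json

# Constructed sample. Assumed layout: secret name -> {"kind", "data", "condition"}.
# The condition vocabulary below is an assumption, not taken from this page.
SAMPLE = json.loads("""
{
  "deploy-key":   {"kind": "Secret", "data": {"token": "REDACTED"},
                   "condition": {"and": [{"isOwner": "example-org"},
                                         {"isRepo": "example-repo"},
                                         "isDefaultBranch"]}},
  "legacy-token": {"kind": "Secret", "data": {"token": "REDACTED"}},
  "open-secret":  {"kind": "Secret", "data": {"token": "REDACTED"},
                   "condition": true},
  "any-branch":   {"kind": "Secret", "data": {"token": "REDACTED"},
                   "condition": {"or": ["isDefaultBranch",
                                        {"isOwner": "example-org"}]}}
}
""")

def pins_branch(cond):
    """True if every way of satisfying cond also fixes the branch."""
    if cond == "isDefaultBranch":
        return True
    if isinstance(cond, dict):
        if "isBranch" in cond:
            return True
        if "and" in cond:   # one branch-pinning conjunct is enough
            return any(pins_branch(c) for c in cond["and"])
        if "or" in cond:    # every alternative must pin the branch
            return bool(cond["or"]) and all(pins_branch(c) for c in cond["or"])
    return False

def audit_secrets(secrets):
    """Return {secret name: problem} for entries that need review."""
    findings = {}
    for name, entry in sorted(secrets.items()):
        if "condition" not in entry:
            findings[name] = "missing condition"
        elif entry["condition"] is True:
            findings[name] = "unconditional (true)"
        elif not pins_branch(entry["condition"]):
            findings[name] = "no branch constraint"
    return findings

if __name__ == "__main__":
    for name, problem in audit_secrets(SAMPLE).items():
        print(f"{name}: {problem}")
```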

Changed

  • File lookup order has changed, to support flakes. ci.nix or nix/ci.nix still take top priority, followed by flake.nix, followed by default.nix.

  • Installed private repositories can now be read by a collaborator. If you need to enforce confidentiality across repositories, contact us and use a personal access token with appropriate permissions in the meantime.

Fixed

  • When the root of a ci.nix is a list, an error message is returned.

Removed

  • Nix 2.3 support

hercules-ci-agent-0.8.7 - 2022-03-09

09 Mar 21:12

0.8.7 - 2022-03-09

Added

  • Nix 2.7 support
  • Haskell aeson 2.0 support

hercules-ci-agent-0.8.6 - 2022-03-07

09 Mar 21:12

0.8.6 - 2022-03-07

Fixed

  • Build with newer Nix versions 2.5, 2.6

Added

  • Improved conditional code support with cabal-pkg-config-version-hook

hercules-ci-agent-0.8.5 - 2022-01-21

21 Jan 11:35

Added

  • The flake now has .nixosModules.multi-agent-service allowing multiple agents
    to run on the same system.
    An instance with default settings can be enabled with services.hercules-ci-agents."some-name" = {}.
    User name and file paths are like the regular module, except replacing hercules-ci-agent by hci-${name} if the chosen name is not "".
    services.hercules-ci-agents."" = {} is equivalent to services.hercules-ci-agent.enable = true.

Fixed

  • Fix mounting /etc/resolv.conf, work around runc#1523. Fixed by @Mic92 in #357

  • An issue where a Nix evaluator crash could lead to builds being triggered in
    the backend for which the derivation hadn't been pushed to the cache yet,
    causing needless build failures. #314

  • A build error caused by a moved symbol in cachix >= 0.7. #363

  • A test that relied on aeson field order, which isn't stable. #352

hercules-ci-agent-0.8.4 - 2021-11-17

21 Jan 11:34

Added

  • The path to secrets.json is now configurable in the module or config file,
    using the secretsJsonPath setting, analogous to clusterJoinTokenPath.

  • aarch64-darwin is now officially supported.

  • All module settings options will be visible in the NixOS documentation.
    Some less-used settings were hidden, specifically the file path options
    that default to staticSecretsDirectory + "/cluster-join-token.key", etc.

Changed

  • The flake packages and modules now link with Nix 2.4.
    Nix 2.3 support is still available via packages.${system}.hercules-ci-agent-nix_2_3, but will be removed in agent 0.9.x.

  • No longer patch Boehm GC, staying closer to regular Nix and the Nixpkgs build of the hercules-ci-agent.

Fixed

  • Various fixes related to the upgrade to Nix 2.4.

hercules-ci-agent-0.8.3 - 2021-09-06

21 Jan 11:33

Added

  • hci can now run in the effects sandbox

Fixed

  • Interrupt handling has been improved

hercules-ci-agent-0.8.2 - 2021-06-22

21 Jan 11:31

Added

  • Preparations for the next Nix version

Fixed

  • #304, message:epollControl: invalid argument (Bad file descriptor) in effect task

hercules-ci-cli-0.2.0: 0.2.0 - 2021-04-21

22 Apr 11:44

0.2.0 - 2021-04-21

Added

  • hci secret add: Add --json-env and --string-env: more secure alternative for literals

Changes

  • Remove -h and --help from tab completion and help text.
  • User-friendly error when ci.nix or similar cannot be found.