
hercules-ci-agent-0.9.0 - 2022-03-15

roberth released this 18 Mar 19:36

0.9.0 - 2022-03-15

This release comes with an Upgrade Guide! ✨

Added

  • Flakes support!

    Instead of needing a ci.nix, the agent will pick up flake.nix and look
    for the herculesCI attribute in the flake.

    Only attributes under outputs.effects may define effects, so an effect (and therefore any use of secrets) cannot be tucked away elsewhere in the flake outputs, which makes attacks on secrets harder to conceal.

  • Multiple jobs per commit

  • Jobs that run with the latest successful dependency build

  • Conditions on secrets: a secret is only accessible when its condition is met. When branch protection is set up to match the secrets' conditions, this enforces the four-eyes principle.
    A missing condition field deliberately does not produce a detailed error message, for security reasons, so follow the upgrade guide.

  • Hardening against rogue contributors. Trivial attacks that try to read system paths or secrets are no longer possible. As with typical CIs, secrets can still be stolen under specific circumstances: either through a misconfiguration of branch protection or with the approval of a second maintainer. Note that this issue was already largely addressed by only processing contributions from GitHub users with write access to the repository; that restriction still applies.

  • Built-in support for fetching private repositories and tarballs.
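
The secret conditions and the branch-protection caveat above are easiest to reason about with a small model. The following is an added example, not hercules-ci-agent code: it evaluates per-secret conditions against a job context and lints them against branch protection. The condition grammar (isOwner / isRepo / isBranch / isDefaultBranch combined with and / or) is an assumption about the agent's secrets.json format, and the secrets and protection state are constructed inline.

```python
"""Per-secret conditions checked against branch protection (added illustration).

Not hercules-ci-agent code. The condition grammar is an assumption about the
secrets.json format; SECRETS_JSON and PROTECTED are constructed sample data.
"""
import json
from typing import Any, Dict, Iterator, List, Set

# Constructed secrets.json: one secret tied to a protected branch, one with
# the condition field missing, one reachable from an unprotected branch.
SECRETS_JSON = json.dumps({
    "deploy-token": {"kind": "Secret", "data": {"token": "example-not-real"},
                     "condition": {"and": [{"isOwner": "example-org"},
                                           {"isRepo": "infra"},
                                           {"isBranch": "main"}]}},
    "legacy-token": {"kind": "Secret", "data": {"token": "example-not-real"}},
    "staging-token": {"kind": "Secret", "data": {"token": "example-not-real"},
                      "condition": {"or": [{"isBranch": "staging"},
                                           {"and": [{"isRepo": "infra"},
                                                    {"isDefaultBranch": True}]}]}},
})

# Constructed branch-protection state: "owner/repo" -> branches that need a
# second maintainer's approval before they can be updated.
PROTECTED: Dict[str, Set[str]] = {"example-org/infra": {"main"}}


def evaluate(cond: Any, ctx: Dict[str, str]) -> bool:
    """Evaluate a condition against a job context: owner, repo, branch, default_branch."""
    if isinstance(cond, bool):
        return cond
    if not isinstance(cond, dict) or len(cond) != 1:
        raise ValueError(f"malformed condition: {cond!r}")
    (op, arg), = cond.items()
    if op == "and":
        return all(evaluate(c, ctx) for c in arg)
    if op == "or":
        return any(evaluate(c, ctx) for c in arg)
    if op == "isOwner":
        return ctx["owner"] == arg
    if op == "isRepo":
        return ctx["repo"] == arg
    if op == "isBranch":
        return ctx["branch"] == arg
    if op == "isDefaultBranch":
        return bool(arg) and ctx["branch"] == ctx["default_branch"]
    raise ValueError(f"unknown condition operator: {op}")


def accessible_secrets(secrets_json: str, ctx: Dict[str, str]) -> List[str]:
    """Secrets released to this job. No condition field means never released:
    the safe default, and the reason the upgrade guide asks for explicit ones."""
    secrets = json.loads(secrets_json)
    return sorted(name for name, s in secrets.items()
                  if "condition" in s and evaluate(s["condition"], ctx))


def _branch_literals(cond: Any) -> Iterator[str]:
    """Every branch name a condition mentions, so the lint can probe each one."""
    if isinstance(cond, dict):
        (op, arg), = cond.items()
        if op == "isBranch":
            yield arg
        elif op in ("and", "or"):
            for c in arg:
                yield from _branch_literals(c)


def unprotected_exposures(secrets_json: str, owner: str, repo: str,
                          default_branch: str,
                          protected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Secret name -> branches of owner/repo on which the condition releases the
    secret although the branch is not protected. A hit on the probe branch means
    the condition has no effective branch restriction: any collaborator push
    would receive the secret."""
    protected_here = protected.get(f"{owner}/{repo}", set())
    findings: Dict[str, List[str]] = {}
    for name, s in json.loads(secrets_json).items():
        cond = s.get("condition")
        if cond is None:
            continue  # never released, nothing to expose
        candidates = set(_branch_literals(cond)) | {default_branch, "probe/any-feature-branch"}
        exposed = sorted(b for b in candidates
                         if b not in protected_here
                         and evaluate(cond, {"owner": owner, "repo": repo,
                                             "branch": b, "default_branch": default_branch}))
        if exposed:
            findings[name] = exposed
    return findings
```

Run the lint over every repository the agent serves, with the protection data pulled from the forge rather than typed in: a condition that names a branch nobody protects, or that omits isOwner/isRepo so it also matches a same-named branch in another repository, is exactly the branch-protection misconfiguration the release notes warn about.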

Changed

  • File lookup order has changed, to support flakes. ci.nix or nix/ci.nix still take top priority, followed by flake.nix, followed by default.nix.

  • Installed private repositories can now be read by a collaborator. If you need to enforce confidentiality across repositories, contact us, and use a personal access token with appropriate permissions in the meantime.

Fixed

  • When the root of a ci.nix is a list, an error message is returned.

Removed

  • Nix 2.3 support