Use hercule with non-github websites (Gitea/Gitlab...) #199
Comments
Hi @tobiasBora,

Currently, Hercules CI only integrates with GitHub. We're investigating the feasibility of a GitLab integration, but for now we're prioritizing other features. Compared to drone.io or buildkite, we provide a better experience by integrating Nix. This improves

The only thing that's currently missing is the ability to run arbitrary commands in environments other than the Nix sandbox, but that will land soon.
Thanks a lot for the detailed answer. Too bad it's github specific, and therefore not self-hostable, but I can understand your point. Pushing this project to gitlab (or in some dreams gitea) would be amazing though. I just would like to come back on one of your comments:

> - **sandboxed builds**: in Nix, sandboxing isn't just about security. The correctness of the build output can depend on it. Running in a Docker container prevents Nix from setting up its sandbox. The Hercules CI agent runs outside docker and gives you correct builds from the Nix sandbox.
Is this sandbox "secure enough" to provide secure execution of untrusted code on the runner, at least as secure as the sandboxing provided by docker?
Thanks!
The Nix sandbox should be about as secure as a Docker container, but I am not willing to assume this, because while it uses most of the same Linux kernel features, it is a distinct implementation that hasn't been scrutinized as much. For these reasons, Hercules CI only builds automatically for pushes by people with direct push access to the actual repo. This works perfectly for most teams. If they're maintaining actively contributed open source software, they'll benefit from e.g.

I agree, it would be great to have nix-first CI across hosting providers.
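The two comments above hinge on whether the Nix sandbox is really in effect on the build host: a runner inside a Docker container may silently fall back to unsandboxed builds, and an operator who relies on the sandbox for untrusted code wants to confirm it is on before trusting it. The following POSIX shell script is an added example, not code from this thread or from Hercules CI; it assumes Nix 2.x, whose `nix show-config` prints settings as `name = value` lines, and it uses a constructed sample of that output when `nix` is not installed.

```shell
#!/bin/sh
# Added example: verify that Nix builds on this host will actually run inside
# the Nix sandbox. Assumes the `nix show-config` output format of Nix 2.x.

# Return 0 when the given `nix show-config` text has `sandbox = true`,
# 1 when it is `false` or `relaxed` (builds escape the sandbox),
# 2 when the setting is absent from the text.
nix_sandbox_status() {
  setting=$(printf '%s\n' "$1" \
    | sed -n 's/^sandbox[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' \
    | head -n 1)
  case "$setting" in
    true) return 0 ;;
    "") return 2 ;;
    *) return 1 ;;
  esac
}

# Return 0 if this process can create the mount and user namespaces the
# sandbox relies on; 1 otherwise. Inside an unprivileged Docker container
# this typically fails, which is why Nix cannot set up its sandbox there.
namespaces_available() {
  command -v unshare >/dev/null 2>&1 || return 1
  unshare --mount --user true >/dev/null 2>&1
}

# Constructed sample of `nix show-config` output, used when nix is absent.
SAMPLE_CONFIG='build-users-group = nixbld
sandbox = true
sandbox-paths = /bin/sh=/nix/store/CONSTRUCTED-busybox/bin/busybox'

# Print a short report; never fails, so it is safe under `set -e`.
report() {
  if command -v nix >/dev/null 2>&1; then
    config=$(nix show-config 2>/dev/null)
    echo "config source: nix show-config"
  else
    config=$SAMPLE_CONFIG
    echo "config source: constructed sample (nix not installed)"
  fi

  rc=0
  nix_sandbox_status "$config" || rc=$?
  case "$rc" in
    0) echo "sandbox setting: enabled" ;;
    1) echo "sandbox setting: disabled or relaxed - builds are NOT isolated" ;;
    2) echo "sandbox setting: not set - check the Nix default for this version" ;;
  esac

  if namespaces_available; then
    echo "kernel namespaces: mount+user namespaces usable"
  else
    echo "kernel namespaces: unavailable - sandboxed builds will fail or be skipped"
  fi
  return 0
}

report
```

The setting check and the namespace probe are deliberately separate: `sandbox = true` in the configuration is necessary but not sufficient, because the kernel features the sandbox needs can be blocked by the container runtime regardless of what the Nix configuration says.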
Hello,
First, thanks for this tool. This project looks very promising, but I'm curious to know, are there some ways for me to integrate this tool with other websites than github? For example, I'd be interested in using hercules on self-hosted instances of Gitea or Gitlab. Also, being new to this field, how does hercules-ci compare with drone.io + a shell runner that will compile my project using nix-build?
Thanks!