This repository has been archived by the owner on Jun 8, 2022. It is now read-only.

thepwagner/hermit

Hermit CI

Hermit is an experimental CI server for building container images from GitHub repositories. Hermit's schtick is to run builds in ephemeral virtual machines that are limited to HTTP/HTTPS network connections through a custom proxy. The idea was to satisfy the Hermetic requirement of SLSA level 4 without requiring purpose-built build tools (e.g. Bazel): Hermit runs existing build tools and locks them to a fixed snapshot of the internet.

Hermit was designed to run on my home infra, and is not intended to be used. It was a cool experiment that is no longer used or maintained.

Hermit's proxy has several features:

  • Limit the URLs that can be accessed during the build. Example rules.
  • Fetch assets from a shared cache (Redis) to reduce network traffic.
  • Record every request made during the build. Example snapshot.
  • Restrict network access to replaying a recording, to reproduce builds in a hermetic environment.
  • Generate a CA keypair at launch, for intercepting HTTPS traffic.

Flow

Hermit is triggered by GitHub push events.

Container builds

  1. If the push was made by Hermit, or was made to the default branch, Hermit will run the build with the proxy limited to requests already in the current snapshot. This is a hermetic build.
  2. If the push was not made by Hermit, Hermit will run the build with the proxy following the specified rules. If Hermit detects network changes relative to the current snapshot, it will push a commit to amend the snapshot.
  3. The built container is scanned using aquasecurity/trivy. This is hermetic. Sample result.
  4. If the push was made to the default branch, the built container is pushed to the registry.
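The two proxy modes described by the feature list and the flow above (rules mode that records what the build fetched, and replay mode that permits only what the snapshot already contains) can be sketched as a small policy engine. This is an added illustration, not Hermit's own code: the `Rule`, `Snapshot` and `Proxy` types, the host/path-prefix rule shape, and the URL-set snapshot format are assumptions made for the example, not the project's actual rule or snapshot formats.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Mode selects how the proxy treats a request (assumed names for this example).
type Mode int

const (
	ModeRules  Mode = iota // allow what the rules permit, and record every request
	ModeReplay             // hermetic: allow only what the snapshot already contains
)

// Rule permits requests to Host whose path starts with PathPrefix (assumed rule shape).
type Rule struct {
	Host       string
	PathPrefix string
}

// Snapshot is the set of "scheme://host/path?query" keys seen during a recorded build.
type Snapshot map[string]bool

// Proxy holds the network policy for one build.
type Proxy struct {
	Mode     Mode
	Rules    []Rule
	Snapshot Snapshot
	changed  bool // true once a rules-mode build requests something not yet in the snapshot
}

// Allow decides whether a request may leave the build VM; in rules mode it also records it.
func (p *Proxy) Allow(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") {
		return false // only HTTP/HTTPS ever reaches the proxy
	}
	key := u.Scheme + "://" + u.Host + u.RequestURI()
	if p.Mode == ModeReplay {
		return p.Snapshot[key] // nothing outside the recording is reachable
	}
	for _, r := range p.Rules {
		if u.Hostname() == r.Host && strings.HasPrefix(u.Path, r.PathPrefix) {
			if !p.Snapshot[key] {
				p.Snapshot[key] = true // new dependency: the snapshot must be amended
				p.changed = true
			}
			return true
		}
	}
	return false // not covered by any rule
}

// SnapshotChanged reports whether the build would trigger a snapshot-amending commit.
func (p *Proxy) SnapshotChanged() bool { return p.changed }

func main() {
	p := &Proxy{Mode: ModeRules, Rules: []Rule{{Host: "proxy.golang.org", PathPrefix: "/"}}, Snapshot: Snapshot{}}
	fmt.Println(p.Allow("https://proxy.golang.org/golang.org/x/net/@v/list"), p.SnapshotChanged())
}
```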

GitOps

I keep a gitops repo full of kustomization files for hosted services. Updates to any container with an active deployment, whether built by Hermit or externally, are raised by Renovate as PRs against this repository. It has a simplified flow:

  1. On push, find all images affected by the current branch. Scan every image and post the result.

Builder/guest dependencies:

About

Hermetic container builds in ephemeral Firecracker. SLSA L4 any% speedrun.