75 comments

[ 0.25 ms ] story [ 124 ms ] thread
Having built CI/CD pipelines in CircleCI, Jenkins, GitLab CI, Concourse, Semaphore, and GitHub Actions, I'm not entirely sure what this offers, other than being FOSS. That's not to say that it being FOSS is not valuable – for some users it most certainly is – but that I can't see another way that this would be valuable.

The config language is nice, but honestly I've never been bothered by YAML for pipelines. I want my pipelines to be declarative anyway. I'm a little disappointed that Cicada didn't go with one of the existing options such as Jsonnet, Cue, Dhall, etc.

Lastly, there's a feature I've always found useful and in many cases necessary, that many CI systems don't have – enforced serial execution. When you're doing continuous delivery it's often critical to make sure that only one release is going out at a time and that the version being released strictly increases. I've seen outages because of release jobs racing and an unintended downgrade happening. This requires CI system support to achieve. Last time I checked, Jenkins, Concourse, and GitHub Actions all provided mechanisms for this, Semaphore may have as well. Circle and GitLab did not (the former after endless discussion with our account manager over it!) and I found it hard to trust the platforms as a result. Cicada does not appear to have this, which is a shame. It suggests to me a lack of hands-on production experience with continuous delivery. Arguably this is not a CD system, but there's no reason why a CI system shouldn't be CD as well, it's not until a much larger team/product size that a dedicated CD system becomes truly necessary and they take a lot of work to set up well.

Maybe I’m misunderstanding? For GitLab this should be doable by two different ways.

The first is merge trains, which merges requests one by one to prevent this exact outcome. You just have to force all deployments to be done via a merge request. That’s the downside.

The second being forcing a GitLab Runner to run one job at a time. Tag it as “deployer” then ensure all deployment jobs are marked as “deployer”. That runner will pick up deployment jobs one by one in order of first creation.

I think merge trains weren't a feature when I worked with GitLab, it was a while ago. This does certainly solve it, but at the cost of quite a different process. If what you're optimising for is time to release, merge trains add an overhead. At some point that overhead is worth it, but it depends on the team/product/etc.

Having just one runner be the deployer is an option too. I think we used hosted runners so not sure if this is possible in that setup? This would also make pipelines harder to optimise. Often there are many parts in pipelines that are safe to do in parallel, and only a few "critical sections" around which you want locking. This would solve simultaneous releases, but not the general case of the problem (which at least Jenkins and GitHub Actions manage ok).

GitLab always felt to me like Travis++, whereas systems developed later felt like they were built on fundamentally better primitives. Jenkins is a weird one because it has all of the features, can do all of these things, really quite well in many cases, but has a pretty bad developer experience and required a lot of maintenance to run a performant and secure install.

There's also a third way called resource groups [1]. We use that to ensure that we only run the newest job if we have multiple deployment jobs waiting for execution. This way even if we have multiple pipelines racing each other, only the last deployment job wins.

[1] https://docs.gitlab.com/ee/ci/resource_groups/index.html

Yeah, we use that instead of dedicated runners, too. But it is a relatively new Gitlab concept, isn't it?
We've been using it for a year, as we often had the problem that somebody would push an update after an initial publish of a branch, not stopping the first branch and then two or more deploy jobs racing each other with unpredictable results.
I was a bit confused when I first saw this in the context of deployment jobs.

If you go with oldest first and two or more prod jobs want to run, you are gonna have to wait for all the old deployments to finish unless you go to each one and cancel them, leaving only the latest one. This does prevent unorderd deployments from overwriting each other, but it's a pita.

If you go with newest first, old deployments will overwrite new ones unless you toggle the setting to prevent outdated jobs from running, by which case you'll be locked out of doing a rollback unless you regenerate a whole old pipeline.

It would make sense if they had a "newest only", where if you have one deployment running and 10 pending, by the time the current deployment finishes, gitlab would cancel all deployments except for the latest one. This way you don't have to wait for old deployments and you're free to do a rollback at any time. Bonus points if the cancelled jobs display a link to the latest job that was chosen from the queue.

I've just checked our code, and we use `oldest_first`, not `newest_first`.
> "It would make sense if they had a "newest only", where if you have one deployment running and 10 pending, by the time the current deployment finishes, gitlab would cancel all deployments except for the latest one. This way you don't have to wait for old deployments, and you're free to do a rollback at any time."

Hi, GitLab Team member here. This is exactly how GitLab functions when you use "newest first" process mode [1] with Prevent outdated deployment jobs enabled [2]. By default, pipeline job retries for deployment rollback is enabled, you can rollback to any of the failed old deployments, except where its disabled. [3]

[1] https://docs.gitlab.com/ee/ci/resource_groups/#process-modes

[2] https://docs.gitlab.com/ee/ci/environments/deployment_safety...

[3] https://docs.gitlab.com/ee/ci/environments/deployment_safety...

Thanks for getting back to me!

That's amazing, I always had this problem in my head about how to solve people stepping on each other's toes with high volume CD workflows.

This should solve it nicely, thanks again!

Ah this is good. This had come in when I used it but I think the GitLab instance I used was a few releases out of date so wasn't available at the time.
> I want my pipelines to be declarative anyway.

Is there any CI system that allows one to write declarative pipelines? What would that even mean? GitHub Actions, GitLab Pipelines, etc. are all effectively just shell scripts disguised as more or less verbose yaml, with some trigger conditions added.

I guess nix's hydra is the closest to a declarative CI system that exists, because nix does the hard work of abstracting the imperative build steps into a declarative interface. Even then, if you want to do anything outside of nix derivations you would be writing something imperative.

it's github actions but you keep it short and put everything you can in a script that gets shelled out to.
So, only use the CI system for it's dispatch/scheduling part and put the imperative steps into a dedicated script? Reasonable, and what I have done with some GitLab Pipelines as well, but I don't see how that would be considered more "declarative".
I'm not looking for literally everything to be declarative, but ideally each snippet of shell script would be entirely independent and run effectively reproducibly. GitHub/GitLab do this well enough, although not perfectly. Concourse does this really well. Bazel is also great at this.
> [...], but ideally each snippet of shell script would be entirely independent and run effectively reproducibly.

Sure, if you design your scripts carefully (e.g. make them idempotent, reproducible, make all inputs explicit, etc.) you can build an abstraction to what you want to achieve which can then be used declaratively in the yaml flavor of choice. I think that is a very good way to do it. The script is still imperative though.

I guess what I want to say is that a generic CI or even just job scheduling system cannot be declarative without limiting what it can do. You can build your own scripts which can then provide a declarative interface to the imperative world to your CI pipeline, but you will be limited to the scope of your script. You can call out to other such abstractions (nix for your packaging needs, terraform for infrastructure, etc.) as well, but again you will be limited to the scopes of those.

As long as the CI system retains the ability to run jobs in some order instead of just being able to declare what you want and let the CI system figure everything else out (e.g. build first, then test, then possibly release; even if I declared what I want in a different order) it is still an imperative interface.

To make this clear: I don't think declarative CI/CD pipelines are desirable. They should be an (ideally as short as possible) list of steps executed in order to achieve some goal, because that is what fits the problem domain best (interact with the imperative world in arbitrary ways). Parts of those steps can be pushed out to declarative abstractions though where that makes sense, e.g. building and testing in nix so you get caching, sandboxing and reproducibility of builds basically for free, or deploying infrastructure changes through terraform so you get idempotence on those changes mostly for free. A generic CI system can then be reduced to it's bare minimum: a way to run a short script when some event happens.

Creator of Cicada here. Thank you for the feedback! I've mentioned this in a few threads already, but the reason for making a new DSL for writing the workflows is that YAML makes it hard/cumbersome to express more complex workflows. Using a programming language though gives you more control over how your workflows execute. While there are already plenty of tools that use existing programming languages (ie, Python/TypeScript) to configure workflows, having a custom DSL allows you to make some of the more abstract terms like caching, conditional execution, permissions, etc. more explicit.

To your last point, I have experience with using CD in production, but not to the scale where I have builds stepping over each other and causing issues. I agree that serial builds are important in this case, and is something that I will need to look into (conceptually it sounds pretty simple).

Awesome! I think serial builds should be fairly simple to implement if you can tie it back to a transaction in a data store.

I get the DSL desire, and I feel I've already lost the "YAML is fine" battle elsewhere so that's not a problem. I think a language like jsonnet or cue would have been a better choice simply because they don't involve users learning a new language or you from implementing a new language. Both would have allowed plugging in your own standard library of functions and abstractions.

You might want to check out the SparrowCI - it has combination of yaml AND standard programming languages ( Python/Ruby/GoLang/Powershell/Bash/Raku) giving you the best of two worlds - declarative style and extremely flexible flows when required
(comment deleted)
This project looks interesting, I very much like how secrets are handled, but here’s 3 reasons why, given what I can gather from the docs, I can’t use it right now.

1. It doesn’t seem it’s possible to include other .ci files? I have multiple projects that use the same ci config with their own augments and Cicada seemingly won’t work with that flow?

2. Self hosted non-docker runners are Python3.11. Some of us (albeit few of us) don’t have the luxury of being able to abandon ancient OS targets.

3. Doesn’t seem git.push allows branch to specified as “$DEFAULT_BRANCH” macro (or similar). Some projects use master, some use main, some use gold, whatever, it would be nice to not have to know.

The example CI repo is no more than a “hello world”. I don’t think people with simple CI requirements are interesting in switching from what they already have. Your target audience is likely someone like me who maintains 10k+ lines (merged) of GitLab YAML and wants to get out. I would be more encouraged to look deeper into this project if it could show me the value it adds, because right now it just seems like a different YAML that I’ll eventually loathe too.

Very neat project, I hope to see it mature.

It also seems to require github credentials instead of just supporting saml/ldap/local accounts and I don't see a way to make it work with over git providers (i.e. gitea) so not sure where the home gamer market would use this either? If I'm ponying up private github repositories already why wouldn't I just pony up slightly more to use their system? maybe I'm just missing it (I am, after all, a noob just scraping by on beginning to learn git and using it to manage a few things).
Creator of Cicada here. Currently I am using GitHub SSO to reduce spam for the logins. When installing Cicada locally though you need to create an admin account, though there is no way (in the UI) to create new local users. Adding more sign-in methods (ie Gitlab, Bitbucket) is definitely on my radar.
Creator of Cicada here. Thank you for these questions! I'll try and answer them all:

0: Secrets are stored using Vault. Read this commit message [1] for a full breakdown.

1: Currently you cannot include other .ci files. I have been in feature creep mode for months now, and I've been forcing myself to stop adding features and start talking to users. The goal is to make Cicada more or less a general purpose programming language, but the first step is making it work well for defining CI/CD workflows.

2: If it is necessary, I could back-port the self-hosted runners to Python 3.10/3.9 or earlier. And, since the runner interface just uses websockets, I (or someone else) could make a runner in a different language, ie Rust or Go.

3: There is a "event" global variable that includes info like "event.branch", which is the branch that was pushed, but it does not include stuff like the default branch. Currently you could do `on git.push where event.branch is "main"`, but something like "event.branch is event.default_branch" would be even better. I'll work on adding that.

The value add currently is that Cicada is FOSS, platform agnostic (works with GitHub/Gitlab), and uses a language that consolidates the workflows and scripts into one manageable file format. Existing CI systems are already packed with features that people expect, so the current struggle is catching up to this and then adding more on top of that. I'm trying to focus on what sets Cicada apart: That it gives you more control over your workflows, while being expressive and easier to manage then YAML and shell scripts.

[1]: https://github.com/Cicada-Software/cicada/commit/2659f79b500...

> Currently you cannot include other .ci files

I definitely understand the reluctance towards feature creep, but I can imagine most bigger customers mightn't want to rewrite their include-heavy CI definitions in this, knowing it will come later and they'll have to rewrite again.

There is a collision in names:

Cicada, this CI tool, uses a DSL (domain specific language) to write configuration, and this DSL is referred to as "Cicada language", and blasted in marketing copy as a "real programming language" on https://cicada.sh/ . The Cicada DSL is documented in https://cicada.sh/docs/ci-lang/index.html

However, this is a completely different language from Cicada language, a programming language and theorem prover hosted at https://cicada-lang.org/ and https://github.com/cicada-lang/cicada .

This name collision is very confusing, and I wonder why Cicada the CI tool didn't just stick to python, since it is also a "real programming language."

(comment deleted)
I didn't know about that other Cicada language, but the part about using a DSL for this does seem unnecessary to me. I haven't dived into the docs at all, so if anyone has I'd be curious to know what this DSL offers over Python, Starlark, or any other existing programming language?

Especially since, as far as I can tell, this is built on Python. So you already have a working Python installation at least.

Creator of Cicada here. I created a new DSL because I wanted a more declarative, expressive, yet capable file format, something like Dockerfile but with programming capabilities. In terms of "just running commands", Python (or any other language) is just as good if not better.

Where Cicada shines though is that it makes higher level concepts like conditional execution and caching front end center, so you can describe more with less lines. The DSL itself isn't very mature at the moment, but I plan on adding stuff like allow/deny capabilities and more in the future.

This is a misleading title. Being yet another CI tool is not the same thing as being a cross platform version of Github Actions and Gitlab CI.

A cross platform version of Github Actions would allow you to run your actions using your own tooling.

Also this exists:

https://github.com/nektos/act

which is conveniently packaged in a GH-a-like system by:

https://gitea.com/gitea/act_runner

in

https://github.com/go-gitea

And there's us, https://garden.io, that does totally portable CI pipelines with caching from builds to tests: https://github.com/garden-io/garden

I made an irreverent short on why your CI pipelines ought to be portable and runnable locally. Number one reason? Give your developers their time (and sanity) back. Pushing to Git in the inner loop disrupts flow and shatters attention.

https://www.youtube.com/watch?v=JFnan6s2cDg

Nice product! I haven't heard of Garden until now.

Adding a CLI for Cicada has been on my todo list for a while, and is long overdue! This should be easy enough to do.

Another Gardener here :)

Just to add to what Tao was saying, our pipelines are not only portable but also "smart".

Instead of having to specify every step of a job—either in code or config—you instead tell Garden that it's e.g. a build of type container, or a deploy of type Helm, and our plugin system figures out the rest (of course with escape hatches when needed).

We also track the files that go "into" each job and cache the results, so the same job never has to run twice if the code doesn't change. So if you have a large distributed system and a change only affects a small part of it, you don't need to re-run everything. It can save _a lot_ of time.

Unrelated, but love that the Cicada team created a Treesitter grammar for Neovim!

(comment deleted)
Something I have noticed lately, First startup idea that every Devops person starts with is to create a CI/CD project because they think world is inefficient and workflows can be optimized, and then they pivot to other ideas.
So would that mean there is still room for improvement?
I think market is very mature for CI/CD, it often boils down to price war. Economics of operating your own CI/CD in org like this one is fairly bad compared to Github actions. Especially, the way Github bundles actions with the other services as a buyer it definitely feels like a better deal than buying best in class CI/CD. Github actions gets the job done.

The slow changing nature of pipelines makes then candidate for not being touch once the configuration is set.

So, to answer your question, in my opinion - is there a room for improvement - yes, but the value is minuscule for a customer to switch to a different provider in CI/CD is working fairly well.

Appreciate that.

The economics may appear bad for not using GitHub, but there’s still valid needs for code that isn’t hosted in the cloud.

For those cases it is reasonable to see or know what’s out there.

I always thought its ease of creation (few weekends) was the main driver?
It's definitely a much bigger challenge than it appears on the surface. But I think the space is due for a shake-up - the current crop of tools has been around for years now, and they all suffer from a broadly similar set of scalability and usability problems.
What I really want is a 'Grand Translator' tool that allows any CI pipeline definition to be translated into any other CI pipeline definition.

I want to take any .gitlab-ci.yml and magically translate it to a github workflow, and vice-versa. I know it isn't impossible, but it's a heck lot of work to get it right with all the hidden features behind declarative pipelines.

If doing this sort of a migration is a real possibility, it's an argument for having the bare minimum logic in the CI tool and as much as you can in your own scripts...
That's actually what we did for our monorepo. We had a huge Gitlab pipeline of multiple steps and jobs, now it's a single job pipeline that builds, tests and deploys 15 different projects, all powered by Nix and some Python scripts.
Ugh, yes, but then I fall into the "too complex for bash, too simple for Python" trap. I feel like everything goes to hell the moment someone writes a Python class to deal with /something/ in a build pipeline. For bash, well, we all know where that goes... the other options are simply too obscure for me to invest in.

But I agree with your assessment, as much as the classic

script:

  - chmod +x pipeline.sh

  - ./pipeline.sh
makes me want to die.
We need a "terraform" for build pipelines.
oh god, please, no. :)

I mean, go for it if you want but I'm not sure why you'd need to maintain so many heterogeous pipelines that would warrant a tool like this.

With teamcity you write xml for your pipeline, and you can write kotlin scripts to generate your pipelines (which just compiles to the xml above).

It's really, really limiting, and very hard to do things like "run this pipeline if on this branch"

Creator of Cicada here. I mentioned this in another thread, but I have an experimental "GitHub Actions to Cicada" converter tool I'm working on that makes it easier to import GHA workflows to Cicada. GitHub already has an importer tool to import other git providers to GHA, but of course they don't have any export features.

Like you said, there are lots of intricate details you need to get right, and each CI/CD provider has a different ethos about how CI should be done. What I'm trying to do with Cicada is create one workflow format that gives you the power of GitHub Actions with their numerous event triggers, but make it work for other providers like Gitlab. Having one format that works with many providers is better than converting multiple formats back and forth, IMO.

You should change your name. "Cicada" was also a CI/CD tool recently sunset by AWS after acquiring Fig. I maintain the community fork so I happen to know Amazon still holds a trademark on "Cicada"[1]. We rebranded to "Katoa" but you're going to run into them directly especially if you have any commercial plans.

1: Can't link, you can search "Cicada" and "Amazon" on the USPTO TESS

(comment deleted)
I'm going to plug https://onedev.io/ its awesome. Its self hosted and has its own tooling for CI/CD. I feel it doesn't get enough love, but I've been using it for years for my own stuff.
Oh this looks really neat. I've been slowly hand rolling a home server. Started with Gogs felt that was too heavy, now I'm at cgit + gitolite which is awesome but I'm not sure what I want to do when it comes to CI/CD. This is probably on the scale of Gogs but something about it feels more reasonable lol.
There is a bit of a learning curve, but there is for any new platform. The devs are very responsive and looks like they're doing an enterprise version for funding. It uses Agents which run the tasks in the CI/CD jobs.
(comment deleted)
Mods, can we change the title to reflect what this really is, Open Source CI platform (not GitHub Actions, not GitLab CI). Unless I’m mistaken, this project doesn’t use their flavors of yaml. So calling it a “version of” is a lie.
(comment deleted)
What's the difference between this and Gitea/Forgejo Runners that are compatible with GitHub Actions?
I have logic that needs to be put into the build. I can put it into a DSL or I can put it into a bash script. A bash script can be run on a developer's machine. This a bash script allows the developer to test the build on their own machine without the need for running an entire build through the CI system first.

I therefore don't see the need for all that DSL stuff that's designed around not needing a bash script. I still need the batch script for testability purposes.

I'm fine with the DSL otherwise; switching from Jenkins to GitHub actions isn't a big deal especially when all you're going to do is run a bash script.

This looks really interesting, but I wish people would instead contribute to WoodpeckerCI. It's a FOSS fork of Drone, and Drone really is the pinnacle of CI for me. Only what you need, no fat, simple, functional, modern, easy. IMHO the only thing Woodpecker really needs right now is help finishing their core implementations of K8s support and support for the big 3 DVCS vendors.
WoodpeckerCI only works with containers. Many of us are not building web apps.
If anyone from the project is reading this, the multiple misspellings or typos featured prominently on your website make it look very amateurish (imo). Between "You deserve better then YAML", "autotomatically escaped", and other weird phrasing, this doesn't really inspire confidence.