buildkite-agent: 3.59.0 -> 3.76.1 (#331340)

* buildkite-agent: 3.59.0 -> 3.76.1

* nixos/buildkite-agent: put each agent in its own private /tmp

Workaround for https://github.com/buildkite/agent/issues/2916, but
probably still a good idea.

nixos/doc/manual/release-notes/rl-2411.section.md

@@ -321,6 +321,9 @@
 - `nix.channel.enable = false` no longer implies `nix.settings.nix-path = []`.
   Since Nix 2.13, a `nix-path` set in `nix.conf` cannot be overriden by the `NIX_PATH` configuration variable.
 
+- Buildkite Agents are now each running in their own private `/tmp`.
+  To return to the old behaviour, set `systemd.services.buildkite-agent-${name}.serviceConfig.PrivateTmp = false;`.
+
 ## Detailed migration information {#sec-release-24.11-migration}
 
 ### `sound` options removal {#sec-release-24.11-migration-sound}

nixos/modules/services/continuous-integration/buildkite-agents.nix

@@ -205,6 +205,8 @@ in
       serviceConfig = {
         ExecStart = "${cfg.package}/bin/buildkite-agent start --config ${cfg.dataDir}/buildkite-agent.cfg";
         User = "buildkite-agent-${name}";
+        # Workaround https://github.com/buildkite/agent/issues/2916
+        PrivateTmp = lib.mkDefault true;
         RestartSec = 5;
         Restart = "on-failure";
         TimeoutSec = 10;

pkgs/by-name/bu/buildkite-agent/package.nix

@@ -13,16 +13,16 @@
 }:
 buildGoModule rec {
   pname = "buildkite-agent";
-  version = "3.59.0";
+  version = "3.76.1";
 
   src = fetchFromGitHub {
     owner = "buildkite";
     repo = "agent";
     rev = "v${version}";
-    sha256 = "sha256-pYaxjXoNn6MOE2oHUSKrBzP5oKhtfJwSHFCkcpkyzas=";
+    sha256 = "sha256-0i2b7sVBkV5zcJo+K5kg2Ojbix0rlQRXHKAmL9PJs+g=";
   };
 
-  vendorHash = "sha256-JSuam9Tn+ZekfLrj78tBncH7Q2aP4CaUgaaDkJ/azEw=";
+  vendorHash = "sha256-0P6EXqQa6WxhjNJ4X6THvjJRK/UQvqXTv+7IJViFAQs=";
 
   postPatch = ''
     substituteInPlace clicommand/agent_start.go --replace /bin/bash ${bash}/bin/bash