Demi Marie Obenour <demiobenour@gmail.com> writes:
Whenever a release is made, create a directory with the release files to be used for an update. After its SHA256SSUMS file is signed, the file is ready to be uploaded to a server for users to update from.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
Changes since v2:

- Use UUIDs to name the rootfs and verity superblock. This will allow systemd-sysupdate to set the correct UUIDs on the rootfs and verity partitions, avoiding the need to use labels to find these partitions.
---
 release.nix        |  2 ++
 release/update.nix | 33 +++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
Reviewed-by: Alyssa Ross <hi@alyssa.is>

But I think we should be clearer about set, see below.
diff --git a/release.nix b/release.nix index a4fe66ee5925aeee3a1f5f1fac249c595cee0885..704abb39a3d01152eac3dfe313066834c3cd0a66 100644 --- a/release.nix +++ b/release.nix @@ -8,5 +8,7 @@ import lib/call-package.nix ({ callSpectrumPackage }: {
checks = callSpectrumPackage release/checks {};
+ updates = callSpectrumPackage release/update.nix {}; + combined = callSpectrumPackage release/combined/run-vm.nix {}; }) (_: {}) diff --git a/release/update.nix b/release/update.nix new file mode 100644 index 0000000000000000000000000000000000000000..77eb5fc422baa7d13e8e3ccb823c2fe69d2c39cc --- /dev/null +++ b/release/update.nix @@ -0,0 +1,33 @@ +# SPDX-License-Identifier: MIT +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +import ../lib/call-package.nix ( +{ callSpectrumPackage, config, runCommand, stdenv }: + +let + efi = import ../host/efi.nix {}; +in +runCommand "spectrum-update-directory" { + __structuredAttrs = true; + unsafeDiscardReferences = { out = true; }; + dontFixup = true; + env = { VERSION = config.version; }; +} '' + # One would expect that this is enabled already but it is not. + set -euo pipefail
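Review bot: `unsafeDiscardReferences = { out = true; };` and `dontFixup = true;` in the runCommand attributes of release/update.nix carry no comment, while the `set -euo pipefail` line right below them does. Turning off reference scanning for the output is the kind of setting a later reader will question, so please add a one-line comment on each saying why it is wanted here, for example that the output is a directory of release files meant to be uploaded and is not expected to keep store references.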
I see. stdenv leaves -eo pipefail set, but not -u. In that case, we should just set -u so it's clearer what change is actually intended to be made to the environment.