Demi Marie Obenour <demiobenour@gmail.com> writes:
On 11/13/25 11:04, Alyssa Ross wrote:
Demi Marie Obenour <demiobenour@gmail.com> writes:
combined = callSpectrumPackage release/combined/run-vm.nix {}; }) (_: {}) diff --git a/release/update.nix b/release/update.nix new file mode 100644 index 0000000000000000000000000000000000000000..ec51eb12d33030255b7b4a7e74e14416f1f0659d --- /dev/null +++ b/release/update.nix @@ -0,0 +1,30 @@ +# SPDX-License-Identifier: MIT +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross <hi@alyssa.is> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com> + +import ../lib/call-package.nix ( +{ callSpectrumPackage, config, efi +, runCommand, stdenv, rootfs +}: + +runCommand "spectrum-update-directory" { + __structuredAttrs = true; + unsafeDiscardReferences = { out = true; }; + dontFixup = true; + env = { + VERSION = config.version; + ROOTHASH = "${rootfs}/rootfs.verity.roothash"; + VERITY = "${rootfs}/rootfs.verity.superblock"; + ROOT_FS = "${rootfs}/rootfs"; + EFI = efi; + };
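Review bot: `ROOTHASH` and `VERITY` in the `env` set are named as if they carry the root hash and the superblock bytes, but both hold store paths to files (`"${rootfs}/rootfs.verity.roothash"`, `"${rootfs}/rootfs.verity.superblock"`), so a reader of the builder script will reach for the value where a filename is meant; naming them `ROOTHASH_FILE`/`VERITY_FILE`, consistent with how `ROOT_FS` already signals a path, would remove the ambiguity. `unsafeDiscardReferences = { out = true; };` also deserves a one-line comment at the point of use: it stops Nix from recording the `rootfs` and `efi` store paths as runtime references of the output, and the reason the update directory can safely drop them should be stated beside the `unsafe` opt-out so it stays reviewable.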
I'd just inline these as string interpolations rather than passing them as environment variables (except maybe VERSION).
In general, this is very bad practice and has caused security vulnerabilities in GitHub Actions. These have even been exploited in the wild. However, this is *not* a vulnerability in this context as the input is trusted and known not to contain shell metacharacters. I mostly wanted to avoid bad habits that are fine in the Nix context, but not in others.
I think that will result in overly unidiomatic Nix code. Bad practices are always contextual.
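The distinction the thread turns on, as an added shell example that is not part of the patch or of either author's mail: a value spliced into the text of a builder script (what `${...}` does in a Nix `runCommand` string, or `${{ ... }}` in a GitHub Actions `run:` step) versus the same value handed over in the environment. The builder script and the hostile value are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not from the patch or the thread.

# Pattern A: the value becomes part of the script text before the shell
# parses it, so any shell syntax inside the value is executed as code.
run_inline() {
  value=$1
  script="echo \"version is $value\""
  sh -c "$script"
}

# Pattern B: the script text is fixed; the value arrives as an environment
# variable and is only ever expanded inside double quotes, as data.
run_env() {
  VERSION=$1 sh -c 'echo "version is $VERSION"'
}

# Returns 0 when the INJECTED marker appears as a line of its own, i.e. the
# value was executed rather than printed; 1 otherwise.
was_executed() {
  printf '%s\n' "$1" | grep -qx INJECTED
}

# Constructed value carrying shell metacharacters (not a real version string).
hostile='1.0"; echo INJECTED; echo "'

echo "--- inline interpolation:"
run_inline "$hostile"
echo "--- environment variable:"
run_env "$hostile"
```

The env-variable form prints the hostile string verbatim on one line, while the inline form runs the embedded command; trusted, metacharacter-free input like the `config.version` and store paths in the patch behaves identically under both.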