Demi Marie Obenour <demiobenour@gmail.com> writes:
Whenever a release is made, create a directory with the release files to be used for an update. After its SHA256SUMS file is signed, the file is ready to be uploaded to a webserver for users to update from.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
---
release.nix | 2 ++
release/update.nix | 30 ++++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/release.nix b/release.nix
index a4fe66ee5925aeee3a1f5f1fac249c595cee0885..704abb39a3d01152eac3dfe313066834c3cd0a66 100644
--- a/release.nix
+++ b/release.nix
@@ -8,5 +8,7 @@ import lib/call-package.nix ({ callSpectrumPackage }: {
checks = callSpectrumPackage release/checks {};
+ updates = callSpectrumPackage release/update.nix {};
+
Should this just be called "update" (singular)?
combined = callSpectrumPackage release/combined/run-vm.nix {};
}) (_: {})
diff --git a/release/update.nix b/release/update.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ec51eb12d33030255b7b4a7e74e14416f1f0659d
--- /dev/null
+++ b/release/update.nix
@@ -0,0 +1,30 @@
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross <hi@alyssa.is>
+# SPDX-FileCopyrightText: 2025 Demi Marie Obenour <demiobenour@gmail.com>
+
+import ../lib/call-package.nix (
+{ callSpectrumPackage, config, efi
+, runCommand, stdenv, rootfs
+}:
+
+runCommand "spectrum-update-directory" {
+ __structuredAttrs = true;
+ unsafeDiscardReferences = { out = true; };
+ dontFixup = true;
+ env = {
+ VERSION = config.version;
+ ROOTHASH = "${rootfs}/rootfs.verity.roothash";
+ VERITY = "${rootfs}/rootfs.verity.superblock";
+ ROOT_FS = "${rootfs}/rootfs";
+ EFI = efi;
+ };
I'd just inline these as string interpolations rather than passing them as environment variables (except maybe VERSION).
+} ''
+ read -r roothash < "$ROOTHASH"
+ mkdir -- "$out"
+ cp -- "$VERITY" "$out/Spectrum_$VERSION.verity"
+ cp -- "$ROOT_FS" "$out/Spectrum_$VERSION.root"
+ cp -- "$EFI" "$out/Spectrum_$VERSION.efi"
+ cd -- "$out"
+ sha256sum -b "Spectrum_$VERSION.root" "Spectrum_$VERSION.verity" "Spectrum_$VERSION.efi" > SHA256SUMS
+ ''
+) (_: {})
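Review bot: `roothash` is read from `$ROOTHASH` on the first line of the build script in release/update.nix and never used afterwards, so the verity root hash is neither written to `$out` nor listed in `SHA256SUMS`. If the updater is meant to get the root hash from this directory, it should be copied into `$out` and added to the `sha256sum` argument list so the signed manifest covers it; if it is already carried elsewhere (for example inside the EFI image, which is not visible here), drop `read -r roothash < "$ROOTHASH"` together with the `ROOTHASH` env entry. The `callSpectrumPackage` and `stdenv` arguments in the function header are likewise unused in this file. A one-line comment above `unsafeDiscardReferences = { out = true; };` stating why dropping store references is safe for this output, presumably because the files are uploaded rather than run from the store, would make that setting easier to audit.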
-- 2.51.2