Demi Marie Obenour writes:
> Whenever a release is made, create a directory with the release files to
> be used for an update. After its SHA256SSUMS file is signed, the file
> is ready to be uploaded to a webserver for users to update from.
>
> Signed-off-by: Demi Marie Obenour
> ---
> release.nix | 2 ++
> release/update.nix | 30 ++++++++++++++++++++++++++++++
> 2 files changed, 32 insertions(+)
>
> diff --git a/release.nix b/release.nix
> index a4fe66ee5925aeee3a1f5f1fac249c595cee0885..704abb39a3d01152eac3dfe313066834c3cd0a66 100644
> --- a/release.nix
> +++ b/release.nix
> @@ -8,5 +8,7 @@ import lib/call-package.nix ({ callSpectrumPackage }: {
>
> checks = callSpectrumPackage release/checks {};
>
> + updates = callSpectrumPackage release/update.nix {};
> +

Should this just be called "update" (singular)?

> combined = callSpectrumPackage release/combined/run-vm.nix {};
> }) (_: {})
> diff --git a/release/update.nix b/release/update.nix
> new file mode 100644
> index 0000000000000000000000000000000000000000..ec51eb12d33030255b7b4a7e74e14416f1f0659d
> --- /dev/null
> +++ b/release/update.nix
> @@ -0,0 +1,30 @@
> +# SPDX-License-Identifier: MIT
> +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross
> +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour
> +
> +import ../lib/call-package.nix (
> +{ callSpectrumPackage, config, efi
> +, runCommand, stdenv, rootfs
> +}:
> +
> +runCommand "spectrum-update-directory" {
> + __structuredAttrs = true;
> + unsafeDiscardReferences = { out = true; };
> + dontFixup = true;
> + env = {
> + VERSION = config.version;
> + ROOTHASH = "${rootfs}/rootfs.verity.roothash";
> + VERITY = "${rootfs}/rootfs.verity.superblock";
> + ROOT_FS = "${rootfs}/rootfs";
> + EFI = efi;
> + };

I'd just inline these as string interpolations rather than passing them as environment variables (except maybe VERSION).

> +} ''
> + read -r roothash < "$ROOTHASH"
> + mkdir -- "$out"
> + cp -- "$VERITY" "$out/Spectrum_$VERSION.verity"
> + cp -- "$ROOT_FS" "$out/Spectrum_$VERSION.root"
> + cp -- "$EFI" "$out/Spectrum_$VERSION.efi"
> + cd -- "$out"
> + sha256sum -b "Spectrum_$VERSION.root" "Spectrum_$VERSION.verity" "Spectrum_$VERSION.efi" > SHA256SUMS
> + ''
> +) (_: {})
>
> --
> 2.51.2
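Review bot: The value read by `read -r roothash < "$ROOTHASH"` is never used in the rest of the build script, so the dm-verity root hash ends up neither in the output directory nor in SHA256SUMS. If the updater is meant to get the root hash only through the EFI image (presumably it is embedded there; this hunk does not show it), the `read` and the `ROOTHASH` entry can be dropped. If the line is kept as an existence check, mark it with a comment such as `# fail the build early if the roothash file is missing`. It would also help to add a comment above the `sha256sum` line saying that SHA256SUMS is still unsigned when this derivation finishes and that the directory must not be published until the signature is added, because that manifest is the only thing tying the `.root`, `.verity` and `.efi` files of one release together.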