Demi Marie Obenour writes: > Whenever a release is made, create a directory with the release files to > be used for an update. After its SHA256SSUMS file is signed, the file > is ready to be uploaded to a server for users to update from. > > Signed-off-by: Demi Marie Obenour > --- > Changes since v2: > - Use UUIDs to name the rootfs and verity superblock. > This will allow systemd-sysupdate to set the correct UUIDs on the > rootfs and verity partitions, avoiding the need to use labels to find > these partitions. > --- > release.nix | 2 ++ > release/update.nix | 33 +++++++++++++++++++++++++++++++++ > 2 files changed, 35 insertions(+) Reviewed-by: Alyssa Ross But I think we should be clearer about set, see below. > diff --git a/release.nix b/release.nix > index a4fe66ee5925aeee3a1f5f1fac249c595cee0885..704abb39a3d01152eac3dfe313066834c3cd0a66 100644 > --- a/release.nix > +++ b/release.nix > @@ -8,5 +8,7 @@ import lib/call-package.nix ({ callSpectrumPackage }: { > > checks = callSpectrumPackage release/checks {}; > > + updates = callSpectrumPackage release/update.nix {}; > + > combined = callSpectrumPackage release/combined/run-vm.nix {}; > }) (_: {}) > diff --git a/release/update.nix b/release/update.nix > new file mode 100644 > index 0000000000000000000000000000000000000000..77eb5fc422baa7d13e8e3ccb823c2fe69d2c39cc > --- /dev/null > +++ b/release/update.nix 
> @@ -0,0 +1,33 @@ > +# SPDX-License-Identifier: MIT > +# SPDX-FileCopyrightText: 2021-2024 Alyssa Ross > +# SPDX-FileCopyrightText: 2025 Demi Marie Obenour > + > +import ../lib/call-package.nix ( > +{ callSpectrumPackage, config, runCommand, stdenv }: > + > +let > + efi = import ../host/efi.nix {}; > +in > +runCommand "spectrum-update-directory" { > + __structuredAttrs = true; > + unsafeDiscardReferences = { out = true; }; > + dontFixup = true; > + env = { VERSION = config.version; }; > +} '' > + # One would expect that this is enabled already but it is not. > + set -euo pipefail I see. stdenv leaves -eo pipefail set, but not -u. In that case, we should just set -u so it's clearer what change is actually intended to be made to the environment.
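Review bot: in release/update.nix, the attribute set passed to runCommand sets `unsafeDiscardReferences = { out = true; };` and `dontFixup = true;` without a comment saying why either is needed. Discarding references turns off Nix's reference scanning for the output, so a store path that ends up inside the update directory would not be recorded as a dependency and would not be noticed. Since the commit message says this directory is what gets signed and uploaded for users to update from, a short comment above these two attributes stating that the output is meant to be a self-contained set of release files with no store references would let a reviewer check that assumption against the rest of the build script.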