Release version 0.10.2

Updated the `mark-stable` workflow so that the `stable` tag is only moved when:

* the current push is a version tag (`v*`)
* all tests have passed
* the pushed version tag is the highest semantic version among all existing tags

This ensures that `stable` always reflects the latest valid release and prevents older version tags from overwriting it.

https://chatgpt.com/share/693b163b-0c34-800f-adcb-12cf4744dbe2

.github/workflows/mark-stable.yml

@@ -3,7 +3,9 @@ name: Mark stable commit
 on:
   push:
     branches:
-      - main
+      - main          # still run tests for main
+    tags:
+      - 'v*'          # run tests for version tags (e.g. v0.9.1)
 
 jobs:
   test-unit:
@@ -34,31 +36,63 @@ jobs:
       - test-virgin-root
     runs-on: ubuntu-latest
 
+    # Only run this job if the push is for a version tag (v*)
+    if: startsWith(github.ref, 'refs/tags/v')
+
     permissions:
-      contents: write  # to move the tag
+      contents: write  # Required to move/update the tag
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          fetch-tags: true  # We need all tags for version comparison
 
-      - name: Move 'stable' tag to this commit
+      - name: Move 'stable' tag only if this version is the highest
         run: |
           set -euo pipefail
 
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
-          echo "Tagging commit $GITHUB_SHA as stable…"
+          echo "Ref: $GITHUB_REF"
+          echo "SHA: $GITHUB_SHA"
 
-          # delete local tag if exists
+          VERSION="${GITHUB_REF#refs/tags/}"
+          echo "Current version tag: ${VERSION}"
+
+          echo "Collecting all version tags..."
+          ALL_V_TAGS="$(git tag --list 'v*' || true)"
+
+          if [[ -z "${ALL_V_TAGS}" ]]; then
+            echo "No version tags found. Skipping stable update."
+            exit 0
+          fi
+
+          echo "All version tags:"
+          echo "${ALL_V_TAGS}"
+
+          # Determine highest version using natural version sorting
+          LATEST_TAG="$(printf '%s\n' ${ALL_V_TAGS} | sort -V | tail -n1)"
+
+          echo "Highest version tag: ${LATEST_TAG}"
+
+          if [[ "${VERSION}" != "${LATEST_TAG}" ]]; then
+            echo "Current version ${VERSION} is NOT the highest version."
+            echo "Stable tag will NOT be updated."
+            exit 0
+          fi
+
+          echo "Current version ${VERSION} IS the highest version."
+          echo "Updating 'stable' tag..."
+
+          # Delete existing stable tag (local + remote)
           git tag -d stable 2>/dev/null || true
-          # delete remote tag if exists
           git push origin :refs/tags/stable || true
 
-          # create new tag on this commit
+          # Create new stable tag
           git tag stable "$GITHUB_SHA"
           git push origin stable
 
-          echo "✅ Stable tag updated."
+          echo "✅ Stable tag updated to ${VERSION}."

CHANGELOG.md

@@ -1,3 +1,12 @@
+## [0.10.2] - 2025-12-11
+
+* * Stable tag now updates only when a new highest version is released.
+* Debian package now includes sudo to ensure privilege escalation works reliably.
+* Nix setup is significantly more resilient with retries, correct permissions, and better environment handling.
+* AUR builder setup uses retries so yay installs succeed even under network instability.
+* Nix flake installation now fails only on mandatory parts; optional outputs no longer block installation.
+
+
 ## [0.10.1] - 2025-12-11
 
 * Fixed Debian\Ubuntu to pass container e2e tests
@@ -5,8 +14,6 @@
 
 ## [0.10.0] - 2025-12-11
 
-* **Changes since v0.9.1**
-
 **Mirror System**
 
 * Added SSH mirror support including multi-push and remote probing

flake.nix

@@ -36,7 +36,7 @@
         rec {
           pkgmgr = pyPkgs.buildPythonApplication {
             pname   = "package-manager";
-            version = "0.10.1";
+            version = "0.10.2";
 
             # Use the git repo as source
             src = ./.;

pyproject.toml

@@ -7,7 +7,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "package-manager"
-version = "0.10.1"
+version = "0.10.2"
 description = "Kevin's package-manager tool (pkgmgr)"
 readme = "README.md"
 requires-python = ">=3.11"

scripts/init-nix.sh

@@ -3,21 +3,22 @@ set -euo pipefail
 
 echo "[init-nix] Starting Nix initialization..."
 
+NIX_INSTALL_URL="${NIX_INSTALL_URL:-https://nixos.org/nix/install}"
+NIX_DOWNLOAD_MAX_TIME=300      # 5 minutes
+NIX_DOWNLOAD_SLEEP_INTERVAL=20 # 20 seconds
+
 # ---------------------------------------------------------------------------
-# Helper: detect whether we are inside a container (Docker/Podman/etc.)
+# Detect whether we are inside a container (Docker/Podman/etc.)
 # ---------------------------------------------------------------------------
 is_container() {
-  # Docker / Podman markers
   if [[ -f /.dockerenv ]] || [[ -f /run/.containerenv ]]; then
     return 0
   fi
 
-  # cgroup hints
   if grep -qiE 'docker|container|podman|lxc' /proc/1/cgroup 2>/dev/null; then
     return 0
   fi
 
-  # Environment variable used by some runtimes
   if [[ -n "${container:-}" ]]; then
     return 0
   fi
@@ -26,219 +27,206 @@ is_container() {
 }
 
 # ---------------------------------------------------------------------------
-# Helper: ensure Nix binaries are on PATH (multi-user or single-user)
+# Ensure Nix binaries are on PATH (multi-user or single-user)
 # ---------------------------------------------------------------------------
 ensure_nix_on_path() {
-  # Multi-user profile (daemon install)
   if [[ -x /nix/var/nix/profiles/default/bin/nix ]]; then
     export PATH="/nix/var/nix/profiles/default/bin:${PATH}"
   fi
 
-  # Single-user profile (current user)
   if [[ -x "${HOME}/.nix-profile/bin/nix" ]]; then
     export PATH="${HOME}/.nix-profile/bin:${PATH}"
   fi
 
-  # Single-user profile for dedicated "nix" user (container case)
   if [[ -x /home/nix/.nix-profile/bin/nix ]]; then
     export PATH="/home/nix/.nix-profile/bin:${PATH}"
   fi
 }
 
 # ---------------------------------------------------------------------------
-# Helper: ensure Nix build group and users exist (build-users-group = nixbld)
+# Ensure Nix build group and users exist (build-users-group = nixbld)
 # ---------------------------------------------------------------------------
 ensure_nix_build_group() {
-  # Ensure nixbld group (build-users-group for Nix)
   if ! getent group nixbld >/dev/null 2>&1; then
     echo "[init-nix] Creating group 'nixbld'..."
     groupadd -r nixbld
   fi
 
-  # Ensure Nix build users (nixbld1..nixbld10) as members of nixbld
   for i in $(seq 1 10); do
     if ! id "nixbld$i" >/dev/null 2>&1; then
       echo "[init-nix] Creating build user nixbld$i..."
-      # -r: system account, -g: primary group, -G: supplementary (ensures membership is listed)
       useradd -r -g nixbld -G nixbld -s /usr/sbin/nologin "nixbld$i"
     fi
   done
 }
 
 # ---------------------------------------------------------------------------
-# Fast path: Nix already available
+# Download and run Nix installer with retry
+#   Usage: install_nix_with_retry daemon|no-daemon [run_as_user]
 # ---------------------------------------------------------------------------
-if command -v nix >/dev/null 2>&1; then
+install_nix_with_retry() {
-  echo "[init-nix] Nix already available on PATH: $(command -v nix)"
+  local mode="$1"
-  exit 0
+  local run_as="${2:-}"
-fi
+  local installer elapsed=0 mode_flag
 
-ensure_nix_on_path
+  case "${mode}" in
+    daemon)    mode_flag="--daemon" ;;
+    no-daemon) mode_flag="--no-daemon" ;;
+    *)
+      echo "[init-nix] ERROR: Invalid mode '${mode}', expected 'daemon' or 'no-daemon'."
+      exit 1
+      ;;
+  esac
 
-if command -v nix >/dev/null 2>&1; then
+  installer="$(mktemp -t nix-installer.XXXXXX)"
-  echo "[init-nix] Nix found after adjusting PATH: $(command -v nix)"
-  exit 0
-fi
 
-echo "[init-nix] Nix not found, starting installation logic..."
+  echo "[init-nix] Downloading Nix installer from ${NIX_INSTALL_URL} with retry (max ${NIX_DOWNLOAD_MAX_TIME}s)..."
 
-IN_CONTAINER=0
+  while true; do
-if is_container; then
+    if curl -fL "${NIX_INSTALL_URL}" -o "${installer}"; then
-  IN_CONTAINER=1
+      echo "[init-nix] Successfully downloaded Nix installer to ${installer}"
-  echo "[init-nix] Detected container environment."
+      break
-else
-  echo "[init-nix] No container detected."
-fi
-
-# ---------------------------------------------------------------------------
-# Container + root: install Nix as dedicated "nix" user (single-user)
-# ---------------------------------------------------------------------------
-if [[ "${IN_CONTAINER}" -eq 1 && "${EUID:-0}" -eq 0 ]]; then
-  echo "[init-nix] Running as root inside a container – using dedicated 'nix' user."
-
-  # Ensure build group/users for Nix
-  ensure_nix_build_group
-
-  # Ensure "nix" user (home at /home/nix)
-  if ! id nix >/dev/null 2>&1; then
-    echo "[init-nix] Creating user 'nix'..."
-    # Resolve a valid shell path across distros:
-    # - Debian/Ubuntu: /bin/bash
-    # - Arch:          /usr/bin/bash (often symlinked)
-    # Fall back to /bin/sh on ultra-minimal systems.
-    BASH_SHELL="$(command -v bash || true)"
-    if [[ -z "${BASH_SHELL}" ]]; then
-      BASH_SHELL="/bin/sh"
     fi
-    useradd -m -r -g nixbld -s "${BASH_SHELL}" nix
-  fi
 
-  # Ensure /nix exists and is writable by the "nix" user.
+    local curl_exit=$?
-  #
+    echo "[init-nix] WARNING: Failed to download Nix installer (curl exit code ${curl_exit})."
-  # In some base images (or previous runs), /nix may already exist and be
+
-  # owned by root. In that case the Nix single-user installer will abort with:
+    elapsed=$((elapsed + NIX_DOWNLOAD_SLEEP_INTERVAL))
-  #
+    if (( elapsed >= NIX_DOWNLOAD_MAX_TIME )); then
-  #   "directory /nix exists, but is not writable by you"
+      echo "[init-nix] ERROR: Giving up after ${elapsed}s trying to download Nix installer."
-  #
+      rm -f "${installer}"
-  # To keep container runs idempotent and robust, we always enforce
+      exit 1
-  # ownership nix:nixbld here.
+    fi
-  if [[ ! -d /nix ]]; then
+
-    echo "[init-nix] Creating /nix with owner nix:nixbld..."
+    echo "[init-nix] Retrying in ${NIX_DOWNLOAD_SLEEP_INTERVAL}s (elapsed: ${elapsed}s/${NIX_DOWNLOAD_MAX_TIME}s)..."
-    mkdir -m 0755 /nix
+    sleep "${NIX_DOWNLOAD_SLEEP_INTERVAL}"
-    chown nix:nixbld /nix
+  done
-  else
+
-    current_owner="$(stat -c '%U' /nix 2>/dev/null || echo '?')"
+  if [[ -n "${run_as}" ]]; then
-    current_group="$(stat -c '%G' /nix 2>/dev/null || echo '?')"
+    echo "[init-nix] Running installer as user '${run_as}' with mode '${mode}'..."
-    if [[ "${current_owner}" != "nix" || "${current_group}" != "nixbld" ]]; then
+    if command -v sudo >/dev/null 2>&1; then
-      echo "[init-nix] /nix already exists with owner ${current_owner}:${current_group} – fixing to nix:nixbld..."
+      sudo -u "${run_as}" bash -lc "sh '${installer}' ${mode_flag}"
-      chown -R nix:nixbld /nix
     else
-      echo "[init-nix] /nix already exists with correct owner nix:nixbld."
+      su - "${run_as}" -c "sh '${installer}' ${mode_flag}"
     fi
-
-    if [[ ! -w /nix ]]; then
-      echo "[init-nix] WARNING: /nix is still not writable after chown; Nix installer may fail."
-    fi
-  fi
-
-  # Run Nix single-user installer as "nix"
-  echo "[init-nix] Installing Nix as user 'nix' (single-user, --no-daemon)..."
-  if command -v sudo >/dev/null 2>&1; then
-    sudo -u nix bash -lc 'sh <(curl -L https://nixos.org/nix/install) --no-daemon'
   else
-    su - nix -c 'sh <(curl -L https://nixos.org/nix/install) --no-daemon'
+    echo "[init-nix] Running installer as current user with mode '${mode}'..."
+    sh "${installer}" "${mode_flag}"
   fi
 
-  # After installation, expose nix to root via PATH and symlink
+  rm -f "${installer}"
-  ensure_nix_on_path
+}
 
-  if [[ -x /home/nix/.nix-profile/bin/nix ]]; then
+# ---------------------------------------------------------------------------
-    if [[ ! -e /usr/local/bin/nix ]]; then
+# Main
-      echo "[init-nix] Creating /usr/local/bin/nix symlink -> /home/nix/.nix-profile/bin/nix"
+# ---------------------------------------------------------------------------
-      ln -s /home/nix/.nix-profile/bin/nix /usr/local/bin/nix
+main() {
-    fi
+  # Fast path: Nix already available
+  if command -v nix >/dev/null 2>&1; then
+    echo "[init-nix] Nix already available on PATH: $(command -v nix)"
+    return 0
   fi
 
   ensure_nix_on_path
 
   if command -v nix >/dev/null 2>&1; then
-    echo "[init-nix] Nix successfully installed (container mode) at: $(command -v nix)"
+    echo "[init-nix] Nix found after adjusting PATH: $(command -v nix)"
-  else
+    return 0
-    echo "[init-nix] WARNING: Nix installation finished in container, but 'nix' is still not on PATH."
   fi
 
-  # Optionally add PATH hints to /etc/profile (best effort)
+  echo "[init-nix] Nix not found, starting installation logic..."
-  if [[ -w /etc/profile ]]; then
-    if ! grep -q 'Nix profiles' /etc/profile 2>/dev/null; then
-      cat <<'EOF' >> /etc/profile
 
-# Nix profiles (added by package-manager init-nix.sh)
+  local IN_CONTAINER=0
-if [ -d /nix/var/nix/profiles/default/bin ]; then
+  if is_container; then
-  PATH="/nix/var/nix/profiles/default/bin:$PATH"
+    IN_CONTAINER=1
-fi
+    echo "[init-nix] Detected container environment."
-if [ -d "$HOME/.nix-profile/bin" ]; then
+  else
-  PATH="$HOME/.nix-profile/bin:$PATH"
+    echo "[init-nix] No container detected."
-fi
-EOF
-      echo "[init-nix] Appended Nix PATH setup to /etc/profile (container mode)."
-    fi
   fi
 
-  echo "[init-nix] Nix initialization complete (container root mode)."
+  # -------------------------------------------------------------------------
-  exit 0
+  # Container + root: dedicated "nix" user, single-user install
-fi
+  # -------------------------------------------------------------------------
+  if [[ "${IN_CONTAINER}" -eq 1 && "${EUID:-0}" -eq 0 ]]; then
+    echo "[init-nix] Container + root – installing as 'nix' user (single-user)."
 
-# ---------------------------------------------------------------------------
+    ensure_nix_build_group
-# Non-container or non-root container: normal installer paths
+
-# ---------------------------------------------------------------------------
+    if ! id nix >/dev/null 2>&1; then
-if [[ "${IN_CONTAINER}" -eq 0 ]]; then
+      echo "[init-nix] Creating user 'nix'..."
-  # Real host
+      local BASH_SHELL
-  if command -v systemctl >/dev/null 2>&1; then
+      BASH_SHELL="$(command -v bash || true)"
-    echo "[init-nix] Host with systemd – using multi-user install (--daemon)."
+      [[ -z "${BASH_SHELL}" ]] && BASH_SHELL="/bin/sh"
-    if [[ "${EUID:-0}" -eq 0 ]]; then
+      useradd -m -r -g nixbld -s "${BASH_SHELL}" nix
-      # Prepare build-users-group for Nix daemon installs
-      ensure_nix_build_group
     fi
-    sh <(curl -L https://nixos.org/nix/install) --daemon
-  else
-    if [[ "${EUID:-0}" -eq 0 ]]; then
-      echo "[init-nix] WARNING: Running as root without systemd on host."
-      echo "[init-nix] Falling back to single-user install (--no-daemon), but this is not recommended."
 
-      # IMPORTANT: This is where Debian/Ubuntu inside your CI end up.
+    if [[ ! -d /nix ]]; then
-      # We must ensure 'nixbld' exists before running the installer,
+      echo "[init-nix] Creating /nix with owner nix:nixbld..."
-      # otherwise modern Nix fails with: "the group 'nixbld' ... does not exist".
+      mkdir -m 0755 /nix
-      ensure_nix_build_group
+      chown nix:nixbld /nix
-
-      sh <(curl -L https://nixos.org/nix/install) --no-daemon
     else
-      echo "[init-nix] Non-root host without systemd – using single-user install (--no-daemon)."
+      local current_owner current_group
-      # Non-root cannot create nixbld group; rely on upstream defaults
+      current_owner="$(stat -c '%U' /nix 2>/dev/null || echo '?')"
-      sh <(curl -L https://nixos.org/nix/install) --no-daemon
+      current_group="$(stat -c '%G' /nix 2>/dev/null || echo '?')"
+      if [[ "${current_owner}" != "nix" || "${current_group}" != "nixbld" ]]; then
+        echo "[init-nix] Fixing /nix ownership from ${current_owner}:${current_group} to nix:nixbld..."
+        chown -R nix:nixbld /nix
+      fi
+      if [[ ! -w /nix ]]; then
+        echo "[init-nix] WARNING: /nix is not writable after chown; Nix installer may fail."
+      fi
     fi
-  fi
+
-else
+    install_nix_with_retry "no-daemon" "nix"
+
+    ensure_nix_on_path
+
+    if [[ -x /home/nix/.nix-profile/bin/nix && ! -e /usr/local/bin/nix ]]; then
+      echo "[init-nix] Creating /usr/local/bin/nix symlink -> /home/nix/.nix-profile/bin/nix"
+      ln -s /home/nix/.nix-profile/bin/nix /usr/local/bin/nix
+    fi
+
+  # -------------------------------------------------------------------------
+  # Host (no container)
+  # -------------------------------------------------------------------------
+  elif [[ "${IN_CONTAINER}" -eq 0 ]]; then
+    if command -v systemctl >/dev/null 2>&1; then
+      echo "[init-nix] Host with systemd – using multi-user install (--daemon)."
+      if [[ "${EUID:-0}" -eq 0 ]]; then
+        ensure_nix_build_group
+      fi
+      install_nix_with_retry "daemon"
+    else
+      if [[ "${EUID:-0}" -eq 0 ]]; then
+        echo "[init-nix] Host without systemd as root – using single-user install (--no-daemon)."
+        ensure_nix_build_group
+      else
+        echo "[init-nix] Host without systemd as non-root – using single-user install (--no-daemon)."
+      fi
+      install_nix_with_retry "no-daemon"
+    fi
+
+  # -------------------------------------------------------------------------
   # Container, but not root (rare)
-  echo "[init-nix] Container as non-root user – using single-user install (--no-daemon)."
+  # -------------------------------------------------------------------------
-  sh <(curl -L https://nixos.org/nix/install) --no-daemon
+  else
-fi
+    echo "[init-nix] Container as non-root – using single-user install (--no-daemon)."
+    install_nix_with_retry "no-daemon"
+  fi
 
-# ---------------------------------------------------------------------------
+  # -------------------------------------------------------------------------
-# After installation: fix PATH (runtime + shell profiles)
+  # After installation: PATH + /etc/profile
-# ---------------------------------------------------------------------------
+  # -------------------------------------------------------------------------
-ensure_nix_on_path
+  ensure_nix_on_path
 
-if ! command -v nix >/dev/null 2>&1; then
+  if ! command -v nix >/dev/null 2>&1; then
-  echo "[init-nix] WARNING: Nix installation finished, but 'nix' is still not on PATH."
+    echo "[init-nix] WARNING: Nix installation finished, but 'nix' is still not on PATH."
-  echo "[init-nix] You may need to source your shell profile manually."
+    echo "[init-nix] You may need to source your shell profile manually."
-  exit 0
+  else
-fi
+    echo "[init-nix] Nix successfully installed at: $(command -v nix)"
+  fi
 
-echo "[init-nix] Nix successfully installed at: $(command -v nix)"
+  if [[ -w /etc/profile ]] && ! grep -q 'Nix profiles' /etc/profile 2>/dev/null; then
-
-# Update global /etc/profile if writable (helps especially on minimal systems)
-if [[ -w /etc/profile ]]; then
-  if ! grep -q 'Nix profiles' /etc/profile 2>/dev/null; then
     cat <<'EOF' >> /etc/profile
 
 # Nix profiles (added by package-manager init-nix.sh)
@@ -251,6 +239,8 @@ fi
 EOF
     echo "[init-nix] Appended Nix PATH setup to /etc/profile"
   fi
-fi
 
-echo "[init-nix] Nix initialization complete."
+  echo "[init-nix] Nix initialization complete."
+}
+
+main "$@"

scripts/installation/arch/aur-builder-setup.sh

@@ -49,8 +49,8 @@ echo "[aur-builder-setup] Ensuring yay is installed for aur_builder..."
 if ! "${RUN_AS_AUR[@]}" 'command -v yay >/dev/null 2>&1'; then
   echo "[aur-builder-setup] yay not found – starting retry sequence for download..."
 
-  MAX_TIME=300         # 5 minutes
+  MAX_TIME=300
-  SLEEP_INTERVAL=20    # 20 seconds
+  SLEEP_INTERVAL=20
   ELAPSED=0
 
   while true; do