From 2bfecb2819e9889981d602cd13032aea6df050a9 Mon Sep 17 00:00:00 2001
From: Mitchell R <root@mitchellr.info>
Date: Wed, 13 May 2026 13:08:36 +0200
Subject: [PATCH] feat(deploy): apt full-upgrade on every setup run
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an OS + dist upgrade step before the BetterFrame install logic so
re-running the script keeps the host current. Uses
  --force-confdef --force-confold
so package maintainer scripts never block on prompts, and follows with
autoremove + autoclean. Kernel/libc updates set /var/run/reboot-required
which the existing REBOOT_NEEDED guard picks up → auto-reboot at end.

BF_SKIP_UPGRADE=1 bypasses the upgrade for fast iteration.
---
 deploy/scripts/setup-pi-kiosk.sh | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/deploy/scripts/setup-pi-kiosk.sh b/deploy/scripts/setup-pi-kiosk.sh
index 690d108..7e02a4c 100755
--- a/deploy/scripts/setup-pi-kiosk.sh
+++ b/deploy/scripts/setup-pi-kiosk.sh
@@ -24,6 +24,7 @@
 #   BF_HOME=/path/to/repo          override repo location (default: $HOME/betterframe)
 #   BF_REPO_URL=git@…              override clone URL (default: github)
 #   SKIP_BUILD=1                   skip kiosk cargo build (expects existing binary)
+#   BF_SKIP_UPGRADE=1              skip apt full-upgrade (faster re-runs)
 #   BF_NO_REBOOT=1                 don't auto-reboot when boot-time files changed
 
 set -euo pipefail
@@ -60,10 +61,27 @@ run_as_user() {
 }
 
 # ----------------------------------------------------------------------------
-# 1. Base packages
+# 1. Base packages + full OS upgrade
 # ----------------------------------------------------------------------------
-echo "==> Installing base packages"
+echo "==> apt update"
+export DEBIAN_FRONTEND=noninteractive
 apt-get update
+
+if [ "${BF_SKIP_UPGRADE:-0}" != "1" ]; then
+  echo "==> apt full-upgrade (OS + dist updates)"
+  # full-upgrade handles changing dependencies (incl. kernel + libc); the
+  # confdef/confold flags keep maintainer scripts non-interactive. If anything
+  # gets held back, autoremove won't touch BetterFrame's deps because we
+  # install them with --no-install-recommends and explicit names below.
+  apt-get -y \
+    -o Dpkg::Options::="--force-confdef" \
+    -o Dpkg::Options::="--force-confold" \
+    full-upgrade
+  apt-get -y autoremove --purge
+  apt-get -y autoclean
+fi
+
+echo "==> Installing base packages"
 apt-get install -y --no-install-recommends \
   git ca-certificates curl gnupg lsb-release sudo