Delay generating test update payload in official builds

The update payload needs the kernel, which isn't signed during the image
job. Secure Boot is not currently enabled for update tests, but we may
as well do this properly. The production update upload is generated
manually at the end after everything has already been signed.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>

build_image

@@ -177,7 +177,7 @@ if [[ "${PROD_IMAGE}" -eq 1 ]]; then
   if [[ ${FLAGS_extract_update} -eq ${FLAGS_TRUE} ]]; then
     extract_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
-  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} ]]; then
+  if [[ ${FLAGS_generate_update} -eq ${FLAGS_TRUE} && ${COREOS_OFFICIAL:-0} -ne 1 ]]; then
     generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
   fi
   if [[ "${PROD_TAR}" -eq 1 ]]; then

ci-automation/sbsign_image.sh

@@ -91,7 +91,8 @@ function _sbsign_image_impl() {
                        --only_store_compressed
 
     # Delete uncompressed generic image before signing and upload
-    rm "${images_local}/flatcar_production_image.bin"
+    # Also delete update image because it will be unchanged
+    rm "${images_local}"/flatcar_production_{image,update}.bin
     create_digests "${SIGNER}" "${images_local}"/*
     sign_artifacts "${SIGNER}" "${images_local}"/*
     copy_to_buildcache "${images_remote}"/ "${images_local}"/*

sbsign_image

@@ -61,8 +61,11 @@ switch_to_strict_mode
 # Create the output directory and temporary mount points.
 mkdir -p "${BUILD_DIR}"
 
+DISK_LAYOUT="${FLAGS_disk_layout:-base}"
+
 fix_mtab
-sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${FLAGS_disk_layout:-base}"
+sbsign_prod_image "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
+generate_update "${FLATCAR_PRODUCTION_IMAGE_NAME}" "${DISK_LAYOUT}"
 
 echo "Done. ${FLATCAR_PRODUCTION_IMAGE_NAME} and associated files are now signed for Secure Boot in ${BUILD_DIR}."
 command_completed