• The current working directory is not mounted unconditionally to
  /work/src anymore. Instead, the default value for BuildSources=
  now mounts the current working directory to /work/src. This means
  that the current working directory is no longer implicitly included
  when BuildSources= is explicitly configured.
• Assigning the empty string to a setting that takes a list of values
  now overrides any configured default value as well.
• The github action does not build and install systemd from source
  anymore. Instead, ToolsTree=default can be used to make sure a
  recent version of systemd is used to do the image build.
• Added EnvironmentFiles= to read environment variables from
  environment files.
• We drastically reduced how much of the host system we expose to
  scripts. Aside from /usr, a few directories in /etc, /tmp,
  /var/tmp and various directories configured in mkosi settings, all
  host directories are hidden from scripts, package managers and other
  tools executed by mkosi.
• Added RuntimeScratch= to automatically mount a directory with extra
  scratch space into mkosi-spawned containers and virtual machines.
• Package manager trees can now be used to configure every tool invoked
  by mkosi while building an image that reads config files from /etc
  or /usr.
• Added SELinuxRelabel= to specify whether to relabel selinux files
  or not.
• Many fixes to tools trees were made and tools trees are now covered by
  CI. Some combinations aren't possible yet but we're actively working
  to make these possible.
• mkosi qemu can now direct kernel boot s390x and powerpc images.
• Added HostArchitecture= match to match against the host
  architecture.
• We don't use the user's SSH public/private keypair anymore for
  mkosi ssh but instead use a separate key pair which can be
  generated by mkosi genkey. Users using mkosi ssh will have to run
  mkosi genkey once to generate the necessary files to keep
  mkosi ssh working.
• We don't automatically set --offline=no anymore when we detect the
  Subvolumes= setting is used in a systemd-repart partition
  definition file. Instead, use the new RepartOffline= option to
  explicitly disable running systemd-repart in offline mode.
• During the image build we now install UKIs/kernels/initrds to /boot
  instead of /efi. While this will generally not be noticeable, users
  with custom systemd-repart ESP partition definitions will need to add
  CopyFiles=/boot:/ along with the usual CopyFiles=/efi:/ to their
  ESP partition definitions. By installing UKIs/kernels/initrds to
  /boot, it becomes possible to use /boot to populate an XBOOTLDR
  partition which wasn't possible before. Note that this is also safe to
  do before v20 so CopyFiles=/boot:/ can unconditionally be added to
  any ESP partition definition files.
• Added QemuFirmwareVariables= to allow specifying a custom OVMF
  variables file to use.
• Added MinimumVersion= to allow specifying the minimum required mkosi
  version to build an image.
• Added support for Arch Linux's debug repositories
• Merged the mkosi-initrd project into mkosi itself. mkosi-initrd is now
  used to build the default initrd.
• Implemented mkosi-initrd for all supported distributions.
• Added ShimBootloader= to support installing shim to the ESP.
• Added sysext, confext and portable output formats. These will produce
  signed disk images that can be used as sysexts, confexts and portable
  services respectively.
• Added QemuVsockConnectionId= to configure how to allocate the vsock
  connection ID when QemUVsock= is enabled.
• Added documentation on how to build sysexts with mkosi.
• Global systemd user presets are now also configured.
• Implemented WithDocs= for apt.
• On supported package managers, locale data for other locales is now
  stripped if the local is explicitly configured using Locale=.
• All rpm plugins are now disabled when building images.
• Added KernelModulesIncludeHost= and
  KernelModulesInitrdIncludeHost= to only include modules loaded on
  the host system in the image/initrd respectively.
• Implemented RemovePackages= for Arch Linux.
• Added useradd and groupadd scripts to configure these binaries to
  operate on the image during builds instead on the host.
• Added microcode support. If installed into the image, an early
  microcode initrd will automatically be built and prepended to the
  initrd.
• A passwordless root account may now be created by specifying hashed:
• The Autologin= feature was extended with support for arm64,
  s390x and powerpc architectures.
• Added SecureBootAutoEnroll= to control automatic enrollment of secureboot
  keys separately from signing systemd-boot and generated UKIs.
• ImageVersion= is no longer automatically appended to the output files,
  instead this is automatically appended to Output= if not specified and
  results in the %o specifier being equivalent to %i or %i_%v depending
  on if ImageVersion= is specified.