@Anshgrover23 Anshgrover23 commented Jan 21, 2026

Description

Adds complete .deb packaging infrastructure for cortex-linux, enabling native installation on Debian and Ubuntu systems via APT.

Testing

# Install build deps
make deb-deps

# Build package locally
make deb

# Install and test
make deb-install
cortex --version

Notes

  • Requires APT_REPO_PAT secret with write access to cortexlinux/apt-repo
  • .deb files are architecture-independent (all) since it's pure Python

Summary by CodeRabbit

Release Notes

  • New Features

    • Added Debian package support for Linux distributions, enabling installation via .deb files with automatic dependency management.
  • Chores

    • Implemented Debian packaging infrastructure and build automation.
    • Updated release workflow to build and distribute Debian packages alongside existing distribution channels.
    • Added build commands for local Debian package development.


Copilot AI review requested due to automatic review settings January 21, 2026 05:38
@gemini-code-assist

Summary of Changes

Hello @Anshgrover23, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request establishes the foundational infrastructure for distributing the Cortex project as Debian packages. It enables the creation of separate packages for the Python-based CLI and the C++ daemon, ensuring proper installation, configuration, and system integration on Debian-based systems. Furthermore, it sets up an automated CI/CD pipeline to streamline the package build and release process.

Highlights

  • Debian Packaging Infrastructure: Introduced a complete debian/ directory structure to enable the creation of Debian packages for the project.
  • Dual Package Creation: Configured the build process to generate two distinct Debian packages: cortex-linux for the Python CLI and cortexd for the C++ daemon.
  • Automated Build Workflow: Implemented a GitHub workflow (build-deb.yml) to automate the building and publishing of these .deb packages upon new releases.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/build-deb.yml

Copilot AI left a comment

Pull request overview

This PR adds Debian packaging infrastructure to enable building and distributing .deb packages for both the cortex-linux Python CLI tool and the cortexd C++ daemon. The implementation includes complete Debian package metadata, maintainer scripts for installation/removal, and a GitHub Actions workflow for automated builds on releases.

Changes:

  • Complete debian/ directory structure with package metadata, build rules, and maintainer scripts
  • GitHub Actions workflow to build packages on release or manual trigger and upload to GitHub releases
  • Support for dual-package builds: cortex-linux (Python CLI) and cortexd (C++ daemon with systemd integration)

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated no comments.

File                              Description
debian/source/format              Declares native package format
debian/rules                      Build instructions for both Python and C++ components
debian/cortexd.service            Systemd service installation path
debian/cortexd.prerm              Pre-removal script to stop daemon
debian/cortexd.postrm             Post-removal cleanup script
debian/cortexd.postinst           Post-installation setup for daemon
debian/cortexd.install            Defines daemon binary and config paths
debian/cortex-linux.postinst      Post-installation setup for CLI
debian/cortex-linux.install       Defines Python package installation paths
debian/copyright                  License and copyright information
debian/control                    Package metadata and dependencies
debian/compat                     Debhelper compatibility level
debian/changelog                  Initial package changelog
.github/workflows/build-deb.yml   Automated package build workflow


@Anshgrover23 Anshgrover23 self-assigned this Jan 21, 2026
coderabbitai bot commented Jan 21, 2026

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

This pull request establishes comprehensive Debian packaging infrastructure for cortex-linux, including packaging metadata files, an automated build script, updated CI/CD workflows, and build system configuration to enable release of .deb packages alongside existing PyPI distributions.

Changes

Cohort: Debian Packaging Metadata
File(s): debian/changelog, debian/control, debian/copyright, debian/source/format, debian/dirs, debian/cortex-linux.links, debian/cortex-linux.postrm, debian/rules
Summary: Introduces complete Debian package definition: changelog entry, control manifest with package dependencies, copyright licensing (BUSL-1.1 transitioning to Apache 2.0), binary format specification, virtualenv-based build configuration, post-removal cleanup, and symlink mapping.

Cohort: Build Automation
File(s): scripts/build-deb.sh
Summary: New Bash script automating .deb package construction with dependency validation, version synchronization from pyproject.toml, dpkg-buildpackage invocation, and artifact staging. Supports CLI flags for --install-deps, --no-sign, and --clean operations.

Cohort: CI/CD Release Workflow
File(s): .github/workflows/release.yml
Summary: Restructures release workflow: renames top-level job from build to build-python, adds matrix-based build-deb job for multiple architectures, introduces upload-release-assets for GitHub Release uploads, and adds trigger-apt-repo job to dispatch apt repository updates with computed package metadata.

Cohort: Build Infrastructure
File(s): Makefile
Summary: Expands PHONY targets with deb, deb-deps, deb-install, and deb-clean targets, each delegating to scripts/build-deb.sh with appropriate flags for dependency installation, package building, installation, and cleanup.

Cohort: Packaging Configuration
File(s): .gitignore, MANIFEST.in
Summary: Adds Debian build artifact patterns (debian/, .deb, .buildinfo, .changes); replaces LLM Python source includes with cortex/i18n/locales YAML file inclusion.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub as GitHub (Release Event)
    participant BuildPy as build-python Job
    participant BuildDeb as build-deb Job (Matrix)
    participant Artifacts as Artifact Storage
    participant Upload as upload-release-assets Job
    participant GHRelease as GitHub Release
    participant AptRepo as trigger-apt-repo Job
    participant AptRepoService as cortexlinux/apt-repo

    GitHub->>BuildPy: trigger on release
    GitHub->>BuildDeb: trigger on release (multi-arch)
    BuildPy->>Artifacts: upload python-dist/
    BuildDeb->>Artifacts: upload deb-amd64/, deb-arm64/
    Upload->>Artifacts: download all artifacts
    Upload->>GHRelease: upload python-dist/*, deb-*/*.deb
    Upload->>AptRepo: signal completion
    AptRepo->>Artifacts: download deb artifacts
    AptRepo->>AptRepo: compute package metadata
    AptRepo->>AptRepoService: dispatch add-packages event with payload
    AptRepoService->>AptRepoService: update apt repository

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 Hop, hop, the packages now build so bright,
Debian's grip holds both .deb and Python tight,
From apt-repo springs forth with automated care,
Release workflows dance through the CI air!

🚥 Pre-merge checks | ✅ 1 | ❌ 2
❌ Failed checks (2 warnings)
Check name: Description check
Status: ⚠️ Warning
Explanation: The PR description is missing required sections: no 'Related Issue' field, no 'AI Disclosure' checkbox selection, and no completion of the 'Checklist' items as specified in the template.
Resolution: Add the 'Closes #' issue reference, select an AI Disclosure option with a checkbox, and complete all checklist items (PR title format, test status, MVP label if applicable, and 'Cortex -h' update if needed).

Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (1 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title clearly and concisely summarizes the main change: adding Debian package infrastructure, which is the primary focus of all file modifications in this PR.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces Debian packaging for the project, which is a great addition for distribution and installation on Debian-based systems. The changes include a complete debian/ directory with control files, build rules, and maintainer scripts for two packages: cortex-linux (the Python CLI) and cortexd (the C++ daemon). My review focuses on improving the maintainability and safety of these packaging scripts. I've identified a few areas for improvement: using CMake's configure_file to avoid sed in the rules file, removing duplicated logic in post-installation scripts, and addressing a potentially destructive command in the post-removal script.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 7

🤖 Fix all issues with AI agents
In @.github/workflows/build-deb.yml:
- Around line 117-123: The workflow step named "Upload to GitHub Release" uses
softprops/action-gh-release@v1 which is outdated; update the action reference to
softprops/action-gh-release@v2 (replace "@v1" with "@v2" in the uses field for
that step), keep the existing inputs (files: dist/*.deb) and GITHUB_TOKEN env,
and verify any v2-specific input or permission requirements in the action docs
and adjust the step accordingly.
- Around line 72-83: The heredoc that writes debian/changelog in the "Update
changelog version (if manual)" step preserves leading indentation, causing
whitespace issues; change the heredoc to use a stripped form (use <<- EOF) or
unindent the heredoc body so lines start at column 0, e.g., replace cat >
debian/changelog << EOF and the indented block with either cat >
debian/changelog <<- EOF and keep the indented content (tabs only) or remove
leading spaces from the heredoc content so the generated changelog has no extra
indentation; ensure the VERSION variable usage and the closing EOF remain
correct.
- Around line 55-70: The heredoc used in the "Update changelog version (if
release)" step (cat > debian/changelog << EOF) is indented, which will insert
leading spaces and break the Debian changelog format; fix by switching to a
non-indented heredoc body so package name and entries start at column 1 and
change lines have exactly one leading space (or use a tab-stripping heredoc
marker <<-EOF and ensure only tabs are used for indentation), keeping the same
variables (VERSION and github.event.release.tag_name) and preserving the release
date line with $(date -R).

In `@debian/control`:
- Around line 23-46: Update the Debian control Depends list to use the official
NVML bindings package: replace the obsolete python3-nvidia-ml-py entry with
python3-pynvml in the Depends stanza (the block that currently lists
python3-psutil, python3-nvidia-ml-py, etc.), leaving python3-dotenv and the
other dependencies unchanged; ensure the modified package name appears exactly
as python3-pynvml.

In `@debian/cortexd.postinst`:
- Around line 7-10: The postinst currently creates /run/cortex directly but /run
is tmpfs and will be cleared on reboot; instead add a tmpfiles.d entry or use
systemd RuntimeDirectory to ensure /run/cortex is recreated at boot. Either add
a debian/cortexd.tmpfiles file containing a tmpfiles.d directive for /run/cortex
and add it to debian/cortexd.install so it is installed to
usr/lib/tmpfiles.d/cortexd.conf, or set RuntimeDirectory=cortex in your service
unit file (the systemd unit that manages cortexd) so systemd creates /run/cortex
automatically; remove the mkdir/chmod from debian/cortexd.postinst once you
implement one of these options.

In `@debian/cortexd.postrm`:
- Around line 5-19: In the purge) block of debian/cortexd.postrm do not rm -rf
the shared directories (/var/lib/cortex and /etc/cortex); instead only remove
cortexd-specific files (e.g. /etc/cortex/cortexd.yaml and any files/dirs
namespaced for cortexd under /var/lib/cortex such as /var/lib/cortex/cortexd or
files matching cortexd-*) and avoid deleting the parent shared directories;
locate the purge) case in debian/cortexd.postrm and replace the broad rm -rf
commands with targeted removals, optionally guarding with a check for presence
of cortex-linux via dpkg-query or by testing for other packages' files before
deleting shared dirs, while keeping the systemctl daemon-reload logic.

In `@debian/source/format`:
- Line 1: Change the Debian source format or the changelog version to make them
consistent: either update debian/source/format from "3.0 (native)" to "3.0
(quilt)" if you intend to keep the changelog version "0.1.0-1", or keep "3.0
(native)" and edit the changelog entry version (the version string in
debian/changelog, currently "0.1.0-1") to remove the Debian revision and use
"0.1.0"; locate and update the file containing debian/source/format or the
debian/changelog entry respectively (referencing the "debian/source/format" file
and the version string in debian/changelog).
🧹 Nitpick comments (6)
debian/compat (1)

1-1: Consider using debhelper-compat in debian/control instead.

The separate debian/compat file is a legacy approach. Modern Debian packaging (debhelper ≥ 10) recommends specifying the compat level via Build-Depends in debian/control:

Build-Depends: debhelper-compat (= 13), ...

This eliminates the need for a separate file and keeps all build dependencies in one place. The current approach is still functional.

debian/copyright (1)

30-30: Consider specifying an exact Change Date.

The BUSL-1.1 typically requires a specific date (e.g., "2030-01-21") rather than a relative phrase like "Four years from the date the Licensed Work is published." An exact date provides clarity for users about when the license converts to Apache 2.0.

.github/workflows/build-deb.yml (1)

105-108: Consider failing the build on critical lintian errors.

Currently, lintian runs but all errors are suppressed with || true. Consider filtering to fail only on errors (E:) while allowing warnings (W:) to pass:

♻️ Optional: Fail on lintian errors only
       - name: Run lintian checks
         run: |
-          # Run lintian but don't fail on warnings
-          lintian dist/*.deb --no-tag-display-limit || true
+          # Run lintian, fail only on errors
+          lintian dist/*.deb --no-tag-display-limit --fail-on error
debian/cortexd.postinst (2)

13-16: Consider using a dedicated system user for the daemon.

The state directory /var/lib/cortex is created with mode 750 but owned by root. If cortexd runs as root, this works, but running daemons as root is generally discouraged for security.

Consider creating a dedicated cortex system user/group and setting ownership accordingly:

Suggested improvement
+        # Create system user if it doesn't exist
+        if ! getent passwd cortex >/dev/null; then
+            adduser --system --group --no-create-home --home /var/lib/cortex cortex
+        fi
+
         # Create state directory
         if [ ! -d /var/lib/cortex ]; then
             mkdir -p /var/lib/cortex
             chmod 750 /var/lib/cortex
+            chown cortex:cortex /var/lib/cortex
         fi
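
Review bot: The added chown sits inside the "if [ ! -d /var/lib/cortex ]" block, so on a host where the directory already exists (for example an upgrade from a build that created it as root) ownership is never changed and a daemon running as User=cortex cannot write its state. Move "chown cortex:cortex /var/lib/cortex" and the "chmod 750" outside the existence check so every configure run enforces owner and mode.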

This requires corresponding changes to the systemd service (User=cortex, Group=cortex).


24-30: Config copy logic looks correct, but consider using ucf for config management.

The current approach correctly preserves user modifications by only copying when no config exists. For more robust config file management in Debian packages (handling upgrades, prompting users about changes), consider using ucf (Update Configuration File):

This is optional—the current implementation is functional for an initial release.

debian/rules (1)

27-36: Consider adding error handling for improved defensive programming.

The systemd service file at daemon/systemd/cortexd.service exists in the repository. However, adding a check before the sed command would improve robustness in case the file is accidentally removed or the path changes:

 override_dh_auto_install:
 	# Install Python package
 	dh_auto_install --buildsystem=pybuild
 	# Install C++ daemon
 	$(MAKE) -C daemon/build DESTDIR=$(CURDIR)/debian/cortexd install
 	# Fix systemd service path (use /usr/bin instead of /usr/local/bin)
+	test -f daemon/systemd/cortexd.service || { echo "Error: daemon/systemd/cortexd.service not found"; exit 1; }
 	mkdir -p $(CURDIR)/debian/cortexd/lib/systemd/system
 	sed 's|/usr/local/bin/cortexd|/usr/bin/cortexd|g' \
 		daemon/systemd/cortexd.service > \
 		$(CURDIR)/debian/cortexd/lib/systemd/system/cortexd.service
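
Review bot: The new "test -f" guard runs after "$(MAKE) -C daemon/build ... install" and prints its error to stdout, so a missing unit file is only reported once the daemon is already staged and the message can get lost in build output. Put the check at the top of override_dh_auto_install and send the message to stderr with ">&2". Note that sed on a missing input already exits non-zero and fails the recipe, so the guard improves the message rather than the outcome.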

github-actions bot commented Jan 21, 2026

CLA Verification Passed

All contributors have signed the CLA.

Contributor Signed As
@Anshgrover23 @Anshgrover23

@Anshgrover23 Anshgrover23 force-pushed the feat/debian-packaging branch from c93330c to 854db7f Compare January 21, 2026 16:17
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 6

🤖 Fix all issues with AI agents
In @.github/workflows/release.yml:
- Around line 140-150: The trigger-apt-repo job currently inherits default token
permissions; add an explicit permissions block on the trigger-apt-repo job (job
name: trigger-apt-repo) to restrict the GITHUB_TOKEN to read-only scopes — e.g.,
set contents: read and packages: read (and actions: read if the job interacts
with actions/artifacts) — so the workflow uses minimal privileges instead of the
default token permissions.
- Around line 83-90: The Prepare artifacts step currently uses a single mv
command (mv dist/*.deb output/cortex-linux_${VERSION}_${{ matrix.codename
}}_${ARCH}.deb) which assumes one .deb and always appends ${ARCH}, causing
overwrites and mislabeling of architecture-independent packages; change this to
iterate over each file in dist/*.deb, parse the original package base name and
architecture (preserving *_all.deb as arch "all" and keeping the package name
like cortex-linux or cortexd), and move/rename each file to output/, including
${VERSION} and ${{ matrix.codename }} but using the package-specific arch
extracted from the filename instead of the global ARCH variable so multiple .deb
outputs are handled safely and arch-independent packages are labeled correctly.

In `@debian/links`:
- Line 1: The global symlink in debian/links ("opt/venvs/cortex-linux/bin/cortex
usr/bin/cortex") will be applied to all binary packages and cause dpkg conflicts
(e.g., cortexd also shipping /usr/bin/cortex); move that single line out of
debian/links and into a package-scoped file named debian/cortex-linux.links
containing the same symlink entry so only the cortex-linux package creates
/usr/bin/cortex.

In `@debian/rules`:
- Around line 35-36: The override_dh_shlibdeps target currently calls
dh_shlibdeps with -l$(VENV_DIR)/lib which points at the host venv; change it to
reference the staged venv that dh_virtualenv creates so dh_shlibdeps scans the
staged libraries (e.g., replace the argument to dh_shlibdeps to point at the
debian-staged venv path under debian/<package>/$(VENV_DIR)/lib). Update the line
in override_dh_shlibdeps (where dh_shlibdeps is invoked) to use the staged venv
path instead of the host path so compiled deps like
cryptography/psutil/nvidia-ml-py are detected.

In `@Makefile`:
- Around line 53-62: The deb-install target only installs cortex-linux_*.deb
while the deb target builds both cortex-linux and cortexd, causing the daemon
package to be skipped; update the deb-install target to install all produced
.deb artifacts (e.g., use a glob like dist/*.deb or explicitly include
cortexd_*.deb) or change deb to only build the CLI and add a separate target for
the daemon, and ensure the install command (in target deb-install) and its
error-handling fallback (sudo apt-get install -f -y) cover every produced .deb
artifact instead of only cortex-linux_*.deb.

In `@scripts/build-deb.sh`:
- Line 5: The script currently uses "set -e" but the version parsing pipeline
("grep ... | sed ...") can silently produce empty/wrong VERSION; enable strict
pipe failure by adding "set -o pipefail" near the top (so the existing set -e +
pipefail will abort on pipe errors), then after the grep|sed pipeline that
extracts the version (the pipeline referenced in lines 103–112), validate the
extracted variable (e.g., VERSION) is non-empty and matches the expected semver
pattern; if validation fails, print a clear error and exit non-zero to fail fast
and avoid rewriting debian/changelog with an empty value.
🧹 Nitpick comments (2)
debian/postrm (1)

4-6: Make the postrm script package-specific to avoid cross-package side effects.

Line 4–5 remove /opt/venvs/cortex-linux, which is specific to cortex-linux. For multi-binary packages, use debian/cortex-linux.postrm to ensure this never runs for cortexd if scripts change later.

.github/workflows/release.yml (1)

126-133: Upgrade softprops/action-gh-release to v2 to resolve Node.js deprecation warning.

@v1 uses Node 16, which is deprecated. Actionlint flags this, and upgrading to @v2 (which uses Node 20) resolves the warning.

🔧 Proposed update
-      - name: Upload to GitHub Release
-        uses: softprops/action-gh-release@v1
+      - name: Upload to GitHub Release
+        uses: softprops/action-gh-release@v2
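
Review bot: The replacement line "uses: softprops/action-gh-release@v2" still references a mutable tag, and this step publishes release assets with GITHUB_TOKEN, so whatever the tag points to at run time executes with that access. Pin the action to the full commit SHA of the v2 release that was reviewed and keep the tag name as a trailing comment.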

Comment on lines 140 to 152

  trigger-apt-repo:
    needs: upload-release-assets
    runs-on: ubuntu-latest
    if: github.event_name == 'release'
    steps:
      - name: Download deb artifacts
        uses: actions/download-artifact@v4
        with:
          pattern: deb-*
          path: release/
          merge-multiple: true

⚠️ Potential issue | 🟠 Major

Add explicit permissions to trigger-apt-repo.

The job currently inherits default token permissions. To minimize exposure, set explicit read-only permissions (the PAT is used for dispatch).

🔒 Suggested permissions block
   trigger-apt-repo:
     needs: upload-release-assets
     runs-on: ubuntu-latest
     if: github.event_name == 'release'
+    permissions:
+      contents: read
+      actions: read
     steps:
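
Review bot: The added permissions block narrows only the GITHUB_TOKEN; the dispatch in this job uses the APT_REPO_PAT secret named in the PR notes, which keeps whatever access it was issued with. Alongside "contents: read" and "actions: read", issue that PAT as a fine-grained token limited to cortexlinux/apt-repo and expose it only to the dispatch step, not to the artifact download step.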
🤖 Prompt for AI Agents
In @.github/workflows/release.yml around lines 140 - 150, The trigger-apt-repo
job currently inherits default token permissions; add an explicit permissions
block on the trigger-apt-repo job (job name: trigger-apt-repo) to restrict the
GITHUB_TOKEN to read-only scopes — e.g., set contents: read and packages: read
(and actions: read if the job interacts with actions/artifacts) — so the
workflow uses minimal privileges instead of the default token permissions.

@@ -0,0 +1 @@
opt/venvs/cortex-linux/bin/cortex usr/bin/cortex

⚠️ Potential issue | 🔴 Critical

Scope the symlink to cortex-linux to avoid package file conflicts.

Line 1 in debian/links will be applied to all binary packages, so cortexd will also ship /usr/bin/cortex, causing a dpkg conflict if both packages are installed. Move this to a package-specific links file.

🔧 Proposed fix
- opt/venvs/cortex-linux/bin/cortex usr/bin/cortex

Create a new file: debian/cortex-linux.links with:

opt/venvs/cortex-linux/bin/cortex usr/bin/cortex
🤖 Prompt for AI Agents
In `@debian/links` at line 1, The global symlink in debian/links
("opt/venvs/cortex-linux/bin/cortex usr/bin/cortex") will be applied to all
binary packages and cause dpkg conflicts (e.g., cortexd also shipping
/usr/bin/cortex); move that single line out of debian/links and into a
package-scoped file named debian/cortex-linux.links containing the same symlink
entry so only the cortex-linux package creates /usr/bin/cortex.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/release.yml:
- Around line 114-133: Update the GitHub Action step titled "Upload to GitHub
Release": change the uses reference for softprops/action-gh-release from `@v1` to
`@v2` so the workflow runs on Node.js-20; locate the step with the uses:
softprops/action-gh-release@v1 line and replace it with
softprops/action-gh-release@v2, keeping the existing with/files and
env/GITHUB_TOKEN configuration intact.
♻️ Duplicate comments (1)
.github/workflows/release.yml (1)

83-90: Artifact renaming still assumes a single .deb and forces ARCH.
This is the same issue flagged previously: it can overwrite multiple packages and mislabel *_all.deb. Please switch to per‑file renaming that preserves package name and arch.
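
The per-file renaming requested in the review above, sketched as an added example (not code from this PR). It takes package name, version and architecture from each Debian file name instead of a global ARCH, and refuses to overwrite an existing target. The function names, the codenames and the empty placeholder .deb files are constructed for illustration.

```bash
#!/bin/sh
# Added example: stage every built .deb under a codename-qualified name.
set -eu

# deb_target_name FILE CODENAME
# Prints NAME_VERSION_CODENAME_ARCH.deb. All three fields come from the
# Debian file name (name_version_arch.deb), so *_all.deb stays "all".
deb_target_name() (
    base=${1##*/}
    codename=$2
    case $base in *.deb) base=${base%.deb} ;; *) exit 1 ;; esac
    # Exactly two underscores: package names and versions never contain '_'.
    case $base in *_*_*_*) exit 1 ;; *_*_*) ;; *) exit 1 ;; esac
    name=${base%%_*}
    rest=${base#*_}
    version=${rest%%_*}
    arch=${rest#*_}
    # Reject empty fields and characters outside what each field may hold.
    case $name in ''|*[!a-z0-9+.-]*) exit 1 ;; esac
    case $version in ''|*[!A-Za-z0-9.+~-]*) exit 1 ;; esac
    case $arch in ''|*[!a-z0-9-]*) exit 1 ;; esac
    case $codename in ''|*[!a-z0-9]*) exit 1 ;; esac
    printf '%s_%s_%s_%s.deb\n' "$name" "$version" "$codename" "$arch"
)

# stage_debs SRC_DIR OUT_DIR CODENAME
# Moves each SRC_DIR/*.deb to OUT_DIR under its computed name and prints
# how many files were staged. Fails on odd names, collisions, or no input.
stage_debs() (
    src=$1 out=$2 codename=$3 count=0
    mkdir -p -- "$out" || exit 1
    for f in "$src"/*.deb; do
        [ -e "$f" ] || continue   # an unmatched glob stays literal
        target=$(deb_target_name "$f" "$codename") || {
            echo "unexpected package file name: $f" >&2
            exit 1
        }
        if [ -e "$out/$target" ]; then
            echo "refusing to overwrite $out/$target" >&2
            exit 1
        fi
        mv -- "$f" "$out/$target" || exit 1
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no .deb files in $src" >&2; exit 1; }
    echo "$count"
)

# Demo on constructed, empty placeholder files.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/dist"
: > "$demo_dir/dist/cortex-linux_0.1.0_all.deb"
: > "$demo_dir/dist/cortexd_0.1.0_amd64.deb"
stage_debs "$demo_dir/dist" "$demo_dir/output" noble >/dev/null
ls "$demo_dir/output"
rm -rf "$demo_dir"
```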

@Anshgrover23 Anshgrover23 force-pushed the feat/debian-packaging branch from 374f08d to 3b10310 Compare January 21, 2026 17:29
- Modified Makefile to install any .deb package instead of a specific one.
- Updated MANIFEST.in to include YAML files for localization.
- Enhanced GitHub Actions workflow for building .deb packages with improved architecture handling.
- Changed package architecture from 'all' to 'any' in debian/control for better compatibility.
- Added post-remove script to clean up virtual environments on package purge.
- Adjusted build script to handle version extraction more robustly and ensure proper error handling.
- Updated dependency handling in debian/rules for correct library paths.
@sonarqubecloud

Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.github/workflows/release.yml:
- Around line 54-66: The workflow currently sets VERSION from
github.event.release.tag_name or by grepping pyproject.toml but doesn’t validate
it; update the release step to robustly extract and validate VERSION: when
reading RELEASE tag (github.event.release.tag_name) strip any leading "v" into
VERSION and validate against a semantic-version regex, and when falling back to
pyproject.toml parse the file reliably (e.g., using a small python/toml parse)
to populate VERSION; if VERSION is empty or fails the regex, fail the job with a
clear error instead of proceeding; finally, use the validated VERSION in the sed
replacement that updates debian/changelog (the sed -i "s/cortex-linux
([^)]*)/cortex-linux ($VERSION)/" line).
♻️ Duplicate comments (1)
scripts/build-deb.sh (1)

113-118: Harden version parsing to the [project] section.
grep/sed can capture the wrong version (e.g., tool sections), leading to a wrong changelog and package version.

✅ Suggested fix
-# Get version from pyproject.toml
-VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/' || true)
-if [[ -z "${VERSION:-}" ]]; then
-    echo "Error: Could not extract version from pyproject.toml" >&2
-    exit 1
-fi
+# Get version from pyproject.toml (from [project] block)
+VERSION=$(
+  awk '
+    /^\[project\]/{in_proj=1; next}
+    /^\[/{in_proj=0}
+    in_proj && $0 ~ /^version[[:space:]]*=/ {
+      if (match($0, /"([^"]+)"/, m)) { print m[1]; exit }
+    }
+  ' pyproject.toml
+)
+if [[ -z "${VERSION:-}" ]]; then
+  echo "Error: version not found in [project] section of pyproject.toml" >&2
+  exit 1
+fi
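
Review bot: The three-argument form "match($0, /"([^"]+)"/, m)" in the added awk program is a gawk extension; under mawk or busybox awk it is a syntax error, VERSION comes back empty and the script exits on every build. Either add gawk to the build dependencies and call it by name, or extract the value with sub() so any POSIX awk works. The remaining "-z" test only rejects an empty string, so also check the value against the expected version pattern before it is written into debian/changelog.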

Comment on lines +54 to +66

      - name: Update changelog for release
        run: |
          # Get version from tag or pyproject.toml
          if [ -n "${{ github.event.release.tag_name }}" ]; then
            VERSION="${{ github.event.release.tag_name }}"
            VERSION="${VERSION#v}"  # Remove 'v' prefix if present
          else
            VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
          fi
          # Update changelog version
          sed -i "s/cortex-linux ([^)]*)/cortex-linux ($VERSION)/" debian/changelog

⚠️ Potential issue | 🟠 Major

Add robust version extraction + validation in release workflow.
The current grep/sed can return empty or wrong VERSION, leading to a malformed changelog and bad package versioning during releases.

✅ Suggested fix
       - name: Update changelog for release
         run: |
+          set -euo pipefail
           # Get version from tag or pyproject.toml
           if [ -n "${{ github.event.release.tag_name }}" ]; then
             VERSION="${{ github.event.release.tag_name }}"
             VERSION="${VERSION#v}"  # Remove 'v' prefix if present
           else
-            VERSION=$(grep '^version = ' pyproject.toml | sed 's/version = "\(.*\)"/\1/')
+            VERSION=$(
+              awk '
+                /^\[project\]/{in_proj=1; next}
+                /^\[/{in_proj=0}
+                in_proj && $0 ~ /^version[[:space:]]*=/ {
+                  if (match($0, /"([^"]+)"/, m)) { print m[1]; exit }
+                }
+              ' pyproject.toml
+            )
           fi
+          if [ -z "${VERSION:-}" ]; then
+            echo "Error: version not found in [project] section of pyproject.toml" >&2
+            exit 1
+          fi
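
Review bot: The context lines that still read VERSION="${{ github.event.release.tag_name }}" paste the tag name into the script text before the shell runs, so a tag containing quotes or command substitution is executed as shell code, and "set -euo pipefail" does nothing about that. Pass the tag through the step's env block (for example TAG_NAME) and read "$TAG_NAME" in the script. The added "-z" test accepts any non-empty string, so also validate VERSION against a version pattern before it reaches the sed expression that rewrites debian/changelog.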
🤖 Prompt for AI Agents
In @.github/workflows/release.yml around lines 54 - 66, The workflow currently
sets VERSION from github.event.release.tag_name or by grepping pyproject.toml
but doesn’t validate it; update the release step to robustly extract and
validate VERSION: when reading RELEASE tag (github.event.release.tag_name) strip
any leading "v" into VERSION and validate against a semantic-version regex, and
when falling back to pyproject.toml parse the file reliably (e.g., using a small
python/toml parse) to populate VERSION; if VERSION is empty or fails the regex,
fail the job with a clear error instead of proceeding; finally, use the
validated VERSION in the sed replacement that updates debian/changelog (the sed
-i "s/cortex-linux ([^)]*)/cortex-linux ($VERSION)/" line).
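
The extraction and validation this review asks for, as an added example (not code from this PR): it reads version only from the [project] table using plain POSIX awk, and rejects any tag or file value that is not version-shaped before it could reach the changelog sed. The function names, the accepted version pattern, the [tool.example] table and the sample pyproject.toml content are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: take the release version from a tag or from the [project]
# table of pyproject.toml, and validate it before anything else uses it.
set -eu

# project_version FILE
# Prints the double-quoted version value of the [project] table only.
# Uses sub() instead of gawk's three-argument match(), so mawk works too.
project_version() (
    version=$(awk '
        /^\[project\][ \t]*$/ { in_proj = 1; next }
        /^\[/                 { in_proj = 0 }
        in_proj && /^version[ \t]*=/ {
            v = $0
            sub(/^version[ \t]*=[ \t]*"/, "", v)
            sub(/".*$/, "", v)
            print v
            exit
        }
    ' "$1") || exit 1
    [ -n "$version" ] || {
        echo "Error: version not found in [project] section of $1" >&2
        exit 1
    }
    printf '%s\n' "$version"
)

# valid_version STRING
# Accepts MAJOR.MINOR.PATCH with an optional suffix such as -1 or ~rc1.
# The first test rejects whitespace, newlines, '/', '(' and ')' outright,
# i.e. everything that would change the meaning of the sed expression.
valid_version() {
    case $1 in ''|*[!0-9A-Za-z.+~-]*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+([.+~-][0-9A-Za-z.+~-]*)?$'
}

# release_version TAG FILE
# TAG is expected to arrive through an environment variable, not through
# ${{ }} interpolation into the script text. Empty TAG falls back to FILE.
release_version() (
    tag=$1 file=$2
    if [ -n "$tag" ]; then
        version=${tag#v}
    else
        version=$(project_version "$file") || exit 1
    fi
    valid_version "$version" || {
        echo "Error: refusing unexpected version string" >&2
        exit 1
    }
    printf '%s\n' "$version"
)

# Demo on a constructed pyproject.toml with a decoy version in another table.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[tool.example]
version = "9.9.9"

[project]
name = "cortex-linux"
version = "0.1.0"
EOF
release_version "" "$demo"
rm -f "$demo"
```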
