23 commits
404b8d0
part1
divanshu-go Jan 7, 2026
241576a
part2
divanshu-go Jan 7, 2026
c211b2d
part3
Jan 8, 2026
5aea666
part4
Jan 9, 2026
4e631aa
part5
Jan 10, 2026
82ebb7a
part6
Jan 11, 2026
72f6fd6
Refactor Makefile and scripts for improved build process
Jan 11, 2026
d1e1a2c
Enhance GitHub Actions workflow for ISO and branding package builds
Jan 11, 2026
aac8af0
Update GitHub Actions workflow to enhance dependency management and s…
Jan 11, 2026
2882c18
Update GitHub Actions workflow to include 'make' in dependency instal…
Jan 11, 2026
922ee06
Disable Cortex APT repository configuration in the chroot hook until …
Jan 11, 2026
b304e3c
Update Cortex GRUB theme for improved aesthetics and layout
Jan 11, 2026
e8211b8
Refactor GitHub Actions workflow to optimize ISO build process
Jan 11, 2026
b071385
Enhance GitHub Actions workflow with additional disk cleanup steps
Jan 11, 2026
3b68a92
Refactor Makefile and GitHub Actions workflow for streamlined ISO bui…
Jan 12, 2026
13953b2
Refactor preseed files and provisioning script for Cortex Linux
Jan 12, 2026
aa34a92
Refactor Cortex Linux documentation and build scripts
Jan 12, 2026
070ed6b
Enhance build scripts and workflows with compression options
Jan 12, 2026
26cc7f5
Update compression variable in build scripts for consistency
Jan 12, 2026
c9c502b
Add GRUB theme copying to build scripts
Jan 12, 2026
09eede1
Remove reproducible builds workflow from GitHub Actions
Jan 12, 2026
6564a1a
Add Cortex terminal profile and PAM configurations
Jan 12, 2026
79c2cda
Enhance Plymouth theme configuration and initramfs update process
Jan 14, 2026
272 changes: 174 additions & 98 deletions .github/workflows/build-iso.yml
Expand Up @@ -11,188 +11,264 @@ on:
tags: ['v*']
paths:
- 'iso/**'
- 'branding/**'
- 'packages/**'
- 'scripts/**'
- 'Makefile'
- '.github/workflows/build-iso.yml'
pull_request:
branches: [main]
paths:
- 'iso/**'
- 'branding/**'
- 'packages/**'
- 'scripts/**'
- 'Makefile'
workflow_dispatch:
Comment on lines 19 to 27

⚠️ Potential issue | 🟠 Major

PR path filter omits the workflow file, so CI won’t run when only the workflow changes.

Push includes .github/workflows/build-iso.yml (Line 18) but pull_request does not (Lines 21-27).

Proposed fix
   pull_request:
     branches: [main]
     paths:
       - 'iso/**'
       - 'branding/**'
       - 'packages/**'
       - 'scripts/**'
       - 'Makefile'
+      - '.github/workflows/build-iso.yml'
🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 19 - 27, The pull_request path
filter currently omits the workflow itself so PRs that only change
.github/workflows/build-iso.yml won’t trigger CI; update the pull_request: paths
list (the pull_request.paths key in the workflow) to include the workflow file
(for example add '.github/workflows/build-iso.yml' or a broader
'.github/workflows/**' pattern), or remove the paths filter entirely so workflow
changes trigger the workflow; edit the build-iso.yml to modify the
pull_request.paths entry accordingly.

inputs:
iso_type:
description: 'ISO type to build'
required: true
default: 'offline'
type: choice
options:
- netinst
- offline
- both

env:
DEBIAN_FRONTEND: noninteractive

jobs:
build-packages:
name: Build Debian Packages
validate:
name: Validate
runs-on: ubuntu-24.04
container:
image: debian:bookworm
steps:
- name: Install git
run: |
apt-get update
apt-get install -y git sudo make shellcheck

- name: Checkout
uses: actions/checkout@v4

- name: Install build dependencies
run: |
sudo apt-get update
sudo apt-get install -y \
dpkg-dev \
devscripts \
debhelper \
fakeroot \
gnupg

- name: Build cortex-archive-keyring
run: |
cd packages/cortex-archive-keyring
dpkg-buildpackage -us -uc -b
- name: Run validation
run: make validate

- name: Build cortex-core
build-branding-package:
name: Build Branding Package
runs-on: ubuntu-24.04
container:
image: debian:bookworm
needs: validate
steps:
- name: Install dependencies
run: |
cd packages/cortex-core
dpkg-buildpackage -us -uc -b
apt-get update
apt-get install -y git dpkg-dev sudo imagemagick

- name: Build cortex-full
run: |
cd packages/cortex-full
dpkg-buildpackage -us -uc -b
- name: Checkout
uses: actions/checkout@v4

- name: Upload packages
- name: Build cortex-branding package
run: make branding-package

- name: Upload branding package
uses: actions/upload-artifact@v4
with:
name: debian-packages
path: packages/*.deb
name: cortex-branding
path: output/*.deb
retention-days: 7

build-iso:
name: Build ISO Image
runs-on: ubuntu-24.04
needs: build-packages
name: Build ISO (${{ matrix.arch }})
runs-on: ${{ matrix.runner }}
needs: [validate, build-branding-package]
strategy:
fail-fast: false
matrix:
arch: [amd64]
# arm64 builds require self-hosted runner with ARM
include:
- arch: amd64
runner: ubuntu-24.04
- arch: arm64
runner: ubuntu-24.04-arm
steps:
- name: Free disk space
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
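
Review bot: The `iso_type` choice input under `workflow_dispatch` (netinst / offline / both, `required: true`) is never read by any job shown in this diff, and the "Build in Debian container" step passes only `ARCH`, `SQUASHFS_COMP` and `DEBIAN_FRONTEND` into the container, so a manual run builds the same ISO whatever is selected. Either forward it (for example as an `-e ISO_TYPE=...` variable that `make iso` consumes) or drop the input. Separately, `container: image: debian:bookworm` in `validate` and `build-branding-package` is a moving tag; pinning the image by digest keeps the branding `.deb` that ends up in the release tied to a known base.
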
Comment on lines +88 to +97

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

jlumbroso/free-disk-space GitHub Action latest release version

💡 Result:

Latest release: v1.3.1 — released Oct 18, 2023. [1]

Sources
[1] jlumbroso/free-disk-space tags (v1.3.1).


Pin jlumbroso/free-disk-space to a stable version instead of @main.

Using @main exposes the build to supply chain risks—breaking changes or malicious commits could affect builds without notice. Pin to a stable release like v1.3.1:

Recommended change
      - name: Free disk space
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@v1.3.1
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Free disk space
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
- name: Free disk space
uses: jlumbroso/free-disk-space@v1.3.1
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: true
docker-images: true
swap-storage: true
🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 96 - 105, The workflow step
named "Free disk space" currently references the external action
jlumbroso/free-disk-space@main; change that reference to a fixed, published
version (e.g., jlumbroso/free-disk-space@v1.3.1) to avoid supply-chain risks,
updating the uses field in that step while leaving the existing with: inputs
unchanged.


- name: Additional cleanup
run: |
echo "=== Additional cleanup ==="
sudo rm -rf /home/runner/.rustup || true
sudo rm -rf /home/runner/.cargo || true
sudo rm -rf /usr/share/swift || true
sudo rm -rf /usr/lib/jvm || true
sudo rm -rf /usr/local/julia* || true
sudo rm -rf /usr/local/share/chromium || true
sudo rm -rf /usr/lib/google-cloud-sdk || true
sudo rm -rf /opt/hostedtoolcache/CodeQL || true
echo "=== Disk space after additional cleanup ==="
df -h

- name: Checkout
uses: actions/checkout@v4

- name: Download packages
- name: Download branding package
uses: actions/download-artifact@v4
with:
name: debian-packages
path: packages/

- name: Install live-build dependencies
run: |
sudo apt-get update
sudo apt-get install -y \
live-build \
debootstrap \
squashfs-tools \
xorriso \
isolinux \
syslinux-efi \
grub-pc-bin \
grub-efi-amd64-bin \
mtools \
dosfstools

- name: Configure live-build
run: |
cd iso/live-build
chmod +x auto/*
sudo lb config
name: cortex-branding
path: output/

- name: Copy packages to chroot
- name: Build in Debian container
run: |
mkdir -p iso/live-build/config/packages.chroot/
cp packages/*.deb iso/live-build/config/packages.chroot/
# Use xz compression for releases (smaller), lz4 for PR/branch builds (faster)
if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
COMPRESSION="xz"
else
COMPRESSION="lz4"
fi
docker run --rm --privileged \
-v "${{ github.workspace }}:/workspace" \
-w /workspace \
-e ARCH=${{ matrix.arch }} \
-e SQUASHFS_COMP=$COMPRESSION \
-e DEBIAN_FRONTEND=noninteractive \
debian:bookworm /bin/bash -c '
set -e
./scripts/install-deps.sh
make check-deps
make iso
'

- name: Build ISO
run: |
cd iso/live-build
sudo lb build 2>&1 | tee build.log

- name: Generate checksums
- name: List output
if: always()
run: |
cd iso/live-build
sha256sum *.iso > SHA256SUMS
sha512sum *.iso > SHA512SUMS
ls -la output/ || echo "No output directory"
ls -la build/ || echo "No build directory"

- name: Upload ISO
uses: actions/upload-artifact@v4
with:
name: cortex-linux-${{ matrix.arch }}
path: |
iso/live-build/*.iso
iso/live-build/SHA256SUMS
iso/live-build/SHA512SUMS
output/*.iso
output/*.sha256
retention-days: 14

- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom-${{ matrix.arch }}
path: output/sbom/
retention-days: 14
continue-on-error: true

- name: Upload build log
if: always()
uses: actions/upload-artifact@v4
with:
name: build-log-${{ matrix.arch }}
path: iso/live-build/build.log
path: build.log
retention-days: 7

test-iso:
name: Test ISO (${{ matrix.arch }})
runs-on: ${{ matrix.runner }}
needs: build-iso
strategy:
fail-fast: false
matrix:
include:
- arch: amd64
runner: ubuntu-24.04
- arch: arm64
runner: ubuntu-24.04-arm
steps:
- name: Download ISO
uses: actions/download-artifact@v4
with:
name: cortex-linux-${{ matrix.arch }}

- name: Verify checksums
run: |
ls -la
for iso in *.iso; do
if [ -f "${iso}.sha256" ]; then
sha256sum -c "${iso}.sha256"
fi
done
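
Review bot: In the "Build in Debian container" step, `[[ "${{ github.ref }}" == refs/tags/v* ]]` has the ref name substituted into the script text before bash parses it, so the ref becomes shell source rather than data; compare against the runner-provided variable instead, `if [[ "$GITHUB_REF" == refs/tags/v* ]]; then`. In the same step, `-e SQUASHFS_COMP=$COMPRESSION` should be quoted, and `docker run --rm --privileged` with the whole workspace mounted read-write runs on every trigger of this workflow, `pull_request` included, so it is worth documenting why full `--privileged` is needed or narrowing it. The "Upload build log" step now points at `build.log`, but nothing visible in the new build step writes that file.
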
Comment on lines +192 to +199

⚠️ Potential issue | 🟡 Minor

Checksum verification loop may silently pass when no checksums exist.

If no .sha256 files are present, the loop completes without error. Consider adding a check to ensure at least one checksum file was verified.

🔧 Proposed fix
      - name: Verify checksums
        run: |
          ls -la
+          verified=0
          for iso in *.iso; do
            if [ -f "${iso}.sha256" ]; then
              sha256sum -c "${iso}.sha256"
+              verified=$((verified + 1))
            fi
          done
+          if [ $verified -eq 0 ]; then
+            echo "WARNING: No checksum files found to verify"
+            exit 1
+          fi
📝 Committable suggestion

Suggested change
- name: Verify checksums
run: |
ls -la
for iso in *.iso; do
if [ -f "${iso}.sha256" ]; then
sha256sum -c "${iso}.sha256"
fi
done
- name: Verify checksums
run: |
ls -la
verified=0
for iso in *.iso; do
if [ -f "${iso}.sha256" ]; then
sha256sum -c "${iso}.sha256"
verified=$((verified + 1))
fi
done
if [ $verified -eq 0 ]; then
echo "WARNING: No checksum files found to verify"
exit 1
fi
🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 192 - 199, The Verify checksums
step's loop can exit silently if no .sha256 files exist; modify the shell block
in the "Verify checksums" step to detect whether any checksum files were found
and validated (e.g., set a counter or use nullglob to list *.sha256) and fail
the step if none were verified by exiting non-zero or printing an error; ensure
you still run sha256sum -c for each existing "${iso}.sha256" but after the loop
check the counter (or absence of matches) and call exit 1 with a clear message
if zero checksum files were processed.


- name: Check ISO structure
run: |
sudo apt-get update
sudo apt-get install -y xorriso
for iso in *.iso; do
echo "=== Checking $iso ==="
xorriso -indev "$iso" -find / -maxdepth 1 2>/dev/null | head -20
done

release:
name: Create Release
runs-on: ubuntu-24.04
needs: build-iso
needs: [build-iso, test-iso]
if: startsWith(github.ref, 'refs/tags/v')
permissions:
contents: write
steps:
- name: Download ISO artifacts
- name: Download all ISO artifacts
uses: actions/download-artifact@v4
with:
pattern: cortex-linux-*
merge-multiple: true
path: release/

- name: Download branding package
uses: actions/download-artifact@v4
with:
name: cortex-branding
path: release/

- name: Download packages
- name: Download SBOMs
uses: actions/download-artifact@v4
with:
name: debian-packages
pattern: sbom-*
merge-multiple: true
path: release/sbom/
continue-on-error: true

- name: Generate combined checksums
run: |
cd release
sha256sum *.iso *.deb > SHA256SUMS
sha512sum *.iso *.deb > SHA512SUMS
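
Review bot: The "Check ISO structure" step cannot fail on a bad image: in `xorriso -indev "$iso" -find / -maxdepth 1 2>/dev/null | head -20` the step's exit status comes from `head`, the step does not enable `pipefail`, and stderr is discarded, so `release` (which now has `needs: [build-iso, test-iso]`) is gated on a listing rather than a check. Add `set -o pipefail`, keep xorriso's stderr, and assert that the entries the installer depends on are present. The "Download SBOMs" step also has `continue-on-error: true`, so a tagged release can be published with an empty `release/sbom/` without any signal.
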
Comment on lines +240 to +243

⚠️ Potential issue | 🟡 Minor

Checksum generation may fail if no matching files exist.

If the build produces no .iso or .deb files, sha256sum and sha512sum will fail with "no input files". Consider adding a guard.

🔧 Proposed fix
      - name: Generate combined checksums
        run: |
          cd release
-          sha256sum *.iso *.deb > SHA256SUMS
-          sha512sum *.iso *.deb > SHA512SUMS
+          if ls *.iso *.deb 1>/dev/null 2>&1; then
+            sha256sum *.iso *.deb > SHA256SUMS
+            sha512sum *.iso *.deb > SHA512SUMS
+          else
+            echo "No ISO or DEB files found for checksumming"
+            exit 1
+          fi
🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 240 - 243, The checksum
commands can fail when no .iso or .deb files exist; update the workflow step
that runs sha256sum and sha512sum to first detect matching files (e.g., using a
glob check or find) and only run sha256sum *.iso *.deb and sha512sum *.iso *.deb
when the file list is non-empty, otherwise create empty/placeholder SHA256SUMS
and SHA512SUMS or skip generation; modify the shell block containing the
sha256sum and sha512sum invocations so it guards execution with a file-existence
check before calling those tools.


Comment on lines +239 to 244

⚠️ Potential issue | 🟡 Minor

Release checksum generation can fail on empty globs (Line 245–250).
If anything changes in naming/paths, sha256sum *.iso *.deb will error. Consider nullglob + explicit checks (or checksum everything under release/).

🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 245 - 250, The "Generate
combined checksums" step can fail when glob patterns match nothing; change the
run block to avoid bare globs by enabling nullglob (shopt -s nullglob) or by
building an explicit file list (e.g., files=(release/*.{iso,deb}) or use find)
and only run sha256sum/sha512sum when the list is non-empty; update the commands
that call sha256sum and sha512sum to use the guarded file array/variable so the
step exits successfully when there are no matches.

- name: Create Release
uses: softprops/action-gh-release@v1

⚠️ Potential issue | 🟡 Minor

Update to the latest version of softprops/action-gh-release.

The v1 tag uses an outdated runner version that may not work on GitHub Actions. Update to a more recent version (e.g., v2 or a specific commit SHA).

Based on the static analysis hint from actionlint.

📦 Proposed fix
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
📝 Committable suggestion

Suggested change
uses: softprops/action-gh-release@v1
uses: softprops/action-gh-release@v2
🧰 Tools
🪛 actionlint (1.7.10)

236-236: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml at line 236, The workflow currently pins the
GitHub Action as "softprops/action-gh-release@v1" which is outdated; update the
uses entry for softprops/action-gh-release to a newer release (e.g., "@v2" or a
specific commit SHA) to ensure compatibility with current runners and satisfy
actionlint; locate the "uses: softprops/action-gh-release@v1" line in the
workflow and replace the version tag with the chosen newer tag or SHA, then run
the workflow lint/CI to verify the change.

Comment on lines 245 to 246

⚠️ Potential issue | 🟡 Minor

Update softprops/action-gh-release to a newer version.

The static analysis tool indicates that @v1 is too old to run on current GitHub Actions runners. This could cause failures or deprecated behavior warnings.

🔧 Update to v2
      - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        with:
          files: |
📝 Committable suggestion

Suggested change
- name: Create Release
uses: softprops/action-gh-release@v1
- name: Create Release
uses: softprops/action-gh-release@v2
🧰 Tools
🪛 actionlint (1.7.10)

260-260: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 259 - 260, The workflow's
"Create Release" step uses the outdated action reference
softprops/action-gh-release@v1 which may fail on modern runners; update the uses
entry to the newer major version (e.g., softprops/action-gh-release@v2) in the
Create Release job so the workflow pulls the updated action release instead of
@v1.

with:
files: |
*.iso
*.deb
SHA256SUMS
SHA512SUMS
release/*.iso
release/*.deb
release/SHA256SUMS
release/SHA512SUMS
release/sbom/*
Comment on lines 245 to +253

⚠️ Potential issue | 🟡 Minor

Update softprops/action-gh-release to v2.

Static analysis indicates @v1 is too old for current GitHub Actions runners. The action should be updated to v2 for compatibility and continued support.

Suggested fix
       - name: Create Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           files: |
📝 Committable suggestion

Suggested change
- name: Create Release
uses: softprops/action-gh-release@v1
with:
files: |
*.iso
*.deb
SHA256SUMS
SHA512SUMS
release/*.iso
release/*.deb
release/SHA256SUMS
release/SHA512SUMS
release/sbom/*
- name: Create Release
uses: softprops/action-gh-release@v2
with:
files: |
release/*.iso
release/*.deb
release/SHA256SUMS
release/SHA512SUMS
release/sbom/*
🧰 Tools
🪛 actionlint (1.7.10)

246-246: the runner of "softprops/action-gh-release@v1" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In @.github/workflows/build-iso.yml around lines 245 - 253, The workflow is
using the outdated softprops/action-gh-release@v1 action which is incompatible
with newer runners; update the uses entry to softprops/action-gh-release@v2
(replace "softprops/action-gh-release@v1" with "@v2") and ensure the existing
inputs (the multi-line files list: release/*.iso, release/*.deb,
release/SHA256SUMS, release/SHA512SUMS, release/sbom/*) remain unchanged and
still supported by v2; run a test pipeline to confirm the release step executes
successfully and adjust any v2-specific input names if the action's docs require
it.

body: |
## Cortex Linux ${{ github.ref_name }}

### Downloads
- **cortex-linux-*-amd64-offline.iso** - Full offline installer
- **cortex-linux-*-amd64-netinst.iso** - Minimal network installer
- **cortex-linux-*.iso** - Cortex Linux ISO
- **cortex-branding_*.deb** - Branding package

### Verification
```bash
sha256sum -c SHA256SUMS
```

### Quick Start
1. Write ISO to USB: `dd if=cortex-linux-*.iso of=/dev/sdX bs=4M status=progress`
1. Write ISO to USB: `sudo dd if=cortex-linux-*.iso of=/dev/sdX bs=4M status=progress oflag=sync`
2. Boot from USB
3. Follow installation prompts
3. Select "Live Boot" or "Install"

### Documentation
See https://cortexlinux.com/docs for full documentation.
See https://github.com/cortexlinux/cortex-distro for documentation.
draft: false
prerelease: ${{ contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'rc') }}
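
Review bot: The "Verification" section of the release body offers only `sha256sum -c SHA256SUMS`, and that file is generated in this same `release` job and published next to the ISOs, so it detects a corrupted download but says nothing about who produced the assets. No signing step is visible in the workflow; add one that produces a detached signature over `SHA256SUMS` and `SHA512SUMS` with a project release key, upload the signature under `files:`, and document the signature check in the body ahead of the checksum command. Also note that `prerelease:` uses `contains(github.ref, 'rc')` on the full ref, which matches any tag that merely contains those letters.
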