
Conversation

@mikejmorgan-ai (Member) commented Jan 16, 2026

Changes

  • Change Date: January 15, 2030 → January 15, 2032 (6 years instead of 4)
  • README: Updated badge from Apache 2.0 to BSL 1.1
  • SPDX headers: Updated all scripts to BUSL-1.1

Why

Per founder decision: 6-year conversion period provides longer commercial protection while still guaranteeing eventual open source release.

Verification

grep '2032' LICENSE
grep 'BSL' README.md

Summary by CodeRabbit

  • Chores
    • Project license updated from Apache 2.0 to BSL/BUSL 1.1 across docs and file headers.
    • CI/workflow reworked to a Debian-container based build, consolidated steps and reorganized artifact outputs.
    • Removed deprecated Debian debhelper compatibility files from packaging.
    • Refined ISO build defaults and package-list settings, including distribution target and bootloader/options.


@coderabbitai bot commented Jan 16, 2026

Warning

Rate limit exceeded

@mikejmorgan-ai has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 31 seconds before requesting another review.


📥 Commits

Reviewing files that changed from the base of the PR and between a3c4fbc and 3d59f26.

📒 Files selected for processing (1)
  • .github/workflows/build-iso.yml

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Updated repository license headers and README badge from Apache-2.0 to BUSL-1.1, removed multiple Debian debhelper compatibility files, simplified live-build config (codename and options), and significantly reworked the GitHub Actions CI to use Debian-container package and ISO builds with new artifact paths.

Changes

Cohort / File(s) | Summary

License Header & Docs
  README.md, iso/live-build/config/includes.chroot/usr/lib/cortex/firstboot.sh, repository/scripts/repo-manage.sh, sbom/generate-sbom.sh, scripts/build.sh, tests/verify-iso.sh, tests/verify-packages.sh, tests/verify-preseed.sh
  Replaced SPDX/license badge and header text from Apache-2.0 to BUSL-1.1; README badge/label updated. Purely metadata/text updates.

Debhelper compat removals
  packages/cortex-archive-keyring/debian/compat, packages/cortex-core/debian/compat, packages/cortex-full/debian/compat, packages/cortex-gpu-amd/debian/compat, packages/cortex-gpu-nvidia/debian/compat, packages/cortex-llm/debian/compat, packages/cortex-secops/debian/compat
  Deleted single-line debhelper compatibility files, removing explicit debhelper compatibility declarations from packaging metadata.

CI workflow rewrite
  .github/workflows/build-iso.yml
  Major restructuring: added scripts/** trigger, removed workflow_dispatch input, replaced per-package apt/dpkg steps with Docker-based Debian container builds, reworked ISO build into a Debian-container flow, added a disk-space step, changed artifact upload paths to output/*, and reorganized build/log steps and messages.

Live-build config simplification
  iso/live-build/auto/config, iso/live-build/auto/config/package-lists/*
  Changed distribution codename (trixie → bookworm), removed several live-build flags (bootloaders, updates, cache-stages, color/quiet/verbose, inline debootstrap options, image-name, initramfs-compression), and added package-lists with base.list.chroot containing core packages.

Sequence Diagram(s)

sequenceDiagram
    participant Repo as Repository (push/PR)
    participant GH as GitHub Actions
    participant Docker as Debian Container
    participant LB as live-build (inside container)
    participant Store as Artifact Storage

    Repo->>GH: push / PR (includes scripts/**)
    GH->>Docker: start Debian container, run package & ISO build steps
    Docker->>Docker: build packages (loop), copy packages into lb config
    Docker->>LB: run lb build (inside container)
    LB-->>Docker: produce .iso, SHA256/512, build-log
    Docker->>Store: upload output/*.iso, output/SHA*, output/build-log
    GH-->>Repo: workflow completes (artifacts available)

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through headers, swapped the old for new,
BUSL now waves where Apache once flew,
Compat crumbs gone, CI sails reset,
Live-build trimmed and tidy, no regret,
A little rabbit clap — repo refreshed and true!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title accurately describes the main change: updating the BSL license with a 6-year conversion period to January 2032, which is the primary focus across license headers, README, and documentation.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist bot commented

Summary of Changes

Hello @mikejmorgan-ai, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a strategic decision to extend the project's Business Source License (BSL) conversion period from four to six years. This change is reflected in the main LICENSE file, the README.md documentation, and ensures consistency across several script files by updating their SPDX headers. The primary goal is to enhance commercial protection while maintaining the commitment to eventual open-source availability.

Highlights

  • License Conversion Period Extended: The Business Source License (BSL) conversion date has been updated from January 15, 2030 (4 years from release) to January 15, 2032 (6 years from release), providing a longer commercial protection period.
  • README Updates: The README.md file has been updated to reflect the change in licensing, specifically updating the license badge from Apache 2.0 to BSL 1.1 and modifying the license declaration.
  • SPDX Header Alignment: Various script files across the repository have had their SPDX-License-Identifier headers updated from Apache-2.0 to BUSL-1.1 to align with the new licensing terms.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the project's license from Apache 2.0 to BSL 1.1, extending the open-source conversion period to 6 years. The changes correctly update the LICENSE file, the README.md badges and license section, and the SPDX license identifiers for numerous shell scripts.

The review identified one area for improvement within the changed files. Additionally, a related file that was not part of this pull request appears to have been missed during the update.

  • The SBOM generation script, sbom/generate-sbom.sh, has been updated with the correct SPDX header, but it still contains hardcoded references to the old Apache-2.0 license in the SBOM content it generates. This will lead to incorrect license information in the build artifacts.
  • The root Makefile still contains an SPDX-License-Identifier: Apache-2.0 header. To ensure consistency across the project, this should also be updated to BUSL-1.1.

Overall, the changes are in the right direction, but addressing these points will ensure the license update is complete and consistent across the entire repository.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
sbom/generate-sbom.sh (2)

40-40: Critical: SBOM contains incorrect license information.

The CycloneDX SBOM metadata still declares the license as Apache-2.0, which contradicts the actual BSL 1.1 license. This creates compliance and legal risks, as the SBOM is an authoritative source for license information.

🔧 Proposed fix
-      "licenses": [{"license": {"id": "Apache-2.0"}}]
+      "licenses": [{"license": {"id": "BUSL-1.1"}}]

66-67: Critical: SBOM contains incorrect license information.

The SPDX SBOM package metadata still declares the license as Apache-2.0 for both the main distribution and cortex-core package, which contradicts the actual BSL 1.1 license. This creates compliance and legal risks.

🔧 Proposed fix
-    {"SPDXID": "SPDXRef-cortex-linux", "name": "Cortex Linux", "versionInfo": "${VERSION}", "licenseConcluded": "Apache-2.0", "downloadLocation": "https://cortexlinux.com"},
-    {"SPDXID": "SPDXRef-cortex-core", "name": "cortex-core", "versionInfo": "${VERSION}", "licenseConcluded": "Apache-2.0", "downloadLocation": "https://repo.cortexlinux.com"},
+    {"SPDXID": "SPDXRef-cortex-linux", "name": "Cortex Linux", "versionInfo": "${VERSION}", "licenseConcluded": "BUSL-1.1", "downloadLocation": "https://cortexlinux.com"},
+    {"SPDXID": "SPDXRef-cortex-core", "name": "cortex-core", "versionInfo": "${VERSION}", "licenseConcluded": "BUSL-1.1", "downloadLocation": "https://repo.cortexlinux.com"},
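Review bot: both SBOM hunks put the new identifier in the right key for each format, but the SPDX entries only set `licenseConcluded`; the project's own stated terms belong in `licenseDeclared`, with `licenseConcluded` reserved for what the SBOM producer actually verified (SPDX 2.x defines both package fields), so add `"licenseDeclared": "BUSL-1.1"` alongside. Also, `SPDXRef-cortex-linux` describes the whole distribution, which this PR builds from Debian bookworm packages carrying their own licenses; BUSL-1.1 covers the project's own files, so consider `NOASSERTION` for the aggregate (or list the upstream packages) rather than asserting one license for everything in the ISO.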
🤖 Fix all issues with AI agents
In `@README.md`:
- Line 234: Several source files still carry the old Apache-2.0 SPDX header;
search the listed files (e.g., iso/preseed/cortex.preseed,
packages/cortex-core/* (cortex-verify.py, cortex-upgrade.py, cortex-gpu.py,
config/*, debian/rules), packages/cortex-full/debian/rules,
iso/live-build/auto/*, iso/live-build/config/*, Makefile,
packages/cortex-archive-keyring/debian/rules) for the existing SPDX line (e.g.,
"SPDX-License-Identifier: Apache-2.0") and replace it with the exact header
"SPDX-License-Identifier: BUSL-1.1" so all files match the LICENSE and README;
ensure the header formatting/placement is preserved in each file and run a quick
grep to verify no Apache-2.0 SPDX lines remain before committing.

## License

Apache 2.0 - See [LICENSE](LICENSE)
BSL 1.1 - See [LICENSE](LICENSE)


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's verify the README.md license section
git ls-files | grep -i readme

# Get line 234 of README.md if it exists
if [ -f README.md ]; then
  echo "=== README.md line 234 ===" 
  sed -n '234p' README.md
fi

Repository: cortexlinux/cortex-distro

Length of output: 138


🏁 Script executed:

#!/bin/bash
# Verify repository-wide license consistency

echo "=== Checking for any remaining Apache-2.0 SPDX headers ==="
rg -c "SPDX-License-Identifier:\s*Apache-2\.0" 2>/dev/null || echo "No matches found"

echo -e "\n=== Checking for any remaining Apache references in documentation ==="
rg -c -i "apache\s*2\.0" -t md 2>/dev/null || echo "No markdown files with Apache 2.0 references"

echo -e "\n=== Checking for BUSL-1.1 headers ==="
rg -c "SPDX-License-Identifier:\s*BUSL-1\.1" 2>/dev/null || echo "No BUSL-1.1 headers found"

echo -e "\n=== Checking LICENSE file content ==="
if [ -f LICENSE ]; then
  head -20 LICENSE
else
  echo "No LICENSE file found"
fi

echo -e "\n=== Repository files count by type ==="
find . -type f -name "*.md" | wc -l
find . -type f \( -name "*.js" -o -name "*.ts" -o -name "*.go" -o -name "*.py" -o -name "*.java" \) | wc -l

Repository: cortexlinux/cortex-distro

Length of output: 1856


License migration incomplete across codebase.

While README.md correctly reflects BSL 1.1 and the LICENSE file is properly configured with BUSL-1.1 terms, 18 source files still retain Apache-2.0 SPDX headers and must be updated to maintain consistency:

  • iso/preseed/cortex.preseed
  • packages/cortex-full/debian/rules
  • packages/cortex-core/cortex-verify.py
  • iso/live-build/auto/config
  • iso/live-build/auto/build
  • packages/cortex-core/cortex-upgrade.py
  • iso/live-build/auto/clean
  • packages/cortex-archive-keyring/debian/rules
  • iso/live-build/config/package-lists/cortex-full.list.chroot
  • packages/cortex-core/cortex-gpu.py
  • iso/live-build/config/package-lists/cortex-core.list.chroot
  • Makefile
  • packages/cortex-core/config/provision.yaml.example
  • iso/live-build/config/hooks/live/0100-cortex-config.hook.chroot
  • packages/cortex-core/config/cortex.yaml
  • packages/cortex-core/config/cortex.sources
  • packages/cortex-core/config/cortex.pref
  • packages/cortex-core/debian/rules

Update all SPDX headers to: SPDX-License-Identifier: BUSL-1.1

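The check the bot ran above only matched the `SPDX-License-Identifier` tag, which is why the Apache-2.0 strings inside the SBOM generator's output slipped past it. The following script, added here as an example and not part of the cortex-distro repository, audits a checkout three ways: every SPDX tag must equal the expected identifier, no mention of the retired identifier may remain outside LICENSE itself (a BSL text legitimately names its Change License), and LICENSE must carry the expected Change Date. The function names, the fixture tree it builds under `mktemp`, and the fixture's file contents are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the cortex-distro project's own script: audit a checkout for
# license metadata that disagrees with the declared license.
#   1. every SPDX-License-Identifier tag must equal the expected id
#   2. no other mention of the retired id may survive outside LICENSE (this is
#      what catches the ids the SBOM generator embeds; a tag-only grep misses them)
#   3. LICENSE must carry the expected Change Date
# Function names and the fixture built by make_fixture are constructed for this example.
set -euo pipefail

# Print "path<TAB>id" for every file under $1 that carries an SPDX tag.
list_spdx() {
  local root="$1" line path id
  { grep -rIo --exclude-dir=.git \
      'SPDX-License-Identifier:[[:space:]]*[A-Za-z0-9.+-]*' "$root" || true; } \
  | while IFS= read -r line; do
      path="${line%%:SPDX-License-Identifier:*}"
      id="${line##*SPDX-License-Identifier:}"
      printf '%s\t%s\n' "$path" "${id//[[:space:]]/}"
    done | sort
}

# Print "path: id (expected X)" for each tag that differs from $2; status 1 if any.
audit_spdx() {
  local root="$1" expected="$2" bad=0 path id
  while IFS=$'\t' read -r path id; do
    if [ "$id" != "$expected" ]; then
      printf '%s: %s (expected %s)\n' "${path#"$root"/}" "$id" "$expected"
      bad=1
    fi
  done < <(list_spdx "$root")
  return "$bad"
}

# Print "path:line:text" for every remaining mention of the retired id $2 under $1,
# skipping LICENSE itself (the BSL text names its Change License); status 1 if any.
stale_refs() {
  local root="$1" old="$2" out
  out=$({ grep -rIn --exclude-dir=.git --exclude=LICENSE -F -- "$old" "$root" || true; } \
        | sed "s|^$root/||")
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}

# The Change Date recorded in $1/LICENSE, or nothing if there is none.
change_date() {
  local line
  line=$(grep -m1 '^Change Date:' "$1/LICENSE" 2>/dev/null || true)
  line="${line#Change Date:}"
  printf '%s\n' "${line#"${line%%[![:space:]]*}"}"
}

# Number of lines a check prints, for scripted assertions; never fails itself.
count_findings() {
  local n
  n=$({ "$@" || true; } | wc -l)
  printf '%s\n' "${n//[[:space:]]/}"
}

# Run all three checks against $1; status 1 if either of the first two finds anything.
main() {
  local root="$1" expected="$2" old="$3" rc=0
  echo "== SPDX tags that are not $expected =="
  audit_spdx "$root" "$expected" || rc=1
  echo "== remaining mentions of $old =="
  stale_refs "$root" "$old" || rc=1
  echo "== LICENSE Change Date: $(change_date "$root") =="
  return "$rc"
}

# Constructed fixture mirroring this PR: one debian/rules header and the SBOM
# generator's embedded license strings still say Apache-2.0.
make_fixture() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/scripts" "$d/sbom" "$d/packages/cortex-core/debian"
  printf '#!/bin/bash\n# SPDX-License-Identifier: BUSL-1.1\necho build\n' > "$d/scripts/build.sh"
  printf '#!/usr/bin/make -f\n# SPDX-License-Identifier: Apache-2.0\n' > "$d/packages/cortex-core/debian/rules"
  printf '#!/bin/bash\n# SPDX-License-Identifier: BUSL-1.1\ncat <<EOF\n{"licenses": [{"license": {"id": "Apache-2.0"}}]}\nEOF\n' > "$d/sbom/generate-sbom.sh"
  printf 'Business Source License 1.1\n\nChange Date:  January 15, 2032\nChange License:  Apache-2.0\n' > "$d/LICENSE"
  printf '%s\n' "$d"
}

case "${1:-}" in
  --demo) d=$(make_fixture); main "$d" BUSL-1.1 Apache-2.0 || true; rm -rf "$d" ;;
  '') ;;                                           # no arguments: define functions only
  *) main "$1" "${2:-BUSL-1.1}" "${3:-Apache-2.0}" ;;
esac
```

Run it as `bash audit-license.sh . BUSL-1.1 Apache-2.0` from the repository root (exit status 1 means something is still stale), or `bash audit-license.sh --demo` to see it flag the constructed fixture. The tag check alone would have reported only debian/rules; the second check is what surfaces the SBOM generator's body, the exact gap the review above describes.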


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
iso/live-build/auto/config (1)

4-5: Update SPDX header to BUSL-1.1 to match the new license.

This script still declares Apache-2.0, which conflicts with the PR objective to update all scripts to BUSL-1.1.

🛠️ Proposed fix
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: BUSL-1.1
🤖 Fix all issues with AI agents
In `@iso/live-build/auto/config`:
- Around line 59-63: The script writes to
config/package-lists/debootstrap-includes.list.chroot but only ensures the
parent config directory exists (mkdir -p config), so the echo will fail when
config/package-lists doesn't exist; update the setup to create the package-lists
directory (e.g., run mkdir -p config/package-lists) before writing to
config/package-lists/debootstrap-includes.list.chroot so the echo succeeds under
set -e.

Mike Morgan and others added 5 commits January 17, 2026 18:24

- Change Date: January 15, 2030 → January 15, 2032
- Update README badge from Apache 2.0 to BSL 1.1
- Update SPDX headers in all scripts

Ubuntu 24.04 requires build-essential:native for dpkg-buildpackage.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Modern debhelper uses debhelper-compat build-dependency in debian/control.
Having both debian/compat and debhelper-compat causes build failure.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Removed deprecated options not supported by live-build on Ubuntu 24.04:
- --bootloaders (use config files instead)
- --updates (use apt config)
- --color (not supported)
- --debootstrap-options (moved to config/debootstrap)
- --image-name (not supported)
- --quiet/--verbose (not supported)

Debootstrap includes now configured via package list file.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Debian Trixie (testing) doesn't have separate security or backports
repositories - security updates are rolled into the main testing repo.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@mikejmorgan-ai mikejmorgan-ai force-pushed the fix/license-6-year-update branch from 9bddfc5 to ff4d1c2 on January 18, 2026 01:24

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
iso/live-build/auto/config (1)

14-31: Document the reason for disabling security/backports on Trixie.

The --security false and --backports false flags do omit security updates from the build. Git history shows this was intentional for Trixie (testing distribution), which is reasonable since testing receives frequent updates. However, add an inline comment explaining this choice for future maintainers. If other Debian releases (stable, bookworm) are planned, consider gating this behavior by distribution type rather than hardcoding it.

♻️ Duplicate comments (3)
sbom/generate-sbom.sh (1)

40-40: SBOM still emits Apache-2.0 license IDs.
Line 40 and Lines 66–67 still hardcode Apache-2.0, so generated SBOMs will be incorrect for BUSL-1.1.

🛠️ Proposed fix
-      "licenses": [{"license": {"id": "Apache-2.0"}}]
+      "licenses": [{"license": {"id": "BUSL-1.1"}}]
...
-    {"SPDXID": "SPDXRef-cortex-linux", "name": "Cortex Linux", "versionInfo": "${VERSION}", "licenseConcluded": "Apache-2.0", "downloadLocation": "https://cortexlinux.com"},
-    {"SPDXID": "SPDXRef-cortex-core", "name": "cortex-core", "versionInfo": "${VERSION}", "licenseConcluded": "Apache-2.0", "downloadLocation": "https://repo.cortexlinux.com"},
+    {"SPDXID": "SPDXRef-cortex-linux", "name": "Cortex Linux", "versionInfo": "${VERSION}", "licenseConcluded": "BUSL-1.1", "downloadLocation": "https://cortexlinux.com"},
+    {"SPDXID": "SPDXRef-cortex-core", "name": "cortex-core", "versionInfo": "${VERSION}", "licenseConcluded": "BUSL-1.1", "downloadLocation": "https://repo.cortexlinux.com"},

Also applies to: 66-67

iso/live-build/auto/config (2)

5-5: SPDX header still Apache-2.0 — update to BUSL-1.1.
This script’s header is out of sync with the repo-wide license change.

🛠️ Proposed fix
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: BUSL-1.1

59-63: Create config/package-lists before writing into it.
With set -e, Line 62 fails if the directory doesn’t exist.

🛠️ Proposed fix
-mkdir -p config
+mkdir -p config config/package-lists
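Review bot: `mkdir -p config/package-lists` on its own already creates `config` as a parent, so listing both directories is redundant; the single-path form also states directly which directory line 62 writes into. Either spelling removes the `set -e` abort the comment describes.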

Mike Morgan and others added 3 commits January 18, 2026 00:10

The minbase variant doesn't include gnupg, causing apt-get to fail
when verifying package signatures during chroot setup.

- Add gnupg and debian-archive-keyring to debootstrap --include
- Add gnupg and debian-archive-keyring to workflow dependencies

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Change distribution from trixie (testing) to bookworm (stable)
- Trixie lacks proper GPG package availability in minbase
- Re-enable security and backports repos (available in bookworm)
- Use Docker-based builds for consistency with ini-2 branch
- Build packages and ISO inside debian:bookworm container

This resolves the 'gpg: No such file or directory' error during
apt signature verification in the chroot.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Remove --cache-stages true (invalid stage value)
- Remove --initramfs-compression xz (not supported in bookworm)

These options don't exist in Debian bookworm's live-build 1:20230502.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
iso/live-build/auto/config (1)

1-5: Update SPDX header to BUSL-1.1 for license consistency.

PR objectives call for BUSL-1.1 across scripts, but this header still declares Apache-2.0, creating mixed licensing metadata.

🛠️ Proposed fix
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: BUSL-1.1
.github/workflows/build-iso.yml (1)

1-4: Update SPDX header to BUSL-1.1 for license consistency.

This workflow header still declares Apache-2.0 while the PR objective is BUSL-1.1.

🛠️ Proposed fix
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: BUSL-1.1
🤖 Fix all issues with AI agents
In @.github/workflows/build-iso.yml:
- Around line 103-132: The pipeline masks failures from the lb build step
because the shell lacks pipefail; ensure the build failure is propagated by
enabling pipefail before running lb build (e.g., add set -o pipefail in the same
shell block where lb build is run) or wrap the lb build invocation so a non-zero
exit from lb build causes the script to exit non-zero (e.g., check the exit
status of lb build piped to tee). Target the shell block that runs the lb build
command (the segment containing lb build 2>&1 | tee /workspace/build.log) and
modify it to enable pipefail or explicitly fail on lb build errors.
- Around line 76-85: The workflow step "Free disk space" currently uses the
mutable action reference jlumbroso/free-disk-space@main; replace the `@main` ref
with a specific commit SHA for that action (e.g.
jlumbroso/free-disk-space@<COMMIT_SHA>) so the action is immutable, and add a
comment next to the SHA noting the corresponding release tag (e.g. // tag:
vX.Y.Z) for future tracking; ensure Dependabot configuration can detect and
suggest updates when you change the SHA.

Comment on lines +76 to +85
      - name: Free disk space
        uses: jlumbroso/free-disk-space@main
        with:
          tool-cache: true
          android: true
          dotnet: true
          haskell: true
          large-packages: true
          docker-images: false
          swap-storage: true


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/build-iso.yml | sed -n '70,90p'

Repository: cortexlinux/cortex-distro

Length of output: 697


🌐 Web query:

GitHub Actions version pinning commit SHA best practices supply chain security

💡 Result:

Short best-practices for pinning GitHub Actions to commit SHAs (supply‑chain security):

  1. Pin to a full-length commit SHA (not @main/@tag) so the action code is immutable for your workflow. Verify the SHA originates from the action’s official repo (not a fork). [1][4]

  2. Prefer SHAs that correspond to official tagged releases (and comment the tag/version in the workflow) so Dependabot can recommend updates while retaining immutability. [1]

  3. Audit the action’s source for mutable dependencies (unpinned container images, scripts that download code at runtime, composite actions that pull external code) — pinning SHA does not help if the action itself fetches mutable artifacts. Reject “unpinnable” actions. [1][2][4]

  4. Enforce SHA pinning and blocklists at org/enterprise level (Allowed actions & reusable workflows policy) so non-pinned or known-malicious actions fail policy checks. Use explicit block entries for compromised actions. [1][3][4]

  5. Use Dependabot (or similar) to surface outdated/vulnerable actions, but note Dependabot alerts behave differently for SHA-pinned dependencies — prefer SHAs tied to tags to keep update signals. [1]

  6. Minimize risk via least-privilege: narrow GITHUB_TOKEN permissions, require environment approvals for prod workflows, and rotate/separate secrets accessible to Actions. Monitor for exfiltration patterns. [1][4]

  7. Add operational controls: workflow review/PR gating, automated checks (e.g., “ensure SHA pinned” linter/action), CI audits of used actions, and alerting for new external references. [3]

  8. When available, prefer vendor-provided “immutable releases” (GitHub immutable releases / verified creators) so you can safely pin to semantic versions instead of raw SHAs. Still verify provenance. [1][5]

Trade-offs / notes:

  • SHAs maximize integrity but cost maintainability (manual updates). Tag+SHA comment is a practical compromise to get Dependabot help. [1]
  • SHA pinning can’t fully protect if the action downloads mutable artifacts at runtime — inspect runtime behavior. [2]
  • Enforce org policies and monitoring to respond quickly if a widely-used action is compromised. [3]

Sources: GitHub Well‑Architected / Actions security guidance; GitHub Docs (secure use & allowed actions); GitHub changelog on SHA enforcement; industry analysis of “unpinnable” actions; marketplace/tools for enforcing SHA pinning. [1][4][3][2][3]


Pin jlumbroso/free-disk-space to a commit SHA.

Using @main is mutable and weakens supply-chain security. Pin to a trusted commit SHA tied to an official release tag (comment the tag in the workflow) so the action code is immutable and Dependabot can track updates.

🛠️ Proposed fix
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@<PINNED_SHA>
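Review bot: `<PINNED_SHA>` must become the full 40-character commit SHA of a release tag, taken from the jlumbroso/free-disk-space repository itself rather than a fork, and the tag note that goes with it should be a YAML comment on the same line (`# vX.Y.Z`), not the `// tag:` form the agent prompt above suggests, which is not YAML comment syntax. With the SHA and the version comment in place, Dependabot's `github-actions` updates can still track the pin.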

Comment on lines 103 to 132
            debian:bookworm /bin/bash -c '
              set -e
              echo "=== Installing build dependencies ==="
              apt-get update
              apt-get install -y \
                live-build \
                debootstrap \
                squashfs-tools \
                xorriso \
                isolinux \
                syslinux-efi \
                grub-pc-bin \
                grub-efi-amd64-bin \
                mtools \
                dosfstools \
                gnupg \
                debian-archive-keyring
              echo "=== Configuring live-build ==="
              cd /workspace/iso/live-build
              chmod +x auto/* 2>/dev/null || true
              lb config
              echo "=== Copying packages to chroot ==="
              mkdir -p config/packages.chroot/
              cp /workspace/packages/*.deb config/packages.chroot/ 2>/dev/null || echo "No packages to copy"
              echo "=== Building ISO ==="
              lb build 2>&1 | tee /workspace/build.log


⚠️ Potential issue | 🟠 Major

Ensure lb build failure is not masked by tee.

Without pipefail, a failing build can still appear successful when piped.

🛠️ Proposed fix
-              set -e
+              set -e
+              set -o pipefail
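Review bot: `set -o pipefail` is the right fix here (`set -eo pipefail` on the existing line does the same in one statement), but it only covers the `lb build 2>&1 | tee` pipeline. The `cp /workspace/packages/*.deb config/packages.chroot/ 2>/dev/null || echo "No packages to copy"` line in the same block still turns any copy failure (permission denied, missing target directory) into a log message and a green step, so if shipping the custom packages in the ISO matters, narrow that fallback to the genuinely-no-files case, for instance by testing whether the glob matched before copying.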

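Two checks for the two workflow findings in this review, added here as an example rather than code from the cortex-distro workflow: `unpinned_actions` lists every `uses:` reference in a workflow file that is not pinned to a full 40-hex commit SHA (local `./` actions and `docker://` images are skipped because they carry no git ref), and `piped_failure_status` shows the exit status a `lb build ... | tee` step reports with and without `pipefail`. The workflow text in `make_fixture_workflow`, including its 40-hex placeholder SHA, is constructed and does not correspond to a real release commit.

```shell
#!/usr/bin/env bash
# Added example, not code from the cortex-distro workflow: two checks for the two
# workflow findings above. unpinned_actions flags every `uses:` reference that is
# not pinned to a full 40-hex commit SHA; piped_failure_status shows what
# `lb build ... | tee` reports with and without pipefail. The workflow text in
# make_fixture_workflow, including its placeholder SHA, is constructed.
set -euo pipefail

# Print "line:ref" for each action reference in workflow file $1 whose ref is not a
# 40-hex commit SHA. Local actions (./path) and docker:// images carry no git ref
# and are skipped. Status 1 if anything was printed.
unpinned_actions() {
  local file="$1" lineno=0 bad=0 line ref dq='"' sq="'"
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    line="${line#"${line%%[![:space:]]*}"}"          # trim leading whitespace
    case "$line" in
      '#'*) continue ;;                               # commented-out step
      *uses:*) ;;
      *) continue ;;
    esac
    ref="${line#*uses:}"
    ref="${ref%%#*}"                                  # drop a trailing "# v1.2.3" note
    ref="${ref//[[:space:]]/}"                        # strip whitespace
    ref="${ref//$dq/}"; ref="${ref//$sq/}"            # strip YAML quotes
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    if [[ "$ref" == *@* && "${ref##*@}" =~ ^[0-9a-f]{40}$ ]]; then
      continue                                        # pinned to a full SHA
    fi
    printf '%s:%s\n' "$lineno" "$ref"
    bad=1
  done < "$file"
  return "$bad"
}

# Number of unpinned references in $1; never fails itself.
count_unpinned() {
  local n
  n=$({ unpinned_actions "$1" || true; } | wc -l)
  printf '%s\n' "${n//[[:space:]]/}"
}

# Exit status the shell reports for `false | tee`: "0" without pipefail (tee's
# status is what `set -e` sees, so a failed lb build would look green), "1" with it.
piped_failure_status() {
  local mode="$1"
  (
    set +e +o pipefail
    if [ "$mode" = pipefail ]; then set -o pipefail; fi
    false | tee /dev/null > /dev/null
    echo "$?"
  )
}

# Constructed workflow excerpt; the 40-hex value is a placeholder, not a real release commit.
make_fixture_workflow() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: build-iso
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Free disk space
        uses: jlumbroso/free-disk-space@main
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4.x placeholder
      - uses: ./.github/actions/local-step
      - uses: docker://debian:bookworm
EOF
  printf '%s\n' "$f"
}

case "${1:-}" in
  --demo)
    f=$(make_fixture_workflow)
    unpinned_actions "$f" || echo "(unpinned references found)"
    rm -f "$f"
    echo "false | tee status: $(piped_failure_status plain) plain, $(piped_failure_status pipefail) with pipefail" ;;
  '') ;;                       # no arguments: define functions only
  *) unpinned_actions "$1" ;;  # exit status 1 if the workflow has unpinned refs
esac
```

Run `bash workflow-check.sh .github/workflows/build-iso.yml` as a CI gate (non-zero exit when any `uses:` is pinned to a branch or tag) or `bash workflow-check.sh --demo` to see both findings reproduced on the constructed excerpt: `actions/checkout@v4` and `jlumbroso/free-disk-space@main` are reported, the SHA-pinned step is accepted, and the `false | tee` pipeline reports 0 until `pipefail` is set. Tag pins such as `@v4` are listed too because a tag can be moved; a SHA cannot.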
Remove package copying to config/packages.chroot/ which causes
permission errors when live-build creates the local apt repository.

The custom Cortex packages can be installed post-boot or via a
separate package repository once the base ISO build succeeds.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
iso/live-build/auto/config (1)

4-5: Update SPDX header to BUSL-1.1 to match the new license.

This file still declares Apache-2.0, which contradicts the PR objective to update scripts to BUSL-1.1 and creates license inconsistency.

🛠️ Proposed fix
-# SPDX-License-Identifier: Apache-2.0
+# SPDX-License-Identifier: BUSL-1.1
🤖 Fix all issues with AI agents
In `@iso/live-build/auto/config`:
- Line 15: Update the stale comment string "# Ubuntu 24.04 compatible live-build
options" to reflect the actual target distro (e.g., "Debian Bookworm compatible
live-build options" or a neutral "Debian (bookworm) compatible live-build
options") so the top-of-file comment in the auto/config matches the script's
configuration; locate and edit the exact comment line shown ("# Ubuntu 24.04
compatible live-build options") and replace the text accordingly.

ARCH="amd64"
VERSION="0.1.0"

# Ubuntu 24.04 compatible live-build options


⚠️ Potential issue | 🟡 Minor

Fix stale Ubuntu reference in comment.

The comment says “Ubuntu 24.04” but the script is configured for Debian bookworm, which can mislead maintainers.

📝 Suggested update
-# Ubuntu 24.04 compatible live-build options
+# Debian bookworm live-build options

@mikejmorgan-ai mikejmorgan-ai merged commit 48bf9da into main Jan 18, 2026
9 of 10 checks passed