release-targets: introduce per-scope DEBIAN/UBUNTU codename substitution#295
Open
igorpecovnik wants to merge 10 commits intomainfrom
Open
release-targets: introduce per-scope DEBIAN/UBUNTU codename substitution#295igorpecovnik wants to merge 10 commits intomainfrom
igorpecovnik wants to merge 10 commits intomainfrom
Conversation
…ldstable
Per release rotation: resolute is the new stable Ubuntu LTS-grade
target, noble shifts down to oldstable.
YAML block keys carry the stable/oldstable label, so:
Renamed (RELEASE: noble unchanged, only key + comment changed):
minimal-stable-ubuntu-current-uefi → minimal-oldstable-ubuntu-current-uefi
desktop-stable-ubuntu-gnome-uefi → desktop-oldstable-ubuntu-gnome-uefi
desktop-stable-ubuntu-cinnamon-uefi → desktop-oldstable-ubuntu-cinnamon-uefi
Added (RELEASE: resolute, picking up the freed `-stable-` slot):
minimal-stable-ubuntu-uefi
- uefi-arm64 / uefi-x86 (BRANCH=edge — resolute is forward-looking)
- 4 cloud variants (qcow2 + vhdx for both arches)
desktop-stable-ubuntu-gnome-uefi
- uefi-arm64 (v4l2loopback-dkms,mesa-vpu)
- uefi-x86 (v4l2loopback-dkms,mesa-vpu,nvidia)
Block name `minimal-stable-ubuntu-uefi` drops the `-current-` infix
the noble block had, since resolute uses BRANCH=edge — the noble
block kept "current" because it specifically pinned that kernel
branch on noble.
Cinnamon for resolute deliberately not added (per request: only
minimal + gnome). Resolute board roster is the bare UEFI core —
radxa-dragon-q6a / radxa-nio-12l were not pulled in (deferred for
when their resolute support is verified).
Debian trixie minimal block (`minimal-stable-debian-uefi`)
unchanged — it's the Debian stable, separate cadence.
Contributor
WalkthroughManual release-target files were updated to replace literal Debian/Ubuntu codenames with symbolic Estimated code review effort🎯 4 (Complex) | ⏱️ ~40 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
github-actions
Bot
added
05
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@release-targets/targets-release-standard-support.manual`:
- Around line 100-102: The release manifest is missing thinkpad-x13s (BRANCH
sc8280xp) in the stable GNOME targets though it exists in the noble GNOME and
Cinnamon blocks; verify whether omission is intentional and if not, add
thinkpad-x13s with BRANCH: sc8280xp to the items list in
release-targets/targets-release-standard-support.manual so it mirrors the noble
entries, or add a comment explaining why sc8280xp is deferred (e.g., not
validated on resolute) to avoid regressions and maintain parity with oldstable
GNOME.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 7779469e-84ef-446d-9542-b99c6de1c5f0
📒 Files selected for processing (1)
release-targets/targets-release-standard-support.manual
Replace literal `RELEASE: noble` / `RELEASE: trixie` (and the four `RELEASE: resolute` and one `RELEASE: forky` from the nightly generator) with symbolic `RELEASE: UBUNTU` / `RELEASE: DEBIAN` tokens, both in the manual-override file and in generate_targets.py's own hardcoded YAML stanzas. Tokens are substituted with real codenames just before each output file is written. Per-scope flag pairs — promoting one output file is independent of the others (e.g. nightly on forky+resolute while standard stays on trixie+noble, which is exactly what defaults reproduce): --debian-standard / --ubuntu-standard (default: trixie / noble) --debian-nightly / --ubuntu-nightly (default: forky / resolute) --debian-community / --ubuntu-community (default: trixie / noble) --debian-apps / --ubuntu-apps (default: trixie / noble) The substitution helper (`resolve_release_tokens`) uses `re.sub(r'RELEASE:\s*<TOKEN>\b', ...)` so block keys / comments that contain the literal word "noble", "trixie", etc. are untouched, and longer identifiers like UBUNTU_FOO won't false- match. `apps-kali` keeps `RELEASE: sid` literal — Kali tracks Debian unstable forever; that's not a "current Debian stable" pin and shouldn't move with the scope flag. Scope/output mapping in generate_targets.py main(): apps_yaml -> args.debian_apps, args.ubuntu_apps stable_yaml -> args.debian_standard, args.ubuntu_standard nightly_yaml -> args.debian_nightly, args.ubuntu_nightly community_yaml -> args.debian_community, args.ubuntu_community Wire the same eight flags into .github/workflows/generate-build-lists.yaml as `workflow_dispatch.inputs`, with `||` fallbacks so push / repository_dispatch triggers (which don't carry inputs) get the script's own argparse defaults. Heads-up: the previous commit's stable + oldstable Ubuntu block duplication (3 oldstable + 2 stable blocks in the manual file) is now semantically a duplicate — both stable and oldstable blocks substitute to the same `--ubuntu-standard` codename. If true coexistence is needed, either run the generator twice with different flags or introduce a second token (e.g. UBUNTU_OLD). Left as-is for now — orchestration is "controlled from outside".
github-actions
Bot
added
GitHub Actions
igorpecovnik
changed the title
Comments like
# Ubuntu noble minimal with current kernel - UEFI only (oldstable)
# Debian forky minimal CLI for all boards
# Ubuntu resolute GNOME desktop for fast HDMI boards
were lying after the substitution refactor: the codename in the
comment was a hand-pinned label, the actual emitted codename now
comes from the per-scope CLI flag, and the two could drift the
moment any scope was promoted via `--<distro>-<scope>=`. The
block key (e.g. `nightly-forky-all`, `community-noble-gnome`)
already carries the original codename for identifier stability,
and the rendered `RELEASE: <codename>` line carries the actual
substituted value, so the comment doesn't need to repeat either.
Strip the bare codename word out of every "# Debian <codename>"
or "# Ubuntu <codename>" descriptive comment — the surrounding
"minimal with current kernel - UEFI only (oldstable)" descriptor
is what those comments are really for. Block keys and the
SCOPE_DEFAULTS table keep literal codenames (they're identifiers
and configuration data respectively, not descriptions).
Three Python comments inside generate_exposed_map() at lines
~1700/1721/1738 keep their literal codenames intentionally —
they describe regex pattern strings that match literal codenames
in image filenames on the mirror, so the comments are accurate
to the patterns and shouldn't drift even when the symbolic flags
do. Pattern templating is a separate concern.
exposed.map regex patterns previously had `_trixie_` and `_noble_`
hardcoded literally — separate from the per-scope CLI flags that
control the YAML output. Promoting any release line via
`--debian-…` / `--ubuntu-…` would update the *.yaml files but the
exposed.map patterns would keep matching the old codenames, and
"recommended images" on the website would silently drop off
until exposed.map was rebuilt with another set of literals. The
two pieces have to move together.
Pass the four codenames (debian/ubuntu × standard/community)
through to generate_exposed_map as keyword-only arguments. Inside
the loop, pick the right pair based on the per-board `board_type`
('stable' → standard flags; 'community' → community flags), then
interpolate that pair into the regex pattern strings in place of
the literal codenames.
Defaults reproduce previous output exactly — every codename
resolves to the same trixie / noble values that were hardcoded
before, so an unflagged run produces a byte-identical exposed.map.
Side cleanup: the two desktop-pattern variants for fast vs slow
hardware were almost-identical four-line copies; collapsed to a
single emit after the desktop_type is chosen. Comment about
loongarch & "bookworm" was wrong — the loop never emitted a
bookworm pattern (loongarch boards just get the Debian minimal
from earlier in the loop and skip Ubuntu); fixed the comment.
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (2)
scripts/generate_targets.py (1)
43-65:resolve_release_tokensis correct; one fragility worth keeping in mind.The regex
RELEASE:\s*DEBIAN\bis unanchored and applied to the assembled YAML text, so it would also matchRELEASE: DEBIANif it ever showed up inside a YAML comment or a quoted string value. There are no such occurrences in the current generated/manual content (the PR explicitly removed bare codename words from comments), so this is safe today — just be aware that a future "describe a target withRELEASE: DEBIANin a comment" could silently get rewritten. If you ever want to harden this, anchoring on indentation (^\s+RELEASE:\s*DEBIAN\bwithre.MULTILINE) would restrict to map keys.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/generate_targets.py` around lines 43 - 65, The current resolve_release_tokens uses unanchored regexes that can match RELEASE: DEBIAN/UBUNTU inside comments or quoted strings; to harden it, anchor the patterns to line starts and use re.MULTILINE (e.g., change the two re.sub calls in resolve_release_tokens to match r"^\s*RELEASE:\s*"+re.escape(RELEASE_TOKEN_DEBIAN)+r"\b" and r"^\s*RELEASE:\s*"+re.escape(RELEASE_TOKEN_UBUNTU)+r"\b" and pass flags=re.MULTILINE or compile with re.MULTILINE) so only YAML map keys are replaced..github/workflows/generate-build-lists.yaml (1)
94-110: Passinputs.*viaenv:rather than direct expression interpolation.The current
"${{ inputs.debian_standard || 'trixie' }}"form expands inside the shell script before bash quoting, so any"/`/$in a dispatched value can break out of the quoted argument and inject shell. Dispatch is gated by team membership so the practical risk is low, but this is the GitHub-recommended pattern for any user-controlledinputs.*reachingrun:.♻️ Suggested refactor
- name: Run generate_targets.py # `inputs.*` is only populated on workflow_dispatch; push / # repository_dispatch fire with empty inputs, so each `||` # falls back to the same default the script's argparse uses. # Net effect: codename promotion is a workflow_dispatch knob; # automatic re-runs use the script's pinned defaults. + env: + DEBIAN_STANDARD: ${{ inputs.debian_standard || 'trixie' }} + UBUNTU_STANDARD: ${{ inputs.ubuntu_standard || 'noble' }} + DEBIAN_NIGHTLY: ${{ inputs.debian_nightly || 'forky' }} + UBUNTU_NIGHTLY: ${{ inputs.ubuntu_nightly || 'resolute' }} + DEBIAN_COMMUNITY: ${{ inputs.debian_community || 'trixie' }} + UBUNTU_COMMUNITY: ${{ inputs.ubuntu_community || 'noble' }} + DEBIAN_APPS: ${{ inputs.debian_apps || 'trixie' }} + UBUNTU_APPS: ${{ inputs.ubuntu_apps || 'noble' }} run: | python3 scripts/generate_targets.py image-info.json release-targets \ - --debian-standard "${{ inputs.debian_standard || 'trixie' }}" \ - --ubuntu-standard "${{ inputs.ubuntu_standard || 'noble' }}" \ - --debian-nightly "${{ inputs.debian_nightly || 'forky' }}" \ - --ubuntu-nightly "${{ inputs.ubuntu_nightly || 'resolute' }}" \ - --debian-community "${{ inputs.debian_community || 'trixie' }}" \ - --ubuntu-community "${{ inputs.ubuntu_community || 'noble' }}" \ - --debian-apps "${{ inputs.debian_apps || 'trixie' }}" \ - --ubuntu-apps "${{ inputs.ubuntu_apps || 'noble' }}" \ + --debian-standard "$DEBIAN_STANDARD" \ + --ubuntu-standard "$UBUNTU_STANDARD" \ + --debian-nightly "$DEBIAN_NIGHTLY" \ + --ubuntu-nightly "$UBUNTU_NIGHTLY" \ + --debian-community "$DEBIAN_COMMUNITY" \ + --ubuntu-community "$UBUNTU_COMMUNITY" \ + --debian-apps "$DEBIAN_APPS" \ + --ubuntu-apps "$UBUNTU_APPS" \ 2>&1 | tee -a generation.log🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/generate-build-lists.yaml around lines 94 - 110, The Run generate_targets.py step is interpolating inputs directly into the run script which risks shell injection; change to pass each inputs.* into the job environment and reference those env vars inside the run command. Add an env: block on the step mapping each input (e.g. DEBIAN_STANDARD from inputs.debian_standard with the same fallback, UBUNTU_STANDARD, DEBIAN_NIGHTLY, etc.), then in the run string replace the "${{ inputs... }}" expansions with their corresponding "$DEBIAN_STANDARD", "$UBUNTU_STANDARD", "$DEBIAN_NIGHTLY", "$UBUNTU_NIGHTLY", "$DEBIAN_COMMUNITY", "$UBUNTU_COMMUNITY", "$DEBIAN_APPS", "$UBUNTU_APPS" variables (keeping proper double quotes around each) so the values are expanded by the shell from env vars rather than by GitHub before shell parsing.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/generate-build-lists.yaml:
- Around line 94-110: The Run generate_targets.py step is interpolating inputs
directly into the run script which risks shell injection; change to pass each
inputs.* into the job environment and reference those env vars inside the run
command. Add an env: block on the step mapping each input (e.g. DEBIAN_STANDARD
from inputs.debian_standard with the same fallback, UBUNTU_STANDARD,
DEBIAN_NIGHTLY, etc.), then in the run string replace the "${{ inputs... }}"
expansions with their corresponding "$DEBIAN_STANDARD", "$UBUNTU_STANDARD",
"$DEBIAN_NIGHTLY", "$UBUNTU_NIGHTLY", "$DEBIAN_COMMUNITY", "$UBUNTU_COMMUNITY",
"$DEBIAN_APPS", "$UBUNTU_APPS" variables (keeping proper double quotes around
each) so the values are expanded by the shell from env vars rather than by
GitHub before shell parsing.
In `@scripts/generate_targets.py`:
- Around line 43-65: The current resolve_release_tokens uses unanchored regexes
that can match RELEASE: DEBIAN/UBUNTU inside comments or quoted strings; to
harden it, anchor the patterns to line starts and use re.MULTILINE (e.g., change
the two re.sub calls in resolve_release_tokens to match
r"^\s*RELEASE:\s*"+re.escape(RELEASE_TOKEN_DEBIAN)+r"\b" and
r"^\s*RELEASE:\s*"+re.escape(RELEASE_TOKEN_UBUNTU)+r"\b" and pass
flags=re.MULTILINE or compile with re.MULTILINE) so only YAML map keys are
replaced.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 1e41a98f-99e8-4247-a38d-509a2748195e
📒 Files selected for processing (3)
.github/workflows/generate-build-lists.yamlrelease-targets/targets-release-standard-support.manualscripts/generate_targets.py
Commit e1e5c5d ("promote Ubuntu resolute to stable, demote noble to oldstable") added a second set of Ubuntu blocks (`minimal-stable-ubuntu-uefi` + `desktop-stable-ubuntu-gnome-uefi`, both pinned to resolute) alongside the existing noble blocks that were renamed `*-oldstable-*`. Under the RELEASE codename substitution introduced in 6590973 both blocks resolve to the same `--ubuntu-standard` codename per generator invocation, so stable and oldstable are duplicates — the same image gets built twice, once under each label. The structural split was the right answer to "promote resolute" when that meant editing literal codenames in YAML; with the symbolic token + flag flip, it's an extra build matrix slot that produces nothing new. Drop the two `*-stable-*` resolute blocks. Rename the three `*-oldstable-*` blocks back to `*-stable-*` (their pre-e1e5c5d names). Drop the `(stable)` / `(oldstable)` annotations from header comments — those distinctions are no longer real, the codename comes from the flag now. Net result: file is byte-for-byte the pre-PR-#295 state from main, plus the four `RELEASE: noble|trixie` → `RELEASE: UBUNTU|DEBIAN` token swaps and four codename words removed from descriptive comments. Promoting Ubuntu standard to resolute now becomes a `--ubuntu-standard=resolute` flag flip on the workflow dispatch, no manual file edits.
igorpecovnik
added
Ready to merge
…nity + README
Apply the same symbolic-token treatment to the two remaining
manual override files and the example in README.md, mirroring
what was done for targets-release-standard-support.manual.
Files touched:
- targets-release-community-maintained.manual
RELEASE: trixie / noble → RELEASE: DEBIAN / UBUNTU
Drop codename word from "# Debian trixie cli" / "# Ubuntu
noble cli" / "# Debian stable XFCE desktop" comments
(the descriptor is what those comments are for, the
codename comes from --debian-community / --ubuntu-community).
- targets-release-nightly.manual
RELEASE: resolute / forky / trixie / noble → UBUNTU /
DEBIAN / DEBIAN / UBUNTU. Drop the parenthetical "(trixie)"
/ "(noble)" from header comments — that disambiguator was
the previous way to tell two same-distro blocks apart, but
with substitution they collapse onto one codename per
generator invocation.
Caveat: the nightly file used to carry two distinct Debian
codenames (forky for the "unstable cloud" block, trixie
for the "stable cloud" block) and likewise two Ubuntu
codenames (resolute / noble). Under the substitution model
with one DEBIAN / UBUNTU token per scope, both pairs
resolve to the same codename per generator run — so the
"-trixie" and "-noble" blocks become duplicates of their
sibling cloud blocks. Documented inline above each
duplicated block; left in place pending a follow-up that
either drops them or introduces a second per-scope token
to carry an explicit "stable vs testing" split inside one
nightly invocation.
- README.md
Update the manual-override example to use RELEASE: UBUNTU
with a brief inline note, so the docs match the new style
newcomers should follow.
After this commit there are zero literal Debian/Ubuntu release
codenames left under release-targets/ — only block keys
(identifiers, intentionally stable) and the README's
documentation reference to the substitution token itself.
github-actions
Bot
added
Needs review
Add a new "Release codename substitution" section explaining the
DEBIAN / UBUNTU symbolic tokens and the eight per-scope flag
pairs that control them, with a flag-level table mapping each
flag to its default and the output file it substitutes into.
Rework the Usage section accordingly:
- Show the full flag-aware invocation
- Drop the wrong "Both arguments are required" line
(output_directory is optional, defaults to cwd via argparse
nargs='?')
- Add a second example showing how to flip standard-support to
a different Ubuntu without touching the script or the
*.manual files
Note that the same per-scope codenames drive exposed.map regex
patterns too, so promoting via these flags keeps the build matrix
and the website's "recommended images" filter in lockstep.
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
release-targets/targets-release-nightly.manual (1)
38-77:⚠️ Potential issue | 🟡 MinorDefault-run output for the legacy
*-trixie/*-nobleblocks now changes (intentional collapse — please confirm).Pre-PR,
minimal-cli-stable-debian-cloud-trixieemittedRELEASE: trixieandminimal-cli-stable-ubuntu-cloud-nobleemittedRELEASE: noble. With the new substitution model and the nightly defaults (--debian-nightly=forky,--ubuntu-nightly=resolute), both legacy blocks now resolve to the same codename asminimal-cli-unstable-debian-cloud/minimal-cli-stable-ubuntu-cloud, making them byte-for-byte duplicate target stanzas (samevars, sameitems). Two implications worth confirming:
- The "unflagged run is byte-identical to previous output" property in the PR description does not hold for these two stanzas — their
RELEASE:flips fromtrixie/nobletoforky/resoluteat defaults. If the byte-identical check still passes, it's likely because these blocks were already changed (or compared post-substitution); worth double-checking what the reference output actually contains.- Two identical stanzas under different YAML keys means CI will build the same image twice per nightly run. The comments correctly flag this; just want to make sure that's an acceptable cost until the planned follow-up drops them or introduces a
DEBIAN_TESTING/DEBIAN_STABLEtoken split.The comments on Lines 38–42 and 59–62 already document this clearly, so this is a heads-up rather than a blocker.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@release-targets/targets-release-nightly.manual` around lines 38 - 77, The legacy targets minimal-cli-stable-debian-cloud-trixie and minimal-cli-stable-ubuntu-cloud-noble now resolve to the same RELEASE values as their unstable counterparts, causing byte-identical duplicate builds; update these stanzas to restore explicit codenames or deduplicate them: either set explicit vars RELEASE: trixie and RELEASE: noble in the minimal-cli-stable-debian-cloud-trixie and minimal-cli-stable-ubuntu-cloud-noble blocks respectively, or remove one of each duplicate block (or introduce distinct tokens like DEBIAN_STABLE/DEBIAN_TESTING) so CI does not build the same image twice under different keys and the unflagged default output remains byte-identical to previous runs.
🧹 Nitpick comments (1)
scripts/generate_targets.py (1)
43-65: Substitution is not actually comment-safe — anchor the regex to the line start.The PR description claims "block-key/comment safety", but the current pattern
r"RELEASE:\s*DEBIAN\b"has no anchor and will rewrite the token wherever it appears, including inside YAML comments. Concrete examples in this PR:
release-targets/targets-release-nightly.manualLines 38–42 and 59–62 contain comments like# both blocks resolve to RELEASE: DEBIAN under the substitution model— afterresolve_release_tokens()runs, those comments becomeRELEASE: forky(or whatever--debian-nightlyis), so the meta-documentation about the substitution model itself gets rewritten and loses its explanatory value.- Per the AI summary, similar wording exists in
release-targets/README.md.It's not a correctness bug for YAML loaders (comments are still comments), but it directly contradicts the stated guarantee and silently mutates documentation. A line-anchored variant fixes both:
♻️ Anchor to start-of-line so only real YAML keys are substituted
yaml_text = re.sub( - r"RELEASE:\s*" + re.escape(RELEASE_TOKEN_DEBIAN) + r"\b", + r"^(\s*)RELEASE:(\s*)" + re.escape(RELEASE_TOKEN_DEBIAN) + r"\b", f"RELEASE: {debian}", yaml_text, + flags=re.MULTILINE, ) yaml_text = re.sub( - r"RELEASE:\s*" + re.escape(RELEASE_TOKEN_UBUNTU) + r"\b", + r"^(\s*)RELEASE:(\s*)" + re.escape(RELEASE_TOKEN_UBUNTU) + r"\b", f"RELEASE: {ubuntu}", yaml_text, + flags=re.MULTILINE, )(If you want to preserve the original indent/spacing in the substitution, switch the replacement to
r"\1RELEASE:\2{debian}"style. The simpler anchored form above is enough to keep comments untouched and still matches every real YAML stanza ingenerate_*_yaml()and the manual files, since they all useRELEASE: TOKENat the start of the line.)🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/generate_targets.py` around lines 43 - 65, The substitution in resolve_release_tokens currently matches RELEASE tokens anywhere (including in comments); change the regexes to anchor to the start of a line (allowing optional leading indentation) and run with the re.MULTILINE flag so only actual YAML key lines are replaced; update the two calls that match RELEASE_TOKEN_DEBIAN and RELEASE_TOKEN_UBUNTU in resolve_release_tokens to use a start-of-line pattern (optionally capturing the leading whitespace so you can preserve indentation in the replacement) and pass re.MULTILINE to re.sub.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Outside diff comments:
In `@release-targets/targets-release-nightly.manual`:
- Around line 38-77: The legacy targets minimal-cli-stable-debian-cloud-trixie
and minimal-cli-stable-ubuntu-cloud-noble now resolve to the same RELEASE values
as their unstable counterparts, causing byte-identical duplicate builds; update
these stanzas to restore explicit codenames or deduplicate them: either set
explicit vars RELEASE: trixie and RELEASE: noble in the
minimal-cli-stable-debian-cloud-trixie and minimal-cli-stable-ubuntu-cloud-noble
blocks respectively, or remove one of each duplicate block (or introduce
distinct tokens like DEBIAN_STABLE/DEBIAN_TESTING) so CI does not build the same
image twice under different keys and the unflagged default output remains
byte-identical to previous runs.
---
Nitpick comments:
In `@scripts/generate_targets.py`:
- Around line 43-65: The substitution in resolve_release_tokens currently
matches RELEASE tokens anywhere (including in comments); change the regexes to
anchor to the start of a line (allowing optional leading indentation) and run
with the re.MULTILINE flag so only actual YAML key lines are replaced; update
the two calls that match RELEASE_TOKEN_DEBIAN and RELEASE_TOKEN_UBUNTU in
resolve_release_tokens to use a start-of-line pattern (optionally capturing the
leading whitespace so you can preserve indentation in the replacement) and pass
re.MULTILINE to re.sub.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: e74419e7-3753-4e17-8ecd-2c54ca457557
📒 Files selected for processing (5)
release-targets/README.mdrelease-targets/targets-release-community-maintained.manualrelease-targets/targets-release-nightly.manualrelease-targets/targets-release-standard-support.manualscripts/generate_targets.py
✅ Files skipped from review due to trivial changes (2)
- release-targets/README.md
- release-targets/targets-release-community-maintained.manual
🚧 Files skipped from review as they are similar to previous changes (1)
- release-targets/targets-release-standard-support.manual
…lute
Resolute is now ready to be the standard-support Ubuntu line.
Flip the default in three coordinated places — and only those
three places, which is the whole point of the substitution
refactor:
- scripts/generate_targets.py: SCOPE_DEFAULTS["standard"]["ubuntu"]
"noble" -> "resolute"
- .github/workflows/generate-build-lists.yaml: the inputs.
ubuntu_standard default and the matching `||`-fallback in
the generate_targets.py invocation step
- release-targets/README.md: the per-scope flags table cell
for --ubuntu-standard, and the rollback example (which
previously promoted resolute and is now a no-op against the
new default — re-aimed at noble to still demonstrate
something useful)
community / apps stay on noble (those build matrices follow a
different cadence). nightly was already on resolute — no change
there.
After this commit the standard-support YAML produced with no
flags will target resolute for every Ubuntu block. Roll back to
noble for one invocation by passing `--ubuntu-standard noble`.
Same default flip as the previous commit, this time for the
community-maintained scope. Three coordinated places:
- SCOPE_DEFAULTS["community"]["ubuntu"]: noble -> resolute
- inputs.ubuntu_community.default + matching `||`-fallback in
the workflow's generate_targets.py invocation
- README per-scope flags table cell
apps stays on noble — that scope follows a different cadence
(HA / OMV / OpenHAB pinned to a stable LTS for reproducibility).
The generator's hardcoded desktop blocks all set DESKTOP_TIER
explicitly (mid for normal blocks, minimal only for the
riscv64-xfce slow-hardware block) but the three manual desktop
override blocks lacked it entirely:
standard-support desktop-stable-ubuntu-gnome-uefi (no TIER)
standard-support desktop-stable-ubuntu-cinnamon-uefi (no TIER)
community desktop-stable-debian-xfce (no TIER)
Add DESKTOP_TIER: "mid" to all three, matching the generator's
default desktop tier. Same insertion point — right after
DESKTOP_APPGROUPS_SELECTED — so the var ordering is consistent
with the script-emitted blocks.
mid is the right default here:
- The two standard-support blocks target UEFI / Qualcomm /
MediaTek hardware that comfortably runs the mid bundle
(browsers + programming appgroup is already selected).
- The community block runs on aml-s9xx-box and only enables
XFCE without any appgroups — mid is still appropriate;
minimal would drop standard XFCE companion utils.
Contributor
There was a problem hiding this comment.
🧹 Nitpick comments (5)
scripts/generate_targets.py (4)
29-30: Ruff S105 here is a false positive — safe to ignore or silence.Ruff is flagging
RELEASE_TOKEN_DEBIAN/RELEASE_TOKEN_UBUNTUas possible hardcoded passwords because of the_TOKEN_substring in the name. These are obviously placeholder strings, not credentials. If the noise is unwanted, a# noqa: S105on each line (or a per-file ignore in your ruff config) clears it without renaming.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/generate_targets.py` around lines 29 - 30, Ruff is flagging RELEASE_TOKEN_DEBIAN and RELEASE_TOKEN_UBUNTU as S105 false positives; to silence this, add a per-line noqa comment by appending "# noqa: S105" to the RELEASE_TOKEN_DEBIAN and RELEASE_TOKEN_UBUNTU definitions, or alternatively add a per-file or project-level S105 ignore in your ruff config if you prefer to suppress this rule for the file.
1192-1192: Target names still hardcode codenames (forky,resolute,trixie,noble) — flag-flip promotion is incomplete.The PR's stated goal is that "Promoting nightly to a new Debian … becomes a single flag flip, not a 30-place codename rename." But target keys like
nightly-forky-all,nightly-resolute-gnome,nightly-resolute-xfce,nightly-resolute-riscv64-xfce,nightly-resolute-minimal,community-trixie-all,community-noble-gnome,community-noble-kde-neon,community-noble-xfce,community-noble-riscv64-xfce, andcommunity-noble-minimalare emitted as static strings and are not run throughresolve_release_tokens(which only matchesRELEASE: <token>). After flipping--debian-nightlyfromforkyto (say)trixie, the YAML will containnightly-forky-all:withRELEASE: trixie— internally inconsistent, and any downstream tooling/dashboards keyed on these target names will silently break or need a parallel rename.Two reasonable options:
- Make target names codename-agnostic (e.g.,
nightly-debian-all,nightly-ubuntu-gnome,community-debian-all,community-ubuntu-gnome, …) — this also matches what the manual/standard side already does (minimal-stable-debian,desktop-stable-ubuntu-xfce).- Or substitute the codename into the name at generate time using the same per-scope codenames already threaded through
main().Option 1 is the cheaper and more consistent fix and aligns nightly/community naming with the rest of the file.
Also applies to: 1217-1217, 1239-1239, 1261-1261, 1283-1283, 1458-1458, 1503-1503, 1529-1529, 1555-1555, 1582-1582, 1609-1609
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/generate_targets.py` at line 1192, The generated target keys are hardcoded with codenames (e.g., nightly-forky-all, community-noble-gnome) causing mismatch after a RELEASE token flip; update the generator in scripts/generate_targets.py (where targets are emitted in the same scope as resolve_release_tokens and main()) to produce codename-agnostic keys (e.g., nightly-debian-all, nightly-ubuntu-gnome, community-debian-all) instead of embedding the codename, or alternatively substitute the codename at generation time using the per-scope codename passed through main() and the same token resolution machinery; change the static string keys referenced around the existing occurrences (nightly-forky-all, nightly-resolute-*, community-trixie-*, community-noble-*) to the chosen codename-agnostic names (or build them from the resolved codename) so emitted YAML keys remain consistent with RELEASE values and downstream tooling.
1128-1138: Docstrings/comments still pin specific codenames (Forky,Resolute,Noble,bookworm).
generate_nightly_yamldocstring (1130–1138) andgenerate_community_yamldocstring (1308–1313) describe the output in terms ofForky/Resolute/Noble, and the inline notes at lines 1297 and 1628 refer toresolute/noble/bookworm. After this PR, those codenames are runtime-configurable via--debian-{nightly,community}/--ubuntu-{nightly,community}, so the docs are now stale and misleading. Also,bookwormis no longer used anywhere in the generator, so the loongarch notes are doubly wrong.Suggest making these generic (e.g., "Debian minimal CLI", "Ubuntu desktop", "loongarch boards only get the Debian minimal image").
Also applies to: 1297-1297, 1307-1314, 1628-1628
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/generate_targets.py` around lines 1128 - 1138, Update the stale hard-coded release codenames in the generate_nightly_yaml and generate_community_yaml docstrings and any inline comments that reference "Forky", "Resolute", "Noble", or "bookworm" to use generic descriptions (e.g., "Debian minimal CLI", "Ubuntu desktop", "Debian minimal for loongarch") because Debian/Ubuntu codenames are now runtime-configurable via the --debian-{nightly,community} and --ubuntu-{nightly,community} flags; specifically, edit the docstrings in generate_nightly_yaml and generate_community_yaml and the nearby inline notes that currently mention resolute/noble/bookworm to remove codename assertions and to state that codenames are configurable at runtime and that loongarch boards receive the Debian minimal CLI image.
54-64: Regex isn't anchored beforeRELEASE:, so it can match a suffix of an unrelated key.The pattern
RELEASE:\s*DEBIAN\bhas a\bafter the token but no anchor beforeRELEASE. A YAML key likeKERNEL_RELEASE: DEBIAN(or any future*_RELEASE: DEBIAN) would still be substituted because_RELEASE:ends with the same characters. The PR description claims "word-boundary and block-key/comment safety", which would require(?<!\w)RELEASE:(or^\s*RELEASE:per-line) to actually hold.No such key exists today, so no current breakage — but worth tightening defensively since the cost is one lookbehind.
♻️ Suggested tightening
yaml_text = re.sub( - r"RELEASE:\s*" + re.escape(RELEASE_TOKEN_DEBIAN) + r"\b", + r"(?<!\w)RELEASE:\s*" + re.escape(RELEASE_TOKEN_DEBIAN) + r"\b", f"RELEASE: {debian}", yaml_text, ) yaml_text = re.sub( - r"RELEASE:\s*" + re.escape(RELEASE_TOKEN_UBUNTU) + r"\b", + r"(?<!\w)RELEASE:\s*" + re.escape(RELEASE_TOKEN_UBUNTU) + r"\b", f"RELEASE: {ubuntu}", yaml_text, )🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@scripts/generate_targets.py` around lines 54 - 64, The current re.sub calls replace any occurrence of "RELEASE: TOKEN" even when it's part of a longer key (e.g., "KERNEL_RELEASE: DEBIAN"); tighten the regex in the two replacements so it only matches a block key by anchoring before RELEASE, e.g. use a multiline start anchor or negative-word lookbehind (patterns like (?m)^\s*RELEASE:\s* + re.escape(RELEASE_TOKEN_DEBIAN) + \b and similarly for RELEASE_TOKEN_UBUNTU) and apply them to the same yaml_text variables so only top-level RELEASE keys are substituted..github/workflows/generate-build-lists.yaml (1)
10-42: Defaults are duplicated three times — workflow input defaults, inline||fallbacks, andSCOPE_DEFAULTSin the script.Each codename default now lives in three places:
workflow_dispatch.inputs.*.default(lines 14, 18, 22, 26, 30, 34, 38, 42)${{ inputs.* || '<literal>' }}fallback in the run step (lines 102–109)SCOPE_DEFAULTSinscripts/generate_targets.pyIf any of these drift (e.g., a future codename promotion updates only the workflow input default but forgets the inline fallback),
push/repository_dispatchruns andworkflow_dispatchruns will silently produce different outputs. Two cheaper alternatives:
- Drop the
|| '<literal>'fallbacks and just pass"${{ inputs.* }}"— argparse in the script will fall back toSCOPE_DEFAULTSwhen the value is empty… but only if you also handle empty strings in argparse (currentlydefault=...only kicks in when the flag is absent, not when it's passed as""). So this needs a small tweak in the script (e.g.,type=lambda v: v or defaults["debian"]).- Or, simpler and zero script change: drop the
inputs.*.defaultblock and rely on the||fallback as the single source of truth for non-script defaults. The dispatch UI will show empty fields, which is mildly less friendly but eliminates one of the three copies.Not a blocker for this PR, but worth a note before the next codename promotion lands.
Also applies to: 100-110
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/generate-build-lists.yaml around lines 10 - 42, Remove the duplicated inline "|| '<literal>'" fallbacks in the workflow run step and pass the raw inputs (e.g., use "${{ inputs.debian_standard }}" etc.), and update the script's argparse logic in scripts/generate_targets.py to treat empty strings as missing by using a small type/coerce function (e.g., change the argparse.add_argument for each scope to use type=lambda v: v or SCOPE_DEFAULTS["debian"/"ubuntu"/...]) or equivalent post-processing so SCOPE_DEFAULTS is the single source of truth; reference the workflow input names (debian_standard, ubuntu_standard, debian_nightly, ubuntu_nightly, debian_community, ubuntu_community, debian_apps, ubuntu_apps) and the SCOPE_DEFAULTS mapping when making the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/generate-build-lists.yaml:
- Around line 10-42: Remove the duplicated inline "|| '<literal>'" fallbacks in
the workflow run step and pass the raw inputs (e.g., use "${{
inputs.debian_standard }}" etc.), and update the script's argparse logic in
scripts/generate_targets.py to treat empty strings as missing by using a small
type/coerce function (e.g., change the argparse.add_argument for each scope to
use type=lambda v: v or SCOPE_DEFAULTS["debian"/"ubuntu"/...]) or equivalent
post-processing so SCOPE_DEFAULTS is the single source of truth; reference the
workflow input names (debian_standard, ubuntu_standard, debian_nightly,
ubuntu_nightly, debian_community, ubuntu_community, debian_apps, ubuntu_apps)
and the SCOPE_DEFAULTS mapping when making the change.
In `@scripts/generate_targets.py`:
- Around line 29-30: Ruff is flagging RELEASE_TOKEN_DEBIAN and
RELEASE_TOKEN_UBUNTU as S105 false positives; to silence this, add a per-line
noqa comment by appending "# noqa: S105" to the RELEASE_TOKEN_DEBIAN and
RELEASE_TOKEN_UBUNTU definitions, or alternatively add a per-file or
project-level S105 ignore in your ruff config if you prefer to suppress this
rule for the file.
- Line 1192: The generated target keys are hardcoded with codenames (e.g.,
nightly-forky-all, community-noble-gnome) causing mismatch after a RELEASE token
flip; update the generator in scripts/generate_targets.py (where targets are
emitted in the same scope as resolve_release_tokens and main()) to produce
codename-agnostic keys (e.g., nightly-debian-all, nightly-ubuntu-gnome,
community-debian-all) instead of embedding the codename, or alternatively
substitute the codename at generation time using the per-scope codename passed
through main() and the same token resolution machinery; change the static string
keys referenced around the existing occurrences (nightly-forky-all,
nightly-resolute-*, community-trixie-*, community-noble-*) to the chosen
codename-agnostic names (or build them from the resolved codename) so emitted
YAML keys remain consistent with RELEASE values and downstream tooling.
- Around line 1128-1138: Update the stale hard-coded release codenames in the
generate_nightly_yaml and generate_community_yaml docstrings and any inline
comments that reference "Forky", "Resolute", "Noble", or "bookworm" to use
generic descriptions (e.g., "Debian minimal CLI", "Ubuntu desktop", "Debian
minimal for loongarch") because Debian/Ubuntu codenames are now
runtime-configurable via the --debian-{nightly,community} and
--ubuntu-{nightly,community} flags; specifically, edit the docstrings in
generate_nightly_yaml and generate_community_yaml and the nearby inline notes
that currently mention resolute/noble/bookworm to remove codename assertions and
to state that codenames are configurable at runtime and that loongarch boards
receive the Debian minimal CLI image.
- Around line 54-64: The current re.sub calls replace any occurrence of
"RELEASE: TOKEN" even when it's part of a longer key (e.g., "KERNEL_RELEASE:
DEBIAN"); tighten the regex in the two replacements so it only matches a block
key by anchoring before RELEASE, e.g. use a multiline start anchor or
negative-word lookbehind (patterns like (?m)^\s*RELEASE:\s* +
re.escape(RELEASE_TOKEN_DEBIAN) + \b and similarly for RELEASE_TOKEN_UBUNTU) and
apply them to the same yaml_text variables so only top-level RELEASE keys are
substituted.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: c2a2585f-238d-449f-b333-e75eb8c32157
📒 Files selected for processing (5)
.github/workflows/generate-build-lists.yamlrelease-targets/README.mdrelease-targets/targets-release-community-maintained.manualrelease-targets/targets-release-standard-support.manualscripts/generate_targets.py
🚧 Files skipped from review as they are similar to previous changes (2)
- release-targets/targets-release-standard-support.manual
- release-targets/README.md
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replace literal Debian / Ubuntu codenames in
release-targets/*.manualand the hardcoded sections ofscripts/generate_targets.pywith two symbolic tokens —DEBIANandUBUNTU— that get substituted with real codenames at generation time. Each of the four output files gets its own (debian, ubuntu) flag pair, so promoting any release line is a single CLI flag flip instead of a multi-place rename.What gets templated
Symbol → was-literal:
DEBIANtrixieDEBIANforkyUBUNTUnobleUBUNTUresoluteRELEASE: sid(apps-kali) stays literal — Kali tracks Debian unstable forever, that's not a "current Debian stable" pin.Per-scope flags
Defaults reproduce the previous literal pins exactly — running with no flags is bit-identical to the pre-refactor output (modulo the symbolic-token round-trip).
exposed.map follows too
generate_exposed_mapregex patterns previously had_trixie_and_noble_hardcoded — separate from the YAML-output flags. Promoting via--*-standardwould then update the*.yamlfiles but exposed.map would keep matching old codenames, and "recommended images" on the website would silently drop off.Now
generate_exposed_maptakes the four codenames (debian/ubuntu × standard/community) as keyword args; per-board it picks the right pair based onboard_type(stable boards → standard flags; community boards → community flags) and bakes that pair into the regex pattern strings. A single flag flip atomically updates both the build matrix and the recommended-images filter.Workflow
.github/workflows/generate-build-lists.yamlexposes all 8 asworkflow_dispatch.inputswith matching defaults. TheRun generate_targets.pystep uses${{ inputs.X || 'default' }}so push /repository_dispatchtriggers (which don't carry inputs) still get the right defaults.Promoting Ubuntu standard to resolute, for example, becomes:
ubuntu_standardinput toresoluteNo code changes, no PR, no rename.
Substitution mechanics
resolve_release_tokens()usesre.sub(r'RELEASE:\s*<TOKEN>\b', ...)— handlesRELEASE: UBUNTU,RELEASE: UBUNTU, etc., refuses to touch block keys / comments that happen to contain the literal word "noble" or "trixie", and the\banchor prevents false-matchingUBUNTU_FOO-style identifiers.Commit history
e1e5c5d— first attempt at the wrong abstraction (manual stable/oldstable block split pinned to literal codenames). Made obsolete by the next four.6590973— substitution refactor: symbolic tokens + per-scope CLI flags + workflow inputs.a880d47— descriptive YAML comments lose their codename word now that the codename is dynamic.e7f6df2—generate_exposed_mapthreaded with the per-scope codenames so its regex patterns track the YAML output.ea38a33— drop e1e5c5d's structural additions (the stable/oldstable block split is duplicate output under the substitution model).Test plan
python3 scripts/generate_targets.py --helplists all 8 per-scope flags with correct defaultsresolve_release_tokensround-trip verified on UBUNTU / DEBIAN tokens, whitespace variants, word-boundary safety, and block-key safetygenerate_exposed_mapsmoke test confirmed: stable board uses--*-standardcodenames, community board uses--*-communitycodenames, defaults produce the same patterns as beforeubuntu_nightly=oracularproduces nightly YAML targeting oracular while standard stays on noble