
fix(install): detect VERSION_CODENAME for kernel backport defaults#80

Merged
skullcrushercmd merged 1 commit into main from fix/kernel-backport-suite-codename
Apr 28, 2026

Conversation

@skullcrushercmd (Contributor)

Summary

ANYSCAN_KERNEL_BACKPORT_SUITE defaulted to bookworm-backports regardless of host. On the current Debian 13 (Trixie) AMI this means bookworm-backports/linux-image-cloud-amd64 resolves to 6.12.74-2~bpo12+1, exactly the kernel the metal already runs, so the opt-in completes "0 upgraded, 0 newly installed" and the operator gets a false green light without ever upgrading.

Source: PR #65 issuecomment-4338158487 (anygpt-48):

The current ANYSCAN_EC2_AMI_ID=ami-06e3e2b7faca0265d is Debian 13 (Trixie), not Debian 12 (Bookworm) — so bookworm-backports/linux-image-cloud-amd64 is at version 6.12.74-2~bpo12+1, which is the same kernel version the metal already runs. The opt-in completes successfully ("0 upgraded, 0 newly installed"), so the operator gets a green light without ever moving off 6.12.74.

What changed

  • install-external-deps.sh — new detect_debian_codename() helper reads /etc/os-release's VERSION_CODENAME. Default suite is <codename>-backports. On non-bookworm suites the default package switches to linux-image-amd64 (NOT linux-image-cloud-amd64 — the cloud image in trixie-backports is still 6.12 as of 2026-04). Sources-list path also follows the resolved suite (anyscan-<suite>.list).
  • ANYSCAN_OS_RELEASE_FILE env override added so the test suite can inject a synthetic os-release without touching /etc/os-release on the test host.
  • Operator-set ANYSCAN_KERNEL_BACKPORT_SUITE / _PACKAGE / _SOURCES_LIST still win.
  • Header comment block updated to document the new detection behavior + the cloud-vs-non-cloud package distinction.

Resolution per host

Host codename                    | Suite              | Package                 | Sources list
bookworm (Debian 12)             | bookworm-backports | linux-image-cloud-amd64 | anyscan-bookworm-backports.list
trixie (Debian 13, current AMI)  | trixie-backports   | linux-image-amd64       | anyscan-trixie-backports.list
missing/unreadable os-release    | bookworm-backports | linux-image-cloud-amd64 | (legacy fallback — unchanged)

Test plan

  • bash tools/test-install-external-deps-kernel-backport.sh → 30 assertions pass (18 existing cases 1-4 still green with the legacy bookworm pin, 12 new assertions in cases 5-6 covering codename auto-detection)
  • New cases:
    • Case 5 (Trixie): asserts apt-get install -t trixie-backports linux-image-amd64, sources-list at anyscan-trixie-backports.list, no bookworm artifacts created
    • Case 6 (Bookworm): asserts the legacy default still resolves to bookworm-backports / linux-image-cloud-amd64

🤖 Generated with Claude Code

ANYSCAN_KERNEL_BACKPORT_SUITE defaulted to bookworm-backports
regardless of host. On the current Debian 13 (Trixie) AMI this means
bookworm-backports/linux-image-cloud-amd64 resolves to 6.12.74 — the
same kernel the metal already runs — so the opt-in completes "0
upgraded, 0 newly installed" and the operator gets a false green
light without ever upgrading.

Detect /etc/os-release VERSION_CODENAME and default the suite to
<codename>-backports. Switch the default package to linux-image-amd64
(NOT linux-image-cloud-amd64) on non-bookworm suites, because
trixie-backports cloud-amd64 is still 6.12 as of 2026-04 — only the
non-cloud image jumps to 6.19.

Operator-set ANYSCAN_KERNEL_BACKPORT_SUITE / _PACKAGE / _SOURCES_LIST
still win — detection is just a smarter default. Source-list path is
also derived from the resolved suite so the file matches.

ANYSCAN_OS_RELEASE_FILE env override added so the test suite can
inject a synthetic os-release without touching /etc/os-release on the
test host.

See PR #65 issuecomment-4338158487 (anygpt-48 c6in.metal bench) for
the kernel-resolution trace.
@skullcrushercmd skullcrushercmd merged commit 6f564c8 into main Apr 28, 2026
@skullcrushercmd skullcrushercmd deleted the fix/kernel-backport-suite-codename branch April 28, 2026 19:34

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e09c5159fc


Comment thread: install-external-deps.sh

    local codename=""
    if [ -r "$release_file" ]; then
      # shellcheck source=/dev/null
      codename="$(. "$release_file" 2>/dev/null && printf '%s\n' "${VERSION_CODENAME:-}")"

P1: Parse os-release instead of sourcing it

detect_debian_codename() executes . "$release_file" where release_file is controllable via ANYSCAN_OS_RELEASE_FILE; this means arbitrary shell in that file will run as part of script startup (often as root), even when kernel backport install is disabled. Because this commit introduced the env override specifically for tests, a malformed or attacker-controlled file can now trigger command execution or early exits in production invocations that inherit environment variables. Read VERSION_CODENAME as data (e.g., grep/awk) rather than sourcing the file.

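The following is an added example, not code from this PR or from the install-external-deps.sh in the repository. It does two things the thread discusses: it reads VERSION_CODENAME from an os-release file as data (awk plus a charset check, never `.`/source, which is the Codex P1 point above), and it derives the suite / package / sources-list defaults and operator overrides exactly as the "What changed" section and the resolution table describe. The function names `read_os_release_codename` and `resolve_kernel_backport`, the `/etc/apt/sources.list.d` directory for the sources-list path, the `[a-z0-9]`-only codename check, and the sample os-release files are all assumptions made for the example; the project's real helper is called `detect_debian_codename()` and is not reproduced here.

```shell
#!/usr/bin/env bash
# Added example, not the project's code. Names, the codename charset check
# and the sources-list directory are assumptions; sample files are constructed.
set -u

# Read VERSION_CODENAME as data. The path may come from ANYSCAN_OS_RELEASE_FILE,
# i.e. from the environment, so it is treated as untrusted input, not as shell.
read_os_release_codename() {
  local file="${1:-/etc/os-release}" value
  [ -r "$file" ] || { printf '\n'; return 0; }
  # Last VERSION_CODENAME= line wins (same precedence sourcing would give);
  # everything after the first '=' is the raw value, comments never match.
  value="$(awk -F= '$1 == "VERSION_CODENAME" { v = substr($0, index($0, "=") + 1) } END { print v }' "$file")"
  # os-release values may be wrapped in double or single quotes.
  case "$value" in
    \"*\"|\'*\') value="${value#?}"; value="${value%?}" ;;
  esac
  # The codename is spliced into an apt suite name (-t <codename>-backports) and a
  # file name under sources.list.d, so refuse anything but a plain lowercase word.
  # A hostile value such as 'trixie"; touch /x' falls through to the legacy defaults.
  case "$value" in
    ''|*[!a-z0-9]*) printf '\n' ;;
    *) printf '%s\n' "$value" ;;
  esac
}

# Resolve suite, package and sources-list path as the PR describes:
# operator-set values win; otherwise <codename>-backports, linux-image-cloud-amd64
# on bookworm and linux-image-amd64 elsewhere; missing/unparseable os-release
# keeps the legacy bookworm pin. Prints "suite package sources-list" on one line.
resolve_kernel_backport() {
  local os_release="${1:-${ANYSCAN_OS_RELEASE_FILE:-/etc/os-release}}"
  local codename suite package sources_list
  codename="$(read_os_release_codename "$os_release")"
  [ -n "$codename" ] || codename="bookworm"
  suite="${ANYSCAN_KERNEL_BACKPORT_SUITE:-${codename}-backports}"
  if [ -n "${ANYSCAN_KERNEL_BACKPORT_PACKAGE:-}" ]; then
    package="$ANYSCAN_KERNEL_BACKPORT_PACKAGE"
  elif [ "$suite" = "bookworm-backports" ]; then
    package="linux-image-cloud-amd64"
  else
    package="linux-image-amd64"
  fi
  # Directory is an assumption; the PR only states the anyscan-<suite>.list name.
  sources_list="${ANYSCAN_KERNEL_BACKPORT_SOURCES_LIST:-/etc/apt/sources.list.d/anyscan-${suite}.list}"
  printf '%s %s %s\n' "$suite" "$package" "$sources_list"
}

# Constructed sample os-release files in a scratch directory (not real hosts).
demo_dir="$(mktemp -d)"
printf 'PRETTY_NAME="Debian GNU/Linux 13 (trixie)"\nID=debian\nVERSION_CODENAME=trixie\n' > "$demo_dir/trixie"
printf 'ID=debian\nVERSION_CODENAME="bookworm"\n' > "$demo_dir/bookworm"
# Hostile file: sourcing it would run the touch; parsing rejects the value instead.
printf 'VERSION_CODENAME="trixie"; touch "%s/pwned"\n' "$demo_dir" > "$demo_dir/hostile"

resolve_kernel_backport "$demo_dir/trixie"          # trixie-backports linux-image-amd64 ...
resolve_kernel_backport "$demo_dir/bookworm"        # bookworm-backports linux-image-cloud-amd64 ...
resolve_kernel_backport "$demo_dir/hostile"         # legacy bookworm defaults, nothing executed
resolve_kernel_backport "$demo_dir/does-not-exist"  # legacy bookworm defaults
if [ ! -e "$demo_dir/pwned" ]; then
  echo "hostile os-release was parsed as data, not executed"
fi
rm -rf "$demo_dir"
```

Point the resolver at a synthetic file with `ANYSCAN_OS_RELEASE_FILE=/path/to/file` (or pass the path as the first argument) to reproduce the test suite's injection without touching the host's /etc/os-release; because the value is only ever read, the file can be world-writable or attacker-controlled and the worst outcome is a fall-back to the legacy bookworm pin.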
