NVMe kernel driver is already built-in (CONFIG_BLK_DEV_NVME=y). The
expected approach is simply dd'ing the metal image to NVMe and setting
EEPROM BOOT_ORDER=0xf416 + PCIE_PROBE=1. Pending hardware validation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The overlay was using console=ttyAMA0 (GPIO 14/15) but the RPi5 debug
UART is ttyAMA10 (JST connector between HDMI ports on Pi5, test pads
TP35/TP36 on CM5). Also adds earlycon for early boot output and disables
GPIO UART on Pi5 in config.txt to avoid U-Boot compatibility issues.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Force GRUB instead of sd-boot on arm64 and pass --no-nvram to
grub-install, working around the SetVariableRT firmware limitation
that prevents in-place upgrades on RPi5/CM5 hardware.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove the 16K page override from the kernel patch, preserving
upstream Talos's default 4K pages. RPi5 hardware works correctly
with 4K pages — the RPi Foundation's 16K default is a TLB
performance optimization (~5%), not a hardware requirement.
Benefits:
- Correct memory accounting (4x less overhead per page)
- Full software compatibility (jemalloc, Longhorn, F2FS, etc.)
- No OOM surprises on control-plane nodes
- Aligned with upstream Talos kernel config
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Document SetVariableRT upgrade failure, 16K page size implications,
serial console issue, and SBC install disk behavior
- Add production roadmap (4K pages, GRUB boot, serial fix, NVMe)
- Make overlay Go patch conditional: apply only on Go 1.24.x,
skip on 1.25+ where CVEs are already fixed upstream
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Docker Scout requires buildx-style provenance+SBOM, not cosign
attestations. Replace crane push with docker load + buildx build
(--provenance=mode=max --sbom=true) for the installer image. Use
buildx imagetools create for the release tag to preserve attestations.
Remove cosign/syft from CI.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Move CI/CD, runner setup, secrets, and project structure to
TECHNICAL.md. Streamline README as a user-facing guide with
install/upgrade instructions. Fix Docker badges for arm64.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Attach cosign+syft SBOM attestations to crane-pushed installer and
release images to satisfy Docker Scout supply chain policy. Replace
docker tag/push with crane copy for the release target. Remove the
Scout CVE scan target and clean up release notes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add MPL 2.0 LICENSE file for compliance
- Add license section and upstream attribution to README
- Upgrade provenance attestation from mode=min to mode=max
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Patch sbc-raspberrypi5 overlay to use Go 1.24.13 (fixes 1C/7H/12M/1L CVEs)
- Add ATTESTATION_ARGS (--provenance=true --sbom=true) to all buildx targets
- Override upstream --provenance=false via TARGET_ARGS (last flag wins)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rewrite check-upstream.sh to parse RPi kernel version from patch file
- Add auto-update.sh for automated version bumps with patch smoke test
- Rewrite check-updates.yaml as daily auto-build with issue fallback
- Update build.yaml release body to show Talos + kernel versions from tag
- Fix overlay dirty tag: remove --dirty from SBCOVERLAY_TAG git describe
(the sed rewrite of pkg.yaml is intentional, not an accidental change)
Tag strategy: v{TALOS}-k{KERNEL}-{BUILD} (e.g. v1.12.3-k6.12.47-1)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Patch was stale — regenerated from the working checkout to match
the v1.12.3 hack/modules-arm64.txt index.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The talos patch was incorrectly replaced with pkgs-repo changes
(Pkgfile, kernel config). Restored the correct patch that modifies
hack/modules-arm64.txt in the talos checkout.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Regenerated patches to match current upstream checkouts:
- pkgs: updated kernel version, checksums, and config-arm64
- talos: reworked to patch Pkgfile, kernel config, and pkg.yaml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add `scout` Makefile target that scans all 5 pushed images with
`docker scout quickview` and writes a summary to _out/scout-report.md
- Switch all CI workflow steps from `make` to `gmake` for GNU Make 4.x
- Add brew dependency step for make, gnu-sed, and crane
- Include CVE summary in Gitea release notes via jq JSON escaping
- Update `clean` target to remove _out/ directory
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The act_runner can't resolve Forgejo actions from Codeberg.
Use direct Gitea API calls for release creation and artifact
upload instead — simpler and no external dependencies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update workflows from linux/arm64 to macOS/arm64 runner labels.
Replace GitHub Actions for Docker setup with direct commands
compatible with Docker Desktop on macOS.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace DOCKERHUB_USERNAME/DOCKERHUB_TOKEN with the existing org-level
secrets. Use automatic GITHUB_TOKEN for Gitea release creation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The image supports both RPi 5 and CM5 (same SoC/RP1), so talos-rpi5
is a better public-facing name. The internal build still produces
an installer image which gets retagged to svrnty/talos-rpi5:<tag>
in the release target.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
