Attach cosign+syft SBOM attestations to crane-pushed installer and
release images to satisfy Docker Scout supply chain policy. Replace
docker tag/push with crane copy for the release target. Remove the
Scout CVE scan target and clean up release notes.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add MPL 2.0 LICENSE file for compliance
- Add license section and upstream attribution to README
- Upgrade provenance attestation from mode=min to mode=max
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Patch sbc-raspberrypi5 overlay to use Go 1.24.13 (fixes 1C/7H/12M/1L CVEs)
- Add ATTESTATION_ARGS (--provenance=true --sbom=true) to all buildx targets
- Override upstream --provenance=false via TARGET_ARGS (last flag wins)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Rewrite check-upstream.sh to parse RPi kernel version from patch file
- Add auto-update.sh for automated version bumps with patch smoke test
- Rewrite check-updates.yaml as daily auto-build with issue fallback
- Update build.yaml release body to show Talos + kernel versions from tag
- Fix overlay dirty tag: remove --dirty from SBCOVERLAY_TAG git describe
(the sed rewrite of pkg.yaml is intentional, not an accidental change)
Tag strategy: v{TALOS}-k{KERNEL}-{BUILD} (e.g. v1.12.3-k6.12.47-1)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Patch was stale — regenerated from the working checkout to match
the v1.12.3 hack/modules-arm64.txt index.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The talos patch was incorrectly replaced with pkgs-repo changes
(Pkgfile, kernel config). Restored the correct patch that modifies
hack/modules-arm64.txt in the talos checkout.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Regenerated patches to match current upstream checkouts:
- pkgs: updated kernel version, checksums, and config-arm64
- talos: reworked to patch Pkgfile, kernel config, and pkg.yaml
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add `scout` Makefile target that scans all 5 pushed images with
`docker scout quickview` and writes a summary to _out/scout-report.md
- Switch all CI workflow steps from `make` to `gmake` for GNU Make 4.x
- Add brew dependency step for make, gnu-sed, and crane
- Include CVE summary in Gitea release notes via jq JSON escaping
- Update `clean` target to remove _out/ directory
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The act_runner can't resolve Forgejo actions from Codeberg.
Use direct Gitea API calls for release creation and artifact
upload instead — simpler and no external dependencies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Update workflows from linux/arm64 to macOS/arm64 runner labels.
Replace GitHub Actions for Docker setup with direct commands
compatible with Docker Desktop on macOS.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace DOCKERHUB_USERNAME/DOCKERHUB_TOKEN with the existing org-level
secrets. Use automatic GITHUB_TOKEN for Gitea release creation.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The image supports both RPi 5 and CM5 (same SoC/RP1), so talos-rpi5
is a better public-facing name. The internal build still produces
an installer image which gets retagged to svrnty/talos-rpi5:<tag>
in the release target.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
