Add LICENSE, update README, upgrade provenance to max-mode

- Add MPL 2.0 LICENSE file for compliance
- Add license section and upstream attribution to README
- Upgrade provenance attestation from mode=min to mode=max

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/build.yaml

@@ -96,10 +96,14 @@ jobs:
             SCOUT_SECTION=$(cat _out/scout-report.md)
           fi
 
+          # Extract component versions from tag (format: v1.12.3-k6.12.47-1)
+          TALOS_VER=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
+          KERNEL_VER=$(echo "$TAG" | sed -E 's/.*-k([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
+
           RELEASE_BODY="Custom Talos Linux image for Raspberry Pi 5 / CM5 (Compute Blade)
 
-          **Talos version**: ${TAG}
-          **Kernel**: RPi downstream (CM5/RP1 support)
+          **Talos**: ${TALOS_VER}
+          **Kernel**: RPi downstream ${KERNEL_VER} (CM5/RP1 support)
           **Extensions**: iscsi-tools, util-linux-tools
           **Overclock**: 2.6GHz (arm_freq=2600)
 

.gitea/workflows/check-updates.yaml

@@ -1,25 +1,32 @@
-# Check for upstream Talos and RPi kernel updates
+# Daily upstream update check with auto-build
 #
-# Runs on a schedule and creates a Gitea issue when new versions are found.
-# This is notification-only — builds require manual tag push after verifying
-# patches still apply.
+# Detects new Talos OS and RPi kernel versions, applies updates,
+# smoke-tests patches, and pushes a release tag (which triggers build.yaml).
+# Falls back to creating a Gitea issue if patches fail to apply.
 
 name: Check Upstream Updates
 
 on:
   schedule:
-    # Run weekly on Monday at 08:00 UTC
-    - cron: '0 8 * * 1'
+    - cron: '0 8 * * *'    # Daily at 08:00 UTC
   workflow_dispatch:
 
 jobs:
-  check-updates:
+  check-and-build:
     runs-on: [self-hosted, macos]
-    timeout-minutes: 10
+    timeout-minutes: 15
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0    # Need full history for tag-based build numbering
+
+      - name: Install dependencies
+        run: |
+          for pkg in make gnu-sed crane jq; do
+            brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
+          done
 
       - name: Check for upstream updates
         id: check
@@ -27,95 +34,83 @@ jobs:
           chmod +x scripts/check-upstream.sh
           scripts/check-upstream.sh >> "$GITHUB_OUTPUT"
 
-      - name: Create issue for Talos update
-        if: steps.check.outputs.talos_update == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const currentVersion = '${{ steps.check.outputs.talos_current }}';
-            const latestVersion = '${{ steps.check.outputs.talos_latest }}';
-            const title = `Talos update available: ${currentVersion} → ${latestVersion}`;
+      - name: Run auto-update
+        if: steps.check.outputs.talos_update == 'true' || steps.check.outputs.rpi_update == 'true'
+        id: update
+        env:
+          TALOS_UPDATE: ${{ steps.check.outputs.talos_update }}
+          RPI_UPDATE: ${{ steps.check.outputs.rpi_update }}
+          LATEST_TALOS: ${{ steps.check.outputs.talos_latest }}
+          LATEST_RPI_TAG: ${{ steps.check.outputs.rpi_latest }}
+        run: |
+          chmod +x scripts/auto-update.sh
+          scripts/auto-update.sh >> "$GITHUB_OUTPUT"
 
-            // Check if an open issue already exists
-            const issues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'upstream-update',
-            });
+      - name: Commit and tag
+        if: steps.update.outputs.patch_failed != 'true' && steps.update.outputs.new_tag != ''
+        env:
+          NEW_TAG: ${{ steps.update.outputs.new_tag }}
+        run: |
+          git config user.name "Gitea Actions"
+          git config user.email "actions@openharbor.io"
+          git add -A
+          git commit -m "Bump upstream: ${NEW_TAG}"
+          git tag "$NEW_TAG"
+          git push origin main --tags
 
-            const existing = issues.data.find(i => i.title.includes('Talos update'));
-            if (existing) {
-              console.log(`Issue already exists: #${existing.number}`);
-              return;
-            }
+      - name: Create issue on patch failure
+        if: steps.update.outputs.patch_failed == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TALOS_CURRENT: ${{ steps.check.outputs.talos_current }}
+          TALOS_LATEST: ${{ steps.check.outputs.talos_latest }}
+          TALOS_UPDATE: ${{ steps.check.outputs.talos_update }}
+          RPI_CURRENT: ${{ steps.check.outputs.rpi_current }}
+          RPI_LATEST: ${{ steps.check.outputs.rpi_latest }}
+          RPI_UPDATE: ${{ steps.check.outputs.rpi_update }}
+        run: |
+          GITEA_URL="${GITHUB_SERVER_URL}"
+          REPO="${GITHUB_REPOSITORY}"
+          API="${GITEA_URL}/api/v1"
 
-            await github.rest.issues.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title: title,
-              body: [
-                `## Talos Update Available`,
-                ``,
-                `| | Version |`,
-                `|---|---|`,
-                `| Current | \`${currentVersion}\` |`,
-                `| Latest  | \`${latestVersion}\` |`,
-                ``,
-                `### Steps`,
-                `1. Update \`TALOS_VERSION\` in \`Makefile\``,
-                `2. Verify patches still apply: \`make checkouts patches\``,
-                `3. If patches fail, port them to the new version`,
-                `4. Push a version tag to trigger the build pipeline`,
-                ``,
-                `### Links`,
-                `- [Talos Release Notes](https://github.com/siderolabs/talos/releases/tag/${latestVersion})`,
-              ].join('\n'),
-              labels: ['upstream-update', 'talos'],
-            });
+          BODY="## Upstream update requires manual patch porting
 
-      - name: Create issue for RPi kernel update
-        if: steps.check.outputs.rpi_update == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const currentVersion = '${{ steps.check.outputs.rpi_current }}';
-            const latestVersion = '${{ steps.check.outputs.rpi_latest }}';
-            const title = `RPi kernel update available: ${currentVersion} → ${latestVersion}`;
+          Automated patch application failed. Manual intervention needed.
 
-            const issues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'upstream-update',
-            });
+          | Component | Current | Latest | Update? |
+          |-----------|---------|--------|---------|
+          | Talos     | \`${TALOS_CURRENT}\` | \`${TALOS_LATEST}\` | ${TALOS_UPDATE} |
+          | RPi kernel | \`${RPI_CURRENT}\` | \`${RPI_LATEST}\` | ${RPI_UPDATE} |
 
-            const existing = issues.data.find(i => i.title.includes('RPi kernel update'));
-            if (existing) {
-              console.log(`Issue already exists: #${existing.number}`);
-              return;
-            }
+          ### Steps
+          1. Check out this repo and run \`scripts/auto-update.sh\` to see what fails
+          2. Port patches to the new upstream version
+          3. Verify: \`gmake checkouts patches && gmake checkouts-clean\`
+          4. Push changes — the next scheduled run will pick them up
 
-            await github.rest.issues.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title: title,
-              body: [
-                `## RPi Kernel Update Available`,
-                ``,
-                `| | Version |`,
-                `|---|---|`,
-                `| Current (in pkgs patch) | \`${currentVersion}\` |`,
-                `| Latest stable           | \`${latestVersion}\` |`,
-                ``,
-                `### Steps`,
-                `1. Update the kernel version in the pkgs patch`,
-                `2. Verify the patch still applies: \`make checkouts patches\``,
-                `3. Test build: \`make kernel\``,
-                `4. Push a version tag to trigger the full build pipeline`,
-                ``,
-                `### Links`,
-                `- [RPi Linux Releases](https://github.com/raspberrypi/linux/tags)`,
-              ].join('\n'),
-              labels: ['upstream-update', 'kernel'],
-            });
+          ### Links
+          - [Talos Releases](https://github.com/siderolabs/talos/releases)
+          - [RPi Linux Tags](https://github.com/raspberrypi/linux/tags)"
+
+          # Strip leading whitespace from heredoc-style indentation
+          BODY=$(echo "$BODY" | sed 's/^          //')
+          BODY_JSON=$(jq -Rs '.' <<< "$BODY")
+
+          # Check for existing open issue to avoid duplicates
+          EXISTING=$(curl -sf \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            "${API}/repos/${REPO}/issues?state=open&type=issues&labels=upstream-update" \
+            | jq -r '[.[] | select(.title | contains("manual patch"))][0].id // empty')
+
+          if [ -n "$EXISTING" ]; then
+            echo "Issue already exists (id: $EXISTING), skipping creation"
+            exit 0
+          fi
+
+          curl -sf -X POST \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"title\":\"Upstream update requires manual patch porting\",\"body\":${BODY_JSON},\"labels\":[\"upstream-update\"]}" \
+            "${API}/repos/${REPO}/issues"
+
+          echo "Created issue for manual patch porting"

LICENSE

@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

Makefile

@@ -45,11 +45,14 @@ PATCHES_DIRECTORY := $(PWD)/patches
 
 PKGS_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/pkgs && git describe --tag --always --dirty --match v[0-9]\*)
 TALOS_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/talos && git describe --tag --always --dirty --match v[0-9]\*)
-SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git describe --tag --always --dirty)-$(PKGS_TAG)
+SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git describe --tag --always)-$(PKGS_TAG)
 
 # Build the --system-extension-image flags from the EXTENSIONS list
 EXTENSION_FLAGS = $(foreach ext,$(EXTENSIONS),--system-extension-image=$(ext))
 
+# Supply chain attestation flags (overrides upstream --provenance=false)
+ATTESTATION_ARGS = --provenance=mode=max --sbom=true
+
 # Common imager flags for overlay and extensions
 IMAGER_COMMON_FLAGS = \
 	--overlay-name="rpi5" \
@@ -103,7 +106,7 @@ checkouts-clean:
 #
 # Patches
 #
-.PHONY: patches-pkgs patches-talos patches
+.PHONY: patches-pkgs patches-talos patches-overlay patches
 patches-pkgs:
 	cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
 		git am "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch
@@ -112,7 +115,11 @@ patches-talos:
 	cd "$(CHECKOUTS_DIRECTORY)/talos" && \
 		git am "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch
 
-patches: patches-pkgs patches-talos
+patches-overlay:
+	cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
+		git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/"*.patch
+
+patches: patches-pkgs patches-talos patches-overlay
 
 #
 # Kernel — build and push the RPi downstream kernel
@@ -121,7 +128,7 @@ patches: patches-pkgs patches-talos
 kernel:
 	cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
 		$(MAKE) docker-kernel \
-			TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true" \
+			TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true $(ATTESTATION_ARGS)" \
 			PLATFORM=linux/arm64
 
 #
@@ -138,7 +145,7 @@ overlay:
 		rm -f "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5/internal/base/pkg.yaml.bak"
 	cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
 		$(MAKE) docker-sbc-raspberrypi5 \
-			TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true" \
+			TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true $(ATTESTATION_ARGS)" \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64
 
 #
@@ -160,13 +167,13 @@ installer:
 			PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
 			target-imager \
-			TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true" && \
+			TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
 		$(MAKE) \
 			REGISTRY=$(REGISTRY) USERNAME=$(REGISTRY_USERNAME) \
 			PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
 			target-installer-base \
-			TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true" && \
+			TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
 		docker pull $(IMAGER_IMAGE):$(TALOS_TAG) && \
 		docker run --rm -t -v ./_out:/out --privileged --network=host \
 			$(IMAGER_IMAGE):$(TALOS_TAG) \

README.md

@@ -92,4 +92,18 @@ patches/
   siderolabs/
     pkgs/0001-*.patch      # RPi kernel patch
     talos/0001-*.patch     # Module list patch
+  talos-rpi5/
+    sbc-raspberrypi5/      # Overlay patches (Go toolchain bump)
 ```
+
+## License
+
+This project is licensed under the [Mozilla Public License 2.0](LICENSE).
+
+It builds upon the following MPL 2.0 licensed upstream projects:
+
+- [siderolabs/talos](https://github.com/siderolabs/talos) — Talos Linux OS
+- [siderolabs/pkgs](https://github.com/siderolabs/pkgs) — Talos package definitions
+- [talos-rpi5/sbc-raspberrypi5](https://github.com/talos-rpi5/sbc-raspberrypi5) — Raspberry Pi 5 SBC overlay
+
+Our patches to these projects are in the `patches/` directory and are distributed under the same MPL 2.0 terms.

patches/talos-rpi5/sbc-raspberrypi5/0001-Bump-Go-toolchain-to-1.24.13.patch

@@ -0,0 +1,38 @@
+From 69f14c84e9e458dcff24905145cac8557c0e2965 Mon Sep 17 00:00:00 2001
+From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
+Date: Fri, 13 Feb 2026 15:25:26 -0500
+Subject: [PATCH] Bump Go toolchain to 1.24.13 to fix stdlib CVEs
+
+---
+ go.work                    | 4 +++-
+ installers/rpi5/src/go.mod | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/go.work b/go.work
+index f4dafe7..798ea43 100644
+--- a/go.work
++++ b/go.work
+@@ -1,3 +1,5 @@
+-go 1.24.0
++go 1.24.13
++
++toolchain go1.24.13
+ 
+ use ./installers/rpi5/src
+diff --git a/installers/rpi5/src/go.mod b/installers/rpi5/src/go.mod
+index 50b72d5..af5f5f8 100644
+--- a/installers/rpi5/src/go.mod
++++ b/installers/rpi5/src/go.mod
+@@ -1,6 +1,8 @@
+ module rpi_generic
+ 
+-go 1.24.0
++go 1.24.13
++
++toolchain go1.24.13
+ 
+ require (
+ 	github.com/siderolabs/go-copy v0.1.0
+-- 
+2.50.1 (Apple Git-155)
+

scripts/auto-update.sh

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# Auto-update upstream versions, verify patches, and generate a release tag
+#
+# Expects environment variables from check-upstream.sh:
+#   TALOS_UPDATE, RPI_UPDATE, LATEST_TALOS, LATEST_RPI_TAG
+#
+# Outputs (for GitHub Actions):
+#   patch_failed=true   — if patches fail to apply (caller should create issue)
+#   new_tag=<tag>       — the computed release tag (e.g. v1.12.3-k6.12.47-1)
+#
+# Usage:
+#   TALOS_UPDATE=true LATEST_TALOS=v1.13.0 ./scripts/auto-update.sh >> "$GITHUB_OUTPUT"
+
+set -euo pipefail
+
+TALOS_UPDATE=${TALOS_UPDATE:-false}
+RPI_UPDATE=${RPI_UPDATE:-false}
+LATEST_TALOS=${LATEST_TALOS:-}
+LATEST_RPI_TAG=${LATEST_RPI_TAG:-}
+
+MAKEFILE="Makefile"
+PATCH_FILE="patches/siderolabs/pkgs/0001-Patched-for-Raspberry-Pi-5.patch"
+
+# Helper: extract kernel semver (e.g. 6.12.47) from the RPi repo Makefile
+get_kernel_version() {
+  local tag="$1"
+  curl -sf "https://raw.githubusercontent.com/raspberrypi/linux/${tag}/Makefile" \
+    | awk '
+      /^VERSION/     { version=$3 }
+      /^PATCHLEVEL/  { patchlevel=$3 }
+      /^SUBLEVEL/    { sublevel=$3 }
+      END { print version "." patchlevel "." sublevel }
+    '
+}
+
+# ── RPi kernel update ───────────────────────────────────────────────
+if [ "$RPI_UPDATE" = "true" ] && [ -n "$LATEST_RPI_TAG" ]; then
+  echo "Updating RPi kernel to $LATEST_RPI_TAG ..." >&2
+
+  # Download tarball and compute checksums
+  TARBALL_URL="https://github.com/raspberrypi/linux/archive/refs/tags/${LATEST_RPI_TAG}.tar.gz"
+  TMP=$(mktemp)
+  curl -sL "$TARBALL_URL" -o "$TMP"
+  NEW_SHA256=$(shasum -a 256 "$TMP" | awk '{print $1}')
+  NEW_SHA512=$(shasum -a 512 "$TMP" | awk '{print $1}')
+  rm -f "$TMP"
+
+  echo "  SHA256: $NEW_SHA256" >&2
+  echo "  SHA512: $NEW_SHA512" >&2
+
+  # Get actual kernel version for the config header
+  KERNEL_VERSION=$(get_kernel_version "$LATEST_RPI_TAG")
+  echo "  Kernel version: $KERNEL_VERSION" >&2
+
+  # Update patch file
+  sed -i "s/+  linux_version: .*/+  linux_version: ${LATEST_RPI_TAG}/" "$PATCH_FILE"
+  sed -i "s/+  linux_sha256: .*/+  linux_sha256: ${NEW_SHA256}/" "$PATCH_FILE"
+  sed -i "s/+  linux_sha512: .*/+  linux_sha512: ${NEW_SHA512}/" "$PATCH_FILE"
+  sed -i "s|+# Linux/arm64 .* Kernel Configuration|+# Linux/arm64 ${KERNEL_VERSION} Kernel Configuration|" "$PATCH_FILE"
+fi
+
+# ── Talos update ────────────────────────────────────────────────────
+if [ "$TALOS_UPDATE" = "true" ] && [ -n "$LATEST_TALOS" ]; then
+  echo "Updating Talos to $LATEST_TALOS ..." >&2
+
+  # Update TALOS_VERSION in Makefile
+  sed -i "s/^TALOS_VERSION = .*/TALOS_VERSION = ${LATEST_TALOS}/" "$MAKEFILE"
+
+  # Derive matching PKG_VERSION (same major.minor as Talos)
+  PKG_MINOR=$(echo "$LATEST_TALOS" | sed -E 's/^(v[0-9]+\.[0-9]+)\..*/\1/')
+  LATEST_PKG=$(curl -sf "https://api.github.com/repos/siderolabs/pkgs/tags?per_page=20" \
+    | jq -r "[.[] | select(.name | startswith(\"${PKG_MINOR}\"))][0].name")
+
+  if [ -n "$LATEST_PKG" ] && [ "$LATEST_PKG" != "null" ]; then
+    echo "  Updating PKG_VERSION to $LATEST_PKG" >&2
+    sed -i "s/^PKG_VERSION = .*/PKG_VERSION = ${LATEST_PKG}/" "$MAKEFILE"
+  else
+    echo "  WARNING: No matching pkgs tag for $PKG_MINOR — keeping current PKG_VERSION" >&2
+  fi
+fi
+
+# ── Smoke test — verify patches apply ───────────────────────────────
+echo "Running patch smoke test ..." >&2
+if ! gmake checkouts patches; then
+  echo "Patches failed to apply!" >&2
+  gmake checkouts-clean 2>/dev/null || true
+  echo "patch_failed=true"
+  exit 0
+fi
+gmake checkouts-clean
+
+# ── Generate tag ────────────────────────────────────────────────────
+TALOS_VER=$(grep '^TALOS_VERSION' "$MAKEFILE" | awk '{print $NF}')
+RPI_TAG=$(grep '+  linux_version:' "$PATCH_FILE" | awk '{print $NF}')
+KERNEL_VER=$(get_kernel_version "$RPI_TAG")
+
+# Find next build number for this component combination
+TAG_PREFIX="${TALOS_VER}-k${KERNEL_VER}"
+LAST_BUILD=$(git tag -l "${TAG_PREFIX}-*" \
+  | sed "s|${TAG_PREFIX}-||" \
+  | sort -n \
+  | tail -1)
+NEXT_BUILD=$(( ${LAST_BUILD:-0} + 1 ))
+NEW_TAG="${TAG_PREFIX}-${NEXT_BUILD}"
+
+echo "Generated tag: $NEW_TAG" >&2
+echo "new_tag=$NEW_TAG"

scripts/check-upstream.sh

@@ -1,54 +1,57 @@
 #!/usr/bin/env bash
 # Check for upstream Talos and RPi kernel updates
 #
-# Compares current versions in Makefile against the latest GitHub releases.
-# Outputs GitHub Actions-compatible variables for use in CI workflows.
+# Compares current versions (from Makefile + pkgs patch) against the
+# latest GitHub releases/tags. Outputs GitHub Actions-compatible variables.
 #
 # Usage:
-#   ./scripts/check-upstream.sh           # Print results
+#   ./scripts/check-upstream.sh           # Print results to stdout/stderr
 #   ./scripts/check-upstream.sh >> "$GITHUB_OUTPUT"  # For CI
 
 set -euo pipefail
 
 MAKEFILE="${MAKEFILE:-Makefile}"
+PATCH_FILE="${PATCH_FILE:-patches/siderolabs/pkgs/0001-Patched-for-Raspberry-Pi-5.patch}"
 
-# Extract current versions from Makefile
-CURRENT_TALOS=$(grep '^TALOS_VERSION' "$MAKEFILE" | head -1 | awk '{print $NF}')
-CURRENT_PKG=$(grep '^PKG_VERSION' "$MAKEFILE" | head -1 | awk '{print $NF}')
+# ── Current versions ────────────────────────────────────────────────
+CURRENT_TALOS=$(grep '^TALOS_VERSION' "$MAKEFILE" | awk '{print $NF}')
+CURRENT_RPI_TAG=$(grep '+  linux_version:' "$PATCH_FILE" | awk '{print $NF}')
 
-echo "Current Talos version: $CURRENT_TALOS"
-echo "Current PKG version:   $CURRENT_PKG"
+echo "Current Talos version: $CURRENT_TALOS" >&2
+echo "Current RPi kernel tag: $CURRENT_RPI_TAG" >&2
 
-# Check latest Talos stable release
+# ── Latest versions from GitHub API ─────────────────────────────────
 LATEST_TALOS=$(curl -sf "https://api.github.com/repos/siderolabs/talos/releases/latest" \
-  | grep '"tag_name"' | sed -E 's/.*"tag_name": *"([^"]+)".*/\1/')
+  | jq -r '.tag_name')
 
-echo "Latest Talos release:  $LATEST_TALOS"
+LATEST_RPI_TAG=$(curl -sf "https://api.github.com/repos/raspberrypi/linux/tags?per_page=20" \
+  | jq -r '[.[] | select(.name | startswith("stable_"))][0].name')
 
-# Check latest RPi kernel stable tag (format: stable_YYYYMMDD)
-LATEST_RPI_KERNEL=$(curl -sf "https://api.github.com/repos/raspberrypi/linux/tags?per_page=10" \
-  | grep '"name"' | grep 'stable_' | head -1 | sed -E 's/.*"name": *"([^"]+)".*/\1/')
+echo "Latest Talos release:  $LATEST_TALOS" >&2
+echo "Latest RPi kernel tag: $LATEST_RPI_TAG" >&2
 
-echo "Latest RPi kernel tag: $LATEST_RPI_KERNEL"
-
-# Output for GitHub Actions
-echo "talos_current=$CURRENT_TALOS"
-echo "talos_latest=$LATEST_TALOS"
+# ── Determine what needs updating ───────────────────────────────────
+TALOS_UPDATE=false
+RPI_UPDATE=false
 
 if [ "$CURRENT_TALOS" != "$LATEST_TALOS" ]; then
-  echo "talos_update=true"
+  TALOS_UPDATE=true
   echo ">> Talos update available: $CURRENT_TALOS -> $LATEST_TALOS" >&2
 else
-  echo "talos_update=false"
   echo ">> Talos is up to date" >&2
 fi
 
-# For RPi kernel, we output what we found — the actual version tracking
-# depends on the pkgs patch content which references a specific kernel tag
-echo "rpi_current=check-patch"
-echo "rpi_latest=$LATEST_RPI_KERNEL"
+if [ "$CURRENT_RPI_TAG" != "$LATEST_RPI_TAG" ]; then
+  RPI_UPDATE=true
+  echo ">> RPi kernel update available: $CURRENT_RPI_TAG -> $LATEST_RPI_TAG" >&2
+else
+  echo ">> RPi kernel is up to date" >&2
+fi
 
-# We always flag RPi kernel for review since we can't easily parse the
-# patch to extract the exact pinned version
-echo "rpi_update=true"
-echo ">> RPi kernel latest stable: $LATEST_RPI_KERNEL (review patch manually)" >&2
+# ── Output for GitHub Actions ───────────────────────────────────────
+echo "talos_current=$CURRENT_TALOS"
+echo "talos_latest=$LATEST_TALOS"
+echo "talos_update=$TALOS_UPDATE"
+echo "rpi_current=$CURRENT_RPI_TAG"
+echo "rpi_latest=$LATEST_RPI_TAG"
+echo "rpi_update=$RPI_UPDATE"