Add opentree fallback patch for RPi downstream kernel (<6.15)

Talos assumes bare metal kernels support open_tree on anonymous FS
(added in 6.15). The RPi downstream kernel (6.12.x) does not, causing
shadow bind mount failures for /etc files and cascading network init
failures. This patch removes the InContainer() gate so the capability
check runs on all platforms.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/build.yaml

@@ -33,6 +33,7 @@ jobs:
           for pkg in make gnu-sed crane; do
             brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
           done
+          echo "/opt/homebrew/opt/gnu-sed/libexec/gnubin" >> "$GITHUB_PATH"
           gmake --version | head -1
 
       - name: Set up Docker Buildx
@@ -66,9 +67,6 @@ jobs:
       - name: Tag release images
         run: gmake release TAG=${{ steps.version.outputs.tag }}
 
-      - name: Run Docker Scout CVE scan
-        run: gmake scout
-
       - name: Compress disk image
         run: |
           # The imager outputs to checkouts/talos/_out/
@@ -91,24 +89,20 @@ jobs:
           REPO="${GITHUB_REPOSITORY}"
           API="${GITEA_URL}/api/v1"
 
-          SCOUT_SECTION=""
-          if [ -f _out/scout-report.md ]; then
-            SCOUT_SECTION=$(cat _out/scout-report.md)
-          fi
+          # Extract component versions from tag (format: v1.12.3-k6.12.47-1)
+          TALOS_VER=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
+          KERNEL_VER=$(echo "$TAG" | sed -E 's/.*-k([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
 
           RELEASE_BODY="Custom Talos Linux image for Raspberry Pi 5 / CM5 (Compute Blade)
 
-          **Talos version**: ${TAG}
-          **Kernel**: RPi downstream (CM5/RP1 support)
+          **Talos**: ${TALOS_VER}
+          **Kernel**: RPi downstream ${KERNEL_VER} (CM5/RP1 support)
           **Extensions**: iscsi-tools, util-linux-tools
           **Overclock**: 2.6GHz (arm_freq=2600)
 
           ## Artifacts
           - \`metal-arm64.raw.zst\` — Raw disk image for eMMC flashing
-          - \`docker.io/svrnty/talos-rpi5:${TAG}\` — Installer image for talosctl upgrade
-
-          ## Security Scan
-          ${SCOUT_SECTION}"
+          - \`docker.io/svrnty/talos-rpi5:${TAG}\` — Installer image for talosctl upgrade"
 
           # Strip leading whitespace from heredoc-style indentation
           RELEASE_BODY=$(echo "$RELEASE_BODY" | sed 's/^          //')

.gitea/workflows/check-updates.yaml

@@ -1,25 +1,33 @@
-# Check for upstream Talos and RPi kernel updates
+# Daily upstream update check with auto-build
 #
-# Runs on a schedule and creates a Gitea issue when new versions are found.
-# This is notification-only — builds require manual tag push after verifying
-# patches still apply.
+# Detects new Talos OS and RPi kernel versions, applies updates,
+# smoke-tests patches, and pushes a release tag (which triggers build.yaml).
+# Falls back to creating a Gitea issue if patches fail to apply.
 
 name: Check Upstream Updates
 
 on:
   schedule:
-    # Run weekly on Monday at 08:00 UTC
-    - cron: '0 8 * * 1'
+    - cron: '0 8 * * *'    # Daily at 08:00 UTC
   workflow_dispatch:
 
 jobs:
-  check-updates:
+  check-and-build:
     runs-on: [self-hosted, macos]
-    timeout-minutes: 10
+    timeout-minutes: 15
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0    # Need full history for tag-based build numbering
+
+      - name: Install dependencies
+        run: |
+          for pkg in make gnu-sed crane jq; do
+            brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
+          done
+          echo "/opt/homebrew/opt/gnu-sed/libexec/gnubin" >> "$GITHUB_PATH"
 
       - name: Check for upstream updates
         id: check
@@ -27,95 +35,83 @@ jobs:
           chmod +x scripts/check-upstream.sh
           scripts/check-upstream.sh >> "$GITHUB_OUTPUT"
 
-      - name: Create issue for Talos update
-        if: steps.check.outputs.talos_update == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const currentVersion = '${{ steps.check.outputs.talos_current }}';
-            const latestVersion = '${{ steps.check.outputs.talos_latest }}';
-            const title = `Talos update available: ${currentVersion} → ${latestVersion}`;
+      - name: Run auto-update
+        if: steps.check.outputs.talos_update == 'true' || steps.check.outputs.rpi_update == 'true'
+        id: update
+        env:
+          TALOS_UPDATE: ${{ steps.check.outputs.talos_update }}
+          RPI_UPDATE: ${{ steps.check.outputs.rpi_update }}
+          LATEST_TALOS: ${{ steps.check.outputs.talos_latest }}
+          LATEST_RPI_TAG: ${{ steps.check.outputs.rpi_latest }}
+        run: |
+          chmod +x scripts/auto-update.sh
+          scripts/auto-update.sh >> "$GITHUB_OUTPUT"
 
-            // Check if an open issue already exists
-            const issues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'upstream-update',
-            });
+      - name: Commit and tag
+        if: steps.update.outputs.patch_failed != 'true' && steps.update.outputs.new_tag != ''
+        env:
+          NEW_TAG: ${{ steps.update.outputs.new_tag }}
+        run: |
+          git config user.name "Gitea Actions"
+          git config user.email "actions@openharbor.io"
+          git add -A
+          git commit -m "Bump upstream: ${NEW_TAG}"
+          git tag "$NEW_TAG"
+          git push origin main --tags
 
-            const existing = issues.data.find(i => i.title.includes('Talos update'));
-            if (existing) {
-              console.log(`Issue already exists: #${existing.number}`);
-              return;
-            }
+      - name: Create issue on patch failure
+        if: steps.update.outputs.patch_failed == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TALOS_CURRENT: ${{ steps.check.outputs.talos_current }}
+          TALOS_LATEST: ${{ steps.check.outputs.talos_latest }}
+          TALOS_UPDATE: ${{ steps.check.outputs.talos_update }}
+          RPI_CURRENT: ${{ steps.check.outputs.rpi_current }}
+          RPI_LATEST: ${{ steps.check.outputs.rpi_latest }}
+          RPI_UPDATE: ${{ steps.check.outputs.rpi_update }}
+        run: |
+          GITEA_URL="${GITHUB_SERVER_URL}"
+          REPO="${GITHUB_REPOSITORY}"
+          API="${GITEA_URL}/api/v1"
 
-            await github.rest.issues.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title: title,
-              body: [
-                `## Talos Update Available`,
-                ``,
-                `| | Version |`,
-                `|---|---|`,
-                `| Current | \`${currentVersion}\` |`,
-                `| Latest  | \`${latestVersion}\` |`,
-                ``,
-                `### Steps`,
-                `1. Update \`TALOS_VERSION\` in \`Makefile\``,
-                `2. Verify patches still apply: \`make checkouts patches\``,
-                `3. If patches fail, port them to the new version`,
-                `4. Push a version tag to trigger the build pipeline`,
-                ``,
-                `### Links`,
-                `- [Talos Release Notes](https://github.com/siderolabs/talos/releases/tag/${latestVersion})`,
-              ].join('\n'),
-              labels: ['upstream-update', 'talos'],
-            });
+          BODY="## Upstream update requires manual patch porting
 
-      - name: Create issue for RPi kernel update
-        if: steps.check.outputs.rpi_update == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const currentVersion = '${{ steps.check.outputs.rpi_current }}';
-            const latestVersion = '${{ steps.check.outputs.rpi_latest }}';
-            const title = `RPi kernel update available: ${currentVersion} → ${latestVersion}`;
+          Automated patch application failed. Manual intervention needed.
 
-            const issues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'upstream-update',
-            });
+          | Component | Current | Latest | Update? |
+          |-----------|---------|--------|---------|
+          | Talos     | \`${TALOS_CURRENT}\` | \`${TALOS_LATEST}\` | ${TALOS_UPDATE} |
+          | RPi kernel | \`${RPI_CURRENT}\` | \`${RPI_LATEST}\` | ${RPI_UPDATE} |
 
-            const existing = issues.data.find(i => i.title.includes('RPi kernel update'));
-            if (existing) {
-              console.log(`Issue already exists: #${existing.number}`);
-              return;
-            }
+          ### Steps
+          1. Check out this repo and run \`scripts/auto-update.sh\` to see what fails
+          2. Port patches to the new upstream version
+          3. Verify: \`gmake checkouts patches && gmake checkouts-clean\`
+          4. Push changes — the next scheduled run will pick them up
 
-            await github.rest.issues.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title: title,
-              body: [
-                `## RPi Kernel Update Available`,
-                ``,
-                `| | Version |`,
-                `|---|---|`,
-                `| Current (in pkgs patch) | \`${currentVersion}\` |`,
-                `| Latest stable           | \`${latestVersion}\` |`,
-                ``,
-                `### Steps`,
-                `1. Update the kernel version in the pkgs patch`,
-                `2. Verify the patch still applies: \`make checkouts patches\``,
-                `3. Test build: \`make kernel\``,
-                `4. Push a version tag to trigger the full build pipeline`,
-                ``,
-                `### Links`,
-                `- [RPi Linux Releases](https://github.com/raspberrypi/linux/tags)`,
-              ].join('\n'),
-              labels: ['upstream-update', 'kernel'],
-            });
+          ### Links
+          - [Talos Releases](https://github.com/siderolabs/talos/releases)
+          - [RPi Linux Tags](https://github.com/raspberrypi/linux/tags)"
+
+          # Strip leading whitespace from heredoc-style indentation
+          BODY=$(echo "$BODY" | sed 's/^          //')
+          BODY_JSON=$(jq -Rs '.' <<< "$BODY")
+
+          # Check for existing open issue to avoid duplicates
+          EXISTING=$(curl -sf \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            "${API}/repos/${REPO}/issues?state=open&type=issues&labels=upstream-update" \
+            | jq -r '[.[] | select(.title | contains("manual patch"))][0].id // empty')
+
+          if [ -n "$EXISTING" ]; then
+            echo "Issue already exists (id: $EXISTING), skipping creation"
+            exit 0
+          fi
+
+          curl -sf -X POST \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"title\":\"Upstream update requires manual patch porting\",\"body\":${BODY_JSON},\"labels\":[\"upstream-update\"]}" \
+            "${API}/repos/${REPO}/issues"
+
+          echo "Created issue for manual patch porting"

LICENSE

@@ -0,0 +1,373 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+---------------------------------------------------------
+
+  This Source Code Form is "Incompatible With Secondary Licenses", as
+  defined by the Mozilla Public License, v. 2.0.

Makefile

@@ -12,7 +12,7 @@
 #   make clean               # Remove checkouts and build artifacts
 
 PKG_VERSION = v1.12.0
-TALOS_VERSION = v1.12.3
+TALOS_VERSION = v1.12.4
 SBCOVERLAY_VERSION = main
 
 # Prefer GNU coreutils (macOS: brew install gnu-sed coreutils)
@@ -45,11 +45,14 @@ PATCHES_DIRECTORY := $(PWD)/patches
 
 PKGS_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/pkgs && git describe --tag --always --dirty --match v[0-9]\*)
 TALOS_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/talos && git describe --tag --always --dirty --match v[0-9]\*)
-SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git describe --tag --always --dirty)-$(PKGS_TAG)
+SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git describe --tag --always)-$(PKGS_TAG)
 
 # Build the --system-extension-image flags from the EXTENSIONS list
 EXTENSION_FLAGS = $(foreach ext,$(EXTENSIONS),--system-extension-image=$(ext))
 
+# Supply chain attestation flags (overrides upstream --provenance=false)
+ATTESTATION_ARGS = --provenance=mode=max --sbom=true
+
 # Common imager flags for overlay and extensions
 IMAGER_COMMON_FLAGS = \
 	--overlay-name="rpi5" \
@@ -71,7 +74,6 @@ help:
 	@echo "  overlay    — Build SBC overlay (U-Boot, firmware, DTBs)"
 	@echo "  installer  — Build Talos installer image + raw disk image"
 	@echo "  release    — Tag and push release images"
-	@echo "  scout      — Run Docker Scout CVE scan on all images"
 	@echo "  clean      — Remove checkouts and build artifacts"
 	@echo ""
 	@echo "Variables:"
@@ -103,7 +105,7 @@ checkouts-clean:
 #
 # Patches
 #
-.PHONY: patches-pkgs patches-talos patches
+.PHONY: patches-pkgs patches-talos patches-overlay patches
 patches-pkgs:
 	cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
 		git am "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch
@@ -112,7 +114,19 @@ patches-talos:
 	cd "$(CHECKOUTS_DIRECTORY)/talos" && \
 		git am "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch
 
-patches: patches-pkgs patches-talos
+patches-overlay:
+	@cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
+		GO_VER=$$(sed -n 's/^go //p' go.work | head -1) && \
+		GO_MINOR=$$(echo "$$GO_VER" | cut -d. -f1,2) && \
+		if [ "$$GO_MINOR" = "1.24" ]; then \
+			echo "Overlay Go $$GO_VER — applying Go toolchain patch (CVE fix)"; \
+			git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0001-"*.patch; \
+		else \
+			echo "Overlay Go $$GO_VER — skipping Go toolchain patch (CVEs fixed upstream)"; \
+		fi && \
+		git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/0002-"*.patch
+
+patches: patches-pkgs patches-talos patches-overlay
 
 #
 # Kernel — build and push the RPi downstream kernel
@@ -121,7 +135,7 @@ patches: patches-pkgs patches-talos
 kernel:
 	cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
 		$(MAKE) docker-kernel \
-			TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true" \
+			TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true $(ATTESTATION_ARGS)" \
 			PLATFORM=linux/arm64
 
 #
@@ -138,7 +152,7 @@ overlay:
 		rm -f "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5/internal/base/pkg.yaml.bak"
 	cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
 		$(MAKE) docker-sbc-raspberrypi5 \
-			TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true" \
+			TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true $(ATTESTATION_ARGS)" \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64
 
 #
@@ -160,13 +174,13 @@ installer:
 			PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
 			target-imager \
-			TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true" && \
+			TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
 		$(MAKE) \
 			REGISTRY=$(REGISTRY) USERNAME=$(REGISTRY_USERNAME) \
 			PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
 			target-installer-base \
-			TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true" && \
+			TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
 		docker pull $(IMAGER_IMAGE):$(TALOS_TAG) && \
 		docker run --rm -t -v ./_out:/out --privileged --network=host \
 			$(IMAGER_IMAGE):$(TALOS_TAG) \
@@ -174,6 +188,10 @@ installer:
 			--base-installer-image="$(INSTALLER_IMAGE):base-$(TALOS_TAG)" \
 			$(IMAGER_COMMON_FLAGS) && \
 		crane push ./_out/installer-arm64.tar $(INSTALLER_IMAGE):$(TALOS_TAG) && \
+		printf "FROM $(INSTALLER_IMAGE):$(TALOS_TAG)\n" | docker buildx build \
+			--platform linux/arm64 \
+			$(ATTESTATION_ARGS) \
+			-t $(INSTALLER_IMAGE):$(TALOS_TAG) --push - && \
 		docker \
 			run --rm -t -v ./_out:/out -v /dev:/dev --privileged \
 			$(IMAGER_IMAGE):$(TALOS_TAG) \
@@ -186,40 +204,9 @@ installer:
 #
 .PHONY: release
 release:
-	docker pull $(INSTALLER_IMAGE):$(TALOS_TAG) && \
-		docker tag $(INSTALLER_IMAGE):$(TALOS_TAG) $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG) && \
-		docker push $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG)
-
-#
-# Scout — Docker Scout CVE scan on all pushed images
-#
-SCOUT_REPORT := _out/scout-report.md
-SCOUT_IMAGES := \
-	$(KERNEL_IMAGE):$(PKGS_TAG) \
-	$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) \
-	$(IMAGER_IMAGE):$(TALOS_TAG) \
-	$(INSTALLER_IMAGE):base-$(TALOS_TAG) \
-	$(INSTALLER_IMAGE):$(TALOS_TAG)
-
-.PHONY: scout
-scout:
-	@mkdir -p _out
-	@if ! docker scout version >/dev/null 2>&1; then \
-		echo "Docker Scout not available -- skipping CVE scan." > $(SCOUT_REPORT); \
-		exit 0; \
-	fi
-	@echo "# Docker Scout CVE Summary" > $(SCOUT_REPORT)
-	@echo "" >> $(SCOUT_REPORT)
-	@for image in $(SCOUT_IMAGES); do \
-		echo "Scanning $$image ..."; \
-		echo "### $${image##*/}" >> $(SCOUT_REPORT); \
-		echo '```' >> $(SCOUT_REPORT); \
-		docker scout quickview "$$image" --platform linux/arm64 2>&1 >> $(SCOUT_REPORT) || \
-			echo "Scout scan failed for $$image" >> $(SCOUT_REPORT); \
-		echo '```' >> $(SCOUT_REPORT); \
-		echo "" >> $(SCOUT_REPORT); \
-	done
-	@echo "Scout report written to $(SCOUT_REPORT)"
+	docker buildx imagetools create \
+		-t $(REGISTRY)/$(REGISTRY_USERNAME)/$(IMAGE_NAME):$(TAG) \
+		$(INSTALLER_IMAGE):$(TALOS_TAG)
 
 #
 # Clean

README.md

@@ -1,95 +1,160 @@
 # Talos CM5 Builder
 
-Custom Talos Linux images for Raspberry Pi CM5 on Compute Blade hardware.
+Custom Talos Linux images for Raspberry Pi 5 / CM5 on Compute Blade hardware.
+
+<a href="https://hub.docker.com/r/svrnty/talos-rpi5" target="_blank"><img src="https://img.shields.io/docker/v/svrnty/talos-rpi5?sort=semver&label=talos-rpi5&logo=docker&arch=arm64" alt="Docker Hub"></a>
+<a href="https://hub.docker.com/r/svrnty/talos-rpi5" target="_blank"><img src="https://img.shields.io/docker/pulls/svrnty/talos-rpi5?logo=docker" alt="Docker Pulls"></a>
+<a href="https://hub.docker.com/r/svrnty/talos-rpi5" target="_blank"><img src="https://img.shields.io/docker/image-size/svrnty/talos-rpi5?sort=semver&logo=docker&arch=arm64" alt="Docker Image Size"></a>
 
 The official Talos Image Factory does not support CM5 — the mainline kernel lacks CM5 device trees and RP1 driver support. This builder uses the RPi downstream kernel (via [talos-rpi5/talos-builder](https://github.com/talos-rpi5/talos-builder) patches) to produce working CM5 images with our extensions and overclock config.
 
-## What it builds
+## Current versions
 
-- **Installer image** → `docker.io/svrnty/talos-rpi5:<tag>` (for `talosctl upgrade`)
-- **Raw disk image** → Gitea release `metal-arm64.raw.zst` (for eMMC flashing)
+| Component | Version |
+|-----------|---------|
+| Talos Linux | <a href="https://github.com/siderolabs/talos" target="_blank"><img src="https://img.shields.io/badge/talos-v1.12.4-blue?logo=kubernetes&logoColor=white" alt="Talos version"></a> |
+| RPi Kernel | <a href="https://github.com/raspberrypi/linux" target="_blank"><img src="https://img.shields.io/badge/kernel-6.12.47-blue?logo=linux&logoColor=white" alt="Kernel version"></a> |
+| iscsi-tools | <a href="https://github.com/siderolabs/extensions" target="_blank"><img src="https://img.shields.io/badge/iscsi--tools-v0.1.6-blue?logo=docker" alt="iscsi-tools version"></a> |
+| util-linux-tools | <a href="https://github.com/siderolabs/extensions" target="_blank"><img src="https://img.shields.io/badge/util--linux--tools-2.40.4-blue?logo=docker" alt="util-linux-tools version"></a> |
 
-Baked-in config:
-- RPi downstream kernel with CM5/RP1 support
-- Overclock: 2.6GHz (`arm_freq=2600`, `over_voltage_delta=50000`, `arm_boost=1`)
-- Extensions: `iscsi-tools`, `util-linux-tools`
+## Image tags
+
+Release images are published to <a href="https://hub.docker.com/r/svrnty/talos-rpi5" target="_blank"><code>docker.io/svrnty/talos-rpi5</code></a> with the format:
+
+```
+v<talos>-k<kernel>-<revision>
+```
+
+For example: `v1.12.4-k6.12.47-1`
+
+| Segment | Meaning |
+|---------|---------|
+| `v1.12.4` | Upstream Talos Linux version |
+| `k6.12.47` | RPi downstream kernel version |
+| `2` | Build revision (bumped for config/patch changes on the same upstream versions) |
 
 ## Usage
 
-### Building locally (ARM64 host required)
+### Install from raw disk image
+
+Download `metal-arm64.raw.zst` from the [latest release](../../releases/latest) and flash to eMMC:
 
 ```bash
-make checkouts patches   # Clone and patch sources
-make kernel              # Build RPi kernel
-make overlay             # Build SBC overlay
-make installer           # Build installer + disk image
+zstd -d metal-arm64.raw.zst -o metal-arm64.raw
+# Flash to eMMC/SD via your preferred tool (dd, balenaEtcher, etc.)
 ```
 
-### CI/CD (Gitea Actions)
-
-Push a version tag to trigger an automated build:
+### Upgrade an existing node
 
 ```bash
-git tag v1.11.5-1
-git push origin v1.11.5-1
+talosctl upgrade --image docker.io/svrnty/talos-rpi5:v1.12.4-k6.12.47-1
 ```
 
-The pipeline runs on the ARM64 self-hosted runner and:
-1. Builds the kernel, overlay, and installer
-2. Pushes the installer image to Docker Hub
-3. Creates a Gitea release with the raw disk image
-
-### Upstream update checks
-
-A weekly scheduled workflow checks for new Talos and RPi kernel releases and creates Gitea issues when updates are available.
-
-## CI Secrets
-
-| Secret | Description |
-|--------|-------------|
-| `REGISTRY_USERNAME` | Docker Hub username (org-level) |
-| `REGISTRY_PASSWORD` | Docker Hub access token (org-level) |
-
-## Runner Setup (Apple Silicon Mac Mini)
-
-The build runner needs:
-- Docker Desktop with Buildx (arm64 native)
-- Gitea `act_runner` registered with labels: `self-hosted`, `macOS`, `arm64`
-- Sufficient disk space for kernel builds (~20GB)
+> **Note:** In-place upgrades use GRUB with `--no-nvram` to work around the RPi5/CM5 `SetVariableRT` firmware limitation. This patch is included but not yet tested in production — re-flashing the disk image is the proven fallback.
 
 ```bash
-# Install act_runner via Homebrew
-brew install act_runner
-
-# Or download directly
-curl -sL https://gitea.com/gitea/act_runner/releases/latest/download/act_runner-darwin-arm64 -o act_runner
-chmod +x act_runner
-
-# Register
-./act_runner register \
-  --instance https://git.openharbor.io \
-  --token <runner-token> \
-  --name mac-mini \
-  --labels self-hosted,macOS,arm64
-
-# Run as service
-./act_runner daemon
+# Fallback: re-flash method
+zstd -d metal-arm64.raw.zst -o metal-arm64.raw
+# Flash to eMMC/SD via your preferred tool
 ```
 
-## Structure
+### What's included
 
+- RPi downstream kernel with CM5/RP1 support (4K page size, aligned with upstream Talos)
+- GRUB bootloader with `--no-nvram` for reliable `talosctl upgrade` on RPi5/CM5
+- Overclock: 2.6GHz (`arm_freq=2600`, `over_voltage_delta=50000`, `arm_boost=1`)
+- Extensions: `iscsi-tools`, `util-linux-tools`
+
+## Known issues
+
+### ~~No serial console output after boot~~ (Fixed)
+
+The overlay was using `console=ttyAMA0` (GPIO 14/15 UART) but the RPi5/CM5 debug UART is `ttyAMA10`. Fixed by switching to `console=ttyAMA10,115200` and adding `earlycon=pl011,0x107d001000,115200n8` for early boot output. Also added `[pi5] enable_uart=0` to `config.txt` to match upstream and avoid U-Boot compatibility issues.
+
+*Upstream: <a href="https://github.com/talos-rpi5/talos-builder/issues/4" target="_blank">talos-builder#4</a>*
+
+### Install disk config ignored on SBCs
+
+Talos ignores the `machine.install.disk` config field on SBC platforms. You **must flash the disk image directly** to your target disk (eMMC, SD, NVMe). For NVMe boot, `dd` the metal image to the NVMe drive and configure the EEPROM boot order (`BOOT_ORDER=0xf416`, `PCIE_PROBE=1`).
+
+*Upstream: <a href="https://github.com/talos-rpi5/talos-builder/issues/22" target="_blank">talos-builder#22</a>*
+
+## Roadmap
+
+This project targets production-ready Talos clusters on RPi5/CM5 hardware.
+
+| Status | Milestone | Description |
+|--------|-----------|-------------|
+| Untested | **4K page size** | Aligned with upstream Talos kernel config. Reduces memory overhead and improves workload compatibility (Longhorn, jemalloc, F2FS, etc.). |
+| Untested | **Reliable in-place upgrades** | Force GRUB bootloader with `--no-nvram` on arm64 to work around the `SetVariableRT` firmware limitation (<a href="https://github.com/talos-rpi5/talos-builder/issues/21" target="_blank">talos-builder#21</a>). |
+| Untested | **Serial console fix** | Use correct debug UART (`ttyAMA10`) with `earlycon` for early boot output. |
+| Untested | **NVMe boot support** | `dd` image to NVMe + set EEPROM `BOOT_ORDER=0xf416` and `PCIE_PROBE=1`. Kernel has `CONFIG_BLK_DEV_NVME=y` built-in. |
+
+## NVMe boot (untested)
+
+The kernel has NVMe built-in (`CONFIG_BLK_DEV_NVME=y`), so booting from NVMe should work by flashing the disk image directly and configuring the RPi5/CM5 EEPROM.
+
+### 1. Flash the image to NVMe
+
+Connect the NVMe drive via a USB adapter and flash:
+
+```bash
+zstd -d metal-arm64.raw.zst | sudo dd of=/dev/<nvme-device> bs=4M status=progress
+sync
 ```
-.gitea/workflows/
-  build.yaml              # Build pipeline (tag push trigger)
-  check-updates.yaml      # Upstream update checker (weekly cron)
-Makefile                   # Build orchestration
-config/
-  config.txt.append        # CM5 overclock settings
-  extensions.yaml          # System extensions list
-scripts/
-  check-upstream.sh        # Version comparison script
-patches/
-  siderolabs/
-    pkgs/0001-*.patch      # RPi kernel patch
-    talos/0001-*.patch     # Module list patch
+
+### 2. Configure EEPROM boot order
+
+Use `rpiboot` to update the CM5 EEPROM. Clone the usbboot repo and edit the boot config:
+
+```bash
+git clone --depth=1 https://github.com/raspberrypi/usbboot
+cd usbboot && make
+# Edit the EEPROM config for CM5
+cp recovery/boot.conf recovery/boot.conf.bak
 ```
+
+Add or update these values in `recovery/boot.conf`:
+
+```ini
+BOOT_ORDER=0xf416
+PCIE_PROBE=1
+```
+
+Then flash via USB with the CM5 in USB boot mode (hold nRPIBOOT or disable eMMC boot on your carrier board):
+
+```bash
+sudo ./rpiboot -d recovery
+```
+
+`BOOT_ORDER` is read right-to-left: try NVMe (`6`) first, then SD (`1`), then USB (`4`), then restart (`f`). `PCIE_PROBE=1` is required for non-HAT+ NVMe adapters (Compute Blade, most M.2 carrier boards).
+
+### 3. Boot from NVMe
+
+Power on. The RPi firmware should find the boot partition on NVMe, load U-Boot, and boot Talos.
+
+### Optional: enable PCIe Gen 3
+
+Add to your `configTxtAppend` overlay option or directly to `config.txt` on the boot partition:
+
+```ini
+dtparam=pciex1_gen=3
+```
+
+This doubles throughput (~400 MB/s Gen 2 to ~800 MB/s Gen 3). Not officially certified by Raspberry Pi but works on most NVMe drives.
+
+## Building
+
+For local builds, CI/CD setup, runner configuration, and project structure, see [TECHNICAL.md](TECHNICAL.md).
+
+## License
+
+This project is licensed under the [Mozilla Public License 2.0](LICENSE).
+
+It builds upon the following MPL 2.0 licensed upstream projects:
+
+- [siderolabs/talos](https://github.com/siderolabs/talos) — Talos Linux OS
+- [siderolabs/pkgs](https://github.com/siderolabs/pkgs) — Talos package definitions
+- [talos-rpi5/sbc-raspberrypi5](https://github.com/talos-rpi5/sbc-raspberrypi5) — Raspberry Pi 5 SBC overlay
+
+Our patches to these projects are in the `patches/` directory and are distributed under the same MPL 2.0 terms.

TECHNICAL.md

@@ -0,0 +1,87 @@
+# Technical Guide
+
+Build infrastructure, CI/CD configuration, and project structure for the Talos CM5 Builder.
+
+## Building locally (ARM64 host required)
+
+```bash
+make checkouts patches   # Clone and patch upstream sources
+make kernel              # Build RPi kernel
+make overlay             # Build SBC overlay
+make installer           # Build installer + disk image
+```
+
+## CI/CD (Gitea Actions)
+
+Push a version tag to trigger an automated build:
+
+```bash
+git tag v1.12.3-k6.12.47-2
+git push origin v1.12.3-k6.12.47-2
+```
+
+The pipeline runs on the ARM64 self-hosted runner and:
+1. Builds the kernel, overlay, and installer
+2. Attaches SBOM attestation (cosign + syft)
+3. Pushes the installer image to Docker Hub
+4. Creates a Gitea release with the raw disk image
+
+### Upstream update checks
+
+A weekly scheduled workflow checks for new Talos and RPi kernel releases and creates Gitea issues when updates are available.
+
+## CI Secrets
+
+| Secret | Description |
+|--------|-------------|
+| `REGISTRY_USERNAME` | Docker Hub username (org-level) |
+| `REGISTRY_PASSWORD` | Docker Hub access token (org-level) |
+
+## Runner Setup (Apple Silicon Mac Mini)
+
+The build runner needs:
+- Docker Desktop with Buildx (arm64 native)
+- Gitea `act_runner` registered with labels: `self-hosted`, `macOS`, `arm64`
+- Sufficient disk space for kernel builds (~20GB)
+
+```bash
+# Install act_runner via Homebrew
+brew install act_runner
+
+# Or download directly
+curl -sL https://gitea.com/gitea/act_runner/releases/latest/download/act_runner-darwin-arm64 -o act_runner
+chmod +x act_runner
+
+# Register
+./act_runner register \
+  --instance https://git.openharbor.io \
+  --token <runner-token> \
+  --name mac-mini \
+  --labels self-hosted,macOS,arm64
+
+# Run as service
+./act_runner daemon
+```
+
+## Project Structure
+
+```
+.gitea/workflows/
+  build.yaml              # Build pipeline (tag push trigger)
+  check-updates.yaml      # Upstream update checker (weekly cron)
+Makefile                   # Build orchestration
+config/
+  config.txt.append        # CM5 overclock settings
+  extensions.yaml          # System extensions list
+scripts/
+  check-upstream.sh        # Version comparison script
+patches/
+  siderolabs/
+    pkgs/0001-*.patch      # RPi kernel patch
+    talos/0001-*.patch     # Module list patch
+    talos/0002-*.patch     # Skip NVRAM writes for GRUB on arm64
+    talos/0003-*.patch     # Force GRUB bootloader on arm64
+  talos-rpi5/
+    sbc-raspberrypi5/      # Overlay patches (Go toolchain bump)
+cosign.pub                 # Public key for verifying image attestations
+```

cosign.pub

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPkZxXgi280kakXdVwjygCvIs5chd
+Ns/gANqNilq0OZDkmcAzeaKJRkRbiDjqNeW1JLv1CYwN/1olypEdVyjLoQ==
+-----END PUBLIC KEY-----

patches/siderolabs/pkgs/0001-Patched-for-Raspberry-Pi-5.patch

@@ -58,17 +58,6 @@ index 65b3647..7ba70c0 100644
  # CONFIG_KEXEC is not set
  CONFIG_KEXEC_FILE=y
  CONFIG_KEXEC_SIG=y
-@@ -450,8 +451,8 @@ CONFIG_ROCKCHIP_ERRATUM_3588001=y
- CONFIG_SOCIONEXT_SYNQUACER_PREITS=y
- # end of ARM errata workarounds via the alternatives framework
- 
--CONFIG_ARM64_4K_PAGES=y
--# CONFIG_ARM64_16K_PAGES is not set
-+# CONFIG_ARM64_4K_PAGES is not set
-+CONFIG_ARM64_16K_PAGES=y
- # CONFIG_ARM64_64K_PAGES is not set
- # CONFIG_ARM64_VA_BITS_39 is not set
- CONFIG_ARM64_VA_BITS_48=y
 @@ -660,7 +661,7 @@ CONFIG_CPU_FREQ_STAT=y
  # CONFIG_CPU_FREQ_DEFAULT_GOV_PERFORMANCE is not set
  # CONFIG_CPU_FREQ_DEFAULT_GOV_POWERSAVE is not set

patches/siderolabs/talos/0002-Skip-NVRAM-writes-for-GRUB-on-arm64.patch

@@ -0,0 +1,33 @@
+From 2db8797af370535aba7c5694cd291bba8e6c5a67 Mon Sep 17 00:00:00 2001
+From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
+Date: Fri, 13 Feb 2026 19:08:41 -0500
+Subject: [PATCH 2/3] Skip NVRAM writes for GRUB on arm64
+
+On arm64 platforms like RPi5/CM5, the UEFI firmware (U-Boot) does not
+support EFI runtime SetVariable, causing grub-install to fail when
+efibootmgr tries to create NVRAM boot entries. Since arm64-efi systems
+boot by convention (finding BOOTAA64.efi on the ESP), NVRAM boot
+entries are unnecessary.
+
+Pass --no-nvram to grub-install on arm64 to allow in-place upgrades
+via talosctl upgrade to succeed.
+---
+ .../machined/pkg/runtime/v1alpha1/bootloader/grub/install.go    | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/install.go b/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/install.go
+index 6f5c9f8..766374b 100644
+--- a/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/install.go
++++ b/internal/app/machined/pkg/runtime/v1alpha1/bootloader/grub/install.go
+@@ -196,7 +196,7 @@ func (c *Config) install(opts options.InstallOptions) (*options.InstallResult, e
+ 			args = append(args, "--efi-directory="+filepath.Join(opts.MountPrefix, constants.EFIMountPoint))
+ 		}
+ 
+-		if opts.ImageMode {
++		if opts.ImageMode || opts.Arch == arm64 {
+ 			args = append(args, "--no-nvram")
+ 		}
+ 
+-- 
+2.50.1 (Apple Git-155)
+

patches/siderolabs/talos/0003-Force-GRUB-bootloader-on-arm64.patch

@@ -0,0 +1,47 @@
+From 1393b3f013e758f6bb52d14006d3a7e7db348930 Mon Sep 17 00:00:00 2001
+From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
+Date: Fri, 13 Feb 2026 19:08:58 -0500
+Subject: [PATCH 3/3] Force GRUB bootloader on arm64
+
+On arm64 platforms like RPi5/CM5, the UEFI firmware (U-Boot) exposes
+/sys/firmware/efi but does not support EFI runtime SetVariable. This
+causes NewAuto() to select sd-boot, which then fails when trying to
+write EFI variables during installation/upgrade.
+
+Force GRUB on arm64 since it uses config files instead of EFI
+variables for boot configuration. Combined with the --no-nvram patch,
+this enables reliable in-place upgrades via talosctl upgrade on
+RPi5/CM5 hardware.
+
+Ref: https://github.com/siderolabs/talos/issues/10859
+Ref: https://github.com/talos-rpi5/talos-builder/issues/21
+---
+ .../machined/pkg/runtime/v1alpha1/bootloader/bootloader.go   | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/internal/app/machined/pkg/runtime/v1alpha1/bootloader/bootloader.go b/internal/app/machined/pkg/runtime/v1alpha1/bootloader/bootloader.go
+index f084e09..5c388c1 100644
+--- a/internal/app/machined/pkg/runtime/v1alpha1/bootloader/bootloader.go
++++ b/internal/app/machined/pkg/runtime/v1alpha1/bootloader/bootloader.go
+@@ -8,6 +8,7 @@ package bootloader
+ import (
+ 	"fmt"
+ 	"os"
++	goruntime "runtime"
+ 
+ 	"github.com/siderolabs/go-blockdevice/v2/block"
+ 	"github.com/siderolabs/go-blockdevice/v2/partitioning/gpt"
+@@ -73,6 +74,10 @@ func Probe(disk string, options options.ProbeOptions) (Bootloader, error) {
+ 
+ // NewAuto returns a new bootloader based on auto-detection.
+ func NewAuto() Bootloader {
++	if goruntime.GOARCH == "arm64" {
++		return grub.NewConfig()
++	}
++
+ 	if sdboot.IsUEFIBoot() {
+ 		return sdboot.New()
+ 	}
+-- 
+2.50.1 (Apple Git-155)
+

patches/siderolabs/talos/0004-Fallback-to-classic-bind-mounts-on-kernels-without-o.patch

@@ -0,0 +1,45 @@
+From 98366401143dcc31c056a7d96242775f9ba013ca Mon Sep 17 00:00:00 2001
+From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
+Date: Sat, 14 Feb 2026 14:05:15 -0500
+Subject: [PATCH 4/4] Fallback to classic bind mounts on kernels without
+ open_tree support
+
+The open_tree syscall on anonymous filesystem file descriptors was added
+in kernel 6.15.0. Talos previously only checked for this capability when
+running in container mode, assuming bare metal always had a sufficiently
+new kernel. However, platforms like RPi5/CM5 use the RPi downstream
+kernel (6.12.x) which lacks this feature, causing shadow bind mount
+failures for /etc files and cascading network initialization failures.
+
+Remove the InContainer() gate so the OpentreeOnAnonymousFS() capability
+check runs on all platforms, enabling the classic (OSRoot) fallback when
+the kernel does not support the newer mount API.
+---
+ .../pkg/runtime/v1alpha2/v1alpha2_controller.go       | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
+index 29b297654..653a45d57 100644
+--- a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
++++ b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
+@@ -113,11 +113,12 @@ func (ctrl *Controller) Run(ctx context.Context, drainer *runtime.Drainer) error
+ 
+ 	networkBindMountTarget = constants.SystemResolvedPath
+ 
+-	// While running in container, we don't have control over kernel version
+-	// shipped with the machine. If the kernel does not support open_tree syscall
+-	// on anonymous filesystem file descriptors, we need to fallback to the classic,
+-	// less secure mode. This capability was added in kernel 6.15.0.
+-	if ctrl.v1alpha1Runtime.State().Platform().Mode().InContainer() {
++	// If the kernel does not support open_tree syscall on anonymous filesystem
++	// file descriptors, we need to fallback to the classic, less secure mode.
++	// This capability was added in kernel 6.15.0. This check is needed for
++	// containers (where the host kernel is unknown) and for bare metal platforms
++	// running older kernels such as the RPi downstream kernel (6.12.x).
++	{
+ 		opentreeOnAnonymous, err := runtime.KernelCapabilities().OpentreeOnAnonymousFS()
+ 		if err != nil {
+ 			return err
+-- 
+2.50.1 (Apple Git-155)
+

patches/talos-rpi5/sbc-raspberrypi5/0001-Bump-Go-toolchain-to-1.24.13.patch

@@ -0,0 +1,38 @@
+From 69f14c84e9e458dcff24905145cac8557c0e2965 Mon Sep 17 00:00:00 2001
+From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
+Date: Fri, 13 Feb 2026 15:25:26 -0500
+Subject: [PATCH] Bump Go toolchain to 1.24.13 to fix stdlib CVEs
+
+---
+ go.work                    | 4 +++-
+ installers/rpi5/src/go.mod | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/go.work b/go.work
+index f4dafe7..798ea43 100644
+--- a/go.work
++++ b/go.work
+@@ -1,3 +1,5 @@
+-go 1.24.0
++go 1.24.13
++
++toolchain go1.24.13
+ 
+ use ./installers/rpi5/src
+diff --git a/installers/rpi5/src/go.mod b/installers/rpi5/src/go.mod
+index 50b72d5..af5f5f8 100644
+--- a/installers/rpi5/src/go.mod
++++ b/installers/rpi5/src/go.mod
+@@ -1,6 +1,8 @@
+ module rpi_generic
+ 
+-go 1.24.0
++go 1.24.13
++
++toolchain go1.24.13
+ 
+ require (
+ 	github.com/siderolabs/go-copy v0.1.0
+-- 
+2.50.1 (Apple Git-155)
+

patches/talos-rpi5/sbc-raspberrypi5/0002-Fix-serial-console-for-RPi5-CM5-debug-UART.patch

@@ -0,0 +1,64 @@
+From 7c1f75d724e54df5382d7900a0fdfac50f870043 Mon Sep 17 00:00:00 2001
+From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
+Date: Fri, 13 Feb 2026 19:43:02 -0500
+Subject: [PATCH] Fix serial console for RPi5/CM5 debug UART
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The overlay was using console=ttyAMA0 (GPIO 14/15 UART) but the RPi5
+debug UART — the JST connector between HDMI ports on Pi5, or test pads
+TP35/TP36 on CM5 — is ttyAMA10.
+
+Changes:
+- main.go: Use console=ttyAMA10,115200 (Pi5 debug UART, not GPIO UART0)
+- main.go: Add earlycon=pl011,0x107d001000,115200n8 for early boot output
+  before the full PL011 driver initializes
+- config.txt: Add [pi5] enable_uart=0 to match upstream and avoid U-Boot
+  compatibility issues (the debug UART is always active regardless)
+
+The earlycon parameter uses the BCM2712 debug UART MMIO base address
+(0x107d001000) to provide kernel output immediately after ExitBootServices,
+bridging the gap between U-Boot handoff and full driver init.
+---
+ installers/rpi5/src/config.txt | 7 ++++++-
+ installers/rpi5/src/main.go    | 3 ++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/installers/rpi5/src/config.txt b/installers/rpi5/src/config.txt
+index 1445d0e..7af461e 100644
+--- a/installers/rpi5/src/config.txt
++++ b/installers/rpi5/src/config.txt
+@@ -11,8 +11,13 @@ kernel=u-boot.bin
+ arm_64bit=1
+ # Run as fast as firmware / board allows.
+ arm_boost=1
+-# Enable the primary/console UART.
++# Enable the primary/console UART (globally).
+ enable_uart=1
++# Disable UART on Pi5 to avoid U-Boot compatibility issue.
++# The debug UART (ttyAMA10) is always active regardless of this setting.
++[pi5]
++enable_uart=0
++[all]
+ # Disable Bluetooth.
+ dtoverlay=disable-bt
+ # Disable Wireless Lan.
+diff --git a/installers/rpi5/src/main.go b/installers/rpi5/src/main.go
+index 38cd824..fed3819 100644
+--- a/installers/rpi5/src/main.go
++++ b/installers/rpi5/src/main.go
+@@ -32,8 +32,9 @@ func (i *RpiInstaller) GetOptions(extra rpiOptions) (overlay.Options, error) {
+ 	return overlay.Options{
+ 		Name: "rpi5",
+ 		KernelArgs: []string{
++			"earlycon=pl011,0x107d001000,115200n8",
+ 			"console=tty0",
+-			"console=ttyAMA0,115200",
++			"console=ttyAMA10,115200",
+ 			"sysctl.kernel.kexec_load_disabled=1",
+ 			"talos.dashboard.disabled=1",
+ 		},
+-- 
+2.50.1 (Apple Git-155)
+

scripts/auto-update.sh

@@ -0,0 +1,125 @@
+#!/usr/bin/env bash
+# Auto-update upstream versions, verify patches, and generate a release tag
+#
+# Expects environment variables from check-upstream.sh:
+#   TALOS_UPDATE, RPI_UPDATE, LATEST_TALOS, LATEST_RPI_TAG
+#
+# Outputs (for GitHub Actions):
+#   patch_failed=true   — if patches fail to apply (caller should create issue)
+#   new_tag=<tag>       — the computed release tag (e.g. v1.12.3-k6.12.47-1)
+#
+# Usage:
+#   TALOS_UPDATE=true LATEST_TALOS=v1.13.0 ./scripts/auto-update.sh >> "$GITHUB_OUTPUT"
+
+set -euo pipefail
+
+TALOS_UPDATE=${TALOS_UPDATE:-false}
+RPI_UPDATE=${RPI_UPDATE:-false}
+LATEST_TALOS=${LATEST_TALOS:-}
+LATEST_RPI_TAG=${LATEST_RPI_TAG:-}
+
+MAKEFILE="Makefile"
+PATCH_FILE="patches/siderolabs/pkgs/0001-Patched-for-Raspberry-Pi-5.patch"
+
+# Helper: extract kernel semver (e.g. 6.12.47) from the RPi repo Makefile
+get_kernel_version() {
+  local tag="$1"
+  curl -sf "https://raw.githubusercontent.com/raspberrypi/linux/${tag}/Makefile" \
+    | awk '
+      /^VERSION/     { version=$3 }
+      /^PATCHLEVEL/  { patchlevel=$3 }
+      /^SUBLEVEL/    { sublevel=$3 }
+      END { print version "." patchlevel "." sublevel }
+    '
+}
+
+# ── RPi kernel update ───────────────────────────────────────────────
+if [ "$RPI_UPDATE" = "true" ] && [ -n "$LATEST_RPI_TAG" ]; then
+  echo "Updating RPi kernel to $LATEST_RPI_TAG ..." >&2
+
+  # Download tarball and compute checksums
+  TARBALL_URL="https://github.com/raspberrypi/linux/archive/refs/tags/${LATEST_RPI_TAG}.tar.gz"
+  TMP=$(mktemp)
+  curl -sL "$TARBALL_URL" -o "$TMP"
+  NEW_SHA256=$(shasum -a 256 "$TMP" | awk '{print $1}')
+  NEW_SHA512=$(shasum -a 512 "$TMP" | awk '{print $1}')
+  rm -f "$TMP"
+
+  echo "  SHA256: $NEW_SHA256" >&2
+  echo "  SHA512: $NEW_SHA512" >&2
+
+  # Get actual kernel version for the config header
+  KERNEL_VERSION=$(get_kernel_version "$LATEST_RPI_TAG")
+  echo "  Kernel version: $KERNEL_VERSION" >&2
+
+  # Update patch file
+  sed -i "s/+  linux_version: .*/+  linux_version: ${LATEST_RPI_TAG}/" "$PATCH_FILE"
+  sed -i "s/+  linux_sha256: .*/+  linux_sha256: ${NEW_SHA256}/" "$PATCH_FILE"
+  sed -i "s/+  linux_sha512: .*/+  linux_sha512: ${NEW_SHA512}/" "$PATCH_FILE"
+  sed -i "s|+# Linux/arm64 .* Kernel Configuration|+# Linux/arm64 ${KERNEL_VERSION} Kernel Configuration|" "$PATCH_FILE"
+fi
+
+# ── Talos update ────────────────────────────────────────────────────
+if [ "$TALOS_UPDATE" = "true" ] && [ -n "$LATEST_TALOS" ]; then
+  echo "Updating Talos to $LATEST_TALOS ..." >&2
+
+  # Update TALOS_VERSION in Makefile
+  sed -i "s/^TALOS_VERSION = .*/TALOS_VERSION = ${LATEST_TALOS}/" "$MAKEFILE"
+
+  # Derive matching PKG_VERSION (same major.minor as Talos)
+  PKG_MINOR=$(echo "$LATEST_TALOS" | sed -E 's/^(v[0-9]+\.[0-9]+)\..*/\1/')
+  LATEST_PKG=$(curl -sf "https://api.github.com/repos/siderolabs/pkgs/tags?per_page=20" \
+    | jq -r "[.[] | select(.name | startswith(\"${PKG_MINOR}\"))][0].name")
+
+  if [ -n "$LATEST_PKG" ] && [ "$LATEST_PKG" != "null" ]; then
+    echo "  Updating PKG_VERSION to $LATEST_PKG" >&2
+    sed -i "s/^PKG_VERSION = .*/PKG_VERSION = ${LATEST_PKG}/" "$MAKEFILE"
+  else
+    echo "  WARNING: No matching pkgs tag for $PKG_MINOR — keeping current PKG_VERSION" >&2
+  fi
+fi
+
+# ── Smoke test — verify patches apply ───────────────────────────────
+echo "Running patch smoke test ..." >&2
+if ! gmake checkouts patches; then
+  echo "Patches failed to apply!" >&2
+  gmake checkouts-clean >/dev/null 2>&1 || true
+  echo "patch_failed=true"
+  exit 0
+fi
+gmake checkouts-clean >/dev/null 2>&1
+
+# ── Generate tag ────────────────────────────────────────────────────
+TALOS_VER=$(grep '^TALOS_VERSION' "$MAKEFILE" | awk '{print $NF}')
+RPI_TAG=$(grep '+  linux_version:' "$PATCH_FILE" | awk '{print $NF}')
+KERNEL_VER=$(get_kernel_version "$RPI_TAG")
+
+# Find next build number for this component combination
+TAG_PREFIX="${TALOS_VER}-k${KERNEL_VER}"
+LAST_BUILD=$(git tag -l "${TAG_PREFIX}-*" \
+  | sed "s|${TAG_PREFIX}-||" \
+  | sort -n \
+  | tail -1)
+NEXT_BUILD=$(( ${LAST_BUILD:-0} + 1 ))
+NEW_TAG="${TAG_PREFIX}-${NEXT_BUILD}"
+
+# ── Update README badges and examples ───────────────────────────────
+README="README.md"
+if [ -f "$README" ]; then
+  OLD_TALOS=$(sed -n 's/.*talos-v\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' "$README" | head -1)
+  OLD_KERNEL=$(sed -n 's/.*kernel-\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p' "$README" | head -1)
+  OLD_TAG=$(sed -n 's/.*\(v[0-9]*\.[0-9]*\.[0-9]*-k[0-9]*\.[0-9]*\.[0-9]*-[0-9]*\).*/\1/p' "$README" | head -1)
+
+  echo "Updating README: talos v${OLD_TALOS} → v${TALOS_VER}, kernel ${OLD_KERNEL} → ${KERNEL_VER}, tag ${OLD_TAG} → ${NEW_TAG}" >&2
+
+  sed -i "s/talos-v${OLD_TALOS}/talos-${TALOS_VER}/g" "$README"
+  sed -i "s/kernel-${OLD_KERNEL}/kernel-${KERNEL_VER}/g" "$README"
+  sed -i "s/\`v${OLD_TALOS}\`/\`${TALOS_VER}\`/g" "$README"
+  sed -i "s/\`k${OLD_KERNEL}\`/\`k${KERNEL_VER}\`/g" "$README"
+  if [ -n "$OLD_TAG" ]; then
+    sed -i "s/${OLD_TAG}/${NEW_TAG}/g" "$README"
+  fi
+fi
+
+echo "Generated tag: $NEW_TAG" >&2
+echo "new_tag=$NEW_TAG"

scripts/check-upstream.sh

@@ -1,54 +1,57 @@
 #!/usr/bin/env bash
 # Check for upstream Talos and RPi kernel updates
 #
-# Compares current versions in Makefile against the latest GitHub releases.
-# Outputs GitHub Actions-compatible variables for use in CI workflows.
+# Compares current versions (from Makefile + pkgs patch) against the
+# latest GitHub releases/tags. Outputs GitHub Actions-compatible variables.
 #
 # Usage:
-#   ./scripts/check-upstream.sh           # Print results
+#   ./scripts/check-upstream.sh           # Print results to stdout/stderr
 #   ./scripts/check-upstream.sh >> "$GITHUB_OUTPUT"  # For CI
 
 set -euo pipefail
 
 MAKEFILE="${MAKEFILE:-Makefile}"
+PATCH_FILE="${PATCH_FILE:-patches/siderolabs/pkgs/0001-Patched-for-Raspberry-Pi-5.patch}"
 
-# Extract current versions from Makefile
-CURRENT_TALOS=$(grep '^TALOS_VERSION' "$MAKEFILE" | head -1 | awk '{print $NF}')
-CURRENT_PKG=$(grep '^PKG_VERSION' "$MAKEFILE" | head -1 | awk '{print $NF}')
+# ── Current versions ────────────────────────────────────────────────
+CURRENT_TALOS=$(grep '^TALOS_VERSION' "$MAKEFILE" | awk '{print $NF}')
+CURRENT_RPI_TAG=$(grep '+  linux_version:' "$PATCH_FILE" | awk '{print $NF}')
 
-echo "Current Talos version: $CURRENT_TALOS"
-echo "Current PKG version:   $CURRENT_PKG"
+echo "Current Talos version: $CURRENT_TALOS" >&2
+echo "Current RPi kernel tag: $CURRENT_RPI_TAG" >&2
 
-# Check latest Talos stable release
+# ── Latest versions from GitHub API ─────────────────────────────────
 LATEST_TALOS=$(curl -sf "https://api.github.com/repos/siderolabs/talos/releases/latest" \
-  | grep '"tag_name"' | sed -E 's/.*"tag_name": *"([^"]+)".*/\1/')
+  | jq -r '.tag_name')
 
-echo "Latest Talos release:  $LATEST_TALOS"
+LATEST_RPI_TAG=$(curl -sf "https://api.github.com/repos/raspberrypi/linux/tags?per_page=20" \
+  | jq -r '[.[] | select(.name | startswith("stable_"))][0].name')
 
-# Check latest RPi kernel stable tag (format: stable_YYYYMMDD)
-LATEST_RPI_KERNEL=$(curl -sf "https://api.github.com/repos/raspberrypi/linux/tags?per_page=10" \
-  | grep '"name"' | grep 'stable_' | head -1 | sed -E 's/.*"name": *"([^"]+)".*/\1/')
+echo "Latest Talos release:  $LATEST_TALOS" >&2
+echo "Latest RPi kernel tag: $LATEST_RPI_TAG" >&2
 
-echo "Latest RPi kernel tag: $LATEST_RPI_KERNEL"
-
-# Output for GitHub Actions
-echo "talos_current=$CURRENT_TALOS"
-echo "talos_latest=$LATEST_TALOS"
+# ── Determine what needs updating ───────────────────────────────────
+TALOS_UPDATE=false
+RPI_UPDATE=false
 
 if [ "$CURRENT_TALOS" != "$LATEST_TALOS" ]; then
-  echo "talos_update=true"
+  TALOS_UPDATE=true
   echo ">> Talos update available: $CURRENT_TALOS -> $LATEST_TALOS" >&2
 else
-  echo "talos_update=false"
   echo ">> Talos is up to date" >&2
 fi
 
-# For RPi kernel, we output what we found — the actual version tracking
-# depends on the pkgs patch content which references a specific kernel tag
-echo "rpi_current=check-patch"
-echo "rpi_latest=$LATEST_RPI_KERNEL"
+if [ "$CURRENT_RPI_TAG" != "$LATEST_RPI_TAG" ]; then
+  RPI_UPDATE=true
+  echo ">> RPi kernel update available: $CURRENT_RPI_TAG -> $LATEST_RPI_TAG" >&2
+else
+  echo ">> RPi kernel is up to date" >&2
+fi
 
-# We always flag RPi kernel for review since we can't easily parse the
-# patch to extract the exact pinned version
-echo "rpi_update=true"
-echo ">> RPi kernel latest stable: $LATEST_RPI_KERNEL (review patch manually)" >&2
+# ── Output for GitHub Actions ───────────────────────────────────────
+echo "talos_current=$CURRENT_TALOS"
+echo "talos_latest=$LATEST_TALOS"
+echo "talos_update=$TALOS_UPDATE"
+echo "rpi_current=$CURRENT_RPI_TAG"
+echo "rpi_latest=$LATEST_RPI_TAG"
+echo "rpi_update=$RPI_UPDATE"