Fix 21 Go stdlib CVEs and enable supply chain attestations

- Patch sbc-raspberrypi5 overlay to use Go 1.24.13 (fixes 1C/7H/12M/1L CVEs)
- Add ATTESTATION_ARGS (--provenance=true --sbom=true) to all buildx targets
- Override upstream --provenance=false via TARGET_ARGS (last flag wins)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/build.yaml

@@ -96,10 +96,14 @@ jobs:
             SCOUT_SECTION=$(cat _out/scout-report.md)
           fi
 
+          # Extract component versions from tag (format: v1.12.3-k6.12.47-1)
+          TALOS_VER=$(echo "$TAG" | sed -E 's/^(v[0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
+          KERNEL_VER=$(echo "$TAG" | sed -E 's/.*-k([0-9]+\.[0-9]+\.[0-9]+)-.*/\1/')
+
           RELEASE_BODY="Custom Talos Linux image for Raspberry Pi 5 / CM5 (Compute Blade)
 
-          **Talos version**: ${TAG}
-          **Kernel**: RPi downstream (CM5/RP1 support)
+          **Talos**: ${TALOS_VER}
+          **Kernel**: RPi downstream ${KERNEL_VER} (CM5/RP1 support)
           **Extensions**: iscsi-tools, util-linux-tools
           **Overclock**: 2.6GHz (arm_freq=2600)
 

.gitea/workflows/check-updates.yaml

@@ -1,25 +1,32 @@
-# Check for upstream Talos and RPi kernel updates
+# Daily upstream update check with auto-build
 #
-# Runs on a schedule and creates a Gitea issue when new versions are found.
-# This is notification-only — builds require manual tag push after verifying
-# patches still apply.
+# Detects new Talos OS and RPi kernel versions, applies updates,
+# smoke-tests patches, and pushes a release tag (which triggers build.yaml).
+# Falls back to creating a Gitea issue if patches fail to apply.
 
 name: Check Upstream Updates
 
 on:
   schedule:
-    # Run weekly on Monday at 08:00 UTC
-    - cron: '0 8 * * 1'
+    - cron: '0 8 * * *'    # Daily at 08:00 UTC
   workflow_dispatch:
 
 jobs:
-  check-updates:
+  check-and-build:
     runs-on: [self-hosted, macos]
-    timeout-minutes: 10
+    timeout-minutes: 15
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0    # Need full history for tag-based build numbering
+
+      - name: Install dependencies
+        run: |
+          for pkg in make gnu-sed crane jq; do
+            brew list --formula "$pkg" &>/dev/null || brew install "$pkg"
+          done
 
       - name: Check for upstream updates
         id: check
@@ -27,95 +34,83 @@ jobs:
           chmod +x scripts/check-upstream.sh
           scripts/check-upstream.sh >> "$GITHUB_OUTPUT"
 
-      - name: Create issue for Talos update
-        if: steps.check.outputs.talos_update == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const currentVersion = '${{ steps.check.outputs.talos_current }}';
-            const latestVersion = '${{ steps.check.outputs.talos_latest }}';
-            const title = `Talos update available: ${currentVersion} → ${latestVersion}`;
+      - name: Run auto-update
+        if: steps.check.outputs.talos_update == 'true' || steps.check.outputs.rpi_update == 'true'
+        id: update
+        env:
+          TALOS_UPDATE: ${{ steps.check.outputs.talos_update }}
+          RPI_UPDATE: ${{ steps.check.outputs.rpi_update }}
+          LATEST_TALOS: ${{ steps.check.outputs.talos_latest }}
+          LATEST_RPI_TAG: ${{ steps.check.outputs.rpi_latest }}
+        run: |
+          chmod +x scripts/auto-update.sh
+          scripts/auto-update.sh >> "$GITHUB_OUTPUT"
 
-            // Check if an open issue already exists
-            const issues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'upstream-update',
-            });
+      - name: Commit and tag
+        if: steps.update.outputs.patch_failed != 'true' && steps.update.outputs.new_tag != ''
+        env:
+          NEW_TAG: ${{ steps.update.outputs.new_tag }}
+        run: |
+          git config user.name "Gitea Actions"
+          git config user.email "actions@openharbor.io"
+          git add -A
+          git commit -m "Bump upstream: ${NEW_TAG}"
+          git tag "$NEW_TAG"
+          git push origin main --tags
 
-            const existing = issues.data.find(i => i.title.includes('Talos update'));
-            if (existing) {
-              console.log(`Issue already exists: #${existing.number}`);
-              return;
-            }
+      - name: Create issue on patch failure
+        if: steps.update.outputs.patch_failed == 'true'
+        env:
+          GITEA_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TALOS_CURRENT: ${{ steps.check.outputs.talos_current }}
+          TALOS_LATEST: ${{ steps.check.outputs.talos_latest }}
+          TALOS_UPDATE: ${{ steps.check.outputs.talos_update }}
+          RPI_CURRENT: ${{ steps.check.outputs.rpi_current }}
+          RPI_LATEST: ${{ steps.check.outputs.rpi_latest }}
+          RPI_UPDATE: ${{ steps.check.outputs.rpi_update }}
+        run: |
+          GITEA_URL="${GITHUB_SERVER_URL}"
+          REPO="${GITHUB_REPOSITORY}"
+          API="${GITEA_URL}/api/v1"
 
-            await github.rest.issues.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title: title,
-              body: [
-                `## Talos Update Available`,
-                ``,
-                `| | Version |`,
-                `|---|---|`,
-                `| Current | \`${currentVersion}\` |`,
-                `| Latest  | \`${latestVersion}\` |`,
-                ``,
-                `### Steps`,
-                `1. Update \`TALOS_VERSION\` in \`Makefile\``,
-                `2. Verify patches still apply: \`make checkouts patches\``,
-                `3. If patches fail, port them to the new version`,
-                `4. Push a version tag to trigger the build pipeline`,
-                ``,
-                `### Links`,
-                `- [Talos Release Notes](https://github.com/siderolabs/talos/releases/tag/${latestVersion})`,
-              ].join('\n'),
-              labels: ['upstream-update', 'talos'],
-            });
+          BODY="## Upstream update requires manual patch porting
 
-      - name: Create issue for RPi kernel update
-        if: steps.check.outputs.rpi_update == 'true'
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const currentVersion = '${{ steps.check.outputs.rpi_current }}';
-            const latestVersion = '${{ steps.check.outputs.rpi_latest }}';
-            const title = `RPi kernel update available: ${currentVersion} → ${latestVersion}`;
+          Automated patch application failed. Manual intervention needed.
 
-            const issues = await github.rest.issues.listForRepo({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              state: 'open',
-              labels: 'upstream-update',
-            });
+          | Component | Current | Latest | Update? |
+          |-----------|---------|--------|---------|
+          | Talos     | \`${TALOS_CURRENT}\` | \`${TALOS_LATEST}\` | ${TALOS_UPDATE} |
+          | RPi kernel | \`${RPI_CURRENT}\` | \`${RPI_LATEST}\` | ${RPI_UPDATE} |
 
-            const existing = issues.data.find(i => i.title.includes('RPi kernel update'));
-            if (existing) {
-              console.log(`Issue already exists: #${existing.number}`);
-              return;
-            }
+          ### Steps
+          1. Check out this repo and run \`scripts/auto-update.sh\` to see what fails
+          2. Port patches to the new upstream version
+          3. Verify: \`gmake checkouts patches && gmake checkouts-clean\`
+          4. Push changes — the next scheduled run will pick them up
 
-            await github.rest.issues.create({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              title: title,
-              body: [
-                `## RPi Kernel Update Available`,
-                ``,
-                `| | Version |`,
-                `|---|---|`,
-                `| Current (in pkgs patch) | \`${currentVersion}\` |`,
-                `| Latest stable           | \`${latestVersion}\` |`,
-                ``,
-                `### Steps`,
-                `1. Update the kernel version in the pkgs patch`,
-                `2. Verify the patch still applies: \`make checkouts patches\``,
-                `3. Test build: \`make kernel\``,
-                `4. Push a version tag to trigger the full build pipeline`,
-                ``,
-                `### Links`,
-                `- [RPi Linux Releases](https://github.com/raspberrypi/linux/tags)`,
-              ].join('\n'),
-              labels: ['upstream-update', 'kernel'],
-            });
+          ### Links
+          - [Talos Releases](https://github.com/siderolabs/talos/releases)
+          - [RPi Linux Tags](https://github.com/raspberrypi/linux/tags)"
+
+          # Strip leading whitespace from heredoc-style indentation
+          BODY=$(echo "$BODY" | sed 's/^          //')
+          BODY_JSON=$(jq -Rs '.' <<< "$BODY")
+
+          # Check for existing open issue to avoid duplicates
+          EXISTING=$(curl -sf \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            "${API}/repos/${REPO}/issues?state=open&type=issues&labels=upstream-update" \
+            | jq -r '[.[] | select(.title | contains("manual patch"))][0].id // empty')
+
+          if [ -n "$EXISTING" ]; then
+            echo "Issue already exists (id: $EXISTING), skipping creation"
+            exit 0
+          fi
+
+          curl -sf -X POST \
+            -H "Authorization: token ${GITEA_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "{\"title\":\"Upstream update requires manual patch porting\",\"body\":${BODY_JSON},\"labels\":[\"upstream-update\"]}" \
+            "${API}/repos/${REPO}/issues"
+
+          echo "Created issue for manual patch porting"

Makefile

@@ -45,11 +45,14 @@ PATCHES_DIRECTORY := $(PWD)/patches
 
 PKGS_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/pkgs && git describe --tag --always --dirty --match v[0-9]\*)
 TALOS_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/talos && git describe --tag --always --dirty --match v[0-9]\*)
-SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git describe --tag --always --dirty)-$(PKGS_TAG)
+SBCOVERLAY_TAG = $(shell cd $(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5 && git describe --tag --always)-$(PKGS_TAG)
 
 # Build the --system-extension-image flags from the EXTENSIONS list
 EXTENSION_FLAGS = $(foreach ext,$(EXTENSIONS),--system-extension-image=$(ext))
 
+# Supply chain attestation flags (overrides upstream --provenance=false)
+ATTESTATION_ARGS = --provenance=true --sbom=true
+
 # Common imager flags for overlay and extensions
 IMAGER_COMMON_FLAGS = \
 	--overlay-name="rpi5" \
@@ -103,7 +106,7 @@ checkouts-clean:
 #
 # Patches
 #
-.PHONY: patches-pkgs patches-talos patches
+.PHONY: patches-pkgs patches-talos patches-overlay patches
 patches-pkgs:
 	cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
 		git am "$(PATCHES_DIRECTORY)/siderolabs/pkgs/"*.patch
@@ -112,7 +115,11 @@ patches-talos:
 	cd "$(CHECKOUTS_DIRECTORY)/talos" && \
 		git am "$(PATCHES_DIRECTORY)/siderolabs/talos/"*.patch
 
-patches: patches-pkgs patches-talos
+patches-overlay:
+	cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
+		git am "$(PATCHES_DIRECTORY)/talos-rpi5/sbc-raspberrypi5/"*.patch
+
+patches: patches-pkgs patches-talos patches-overlay
 
 #
 # Kernel — build and push the RPi downstream kernel
@@ -121,7 +128,7 @@ patches: patches-pkgs patches-talos
 kernel:
 	cd "$(CHECKOUTS_DIRECTORY)/pkgs" && \
 		$(MAKE) docker-kernel \
-			TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true" \
+			TARGET_ARGS="--tag=$(KERNEL_IMAGE):$(PKGS_TAG) --push=true $(ATTESTATION_ARGS)" \
 			PLATFORM=linux/arm64
 
 #
@@ -138,7 +145,7 @@ overlay:
 		rm -f "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5/internal/base/pkg.yaml.bak"
 	cd "$(CHECKOUTS_DIRECTORY)/sbc-raspberrypi5" && \
 		$(MAKE) docker-sbc-raspberrypi5 \
-			TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true" \
+			TARGET_ARGS="--tag=$(OVERLAY_IMAGE):$(SBCOVERLAY_TAG) --push=true $(ATTESTATION_ARGS)" \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64
 
 #
@@ -160,13 +167,13 @@ installer:
 			PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
 			target-imager \
-			TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true" && \
+			TARGET_ARGS="--output type=image,name=$(IMAGER_IMAGE):$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
 		$(MAKE) \
 			REGISTRY=$(REGISTRY) USERNAME=$(REGISTRY_USERNAME) \
 			PKG_KERNEL=$(KERNEL_IMAGE):$(PKGS_TAG) \
 			INSTALLER_ARCH=arm64 PLATFORM=linux/arm64 \
 			target-installer-base \
-			TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true" && \
+			TARGET_ARGS="--output type=image,name=$(INSTALLER_IMAGE):base-$(TALOS_TAG),push=true $(ATTESTATION_ARGS)" && \
 		docker pull $(IMAGER_IMAGE):$(TALOS_TAG) && \
 		docker run --rm -t -v ./_out:/out --privileged --network=host \
 			$(IMAGER_IMAGE):$(TALOS_TAG) \

patches/siderolabs/talos/0001-Patched-for-Raspberry-Pi-5.patch

@@ -1,17 +1,18 @@
-From 87c9e57548bc0aef15d67967a68cc9185216361d Mon Sep 17 00:00:00 2001
+From 808bd99557797a8175464184202ff4df7c324a55 Mon Sep 17 00:00:00 2001
 From: Patrick Hunziker <patrick@hunziker.io>
 Date: Sat, 8 Nov 2025 11:31:15 +0100
-Subject: [PATCH] [PATCH] Patched for Raspberry Pi 5
+Subject: [PATCH] Patched for Raspberry Pi 5
 
 ---
- hack/modules-arm64.txt | 343 +++++++++++++++++++----------------------
- 1 file changed, 160 insertions(+), 183 deletions(-)
+ hack/modules-arm64.txt | 367 ++++++++++++++++++-----------------------
+ 1 file changed, 160 insertions(+), 207 deletions(-)
 
 diff --git a/hack/modules-arm64.txt b/hack/modules-arm64.txt
-index 6c48a7465..95c3ee669 100644
+index 3b11b7551..95c3ee669 100644
 --- a/hack/modules-arm64.txt
 +++ b/hack/modules-arm64.txt
-@@ -1,213 +1,190 @@
+@@ -1,237 +1,190 @@
+-kernel/arch/arm64/lib/xor-neon.ko
 +modules.builtin.bin
 +modules.builtin.modinfo
 +modules.builtin.alias.bin
@@ -32,6 +33,7 @@ index 6c48a7465..95c3ee669 100644
  kernel/crypto/async_tx/async_raid6_recov.ko
  kernel/crypto/async_tx/async_tx.ko
 -kernel/crypto/async_tx/async_xor.ko
+-kernel/crypto/hkdf.ko
 -kernel/crypto/xor.ko
 -kernel/drivers/acpi/video.ko
 -kernel/drivers/ata/ahci.ko
@@ -53,9 +55,10 @@ index 6c48a7465..95c3ee669 100644
 +kernel/drivers/infiniband/hw/hns/hns-roce-hw-v2.ko
 +kernel/drivers/misc/bcm2835_smi.ko
  kernel/drivers/crypto/tegra/tegra-se.ko
--kernel/drivers/gpu/drm/display/drm_dp_aux_bus.ko
 -kernel/drivers/gpu/drm/drm_buddy.ko
 -kernel/drivers/gpu/drm/drm_exec.ko
+-kernel/drivers/gpu/drm/drm_gpuvm.ko
+-kernel/drivers/gpu/drm/drm_panel_backlight_quirks.ko
 -kernel/drivers/gpu/drm/drm_suballoc_helper.ko
 +kernel/drivers/acpi/video.ko
 +kernel/drivers/gpu/drm/vc4/vc4.ko
@@ -108,12 +111,15 @@ index 6c48a7465..95c3ee669 100644
 -kernel/drivers/infiniband/hw/mlx4/mlx4_ib.ko
 -kernel/drivers/infiniband/hw/mlx5/mlx5_ib.ko
 -kernel/drivers/infiniband/sw/rxe/rdma_rxe.ko
+-kernel/drivers/irqchip/irq-bcm2712-mip.ko
 -kernel/drivers/irqchip/irq-imx-mu-msi.ko
+-kernel/drivers/leds/led-class-multicolor.ko
 -kernel/drivers/mailbox/bcm-flexrm-mailbox.ko
 -kernel/drivers/md/bcache/bcache.ko
 -kernel/drivers/md/dm-bio-prison.ko
 -kernel/drivers/md/dm-cache-smq.ko
 -kernel/drivers/md/dm-cache.ko
+-kernel/drivers/md/dm-integrity.ko
 -kernel/drivers/md/dm-multipath.ko
 -kernel/drivers/md/dm-raid.ko
 -kernel/drivers/md/dm-round-robin.ko
@@ -133,6 +139,7 @@ index 6c48a7465..95c3ee669 100644
 -kernel/drivers/mmc/host/sdhci-pci.ko
 -kernel/drivers/mmc/host/sdhci-pltfm.ko
 -kernel/drivers/mmc/host/sdhci-tegra.ko
+-kernel/drivers/mmc/host/sdhci-uhs2.ko
 -kernel/drivers/mmc/host/sdhci-xenon-driver.ko
 +kernel/drivers/nvme/host/nvme-rdma.ko
 +kernel/drivers/nvme/target/nvme-loop.ko
@@ -189,12 +196,16 @@ index 6c48a7465..95c3ee669 100644
 -kernel/drivers/net/ethernet/intel/i40e/i40e.ko
 -kernel/drivers/net/ethernet/intel/iavf/iavf.ko
 -kernel/drivers/net/ethernet/intel/ice/ice.ko
+-kernel/drivers/net/ethernet/intel/idpf/idpf.ko
 -kernel/drivers/net/ethernet/intel/igb/igb.ko
 -kernel/drivers/net/ethernet/intel/igbvf/igbvf.ko
 -kernel/drivers/net/ethernet/intel/igc/igc.ko
 -kernel/drivers/net/ethernet/intel/ixgbe/ixgbe.ko
 -kernel/drivers/net/ethernet/intel/ixgbevf/ixgbevf.ko
+-kernel/drivers/net/ethernet/intel/libeth/libeth_xdp.ko
 -kernel/drivers/net/ethernet/intel/libeth/libeth.ko
+-kernel/drivers/net/ethernet/intel/libie/libie_adminq.ko
+-kernel/drivers/net/ethernet/intel/libie/libie_fwlog.ko
 -kernel/drivers/net/ethernet/intel/libie/libie.ko
 -kernel/drivers/net/ethernet/marvell/sky2.ko
 -kernel/drivers/net/ethernet/mellanox/mlx4/mlx4_core.ko
@@ -220,6 +231,7 @@ index 6c48a7465..95c3ee669 100644
 -kernel/drivers/net/ethernet/stmicro/stmmac/dwmac-meson.ko
 -kernel/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.ko
 -kernel/drivers/net/ethernet/stmicro/stmmac/dwmac-qcom-ethqos.ko
+-kernel/drivers/net/ethernet/stmicro/stmmac/dwmac-renesas-gbeth.ko
 -kernel/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.ko
 -kernel/drivers/net/ethernet/stmicro/stmmac/dwmac-sun8i.ko
 -kernel/drivers/net/ethernet/stmicro/stmmac/dwmac-sunxi.ko
@@ -315,18 +327,30 @@ index 6c48a7465..95c3ee669 100644
 -kernel/drivers/usb/serial/cp210x.ko
 -kernel/drivers/usb/serial/ftdi_sio.ko
 -kernel/drivers/usb/serial/pl2303.ko
+-kernel/drivers/vdpa/mlx5/mlx5_vdpa.ko
+-kernel/drivers/vdpa/octeon_ep/octep_vdpa.ko
+-kernel/drivers/vdpa/solidrun/snet_vdpa.ko
+-kernel/drivers/vdpa/vdpa_sim/vdpa_sim_blk.ko
+-kernel/drivers/vdpa/vdpa_sim/vdpa_sim_net.ko
+-kernel/drivers/vdpa/vdpa_sim/vdpa_sim.ko
+-kernel/drivers/vdpa/vdpa_user/vduse.ko
+-kernel/drivers/vdpa/vdpa.ko
+-kernel/drivers/vdpa/virtio_pci/vp_vdpa.ko
 -kernel/drivers/vfio/pci/vfio-pci-core.ko
 +kernel/drivers/thunderbolt/thunderbolt.ko
  kernel/drivers/vfio/pci/vfio-pci.ko
 -kernel/drivers/vfio/vfio_iommu_type1.ko
 +kernel/drivers/vfio/pci/vfio-pci-core.ko
  kernel/drivers/vfio/vfio.ko
+-kernel/drivers/vhost/vhost_vdpa.ko
+-kernel/drivers/vhost/vringh.ko
 -kernel/drivers/virtio/virtio_balloon.ko
 -kernel/drivers/virtio/virtio_input.ko
 -kernel/drivers/virtio/virtio_mmio.ko
 -kernel/drivers/virtio/virtio_pci_legacy_dev.ko
 -kernel/drivers/virtio/virtio_pci_modern_dev.ko
 -kernel/drivers/virtio/virtio_pci.ko
+-kernel/drivers/virtio/virtio_vdpa.ko
 +kernel/drivers/vfio/vfio_iommu_type1.ko
 +kernel/drivers/usb/class/cdc-wdm.ko
 +kernel/drivers/usb/serial/usb_wwan.ko

patches/talos-rpi5/sbc-raspberrypi5/0001-Bump-Go-toolchain-to-1.24.13.patch

@@ -0,0 +1,38 @@
+From 69f14c84e9e458dcff24905145cac8557c0e2965 Mon Sep 17 00:00:00 2001
+From: Mathias Beaulieu-Duncan <mathias@svrnty.io>
+Date: Fri, 13 Feb 2026 15:25:26 -0500
+Subject: [PATCH] Bump Go toolchain to 1.24.13 to fix stdlib CVEs
+
+---
+ go.work                    | 4 +++-
+ installers/rpi5/src/go.mod | 4 +++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/go.work b/go.work
+index f4dafe7..798ea43 100644
+--- a/go.work
++++ b/go.work
+@@ -1,3 +1,5 @@
+-go 1.24.0
++go 1.24.13
++
++toolchain go1.24.13
+ 
+ use ./installers/rpi5/src
+diff --git a/installers/rpi5/src/go.mod b/installers/rpi5/src/go.mod
+index 50b72d5..af5f5f8 100644
+--- a/installers/rpi5/src/go.mod
++++ b/installers/rpi5/src/go.mod
+@@ -1,6 +1,8 @@
+ module rpi_generic
+ 
+-go 1.24.0
++go 1.24.13
++
++toolchain go1.24.13
+ 
+ require (
+ 	github.com/siderolabs/go-copy v0.1.0
+-- 
+2.50.1 (Apple Git-155)
+

scripts/auto-update.sh

@@ -0,0 +1,107 @@
+#!/usr/bin/env bash
+# Auto-update upstream versions, verify patches, and generate a release tag
+#
+# Expects environment variables from check-upstream.sh:
+#   TALOS_UPDATE, RPI_UPDATE, LATEST_TALOS, LATEST_RPI_TAG
+#
+# Outputs (for GitHub Actions):
+#   patch_failed=true   — if patches fail to apply (caller should create issue)
+#   new_tag=<tag>       — the computed release tag (e.g. v1.12.3-k6.12.47-1)
+#
+# Usage:
+#   TALOS_UPDATE=true LATEST_TALOS=v1.13.0 ./scripts/auto-update.sh >> "$GITHUB_OUTPUT"
+
+set -euo pipefail
+
+TALOS_UPDATE=${TALOS_UPDATE:-false}
+RPI_UPDATE=${RPI_UPDATE:-false}
+LATEST_TALOS=${LATEST_TALOS:-}
+LATEST_RPI_TAG=${LATEST_RPI_TAG:-}
+
+MAKEFILE="Makefile"
+PATCH_FILE="patches/siderolabs/pkgs/0001-Patched-for-Raspberry-Pi-5.patch"
+
+# Helper: extract kernel semver (e.g. 6.12.47) from the RPi repo Makefile
+get_kernel_version() {
+  local tag="$1"
+  curl -sf "https://raw.githubusercontent.com/raspberrypi/linux/${tag}/Makefile" \
+    | awk '
+      /^VERSION/     { version=$3 }
+      /^PATCHLEVEL/  { patchlevel=$3 }
+      /^SUBLEVEL/    { sublevel=$3 }
+      END { print version "." patchlevel "." sublevel }
+    '
+}
+
+# ── RPi kernel update ───────────────────────────────────────────────
+if [ "$RPI_UPDATE" = "true" ] && [ -n "$LATEST_RPI_TAG" ]; then
+  echo "Updating RPi kernel to $LATEST_RPI_TAG ..." >&2
+
+  # Download tarball and compute checksums
+  TARBALL_URL="https://github.com/raspberrypi/linux/archive/refs/tags/${LATEST_RPI_TAG}.tar.gz"
+  TMP=$(mktemp)
+  curl -sL "$TARBALL_URL" -o "$TMP"
+  NEW_SHA256=$(shasum -a 256 "$TMP" | awk '{print $1}')
+  NEW_SHA512=$(shasum -a 512 "$TMP" | awk '{print $1}')
+  rm -f "$TMP"
+
+  echo "  SHA256: $NEW_SHA256" >&2
+  echo "  SHA512: $NEW_SHA512" >&2
+
+  # Get actual kernel version for the config header
+  KERNEL_VERSION=$(get_kernel_version "$LATEST_RPI_TAG")
+  echo "  Kernel version: $KERNEL_VERSION" >&2
+
+  # Update patch file
+  sed -i "s/+  linux_version: .*/+  linux_version: ${LATEST_RPI_TAG}/" "$PATCH_FILE"
+  sed -i "s/+  linux_sha256: .*/+  linux_sha256: ${NEW_SHA256}/" "$PATCH_FILE"
+  sed -i "s/+  linux_sha512: .*/+  linux_sha512: ${NEW_SHA512}/" "$PATCH_FILE"
+  sed -i "s|+# Linux/arm64 .* Kernel Configuration|+# Linux/arm64 ${KERNEL_VERSION} Kernel Configuration|" "$PATCH_FILE"
+fi
+
+# ── Talos update ────────────────────────────────────────────────────
+if [ "$TALOS_UPDATE" = "true" ] && [ -n "$LATEST_TALOS" ]; then
+  echo "Updating Talos to $LATEST_TALOS ..." >&2
+
+  # Update TALOS_VERSION in Makefile
+  sed -i "s/^TALOS_VERSION = .*/TALOS_VERSION = ${LATEST_TALOS}/" "$MAKEFILE"
+
+  # Derive matching PKG_VERSION (same major.minor as Talos)
+  PKG_MINOR=$(echo "$LATEST_TALOS" | sed -E 's/^(v[0-9]+\.[0-9]+)\..*/\1/')
+  LATEST_PKG=$(curl -sf "https://api.github.com/repos/siderolabs/pkgs/tags?per_page=20" \
+    | jq -r "[.[] | select(.name | startswith(\"${PKG_MINOR}\"))][0].name")
+
+  if [ -n "$LATEST_PKG" ] && [ "$LATEST_PKG" != "null" ]; then
+    echo "  Updating PKG_VERSION to $LATEST_PKG" >&2
+    sed -i "s/^PKG_VERSION = .*/PKG_VERSION = ${LATEST_PKG}/" "$MAKEFILE"
+  else
+    echo "  WARNING: No matching pkgs tag for $PKG_MINOR — keeping current PKG_VERSION" >&2
+  fi
+fi
+
+# ── Smoke test — verify patches apply ───────────────────────────────
+echo "Running patch smoke test ..." >&2
+if ! gmake checkouts patches; then
+  echo "Patches failed to apply!" >&2
+  gmake checkouts-clean 2>/dev/null || true
+  echo "patch_failed=true"
+  exit 0
+fi
+gmake checkouts-clean
+
+# ── Generate tag ────────────────────────────────────────────────────
+TALOS_VER=$(grep '^TALOS_VERSION' "$MAKEFILE" | awk '{print $NF}')
+RPI_TAG=$(grep '+  linux_version:' "$PATCH_FILE" | awk '{print $NF}')
+KERNEL_VER=$(get_kernel_version "$RPI_TAG")
+
+# Find next build number for this component combination
+TAG_PREFIX="${TALOS_VER}-k${KERNEL_VER}"
+LAST_BUILD=$(git tag -l "${TAG_PREFIX}-*" \
+  | sed "s|${TAG_PREFIX}-||" \
+  | sort -n \
+  | tail -1)
+NEXT_BUILD=$(( ${LAST_BUILD:-0} + 1 ))
+NEW_TAG="${TAG_PREFIX}-${NEXT_BUILD}"
+
+echo "Generated tag: $NEW_TAG" >&2
+echo "new_tag=$NEW_TAG"

scripts/check-upstream.sh

@@ -1,54 +1,57 @@
 #!/usr/bin/env bash
 # Check for upstream Talos and RPi kernel updates
 #
-# Compares current versions in Makefile against the latest GitHub releases.
-# Outputs GitHub Actions-compatible variables for use in CI workflows.
+# Compares current versions (from Makefile + pkgs patch) against the
+# latest GitHub releases/tags. Outputs GitHub Actions-compatible variables.
 #
 # Usage:
-#   ./scripts/check-upstream.sh           # Print results
+#   ./scripts/check-upstream.sh           # Print results to stdout/stderr
 #   ./scripts/check-upstream.sh >> "$GITHUB_OUTPUT"  # For CI
 
 set -euo pipefail
 
 MAKEFILE="${MAKEFILE:-Makefile}"
+PATCH_FILE="${PATCH_FILE:-patches/siderolabs/pkgs/0001-Patched-for-Raspberry-Pi-5.patch}"
 
-# Extract current versions from Makefile
-CURRENT_TALOS=$(grep '^TALOS_VERSION' "$MAKEFILE" | head -1 | awk '{print $NF}')
-CURRENT_PKG=$(grep '^PKG_VERSION' "$MAKEFILE" | head -1 | awk '{print $NF}')
+# ── Current versions ────────────────────────────────────────────────
+CURRENT_TALOS=$(grep '^TALOS_VERSION' "$MAKEFILE" | awk '{print $NF}')
+CURRENT_RPI_TAG=$(grep '+  linux_version:' "$PATCH_FILE" | awk '{print $NF}')
 
-echo "Current Talos version: $CURRENT_TALOS"
-echo "Current PKG version:   $CURRENT_PKG"
+echo "Current Talos version: $CURRENT_TALOS" >&2
+echo "Current RPi kernel tag: $CURRENT_RPI_TAG" >&2
 
-# Check latest Talos stable release
+# ── Latest versions from GitHub API ─────────────────────────────────
 LATEST_TALOS=$(curl -sf "https://api.github.com/repos/siderolabs/talos/releases/latest" \
-  | grep '"tag_name"' | sed -E 's/.*"tag_name": *"([^"]+)".*/\1/')
+  | jq -r '.tag_name')
 
-echo "Latest Talos release:  $LATEST_TALOS"
+LATEST_RPI_TAG=$(curl -sf "https://api.github.com/repos/raspberrypi/linux/tags?per_page=20" \
+  | jq -r '[.[] | select(.name | startswith("stable_"))][0].name')
 
-# Check latest RPi kernel stable tag (format: stable_YYYYMMDD)
-LATEST_RPI_KERNEL=$(curl -sf "https://api.github.com/repos/raspberrypi/linux/tags?per_page=10" \
-  | grep '"name"' | grep 'stable_' | head -1 | sed -E 's/.*"name": *"([^"]+)".*/\1/')
+echo "Latest Talos release:  $LATEST_TALOS" >&2
+echo "Latest RPi kernel tag: $LATEST_RPI_TAG" >&2
 
-echo "Latest RPi kernel tag: $LATEST_RPI_KERNEL"
-
-# Output for GitHub Actions
-echo "talos_current=$CURRENT_TALOS"
-echo "talos_latest=$LATEST_TALOS"
+# ── Determine what needs updating ───────────────────────────────────
+TALOS_UPDATE=false
+RPI_UPDATE=false
 
 if [ "$CURRENT_TALOS" != "$LATEST_TALOS" ]; then
-  echo "talos_update=true"
+  TALOS_UPDATE=true
   echo ">> Talos update available: $CURRENT_TALOS -> $LATEST_TALOS" >&2
 else
-  echo "talos_update=false"
   echo ">> Talos is up to date" >&2
 fi
 
-# For RPi kernel, we output what we found — the actual version tracking
-# depends on the pkgs patch content which references a specific kernel tag
-echo "rpi_current=check-patch"
-echo "rpi_latest=$LATEST_RPI_KERNEL"
+if [ "$CURRENT_RPI_TAG" != "$LATEST_RPI_TAG" ]; then
+  RPI_UPDATE=true
+  echo ">> RPi kernel update available: $CURRENT_RPI_TAG -> $LATEST_RPI_TAG" >&2
+else
+  echo ">> RPi kernel is up to date" >&2
+fi
 
-# We always flag RPi kernel for review since we can't easily parse the
-# patch to extract the exact pinned version
-echo "rpi_update=true"
-echo ">> RPi kernel latest stable: $LATEST_RPI_KERNEL (review patch manually)" >&2
+# ── Output for GitHub Actions ───────────────────────────────────────
+echo "talos_current=$CURRENT_TALOS"
+echo "talos_latest=$LATEST_TALOS"
+echo "talos_update=$TALOS_UPDATE"
+echo "rpi_current=$CURRENT_RPI_TAG"
+echo "rpi_latest=$LATEST_RPI_TAG"
+echo "rpi_update=$RPI_UPDATE"