chore: update dependencies

[renovate]

Update Request | Renovate Bot

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/siderolabs/talos/pkg/machinery	v1.9.5 -> v1.11.3
github.com/siderolabs/talos/pkg/machinery	v1.9.2 -> v1.11.3
golang.org/x/sys	v0.32.0 -> v0.37.0
golang.org/x/sys	v0.29.0 -> v0.37.0

---

Release Notes

siderolabs/talos (github.com/siderolabs/talos/pkg/machinery)

v1.11.3

Compare Source

Talos 1.11.3 (2025-10-15)

Welcome to the v1.11.3 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

runc: 1.3.2
Kubernetes: 1.34.1
Linux: 6.12.52
linux-firmware: 2025101
CoreDNS: 1.12.4
etcd: 3.6.5
Flannel: 0.27.4

Talos is built with Go 1.24.9.

Contributors

• Noel Georgi
• Andrey Smirnov
• Chris Sanders
• Grzegorz Rozniecki

Changes

11 commits

• @​a0243ef release(v1.11.3): prepare release
• @​560241c fix: make Akamai platform usable
• @​1b23cad fix: cherry-pick of commit 0fbb0b0 from #​11959
• @​876719a fix: cherry-pick of commit cd9fb27 from #​11943
• @​9a30ab6 feat: bump go, kernel and runc
• @​0fbb0b0 fix: provide nocloud metadata with missing network config
• @​0dad328 feat: update Flannel to v0.27.4
• @​49182b3 fix: support secure HTTP proxy with gRPC dial
• @​a460f57 feat: update etcd 3.6.5, CoreDNS 1.12.4
• @​48ee858 fix: don't set broadcast for /31 and /32 addresses
• @​7668c52 fix: provide refreshing CA pool (resolvers)

Changes from siderolabs/pkgs

5 commits

• siderolabs/pkgs@c316374 feat: bump go to 1.24.9
• siderolabs/pkgs@769a799 feat: update linux-firmware to 2025101
• siderolabs/pkgs@99ddfd5 feat: update runc to 1.3.2
• siderolabs/pkgs@4fecfeb feat: bump kernel to 6.12.52
• siderolabs/pkgs@934783f feat: bump go

Changes from siderolabs/tools

2 commits

• siderolabs/tools@05ee846 feat: bump go
• siderolabs/tools@efbbe9d feat: bump go

Dependency Changes

• github.com/siderolabs/pkgs v1.11.0-21-gf95c679 -> v1.11.0-26-gc316374
• github.com/siderolabs/talos/pkg/machinery v1.11.2 -> v1.11.3
• github.com/siderolabs/tools v1.11.0-2-g8556c73 -> v1.11.0-4-g05ee846

Previous release can be found at v1.11.2

Images

ghcr.io/siderolabs/flannel:v0.27.4
registry.k8s.io/coredns/coredns:v1.12.4
gcr.io/etcd-development/etcd:v3.6.5
registry.k8s.io/kube-apiserver:v1.34.1
registry.k8s.io/kube-controller-manager:v1.34.1
registry.k8s.io/kube-scheduler:v1.34.1
registry.k8s.io/kube-proxy:v1.34.1
ghcr.io/siderolabs/kubelet:v1.34.1
ghcr.io/siderolabs/installer:v1.11.3
registry.k8s.io/pause:3.10

v1.11.2

Compare Source

Talos 1.11.2 (2025-09-25)

Welcome to the v1.11.2 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

runc: 1.3.1
Kubernetes: 1.34.1
Linux: 6.12.48
linux-firmware: 2025091

Talos is built with Go 1.24.6.

Contributors

• Andrey Smirnov
• Mateusz Urbanek
• Noel Georgi
• Dmitrii Sharshakov
• Oguz Kilcan
• Serge Logvinov

Changes

17 commits

• @​511b4d2 release(v1.11.2): prepare release
• @​ac45257 fix: default gateway as string
• @​7cec0e0 fix: uefi boot entry handling logic
• @​637154e docs: drop invalid v1.12 docs
• @​a6d2f65 chore(ci): rekres to use new runner groups
• @​cd82ee2 refactor: efivarfs mock and tests
• @​996d97d chore: update pkgs
• @​bbf860c docs: update component updates
• @​24c1bce fix: bump trustd memory limit
• @​56d6d6f chore: pass in github token to imager
• @​682df89 fix: use correct order to determine SideroV1 keys directory path
• @​a838881 fix: trim zero bytes in the DHCP host & domain response
• @​9c962ae fix: re-create cgroups when restarting runners
• @​de243f9 test: fix flakiness in RawVolumes test
• @​ec8fde5 feat: update Kubernetes to 1.34.1
• @​797897d test: improve test stability
• @​9827366 feat: update runc to 1.3.1

Changes from siderolabs/pkgs

3 commits

• siderolabs/pkgs@f95c679 chore: update kernel to 6.12.48
• siderolabs/pkgs@0bd4cb9 chore: update linuxfirmware and rekres
• siderolabs/pkgs@0c8a195 feat: update runc to 1.3.1

Dependency Changes

• github.com/siderolabs/pkgs v1.11.0-18-g1a25681 -> v1.11.0-21-gf95c679
• github.com/siderolabs/talos/pkg/machinery v1.11.1 -> v1.11.2
• k8s.io/api v0.34.0 -> v0.34.1
• k8s.io/apiextensions-apiserver v0.34.0 -> v0.34.1
• k8s.io/apiserver v0.34.0 -> v0.34.1
• k8s.io/client-go v0.34.0 -> v0.34.1
• k8s.io/component-base v0.34.0 -> v0.34.1
• k8s.io/kube-scheduler v0.34.0 -> v0.34.1
• k8s.io/kubectl v0.34.0 -> v0.34.1
• k8s.io/kubelet v0.34.0 -> v0.34.1
• k8s.io/pod-security-admission v0.34.0 -> v0.34.1

Previous release can be found at v1.11.1

Images

ghcr.io/siderolabs/flannel:v0.27.2
registry.k8s.io/coredns/coredns:v1.12.3
gcr.io/etcd-development/etcd:v3.6.4
registry.k8s.io/kube-apiserver:v1.34.1
registry.k8s.io/kube-controller-manager:v1.34.1
registry.k8s.io/kube-scheduler:v1.34.1
registry.k8s.io/kube-proxy:v1.34.1
ghcr.io/siderolabs/kubelet:v1.34.1
ghcr.io/siderolabs/installer:v1.11.2
registry.k8s.io/pause:3.10

v1.11.1

Compare Source

Talos 1.11.1 (2025-09-08)

Welcome to the v1.11.1 release of Talos!

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Component Updates

Linux: 6.12.45
CoreDNS: 1.12.3

Talos is built with Go 1.24.6.

Contributors

• Andrey Smirnov
• Markus Freitag
• Olivier Doucet
• Sammy ETUR

Changes

7 commits

• @​8e85c83 release(v1.11.1): prepare release
• @​ff8644c fix: correctly handle status-code 204
• @​7d5fe2d feat: update Linux kernel (memcg_v1, ublk)
• @​9e310a9 fix: enable support for VMWare arm64
• @​f7620f0 feat: update CoreDNS to 1.12.3
• @​01bf2f6 feat: add SOCKS5 proxy support to dynamic proxy dialer
• @​8a578bc feat: update Linux to 6.12.45

Changes from siderolabs/pkgs

3 commits

• siderolabs/pkgs@1a25681 feat: enable ublk support
• siderolabs/pkgs@95f0be4 fix: enable memcg v1
• siderolabs/pkgs@e1c333c feat: update Linux to 6.12.45

Dependency Changes

• cloud.google.com/go/compute/metadata v0.7.0 -> v0.8.0
• github.com/aws/aws-sdk-go-v2/config v1.29.17 -> v1.31.2
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.32 -> v1.18.4
• github.com/aws/smithy-go v1.22.4 -> v1.22.5
• github.com/miekg/dns v1.1.67 -> v1.1.68
• github.com/siderolabs/pkgs v1.11.0-15-g2ac857a -> v1.11.0-18-g1a25681
• github.com/siderolabs/talos/pkg/machinery v1.11.0 -> v1.11.1
• golang.org/x/net v0.42.0 -> v0.43.0
• golang.org/x/sys v0.34.0 -> v0.35.0
• golang.org/x/term v0.33.0 -> v0.34.0
• golang.org/x/text v0.27.0 -> v0.28.0
• google.golang.org/grpc v1.73.0 -> v1.75.0
• google.golang.org/protobuf v1.36.6 -> v1.36.8

Previous release can be found at v1.11.0

Images

ghcr.io/siderolabs/flannel:v0.27.2
registry.k8s.io/coredns/coredns:v1.12.3
gcr.io/etcd-development/etcd:v3.6.4
registry.k8s.io/kube-apiserver:v1.34.0
registry.k8s.io/kube-controller-manager:v1.34.0
registry.k8s.io/kube-scheduler:v1.34.0
registry.k8s.io/kube-proxy:v1.34.0
ghcr.io/siderolabs/kubelet:v1.34.0
ghcr.io/siderolabs/installer:v1.11.1
registry.k8s.io/pause:3.10

v1.11.0

Compare Source

Welcome to the v1.12.0-alpha.2 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at
https://github.com/siderolabs/talos/issues.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs
field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations
and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

Embedded Config

Talos Linux now supports embedding the machine configuration directly into the boot image.

etcd

etcd container image is now pulled from registry.k8s.io/etcd instead of gcr.io/etcd-development/etcd.

Ethernet Configuration

The Ethernet configuration now includes a wakeOnLAN field to enable Wake-on-LAN (WOL) support.
This field can be set to enable WOL and specify the desired WOL modes.

Extra Binaries

Talos Linux now ships with nft binary in the rootfs to support CNIs which shell out to nft command.

Feature Lock

Talos now ignores the following machine configuration fields:

• machine.features.rbac (locked to true)
• machine.features.apidCheckExtKeyUsage (locked to true)
• cluster.apiServer.disablePodSecurityPolicy (locked to false)

These fields were removed from the default machine configuration schema in v1.12 and are now always set to the locked values above.

GRUB

Talos Linux introduces new machine configuration option .machine.install.grubUseUKICmdline to control whether GRUB should use the kernel command line
provided by the boot assets (UKI) or to use the command line constructed by Talos itself (legacy behavior).

This option defaults to true for new installations, which means that GRUB will use the command line from the UKI, making it easier to customize kernel parameters via boot asset generation.
For existing installations upgrading to v1.12, this option will default to false to preserve the legacy behavior.

Kernel Module

Talos now supports optionally disabling kernel module signature verification by setting module.sig_enforce=0 kernel parameter.
By default module signature verification is enabled (module.sig_enforce=1).
When using Factory or Imager supply as -module.sig_enfore module.sig_enforce=0 kernel parameters to disable module signature enforcement.

Kernel Security Posture Profile (KSPP)

Talos now enables a stricter set of KSPP sysctl settings by default.
The list of overridden settings is available with talosctl get kernelparamstatus command.

Encrypted Volumes

Talos Linux now consistently provides mapped names for encrypted volumes in the format /dev/mapper/luks2-<volume-id>.
This change should not affect system or user volumes, but might allow easier identification of encrypted volumes,
and specifically for raw encrypted volumes.

talosctl image cache-serve

talosctl includes new subcommand image cache-serve.
It allows serving the created OCI image registry over HTTP/HTTPS.
It is a read-only registry, meaning images cannot be pushed to it, but the backing storage can be updated by re-running the cache-create command;

Additionally talosctl image cache-create has some changes:

• new flag --layout: oci (default), flat:
  • oci preserves current behavior;
  • flat does not repack artifact layer, but moves it to a destination directory, allowing it to be served by talosctl image cache-serve;
• changed flag --platform: now can accept multiple os/arch combinations:
  • comma separated (--platform=linux/amd64,linux/arm64);
  • multiple instances (--platform=linux/amd64 --platform=linux/arm64);

Component Updates

Linux: 6.17.5
Kubernetes: 1.35.0-alpha.2
CNI Plugins: 1.8.0
cryptsetup: 2.8.1
LVM2: 2_03_34
systemd-udevd: 257.8
runc: 1.3.2
CoreDNS: 1.13.0
etcd: 3.6.5
Flannel: 0.27.4
Flannel CNI plugin: v1.8.0-flannel1

Talos is built with Go 1.25.3.

Contributors

• Andrey Smirnov
• Noel Georgi
• Mateusz Urbanek
• Dmitrii Sharshakov
• Amarachi Iheanacho
• Orzelius
• Oguz Kilcan
• Utku Ozdemir
• George Gaál
• Jorik Jonker
• Justin Garrison
• Michael Smith
• 459below
• Alp Celik
• Andrew Longwill
• Chris Sanders
• Dmitry
• Febrian
• Florian Grignon
• Fred Heinecke
• Giau. Tran Minh
• Grzegorz Rozniecki
• Guillaume LEGRAIN
• Markus Freitag
• Max Makarov
• Mike Beaumont
• Misha Aksenov
• MrMrRubic
• Olivier Doucet
• Sammy ETUR
• Serge Logvinov
• Skyler Mäntysaari
• SuitDeer
• Tom
• aurh1l
• frozenprocess
• frozensprocess
• kassad
• leppeK
• samoreno
• theschles
• winnie

Changes

245 commits

• 3d811a4c8 release(v1.12.0-alpha.2): prepare release
• fb4bfe851 chore: fix LVM test
• f4ee0d112 chore: disable VIP operator test
• 288f63872 feat: bump deps
• b66482c52 feat: allow disabling injection of extra cmdline in cluster create
• 704b5f99e feat: update Kubernetes to 1.35.0-alpha.2
• 1dffa5d99 feat: implement virtual IP operator config
• 43b1d7537 fix: validate provisioner when destroying local clusters
• b494c54c8 fix: talos import on non-linux
• 61e95cb4b feat: support bootloader option for ISO
• d11072726 fix: provide offset for partitions in discovered volumes
• 39eeae963 feat: update dependencies
• 9890a9a31 test: fix OOM test
• c0772b8ed feat: add airgapped mode to QEMU backed talos
• ac60a9e27 fix: update test for PCI driver rebind/IOMMU
• 6c98f4cdb feat: implement new DHCP network configuration
• da92a756d fix: drop 'ro' falg from defaults
• 28fd2390c fix: imager build on arm64
• 4e12df8c5 test: integration test for OOM controller
• 7e498faba feat: use image signer
• eccb21dd3 feat: add presets to the 'cluster create qemu' command
• ec0a813fa feat: unify cmdline handling GRUB/systemd-boot
• 37e4c40c6 fix: skip module signature tests on docker provisioner only
• 8124efb42 fix: cache e2e
• 4adcda0f5 fix: reserve the apid and trustd ports from the ephemeral port range
• ced57b047 feat: support optionally disabling module sig verification
• 1e5c4ed64 fix: build talosctl image cache-serve non-linux
• dbdd2b237 feat: add static registry to talosctl
• 77d8cc7c5 chore: push latest tag only on main
• 59d9b1c75 feat: update dependencies
• bf6ad5171 feat: add back install script
• da451c5ba chore: drop documentation except for fresh reference
• 2f23fedeb fix: file leak in reading cgroups
• b412ffdbc docs: update README.md for docs link
• 8dc51bae7 feat: add drm_gpuvm and drm_gpusvm_helper modules
• 4ca58aeb8 fix: make Akamai platform usable
• 061f8e76f feat: bump pkgs
• a9fa852da feat: update uefi image to talos linux logo
• 04753ba69 feat: update go to 1.25.2
• 9a42b05bd feat: implement link aliasing
• d732bd0be chore(ci): run only nvidia tests for NVIDIA workflows
• 8d1468209 fix: stop populating apiserver cert SANs
• 02473244c fix: wait for mount status to be proper mode
• 825622d90 fix: resource proto definitions
• 2c6003e79 docs: add Project Calico installation in two mode
• 4fb4c8678 feat: add disk.EnableUUID to generated ova
• 33fb48f8f fix: add dashboard spinner
• 053fd0bd4 feat: update Linux to 6.17
• 34e107e1b docs: fix broken link
• dfbece56b docs: update the kubespan docs
• 8b041a72c docs: update scaleway.md
• 435dcbf82 fix: provide nocloud metadata with missing network config
• ec3bd878f refactor: remove the go-blockdevice v1 completely
• 33544bde9 fix: minor improvements to fs
• fd2eebf7f feat: create merge patch from diff of two machine configs
• eadbdda94 fix: uefi boot order setting
• cd9fb2743 fix: support secure HTTP proxy with gRPC dial
• adf87b4b9 feat: update Flannel to v0.27.4
• 5dfb7e1fe feat: serve etcd image from registry.k8s.io
• 5ca841804 fix: nftables flaky test
• a940e45a7 feat: generate list of images required to build talos
• 3472d6e79 fix: revert "chore: use new mount/v3 package in efivarfs"
• 42c0bdbf3 feat: add provisioner flag to images default command
• 6bc0b1bcf feat: drop and lock deprecated features
• 362a8e63b fix: change the compression format
• 6e58f58aa fix: mkdir artifacts path
• 3165a2b84 release(v1.12.0-alpha.1): prepare release
• e455c7ea9 chore: use testing/synctest in tests
• 7f048e962 feat: update dependencies
• fe36b3d32 fix: stop returning EINVAL on remount of detached mounts
• c6279e04c chore: use new mount/v3 package in efivarfs
• d5197effb feat: update etcd 3.6.5, CoreDNS 1.12.4
• 33714b715 feat: release cloud image using factory
• d10a2747e docs: deprecate JSON6902 patches and interactive installer
• 1e604cbf5 fix: don't set broadcast for /31 and /32 addresses
• 65a66097a refactor: split cluster create logic into smaller parts
• ab847310e fix: provide refreshing CA pool (resolvers)
• d63c3ed7d docs: update secureboot docs
• 493f7ed9d feat: support embedded config
• 251df70f6 feat: add a userspace OOM controller
• 7bae5b40b feat: implement link configuration
• 724857dec fix(ci): skip netbird extension for tests
• e06a08698 fix: default gateway as string
• 7ed07412e fix: uefi boot entry handling logic
• ea4ed165a refactor: efivarfs mock and tests
• 1fca111e2 feat: support setting wake-on-lan for Ethernet
• 94f78dbe7 docs: add a documentation for running Talos in KVM
• 46902f8fd docs: add TrueFullstaq to adopters
• a28e5cbd5 chore: update pkgs and tools
• 7cf403db8 docs: step-by-step scaleway documentation to get an image
• 687285fa2 docs: remove 'curl' in wget command
• 9db6dc06c feat: stop mounting state partition
• 53ce93aae test: try to clear connection refused more aggressively
• 51db5279c fix: bump trustd memory limit
• 25204dc8a fix(machined): change constants.MinimumGOAMD64Level using build tag
• 9cd2d794d feat: ship nft binary with Talos rootfs
• b1416c9fe feat: record last log the failed service
• 0b129f9ef feat: enforce more KSPP and hardening sysctls
• 11872643c chore: drop docs folder
• d30fdcd88 chore: pass in github token to imager
• b88f27d80 chore: make reset test code a bit better
• 1cde53d01 test: fix several issues with tests
• 16cd127a0 docs: add docs on updating image cache
• c3ae92b14 fix: build kernel checks only on linux
• 2120904ec feat: create detached tmpfs
• 6bbee6de5 docs: remove 'ceph-data' from volume examples/docs
• 07acb3bd2 fix: use correct order to determine SideroV1 keys directory path
• 2d57fa002 fix: trim zero bytes in the DHCP host & domain response
• 451cb5f78 docs: clarify disk partition confusion
• a2122ee5c feat: implement HostConfig multi-doc
• 69ab076b4 fix: re-create cgroups when restarting runners
• 297b5cc28 docs: add docs on node labels
• e168512dd fix: apply 'ro' flag to iso9660 filesystems
• 7f7acfbb9 docs: fix typo in doc
• d57882b18 feat: update Kubernetes to 1.34.1
• f85f82f32 test: fix flakiness in RawVolumes test
• 82569e319 feat: update Linux 6.16.6
• 2fd2ab4e4 fix: remove CoreDNS cpu limit
• ce9bc32a0 chore(ci): rekres to use new runner groups
• 8b64f68f6 test: improve test stability
• 272cb860d chore: drop the --input-dir flag from the cluster create command
• 1b6533675 docs: add note about ca-signed certs for secureboot
• d3f88f50c docs: document talos vip failover behavior
• 005fc8bd5 docs: add docs on syncing configs after a kube upgrade
• 4d876d9af feat: update Go to 1.25.1
• 2b556cd22 feat: implement multi-doc StaticHostConfig
• a7b776842 docs: replace Raspberry Pi 5 links with Talos builder
• a349b20ed docs: clarify that talos does not support intermediate ca
• 895133de9 feat: support configuring PCR states to bind disk encryption
• c1360103b docs: fix command for uploading image on Hetzner
• 43b5b9d89 fix: correctly handle status-code 204
• feeb0d312 feat: update runc to 1.3.1
• 421634a14 docs: add docs on multihoming
• 41af2d230 refactor: clean up internal cluster creation code
• 3000d9e43 fix: don't bootstrap talos cluster if there's no config present
• 79cb871d0 feat: use the id of the volume in the mapped luks2 name
• 6c322710d chore: refactor mount package
• ced7186e2 refactor: update COSI to 1.11.0
• de2e24fcd docs: clarify that install-cni image is deprecated
• bef8ef509 docs: add docs on cilium's compatibility with kubespan
• e5acb10fc feat: update pkgs
• c4c1daf0e docs: add info about br_netfilter
• 5c52ecac3 docs: clarify interactive dashboard resolution control
• 15ecb02a4 feat: update Linux kernel (memcg_v1, ublk)
• 53f18c2f6 fix: enable support for VMWare arm64
• 3bbe1c0da docs: add docs on grow flag
• b9fb09dcd release(v1.12.0-alpha.0): prepare release
• 6a389cad3 chore: update dependencies
• 9d98c2e89 feat: add a cgroup preset for PSI and --skip-cri-resolve
• 072f77b16 chore: prepare for future Talos 1.12-alpha.0 release
• 96f41ce88 docs: update qemu and docker docs
• a751cd6b7 docs: activate Talos v1.11 docs by default
• e8f1ec1c5 docs: fix broken create qemu command v1.11 docs
• 639f0dfdd feat: update Linux to 6.16.4
• 8aa7b3933 fix: bring back linux/armv7 build and update xz
• 9cae7ba6b feat: update CoreDNS to 1.12.3
• cfef3ad45 fix: drop linux/armv7 build
• 42ea2ac50 fix: update xz module (security)
• 4fcfd35b9 docs: fix module name example
• 50824599a chore: update some tools
• bcd297490 feat: allow Ed25119 in FIPS mode
• 5992138bb test: ignore one leaking goroutine
• d155326c1 docs: add sbc unofficial ports docs
• 285fa7d22 docs: add the deploy application docs
• 527791f09 feat: update Kubernetes to 1.34.0
• a1c0e237d feat: update Linux to 6.15.11, Go to 1.25
• 4d7fc25f8 docs: switch order of wipe disk command
• 7368a994d feat: add SOCKS5 proxy support to dynamic proxy dialer
• d63591069 chore: silence linter warnings
• 07eb4d7ec fix: set default ram unit to MiB instead of MB
• 6b732adc4 feat: update Linux to 6.12.43
• b6410914f feat: add human readable byte size cli flags
• ec70cef99 feat: update NVIDIA drivers and kernel
• 0879efa69 feat: update Kubernetes default to v1.34.0-rc.2
• f504639df feat: add a user-facing create qemu command
• 558e0b09a test: fix the Image Factory PXE boot test
• d73f0a2e5 docs: make readme badges consistent
• f1369af98 chore: use new filesystem api on STATE partition
• 366cedbe7 docs: link to kubernetes linux swap tuning
• 2f5a16f5e fix: make --with-uuid-hostnames functionality available to qemu provider
• 70612c1f9 refactor: split the PlatformConfigController
• 511748339 docs: add system extension tier documentation
• 009fb1540 test: don't run nvidia tests on integration/aws
• 99674ef20 docs: apply fixes for what is new
• 92db677b5 fix: image cache lockup on a missing volume
• 9c97ed886 fix: version contract parsing in encryption keys handling
• 1fc670a08 fix: dial with proxy
• 18447d0af feat: update Linux to 6.12.41
• f65f39b78 fix: provide mitigation CVE-1999-0524
• 8817cc60c fix: actually use SIDEROV1_KEYS_DIR env var if it's provided
• b08b20a10 feat: use key provider with fallback option for auth type SideroV1
• 7a52d7489 fix: kubernetes upgrade options for kubelet
• ea8289f55 feat: add a user facing docker command
• 54ad64765 chore: re-enable vulncheck
• 26bbddea9 fix: darwin build
• b5d5ef79e fix: set secs field in DHCPv4 packets
• c07911933 chore: refactor how tools are being installed
• 34f25815c docs: fork docs for v1.12
• b66b995d3 feat: update default Kubernetes to v1.34.0-rc.1
• b967c587d docs: fix clone URL to include .git
• b72c68398 docs: edit the insecure, etcd-metrics, inline and extramanifests
• e5b9c1fff docs: remov RAS Syndrome
• 701fe774b docs: fix cilium links and bump to 1.18.0
• d306713a1 feat: update Go to 1.24.6
• 721595a00 chore: add deadcode elimination linter
• dc4865915 refactor: stop using text/template in machined code paths
• 545be55ed feat: add a pause function to dashboard
• 06a6c0fe3 refactor: fix deadcode elimination with godbus
• 2dce8f8d4 refactor: replace containerd/containerd/v2 module for proper DCE
• 9b11d8608 chore: rekres to configure slack notify workflow for CI failures
• 5ce6a660f docs: augment the pod security docs
• ada51ff69 fix: unmarshal encryption STATE from META
• b9e9b2e07 docs: add what is new notes for 1.11
• 53055bdf4 docs: fix typo in kubevirt page
• 8d12db480 fix: one more attempt to fix volume mount race on restart
• 34d37a268 chore: rekres to use correct slack channel for slack-notify
• 326a00538 feat: implement talos.config.early command line arg
• a5f3000f2 feat: implement encryption locking to STATE
• c1e65a342 docs: remove talos API flags from mgmt commands
• 181d0bbf5 feat: bootedentry resource
• 7ad439ac3 fix: enforce minimum size on user volumes if not set explicitly
• 50e37aefd fix: live reload of TLS client config for discovery client
• 87efd75ef feat: update containerd to 2.1.4
• 724b9de6d feat: add F71808E watchdog driver
• 8af96f7af docs: add ETCD downgrade documentation
• 44edd205d docs: add remark about 'exclude-from-external-load-balancers' label
• 727101926 fix(ci): use a random suffix for ami names
• d621ce372 fix: grype scan
• d62e255c2 fix: issues with reading GPT
• 5d0883e14 feat: update PCI DB module to v0.3.2
• 3751c8ccf test: wait for service account test job longer
• a592eb9f9 feat: update Linux to 6.12.40
• 4c40e6d3f feat: update etcd to 3.6.4
• 2bc37bd2c docs: fix error in kernel module guide
• bfc57fb86 chore: tag aws snapshots created via ci with the image name
• 06ef7108a fix: issue with volume remount on service restart
• 03efbff18 docs

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: installers/rock5t/src/go.sum

Command failed: install-tool golang 1.23.3