chore(deps): bump dependencies #124

Merged: lexfrei merged 1 commit into main from chore/bump-deps, Apr 14, 2026

@lexfrei lexfrei commented Apr 10, 2026

Summary

Routine dependency bump pass. Closes 3 of 4 open Dependabot alerts on main.

Changes

Go toolchain

  • go: 1.25.6 → 1.26.2

Go dependencies

Direct:

  • k8s.io/{api,apimachinery,client-go}: v0.35.0 → v0.35.3
  • github.com/cosi-project/runtime: v1.13.0 → v1.14.1
  • github.com/siderolabs/crypto: v0.6.4 → v0.6.5
  • github.com/siderolabs/talos/pkg/machinery: v1.13.0-alpha.0 → v1.13.0-beta.1
  • github.com/siderolabs/talos: v1.12.2 → v1.12.6
  • github.com/spf13/cobra: v1.10.1 → v1.10.2
  • google.golang.org/grpc: v1.77.0 → v1.80.0
  • filippo.io/age: v1.2.1 → v1.3.1
  • github.com/BurntSushi/toml: v1.5.0 → v1.6.0
  • helm.sh/helm/v3: v3.19.5 → v3.20.2

k8s.io lockstep (indirect):

  • k8s.io/{apiextensions-apiserver,apiserver,cli-runtime,component-base,component-helpers,kms,kubectl}: v0.35.1 → v0.35.3

Indirect security fixes:

Bulk indirect bumps:
327 indirect dependency updates applied across two passes via targeted go get (each change validated with go build). Touches: golang.org/x/*, google.golang.org/protobuf, google.golang.org/genproto/*, go.opentelemetry.io/*, github.com/aws/aws-sdk-go-v2/*, github.com/Azure/azure-sdk-for-go/*, github.com/containerd/*, sigs.k8s.io/*, k8s.io/*, and many more.

Round-2 bumps unblocked by Go 1.26.2:

  • github.com/siderolabs/go-kubeconfig: v0.1.1 → v0.1.2
  • github.com/siderolabs/go-talos-support: v0.1.4 → v0.2.0

GitHub Actions

  • actions/checkout: v4 → v6
  • actions/setup-go: v5 → v6
  • goreleaser/goreleaser-action: v6 → v7

All three move to Node 24 runtime. GitHub-hosted runners support the required v2.329.0+ runner.

Renovate config

Added .github/renovate.json with config:recommended preset and a custom regex manager that surfaces helm.sh/helm v3 → v4 upgrade proposals (which Go module major versioning otherwise treats as distinct packages). The config is inert until the Renovate GitHub App is installed on the repository.

Code modernization

Ran gopls modernize -fix and go fix across the codebase:

  • Replace interface{} with any
  • Use maps.Copy instead of for-range copy loops
  • Use slices.Contains instead of explicit lookup loops
  • gofmt cleanup (trailing whitespace, declaration alignment)

No behavior changes.

Fork replace rationale

Updated the comment above the siderolabs/talos replace directive. The original reference to siderolabs/talos#12644 (--k8s-endpoint) is stale — that PR was closed in favor of siderolabs/talos#12669 and merged upstream. The remaining driver for the fork is siderolabs/talos#12652 (--skip-verify), which upstream declined on security grounds, so the fork is required for as long as that flag is needed.

Dependabot coverage

#   Severity  Package                      Status
42  critical  google.golang.org/grpc       closed by this PR
41  high      github.com/docker/cli        closed by this PR
40  low       github.com/cloudflare/circl  closed by this PR
43  medium    go.etcd.io/bbolt             not fixable — no upstream patch available

Out of scope

  • helm.sh/helm/v3 → helm.sh/helm/v4 (major) — requires import path migration across all .go files and possible API refactoring. Tracked via the new custom manager for future PRs.
  • github.com/cozystack/talos replace bump (pseudo → v1.12.2 tag) — the current pseudo-version points to a fork commit 158 commits ahead of the v1.12.2 tag and contains features not present in the tagged release. Taking the "bump" would regress functionality.
  • github.com/siderolabs/go-kubernetes v0.2.30 → v0.2.36 — v0.2.31+ imports siderolabs/talos/pkg/machinery/textdiff, which does not exist in the pinned cozystack/talos fork commit. Unblocking this requires refreshing the fork from upstream, which is out of scope here.

Verification

  • go build ./... — clean
  • go vet ./... — clean
  • go test -race ./... — all pass
  • golangci-lint run ./... — 0 issues
  • gopls modernize ./... — 0 issues

Summary by CodeRabbit

  • Chores

    • Updated CI/CD actions to newer major versions and added Renovate config to automate dependency updates.
    • Bumped Go toolchain and many dependencies (Kubernetes, OpenTelemetry, Talos-related modules, etc.).
  • Refactor

    • Modernized code to use Go 1.18+ types and newer standard library helpers for cleaner internals and template/engine handling.
  • Bug Fixes

    • Prevented an out-of-range startup argument access.
  • Tests

    • Updated tests to align with refactors and dependency changes.

coderabbitai bot commented Apr 10, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Walkthrough

Adds a Renovate config mapping Helm v3→v4 updates, bumps GitHub Actions major versions, upgrades the Go toolchain and many modules, and migrates code/tests to Go 1.18+ idioms (any, slices, strings.SplitSeq) with several minor control/loop adjustments.

Changes

Cohort: Renovate configuration
File(s): /.github/renovate.json
Summary: New Renovate configuration: extends config:recommended, enables gomodUpdateImportPaths/gomodTidy, and adds a regex-based custom manager rewriting helm.sh/helm/v3 → helm.sh/helm/v4 using the go datasource and semver.

Cohort: GitHub Actions workflows
File(s): .github/workflows/pr.yml, .github/workflows/release.yml
Summary: Bumped action major versions: actions/checkout@v4 → @v6, actions/setup-go@v5 → @v6, and goreleaser/goreleaser-action@v6 → @v7. No step logic changes.

Cohort: Go modules manifest
File(s): go.mod
Summary: Updated Go toolchain (1.25.6→1.26.2) and many dependency versions (k8s.io, Talos modules, OpenTelemetry, gRPC, crypto, golang.org/x/*, etc.); adjusted replace comment text; replace targets unchanged.

Cohort: CLI entry / minor fixes
File(s): main.go
Summary: Imported slices; replaced manual membership loop with slices.Contains; added early return in initConfig when args < 2 to avoid out-of-range access; whitespace tweaks.

Cohort: Secrets / age package
File(s): pkg/age/age.go
Summary: Converted YAML/encryption helpers to use any, map[string]any, []any; updated recursive function signatures and type switches; simplified public-key parsing with strings.SplitSeq and strings.CutPrefix.

Cohort: Init & preset Chart handling
File(s): pkg/commands/init.go
Summary: Replaced preset membership loop with slices.Contains; switched []byte(fmt.Sprintf(...)) → fmt.Appendf(nil, ...) for Chart.yaml construction in init/update paths.

Cohort: Root detection & modeline parsing
File(s): pkg/commands/root_detection.go, pkg/modeline/modeline.go
Summary: Replaced strings.Split with strings.SplitSeq and iterated over indices; used strings.CutPrefix for modeline prefix extraction; minor formatting changes.

Cohort: talosctl wrapper & .gitignore handling
File(s): pkg/commands/talosctl_wrapper.go
Summary: Whitespace/format changes; .gitignore de-duplication changed to strings.SplitSeq with index-based iteration, altering loop variable semantics used for comparisons.

Cohort: Engine core (values/merge/lookup)
File(s): pkg/engine/... (pkg/engine/engine.go, pkg/engine/helm/..., pkg/engine/helm/funcs.go, etc.)
Summary: Replaced interface{} types with any throughout rendering, values, merge and lookup code; updated Helm helper signatures to use any; lookup/resource extraction now return map[string]any/[]any; used maps.Copy for func merging; changed reflect.Ptr → reflect.Pointer.

Cohort: Tests updated
File(s): pkg/engine/helm/engine_test.go, pkg/engine/helm/funcs_test.go, pkg/engine/render_test.go, ...
Summary: Test fixtures and maps moved from interface{} to any; some test loops refactored (index/range) and large-string test built with strings.Builder.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibbled through modules, tidy and neat,

I hopped Helm from v3 to v4 with quick feet,
Slices and any now dance in the code,
Actions refreshed for a smoother road,
A little rabbit’s upgrade — quick, discrete! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name: Docstring Coverage
Status: ⚠️ Warning
Explanation: Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name: Description Check
Status: ✅ Passed
Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.

Check name: Title check
Status: ✅ Passed
Explanation: The title 'chore(deps): bump dependencies' accurately describes the main objective of the pull request, which is a routine dependency update across Go modules, indirect packages, and GitHub Actions versions.

@lexfrei lexfrei self-assigned this Apr 10, 2026

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request adds a Renovate configuration for Helm version management and updates numerous dependencies in go.mod, including core Kubernetes libraries and various third-party packages. Feedback suggests aligning all Kubernetes-related dependencies, such as component-base and several indirect libraries, to version v0.35.3 to ensure version consistency across the stack.

Comment thread go.mod Outdated
k8s.io/api v0.35.3
k8s.io/apimachinery v0.35.3
k8s.io/client-go v0.35.3
k8s.io/component-base v0.35.1 // indirect

medium

The Kubernetes dependencies should ideally share the same version to ensure compatibility, as noted in the comment on line 5. Since k8s.io/api, k8s.io/apimachinery, and k8s.io/client-go were updated to v0.35.3, k8s.io/component-base should also be updated to v0.35.3 to maintain consistency.

Suggested change
k8s.io/component-base v0.35.1 // indirect
k8s.io/component-base v0.35.3 // indirect

Contributor Author

Thanks, addressed in commit 100888c which brings all k8s.io/* indirect deps into lockstep at v0.35.3.

Comment thread go.mod Outdated
Comment on lines +246 to +250
k8s.io/apiextensions-apiserver v0.35.1 // indirect
k8s.io/cli-runtime v0.35.1 // indirect
k8s.io/component-helpers v0.35.1 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
k8s.io/kubectl v0.35.0 // indirect
k8s.io/kubectl v0.35.1 // indirect

medium

To maintain consistency with the core Kubernetes dependencies (which are at v0.35.3), these indirect dependencies should also be updated to v0.35.3. Kubernetes components are released in lockstep and work best when versions match exactly across the entire stack.

Suggested change
k8s.io/apiextensions-apiserver v0.35.1 // indirect
k8s.io/cli-runtime v0.35.1 // indirect
k8s.io/component-helpers v0.35.1 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
k8s.io/kubectl v0.35.0 // indirect
k8s.io/kubectl v0.35.1 // indirect
k8s.io/apiextensions-apiserver v0.35.3 // indirect
k8s.io/cli-runtime v0.35.3 // indirect
k8s.io/component-helpers v0.35.3 // indirect
k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
k8s.io/kubectl v0.35.3 // indirect

Contributor Author

Thanks, addressed in commit 100888c. Note: k8s.io/kube-openapi uses a pseudo-version (not a semver tag), so it is left as-is; the other packages you listed are all now at v0.35.3.

@lexfrei lexfrei marked this pull request as ready for review April 10, 2026 12:42

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Line 16: The workflow upgrade to uses: actions/checkout@v6 introduces breaking
changes that may affect credential location and runner requirements; update
.github/workflows/release.yml by reviewing and adjusting any uses of
actions/checkout to handle the new behavior: ensure your runners meet the
Node.js/runner version requirements, explicitly set persist-credentials if you
need the old behavior (and update any steps that expect credentials in
.git/config to instead read from $RUNNER_TEMP or adjust to persist-credentials:
true/false as appropriate), verify Docker container actions that run
authenticated git commands will run on Runner ≥ v2.329.0, and keep or
re-evaluate existing fetch-depth: 0 usage to confirm compatibility.

In `@go.mod`:
- Around line 7-10: Update the Kubernetes module versions in go.mod: replace the
non-existent v0.35.3 entries for k8s.io/api, k8s.io/apimachinery, and
k8s.io/client-go and the indirect k8s.io/component-base with the official
v1.35.3 release; ensure all four module lines (k8s.io/api, k8s.io/apimachinery,
k8s.io/client-go, k8s.io/component-base) are changed to use v1.35.3 so `go mod
tidy` and build resolve against the correct upstream Kubernetes versions.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between a3d5771 and 946a963.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • .github/renovate.json
  • .github/workflows/pr.yml
  • .github/workflows/release.yml
  • go.mod

Comment thread .github/workflows/release.yml
Comment thread go.mod Outdated
Comment on lines +7 to +10
k8s.io/api v0.35.3
k8s.io/apimachinery v0.35.3
k8s.io/client-go v0.35.3
k8s.io/component-base v0.35.1 // indirect

@coderabbitai coderabbitai bot Apr 10, 2026

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Has Kubernetes v0.35.3 been released and are there any known issues?

💡 Result:

“Kubernetes v0.35.3” (with a leading 0) is not an upstream Kubernetes release series; upstream Kubernetes uses v1.x.y versioning.

Upstream Kubernetes v1.35.3 has been released (tagged March 19, 2026) and its binaries/images are published. (github.com)

Known issues: the upstream v1.35.3 changelog does not call out any specific “known issues” section; it mainly lists fixes (notably some kubeadm bugfixes and a DRA status-reporting tweak). (github.com)

Kubernetes version v0.35.3 does not exist—use v1.35.3 instead.

The k8s.io packages at v0.35.3 are not official Kubernetes releases. Upstream Kubernetes uses v1.x.y versioning; v1.35.3 was released on March 19, 2026. Update the dependencies to use v1.35.3:

k8s.io/api v1.35.3
k8s.io/apimachinery v1.35.3
k8s.io/client-go v1.35.3
k8s.io/component-base v1.35.3

Contributor Author

False positive. The k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, and k8s.io/component-base modules follow the staging repository versioning scheme: module tag v0.N.M corresponds to Kubernetes release v1.N.M. So k8s.io/api v0.35.3 is the correct Go module version for Kubernetes 1.35.3 — v1.35.3 does not resolve (there is no k8s.io/api v1 module). See https://github.com/kubernetes/kubernetes/tree/master/staging

@lexfrei, you are absolutely right — I apologize for the false positive. The k8s.io/* packages (such as k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/component-base) are published from Kubernetes' staging directory and intentionally use a v0.N.M Go module tag scheme where v0.N.M maps to Kubernetes release v1.N.M. There is no v1 Go module path for these packages, so k8s.io/api v0.35.3 is entirely correct for Kubernetes 1.35.3.

I'll record this for future reviews.


✏️ Learnings added
Learnt from: lexfrei
Repo: cozystack/talm PR: 124
File: go.mod:0-0
Timestamp: 2026-04-10T14:15:12.033Z
Learning: The k8s.io staging Go modules (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/component-base, k8s.io/kubectl, k8s.io/cli-runtime, k8s.io/apiextensions-apiserver, etc.) intentionally use a v0.N.M versioning scheme in Go module tags, where v0.N.M corresponds to upstream Kubernetes release v1.N.M (e.g., k8s.io/api v0.35.3 is correct for Kubernetes 1.35.3). There is no v1 Go module path for these packages. Never flag v0.x.y versions for these staging packages as incorrect — it is the only valid format.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

lexfrei added a commit that referenced this pull request Apr 10, 2026
Keep k8s.io/{apiextensions-apiserver,apiserver,cli-runtime,component-base,
component-helpers,kms,kubectl} in lockstep with the direct k8s.io/{api,
apimachinery,client-go} v0.35.3 bump from the previous commit.

Closes inline review comments on #124.

Signed-off-by: Aleksei Sviridkin <f@lex.la>
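
An added example (not code from this pull request or from the talm project): a standard-library-only Go check for the lockstep rule discussed in this thread. It maps a staging tag v0.N.M to Kubernetes v1.N.M, reports k8s.io/* modules whose release tag differs from k8s.io/api, and skips pseudo-versions such as k8s.io/kube-openapi. The function names and the sample go.mod are constructed for illustration, and treating every k8s.io/* module with a plain v0.N.M tag as a staging module is an assumption.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleGoMod is a constructed go.mod fragment for this example; the versions
// mirror the ones quoted in the review thread, the module path is made up.
const sampleGoMod = `module example.com/constructed

go 1.26.2

require (
	k8s.io/api v0.35.3
	k8s.io/apimachinery v0.35.3
	k8s.io/client-go v0.35.3
	k8s.io/component-base v0.35.1 // indirect
	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
	k8s.io/kubectl v0.35.3 // indirect
	google.golang.org/grpc v1.80.0
)
`

// releaseTag matches a plain v0.N.M tag. Pseudo-versions and pre-releases
// carry a "-suffix" and do not match, so they are never compared.
var releaseTag = regexp.MustCompile(`^v0\.(\d+)\.(\d+)$`)

// KubernetesRelease maps a staging module tag v0.N.M to Kubernetes v1.N.M.
func KubernetesRelease(tag string) (string, bool) {
	m := releaseTag.FindStringSubmatch(tag)
	if m == nil {
		return "", false
	}
	return "v1." + m[1] + "." + m[2], true
}

// K8sModules collects k8s.io/* requirements from go.mod text. Assumption: a
// line-based scan is enough for this check; it does not track which directive
// block a line belongs to, and replace directives never match (extra fields).
func K8sModules(gomod string) map[string]string {
	mods := map[string]string{}
	for _, line := range strings.Split(gomod, "\n") {
		line, _, _ = strings.Cut(line, "//") // drop "// indirect" and other comments
		fields := strings.Fields(line)
		if len(fields) > 0 && fields[0] == "require" {
			fields = fields[1:] // single-line form: require path version
		}
		if len(fields) == 2 && strings.HasPrefix(fields[0], "k8s.io/") {
			mods[fields[0]] = fields[1]
		}
	}
	return mods
}

// Lockstep compares every k8s.io/* module that carries a v0.N.M tag with the
// anchor module's tag. Modules on other version shapes land in skipped.
func Lockstep(mods map[string]string, anchor string) (want string, drift, skipped []string, err error) {
	want, found := mods[anchor]
	if !found {
		return "", nil, nil, fmt.Errorf("anchor %s is not required", anchor)
	}
	if _, ok := KubernetesRelease(want); !ok {
		return "", nil, nil, fmt.Errorf("anchor %s has non-release version %s", anchor, want)
	}
	for path, v := range mods {
		_, isRelease := KubernetesRelease(v)
		switch {
		case !isRelease:
			skipped = append(skipped, path+" "+v)
		case v != want:
			drift = append(drift, path+" "+v)
		}
	}
	sort.Strings(drift)
	sort.Strings(skipped)
	return want, drift, skipped, nil
}

func main() {
	want, drift, skipped, err := Lockstep(K8sModules(sampleGoMod), "k8s.io/api")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	rel, _ := KubernetesRelease(want)
	fmt.Printf("staging tag %s corresponds to Kubernetes %s\n", want, rel)
	fmt.Println("out of lockstep:", drift)
	fmt.Println("skipped (not a v0.N.M tag):", skipped)
}
```

A non-empty drift list is the condition the inline review comments flagged; it can be turned into a CI failure by exiting non-zero.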

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
main.go (1)

133-145: ⚠️ Potential issue | 🟠 Major

Guard zero-arg startup before reading os.Args[1].

Line 134 panics on a plain talm invocation because os.Args only contains the program name when no positional args are passed. The initConfig() function is registered via cobra.OnInitialize() at line 82, so it executes before normal command handling. Returning early when len(os.Args) < 2 prevents a crash in the initialization phase.

Suggested fix
 func initConfig() {
+	if len(os.Args) < 2 {
+		return
+	}
 	cmdName := os.Args[1]
 	cmd, _, err := rootCmd.Find([]string{cmdName})
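Review bot: The guard at the top of initConfig() covers only the empty-argument case; cmdName := os.Args[1] still assumes the first token is a command name. When a flag precedes the subcommand, rootCmd.Find is handed that flag instead, so consider resolving the command from cobra's parsed arguments rather than indexing os.Args, and add a test that executes the root command with no arguments.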
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@main.go` around lines 133 - 145, The initConfig function reads os.Args[1]
unguarded and can panic when no positional args are provided; update initConfig
(the function that calls rootCmd.Find) to first check len(os.Args) >= 2 and
return early if not, then proceed to use cmdName/os.Args[1]; keep the existing
logic around rootCmd.Find, cmd.HasParent()/cmd.Parent(), and setting
commands.Config.InitOptions.Version from Version unchanged.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between b1a3a26 and 3b4710e.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (13)
  • go.mod
  • main.go
  • pkg/age/age.go
  • pkg/commands/init.go
  • pkg/commands/root_detection.go
  • pkg/commands/talosctl_wrapper.go
  • pkg/engine/engine.go
  • pkg/engine/helm/engine.go
  • pkg/engine/helm/engine_test.go
  • pkg/engine/helm/funcs.go
  • pkg/engine/helm/funcs_test.go
  • pkg/engine/render_test.go
  • pkg/modeline/modeline.go
✅ Files skipped from review due to trivial changes (1)
  • pkg/engine/helm/funcs_test.go

lexfrei commented Apr 10, 2026

Addressed the outside-diff finding from the latest review in commit 1d89fa0 — added len(os.Args) < 2 guard at the top of initConfig() to prevent panic on plain talm invocation with no arguments. Good catch, even though it was a pre-existing bug unrelated to the bump.

Routine dependency bump pass with code modernization.

Go toolchain:
- go: 1.25.6 -> 1.26.2

Direct Go dependencies:
- k8s.io/{api,apimachinery,client-go}: v0.35.0 -> v0.35.3
- github.com/cosi-project/runtime: v1.13.0 -> v1.14.1
- github.com/siderolabs/crypto: v0.6.4 -> v0.6.5
- github.com/siderolabs/talos/pkg/machinery: v1.13.0-alpha.0 -> v1.13.0-beta.1
- github.com/siderolabs/talos: v1.12.2 -> v1.12.6
- github.com/spf13/cobra: v1.10.1 -> v1.10.2
- google.golang.org/grpc: v1.77.0 -> v1.80.0 (closes CVE-2026-33186)
- filippo.io/age: v1.2.1 -> v1.3.1
- github.com/BurntSushi/toml: v1.5.0 -> v1.6.0
- helm.sh/helm/v3: v3.19.5 -> v3.20.2

k8s.io indirect lockstep to v0.35.3:
- apiextensions-apiserver, apiserver, cli-runtime, component-base,
  component-helpers, kms, kubectl

Indirect security fixes:
- github.com/docker/cli: v29.1.3 -> v29.4.0 (closes CVE-2025-15558)
- github.com/cloudflare/circl: v1.6.1 -> v1.6.3 (closes CVE-2026-1229)

Round-2 bumps unblocked by Go 1.26:
- github.com/siderolabs/go-kubeconfig: v0.1.1 -> v0.1.2
- github.com/siderolabs/go-talos-support: v0.1.4 -> v0.2.0

327 additional indirect dependency updates applied across two passes via
targeted go get (each change validated with go build).

GitHub Actions:
- actions/checkout: v4 -> v6
- actions/setup-go: v5 -> v6
- goreleaser/goreleaser-action: v6 -> v7

Renovate config:
- Add .github/renovate.json with config:recommended preset and a custom
  regex manager surfacing helm.sh/helm v3 -> v4 upgrade proposals. The
  config is inert until the Renovate GitHub App is installed.

Fork replace rationale:
- Update go.mod comment to reference only siderolabs/talos#12652
  (--skip-verify, declined upstream). The previous siderolabs/talos#12644
  (--k8s-endpoint) reference is stale since #12669 was merged upstream.

Code modernization:
- gopls modernize and go fix across the codebase: interface{} -> any,
  maps.Copy, slices.Contains, gofmt cleanup. No behavior changes.

Bug fix:
- Guard initConfig() against missing os.Args[1] to prevent panic on
  plain `talm` invocation with no arguments.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

lexfrei commented Apr 10, 2026

Squashed the branch into a single commit (f22e31c). All previously addressed findings are preserved:

  • k8s.io lockstep at v0.35.3 — component-base, apiextensions-apiserver, apiserver, cli-runtime, component-helpers, kms, kubectl all at v0.35.3. (Replaces earlier reference to commit 100888c.)
  • actions/checkout@v6 breaking changes — verified compatible with release workflow as discussed.
  • k8s v0.35.3 staging versioning — the v0.N.M scheme is intentional and correct for Kubernetes 1.N.M staging packages, not a typo.
  • initConfig() panic on missing os.Args[1] — guard added at the top of initConfig() in main.go.


@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
main.go (1)

106-123: ⚠️ Potential issue | 🟠 Major

User-provided --talosconfig flag is overwritten by computed path

At line 106, cmd.PersistentFlags().Changed("talosconfig") does not detect a persistent flag passed by the user on the root command. This causes an explicitly provided --talosconfig to be silently overwritten by the fallback logic below.

Use cmd.Flags().Changed("talosconfig") instead, which includes inherited persistent flags from parent commands:

Fix
-       if !cmd.PersistentFlags().Changed("talosconfig") {
+       if !cmd.Flags().Changed("talosconfig") {
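Review bot: No test accompanies the switch from cmd.PersistentFlags().Changed("talosconfig") to cmd.Flags().Changed("talosconfig"), and Changed returns false both for an unset flag and for a name that is not registered on that flag set, so checking the wrong set fails silently. Add a regression test that passes --talosconfig to a subcommand and asserts the supplied value is kept.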
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@main.go` around lines 106 - 123, The code uses
cmd.PersistentFlags().Changed("talosconfig") which does not detect a
user-provided inherited persistent flag and therefore lets the fallback logic
overwrite an explicit --talosconfig; change the check to
cmd.Flags().Changed("talosconfig") so the flag existence is detected correctly,
retaining user-supplied value in commands.GlobalArgs.Talosconfig and only
applying the talosconfigPath fallback (from
commands.Config.GlobalOptions.Talosconfig or "talosconfig"), filepath.IsAbs
logic and RootDir joining when the flag was not provided.
🧹 Nitpick comments (1)
pkg/engine/helm/funcs.go (1)

96-172: Refresh the helper doc comments.

The surrounding comments still reference map[string]interface{} / []interface{}, but these helpers now expose map[string]any / []any.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/engine/helm/funcs.go` around lines 96 - 172, Update the doc comments for
the helper functions to use the new Go 1.18 shorthand types instead of the old
long forms: change references of "map[string]interface{}" to "map[string]any"
and "[]interface{}" to "[]any" in the comments for fromYAML, fromYAMLArray,
fromJSON, fromJSONArray (and any nearby comments for toTOML/toJSON if they
mention those types) so the documentation matches the actual return types.

ℹ️ Review info
📥 Commits

Reviewing files that changed from the base of the PR and between 1d89fa0 and f22e31c.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (16)
  • .github/renovate.json
  • .github/workflows/pr.yml
  • .github/workflows/release.yml
  • go.mod
  • main.go
  • pkg/age/age.go
  • pkg/commands/init.go
  • pkg/commands/root_detection.go
  • pkg/commands/talosctl_wrapper.go
  • pkg/engine/engine.go
  • pkg/engine/helm/engine.go
  • pkg/engine/helm/engine_test.go
  • pkg/engine/helm/funcs.go
  • pkg/engine/helm/funcs_test.go
  • pkg/engine/render_test.go
  • pkg/modeline/modeline.go
✅ Files skipped from review due to trivial changes (6)
  • .github/workflows/release.yml
  • pkg/engine/helm/funcs_test.go
  • .github/workflows/pr.yml
  • pkg/engine/render_test.go
  • pkg/commands/init.go
  • .github/renovate.json
🚧 Files skipped from review as they are similar to previous changes (5)
  • pkg/engine/helm/engine_test.go
  • pkg/engine/helm/engine.go
  • pkg/age/age.go
  • pkg/commands/root_detection.go
  • go.mod

@myasnikovdaniil myasnikovdaniil self-requested a review April 14, 2026 07:45
@lexfrei lexfrei merged commit 397f32f into main Apr 14, 2026
4 checks passed