fix(docs): correct stale version pins and prevent next.yaml drift

[myasnikovdaniil]

What & why

The {{< version-pin >}} data file for the default docs version (data/versions/v1.5.yaml) was a verbatim copy of next.yaml that never got bumped, so every version-pin on the v1.5 docs rendered cozystack v1.3.0 / Talos v1.12.6 instead of v1.5.0 / v1.13.0 — including the Go types go get example and ~40 install-doc references. Root cause: release_next.sh snapshots next.yaml, and next.yaml had itself been stale since the v1.3 cycle.

Changes

Correct the stale pins

• Fix data/versions/v1.5.yaml to the real v1.5 values (v1.5.0 / Talos v1.13.0, verified against the upstream v1.5.0 installer profile).
• Add data/versions/v1.2.yaml and switch the v1.2 go-types page from a hardcoded @v1.2.0 to version-pin. v1.0/v1.1 keep the literal — the api/apps/v1alpha1 Go submodule's earliest tag is v1.2.0, so no earlier tag resolves for go get.

Stop it recurring

• Harden release_next.sh to rewrite cozystack_version/cozystack_tag from RELEASE_TAG at snapshot time, so a stale next.yaml can't freeze the wrong version into a release again.
• Add hack/update_versions.sh + a make update-versions step in update-all that regenerates next.yaml from upstream (Talos from the installer profile, cozystack tag from the latest release). The next trunk can no longer go stale; regeneration is idempotent.

Fix a rendered-wrong warning

• The boot-to-talos version-mismatch warning hardcoded "Cozystack v1.3.0 … target Talos v1.12", which rendered wrong on v1.4/v1.5 (both ship Talos v1.13). Swap the literals for the version-pin shortcodes already used elsewhere in the same file, across next/v1.5/v1.4/v1.3.

Not included (flagged for follow-up)

• 25 autogenerated source: URLs in next/ are frozen at v1.3.0 (should track main). They self-heal on the next make update-all for the trunk and that also refetches README bodies, so it's better done as a separate, deliberate re-sync.

Test notes

• Verified each affected page's effective render against its data file (v1.5 → v1.5.0 / Talos v1.13; v1.3 unchanged / correct).
• hack/update_versions.sh is byte-idempotent across consecutive runs; release_next.sh snapshot rewrite verified in isolation.
• A full hugo build was not run here — local Hugo is v0.163.0 vs the repo-pinned v0.160.1, and 0.163's security.allowContent policy rejects an unrelated existing content file. CI/Netlify use the pinned version.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation

  • Updated Talos installation guides with generic, version-pinned compatibility warnings across all documentation versions.
  • Updated Go API documentation to use dynamic version pins instead of hardcoded values.

• Chores

  • Enhanced build system to automate version data regeneration for documentation.
  • Updated version pins for Cozystack (v1.5.0) and Talos (v1.13.0) across documentation.
  • Added version pinning infrastructure to release workflow.

[netlify]

✅ Deploy Preview for cozystack ready!

Name	Link
🔨 Latest commit	1c3cb2b
🔍 Latest deploy log	https://app.netlify.com/projects/cozystack/deploys/6a3a5563af71e800085a9ea5
😎 Deploy Preview	https://deploy-preview-589--cozystack.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Warning

Review limit reached

@myasnikovdaniil, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 43 minutes and 35 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses rolling per-developer review limits. Reviews become available again as older review attempts age out of the rolling limit window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 640a685e-f50d-471f-b250-bdaeb2855ba9

📥 Commits

Reviewing files that changed from the base of the PR and between ed8f6be and 1c3cb2b.

📒 Files selected for processing (1)

• hack/update_versions.sh

📝 Walkthrough

Walkthrough

Adds hack/update_versions.sh to fetch Talos and Cozystack upstream version pins and write data/versions/*.yaml files. Wires a new update-versions Makefile target into update-all, extends release_next.sh to rewrite pin values on snapshot, updates next.yaml and v1.5.yaml to current versions, adds v1.2.yaml, and replaces hardcoded version strings in Talos install docs and the Go-types doc with template variables.

Changes

Automated Version-Pin Generation

Layer / File(s)	Summary
update_versions.sh script hack/update_versions.sh	New Bash script with CLI parsing (--dest, --branch, --cozystack-tag) that fetches the Talos installer profile from a specified cozystack/cozystack branch, resolves and validates both the Talos and Cozystack release tags, then writes a four-field YAML pin file (cozystack_version, cozystack_tag, talos, talos_minor).
Makefile wiring and release snapshot pinning Makefile, hack/release_next.sh	Adds update-versions target (.PHONY) that calls update_versions.sh only when DOC_VERSION is next; extends update-all to invoke it. Updates release_next.sh to use sed to rewrite cozystack_version and cozystack_tag in the snapshot YAML when promoting next.yaml to a release version file.
Version pin data and doc template variables data/versions/next.yaml, data/versions/v1.5.yaml, data/versions/v1.2.yaml, content/en/docs/next/install/talos/boot-to-talos.md, content/en/docs/v1.3/..., content/en/docs/v1.4/..., content/en/docs/v1.5/..., content/en/docs/v1.2/cozystack-api/go-types.md	Regenerates next.yaml and v1.5.yaml to Cozystack 1.5.0/Talos v1.13.0; adds v1.2.yaml pinning cozystack_tag: v1.2.0; replaces hardcoded version strings in boot-to-talos warnings (next, v1.3, v1.4, v1.5) and the v1.2 Go-types installation snippet with {{< version-pin >}} template variables.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• kvaps
• lllamnyp

Poem

🐇 Hop, hop — no hardcoded tags today!
A script now fetches versions the automated way.
next.yaml bumped, v1.5 aligned,
Release snapshots properly pinned and signed.
The rabbit cheers: let templates always reign! 🎉

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately summarizes the main objectives: correcting stale version pins in documentation and implementing safeguards (update automation) to prevent future drift of the next.yaml file.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/version-pin-staleness

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[gemini-code-assist]

Code Review

This pull request automates the management of pinned upstream-tool versions in the documentation. It introduces a new script hack/update_versions.sh to fetch versions from upstream, integrates it into the Makefile, and replaces hardcoded version strings with the {{< version-pin >}} shortcode in several markdown files. Feedback on the changes suggests improving the robustness of hack/update_versions.sh by appending || true to the curl pipeline to prevent premature exits under set -e, and replacing the GNU-specific sort -V with a POSIX-compliant sorting method to ensure compatibility on macOS.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[gemini-code-assist]

Because set -o pipefail and set -e are enabled, if the curl command fails (e.g., due to a network issue, rate limit, or invalid branch), the entire pipeline will return a non-zero exit code. This causes the shell to exit immediately, preventing the script from reaching the subsequent validation block and printing the helpful error message.

Appending || true to the pipeline inside the subshell allows the script to continue and gracefully handle the failure in the validation block.

Suggested change

	talos="$(curl -fsSL "$INSTALLER_URL" 2>/dev/null | awk '/^version:[[:space:]]/{print $2; exit}')"
	talos="$(curl -fsSL "$INSTALLER_URL" 2>/dev/null | awk '/^version:[[:space:]]/{print $2; exit}' || true)"

[myasnikovdaniil]

Good catch — confirmed: under set -e + set -o pipefail, a failed curl made the command substitution exit the script before the validation block, so the intended error message never printed. Added || true to the pipeline so a fetch failure now falls through to the validation check. Fixed in 949bc63.

[gemini-code-assist]

The sort -V (version sort) option is a GNU extension and is not supported by the default sort utility on macOS (BSD sort). Running this script on macOS will result in a sort: invalid option -- V error.

To make the script portable across both Linux and macOS, we can strip the v prefix, use standard POSIX numeric sort (sort -t. -k 1,1n -k 2,2n -k 3,3n), and then prepend the v back. This also allows us to safely handle pipeline failures with || true so the script can print a clear error message if git ls-remote fails.

Suggested change

	COZYSTACK_TAG="$(git ls-remote --tags --refs "https://github.com/${SOURCE_REPO}.git" 'v*.*.*' \
	| awk -F/ '/refs\/tags\/v[0-9]+\.[0-9]+\.[0-9]+$/{print $NF}' \
	| grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -1)"
	COZYSTACK_TAG="$(git ls-remote --tags --refs "https://github.com/${SOURCE_REPO}.git" 'v*.*.*' \
	| awk -F/ '/refs\/tags\/v[0-9]+\.[0-9]+\.[0-9]+$/{print $NF}' \
	| sed 's/^v//' | sort -t. -k 1,1n -k 2,2n -k 3,3n | sed 's/^/v/' | tail -1 || true)"

[myasnikovdaniil]

Applied the || true part here too (1c3cb2b) — same premature-exit issue on the git ls-remote pipeline, so it now reaches the validation block.

On sort -V: keeping it as-is. This repo already standardises on GNU sort -V in hack/download_openapi.sh and hack/init_version.sh (the former with a comment about prerelease ordering), and there's no macOS/BSD portability target, so matching the existing scripts keeps things consistent.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/update_versions.sh`:
- Around line 39-46: The argument parsing for `--dest`, `--branch`, and
`--cozystack-tag` options reads `$2` without checking if it exists, which causes
an unbound variable error when a flag is passed without a value. Add a guard
before each of these option handlers to check if `$2` is provided, and if not,
call the usage function and exit with an error status code. This applies to all
three options in the case statement that read the second argument
unconditionally.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bdc30a93-015e-4bce-ba0f-99c632457e87

📥 Commits

Reviewing files that changed from the base of the PR and between a90171c and ed8f6be.

📒 Files selected for processing (11)

• Makefile
• content/en/docs/next/install/talos/boot-to-talos.md
• content/en/docs/v1.2/cozystack-api/go-types.md
• content/en/docs/v1.3/install/talos/boot-to-talos.md
• content/en/docs/v1.4/install/talos/boot-to-talos.md
• content/en/docs/v1.5/install/talos/boot-to-talos.md
• data/versions/next.yaml
• data/versions/v1.2.yaml
• data/versions/v1.5.yaml
• hack/release_next.sh
• hack/update_versions.sh

[coderabbitai]

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Add missing option-value guards in CLI parsing.

--dest, --branch, and --cozystack-tag read $2 unconditionally. If a flag is passed without a value, set -u exits with an unbound-variable error instead of a controlled usage error.

💡 Suggested patch

 while [[ $# -gt 0 ]]; do
   case "$1" in
-    --dest)          DEST="$2"; shift 2 ;;
-    --branch)        BRANCH="$2"; shift 2 ;;
-    --cozystack-tag) COZYSTACK_TAG="$2"; shift 2 ;;
+    --dest|--branch|--cozystack-tag)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: $1 requires a value." >&2
+        usage
+        exit 1
+      fi
+      case "$1" in
+        --dest)          DEST="$2" ;;
+        --branch)        BRANCH="$2" ;;
+        --cozystack-tag) COZYSTACK_TAG="$2" ;;
+      esac
+      shift 2
+      ;;
     -h|--help)       usage; exit 0 ;;
     *) echo "Unknown argument: $1" >&2; usage; exit 1 ;;
   esac
 done

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	while [[ $# -gt 0 ]]; do
	case "$1" in
	--dest) DEST="$2"; shift 2 ;;
	--branch) BRANCH="$2"; shift 2 ;;
	--cozystack-tag) COZYSTACK_TAG="$2"; shift 2 ;;
	-h|--help) usage; exit 0 ;;
	*) echo "Unknown argument: $1" >&2; usage; exit 1 ;;
	esac
	while [[ $# -gt 0 ]]; do
	case "$1" in
	--dest|--branch|--cozystack-tag)
	if [[ $# -lt 2 ]]; then
	echo "Error: $1 requires a value." >&2
	usage
	exit 1
	fi
	case "$1" in
	--dest) DEST="$2" ;;
	--branch) BRANCH="$2" ;;
	--cozystack-tag) COZYSTACK_TAG="$2" ;;
	esac
	shift 2
	;;
	-h|--help) usage; exit 0 ;;
	*) echo "Unknown argument: $1" >&2; usage; exit 1 ;;
	esac
	done

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/update_versions.sh` around lines 39 - 46, The argument parsing for
`--dest`, `--branch`, and `--cozystack-tag` options reads `$2` without checking
if it exists, which causes an unbound variable error when a flag is passed
without a value. Add a guard before each of these option handlers to check if
`$2` is provided, and if not, call the usage function and exit with an error
status code. This applies to all three options in the case statement that read
the second argument unconditionally.

[IvanHunters]

Verdict

NOT LGTM — the fix for the stale-pin symptom is correct and well-scoped, but the new update-versions step introduces a release-pipeline regression that will fail every prerelease (-alpha/-beta/-rc.N) docs-update CI run from the upstream cozystack/cozystack tags workflow.

Findings

MAJOR

1. update-versions will break the upstream tags workflow for every RC tag.
   • Upstream .github/workflows/tags.yaml update-website-docs job runs make update-all BRANCH="release-$VERSION" RELEASE_TAG="$TAG" for every tag the regex ^v\d+\.\d+\.\d+(-(alpha|beta|rc)\.\d+)?$ matches, including RCs (lines 456-540 of upstream tags.yaml).
   • For an RC like v1.6.0-rc1, routing resolves DOC_VERSION=next (no v1.6/ yet), so the new update-versions step in Makefile runs and invokes ./hack/update_versions.sh --branch v1.6.0-rc1 --cozystack-tag v1.6.0-rc1.
   • hack/update_versions.sh:72 enforces [[ "$COZYSTACK_TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]], which rejects any prerelease suffix and exits 1.
   • Reproduction:

     $ ./hack/update_versions.sh --dest /tmp/x.yaml --branch main --cozystack-tag v1.6.0-rc1
     Error: could not determine a cozystack release tag (got 'v1.6.0-rc1').
     exit: 1
     

   • Pre-PR, make update-all RELEASE_TAG=v1.6.0-rc1 ran to completion; post-PR the docs-update CI job will fail and no PR will be opened against cozystack/website for any RC.
   • Suggested fix (pick one):
     • Gate update-versions in the Makefile on DOC_VERSION==next AND RELEASE_TAG being empty or a final-release tag.
     • OR loosen the regex in update_versions.sh to accept ^v\d+\.\d+\.\d+(-[A-Za-z0-9.]+)?$ and pin the prerelease tag verbatim.
     • OR, when an RC tag comes in, normalise it to the latest final release for the cozystack_* keys but still refresh Talos keys against --branch.

MINOR

2. data/versions/v1.2.yaml and the PR description repeat an incorrect upstream-tag fact.
   • PR body: "the api/apps/v1alpha1 Go submodule's earliest tag is v1.2.0, so no earlier tag resolves for go get."
   • Reality (verified via the Go module proxy): api/apps/v1alpha1/v1.1.6 and v1.1.7 are real, resolvable Go-module versions.
   • The concrete action (keeping v1.0/v1.1 docs pinned to @v1.2.0) still works, so the rendered docs are not broken. But v1.2.yaml:11-14 ("the Go API submodule was first tagged at api/apps/v1alpha1/v1.2.0") is factually wrong and will mislead the next person tidying this up.
   • Suggested fix: drop the "first tagged at" sentence, or reword to "v1.0/v1.1 keep @v1.2.0 as a deliberate forward-pin because no v1.0.x submodule tag exists and we choose not to backport this docs change to v1.1.7."

NITS

3. release_next.sh sed rewrite drops inline comments from cozystack_* lines. Existing files are untouched (the if [[ -e "$TARGET_DATA" ]]; then ... leaving it as-is guard), but every future snapshot will have terser comments than its predecessors. Purely cosmetic.

4. Talos pin will drift silently between trunk-refreshes. update-versions only runs when DOC_VERSION=next, and there is no scheduled workflow that ever invokes make update-all against trunk. Trunk freshness depends entirely on manual maintainer discipline. The release-time release_next.sh sed rewrite only touches cozystack_version/cozystack_tag, leaving Talos values as-snapshotted. Risk: a long-untouched next.yaml snapshots a stale Talos into vX.Y.yaml at minor-cut time. Out of scope for this PR (explicitly deferred), but worth either a periodic GHA cron that runs make update-versions against trunk, or a release_next.sh step that also re-runs update_versions.sh against --branch $RELEASE_TAG before snapshotting.

What is good

• The core fix (replace data/versions/v1.5.yaml and next.yaml v1.3.0/v1.12.6 values with the correct v1.5.0/v1.13.0 values, verified against cozystack/cozystack@v1.5.0/packages/core/talos/images/talos/profiles/installer.yaml) is exactly right.
• data/versions/v1.2.yaml schema matches sibling files; the v1.2 go-types.md shortcode call resolves correctly.
• The boot-to-talos warning swap is consistent across next/, v1.5/, v1.4/, v1.3/. On v1.3 the effective render is unchanged (literal v1.3.0/v1.12 → data lookup that also returns v1.3.0/v1.12), so no regression on a previously-correct page.
• shellcheck clean on both new and modified shell scripts.
• release_next.sh rewrite is idempotent and safe under the strict ^vX.Y.Z$ regex already enforced upstream of the sed.
• The update_versions.sh failure modes (network errors, missing version: field, missing/empty tag list) all surface as exit-1 with a clear message, not silent stale output.

Claim alignment vs PR description

#	Claim	Status
3	v1.0/v1.1 keep literal because api/apps/v1alpha1 earliest tag is v1.2.0	PARTIAL — earliest tag is v1.1.6; action still works but rationale and v1.2.yaml comment are factually wrong (see Finding 2).
5	update_versions.sh + make update-versions in update-all	PARTIAL — wired in, but breaks for any RC tag in the upstream release pipeline (see Finding 1).

Claims 1, 2, 4, 6, 7, 8, 9 — OK (verified).

Suggested merge plan

Block on Finding 1 — either gate update-versions in the Makefile, or loosen the regex in update_versions.sh. Either is a small follow-up commit. Findings 2-4 can land as separate touch-ups without blocking this one.