chore: Bump github.com/siderolabs/talos/pkg/machinery from 1.12.0-beta.0 to 1.12.0-rc.1

[dependabot]

Bumps github.com/siderolabs/talos/pkg/machinery from 1.12.0-beta.0 to 1.12.0-rc.1.

Release notes

Sourced from github.com/siderolabs/talos/pkg/machinery's releases.

v1.12.0-rc.1

Talos 1.12.0-rc.1 (2025-12-15)

Welcome to the v1.12.0-rc.1 release of Talos!
This is a pre-release of Talos

Please try out the release binaries and report any issues at https://github.com/siderolabs/talos/issues.

API Server Cipher Suites

The Kubernetes API server in Talos has been updated to use a more secure set of TLS cipher suites by default. This is in line with a set of best practices documented in CIS 1.12 benchmark.

You can still expand the list of supported cipher suites via the cluster.apiServer.extraArgs."tls-cipher-suites" machine configuration field if needed.

New User Volume type - bind

New field in UserVolumeConfig - volumeType that defaults to partition, but can be set to directory. When set to directory, provisioning and filesystem operations are skipped and a directory is created under /var/mnt/<name>.

The directory type enables lightweight storage volumes backed by a host directory, instead of requiring a full block device partition.

When volumeType = "directory":

• A directory is created at /var/mnt/<metadata.name>;
• provisioning, filesystem and encryption are prohibited.

Note: this mode does not provide filesystem-level isolation and inherits the EPHEMERAL partition capacity limits. It should not be used for workloads requiring predictable storage quotas.

Disk Encryption

Talos versions prior to v1.12 used the state of PCR 7 and signed policies locked to PCR 11 for TPM based disk encryption.

Talos now supports configuring which PCRs states are to be used for TPM based disk encryption via the options.pcrs field in the tpm section of the disk encryption configuration.

If user doesn't specify any options Talos defaults to using PCR 7 for backwards compatibility with existing installations.

This change was made to improve compatibility with systems that may have varying states in PCR 7 due to UEFI Secure Boot configurations and users may wish to disable locking to PCR 7 state entirely.

Signed PCR policies will still be bound to PCR 11.

The currently used PCR's can be seen with talosctl get volumestatus <volume> -o yaml command.

... (truncated)

Commits

• a2a7700 release(v1.12.0-rc.1): prepare release
• 4719878 fix: bond configuration with new settings
• 03a424b fix: disable kexec on arm64
• 688fb78 feat: add Secure Boot to CloudStack platform config
• 66e67fd fix: discard better klog message from Kubernetes client
• d840349 fix: disable kexec in talosctl cluster create on arm64
• 5ced425 fix: do not override DNS on MacOS
• fabf3f0 fix: selection of boot entry
• 93cec4b fix: update CNI plugins to 1.9.0
• 964098d fix: update KubeSpan MSS clamping
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[netlify]

✅ Deploy Preview for wonderful-swartz-a1308c ready!

Name	Link
🔨 Latest commit	2904962
🔍 Latest deploy log	https://app.netlify.com/projects/wonderful-swartz-a1308c/deploys/6948986f29e44c00085a1000
😎 Deploy Preview	https://deploy-preview-1566--wonderful-swartz-a1308c.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.