In the older CoreOS, the strategy was to stop the update-engine and locksmithd services from running automatically. When you wanted to update, start the update-engine service and kick off an update using update_engine_client -update.
In FCOS, all that was replaced with Zincati. There is documentation on how to disable Zincati to prevent autoupdate, but the question remains on how to kick it off manually.
What is the recommended way of doing this?