port pi-devbox v1.1.4–v1.1.6 hardening; bump opencode 1.17.7→1.17.8
Functional (not verbatim) port of the build-provenance, CI-hardening, SSH and shell fixes from the sibling pi-devbox repo, adapted to opencode-devbox's companions and two-variant (base/omos) shape. Defaults unchanged → canonical CI build stays byte-identical apart from the opencode bump and the (cache-free) provenance layer. Fixed: - SSH read-only ~/.ssh ControlPath: setup-lan-access.sh now renders the writable ~/.ssh-local/config sidecar (ControlPath redirect + Include) on EVERY host OS instead of exit 0-ing on native Linux; jump-specific blocks gated behind new NEED_JUMP flag. dssh/dscp + ControlMaster now survive a read-only ~/.ssh on native-Linux hosts. (pi-devbox v1.1.5) - bash history loss in nested/tmux shells: DEVBOX_HIST_SET no longer exported so each shell re-installs its own history -a flush. (pi-devbox v1.1.4) Added: - build provenance: OCI labels + /etc/opencode-devbox/build-manifest.json written from ground truth (opencode --version, installed omos version, /opt/mempalace-toolkit HEAD); wired into build-variant-* and smoke-* jobs; smoke-test.sh asserts manifest + label. (pi-devbox v1.1.6) - scripts/check-base-hash.sh CI guard: fails if a Dockerfile.base ARG *_REF is not folded into the base_tag hash. (pi-devbox v1.1.6) - overridable MEMPALACE_TOOLKIT_REPO build-arg in Dockerfile.base. (v1.1.6) Changed: - resolve-versions: fail-loud validation (SHA / semver) that aborts the release instead of silently falling back to floating main; adds shell: bash (set -o pipefail is illegal under the runner default dash). (pi-devbox v1.1.6) Bumped: - opencode-ai 1.17.7 → 1.17.8 (current npm latest stable). Deferred (needs a decision): opencode.json merge-on-recreate — see CHANGELOG.
This commit is contained in:
pi
@@ -6,6 +6,102 @@ Tags follow **independent semver** (since `v2.0.0`) — they version *this image
|
||||
|
||||
---
|
||||
|
||||
## Unreleased
|
||||
|
||||
Ports the build-provenance, CI-hardening, SSH and shell fixes that landed in
|
||||
the sibling **pi-devbox** repo (v1.1.4–v1.1.6) into opencode-devbox, adapted to
|
||||
this image's companions and two-variant (`base`/`omos`) shape. Also bumps
|
||||
opencode. Defaults are unchanged, so the canonical CI build stays byte-identical
|
||||
apart from the opencode bump and the (cache-free) provenance layer.
|
||||
|
||||
### Fixed: read-only `~/.ssh` ControlPath / LAN sidecar on native Linux
|
||||
|
||||
`rootfs/usr/local/lib/opencode-devbox/setup-lan-access.sh` previously
|
||||
`exit 0`-ed early on native-Linux hosts (`auto` mode, not VM-backed) **before**
|
||||
rendering the writable `~/.ssh-local/config` sidecar. On such hosts with a
|
||||
read-only `~/.ssh` bind-mount, `dssh`/`dscp` got no config and the `Host *`
|
||||
ControlPath redirect into `~/.ssh-local/cm` never happened, so a user
|
||||
`~/.ssh/config` carrying the CGNAT idiom `ControlPath ~/.ssh/cm/%r@%h:%p`
|
||||
broke ControlMaster. The sidecar (ControlPath redirect + `Include
|
||||
~/.ssh/config`) is now rendered on **every** host OS; only the jump-specific
|
||||
blocks (host alias, key generation, peer overrides, RFC1918 catch-all) stay
|
||||
gated behind a new `NEED_JUMP` flag. `Dockerfile.base` and `entrypoint-user.sh`
|
||||
comments updated to document the always-render behavior and the
|
||||
plain-`ssh <host>` caveat. (Mirrors pi-devbox v1.1.5; the pi-only
|
||||
`ssh-controlmaster` extension layer has no opencode equivalent and is N/A.)
|
||||
|
||||
### Fixed: bash history loss in nested / tmux shells
|
||||
|
||||
`rootfs/home/developer/.bash_aliases` exported the `DEVBOX_HIST_SET` flush
|
||||
guard, so it leaked into child processes — every nested shell (crucially each
|
||||
tmux pane, which inherits the tmux server's env) saw the guard already set and
|
||||
skipped installing `history -a` in `PROMPT_COMMAND`. Those shells only
|
||||
persisted history on a clean exit, silently losing in-memory history on abrupt
|
||||
termination (`docker stop`, `tmux kill-server`, SIGKILL). The guard is now
|
||||
shell-local (dropped `export`). (Mirrors pi-devbox v1.1.4.)
|
||||
|
||||
### Added: build provenance — OCI labels + on-disk manifest
|
||||
|
||||
The variant build now bakes OCI labels
|
||||
(`org.opencontainers.image.{version,revision,created}` +
|
||||
`se.jordbo.opencode-devbox.{opencode-version,install-omos,omos-version,mempalace-toolkit-ref}`)
|
||||
and writes `/etc/opencode-devbox/build-manifest.json` from **ground truth** —
|
||||
the live `opencode --version`, the installed `oh-my-opencode-slim` version
|
||||
(JSON `null` in the `base` variant), and the actual checked-out HEAD of
|
||||
`/opt/mempalace-toolkit` — so a published tag is self-describing and
|
||||
reconstructable after CI logs rotate. Provenance ARGs (`RELEASE_TAG`,
|
||||
`BUILD_DATE`, `SOURCE_REVISION`, re-declared `MEMPALACE_TOOLKIT_REF`) are
|
||||
declared last in `Dockerfile.variant` so they never bust the expensive
|
||||
npm-install layers. Wired into both `build-variant-*` and `smoke-*` jobs;
|
||||
`scripts/smoke-test.sh` now asserts the manifest exists, is complete, has no
|
||||
`unknown` components, and that the `opencode-version` OCI label is present.
|
||||
(Mirrors pi-devbox v1.1.6.)
|
||||
|
||||
### Added: base-rebuild hash guard (`scripts/check-base-hash.sh`)
|
||||
|
||||
New CI guard (run first in the `base-decide` job) that fails the build if any
|
||||
floating `ARG *_REF` consumed by `Dockerfile.base` is not folded into the
|
||||
`base_tag` hash — preventing the v1.1.2-class staleness footgun where a
|
||||
ref-only dependency change silently fails to rebuild the base. Passes today
|
||||
(`MEMPALACE_TOOLKIT_REF` is already folded in); this is forward protection.
|
||||
(Mirrors pi-devbox v1.1.6.)
|
||||
|
||||
### Changed: fail-loud version/ref resolution
|
||||
|
||||
The `resolve-versions` step now validates each resolved value — the
|
||||
mempalace-toolkit ref must be a 40-hex commit SHA, the omos version must be
|
||||
semver — and **aborts the release** on failure instead of silently falling
|
||||
back to a floating `main` ref (which defeats both cache-busting and
|
||||
reproducibility). The step also gains `shell: bash`, because `set -o pipefail`
|
||||
is illegal under the runner's default dash/sh and would otherwise abort the
|
||||
step (this exact latent bug bit pi-devbox's first v1.1.6 run). (Mirrors
|
||||
pi-devbox v1.1.6.)
|
||||
|
||||
### Added: overridable `MEMPALACE_TOOLKIT_REPO` build-arg
|
||||
|
||||
`Dockerfile.base` no longer hardcodes the mempalace-toolkit clone URL inline;
|
||||
it is now an `ARG MEMPALACE_TOOLKIT_REPO` defaulting to the canonical gitea
|
||||
origin, so a relocated/forked build can repoint it via `--build-arg` without
|
||||
editing the Dockerfile. Default unchanged. (Mirrors pi-devbox v1.1.6.)
|
||||
|
||||
### Bumped: opencode-ai 1.17.7 → 1.17.8
|
||||
|
||||
`OPENCODE_VERSION` ARG in `Dockerfile.variant`. `1.17.8` is the current npm
|
||||
`latest` stable. Only the variant layer rebuilds; the base is unaffected.
|
||||
|
||||
### Deferred (needs a decision): opencode.json merge-on-recreate
|
||||
|
||||
pi-devbox v1.1.4 added a non-destructive deep-merge of new template keys into a
|
||||
preserved-volume `settings.json`. The direct analogue does **not** port cleanly
|
||||
here: opencode's config is *generated from env vars* and written as **JSONC
|
||||
with comments** (not a static image-owned template), and `generate-config.py`
|
||||
deliberately never touches an existing config (host bind-mount or persisted
|
||||
volume). A `jq`-style merge would strip the JSONC comments and risks clobbering
|
||||
or re-adding entries a user removed. Left for a separate, deliberate change —
|
||||
see discussion.
|
||||
|
||||
---
|
||||
|
||||
## v2.1.2 — 2026-06-16
|
||||
|
||||
Image-semver **patch**: bumps opencode to `1.17.7`. No devbox-side changes
|
||||
|
||||
Reference in New Issue
Block a user