diff --git a/.gitea/workflows/docker-publish-split.yml b/.gitea/workflows/docker-publish-split.yml
index e89ea5f..1bc3551 100644
--- a/.gitea/workflows/docker-publish-split.yml
+++ b/.gitea/workflows/docker-publish-split.yml
@@ -174,7 +174,7 @@ jobs:
 platforms: arm64
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@v4.0.0
 with:
 driver-opts: network=host
@@ -223,7 +223,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -267,7 +267,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -312,7 +312,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -357,7 +357,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -403,7 +403,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
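Review bot: `docker/setup-buildx-action@v4.0.0` in this hunk, and in the eight other hunks of this file that make the same replacement, is still a tag reference, and a tag can be re-pointed upstream just as the floating `v4` was rolled forward. Pinning to the full commit SHA with the version kept as a trailing comment gives an immutable reference, e.g. `uses: docker/setup-buildx-action@<full-commit-sha-of-v4.0.0>  # v4.0.0` (placeholder, take the SHA from the upstream release; confirm the Gitea runner resolves SHA refs). `docker/login-action@v3`, visible as context in the later hunks, stays on a floating major tag even though it is presumably the step that receives the registry credentials, so it is the more sensitive one to pin. The job definitions start and end outside these hunks, so the `with:` inputs of the login step could not be checked here.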
@@ -451,7 +451,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -500,7 +500,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -549,7 +549,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4
+ - uses: docker/setup-buildx-action@v4.0.0
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index d445660..553fd35 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,11 +8,25 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a
 ## Unreleased
-_(no changes since v1.15.11)_
+_(no changes since v1.15.11b)_
 ---
-## v1.15.11 — 2026-05-27
+## v1.15.11b — 2026-05-27
+
+Container-level rebuild of v1.15.11. The original v1.15.11 release-day publish failed three times in a row (CI runs #332/333/334) with identical `400 Bad request` responses from `registry-1.docker.io` on the buildx layer-blob PUT. Build itself succeeded 30/30 each time; only the multi-arch push failed. Triaged on 2026-05-27 evening:
+
+- **Local multi-arch buildx push from a developer host succeeds in ~25s** — same Hub account, same multi-arch path. Account, repo, and Hub-CDN are all healthy.
+- **Last known-good Gitea Actions Hub push: 2026-05-23 ~20:26 UTC** (`pi-devbox v0.75.5b`). All Gitea-runner-driven pushes since 2026-05-24 have failed identically.
+- **Smoking gun candidate:** `docker/setup-buildx-action@v4` floats to `v4.1.0` (published 2026-05-22 16:00 UTC). Action-resolver caches on the runner appear to have rolled forward to v4.1.0 sometime between the May 23 success and the first May 24 failure. v4.1.0 ships a newer bundled buildx/buildkit which may be using a different push protocol that trips Hub's CDN URI-length cap (the failing `_state` query string is ~1.4 KB).
+
+### Workflow change
+
+- **`.gitea/workflows/docker-publish-split.yml`** — all nine `docker/setup-buildx-action@v4` uses pinned to `@v4.0.0`. `setup-qemu-action@v3` left floating since QEMU wasn't in the suspected blast radius and was working on May 23. If v4.0.0 publishes cleanly we keep the pin and file an upstream buildkit/buildx issue documenting the regression.
+
+No other source changes — same `OPENCODE_VERSION=1.15.11`, same `Dockerfile.base` and `Dockerfile.variant`, same SSH-CM bake, same gitleaks. v1.15.11 (the original tag) is preserved in the repo as a historical marker of the first publish attempt; v1.15.11b is the canonical release.
+
+### v1.15.11
 First release on opencode 1.15.11. Also bakes in four devbox-side fixes accumulated since v1.15.10 (SSH ControlMaster on a writable path, gitleaks added to base, CI resolve-versions hardening, CI cache-hit regression fix). Downstream pi-devbox inherits all of these on its next build against `base-latest`.