From a16da2f041fd319f01a65c27039a6a5af43e5709 Mon Sep 17 00:00:00 2001 From: Joakim Persson Date: Wed, 27 May 2026 21:05:17 +0000 Subject: [PATCH] =?UTF-8?q?Cut=20v1.15.11b=20=E2=80=94=20pin=20setup-build?= =?UTF-8?q?x-action@v4.0.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The v1.15.11 publish failed three times in a row (runs #332/333/334) with identical '400 Bad request' from registry-1.docker.io on the multi-arch buildx layer-blob PUT. Triage on 2026-05-27 confirmed: - Multi-arch buildx push from a developer host: succeeds in 25s (same Hub account, same multi-arch path) - Account / repo / Hub-CDN: all healthy - Last known-good Gitea-runner Hub push: 2026-05-23 ~20:26 UTC (pi-devbox v0.75.5b) — predates docker/setup-buildx-action v4.1.0 by <24h - docker/setup-buildx-action@v4 floats to v4.1.0 (published 2026-05-22 16:00 UTC), bundling a newer buildx/buildkit whose push protocol may trip Hub's CDN URI-length cap on the ~1.4 KB _state query string in resumable-upload PUT URLs. Pinning all nine setup-buildx-action references to @v4.0.0 to test the hypothesis. setup-qemu-action@v3 left floating since QEMU wasn't in the suspected blast radius. If v4.0.0 publishes cleanly we keep the pin and file an upstream buildkit/buildx issue. No source changes — same OPENCODE_VERSION=1.15.11, same Dockerfile.base and Dockerfile.variant. v1.15.11 (original tag) is preserved as a historical marker of the first publish attempt; v1.15.11b becomes the canonical release. --- .gitea/workflows/docker-publish-split.yml | 18 +++++++++--------- CHANGELOG.md | 18 ++++++++++++++++-- 2 files changed, 25 insertions(+), 11 deletions(-) diff --git a/.gitea/workflows/docker-publish-split.yml b/.gitea/workflows/docker-publish-split.yml index e89ea5f..1bc3551 100644 --- a/.gitea/workflows/docker-publish-split.yml +++ b/.gitea/workflows/docker-publish-split.yml 
@@ -174,7 +174,7 @@ jobs: platforms: arm64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@v4.0.0 with: driver-opts: network=host @@ -223,7 +223,7 @@ jobs: /usr/lib/jvm 2>/dev/null || true docker system prune -af --volumes || true docker builder prune -af || true - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: @@ -267,7 +267,7 @@ jobs: /usr/lib/jvm 2>/dev/null || true docker system prune -af --volumes || true docker builder prune -af || true - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: @@ -312,7 +312,7 @@ jobs: /usr/lib/jvm 2>/dev/null || true docker system prune -af --volumes || true docker builder prune -af || true - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: @@ -357,7 +357,7 @@ jobs: /usr/lib/jvm 2>/dev/null || true docker system prune -af --volumes || true docker builder prune -af || true - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: @@ -403,7 +403,7 @@ jobs: docker builder prune -af || true - uses: docker/setup-qemu-action@v3 with: {platforms: arm64} - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: @@ -451,7 +451,7 @@ jobs: docker builder prune -af || true - uses: docker/setup-qemu-action@v3 with: {platforms: arm64} - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: 
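Review bot: `docker/setup-buildx-action@v4.0.0` on the new `uses:` line is still a tag reference, and upstream can move a tag just as the floating `v4` moved, so the pin does not make the action immutable; the same applies to the eight other hunks in this file that make the identical replacement. Pinning to the full commit SHA that the v4.0.0 release points to, with the version kept as a trailing comment, closes that gap: `uses: docker/setup-buildx-action@<full-commit-sha-of-v4.0.0>  # v4.0.0`. The context lines show `docker/login-action@v3` and `docker/setup-qemu-action@v3` still floating in the same jobs; login-action is presumably the step that receives the registry credentials, so it deserves the same pinning even though it is outside the suspected cause of the push failure. Before rolling this out, confirm that the Gitea runner in use resolves SHA refs the same way it resolves tags.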
@@ -500,7 +500,7 @@ jobs: docker builder prune -af || true - uses: docker/setup-qemu-action@v3 with: {platforms: arm64} - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: @@ -549,7 +549,7 @@ jobs: docker builder prune -af || true - uses: docker/setup-qemu-action@v3 with: {platforms: arm64} - - uses: docker/setup-buildx-action@v4 + - uses: docker/setup-buildx-action@v4.0.0 with: {driver-opts: network=host} - uses: docker/login-action@v3 with: diff --git a/CHANGELOG.md b/CHANGELOG.md index d445660..553fd35 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,11 +8,25 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a ## Unreleased -_(no changes since v1.15.11)_ +_(no changes since v1.15.11b)_ --- -## v1.15.11 — 2026-05-27 +## v1.15.11b — 2026-05-27 + +Container-level rebuild of v1.15.11. The original v1.15.11 release-day publish failed three times in a row (CI runs #332/333/334) with identical `400 Bad request` responses from `registry-1.docker.io` on the buildx layer-blob PUT. Build itself succeeded 30/30 each time; only the multi-arch push failed. Triaged on 2026-05-27 evening: + +- **Local multi-arch buildx push from a developer host succeeds in ~25s** — same Hub account, same multi-arch path. Account, repo, and Hub-CDN are all healthy. +- **Last known-good Gitea Actions Hub push: 2026-05-23 ~20:26 UTC** (`pi-devbox v0.75.5b`). All Gitea-runner-driven pushes since 2026-05-24 have failed identically. +- **Smoking gun candidate:** `docker/setup-buildx-action@v4` floats to `v4.1.0` (published 2026-05-22 16:00 UTC). Action-resolver caches on the runner appear to have rolled forward to v4.1.0 sometime between the May 23 success and the first May 24 failure. v4.1.0 ships a newer bundled buildx/buildkit which may be using a different push protocol that trips Hub's CDN URI-length cap (the failing `_state` query string is ~1.4 KB). + +### Workflow change + +- **`.gitea/workflows/docker-publish-split.yml`** — all nine `docker/setup-buildx-action@v4` uses pinned to `@v4.0.0`. `setup-qemu-action@v3` left floating since QEMU wasn't in the suspected blast radius and was working on May 23. If v4.0.0 publishes cleanly we keep the pin and file an upstream buildkit/buildx issue documenting the regression. + +No other source changes — same `OPENCODE_VERSION=1.15.11`, same `Dockerfile.base` and `Dockerfile.variant`, same SSH-CM bake, same gitleaks. v1.15.11 (the original tag) is preserved in the repo as a historical marker of the first publish attempt; v1.15.11b is the canonical release. 
+ +### v1.15.11 First release on opencode 1.15.11. Also bakes in four devbox-side fixes accumulated since v1.15.10 (SSH ControlMaster on a writable path, gitleaks added to base, CI resolve-versions hardening, CI cache-hit regression fix). Downstream pi-devbox inherits all of these on its next build against `base-latest`.