diff --git a/.gitea/workflows/docker-publish-split.yml b/.gitea/workflows/docker-publish-split.yml
index 1bc3551..e89ea5f 100644
--- a/.gitea/workflows/docker-publish-split.yml
+++ b/.gitea/workflows/docker-publish-split.yml
@@ -174,7 +174,7 @@ jobs:
 platforms: arm64
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4.0.0
+ uses: docker/setup-buildx-action@v4
 with:
 driver-opts: network=host
@@ -223,7 +223,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -267,7 +267,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -312,7 +312,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -357,7 +357,7 @@ jobs:
 /usr/lib/jvm 2>/dev/null || true
 docker system prune -af --volumes || true
 docker builder prune -af || true
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -403,7 +403,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
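Review bot: `@v4` is a mutable major tag, so from the first hunk (old line 177) onward the buildx setup step runs whatever the action's maintainers, or anyone who gains control of that tag, point it at, with no change in this repository; the same applies to the other eight hunks at old lines 223 through 549. The context lines show `docker/login-action@v3` running right after in several of these jobs, so the resolved action code presumably shares a job with registry credentials. Pinning to a full commit SHA and recording the version in a trailing comment keeps the build reproducible while updates still arrive through reviewed bumps: `uses: docker/setup-buildx-action@<full-commit-sha>  # v4.x.y`. The `@v3` references for `login-action` and `setup-qemu-action` seen as context carry the same exposure and are not touched by this commit.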
@@ -451,7 +451,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -500,7 +500,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
@@ -549,7 +549,7 @@ jobs:
 docker builder prune -af || true
 - uses: docker/setup-qemu-action@v3
 with: {platforms: arm64}
- - uses: docker/setup-buildx-action@v4.0.0
+ - uses: docker/setup-buildx-action@v4
 with: {driver-opts: network=host}
 - uses: docker/login-action@v3
 with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 553fd35..4fdadff 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,43 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a
 ## Unreleased
-_(no changes since v1.15.11b)_
+_(no changes since v1.15.12)_
+
+---
+
+## v1.15.12 — 2026-05-28
+
+Manual-published release. Reverts the `setup-buildx-action@v4.0.0` pin from v1.15.11b (hypothesis was disproven — see below) and bumps the bundled `pi-coding-agent` to 0.76.0 via the floating `PI_VERSION=latest` resolution.
+
+### Why "manual-published"
+
+v1.15.11b reproduced the exact same Hub `400 Bad request` regression as v1.15.11 (CI run #336, build-base failed twice including a Gitea auto-rerun), confirming `setup-buildx-action@v4.1.0` is **not** the regressor. After four consecutive identical CI failures across two days, the SSH-CM and gitleaks fixes were shipped by hand from a developer host's Orbstack/Docker-Desktop — a path we already knew worked in ~25s for the same multi-arch build to the same Hub account.
+
+This release ships the same content the runner-side build would have shipped; it just bypasses the broken runner-network → Hub-CDN combo. CI auto-publishing remains broken pending separate runner-side investigation (see [AGENTS.md — known issues](AGENTS.md)).
+
+### Workflow change
+
+- **`.gitea/workflows/docker-publish-split.yml`** — all nine `setup-buildx-action@v4.0.0` pins reverted to `@v4`. The pin added no value (failure reproduced) and was holding us off action improvements.
+
+### Bumped: pi-coding-agent (latest → 0.76.0)
+
+`PI_VERSION=latest` in `Dockerfile.variant` resolves at build time. 0.76.0 was published 2026-05-27 20:03 UTC. No Dockerfile edit needed; floating-`latest` is intentional so each opencode-devbox release pulls the freshest pi without a manual bump.
+
+### Hub-push regression — ruled out / still suspect
+
+**Ruled out:**
+- `setup-buildx-action@v4.1.0` — v4.0.0 reproduces the failure identically.
+- `@docker/actions-toolkit 0.79.0 → 0.90.0` — rolled back via the action pin; same failure.
+- Account / repo / Hub-CDN globally — local pushes from a developer host succeed.
+- Multi-arch as such — pi-devbox v0.75.5b pushed multi-arch on 2026-05-23.
+
+**Still suspect:**
+- `catthehacker/ubuntu:act-latest` runner image (floating, not pinned in workflows).
+- act-runner host network egress from `runner-2` (sustained CDN-edge rejection from this specific source IP).
+- buildx 0.34.x's signed `_state` token format hitting a Hub-edge WAF/length rule that didn't apply to 0.33.x.
+- Hub-side per-repo state for `joakimp/opencode-devbox` specifically (other Hub repos from the same account work).
+
+Four failing runs share the exact failure shape: HTTP 400 with HTML body (CDN-tier, not registry backend) on the very first PUT (`Offset:0`) of the resumable layer-blob upload. UUIDs and `_state` signatures differ across attempts — only the failure pattern is stable.
 ---