Functional (not verbatim) port of the build-provenance, CI-hardening, SSH
and shell fixes from the sibling pi-devbox repo, adapted to opencode-devbox's
companions and two-variant (base/omos) shape. Defaults unchanged → canonical
CI build stays byte-identical apart from the opencode bump and the
(cache-free) provenance layer.
Fixed:
- SSH read-only ~/.ssh ControlPath: setup-lan-access.sh now renders the
writable ~/.ssh-local/config sidecar (ControlPath redirect + Include) on
EVERY host OS instead of exit 0-ing on native Linux; jump-specific blocks
gated behind new NEED_JUMP flag. dssh/dscp + ControlMaster now survive a
read-only ~/.ssh on native-Linux hosts. (pi-devbox v1.1.5)
- bash history loss in nested/tmux shells: DEVBOX_HIST_SET no longer exported
so each shell re-installs its own history -a flush. (pi-devbox v1.1.4)
Added:
- build provenance: OCI labels + /etc/opencode-devbox/build-manifest.json
written from ground truth (opencode --version, installed omos version,
/opt/mempalace-toolkit HEAD); wired into build-variant-* and smoke-* jobs;
smoke-test.sh asserts manifest + label. (pi-devbox v1.1.6)
- scripts/check-base-hash.sh CI guard: fails if a Dockerfile.base ARG *_REF
is not folded into the base_tag hash. (pi-devbox v1.1.6)
- overridable MEMPALACE_TOOLKIT_REPO build-arg in Dockerfile.base. (v1.1.6)
Changed:
- resolve-versions: fail-loud validation (SHA / semver) that aborts the
release instead of silently falling back to floating main; adds shell: bash
(set -o pipefail is illegal under the runner default dash). (pi-devbox v1.1.6)
Bumped:
- opencode-ai 1.17.7 → 1.17.8 (current npm latest stable).
Deferred (needs a decision): opencode.json merge-on-recreate — see CHANGELOG.
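The two CI guards described above (the fail-loud SHA/semver check in resolve-versions and the check-base-hash.sh rule that every Dockerfile.base `ARG *_REF` must be folded into the base_tag hash), as an added illustration that is not the repo's own scripts. It is written in POSIX sh so it behaves the same under dash and bash; the function names, the sample Dockerfile fragment, the hash-input string and the `v`-prefixed semver form are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the repo's own resolve-versions or check-base-hash.sh):
# the two CI guards described in the PR text, written in POSIX sh so they
# behave the same under dash and bash. The sample Dockerfile fragment and the
# hash-input string below are constructed for illustration.
set -eu

# A resolved ref is acceptable only as a full 40-hex commit SHA or a semver tag
# (an optional leading "v" is assumed to be allowed).
is_sha()    { printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{40}$'; }
is_semver() { printf '%s\n' "$1" | grep -Eq '^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$'; }

# Fail loud: a value that is neither (an empty string, "main", a two-part
# version) is rejected with a message, never silently replaced by a branch.
validate_ref() {
  name=$1; value=$2
  if is_sha "$value" || is_semver "$value"; then
    return 0
  fi
  echo "resolve-versions: $name='$value' is neither a 40-hex SHA nor a semver tag; aborting release" >&2
  return 1
}

# Constructed Dockerfile.base fragment: two *_REF ARGs, one of which the
# (constructed) hash input forgets to fold in. *_REPO is deliberately not a ref.
SAMPLE_DOCKERFILE='FROM ubuntu:24.04
ARG MEMPALACE_TOOLKIT_REPO=https://example.invalid/mempalace-toolkit.git
ARG MEMPALACE_TOOLKIT_REF=main
ARG OMOS_REF
RUN echo build'
SAMPLE_HASH_INPUT='ubuntu:24.04 MEMPALACE_TOOLKIT_REF=main'

# base_tag is a short digest of everything that should invalidate the cached
# base image; a ref omitted from its input can change without changing the tag.
base_tag() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | cut -c1-12
  else
    printf '%s' "$1" | shasum -a 256 | cut -c1-12
  fi
}

# Print every "ARG NAME_REF" (with or without a default) from the Dockerfile
# text that does not appear as "NAME_REF=" in the hash input; empty when all
# refs are folded in.
unfolded_ref_args() {
  dockerfile=$1; hash_input=$2; missing=""
  for arg in $(printf '%s\n' "$dockerfile" \
      | sed -n -e 's/^ARG \([A-Z0-9_]*_REF\)=.*$/\1/p' \
               -e 's/^ARG \([A-Z0-9_]*_REF\)$/\1/p'); do
    case " $hash_input " in
      *" $arg="*) ;;                        # folded in as NAME_REF=value
      *) missing="${missing}${arg} " ;;
    esac
  done
  printf '%s' "${missing% }"
}

# CI guard: non-zero exit naming the offenders when any *_REF is unfolded.
check_base_hash() {
  missing=$(unfolded_ref_args "$1" "$2")
  if [ -n "$missing" ]; then
    echo "check-base-hash: ARG(s) not folded into base_tag hash: $missing" >&2
    return 1
  fi
  return 0
}

# Stand-alone run against the constructed samples (wrapped in if so the
# expected rejections do not abort the script under set -e).
for ref in "OMOS_VERSION=v0.3.1" \
           "TOOLKIT_SHA=0123456789abcdef0123456789abcdef01234567" \
           "TOOLKIT_REF=main"; do
  if validate_ref "${ref%%=*}" "${ref#*=}"; then echo "ok   $ref"; fi
done
if check_base_hash "$SAMPLE_DOCKERFILE" "$SAMPLE_HASH_INPUT"; then
  echo "base_tag $(base_tag "$SAMPLE_HASH_INPUT") covers all *_REF args"
fi
```

The rejection path returns instead of calling `exit` so the same function can be unit-tested and reused in a workflow step; in the actual job the caller's `set -e` turns the non-zero return into the failed release. The hash check deliberately keys on the literal `NAME_REF=` token rather than on the value, since the point is that the variable is part of the hash input at all, not what it currently resolves to.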