Cut v1.15.11b — pin setup-buildx-action@v4.0.0

The v1.15.11 publish failed three times in a row (runs #332/333/334)
with identical '400 Bad request' from registry-1.docker.io on the
multi-arch buildx layer-blob PUT. Triage on 2026-05-27 confirmed:

  - Multi-arch buildx push from a developer host: succeeds in 25s
    (same Hub account, same multi-arch path)
  - Account / repo / Hub-CDN: all healthy
  - Last known-good Gitea-runner Hub push: 2026-05-23 ~20:26 UTC
    (pi-devbox v0.75.5b) — predates docker/setup-buildx-action v4.1.0
    by <24h
  - docker/setup-buildx-action@v4 floats to v4.1.0 (published
    2026-05-22 16:00 UTC), bundling a newer buildx/buildkit whose
    push protocol may trip Hub's CDN URI-length cap on the ~1.4 KB
    _state query string in resumable-upload PUT URLs.

Pinning all nine setup-buildx-action references to @v4.0.0 to
test the hypothesis. setup-qemu-action@v3 left floating since
QEMU wasn't in the suspected blast radius. If v4.0.0 publishes
cleanly we keep the pin and file an upstream buildkit/buildx
issue.

No source changes — same OPENCODE_VERSION=1.15.11, same Dockerfile.base
and Dockerfile.variant. v1.15.11 (original tag) is preserved as a
historical marker of the first publish attempt; v1.15.11b becomes
the canonical release.

.gitea/workflows/docker-publish-split.yml

@@ -174,7 +174,7 @@ jobs:
           platforms: arm64
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v4.0.0
         with:
           driver-opts: network=host
 
@@ -223,7 +223,7 @@ jobs:
             /usr/lib/jvm 2>/dev/null || true
           docker system prune -af --volumes || true
           docker builder prune -af || true
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:
@@ -267,7 +267,7 @@ jobs:
             /usr/lib/jvm 2>/dev/null || true
           docker system prune -af --volumes || true
           docker builder prune -af || true
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:
@@ -312,7 +312,7 @@ jobs:
             /usr/lib/jvm 2>/dev/null || true
           docker system prune -af --volumes || true
           docker builder prune -af || true
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:
@@ -357,7 +357,7 @@ jobs:
             /usr/lib/jvm 2>/dev/null || true
           docker system prune -af --volumes || true
           docker builder prune -af || true
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:
@@ -403,7 +403,7 @@ jobs:
           docker builder prune -af || true
       - uses: docker/setup-qemu-action@v3
         with: {platforms: arm64}
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:
@@ -451,7 +451,7 @@ jobs:
           docker builder prune -af || true
       - uses: docker/setup-qemu-action@v3
         with: {platforms: arm64}
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:
@@ -500,7 +500,7 @@ jobs:
           docker builder prune -af || true
       - uses: docker/setup-qemu-action@v3
         with: {platforms: arm64}
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:
@@ -549,7 +549,7 @@ jobs:
           docker builder prune -af || true
       - uses: docker/setup-qemu-action@v3
         with: {platforms: arm64}
-      - uses: docker/setup-buildx-action@v4
+      - uses: docker/setup-buildx-action@v4.0.0
         with: {driver-opts: network=host}
       - uses: docker/login-action@v3
         with:

CHANGELOG.md

@@ -8,6 +8,40 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a
 
 ## Unreleased
 
+_(no changes since v1.15.11b)_
+
+---
+
+## v1.15.11b — 2026-05-27
+
+Container-level rebuild of v1.15.11. The original v1.15.11 release-day publish failed three times in a row (CI runs #332/333/334) with identical `400 Bad request` responses from `registry-1.docker.io` on the buildx layer-blob PUT. Build itself succeeded 30/30 each time; only the multi-arch push failed. Triaged on 2026-05-27 evening:
+
+- **Local multi-arch buildx push from a developer host succeeds in ~25s** — same Hub account, same multi-arch path. Account, repo, and Hub-CDN are all healthy.
+- **Last known-good Gitea Actions Hub push: 2026-05-23 ~20:26 UTC** (`pi-devbox v0.75.5b`). All Gitea-runner-driven pushes since 2026-05-24 have failed identically.
+- **Smoking gun candidate:** `docker/setup-buildx-action@v4` floats to `v4.1.0` (published 2026-05-22 16:00 UTC). Action-resolver caches on the runner appear to have rolled forward to v4.1.0 sometime between the May 23 success and the first May 24 failure. v4.1.0 ships a newer bundled buildx/buildkit which may be using a different push protocol that trips Hub's CDN URI-length cap (the failing `_state` query string is ~1.4 KB).
+
+### Workflow change
+
+- **`.gitea/workflows/docker-publish-split.yml`** — all nine `docker/setup-buildx-action@v4` uses pinned to `@v4.0.0`. `setup-qemu-action@v3` left floating since QEMU wasn't in the suspected blast radius and was working on May 23. If v4.0.0 publishes cleanly we keep the pin and file an upstream buildkit/buildx issue documenting the regression.
+
+No other source changes — same `OPENCODE_VERSION=1.15.11`, same `Dockerfile.base` and `Dockerfile.variant`, same SSH-CM bake, same gitleaks. v1.15.11 (the original tag) is preserved in the repo as a historical marker of the first publish attempt; v1.15.11b is the canonical release.
+
+### v1.15.11
+
+First release on opencode 1.15.11. Also bakes in four devbox-side fixes accumulated since v1.15.10 (SSH ControlMaster on a writable path, gitleaks added to base, CI resolve-versions hardening, CI cache-hit regression fix). Downstream pi-devbox inherits all of these on its next build against `base-latest`.
+
+### Bumped: opencode 1.15.10 → 1.15.11
+
+`OPENCODE_VERSION` ARG bumped in `Dockerfile.variant`. Highlights from the upstream release (full notes: <https://github.com/anomalyco/opencode/releases/tag/v1.15.11>):
+
+- **Core / Improvements** — new `headerTimeout` config for provider requests (10s default for default OpenAI setups); experimental background agents now push updates without polling; remote-backed projects resolve a stable project identity; `modalities.input` / `modalities.output` can be set independently.
+- **Core / Bugfixes** — dynamically added MCP servers now disconnect cleanly on removal; Google tool calling fixed after upstream tool-ID regression; resumed sessions no longer continue orphaned interrupted tools; OpenAI reasoning summaries render as separate blocks; the `shell` tool now advertises its configured timeout to the model; config loading falls back cleanly when user info is unavailable.
+- **TUI** — prompt resizes with terminal width (new prompt-size config); accelerated diff-viewer scrolling; external editors open from the worktree directory when available.
+- **Desktop** — refined v2 home screen, prompt, status popover, and session controls; fixed V2 titlebar errors when a session sync cache was deleted; web deployments no longer run desktop health checks; duplicate server connections are merged.
+- **Extensions** — new `dispose` hook for plugins; Codex plugin now sends the expected session-ID header.
+
+No `opencode-devbox`-side changes were required to consume 1.15.11 — pure version bump.
+
 ### Base: SSH ControlMaster default on a writable socket path
 
 Devboxes typically mount `~/.ssh` from the host as **read-only** (security: keys remain readable but agents can't tamper with config / known_hosts / authorized_keys / plant a malicious ProxyCommand). OpenSSH's default `ControlPath` lands inside `~/.ssh/cm/`, which is unwritable on such mounts — so any attempt to use `ControlMaster auto` (or anything that wants to multiplex) fails with:
@@ -26,6 +60,8 @@ The second line is downstream: when ControlMaster fails the ssh client falls bac
 
 Downstream pi-devbox and any other variant inherits this on its next build against `base-latest`. Discovered while running a recon-shell from inside pi-devbox to a Proxmox node — fresh ssh hit banner timeout, debug output pointed at the read-only socket dir.
 
+_(Originally landed on `main` 2026-05-24 as commit `668592d`; first ships in v1.15.11.)_
+
 ### Base: gitleaks added; git-crypt confirmed already installed
 
 `gitleaks` is now baked into `Dockerfile.base` (Go-compiled binary fetched from GitHub releases, same `/releases/latest` redirect-resolution pattern as gosu/fzf/git-lfs/etc.). It pairs with `git-crypt`, which has been installed via apt all along but wasn't asserted by smoke or called out in user-facing docs. Several of the user's repos use both as part of their secret-management setup (gitleaks pre-commit hook + git-crypt for selectively-encrypted canonical config); having them in the devbox means `pi install`-style hooks fire correctly inside the container instead of warning that gitleaks is missing.

Dockerfile.variant

@@ -36,7 +36,7 @@ ARG USER_NAME=developer
 # edit, so the cache-hit class of bug that bit pi-devbox v0.74.0..
 # v0.75.5 cannot apply here.
 ARG INSTALL_OPENCODE=true
-ARG OPENCODE_VERSION=1.15.10
+ARG OPENCODE_VERSION=1.15.11
 RUN if [ "${INSTALL_OPENCODE}" = "true" ]; then \
       NPM_CONFIG_PREFIX=/usr npm install -g opencode-ai@${OPENCODE_VERSION} && \
       opencode --version ; \