Merge pull request #1477 from crazy-max/git-wsl

build: lookup the right git binary on WSL

.github/workflows/build.yml

@@ -21,12 +21,14 @@ on:
       - 'docs/**'
 
 env:
+  BUILDX_VERSION: "v0.10.0-rc1"
+  BUILDKIT_IMAGE: "moby/buildkit:v0.11.0-rc3"
   REPO_SLUG: "docker/buildx-bin"
   DESTDIR: "./bin"
 
 jobs:
   test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       -
         name: Checkout
@@ -35,7 +37,9 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
         name: Test
         uses: docker/bake-action@v2
@@ -51,7 +55,7 @@ jobs:
           directory: ${{ env.DESTDIR }}/coverage
 
   prepare:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     outputs:
       matrix: ${{ steps.platforms.outputs.matrix }}
     steps:
@@ -62,14 +66,14 @@ jobs:
         name: Create matrix
         id: platforms
         run: |
-          echo ::set-output name=matrix::$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')
+          echo "matrix=$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')" >>${GITHUB_OUTPUT}
       -
         name: Show matrix
         run: |
           echo ${{ steps.platforms.outputs.matrix }}
 
   binaries:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs:
       - prepare
     strategy:
@@ -92,26 +96,27 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
         name: Build
-        uses: docker/bake-action@v2
-        with:
-          targets: release
-          set: |
-            *.platform=${{ matrix.platform }}
-            *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
-            *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
+        run: |
+          make release
+        env:
+          PLATFORMS: ${{ matrix.platform }}
+          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
       -
         name: Upload artifacts
         uses: actions/upload-artifact@v3
         with:
           name: buildx
-          path: ${{ env.DESTDIR }}/release/*
+          path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
 
   bin-image:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     if: ${{ github.event_name != 'pull_request' }}
     steps:
       -
@@ -124,7 +129,9 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
       -
         name: Docker meta
         id: meta
@@ -156,9 +163,11 @@ jobs:
           set: |
             *.cache-from=type=gha,scope=bin-image
             *.cache-to=type=gha,scope=bin-image,mode=max
+            *.attest=type=sbom
+            *.attest=type=provenance,mode=max,builder-id=https://github.com/${{ env.GITHUB_REPOSITORY }}/actions/runs/${{ env.GITHUB_RUN_ID }}
 
   release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     needs:
       - binaries
     steps:
@@ -193,7 +202,7 @@ jobs:
           files: ${{ env.DESTDIR }}/*
 
   buildkit-edge:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     continue-on-error: true
     steps:
       -
@@ -206,7 +215,7 @@ jobs:
         name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
         with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
           driver-opts: image=moby/buildkit:master
           buildkitd-flags: --debug
       -

.github/workflows/docs-release.yml

@@ -2,11 +2,13 @@ name: docs-release
 
 on:
   release:
-    types: [ released ]
+    types:
+      - releases
 
 jobs:
   open-pr:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+    if: "!github.event.release.prerelease"
     steps:
       -
         name: Checkout docs repo

.github/workflows/docs-upstream.yml

@@ -22,7 +22,7 @@ on:
 
 jobs:
   docs-yaml:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
       -
         name: Checkout

.github/workflows/e2e.yml

@@ -23,7 +23,7 @@ env:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.github/workflows/validate.yml

@@ -19,7 +19,7 @@ on:
 
 jobs:
   validate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     strategy:
       fail-fast: false
       matrix:

Dockerfile

@@ -1,4 +1,4 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile-upstream:master
 
 ARG GO_VERSION=1.19
 ARG XX_VERSION=1.1.2
@@ -58,6 +58,8 @@ FROM scratch AS binaries-windows
 COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe
 
 FROM binaries-$TARGETOS AS binaries
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 # Release
 FROM --platform=$BUILDPLATFORM alpine AS releaser

bake/bake.go

@@ -559,24 +559,24 @@ type Target struct {
 	Attest   []string `json:"attest,omitempty" hcl:"attest,optional" cty:"attest"`
 	Inherits []string `json:"inherits,omitempty" hcl:"inherits,optional" cty:"inherits"`
 
-	Context          *string           `json:"context,omitempty" hcl:"context,optional" cty:"context"`
-	Contexts         map[string]string `json:"contexts,omitempty" hcl:"contexts,optional" cty:"contexts"`
-	Dockerfile       *string           `json:"dockerfile,omitempty" hcl:"dockerfile,optional" cty:"dockerfile"`
-	DockerfileInline *string           `json:"dockerfile-inline,omitempty" hcl:"dockerfile-inline,optional" cty:"dockerfile-inline"`
-	Args             map[string]string `json:"args,omitempty" hcl:"args,optional" cty:"args"`
-	Labels           map[string]string `json:"labels,omitempty" hcl:"labels,optional" cty:"labels"`
-	Tags             []string          `json:"tags,omitempty" hcl:"tags,optional" cty:"tags"`
-	CacheFrom        []string          `json:"cache-from,omitempty"  hcl:"cache-from,optional" cty:"cache-from"`
-	CacheTo          []string          `json:"cache-to,omitempty"  hcl:"cache-to,optional" cty:"cache-to"`
-	Target           *string           `json:"target,omitempty" hcl:"target,optional" cty:"target"`
-	Secrets          []string          `json:"secret,omitempty" hcl:"secret,optional" cty:"secret"`
-	SSH              []string          `json:"ssh,omitempty" hcl:"ssh,optional" cty:"ssh"`
-	Platforms        []string          `json:"platforms,omitempty" hcl:"platforms,optional" cty:"platforms"`
-	Outputs          []string          `json:"output,omitempty" hcl:"output,optional" cty:"output"`
-	Pull             *bool             `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
-	NoCache          *bool             `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
-	NetworkMode      *string           `json:"-" hcl:"-" cty:"-"`
-	NoCacheFilter    []string          `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
+	Context          *string            `json:"context,omitempty" hcl:"context,optional" cty:"context"`
+	Contexts         map[string]string  `json:"contexts,omitempty" hcl:"contexts,optional" cty:"contexts"`
+	Dockerfile       *string            `json:"dockerfile,omitempty" hcl:"dockerfile,optional" cty:"dockerfile"`
+	DockerfileInline *string            `json:"dockerfile-inline,omitempty" hcl:"dockerfile-inline,optional" cty:"dockerfile-inline"`
+	Args             map[string]*string `json:"args,omitempty" hcl:"args,optional" cty:"args"`
+	Labels           map[string]*string `json:"labels,omitempty" hcl:"labels,optional" cty:"labels"`
+	Tags             []string           `json:"tags,omitempty" hcl:"tags,optional" cty:"tags"`
+	CacheFrom        []string           `json:"cache-from,omitempty"  hcl:"cache-from,optional" cty:"cache-from"`
+	CacheTo          []string           `json:"cache-to,omitempty"  hcl:"cache-to,optional" cty:"cache-to"`
+	Target           *string            `json:"target,omitempty" hcl:"target,optional" cty:"target"`
+	Secrets          []string           `json:"secret,omitempty" hcl:"secret,optional" cty:"secret"`
+	SSH              []string           `json:"ssh,omitempty" hcl:"ssh,optional" cty:"ssh"`
+	Platforms        []string           `json:"platforms,omitempty" hcl:"platforms,optional" cty:"platforms"`
+	Outputs          []string           `json:"output,omitempty" hcl:"output,optional" cty:"output"`
+	Pull             *bool              `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
+	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
+	NetworkMode      *string            `json:"-" hcl:"-" cty:"-"`
+	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
 	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/manuals/bake/file-definition.md.
 
 	// linked is a private field to mark a target used as a linked one
@@ -615,8 +615,11 @@ func (t *Target) Merge(t2 *Target) {
 		t.DockerfileInline = t2.DockerfileInline
 	}
 	for k, v := range t2.Args {
+		if v == nil {
+			continue
+		}
 		if t.Args == nil {
-			t.Args = map[string]string{}
+			t.Args = map[string]*string{}
 		}
 		t.Args[k] = v
 	}
@@ -627,8 +630,11 @@ func (t *Target) Merge(t2 *Target) {
 		t.Contexts[k] = v
 	}
 	for k, v := range t2.Labels {
+		if v == nil {
+			continue
+		}
 		if t.Labels == nil {
-			t.Labels = map[string]string{}
+			t.Labels = map[string]*string{}
 		}
 		t.Labels[k] = v
 	}
@@ -688,9 +694,9 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 				return errors.Errorf("args require name")
 			}
 			if t.Args == nil {
-				t.Args = map[string]string{}
+				t.Args = map[string]*string{}
 			}
-			t.Args[keys[1]] = value
+			t.Args[keys[1]] = &value
 		case "contexts":
 			if len(keys) != 2 {
 				return errors.Errorf("contexts require name")
@@ -704,9 +710,9 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 				return errors.Errorf("labels require name")
 			}
 			if t.Labels == nil {
-				t.Labels = map[string]string{}
+				t.Labels = map[string]*string{}
 			}
-			t.Labels[keys[1]] = value
+			t.Labels[keys[1]] = &value
 		case "tags":
 			t.Tags = o.ArrValue
 		case "cache-from":
@@ -882,6 +888,22 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 		dockerfilePath = path.Join(contextPath, dockerfilePath)
 	}
 
+	args := map[string]string{}
+	for k, v := range t.Args {
+		if v == nil {
+			continue
+		}
+		args[k] = *v
+	}
+
+	labels := map[string]string{}
+	for k, v := range t.Labels {
+		if v == nil {
+			continue
+		}
+		labels[k] = *v
+	}
+
 	noCache := false
 	if t.NoCache != nil {
 		noCache = *t.NoCache
@@ -922,8 +944,8 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	bo := &build.Options{
 		Inputs:        bi,
 		Tags:          t.Tags,
-		BuildArgs:     t.Args,
-		Labels:        t.Labels,
+		BuildArgs:     args,
+		Labels:        labels,
 		NoCache:       noCache,
 		NoCacheFilter: t.NoCacheFilter,
 		Pull:          pull,

bake/bake_test.go

@@ -2,7 +2,6 @@ package bake
 
 import (
 	"context"
-	"os"
 	"sort"
 	"strings"
 	"testing"
@@ -42,7 +41,7 @@ target "webapp" {
 
 		require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
 		require.Equal(t, ".", *m["webapp"].Context)
-		require.Equal(t, "webDEP", m["webapp"].Args["VAR_INHERITED"])
+		require.Equal(t, ptrstr("webDEP"), m["webapp"].Args["VAR_INHERITED"])
 		require.Equal(t, true, *m["webapp"].NoCache)
 		require.Nil(t, m["webapp"].Pull)
 
@@ -58,8 +57,7 @@ target "webapp" {
 
 	t.Run("ArgsOverrides", func(t *testing.T) {
 		t.Run("leaf", func(t *testing.T) {
-			os.Setenv("VAR_FROMENV"+t.Name(), "fromEnv")
-			defer os.Unsetenv("VAR_FROM_ENV" + t.Name())
+			t.Setenv("VAR_FROMENV"+t.Name(), "fromEnv")
 
 			m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{
 				"webapp.args.VAR_UNSET",
@@ -80,12 +78,12 @@ target "webapp" {
 			_, isSet = m["webapp"].Args["VAR_EMPTY"]
 			require.True(t, isSet, m["webapp"].Args["VAR_EMPTY"])
 
-			require.Equal(t, m["webapp"].Args["VAR_SET"], "bananas")
+			require.Equal(t, ptrstr("bananas"), m["webapp"].Args["VAR_SET"])
 
-			require.Equal(t, m["webapp"].Args["VAR_FROMENV"+t.Name()], "fromEnv")
+			require.Equal(t, ptrstr("fromEnv"), m["webapp"].Args["VAR_FROMENV"+t.Name()])
 
-			require.Equal(t, m["webapp"].Args["VAR_BOTH"], "webapp")
-			require.Equal(t, m["webapp"].Args["VAR_INHERITED"], "override")
+			require.Equal(t, ptrstr("webapp"), m["webapp"].Args["VAR_BOTH"])
+			require.Equal(t, ptrstr("override"), m["webapp"].Args["VAR_INHERITED"])
 
 			require.Equal(t, 1, len(g))
 			require.Equal(t, []string{"webapp"}, g["default"].Targets)
@@ -99,8 +97,8 @@ target "webapp" {
 			}, nil)
 
 			require.NoError(t, err)
-			require.Equal(t, m["webapp"].Args["VAR_INHERITED"], "override")
-			require.Equal(t, m["webapp"].Args["VAR_BOTH"], "webapp")
+			require.Equal(t, ptrstr("override"), m["webapp"].Args["VAR_INHERITED"])
+			require.Equal(t, ptrstr("webapp"), m["webapp"].Args["VAR_BOTH"])
 			require.Equal(t, 1, len(g))
 			require.Equal(t, []string{"webapp"}, g["default"].Targets)
 		})
@@ -139,9 +137,9 @@ target "webapp" {
 			require.NoError(t, err)
 			require.Equal(t, 2, len(m))
 			require.Equal(t, "foo", *m["webapp"].Dockerfile)
-			require.Equal(t, "webDEP", m["webapp"].Args["VAR_INHERITED"])
+			require.Equal(t, ptrstr("webDEP"), m["webapp"].Args["VAR_INHERITED"])
 			require.Equal(t, "foo", *m["webDEP"].Dockerfile)
-			require.Equal(t, "webDEP", m["webDEP"].Args["VAR_INHERITED"])
+			require.Equal(t, ptrstr("webDEP"), m["webDEP"].Args["VAR_INHERITED"])
 			require.Equal(t, 1, len(g))
 			sort.Strings(g["default"].Targets)
 			require.Equal(t, []string{"webDEP", "webapp"}, g["default"].Targets)
@@ -173,7 +171,7 @@ target "webapp" {
 					require.NoError(t, err)
 					require.Equal(t, 1, len(m))
 					require.Equal(t, "foo", *m["webapp"].Dockerfile)
-					require.Equal(t, "webDEP", m["webapp"].Args["VAR_INHERITED"])
+					require.Equal(t, ptrstr("webDEP"), m["webapp"].Args["VAR_INHERITED"])
 					require.Equal(t, 1, len(g))
 					require.Equal(t, []string{"webapp"}, g["default"].Targets)
 				},
@@ -300,8 +298,8 @@ services:
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
 	require.Equal(t, ".", *m["webapp"].Context)
-	require.Equal(t, "1", m["webapp"].Args["buildno"])
-	require.Equal(t, "12", m["webapp"].Args["buildno2"])
+	require.Equal(t, ptrstr("1"), m["webapp"].Args["buildno"])
+	require.Equal(t, ptrstr("12"), m["webapp"].Args["buildno2"])
 
 	require.Equal(t, 1, len(g))
 	sort.Strings(g["default"].Targets)
@@ -344,7 +342,7 @@ services:
 	_, ok := m["web_app"]
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
-	require.Equal(t, "1", m["web_app"].Args["buildno"])
+	require.Equal(t, ptrstr("1"), m["web_app"].Args["buildno"])
 
 	m, _, err = ReadTargets(ctx, []File{fp2}, []string{"web_app"}, nil, nil)
 	require.NoError(t, err)
@@ -352,7 +350,7 @@ services:
 	_, ok = m["web_app"]
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile", *m["web_app"].Dockerfile)
-	require.Equal(t, "12", m["web_app"].Args["buildno2"])
+	require.Equal(t, ptrstr("12"), m["web_app"].Args["buildno2"])
 
 	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"default"}, nil, nil)
 	require.NoError(t, err)
@@ -361,8 +359,8 @@ services:
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
 	require.Equal(t, ".", *m["web_app"].Context)
-	require.Equal(t, "1", m["web_app"].Args["buildno"])
-	require.Equal(t, "12", m["web_app"].Args["buildno2"])
+	require.Equal(t, ptrstr("1"), m["web_app"].Args["buildno"])
+	require.Equal(t, ptrstr("12"), m["web_app"].Args["buildno2"])
 
 	require.Equal(t, 1, len(g))
 	sort.Strings(g["default"].Targets)
@@ -999,22 +997,22 @@ target "d" {
 	cases := []struct {
 		name      string
 		overrides []string
-		want      map[string]string
+		want      map[string]*string
 	}{
 		{
 			name:      "nested simple",
 			overrides: nil,
-			want:      map[string]string{"bar": "234", "baz": "890", "foo": "123"},
+			want:      map[string]*string{"bar": ptrstr("234"), "baz": ptrstr("890"), "foo": ptrstr("123")},
 		},
 		{
 			name:      "nested with overrides first",
 			overrides: []string{"a.args.foo=321", "b.args.bar=432"},
-			want:      map[string]string{"bar": "234", "baz": "890", "foo": "321"},
+			want:      map[string]*string{"bar": ptrstr("234"), "baz": ptrstr("890"), "foo": ptrstr("321")},
 		},
 		{
 			name:      "nested with overrides last",
 			overrides: []string{"a.args.foo=321", "c.args.bar=432"},
-			want:      map[string]string{"bar": "432", "baz": "890", "foo": "321"},
+			want:      map[string]*string{"bar": ptrstr("432"), "baz": ptrstr("890"), "foo": ptrstr("321")},
 		},
 	}
 	for _, tt := range cases {
@@ -1067,26 +1065,26 @@ group "default" {
 	cases := []struct {
 		name      string
 		overrides []string
-		wantch1   map[string]string
-		wantch2   map[string]string
+		wantch1   map[string]*string
+		wantch2   map[string]*string
 	}{
 		{
 			name:      "nested simple",
 			overrides: nil,
-			wantch1:   map[string]string{"BAR": "fuu", "FOO": "bar"},
-			wantch2:   map[string]string{"BAR": "fuu", "FOO": "bar", "FOO2": "bar2"},
+			wantch1:   map[string]*string{"BAR": ptrstr("fuu"), "FOO": ptrstr("bar")},
+			wantch2:   map[string]*string{"BAR": ptrstr("fuu"), "FOO": ptrstr("bar"), "FOO2": ptrstr("bar2")},
 		},
 		{
 			name:      "nested with overrides first",
 			overrides: []string{"grandparent.args.BAR=fii", "child1.args.FOO=baaar"},
-			wantch1:   map[string]string{"BAR": "fii", "FOO": "baaar"},
-			wantch2:   map[string]string{"BAR": "fii", "FOO": "bar", "FOO2": "bar2"},
+			wantch1:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("baaar")},
+			wantch2:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("bar"), "FOO2": ptrstr("bar2")},
 		},
 		{
 			name:      "nested with overrides last",
 			overrides: []string{"grandparent.args.BAR=fii", "child2.args.FOO=baaar"},
-			wantch1:   map[string]string{"BAR": "fii", "FOO": "bar"},
-			wantch2:   map[string]string{"BAR": "fii", "FOO": "baaar", "FOO2": "bar2"},
+			wantch1:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("bar")},
+			wantch2:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("baaar"), "FOO2": ptrstr("bar2")},
 		},
 	}
 	for _, tt := range cases {
@@ -1285,8 +1283,78 @@ services:
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, "app", c.Targets[0].Name)
-	require.Equal(t, "foo", c.Targets[0].Args["v1"])
-	require.Equal(t, "bar", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("foo"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["v2"])
 	require.Equal(t, "dir", *c.Targets[0].Context)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[0].Dockerfile)
 }
+
+func TestHCLNullVars(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`variable "FOO" {
+				default = null
+			}
+			variable "BAR" {
+				default = null
+			}
+			target "default" {
+				args = {
+					foo = FOO
+					bar = "baz"
+				}
+				labels = {
+					"com.docker.app.bar" = BAR
+					"com.docker.app.baz" = "foo"
+				}
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(m))
+	_, ok := m["default"]
+	require.True(t, ok)
+
+	_, err = TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, m["default"].Args)
+	require.Equal(t, map[string]*string{"com.docker.app.baz": ptrstr("foo")}, m["default"].Labels)
+}
+
+func TestJSONNullVars(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.json",
+		Data: []byte(
+			`{
+				"variable": {
+					"FOO": {
+						"default": null
+					}
+				},
+				"target": {
+					"default": {
+						"args": {
+							"foo": "${FOO}",
+							"bar": "baz"
+						}
+					}
+				}
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(m))
+	_, ok := m["default"]
+	require.True(t, ok)
+
+	_, err = TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, m["default"].Args)
+}

bake/compose.go

@@ -75,13 +75,19 @@ func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, e
 				secrets = append(secrets, secret)
 			}
 
+			// compose does not support nil values for labels
+			labels := map[string]*string{}
+			for k, v := range s.Build.Labels {
+				labels[k] = &v
+			}
+
 			g.Targets = append(g.Targets, targetName)
 			t := &Target{
 				Name:       targetName,
 				Context:    contextPathP,
 				Dockerfile: dockerfilePathP,
 				Tags:       s.Build.Tags,
-				Labels:     s.Build.Labels,
+				Labels:     labels,
 				Args: flatten(s.Build.Args.Resolve(func(val string) (string, bool) {
 					if val, ok := s.Environment[val]; ok && val != nil {
 						return *val, true
@@ -193,16 +199,16 @@ func loadDotEnv(curenv map[string]string, workingDir string) (map[string]string,
 	return curenv, nil
 }
 
-func flatten(in compose.MappingWithEquals) compose.Mapping {
+func flatten(in compose.MappingWithEquals) map[string]*string {
 	if len(in) == 0 {
 		return nil
 	}
-	out := compose.Mapping{}
+	out := map[string]*string{}
 	for k, v := range in {
 		if v == nil {
 			continue
 		}
-		out[k] = *v
+		out[k] = v
 	}
 	return out
 }

bake/compose_test.go

@@ -60,7 +60,7 @@ secrets:
 	require.Equal(t, "./dir", *c.Targets[1].Context)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[1].Dockerfile)
 	require.Equal(t, 1, len(c.Targets[1].Args))
-	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])
 	require.Equal(t, []string{"type=local,src=path/to/cache"}, c.Targets[1].CacheFrom)
 	require.Equal(t, []string{"type=local,dest=path/to/cache"}, c.Targets[1].CacheTo)
 	require.Equal(t, "none", *c.Targets[1].NetworkMode)
@@ -149,18 +149,15 @@ services:
         BRB: FOO
 `)
 
-	os.Setenv("FOO", "bar")
-	defer os.Unsetenv("FOO")
-	os.Setenv("BAR", "foo")
-	defer os.Unsetenv("BAR")
-	os.Setenv("ZZZ_BAR", "zzz_foo")
-	defer os.Unsetenv("ZZZ_BAR")
+	t.Setenv("FOO", "bar")
+	t.Setenv("BAR", "foo")
+	t.Setenv("ZZZ_BAR", "zzz_foo")
 
 	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, sliceToMap(os.Environ()))
 	require.NoError(t, err)
-	require.Equal(t, "bar", c.Targets[0].Args["FOO"])
-	require.Equal(t, "zzz_foo", c.Targets[0].Args["BAR"])
-	require.Equal(t, "FOO", c.Targets[0].Args["BRB"])
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["FOO"])
+	require.Equal(t, ptrstr("zzz_foo"), c.Targets[0].Args["BAR"])
+	require.Equal(t, ptrstr("FOO"), c.Targets[0].Args["BRB"])
 }
 
 func TestInconsistentComposeFile(t *testing.T) {
@@ -308,7 +305,7 @@ services:
 	sort.Slice(c.Targets, func(i, j int) bool {
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
-	require.Equal(t, map[string]string{"CT_ECR": "foo", "CT_TAG": "bar"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"CT_ECR": ptrstr("foo"), "CT_TAG": ptrstr("bar")}, c.Targets[0].Args)
 	require.Equal(t, []string{"ct-addon:baz", "ct-addon:foo", "ct-addon:alp"}, c.Targets[0].Tags)
 	require.Equal(t, []string{"linux/amd64", "linux/arm64"}, c.Targets[0].Platforms)
 	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
@@ -381,7 +378,7 @@ services:
 
 	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
-	require.Equal(t, map[string]string{"CT_ECR": "foo", "FOO": "bsdf -csdf", "NODE_ENV": "test"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"CT_ECR": ptrstr("foo"), "FOO": ptrstr("bsdf -csdf"), "NODE_ENV": ptrstr("test")}, c.Targets[0].Args)
 }
 
 func TestDotEnv(t *testing.T) {
@@ -405,7 +402,7 @@ services:
 		Data: dt,
 	}})
 	require.NoError(t, err)
-	require.Equal(t, map[string]string{"FOO": "bar"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"FOO": ptrstr("bar")}, c.Targets[0].Args)
 }
 
 func TestPorts(t *testing.T) {
@@ -629,6 +626,22 @@ target "default" {
 	}
 }
 
+func TestComposeNullArgs(t *testing.T) {
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: .
+     args:
+        FOO: null
+        bar: "baz"
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, c.Targets[0].Args)
+}
+
 // chdir changes the current working directory to the named directory,
 // and then restore the original working directory at the end of the test.
 func chdir(t *testing.T, dir string) {

bake/hcl_test.go

@@ -1,7 +1,7 @@
 package bake
 
 import (
-	"os"
+	"reflect"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -54,7 +54,7 @@ func TestHCLBasic(t *testing.T) {
 
 	require.Equal(t, c.Targets[1].Name, "webapp")
 	require.Equal(t, 1, len(c.Targets[1].Args))
-	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])
 
 	require.Equal(t, c.Targets[2].Name, "cross")
 	require.Equal(t, 2, len(c.Targets[2].Platforms))
@@ -62,7 +62,7 @@ func TestHCLBasic(t *testing.T) {
 
 	require.Equal(t, c.Targets[3].Name, "webapp-plus")
 	require.Equal(t, 1, len(c.Targets[3].Args))
-	require.Equal(t, map[string]string{"IAMCROSS": "true"}, c.Targets[3].Args)
+	require.Equal(t, map[string]*string{"IAMCROSS": ptrstr("true")}, c.Targets[3].Args)
 }
 
 func TestHCLBasicInJSON(t *testing.T) {
@@ -114,7 +114,7 @@ func TestHCLBasicInJSON(t *testing.T) {
 
 	require.Equal(t, c.Targets[1].Name, "webapp")
 	require.Equal(t, 1, len(c.Targets[1].Args))
-	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])
 
 	require.Equal(t, c.Targets[2].Name, "cross")
 	require.Equal(t, 2, len(c.Targets[2].Platforms))
@@ -122,7 +122,7 @@ func TestHCLBasicInJSON(t *testing.T) {
 
 	require.Equal(t, c.Targets[3].Name, "webapp-plus")
 	require.Equal(t, 1, len(c.Targets[3].Args))
-	require.Equal(t, map[string]string{"IAMCROSS": "true"}, c.Targets[3].Args)
+	require.Equal(t, map[string]*string{"IAMCROSS": ptrstr("true")}, c.Targets[3].Args)
 }
 
 func TestHCLWithFunctions(t *testing.T) {
@@ -147,7 +147,7 @@ func TestHCLWithFunctions(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "124", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("124"), c.Targets[0].Args["buildno"])
 }
 
 func TestHCLWithUserDefinedFunctions(t *testing.T) {
@@ -177,7 +177,7 @@ func TestHCLWithUserDefinedFunctions(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "124", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("124"), c.Targets[0].Args["buildno"])
 }
 
 func TestHCLWithVariables(t *testing.T) {
@@ -206,9 +206,9 @@ func TestHCLWithVariables(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "123", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[0].Args["buildno"])
 
-	os.Setenv("BUILD_NUMBER", "456")
+	t.Setenv("BUILD_NUMBER", "456")
 
 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)
@@ -219,7 +219,7 @@ func TestHCLWithVariables(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "456", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("456"), c.Targets[0].Args["buildno"])
 }
 
 func TestHCLWithVariablesInFunctions(t *testing.T) {
@@ -244,7 +244,7 @@ func TestHCLWithVariablesInFunctions(t *testing.T) {
 	require.Equal(t, c.Targets[0].Name, "webapp")
 	require.Equal(t, []string{"user/repo:v1"}, c.Targets[0].Tags)
 
-	os.Setenv("REPO", "docker/buildx")
+	t.Setenv("REPO", "docker/buildx")
 
 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)
@@ -280,10 +280,10 @@ func TestHCLMultiFileSharedVariables(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-abc", c.Targets[0].Args["v1"])
-	require.Equal(t, "abc-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre-abc"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("abc-post"), c.Targets[0].Args["v2"])
 
-	os.Setenv("FOO", "def")
+	t.Setenv("FOO", "def")
 
 	c, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
@@ -293,12 +293,11 @@ func TestHCLMultiFileSharedVariables(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-def", c.Targets[0].Args["v1"])
-	require.Equal(t, "def-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre-def"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("def-post"), c.Targets[0].Args["v2"])
 }
 
 func TestHCLVarsWithVars(t *testing.T) {
-	os.Unsetenv("FOO")
 	dt := []byte(`
 		variable "FOO" {
 			default = upper("${BASE}def")
@@ -330,10 +329,10 @@ func TestHCLVarsWithVars(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre--ABCDEF-", c.Targets[0].Args["v1"])
-	require.Equal(t, "ABCDEF-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre--ABCDEF-"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("ABCDEF-post"), c.Targets[0].Args["v2"])
 
-	os.Setenv("BASE", "new")
+	t.Setenv("BASE", "new")
 
 	c, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
@@ -343,12 +342,11 @@ func TestHCLVarsWithVars(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre--NEWDEF-", c.Targets[0].Args["v1"])
-	require.Equal(t, "NEWDEF-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre--NEWDEF-"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("NEWDEF-post"), c.Targets[0].Args["v2"])
 }
 
 func TestHCLTypedVariables(t *testing.T) {
-	os.Unsetenv("FOO")
 	dt := []byte(`
 		variable "FOO" {
 			default = 3
@@ -369,33 +367,80 @@ func TestHCLTypedVariables(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "lower", c.Targets[0].Args["v1"])
-	require.Equal(t, "yes", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("lower"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("yes"), c.Targets[0].Args["v2"])
 
-	os.Setenv("FOO", "5.1")
-	os.Setenv("IS_FOO", "0")
+	t.Setenv("FOO", "5.1")
+	t.Setenv("IS_FOO", "0")
 
 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "higher", c.Targets[0].Args["v1"])
-	require.Equal(t, "no", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("higher"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("no"), c.Targets[0].Args["v2"])
 
-	os.Setenv("FOO", "NaN")
+	t.Setenv("FOO", "NaN")
 	_, err = ParseFile(dt, "docker-bake.hcl")
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to parse FOO as number")
 
-	os.Setenv("FOO", "0")
-	os.Setenv("IS_FOO", "maybe")
+	t.Setenv("FOO", "0")
+	t.Setenv("IS_FOO", "maybe")
 
 	_, err = ParseFile(dt, "docker-bake.hcl")
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to parse IS_FOO as bool")
 }
 
+func TestHCLNullVariables(t *testing.T) {
+	dt := []byte(`
+		variable "FOO" {
+			default = null
+		}
+		target "default" {
+			args = {
+				foo = FOO
+			}
+		}`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr(nil), c.Targets[0].Args["foo"])
+
+	t.Setenv("FOO", "bar")
+	c, err = ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["foo"])
+}
+
+func TestJSONNullVariables(t *testing.T) {
+	dt := []byte(`{
+		"variable": {
+			"FOO": {
+				"default": null
+			}
+		},
+		"target": {
+			"default": {
+				"args": {
+					"foo": "${FOO}"
+				}
+			}
+		}
+	}`)
+
+	c, err := ParseFile(dt, "docker-bake.json")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr(nil), c.Targets[0].Args["foo"])
+
+	t.Setenv("FOO", "bar")
+	c, err = ParseFile(dt, "docker-bake.json")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["foo"])
+}
+
 func TestHCLVariableCycle(t *testing.T) {
 	dt := []byte(`
 		variable "FOO" {
@@ -431,16 +476,16 @@ func TestHCLAttrs(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "attr-abcdef", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("attr-abcdef"), c.Targets[0].Args["v1"])
 
 	// env does not apply if no variable
-	os.Setenv("FOO", "bar")
+	t.Setenv("FOO", "bar")
 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "attr-abcdef", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("attr-abcdef"), c.Targets[0].Args["v1"])
 	// attr-multifile
 }
 
@@ -549,11 +594,10 @@ func TestHCLAttrsCustomType(t *testing.T) {
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
 	require.Equal(t, []string{"linux/arm64", "linux/amd64"}, c.Targets[0].Platforms)
-	require.Equal(t, "linux/arm64", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("linux/arm64"), c.Targets[0].Args["v1"])
 }
 
 func TestHCLMultiFileAttrs(t *testing.T) {
-	os.Unsetenv("FOO")
 	dt := []byte(`
 		variable "FOO" {
 			default = "abc"
@@ -575,9 +619,9 @@ func TestHCLMultiFileAttrs(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-def", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-def"), c.Targets[0].Args["v1"])
 
-	os.Setenv("FOO", "ghi")
+	t.Setenv("FOO", "ghi")
 
 	c, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
@@ -587,7 +631,7 @@ func TestHCLMultiFileAttrs(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-ghi", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-ghi"), c.Targets[0].Args["v1"])
 }
 
 func TestJSONAttributes(t *testing.T) {
@@ -598,7 +642,7 @@ func TestJSONAttributes(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-abc-def", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-abc-def"), c.Targets[0].Args["v1"])
 }
 
 func TestJSONFunctions(t *testing.T) {
@@ -623,7 +667,7 @@ func TestJSONFunctions(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-<FOO-abc>", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-<FOO-abc>"), c.Targets[0].Args["v1"])
 }
 
 func TestHCLFunctionInAttr(t *testing.T) {
@@ -651,7 +695,7 @@ func TestHCLFunctionInAttr(t *testing.T) {
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "FOO <> [baz]", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("FOO <> [baz]"), c.Targets[0].Args["v1"])
 }
 
 func TestHCLCombineCompose(t *testing.T) {
@@ -682,8 +726,8 @@ services:
 
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "foo", c.Targets[0].Args["v1"])
-	require.Equal(t, "bar", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("foo"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["v2"])
 	require.Equal(t, "dir", *c.Targets[0].Context)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[0].Dockerfile)
 }
@@ -828,10 +872,10 @@ target "two" {
 	require.Equal(t, 2, len(c.Targets))
 
 	require.Equal(t, c.Targets[0].Name, "one")
-	require.Equal(t, map[string]string{"a": "pre-ghi-jkl"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"a": ptrstr("pre-ghi-jkl")}, c.Targets[0].Args)
 
 	require.Equal(t, c.Targets[1].Name, "two")
-	require.Equal(t, map[string]string{"b": "pre-jkl"}, c.Targets[1].Args)
+	require.Equal(t, map[string]*string{"b": ptrstr("pre-jkl")}, c.Targets[1].Args)
 }
 
 func TestEmptyVariableJSON(t *testing.T) {
@@ -882,3 +926,12 @@ func TestVarUnsupportedType(t *testing.T) {
 	_, err := ParseFile(dt, "docker-bake.hcl")
 	require.Error(t, err)
 }
+
+func ptrstr(s interface{}) *string {
+	var n *string = nil
+	if reflect.ValueOf(s).Kind() == reflect.String {
+		ss := s.(string)
+		n = &ss
+	}
+	return n
+}

bake/hclparser/expr.go

@@ -83,7 +83,7 @@ func appendJSONFuncCalls(exp hcl.Expression, m map[string]struct{}) error {
 
 	// hcl/v2/json/ast#stringVal
 	val := src.FieldByName("Value")
-	if val.IsZero() {
+	if !val.IsValid() || val.IsZero() {
 		return nil
 	}
 	rng := src.FieldByName("SrcRange")

bake/hclparser/hclparser.go

@@ -281,19 +281,16 @@ func (p *parser) resolveValue(name string) (err error) {
 	_, isVar := p.vars[name]
 
 	if envv, ok := p.opt.LookupVar(name); ok && isVar {
-		if vv.Type().Equals(cty.Bool) {
+		switch {
+		case vv.Type().Equals(cty.Bool):
 			b, err := strconv.ParseBool(envv)
 			if err != nil {
 				return errors.Wrapf(err, "failed to parse %s as bool", name)
 			}
-			vv := cty.BoolVal(b)
-			v = &vv
-			return nil
-		} else if vv.Type().Equals(cty.String) {
-			vv := cty.StringVal(envv)
-			v = &vv
-			return nil
-		} else if vv.Type().Equals(cty.Number) {
+			vv = cty.BoolVal(b)
+		case vv.Type().Equals(cty.String), vv.Type().Equals(cty.DynamicPseudoType):
+			vv = cty.StringVal(envv)
+		case vv.Type().Equals(cty.Number):
 			n, err := strconv.ParseFloat(envv, 64)
 			if err == nil && (math.IsNaN(n) || math.IsInf(n, 0)) {
 				err = errors.Errorf("invalid number value")
@@ -301,10 +298,8 @@ func (p *parser) resolveValue(name string) (err error) {
 			if err != nil {
 				return errors.Wrapf(err, "failed to parse %s as number", name)
 			}
-			vv := cty.NumberVal(big.NewFloat(n))
-			v = &vv
-			return nil
-		} else {
+			vv = cty.NumberVal(big.NewFloat(n))
+		default:
 			// TODO: support lists with csv values
 			return errors.Errorf("unsupported type %s for variable %s", vv.Type().FriendlyName(), name)
 		}

build/build.go

@@ -37,7 +37,6 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
-	"github.com/moby/buildkit/frontend/attestations"
 	gateway "github.com/moby/buildkit/frontend/gateway/client"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/upload/uploadprovider"
@@ -595,10 +594,6 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 		so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true"
 	}
 
-	for k, v := range getGitAttributes(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath) {
-		so.FrontendAttrs[k] = v
-	}
-
 	// set platforms
 	if len(opt.Platforms) != 0 {
 		pp := make([]string, len(opt.Platforms))
@@ -853,6 +848,10 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 	for k, opt := range opt {
 		multiDriver := len(m[k]) > 1
 		hasMobyDriver := false
+		gitattrs, err := getGitAttributes(ctx, opt.Inputs.ContextPath, opt.Inputs.DockerfilePath)
+		if err != nil {
+			logrus.Warn(err)
+		}
 		for i, np := range m[k] {
 			node := nodes[np.driverIndex]
 			if node.Driver.IsMobyDriver() {
@@ -862,6 +861,9 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 			so, release, err := toSolveOpt(ctx, node, multiDriver, opt, np.bopts, configDir, w, func(name string) (io.WriteCloser, func(), error) {
 				return docker.LoadImage(ctx, name, w)
 			})
+			for k, v := range gitattrs {
+				so.FrontendAttrs[k] = v
+			}
 			if err != nil {
 				return nil, err
 			}
@@ -1113,11 +1115,13 @@ func BuildWithResultHandler(ctx context.Context, nodes []builder.Node, opt map[s
 
 						req := gateway.SolveRequest{
 							Frontend:       so.Frontend,
-							FrontendOpt:    so.FrontendAttrs,
 							FrontendInputs: frontendInputs,
+							FrontendOpt:    make(map[string]string),
+						}
+						for k, v := range so.FrontendAttrs {
+							req.FrontendOpt[k] = v
 						}
 						so.Frontend = ""
-						so.FrontendAttrs = attestations.Filter(so.FrontendAttrs)
 						so.FrontendInputs = nil
 
 						ch, done := progress.NewChannel(pw)

build/git.go

@@ -3,18 +3,19 @@ package build
 import (
 	"context"
 	"os"
+	"path"
 	"path/filepath"
 	"strconv"
 	"strings"
 
 	"github.com/docker/buildx/util/gitutil"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/sirupsen/logrus"
+	"github.com/pkg/errors"
 )
 
 const DockerfileLabel = "com.docker.image.source.entrypoint"
 
-func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (res map[string]string) {
+func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (res map[string]string, _ error) {
 	res = make(map[string]string)
 	if contextPath == "" {
 		return
@@ -24,13 +25,13 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	if v, ok := os.LookupEnv("BUILDX_GIT_LABELS"); ok {
 		if v == "full" { // backward compatibility with old "full" mode
 			setGitLabels = true
-		} else if v, _ := strconv.ParseBool(v); v {
+		} else if v, err := strconv.ParseBool(v); err == nil {
 			setGitLabels = v
 		}
 	}
 	setGitInfo := true
 	if v, ok := os.LookupEnv("BUILDX_GIT_INFO"); ok {
-		if v, _ := strconv.ParseBool(v); v {
+		if v, err := strconv.ParseBool(v); err == nil {
 			setGitInfo = v
 		}
 	}
@@ -48,27 +49,50 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 		wd, _ = filepath.Abs(filepath.Join(cwd, contextPath))
 	}
 
-	gitc := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
-	if !gitc.IsInsideWorkTree() {
-		logrus.Warnf("Unable to determine Git information")
+	gitc, err := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
+	if err != nil {
+		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
+			return res, errors.New("git was not found in the system. Current commit information was not captured by the build")
+		}
 		return
 	}
 
-	var resRevision, resSource, resDockerfilePath string
+	if !gitc.IsInsideWorkTree() {
+		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
+			return res, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
+		}
+		return res, nil
+	}
 
-	if sha, err := gitc.FullCommit(); err == nil && sha != "" {
-		resRevision = sha
+	if sha, err := gitc.FullCommit(); err != nil {
+		return res, errors.Wrapf(err, "failed to get git commit")
+	} else if sha != "" {
 		if gitc.IsDirty() {
-			resRevision += "-dirty"
+			sha += "-dirty"
+		}
+		if setGitLabels {
+			res["label:"+specs.AnnotationRevision] = sha
+		}
+		if setGitInfo {
+			res["vcs:revision"] = sha
 		}
 	}
 
-	if rurl, err := gitc.RemoteURL(); err == nil && rurl != "" {
-		resSource = rurl
+	if rurl, err := gitc.RemoteURL(); err != nil {
+		return res, errors.Wrapf(err, "failed to get git remote url")
+	} else if rurl != "" {
+		if setGitLabels {
+			res["label:"+specs.AnnotationSource] = rurl
+		}
+		if setGitInfo {
+			res["vcs:source"] = rurl
+		}
 	}
 
 	if setGitLabels {
-		if root, err := gitc.RootDir(); err == nil && root != "" {
+		if root, err := gitc.RootDir(); err != nil {
+			return res, errors.Wrapf(err, "failed to get git root dir")
+		} else if root != "" {
 			if dockerfilePath == "" {
 				dockerfilePath = filepath.Join(wd, "Dockerfile")
 			}
@@ -78,32 +102,10 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 			}
 			dockerfilePath, _ = filepath.Rel(root, dockerfilePath)
 			if !strings.HasPrefix(dockerfilePath, "..") {
-				resDockerfilePath = dockerfilePath
+				res["label:"+DockerfileLabel] = dockerfilePath
 			}
 		}
 	}
 
-	if resSource != "" {
-		if setGitLabels {
-			res["label:"+specs.AnnotationSource] = resSource
-		}
-		if setGitInfo {
-			res["vcs:source"] = resSource
-		}
-	}
-	if resRevision != "" {
-		if setGitLabels {
-			res["label:"+specs.AnnotationRevision] = resRevision
-		}
-		if setGitInfo {
-			res["vcs:revision"] = resRevision
-		}
-	}
-	if resDockerfilePath != "" {
-		if setGitLabels {
-			res["label:"+DockerfileLabel] = resDockerfilePath
-		}
-	}
-
 	return
 }

build/git_test.go

@@ -3,6 +3,7 @@ package build
 import (
 	"context"
 	"os"
+	"path"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -10,21 +11,42 @@ import (
 	"github.com/docker/buildx/util/gitutil"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func setupTest(tb testing.TB) {
 	gitutil.Mktmp(tb)
-	gitutil.GitInit(tb)
+
+	c, err := gitutil.New()
+	require.NoError(tb, err)
+	gitutil.GitInit(c, tb)
+
 	df := []byte("FROM alpine:latest\n")
 	assert.NoError(tb, os.WriteFile("Dockerfile", df, 0644))
-	gitutil.GitAdd(tb, "Dockerfile")
-	gitutil.GitCommit(tb, "initial commit")
+
+	gitutil.GitAdd(c, tb, "Dockerfile")
+	gitutil.GitCommit(c, tb, "initial commit")
+	gitutil.GitSetRemote(c, tb, "git@github.com:docker/buildx.git")
+}
+
+func TestGetGitAttributesNotGitRepo(t *testing.T) {
+	_, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
+	assert.NoError(t, err)
+}
+
+func TestGetGitAttributesBadGitRepo(t *testing.T) {
+	tmp := t.TempDir()
+	require.NoError(t, os.MkdirAll(path.Join(tmp, ".git"), 0755))
+
+	_, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
+	assert.Error(t, err)
 }
 
 func TestGetGitAttributesNoContext(t *testing.T) {
 	setupTest(t)
 
-	gitattrs := getGitAttributes(context.Background(), "", "Dockerfile")
+	gitattrs, err := getGitAttributes(context.Background(), "", "Dockerfile")
+	assert.NoError(t, err)
 	assert.Empty(t, gitattrs)
 }
 
@@ -41,14 +63,22 @@ func TestGetGitAttributes(t *testing.T) {
 			envGitInfo:   "",
 			expected: []string{
 				"vcs:revision",
+				"vcs:source",
 			},
 		},
+		{
+			name:         "none",
+			envGitLabels: "false",
+			envGitInfo:   "false",
+			expected:     []string{},
+		},
 		{
 			name:         "gitinfo",
 			envGitLabels: "false",
 			envGitInfo:   "true",
 			expected: []string{
 				"vcs:revision",
+				"vcs:source",
 			},
 		},
 		{
@@ -58,6 +88,7 @@ func TestGetGitAttributes(t *testing.T) {
 			expected: []string{
 				"label:" + DockerfileLabel,
 				"label:" + specs.AnnotationRevision,
+				"label:" + specs.AnnotationSource,
 			},
 		},
 		{
@@ -67,7 +98,9 @@ func TestGetGitAttributes(t *testing.T) {
 			expected: []string{
 				"label:" + DockerfileLabel,
 				"label:" + specs.AnnotationRevision,
+				"label:" + specs.AnnotationSource,
 				"vcs:revision",
+				"vcs:source",
 			},
 		},
 	}
@@ -81,52 +114,42 @@ func TestGetGitAttributes(t *testing.T) {
 			if tt.envGitInfo != "" {
 				t.Setenv("BUILDX_GIT_INFO", tt.envGitInfo)
 			}
-			gitattrs := getGitAttributes(context.Background(), ".", "Dockerfile")
+			gitattrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+			require.NoError(t, err)
 			for _, e := range tt.expected {
 				assert.Contains(t, gitattrs, e)
 				assert.NotEmpty(t, gitattrs[e])
 				if e == "label:"+DockerfileLabel {
 					assert.Equal(t, "Dockerfile", gitattrs[e])
+				} else if e == "label:"+specs.AnnotationSource || e == "vcs:source" {
+					assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs[e])
 				}
 			}
 		})
 	}
 }
 
-func TestGetGitAttributesWithRemote(t *testing.T) {
-	setupTest(t)
-	gitutil.GitSetRemote(t, "git@github.com:docker/buildx.git")
-
-	t.Setenv("BUILDX_GIT_LABELS", "true")
-	gitattrs := getGitAttributes(context.Background(), ".", "Dockerfile")
-	assert.Equal(t, 5, len(gitattrs))
-	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
-	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
-	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
-	assert.NotEmpty(t, gitattrs["label:"+specs.AnnotationRevision])
-	assert.Contains(t, gitattrs, "label:"+specs.AnnotationSource)
-	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["label:"+specs.AnnotationSource])
-	assert.Contains(t, gitattrs, "vcs:revision")
-	assert.NotEmpty(t, gitattrs["vcs:revision"])
-	assert.Contains(t, gitattrs, "vcs:source")
-	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["vcs:source"])
-}
-
 func TestGetGitAttributesDirty(t *testing.T) {
 	setupTest(t)
 
 	// make a change to test dirty flag
 	df := []byte("FROM alpine:edge\n")
-	assert.NoError(t, os.Mkdir("dir", 0755))
-	assert.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))
+	require.NoError(t, os.Mkdir("dir", 0755))
+	require.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))
 
 	t.Setenv("BUILDX_GIT_LABELS", "true")
-	gitattrs := getGitAttributes(context.Background(), ".", "Dockerfile")
-	assert.Equal(t, 3, len(gitattrs))
+	gitattrs, _ := getGitAttributes(context.Background(), ".", "Dockerfile")
+	assert.Equal(t, 5, len(gitattrs))
+
 	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
 	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationSource)
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["label:"+specs.AnnotationSource])
 	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
 	assert.True(t, strings.HasSuffix(gitattrs["label:"+specs.AnnotationRevision], "-dirty"))
+
+	assert.Contains(t, gitattrs, "vcs:source")
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["vcs:source"])
 	assert.Contains(t, gitattrs, "vcs:revision")
 	assert.True(t, strings.HasSuffix(gitattrs["vcs:revision"], "-dirty"))
 }

builder/builder.go

@@ -219,9 +219,9 @@ func (b *Builder) Factory(ctx context.Context) (_ driver.Factory, err error) {
 			// driver for a docker context and allows falling back to a
 			// docker-container driver for older daemon that doesn't support
 			// buildkit (< 18.06).
-			ep := b.nodes[0].Endpoint
+			ep := b.NodeGroup.Nodes[0].Endpoint
 			var dockerapi *dockerutil.ClientAPI
-			dockerapi, err = dockerutil.NewClientAPI(b.opts.dockerCli, b.nodes[0].Endpoint)
+			dockerapi, err = dockerutil.NewClientAPI(b.opts.dockerCli, b.NodeGroup.Nodes[0].Endpoint)
 			if err != nil {
 				return
 			}

go.mod

@@ -17,6 +17,7 @@ require (
 	github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 	github.com/hashicorp/hcl/v2 v2.8.2
 	github.com/moby/buildkit v0.11.0-rc1.0.20221213193744-862b22d7e7cf
+	github.com/moby/sys/mountinfo v0.6.2
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1

go.sum

@@ -411,6 +411,7 @@ github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8
 github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
 github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78=
+github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
 github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
@@ -780,6 +781,7 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
 golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

hack/release

@@ -2,27 +2,56 @@
 
 set -eu -o pipefail
 
+: "${GITHUB_ACTIONS=}"
+: "${GITHUB_REPOSITORY=}"
+: "${GITHUB_RUN_ID=}"
+
 : "${BUILDX_CMD=docker buildx}"
 : "${DESTDIR=./bin/release}"
 : "${CACHE_FROM=}"
 : "${CACHE_TO=}"
+: "${PLATFORMS=}"
 
 if [ -n "$CACHE_FROM" ]; then
   for cfrom in $CACHE_FROM; do
-    cacheFlags+=(--set "*.cache-from=$cfrom")
+    setFlags+=(--set "*.cache-from=$cfrom")
   done
 fi
 if [ -n "$CACHE_TO" ]; then
   for cto in $CACHE_TO; do
-    cacheFlags+=(--set "*.cache-to=$cto")
+    setFlags+=(--set "*.cache-to=$cto")
   done
 fi
+if [ -n "$PLATFORMS" ]; then
+  setFlags+=(--set "*.platform=$PLATFORMS")
+fi
+if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then
+  prvattrs="mode=max"
+  if [ "$GITHUB_ACTIONS" = "true" ]; then
+    prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+  fi
+  setFlags+=(--set "*.attest=type=sbom")
+  setFlags+=(--set "*.attest=type=provenance,$prvattrs")
+fi
 
-# release
-(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release)
+output=$(mktemp -d -t buildx-output.XXXXXXXXXX)
 
-# wrap binaries
-mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
-find ./${DESTDIR} -type d -empty -delete
+(
+  set -x
+  ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release
+)
 
-source ./hack/hash-files
+for pdir in "${output}"/*/; do
+  (
+    cd "$pdir"
+    binname=$(find . -name 'buildx-*')
+    filename=$(basename "${binname%.exe}")
+    mv "provenance.json" "${filename}.provenance.json"
+    mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
+    find . -name 'sbom*.json' -exec rm {} \;
+  )
+done
+
+mkdir -p "$DESTDIR"
+mv "$output"/**/* "$DESTDIR/"
+rm -rf "$output"

hack/test-driver

@@ -131,6 +131,14 @@ buildxCmd build ${buildPlatformFlag} \
   "${context}"
 cat "${context}/metadata-build.json"
 
+# load to docker store
+if [ "$DRIVER" != "docker" ]; then
+  buildxCmd build \
+    --output="type=docker,name=buildx-test-load" \
+    --builder="${builderName}" \
+    "${context}"
+fi
+
 # create bake def
 cat > "${bakedef}" <<EOL
 group "default" {

util/buildflags/attests.go

@@ -29,6 +29,9 @@ func ParseAttests(in []string) (map[string]*string, error) {
 		}
 
 		k := "attest:" + attestType
+		if _, ok := out[k]; ok {
+			return nil, errors.Errorf("duplicate attestation field %s", attestType)
+		}
 		if enabled {
 			out[k] = &in
 		} else {

util/gitutil/gitpath_unix.go

@@ -0,0 +1,42 @@
+//go:build !windows
+// +build !windows
+
+package gitutil
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/moby/sys/mountinfo"
+)
+
+func gitPath(wd string) (string, error) {
+	// On WSL2 we need to check if the current working directory is mounted on
+	// a Windows drive and if so, we need to use the Windows git executable.
+	if os.Getenv("WSL_DISTRO_NAME") != "" && wd != "" {
+		// ensure any symlinks are resolved
+		wdPath, err := filepath.EvalSymlinks(wd)
+		if err != nil {
+			return "", err
+		}
+		mi, err := mountinfo.GetMounts(mountinfo.ParentsFilter(wdPath))
+		if err != nil {
+			return "", err
+		}
+		// find the longest mount point
+		var idx, maxlen int
+		for i := range mi {
+			if len(mi[i].Mountpoint) > maxlen {
+				maxlen = len(mi[i].Mountpoint)
+				idx = i
+			}
+		}
+		if mi[idx].FSType == "9p" {
+			if p, err := exec.LookPath("git.exe"); err == nil {
+				return p, nil
+			}
+		}
+	}
+	return exec.LookPath("git")
+}

util/gitutil/gitpath_windows.go

@@ -0,0 +1,9 @@
+package gitutil
+
+import (
+	"os/exec"
+)
+
+func gitPath(wd string) (string, error) {
+	return exec.LookPath("git.exe")
+}

util/gitutil/gitutil.go

@@ -11,8 +11,9 @@ import (
 
 // Git represents an active git object
 type Git struct {
-	ctx context.Context
-	wd  string
+	ctx     context.Context
+	wd      string
+	gitpath string
 }
 
 // Option provides a variadic option for configuring the git client.
@@ -33,14 +34,22 @@ func WithWorkingDir(wd string) Option {
 }
 
 // New initializes a new git client
-func New(opts ...Option) *Git {
+func New(opts ...Option) (*Git, error) {
+	var err error
 	c := &Git{
 		ctx: context.Background(),
 	}
+
 	for _, opt := range opts {
 		opt(c)
 	}
-	return c
+
+	c.gitpath, err = gitPath(c.wd)
+	if err != nil {
+		return nil, errors.New("git not found in PATH")
+	}
+
+	return c, nil
 }
 
 func (c *Git) IsInsideWorkTree() bool {
@@ -89,16 +98,12 @@ func (c *Git) Tag() (string, error) {
 }
 
 func (c *Git) run(args ...string) (string, error) {
-	if _, err := exec.LookPath("git"); err != nil {
-		return "", errors.New("git not present in PATH")
-	}
-
 	var extraArgs = []string{
 		"-c", "log.showSignature=false",
 	}
 
 	args = append(extraArgs, args...)
-	cmd := exec.Command("git", args...)
+	cmd := exec.CommandContext(c.ctx, c.gitpath, args...)
 	if c.wd != "" {
 		cmd.Dir = c.wd
 	}

util/gitutil/gitutil_test.go

@@ -7,7 +7,9 @@ import (
 )
 
 func TestGit(t *testing.T) {
-	c := New()
+	c, err := New()
+	require.NoError(t, err)
+
 	out, err := c.run("status")
 	require.NoError(t, err)
 	require.NotEmpty(t, out)
@@ -20,10 +22,12 @@ func TestGit(t *testing.T) {
 
 func TestGitFullCommit(t *testing.T) {
 	Mktmp(t)
-	GitInit(t)
-	GitCommit(t, "bar")
+	c, err := New()
+	require.NoError(t, err)
+
+	GitInit(c, t)
+	GitCommit(c, t, "bar")
 
-	c := New()
 	out, err := c.FullCommit()
 	require.NoError(t, err)
 	require.Equal(t, 40, len(out))
@@ -31,10 +35,12 @@ func TestGitFullCommit(t *testing.T) {
 
 func TestGitShortCommit(t *testing.T) {
 	Mktmp(t)
-	GitInit(t)
-	GitCommit(t, "bar")
+	c, err := New()
+	require.NoError(t, err)
+
+	GitInit(c, t)
+	GitCommit(c, t, "bar")
 
-	c := New()
 	out, err := c.ShortCommit()
 	require.NoError(t, err)
 	require.Equal(t, 7, len(out))
@@ -42,13 +48,15 @@ func TestGitShortCommit(t *testing.T) {
 
 func TestGitTagsPointsAt(t *testing.T) {
 	Mktmp(t)
-	GitInit(t)
-	GitCommit(t, "bar")
-	GitTag(t, "v0.8.0")
-	GitCommit(t, "foo")
-	GitTag(t, "v0.9.0")
+	c, err := New()
+	require.NoError(t, err)
+
+	GitInit(c, t)
+	GitCommit(c, t, "bar")
+	GitTag(c, t, "v0.8.0")
+	GitCommit(c, t, "foo")
+	GitTag(c, t, "v0.9.0")
 
-	c := New()
 	out, err := c.clean(c.run("tag", "--points-at", "HEAD", "--sort", "-version:creatordate"))
 	require.NoError(t, err)
 	require.Equal(t, "v0.9.0", out)
@@ -56,13 +64,15 @@ func TestGitTagsPointsAt(t *testing.T) {
 
 func TestGitDescribeTags(t *testing.T) {
 	Mktmp(t)
-	GitInit(t)
-	GitCommit(t, "bar")
-	GitTag(t, "v0.8.0")
-	GitCommit(t, "foo")
-	GitTag(t, "v0.9.0")
+	c, err := New()
+	require.NoError(t, err)
+
+	GitInit(c, t)
+	GitCommit(c, t, "bar")
+	GitTag(c, t, "v0.8.0")
+	GitCommit(c, t, "foo")
+	GitTag(c, t, "v0.9.0")
 
-	c := New()
 	out, err := c.clean(c.run("describe", "--tags", "--abbrev=0"))
 	require.NoError(t, err)
 	require.Equal(t, "v0.9.0", out)

util/gitutil/testutil.go

@@ -7,46 +7,46 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-func GitInit(tb testing.TB) {
+func GitInit(c *Git, tb testing.TB) {
 	tb.Helper()
-	out, err := fakeGit("init")
+	out, err := fakeGit(c, "init")
 	require.NoError(tb, err)
 	require.Contains(tb, out, "Initialized empty Git repository")
 	require.NoError(tb, err)
-	GitCheckoutBranch(tb, "main")
-	_, _ = fakeGit("branch", "-D", "master")
+	GitCheckoutBranch(c, tb, "main")
+	_, _ = fakeGit(c, "branch", "-D", "master")
 }
 
-func GitCommit(tb testing.TB, msg string) {
+func GitCommit(c *Git, tb testing.TB, msg string) {
 	tb.Helper()
-	out, err := fakeGit("commit", "--allow-empty", "-m", msg)
+	out, err := fakeGit(c, "commit", "--allow-empty", "-m", msg)
 	require.NoError(tb, err)
 	require.Contains(tb, out, "main", msg)
 }
 
-func GitTag(tb testing.TB, tag string) {
+func GitTag(c *Git, tb testing.TB, tag string) {
 	tb.Helper()
-	out, err := fakeGit("tag", tag)
+	out, err := fakeGit(c, "tag", tag)
 	require.NoError(tb, err)
 	require.Empty(tb, out)
 }
 
-func GitCheckoutBranch(tb testing.TB, name string) {
+func GitCheckoutBranch(c *Git, tb testing.TB, name string) {
 	tb.Helper()
-	out, err := fakeGit("checkout", "-b", name)
+	out, err := fakeGit(c, "checkout", "-b", name)
 	require.NoError(tb, err)
 	require.Empty(tb, out)
 }
 
-func GitAdd(tb testing.TB, file string) {
+func GitAdd(c *Git, tb testing.TB, file string) {
 	tb.Helper()
-	_, err := fakeGit("add", file)
+	_, err := fakeGit(c, "add", file)
 	require.NoError(tb, err)
 }
 
-func GitSetRemote(tb testing.TB, url string) {
+func GitSetRemote(c *Git, tb testing.TB, url string) {
 	tb.Helper()
-	_, err := fakeGit("remote", "add", "origin", url)
+	_, err := fakeGit(c, "remote", "add", "origin", url)
 	require.NoError(tb, err)
 }
 
@@ -62,7 +62,7 @@ func Mktmp(tb testing.TB) string {
 	return folder
 }
 
-func fakeGit(args ...string) (string, error) {
+func fakeGit(c *Git, args ...string) (string, error) {
 	allArgs := []string{
 		"-c", "user.name=buildx",
 		"-c", "user.email=buildx@docker.com",
@@ -71,6 +71,5 @@ func fakeGit(args ...string) (string, error) {
 		"-c", "log.showSignature=false",
 	}
 	allArgs = append(allArgs, args...)
-	c := New()
 	return c.clean(c.run(allArgs...))
 }

vendor/github.com/moby/buildkit/frontend/attestations/parse.go

@@ -1,81 +0,0 @@
-package attestations
-
-import (
-	"encoding/csv"
-	"strings"
-
-	"github.com/pkg/errors"
-)
-
-const (
-	KeyTypeSbom       = "sbom"
-	KeyTypeProvenance = "provenance"
-)
-
-const (
-	defaultSBOMGenerator = "docker/buildkit-syft-scanner:stable-1"
-)
-
-func Filter(v map[string]string) map[string]string {
-	attests := make(map[string]string)
-	for k, v := range v {
-		if strings.HasPrefix(k, "attest:") {
-			attests[k] = v
-			continue
-		}
-		if strings.HasPrefix(k, "build-arg:BUILDKIT_ATTEST_") {
-			attests[k] = v
-			continue
-		}
-	}
-	return attests
-}
-
-func Validate(values map[string]map[string]string) (map[string]map[string]string, error) {
-	for k := range values {
-		if k != KeyTypeSbom && k != KeyTypeProvenance {
-			return nil, errors.Errorf("unknown attestation type %q", k)
-		}
-	}
-	return values, nil
-}
-
-func Parse(values map[string]string) (map[string]map[string]string, error) {
-	attests := make(map[string]string)
-	for k, v := range values {
-		if strings.HasPrefix(k, "attest:") {
-			attests[strings.ToLower(strings.TrimPrefix(k, "attest:"))] = v
-			continue
-		}
-		if strings.HasPrefix(k, "build-arg:BUILDKIT_ATTEST_") {
-			attests[strings.ToLower(strings.TrimPrefix(k, "build-arg:BUILDKIT_ATTEST_"))] = v
-			continue
-		}
-	}
-
-	out := make(map[string]map[string]string)
-	for k, v := range attests {
-		attrs := make(map[string]string)
-		out[k] = attrs
-		if k == KeyTypeSbom {
-			attrs["generator"] = defaultSBOMGenerator
-		}
-		if v == "" {
-			continue
-		}
-		csvReader := csv.NewReader(strings.NewReader(v))
-		fields, err := csvReader.Read()
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed to parse %s", k)
-		}
-		for _, field := range fields {
-			parts := strings.SplitN(field, "=", 2)
-			if len(parts) != 2 {
-				parts = append(parts, "")
-			}
-			attrs[parts[0]] = parts[1]
-		}
-	}
-
-	return Validate(out)
-}

vendor/github.com/moby/sys/mountinfo/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

vendor/github.com/moby/sys/mountinfo/doc.go

@@ -0,0 +1,44 @@
+// Package mountinfo provides a set of functions to retrieve information about OS mounts.
+//
+// Currently it supports Linux. For historical reasons, there is also some support for FreeBSD and OpenBSD,
+// and a shallow implementation for Windows, but in general this is Linux-only package, so
+// the rest of the document only applies to Linux, unless explicitly specified otherwise.
+//
+// In Linux, information about mounts seen by the current process is available from
+// /proc/self/mountinfo. Note that due to mount namespaces, different processes can
+// see different mounts. A per-process mountinfo table is available from /proc/<PID>/mountinfo,
+// where <PID> is a numerical process identifier.
+//
+// In general, /proc is not a very efficient interface, and mountinfo is not an exception.
+// For example, there is no way to get information about a specific mount point (i.e. it
+// is all-or-nothing). This package tries to hide the /proc ineffectiveness by using
+// parse filters while reading mountinfo. A filter can skip some entries, or stop
+// processing the rest of the file once the needed information is found.
+//
+// For mountinfo filters that accept path as an argument, the path must be absolute,
+// having all symlinks resolved, and being cleaned (i.e. no extra slashes or dots).
+// One way to achieve all of the above is to employ filepath.Abs followed by
+// filepath.EvalSymlinks (the latter calls filepath.Clean on the result so
+// there is no need to explicitly call filepath.Clean).
+//
+// NOTE that in many cases there is no need to consult mountinfo at all. Here are some
+// of the cases where mountinfo should not be parsed:
+//
+// 1. Before performing a mount. Usually, this is not needed, but if required (say to
+// prevent over-mounts), to check whether a directory is mounted, call os.Lstat
+// on it and its parent directory, and compare their st.Sys().(*syscall.Stat_t).Dev
+// fields -- if they differ, then the directory is the mount point. NOTE this does
+// not work for bind mounts. Optionally, the filesystem type can also be checked
+// by calling unix.Statfs and checking the Type field (i.e. filesystem type).
+//
+// 2. After performing a mount. If there is no error returned, the mount succeeded;
+// checking the mount table for a new mount is redundant and expensive.
+//
+// 3. Before performing an unmount. It is more efficient to do an unmount and ignore
+// a specific error (EINVAL) which tells the directory is not mounted.
+//
+// 4. After performing an unmount. If there is no error returned, the unmount succeeded.
+//
+// 5. To find the mount point root of a specific directory. You can perform os.Stat()
+// on the directory and traverse up until the Dev field of a parent directory differs.
+package mountinfo

vendor/github.com/moby/sys/mountinfo/mounted_linux.go

@@ -0,0 +1,101 @@
+package mountinfo
+
+import (
+	"os"
+	"path/filepath"
+
+	"golang.org/x/sys/unix"
+)
+
+// MountedFast is a method of detecting a mount point without reading
+// mountinfo from procfs. A caller can only trust the result if no error
+// and sure == true are returned. Otherwise, other methods (e.g. parsing
+// /proc/mounts) have to be used. If unsure, use Mounted instead (which
+// uses MountedFast, but falls back to parsing mountinfo if needed).
+//
+// If a non-existent path is specified, an appropriate error is returned.
+// In case the caller is not interested in this particular error, it should
+// be handled separately using e.g. errors.Is(err, fs.ErrNotExist).
+//
+// This function is only available on Linux. When available (since kernel
+// v5.6), openat2(2) syscall is used to reliably detect all mounts. Otherwise,
+// the implementation falls back to using stat(2), which can reliably detect
+// normal (but not bind) mounts.
+func MountedFast(path string) (mounted, sure bool, err error) {
+	// Root is always mounted.
+	if path == string(os.PathSeparator) {
+		return true, true, nil
+	}
+
+	path, err = normalizePath(path)
+	if err != nil {
+		return false, false, err
+	}
+	mounted, sure, err = mountedFast(path)
+	return
+}
+
+// mountedByOpenat2 is a method of detecting a mount that works for all kinds
+// of mounts (incl. bind mounts), but requires a recent (v5.6+) linux kernel.
+func mountedByOpenat2(path string) (bool, error) {
+	dir, last := filepath.Split(path)
+
+	dirfd, err := unix.Openat2(unix.AT_FDCWD, dir, &unix.OpenHow{
+		Flags: unix.O_PATH | unix.O_CLOEXEC,
+	})
+	if err != nil {
+		return false, &os.PathError{Op: "openat2", Path: dir, Err: err}
+	}
+	fd, err := unix.Openat2(dirfd, last, &unix.OpenHow{
+		Flags:   unix.O_PATH | unix.O_CLOEXEC | unix.O_NOFOLLOW,
+		Resolve: unix.RESOLVE_NO_XDEV,
+	})
+	_ = unix.Close(dirfd)
+	switch err { //nolint:errorlint // unix errors are bare
+	case nil: // definitely not a mount
+		_ = unix.Close(fd)
+		return false, nil
+	case unix.EXDEV: // definitely a mount
+		return true, nil
+	}
+	// not sure
+	return false, &os.PathError{Op: "openat2", Path: path, Err: err}
+}
+
+// mountedFast is similar to MountedFast, except it expects a normalized path.
+func mountedFast(path string) (mounted, sure bool, err error) {
+	// Root is always mounted.
+	if path == string(os.PathSeparator) {
+		return true, true, nil
+	}
+
+	// Try a fast path, using openat2() with RESOLVE_NO_XDEV.
+	mounted, err = mountedByOpenat2(path)
+	if err == nil {
+		return mounted, true, nil
+	}
+
+	// Another fast path: compare st.st_dev fields.
+	mounted, err = mountedByStat(path)
+	// This does not work for bind mounts, so false negative
+	// is possible, therefore only trust if return is true.
+	if mounted && err == nil {
+		return true, true, nil
+	}
+
+	return
+}
+
+func mounted(path string) (bool, error) {
+	path, err := normalizePath(path)
+	if err != nil {
+		return false, err
+	}
+	mounted, sure, err := mountedFast(path)
+	if sure && err == nil {
+		return mounted, nil
+	}
+
+	// Fallback to parsing mountinfo.
+	return mountedByMountinfo(path)
+}

vendor/github.com/moby/sys/mountinfo/mounted_unix.go

@@ -0,0 +1,53 @@
+//go:build linux || freebsd || openbsd || darwin
+// +build linux freebsd openbsd darwin
+
+package mountinfo
+
+import (
+	"os"
+	"path/filepath"
+
+	"golang.org/x/sys/unix"
+)
+
+func mountedByStat(path string) (bool, error) {
+	var st unix.Stat_t
+
+	if err := unix.Lstat(path, &st); err != nil {
+		return false, &os.PathError{Op: "stat", Path: path, Err: err}
+	}
+	dev := st.Dev
+	parent := filepath.Dir(path)
+	if err := unix.Lstat(parent, &st); err != nil {
+		return false, &os.PathError{Op: "stat", Path: parent, Err: err}
+	}
+	if dev != st.Dev {
+		// Device differs from that of parent,
+		// so definitely a mount point.
+		return true, nil
+	}
+	// NB: this does not detect bind mounts on Linux.
+	return false, nil
+}
+
+func normalizePath(path string) (realPath string, err error) {
+	if realPath, err = filepath.Abs(path); err != nil {
+		return "", err
+	}
+	if realPath, err = filepath.EvalSymlinks(realPath); err != nil {
+		return "", err
+	}
+	if _, err := os.Stat(realPath); err != nil {
+		return "", err
+	}
+	return realPath, nil
+}
+
+func mountedByMountinfo(path string) (bool, error) {
+	entries, err := GetMounts(SingleEntryFilter(path))
+	if err != nil {
+		return false, err
+	}
+
+	return len(entries) > 0, nil
+}

vendor/github.com/moby/sys/mountinfo/mountinfo.go

@@ -0,0 +1,67 @@
+package mountinfo
+
+import (
+	"os"
+)
+
+// GetMounts retrieves a list of mounts for the current running process,
+// with an optional filter applied (use nil for no filter).
+func GetMounts(f FilterFunc) ([]*Info, error) {
+	return parseMountTable(f)
+}
+
+// Mounted determines if a specified path is a mount point. In case of any
+// error, false (and an error) is returned.
+//
+// If a non-existent path is specified, an appropriate error is returned.
+// In case the caller is not interested in this particular error, it should
+// be handled separately using e.g. errors.Is(err, fs.ErrNotExist).
+func Mounted(path string) (bool, error) {
+	// root is always mounted
+	if path == string(os.PathSeparator) {
+		return true, nil
+	}
+	return mounted(path)
+}
+
+// Info reveals information about a particular mounted filesystem. This
+// struct is populated from the content in the /proc/<pid>/mountinfo file.
+type Info struct {
+	// ID is a unique identifier of the mount (may be reused after umount).
+	ID int
+
+	// Parent is the ID of the parent mount (or of self for the root
+	// of this mount namespace's mount tree).
+	Parent int
+
+	// Major and Minor are the major and the minor components of the Dev
+	// field of unix.Stat_t structure returned by unix.*Stat calls for
+	// files on this filesystem.
+	Major, Minor int
+
+	// Root is the pathname of the directory in the filesystem which forms
+	// the root of this mount.
+	Root string
+
+	// Mountpoint is the pathname of the mount point relative to the
+	// process's root directory.
+	Mountpoint string
+
+	// Options is a comma-separated list of mount options.
+	Options string
+
+	// Optional are zero or more fields of the form "tag[:value]",
+	// separated by a space.  Currently, the possible optional fields are
+	// "shared", "master", "propagate_from", and "unbindable". For more
+	// information, see mount_namespaces(7) Linux man page.
+	Optional string
+
+	// FSType is the filesystem type in the form "type[.subtype]".
+	FSType string
+
+	// Source is filesystem-specific information, or "none".
+	Source string
+
+	// VFSOptions is a comma-separated list of superblock options.
+	VFSOptions string
+}

vendor/github.com/moby/sys/mountinfo/mountinfo_bsd.go

@@ -0,0 +1,56 @@
+//go:build freebsd || openbsd || darwin
+// +build freebsd openbsd darwin
+
+package mountinfo
+
+import "golang.org/x/sys/unix"
+
+// parseMountTable returns information about mounted filesystems
+func parseMountTable(filter FilterFunc) ([]*Info, error) {
+	count, err := unix.Getfsstat(nil, unix.MNT_WAIT)
+	if err != nil {
+		return nil, err
+	}
+
+	entries := make([]unix.Statfs_t, count)
+	_, err = unix.Getfsstat(entries, unix.MNT_WAIT)
+	if err != nil {
+		return nil, err
+	}
+
+	var out []*Info
+	for _, entry := range entries {
+		var skip, stop bool
+		mountinfo := getMountinfo(&entry)
+
+		if filter != nil {
+			// filter out entries we're not interested in
+			skip, stop = filter(mountinfo)
+			if skip {
+				continue
+			}
+		}
+
+		out = append(out, mountinfo)
+		if stop {
+			break
+		}
+	}
+	return out, nil
+}
+
+func mounted(path string) (bool, error) {
+	path, err := normalizePath(path)
+	if err != nil {
+		return false, err
+	}
+	// Fast path: compare st.st_dev fields.
+	// This should always work for FreeBSD and OpenBSD.
+	mounted, err := mountedByStat(path)
+	if err == nil {
+		return mounted, nil
+	}
+
+	// Fallback to parsing mountinfo
+	return mountedByMountinfo(path)
+}

vendor/github.com/moby/sys/mountinfo/mountinfo_filters.go

@@ -0,0 +1,63 @@
+package mountinfo
+
+import "strings"
+
+// FilterFunc is a type defining a callback function for GetMount(),
+// used to filter out mountinfo entries we're not interested in,
+// and/or stop further processing if we found what we wanted.
+//
+// It takes a pointer to the Info struct (fully populated with all available
+// fields on the GOOS platform), and returns two booleans:
+//
+// skip: true if the entry should be skipped;
+//
+// stop: true if parsing should be stopped after the entry.
+type FilterFunc func(*Info) (skip, stop bool)
+
+// PrefixFilter discards all entries whose mount points do not start with, or
+// are equal to the path specified in prefix. The prefix path must be absolute,
+// have all symlinks resolved, and cleaned (i.e. no extra slashes or dots).
+//
+// PrefixFilter treats prefix as a path, not a partial prefix, which means that
+// given "/foo", "/foo/bar" and "/foobar" entries, PrefixFilter("/foo") returns
+// "/foo" and "/foo/bar", and discards "/foobar".
+func PrefixFilter(prefix string) FilterFunc {
+	return func(m *Info) (bool, bool) {
+		skip := !strings.HasPrefix(m.Mountpoint+"/", prefix+"/")
+		return skip, false
+	}
+}
+
+// SingleEntryFilter looks for a specific entry.
+func SingleEntryFilter(mp string) FilterFunc {
+	return func(m *Info) (bool, bool) {
+		if m.Mountpoint == mp {
+			return false, true // don't skip, stop now
+		}
+		return true, false // skip, keep going
+	}
+}
+
+// ParentsFilter returns all entries whose mount points
+// can be parents of a path specified, discarding others.
+//
+// For example, given /var/lib/docker/something, entries
+// like /var/lib/docker, /var and / are returned.
+func ParentsFilter(path string) FilterFunc {
+	return func(m *Info) (bool, bool) {
+		skip := !strings.HasPrefix(path, m.Mountpoint)
+		return skip, false
+	}
+}
+
+// FSTypeFilter returns all entries that match provided fstype(s).
+func FSTypeFilter(fstype ...string) FilterFunc {
+	return func(m *Info) (bool, bool) {
+		for _, t := range fstype {
+			if m.FSType == t {
+				return false, false // don't skip, keep going
+			}
+		}
+		return true, false // skip, keep going
+	}
+}

vendor/github.com/moby/sys/mountinfo/mountinfo_freebsdlike.go

@@ -0,0 +1,14 @@
+//go:build freebsd || darwin
+// +build freebsd darwin
+
+package mountinfo
+
+import "golang.org/x/sys/unix"
+
+func getMountinfo(entry *unix.Statfs_t) *Info {
+	return &Info{
+		Mountpoint: unix.ByteSliceToString(entry.Mntonname[:]),
+		FSType:     unix.ByteSliceToString(entry.Fstypename[:]),
+		Source:     unix.ByteSliceToString(entry.Mntfromname[:]),
+	}
+}

vendor/github.com/moby/sys/mountinfo/mountinfo_linux.go

@@ -0,0 +1,214 @@
+package mountinfo
+
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"strconv"
+	"strings"
+)
+
+// GetMountsFromReader retrieves a list of mounts from the
+// reader provided, with an optional filter applied (use nil
+// for no filter). This can be useful in tests or benchmarks
+// that provide fake mountinfo data, or when a source other
+// than /proc/self/mountinfo needs to be read from.
+//
+// This function is Linux-specific.
+func GetMountsFromReader(r io.Reader, filter FilterFunc) ([]*Info, error) {
+	s := bufio.NewScanner(r)
+	out := []*Info{}
+	for s.Scan() {
+		var err error
+
+		/*
+		   See http://man7.org/linux/man-pages/man5/proc.5.html
+
+		   36 35 98:0 /mnt1 /mnt2 rw,noatime master:1 - ext3 /dev/root rw,errors=continue
+		   (1)(2)(3)   (4)   (5)      (6)      (7)   (8) (9)   (10)         (11)
+
+		   (1) mount ID:  unique identifier of the mount (may be reused after umount)
+		   (2) parent ID:  ID of parent (or of self for the top of the mount tree)
+		   (3) major:minor:  value of st_dev for files on filesystem
+		   (4) root:  root of the mount within the filesystem
+		   (5) mount point:  mount point relative to the process's root
+		   (6) mount options:  per mount options
+		   (7) optional fields:  zero or more fields of the form "tag[:value]"
+		   (8) separator:  marks the end of the optional fields
+		   (9) filesystem type:  name of filesystem of the form "type[.subtype]"
+		   (10) mount source:  filesystem specific information or "none"
+		   (11) super options:  per super block options
+
+		   In other words, we have:
+		    * 6 mandatory fields	(1)..(6)
+		    * 0 or more optional fields	(7)
+		    * a separator field		(8)
+		    * 3 mandatory fields	(9)..(11)
+		*/
+
+		text := s.Text()
+		fields := strings.Split(text, " ")
+		numFields := len(fields)
+		if numFields < 10 {
+			// should be at least 10 fields
+			return nil, fmt.Errorf("parsing '%s' failed: not enough fields (%d)", text, numFields)
+		}
+
+		// separator field
+		sepIdx := numFields - 4
+		// In Linux <= 3.9 mounting a cifs with spaces in a share
+		// name (like "//srv/My Docs") _may_ end up having a space
+		// in the last field of mountinfo (like "unc=//serv/My Docs").
+		// Since kernel 3.10-rc1, cifs option "unc=" is ignored,
+		// so spaces should not appear.
+		//
+		// Check for a separator, and work around the spaces bug
+		for fields[sepIdx] != "-" {
+			sepIdx--
+			if sepIdx == 5 {
+				return nil, fmt.Errorf("parsing '%s' failed: missing - separator", text)
+			}
+		}
+
+		p := &Info{}
+
+		p.Mountpoint, err = unescape(fields[4])
+		if err != nil {
+			return nil, fmt.Errorf("parsing '%s' failed: mount point: %w", fields[4], err)
+		}
+		p.FSType, err = unescape(fields[sepIdx+1])
+		if err != nil {
+			return nil, fmt.Errorf("parsing '%s' failed: fstype: %w", fields[sepIdx+1], err)
+		}
+		p.Source, err = unescape(fields[sepIdx+2])
+		if err != nil {
+			return nil, fmt.Errorf("parsing '%s' failed: source: %w", fields[sepIdx+2], err)
+		}
+		p.VFSOptions = fields[sepIdx+3]
+
+		// ignore any numbers parsing errors, as there should not be any
+		p.ID, _ = strconv.Atoi(fields[0])
+		p.Parent, _ = strconv.Atoi(fields[1])
+		mm := strings.SplitN(fields[2], ":", 3)
+		if len(mm) != 2 {
+			return nil, fmt.Errorf("parsing '%s' failed: unexpected major:minor pair %s", text, mm)
+		}
+		p.Major, _ = strconv.Atoi(mm[0])
+		p.Minor, _ = strconv.Atoi(mm[1])
+
+		p.Root, err = unescape(fields[3])
+		if err != nil {
+			return nil, fmt.Errorf("parsing '%s' failed: root: %w", fields[3], err)
+		}
+
+		p.Options = fields[5]
+
+		// zero or more optional fields
+		p.Optional = strings.Join(fields[6:sepIdx], " ")
+
+		// Run the filter after parsing all fields.
+		var skip, stop bool
+		if filter != nil {
+			skip, stop = filter(p)
+			if skip {
+				continue
+			}
+		}
+
+		out = append(out, p)
+		if stop {
+			break
+		}
+	}
+	if err := s.Err(); err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func parseMountTable(filter FilterFunc) ([]*Info, error) {
+	f, err := os.Open("/proc/self/mountinfo")
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	return GetMountsFromReader(f, filter)
+}
+
+// PidMountInfo retrieves the list of mounts from a given process' mount
+// namespace. Unless there is a need to get mounts from a mount namespace
+// different from that of a calling process, use GetMounts.
+//
+// This function is Linux-specific.
+//
+// Deprecated: this will be removed before v1; use GetMountsFromReader with
+// opened /proc/<pid>/mountinfo as an argument instead.
+func PidMountInfo(pid int) ([]*Info, error) {
+	f, err := os.Open(fmt.Sprintf("/proc/%d/mountinfo", pid))
+	if err != nil {
+		return nil, err
+	}
+	defer f.Close()
+
+	return GetMountsFromReader(f, nil)
+}
+
+// A few specific characters in mountinfo path entries (root and mountpoint)
+// are escaped using a backslash followed by a character's ascii code in octal.
+//
+//   space              -- as \040
+//   tab (aka \t)       -- as \011
+//   newline (aka \n)   -- as \012
+//   backslash (aka \\) -- as \134
+//
+// This function converts path from mountinfo back, i.e. it unescapes the above sequences.
+func unescape(path string) (string, error) {
+	// try to avoid copying
+	if strings.IndexByte(path, '\\') == -1 {
+		return path, nil
+	}
+
+	// The following code is UTF-8 transparent as it only looks for some
+	// specific characters (backslash and 0..7) with values < utf8.RuneSelf,
+	// and everything else is passed through as is.
+	buf := make([]byte, len(path))
+	bufLen := 0
+	for i := 0; i < len(path); i++ {
+		if path[i] != '\\' {
+			buf[bufLen] = path[i]
+			bufLen++
+			continue
+		}
+		s := path[i:]
+		if len(s) < 4 {
+			// too short
+			return "", fmt.Errorf("bad escape sequence %q: too short", s)
+		}
+		c := s[1]
+		switch c {
+		case '0', '1', '2', '3', '4', '5', '6', '7':
+			v := c - '0'
+			for j := 2; j < 4; j++ { // one digit already; two more
+				if s[j] < '0' || s[j] > '7' {
+					return "", fmt.Errorf("bad escape sequence %q: not a digit", s[:3])
+				}
+				x := s[j] - '0'
+				v = (v << 3) | x
+			}
+			if v > 255 {
+				return "", fmt.Errorf("bad escape sequence %q: out of range" + s[:3])
+			}
+			buf[bufLen] = v
+			bufLen++
+			i += 3
+			continue
+		default:
+			return "", fmt.Errorf("bad escape sequence %q: not a digit" + s[:3])
+
+		}
+	}
+
+	return string(buf[:bufLen]), nil
+}

vendor/github.com/moby/sys/mountinfo/mountinfo_openbsd.go

@@ -0,0 +1,11 @@
+package mountinfo
+
+import "golang.org/x/sys/unix"
+
+func getMountinfo(entry *unix.Statfs_t) *Info {
+	return &Info{
+		Mountpoint: unix.ByteSliceToString(entry.F_mntonname[:]),
+		FSType:     unix.ByteSliceToString(entry.F_fstypename[:]),
+		Source:     unix.ByteSliceToString(entry.F_mntfromname[:]),
+	}
+}

vendor/github.com/moby/sys/mountinfo/mountinfo_unsupported.go

@@ -0,0 +1,19 @@
+//go:build !windows && !linux && !freebsd && !openbsd && !darwin
+// +build !windows,!linux,!freebsd,!openbsd,!darwin
+
+package mountinfo
+
+import (
+	"fmt"
+	"runtime"
+)
+
+var errNotImplemented = fmt.Errorf("not implemented on %s/%s", runtime.GOOS, runtime.GOARCH)
+
+func parseMountTable(_ FilterFunc) ([]*Info, error) {
+	return nil, errNotImplemented
+}
+
+func mounted(path string) (bool, error) {
+	return false, errNotImplemented
+}

vendor/github.com/moby/sys/mountinfo/mountinfo_windows.go

@@ -0,0 +1,10 @@
+package mountinfo
+
+func parseMountTable(_ FilterFunc) ([]*Info, error) {
+	// Do NOT return an error!
+	return nil, nil
+}
+
+func mounted(_ string) (bool, error) {
+	return false, nil
+}

vendor/modules.txt

@@ -448,7 +448,6 @@ github.com/moby/buildkit/client/ociindex
 github.com/moby/buildkit/cmd/buildkitd/config
 github.com/moby/buildkit/exporter/containerimage/exptypes
 github.com/moby/buildkit/exporter/containerimage/image
-github.com/moby/buildkit/frontend/attestations
 github.com/moby/buildkit/frontend/gateway/client
 github.com/moby/buildkit/frontend/gateway/grpcclient
 github.com/moby/buildkit/frontend/gateway/pb
@@ -511,6 +510,9 @@ github.com/moby/patternmatcher
 ## explicit; go 1.13
 github.com/moby/spdystream
 github.com/moby/spdystream/spdy
+# github.com/moby/sys/mountinfo v0.6.2
+## explicit; go 1.16
+github.com/moby/sys/mountinfo
 # github.com/moby/sys/sequential v0.5.0
 ## explicit; go 1.17
 github.com/moby/sys/sequential