Merge pull request #1815 from jedevc/v0.10-vendor-buildkit

Signed-off-by: Justin Chadwell <me@jedevc.com>

bake/bake.go

@@ -590,7 +590,7 @@ type Target struct {
 	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
 	NetworkMode      *string            `json:"-" hcl:"-" cty:"-"`
 	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
-	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/manuals/bake/file-definition.md.
+	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/bake-reference.md.
 
 	// linked is a private field to mark a target used as a linked one
 	linked bool

build/build.go

@@ -465,9 +465,20 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 			so.FrontendAttrs[k] = v
 		}
 	}
+
 	if _, ok := opt.Attests["attest:provenance"]; !ok && supportsAttestations {
+		const noAttestEnv = "BUILDX_NO_DEFAULT_ATTESTATIONS"
+		var noProv bool
+		if v, ok := os.LookupEnv(noAttestEnv); ok {
+			noProv, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, nil, errors.Wrap(err, "invalid "+noAttestEnv)
+			}
+		}
+		if !noProv {
 			so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true"
 		}
+	}
 
 	switch len(opt.Exports) {
 	case 1:

build/git.go

@@ -67,7 +67,13 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	if sha, err := gitc.FullCommit(); err != nil && !gitutil.IsUnknownRevision(err) {
 		return res, errors.Wrapf(err, "buildx: failed to get git commit")
 	} else if sha != "" {
-		if gitc.IsDirty() {
+		checkDirty := false
+		if v, ok := os.LookupEnv("BUILDX_GIT_CHECK_DIRTY"); ok {
+			if v, err := strconv.ParseBool(v); err == nil {
+				checkDirty = v
+			}
+		}
+		if checkDirty && gitc.IsDirty() {
 			sha += "-dirty"
 		}
 		if setGitLabels {

build/git_test.go

@@ -131,6 +131,7 @@ func TestGetGitAttributes(t *testing.T) {
 
 func TestGetGitAttributesDirty(t *testing.T) {
 	setupTest(t)
+	t.Setenv("BUILDX_GIT_CHECK_DIRTY", "true")
 
 	// make a change to test dirty flag
 	df := []byte("FROM alpine:edge\n")

commands/bake.go

@@ -131,7 +131,7 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 
 	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
 		// don't forget to update documentation if you add a new
-		// built-in variable: docs/manuals/bake/file-definition.md#built-in-variables
+		// built-in variable: docs/bake-reference.md#built-in-variables
 		"BAKE_CMD_CONTEXT":    cmdContext,
 		"BAKE_LOCAL_PLATFORM": platforms.DefaultString(),
 	})

docs/bake-reference.md

@@ -0,0 +1,818 @@
+# Bake file reference
+
+The Bake file is a file for defining workflows that you run using `docker buildx bake`.
+
+## File format
+
+You can define your Bake file in the following file formats:
+
+- HashiCorp Configuration Language (HCL)
+- JSON
+- YAML (Compose file)
+
+By default, Bake uses the following lookup order to find the configuration file:
+
+1. `docker-bake.override.hcl`
+2. `docker-bake.hcl`
+3. `docker-bake.override.json`
+4. `docker-bake.json`
+5. `docker-compose.yaml`
+6. `docker-compose.yml`
+
+Bake searches for the file in the current working directory.
+You can specify the file location explicitly using the `--file` flag:
+
+```console
+$ docker buildx bake --file=../docker/bake.hcl --print
+```
+
+## Syntax
+
+The Bake file supports the following property types:
+
+- `target`: build targets
+- `group`: collections of build targets
+- `variable`: build arguments and variables
+- `function`: custom Bake functions
+
+You define properties as hierarchical blocks in the Bake file.
+You can assign one or more attributes to a property.
+
+The following snippet shows a JSON representation of a simple Bake file.
+This Bake file defines three properties: a variable, a group, and a target.
+
+```json
+{
+  "variable": {
+    "TAG": {
+      "default": "latest"
+    }
+  },
+  "group": {
+    "default": {
+      "targets": ["webapp"]
+    }
+  },
+  "target": {
+    "webapp": {
+      "dockerfile": "Dockerfile",
+      "tags": ["docker.io/username/webapp:${TAG}"]
+    }
+  }
+}
+```
+
+In the JSON representation of a Bake file, properties are objects,
+and attributes are values assigned to those objects.
+
+The following example shows the same Bake file in the HCL format:
+
+```hcl
+variable "TAG" {
+  "default" = "latest"
+}
+
+group "default" {
+  "targets" = ["latest"]
+}
+
+target "webapp" {
+  "dockerfile" = "Dockerfile"
+  "tags" = ["docker.io/username/webapp:${TAG}"]
+}
+```
+
+HCL is the preferred format for Bake files.
+Aside from syntactic differences,
+HCL lets you use features that the JSON and YAML formats don't support.
+
+The examples in this document use the HCL format.
+
+## Target
+
+A target reflects a single `docker build` invocation.
+Consider the following build command:
+
+```console
+$ docker build \
+  --file=Dockerfile.webapp \
+  --tag=docker.io/username/webapp:latest \
+  https://github.com/username/webapp
+```
+
+You can express this command in a Bake file as follows:
+
+```hcl
+target "webapp" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  context = "https://github.com/username/webapp"
+}
+```
+
+The following table shows the complete list of attributes that you can assign to a target:
+
+| Name                                            | Type    | Description                                                          |
+| ----------------------------------------------- | ------- | -------------------------------------------------------------------- |
+| [`args`](#targetargs)                           | Map     | Build arguments                                                      |
+| [`attest`](#targetattest)                       | List    | Build attestations                                                   |
+| [`cache-from`](#targetcache-from)               | List    | External cache sources                                               |
+| [`cache-to`](#targetcache-to)                   | List    | External cache destinations                                          |
+| [`context`](#targetcontext)                     | String  | Set of files located in the specified path or URL                    |
+| [`contexts`](#targetcontexts)                   | Map     | Additional build contexts                                            |
+| [`dockerfile-inline`](#targetdockerfile-inline) | String  | Inline Dockerfile string                                             |
+| [`dockerfile`](#targetdockerfile)               | String  | Dockerfile location                                                  |
+| [`inherits`](#targetinherits)                   | List    | Inherit attributes from other targets                                |
+| [`labels`](#targetlabels)                       | Map     | Metadata for images                                                  |
+| [`no-cache-filter`](#targetno-cache-filter)     | List    | Disable build cache for specific stages                              |
+| [`no-cache`](#targetno-cache)                   | Boolean | Disable build cache completely                                       |
+| [`output`](#targetoutput)                       | List    | Output destinations                                                  |
+| [`platforms`](#targetplatforms)                 | List    | Target platforms                                                     |
+| [`pull`](#targetpull)                           | Boolean | Always pull images                                                   |
+| [`secret`](#targetsecret)                       | List    | Secrets to expose to the build                                       |
+| [`ssh`](#targetssh)                             | List    | SSH agent sockets or keys to expose to the build                     |
+| [`tags`](#targettags)                           | List    | Image names and tags                                                 |
+| [`target`](#targettarget)                       | String  | Target build stage                                                   |
+
+### `target.args`
+
+Use the `args` attribute to define build arguments for the target.
+This has the same effect as passing a [`--build-arg`][build-arg] flag to the build command.
+
+```hcl
+target "default" {
+  args = {
+    VERSION = "0.0.0+unknown"
+  }
+}
+```
+
+You can set `args` attributes to use `null` values.
+Doing so forces the `target` to use the `ARG` value specified in the Dockerfile.
+
+```hcl
+variable "GO_VERSION" {
+  default = "1.20.3"
+}
+
+target "webapp" {
+  dockerfile = "webapp.Dockerfile"
+  tags = ["docker.io/username/webapp"]
+}
+
+target "db" {
+  args = {
+    GO_VERSION = null
+  }
+  dockerfile = "db.Dockerfile"
+  tags = ["docker.io/username/db"]
+}
+```
+
+### `target.attest`
+
+The `attest` attribute lets you apply [build attestations][attestations] to the target.
+This attribute accepts the long-form CSV version of attestation parameters.
+
+```hcl
+target "default" {
+  attest = [
+    "type=provenance,mode=min",
+    "type=sbom"
+  ]
+}
+```
+
+### `target.cache-from`
+
+Build cache sources.
+The builder imports cache from the locations you specify.
+It uses the [Buildx cache storage backends][cache-backends],
+and it works the same way as the [`--cache-from`][cache-from] flag.
+This takes a list value, so you can specify multiple cache sources.
+
+```hcl
+target "app" {
+  cache-from = [
+    "type=s3,region=eu-west-1,bucket=mybucket",
+    "user/repo:cache",
+  ]
+}
+```
+
+### `target.cache-to`
+
+Build cache export destinations.
+The builder exports its build cache to the locations you specify.
+It uses the [Buildx cache storage backends][cache-backends],
+and it works the same way as the [`--cache-to` flag][cache-to].
+This takes a list value, so you can specify multiple cache export targets.
+
+```hcl
+target "app" {
+  cache-to = [
+    "type=s3,region=eu-west-1,bucket=mybucket",
+    "type=inline"
+  ]
+}
+```
+
+### `target.context`
+
+Specifies the location of the build context to use for this target.
+Accepts a URL or a directory path.
+This is the same as the [build context][context] positional argument
+that you pass to the build command.
+
+```hcl
+target "app" {
+  context = "./src/www"
+}
+```
+
+This resolves to the current working directory (`"."`) by default.
+
+```console
+$ docker buildx bake --print -f - <<< 'target "default" {}'
+[+] Building 0.0s (0/0)
+{
+  "target": {
+    "default": {
+      "context": ".",
+      "dockerfile": "Dockerfile"
+    }
+  }
+}
+```
+
+### `target.contexts`
+
+Additional build contexts.
+This is the same as the [`--build-context` flag][build-context].
+This attribute takes a map, where keys result in named contexts that you can
+reference in your builds.
+
+You can specify different types of contexts, such local directories, Git URLs,
+and even other Bake targets. Bake automatically determines the type of
+a context based on the pattern of the context value.
+
+| Context type    | Example                                   |
+| --------------- | ----------------------------------------- |
+| Container image | `docker-image://alpine@sha256:0123456789` |
+| Git URL         | `https://github.com/user/proj.git`        |
+| HTTP URL        | `https://example.com/files`               |
+| Local directory | `../path/to/src`                          |
+| Bake target     | `target:base`                             |
+
+#### Pin an image version
+
+```hcl
+# docker-bake.hcl
+target "app" {
+    contexts = {
+        alpine = "docker-image://alpine:3.13"
+    }
+}
+```
+
+```Dockerfile
+# Dockerfile
+FROM alpine
+RUN echo "Hello world"
+```
+
+#### Use a local directory
+
+```hcl
+# docker-bake.hcl
+target "app" {
+    contexts = {
+        src = "../path/to/source"
+    }
+}
+```
+
+```Dockerfile
+# Dockerfile
+FROM scratch AS src
+FROM golang
+COPY --from=src . .
+```
+
+#### Use another target as base
+
+> **Note**
+>
+> You should prefer to use regular multi-stage builds over this option. You can
+> Use this feature when you have multiple Dockerfiles that can't be easily
+> merged into one.
+
+```hcl
+# docker-bake.hcl
+target "base" {
+    dockerfile = "baseapp.Dockerfile"
+}
+target "app" {
+    contexts = {
+        baseapp = "target:base"
+    }
+}
+```
+
+```Dockerfile
+# Dockerfile
+FROM baseapp
+RUN echo "Hello world"
+```
+
+### `target.dockerfile-inline`
+
+Uses the string value as an inline Dockerfile for the build target.
+
+```hcl
+target "default" {
+  dockerfile-inline = "FROM alpine\nENTRYPOINT [\"echo\", \"hello\"]"
+}
+```
+
+The `dockerfile-inline` takes precedence over the `dockerfile` attribute.
+If you specify both, Bake uses the inline version.
+
+### `target.dockerfile`
+
+Name of the Dockerfile to use for the build.
+This is the same as the [`--file` flag][file] for the `docker build` command.
+
+```hcl
+target "default" {
+  dockerfile = "./src/www/Dockerfile"
+}
+```
+
+Resolves to `"Dockerfile"` by default.
+
+```console
+$ docker buildx bake --print -f - <<< 'target "default" {}'
+[+] Building 0.0s (0/0)
+{
+  "target": {
+    "default": {
+      "context": ".",
+      "dockerfile": "Dockerfile"
+    }
+  }
+}
+```
+
+### `target.inherits`
+
+A target can inherit attributes from other targets.
+Use `inherits` to reference from one target to another.
+
+In the following example,
+the `app-dev` target specifies an image name and tag.
+The `app-release` target uses `inherits` to reuse the tag name.
+
+```hcl
+variable "TAG" {
+  default = "latest"
+}
+
+target "app-dev" {
+  tags = ["docker.io/username/myapp:${TAG}"]
+}
+
+target "app-release" {
+  inherits = ["app-dev"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+```
+
+The `inherits` attribute is a list,
+meaning you can reuse attributes from multiple other targets.
+In the following example, the `app-release` target reuses attributes
+from both the `app-dev` and `_release` targets.
+
+```hcl
+target "app-dev" {
+  args = {
+    GO_VERSION = "1.20"
+    BUILDX_EXPERIMENTAL = 1
+  }
+  tags = ["docker.io/username/myapp"]
+  dockerfile = "app.Dockerfile"
+  labels = {
+    "org.opencontainers.image.source" = "https://github.com/username/myapp"
+  }
+}
+
+target "_release" {
+  args = {
+    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
+    BUILDX_EXPERIMENTAL = 0
+  }
+}
+
+target "app-release" {
+  inherits = ["app-dev", "_release"]
+  platforms = ["linux/amd64", "linux/arm64"]
+}
+```
+
+When inheriting attributes from multiple targets and there's a conflict,
+the target that appears last in the `inherits` list takes precedence.
+The previous example defines the `BUILDX_EXPERIMENTAL` argument twice for the `app-release` target.
+It resolves to `0` because the `_release` target appears last in the inheritance chain:
+
+```console
+$ docker buildx bake --print app-release
+[+] Building 0.0s (0/0)
+{
+  "group": {
+    "default": {
+      "targets": [
+        "app-release"
+      ]
+    }
+  },
+  "target": {
+    "app-release": {
+      "context": ".",
+      "dockerfile": "app.Dockerfile",
+      "args": {
+        "BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1",
+        "BUILDX_EXPERIMENTAL": "0",
+        "GO_VERSION": "1.20"
+      },
+      "labels": {
+        "org.opencontainers.image.source": "https://github.com/username/myapp"
+      },
+      "tags": [
+        "docker.io/username/myapp"
+      ],
+      "platforms": [
+        "linux/amd64",
+        "linux/arm64"
+      ]
+    }
+  }
+}
+```
+
+### `target.labels`
+
+Assigns image labels to the build.
+This is the same as the `--label` flag for `docker build`.
+
+```hcl
+target "default" {
+  labels = {
+    "org.opencontainers.image.source" = "https://github.com/username/myapp"
+    "com.docker.image.source.entrypoint" = "Dockerfile"
+  }
+}
+```
+
+It's possible to use a `null` value for labels.
+If you do, the builder uses the label value specified in the Dockerfile.
+
+### `target.no-cache-filter`
+
+Don't use build cache for the specified stages.
+This is the same as the `--no-cache-filter` flag for `docker build`.
+The following example avoids build cache for the `foo` build stage.
+
+```hcl
+target "default" {
+  no-cache-filter = ["foo"]
+}
+```
+
+### `target.no-cache`
+
+Don't use cache when building the image.
+This is the same as the `--no-cache` flag for `docker build`.
+
+```hcl
+target "default" {
+  no-cache = 1
+}
+```
+
+### `target.output`
+
+Configuration for exporting the build output.
+This is the same as the [`--output` flag][output].
+The following example configures the target to use a cache-only output,
+
+```hcl
+target "default" {
+  output = ["type=cacheonly"]
+}
+```
+
+### `target.platforms`
+
+Set target platforms for the build target.
+This is the same as the [`--platform` flag][platform].
+The following example creates a multi-platform build for three architectures.
+
+```hcl
+target "default" {
+  platforms = ["linux/amd64", "linux/arm64", "linux/arm/v7"]
+}
+```
+
+### `target.pull`
+
+Configures whether the builder should attempt to pull images when building the target.
+This is the same as the `--pull` flag for `docker build`.
+The following example forces the builder to always pull all images referenced in the build target.
+
+```hcl
+target "default" {
+  pull = "always"
+}
+```
+
+### `target.secret`
+
+Defines secrets to expose to the build target.
+This is the same as the [`--secret` flag][secret].
+
+```hcl
+variable "HOME" {
+  default = null
+}
+
+target "default" {
+  secret = [
+    "type=env,id=KUBECONFIG",
+    "type=file,id=aws,src=${HOME}/.aws/credentials"
+  ]
+}
+```
+
+This lets you [mount the secret][run_mount_secret] in your Dockerfile.
+
+```dockerfile
+RUN --mount=type=secret,id=aws,target=/root/.aws/credentials \
+    aws cloudfront create-invalidation ...
+RUN --mount=type=secret,id=KUBECONFIG \
+    KUBECONFIG=$(cat /run/secrets/KUBECONFIG) helm upgrade --install
+```
+
+### `target.ssh`
+
+Defines SSH agent sockets or keys to expose to the build.
+This is the same as the [`--ssh` flag][ssh].
+This can be useful if you need to access private repositories during a build.
+
+```hcl
+target "default" {
+  ssh = ["default"]
+}
+```
+
+```dockerfile
+FROM alpine
+RUN --mount=type=ssh \
+    apk add git openssh-client \
+    && install -m 0700 -d ~/.ssh \
+    && ssh-keyscan github.com >> ~/.ssh/known_hosts \
+    && git clone git@github.com:user/my-private-repo.git
+```
+
+### `target.tags`
+
+Image names and tags to use for the build target.
+This is the same as the [`--tag` flag][tag].
+
+```hcl
+target "default" {
+  tags = [
+    "org/repo:latest",
+    "myregistry.azurecr.io/team/image:v1"
+  ]
+}
+```
+
+### `target.target`
+
+Set the target build stage to build.
+This is the same as the [`--target` flag][target].
+
+```hcl
+target "default" {
+  target = "binaries"
+}
+```
+
+## Group
+
+Groups allow you to invoke multiple builds (targets) at once.
+
+```hcl
+group "default" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+```
+
+Groups take precedence over targets, if both exist with the same name.
+The following bake file builds the `default` group.
+Bake ignores the `default` target.
+
+```hcl
+target "default" {
+  dockerfile-inline = "FROM ubuntu"
+}
+
+group "default" {
+  targets = ["alpine", "debian"]
+}
+target "alpine" {
+  dockerfile-inline = "FROM alpine"
+}
+target "debian" {
+  dockerfile-inline = "FROM debian"
+}
+```
+
+## Variable
+
+The HCL file format supports variable block definitions.
+You can use variables as build arguments in your Dockerfile,
+or interpolate them in attribute values in your Bake file.
+
+```hcl
+variable "TAG" {
+  default = "latest"
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:${TAG}"]
+}
+```
+
+You can assign a default value for a variable in the Bake file,
+or assign a `null` value to it. If you assign a `null` value,
+Buildx uses the default value from the Dockerfile instead.
+
+You can override variable defaults set in the Bake file using environment variables.
+The following example sets the `TAG` variable to `dev`,
+overriding the default `latest` value shown in the previous example.
+
+```console
+$ TAG=dev docker buildx bake webapp-dev
+```
+
+### Built-in variables
+
+The following variables are built-ins that you can use with Bake without having
+to define them.
+
+| Variable              | Description                                                                         |
+| --------------------- | ----------------------------------------------------------------------------------- |
+| `BAKE_CMD_CONTEXT`    | Holds the main context when building using a remote Bake file.                      |
+| `BAKE_LOCAL_PLATFORM` | Returns the current platform’s default platform specification (e.g. `linux/amd64`). |
+
+### Use environment variable as default
+
+You can set a Bake variable to use the value of an environment variable as a default value:
+
+```hcl
+variable "HOME" {
+  default = "$HOME"
+}
+```
+
+### Interpolate variables into attributes
+
+To interpolate a variable into an attribute string value,
+you must use curly brackets.
+The following doesn't work:
+
+```hcl
+variable "HOME" {
+  default = "$HOME"
+}
+
+target "default" {
+  ssh = ["default=$HOME/.ssh/id_rsa"]
+}
+```
+
+Wrap the variable in curly brackets where you want to insert it:
+
+```diff
+  variable "HOME" {
+    default = "$HOME"
+  }
+
+  target "default" {
+-   ssh = ["default=$HOME/.ssh/id_rsa"]
++   ssh = ["default=${HOME}/.ssh/id_rsa"]
+  }
+```
+
+Before you can interpolate a variable into an attribute,
+first you must declare it in the bake file,
+as demonstrated in the following example.
+
+```console
+$ cat docker-bake.hcl
+target "default" {
+  dockerfile-inline = "FROM ${BASE_IMAGE}"
+}
+$ docker buildx bake
+[+] Building 0.0s (0/0)
+docker-bake.hcl:2
+--------------------
+   1 |     target "default" {
+   2 | >>>   dockerfile-inline = "FROM ${BASE_IMAGE}"
+   3 |     }
+   4 |
+--------------------
+ERROR: docker-bake.hcl:2,31-41: Unknown variable; There is no variable named "BASE_IMAGE"., and 1 other diagnostic(s)
+$ cat >> docker-bake.hcl
+
+variable "BASE_IMAGE" {
+  default = "alpine"
+}
+
+$ docker buildx bake
+[+] Building 0.6s (5/5) FINISHED
+```
+
+## Function
+
+A [set of general-purpose functions][bake_stdlib]
+provided by [go-cty][go-cty]
+are available for use in HCL files:
+
+```hcl
+# docker-bake.hcl
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${add(123, 1)}"
+  }
+}
+```
+
+In addition, [user defined functions][userfunc]
+are also supported:
+
+```hcl
+# docker-bake.hcl
+function "increment" {
+  params = [number]
+  result = number + 1
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp:latest"]
+  args = {
+    buildno = "${increment(123)}"
+  }
+}
+```
+
+> **Note**
+>
+> See [User defined HCL functions][hcl-funcs] page for more details.
+
+<!-- external links -->
+
+[attestations]: https://docs.docker.com/build/attestations/
+[bake_stdlib]: https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go
+[build-arg]: https://docs.docker.com/engine/reference/commandline/build/#build-arg
+[build-context]: https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
+[cache-backends]: https://docs.docker.com/build/cache/backends/
+[cache-from]: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-from
+[cache-to]: https://docs.docker.com/engine/reference/commandline/buildx_build/#cache-to
+[context]: https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
+[file]: https://docs.docker.com/engine/reference/commandline/build/#file
+[go-cty]: https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib
+[hcl-funcs]: https://docs.docker.com/build/bake/hcl-funcs/
+[output]: https://docs.docker.com/engine/reference/commandline/buildx_build/#output
+[platform]: https://docs.docker.com/engine/reference/commandline/buildx_build/#platform
+[run_mount_secret]: https://docs.docker.com/engine/reference/builder/#run---mounttypesecret
+[secret]: https://docs.docker.com/engine/reference/commandline/buildx_build/#secret
+[ssh]: https://docs.docker.com/engine/reference/commandline/buildx_build/#ssh
+[tag]: https://docs.docker.com/engine/reference/commandline/build/#tag
+[target]: https://docs.docker.com/engine/reference/commandline/build/#target
+[userfunc]: https://github.com/hashicorp/hcl/tree/main/ext/userfunc

docs/manuals/bake/file-definition.md

@@ -1,3 +1,3 @@
 # Bake file definition
 
-Moved to [docs.docker.com](https://docs.docker.com/build/bake/file-definition)
+This page has moved to [docs/bake-reference.md](../../bake-reference.md)

docs/reference/buildx_bake.md

@@ -87,8 +87,8 @@ target "db" {
 $ docker buildx bake -f docker-bake.dev.hcl db webapp-release
 ```
 
-See our [file definition](https://docs.docker.com/build/bake/file-definition/)
-guide for more details.
+See the [Bake file reference](https://docs.docker.com/build/bake/reference/)
+for more details.
 
 ### <a name="no-cache"></a> Do not use cache when building the image (--no-cache)
 

docs/reference/buildx_build.md

@@ -414,8 +414,13 @@ The `registry` exporter is a shortcut for `type=image,push=true`.
 
 Set the target platform for the build. All `FROM` commands inside the Dockerfile
 without their own `--platform` flag will pull base images for this platform and
-this value will also be the platform of the resulting image. The default value
-will be the current platform of the buildkit daemon.
+this value will also be the platform of the resulting image.
+
+The default value is the platform of the BuildKit daemon where the build runs.
+The value takes the form of `os/arch` or `os/arch/variant`. For example,
+`linux/amd64` or `linux/arm/v7`. Additionally, the `--platform` flag also supports
+a special `local` value, which tells BuildKit to use the platform of the BuildKit
+client that invokes the build.
 
 When using `docker-container` driver with `buildx`, this flag can accept multiple
 values as an input separated by a comma. With multiple values the result will be

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.15.5
 	github.com/compose-spec/compose-go v1.6.0
 	github.com/containerd/console v1.0.3
-	github.com/containerd/containerd v1.6.16-0.20230124210447-1709cfe273d9
+	github.com/containerd/containerd v1.6.20
 	github.com/docker/cli v23.0.0-rc.1+incompatible
 	github.com/docker/cli-docs-tool v0.5.1
 	github.com/docker/distribution v2.8.1+incompatible
@@ -16,11 +16,11 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 	github.com/hashicorp/hcl/v2 v2.8.2
-	github.com/moby/buildkit v0.11.2
+	github.com/moby/buildkit v0.11.7-0.20230519102302-348e79dfed17
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
+	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
 	github.com/serialx/hashring v0.0.0-20190422032157-8b2912629002
@@ -74,7 +74,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/cloudflare/cfssl v0.0.0-20181213083726-b94e044bb51e // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/containerd/ttrpc v1.1.0 // indirect
+	github.com/containerd/ttrpc v1.1.1 // indirect
 	github.com/containerd/typeurl v1.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/distribution/v3 v3.0.0-20220725133111-4bf3547399eb // indirect
@@ -123,7 +123,7 @@ require (
 	github.com/moby/term v0.0.0-20221120202655-abb19827d345 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/opencontainers/runc v1.1.3 // indirect
+	github.com/opencontainers/runc v1.1.5 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect

go.sum

@@ -57,7 +57,7 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/hcsshim v0.9.6 h1:VwnDOgLeoi2du6dAznfmspNqTiwczvjv4K7NxuY9jsY=
+github.com/Microsoft/hcsshim v0.9.8 h1:lf7xxK2+Ikbj9sVf2QZsouGjRjEp2STj1yDHgoVtU5k=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
@@ -140,16 +140,16 @@ github.com/compose-spec/compose-go v1.6.0/go.mod h1:os+Ulh2jlZxY1XT1hbciERadjSUU
 github.com/containerd/cgroups v1.0.4 h1:jN/mbWBEaz+T1pi5OFtnkQ+8qnmEbAr1Oo1FRm5B0dA=
 github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/containerd v1.6.16-0.20230124210447-1709cfe273d9 h1:zdFesNKUzj0PDylWScwyU6zv3KAKwYeSE1ZLUmi01wk=
-github.com/containerd/containerd v1.6.16-0.20230124210447-1709cfe273d9/go.mod h1:1RdCUu95+gc2v9t3IL+zIlpClSmew7/0YS8O5eQZrOw=
+github.com/containerd/containerd v1.6.20 h1:+itjwpdqXpzHB/QAiWc/BZCjjVfcNgw69w/oIeF4Oy0=
+github.com/containerd/containerd v1.6.20/go.mod h1:apei1/i5Ux2FzrK6+DM/suEsGuK/MeVOfy8tR2q7Wnw=
 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
 github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
 github.com/containerd/fifo v1.0.0 h1:6PirWBr9/L7GDamKr+XM0IeUFXu5mf3M/BPpH9gaLBU=
 github.com/containerd/nydus-snapshotter v0.3.1 h1:b8WahTrPkt3XsabjG2o/leN4fw3HWZYr+qxo/Z8Mfzk=
 github.com/containerd/stargz-snapshotter v0.13.0 h1:3zr1/IkW1aEo6cMYTQeZ4L2jSuCN+F4kgGfjnuowe4U=
 github.com/containerd/stargz-snapshotter/estargz v0.13.0 h1:fD7AwuVV+B40p0d9qVkH/Au1qhp8hn/HWJHIYjpEcfw=
-github.com/containerd/ttrpc v1.1.0 h1:GbtyLRxb0gOLR0TYQWt3O6B0NvT8tMdorEHqIQo/lWI=
-github.com/containerd/ttrpc v1.1.0/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
+github.com/containerd/ttrpc v1.1.1 h1:NoRHS/z8UiHhpY1w0xcOqoJDGf2DHyzXrF0H4l5AE8c=
+github.com/containerd/ttrpc v1.1.1/go.mod h1:XX4ZTnoOId4HklF4edwc4DcqskFZuvXB1Evzy5KFQpQ=
 github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY=
 github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
@@ -401,8 +401,8 @@ github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZX
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.11.2 h1:hNNsYuRssvFnp/qJ8FifStEUzROl5riPAEwk7cRzMjg=
-github.com/moby/buildkit v0.11.2/go.mod h1:b5hR8j3BZaOj5+gf6yielP9YLT9mU92zy3zZtdoUTrw=
+github.com/moby/buildkit v0.11.7-0.20230519102302-348e79dfed17 h1:asvsqGToDMMsf5LOXiZxjKeHokXLF2FdYHzQVKympL8=
+github.com/moby/buildkit v0.11.7-0.20230519102302-348e79dfed17/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
@@ -443,10 +443,10 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 h1:9iFHD5Kt9hkOfeawBNiEeEaV7bmC4/Z5wJp8E9BptMs=
-github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1/go.mod h1:K/JAU0m27RFhDRX4PcFdIKntROP6y5Ed6O91aZYDQfs=
-github.com/opencontainers/runc v1.1.3 h1:vIXrkId+0/J2Ymu2m7VjGvbSlAId9XNRPhn2p4b+d8w=
-github.com/opencontainers/runc v1.1.3/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/runc v1.1.5 h1:L44KXEpKmfWDcS02aeGm8QNTFXTo2D+8MYGDIJ/GDEs=
+github.com/opencontainers/runc v1.1.5/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 h1:3snG66yBm59tKhhSPQrQ/0bCrv1LQbKt40LnUPiUxdc=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
@@ -499,7 +499,6 @@ github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFR
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.8.1 h1:geMPLpDpQOgVyCg5z5GoRwLHepNdb71NXb67XFkP+Eg=
 github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4nPKWu0nJ5d+o=
-github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
@@ -517,6 +516,7 @@ github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/spdx/tools-golang v0.3.1-0.20230104082527-d6f58551be3f h1:9B623Cfs+mclYK6dsae7gLSwuIBHvlgmEup87qpqsAQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=

util/gitutil/gitutil.go

@@ -3,6 +3,7 @@ package gitutil
 import (
 	"bytes"
 	"context"
+	"net/url"
 	"os"
 	"os/exec"
 	"strings"
@@ -70,11 +71,11 @@ func (c *Git) RootDir() (string, error) {
 func (c *Git) RemoteURL() (string, error) {
 	// Try to get the remote URL from the origin remote first
 	if ru, err := c.clean(c.run("remote", "get-url", "origin")); err == nil && ru != "" {
-		return ru, nil
+		return stripCredentials(ru), nil
 	}
 	// If that fails, try to get the remote URL from the upstream remote
 	if ru, err := c.clean(c.run("remote", "get-url", "upstream")); err == nil && ru != "" {
-		return ru, nil
+		return stripCredentials(ru), nil
 	}
 	return "", errors.New("no remote URL found for either origin or upstream")
 }
@@ -147,3 +148,16 @@ func IsUnknownRevision(err error) bool {
 	errMsg := strings.ToLower(err.Error())
 	return strings.Contains(errMsg, "unknown revision or path not in the working tree") || strings.Contains(errMsg, "bad revision")
 }
+
+// stripCredentials takes a URL and strips username and password from it.
+// e.g. "https://user:password@host.tld/path.git" will be changed to
+// "https://host.tld/path.git".
+// TODO: remove this function once fix from BuildKit is vendored here
+func stripCredentials(s string) string {
+	ru, err := url.Parse(s)
+	if err != nil {
+		return s // string is not a URL, just return it
+	}
+	ru.User = nil
+	return ru.String()
+}

util/gitutil/gitutil_test.go

@@ -189,3 +189,45 @@ func TestGitRemoteURL(t *testing.T) {
 		})
 	}
 }
+
+func TestStripCredentials(t *testing.T) {
+	cases := []struct {
+		name string
+		url  string
+		want string
+	}{
+		{
+			name: "non-blank Password",
+			url:  "https://user:password@host.tld/this:that",
+			want: "https://host.tld/this:that",
+		},
+		{
+			name: "blank Password",
+			url:  "https://user@host.tld/this:that",
+			want: "https://host.tld/this:that",
+		},
+		{
+			name: "blank Username",
+			url:  "https://:password@host.tld/this:that",
+			want: "https://host.tld/this:that",
+		},
+		{
+			name: "blank Username, blank Password",
+			url:  "https://host.tld/this:that",
+			want: "https://host.tld/this:that",
+		},
+		{
+			name: "invalid URL",
+			url:  "1https://foo.com",
+			want: "1https://foo.com",
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			if g, w := stripCredentials(tt.url), tt.want; g != w {
+				t.Fatalf("got: %q\nwant: %q", g, w)
+			}
+		})
+	}
+}

vendor/github.com/containerd/containerd/content/local/store.go

@@ -34,7 +34,7 @@ import (
 	"github.com/containerd/containerd/log"
 	"github.com/sirupsen/logrus"
 
-	digest "github.com/opencontainers/go-digest"
+	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
@@ -505,6 +505,7 @@ func (s *store) resumeStatus(ref string, total int64, digester digest.Digester)
 		return status, fmt.Errorf("provided total differs from status: %v != %v", total, status.Total)
 	}
 
+	//nolint:dupword
 	// TODO(stevvooe): slow slow slow!!, send to goroutine or use resumable hashes
 	fp, err := os.Open(data)
 	if err != nil {

vendor/github.com/containerd/containerd/platforms/defaults_windows.go

@@ -46,10 +46,14 @@ type matchComparer struct {
 
 // Match matches platform with the same windows major, minor
 // and build version.
-func (m matchComparer) Match(p imagespec.Platform) bool {
-	if m.defaults.Match(p) {
-		// TODO(windows): Figure out whether OSVersion is deprecated.
-		return strings.HasPrefix(p.OSVersion, m.osVersionPrefix)
+func (m matchComparer) Match(p specs.Platform) bool {
+	match := m.defaults.Match(p)
+
+	if match && p.OS == "windows" {
+		if strings.HasPrefix(p.OSVersion, m.osVersionPrefix) {
+			return true
+		}
+		return p.OSVersion == ""
 	}
 	return false
 }

vendor/github.com/containerd/containerd/version/version.go

@@ -23,7 +23,7 @@ var (
 	Package = "github.com/containerd/containerd"
 
 	// Version holds the complete version number. Filled in at linking time.
-	Version = "1.6.15+unknown"
+	Version = "1.6.20+unknown"
 
 	// Revision is filled with the VCS (e.g. git) revision being used to build
 	// the program at linking time.

vendor/github.com/containerd/ttrpc/server.go

@@ -24,6 +24,7 @@ import (
 	"net"
 	"sync"
 	"sync/atomic"
+	"syscall"
 	"time"
 
 	"github.com/sirupsen/logrus"
@@ -467,14 +468,12 @@ func (c *serverConn) run(sctx context.Context) {
 			// branch. Basically, it means that we are no longer receiving
 			// requests due to a terminal error.
 			recvErr = nil // connection is now "closing"
-			if err == io.EOF || err == io.ErrUnexpectedEOF {
+			if err == io.EOF || err == io.ErrUnexpectedEOF || errors.Is(err, syscall.ECONNRESET) {
 				// The client went away and we should stop processing
 				// requests, so that the client connection is closed
 				return
 			}
-			if err != nil {
 			logrus.WithError(err).Error("error receiving message")
-			}
 		case <-shutdown:
 			return
 		}

vendor/github.com/moby/buildkit/client/llb/definition.go

@@ -29,6 +29,10 @@ type DefinitionOp struct {
 
 // NewDefinitionOp returns a new operation from a marshalled definition.
 func NewDefinitionOp(def *pb.Definition) (*DefinitionOp, error) {
+	if def == nil {
+		return nil, errors.New("invalid nil input definition to definition op")
+	}
+
 	ops := make(map[digest.Digest]*pb.Op)
 	defs := make(map[digest.Digest][]byte)
 	platforms := make(map[digest.Digest]*ocispecs.Platform)
@@ -205,6 +209,7 @@ func (d *DefinitionOp) Inputs() []Output {
 				dgst:       input.Digest,
 				index:      input.Index,
 				inputCache: d.inputCache,
+				sources:    d.sources,
 			}
 			existingIndexes := d.inputCache[input.Digest]
 			indexDiff := int(input.Index) - len(existingIndexes)

vendor/github.com/moby/buildkit/exporter/containerimage/exptypes/types.go

@@ -11,7 +11,7 @@ const (
 	ExporterImageConfigDigestKey = "containerimage.config.digest"
 	ExporterImageDescriptorKey   = "containerimage.descriptor"
 	ExporterInlineCache          = "containerimage.inlinecache"
-	ExporterBuildInfo            = "containerimage.buildinfo"
+	ExporterBuildInfo            = "containerimage.buildinfo" // Deprecated: Build information is deprecated: https://github.com/moby/buildkit/blob/master/docs/deprecated.md
 	ExporterPlatformsKey         = "refs.platforms"
 	ExporterEpochKey             = "source.date.epoch"
 )

vendor/github.com/moby/buildkit/frontend/gateway/grpcclient/client.go

@@ -927,11 +927,11 @@ func (ctr *container) Start(ctx context.Context, req client.StartRequest) (clien
 
 			if msg == nil {
 				// empty message from ctx cancel, so just start shutting down
-				// input, but continue processing more exit/done messages
+				// input
 				closeDoneOnce.Do(func() {
 					close(done)
 				})
-				continue
+				return ctx.Err()
 			}
 
 			if file := msg.GetFile(); file != nil {

vendor/github.com/moby/buildkit/session/session.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"strings"
+	"sync"
 
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/moby/buildkit/identity"
@@ -36,6 +37,7 @@ type Attachable interface {
 
 // Session is a long running connection between client and a daemon
 type Session struct {
+	mu          sync.Mutex // synchronizes conn run and close
 	id          string
 	name        string
 	sharedKey   string
@@ -44,6 +46,7 @@ type Session struct {
 	done        chan struct{}
 	grpcServer  *grpc.Server
 	conn        net.Conn
+	closeCalled bool
 }
 
 // NewSession returns a new long running session
@@ -99,6 +102,11 @@ func (s *Session) ID() string {
 
 // Run activates the session
 func (s *Session) Run(ctx context.Context, dialer Dialer) error {
+	s.mu.Lock()
+	if s.closeCalled {
+		s.mu.Unlock()
+		return nil
+	}
 	ctx, cancel := context.WithCancel(ctx)
 	s.cancelCtx = cancel
 	s.done = make(chan struct{})
@@ -118,15 +126,18 @@ func (s *Session) Run(ctx context.Context, dialer Dialer) error {
 	}
 	conn, err := dialer(ctx, "h2c", meta)
 	if err != nil {
+		s.mu.Unlock()
 		return errors.Wrap(err, "failed to dial gRPC")
 	}
 	s.conn = conn
+	s.mu.Unlock()
 	serve(ctx, s.grpcServer, conn)
 	return nil
 }
 
 // Close closes the session
 func (s *Session) Close() error {
+	s.mu.Lock()
 	if s.cancelCtx != nil && s.done != nil {
 		if s.conn != nil {
 			s.conn.Close()
@@ -134,6 +145,8 @@ func (s *Session) Close() error {
 		s.grpcServer.Stop()
 		<-s.done
 	}
+	s.closeCalled = true
+	s.mu.Unlock()
 	return nil
 }
 

vendor/github.com/moby/buildkit/util/buildinfo/types/types.go

@@ -1,3 +1,6 @@
+// Package binfotypes implements types for build information.
+//
+// Deprecated: Build information is deprecated: https://github.com/moby/buildkit/blob/master/docs/deprecated.md
 package binfotypes
 
 import (

vendor/github.com/moby/buildkit/util/gitutil/git_ref.go

@@ -73,22 +73,12 @@ func ParseGitRef(ref string) (*GitRef, error) {
 		}
 	}
 
-	refSplitBySharp := strings.SplitN(ref, "#", 2)
-	res.Remote = refSplitBySharp[0]
+	var fragment string
+	res.Remote, fragment, _ = strings.Cut(ref, "#")
 	if len(res.Remote) == 0 {
 		return res, errdefs.ErrInvalidArgument
 	}
-
-	if len(refSplitBySharp) > 1 {
-		refSplitBySharpSplitByColon := strings.SplitN(refSplitBySharp[1], ":", 2)
-		res.Commit = refSplitBySharpSplitByColon[0]
-		if len(res.Commit) == 0 {
-			return res, errdefs.ErrInvalidArgument
-		}
-		if len(refSplitBySharpSplitByColon) > 1 {
-			res.SubDir = refSplitBySharpSplitByColon[1]
-		}
-	}
+	res.Commit, res.SubDir, _ = strings.Cut(fragment, ":")
 	repoSplitBySlash := strings.Split(res.Remote, "/")
 	res.ShortName = strings.TrimSuffix(repoSplitBySlash[len(repoSplitBySlash)-1], ".git")
 	return res, nil

vendor/github.com/moby/buildkit/util/imageutil/buildinfo.go

@@ -9,6 +9,8 @@ import (
 )
 
 // BuildInfo returns build info from image config.
+//
+// Deprecated: Build information is deprecated: https://github.com/moby/buildkit/blob/master/docs/deprecated.md
 func BuildInfo(dt []byte) (*binfotypes.BuildInfo, error) {
 	if len(dt) == 0 {
 		return nil, nil

vendor/github.com/moby/buildkit/util/progress/progressui/init.go

@@ -14,7 +14,7 @@ var colorError aec.ANSI
 
 func init() {
 	// As recommended on https://no-color.org/
-	if _, ok := os.LookupEnv("NO_COLOR"); ok {
+	if v := os.Getenv("NO_COLOR"); v != "" {
 		// nil values will result in no ANSI color codes being emitted.
 		return
 	} else if runtime.GOOS == "windows" {

vendor/github.com/opencontainers/image-spec/specs-go/v1/annotations.go

@@ -59,4 +59,13 @@ const (
 
 	// AnnotationBaseImageName is the annotation key for the image reference of the image's base image.
 	AnnotationBaseImageName = "org.opencontainers.image.base.name"
+
+	// AnnotationArtifactCreated is the annotation key for the date and time on which the artifact was built, conforming to RFC 3339.
+	AnnotationArtifactCreated = "org.opencontainers.artifact.created"
+
+	// AnnotationArtifactDescription is the annotation key for the human readable description for the artifact.
+	AnnotationArtifactDescription = "org.opencontainers.artifact.description"
+
+	// AnnotationReferrersFiltersApplied is the annotation key for the comma separated list of filters applied by the registry in the referrers listing.
+	AnnotationReferrersFiltersApplied = "org.opencontainers.referrers.filtersApplied"
 )

vendor/github.com/opencontainers/image-spec/specs-go/v1/artifact.go

@@ -0,0 +1,34 @@
+// Copyright 2022 The Linux Foundation
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package v1
+
+// Artifact describes an artifact manifest.
+// This structure provides `application/vnd.oci.artifact.manifest.v1+json` mediatype when marshalled to JSON.
+type Artifact struct {
+	// MediaType is the media type of the object this schema refers to.
+	MediaType string `json:"mediaType"`
+
+	// ArtifactType is the IANA media type of the artifact this schema refers to.
+	ArtifactType string `json:"artifactType"`
+
+	// Blobs is a collection of blobs referenced by this manifest.
+	Blobs []Descriptor `json:"blobs,omitempty"`
+
+	// Subject (reference) is an optional link from the artifact to another manifest forming an association between the artifact and the other manifest.
+	Subject *Descriptor `json:"subject,omitempty"`
+
+	// Annotations contains arbitrary metadata for the artifact manifest.
+	Annotations map[string]string `json:"annotations,omitempty"`
+}

vendor/github.com/opencontainers/image-spec/specs-go/v1/config.go

@@ -48,6 +48,15 @@ type ImageConfig struct {
 
 	// StopSignal contains the system call signal that will be sent to the container to exit.
 	StopSignal string `json:"StopSignal,omitempty"`
+
+	// ArgsEscaped `[Deprecated]` - This field is present only for legacy
+	// compatibility with Docker and should not be used by new image builders.
+	// It is used by Docker for Windows images to indicate that the `Entrypoint`
+	// or `Cmd` or both, contains only a single element array, that is a
+	// pre-escaped, and combined into a single string `CommandLine`. If `true`
+	// the value in `Entrypoint` or `Cmd` should be used as-is to avoid double
+	// escaping.
+	ArgsEscaped bool `json:"ArgsEscaped,omitempty"`
 }
 
 // RootFS describes a layer content addresses

vendor/github.com/opencontainers/image-spec/specs-go/v1/descriptor.go

@@ -1,4 +1,4 @@
-// Copyright 2016 The Linux Foundation
+// Copyright 2016-2022 The Linux Foundation
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -44,6 +44,9 @@ type Descriptor struct {
 	//
 	// This should only be used when referring to a manifest.
 	Platform *Platform `json:"platform,omitempty"`
+
+	// ArtifactType is the IANA media type of this artifact.
+	ArtifactType string `json:"artifactType,omitempty"`
 }
 
 // Platform describes the platform which the image in the manifest runs on.

vendor/github.com/opencontainers/image-spec/specs-go/v1/manifest.go

@@ -1,4 +1,4 @@
-// Copyright 2016 The Linux Foundation
+// Copyright 2016-2022 The Linux Foundation
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -30,6 +30,9 @@ type Manifest struct {
 	// Layers is an indexed list of layers referenced by the manifest.
 	Layers []Descriptor `json:"layers"`
 
+	// Subject is an optional link from the image manifest to another manifest forming an association between the image manifest and the other manifest.
+	Subject *Descriptor `json:"subject,omitempty"`
+
 	// Annotations contains arbitrary metadata for the image manifest.
 	Annotations map[string]string `json:"annotations,omitempty"`
 }

vendor/github.com/opencontainers/image-spec/specs-go/v1/mediatype.go

@@ -54,4 +54,7 @@ const (
 
 	// MediaTypeImageConfig specifies the media type for the image configuration.
 	MediaTypeImageConfig = "application/vnd.oci.image.config.v1+json"
+
+	// MediaTypeArtifactManifest specifies the media type for a content descriptor.
+	MediaTypeArtifactManifest = "application/vnd.oci.artifact.manifest.v1+json"
 )

vendor/github.com/opencontainers/image-spec/specs-go/version.go

@@ -20,9 +20,9 @@ const (
 	// VersionMajor is for an API incompatible changes
 	VersionMajor = 1
 	// VersionMinor is for functionality in a backwards-compatible manner
-	VersionMinor = 0
+	VersionMinor = 1
 	// VersionPatch is for backwards-compatible bug fixes
-	VersionPatch = 2
+	VersionPatch = 0
 
 	// VersionDev indicates development branch. Releases will be empty string.
 	VersionDev = "-dev"

vendor/modules.txt

@@ -150,7 +150,7 @@ github.com/compose-spec/compose-go/types
 # github.com/containerd/console v1.0.3
 ## explicit; go 1.13
 github.com/containerd/console
-# github.com/containerd/containerd v1.6.16-0.20230124210447-1709cfe273d9
+# github.com/containerd/containerd v1.6.20
 ## explicit; go 1.17
 github.com/containerd/containerd/api/services/content/v1
 github.com/containerd/containerd/archive/compression
@@ -181,7 +181,7 @@ github.com/containerd/containerd/version
 ## explicit; go 1.17
 github.com/containerd/continuity/fs
 github.com/containerd/continuity/sysx
-# github.com/containerd/ttrpc v1.1.0
+# github.com/containerd/ttrpc v1.1.1
 ## explicit; go 1.13
 github.com/containerd/ttrpc
 # github.com/containerd/typeurl v1.0.2
@@ -433,7 +433,7 @@ github.com/mitchellh/go-wordwrap
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.11.2
+# github.com/moby/buildkit v0.11.7-0.20230519102302-348e79dfed17
 ## explicit; go 1.18
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types
@@ -536,11 +536,11 @@ github.com/morikuni/aec
 # github.com/opencontainers/go-digest v1.0.0
 ## explicit; go 1.13
 github.com/opencontainers/go-digest
-# github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
-## explicit; go 1.16
+# github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
+## explicit; go 1.17
 github.com/opencontainers/image-spec/specs-go
 github.com/opencontainers/image-spec/specs-go/v1
-# github.com/opencontainers/runc v1.1.3
+# github.com/opencontainers/runc v1.1.5
 ## explicit; go 1.16
 github.com/opencontainers/runc/libcontainer/user
 # github.com/pelletier/go-toml v1.9.5