Merge pull request #2671 from tonistiigi/bake-net-docs

bake: add network mode support to HCL and docs for network and entitlements
Merge pull request #2673 from crazy-max/update-buildkit
2025-08-15 00:05:57 +08:00 · 2024-09-05 10:17:00 +02:00 · 2024-09-04 21:04:15 +02:00 · 2024-09-04 18:44:07 +02:00 · 2024-09-04 09:02:06 -07:00 · 2024-09-04 09:01:59 -07:00
1139 changed files with 83136 additions and 22796 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -11,5 +11,5 @@ updates:
      # trigger a new version: https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
      - dependency-name: "docker/docs"
    labels:
-      - "dependencies"
+      - "area/dependencies"
      - "bot"
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -0,0 +1,104 @@
+
+# Add 'area/project' label to changes in basic project documentation and .github folder, excluding .github/workflows
+area/project:
+- all:
+  - changed-files:
+    - any-glob-to-any-file: 
+      - .github/**
+      - LICENSE
+      - AUTHORS
+      - MAINTAINERS
+      - PROJECT.md
+      - README.md
+      - .gitignore
+      - codecov.yml
+    - all-globs-to-all-files: '!.github/workflows/*'
+
+# Add 'area/github-actions' label to changes in the .github/workflows folder
+area/ci:
+  - changed-files:
+    - any-glob-to-any-file: '.github/workflows/**'
+
+# Add 'area/bake' label to changes in the bake
+area/bake:
+  - changed-files:
+    - any-glob-to-any-file: 'bake/**'
+
+# Add 'area/bake/compose' label to changes in the bake+compose
+area/bake/compose:
+  - changed-files:
+    - any-glob-to-any-file:
+      - bake/compose.go
+      - bake/compose_test.go
+
+# Add 'area/build' label to changes in build files
+area/build:
+  - changed-files:
+    - any-glob-to-any-file: 'build/**'
+
+# Add 'area/builder' label to changes in builder files
+area/builder:
+  - changed-files:
+    - any-glob-to-any-file: 'builder/**'
+
+# Add 'area/cli' label to changes in the CLI
+area/cli:
+  - changed-files:
+    - any-glob-to-any-file: 
+      - cmd/**
+      - commands/**
+
+# Add 'area/controller' label to changes in the controller
+area/controller:
+  - changed-files:
+    - any-glob-to-any-file: 'controller/**'
+
+# Add 'area/docs' label to markdown files in the docs folder
+area/docs:
+  - changed-files:
+    - any-glob-to-any-file: 'docs/**/*.md'
+
+# Add 'area/dependencies' label to changes in go dependency files
+area/dependencies:
+  - changed-files:
+    - any-glob-to-any-file:
+      - go.mod
+      - go.sum
+      - vendor/**
+
+# Add 'area/driver' label to changes in the driver folder
+area/driver:
+  - changed-files:
+    - any-glob-to-any-file: 'driver/**'
+
+# Add 'area/driver/docker' label to changes in the docker driver
+area/driver/docker:
+  - changed-files:
+    - any-glob-to-any-file: 'driver/docker/**'
+
+# Add 'area/driver/docker-container' label to changes in the docker-container driver
+area/driver/docker-container:
+  - changed-files:
+    - any-glob-to-any-file: 'driver/docker-container/**'
+
+# Add 'area/driver/kubernetes' label to changes in the kubernetes driver
+area/driver/kubernetes:
+  - changed-files:
+    - any-glob-to-any-file: 'driver/kubernetes/**'
+
+# Add 'area/driver/remote' label to changes in the remote driver
+area/driver/remote:
+  - changed-files:
+    - any-glob-to-any-file: 'driver/remote/**'
+
+# Add 'area/hack' label to changes in the hack folder
+area/hack:
+  - changed-files:
+    - any-glob-to-any-file: 'hack/**'
+
+# Add 'area/tests' label to changes in test files
+area/tests:
+  - changed-files:
+    - any-glob-to-any-file: 
+      - tests/**
+      - '**/*_test.go'
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -21,63 +21,75 @@ on:
 env:
  BUILDX_VERSION: "latest"
  BUILDKIT_IMAGE: "moby/buildkit:latest"
+  SCOUT_VERSION: "1.11.0"
  REPO_SLUG: "docker/buildx-bin"
  DESTDIR: "./bin"
  TEST_CACHE_SCOPE: "test"
  TESTFLAGS: "-v --parallel=6 --timeout=30m"
  GOTESTSUM_FORMAT: "standard-verbose"
-  GO_VERSION: "1.21"
+  GO_VERSION: "1.22"
  GOTESTSUM_VERSION: "v1.9.0"  # same as one in Dockerfile

 jobs:
-  prepare-test-integration:
-    runs-on: ubuntu-22.04
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.BUILDX_VERSION }}
-          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
-          buildkitd-flags: --debug
-      -
-        name: Build
-        uses: docker/bake-action@v4
-        with:
-          targets: integration-test-base
-          set: |
-            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
-            *.cache-to=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
-
  test-integration:
-    runs-on: ubuntu-22.04
-    needs:
-      - prepare-test-integration
+    runs-on: ubuntu-24.04
    env:
      TESTFLAGS_DOCKER: "-v --parallel=1 --timeout=30m"
      TEST_IMAGE_BUILD: "0"
      TEST_IMAGE_ID: "buildx-tests"
+      TEST_COVERAGE: "1"
    strategy:
      fail-fast: false
      matrix:
+        buildkit:
+          - master
+          - latest
+          - buildx-stable-1
+          - v0.14.1
+          - v0.13.2
+          - v0.12.5
        worker:
-          - docker
-          - docker\+containerd  # same as docker, but with containerd snapshotter
          - docker-container
          - remote
        pkg:
          - ./tests
+        mode:
+          - ""
+          - experimental
+        include:
+          - worker: docker
+            pkg: ./tests
+          - worker: docker+containerd  # same as docker, but with containerd snapshotter
+            pkg: ./tests
+          - worker: docker
+            pkg: ./tests
+            mode: experimental
+          - worker: docker+containerd  # same as docker, but with containerd snapshotter
+            pkg: ./tests
+            mode: experimental
    steps:
      -
        name: Prepare
        run: |
-          echo "TESTREPORTS_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          echo "TESTREPORTS_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.buildkit }}-${{ matrix.worker }}-${{ matrix.mode }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          if [ -n "${{ matrix.buildkit }}" ]; then
+            echo "TEST_BUILDKIT_TAG=${{ matrix.buildkit }}" >> $GITHUB_ENV
+          fi
+          testFlags="--run=//worker=$(echo "${{ matrix.worker }}" | sed 's/\+/\\+/g')$"
+          case "${{ matrix.worker }}" in
+            docker | docker+containerd)
+              echo "TESTFLAGS=${{ env.TESTFLAGS_DOCKER }} $testFlags" >> $GITHUB_ENV
+              ;;
+            *)
+              echo "TESTFLAGS=${{ env.TESTFLAGS }} $testFlags" >> $GITHUB_ENV
+              ;;
+          esac
+          if [[ "${{ matrix.worker }}" == "docker"* ]]; then
+            echo "TEST_DOCKERD=1" >> $GITHUB_ENV
+          fi
+          if [ "${{ matrix.mode }}" = "experimental" ]; then
+            echo "TEST_BUILDX_EXPERIMENTAL=1" >> $GITHUB_ENV
+          fi
      -
        name: Checkout
        uses: actions/checkout@v4
@@ -95,11 +107,10 @@ jobs:
          buildkitd-flags: --debug
      -
        name: Build test image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          targets: integration-test
          set: |
-            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
            *.output=type=docker,name=${{ env.TEST_IMAGE_ID }}
      -
        name: Test
@@ -107,8 +118,6 @@ jobs:
          ./hack/test
        env:
          TEST_REPORT_SUFFIX: "-${{ env.TESTREPORTS_NAME }}"
-          TEST_DOCKERD: "${{ startsWith(matrix.worker, 'docker') && '1' || '0' }}"
-          TESTFLAGS: "${{ (matrix.worker == 'docker' || matrix.worker == 'docker\\+containerd') && env.TESTFLAGS_DOCKER || env.TESTFLAGS }} --run=//worker=${{ matrix.worker }}$"
          TESTPKGS: "${{ matrix.pkg }}"
      -
        name: Send to Codecov
@@ -118,6 +127,7 @@ jobs:
          directory: ./bin/testreports
          flags: integration
          token: ${{ secrets.CODECOV_TOKEN }}
+          disable_file_fixes: true
      -
        name: Generate annotations
        if: always()
@@ -138,7 +148,7 @@ jobs:
      fail-fast: false
      matrix:
        os:
-          - ubuntu-22.04
+          - ubuntu-24.04
          - macos-12
          - windows-2022
    env:
@@ -190,6 +200,7 @@ jobs:
          env_vars: RUNNER_OS
          flags: unit
          token: ${{ secrets.CODECOV_TOKEN }}
+          disable_file_fixes: true
      -
        name: Generate annotations
        if: always()
@@ -204,8 +215,38 @@ jobs:
          name: test-reports-${{ env.TESTREPORTS_NAME }}
          path: ${{ env.TESTREPORTS_BASEDIR }}

+  govulncheck:
+    runs-on: ubuntu-24.04
+    permissions:
+      # required to write sarif report
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Run
+        uses: docker/bake-action@v5
+        with:
+          targets: govulncheck
+        env:
+          GOVULNCHECK_FORMAT: sarif
+      -
+        name: Upload SARIF report
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
  prepare-binaries:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    outputs:
      matrix: ${{ steps.platforms.outputs.matrix }}
    steps:
@@ -223,7 +264,7 @@ jobs:
          echo ${{ steps.platforms.outputs.matrix }}

  binaries:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - prepare-binaries
    strategy:
@@ -266,7 +307,7 @@ jobs:
          if-no-files-found: error

  bin-image:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - test-integration
      - test-unit
@@ -306,7 +347,7 @@ jobs:
          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
      -
        name: Build and push image
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          files: |
            ./docker-bake.hcl
@@ -318,8 +359,40 @@ jobs:
            *.cache-from=type=gha,scope=bin-image
            *.cache-to=type=gha,scope=bin-image,mode=max

+  scout:
+    runs-on: ubuntu-24.04
+    if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
+    permissions:
+      # required to write sarif report
+      security-events: write
+    needs:
+      - bin-image
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+      -
+        name: Scout
+        id: scout
+        uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
+        with:
+          version: ${{ env.SCOUT_VERSION }}
+          format: sarif
+          image: registry://${{ env.REPO_SLUG }}:master
+      -
+        name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scout.outputs.result-file }}
+
  release:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - test-integration
      - test-unit
@@ -349,33 +422,9 @@ jobs:
      -
        name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191  # v2.0.8
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          draft: true
          files: ${{ env.DESTDIR }}/*
-
-  buildkit-edge:
-    runs-on: ubuntu-22.04
-    continue-on-error: true
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          version: ${{ env.BUILDX_VERSION }}
-          driver-opts: image=moby/buildkit:master
-          buildkitd-flags: --debug
-      -
-        # Just run a bake target to check eveything runs fine
-        name: Build
-        uses: docker/bake-action@v4
-        with:
-          targets: binaries
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -13,11 +13,11 @@ permissions:
  security-events: write

 env:
-  GO_VERSION: "1.21"
+  GO_VERSION: "1.22"

 jobs:
  codeql:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    steps:
      -
        name: Checkout
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -1,14 +1,19 @@
 name: docs-release

 on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Git tag'
+        required: true
  release:
    types:
      - released

 jobs:
  open-pr:
-    runs-on: ubuntu-22.04
-    if: ${{ github.event.release.prerelease != true && github.repository == 'docker/buildx' }}
+    runs-on: ubuntu-24.04
+    if: ${{ (github.event.release.prerelease != true || github.event.inputs.tag != '') && github.repository == 'docker/buildx' }}
    steps:
      -
        name: Checkout docs repo
@@ -21,16 +26,21 @@ jobs:
        name: Prepare
        run: |
          rm -rf ./data/buildx/*
-          rm -rf ./_vendor/github.com/docker/buildx
+          if [ -n "${{ github.event.inputs.tag }}" ]; then
+            echo "RELEASE_NAME=${{ github.event.inputs.tag }}" >> $GITHUB_ENV
+          else
+            echo "RELEASE_NAME=${{ github.event.release.name }}" >> $GITHUB_ENV
+          fi
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      -
        name: Generate yaml
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
-          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.release.name }}
+          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ env.RELEASE_NAME }}
          targets: update-docs
+          provenance: false
          set: |
            *.output=/tmp/buildx-docs
        env:
@@ -41,23 +51,21 @@ jobs:
          cp /tmp/buildx-docs/out/reference/*.yaml ./data/buildx/
      -
        name: Update vendor
-        uses: docker/bake-action@v4
-        with:
-          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.release.name }}
-          targets: vendor
-          set: |
-            vendor.args.MODULE=github.com/docker/buildx@${{ github.event.release.name }}
+        run: |
+          make vendor
+        env:
+          VENDOR_MODULE: github.com/docker/buildx@${{ env.RELEASE_NAME }}
      -
        name: Create PR on docs repo
-        uses: peter-evans/create-pull-request@a4f52f8033a6168103c2538976c07b467e8163bc
+        uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79  # v7.0.0
        with:
          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
          push-to-fork: docker-tools-robot/docker.github.io
-          commit-message: "vendor: github.com/docker/buildx ${{ github.event.release.name }}"
+          commit-message: "vendor: github.com/docker/buildx ${{ env.RELEASE_NAME }}"
          signoff: true
-          branch: dispatch/buildx-ref-${{ github.event.release.name }}
+          branch: dispatch/buildx-ref-${{ env.RELEASE_NAME }}
          delete-branch: true
-          title: Update buildx reference to ${{ github.event.release.name }}
+          title: Update buildx reference to ${{ env.RELEASE_NAME }}
          body: |
-            Update the buildx reference documentation to keep in sync with the latest release `${{ github.event.release.name }}`
+            Update the buildx reference documentation to keep in sync with the latest release `${{ env.RELEASE_NAME }}`
          draft: false
--- a/.github/workflows/docs-upstream.yml
+++ b/.github/workflows/docs-upstream.yml
@@ -22,7 +22,7 @@ on:

 jobs:
  docs-yaml:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      -
        name: Checkout
@@ -34,9 +34,10 @@ jobs:
          version: latest
      -
        name: Build reference YAML docs
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          targets: update-docs
+          provenance: false
          set: |
            *.output=/tmp/buildx-docs
            *.cache-from=type=gha,scope=docs-yaml
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -22,7 +22,7 @@ env:

 jobs:
  build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -33,7 +33,7 @@ jobs:
          version: latest
      -
        name: Build
-        uses: docker/bake-action@v4
+        uses: docker/bake-action@v5
        with:
          targets: binaries
          set: |
@@ -82,6 +82,10 @@ jobs:
            driver-opt: qemu.install=true
          - driver: remote
            endpoint: tcp://localhost:1234
+          - driver: docker-container
+            metadata-provenance: max
+          - driver: docker-container
+            metadata-warnings: true
        exclude:
          - driver: docker
            multi-node: mnode-true
@@ -129,70 +133,18 @@ jobs:
          else
            echo "MULTI_NODE=0" >> $GITHUB_ENV
          fi
+          if [ -n "${{ matrix.metadata-provenance }}" ]; then
+            echo "BUILDX_METADATA_PROVENANCE=${{ matrix.metadata-provenance }}" >> $GITHUB_ENV
+          fi
+          if [ -n "${{ matrix.metadata-warnings }}" ]; then
+            echo "BUILDX_METADATA_WARNINGS=${{ matrix.metadata-warnings }}" >> $GITHUB_ENV
+          fi
      -
        name: Install k3s
        if: matrix.driver == 'kubernetes'
-        uses: actions/github-script@v7
+        uses: crazy-max/.github/.github/actions/install-k3s@fa6141aedf23596fb8bdcceab9cce8dadaa31bd9
        with:
-          script: |
-            const fs = require('fs');
-            
-            let wait = function(milliseconds) {
-              return new Promise((resolve, reject) => {
-                if (typeof(milliseconds) !== 'number') { 
-                  throw new Error('milleseconds not a number'); 
-                }
-                setTimeout(() => resolve("done!"), milliseconds)
-              });
-            }
-            
-            try {
-              const kubeconfig="/tmp/buildkit-k3s/kubeconfig.yaml";
-              core.info(`storing kubeconfig in ${kubeconfig}`);
-          
-              await exec.exec('docker', ["run", "-d",
-                "--privileged",
-                "--name=buildkit-k3s",
-                "-e", "K3S_KUBECONFIG_OUTPUT="+kubeconfig,
-                "-e", "K3S_KUBECONFIG_MODE=666",
-                "-v", "/tmp/buildkit-k3s:/tmp/buildkit-k3s",
-                "-p", "6443:6443",
-                "-p", "80:80",
-                "-p", "443:443",
-                "-p", "8080:8080",
-                "rancher/k3s:${{ env.K3S_VERSION }}", "server"
-              ]);
-              await wait(10000);
-              
-              core.exportVariable('KUBECONFIG', kubeconfig);
-              
-              let nodeName;
-              for (let count = 1; count <= 5; count++) {
-                try {
-                  const nodeNameOutput = await exec.getExecOutput("kubectl get nodes --no-headers -oname");
-                  nodeName = nodeNameOutput.stdout
-                } catch (error) {
-                  core.info(`Unable to resolve node name (${error.message}). Attempt ${count} of 5.`)
-                } finally {
-                  if (nodeName) {
-                    break;
-                  }
-                  await wait(5000);
-                }
-              }
-              if (!nodeName) {
-                throw new Error(`Unable to resolve node name after 5 attempts.`);
-              }
-              
-              await exec.exec(`kubectl wait --for=condition=Ready ${nodeName}`);
-            } catch (error) {
-              core.setFailed(error.message);
-            }
-      -
-        name: Print KUBECONFIG
-        if: matrix.driver == 'kubernetes'
-        run: |
-          yq ${{ env.KUBECONFIG }}
+          version: ${{ env.K3S_VERSION }}
      -
        name: Launch remote buildkitd
        if: matrix.driver == 'remote'
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -0,0 +1,21 @@
+name: labeler
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  pull_request_target:
+
+jobs:
+  labeler:
+    permissions:
+      contents: read
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Run
+        uses: actions/labeler@v5
+        with:
+          sync-labels: true
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -17,19 +17,70 @@ on:
      - '.github/releases.json'

 jobs:
+  prepare:
+    runs-on: ubuntu-24.04
+    outputs:
+      includes: ${{ steps.matrix.outputs.includes }}
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Matrix
+        id: matrix
+        uses: actions/github-script@v7
+        with:
+          script: |
+            let def = {};
+            await core.group(`Parsing definition`, async () => {
+              const printEnv = Object.assign({}, process.env, {
+                GOLANGCI_LINT_MULTIPLATFORM: process.env.GITHUB_REPOSITORY === 'docker/buildx' ? '1' : ''
+              });
+              const resPrint = await exec.getExecOutput('docker', ['buildx', 'bake', 'validate', '--print'], {
+                ignoreReturnCode: true,
+                env: printEnv
+              });
+              if (resPrint.stderr.length > 0 && resPrint.exitCode != 0) {
+                throw new Error(res.stderr);
+              }
+              def = JSON.parse(resPrint.stdout.trim());
+            });
+            await core.group(`Generating matrix`, async () => {
+              const includes = [];
+              for (const targetName of Object.keys(def.target)) {
+                const target = def.target[targetName];
+                if (target.platforms && target.platforms.length > 0) {
+                  target.platforms.forEach(platform => {
+                    includes.push({
+                      target: targetName,
+                      platform: platform
+                    });
+                  });
+                } else {
+                  includes.push({
+                    target: targetName
+                  });
+                }
+              }
+              core.info(JSON.stringify(includes, null, 2));
+              core.setOutput('includes', JSON.stringify(includes));
+            });
+
  validate:
-    runs-on: ubuntu-22.04
-    env:
-      GOLANGCI_LINT_MULTIPLATFORM: 1
+    runs-on: ubuntu-24.04
+    needs:
+      - prepare
    strategy:
      fail-fast: false
      matrix:
-        target:
-          - lint
-          - validate-vendor
-          - validate-docs
-          - validate-generated-files
+        include: ${{ fromJson(needs.prepare.outputs.includes) }}
    steps:
+      -
+        name: Prepare
+        run: |
+          if [ "$GITHUB_REPOSITORY" = "docker/buildx" ]; then
+            echo "GOLANGCI_LINT_MULTIPLATFORM=1" >> $GITHUB_ENV
+          fi
      -
        name: Checkout
        uses: actions/checkout@v4
@@ -39,6 +90,9 @@ jobs:
        with:
          version: latest
      -
-        name: Run
-        run: |
-          make ${{ matrix.target }}
+        name: Validate
+        uses: docker/bake-action@v5
+        with:
+          targets: ${{ matrix.target }}
+          set: |
+            *.platform=${{ matrix.platform }}
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,12 +1,8 @@
 run:
  timeout: 30m
-  skip-files:
-    - ".*\\.pb\\.go$"

  modules-download-mode: vendor

-  build-tags:
-
 linters:
  enable:
    - gofmt
@@ -25,17 +21,30 @@ linters:
  disable-all: true

 linters-settings:
+  govet:
+    enable:
+      - nilness
+      - unusedwrite
+  # enable-all: true
+  # disable:
+  #   - fieldalignment
+  #   - shadow
  depguard:
    rules:
      main:
        deny:
-          # The io/ioutil package has been deprecated.
-          # https://go.dev/doc/go1.16#ioutil
+          - pkg: "github.com/containerd/containerd/errdefs"
+            desc: The containerd errdefs package was migrated to a separate module. Use github.com/containerd/errdefs instead.
+          - pkg: "github.com/containerd/containerd/log"
+            desc: The containerd log package was migrated to a separate module. Use github.com/containerd/log instead.
+          - pkg: "github.com/containerd/containerd/platforms"
+            desc: The containerd platforms package was migrated to a separate module. Use github.com/containerd/platforms instead.
          - pkg: "io/ioutil"
            desc: The io/ioutil package has been deprecated.
  forbidigo:
    forbid:
      - '^fmt\.Errorf(# use errors\.Errorf instead)?$'
+      - '^platforms\.DefaultString(# use platforms\.Format(platforms\.DefaultSpec()) instead\.)?$'
  gosec:
    excludes:
      - G204  # Audit use of command execution
@@ -44,6 +53,8 @@ linters-settings:
      G306: "0644"

 issues:
+  exclude-files:
+    - ".*\\.pb\\.go$"
  exclude-rules:
    - linters:
        - revive
@@ -64,6 +75,6 @@ issues:
        - revive
      text: "if-return"

-# show all
-max-issues-per-linter: 0
-max-same-issues: 0
+  # show all
+  max-issues-per-linter: 0
+  max-same-issues: 0
--- a/77
+++ b/77
@@ -1,17 +1,23 @@
 # syntax=docker/dockerfile:1

-ARG GO_VERSION=1.21
+ARG GO_VERSION=1.22
 ARG XX_VERSION=1.4.0

-ARG DOCKER_VERSION=25.0.2
+# for testing
+ARG DOCKER_VERSION=27.1.1
+ARG DOCKER_CLI_VERSION=${DOCKER_VERSION}
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG REGISTRY_VERSION=2.8.0
-ARG BUILDKIT_VERSION=v0.12.5
+ARG BUILDKIT_VERSION=v0.14.1
+ARG UNDOCK_VERSION=0.7.0

-# xx is a helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
-
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golatest
+FROM moby/moby-bin:$DOCKER_VERSION AS docker-engine
+FROM dockereng/cli-bin:$DOCKER_CLI_VERSION AS docker-cli
+FROM registry:$REGISTRY_VERSION AS registry
+FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
+FROM crazymax/undock:$UNDOCK_VERSION AS undock

 FROM golatest AS gobase
 COPY --from=xx / /
@@ -20,32 +26,38 @@ ENV GOFLAGS=-mod=vendor
 ENV CGO_ENABLED=0
 WORKDIR /src

-FROM registry:$REGISTRY_VERSION AS registry
-
-FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
-
-FROM gobase AS docker
-ARG TARGETPLATFORM
-ARG DOCKER_VERSION
-WORKDIR /opt/docker
-RUN DOCKER_ARCH=$(case ${TARGETPLATFORM:-linux/amd64} in \
-    "linux/amd64")   echo "x86_64"  ;; \
-    "linux/arm/v6")  echo "armel"   ;; \
-    "linux/arm/v7")  echo "armhf"   ;; \
-    "linux/arm64")   echo "aarch64" ;; \
-    "linux/ppc64le") echo "ppc64le" ;; \
-    "linux/s390x")   echo "s390x"   ;; \
-    *)               echo ""        ;; esac) \
-  && echo "DOCKER_ARCH=$DOCKER_ARCH" \
-  && wget -qO- "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-${DOCKER_VERSION}.tgz" | tar xvz --strip 1
-RUN ./dockerd --version && ./containerd --version && ./ctr --version && ./runc --version
-
 FROM gobase AS gotestsum
 ARG GOTESTSUM_VERSION
-ENV GOFLAGS=
-RUN --mount=target=/root/.cache,type=cache \
-  GOBIN=/out/ go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" && \
-  /out/gotestsum --version
+ENV GOFLAGS=""
+RUN --mount=target=/root/.cache,type=cache <<EOT
+  set -ex
+  go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}"
+  go install "github.com/wadey/gocovmerge@latest"
+  mkdir /out
+  /go/bin/gotestsum --version
+  mv /go/bin/gotestsum /out
+  mv /go/bin/gocovmerge /out
+EOT
+COPY --chmod=755 <<"EOF" /out/gotestsumandcover
+#!/bin/sh
+set -x
+if [ -z "$GO_TEST_COVERPROFILE" ]; then
+  exec gotestsum "$@"
+fi
+coverdir="$(dirname "$GO_TEST_COVERPROFILE")"
+mkdir -p "$coverdir/helpers"
+gotestsum "$@" "-coverprofile=$GO_TEST_COVERPROFILE"
+ecode=$?
+go tool covdata textfmt -i=$coverdir/helpers -o=$coverdir/helpers-report.txt
+gocovmerge "$coverdir/helpers-report.txt" "$GO_TEST_COVERPROFILE" > "$coverdir/merged-report.txt"
+mv "$coverdir/merged-report.txt" "$GO_TEST_COVERPROFILE"
+rm "$coverdir/helpers-report.txt"
+for f in "$coverdir/helpers"/*; do
+  rm "$f"
+done
+rmdir "$coverdir/helpers"
+exit $ecode
+EOF

 FROM gobase AS buildx-version
 RUN --mount=type=bind,target=. <<EOT
@@ -57,6 +69,7 @@ EOT

 FROM gobase AS buildx-build
 ARG TARGETPLATFORM
+ARG GO_EXTRA_FLAGS
 RUN --mount=type=bind,target=. \
  --mount=type=cache,target=/root/.cache \
  --mount=type=cache,target=/go/pkg/mod \
@@ -103,11 +116,13 @@ RUN apk add --no-cache \
      shadow-uidmap \
      xfsprogs \
      xz
-COPY --link --from=gotestsum /out/gotestsum /usr/bin/
+COPY --link --from=gotestsum /out /usr/bin/
 COPY --link --from=registry /bin/registry /usr/bin/
-COPY --link --from=docker /opt/docker/* /usr/bin/
+COPY --link --from=docker-engine / /usr/bin/
+COPY --link --from=docker-cli / /usr/bin/
 COPY --link --from=buildkit /usr/bin/buildkitd /usr/bin/
 COPY --link --from=buildkit /usr/bin/buildctl /usr/bin/
+COPY --link --from=undock /usr/local/bin/undock /usr/bin/
 COPY --link --from=binaries /buildx /usr/bin/

 FROM integration-test-base AS integration-test
--- a/6
+++ b/6
@@ -153,6 +153,7 @@ made through a pull request.
 			"akihirosuda",
 			"crazy-max",
 			"jedevc",
+			"jsternberg",
 			"tiborvass",
 			"tonistiigi",
 		]
@@ -194,6 +195,11 @@ made through a pull request.
 	Email = "me@jedevc.com"
 	GitHub = "jedevc"

+	[people.jsternberg]
+	Name = "Jonathan Sternberg"
+	Email = "jonathan.sternberg@docker.com"
+	GitHub = "jsternberg"
+
 	[people.thajeztah]
 	Name = "Sebastiaan van Stijn"
 	Email = "github@gone.nl"
--- a/32
+++ b/32
@@ -8,6 +8,8 @@ endif

 export BUILDX_CMD ?= docker buildx

+BAKE_TARGETS := binaries binaries-cross lint lint-gopls validate-vendor validate-docs validate-authors validate-generated-files
+
 .PHONY: all
 all: binaries

@@ -19,13 +21,9 @@ build:
 shell:
 	./hack/shell

-.PHONY: binaries
-binaries:
-	$(BUILDX_CMD) bake binaries
-
-.PHONY: binaries-cross
-binaries-cross:
-	$(BUILDX_CMD) bake binaries-cross
+.PHONY: $(BAKE_TARGETS)
+$(BAKE_TARGETS):
+	$(BUILDX_CMD) bake $@

 .PHONY: install
 install: binaries
@@ -39,10 +37,6 @@ release:
 .PHONY: validate-all
 validate-all: lint test validate-vendor validate-docs validate-generated-files

-.PHONY: lint
-lint:
-	$(BUILDX_CMD) bake lint
-
 .PHONY: test
 test:
 	./hack/test
@@ -55,22 +49,6 @@ test-unit:
 test-integration:
 	TESTPKGS=./tests ./hack/test

-.PHONY: validate-vendor
-validate-vendor:
-	$(BUILDX_CMD) bake validate-vendor
-
-.PHONY: validate-docs
-validate-docs:
-	$(BUILDX_CMD) bake validate-docs
-
-.PHONY: validate-authors
-validate-authors:
-	$(BUILDX_CMD) bake validate-authors
-
-.PHONY: validate-generated-files
-validate-generated-files:
-	$(BUILDX_CMD) bake validate-generated-files
-
 .PHONY: test-driver
 test-driver:
 	./hack/test-driver
--- a/README.md
+++ b/README.md
@@ -56,8 +56,7 @@ For more information on how to use Buildx, see

 Using `buildx` with Docker requires Docker engine 19.03 or newer.

-> **Warning**
->
+> [!WARNING]
 > Using an incompatible version of Docker may result in unexpected behavior,
 > and will likely cause issues, especially when using Buildx builders with more
 > recent versions of BuildKit.
@@ -75,8 +74,7 @@ Docker Engine package repositories contain Docker Buildx packages when installed

 ## Manual download

-> **Important**
->
+> [!IMPORTANT]
 > This section is for unattended installation of the buildx component. These
 > instructions are mostly suitable for testing purposes. We do not recommend
 > installing buildx using manual download in production environments as they
@@ -107,8 +105,7 @@ On Windows:
 * `C:\ProgramData\Docker\cli-plugins`
 * `C:\Program Files\Docker\cli-plugins`

-> **Note**
->
+> [!NOTE]
 > On Unix environments, it may also be necessary to make it executable with `chmod +x`:
 > ```shell
 > $ chmod +x ~/.docker/cli-plugins/docker-buildx
@@ -187,12 +184,12 @@ through various "drivers". Each driver defines how and where a build should
 run, and have different feature sets.

 We currently support the following drivers:
- The `docker` driver ([guide](docs/manuals/drivers/docker.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
- The `docker-container` driver ([guide](docs/manuals/drivers/docker-container.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
- The `kubernetes` driver ([guide](docs/manuals/drivers/kubernetes.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
- The `remote` driver ([guide](docs/manuals/drivers/remote.md))
+- The `docker` driver ([guide](https://docs.docker.com/build/drivers/docker/), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `docker-container` driver ([guide](https://docs.docker.com/build/drivers/docker-container/), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `kubernetes` driver ([guide](https://docs.docker.com/build/drivers/kubernetes/), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `remote` driver ([guide](https://docs.docker.com/build/drivers/remote/))

-For more information on drivers, see the [drivers guide](docs/manuals/drivers/index.md).
+For more information on drivers, see the [drivers guide](https://docs.docker.com/build/drivers/).

 ## Working with builder instances

--- a/bake/bake.go
+++ b/bake/bake.go
@@ -2,7 +2,6 @@ package bake

 import (
 	"context"
-	"encoding/csv"
 	"io"
 	"os"
 	"path"
@@ -26,7 +25,9 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/pkg/errors"
+	"github.com/tonistiigi/go-csvvalue"
 	"github.com/zclconf/go-cty/cty"
 	"github.com/zclconf/go-cty/cty/convert"
 )
@@ -177,7 +178,7 @@ func readWithProgress(r io.Reader, setStatus func(st *client.VertexStatus)) (dt
 }

 func ListTargets(files []File) ([]string, error) {
-	c, err := ParseFiles(files, nil)
+	c, _, err := ParseFiles(files, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -192,7 +193,7 @@ func ListTargets(files []File) ([]string, error) {
 }

 func ReadTargets(ctx context.Context, files []File, targets, overrides []string, defaults map[string]string) (map[string]*Target, map[string]*Group, error) {
-	c, err := ParseFiles(files, defaults)
+	c, _, err := ParseFiles(files, defaults)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -298,7 +299,7 @@ func sliceToMap(env []string) (res map[string]string) {
 	return
 }

-func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error) {
+func ParseFiles(files []File, defaults map[string]string) (_ *Config, _ *hclparser.ParseMeta, err error) {
 	defer func() {
 		err = formatHCLError(err, files)
 	}()
@@ -310,7 +311,7 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 		isCompose, composeErr := validateComposeFile(f.Data, f.Name)
 		if isCompose {
 			if composeErr != nil {
-				return nil, composeErr
+				return nil, nil, composeErr
 			}
 			composeFiles = append(composeFiles, f)
 		}
@@ -318,13 +319,13 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 			hf, isHCL, err := ParseHCLFile(f.Data, f.Name)
 			if isHCL {
 				if err != nil {
-					return nil, err
+					return nil, nil, err
 				}
 				hclFiles = append(hclFiles, hf)
 			} else if composeErr != nil {
-				return nil, errors.Wrapf(err, "failed to parse %s: parsing yaml: %v, parsing hcl", f.Name, composeErr)
+				return nil, nil, errors.Wrapf(err, "failed to parse %s: parsing yaml: %v, parsing hcl", f.Name, composeErr)
 			} else {
-				return nil, err
+				return nil, nil, err
 			}
 		}
 	}
@@ -332,23 +333,24 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 	if len(composeFiles) > 0 {
 		cfg, cmperr := ParseComposeFiles(composeFiles)
 		if cmperr != nil {
-			return nil, errors.Wrap(cmperr, "failed to parse compose file")
+			return nil, nil, errors.Wrap(cmperr, "failed to parse compose file")
 		}
 		c = mergeConfig(c, *cfg)
 		c = dedupeConfig(c)
 	}

+	var pm hclparser.ParseMeta
 	if len(hclFiles) > 0 {
-		renamed, err := hclparser.Parse(hclparser.MergeFiles(hclFiles), hclparser.Opt{
+		res, err := hclparser.Parse(hclparser.MergeFiles(hclFiles), hclparser.Opt{
 			LookupVar:     os.LookupEnv,
 			Vars:          defaults,
 			ValidateLabel: validateTargetName,
 		}, &c)
 		if err.HasErrors() {
-			return nil, err
+			return nil, nil, err
 		}

-		for _, renamed := range renamed {
+		for _, renamed := range res.Renamed {
 			for oldName, newNames := range renamed {
 				newNames = dedupSlice(newNames)
 				if len(newNames) == 1 && oldName == newNames[0] {
@@ -361,9 +363,10 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 			}
 		}
 		c = dedupeConfig(c)
+		pm = *res
 	}

-	return &c, nil
+	return &c, &pm, nil
 }

 func dedupeConfig(c Config) Config {
@@ -388,7 +391,8 @@ func dedupeConfig(c Config) Config {
 }

 func ParseFile(dt []byte, fn string) (*Config, error) {
-	return ParseFiles([]File{{Data: dt, Name: fn}}, nil)
+	c, _, err := ParseFiles([]File{{Data: dt, Name: fn}}, nil)
+	return c, err
 }

 type Config struct {
@@ -491,7 +495,7 @@ func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[st
 				if err != nil {
 					return err
 				}
-				t2.Outputs = nil
+				t2.Outputs = []string{"type=cacheonly"}
 				t2.linked = true
 				m[target] = t2
 			}
@@ -539,7 +543,7 @@ func (c Config) newOverrides(v []string) (map[string]map[string]Override, error)
 			o := t[kk[1]]

 			switch keys[1] {
-			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh", "attest":
+			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh", "attest", "entitlements", "network":
 				if len(parts) == 2 {
 					o.ArrValue = append(o.ArrValue, parts[1])
 				}
@@ -669,13 +673,15 @@ func (c Config) target(name string, visited map[string]*Target, overrides map[st
 }

 type Group struct {
-	Name    string   `json:"-" hcl:"name,label" cty:"name"`
-	Targets []string `json:"targets" hcl:"targets" cty:"targets"`
+	Name        string   `json:"-" hcl:"name,label" cty:"name"`
+	Description string   `json:"description,omitempty" hcl:"description,optional" cty:"description"`
+	Targets     []string `json:"targets" hcl:"targets" cty:"targets"`
 	// Target // TODO?
 }

 type Target struct {
-	Name string `json:"-" hcl:"name,label" cty:"name"`
+	Name        string `json:"-" hcl:"name,label" cty:"name"`
+	Description string `json:"description,omitempty" hcl:"description,optional" cty:"description"`

 	// Inherits is the only field that cannot be overridden with --set
 	Inherits []string `json:"inherits,omitempty" hcl:"inherits,optional" cty:"inherits"`
@@ -698,11 +704,13 @@ type Target struct {
 	Outputs          []string           `json:"output,omitempty" hcl:"output,optional" cty:"output"`
 	Pull             *bool              `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
 	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
-	NetworkMode      *string            `json:"-" hcl:"-" cty:"-"`
+	NetworkMode      *string            `json:"network" hcl:"network" cty:"network"`
 	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
 	ShmSize          *string            `json:"shm-size,omitempty" hcl:"shm-size,optional"`
 	Ulimits          []string           `json:"ulimits,omitempty" hcl:"ulimits,optional"`
-	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/bake-reference.md.
+	Call             *string            `json:"call,omitempty" hcl:"call,optional" cty:"call"`
+	Entitlements     []string           `json:"entitlements,omitempty" hcl:"entitlements,optional" cty:"entitlements"`
+	// IMPORTANT: if you add more fields here, do not forget to update newOverrides/AddOverrides and docs/bake-reference.md.

 	// linked is a private field to mark a target used as a linked one
 	linked bool
@@ -726,6 +734,12 @@ func (t *Target) normalize() {
 	t.NoCacheFilter = removeDupes(t.NoCacheFilter)
 	t.Ulimits = removeDupes(t.Ulimits)

+	if t.NetworkMode != nil && *t.NetworkMode == "host" {
+		t.Entitlements = append(t.Entitlements, "network.host")
+	}
+
+	t.Entitlements = removeDupes(t.Entitlements)
+
 	for k, v := range t.Contexts {
 		if v == "" {
 			delete(t.Contexts, k)
@@ -776,6 +790,9 @@ func (t *Target) Merge(t2 *Target) {
 	if t2.Target != nil {
 		t.Target = t2.Target
 	}
+	if t2.Call != nil {
+		t.Call = t2.Call
+	}
 	if t2.Annotations != nil { // merge
 		t.Annotations = append(t.Annotations, t2.Annotations...)
 	}
@@ -819,6 +836,12 @@ func (t *Target) Merge(t2 *Target) {
 	if t2.Ulimits != nil { // merge
 		t.Ulimits = append(t.Ulimits, t2.Ulimits...)
 	}
+	if t2.Description != "" {
+		t.Description = t2.Description
+	}
+	if t2.Entitlements != nil { // merge
+		t.Entitlements = append(t.Entitlements, t2.Entitlements...)
+	}
 	t.Inherits = append(t.Inherits, t2.Inherits...)
 }

@@ -863,6 +886,8 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.CacheTo = o.ArrValue
 		case "target":
 			t.Target = &value
+		case "call":
+			t.Call = &value
 		case "secrets":
 			t.Secrets = o.ArrValue
 		case "ssh":
@@ -871,6 +896,8 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.Platforms = o.ArrValue
 		case "output":
 			t.Outputs = o.ArrValue
+		case "entitlements":
+			t.Entitlements = append(t.Entitlements, o.ArrValue...)
 		case "annotations":
 			t.Annotations = append(t.Annotations, o.ArrValue...)
 		case "attest":
@@ -887,6 +914,8 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.ShmSize = &value
 		case "ulimits":
 			t.Ulimits = o.ArrValue
+		case "network":
+			t.NetworkMode = &value
 		case "pull":
 			pull, err := strconv.ParseBool(value)
 			if err != nil {
@@ -894,19 +923,17 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			}
 			t.Pull = &pull
 		case "push":
-			_, err := strconv.ParseBool(value)
+			push, err := strconv.ParseBool(value)
 			if err != nil {
 				return errors.Errorf("invalid value %s for boolean key push", value)
 			}
-			if len(t.Outputs) == 0 {
-				t.Outputs = append(t.Outputs, "type=image,push=true")
-			} else {
-				for i, output := range t.Outputs {
-					if typ := parseOutputType(output); typ == "image" || typ == "registry" {
-						t.Outputs[i] = t.Outputs[i] + ",push=" + value
-					}
-				}
+			t.Outputs = setPushOverride(t.Outputs, push)
+		case "load":
+			load, err := strconv.ParseBool(value)
+			if err != nil {
+				return errors.Errorf("invalid value %s for boolean key load", value)
 			}
+			t.Outputs = setLoadOverride(t.Outputs, load)
 		default:
 			return errors.Errorf("unknown key: %s", keys[0])
 		}
@@ -1300,6 +1327,12 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 		bo.Target = *t.Target
 	}

+	if t.Call != nil {
+		bo.CallFunc = &build.CallFunc{
+			Name: *t.Call,
+		}
+	}
+
 	cacheImports, err := buildflags.ParseCacheEntry(t.CacheFrom)
 	if err != nil {
 		return nil, err
@@ -1350,6 +1383,10 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 	bo.Ulimits = ulimits

+	for _, ent := range t.Entitlements {
+		bo.Allow = append(bo.Allow, entitlements.Entitlement(ent))
+	}
+
 	return bo, nil
 }

@@ -1394,23 +1431,89 @@ func removeAttestDupes(s []string) []string {
 	return res
 }

-func parseOutputType(str string) string {
-	csvReader := csv.NewReader(strings.NewReader(str))
-	fields, err := csvReader.Read()
+func parseOutput(str string) map[string]string {
+	fields, err := csvvalue.Fields(str, nil)
 	if err != nil {
-		return ""
+		return nil
 	}
+	res := map[string]string{}
 	for _, field := range fields {
 		parts := strings.SplitN(field, "=", 2)
 		if len(parts) == 2 {
-			if parts[0] == "type" {
-				return parts[1]
-			}
+			res[parts[0]] = parts[1]
+		}
+	}
+	return res
+}
+
+func parseOutputType(str string) string {
+	if out := parseOutput(str); out != nil {
+		if v, ok := out["type"]; ok {
+			return v
 		}
 	}
 	return ""
 }

+func setPushOverride(outputs []string, push bool) []string {
+	var out []string
+	setPush := true
+	for _, output := range outputs {
+		typ := parseOutputType(output)
+		if typ == "image" || typ == "registry" {
+			// no need to set push if image or registry types already defined
+			setPush = false
+			if typ == "registry" {
+				if !push {
+					// don't set registry output if "push" is false
+					continue
+				}
+				// no need to set "push" attribute to true for registry
+				out = append(out, output)
+				continue
+			}
+			out = append(out, output+",push="+strconv.FormatBool(push))
+		} else {
+			if typ != "docker" {
+				// if there is any output that is not docker, don't set "push"
+				setPush = false
+			}
+			out = append(out, output)
+		}
+	}
+	if push && setPush {
+		out = append(out, "type=image,push=true")
+	}
+	return out
+}
+
+func setLoadOverride(outputs []string, load bool) []string {
+	if !load {
+		return outputs
+	}
+	setLoad := true
+	for _, output := range outputs {
+		if typ := parseOutputType(output); typ == "docker" {
+			if v := parseOutput(output); v != nil {
+				// dest set means we want to output as tar so don't set load
+				if _, ok := v["dest"]; !ok {
+					setLoad = false
+					break
+				}
+			}
+		} else if typ != "image" && typ != "registry" && typ != "oci" {
+			// if there is any output that is not an image, registry
+			// or oci, don't set "load" similar to push override
+			setLoad = false
+			break
+		}
+	}
+	if setLoad {
+		outputs = append(outputs, "type=docker")
+	}
+	return outputs
+}
+
 func validateTargetName(name string) error {
 	if !targetNamePattern.MatchString(name) {
 		return errors.Errorf("only %q are allowed", validTargetNameChars)
--- a/bake/bake_test.go
+++ b/bake/bake_test.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 	"testing"

+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -217,48 +218,252 @@ target "webapp" {
 }

 func TestPushOverride(t *testing.T) {
-	t.Parallel()
+	t.Run("empty output", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=image,push=true", m["app"].Outputs[0])
+	})

-	fp := File{
-		Name: "docker-bake.hcl",
-		Data: []byte(
-			`target "app" {
+	t.Run("type image", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
 				output = ["type=image,compression=zstd"]
 			}`),
-	}
-	ctx := context.TODO()
-	m, _, err := ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
-	require.NoError(t, err)
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=image,compression=zstd,push=true", m["app"].Outputs[0])
+	})

-	require.Equal(t, 1, len(m["app"].Outputs))
-	require.Equal(t, "type=image,compression=zstd,push=true", m["app"].Outputs[0])
-
-	fp = File{
-		Name: "docker-bake.hcl",
-		Data: []byte(
-			`target "app" {
+	t.Run("type image push false", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
 				output = ["type=image,compression=zstd"]
 			}`),
-	}
-	ctx = context.TODO()
-	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
-	require.NoError(t, err)
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=image,compression=zstd,push=false", m["app"].Outputs[0])
+	})

-	require.Equal(t, 1, len(m["app"].Outputs))
-	require.Equal(t, "type=image,compression=zstd,push=false", m["app"].Outputs[0])
-
-	fp = File{
-		Name: "docker-bake.hcl",
-		Data: []byte(
-			`target "app" {
+	t.Run("type registry", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=registry"]
 			}`),
-	}
-	ctx = context.TODO()
-	m, _, err = ReadTargets(ctx, []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
-	require.NoError(t, err)
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=registry", m["app"].Outputs[0])
+	})

-	require.Equal(t, 1, len(m["app"].Outputs))
-	require.Equal(t, "type=image,push=true", m["app"].Outputs[0])
+	t.Run("type registry push false", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=registry"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.push=false"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 0, len(m["app"].Outputs))
+	})
+
+	t.Run("type local and empty target", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=local,dest=out" ]
+			}
+			target "bar" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m))
+		require.Equal(t, 1, len(m["foo"].Outputs))
+		require.Equal(t, []string{"type=local,dest=out"}, m["foo"].Outputs)
+		require.Equal(t, 1, len(m["bar"].Outputs))
+		require.Equal(t, []string{"type=image,push=true"}, m["bar"].Outputs)
+	})
+}
+
+func TestLoadOverride(t *testing.T) {
+	t.Run("empty output", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, "type=docker", m["app"].Outputs[0])
+	})
+
+	t.Run("type docker", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=docker"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type image", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=image"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=image", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type image load false", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=image"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=false"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=image"}, m["app"].Outputs)
+	})
+
+	t.Run("type registry", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=registry"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=registry", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type oci", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=oci,dest=out"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=oci,dest=out", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type docker with dest", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "app" {
+				output = ["type=docker,dest=out"]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"app"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m["app"].Outputs))
+		require.Equal(t, []string{"type=docker,dest=out", "type=docker"}, m["app"].Outputs)
+	})
+
+	t.Run("type local and empty target", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=local,dest=out" ]
+			}
+			target "bar" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m))
+		require.Equal(t, 1, len(m["foo"].Outputs))
+		require.Equal(t, []string{"type=local,dest=out"}, m["foo"].Outputs)
+		require.Equal(t, 1, len(m["bar"].Outputs))
+		require.Equal(t, []string{"type=docker"}, m["bar"].Outputs)
+	})
+}
+
+func TestLoadAndPushOverride(t *testing.T) {
+	t.Run("type local and empty target", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=local,dest=out" ]
+			}
+			target "bar" {
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo", "bar"}, []string{"*.load=true", "*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 2, len(m))
+
+		require.Equal(t, 1, len(m["foo"].Outputs))
+		sort.Strings(m["foo"].Outputs)
+		require.Equal(t, []string{"type=local,dest=out"}, m["foo"].Outputs)
+
+		require.Equal(t, 2, len(m["bar"].Outputs))
+		sort.Strings(m["bar"].Outputs)
+		require.Equal(t, []string{"type=docker", "type=image,push=true"}, m["bar"].Outputs)
+	})
+
+	t.Run("type registry", func(t *testing.T) {
+		fp := File{
+			Name: "docker-bake.hcl",
+			Data: []byte(
+				`target "foo" {
+		  		output = [ "type=registry" ]
+			}`),
+		}
+		m, _, err := ReadTargets(context.TODO(), []File{fp}, []string{"foo"}, []string{"*.load=true", "*.push=true"}, nil)
+		require.NoError(t, err)
+		require.Equal(t, 1, len(m))
+
+		require.Equal(t, 2, len(m["foo"].Outputs))
+		sort.Strings(m["foo"].Outputs)
+		require.Equal(t, []string{"type=docker", "type=registry"}, m["foo"].Outputs)
+	})
 }

 func TestReadTargetsCompose(t *testing.T) {
@@ -634,7 +839,8 @@ func TestReadContextFromTargetChain(t *testing.T) {

 	mid, ok := m["mid"]
 	require.True(t, ok)
-	require.Equal(t, 0, len(mid.Outputs))
+	require.Equal(t, 1, len(mid.Outputs))
+	require.Equal(t, "type=cacheonly", mid.Outputs[0])
 	require.Equal(t, 1, len(mid.Contexts))

 	base, ok := m["base"]
@@ -1324,7 +1530,7 @@ services:
        v2: "bar"
 `)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.foo"},
 		{Data: dt2, Name: "c2.bar"},
 	}, nil)
@@ -1521,3 +1727,132 @@ func TestAnnotations(t *testing.T) {
 	require.Len(t, bo["app"].Exports, 1)
 	require.Equal(t, "bar", bo["app"].Exports[0].Attrs["annotation-manifest[linux/amd64].foo"])
 }
+
+func TestHCLEntitlements(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				entitlements = ["security.insecure", "network.host"]
+			}`),
+	}
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 2)
+	require.Equal(t, "security.insecure", m["app"].Entitlements[0])
+	require.Equal(t, "network.host", m["app"].Entitlements[1])
+
+	require.Len(t, bo["app"].Allow, 2)
+	require.Equal(t, entitlements.EntitlementSecurityInsecure, bo["app"].Allow[0])
+	require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[1])
+}
+
+func TestEntitlementsForNetHostCompose(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				dockerfile = "app.Dockerfile"
+			}`),
+	}
+
+	fp2 := File{
+		Name: "docker-compose.yml",
+		Data: []byte(
+			`services:
+  app:
+    build:
+      network: "host"
+`),
+	}
+
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 1)
+	require.Equal(t, "network.host", m["app"].Entitlements[0])
+	require.Equal(t, "host", *m["app"].NetworkMode)
+
+	require.Len(t, bo["app"].Allow, 1)
+	require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[0])
+	require.Equal(t, "host", bo["app"].NetworkMode)
+}
+
+func TestEntitlementsForNetHost(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				dockerfile = "app.Dockerfile"
+				network = "host"
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 1)
+	require.Equal(t, "network.host", m["app"].Entitlements[0])
+	require.Equal(t, "host", *m["app"].NetworkMode)
+
+	require.Len(t, bo["app"].Allow, 1)
+	require.Equal(t, entitlements.EntitlementNetworkHost, bo["app"].Allow[0])
+	require.Equal(t, "host", bo["app"].NetworkMode)
+}
+
+func TestNetNone(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				dockerfile = "app.Dockerfile"
+				network = "none"
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Len(t, m["app"].Entitlements, 0)
+	require.Equal(t, "none", *m["app"].NetworkMode)
+
+	require.Len(t, bo["app"].Allow, 0)
+	require.Equal(t, "none", bo["app"].NetworkMode)
+}
--- a/bake/compose.go
+++ b/bake/compose.go
@@ -5,8 +5,10 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"sort"
 	"strings"

+	"github.com/compose-spec/compose-go/v2/consts"
 	"github.com/compose-spec/compose-go/v2/dotenv"
 	"github.com/compose-spec/compose-go/v2/loader"
 	composetypes "github.com/compose-spec/compose-go/v2/types"
@@ -39,7 +41,11 @@ func ParseCompose(cfgs []composetypes.ConfigFile, envs map[string]string) (*Conf
 		ConfigFiles: cfgs,
 		Environment: envs,
 	}, func(options *loader.Options) {
-		options.SetProjectName("bake", false)
+		projectName := "bake"
+		if v, ok := envs[consts.ComposeProjectName]; ok && v != "" {
+			projectName = v
+		}
+		options.SetProjectName(projectName, false)
 		options.SkipNormalization = true
 		options.Profiles = []string{"*"}
 	})
@@ -107,6 +113,13 @@ func ParseCompose(cfgs []composetypes.ConfigFile, envs map[string]string) (*Conf
 				}
 			}

+			var ssh []string
+			for _, bkey := range s.Build.SSH {
+				sshkey := composeToBuildkitSSH(bkey)
+				ssh = append(ssh, sshkey)
+			}
+			sort.Strings(ssh)
+
 			var secrets []string
 			for _, bs := range s.Build.Secrets {
 				secret, err := composeToBuildkitSecret(bs, cfg.Secrets[bs.Source])
@@ -142,6 +155,7 @@ func ParseCompose(cfgs []composetypes.ConfigFile, envs map[string]string) (*Conf
 				CacheFrom:   s.Build.CacheFrom,
 				CacheTo:     s.Build.CacheTo,
 				NetworkMode: &s.Build.Network,
+				SSH:         ssh,
 				Secrets:     secrets,
 				ShmSize:     shmSize,
 				Ulimits:     ulimits,
@@ -275,7 +289,7 @@ type xbake struct {
 	NoCacheFilter stringArray `yaml:"no-cache-filter,omitempty"`
 	Contexts      stringMap   `yaml:"contexts,omitempty"`
 	// don't forget to update documentation if you add a new field:
-	// docs/manuals/bake/compose-file.md#extension-field-with-x-bake
+	// https://github.com/docker/docs/blob/main/content/build/bake/compose-file.md#extension-field-with-x-bake
 }

 type stringMap map[string]string
@@ -325,6 +339,7 @@ func (t *Target) composeExtTarget(exts map[string]interface{}) error {
 	}
 	if len(xb.SSH) > 0 {
 		t.SSH = dedupSlice(append(t.SSH, xb.SSH...))
+		sort.Strings(t.SSH)
 	}
 	if len(xb.Platforms) > 0 {
 		t.Platforms = dedupSlice(append(t.Platforms, xb.Platforms...))
@@ -368,3 +383,17 @@ func composeToBuildkitSecret(inp composetypes.ServiceSecretConfig, psecret compo

 	return strings.Join(bkattrs, ","), nil
 }
+
+// composeToBuildkitSSH converts secret from compose format to buildkit's
+// csv format.
+func composeToBuildkitSSH(sshKey composetypes.SSHKey) string {
+	var bkattrs []string
+
+	bkattrs = append(bkattrs, sshKey.ID)
+
+	if sshKey.Path != "" {
+		bkattrs = append(bkattrs, sshKey.Path)
+	}
+
+	return strings.Join(bkattrs, "=")
+}
--- a/bake/compose_test.go
+++ b/bake/compose_test.go
@@ -32,6 +32,9 @@ services:
        - type=local,src=path/to/cache
      cache_to:
        - type=local,dest=path/to/cache
+      ssh:
+        - key=path/to/key
+        - default
      secrets:
        - token
        - aws
@@ -74,6 +77,7 @@ secrets:
 	require.Equal(t, []string{"type=local,src=path/to/cache"}, c.Targets[1].CacheFrom)
 	require.Equal(t, []string{"type=local,dest=path/to/cache"}, c.Targets[1].CacheTo)
 	require.Equal(t, "none", *c.Targets[1].NetworkMode)
+	require.Equal(t, []string{"default", "key=path/to/key"}, c.Targets[1].SSH)
 	require.Equal(t, []string{
 		"id=token,env=ENV_TOKEN",
 		"id=aws,src=/root/.aws/credentials",
@@ -278,6 +282,8 @@ services:
        - user/app:cache
      tags:
        - ct-addon:baz
+      ssh:
+        key: path/to/key
      args:
        CT_ECR: foo
        CT_TAG: bar
@@ -287,6 +293,9 @@ services:
        tags:
          - ct-addon:foo
          - ct-addon:alp
+        ssh:
+          - default
+          - other=path/to/otherkey
        platforms:
          - linux/amd64
          - linux/arm64
@@ -329,6 +338,7 @@ services:
 	require.Equal(t, []string{"linux/amd64", "linux/arm64"}, c.Targets[0].Platforms)
 	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
 	require.Equal(t, []string{"user/app:cache", "type=local,dest=path/to/cache"}, c.Targets[0].CacheTo)
+	require.Equal(t, []string{"default", "key=path/to/key", "other=path/to/otherkey"}, c.Targets[0].SSH)
 	require.Equal(t, newBool(true), c.Targets[0].Pull)
 	require.Equal(t, map[string]string{"alpine": "docker-image://alpine:3.13"}, c.Targets[0].Contexts)
 	require.Equal(t, []string{"ct-fake-aws:bar"}, c.Targets[1].Tags)
@@ -353,6 +363,8 @@ services:
        - user/app:cache
      tags:
        - ct-addon:foo
+      ssh:
+        - default
      x-bake:
        tags:
          - ct-addon:foo
@@ -362,6 +374,9 @@ services:
          - type=local,src=path/to/cache
        cache-to:
          - type=local,dest=path/to/cache
+        ssh:
+          - default
+          - key=path/to/key
 `)

 	c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
@@ -370,6 +385,7 @@ services:
 	require.Equal(t, []string{"ct-addon:foo", "ct-addon:baz"}, c.Targets[0].Tags)
 	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
 	require.Equal(t, []string{"user/app:cache", "type=local,dest=path/to/cache"}, c.Targets[0].CacheTo)
+	require.Equal(t, []string{"default", "key=path/to/key"}, c.Targets[0].SSH)
 }

 func TestEnv(t *testing.T) {
@@ -742,6 +758,46 @@ services:
 	require.NoError(t, err)
 }

+func TestCgroup(t *testing.T) {
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: ./webapp
+    cgroup: private
+`)
+
+	_, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+}
+
+func TestProjectName(t *testing.T) {
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: ./webapp
+     args:
+       PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
+`)
+
+	t.Run("default", func(t *testing.T) {
+		c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
+		require.NoError(t, err)
+		require.Len(t, c.Targets, 1)
+		require.Len(t, c.Targets[0].Args, 1)
+		require.Equal(t, map[string]*string{"PROJECT_NAME": ptrstr("bake")}, c.Targets[0].Args)
+	})
+
+	t.Run("env", func(t *testing.T) {
+		c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, map[string]string{"COMPOSE_PROJECT_NAME": "foo"})
+		require.NoError(t, err)
+		require.Len(t, c.Targets, 1)
+		require.Len(t, c.Targets[0].Args, 1)
+		require.Equal(t, map[string]*string{"PROJECT_NAME": ptrstr("foo")}, c.Targets[0].Args)
+	})
+}
+
 // chdir changes the current working directory to the named directory,
 // and then restore the original working directory at the end of the test.
 func chdir(t *testing.T, dir string) {
--- a/bake/entitlements.go
+++ b/bake/entitlements.go
@@ -0,0 +1,175 @@
+package bake
+
+import (
+	"bufio"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"slices"
+	"strings"
+
+	"github.com/containerd/console"
+	"github.com/docker/buildx/build"
+	"github.com/moby/buildkit/util/entitlements"
+	"github.com/pkg/errors"
+)
+
+type EntitlementKey string
+
+const (
+	EntitlementKeyNetworkHost      EntitlementKey = "network.host"
+	EntitlementKeySecurityInsecure EntitlementKey = "security.insecure"
+	EntitlementKeyFSRead           EntitlementKey = "fs.read"
+	EntitlementKeyFSWrite          EntitlementKey = "fs.write"
+	EntitlementKeyFS               EntitlementKey = "fs"
+	EntitlementKeyImagePush        EntitlementKey = "image.push"
+	EntitlementKeyImageLoad        EntitlementKey = "image.load"
+	EntitlementKeyImage            EntitlementKey = "image"
+	EntitlementKeySSH              EntitlementKey = "ssh"
+)
+
+type EntitlementConf struct {
+	NetworkHost      bool
+	SecurityInsecure bool
+	FSRead           []string
+	FSWrite          []string
+	ImagePush        []string
+	ImageLoad        []string
+	SSH              bool
+}
+
+func ParseEntitlements(in []string) (EntitlementConf, error) {
+	var conf EntitlementConf
+	for _, e := range in {
+		switch e {
+		case string(EntitlementKeyNetworkHost):
+			conf.NetworkHost = true
+		case string(EntitlementKeySecurityInsecure):
+			conf.SecurityInsecure = true
+		case string(EntitlementKeySSH):
+			conf.SSH = true
+		default:
+			k, v, _ := strings.Cut(e, "=")
+			switch k {
+			case string(EntitlementKeyFSRead):
+				conf.FSRead = append(conf.FSRead, v)
+			case string(EntitlementKeyFSWrite):
+				conf.FSWrite = append(conf.FSWrite, v)
+			case string(EntitlementKeyFS):
+				conf.FSRead = append(conf.FSRead, v)
+				conf.FSWrite = append(conf.FSWrite, v)
+			case string(EntitlementKeyImagePush):
+				conf.ImagePush = append(conf.ImagePush, v)
+			case string(EntitlementKeyImageLoad):
+				conf.ImageLoad = append(conf.ImageLoad, v)
+			case string(EntitlementKeyImage):
+				conf.ImagePush = append(conf.ImagePush, v)
+				conf.ImageLoad = append(conf.ImageLoad, v)
+			default:
+				return conf, errors.Errorf("uknown entitlement key %q", k)
+			}
+
+			// TODO: dedupe slices and parent paths
+		}
+	}
+	return conf, nil
+}
+
+func (c EntitlementConf) Validate(m map[string]build.Options) (EntitlementConf, error) {
+	var expected EntitlementConf
+
+	for _, v := range m {
+		if err := c.check(v, &expected); err != nil {
+			return EntitlementConf{}, err
+		}
+	}
+
+	return expected, nil
+}
+
+func (c EntitlementConf) check(bo build.Options, expected *EntitlementConf) error {
+	for _, e := range bo.Allow {
+		switch e {
+		case entitlements.EntitlementNetworkHost:
+			if !c.NetworkHost {
+				expected.NetworkHost = true
+			}
+		case entitlements.EntitlementSecurityInsecure:
+			if !c.SecurityInsecure {
+				expected.SecurityInsecure = true
+			}
+		}
+	}
+	return nil
+}
+
+func (c EntitlementConf) Prompt(ctx context.Context, out io.Writer) error {
+	var term bool
+	if _, err := console.ConsoleFromFile(os.Stdin); err == nil {
+		term = true
+	}
+
+	var msgs []string
+	var flags []string
+
+	if c.NetworkHost {
+		msgs = append(msgs, " - Running build containers that can access host network")
+		flags = append(flags, "network.host")
+	}
+	if c.SecurityInsecure {
+		msgs = append(msgs, " - Running privileged containers that can make system changes")
+		flags = append(flags, "security.insecure")
+	}
+
+	if len(msgs) == 0 {
+		return nil
+	}
+
+	fmt.Fprintf(out, "Your build is requesting privileges for following possibly insecure capabilities:\n\n")
+	for _, m := range msgs {
+		fmt.Fprintf(out, "%s\n", m)
+	}
+
+	for i, f := range flags {
+		flags[i] = "--allow=" + f
+	}
+
+	if term {
+		fmt.Fprintf(out, "\nIn order to not see this message in the future pass %q to grant requested privileges.\n", strings.Join(flags, " "))
+	} else {
+		fmt.Fprintf(out, "\nPass %q to grant requested privileges.\n", strings.Join(flags, " "))
+	}
+
+	args := append([]string(nil), os.Args...)
+	if v, ok := os.LookupEnv("DOCKER_CLI_PLUGIN_ORIGINAL_CLI_COMMAND"); ok && v != "" {
+		args[0] = v
+	}
+	idx := slices.Index(args, "bake")
+
+	if idx != -1 {
+		fmt.Fprintf(out, "\nYour full command with requested privileges:\n\n")
+		fmt.Fprintf(out, "%s %s %s\n\n", strings.Join(args[:idx+1], " "), strings.Join(flags, " "), strings.Join(args[idx+1:], " "))
+	}
+
+	if term {
+		fmt.Fprintf(out, "Do you want to grant requested privileges and continue? [y/N] ")
+		reader := bufio.NewReader(os.Stdin)
+		answerCh := make(chan string, 1)
+		go func() {
+			answer, _, _ := reader.ReadLine()
+			answerCh <- string(answer)
+			close(answerCh)
+		}()
+
+		select {
+		case <-ctx.Done():
+		case answer := <-answerCh:
+			if strings.ToLower(string(answer)) == "y" {
+				return nil
+			}
+		}
+	}
+
+	return errors.Errorf("additional privileges requested")
+}
--- a/bake/hcl_test.go
+++ b/bake/hcl_test.go
@@ -273,7 +273,7 @@ func TestHCLMultiFileSharedVariables(t *testing.T) {
 		}
 		`)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 	}, nil)
@@ -285,7 +285,7 @@ func TestHCLMultiFileSharedVariables(t *testing.T) {

 	t.Setenv("FOO", "def")

-	c, err = ParseFiles([]File{
+	c, _, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 	}, nil)
@@ -322,7 +322,7 @@ func TestHCLVarsWithVars(t *testing.T) {
 		}
 		`)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 	}, nil)
@@ -334,7 +334,7 @@ func TestHCLVarsWithVars(t *testing.T) {

 	t.Setenv("BASE", "new")

-	c, err = ParseFiles([]File{
+	c, _, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 	}, nil)
@@ -612,7 +612,7 @@ func TestHCLMultiFileAttrs(t *testing.T) {
 		FOO="def"
 		`)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 	}, nil)
@@ -623,7 +623,7 @@ func TestHCLMultiFileAttrs(t *testing.T) {

 	t.Setenv("FOO", "ghi")

-	c, err = ParseFiles([]File{
+	c, _, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 	}, nil)
@@ -647,7 +647,7 @@ func TestHCLMultiFileGlobalAttrs(t *testing.T) {
 		FOO = "def"
 		`)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 	}, nil)
@@ -830,7 +830,7 @@ func TestHCLRenameMultiFile(t *testing.T) {
 		}
 		`)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.hcl"},
 		{Data: dt3, Name: "c3.hcl"},
@@ -1050,7 +1050,7 @@ func TestHCLMatrixArgsOverride(t *testing.T) {
 	}
 	`)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "docker-bake.hcl"},
 	}, map[string]string{"ABC": "11,22,33"})
 	require.NoError(t, err)
@@ -1236,7 +1236,7 @@ services:
        v2: "bar"
 `)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 		{Data: dt2, Name: "c2.yml"},
 	}, nil)
@@ -1258,7 +1258,7 @@ func TestHCLBuiltinVars(t *testing.T) {
 		}
 		`)

-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
 	}, map[string]string{
 		"BAKE_CMD_CONTEXT": "foo",
@@ -1272,7 +1272,7 @@ func TestHCLBuiltinVars(t *testing.T) {
 }

 func TestCombineHCLAndJSONTargets(t *testing.T) {
-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{
 			Name: "docker-bake.hcl",
 			Data: []byte(`
@@ -1348,7 +1348,7 @@ target "b" {
 }

 func TestCombineHCLAndJSONVars(t *testing.T) {
-	c, err := ParseFiles([]File{
+	c, _, err := ParseFiles([]File{
 		{
 			Name: "docker-bake.hcl",
 			Data: []byte(`
@@ -1445,6 +1445,39 @@ func TestVarUnsupportedType(t *testing.T) {
 	require.Error(t, err)
 }

+func TestHCLIndexOfFunc(t *testing.T) {
+	dt := []byte(`
+		variable "APP_VERSIONS" {
+		  default = [
+			"1.42.4",
+			"1.42.3"
+		  ]
+		}
+		target "default" {
+			args = {
+				APP_VERSION = app_version
+			}
+			matrix = {
+				app_version = APP_VERSIONS
+			}
+			name="app-${replace(app_version, ".", "-")}"
+			tags = [
+				"app:${app_version}",
+				indexof(APP_VERSIONS, app_version) == 0 ? "app:latest" : "",
+			]
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "app-1-42-4", c.Targets[0].Name)
+	require.Equal(t, "app:latest", c.Targets[0].Tags[1])
+	require.Equal(t, "app-1-42-3", c.Targets[1].Name)
+	require.Empty(t, c.Targets[1].Tags[1])
+}
+
 func ptrstr(s interface{}) *string {
 	var n *string
 	if reflect.ValueOf(s).Kind() == reflect.String {
--- a/bake/hclparser/hclparser.go
+++ b/bake/hclparser/hclparser.go
@@ -25,9 +25,11 @@ type Opt struct {
 }

 type variable struct {
-	Name    string         `json:"-" hcl:"name,label"`
-	Default *hcl.Attribute `json:"default,omitempty" hcl:"default,optional"`
-	Body    hcl.Body       `json:"-" hcl:",body"`
+	Name        string         `json:"-" hcl:"name,label"`
+	Default     *hcl.Attribute `json:"default,omitempty" hcl:"default,optional"`
+	Description string         `json:"description,omitempty" hcl:"description,optional"`
+	Body        hcl.Body       `json:"-" hcl:",body"`
+	Remain      hcl.Body       `json:"-" hcl:",remain"`
 }

 type functionDef struct {
@@ -73,7 +75,12 @@ type WithGetName interface {
 	GetName(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) (string, error)
 }

-var errUndefined = errors.New("undefined")
+// errUndefined is returned when a variable or function is not defined.
+type errUndefined struct{}
+
+func (errUndefined) Error() string {
+	return "undefined"
+}

 func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map[string]struct{}, allowMissing bool) hcl.Diagnostics {
 	fns, hcldiags := funcCalls(exp)
@@ -83,7 +90,7 @@ func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map

 	for _, fn := range fns {
 		if err := p.resolveFunction(ectx, fn); err != nil {
-			if allowMissing && errors.Is(err, errUndefined) {
+			if allowMissing && errors.Is(err, errUndefined{}) {
 				continue
 			}
 			return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
@@ -137,7 +144,7 @@ func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map
 			}
 			for _, block := range blocks {
 				if err := p.resolveBlock(block, target); err != nil {
-					if allowMissing && errors.Is(err, errUndefined) {
+					if allowMissing && errors.Is(err, errUndefined{}) {
 						continue
 					}
 					return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
@@ -145,7 +152,7 @@ func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map
 			}
 		} else {
 			if err := p.resolveValue(ectx, v.RootName()); err != nil {
-				if allowMissing && errors.Is(err, errUndefined) {
+				if allowMissing && errors.Is(err, errUndefined{}) {
 					continue
 				}
 				return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
@@ -167,7 +174,7 @@ func (p *parser) resolveFunction(ectx *hcl.EvalContext, name string) error {
 	}
 	f, ok := p.funcs[name]
 	if !ok {
-		return errors.Wrapf(errUndefined, "function %q does not exist", name)
+		return errors.Wrapf(errUndefined{}, "function %q does not exist", name)
 	}
 	if _, ok := p.progressF[key(ectx, name)]; ok {
 		return errors.Errorf("function cycle not allowed for %s", name)
@@ -257,7 +264,7 @@ func (p *parser) resolveValue(ectx *hcl.EvalContext, name string) (err error) {
 	if _, builtin := p.opt.Vars[name]; !ok && !builtin {
 		vr, ok := p.vars[name]
 		if !ok {
-			return errors.Wrapf(errUndefined, "variable %q does not exist", name)
+			return errors.Wrapf(errUndefined{}, "variable %q does not exist", name)
 		}
 		def = vr.Default
 		ectx = p.ectx
@@ -534,7 +541,18 @@ func (p *parser) resolveBlockNames(block *hcl.Block) ([]string, error) {
 	return names, nil
 }

-func Parse(b hcl.Body, opt Opt, val interface{}) (map[string]map[string][]string, hcl.Diagnostics) {
+type Variable struct {
+	Name        string
+	Description string
+	Value       *string
+}
+
+type ParseMeta struct {
+	Renamed      map[string]map[string][]string
+	AllVariables []*Variable
+}
+
+func Parse(b hcl.Body, opt Opt, val interface{}) (*ParseMeta, hcl.Diagnostics) {
 	reserved := map[string]struct{}{}
 	schema, _ := gohcl.ImpliedBodySchema(val)

@@ -643,6 +661,7 @@ func Parse(b hcl.Body, opt Opt, val interface{}) (map[string]map[string][]string
 		}
 	}

+	vars := make([]*Variable, 0, len(p.vars))
 	for k := range p.vars {
 		if err := p.resolveValue(p.ectx, k); err != nil {
 			if diags, ok := err.(hcl.Diagnostics); ok {
@@ -651,6 +670,21 @@ func Parse(b hcl.Body, opt Opt, val interface{}) (map[string]map[string][]string
 			r := p.vars[k].Body.MissingItemRange()
 			return nil, wrapErrorDiagnostic("Invalid value", err, &r, &r)
 		}
+		v := &Variable{
+			Name:        p.vars[k].Name,
+			Description: p.vars[k].Description,
+		}
+		if vv := p.ectx.Variables[k]; !vv.IsNull() {
+			var s string
+			switch vv.Type() {
+			case cty.String:
+				s = vv.AsString()
+			case cty.Bool:
+				s = strconv.FormatBool(vv.True())
+			}
+			v.Value = &s
+		}
+		vars = append(vars, v)
 	}

 	for k := range p.funcs {
@@ -795,7 +829,10 @@ func Parse(b hcl.Body, opt Opt, val interface{}) (map[string]map[string][]string
 		}
 	}

-	return renamed, nil
+	return &ParseMeta{
+		Renamed:      renamed,
+		AllVariables: vars,
+	}, nil
 }

 // wrapErrorDiagnostic wraps an error into a hcl.Diagnostics object.
--- a/bake/hclparser/merged.go
+++ b/bake/hclparser/merged.go
@@ -111,21 +111,19 @@ func (mb mergedBodies) JustAttributes() (hcl.Attributes, hcl.Diagnostics) {
 			diags = append(diags, thisDiags...)
 		}

-		if thisAttrs != nil {
-			for name, attr := range thisAttrs {
-				if existing := attrs[name]; existing != nil {
-					diags = diags.Append(&hcl.Diagnostic{
-						Severity: hcl.DiagError,
-						Summary:  "Duplicate argument",
-						Detail: fmt.Sprintf(
-							"Argument %q was already set at %s",
-							name, existing.NameRange.String(),
-						),
-						Subject: thisAttrs[name].NameRange.Ptr(),
-					})
-				}
-				attrs[name] = attr
+		for name, attr := range thisAttrs {
+			if existing := attrs[name]; existing != nil {
+				diags = diags.Append(&hcl.Diagnostic{
+					Severity: hcl.DiagError,
+					Summary:  "Duplicate argument",
+					Detail: fmt.Sprintf(
+						"Argument %q was already set at %s",
+						name, existing.NameRange.String(),
+					),
+					Subject: thisAttrs[name].NameRange.Ptr(),
+				})
 			}
+			attrs[name] = attr
 		}
 	}

--- a/bake/hclparser/stdlib.go
+++ b/bake/hclparser/stdlib.go
@@ -1,6 +1,9 @@
 package hclparser

 import (
+	"errors"
+	"path"
+	"strings"
 	"time"

 	"github.com/hashicorp/go-cty-funcs/cidr"
@@ -14,122 +17,246 @@ import (
 	"github.com/zclconf/go-cty/cty/function/stdlib"
 )

-var stdlibFunctions = map[string]function.Function{
-	"absolute":               stdlib.AbsoluteFunc,
-	"add":                    stdlib.AddFunc,
-	"and":                    stdlib.AndFunc,
-	"base64decode":           encoding.Base64DecodeFunc,
-	"base64encode":           encoding.Base64EncodeFunc,
-	"bcrypt":                 crypto.BcryptFunc,
-	"byteslen":               stdlib.BytesLenFunc,
-	"bytesslice":             stdlib.BytesSliceFunc,
-	"can":                    tryfunc.CanFunc,
-	"ceil":                   stdlib.CeilFunc,
-	"chomp":                  stdlib.ChompFunc,
-	"chunklist":              stdlib.ChunklistFunc,
-	"cidrhost":               cidr.HostFunc,
-	"cidrnetmask":            cidr.NetmaskFunc,
-	"cidrsubnet":             cidr.SubnetFunc,
-	"cidrsubnets":            cidr.SubnetsFunc,
-	"coalesce":               stdlib.CoalesceFunc,
-	"coalescelist":           stdlib.CoalesceListFunc,
-	"compact":                stdlib.CompactFunc,
-	"concat":                 stdlib.ConcatFunc,
-	"contains":               stdlib.ContainsFunc,
-	"convert":                typeexpr.ConvertFunc,
-	"csvdecode":              stdlib.CSVDecodeFunc,
-	"distinct":               stdlib.DistinctFunc,
-	"divide":                 stdlib.DivideFunc,
-	"element":                stdlib.ElementFunc,
-	"equal":                  stdlib.EqualFunc,
-	"flatten":                stdlib.FlattenFunc,
-	"floor":                  stdlib.FloorFunc,
-	"format":                 stdlib.FormatFunc,
-	"formatdate":             stdlib.FormatDateFunc,
-	"formatlist":             stdlib.FormatListFunc,
-	"greaterthan":            stdlib.GreaterThanFunc,
-	"greaterthanorequalto":   stdlib.GreaterThanOrEqualToFunc,
-	"hasindex":               stdlib.HasIndexFunc,
-	"indent":                 stdlib.IndentFunc,
-	"index":                  stdlib.IndexFunc,
-	"int":                    stdlib.IntFunc,
-	"join":                   stdlib.JoinFunc,
-	"jsondecode":             stdlib.JSONDecodeFunc,
-	"jsonencode":             stdlib.JSONEncodeFunc,
-	"keys":                   stdlib.KeysFunc,
-	"length":                 stdlib.LengthFunc,
-	"lessthan":               stdlib.LessThanFunc,
-	"lessthanorequalto":      stdlib.LessThanOrEqualToFunc,
-	"log":                    stdlib.LogFunc,
-	"lookup":                 stdlib.LookupFunc,
-	"lower":                  stdlib.LowerFunc,
-	"max":                    stdlib.MaxFunc,
-	"md5":                    crypto.Md5Func,
-	"merge":                  stdlib.MergeFunc,
-	"min":                    stdlib.MinFunc,
-	"modulo":                 stdlib.ModuloFunc,
-	"multiply":               stdlib.MultiplyFunc,
-	"negate":                 stdlib.NegateFunc,
-	"not":                    stdlib.NotFunc,
-	"notequal":               stdlib.NotEqualFunc,
-	"or":                     stdlib.OrFunc,
-	"parseint":               stdlib.ParseIntFunc,
-	"pow":                    stdlib.PowFunc,
-	"range":                  stdlib.RangeFunc,
-	"regex_replace":          stdlib.RegexReplaceFunc,
-	"regex":                  stdlib.RegexFunc,
-	"regexall":               stdlib.RegexAllFunc,
-	"replace":                stdlib.ReplaceFunc,
-	"reverse":                stdlib.ReverseFunc,
-	"reverselist":            stdlib.ReverseListFunc,
-	"rsadecrypt":             crypto.RsaDecryptFunc,
-	"sethaselement":          stdlib.SetHasElementFunc,
-	"setintersection":        stdlib.SetIntersectionFunc,
-	"setproduct":             stdlib.SetProductFunc,
-	"setsubtract":            stdlib.SetSubtractFunc,
-	"setsymmetricdifference": stdlib.SetSymmetricDifferenceFunc,
-	"setunion":               stdlib.SetUnionFunc,
-	"sha1":                   crypto.Sha1Func,
-	"sha256":                 crypto.Sha256Func,
-	"sha512":                 crypto.Sha512Func,
-	"signum":                 stdlib.SignumFunc,
-	"slice":                  stdlib.SliceFunc,
-	"sort":                   stdlib.SortFunc,
-	"split":                  stdlib.SplitFunc,
-	"strlen":                 stdlib.StrlenFunc,
-	"substr":                 stdlib.SubstrFunc,
-	"subtract":               stdlib.SubtractFunc,
-	"timeadd":                stdlib.TimeAddFunc,
-	"timestamp":              timestampFunc,
-	"title":                  stdlib.TitleFunc,
-	"trim":                   stdlib.TrimFunc,
-	"trimprefix":             stdlib.TrimPrefixFunc,
-	"trimspace":              stdlib.TrimSpaceFunc,
-	"trimsuffix":             stdlib.TrimSuffixFunc,
-	"try":                    tryfunc.TryFunc,
-	"upper":                  stdlib.UpperFunc,
-	"urlencode":              encoding.URLEncodeFunc,
-	"uuidv4":                 uuid.V4Func,
-	"uuidv5":                 uuid.V5Func,
-	"values":                 stdlib.ValuesFunc,
-	"zipmap":                 stdlib.ZipmapFunc,
+type funcDef struct {
+	name    string
+	fn      function.Function
+	factory func() function.Function
+}
+
+var stdlibFunctions = []funcDef{
+	{name: "absolute", fn: stdlib.AbsoluteFunc},
+	{name: "add", fn: stdlib.AddFunc},
+	{name: "and", fn: stdlib.AndFunc},
+	{name: "base64decode", fn: encoding.Base64DecodeFunc},
+	{name: "base64encode", fn: encoding.Base64EncodeFunc},
+	{name: "basename", factory: basenameFunc},
+	{name: "bcrypt", fn: crypto.BcryptFunc},
+	{name: "byteslen", fn: stdlib.BytesLenFunc},
+	{name: "bytesslice", fn: stdlib.BytesSliceFunc},
+	{name: "can", fn: tryfunc.CanFunc},
+	{name: "ceil", fn: stdlib.CeilFunc},
+	{name: "chomp", fn: stdlib.ChompFunc},
+	{name: "chunklist", fn: stdlib.ChunklistFunc},
+	{name: "cidrhost", fn: cidr.HostFunc},
+	{name: "cidrnetmask", fn: cidr.NetmaskFunc},
+	{name: "cidrsubnet", fn: cidr.SubnetFunc},
+	{name: "cidrsubnets", fn: cidr.SubnetsFunc},
+	{name: "coalesce", fn: stdlib.CoalesceFunc},
+	{name: "coalescelist", fn: stdlib.CoalesceListFunc},
+	{name: "compact", fn: stdlib.CompactFunc},
+	{name: "concat", fn: stdlib.ConcatFunc},
+	{name: "contains", fn: stdlib.ContainsFunc},
+	{name: "convert", fn: typeexpr.ConvertFunc},
+	{name: "csvdecode", fn: stdlib.CSVDecodeFunc},
+	{name: "dirname", factory: dirnameFunc},
+	{name: "distinct", fn: stdlib.DistinctFunc},
+	{name: "divide", fn: stdlib.DivideFunc},
+	{name: "element", fn: stdlib.ElementFunc},
+	{name: "equal", fn: stdlib.EqualFunc},
+	{name: "flatten", fn: stdlib.FlattenFunc},
+	{name: "floor", fn: stdlib.FloorFunc},
+	{name: "format", fn: stdlib.FormatFunc},
+	{name: "formatdate", fn: stdlib.FormatDateFunc},
+	{name: "formatlist", fn: stdlib.FormatListFunc},
+	{name: "greaterthan", fn: stdlib.GreaterThanFunc},
+	{name: "greaterthanorequalto", fn: stdlib.GreaterThanOrEqualToFunc},
+	{name: "hasindex", fn: stdlib.HasIndexFunc},
+	{name: "indent", fn: stdlib.IndentFunc},
+	{name: "index", fn: stdlib.IndexFunc},
+	{name: "indexof", factory: indexOfFunc},
+	{name: "int", fn: stdlib.IntFunc},
+	{name: "join", fn: stdlib.JoinFunc},
+	{name: "jsondecode", fn: stdlib.JSONDecodeFunc},
+	{name: "jsonencode", fn: stdlib.JSONEncodeFunc},
+	{name: "keys", fn: stdlib.KeysFunc},
+	{name: "length", fn: stdlib.LengthFunc},
+	{name: "lessthan", fn: stdlib.LessThanFunc},
+	{name: "lessthanorequalto", fn: stdlib.LessThanOrEqualToFunc},
+	{name: "log", fn: stdlib.LogFunc},
+	{name: "lookup", fn: stdlib.LookupFunc},
+	{name: "lower", fn: stdlib.LowerFunc},
+	{name: "max", fn: stdlib.MaxFunc},
+	{name: "md5", fn: crypto.Md5Func},
+	{name: "merge", fn: stdlib.MergeFunc},
+	{name: "min", fn: stdlib.MinFunc},
+	{name: "modulo", fn: stdlib.ModuloFunc},
+	{name: "multiply", fn: stdlib.MultiplyFunc},
+	{name: "negate", fn: stdlib.NegateFunc},
+	{name: "not", fn: stdlib.NotFunc},
+	{name: "notequal", fn: stdlib.NotEqualFunc},
+	{name: "or", fn: stdlib.OrFunc},
+	{name: "parseint", fn: stdlib.ParseIntFunc},
+	{name: "pow", fn: stdlib.PowFunc},
+	{name: "range", fn: stdlib.RangeFunc},
+	{name: "regex_replace", fn: stdlib.RegexReplaceFunc},
+	{name: "regex", fn: stdlib.RegexFunc},
+	{name: "regexall", fn: stdlib.RegexAllFunc},
+	{name: "replace", fn: stdlib.ReplaceFunc},
+	{name: "reverse", fn: stdlib.ReverseFunc},
+	{name: "reverselist", fn: stdlib.ReverseListFunc},
+	{name: "rsadecrypt", fn: crypto.RsaDecryptFunc},
+	{name: "sanitize", factory: sanitizeFunc},
+	{name: "sethaselement", fn: stdlib.SetHasElementFunc},
+	{name: "setintersection", fn: stdlib.SetIntersectionFunc},
+	{name: "setproduct", fn: stdlib.SetProductFunc},
+	{name: "setsubtract", fn: stdlib.SetSubtractFunc},
+	{name: "setsymmetricdifference", fn: stdlib.SetSymmetricDifferenceFunc},
+	{name: "setunion", fn: stdlib.SetUnionFunc},
+	{name: "sha1", fn: crypto.Sha1Func},
+	{name: "sha256", fn: crypto.Sha256Func},
+	{name: "sha512", fn: crypto.Sha512Func},
+	{name: "signum", fn: stdlib.SignumFunc},
+	{name: "slice", fn: stdlib.SliceFunc},
+	{name: "sort", fn: stdlib.SortFunc},
+	{name: "split", fn: stdlib.SplitFunc},
+	{name: "strlen", fn: stdlib.StrlenFunc},
+	{name: "substr", fn: stdlib.SubstrFunc},
+	{name: "subtract", fn: stdlib.SubtractFunc},
+	{name: "timeadd", fn: stdlib.TimeAddFunc},
+	{name: "timestamp", factory: timestampFunc},
+	{name: "title", fn: stdlib.TitleFunc},
+	{name: "trim", fn: stdlib.TrimFunc},
+	{name: "trimprefix", fn: stdlib.TrimPrefixFunc},
+	{name: "trimspace", fn: stdlib.TrimSpaceFunc},
+	{name: "trimsuffix", fn: stdlib.TrimSuffixFunc},
+	{name: "try", fn: tryfunc.TryFunc},
+	{name: "upper", fn: stdlib.UpperFunc},
+	{name: "urlencode", fn: encoding.URLEncodeFunc},
+	{name: "uuidv4", fn: uuid.V4Func},
+	{name: "uuidv5", fn: uuid.V5Func},
+	{name: "values", fn: stdlib.ValuesFunc},
+	{name: "zipmap", fn: stdlib.ZipmapFunc},
+}
+
+// indexOfFunc constructs a function that finds the element index for a given
+// value in a list.
+func indexOfFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "list",
+				Type: cty.DynamicPseudoType,
+			},
+			{
+				Name: "value",
+				Type: cty.DynamicPseudoType,
+			},
+		},
+		Type: function.StaticReturnType(cty.Number),
+		Impl: func(args []cty.Value, retType cty.Type) (ret cty.Value, err error) {
+			if !(args[0].Type().IsListType() || args[0].Type().IsTupleType()) {
+				return cty.NilVal, errors.New("argument must be a list or tuple")
+			}
+
+			if !args[0].IsKnown() {
+				return cty.UnknownVal(cty.Number), nil
+			}
+
+			if args[0].LengthInt() == 0 { // Easy path
+				return cty.NilVal, errors.New("cannot search an empty list")
+			}
+
+			for it := args[0].ElementIterator(); it.Next(); {
+				i, v := it.Element()
+				eq, err := stdlib.Equal(v, args[1])
+				if err != nil {
+					return cty.NilVal, err
+				}
+				if !eq.IsKnown() {
+					return cty.UnknownVal(cty.Number), nil
+				}
+				if eq.True() {
+					return i, nil
+				}
+			}
+			return cty.NilVal, errors.New("item not found")
+
+		},
+	})
+}
+
+// basenameFunc constructs a function that returns the last element of a path.
+func basenameFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "path",
+				Type: cty.String,
+			},
+		},
+		Type: function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			in := args[0].AsString()
+			return cty.StringVal(path.Base(in)), nil
+		},
+	})
+}
+
+// dirnameFunc constructs a function that returns the directory of a path.
+func dirnameFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "path",
+				Type: cty.String,
+			},
+		},
+		Type: function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			in := args[0].AsString()
+			return cty.StringVal(path.Dir(in)), nil
+		},
+	})
+}
+
+// sanitizyFunc constructs a function that replaces all non-alphanumeric characters with a underscore,
+// leaving only characters that are valid for a Bake target name.
+func sanitizeFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{
+			{
+				Name: "name",
+				Type: cty.String,
+			},
+		},
+		Type: function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			in := args[0].AsString()
+			// only [a-zA-Z0-9_-]+ is allowed
+			var b strings.Builder
+			for _, r := range in {
+				if r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '_' || r == '-' {
+					b.WriteRune(r)
+				} else {
+					b.WriteRune('_')
+				}
+			}
+			return cty.StringVal(b.String()), nil
+		},
+	})
 }

 // timestampFunc constructs a function that returns a string representation of the current date and time.
 //
 // This function was imported from terraform's datetime utilities.
-var timestampFunc = function.New(&function.Spec{
-	Params: []function.Parameter{},
-	Type:   function.StaticReturnType(cty.String),
-	Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
-		return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
-	},
-})
+func timestampFunc() function.Function {
+	return function.New(&function.Spec{
+		Params: []function.Parameter{},
+		Type:   function.StaticReturnType(cty.String),
+		Impl: func(args []cty.Value, retType cty.Type) (cty.Value, error) {
+			return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
+		},
+	})
+}

 func Stdlib() map[string]function.Function {
 	funcs := make(map[string]function.Function, len(stdlibFunctions))
-	for k, v := range stdlibFunctions {
-		funcs[k] = v
+	for _, v := range stdlibFunctions {
+		if v.factory != nil {
+			funcs[v.name] = v.factory()
+		} else {
+			funcs[v.name] = v.fn
+		}
 	}
 	return funcs
 }
--- a/bake/hclparser/stdlib_test.go
+++ b/bake/hclparser/stdlib_test.go
@@ -0,0 +1,199 @@
+package hclparser
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"github.com/zclconf/go-cty/cty"
+)
+
+func TestIndexOf(t *testing.T) {
+	type testCase struct {
+		input   cty.Value
+		key     cty.Value
+		want    cty.Value
+		wantErr bool
+	}
+	tests := map[string]testCase{
+		"index 0": {
+			input: cty.TupleVal([]cty.Value{cty.StringVal("one"), cty.NumberIntVal(2.0), cty.NumberIntVal(3), cty.StringVal("four")}),
+			key:   cty.StringVal("one"),
+			want:  cty.NumberIntVal(0),
+		},
+		"index 3": {
+			input: cty.TupleVal([]cty.Value{cty.StringVal("one"), cty.NumberIntVal(2.0), cty.NumberIntVal(3), cty.StringVal("four")}),
+			key:   cty.StringVal("four"),
+			want:  cty.NumberIntVal(3),
+		},
+		"index -1": {
+			input:   cty.TupleVal([]cty.Value{cty.StringVal("one"), cty.NumberIntVal(2.0), cty.NumberIntVal(3), cty.StringVal("four")}),
+			key:     cty.StringVal("3"),
+			wantErr: true,
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := indexOfFunc().Call([]cty.Value{test.input, test.key})
+			if test.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, test.want, got)
+			}
+		})
+	}
+}
+
+func TestBasename(t *testing.T) {
+	type testCase struct {
+		input   cty.Value
+		want    cty.Value
+		wantErr bool
+	}
+	tests := map[string]testCase{
+		"empty": {
+			input: cty.StringVal(""),
+			want:  cty.StringVal("."),
+		},
+		"slash": {
+			input: cty.StringVal("/"),
+			want:  cty.StringVal("/"),
+		},
+		"simple": {
+			input: cty.StringVal("/foo/bar"),
+			want:  cty.StringVal("bar"),
+		},
+		"simple no slash": {
+			input: cty.StringVal("foo/bar"),
+			want:  cty.StringVal("bar"),
+		},
+		"dot": {
+			input: cty.StringVal("/foo/bar."),
+			want:  cty.StringVal("bar."),
+		},
+		"dotdot": {
+			input: cty.StringVal("/foo/bar.."),
+			want:  cty.StringVal("bar.."),
+		},
+		"dotdotdot": {
+			input: cty.StringVal("/foo/bar..."),
+			want:  cty.StringVal("bar..."),
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := basenameFunc().Call([]cty.Value{test.input})
+			if test.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, test.want, got)
+			}
+		})
+	}
+}
+
+func TestDirname(t *testing.T) {
+	type testCase struct {
+		input   cty.Value
+		want    cty.Value
+		wantErr bool
+	}
+	tests := map[string]testCase{
+		"empty": {
+			input: cty.StringVal(""),
+			want:  cty.StringVal("."),
+		},
+		"slash": {
+			input: cty.StringVal("/"),
+			want:  cty.StringVal("/"),
+		},
+		"simple": {
+			input: cty.StringVal("/foo/bar"),
+			want:  cty.StringVal("/foo"),
+		},
+		"simple no slash": {
+			input: cty.StringVal("foo/bar"),
+			want:  cty.StringVal("foo"),
+		},
+		"dot": {
+			input: cty.StringVal("/foo/bar."),
+			want:  cty.StringVal("/foo"),
+		},
+		"dotdot": {
+			input: cty.StringVal("/foo/bar.."),
+			want:  cty.StringVal("/foo"),
+		},
+		"dotdotdot": {
+			input: cty.StringVal("/foo/bar..."),
+			want:  cty.StringVal("/foo"),
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := dirnameFunc().Call([]cty.Value{test.input})
+			if test.wantErr {
+				require.Error(t, err)
+			} else {
+				require.NoError(t, err)
+				require.Equal(t, test.want, got)
+			}
+		})
+	}
+}
+
+func TestSanitize(t *testing.T) {
+	type testCase struct {
+		input cty.Value
+		want  cty.Value
+	}
+	tests := map[string]testCase{
+		"empty": {
+			input: cty.StringVal(""),
+			want:  cty.StringVal(""),
+		},
+		"simple": {
+			input: cty.StringVal("foo/bar"),
+			want:  cty.StringVal("foo_bar"),
+		},
+		"simple no slash": {
+			input: cty.StringVal("foobar"),
+			want:  cty.StringVal("foobar"),
+		},
+		"dot": {
+			input: cty.StringVal("foo/bar."),
+			want:  cty.StringVal("foo_bar_"),
+		},
+		"dotdot": {
+			input: cty.StringVal("foo/bar.."),
+			want:  cty.StringVal("foo_bar__"),
+		},
+		"dotdotdot": {
+			input: cty.StringVal("foo/bar..."),
+			want:  cty.StringVal("foo_bar___"),
+		},
+		"utf8": {
+			input: cty.StringVal("foo/🍕bar"),
+			want:  cty.StringVal("foo__bar"),
+		},
+		"symbols": {
+			input: cty.StringVal("foo/bar!@(ba+z)"),
+			want:  cty.StringVal("foo_bar___ba_z_"),
+		},
+	}
+
+	for name, test := range tests {
+		name, test := name, test
+		t.Run(name, func(t *testing.T) {
+			got, err := sanitizeFunc().Call([]cty.Value{test.input})
+			require.NoError(t, err)
+			require.Equal(t, test.want, got)
+		})
+	}
+}
--- a/bake/remote.go
+++ b/bake/remote.go
@@ -4,6 +4,8 @@ import (
 	"archive/tar"
 	"bytes"
 	"context"
+	"os"
+	"strings"

 	"github.com/docker/buildx/builder"
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -23,13 +25,34 @@ type Input struct {
 }

 func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, names []string, pw progress.Writer) ([]File, *Input, error) {
-	var session []session.Attachable
+	var sessions []session.Attachable
 	var filename string
+
 	st, ok := dockerui.DetectGitContext(url, false)
 	if ok {
-		ssh, err := controllerapi.CreateSSH([]*controllerapi.SSH{{ID: "default"}})
-		if err == nil {
-			session = append(session, ssh)
+		if ssh, err := controllerapi.CreateSSH([]*controllerapi.SSH{{
+			ID:    "default",
+			Paths: strings.Split(os.Getenv("BUILDX_BAKE_GIT_SSH"), ","),
+		}}); err == nil {
+			sessions = append(sessions, ssh)
+		}
+		var gitAuthSecrets []*controllerapi.Secret
+		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_TOKEN"); ok {
+			gitAuthSecrets = append(gitAuthSecrets, &controllerapi.Secret{
+				ID:  llb.GitAuthTokenKey,
+				Env: "BUILDX_BAKE_GIT_AUTH_TOKEN",
+			})
+		}
+		if _, ok := os.LookupEnv("BUILDX_BAKE_GIT_AUTH_HEADER"); ok {
+			gitAuthSecrets = append(gitAuthSecrets, &controllerapi.Secret{
+				ID:  llb.GitAuthHeaderKey,
+				Env: "BUILDX_BAKE_GIT_AUTH_HEADER",
+			})
+		}
+		if len(gitAuthSecrets) > 0 {
+			if secrets, err := controllerapi.CreateSecrets(gitAuthSecrets); err == nil {
+				sessions = append(sessions, secrets)
+			}
 		}
 	} else {
 		st, filename, ok = dockerui.DetectHTTPContext(url)
@@ -59,7 +82,7 @@ func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, name

 	ch, done := progress.NewChannel(pw)
 	defer func() { <-done }()
-	_, err = c.Build(ctx, client.SolveOpt{Session: session, Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+	_, err = c.Build(ctx, client.SolveOpt{Session: sessions, Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 		def, err := st.Marshal(ctx)
 		if err != nil {
 			return nil, err
--- a/build/build.go
+++ b/build/build.go
--- a/build/dial.go
+++ b/build/dial.go
@@ -5,7 +5,7 @@ import (
 	stderrors "errors"
 	"net"

-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/util/progress"
 	v1 "github.com/opencontainers/image-spec/specs-go/v1"
--- a/build/driver.go
+++ b/build/driver.go
@@ -3,8 +3,9 @@ package build
 import (
 	"context"
 	"fmt"
+	"sync"

-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/util/progress"
@@ -46,10 +47,22 @@ func (dp resolvedNode) BuildOpts(ctx context.Context) (gateway.BuildOpts, error)

 type matchMaker func(specs.Platform) platforms.MatchComparer

+type cachedGroup[T any] struct {
+	g       flightcontrol.Group[T]
+	cache   map[int]T
+	cacheMu sync.Mutex
+}
+
+func newCachedGroup[T any]() cachedGroup[T] {
+	return cachedGroup[T]{
+		cache: map[int]T{},
+	}
+}
+
 type nodeResolver struct {
-	nodes   []builder.Node
-	clients flightcontrol.Group[*client.Client]
-	opt     flightcontrol.Group[gateway.BuildOpts]
+	nodes     []builder.Node
+	clients   cachedGroup[*client.Client]
+	buildOpts cachedGroup[gateway.BuildOpts]
 }

 func resolveDrivers(ctx context.Context, nodes []builder.Node, opt map[string]Options, pw progress.Writer) (map[string][]*resolvedNode, error) {
@@ -63,7 +76,9 @@ func resolveDrivers(ctx context.Context, nodes []builder.Node, opt map[string]Op

 func newDriverResolver(nodes []builder.Node) *nodeResolver {
 	r := &nodeResolver{
-		nodes: nodes,
+		nodes:     nodes,
+		clients:   newCachedGroup[*client.Client](),
+		buildOpts: newCachedGroup[gateway.BuildOpts](),
 	}
 	return r
 }
@@ -179,6 +194,7 @@ func (r *nodeResolver) resolve(ctx context.Context, ps []specs.Platform, pw prog
 			resolver:    r,
 			driverIndex: 0,
 		})
+		nodeIdxs = append(nodeIdxs, 0)
 	} else {
 		for i, idx := range nodeIdxs {
 			node := &resolvedNode{
@@ -237,11 +253,24 @@ func (r *nodeResolver) boot(ctx context.Context, idxs []int, pw progress.Writer)
 	for i, idx := range idxs {
 		i, idx := i, idx
 		eg.Go(func() error {
-			c, err := r.clients.Do(ctx, fmt.Sprint(idx), func(ctx context.Context) (*client.Client, error) {
+			c, err := r.clients.g.Do(ctx, fmt.Sprint(idx), func(ctx context.Context) (*client.Client, error) {
 				if r.nodes[idx].Driver == nil {
 					return nil, nil
 				}
-				return driver.Boot(ctx, baseCtx, r.nodes[idx].Driver, pw)
+				r.clients.cacheMu.Lock()
+				c, ok := r.clients.cache[idx]
+				r.clients.cacheMu.Unlock()
+				if ok {
+					return c, nil
+				}
+				c, err := driver.Boot(ctx, baseCtx, r.nodes[idx].Driver, pw)
+				if err != nil {
+					return nil, err
+				}
+				r.clients.cacheMu.Lock()
+				r.clients.cache[idx] = c
+				r.clients.cacheMu.Unlock()
+				return c, nil
 			})
 			if err != nil {
 				return err
@@ -272,14 +301,25 @@ func (r *nodeResolver) opts(ctx context.Context, idxs []int, pw progress.Writer)
 			continue
 		}
 		eg.Go(func() error {
-			opt, err := r.opt.Do(ctx, fmt.Sprint(idx), func(ctx context.Context) (gateway.BuildOpts, error) {
-				opt := gateway.BuildOpts{}
+			opt, err := r.buildOpts.g.Do(ctx, fmt.Sprint(idx), func(ctx context.Context) (gateway.BuildOpts, error) {
+				r.buildOpts.cacheMu.Lock()
+				opt, ok := r.buildOpts.cache[idx]
+				r.buildOpts.cacheMu.Unlock()
+				if ok {
+					return opt, nil
+				}
 				_, err := c.Build(ctx, client.SolveOpt{
 					Internal: true,
 				}, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
 					opt = c.BuildOpts()
 					return nil, nil
 				}, nil)
+				if err != nil {
+					return gateway.BuildOpts{}, err
+				}
+				r.buildOpts.cacheMu.Lock()
+				r.buildOpts.cache[idx] = opt
+				r.buildOpts.cacheMu.Unlock()
 				return opt, err
 			})
 			if err != nil {
--- a/build/driver_test.go
+++ b/build/driver_test.go
@@ -5,7 +5,7 @@ import (
 	"sort"
 	"testing"

-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/docker/buildx/builder"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/stretchr/testify/require"
--- a/build/git.go
+++ b/build/git.go
@@ -17,10 +17,19 @@ import (

 const DockerfileLabel = "com.docker.image.source.entrypoint"

-func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (map[string]string, func(*client.SolveOpt), error) {
-	res := make(map[string]string)
+type gitAttrsAppendFunc func(so *client.SolveOpt)
+
+func gitAppendNoneFunc(_ *client.SolveOpt) {}
+
+func getGitAttributes(ctx context.Context, contextPath, dockerfilePath string) (f gitAttrsAppendFunc, err error) {
+	defer func() {
+		if f == nil {
+			f = gitAppendNoneFunc
+		}
+	}()
+
 	if contextPath == "" {
-		return nil, nil, nil
+		return nil, nil
 	}

 	setGitLabels := false
@@ -39,7 +48,7 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	}

 	if !setGitLabels && !setGitInfo {
-		return nil, nil, nil
+		return nil, nil
 	}

 	// figure out in which directory the git command needs to run in
@@ -54,25 +63,27 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 	gitc, err := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
 	if err != nil {
 		if st, err1 := os.Stat(path.Join(wd, ".git")); err1 == nil && st.IsDir() {
-			return res, nil, errors.Wrap(err, "git was not found in the system")
+			return nil, errors.Wrap(err, "git was not found in the system")
 		}
-		return nil, nil, nil
+		return nil, nil
 	}

 	if !gitc.IsInsideWorkTree() {
 		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
-			return res, nil, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
+			return nil, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
 		}
-		return nil, nil, nil
+		return nil, nil
 	}

 	root, err := gitc.RootDir()
 	if err != nil {
-		return res, nil, errors.Wrap(err, "failed to get git root dir")
+		return nil, errors.Wrap(err, "failed to get git root dir")
 	}

+	res := make(map[string]string)
+
 	if sha, err := gitc.FullCommit(); err != nil && !gitutil.IsUnknownRevision(err) {
-		return res, nil, errors.Wrap(err, "failed to get git commit")
+		return nil, errors.Wrap(err, "failed to get git commit")
 	} else if sha != "" {
 		checkDirty := false
 		if v, ok := os.LookupEnv("BUILDX_GIT_CHECK_DIRTY"); ok {
@@ -112,12 +123,24 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 		}
 	}

-	return res, func(so *client.SolveOpt) {
+	return func(so *client.SolveOpt) {
+		if so.FrontendAttrs == nil {
+			so.FrontendAttrs = make(map[string]string)
+		}
+		for k, v := range res {
+			so.FrontendAttrs[k] = v
+		}
+
 		if !setGitInfo || root == "" {
 			return
 		}
-		for k, dir := range so.LocalDirs {
-			dir, err = filepath.EvalSymlinks(dir)
+
+		for key, mount := range so.LocalMounts {
+			fs, ok := mount.(*fs)
+			if !ok {
+				continue
+			}
+			dir, err := filepath.EvalSymlinks(fs.dir) // keep same behavior as fsutil.NewFS
 			if err != nil {
 				continue
 			}
@@ -130,7 +153,7 @@ func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath st
 			}
 			dir = osutil.SanitizePath(dir)
 			if r, err := filepath.Rel(root, dir); err == nil && !strings.HasPrefix(r, "..") {
-				so.FrontendAttrs["vcs:localdir:"+k] = r
+				so.FrontendAttrs["vcs:localdir:"+key] = r
 			}
 		}
 	}, nil
--- a/build/git_test.go
+++ b/build/git_test.go
@@ -31,7 +31,7 @@ func setupTest(tb testing.TB) {
 }

 func TestGetGitAttributesNotGitRepo(t *testing.T) {
-	_, _, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
+	_, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
 	assert.NoError(t, err)
 }

@@ -39,16 +39,18 @@ func TestGetGitAttributesBadGitRepo(t *testing.T) {
 	tmp := t.TempDir()
 	require.NoError(t, os.MkdirAll(path.Join(tmp, ".git"), 0755))

-	_, _, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
+	_, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
 	assert.Error(t, err)
 }

 func TestGetGitAttributesNoContext(t *testing.T) {
 	setupTest(t)

-	gitattrs, _, err := getGitAttributes(context.Background(), "", "Dockerfile")
+	addGitAttrs, err := getGitAttributes(context.Background(), "", "Dockerfile")
 	assert.NoError(t, err)
-	assert.Empty(t, gitattrs)
+	var so client.SolveOpt
+	addGitAttrs(&so)
+	assert.Empty(t, so.FrontendAttrs)
 }

 func TestGetGitAttributes(t *testing.T) {
@@ -115,15 +117,17 @@ func TestGetGitAttributes(t *testing.T) {
 			if tt.envGitInfo != "" {
 				t.Setenv("BUILDX_GIT_INFO", tt.envGitInfo)
 			}
-			gitattrs, _, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+			addGitAttrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
 			require.NoError(t, err)
+			var so client.SolveOpt
+			addGitAttrs(&so)
 			for _, e := range tt.expected {
-				assert.Contains(t, gitattrs, e)
-				assert.NotEmpty(t, gitattrs[e])
+				assert.Contains(t, so.FrontendAttrs, e)
+				assert.NotEmpty(t, so.FrontendAttrs[e])
 				if e == "label:"+DockerfileLabel {
-					assert.Equal(t, "Dockerfile", gitattrs[e])
+					assert.Equal(t, "Dockerfile", so.FrontendAttrs[e])
 				} else if e == "label:"+specs.AnnotationSource || e == "vcs:source" {
-					assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs[e])
+					assert.Equal(t, "git@github.com:docker/buildx.git", so.FrontendAttrs[e])
 				}
 			}
 		})
@@ -140,20 +144,25 @@ func TestGetGitAttributesDirty(t *testing.T) {
 	require.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))

 	t.Setenv("BUILDX_GIT_LABELS", "true")
-	gitattrs, _, _ := getGitAttributes(context.Background(), ".", "Dockerfile")
-	assert.Equal(t, 5, len(gitattrs))
+	addGitAttrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+	require.NoError(t, err)

-	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
-	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
-	assert.Contains(t, gitattrs, "label:"+specs.AnnotationSource)
-	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["label:"+specs.AnnotationSource])
-	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
-	assert.True(t, strings.HasSuffix(gitattrs["label:"+specs.AnnotationRevision], "-dirty"))
+	var so client.SolveOpt
+	addGitAttrs(&so)

-	assert.Contains(t, gitattrs, "vcs:source")
-	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["vcs:source"])
-	assert.Contains(t, gitattrs, "vcs:revision")
-	assert.True(t, strings.HasSuffix(gitattrs["vcs:revision"], "-dirty"))
+	assert.Equal(t, 5, len(so.FrontendAttrs))
+
+	assert.Contains(t, so.FrontendAttrs, "label:"+DockerfileLabel)
+	assert.Equal(t, "Dockerfile", so.FrontendAttrs["label:"+DockerfileLabel])
+	assert.Contains(t, so.FrontendAttrs, "label:"+specs.AnnotationSource)
+	assert.Equal(t, "git@github.com:docker/buildx.git", so.FrontendAttrs["label:"+specs.AnnotationSource])
+	assert.Contains(t, so.FrontendAttrs, "label:"+specs.AnnotationRevision)
+	assert.True(t, strings.HasSuffix(so.FrontendAttrs["label:"+specs.AnnotationRevision], "-dirty"))
+
+	assert.Contains(t, so.FrontendAttrs, "vcs:source")
+	assert.Equal(t, "git@github.com:docker/buildx.git", so.FrontendAttrs["vcs:source"])
+	assert.Contains(t, so.FrontendAttrs, "vcs:revision")
+	assert.True(t, strings.HasSuffix(so.FrontendAttrs["vcs:revision"], "-dirty"))
 }

 func TestLocalDirs(t *testing.T) {
@@ -161,19 +170,19 @@ func TestLocalDirs(t *testing.T) {

 	so := &client.SolveOpt{
 		FrontendAttrs: map[string]string{},
-		LocalDirs: map[string]string{
-			"context":    ".",
-			"dockerfile": ".",
-		},
 	}

-	_, addVCSLocalDir, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+	addGitAttrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
 	require.NoError(t, err)
-	require.NotNil(t, addVCSLocalDir)

-	addVCSLocalDir(so)
+	require.NoError(t, setLocalMount("context", ".", so))
+	require.NoError(t, setLocalMount("dockerfile", ".", so))
+
+	addGitAttrs(so)
+
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:context")
 	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:context"])
+
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:dockerfile")
 	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:dockerfile"])
 }
@@ -195,19 +204,18 @@ func TestLocalDirsSub(t *testing.T) {

 	so := &client.SolveOpt{
 		FrontendAttrs: map[string]string{},
-		LocalDirs: map[string]string{
-			"context":    ".",
-			"dockerfile": "app",
-		},
 	}
+	require.NoError(t, setLocalMount("context", ".", so))
+	require.NoError(t, setLocalMount("dockerfile", "app", so))

-	_, addVCSLocalDir, err := getGitAttributes(context.Background(), ".", "app/Dockerfile")
+	addGitAttrs, err := getGitAttributes(context.Background(), ".", "app/Dockerfile")
 	require.NoError(t, err)
-	require.NotNil(t, addVCSLocalDir)

-	addVCSLocalDir(so)
+	addGitAttrs(so)
+
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:context")
 	assert.Equal(t, ".", so.FrontendAttrs["vcs:localdir:context"])
+
 	require.Contains(t, so.FrontendAttrs, "vcs:localdir:dockerfile")
 	assert.Equal(t, "app", so.FrontendAttrs["vcs:localdir:dockerfile"])
 }
--- a/build/invoke.go
+++ b/build/invoke.go
@@ -37,7 +37,7 @@ func NewContainer(ctx context.Context, resultCtx *ResultHandle, cfg *controllera
 				cancel()
 			}()

-			containerCfg, err := resultCtx.getContainerConfig(ctx, c, cfg)
+			containerCfg, err := resultCtx.getContainerConfig(cfg)
 			if err != nil {
 				return nil, err
 			}
--- a/build/localstate.go
+++ b/build/localstate.go
@@ -15,29 +15,29 @@ func saveLocalState(so *client.SolveOpt, target string, opts Options, node build
 	}
 	lp := opts.Inputs.ContextPath
 	dp := opts.Inputs.DockerfilePath
-	if lp != "" || dp != "" {
-		if lp != "" {
-			lp, err = filepath.Abs(lp)
-			if err != nil {
-				return err
-			}
-		}
-		if dp != "" {
-			dp, err = filepath.Abs(dp)
-			if err != nil {
-				return err
-			}
-		}
-		l, err := localstate.New(configDir)
+	if dp != "" && !IsRemoteURL(lp) && lp != "-" && dp != "-" {
+		dp, err = filepath.Abs(dp)
 		if err != nil {
 			return err
 		}
-		return l.SaveRef(node.Builder, node.Name, so.Ref, localstate.State{
-			Target:         target,
-			LocalPath:      lp,
-			DockerfilePath: dp,
-			GroupRef:       opts.GroupRef,
-		})
 	}
-	return nil
+	if lp != "" && !IsRemoteURL(lp) && lp != "-" {
+		lp, err = filepath.Abs(lp)
+		if err != nil {
+			return err
+		}
+	}
+	if lp == "" && dp == "" {
+		return nil
+	}
+	l, err := localstate.New(configDir)
+	if err != nil {
+		return err
+	}
+	return l.SaveRef(node.Builder, node.Name, so.Ref, localstate.State{
+		Target:         target,
+		LocalPath:      lp,
+		DockerfilePath: dp,
+		GroupRef:       opts.GroupRef,
+	})
 }
--- a/build/opt.go
+++ b/build/opt.go
@@ -0,0 +1,648 @@
+package build
+
+import (
+	"bytes"
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"slices"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/local"
+	"github.com/containerd/platforms"
+	"github.com/distribution/reference"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/osutil"
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/client/ociindex"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/session/upload/uploadprovider"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/util/apicaps"
+	"github.com/moby/buildkit/util/entitlements"
+	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
+	"github.com/tonistiigi/fsutil"
+)
+
+func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Options, bopts gateway.BuildOpts, configDir string, pw progress.Writer, docker *dockerutil.Client) (_ *client.SolveOpt, release func(), err error) {
+	nodeDriver := node.Driver
+	defers := make([]func(), 0, 2)
+	releaseF := func() {
+		for _, f := range defers {
+			f()
+		}
+	}
+
+	defer func() {
+		if err != nil {
+			releaseF()
+		}
+	}()
+
+	// inline cache from build arg
+	if v, ok := opt.BuildArgs["BUILDKIT_INLINE_CACHE"]; ok {
+		if v, _ := strconv.ParseBool(v); v {
+			opt.CacheTo = append(opt.CacheTo, client.CacheOptionsEntry{
+				Type:  "inline",
+				Attrs: map[string]string{},
+			})
+		}
+	}
+
+	for _, e := range opt.CacheTo {
+		if e.Type != "inline" && !nodeDriver.Features(ctx)[driver.CacheExport] {
+			return nil, nil, notSupported(driver.CacheExport, nodeDriver, "https://docs.docker.com/go/build-cache-backends/")
+		}
+	}
+
+	cacheTo := make([]client.CacheOptionsEntry, 0, len(opt.CacheTo))
+	for _, e := range opt.CacheTo {
+		if e.Type == "gha" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.gha")) {
+				continue
+			}
+		} else if e.Type == "s3" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.s3")) {
+				continue
+			}
+		}
+		cacheTo = append(cacheTo, e)
+	}
+
+	cacheFrom := make([]client.CacheOptionsEntry, 0, len(opt.CacheFrom))
+	for _, e := range opt.CacheFrom {
+		if e.Type == "gha" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.gha")) {
+				continue
+			}
+		} else if e.Type == "s3" {
+			if !bopts.LLBCaps.Contains(apicaps.CapID("cache.s3")) {
+				continue
+			}
+		}
+		cacheFrom = append(cacheFrom, e)
+	}
+
+	so := client.SolveOpt{
+		Ref:                 opt.Ref,
+		Frontend:            "dockerfile.v0",
+		FrontendAttrs:       map[string]string{},
+		LocalMounts:         map[string]fsutil.FS{},
+		CacheExports:        cacheTo,
+		CacheImports:        cacheFrom,
+		AllowedEntitlements: opt.Allow,
+		SourcePolicy:        opt.SourcePolicy,
+	}
+
+	if opt.CgroupParent != "" {
+		so.FrontendAttrs["cgroup-parent"] = opt.CgroupParent
+	}
+
+	if v, ok := opt.BuildArgs["BUILDKIT_MULTI_PLATFORM"]; ok {
+		if v, _ := strconv.ParseBool(v); v {
+			so.FrontendAttrs["multi-platform"] = "true"
+		}
+	}
+
+	if multiDriver {
+		// force creation of manifest list
+		so.FrontendAttrs["multi-platform"] = "true"
+	}
+
+	attests := make(map[string]string)
+	for k, v := range opt.Attests {
+		if v != nil {
+			attests[k] = *v
+		}
+	}
+
+	supportAttestations := bopts.LLBCaps.Contains(apicaps.CapID("exporter.image.attestations")) && nodeDriver.Features(ctx)[driver.MultiPlatform]
+	if len(attests) > 0 {
+		if !supportAttestations {
+			if !nodeDriver.Features(ctx)[driver.MultiPlatform] {
+				return nil, nil, notSupported("Attestation", nodeDriver, "https://docs.docker.com/go/attestations/")
+			}
+			return nil, nil, errors.Errorf("Attestations are not supported by the current BuildKit daemon")
+		}
+		for k, v := range attests {
+			so.FrontendAttrs["attest:"+k] = v
+		}
+	}
+
+	if _, ok := opt.Attests["provenance"]; !ok && supportAttestations {
+		const noAttestEnv = "BUILDX_NO_DEFAULT_ATTESTATIONS"
+		var noProv bool
+		if v, ok := os.LookupEnv(noAttestEnv); ok {
+			noProv, err = strconv.ParseBool(v)
+			if err != nil {
+				return nil, nil, errors.Wrap(err, "invalid "+noAttestEnv)
+			}
+		}
+		if !noProv {
+			so.FrontendAttrs["attest:provenance"] = "mode=min,inline-only=true"
+		}
+	}
+
+	switch len(opt.Exports) {
+	case 1:
+		// valid
+	case 0:
+		if !noDefaultLoad() && opt.CallFunc == nil {
+			if nodeDriver.IsMobyDriver() {
+				// backwards compat for docker driver only:
+				// this ensures the build results in a docker image.
+				opt.Exports = []client.ExportEntry{{Type: "image", Attrs: map[string]string{}}}
+			} else if nodeDriver.Features(ctx)[driver.DefaultLoad] {
+				opt.Exports = []client.ExportEntry{{Type: "docker", Attrs: map[string]string{}}}
+			}
+		}
+	default:
+		if err := bopts.LLBCaps.Supports(pb.CapMultipleExporters); err != nil {
+			return nil, nil, errors.Errorf("multiple outputs currently unsupported by the current BuildKit daemon, please upgrade to version v0.13+ or use a single output")
+		}
+	}
+
+	// fill in image exporter names from tags
+	if len(opt.Tags) > 0 {
+		tags := make([]string, len(opt.Tags))
+		for i, tag := range opt.Tags {
+			ref, err := reference.Parse(tag)
+			if err != nil {
+				return nil, nil, errors.Wrapf(err, "invalid tag %q", tag)
+			}
+			tags[i] = ref.String()
+		}
+		for i, e := range opt.Exports {
+			switch e.Type {
+			case "image", "oci", "docker":
+				opt.Exports[i].Attrs["name"] = strings.Join(tags, ",")
+			}
+		}
+	} else {
+		for _, e := range opt.Exports {
+			if e.Type == "image" && e.Attrs["name"] == "" && e.Attrs["push"] != "" {
+				if ok, _ := strconv.ParseBool(e.Attrs["push"]); ok {
+					return nil, nil, errors.Errorf("tag is needed when pushing to registry")
+				}
+			}
+		}
+	}
+
+	// cacheonly is a fake exporter to opt out of default behaviors
+	exports := make([]client.ExportEntry, 0, len(opt.Exports))
+	for _, e := range opt.Exports {
+		if e.Type != "cacheonly" {
+			exports = append(exports, e)
+		}
+	}
+	opt.Exports = exports
+
+	// set up exporters
+	for i, e := range opt.Exports {
+		if e.Type == "oci" && !nodeDriver.Features(ctx)[driver.OCIExporter] {
+			return nil, nil, notSupported(driver.OCIExporter, nodeDriver, "https://docs.docker.com/go/build-exporters/")
+		}
+		if e.Type == "docker" {
+			features := docker.Features(ctx, e.Attrs["context"])
+			if features[dockerutil.OCIImporter] && e.Output == nil {
+				// rely on oci importer if available (which supports
+				// multi-platform images), otherwise fall back to docker
+				opt.Exports[i].Type = "oci"
+			} else if len(opt.Platforms) > 1 || len(attests) > 0 {
+				if e.Output != nil {
+					return nil, nil, errors.Errorf("docker exporter does not support exporting manifest lists, use the oci exporter instead")
+				}
+				return nil, nil, errors.Errorf("docker exporter does not currently support exporting manifest lists")
+			}
+			if e.Output == nil {
+				if nodeDriver.IsMobyDriver() {
+					e.Type = "image"
+				} else {
+					w, cancel, err := docker.LoadImage(ctx, e.Attrs["context"], pw)
+					if err != nil {
+						return nil, nil, err
+					}
+					defers = append(defers, cancel)
+					opt.Exports[i].Output = func(_ map[string]string) (io.WriteCloser, error) {
+						return w, nil
+					}
+				}
+			} else if !nodeDriver.Features(ctx)[driver.DockerExporter] {
+				return nil, nil, notSupported(driver.DockerExporter, nodeDriver, "https://docs.docker.com/go/build-exporters/")
+			}
+		}
+		if e.Type == "image" && nodeDriver.IsMobyDriver() {
+			opt.Exports[i].Type = "moby"
+			if e.Attrs["push"] != "" {
+				if ok, _ := strconv.ParseBool(e.Attrs["push"]); ok {
+					if ok, _ := strconv.ParseBool(e.Attrs["push-by-digest"]); ok {
+						return nil, nil, errors.Errorf("push-by-digest is currently not implemented for docker driver, please create a new builder instance")
+					}
+				}
+			}
+		}
+		if e.Type == "docker" || e.Type == "image" || e.Type == "oci" {
+			// inline buildinfo attrs from build arg
+			if v, ok := opt.BuildArgs["BUILDKIT_INLINE_BUILDINFO_ATTRS"]; ok {
+				opt.Exports[i].Attrs["buildinfo-attrs"] = v
+			}
+		}
+	}
+
+	so.Exports = opt.Exports
+	so.Session = slices.Clone(opt.Session)
+
+	releaseLoad, err := loadInputs(ctx, nodeDriver, opt.Inputs, pw, &so)
+	if err != nil {
+		return nil, nil, err
+	}
+	defers = append(defers, releaseLoad)
+
+	// add node identifier to shared key if one was specified
+	if so.SharedKey != "" {
+		so.SharedKey += ":" + confutil.TryNodeIdentifier(configDir)
+	}
+
+	if opt.Pull {
+		so.FrontendAttrs["image-resolve-mode"] = pb.AttrImageResolveModeForcePull
+	} else if nodeDriver.IsMobyDriver() {
+		// moby driver always resolves local images by default
+		so.FrontendAttrs["image-resolve-mode"] = pb.AttrImageResolveModePreferLocal
+	}
+	if opt.Target != "" {
+		so.FrontendAttrs["target"] = opt.Target
+	}
+	if len(opt.NoCacheFilter) > 0 {
+		so.FrontendAttrs["no-cache"] = strings.Join(opt.NoCacheFilter, ",")
+	}
+	if opt.NoCache {
+		so.FrontendAttrs["no-cache"] = ""
+	}
+	for k, v := range opt.BuildArgs {
+		so.FrontendAttrs["build-arg:"+k] = v
+	}
+	for k, v := range opt.Labels {
+		so.FrontendAttrs["label:"+k] = v
+	}
+
+	for k, v := range node.ProxyConfig {
+		if _, ok := opt.BuildArgs[k]; !ok {
+			so.FrontendAttrs["build-arg:"+k] = v
+		}
+	}
+
+	// set platforms
+	if len(opt.Platforms) != 0 {
+		pp := make([]string, len(opt.Platforms))
+		for i, p := range opt.Platforms {
+			pp[i] = platforms.Format(p)
+		}
+		if len(pp) > 1 && !nodeDriver.Features(ctx)[driver.MultiPlatform] {
+			return nil, nil, notSupported(driver.MultiPlatform, nodeDriver, "https://docs.docker.com/go/build-multi-platform/")
+		}
+		so.FrontendAttrs["platform"] = strings.Join(pp, ",")
+	}
+
+	// setup networkmode
+	switch opt.NetworkMode {
+	case "host":
+		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
+		so.AllowedEntitlements = append(so.AllowedEntitlements, entitlements.EntitlementNetworkHost)
+	case "none":
+		so.FrontendAttrs["force-network-mode"] = opt.NetworkMode
+	case "", "default":
+	default:
+		return nil, nil, errors.Errorf("network mode %q not supported by buildkit - you can define a custom network for your builder using the network driver-opt in buildx create", opt.NetworkMode)
+	}
+
+	// setup extrahosts
+	extraHosts, err := toBuildkitExtraHosts(ctx, opt.ExtraHosts, nodeDriver)
+	if err != nil {
+		return nil, nil, err
+	}
+	if len(extraHosts) > 0 {
+		so.FrontendAttrs["add-hosts"] = extraHosts
+	}
+
+	// setup shm size
+	if opt.ShmSize.Value() > 0 {
+		so.FrontendAttrs["shm-size"] = strconv.FormatInt(opt.ShmSize.Value(), 10)
+	}
+
+	// setup ulimits
+	ulimits, err := toBuildkitUlimits(opt.Ulimits)
+	if err != nil {
+		return nil, nil, err
+	} else if len(ulimits) > 0 {
+		so.FrontendAttrs["ulimit"] = ulimits
+	}
+
+	// mark call request as internal
+	if opt.CallFunc != nil {
+		so.Internal = true
+	}
+
+	return &so, releaseF, nil
+}
+
+func loadInputs(ctx context.Context, d *driver.DriverHandle, inp Inputs, pw progress.Writer, target *client.SolveOpt) (func(), error) {
+	if inp.ContextPath == "" {
+		return nil, errors.New("please specify build context (e.g. \".\" for the current directory)")
+	}
+
+	// TODO: handle stdin, symlinks, remote contexts, check files exist
+
+	var (
+		err              error
+		dockerfileReader io.ReadCloser
+		dockerfileDir    string
+		dockerfileName   = inp.DockerfilePath
+		toRemove         []string
+	)
+
+	switch {
+	case inp.ContextState != nil:
+		if target.FrontendInputs == nil {
+			target.FrontendInputs = make(map[string]llb.State)
+		}
+		target.FrontendInputs["context"] = *inp.ContextState
+		target.FrontendInputs["dockerfile"] = *inp.ContextState
+	case inp.ContextPath == "-":
+		if inp.DockerfilePath == "-" {
+			return nil, errors.Errorf("invalid argument: can't use stdin for both build context and dockerfile")
+		}
+
+		rc := inp.InStream.NewReadCloser()
+		magic, err := inp.InStream.Peek(archiveHeaderSize * 2)
+		if err != nil && err != io.EOF {
+			return nil, errors.Wrap(err, "failed to peek context header from STDIN")
+		}
+		if !(err == io.EOF && len(magic) == 0) {
+			if isArchive(magic) {
+				// stdin is context
+				up := uploadprovider.New()
+				target.FrontendAttrs["context"] = up.Add(rc)
+				target.Session = append(target.Session, up)
+			} else {
+				if inp.DockerfilePath != "" {
+					return nil, errors.Errorf("ambiguous Dockerfile source: both stdin and flag correspond to Dockerfiles")
+				}
+				// stdin is dockerfile
+				dockerfileReader = rc
+				inp.ContextPath, _ = os.MkdirTemp("", "empty-dir")
+				toRemove = append(toRemove, inp.ContextPath)
+				if err := setLocalMount("context", inp.ContextPath, target); err != nil {
+					return nil, err
+				}
+			}
+		}
+	case osutil.IsLocalDir(inp.ContextPath):
+		if err := setLocalMount("context", inp.ContextPath, target); err != nil {
+			return nil, err
+		}
+		sharedKey := inp.ContextPath
+		if p, err := filepath.Abs(sharedKey); err == nil {
+			sharedKey = filepath.Base(p)
+		}
+		target.SharedKey = sharedKey
+		switch inp.DockerfilePath {
+		case "-":
+			dockerfileReader = inp.InStream.NewReadCloser()
+		case "":
+			dockerfileDir = inp.ContextPath
+		default:
+			dockerfileDir = filepath.Dir(inp.DockerfilePath)
+			dockerfileName = filepath.Base(inp.DockerfilePath)
+		}
+	case IsRemoteURL(inp.ContextPath):
+		if inp.DockerfilePath == "-" {
+			dockerfileReader = inp.InStream.NewReadCloser()
+		} else if filepath.IsAbs(inp.DockerfilePath) {
+			dockerfileDir = filepath.Dir(inp.DockerfilePath)
+			dockerfileName = filepath.Base(inp.DockerfilePath)
+			target.FrontendAttrs["dockerfilekey"] = "dockerfile"
+		}
+		target.FrontendAttrs["context"] = inp.ContextPath
+	default:
+		return nil, errors.Errorf("unable to prepare context: path %q not found", inp.ContextPath)
+	}
+
+	if inp.DockerfileInline != "" {
+		dockerfileReader = io.NopCloser(strings.NewReader(inp.DockerfileInline))
+	}
+
+	if dockerfileReader != nil {
+		dockerfileDir, err = createTempDockerfile(dockerfileReader, inp.InStream)
+		if err != nil {
+			return nil, err
+		}
+		toRemove = append(toRemove, dockerfileDir)
+		dockerfileName = "Dockerfile"
+		target.FrontendAttrs["dockerfilekey"] = "dockerfile"
+	}
+	if isHTTPURL(inp.DockerfilePath) {
+		dockerfileDir, err = createTempDockerfileFromURL(ctx, d, inp.DockerfilePath, pw)
+		if err != nil {
+			return nil, err
+		}
+		toRemove = append(toRemove, dockerfileDir)
+		dockerfileName = "Dockerfile"
+		target.FrontendAttrs["dockerfilekey"] = "dockerfile"
+		delete(target.FrontendInputs, "dockerfile")
+	}
+
+	if dockerfileName == "" {
+		dockerfileName = "Dockerfile"
+	}
+
+	if dockerfileDir != "" {
+		if err := setLocalMount("dockerfile", dockerfileDir, target); err != nil {
+			return nil, err
+		}
+		dockerfileName = handleLowercaseDockerfile(dockerfileDir, dockerfileName)
+	}
+
+	target.FrontendAttrs["filename"] = dockerfileName
+
+	for k, v := range inp.NamedContexts {
+		target.FrontendAttrs["frontend.caps"] = "moby.buildkit.frontend.contexts+forward"
+		if v.State != nil {
+			target.FrontendAttrs["context:"+k] = "input:" + k
+			if target.FrontendInputs == nil {
+				target.FrontendInputs = make(map[string]llb.State)
+			}
+			target.FrontendInputs[k] = *v.State
+			continue
+		}
+
+		if IsRemoteURL(v.Path) || strings.HasPrefix(v.Path, "docker-image://") || strings.HasPrefix(v.Path, "target:") {
+			target.FrontendAttrs["context:"+k] = v.Path
+			continue
+		}
+
+		// handle OCI layout
+		if strings.HasPrefix(v.Path, "oci-layout://") {
+			localPath := strings.TrimPrefix(v.Path, "oci-layout://")
+			localPath, dig, hasDigest := strings.Cut(localPath, "@")
+			localPath, tag, hasTag := strings.Cut(localPath, ":")
+			if !hasTag {
+				tag = "latest"
+			}
+			if !hasDigest {
+				dig, err = resolveDigest(localPath, tag)
+				if err != nil {
+					return nil, errors.Wrapf(err, "oci-layout reference %q could not be resolved", v.Path)
+				}
+			}
+			store, err := local.NewStore(localPath)
+			if err != nil {
+				return nil, errors.Wrapf(err, "invalid store at %s", localPath)
+			}
+			storeName := identity.NewID()
+			if target.OCIStores == nil {
+				target.OCIStores = map[string]content.Store{}
+			}
+			target.OCIStores[storeName] = store
+
+			target.FrontendAttrs["context:"+k] = "oci-layout://" + storeName + ":" + tag + "@" + dig
+			continue
+		}
+		st, err := os.Stat(v.Path)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to get build context %v", k)
+		}
+		if !st.IsDir() {
+			return nil, errors.Wrapf(syscall.ENOTDIR, "failed to get build context path %v", v)
+		}
+		localName := k
+		if k == "context" || k == "dockerfile" {
+			localName = "_" + k // underscore to avoid collisions
+		}
+		if err := setLocalMount(localName, v.Path, target); err != nil {
+			return nil, err
+		}
+		target.FrontendAttrs["context:"+k] = "local:" + localName
+	}
+
+	release := func() {
+		for _, dir := range toRemove {
+			_ = os.RemoveAll(dir)
+		}
+	}
+	return release, nil
+}
+
+func resolveDigest(localPath, tag string) (dig string, _ error) {
+	idx := ociindex.NewStoreIndex(localPath)
+
+	// lookup by name
+	desc, err := idx.Get(tag)
+	if err != nil {
+		return "", err
+	}
+	if desc == nil {
+		// lookup single
+		desc, err = idx.GetSingle()
+		if err != nil {
+			return "", err
+		}
+	}
+	if desc == nil {
+		return "", errors.New("failed to resolve digest")
+	}
+
+	dig = string(desc.Digest)
+	_, err = digest.Parse(dig)
+	if err != nil {
+		return "", errors.Wrapf(err, "invalid digest %s", dig)
+	}
+
+	return dig, nil
+}
+
+func setLocalMount(name, dir string, so *client.SolveOpt) error {
+	lm, err := fsutil.NewFS(dir)
+	if err != nil {
+		return err
+	}
+	if so.LocalMounts == nil {
+		so.LocalMounts = map[string]fsutil.FS{}
+	}
+	so.LocalMounts[name] = &fs{FS: lm, dir: dir}
+	return nil
+}
+
+func createTempDockerfile(r io.Reader, multiReader *SyncMultiReader) (string, error) {
+	dir, err := os.MkdirTemp("", "dockerfile")
+	if err != nil {
+		return "", err
+	}
+	f, err := os.Create(filepath.Join(dir, "Dockerfile"))
+	if err != nil {
+		return "", err
+	}
+	defer f.Close()
+
+	if multiReader != nil {
+		dt, err := io.ReadAll(r)
+		if err != nil {
+			return "", err
+		}
+		multiReader.Reset(dt)
+		r = bytes.NewReader(dt)
+	}
+
+	if _, err := io.Copy(f, r); err != nil {
+		return "", err
+	}
+	return dir, err
+}
+
+// handle https://github.com/moby/moby/pull/10858
+func handleLowercaseDockerfile(dir, p string) string {
+	if filepath.Base(p) != "Dockerfile" {
+		return p
+	}
+
+	f, err := os.Open(filepath.Dir(filepath.Join(dir, p)))
+	if err != nil {
+		return p
+	}
+
+	names, err := f.Readdirnames(-1)
+	if err != nil {
+		return p
+	}
+
+	foundLowerCase := false
+	for _, n := range names {
+		if n == "Dockerfile" {
+			return p
+		}
+		if n == "dockerfile" {
+			foundLowerCase = true
+		}
+	}
+	if foundLowerCase {
+		return filepath.Join(filepath.Dir(p), "dockerfile")
+	}
+	return p
+}
+
+type fs struct {
+	fsutil.FS
+	dir string
+}
+
+var _ fsutil.FS = &fs{}
--- a/build/provenance.go
+++ b/build/provenance.go
@@ -0,0 +1,156 @@
+package build
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"io"
+	"strings"
+	"sync"
+
+	"github.com/containerd/containerd/content"
+	"github.com/containerd/containerd/content/proxy"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/progress"
+	controlapi "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/client"
+	provenancetypes "github.com/moby/buildkit/solver/llbsolver/provenance/types"
+	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type provenancePredicate struct {
+	Builder *provenanceBuilder `json:"builder,omitempty"`
+	provenancetypes.ProvenancePredicate
+}
+
+type provenanceBuilder struct {
+	ID string `json:"id,omitempty"`
+}
+
+func setRecordProvenance(ctx context.Context, c *client.Client, sr *client.SolveResponse, ref string, mode confutil.MetadataProvenanceMode, pw progress.Writer) error {
+	if mode == confutil.MetadataProvenanceModeDisabled {
+		return nil
+	}
+	pw = progress.ResetTime(pw)
+	return progress.Wrap("resolving provenance for metadata file", pw.Write, func(l progress.SubLogger) error {
+		res, err := fetchProvenance(ctx, c, ref, mode)
+		if err != nil {
+			return err
+		}
+		for k, v := range res {
+			sr.ExporterResponse[k] = v
+		}
+		return nil
+	})
+}
+
+func fetchProvenance(ctx context.Context, c *client.Client, ref string, mode confutil.MetadataProvenanceMode) (out map[string]string, err error) {
+	cl, err := c.ControlClient().ListenBuildHistory(ctx, &controlapi.BuildHistoryRequest{
+		Ref:       ref,
+		EarlyExit: true,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var mu sync.Mutex
+	eg, ctx := errgroup.WithContext(ctx)
+	store := proxy.NewContentStore(c.ContentClient())
+	for {
+		ev, err := cl.Recv()
+		if errors.Is(err, io.EOF) {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		if ev.Record == nil {
+			continue
+		}
+		if ev.Record.Result != nil {
+			desc := lookupProvenance(ev.Record.Result)
+			if desc == nil {
+				continue
+			}
+			eg.Go(func() error {
+				dt, err := content.ReadBlob(ctx, store, *desc)
+				if err != nil {
+					return errors.Wrapf(err, "failed to load provenance blob from build record")
+				}
+				prv, err := encodeProvenance(dt, mode)
+				if err != nil {
+					return err
+				}
+				mu.Lock()
+				if out == nil {
+					out = make(map[string]string)
+				}
+				out["buildx.build.provenance"] = prv
+				mu.Unlock()
+				return nil
+			})
+		} else if ev.Record.Results != nil {
+			for platform, res := range ev.Record.Results {
+				platform := platform
+				desc := lookupProvenance(res)
+				if desc == nil {
+					continue
+				}
+				eg.Go(func() error {
+					dt, err := content.ReadBlob(ctx, store, *desc)
+					if err != nil {
+						return errors.Wrapf(err, "failed to load provenance blob from build record")
+					}
+					prv, err := encodeProvenance(dt, mode)
+					if err != nil {
+						return err
+					}
+					mu.Lock()
+					if out == nil {
+						out = make(map[string]string)
+					}
+					out["buildx.build.provenance/"+platform] = prv
+					mu.Unlock()
+					return nil
+				})
+			}
+		}
+	}
+	return out, eg.Wait()
+}
+
+func lookupProvenance(res *controlapi.BuildResultInfo) *ocispecs.Descriptor {
+	for _, a := range res.Attestations {
+		if a.MediaType == "application/vnd.in-toto+json" && strings.HasPrefix(a.Annotations["in-toto.io/predicate-type"], "https://slsa.dev/provenance/") {
+			return &ocispecs.Descriptor{
+				Digest:      a.Digest,
+				Size:        a.Size_,
+				MediaType:   a.MediaType,
+				Annotations: a.Annotations,
+			}
+		}
+	}
+	return nil
+}
+
+func encodeProvenance(dt []byte, mode confutil.MetadataProvenanceMode) (string, error) {
+	var prv provenancePredicate
+	if err := json.Unmarshal(dt, &prv); err != nil {
+		return "", errors.Wrapf(err, "failed to unmarshal provenance")
+	}
+	if prv.Builder != nil && prv.Builder.ID == "" {
+		// reset builder if id is empty
+		prv.Builder = nil
+	}
+	if mode == confutil.MetadataProvenanceModeMin {
+		// reset fields for minimal provenance
+		prv.BuildConfig = nil
+		prv.Metadata = nil
+	}
+	dtprv, err := json.Marshal(prv)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to marshal provenance")
+	}
+	return base64.StdEncoding.EncodeToString(dtprv), nil
+}
--- a/build/replicatedstream.go
+++ b/build/replicatedstream.go
@@ -0,0 +1,164 @@
+package build
+
+import (
+	"bufio"
+	"bytes"
+	"io"
+	"sync"
+)
+
+type SyncMultiReader struct {
+	source  *bufio.Reader
+	buffer  []byte
+	static  []byte
+	mu      sync.Mutex
+	cond    *sync.Cond
+	readers []*syncReader
+	err     error
+	offset  int
+}
+
+type syncReader struct {
+	mr     *SyncMultiReader
+	offset int
+	closed bool
+}
+
+func NewSyncMultiReader(source io.Reader) *SyncMultiReader {
+	mr := &SyncMultiReader{
+		source: bufio.NewReader(source),
+		buffer: make([]byte, 0, 32*1024),
+	}
+	mr.cond = sync.NewCond(&mr.mu)
+	return mr
+}
+
+func (mr *SyncMultiReader) Peek(n int) ([]byte, error) {
+	mr.mu.Lock()
+	defer mr.mu.Unlock()
+
+	if mr.static != nil {
+		return mr.static[min(n, len(mr.static)):], nil
+	}
+
+	return mr.source.Peek(n)
+}
+
+func (mr *SyncMultiReader) Reset(dt []byte) {
+	mr.mu.Lock()
+	defer mr.mu.Unlock()
+
+	mr.static = dt
+}
+
+func (mr *SyncMultiReader) NewReadCloser() io.ReadCloser {
+	mr.mu.Lock()
+	defer mr.mu.Unlock()
+
+	if mr.static != nil {
+		return io.NopCloser(bytes.NewReader(mr.static))
+	}
+
+	reader := &syncReader{
+		mr: mr,
+	}
+	mr.readers = append(mr.readers, reader)
+	return reader
+}
+
+func (sr *syncReader) Read(p []byte) (int, error) {
+	sr.mr.mu.Lock()
+	defer sr.mr.mu.Unlock()
+
+	return sr.read(p)
+}
+
+func (sr *syncReader) read(p []byte) (int, error) {
+	end := sr.mr.offset + len(sr.mr.buffer)
+
+loop0:
+	for {
+		if sr.closed {
+			return 0, io.EOF
+		}
+
+		end := sr.mr.offset + len(sr.mr.buffer)
+
+		if sr.mr.err != nil && sr.offset == end {
+			return 0, sr.mr.err
+		}
+
+		start := sr.offset - sr.mr.offset
+
+		dt := sr.mr.buffer[start:]
+
+		if len(dt) > 0 {
+			n := copy(p, dt)
+			sr.offset += n
+			sr.mr.cond.Broadcast()
+			return n, nil
+		}
+
+		// check for readers that have not caught up
+		hasOpen := false
+		for _, r := range sr.mr.readers {
+			if !r.closed {
+				hasOpen = true
+			} else {
+				continue
+			}
+			if r.offset < end {
+				sr.mr.cond.Wait()
+				continue loop0
+			}
+		}
+
+		if !hasOpen {
+			return 0, io.EOF
+		}
+		break
+	}
+
+	last := sr.mr.offset + len(sr.mr.buffer)
+	// another reader has already updated the buffer
+	if last > end || sr.mr.err != nil {
+		return sr.read(p)
+	}
+
+	sr.mr.offset += len(sr.mr.buffer)
+
+	sr.mr.buffer = sr.mr.buffer[:cap(sr.mr.buffer)]
+	n, err := sr.mr.source.Read(sr.mr.buffer)
+	if n >= 0 {
+		sr.mr.buffer = sr.mr.buffer[:n]
+	} else {
+		sr.mr.buffer = sr.mr.buffer[:0]
+	}
+
+	sr.mr.cond.Broadcast()
+
+	if err != nil {
+		sr.mr.err = err
+		return 0, err
+	}
+
+	nn := copy(p, sr.mr.buffer)
+	sr.offset += nn
+
+	return nn, nil
+}
+
+func (sr *syncReader) Close() error {
+	sr.mr.mu.Lock()
+	defer sr.mr.mu.Unlock()
+
+	if sr.closed {
+		return nil
+	}
+
+	sr.closed = true
+
+	sr.mr.cond.Broadcast()
+
+	return nil
+}
--- a/build/replicatedstream_test.go
+++ b/build/replicatedstream_test.go
@@ -0,0 +1,77 @@
+package build
+
+import (
+	"bytes"
+	"crypto/rand"
+	"io"
+	mathrand "math/rand"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func generateRandomData(size int) []byte {
+	data := make([]byte, size)
+	rand.Read(data)
+	return data
+}
+func TestSyncMultiReaderParallel(t *testing.T) {
+	data := generateRandomData(1024 * 1024)
+	source := bytes.NewReader(data)
+	mr := NewSyncMultiReader(source)
+
+	var wg sync.WaitGroup
+	numReaders := 10
+	bufferSize := 4096 * 4
+
+	readers := make([]io.ReadCloser, numReaders)
+
+	for i := 0; i < numReaders; i++ {
+		readers[i] = mr.NewReadCloser()
+	}
+
+	for i := 0; i < numReaders; i++ {
+		wg.Add(1)
+		go func(readerId int) {
+			defer wg.Done()
+			reader := readers[readerId]
+			defer reader.Close()
+
+			totalRead := 0
+			buf := make([]byte, bufferSize)
+			for totalRead < len(data) {
+				// Simulate random read sizes
+				readSize := mathrand.Intn(bufferSize) //nolint:gosec
+				n, err := reader.Read(buf[:readSize])
+
+				if n > 0 {
+					assert.Equal(t, data[totalRead:totalRead+n], buf[:n], "Reader %d mismatch", readerId)
+					totalRead += n
+				}
+
+				if err == io.EOF {
+					assert.Equal(t, len(data), totalRead, "Reader %d EOF mismatch", readerId)
+					return
+				}
+
+				require.NoError(t, err, "Reader %d error", readerId)
+
+				if mathrand.Intn(1000) == 0 { //nolint:gosec
+					t.Logf("Reader %d closing", readerId)
+					// Simulate random close
+					return
+				}
+
+				// Simulate random timing between reads
+				time.Sleep(time.Millisecond * time.Duration(mathrand.Intn(5))) //nolint:gosec
+			}
+
+			assert.Equal(t, len(data), totalRead, "Reader %d total read mismatch", readerId)
+		}(i)
+	}
+
+	wg.Wait()
+}
--- a/build/result.go
+++ b/build/result.go
@@ -292,10 +292,10 @@ func (r *ResultHandle) build(buildFunc gateway.BuildFunc) (err error) {
 	return err
 }

-func (r *ResultHandle) getContainerConfig(ctx context.Context, c gateway.Client, cfg *controllerapi.InvokeConfig) (containerCfg gateway.NewContainerRequest, _ error) {
+func (r *ResultHandle) getContainerConfig(cfg *controllerapi.InvokeConfig) (containerCfg gateway.NewContainerRequest, _ error) {
 	if r.res != nil && r.solveErr == nil {
 		logrus.Debugf("creating container from successful build")
-		ccfg, err := containerConfigFromResult(ctx, r.res, c, *cfg)
+		ccfg, err := containerConfigFromResult(r.res, *cfg)
 		if err != nil {
 			return containerCfg, err
 		}
@@ -327,7 +327,7 @@ func (r *ResultHandle) getProcessConfig(cfg *controllerapi.InvokeConfig, stdin i
 	return processCfg, nil
 }

-func containerConfigFromResult(ctx context.Context, res *gateway.Result, c gateway.Client, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
+func containerConfigFromResult(res *gateway.Result, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
 	if cfg.Initial {
 		return nil, errors.Errorf("starting from the container from the initial state of the step is supported only on the failed steps")
 	}
--- a/build/utils.go
+++ b/build/utils.go
@@ -5,13 +5,15 @@ import (
 	"bytes"
 	"context"
 	"net"
+	"os"
+	"strconv"
 	"strings"

 	"github.com/docker/buildx/driver"
 	"github.com/docker/cli/opts"
-	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/moby/buildkit/util/gitutil"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 )

 const (
@@ -23,8 +25,15 @@ const (
 	mobyHostGatewayName = "host-gateway"
 )

+// isHTTPURL returns true if the provided str is an HTTP(S) URL by checking if it
+// has a http:// or https:// scheme. No validation is performed to verify if the
+// URL is well-formed.
+func isHTTPURL(str string) bool {
+	return strings.HasPrefix(str, "https://") || strings.HasPrefix(str, "http://")
+}
+
 func IsRemoteURL(c string) bool {
-	if urlutil.IsURL(c) {
+	if isHTTPURL(c) {
 		return true
 	}
 	if _, err := gitutil.ParseGitRef(c); err == nil {
@@ -101,3 +110,21 @@ func toBuildkitUlimits(inp *opts.UlimitOpt) (string, error) {
 	}
 	return strings.Join(ulimits, ","), nil
 }
+
+func notSupported(f driver.Feature, d *driver.DriverHandle, docs string) error {
+	return errors.Errorf(`%s is not supported for the %s driver.
+Switch to a different driver, or turn on the containerd image store, and try again.
+Learn more at %s`, f, d.Factory().Name(), docs)
+}
+
+func noDefaultLoad() bool {
+	v, ok := os.LookupEnv("BUILDX_NO_DEFAULT_LOAD")
+	if !ok {
+		return false
+	}
+	b, err := strconv.ParseBool(v)
+	if err != nil {
+		logrus.Warnf("invalid non-bool value for BUILDX_NO_DEFAULT_LOAD: %s", v)
+	}
+	return b
+}
--- a/builder/builder.go
+++ b/builder/builder.go
@@ -2,7 +2,6 @@ package builder

 import (
 	"context"
-	"encoding/csv"
 	"encoding/json"
 	"net/url"
 	"os"
@@ -27,6 +26,7 @@ import (
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/pkg/errors"
 	"github.com/spf13/pflag"
+	"github.com/tonistiigi/go-csvvalue"
 	"golang.org/x/sync/errgroup"
 )

@@ -601,8 +601,7 @@ func csvToMap(in []string) (map[string]string, error) {
 	}
 	m := make(map[string]string, len(in))
 	for _, s := range in {
-		csvReader := csv.NewReader(strings.NewReader(s))
-		fields, err := csvReader.Read()
+		fields, err := csvvalue.Fields(s, nil)
 		if err != nil {
 			return nil, err
 		}
--- a/builder/node.go
+++ b/builder/node.go
@@ -6,9 +6,8 @@ import (
 	"sort"
 	"strings"

-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/docker/buildx/driver"
-	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/dockerutil"
@@ -18,7 +17,6 @@ import (
 	"github.com/moby/buildkit/util/grpcerrors"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
 	"golang.org/x/sync/errgroup"
 	"google.golang.org/grpc/codes"
 )
@@ -48,8 +46,9 @@ func (b *Builder) Nodes() []Node {
 type LoadNodesOption func(*loadNodesOptions)

 type loadNodesOptions struct {
-	data     bool
-	dialMeta map[string][]string
+	data      bool
+	dialMeta  map[string][]string
+	clientOpt []client.ClientOpt
 }

 func WithData() LoadNodesOption {
@@ -64,6 +63,12 @@ func WithDialMeta(dialMeta map[string][]string) LoadNodesOption {
 	}
 }

+func WithClientOpt(clientOpt ...client.ClientOpt) LoadNodesOption {
+	return func(o *loadNodesOptions) {
+		o.clientOpt = clientOpt
+	}
+}
+
 // LoadNodes loads and returns nodes for this builder.
 // TODO: this should be a method on a Node object and lazy load data for each driver.
 func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []Node, err error) {
@@ -112,37 +117,19 @@ func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []N
 					return nil
 				}

-				contextStore := b.opts.dockerCli.ContextStore()
-
-				var kcc driver.KubeClientConfig
-				kcc, err = ctxkube.ConfigFromEndpoint(n.Endpoint, contextStore)
-				if err != nil {
-					// err is returned if n.Endpoint is non-context name like "unix:///var/run/docker.sock".
-					// try again with name="default".
-					// FIXME(@AkihiroSuda): n should retain real context name.
-					kcc, err = ctxkube.ConfigFromEndpoint("default", contextStore)
-					if err != nil {
-						logrus.Error(err)
-					}
-				}
-
-				tryToUseKubeConfigInCluster := false
-				if kcc == nil {
-					tryToUseKubeConfigInCluster = true
-				} else {
-					if _, err := kcc.ClientConfig(); err != nil {
-						tryToUseKubeConfigInCluster = true
-					}
-				}
-				if tryToUseKubeConfigInCluster {
-					kccInCluster := driver.KubeClientConfigInCluster{}
-					if _, err := kccInCluster.ClientConfig(); err == nil {
-						logrus.Debug("using kube config in cluster")
-						kcc = kccInCluster
-					}
-				}
-
-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.BuildkitdFlags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash, lno.dialMeta)
+				d, err := driver.GetDriver(ctx, factory, driver.InitConfig{
+					Name:            driver.BuilderName(n.Name),
+					EndpointAddr:    n.Endpoint,
+					DockerAPI:       dockerapi,
+					ContextStore:    b.opts.dockerCli.ContextStore(),
+					BuildkitdFlags:  n.BuildkitdFlags,
+					Files:           n.Files,
+					DriverOpts:      n.DriverOpts,
+					Auth:            imageopt.Auth,
+					Platforms:       n.Platforms,
+					ContextPathHash: b.opts.contextPathHash,
+					DialMeta:        lno.dialMeta,
+				})
 				if err != nil {
 					node.Err = err
 					return nil
@@ -151,7 +138,7 @@ func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []N
 				node.ImageOpt = imageopt

 				if lno.data {
-					if err := node.loadData(ctx); err != nil {
+					if err := node.loadData(ctx, lno.clientOpt...); err != nil {
 						node.Err = err
 					}
 				}
@@ -186,7 +173,7 @@ func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []N
 						if pl := di.DriverInfo.DynamicNodes[i].Platforms; len(pl) > 0 {
 							diClone.Platforms = pl
 						}
-						nodes = append(nodes, di)
+						nodes = append(nodes, diClone)
 					}
 					dynamicNodes = append(dynamicNodes, di.DriverInfo.DynamicNodes...)
 				}
@@ -247,7 +234,7 @@ func (n *Node) MarshalJSON() ([]byte, error) {
 	})
 }

-func (n *Node) loadData(ctx context.Context) error {
+func (n *Node) loadData(ctx context.Context, clientOpt ...client.ClientOpt) error {
 	if n.Driver == nil {
 		return nil
 	}
@@ -257,7 +244,7 @@ func (n *Node) loadData(ctx context.Context) error {
 	}
 	n.DriverInfo = info
 	if n.DriverInfo.Status == driver.Running {
-		driverClient, err := n.Driver.Client(ctx)
+		driverClient, err := n.Driver.Client(ctx, clientOpt...)
 		if err != nil {
 			return err
 		}
--- a/cmd/buildx/main.go
+++ b/cmd/buildx/main.go
@@ -1,6 +1,7 @@
 package main

 import (
+	"context"
 	"fmt"
 	"os"

@@ -15,6 +16,7 @@ import (
 	cliflags "github.com/docker/cli/cli/flags"
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/util/stack"
+	"go.opentelemetry.io/otel"

 	//nolint:staticcheck // vendored dependencies may still use this
 	"github.com/containerd/containerd/pkg/seed"
@@ -38,10 +40,27 @@ func runStandalone(cmd *command.DockerCli) error {
 	if err := cmd.Initialize(cliflags.NewClientOptions()); err != nil {
 		return err
 	}
+	defer flushMetrics(cmd)
+
 	rootCmd := commands.NewRootCmd(os.Args[0], false, cmd)
 	return rootCmd.Execute()
 }

+// flushMetrics will manually flush metrics from the configured
+// meter provider. This is needed when running in standalone mode
+// because the meter provider is initialized by the cli library,
+// but the mechanism for forcing it to report is not presently
+// exposed and not invoked when run in standalone mode.
+// There are plans to fix that in the next release, but this is
+// needed temporarily until the API for this is more thorough.
+func flushMetrics(cmd *command.DockerCli) {
+	if mp, ok := cmd.MeterProvider().(command.MeterProvider); ok {
+		if err := mp.ForceFlush(context.Background()); err != nil {
+			otel.Handle(err)
+		}
+	}
+}
+
 func runPlugin(cmd *command.DockerCli) error {
 	rootCmd := commands.NewRootCmd("buildx", true, cmd)
 	return plugin.RunPlugin(cmd, rootCmd, manager.Metadata{
--- a/cmd/buildx/tracing.go
+++ b/cmd/buildx/tracing.go
@@ -4,7 +4,6 @@ import (
 	"github.com/moby/buildkit/util/tracing/detect"
 	"go.opentelemetry.io/otel"

-	_ "github.com/moby/buildkit/util/tracing/detect/delegated"
 	_ "github.com/moby/buildkit/util/tracing/env"
 )

--- a/codecov.yml
+++ b/codecov.yml
@@ -1 +1,4 @@
 comment: false
+
+ignore:
+  - "**/*.pb.go"
--- a/commands/bake.go
+++ b/commands/bake.go
@@ -1,24 +1,36 @@
 package commands

 import (
+	"bytes"
+	"cmp"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
+	"slices"
+	"sort"
 	"strings"
+	"sync"
+	"text/tabwriter"

 	"github.com/containerd/console"
-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/docker/buildx/bake"
+	"github.com/docker/buildx/bake/hclparser"
 	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/localstate"
 	"github.com/docker/buildx/util/buildflags"
+	"github.com/docker/buildx/util/cobrautil"
 	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/desktop"
 	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/osutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/buildx/util/tracing"
 	"github.com/docker/cli/cli/command"
@@ -26,22 +38,29 @@ import (
 	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"go.opentelemetry.io/otel/attribute"
 )

 type bakeOptions struct {
-	files      []string
-	overrides  []string
-	printOnly  bool
-	sbom       string
-	provenance string
+	files       []string
+	overrides   []string
+	printOnly   bool
+	listTargets bool
+	listVars    bool
+	sbom        string
+	provenance  string
+	allow       []string

 	builder      string
 	metadataFile string
 	exportPush   bool
 	exportLoad   bool
+	callFunc     string
 }

 func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in bakeOptions, cFlags commonFlags) (err error) {
+	mp := dockerCli.MeterProvider()
+
 	ctx, end, err := tracing.TraceCurrentCommand(ctx, "bake")
 	if err != nil {
 		return err
@@ -50,34 +69,25 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		end(err)
 	}()

-	var url string
-	cmdContext := "cwd://"
-
-	if len(targets) > 0 {
-		if build.IsRemoteURL(targets[0]) {
-			url = targets[0]
-			targets = targets[1:]
-			if len(targets) > 0 {
-				if build.IsRemoteURL(targets[0]) {
-					cmdContext = targets[0]
-					targets = targets[1:]
-				}
-			}
-		}
-	}
-
+	url, cmdContext, targets := bakeArgs(targets)
 	if len(targets) == 0 {
 		targets = []string{"default"}
 	}

+	callFunc, err := buildflags.ParseCallFunc(in.callFunc)
+	if err != nil {
+		return err
+	}
+
 	overrides := in.overrides
 	if in.exportPush {
-		if in.exportLoad {
-			return errors.Errorf("push and load may not be set together at the moment")
-		}
 		overrides = append(overrides, "*.push=true")
-	} else if in.exportLoad {
-		overrides = append(overrides, "*.output=type=docker")
+	}
+	if in.exportLoad {
+		overrides = append(overrides, "*.load=true")
+	}
+	if callFunc != nil {
+		overrides = append(overrides, fmt.Sprintf("*.call=%s", callFunc.Name))
 	}
 	if cFlags.noCache != nil {
 		overrides = append(overrides, fmt.Sprintf("*.no-cache=%t", *cFlags.noCache))
@@ -93,6 +103,11 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 	}
 	contextPathHash, _ := os.Getwd()

+	ent, err := bake.ParseEntitlements(in.allow)
+	if err != nil {
+		return err
+	}
+
 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()

@@ -100,6 +115,7 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 	var progressConsoleDesc, progressTextDesc string

 	// instance only needed for reading remote bake files or building
+	var driverType string
 	if url != "" || !in.printOnly {
 		b, err := builder.New(dockerCli,
 			builder.WithName(in.builder),
@@ -117,32 +133,33 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		}
 		progressConsoleDesc = fmt.Sprintf("%s:%s", b.Driver, b.Name)
 		progressTextDesc = fmt.Sprintf("building with %q instance using %s driver", b.Name, b.Driver)
+		driverType = b.Driver
 	}

 	var term bool
 	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
 		term = true
 	}
+	attributes := bakeMetricAttributes(dockerCli, driverType, url, cmdContext, targets, &in)

 	progressMode := progressui.DisplayMode(cFlags.progress)
-	printer, err := progress.NewPrinter(ctx2, os.Stderr, progressMode,
-		progress.WithDesc(progressTextDesc, progressConsoleDesc),
-	)
-	if err != nil {
+	var printer *progress.Printer
+
+	makePrinter := func() error {
+		var err error
+		printer, err = progress.NewPrinter(ctx2, os.Stderr, progressMode,
+			progress.WithDesc(progressTextDesc, progressConsoleDesc),
+			progress.WithMetrics(mp, attributes),
+			progress.WithOnClose(func() {
+				printWarnings(os.Stderr, printer.Warnings(), progressMode)
+			}),
+		)
 		return err
 	}

-	defer func() {
-		if printer != nil {
-			err1 := printer.Wait()
-			if err == nil {
-				err = err1
-			}
-			if err == nil && progressMode != progressui.QuietMode && progressMode != progressui.RawJSONMode {
-				desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
-			}
-		}
-	}()
+	if err := makePrinter(); err != nil {
+		return err
+	}

 	files, inp, err := readBakeFiles(ctx, nodes, url, in.files, dockerCli.In(), printer)
 	if err != nil {
@@ -153,12 +170,29 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 		return errors.New("couldn't find a bake definition")
 	}

-	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
+	defaults := map[string]string{
 		// don't forget to update documentation if you add a new
 		// built-in variable: docs/bake-reference.md#built-in-variables
 		"BAKE_CMD_CONTEXT":    cmdContext,
-		"BAKE_LOCAL_PLATFORM": platforms.DefaultString(),
-	})
+		"BAKE_LOCAL_PLATFORM": platforms.Format(platforms.DefaultSpec()),
+	}
+
+	if in.listTargets || in.listVars {
+		cfg, pm, err := bake.ParseFiles(files, defaults)
+		if err != nil {
+			return err
+		}
+		if err = printer.Wait(); err != nil {
+			return err
+		}
+		if in.listTargets {
+			return printTargetList(dockerCli.Out(), cfg)
+		} else if in.listVars {
+			return printVars(dockerCli.Out(), pm.AllVariables)
+		}
+	}
+
+	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, defaults)
 	if err != nil {
 		return err
 	}
@@ -191,57 +225,183 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 	}

 	if in.printOnly {
-		dt, err := json.MarshalIndent(def, "", "  ")
+		if err = printer.Wait(); err != nil {
+			return err
+		}
+		dtdef, err := json.MarshalIndent(def, "", "  ")
 		if err != nil {
 			return err
 		}
-		err = printer.Wait()
-		printer = nil
-		if err != nil {
+		_, err = fmt.Fprintln(dockerCli.Out(), string(dtdef))
+		return err
+	}
+
+	for _, opt := range bo {
+		if opt.CallFunc != nil {
+			cf, err := buildflags.ParseCallFunc(opt.CallFunc.Name)
+			if err != nil {
+				return err
+			}
+			opt.CallFunc.Name = cf.Name
+		}
+	}
+
+	exp, err := ent.Validate(bo)
+	if err != nil {
+		return err
+	}
+	if err := exp.Prompt(ctx, &syncWriter{w: dockerCli.Err(), wait: printer.Wait}); err != nil {
+		return err
+	}
+	if printer.IsDone() {
+		// init new printer as old one was stopped to show the prompt
+		if err := makePrinter(); err != nil {
 			return err
 		}
-		fmt.Fprintln(dockerCli.Out(), string(dt))
-		return nil
 	}

-	// local state group
-	groupRef := identity.NewID()
-	var refs []string
-	for k, b := range bo {
-		b.Ref = identity.NewID()
-		b.GroupRef = groupRef
-		refs = append(refs, b.Ref)
-		bo[k] = b
-	}
-	dt, err := json.Marshal(def)
-	if err != nil {
-		return err
-	}
-	if err := saveLocalStateGroup(dockerCli, groupRef, localstate.StateGroup{
-		Definition: dt,
-		Targets:    targets,
-		Inputs:     overrides,
-		Refs:       refs,
-	}); err != nil {
+	if err := saveLocalStateGroup(dockerCli, in, targets, bo, overrides, def); err != nil {
 		return err
 	}

-	resp, err := build.Build(ctx, nodes, bo, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), printer)
+	done := timeBuildCommand(mp, attributes)
+	resp, retErr := build.Build(ctx, nodes, bo, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), printer)
+	if err := printer.Wait(); retErr == nil {
+		retErr = err
+	}
+	if retErr != nil {
+		err = wrapBuildError(retErr, true)
+	}
+	done(err)
+
 	if err != nil {
-		return wrapBuildError(err, true)
+		return err
 	}

+	if progressMode != progressui.QuietMode && progressMode != progressui.RawJSONMode {
+		desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
+	}
 	if len(in.metadataFile) > 0 {
 		dt := make(map[string]interface{})
 		for t, r := range resp {
 			dt[t] = decodeExporterResponse(r.ExporterResponse)
 		}
+		if callFunc == nil {
+			if warnings := printer.Warnings(); len(warnings) > 0 && confutil.MetadataWarningsEnabled() {
+				dt["buildx.build.warnings"] = warnings
+			}
+		}
 		if err := writeMetadataFile(in.metadataFile, dt); err != nil {
 			return err
 		}
 	}

-	return err
+	var callFormatJSON bool
+	jsonResults := map[string]map[string]any{}
+	if callFunc != nil {
+		callFormatJSON = callFunc.Format == "json"
+	}
+	var sep bool
+	var exitCode int
+
+	names := make([]string, 0, len(bo))
+	for name := range bo {
+		names = append(names, name)
+	}
+	slices.Sort(names)
+
+	for _, name := range names {
+		req := bo[name]
+		if req.CallFunc == nil {
+			continue
+		}
+
+		pf := &pb.CallFunc{
+			Name:         req.CallFunc.Name,
+			Format:       req.CallFunc.Format,
+			IgnoreStatus: req.CallFunc.IgnoreStatus,
+		}
+
+		if callFunc != nil {
+			pf.Format = callFunc.Format
+			pf.IgnoreStatus = callFunc.IgnoreStatus
+		}
+
+		var res map[string]string
+		if sp, ok := resp[name]; ok {
+			res = sp.ExporterResponse
+		}
+
+		if callFormatJSON {
+			jsonResults[name] = map[string]any{}
+			buf := &bytes.Buffer{}
+			if code, err := printResult(buf, pf, res); err != nil {
+				jsonResults[name]["error"] = err.Error()
+				exitCode = 1
+			} else if code != 0 && exitCode == 0 {
+				exitCode = code
+			}
+			m := map[string]*json.RawMessage{}
+			if err := json.Unmarshal(buf.Bytes(), &m); err == nil {
+				for k, v := range m {
+					jsonResults[name][k] = v
+				}
+			} else {
+				jsonResults[name][pf.Name] = json.RawMessage(buf.Bytes())
+			}
+		} else {
+			if sep {
+				fmt.Fprintln(dockerCli.Out())
+			} else {
+				sep = true
+			}
+			fmt.Fprintf(dockerCli.Out(), "%s\n", name)
+			if descr := tgts[name].Description; descr != "" {
+				fmt.Fprintf(dockerCli.Out(), "%s\n", descr)
+			}
+
+			fmt.Fprintln(dockerCli.Out())
+			if code, err := printResult(dockerCli.Out(), pf, res); err != nil {
+				fmt.Fprintf(dockerCli.Out(), "error: %v\n", err)
+				exitCode = 1
+			} else if code != 0 && exitCode == 0 {
+				exitCode = code
+			}
+		}
+	}
+	if callFormatJSON {
+		out := struct {
+			Group  map[string]*bake.Group    `json:"group,omitempty"`
+			Target map[string]map[string]any `json:"target"`
+		}{
+			Group:  grps,
+			Target: map[string]map[string]any{},
+		}
+
+		for name, def := range tgts {
+			out.Target[name] = map[string]any{
+				"build": def,
+			}
+			if res, ok := jsonResults[name]; ok {
+				printName := bo[name].CallFunc.Name
+				if printName == "lint" {
+					printName = "check"
+				}
+				out.Target[name][printName] = res
+			}
+		}
+		dt, err := json.MarshalIndent(out, "", "  ")
+		if err != nil {
+			return err
+		}
+		fmt.Fprintln(dockerCli.Out(), string(dt))
+	}
+
+	if exitCode != 0 {
+		os.Exit(exitCode)
+	}
+
+	return nil
 }

 func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
@@ -277,18 +437,68 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--set=*.attest=type=sbom"`)
 	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--set=*.attest=type=provenance"`)
 	flags.StringArrayVar(&options.overrides, "set", nil, `Override target value (e.g., "targetpattern.key=value")`)
+	flags.StringVar(&options.callFunc, "call", "build", `Set method for evaluating build ("check", "outline", "targets")`)
+	flags.StringArrayVar(&options.allow, "allow", nil, "Allow build to access specified resources")
+
+	flags.VarPF(callAlias(&options.callFunc, "check"), "check", "", `Shorthand for "--call=check"`)
+	flags.Lookup("check").NoOptDefVal = "true"
+
+	flags.BoolVar(&options.listTargets, "list-targets", false, "List available targets")
+	cobrautil.MarkFlagsExperimental(flags, "list-targets")
+	flags.MarkHidden("list-targets")
+
+	flags.BoolVar(&options.listVars, "list-variables", false, "List defined variables")
+	cobrautil.MarkFlagsExperimental(flags, "list-variables")
+	flags.MarkHidden("list-variables")

 	commonBuildFlags(&cFlags, flags)

 	return cmd
 }

-func saveLocalStateGroup(dockerCli command.Cli, ref string, lsg localstate.StateGroup) error {
+func saveLocalStateGroup(dockerCli command.Cli, in bakeOptions, targets []string, bo map[string]build.Options, overrides []string, def any) error {
+	prm := confutil.MetadataProvenance()
+	if len(in.metadataFile) == 0 {
+		prm = confutil.MetadataProvenanceModeDisabled
+	}
+	groupRef := identity.NewID()
+	refs := make([]string, 0, len(bo))
+	for k, b := range bo {
+		b.Ref = identity.NewID()
+		b.GroupRef = groupRef
+		b.ProvenanceResponseMode = prm
+		refs = append(refs, b.Ref)
+		bo[k] = b
+	}
 	l, err := localstate.New(confutil.ConfigDir(dockerCli))
 	if err != nil {
 		return err
 	}
-	return l.SaveGroup(ref, lsg)
+	dtdef, err := json.MarshalIndent(def, "", "  ")
+	if err != nil {
+		return err
+	}
+	return l.SaveGroup(groupRef, localstate.StateGroup{
+		Definition: dtdef,
+		Targets:    targets,
+		Inputs:     overrides,
+		Refs:       refs,
+	})
+}
+
+// bakeArgs will retrieve the remote url, command context, and targets
+// from the command line arguments.
+func bakeArgs(args []string) (url, cmdContext string, targets []string) {
+	cmdContext, targets = "cwd://", args
+	if len(targets) == 0 || !build.IsRemoteURL(targets[0]) {
+		return url, cmdContext, targets
+	}
+	url, targets = targets[0], targets[1:]
+	if len(targets) == 0 || !build.IsRemoteURL(targets[0]) {
+		return url, cmdContext, targets
+	}
+	cmdContext, targets = targets[0], targets[1:]
+	return url, cmdContext, targets
 }

 func readBakeFiles(ctx context.Context, nodes []builder.Node, url string, names []string, stdin io.Reader, pw progress.Writer) (files []bake.File, inp *bake.Input, err error) {
@@ -333,3 +543,157 @@ func readBakeFiles(ctx context.Context, nodes []builder.Node, url string, names

 	return
 }
+
+func printVars(w io.Writer, vars []*hclparser.Variable) error {
+	slices.SortFunc(vars, func(a, b *hclparser.Variable) int {
+		return cmp.Compare(a.Name, b.Name)
+	})
+	tw := tabwriter.NewWriter(w, 1, 8, 1, '\t', 0)
+	defer tw.Flush()
+
+	tw.Write([]byte("VARIABLE\tVALUE\tDESCRIPTION\n"))
+
+	for _, v := range vars {
+		var value string
+		if v.Value != nil {
+			value = *v.Value
+		} else {
+			value = "<null>"
+		}
+		fmt.Fprintf(tw, "%s\t%s\t%s\n", v.Name, value, v.Description)
+	}
+	return nil
+}
+
+func printTargetList(w io.Writer, cfg *bake.Config) error {
+	tw := tabwriter.NewWriter(w, 1, 8, 1, '\t', 0)
+	defer tw.Flush()
+
+	tw.Write([]byte("TARGET\tDESCRIPTION\n"))
+
+	type targetOrGroup struct {
+		name   string
+		target *bake.Target
+		group  *bake.Group
+	}
+
+	list := make([]targetOrGroup, 0, len(cfg.Targets)+len(cfg.Groups))
+	for _, tgt := range cfg.Targets {
+		list = append(list, targetOrGroup{name: tgt.Name, target: tgt})
+	}
+	for _, grp := range cfg.Groups {
+		list = append(list, targetOrGroup{name: grp.Name, group: grp})
+	}
+
+	slices.SortFunc(list, func(a, b targetOrGroup) int {
+		return cmp.Compare(a.name, b.name)
+	})
+
+	for _, tgt := range list {
+		if strings.HasPrefix(tgt.name, "_") {
+			// convention for a private target
+			continue
+		}
+		var descr string
+		if tgt.target != nil {
+			descr = tgt.target.Description
+		} else if tgt.group != nil {
+			descr = tgt.group.Description
+
+			if len(tgt.group.Targets) > 0 {
+				slices.Sort(tgt.group.Targets)
+				names := strings.Join(tgt.group.Targets, ", ")
+				if descr != "" {
+					descr += " (" + names + ")"
+				} else {
+					descr = names
+				}
+			}
+		}
+		fmt.Fprintf(tw, "%s\t%s\n", tgt.name, descr)
+	}
+
+	return nil
+}
+
+func bakeMetricAttributes(dockerCli command.Cli, driverType, url, cmdContext string, targets []string, options *bakeOptions) attribute.Set {
+	return attribute.NewSet(
+		commandNameAttribute.String("bake"),
+		attribute.Stringer(string(commandOptionsHash), &bakeOptionsHash{
+			bakeOptions: options,
+			configDir:   confutil.ConfigDir(dockerCli),
+			url:         url,
+			cmdContext:  cmdContext,
+			targets:     targets,
+		}),
+		driverNameAttribute.String(options.builder),
+		driverTypeAttribute.String(driverType),
+	)
+}
+
+type bakeOptionsHash struct {
+	*bakeOptions
+	configDir  string
+	url        string
+	cmdContext string
+	targets    []string
+	result     string
+	resultOnce sync.Once
+}
+
+func (o *bakeOptionsHash) String() string {
+	o.resultOnce.Do(func() {
+		url := o.url
+		cmdContext := o.cmdContext
+		if cmdContext == "cwd://" {
+			// Resolve the directory if the cmdContext is the current working directory.
+			cmdContext = osutil.GetWd()
+		}
+
+		// Sort the inputs for files and targets since the ordering
+		// doesn't matter, but avoid modifying the original slice.
+		files := immutableSort(o.files)
+		targets := immutableSort(o.targets)
+
+		joinedFiles := strings.Join(files, ",")
+		joinedTargets := strings.Join(targets, ",")
+		salt := confutil.TryNodeIdentifier(o.configDir)
+
+		h := sha256.New()
+		for _, s := range []string{url, cmdContext, joinedFiles, joinedTargets, salt} {
+			_, _ = io.WriteString(h, s)
+			h.Write([]byte{0})
+		}
+		o.result = hex.EncodeToString(h.Sum(nil))
+	})
+	return o.result
+}
+
+// immutableSort will sort the entries in s without modifying the original slice.
+func immutableSort(s []string) []string {
+	if !sort.StringsAreSorted(s) {
+		cpy := make([]string, len(s))
+		copy(cpy, s)
+		sort.Strings(cpy)
+		return cpy
+	}
+	return s
+}
+
+type syncWriter struct {
+	w    io.Writer
+	once sync.Once
+	wait func() error
+}
+
+func (w *syncWriter) Write(p []byte) (n int, err error) {
+	w.once.Do(func() {
+		if w.wait != nil {
+			err = w.wait()
+		}
+	})
+	if err != nil {
+		return 0, err
+	}
+	return w.w.Write(p)
+}
--- a/commands/build.go
+++ b/commands/build.go
@@ -5,12 +5,10 @@ import (
 	"context"
 	"crypto/sha256"
 	"encoding/base64"
-	"encoding/csv"
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -39,7 +37,6 @@ import (
 	"github.com/docker/buildx/util/osutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/buildx/util/tracing"
-	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	dockeropts "github.com/docker/cli/opts"
@@ -48,6 +45,7 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/frontend/subrequests"
+	"github.com/moby/buildkit/frontend/subrequests/lint"
 	"github.com/moby/buildkit/frontend/subrequests/outline"
 	"github.com/moby/buildkit/frontend/subrequests/targets"
 	"github.com/moby/buildkit/solver/errdefs"
@@ -58,6 +56,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+	"github.com/tonistiigi/go-csvvalue"
 	"go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/metric"
 	"google.golang.org/grpc/codes"
@@ -80,7 +79,7 @@ type buildOptions struct {
 	noCacheFilter  []string
 	outputs        []string
 	platforms      []string
-	printFunc      string
+	callFunc       string
 	secrets        []string
 	shmSize        dockeropts.MemBytes
 	ssh            []string
@@ -200,11 +199,17 @@ func (o *buildOptions) toControllerOptions() (*controllerapi.BuildOptions, error
 		return nil, err
 	}

-	opts.PrintFunc, err = buildflags.ParsePrintFunc(o.printFunc)
+	opts.CallFunc, err = buildflags.ParseCallFunc(o.callFunc)
 	if err != nil {
 		return nil, err
 	}

+	prm := confutil.MetadataProvenance()
+	if opts.CallFunc != nil || len(o.metadataFile) == 0 {
+		prm = confutil.MetadataProvenanceModeDisabled
+	}
+	opts.ProvenanceResponseMode = string(prm)
+
 	return &opts, nil
 }

@@ -219,15 +224,22 @@ func (o *buildOptions) toDisplayMode() (progressui.DisplayMode, error) {
 	return progress, nil
 }

-func buildMetricAttributes(dockerCli command.Cli, b *builder.Builder, options *buildOptions) attribute.Set {
+const (
+	commandNameAttribute = attribute.Key("command.name")
+	commandOptionsHash   = attribute.Key("command.options.hash")
+	driverNameAttribute  = attribute.Key("driver.name")
+	driverTypeAttribute  = attribute.Key("driver.type")
+)
+
+func buildMetricAttributes(dockerCli command.Cli, driverType string, options *buildOptions) attribute.Set {
 	return attribute.NewSet(
-		attribute.String("command.name", "build"),
-		attribute.Stringer("command.options.hash", &buildOptionsHash{
+		commandNameAttribute.String("build"),
+		attribute.Stringer(string(commandOptionsHash), &buildOptionsHash{
 			buildOptions: options,
 			configDir:    confutil.ConfigDir(dockerCli),
 		}),
-		attribute.String("driver.name", options.builder),
-		attribute.String("driver.type", b.Driver),
+		driverNameAttribute.String(options.builder),
+		driverTypeAttribute.String(driverType),
 	)
 }

@@ -266,11 +278,7 @@ func (o *buildOptionsHash) String() string {
 }

 func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions) (err error) {
-	mp, err := metricutil.NewMeterProvider(ctx, dockerCli)
-	if err != nil {
-		return err
-	}
-	defer mp.Report(context.Background())
+	mp := dockerCli.MeterProvider()

 	ctx, end, err := tracing.TraceCurrentCommand(ctx, "build")
 	if err != nil {
@@ -307,12 +315,13 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)
 	if err != nil {
 		return err
 	}
+	driverType := b.Driver

 	var term bool
 	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
 		term = true
 	}
-	attributes := buildMetricAttributes(dockerCli, b, &options)
+	attributes := buildMetricAttributes(dockerCli, driverType, &options)

 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
@@ -338,10 +347,10 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)
 	done := timeBuildCommand(mp, attributes)
 	var resp *client.SolveResponse
 	var retErr error
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		resp, retErr = runControllerBuild(ctx, dockerCli, opts, options, printer)
 	} else {
-		resp, retErr = runBasicBuild(ctx, dockerCli, opts, options, printer)
+		resp, retErr = runBasicBuild(ctx, dockerCli, opts, printer)
 	}

 	if err := printer.Wait(); retErr == nil {
@@ -367,13 +376,21 @@ func runBuild(ctx context.Context, dockerCli command.Cli, options buildOptions)
 		}
 	}
 	if options.metadataFile != "" {
-		if err := writeMetadataFile(options.metadataFile, decodeExporterResponse(resp.ExporterResponse)); err != nil {
+		dt := decodeExporterResponse(resp.ExporterResponse)
+		if opts.CallFunc == nil {
+			if warnings := printer.Warnings(); len(warnings) > 0 && confutil.MetadataWarningsEnabled() {
+				dt["buildx.build.warnings"] = warnings
+			}
+		}
+		if err := writeMetadataFile(options.metadataFile, dt); err != nil {
 			return err
 		}
 	}
-	if opts.PrintFunc != nil {
-		if err := printResult(opts.PrintFunc, resp.ExporterResponse); err != nil {
+	if opts.CallFunc != nil {
+		if exitcode, err := printResult(dockerCli.Out(), opts.CallFunc, resp.ExporterResponse); err != nil {
 			return err
+		} else if exitcode != 0 {
+			os.Exit(exitcode)
 		}
 	}
 	return nil
@@ -388,7 +405,7 @@ func getImageID(resp map[string]string) string {
 	return dgst
 }

-func runBasicBuild(ctx context.Context, dockerCli command.Cli, opts *controllerapi.BuildOptions, options buildOptions, printer *progress.Printer) (*client.SolveResponse, error) {
+func runBasicBuild(ctx context.Context, dockerCli command.Cli, opts *controllerapi.BuildOptions, printer *progress.Printer) (*client.SolveResponse, error) {
 	resp, res, err := cbuild.RunBuild(ctx, dockerCli, *opts, dockerCli.In(), printer, false)
 	if res != nil {
 		res.Done()
@@ -421,14 +438,22 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 	var ref string
 	var retErr error
 	var resp *client.SolveResponse
-	f := ioset.NewSingleForwarder()
-	f.SetReader(dockerCli.In())
-	pr, pw := io.Pipe()
-	f.SetWriter(pw, func() io.WriteCloser {
-		pw.Close() // propagate EOF
-		logrus.Debug("propagating stdin close")
-		return nil
-	})
+
+	var f *ioset.SingleForwarder
+	var pr io.ReadCloser
+	var pw io.WriteCloser
+	if options.invokeConfig == nil {
+		pr = dockerCli.In()
+	} else {
+		f = ioset.NewSingleForwarder()
+		f.SetReader(dockerCli.In())
+		pr, pw = io.Pipe()
+		f.SetWriter(pw, func() io.WriteCloser {
+			pw.Close() // propagate EOF
+			logrus.Debug("propagating stdin close")
+			return nil
+		})
+	}

 	ref, resp, err = c.Build(ctx, *opts, pr, printer)
 	if err != nil {
@@ -442,11 +467,13 @@ func runControllerBuild(ctx context.Context, dockerCli command.Cli, opts *contro
 		}
 	}

-	if err := pw.Close(); err != nil {
-		logrus.Debug("failed to close stdin pipe writer")
-	}
-	if err := pr.Close(); err != nil {
-		logrus.Debug("failed to close stdin pipe reader")
+	if options.invokeConfig != nil {
+		if err := pw.Close(); err != nil {
+			logrus.Debug("failed to close stdin pipe writer")
+		}
+		if err := pr.Close(); err != nil {
+			logrus.Debug("failed to close stdin pipe reader")
+		}
 	}

 	if options.invokeConfig != nil && options.invokeConfig.needsDebug(retErr) {
@@ -514,9 +541,12 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D

 	cmd := &cobra.Command{
 		Use:     "build [OPTIONS] PATH | URL | -",
-		Aliases: []string{"b"},
 		Short:   "Start a build",
 		Args:    cli.ExactArgs(1),
+		Aliases: []string{"b"},
+		Annotations: map[string]string{
+			"aliases": "docker build, docker builder build, docker image build, docker buildx b",
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			options.contextPath = args[0]
 			options.builder = rootOpts.builder
@@ -555,7 +585,6 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags := cmd.Flags()

 	flags.StringSliceVar(&options.extraHosts, "add-host", []string{}, `Add a custom host-to-IP mapping (format: "host:ip")`)
-	flags.SetAnnotation("add-host", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#add-host"})

 	flags.StringSliceVar(&options.allow, "allow", []string{}, `Allow extra privileged entitlement (e.g., "network.host", "security.insecure")`)

@@ -568,14 +597,12 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags.StringArrayVar(&options.cacheTo, "cache-to", []string{}, `Cache export destinations (e.g., "user/app:cache", "type=local,dest=path/to/dir")`)

 	flags.StringVar(&options.cgroupParent, "cgroup-parent", "", `Set the parent cgroup for the "RUN" instructions during build`)
-	flags.SetAnnotation("cgroup-parent", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#cgroup-parent"})

 	flags.StringArrayVar(&options.contexts, "build-context", []string{}, "Additional build contexts (e.g., name=path)")

 	flags.StringVarP(&options.dockerfileName, "file", "f", "", `Name of the Dockerfile (default: "PATH/Dockerfile")`)
-	flags.SetAnnotation("file", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#file"})

-	flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to the file")
+	flags.StringVar(&options.imageIDFile, "iidfile", "", "Write the image ID to a file")

 	flags.StringArrayVar(&options.labels, "label", []string{}, "Set metadata for an image")

@@ -589,11 +616,6 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D

 	flags.StringArrayVar(&options.platforms, "platform", platformsDefault, "Set target platform for build")

-	if isExperimental() {
-		flags.StringVar(&options.printFunc, "print", "", "Print result of information request (e.g., outline, targets)")
-		cobrautil.MarkFlagsExperimental(flags, "print")
-	}
-
 	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--output=type=registry"`)

 	flags.BoolVarP(&options.quiet, "quiet", "q", false, "Suppress the build output and print image ID on success")
@@ -605,10 +627,8 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags.StringArrayVar(&options.ssh, "ssh", []string{}, `SSH agent socket or keys to expose to the build (format: "default|<id>[=<socket>|<key>[,<key>]]")`)

 	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, `Name and optionally a tag (format: "name:tag")`)
-	flags.SetAnnotation("tag", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#tag"})

 	flags.StringVar(&options.target, "target", "", "Set the target build stage to build")
-	flags.SetAnnotation("target", annotation.ExternalURL, []string{"https://docs.docker.com/reference/cli/docker/image/build/#target"})

 	options.ulimits = dockeropts.NewUlimitOpt(nil)
 	flags.Var(options.ulimits, "ulimit", "Ulimit options")
@@ -617,7 +637,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--attest=type=sbom"`)
 	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--attest=type=provenance"`)

-	if isExperimental() {
+	if confutil.IsExperimental() {
 		// TODO: move this to debug command if needed
 		flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect")
 		flags.BoolVar(&options.Detach, "detach", false, "Detach buildx server (supported only on linux)")
@@ -625,12 +645,20 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions, debugConfig *debug.D
 		cobrautil.MarkFlagsExperimental(flags, "root", "detach", "server-config")
 	}

+	flags.StringVar(&options.callFunc, "call", "build", `Set method for evaluating build ("check", "outline", "targets")`)
+	flags.VarPF(callAlias(&options.callFunc, "check"), "check", "", `Shorthand for "--call=check"`)
+	flags.Lookup("check").NoOptDefVal = "true"
+
 	// hidden flags
 	var ignore string
 	var ignoreSlice []string
 	var ignoreBool bool
 	var ignoreInt int64

+	flags.StringVar(&options.callFunc, "print", "", "Print result of information request (e.g., outline, targets)")
+	cobrautil.MarkFlagsExperimental(flags, "print")
+	flags.MarkHidden("print")
+
 	flags.BoolVar(&ignoreBool, "compress", false, "Compress the build context using gzip")
 	flags.MarkHidden("compress")

@@ -688,9 +716,9 @@ type commonFlags struct {

 func commonBuildFlags(options *commonFlags, flags *pflag.FlagSet) {
 	options.noCache = flags.Bool("no-cache", false, "Do not use cache when building the image")
-	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
+	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty", "rawjson"). Use plain to show container output`)
 	options.pull = flags.Bool("pull", false, "Always attempt to pull all referenced images")
-	flags.StringVar(&options.metadataFile, "metadata-file", "", "Write build result metadata to the file")
+	flags.StringVar(&options.metadataFile, "metadata-file", "", "Write build result metadata to a file")
 }

 func checkWarnedFlags(f *pflag.Flag) {
@@ -714,9 +742,17 @@ func writeMetadataFile(filename string, dt interface{}) error {
 }

 func decodeExporterResponse(exporterResponse map[string]string) map[string]interface{} {
+	decFunc := func(k, v string) ([]byte, error) {
+		if k == "result.json" {
+			// result.json is part of metadata response for subrequests which
+			// is already a JSON object: https://github.com/moby/buildkit/blob/f6eb72f2f5db07ddab89ac5e2bd3939a6444f4be/frontend/dockerui/requests.go#L100-L102
+			return []byte(v), nil
+		}
+		return base64.StdEncoding.DecodeString(v)
+	}
 	out := make(map[string]interface{})
 	for k, v := range exporterResponse {
-		dt, err := base64.StdEncoding.DecodeString(v)
+		dt, err := decFunc(k, v)
 		if err != nil {
 			out[k] = v
 			continue
@@ -762,14 +798,6 @@ func (w *wrapped) Unwrap() error {
 	return w.err
 }

-func isExperimental() bool {
-	if v, ok := os.LookupEnv("BUILDX_EXPERIMENTAL"); ok {
-		vv, _ := strconv.ParseBool(v)
-		return vv
-	}
-	return false
-}
-
 func updateLastActivity(dockerCli command.Cli, ng *store.NodeGroup) error {
 	txn, release, err := storeutil.GetStore(dockerCli)
 	if err != nil {
@@ -826,7 +854,7 @@ func printWarnings(w io.Writer, warnings []client.VertexWarning, mode progressui
 		fmt.Fprintf(sb, "%d warnings found", len(warnings))
 	}
 	if logrus.GetLevel() < logrus.DebugLevel {
-		fmt.Fprintf(sb, " (use --debug to expand)")
+		fmt.Fprintf(sb, " (use docker --debug to expand)")
 	}
 	fmt.Fprintf(sb, ":\n")
 	fmt.Fprint(w, aec.Apply(sb.String(), aec.YellowF))
@@ -854,38 +882,95 @@ func printWarnings(w io.Writer, warnings []client.VertexWarning, mode progressui
 	}
 }

-func printResult(f *controllerapi.PrintFunc, res map[string]string) error {
+func printResult(w io.Writer, f *controllerapi.CallFunc, res map[string]string) (int, error) {
 	switch f.Name {
 	case "outline":
-		return printValue(outline.PrintOutline, outline.SubrequestsOutlineDefinition.Version, f.Format, res)
+		return 0, printValue(w, outline.PrintOutline, outline.SubrequestsOutlineDefinition.Version, f.Format, res)
 	case "targets":
-		return printValue(targets.PrintTargets, targets.SubrequestsTargetsDefinition.Version, f.Format, res)
+		return 0, printValue(w, targets.PrintTargets, targets.SubrequestsTargetsDefinition.Version, f.Format, res)
 	case "subrequests.describe":
-		return printValue(subrequests.PrintDescribe, subrequests.SubrequestsDescribeDefinition.Version, f.Format, res)
+		return 0, printValue(w, subrequests.PrintDescribe, subrequests.SubrequestsDescribeDefinition.Version, f.Format, res)
+	case "lint":
+		lintResults := lint.LintResults{}
+		if result, ok := res["result.json"]; ok {
+			if err := json.Unmarshal([]byte(result), &lintResults); err != nil {
+				return 0, err
+			}
+		}
+
+		warningCount := len(lintResults.Warnings)
+		if f.Format != "json" && warningCount > 0 {
+			var warningCountMsg string
+			if warningCount == 1 {
+				warningCountMsg = "1 warning has been found!"
+			} else if warningCount > 1 {
+				warningCountMsg = fmt.Sprintf("%d warnings have been found!", warningCount)
+			}
+			fmt.Fprintf(w, "Check complete, %s\n", warningCountMsg)
+		}
+
+		err := printValue(w, printLintViolationsWrapper, lint.SubrequestLintDefinition.Version, f.Format, res)
+		if err != nil {
+			return 0, err
+		}
+
+		if lintResults.Error != nil {
+			// Print the error message and the source
+			// Normally, we would use `errdefs.WithSource` to attach the source to the
+			// error and let the error be printed by the handling that's already in place,
+			// but here we want to print the error in a way that's consistent with how
+			// the lint warnings are printed via the `lint.PrintLintViolations` function,
+			// which differs from the default error printing.
+			if f.Format != "json" && len(lintResults.Warnings) > 0 {
+				fmt.Fprintln(w)
+			}
+			lintBuf := bytes.NewBuffer([]byte(lintResults.Error.Message + "\n"))
+			sourceInfo := lintResults.Sources[lintResults.Error.Location.SourceIndex]
+			source := errdefs.Source{
+				Info:   sourceInfo,
+				Ranges: lintResults.Error.Location.Ranges,
+			}
+			source.Print(lintBuf)
+			return 0, errors.New(lintBuf.String())
+		} else if len(lintResults.Warnings) == 0 && f.Format != "json" {
+			fmt.Fprintln(w, "Check complete, no warnings found.")
+		}
 	default:
-		if dt, ok := res["result.txt"]; ok {
-			fmt.Print(dt)
+		if dt, ok := res["result.json"]; ok && f.Format == "json" {
+			fmt.Fprintln(w, dt)
+		} else if dt, ok := res["result.txt"]; ok {
+			fmt.Fprint(w, dt)
 		} else {
-			log.Printf("%s %+v", f, res)
+			fmt.Fprintf(w, "%s %+v\n", f, res)
 		}
 	}
-	return nil
+	if v, ok := res["result.statuscode"]; !f.IgnoreStatus && ok {
+		if n, err := strconv.Atoi(v); err == nil && n != 0 {
+			return n, nil
+		}
+	}
+	return 0, nil
 }

-type printFunc func([]byte, io.Writer) error
+type callFunc func([]byte, io.Writer) error

-func printValue(printer printFunc, version string, format string, res map[string]string) error {
+func printValue(w io.Writer, printer callFunc, version string, format string, res map[string]string) error {
 	if format == "json" {
-		fmt.Fprintln(os.Stdout, res["result.json"])
+		fmt.Fprintln(w, res["result.json"])
 		return nil
 	}

 	if res["version"] != "" && versions.LessThan(version, res["version"]) && res["result.txt"] != "" {
 		// structure is too new and we don't know how to print it
-		fmt.Fprint(os.Stdout, res["result.txt"])
+		fmt.Fprint(w, res["result.txt"])
 		return nil
 	}
-	return printer([]byte(res["result.json"]), os.Stdout)
+	return printer([]byte(res["result.json"]), w)
+}
+
+// FIXME: remove once https://github.com/docker/buildx/pull/2672 is sorted
+func printLintViolationsWrapper(dt []byte, w io.Writer) error {
+	return lint.PrintLintViolations(dt, w, nil)
 }

 type invokeConfig struct {
@@ -935,9 +1020,9 @@ func (cfg *invokeConfig) parseInvokeConfig(invoke, on string) error {
 		return nil
 	}

-	csvReader := csv.NewReader(strings.NewReader(invoke))
-	csvReader.LazyQuotes = true
-	fields, err := csvReader.Read()
+	csvParser := csvvalue.NewParser()
+	csvParser.LazyQuotes = true
+	fields, err := csvParser.Fields(invoke, nil)
 	if err != nil {
 		return err
 	}
@@ -993,6 +1078,20 @@ func maybeJSONArray(v string) []string {
 	return []string{v}
 }

+func callAlias(target *string, value string) cobrautil.BoolFuncValue {
+	return func(s string) error {
+		v, err := strconv.ParseBool(s)
+		if err != nil {
+			return err
+		}
+
+		if v {
+			*target = value
+		}
+		return nil
+	}
+}
+
 // timeBuildCommand will start a timer for timing the build command. It records the time when the returned
 // function is invoked into a metric.
 func timeBuildCommand(mp metric.MeterProvider, attrs attribute.Set) func(err error) {
--- a/commands/debug/root.go
+++ b/commands/debug/root.go
@@ -80,7 +80,7 @@ func RootCmd(dockerCli command.Cli, children ...DebuggableCmd) *cobra.Command {
 	flags.StringVar(&controlOptions.Root, "root", "", "Specify root directory of server to connect for the monitor")
 	flags.BoolVar(&controlOptions.Detach, "detach", runtime.GOOS == "linux", "Detach buildx server for the monitor (supported only on linux)")
 	flags.StringVar(&controlOptions.ServerConfig, "server-config", "", "Specify buildx server config file for the monitor (used only when launching new server)")
-	flags.StringVar(&progressMode, "progress", "auto", `Set type of progress output ("auto", "plain", "tty") for the monitor. Use plain to show container output`)
+	flags.StringVar(&progressMode, "progress", "auto", `Set type of progress output ("auto", "plain", "tty", "rawjson") for the monitor. Use plain to show container output`)

 	cobrautil.MarkFlagsExperimental(flags, "invoke", "on", "root", "detach", "server-config")

--- a/commands/dial_stdio.go
+++ b/commands/dial_stdio.go
@@ -5,7 +5,7 @@ import (
 	"net"
 	"os"

-	"github.com/containerd/containerd/platforms"
+	"github.com/containerd/platforms"
 	"github.com/docker/buildx/build"
 	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/util/progress"
@@ -125,8 +125,7 @@ func dialStdioCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	}

 	flags := cmd.Flags()
-	cmd.Flags()
 	flags.StringVar(&opts.platform, "platform", os.Getenv("DOCKER_DEFAULT_PLATFORM"), "Target platform: this is used for node selection")
-	flags.StringVar(&opts.progress, "progress", "quiet", "Set type of progress output (auto, plain, tty).")
+	flags.StringVar(&opts.progress, "progress", "quiet", `Set type of progress output ("auto", "plain", "tty", "rawjson"). Use plain to show container output`)
 	return cmd
 }
--- a/commands/imagetools/create.go
+++ b/commands/imagetools/create.go
@@ -9,6 +9,7 @@ import (

 	"github.com/distribution/reference"
 	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/buildflags"
 	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/buildx/util/progress"
@@ -29,6 +30,7 @@ type createOptions struct {
 	dryrun       bool
 	actionAppend bool
 	progress     string
+	preferIndex  bool
 }

 func runCreate(ctx context.Context, dockerCli command.Cli, in createOptions, args []string) error {
@@ -153,7 +155,12 @@ func runCreate(ctx context.Context, dockerCli command.Cli, in createOptions, arg
 		}
 	}

-	dt, desc, err := r.Combine(ctx, srcs, in.annotations)
+	annotations, err := buildflags.ParseAnnotations(in.annotations)
+	if err != nil {
+		return errors.Wrapf(err, "failed to parse annotations")
+	}
+
+	dt, desc, err := r.Combine(ctx, srcs, annotations, in.preferIndex)
 	if err != nil {
 		return err
 	}
@@ -281,8 +288,9 @@ func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	flags.StringArrayVarP(&options.tags, "tag", "t", []string{}, "Set reference for new image")
 	flags.BoolVar(&options.dryrun, "dry-run", false, "Show final image instead of pushing")
 	flags.BoolVar(&options.actionAppend, "append", false, "Append to existing manifest")
-	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
+	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty", "rawjson"). Use plain to show container output`)
 	flags.StringArrayVarP(&options.annotations, "annotation", "", []string{}, "Add annotation to the image")
+	flags.BoolVar(&options.preferIndex, "prefer-index", true, "When only a single source is specified, prefer outputting an image index or manifest list instead of performing a carbon copy")

 	return cmd
 }
--- a/commands/install.go
+++ b/commands/install.go
@@ -15,7 +15,7 @@ import (
 type installOptions struct {
 }

-func runInstall(dockerCli command.Cli, in installOptions) error {
+func runInstall(_ command.Cli, _ installOptions) error {
 	dir := config.Dir()
 	if err := os.MkdirAll(dir, 0755); err != nil {
 		return errors.Wrap(err, "could not create docker config")
--- a/commands/prune.go
+++ b/commands/prune.go
@@ -195,6 +195,8 @@ func toBuildkitPruneInfo(f filters.Args) (*client.PruneInfo, error) {
 		case 1:
 			if filterKey == "id" {
 				filters = append(filters, filterKey+"~="+values[0])
+			} else if strings.HasSuffix(filterKey, "!") || strings.HasSuffix(filterKey, "~") {
+				filters = append(filters, filterKey+"="+values[0])
 			} else {
 				filters = append(filters, filterKey+"=="+values[0])
 			}
--- a/commands/root.go
+++ b/commands/root.go
@@ -7,6 +7,7 @@ import (
 	imagetoolscmd "github.com/docker/buildx/commands/imagetools"
 	"github.com/docker/buildx/controller/remote"
 	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/confutil"
 	"github.com/docker/buildx/util/logutil"
 	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
@@ -20,6 +21,7 @@ import (
 )

 func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Command {
+	var opt rootOptions
 	cmd := &cobra.Command{
 		Short: "Docker Buildx",
 		Long:  `Extended build capabilities with BuildKit`,
@@ -31,6 +33,10 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 			HiddenDefaultCmd: true,
 		},
 		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			if opt.debug {
+				debug.Enable()
+			}
+
 			cmd.SetContext(appcontext.Context())
 			if !isPlugin {
 				return nil
@@ -46,11 +52,6 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		cmd.TraverseChildren = true
 		cmd.DisableFlagsInUseLine = true
 		cli.DisableFlagsInUseLine(cmd)
-
-		// DEBUG=1 should perform the same as --debug at the docker root level
-		if debug.IsEnabled() {
-			debug.Enable()
-		}
 	}

 	logrus.SetFormatter(&logutil.Formatter{})
@@ -63,20 +64,20 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		"using default config store",
 	))

-	if !isExperimental() {
+	if !confutil.IsExperimental() {
 		cmd.SetHelpTemplate(cmd.HelpTemplate() + "\nExperimental commands and flags are hidden. Set BUILDX_EXPERIMENTAL=1 to show them.\n")
 	}

-	addCommands(cmd, dockerCli)
+	addCommands(cmd, &opt, dockerCli)
 	return cmd
 }

 type rootOptions struct {
 	builder string
+	debug   bool
 }

-func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
-	opts := &rootOptions{}
+func addCommands(cmd *cobra.Command, opts *rootOptions, dockerCli command.Cli) {
 	rootFlags(opts, cmd.PersistentFlags())

 	cmd.AddCommand(
@@ -96,7 +97,7 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		duCmd(dockerCli, opts),
 		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: &opts.builder}),
 	)
-	if isExperimental() {
+	if confutil.IsExperimental() {
 		cmd.AddCommand(debugcmd.RootCmd(dockerCli,
 			newDebuggableBuild(dockerCli, opts),
 		))
@@ -111,4 +112,5 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {

 func rootFlags(options *rootOptions, flags *pflag.FlagSet) {
 	flags.StringVar(&options.builder, "builder", os.Getenv("BUILDX_BUILDER"), "Override the configured builder instance")
+	flags.BoolVarP(&options.debug, "debug", "D", debug.IsEnabled(), "Enable debug logging")
 }
--- a/commands/uninstall.go
+++ b/commands/uninstall.go
@@ -15,7 +15,7 @@ import (
 type uninstallOptions struct {
 }

-func runUninstall(dockerCli command.Cli, in uninstallOptions) error {
+func runUninstall(_ command.Cli, _ uninstallOptions) error {
 	dir := config.Dir()
 	cfg, err := config.Load(dir)
 	if err != nil {
--- a/commands/util.go
+++ b/commands/util.go
@@ -1,17 +1,22 @@
 package commands

 import (
+	"bufio"
 	"context"
+	"fmt"
 	"io"
+	"os"
+	"runtime"
+	"strings"

-	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/streams"
 )

 func prompt(ctx context.Context, ins io.Reader, out io.Writer, msg string) (bool, error) {
 	done := make(chan struct{})
 	var ok bool
 	go func() {
-		ok = command.PromptForConfirmation(ins, out, msg)
+		ok = promptForConfirmation(ins, out, msg)
 		close(done)
 	}()
 	select {
@@ -21,3 +26,32 @@ func prompt(ctx context.Context, ins io.Reader, out io.Writer, msg string) (bool
 		return ok, nil
 	}
 }
+
+// promptForConfirmation requests and checks confirmation from user.
+// This will display the provided message followed by ' [y/N] '. If
+// the user input 'y' or 'Y' it returns true other false.  If no
+// message is provided "Are you sure you want to proceed? [y/N] "
+// will be used instead.
+//
+// Copied from github.com/docker/cli since the upstream version changed
+// recently with an incompatible change.
+//
+// See https://github.com/docker/buildx/pull/2359#discussion_r1544736494
+// for discussion on the issue.
+func promptForConfirmation(ins io.Reader, outs io.Writer, message string) bool {
+	if message == "" {
+		message = "Are you sure you want to proceed?"
+	}
+	message += " [y/N] "
+
+	_, _ = fmt.Fprint(outs, message)
+
+	// On Windows, force the use of the regular OS stdin stream.
+	if runtime.GOOS == "windows" {
+		ins = streams.NewIn(os.Stdin)
+	}
+
+	reader := bufio.NewReader(ins)
+	answer, _, _ := reader.ReadLine()
+	return strings.ToLower(string(answer)) == "y"
+}
--- a/commands/version.go
+++ b/commands/version.go
@@ -11,7 +11,7 @@ import (
 	"github.com/spf13/cobra"
 )

-func runVersion(dockerCli command.Cli) error {
+func runVersion(_ command.Cli) error {
 	fmt.Println(version.Package, version.Version, version.Revision)
 	return nil
 }
--- a/controller/build/build.go
+++ b/controller/build/build.go
@@ -3,7 +3,6 @@ package build
 import (
 	"context"
 	"io"
-	"os"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -19,9 +18,8 @@ import (
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/config"
 	dockeropts "github.com/docker/cli/opts"
-	"github.com/docker/go-units"
+	"github.com/docker/docker/api/types/container"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/session/auth/authprovider"
 	"github.com/moby/buildkit/util/grpcerrors"
@@ -50,23 +48,24 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 		Inputs: build.Inputs{
 			ContextPath:    in.ContextPath,
 			DockerfilePath: in.DockerfileName,
-			InStream:       inStream,
+			InStream:       build.NewSyncMultiReader(inStream),
 			NamedContexts:  contexts,
 		},
-		Ref:           in.Ref,
-		BuildArgs:     in.BuildArgs,
-		CgroupParent:  in.CgroupParent,
-		ExtraHosts:    in.ExtraHosts,
-		Labels:        in.Labels,
-		NetworkMode:   in.NetworkMode,
-		NoCache:       in.NoCache,
-		NoCacheFilter: in.NoCacheFilter,
-		Pull:          in.Pull,
-		ShmSize:       dockeropts.MemBytes(in.ShmSize),
-		Tags:          in.Tags,
-		Target:        in.Target,
-		Ulimits:       controllerUlimitOpt2DockerUlimit(in.Ulimits),
-		GroupRef:      in.GroupRef,
+		Ref:                    in.Ref,
+		BuildArgs:              in.BuildArgs,
+		CgroupParent:           in.CgroupParent,
+		ExtraHosts:             in.ExtraHosts,
+		Labels:                 in.Labels,
+		NetworkMode:            in.NetworkMode,
+		NoCache:                in.NoCache,
+		NoCacheFilter:          in.NoCacheFilter,
+		Pull:                   in.Pull,
+		ShmSize:                dockeropts.MemBytes(in.ShmSize),
+		Tags:                   in.Tags,
+		Target:                 in.Target,
+		Ulimits:                controllerUlimitOpt2DockerUlimit(in.Ulimits),
+		GroupRef:               in.GroupRef,
+		ProvenanceResponseMode: confutil.ParseMetadataProvenance(in.ProvenanceResponseMode),
 	}

 	platforms, err := platformutil.Parse(in.Platforms)
@@ -75,7 +74,7 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 	}
 	opts.Platforms = platforms

-	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	dockerConfig := dockerCli.ConfigFile()
 	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(dockerConfig, nil))

 	secrets, err := controllerapi.CreateSecrets(in.Secrets)
@@ -99,44 +98,45 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 		return nil, nil, err
 	}
 	if in.ExportPush {
-		if in.ExportLoad {
-			return nil, nil, errors.Errorf("push and load may not be set together at the moment")
+		var pushUsed bool
+		for i := range outputs {
+			if outputs[i].Type == client.ExporterImage {
+				outputs[i].Attrs["push"] = "true"
+				pushUsed = true
+			}
 		}
-		if len(outputs) == 0 {
-			outputs = []client.ExportEntry{{
-				Type: "image",
+		if !pushUsed {
+			outputs = append(outputs, client.ExportEntry{
+				Type: client.ExporterImage,
 				Attrs: map[string]string{
 					"push": "true",
 				},
-			}}
-		} else {
-			switch outputs[0].Type {
-			case "image":
-				outputs[0].Attrs["push"] = "true"
-			default:
-				return nil, nil, errors.Errorf("push and %q output can't be used together", outputs[0].Type)
-			}
+			})
 		}
 	}
 	if in.ExportLoad {
-		if len(outputs) == 0 {
-			outputs = []client.ExportEntry{{
-				Type:  "docker",
-				Attrs: map[string]string{},
-			}}
-		} else {
-			switch outputs[0].Type {
-			case "docker":
-			default:
-				return nil, nil, errors.Errorf("load and %q output can't be used together", outputs[0].Type)
+		var loadUsed bool
+		for i := range outputs {
+			if outputs[i].Type == client.ExporterDocker {
+				if _, ok := outputs[i].Attrs["dest"]; !ok {
+					loadUsed = true
+					break
+				}
 			}
 		}
+		if !loadUsed {
+			outputs = append(outputs, client.ExportEntry{
+				Type:  client.ExporterDocker,
+				Attrs: map[string]string{},
+			})
+		}
 	}

 	annotations, err := buildflags.ParseAnnotations(in.Annotations)
 	if err != nil {
-		return nil, nil, err
+		return nil, nil, errors.Wrap(err, "parse annotations")
 	}
+
 	for _, o := range outputs {
 		for k, v := range annotations {
 			o.Attrs[k.String()] = v
@@ -158,10 +158,11 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 	}
 	opts.Allow = allow

-	if in.PrintFunc != nil {
-		opts.PrintFunc = &build.PrintFunc{
-			Name:   in.PrintFunc.Name,
-			Format: in.PrintFunc.Format,
+	if in.CallFunc != nil {
+		opts.CallFunc = &build.CallFunc{
+			Name:         in.CallFunc.Name,
+			Format:       in.CallFunc.Format,
+			IgnoreStatus: in.CallFunc.IgnoreStatus,
 		}
 	}

@@ -187,7 +188,7 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 		return nil, nil, err
 	}

-	resp, res, err := buildTargets(ctx, dockerCli, b.NodeGroup, nodes, map[string]build.Options{defaultTargetName: opts}, progress, generateResult)
+	resp, res, err := buildTargets(ctx, dockerCli, nodes, map[string]build.Options{defaultTargetName: opts}, progress, generateResult)
 	err = wrapBuildError(err, false)
 	if err != nil {
 		// NOTE: buildTargets can return *build.ResultHandle even on error.
@@ -201,7 +202,7 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 // NOTE: When an error happens during the build and this function acquires the debuggable *build.ResultHandle,
 // this function returns it in addition to the error (i.e. it does "return nil, res, err"). The caller can
 // inspect the result and debug the cause of that error.
-func buildTargets(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, nodes []builder.Node, opts map[string]build.Options, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, error) {
+func buildTargets(ctx context.Context, dockerCli command.Cli, nodes []builder.Node, opts map[string]build.Options, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, error) {
 	var res *build.ResultHandle
 	var resp map[string]*client.SolveResponse
 	var err error
@@ -268,9 +269,9 @@ func controllerUlimitOpt2DockerUlimit(u *controllerapi.UlimitOpt) *dockeropts.Ul
 	if u == nil {
 		return nil
 	}
-	values := make(map[string]*units.Ulimit)
+	values := make(map[string]*container.Ulimit)
 	for k, v := range u.Values {
-		values[k] = &units.Ulimit{
+		values[k] = &container.Ulimit{
 			Name: v.Name,
 			Hard: v.Hard,
 			Soft: v.Soft,
--- a/controller/pb/controller.pb.go
+++ b/controller/pb/controller.pb.go
@@ -271,40 +271,41 @@ func (m *BuildRequest) GetOptions() *BuildOptions {
 }

 type BuildOptions struct {
-	ContextPath          string               `protobuf:"bytes,1,opt,name=ContextPath,proto3" json:"ContextPath,omitempty"`
-	DockerfileName       string               `protobuf:"bytes,2,opt,name=DockerfileName,proto3" json:"DockerfileName,omitempty"`
-	PrintFunc            *PrintFunc           `protobuf:"bytes,3,opt,name=PrintFunc,proto3" json:"PrintFunc,omitempty"`
-	NamedContexts        map[string]string    `protobuf:"bytes,4,rep,name=NamedContexts,proto3" json:"NamedContexts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	Allow                []string             `protobuf:"bytes,5,rep,name=Allow,proto3" json:"Allow,omitempty"`
-	Attests              []*Attest            `protobuf:"bytes,6,rep,name=Attests,proto3" json:"Attests,omitempty"`
-	BuildArgs            map[string]string    `protobuf:"bytes,7,rep,name=BuildArgs,proto3" json:"BuildArgs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	CacheFrom            []*CacheOptionsEntry `protobuf:"bytes,8,rep,name=CacheFrom,proto3" json:"CacheFrom,omitempty"`
-	CacheTo              []*CacheOptionsEntry `protobuf:"bytes,9,rep,name=CacheTo,proto3" json:"CacheTo,omitempty"`
-	CgroupParent         string               `protobuf:"bytes,10,opt,name=CgroupParent,proto3" json:"CgroupParent,omitempty"`
-	Exports              []*ExportEntry       `protobuf:"bytes,11,rep,name=Exports,proto3" json:"Exports,omitempty"`
-	ExtraHosts           []string             `protobuf:"bytes,12,rep,name=ExtraHosts,proto3" json:"ExtraHosts,omitempty"`
-	Labels               map[string]string    `protobuf:"bytes,13,rep,name=Labels,proto3" json:"Labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
-	NetworkMode          string               `protobuf:"bytes,14,opt,name=NetworkMode,proto3" json:"NetworkMode,omitempty"`
-	NoCacheFilter        []string             `protobuf:"bytes,15,rep,name=NoCacheFilter,proto3" json:"NoCacheFilter,omitempty"`
-	Platforms            []string             `protobuf:"bytes,16,rep,name=Platforms,proto3" json:"Platforms,omitempty"`
-	Secrets              []*Secret            `protobuf:"bytes,17,rep,name=Secrets,proto3" json:"Secrets,omitempty"`
-	ShmSize              int64                `protobuf:"varint,18,opt,name=ShmSize,proto3" json:"ShmSize,omitempty"`
-	SSH                  []*SSH               `protobuf:"bytes,19,rep,name=SSH,proto3" json:"SSH,omitempty"`
-	Tags                 []string             `protobuf:"bytes,20,rep,name=Tags,proto3" json:"Tags,omitempty"`
-	Target               string               `protobuf:"bytes,21,opt,name=Target,proto3" json:"Target,omitempty"`
-	Ulimits              *UlimitOpt           `protobuf:"bytes,22,opt,name=Ulimits,proto3" json:"Ulimits,omitempty"`
-	Builder              string               `protobuf:"bytes,23,opt,name=Builder,proto3" json:"Builder,omitempty"`
-	NoCache              bool                 `protobuf:"varint,24,opt,name=NoCache,proto3" json:"NoCache,omitempty"`
-	Pull                 bool                 `protobuf:"varint,25,opt,name=Pull,proto3" json:"Pull,omitempty"`
-	ExportPush           bool                 `protobuf:"varint,26,opt,name=ExportPush,proto3" json:"ExportPush,omitempty"`
-	ExportLoad           bool                 `protobuf:"varint,27,opt,name=ExportLoad,proto3" json:"ExportLoad,omitempty"`
-	SourcePolicy         *pb.Policy           `protobuf:"bytes,28,opt,name=SourcePolicy,proto3" json:"SourcePolicy,omitempty"`
-	Ref                  string               `protobuf:"bytes,29,opt,name=Ref,proto3" json:"Ref,omitempty"`
-	GroupRef             string               `protobuf:"bytes,30,opt,name=GroupRef,proto3" json:"GroupRef,omitempty"`
-	Annotations          []string             `protobuf:"bytes,31,rep,name=Annotations,proto3" json:"Annotations,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}             `json:"-"`
-	XXX_unrecognized     []byte               `json:"-"`
-	XXX_sizecache        int32                `json:"-"`
+	ContextPath            string               `protobuf:"bytes,1,opt,name=ContextPath,proto3" json:"ContextPath,omitempty"`
+	DockerfileName         string               `protobuf:"bytes,2,opt,name=DockerfileName,proto3" json:"DockerfileName,omitempty"`
+	CallFunc               *CallFunc            `protobuf:"bytes,3,opt,name=CallFunc,proto3" json:"CallFunc,omitempty"`
+	NamedContexts          map[string]string    `protobuf:"bytes,4,rep,name=NamedContexts,proto3" json:"NamedContexts,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	Allow                  []string             `protobuf:"bytes,5,rep,name=Allow,proto3" json:"Allow,omitempty"`
+	Attests                []*Attest            `protobuf:"bytes,6,rep,name=Attests,proto3" json:"Attests,omitempty"`
+	BuildArgs              map[string]string    `protobuf:"bytes,7,rep,name=BuildArgs,proto3" json:"BuildArgs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	CacheFrom              []*CacheOptionsEntry `protobuf:"bytes,8,rep,name=CacheFrom,proto3" json:"CacheFrom,omitempty"`
+	CacheTo                []*CacheOptionsEntry `protobuf:"bytes,9,rep,name=CacheTo,proto3" json:"CacheTo,omitempty"`
+	CgroupParent           string               `protobuf:"bytes,10,opt,name=CgroupParent,proto3" json:"CgroupParent,omitempty"`
+	Exports                []*ExportEntry       `protobuf:"bytes,11,rep,name=Exports,proto3" json:"Exports,omitempty"`
+	ExtraHosts             []string             `protobuf:"bytes,12,rep,name=ExtraHosts,proto3" json:"ExtraHosts,omitempty"`
+	Labels                 map[string]string    `protobuf:"bytes,13,rep,name=Labels,proto3" json:"Labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
+	NetworkMode            string               `protobuf:"bytes,14,opt,name=NetworkMode,proto3" json:"NetworkMode,omitempty"`
+	NoCacheFilter          []string             `protobuf:"bytes,15,rep,name=NoCacheFilter,proto3" json:"NoCacheFilter,omitempty"`
+	Platforms              []string             `protobuf:"bytes,16,rep,name=Platforms,proto3" json:"Platforms,omitempty"`
+	Secrets                []*Secret            `protobuf:"bytes,17,rep,name=Secrets,proto3" json:"Secrets,omitempty"`
+	ShmSize                int64                `protobuf:"varint,18,opt,name=ShmSize,proto3" json:"ShmSize,omitempty"`
+	SSH                    []*SSH               `protobuf:"bytes,19,rep,name=SSH,proto3" json:"SSH,omitempty"`
+	Tags                   []string             `protobuf:"bytes,20,rep,name=Tags,proto3" json:"Tags,omitempty"`
+	Target                 string               `protobuf:"bytes,21,opt,name=Target,proto3" json:"Target,omitempty"`
+	Ulimits                *UlimitOpt           `protobuf:"bytes,22,opt,name=Ulimits,proto3" json:"Ulimits,omitempty"`
+	Builder                string               `protobuf:"bytes,23,opt,name=Builder,proto3" json:"Builder,omitempty"`
+	NoCache                bool                 `protobuf:"varint,24,opt,name=NoCache,proto3" json:"NoCache,omitempty"`
+	Pull                   bool                 `protobuf:"varint,25,opt,name=Pull,proto3" json:"Pull,omitempty"`
+	ExportPush             bool                 `protobuf:"varint,26,opt,name=ExportPush,proto3" json:"ExportPush,omitempty"`
+	ExportLoad             bool                 `protobuf:"varint,27,opt,name=ExportLoad,proto3" json:"ExportLoad,omitempty"`
+	SourcePolicy           *pb.Policy           `protobuf:"bytes,28,opt,name=SourcePolicy,proto3" json:"SourcePolicy,omitempty"`
+	Ref                    string               `protobuf:"bytes,29,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	GroupRef               string               `protobuf:"bytes,30,opt,name=GroupRef,proto3" json:"GroupRef,omitempty"`
+	Annotations            []string             `protobuf:"bytes,31,rep,name=Annotations,proto3" json:"Annotations,omitempty"`
+	ProvenanceResponseMode string               `protobuf:"bytes,32,opt,name=ProvenanceResponseMode,proto3" json:"ProvenanceResponseMode,omitempty"`
+	XXX_NoUnkeyedLiteral   struct{}             `json:"-"`
+	XXX_unrecognized       []byte               `json:"-"`
+	XXX_sizecache          int32                `json:"-"`
 }

 func (m *BuildOptions) Reset()         { *m = BuildOptions{} }
@@ -345,9 +346,9 @@ func (m *BuildOptions) GetDockerfileName() string {
 	return ""
 }

-func (m *BuildOptions) GetPrintFunc() *PrintFunc {
+func (m *BuildOptions) GetCallFunc() *CallFunc {
 	if m != nil {
-		return m.PrintFunc
+		return m.CallFunc
 	}
 	return nil
 }
@@ -548,6 +549,13 @@ func (m *BuildOptions) GetAnnotations() []string {
 	return nil
 }

+func (m *BuildOptions) GetProvenanceResponseMode() string {
+	if m != nil {
+		return m.ProvenanceResponseMode
+	}
+	return ""
+}
+
 type ExportEntry struct {
 	Type                 string            `protobuf:"bytes,1,opt,name=Type,proto3" json:"Type,omitempty"`
 	Attrs                map[string]string `protobuf:"bytes,2,rep,name=Attrs,proto3" json:"Attrs,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
@@ -802,52 +810,60 @@ func (m *Secret) GetEnv() string {
 	return ""
 }

-type PrintFunc struct {
+type CallFunc struct {
 	Name                 string   `protobuf:"bytes,1,opt,name=Name,proto3" json:"Name,omitempty"`
 	Format               string   `protobuf:"bytes,2,opt,name=Format,proto3" json:"Format,omitempty"`
+	IgnoreStatus         bool     `protobuf:"varint,3,opt,name=IgnoreStatus,proto3" json:"IgnoreStatus,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
 }

-func (m *PrintFunc) Reset()         { *m = PrintFunc{} }
-func (m *PrintFunc) String() string { return proto.CompactTextString(m) }
-func (*PrintFunc) ProtoMessage()    {}
-func (*PrintFunc) Descriptor() ([]byte, []int) {
+func (m *CallFunc) Reset()         { *m = CallFunc{} }
+func (m *CallFunc) String() string { return proto.CompactTextString(m) }
+func (*CallFunc) ProtoMessage()    {}
+func (*CallFunc) Descriptor() ([]byte, []int) {
 	return fileDescriptor_ed7f10298fa1d90f, []int{12}
 }
-func (m *PrintFunc) XXX_Unmarshal(b []byte) error {
-	return xxx_messageInfo_PrintFunc.Unmarshal(m, b)
+func (m *CallFunc) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_CallFunc.Unmarshal(m, b)
 }
-func (m *PrintFunc) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
-	return xxx_messageInfo_PrintFunc.Marshal(b, m, deterministic)
+func (m *CallFunc) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_CallFunc.Marshal(b, m, deterministic)
 }
-func (m *PrintFunc) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_PrintFunc.Merge(m, src)
+func (m *CallFunc) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_CallFunc.Merge(m, src)
 }
-func (m *PrintFunc) XXX_Size() int {
-	return xxx_messageInfo_PrintFunc.Size(m)
+func (m *CallFunc) XXX_Size() int {
+	return xxx_messageInfo_CallFunc.Size(m)
 }
-func (m *PrintFunc) XXX_DiscardUnknown() {
-	xxx_messageInfo_PrintFunc.DiscardUnknown(m)
+func (m *CallFunc) XXX_DiscardUnknown() {
+	xxx_messageInfo_CallFunc.DiscardUnknown(m)
 }

-var xxx_messageInfo_PrintFunc proto.InternalMessageInfo
+var xxx_messageInfo_CallFunc proto.InternalMessageInfo

-func (m *PrintFunc) GetName() string {
+func (m *CallFunc) GetName() string {
 	if m != nil {
 		return m.Name
 	}
 	return ""
 }

-func (m *PrintFunc) GetFormat() string {
+func (m *CallFunc) GetFormat() string {
 	if m != nil {
 		return m.Format
 	}
 	return ""
 }

+func (m *CallFunc) GetIgnoreStatus() bool {
+	if m != nil {
+		return m.IgnoreStatus
+	}
+	return false
+}
+
 type InspectRequest struct {
 	Ref                  string   `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
@@ -2046,7 +2062,7 @@ func init() {
 	proto.RegisterType((*Attest)(nil), "buildx.controller.v1.Attest")
 	proto.RegisterType((*SSH)(nil), "buildx.controller.v1.SSH")
 	proto.RegisterType((*Secret)(nil), "buildx.controller.v1.Secret")
-	proto.RegisterType((*PrintFunc)(nil), "buildx.controller.v1.PrintFunc")
+	proto.RegisterType((*CallFunc)(nil), "buildx.controller.v1.CallFunc")
 	proto.RegisterType((*InspectRequest)(nil), "buildx.controller.v1.InspectRequest")
 	proto.RegisterType((*InspectResponse)(nil), "buildx.controller.v1.InspectResponse")
 	proto.RegisterType((*UlimitOpt)(nil), "buildx.controller.v1.UlimitOpt")
@@ -2078,128 +2094,130 @@ func init() {
 func init() { proto.RegisterFile("controller.proto", fileDescriptor_ed7f10298fa1d90f) }

 var fileDescriptor_ed7f10298fa1d90f = []byte{
-	// 1922 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x58, 0x5f, 0x73, 0x1b, 0x49,
-	0x11, 0x67, 0x25, 0x59, 0x7f, 0x5a, 0x96, 0xcf, 0x19, 0x9c, 0x30, 0xd9, 0xe4, 0x12, 0x67, 0x93,
-	0x1c, 0x2a, 0x42, 0xc9, 0x77, 0x3e, 0x82, 0x2f, 0x97, 0xbb, 0x2a, 0x6c, 0xd9, 0xc2, 0xbe, 0x4a,
-	0x6c, 0xd7, 0xca, 0xc9, 0x15, 0x50, 0xc5, 0xd5, 0x5a, 0x1a, 0xcb, 0x5b, 0x5a, 0xed, 0x88, 0x9d,
-	0x91, 0x6d, 0xf1, 0xc4, 0x03, 0xbc, 0x51, 0x14, 0x5f, 0x83, 0xe2, 0x23, 0xf0, 0xc4, 0x37, 0xe2,
-	0x23, 0x50, 0xd3, 0x33, 0xbb, 0x5a, 0x59, 0x5a, 0xd9, 0x86, 0x27, 0x4d, 0xf7, 0xfe, 0xba, 0x7b,
-	0xba, 0xa7, 0xa7, 0xbb, 0x47, 0xb0, 0xda, 0xe1, 0xa1, 0x8c, 0x78, 0x10, 0xb0, 0xa8, 0x31, 0x8c,
-	0xb8, 0xe4, 0x64, 0xed, 0x74, 0xe4, 0x07, 0xdd, 0xab, 0x46, 0xea, 0xc3, 0xc5, 0x17, 0xf6, 0xdb,
-	0x9e, 0x2f, 0xcf, 0x47, 0xa7, 0x8d, 0x0e, 0x1f, 0x6c, 0x0c, 0xf8, 0xe9, 0x78, 0x03, 0x51, 0x7d,
-	0x5f, 0x6e, 0x78, 0x43, 0x7f, 0x43, 0xb0, 0xe8, 0xc2, 0xef, 0x30, 0xb1, 0x61, 0x84, 0xe2, 0x5f,
-	0xad, 0xd2, 0x7e, 0x9d, 0x29, 0x2c, 0xf8, 0x28, 0xea, 0xb0, 0x21, 0x0f, 0xfc, 0xce, 0x78, 0x63,
-	0x78, 0xba, 0xa1, 0x57, 0x5a, 0xcc, 0xa9, 0xc3, 0xda, 0x3b, 0x5f, 0xc8, 0xe3, 0x88, 0x77, 0x98,
-	0x10, 0x4c, 0xb8, 0xec, 0x0f, 0x23, 0x26, 0x24, 0x59, 0x85, 0xbc, 0xcb, 0xce, 0xa8, 0xb5, 0x6e,
-	0xd5, 0x2b, 0xae, 0x5a, 0x3a, 0xc7, 0x70, 0xff, 0x1a, 0x52, 0x0c, 0x79, 0x28, 0x18, 0xd9, 0x82,
-	0xa5, 0x83, 0xf0, 0x8c, 0x0b, 0x6a, 0xad, 0xe7, 0xeb, 0xd5, 0xcd, 0x67, 0x8d, 0x79, 0xce, 0x35,
-	0x8c, 0x9c, 0x42, 0xba, 0x1a, 0xef, 0x08, 0xa8, 0xa6, 0xb8, 0xe4, 0x31, 0x54, 0x62, 0x72, 0xd7,
-	0x18, 0x9e, 0x30, 0x48, 0x0b, 0x96, 0x0f, 0xc2, 0x0b, 0xde, 0x67, 0x4d, 0x1e, 0x9e, 0xf9, 0x3d,
-	0x9a, 0x5b, 0xb7, 0xea, 0xd5, 0x4d, 0x67, 0xbe, 0xb1, 0x34, 0xd2, 0x9d, 0x92, 0x73, 0xbe, 0x03,
-	0xba, 0xeb, 0x8b, 0x0e, 0x0f, 0x43, 0xd6, 0x89, 0x9d, 0xc9, 0x74, 0x7a, 0x7a, 0x4f, 0xb9, 0x6b,
-	0x7b, 0x72, 0x1e, 0xc1, 0xc3, 0x39, 0xba, 0x74, 0x58, 0x9c, 0xdf, 0xc3, 0xf2, 0x8e, 0xda, 0x5b,
-	0xb6, 0xf2, 0x6f, 0xa0, 0x74, 0x34, 0x94, 0x3e, 0x0f, 0xc5, 0x62, 0x6f, 0x50, 0x8d, 0x41, 0xba,
-	0xb1, 0x88, 0xf3, 0xf7, 0x65, 0x63, 0xc0, 0x30, 0xc8, 0x3a, 0x54, 0x9b, 0x3c, 0x94, 0xec, 0x4a,
-	0x1e, 0x7b, 0xf2, 0xdc, 0x18, 0x4a, 0xb3, 0xc8, 0x67, 0xb0, 0xb2, 0xcb, 0x3b, 0x7d, 0x16, 0x9d,
-	0xf9, 0x01, 0x3b, 0xf4, 0x06, 0xcc, 0xb8, 0x74, 0x8d, 0x4b, 0xbe, 0x55, 0x5e, 0xfb, 0xa1, 0x6c,
-	0x8d, 0xc2, 0x0e, 0xcd, 0xe3, 0xd6, 0x9e, 0x66, 0x9d, 0xaa, 0x81, 0xb9, 0x13, 0x09, 0xf2, 0x3b,
-	0xa8, 0x29, 0x35, 0x5d, 0x63, 0x5a, 0xd0, 0x02, 0x26, 0xc6, 0xeb, 0x9b, 0xbd, 0x6b, 0x4c, 0xc9,
-	0xed, 0x85, 0x32, 0x1a, 0xbb, 0xd3, 0xba, 0xc8, 0x1a, 0x2c, 0x6d, 0x07, 0x01, 0xbf, 0xa4, 0x4b,
-	0xeb, 0xf9, 0x7a, 0xc5, 0xd5, 0x04, 0xf9, 0x25, 0x94, 0xb6, 0xa5, 0x64, 0x42, 0x0a, 0x5a, 0x44,
-	0x63, 0x8f, 0xe7, 0x1b, 0xd3, 0x20, 0x37, 0x06, 0x93, 0x23, 0xa8, 0xa0, 0xfd, 0xed, 0xa8, 0x27,
-	0x68, 0x09, 0x25, 0xbf, 0xb8, 0xc5, 0x36, 0x13, 0x19, 0xbd, 0xc5, 0x89, 0x0e, 0xb2, 0x07, 0x95,
-	0xa6, 0xd7, 0x39, 0x67, 0xad, 0x88, 0x0f, 0x68, 0x19, 0x15, 0xfe, 0x74, 0xbe, 0x42, 0x84, 0x19,
-	0x85, 0x46, 0x4d, 0x22, 0x49, 0xb6, 0xa1, 0x84, 0xc4, 0x09, 0xa7, 0x95, 0xbb, 0x29, 0x89, 0xe5,
-	0x88, 0x03, 0xcb, 0xcd, 0x5e, 0xc4, 0x47, 0xc3, 0x63, 0x2f, 0x62, 0xa1, 0xa4, 0x80, 0x47, 0x3d,
-	0xc5, 0x23, 0x6f, 0xa1, 0xb4, 0x77, 0x35, 0xe4, 0x91, 0x14, 0xb4, 0xba, 0xe8, 0xf2, 0x6a, 0x90,
-	0x31, 0x60, 0x24, 0xc8, 0x13, 0x80, 0xbd, 0x2b, 0x19, 0x79, 0xfb, 0x5c, 0x85, 0x7d, 0x19, 0x8f,
-	0x23, 0xc5, 0x21, 0x2d, 0x28, 0xbe, 0xf3, 0x4e, 0x59, 0x20, 0x68, 0x0d, 0x75, 0x37, 0x6e, 0x11,
-	0x58, 0x2d, 0xa0, 0x0d, 0x19, 0x69, 0x95, 0xd7, 0x87, 0x4c, 0x5e, 0xf2, 0xa8, 0xff, 0x9e, 0x77,
-	0x19, 0x5d, 0xd1, 0x79, 0x9d, 0x62, 0x91, 0x17, 0x50, 0x3b, 0xe4, 0x3a, 0x78, 0x7e, 0x20, 0x59,
-	0x44, 0x3f, 0xc1, 0xcd, 0x4c, 0x33, 0xf1, 0x2e, 0x07, 0x9e, 0x3c, 0xe3, 0xd1, 0x40, 0xd0, 0x55,
-	0x44, 0x4c, 0x18, 0x2a, 0x83, 0xda, 0xac, 0x13, 0x31, 0x29, 0xe8, 0xbd, 0x45, 0x19, 0xa4, 0x41,
-	0x6e, 0x0c, 0x26, 0x14, 0x4a, 0xed, 0xf3, 0x41, 0xdb, 0xff, 0x23, 0xa3, 0x64, 0xdd, 0xaa, 0xe7,
-	0xdd, 0x98, 0x24, 0xaf, 0x20, 0xdf, 0x6e, 0xef, 0xd3, 0x1f, 0xa3, 0xb6, 0x87, 0x19, 0xda, 0xda,
-	0xfb, 0xae, 0x42, 0x11, 0x02, 0x85, 0x13, 0xaf, 0x27, 0xe8, 0x1a, 0xee, 0x0b, 0xd7, 0xe4, 0x01,
-	0x14, 0x4f, 0xbc, 0xa8, 0xc7, 0x24, 0xbd, 0x8f, 0x3e, 0x1b, 0x8a, 0xbc, 0x81, 0xd2, 0x87, 0xc0,
-	0x1f, 0xf8, 0x52, 0xd0, 0x07, 0x8b, 0x2e, 0xa7, 0x06, 0x1d, 0x0d, 0xa5, 0x1b, 0xe3, 0xd5, 0x6e,
-	0x31, 0xde, 0x2c, 0xa2, 0x3f, 0x41, 0x9d, 0x31, 0xa9, 0xbe, 0x98, 0x70, 0x51, 0xba, 0x6e, 0xd5,
-	0xcb, 0x6e, 0x4c, 0xaa, 0xad, 0x1d, 0x8f, 0x82, 0x80, 0x3e, 0x44, 0x36, 0xae, 0xf5, 0xd9, 0xab,
-	0x34, 0x38, 0x1e, 0x89, 0x73, 0x6a, 0xe3, 0x97, 0x14, 0x67, 0xf2, 0xfd, 0x1d, 0xf7, 0xba, 0xf4,
-	0x51, 0xfa, 0xbb, 0xe2, 0x90, 0x03, 0x58, 0x6e, 0x63, 0x5b, 0x3a, 0xc6, 0x66, 0x44, 0x1f, 0xa3,
-	0x1f, 0x2f, 0x1b, 0xaa, 0x73, 0x35, 0xe2, 0xce, 0xa5, 0x7c, 0x48, 0x37, 0xaf, 0x86, 0x06, 0xbb,
-	0x53, 0xa2, 0x71, 0x5d, 0xfd, 0x74, 0x52, 0x57, 0x6d, 0x28, 0xff, 0x5a, 0x25, 0xb9, 0x62, 0x3f,
-	0x41, 0x76, 0x42, 0xab, 0x64, 0xda, 0x0e, 0x43, 0x2e, 0x3d, 0x5d, 0x77, 0x9f, 0x62, 0xb8, 0xd3,
-	0x2c, 0xfb, 0x57, 0x40, 0x66, 0xab, 0x90, 0xb2, 0xd2, 0x67, 0xe3, 0xb8, 0x7a, 0xf7, 0xd9, 0x58,
-	0x15, 0xa2, 0x0b, 0x2f, 0x18, 0xc5, 0x35, 0x54, 0x13, 0x5f, 0xe7, 0xbe, 0xb2, 0xec, 0x6f, 0x60,
-	0x65, 0xba, 0x40, 0xdc, 0x49, 0xfa, 0x0d, 0x54, 0x53, 0xb7, 0xe0, 0x2e, 0xa2, 0xce, 0xbf, 0x2d,
-	0xa8, 0xa6, 0xae, 0x2a, 0x26, 0xd5, 0x78, 0xc8, 0x8c, 0x30, 0xae, 0xc9, 0x0e, 0x2c, 0x6d, 0x4b,
-	0x19, 0xa9, 0x96, 0xa3, 0xf2, 0xf2, 0xe7, 0x37, 0x5e, 0xf8, 0x06, 0xc2, 0xf5, 0x95, 0xd4, 0xa2,
-	0x2a, 0x88, 0xbb, 0x4c, 0x48, 0x3f, 0xc4, 0x90, 0x61, 0x87, 0xa8, 0xb8, 0x69, 0x96, 0xfd, 0x15,
-	0xc0, 0x44, 0xec, 0x4e, 0x3e, 0xfc, 0xd3, 0x82, 0x7b, 0x33, 0x55, 0x6d, 0xae, 0x27, 0xfb, 0xd3,
-	0x9e, 0x6c, 0xde, 0xb2, 0x42, 0xce, 0xfa, 0xf3, 0x7f, 0xec, 0xf6, 0x10, 0x8a, 0xba, 0x95, 0xcc,
-	0xdd, 0xa1, 0x0d, 0xe5, 0x5d, 0x5f, 0x78, 0xa7, 0x01, 0xeb, 0xa2, 0x68, 0xd9, 0x4d, 0x68, 0xec,
-	0x63, 0xb8, 0x7b, 0x1d, 0x3d, 0x4d, 0x38, 0xba, 0x66, 0x90, 0x15, 0xc8, 0x25, 0x33, 0x50, 0xee,
-	0x60, 0x57, 0x81, 0x55, 0x03, 0xd7, 0xae, 0x56, 0x5c, 0x4d, 0x38, 0x2d, 0x28, 0xea, 0x2a, 0x34,
-	0x83, 0xb7, 0xa1, 0xdc, 0xf2, 0x03, 0x86, 0x73, 0x80, 0xde, 0x73, 0x42, 0x2b, 0xf7, 0xf6, 0xc2,
-	0x0b, 0x63, 0x56, 0x2d, 0x9d, 0xad, 0x54, 0xbb, 0x57, 0x7e, 0xe0, 0x64, 0x60, 0xfc, 0xc0, 0x79,
-	0xe0, 0x01, 0x14, 0x5b, 0x3c, 0x1a, 0x78, 0xd2, 0x28, 0x33, 0x94, 0xe3, 0xc0, 0xca, 0x41, 0x28,
-	0x86, 0xac, 0x23, 0xb3, 0xc7, 0xc6, 0x23, 0xf8, 0x24, 0xc1, 0x98, 0x81, 0x31, 0x35, 0xf7, 0x58,
-	0x77, 0x9f, 0x7b, 0xfe, 0x61, 0x41, 0x25, 0xa9, 0x6c, 0xa4, 0x09, 0x45, 0x3c, 0x8d, 0x78, 0xfa,
-	0x7c, 0x75, 0x43, 0x29, 0x6c, 0x7c, 0x44, 0xb4, 0xe9, 0x30, 0x5a, 0xd4, 0xfe, 0x1e, 0xaa, 0x29,
-	0xf6, 0x9c, 0x04, 0xd8, 0x4c, 0x27, 0x40, 0x66, 0x6b, 0xd0, 0x46, 0xd2, 0xe9, 0xb1, 0x0b, 0x45,
-	0xcd, 0x9c, 0x1b, 0x56, 0x02, 0x85, 0x7d, 0x2f, 0xd2, 0xa9, 0x91, 0x77, 0x71, 0xad, 0x78, 0x6d,
-	0x7e, 0x26, 0xf1, 0x78, 0xf2, 0x2e, 0xae, 0x9d, 0x7f, 0x59, 0x50, 0x33, 0xa3, 0xa4, 0x89, 0x20,
-	0x83, 0x55, 0x7d, 0x43, 0x59, 0x14, 0xf3, 0x8c, 0xff, 0x6f, 0x16, 0x84, 0x32, 0x86, 0x36, 0xae,
-	0xcb, 0xea, 0x68, 0xcc, 0xa8, 0xb4, 0x9b, 0x70, 0x7f, 0x2e, 0xf4, 0x4e, 0x57, 0xe4, 0x25, 0xdc,
-	0x9b, 0x0c, 0xc9, 0xd9, 0x79, 0xb2, 0x06, 0x24, 0x0d, 0x33, 0x43, 0xf4, 0x53, 0xa8, 0xaa, 0x47,
-	0x47, 0xb6, 0x98, 0x03, 0xcb, 0x1a, 0x60, 0x22, 0x43, 0xa0, 0xd0, 0x67, 0x63, 0x9d, 0x0d, 0x15,
-	0x17, 0xd7, 0xce, 0xdf, 0x2c, 0xf5, 0x76, 0x18, 0x8e, 0xe4, 0x7b, 0x26, 0x84, 0xd7, 0x53, 0x09,
-	0x58, 0x38, 0x08, 0x7d, 0x69, 0xb2, 0xef, 0xb3, 0xac, 0x37, 0xc4, 0x70, 0x24, 0x15, 0xcc, 0x48,
-	0xed, 0xff, 0xc8, 0x45, 0x29, 0xb2, 0x05, 0x85, 0x5d, 0x4f, 0x7a, 0x26, 0x17, 0x32, 0x26, 0x26,
-	0x85, 0x48, 0x09, 0x2a, 0x72, 0xa7, 0xa4, 0x1e, 0x4a, 0xc3, 0x91, 0x74, 0x5e, 0xc0, 0xea, 0x75,
-	0xed, 0x73, 0x5c, 0xfb, 0x12, 0xaa, 0x29, 0x2d, 0x78, 0x6f, 0x8f, 0x5a, 0x08, 0x28, 0xbb, 0x6a,
-	0xa9, 0x7c, 0x4d, 0x36, 0xb2, 0xac, 0x6d, 0x38, 0x9f, 0x40, 0x0d, 0x55, 0x27, 0x11, 0xfc, 0x53,
-	0x0e, 0x4a, 0xb1, 0x8a, 0xad, 0x29, 0xbf, 0x9f, 0x65, 0xf9, 0x3d, 0xeb, 0xf2, 0x6b, 0x28, 0xa8,
-	0xfa, 0x61, 0x5c, 0xce, 0x18, 0x37, 0x5a, 0xdd, 0x94, 0x98, 0x82, 0x93, 0x6f, 0xa1, 0xe8, 0x32,
-	0xa1, 0x46, 0x23, 0xfd, 0x88, 0x78, 0x3e, 0x5f, 0x50, 0x63, 0x26, 0xc2, 0x46, 0x48, 0x89, 0xb7,
-	0xfd, 0x5e, 0xe8, 0x05, 0xb4, 0xb0, 0x48, 0x5c, 0x63, 0x52, 0xe2, 0x9a, 0x31, 0x09, 0xf7, 0x5f,
-	0x2c, 0xa8, 0x2e, 0x0c, 0xf5, 0xe2, 0x67, 0xde, 0xcc, 0xd3, 0x33, 0xff, 0x3f, 0x3e, 0x3d, 0xff,
-	0x9c, 0x9b, 0x56, 0x84, 0x53, 0x92, 0xba, 0x4f, 0x43, 0xee, 0x87, 0xd2, 0xa4, 0x6c, 0x8a, 0xa3,
-	0x36, 0xda, 0x1c, 0x74, 0x4d, 0xd1, 0x57, 0x4b, 0x75, 0xcd, 0x0e, 0xb9, 0xe2, 0x55, 0x31, 0x0d,
-	0x34, 0x31, 0x29, 0xe9, 0x79, 0x53, 0xd2, 0x55, 0x6a, 0x7c, 0x10, 0x2c, 0xc2, 0xc0, 0x55, 0x5c,
-	0x5c, 0xab, 0x2a, 0x7e, 0xc8, 0x91, 0xbb, 0x84, 0xc2, 0x86, 0x42, 0x2b, 0x97, 0x5d, 0x5a, 0xd4,
-	0xe1, 0x68, 0x5e, 0xc6, 0x56, 0x2e, 0xbb, 0xb4, 0x94, 0x58, 0xb9, 0x44, 0x2b, 0x27, 0x72, 0x4c,
-	0xcb, 0x3a, 0x01, 0x4f, 0xe4, 0x58, 0xb5, 0x19, 0x97, 0x07, 0xc1, 0xa9, 0xd7, 0xe9, 0xd3, 0x8a,
-	0xee, 0x6f, 0x31, 0xad, 0xe6, 0x49, 0x15, 0x73, 0xdf, 0x0b, 0xf0, 0xe5, 0x51, 0x76, 0x63, 0xd2,
-	0xd9, 0x86, 0x4a, 0x92, 0x2a, 0xaa, 0x73, 0xb5, 0xba, 0x78, 0x14, 0x35, 0x37, 0xd7, 0xea, 0xc6,
-	0x59, 0x9e, 0x9b, 0xcd, 0xf2, 0x7c, 0x2a, 0xcb, 0xb7, 0xa0, 0x36, 0x95, 0x34, 0x0a, 0xe4, 0xf2,
-	0x4b, 0x61, 0x14, 0xe1, 0x5a, 0xf1, 0x9a, 0x3c, 0xd0, 0x6f, 0xeb, 0x9a, 0x8b, 0x6b, 0xe7, 0x39,
-	0xd4, 0xa6, 0xd2, 0x65, 0x5e, 0x5d, 0x76, 0x9e, 0x41, 0xad, 0x2d, 0x3d, 0x39, 0x5a, 0xf0, 0x67,
-	0xc8, 0x7f, 0x2c, 0x58, 0x89, 0x31, 0xa6, 0xf2, 0xfc, 0x02, 0xca, 0x17, 0x2c, 0x92, 0xec, 0x2a,
-	0xe9, 0x45, 0x74, 0x76, 0x9c, 0xfd, 0x88, 0x08, 0x37, 0x41, 0x92, 0xaf, 0xa1, 0x2c, 0x50, 0x0f,
-	0x8b, 0xe7, 0x98, 0x27, 0x59, 0x52, 0xc6, 0x5e, 0x82, 0x27, 0x1b, 0x50, 0x08, 0x78, 0x4f, 0xe0,
-	0xb9, 0x57, 0x37, 0x1f, 0x65, 0xc9, 0xbd, 0xe3, 0x3d, 0x17, 0x81, 0xe4, 0x2d, 0x94, 0x2f, 0xbd,
-	0x28, 0xf4, 0xc3, 0x5e, 0xfc, 0x26, 0x7f, 0x9a, 0x25, 0xf4, 0xbd, 0xc6, 0xb9, 0x89, 0x80, 0x53,
-	0x53, 0x97, 0xe8, 0x8c, 0x9b, 0x98, 0x38, 0xbf, 0x51, 0xb9, 0xac, 0x48, 0xe3, 0xfe, 0x01, 0xd4,
-	0xf4, 0x7d, 0xf8, 0xc8, 0x22, 0xa1, 0xa6, 0x42, 0x6b, 0xd1, 0x9d, 0xdd, 0x49, 0x43, 0xdd, 0x69,
-	0x49, 0xe7, 0x07, 0xd3, 0xee, 0x62, 0x86, 0xca, 0xa5, 0xa1, 0xd7, 0xe9, 0x7b, 0xbd, 0xf8, 0x9c,
-	0x62, 0x52, 0x7d, 0xb9, 0x30, 0xf6, 0xf4, 0xb5, 0x8d, 0x49, 0x95, 0x9b, 0x11, 0xbb, 0xf0, 0xc5,
-	0x64, 0x40, 0x4d, 0xe8, 0xcd, 0xbf, 0x96, 0x00, 0x9a, 0xc9, 0x7e, 0xc8, 0x31, 0x2c, 0xa1, 0x3d,
-	0xe2, 0x2c, 0x6c, 0x9e, 0xe8, 0xb7, 0xfd, 0xfc, 0x16, 0x0d, 0x96, 0x7c, 0x54, 0xc9, 0x8f, 0x43,
-	0x0f, 0x79, 0x91, 0x55, 0x26, 0xd2, 0x73, 0x93, 0xfd, 0xf2, 0x06, 0x94, 0xd1, 0xfb, 0x01, 0x8a,
-	0x3a, 0x0b, 0x48, 0x56, 0x2d, 0x4c, 0xe7, 0xad, 0xfd, 0x62, 0x31, 0x48, 0x2b, 0xfd, 0xdc, 0x22,
-	0xae, 0xa9, 0x94, 0xc4, 0x59, 0xd0, 0x0a, 0xcd, 0x8d, 0xc9, 0x0a, 0xc0, 0x54, 0xd7, 0xa9, 0x5b,
-	0xe4, 0x3b, 0x28, 0xea, 0x5a, 0x47, 0x3e, 0x9d, 0x2f, 0x10, 0xeb, 0x5b, 0xfc, 0xb9, 0x6e, 0x7d,
-	0x6e, 0x91, 0xf7, 0x50, 0x50, 0x4d, 0x9e, 0x64, 0x74, 0xac, 0xd4, 0x84, 0x60, 0x3b, 0x8b, 0x20,
-	0x26, 0x8a, 0x3f, 0x00, 0x4c, 0x46, 0x0d, 0x92, 0xf1, 0xcf, 0xca, 0xcc, 0xcc, 0x62, 0xd7, 0x6f,
-	0x06, 0x1a, 0x03, 0xef, 0x55, 0x9f, 0x3d, 0xe3, 0x24, 0xb3, 0xc3, 0x26, 0xd7, 0xc8, 0x76, 0x16,
-	0x41, 0x8c, 0xba, 0x73, 0xa8, 0x4d, 0xfd, 0xf3, 0x4a, 0x7e, 0x96, 0xed, 0xe4, 0xf5, 0x3f, 0x72,
-	0xed, 0x57, 0xb7, 0xc2, 0x1a, 0x4b, 0x32, 0x3d, 0xab, 0x99, 0xcf, 0xa4, 0x71, 0x93, 0xdf, 0xd3,
-	0xff, 0xa2, 0xda, 0x1b, 0xb7, 0xc6, 0x6b, 0xab, 0x3b, 0x85, 0xdf, 0xe6, 0x86, 0xa7, 0xa7, 0x45,
-	0xfc, 0x43, 0xfa, 0xcb, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0xe3, 0x77, 0x0e, 0x2f, 0x2e, 0x17,
-	0x00, 0x00,
+	// 1961 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x58, 0x5f, 0x73, 0x1b, 0xb7,
+	0x11, 0xef, 0x91, 0x14, 0xff, 0x2c, 0x45, 0xd9, 0x46, 0x6d, 0x17, 0x3e, 0x3b, 0xb6, 0x7c, 0xb6,
+	0x53, 0x4e, 0xdd, 0xa1, 0x12, 0xa5, 0x8e, 0xe3, 0x38, 0x9d, 0xa9, 0x44, 0x89, 0x95, 0x32, 0xb6,
+	0xa4, 0x01, 0x65, 0x67, 0x9a, 0xce, 0x34, 0x73, 0x22, 0x21, 0xea, 0x46, 0xa7, 0x03, 0x7b, 0x00,
+	0xf5, 0xa7, 0x4f, 0x7d, 0x68, 0xdf, 0x3a, 0xfd, 0x1e, 0x9d, 0x7e, 0x84, 0x3e, 0xf5, 0xa1, 0xdf,
+	0xa7, 0x1f, 0xa1, 0x83, 0x05, 0xee, 0x78, 0x14, 0x79, 0x94, 0xd4, 0x3c, 0x11, 0xbb, 0xf8, 0xed,
+	0x2e, 0x76, 0x6f, 0xb1, 0xbb, 0x20, 0xdc, 0xee, 0x89, 0x48, 0xc5, 0x22, 0x0c, 0x79, 0xdc, 0x1a,
+	0xc6, 0x42, 0x09, 0x72, 0xf7, 0x60, 0x14, 0x84, 0xfd, 0xf3, 0x56, 0x66, 0xe3, 0xf4, 0x73, 0xf7,
+	0xed, 0x20, 0x50, 0x47, 0xa3, 0x83, 0x56, 0x4f, 0x9c, 0xac, 0x9c, 0x88, 0x83, 0x8b, 0x15, 0x44,
+	0x1d, 0x07, 0x6a, 0xc5, 0x1f, 0x06, 0x2b, 0x92, 0xc7, 0xa7, 0x41, 0x8f, 0xcb, 0x15, 0x2b, 0x94,
+	0xfc, 0x1a, 0x95, 0xee, 0xab, 0x5c, 0x61, 0x29, 0x46, 0x71, 0x8f, 0x0f, 0x45, 0x18, 0xf4, 0x2e,
+	0x56, 0x86, 0x07, 0x2b, 0x66, 0x65, 0xc4, 0xbc, 0x26, 0xdc, 0x7d, 0x17, 0x48, 0xb5, 0x17, 0x8b,
+	0x1e, 0x97, 0x92, 0x4b, 0xc6, 0xff, 0x38, 0xe2, 0x52, 0x91, 0xdb, 0x50, 0x64, 0xfc, 0x90, 0x3a,
+	0xcb, 0x4e, 0xb3, 0xc6, 0xf4, 0xd2, 0xdb, 0x83, 0x7b, 0x97, 0x90, 0x72, 0x28, 0x22, 0xc9, 0xc9,
+	0x6b, 0x58, 0xd8, 0x8e, 0x0e, 0x85, 0xa4, 0xce, 0x72, 0xb1, 0x59, 0x5f, 0x7d, 0xda, 0x9a, 0xe5,
+	0x5c, 0xcb, 0xca, 0x69, 0x24, 0x33, 0x78, 0x4f, 0x42, 0x3d, 0xc3, 0x25, 0x8f, 0xa0, 0x96, 0x90,
+	0x1b, 0xd6, 0xf0, 0x98, 0x41, 0x3a, 0xb0, 0xb8, 0x1d, 0x9d, 0x8a, 0x63, 0xde, 0x16, 0xd1, 0x61,
+	0x30, 0xa0, 0x85, 0x65, 0xa7, 0x59, 0x5f, 0xf5, 0x66, 0x1b, 0xcb, 0x22, 0xd9, 0x84, 0x9c, 0xf7,
+	0x2d, 0xd0, 0x8d, 0x40, 0xf6, 0x44, 0x14, 0xf1, 0x5e, 0xe2, 0x4c, 0xae, 0xd3, 0x93, 0x67, 0x2a,
+	0x5c, 0x3a, 0x93, 0xf7, 0x10, 0x1e, 0xcc, 0xd0, 0x65, 0xc2, 0xe2, 0xfd, 0x01, 0x16, 0xd7, 0xf5,
+	0xd9, 0xf2, 0x95, 0x7f, 0x03, 0x95, 0xdd, 0xa1, 0x0a, 0x44, 0x24, 0xe7, 0x7b, 0x83, 0x6a, 0x2c,
+	0x92, 0x25, 0x22, 0xde, 0x7f, 0x16, 0xad, 0x01, 0xcb, 0x20, 0xcb, 0x50, 0x6f, 0x8b, 0x48, 0xf1,
+	0x73, 0xb5, 0xe7, 0xab, 0x23, 0x6b, 0x28, 0xcb, 0x22, 0x9f, 0xc2, 0xd2, 0x86, 0xe8, 0x1d, 0xf3,
+	0xf8, 0x30, 0x08, 0xf9, 0x8e, 0x7f, 0xc2, 0xad, 0x4b, 0x97, 0xb8, 0xe4, 0x6b, 0xa8, 0xb6, 0xfd,
+	0x30, 0xec, 0x8c, 0xa2, 0x1e, 0x2d, 0xe2, 0xc9, 0x1e, 0xcf, 0x3e, 0x59, 0x82, 0x62, 0x29, 0x9e,
+	0xfc, 0x1e, 0x1a, 0x5a, 0x47, 0xdf, 0xda, 0x95, 0xb4, 0x84, 0x59, 0xf1, 0xea, 0x6a, 0xd7, 0x5a,
+	0x13, 0x72, 0x9b, 0x91, 0x8a, 0x2f, 0xd8, 0xa4, 0x2e, 0x72, 0x17, 0x16, 0xd6, 0xc2, 0x50, 0x9c,
+	0xd1, 0x85, 0xe5, 0x62, 0xb3, 0xc6, 0x0c, 0x41, 0xbe, 0x84, 0xca, 0x9a, 0x52, 0x5c, 0x2a, 0x49,
+	0xcb, 0x68, 0xec, 0xd1, 0x6c, 0x63, 0x06, 0xc4, 0x12, 0x30, 0xd9, 0x85, 0x1a, 0xda, 0x5f, 0x8b,
+	0x07, 0x92, 0x56, 0x50, 0xf2, 0xf3, 0x6b, 0x1c, 0x33, 0x95, 0x31, 0x47, 0x1c, 0xeb, 0x20, 0x9b,
+	0x50, 0x6b, 0xfb, 0xbd, 0x23, 0xde, 0x89, 0xc5, 0x09, 0xad, 0xa2, 0xc2, 0x9f, 0xe7, 0x05, 0xae,
+	0x77, 0xc4, 0xad, 0x42, 0xab, 0x26, 0x95, 0x24, 0x6b, 0x50, 0x41, 0x62, 0x5f, 0xd0, 0xda, 0xcd,
+	0x94, 0x24, 0x72, 0xc4, 0x83, 0xc5, 0xf6, 0x20, 0x16, 0xa3, 0xe1, 0x9e, 0x1f, 0xf3, 0x48, 0x51,
+	0xc0, 0xef, 0x3c, 0xc1, 0x23, 0x6f, 0xa1, 0xb2, 0x79, 0x3e, 0x14, 0xb1, 0x92, 0xb4, 0x3e, 0xef,
+	0xe6, 0x1a, 0x90, 0x35, 0x60, 0x25, 0xc8, 0x63, 0x80, 0xcd, 0x73, 0x15, 0xfb, 0x5b, 0x42, 0x87,
+	0x7d, 0x11, 0x3f, 0x47, 0x86, 0x43, 0x3a, 0x50, 0x7e, 0xe7, 0x1f, 0xf0, 0x50, 0xd2, 0x06, 0xea,
+	0x6e, 0x5d, 0x23, 0xb0, 0x46, 0xc0, 0x18, 0xb2, 0xd2, 0x3a, 0xa9, 0x77, 0xb8, 0x3a, 0x13, 0xf1,
+	0xf1, 0x7b, 0xd1, 0xe7, 0x74, 0xc9, 0x24, 0x75, 0x86, 0x45, 0x9e, 0x43, 0x63, 0x47, 0x98, 0xe0,
+	0x05, 0xa1, 0xe2, 0x31, 0xbd, 0x85, 0x87, 0x99, 0x64, 0xe2, 0x45, 0x0e, 0x7d, 0x75, 0x28, 0xe2,
+	0x13, 0x49, 0x6f, 0x23, 0x62, 0xcc, 0xd0, 0x19, 0xd4, 0xe5, 0xbd, 0x98, 0x2b, 0x49, 0xef, 0xcc,
+	0xcb, 0x20, 0x03, 0x62, 0x09, 0x98, 0x50, 0xa8, 0x74, 0x8f, 0x4e, 0xba, 0xc1, 0x9f, 0x38, 0x25,
+	0xcb, 0x4e, 0xb3, 0xc8, 0x12, 0x92, 0xbc, 0x84, 0x62, 0xb7, 0xbb, 0x45, 0x7f, 0x8a, 0xda, 0x1e,
+	0xe4, 0x68, 0xeb, 0x6e, 0x31, 0x8d, 0x22, 0x04, 0x4a, 0xfb, 0xfe, 0x40, 0xd2, 0xbb, 0x78, 0x2e,
+	0x5c, 0x93, 0xfb, 0x50, 0xde, 0xf7, 0xe3, 0x01, 0x57, 0xf4, 0x1e, 0xfa, 0x6c, 0x29, 0xf2, 0x06,
+	0x2a, 0x1f, 0xc2, 0xe0, 0x24, 0x50, 0x92, 0xde, 0xc7, 0xab, 0xf9, 0x64, 0xb6, 0x72, 0x03, 0xda,
+	0x1d, 0x2a, 0x96, 0xe0, 0xf5, 0x69, 0x31, 0xde, 0x3c, 0xa6, 0x3f, 0x43, 0x9d, 0x09, 0xa9, 0x77,
+	0x6c, 0xb8, 0x28, 0x5d, 0x76, 0x9a, 0x55, 0x96, 0x90, 0xfa, 0x68, 0x7b, 0xa3, 0x30, 0xa4, 0x0f,
+	0x90, 0x8d, 0x6b, 0xf3, 0xed, 0x75, 0x1a, 0xec, 0x8d, 0xe4, 0x11, 0x75, 0x71, 0x27, 0xc3, 0x19,
+	0xef, 0xbf, 0x13, 0x7e, 0x9f, 0x3e, 0xcc, 0xee, 0x6b, 0x0e, 0xd9, 0x86, 0xc5, 0x2e, 0xf6, 0xa4,
+	0x3d, 0xec, 0x44, 0xf4, 0x11, 0xfa, 0xf1, 0xa2, 0xa5, 0xdb, 0x56, 0x2b, 0x69, 0x5b, 0xda, 0x87,
+	0x6c, 0xe7, 0x6a, 0x19, 0x30, 0x9b, 0x10, 0x4d, 0x8a, 0xea, 0x27, 0xe3, 0xa2, 0xea, 0x42, 0xf5,
+	0xb7, 0x3a, 0xc9, 0x35, 0xfb, 0x31, 0xb2, 0x53, 0x5a, 0x27, 0xd3, 0x5a, 0x14, 0x09, 0xe5, 0x9b,
+	0xa2, 0xfb, 0x04, 0xc3, 0x9d, 0x65, 0x91, 0x2f, 0xe1, 0xfe, 0x5e, 0x2c, 0x4e, 0x79, 0xe4, 0x47,
+	0x3d, 0x9e, 0x94, 0x72, 0xcc, 0xbc, 0x65, 0xd4, 0x95, 0xb3, 0xeb, 0xfe, 0x06, 0xc8, 0x74, 0xf5,
+	0xd2, 0xa7, 0x3b, 0xe6, 0x17, 0x49, 0xc9, 0x3f, 0xe6, 0x17, 0xba, 0x80, 0x9d, 0xfa, 0xe1, 0x28,
+	0x29, 0xbc, 0x86, 0xf8, 0xba, 0xf0, 0x95, 0xe3, 0x7e, 0x03, 0x4b, 0x93, 0x85, 0xe5, 0x46, 0xd2,
+	0x6f, 0xa0, 0x9e, 0xb9, 0x3d, 0x37, 0x11, 0xf5, 0xfe, 0xed, 0x40, 0x3d, 0x73, 0xc5, 0x31, 0x19,
+	0x2f, 0x86, 0xdc, 0x0a, 0xe3, 0x9a, 0xac, 0xc3, 0xc2, 0x9a, 0x52, 0xb1, 0xee, 0x53, 0x3a, 0x9f,
+	0x7f, 0x79, 0x65, 0xa1, 0x68, 0x21, 0xdc, 0x5c, 0x65, 0x23, 0xaa, 0x83, 0xbf, 0xc1, 0xa5, 0x0a,
+	0x22, 0x0c, 0x35, 0xf6, 0x95, 0x1a, 0xcb, 0xb2, 0xdc, 0xaf, 0x00, 0xc6, 0x62, 0x37, 0xf2, 0xe1,
+	0x9f, 0x0e, 0xdc, 0x99, 0xaa, 0x86, 0x33, 0x3d, 0xd9, 0x9a, 0xf4, 0x64, 0xf5, 0x9a, 0x95, 0x75,
+	0xda, 0x9f, 0x1f, 0x71, 0xda, 0x1d, 0x28, 0x9b, 0x16, 0x34, 0xf3, 0x84, 0x2e, 0x54, 0x37, 0x02,
+	0xe9, 0x1f, 0x84, 0xbc, 0x8f, 0xa2, 0x55, 0x96, 0xd2, 0xd8, 0xff, 0xf0, 0xf4, 0x26, 0x7a, 0x86,
+	0xf0, 0x4c, 0xad, 0x21, 0x4b, 0x50, 0x48, 0x07, 0xa7, 0xc2, 0xf6, 0x86, 0x06, 0xeb, 0xae, 0x6f,
+	0x5c, 0xad, 0x31, 0x43, 0x78, 0x1d, 0x28, 0x9b, 0xea, 0x35, 0x85, 0x77, 0xa1, 0xda, 0x09, 0x42,
+	0x8e, 0xc3, 0x83, 0x39, 0x73, 0x4a, 0x6b, 0xf7, 0x36, 0xa3, 0x53, 0x6b, 0x56, 0x2f, 0xbd, 0xef,
+	0xc7, 0x33, 0x82, 0x76, 0x03, 0xa7, 0x09, 0xeb, 0x06, 0xce, 0x10, 0xf7, 0xa1, 0xdc, 0x11, 0xf1,
+	0x89, 0xaf, 0xac, 0x2e, 0x4b, 0xe9, 0xce, 0xb4, 0x3d, 0x88, 0x44, 0xcc, 0xbb, 0xca, 0x57, 0x23,
+	0xe3, 0x49, 0x95, 0x4d, 0xf0, 0x3c, 0x0f, 0x96, 0xb6, 0x23, 0x39, 0xe4, 0x3d, 0x95, 0x3f, 0x8e,
+	0xee, 0xc2, 0xad, 0x14, 0x63, 0x07, 0xd1, 0xcc, 0x3c, 0xe5, 0xdc, 0x7c, 0x9e, 0xfa, 0x87, 0x03,
+	0xb5, 0xb4, 0x68, 0x92, 0x36, 0x94, 0xf1, 0x83, 0x25, 0x53, 0xed, 0xcb, 0x2b, 0xaa, 0x6c, 0xeb,
+	0x23, 0xa2, 0x6d, 0xf3, 0x32, 0xa2, 0xee, 0x77, 0x50, 0xcf, 0xb0, 0x67, 0xe4, 0xc8, 0x6a, 0x36,
+	0x47, 0x72, 0xbb, 0x8e, 0x31, 0x92, 0xcd, 0xa0, 0x0d, 0x28, 0x1b, 0xe6, 0xcc, 0xd0, 0x13, 0x28,
+	0x6d, 0xf9, 0xb1, 0xc9, 0x9e, 0x22, 0xc3, 0xb5, 0xe6, 0x75, 0xc5, 0xa1, 0xc2, 0x70, 0x17, 0x19,
+	0xae, 0xbd, 0x7f, 0x39, 0xd0, 0xb0, 0x23, 0xaa, 0x8d, 0x20, 0x87, 0xdb, 0xe6, 0x12, 0xf3, 0x38,
+	0xe1, 0x59, 0xff, 0xdf, 0xcc, 0x09, 0x65, 0x02, 0x6d, 0x5d, 0x96, 0x35, 0xd1, 0x98, 0x52, 0xe9,
+	0xb6, 0xe1, 0xde, 0x4c, 0xe8, 0x8d, 0x6e, 0xd1, 0x0b, 0xb8, 0x33, 0x1e, 0xbe, 0xf3, 0xf3, 0xe4,
+	0x2e, 0x90, 0x2c, 0xcc, 0x0e, 0xe7, 0x4f, 0xa0, 0xae, 0x1f, 0x33, 0xf9, 0x62, 0x1e, 0x2c, 0x1a,
+	0x80, 0x8d, 0x0c, 0x81, 0xd2, 0x31, 0xbf, 0x30, 0xd9, 0x50, 0x63, 0xb8, 0xf6, 0xfe, 0xee, 0xe8,
+	0x37, 0xc9, 0x70, 0xa4, 0xde, 0x73, 0x29, 0xfd, 0x81, 0x4e, 0xc0, 0xd2, 0x76, 0x14, 0x28, 0x9b,
+	0x7d, 0x9f, 0xe6, 0xbd, 0x4d, 0x86, 0x23, 0xa5, 0x61, 0x56, 0x6a, 0xeb, 0x27, 0x0c, 0xa5, 0xc8,
+	0x6b, 0x28, 0x6d, 0xf8, 0xca, 0xb7, 0xb9, 0x90, 0x33, 0x8c, 0x69, 0x44, 0x46, 0x50, 0x93, 0xeb,
+	0x15, 0xfd, 0x00, 0x1b, 0x8e, 0x94, 0xf7, 0x1c, 0x6e, 0x5f, 0xd6, 0x3e, 0xc3, 0xb5, 0x2f, 0xa0,
+	0x9e, 0xd1, 0x82, 0x57, 0x7b, 0xb7, 0x83, 0x80, 0x2a, 0xd3, 0x4b, 0xed, 0x6b, 0x7a, 0x90, 0x45,
+	0x63, 0xc3, 0xbb, 0x05, 0x0d, 0x54, 0x9d, 0x46, 0xf0, 0xcf, 0x05, 0xa8, 0x24, 0x2a, 0x5e, 0x4f,
+	0xf8, 0xfd, 0x34, 0xcf, 0xef, 0x69, 0x97, 0x5f, 0x41, 0x49, 0x97, 0x18, 0xeb, 0x72, 0xce, 0x24,
+	0xd3, 0xe9, 0x67, 0xc4, 0x34, 0x9c, 0xfc, 0x1a, 0xca, 0x8c, 0x4b, 0x3d, 0x75, 0x99, 0xd7, 0xc9,
+	0xb3, 0xd9, 0x82, 0x06, 0x33, 0x16, 0xb6, 0x42, 0x5a, 0xbc, 0x1b, 0x0c, 0x22, 0x3f, 0xa4, 0xa5,
+	0x79, 0xe2, 0x06, 0x93, 0x11, 0x37, 0x8c, 0x71, 0xb8, 0xff, 0xea, 0x40, 0x7d, 0x6e, 0xa8, 0xe7,
+	0x3f, 0x1f, 0xa7, 0x9e, 0xb4, 0xc5, 0xff, 0xf3, 0x49, 0xfb, 0x97, 0xc2, 0xa4, 0x22, 0x1c, 0xc0,
+	0xf4, 0x7d, 0x1a, 0x8a, 0x20, 0x52, 0x36, 0x65, 0x33, 0x1c, 0x7d, 0xd0, 0xf6, 0x49, 0xdf, 0xf6,
+	0x05, 0xbd, 0xd4, 0xd7, 0x6c, 0x47, 0x68, 0x5e, 0x1d, 0xd3, 0xc0, 0x10, 0xe3, 0xaa, 0x5f, 0xb4,
+	0x55, 0x5f, 0xa7, 0xc6, 0x07, 0xc9, 0x63, 0x0c, 0x5c, 0x8d, 0xe1, 0x5a, 0x57, 0xfa, 0x1d, 0x81,
+	0xdc, 0x05, 0x14, 0xb6, 0x14, 0x5a, 0x39, 0xeb, 0xd3, 0xb2, 0x09, 0x47, 0xfb, 0x2c, 0xb1, 0x72,
+	0xd6, 0xa7, 0x95, 0xd4, 0xca, 0x19, 0x5a, 0xd9, 0x57, 0x17, 0xb4, 0x6a, 0x12, 0x70, 0x5f, 0x5d,
+	0xe8, 0x4e, 0xc4, 0x44, 0x18, 0x1e, 0xf8, 0xbd, 0x63, 0x5a, 0x33, 0x2d, 0x30, 0xa1, 0xf5, 0xa8,
+	0xaa, 0x63, 0x1e, 0xf8, 0x21, 0x3e, 0x6a, 0xaa, 0x2c, 0x21, 0xbd, 0x35, 0xa8, 0xa5, 0xa9, 0xa2,
+	0x9b, 0x5b, 0xa7, 0x8f, 0x9f, 0xa2, 0xc1, 0x0a, 0x9d, 0x7e, 0x92, 0xe5, 0x85, 0xe9, 0x2c, 0x2f,
+	0x66, 0xb2, 0xfc, 0x35, 0x34, 0x26, 0x92, 0x46, 0x83, 0x98, 0x38, 0x93, 0x56, 0x11, 0xae, 0x35,
+	0xaf, 0x2d, 0x42, 0xf3, 0x66, 0x6f, 0x30, 0x5c, 0x7b, 0xcf, 0xa0, 0x31, 0x91, 0x2e, 0xb3, 0xea,
+	0xb2, 0xf7, 0x14, 0x1a, 0xa6, 0xc1, 0xe5, 0x97, 0x9d, 0xff, 0x3a, 0xb0, 0x94, 0x60, 0x6c, 0xe5,
+	0xf9, 0x15, 0x54, 0x4f, 0x79, 0xac, 0xf8, 0x79, 0xda, 0x8b, 0xe8, 0xf4, 0xa4, 0xfc, 0x11, 0x11,
+	0x2c, 0x45, 0xea, 0x27, 0xbc, 0x44, 0x3d, 0x3c, 0x19, 0x75, 0x1e, 0xe7, 0x49, 0x59, 0x7b, 0x29,
+	0x9e, 0xac, 0x40, 0x29, 0x14, 0x03, 0x89, 0xdf, 0xbd, 0xbe, 0xfa, 0x30, 0x4f, 0xee, 0x9d, 0x18,
+	0x30, 0x04, 0x92, 0xb7, 0x50, 0x3d, 0xf3, 0xe3, 0x28, 0x88, 0x06, 0xc9, 0x73, 0xff, 0x49, 0x9e,
+	0xd0, 0x77, 0x06, 0xc7, 0x52, 0x01, 0xaf, 0xa1, 0x2f, 0xd1, 0xa1, 0xb0, 0x31, 0xf1, 0x7e, 0xa7,
+	0x73, 0x59, 0x93, 0xd6, 0xfd, 0x6d, 0x68, 0x98, 0xfb, 0xf0, 0x91, 0xc7, 0x52, 0x0f, 0x8e, 0xce,
+	0xbc, 0x3b, 0xbb, 0x9e, 0x85, 0xb2, 0x49, 0x49, 0xef, 0x07, 0xdb, 0xee, 0x12, 0x86, 0xce, 0xa5,
+	0xa1, 0xdf, 0x3b, 0xf6, 0x07, 0xc9, 0x77, 0x4a, 0x48, 0xbd, 0x73, 0x6a, 0xed, 0x99, 0x6b, 0x9b,
+	0x90, 0x3a, 0x37, 0x63, 0x7e, 0x1a, 0xc8, 0xf1, 0x0c, 0x9b, 0xd2, 0xab, 0x7f, 0xab, 0x00, 0xb4,
+	0xd3, 0xf3, 0x90, 0x3d, 0x58, 0x40, 0x7b, 0xc4, 0x9b, 0xdb, 0x3c, 0xd1, 0x6f, 0xf7, 0xd9, 0x35,
+	0x1a, 0x2c, 0xf9, 0xa8, 0x93, 0x1f, 0x87, 0x1e, 0xf2, 0x3c, 0xaf, 0x4c, 0x64, 0xe7, 0x26, 0xf7,
+	0xc5, 0x15, 0x28, 0xab, 0xf7, 0x03, 0x94, 0x4d, 0x16, 0x90, 0xbc, 0x5a, 0x98, 0xcd, 0x5b, 0xf7,
+	0xf9, 0x7c, 0x90, 0x51, 0xfa, 0x99, 0x43, 0x98, 0xad, 0x94, 0xc4, 0x9b, 0xd3, 0x0a, 0xed, 0x8d,
+	0xc9, 0x0b, 0xc0, 0x44, 0xd7, 0x69, 0x3a, 0xe4, 0x5b, 0x28, 0x9b, 0x5a, 0x47, 0x3e, 0x99, 0x2d,
+	0x90, 0xe8, 0x9b, 0xbf, 0xdd, 0x74, 0x3e, 0x73, 0xc8, 0x7b, 0x28, 0xe9, 0x26, 0x4f, 0x72, 0x3a,
+	0x56, 0x66, 0x42, 0x70, 0xbd, 0x79, 0x10, 0x1b, 0xc5, 0x1f, 0x00, 0xc6, 0xa3, 0x06, 0xc9, 0xf9,
+	0xd3, 0x66, 0x6a, 0x66, 0x71, 0x9b, 0x57, 0x03, 0xad, 0x81, 0xf7, 0xba, 0xcf, 0x1e, 0x0a, 0x92,
+	0xdb, 0x61, 0xd3, 0x6b, 0xe4, 0x7a, 0xf3, 0x20, 0x56, 0xdd, 0x11, 0x34, 0x26, 0xfe, 0xd1, 0x25,
+	0xbf, 0xc8, 0x77, 0xf2, 0xf2, 0x1f, 0xc4, 0xee, 0xcb, 0x6b, 0x61, 0xad, 0x25, 0x95, 0x9d, 0xd5,
+	0xec, 0x36, 0x69, 0x5d, 0xe5, 0xf7, 0xe4, 0xbf, 0xb3, 0xee, 0xca, 0xb5, 0xf1, 0xc6, 0xea, 0x7a,
+	0xe9, 0xfb, 0xc2, 0xf0, 0xe0, 0xa0, 0x8c, 0x7f, 0x74, 0x7f, 0xf1, 0xbf, 0x00, 0x00, 0x00, 0xff,
+	0xff, 0xc9, 0xe6, 0x4b, 0xb6, 0x86, 0x17, 0x00, 0x00,
 }

 // Reference imports to suppress errors if they are not otherwise used.
--- a/controller/pb/controller.proto
+++ b/controller/pb/controller.proto
@@ -49,7 +49,7 @@ message BuildRequest {
 message BuildOptions {
  string ContextPath = 1;
  string DockerfileName = 2;
-  PrintFunc PrintFunc = 3;
+  CallFunc CallFunc = 3;
  map<string, string> NamedContexts = 4;

  repeated string Allow = 5;
@@ -80,6 +80,7 @@ message BuildOptions {
  string Ref = 29;
  string GroupRef = 30;
  repeated string Annotations = 31;
+  string ProvenanceResponseMode = 32;
 }

 message ExportEntry {
@@ -110,9 +111,10 @@ message Secret {
  string Env = 3;
 }

-message PrintFunc {
-	string Name = 1;
-	string Format = 2;
+message CallFunc {
+  string Name = 1;
+  string Format = 2;
+  bool IgnoreStatus = 3;
 }

 message InspectRequest {
--- a/controller/pb/path.go
+++ b/controller/pb/path.go
@@ -4,7 +4,6 @@ import (
 	"path/filepath"
 	"strings"

-	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/moby/buildkit/util/gitutil"
 )

@@ -22,7 +21,7 @@ func ResolveOptionPaths(options *BuildOptions) (_ *BuildOptions, err error) {
 		}
 	}
 	if options.DockerfileName != "" && options.DockerfileName != "-" {
-		if localContext && !urlutil.IsURL(options.DockerfileName) {
+		if localContext && !isHTTPURL(options.DockerfileName) {
 			options.DockerfileName, err = filepath.Abs(options.DockerfileName)
 			if err != nil {
 				return nil, err
@@ -164,8 +163,15 @@ func ResolveOptionPaths(options *BuildOptions) (_ *BuildOptions, err error) {
 	return options, nil
 }

+// isHTTPURL returns true if the provided str is an HTTP(S) URL by checking if it
+// has a http:// or https:// scheme. No validation is performed to verify if the
+// URL is well-formed.
+func isHTTPURL(str string) bool {
+	return strings.HasPrefix(str, "https://") || strings.HasPrefix(str, "http://")
+}
+
 func isRemoteURL(c string) bool {
-	if urlutil.IsURL(c) {
+	if isHTTPURL(c) {
 		return true
 	}
 	if _, err := gitutil.ParseGitRef(c); err == nil {
--- a/controller/remote/client.go
+++ b/controller/remote/client.go
@@ -210,7 +210,7 @@ func (c *Client) build(ctx context.Context, ref string, options pb.BuildOptions,
 						}
 						return err
 					} else if n > 0 {
-						if stream.Send(&pb.InputMessage{
+						if err := stream.Send(&pb.InputMessage{
 							Input: &pb.InputMessage_Data{
 								Data: &pb.DataMessage{
 									Data: buf[:n],
--- a/controller/remote/io.go
+++ b/controller/remote/io.go
@@ -207,6 +207,7 @@ func attachIO(ctx context.Context, stream msgStream, initMessage *pb.InitMessage

 	if cfg.signal != nil {
 		eg.Go(func() error {
+			names := signalNames()
 			for {
 				var sig syscall.Signal
 				select {
@@ -216,7 +217,7 @@ func attachIO(ctx context.Context, stream msgStream, initMessage *pb.InitMessage
 				case <-ctx.Done():
 					return nil
 				}
-				name := sigToName[sig]
+				name := names[sig]
 				if name == "" {
 					continue
 				}
@@ -358,7 +359,7 @@ func copyToStream(fd uint32, snd msgStream, r io.Reader) error {
 			}
 			return err
 		} else if n > 0 {
-			if snd.Send(&pb.Message{
+			if err := snd.Send(&pb.Message{
 				Input: &pb.Message_File{
 					File: &pb.FdMessage{
 						Fd:   fd,
@@ -380,12 +381,12 @@ func copyToStream(fd uint32, snd msgStream, r io.Reader) error {
 	})
 }

-var sigToName = map[syscall.Signal]string{}
-
-func init() {
+func signalNames() map[syscall.Signal]string {
+	m := make(map[syscall.Signal]string, len(signal.SignalMap))
 	for name, value := range signal.SignalMap {
-		sigToName[value] = name
+		m[value] = name
 	}
+	return m
 }

 type debugStream struct {
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -7,9 +7,12 @@ variable "DOCS_FORMATS" {
 variable "DESTDIR" {
  default = "./bin"
 }
-variable "GOLANGCI_LINT_MULTIPLATFORM" {
+variable "TEST_COVERAGE" {
  default = null
 }
+variable "GOLANGCI_LINT_MULTIPLATFORM" {
+  default = ""
+}

 # Special target: https://github.com/docker/metadata-action#bake-definition
 target "meta-helper" {
@@ -28,14 +31,14 @@ group "default" {
 }

 group "validate" {
-  targets = ["lint", "validate-vendor", "validate-docs"]
+  targets = ["lint", "lint-gopls", "validate-golangci", "validate-vendor", "validate-docs"]
 }

 target "lint" {
  inherits = ["_common"]
  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
  output = ["type=cacheonly"]
-  platforms = GOLANGCI_LINT_MULTIPLATFORM != null ? [
+  platforms = GOLANGCI_LINT_MULTIPLATFORM != "" ? [
    "darwin/amd64",
    "darwin/arm64",
    "linux/amd64",
@@ -48,6 +51,19 @@ target "lint" {
  ] : []
 }

+target "validate-golangci" {
+  description = "Validate .golangci.yml schema (does not run Go linter)"
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/lint.Dockerfile"
+  target = "validate-golangci"
+  output = ["type=cacheonly"]
+}
+
+target "lint-gopls" {
+  inherits = ["lint"]
+  target = "gopls-analyze"
+}
+
 target "validate-vendor" {
  inherits = ["_common"]
  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
@@ -180,13 +196,18 @@ variable "HTTPS_PROXY" {
 variable "NO_PROXY" {
  default = ""
 }
+variable "TEST_BUILDKIT_TAG" {
+  default = null
+}

 target "integration-test-base" {
  inherits = ["_common"]
  args = {
+    GO_EXTRA_FLAGS = TEST_COVERAGE == "1" ? "-cover" : null
    HTTP_PROXY = HTTP_PROXY
    HTTPS_PROXY = HTTPS_PROXY
    NO_PROXY = NO_PROXY
+    BUILDKIT_VERSION = TEST_BUILDKIT_TAG
  }
  target = "integration-test-base"
  output = ["type=cacheonly"]
@@ -196,3 +217,18 @@ target "integration-test" {
  inherits = ["integration-test-base"]
  target = "integration-test"
 }
+
+variable "GOVULNCHECK_FORMAT" {
+  default = null
+}
+
+target "govulncheck" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/govulncheck.Dockerfile"
+  target = "output"
+  args = {
+    FORMAT = GOVULNCHECK_FORMAT
+  }
+  no-cache-filter = ["run"]
+  output = ["${DESTDIR}"]
+}
--- a/docs/bake-reference.md
+++ b/docs/bake-reference.md
@@ -1,4 +1,6 @@
-# Bake file reference
+---
+title: Bake file reference
+---

 The Bake file is a file for defining workflows that you run using `docker buildx bake`.

@@ -441,8 +443,7 @@ COPY --from=src . .

 #### Use another target as base

-> **Note**
->
+> [!NOTE]
 > You should prefer to use regular multi-stage builds over this option. You can
 > Use this feature when you have multiple Dockerfiles that can't be easily
 > merged into one.
@@ -504,6 +505,25 @@ $ docker buildx bake --print -f - <<< 'target "default" {}'
 }
 ```

+### `target.entitlements`
+
+Entitlements are permissions that the build process requires to run.
+
+Currently supported entitlements are:
+
+- `network.host`: Allows the build to use commands that access the host network. In Dockerfile, use [`RUN --network=host`](https://docs.docker.com/reference/dockerfile/#run---networkhost) to run a command with host network enabled.
+
+- `security.insecure`: Allows the build to run commands in privileged containers that are not limited by the default security sandbox. Such container may potentially access and modify system resources. In Dockerfile, use [`RUN --security=insecure`](https://docs.docker.com/reference/dockerfile/#run---security) to run a command in a privileged container.
+
+```hcl
+target "integration-tests" {
+  # this target requires privileged containers to run nested containers
+  entitlements = ["security.insecure"]
+}
+```
+
+Entitlements are enabled with a two-step process. First, a target must declare the entitlements it requires. Secondly, when invoking the `bake` command, the user must grant the entitlements by passing the `--allow` flag or confirming the entitlements when prompted in an interactive terminal. This is to ensure that the user is aware of the possibly insecure permissions they are granting to the build process.
+
 ### `target.inherits`

 A target can inherit attributes from other targets.
@@ -748,6 +768,27 @@ target "app" {
 }
 ```

+### `target.network`
+
+Specify the network mode for the whole build request. This will override the default network mode
+for all the `RUN` instructions in the Dockerfile. Accepted values are `default`, `host`, and `none`.
+
+Usually, a better approach to set the network mode for your build steps is to instead use `RUN --network=<value>`
+in your Dockerfile. This way, you can set the network mode for individual build steps and everyone building
+the Dockerfile gets consistent behavior without needing to pass additional flags to the build command.
+
+If you set network mode to `host` in your Bake file, you must also grant `network.host` entitlement when
+invoking the `bake` command. This is because `host` network mode requires elevated privileges and can be a security risk.
+You can pass `--allow=network.host` to the `docker buildx bake` command to grant the entitlement, or you can
+confirm the entitlement when prompted if you are using an interactive terminal.
+
+```hcl
+target "app" {
+  # make sure this build does not access internet
+  network = "none"
+}
+```
+
 ### `target.no-cache-filter`

 Don't use build cache for the specified stages.
@@ -851,8 +892,7 @@ target "default" {
 }
 ```

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
@@ -917,14 +957,12 @@ target "app" {
 }
 ```

-> **Note**
->
+> [!NOTE]
 > If you do not provide a `hard limit`, the `soft limit` is used
 > for both values. If no `ulimits` are set, they are inherited from
 > the default `ulimits` set on the daemon.

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
@@ -1112,8 +1150,7 @@ target "webapp-dev" {
 }
 ```

-> **Note**
->
+> [!NOTE]
 > See [User defined HCL functions][hcl-funcs] page for more details.

 <!-- external links -->
--- a/docs/guides/debugging.md
+++ b/docs/guides/debugging.md
@@ -4,8 +4,7 @@ To assist with creating and debugging complex builds, Buildx provides a
 debugger to help you step through the build process and easily inspect the
 state of the build environment at any point.

-> **Note**
->
+> [!NOTE]
 > The debug monitor is a new experimental feature in recent versions of Buildx.
 > There are rough edges, known bugs, and missing features. Please try it out
 > and let us know what you think!
--- a/docs/guides/cicd.md
+++ b/docs/guides/cicd.md
@@ -1,3 +0,0 @@
-# CI/CD
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/)
--- a/docs/guides/cni-networking.md
+++ b/docs/guides/cni-networking.md
@@ -1,3 +0,0 @@
-# CNI networking
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/buildkit/configure/#cni-networking)
--- a/docs/guides/color-output.md
+++ b/docs/guides/color-output.md
@@ -1,3 +0,0 @@
-# Color output controls
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/env-vars/#buildkit_colors)
--- a/docs/guides/custom-network.md
+++ b/docs/guides/custom-network.md
@@ -1,3 +0,0 @@
-# Using a custom network
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/drivers/docker-container/#custom-network)
--- a/docs/guides/custom-registry-config.md
+++ b/docs/guides/custom-registry-config.md
@@ -1,3 +0,0 @@
-# Using a custom registry configuration
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/buildkit/configure/#setting-registry-certificates)
--- a/docs/guides/opentelemetry.md
+++ b/docs/guides/opentelemetry.md
@@ -1,3 +0,0 @@
-# OpenTelemetry support
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/opentelemetry/)
--- a/docs/guides/registry-mirror.md
+++ b/docs/guides/registry-mirror.md
@@ -1,3 +0,0 @@
-# Registry mirror
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/buildkit/configure/#registry-mirror)
--- a/docs/guides/resource-limiting.md
+++ b/docs/guides/resource-limiting.md
@@ -1,3 +0,0 @@
-# Resource limiting
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/buildkit/configure/#resource-limiting)
--- a/docs/manuals/bake/build-contexts.md
+++ b/docs/manuals/bake/build-contexts.md
@@ -1,3 +0,0 @@
-# Defining additional build contexts and linking targets
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/bake/build-contexts)
--- a/docs/manuals/bake/compose-file.md
+++ b/docs/manuals/bake/compose-file.md
@@ -1,3 +0,0 @@
-# Building from Compose file
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/bake/compose-file)
--- a/docs/manuals/bake/configuring-build.md
+++ b/docs/manuals/bake/configuring-build.md
@@ -1,3 +0,0 @@
-# Configuring builds
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/bake/configuring-build)
--- a/docs/manuals/bake/file-definition.md
+++ b/docs/manuals/bake/file-definition.md
@@ -1,3 +0,0 @@
-# Bake file definition
-
-This page has moved to [docs/bake-reference.md](../../bake-reference.md)
--- a/docs/manuals/bake/hcl-funcs.md
+++ b/docs/manuals/bake/hcl-funcs.md
@@ -1,3 +0,0 @@
-# User defined HCL functions
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/bake/hcl-funcs)
--- a/docs/manuals/bake/index.md
+++ b/docs/manuals/bake/index.md
@@ -1,3 +0,0 @@
-# High-level build options with Bake
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/bake)
--- a/docs/manuals/cache/backends/azblob.md
+++ b/docs/manuals/cache/backends/azblob.md
@@ -1,3 +0,0 @@
-# Azure Blob Storage cache storage
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/cache/backends/azblob)
--- a/docs/manuals/cache/backends/gha.md
+++ b/docs/manuals/cache/backends/gha.md
@@ -1,3 +0,0 @@
-# GitHub Actions cache storage
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/cache/backends/gha)
--- a/docs/manuals/cache/backends/index.md
+++ b/docs/manuals/cache/backends/index.md
@@ -1,3 +0,0 @@
-# Cache storage backends
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/cache/backends)
--- a/docs/manuals/cache/backends/inline.md
+++ b/docs/manuals/cache/backends/inline.md
@@ -1,3 +0,0 @@
-# Inline cache storage
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/cache/backends/inline)
--- a/docs/manuals/cache/backends/local.md
+++ b/docs/manuals/cache/backends/local.md
@@ -1,3 +0,0 @@
-# Local cache storage
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/cache/backends/local)
--- a/docs/manuals/cache/backends/registry.md
+++ b/docs/manuals/cache/backends/registry.md
@@ -1,3 +0,0 @@
-# Registry cache storage
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/cache/backends/registry)
--- a/docs/manuals/cache/backends/s3.md
+++ b/docs/manuals/cache/backends/s3.md
@@ -1,3 +0,0 @@
-# Amazon S3 cache storage
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/cache/backends/s3)
--- a/docs/manuals/drivers/docker-container.md
+++ b/docs/manuals/drivers/docker-container.md
@@ -1,3 +0,0 @@
-# Docker container driver
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/drivers/docker-container)
--- a/docs/manuals/drivers/docker.md
+++ b/docs/manuals/drivers/docker.md
@@ -1,3 +0,0 @@
-# Docker driver
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/drivers/docker)
--- a/docs/manuals/drivers/index.md
+++ b/docs/manuals/drivers/index.md
@@ -1,3 +0,0 @@
-# Buildx drivers overview
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/drivers)
--- a/docs/manuals/drivers/kubernetes.md
+++ b/docs/manuals/drivers/kubernetes.md
@@ -1,3 +0,0 @@
-# Kubernetes driver
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/drivers/kubernetes)
--- a/docs/manuals/drivers/remote.md
+++ b/docs/manuals/drivers/remote.md
@@ -1,3 +0,0 @@
-# Remote driver
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/drivers/remote)
--- a/docs/manuals/exporters/image-registry.md
+++ b/docs/manuals/exporters/image-registry.md
@@ -1,3 +0,0 @@
-# Image and registry exporters
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/exporters/image-registry)
--- a/docs/manuals/exporters/index.md
+++ b/docs/manuals/exporters/index.md
@@ -1,3 +0,0 @@
-# Exporters overview
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/exporters)
--- a/docs/manuals/exporters/local-tar.md
+++ b/docs/manuals/exporters/local-tar.md
@@ -1,3 +0,0 @@
-# Local and tar exporters
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/exporters/local-tar)
--- a/docs/manuals/exporters/oci-docker.md
+++ b/docs/manuals/exporters/oci-docker.md
@@ -1,3 +0,0 @@
-# OCI and Docker exporters
-
-This page has moved to [Docker Docs website](https://docs.docker.com/build/building/exporters/oci-docker)
--- a/docs/reference/buildx.md
+++ b/docs/reference/buildx.md
@@ -32,6 +32,7 @@ Extended build capabilities with BuildKit
 | Name                    | Type     | Default | Description                              |
 |:------------------------|:---------|:--------|:-----------------------------------------|
 | [`--builder`](#builder) | `string` |         | Override the configured builder instance |
+| `-D`, `--debug`         | `bool`   |         | Enable debug logging                     |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_bake.md
+++ b/docs/reference/buildx_bake.md
@@ -13,20 +13,24 @@ Build from a file

 ### Options

-| Name                             | Type          | Default | Description                                                                              |
-|:---------------------------------|:--------------|:--------|:-----------------------------------------------------------------------------------------|
-| [`--builder`](#builder)          | `string`      |         | Override the configured builder instance                                                 |
-| [`-f`](#file), [`--file`](#file) | `stringArray` |         | Build definition file                                                                    |
-| `--load`                         |               |         | Shorthand for `--set=*.output=type=docker`                                               |
-| `--metadata-file`                | `string`      |         | Write build result metadata to the file                                                  |
-| [`--no-cache`](#no-cache)        |               |         | Do not use cache when building the image                                                 |
-| [`--print`](#print)              |               |         | Print the options without building                                                       |
-| [`--progress`](#progress)        | `string`      | `auto`  | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
-| [`--provenance`](#provenance)    | `string`      |         | Shorthand for `--set=*.attest=type=provenance`                                           |
-| [`--pull`](#pull)                |               |         | Always attempt to pull all referenced images                                             |
-| `--push`                         |               |         | Shorthand for `--set=*.output=type=registry`                                             |
-| [`--sbom`](#sbom)                | `string`      |         | Shorthand for `--set=*.attest=type=sbom`                                                 |
-| [`--set`](#set)                  | `stringArray` |         | Override target value (e.g., `targetpattern.key=value`)                                  |
+| Name                                | Type          | Default | Description                                                                                         |
+|:------------------------------------|:--------------|:--------|:----------------------------------------------------------------------------------------------------|
+| `--allow`                           | `stringArray` |         | Allow build to access specified resources                                                           |
+| [`--builder`](#builder)             | `string`      |         | Override the configured builder instance                                                            |
+| [`--call`](#call)                   | `string`      | `build` | Set method for evaluating build (`check`, `outline`, `targets`)                                     |
+| [`--check`](#check)                 | `bool`        |         | Shorthand for `--call=check`                                                                        |
+| `-D`, `--debug`                     | `bool`        |         | Enable debug logging                                                                                |
+| [`-f`](#file), [`--file`](#file)    | `stringArray` |         | Build definition file                                                                               |
+| `--load`                            | `bool`        |         | Shorthand for `--set=*.output=type=docker`                                                          |
+| [`--metadata-file`](#metadata-file) | `string`      |         | Write build result metadata to a file                                                               |
+| [`--no-cache`](#no-cache)           | `bool`        |         | Do not use cache when building the image                                                            |
+| [`--print`](#print)                 | `bool`        |         | Print the options without building                                                                  |
+| [`--progress`](#progress)           | `string`      | `auto`  | Set type of progress output (`auto`, `plain`, `tty`, `rawjson`). Use plain to show container output |
+| [`--provenance`](#provenance)       | `string`      |         | Shorthand for `--set=*.attest=type=provenance`                                                      |
+| [`--pull`](#pull)                   | `bool`        |         | Always attempt to pull all referenced images                                                        |
+| `--push`                            | `bool`        |         | Shorthand for `--set=*.output=type=registry`                                                        |
+| [`--sbom`](#sbom)                   | `string`      |         | Shorthand for `--set=*.attest=type=sbom`                                                            |
+| [`--set`](#set)                     | `stringArray` |         | Override target value (e.g., `targetpattern.key=value`)                                             |


 <!---MARKER_GEN_END-->
@@ -39,8 +43,7 @@ as part of the build.
 Read [High-level build options with Bake](https://docs.docker.com/build/bake/)
 guide for introduction to writing bake files.

-> **Note**
->
+> [!NOTE]
 > `buildx bake` command may receive backwards incompatible features in the future
 > if needed. We are looking for feedback on improving the command and extending
 > the functionality further.
@@ -51,6 +54,14 @@ guide for introduction to writing bake files.

 Same as [`buildx --builder`](buildx.md#builder).

+### <a name="call"></a> Invoke a frontend method (--call)
+
+Same as [`build --call`](buildx_build.md#call).
+
+#### <a name="check"></a> Call: check (--check)
+
+Same as [`build --check`](buildx_build.md#check).
+
 ### <a name="file"></a> Specify a build definition file (-f, --file)

 Use the `-f` / `--file` option to specify the build definition file to use.
@@ -90,6 +101,82 @@ $ docker buildx bake -f docker-bake.dev.hcl db webapp-release
 See the [Bake file reference](https://docs.docker.com/build/bake/reference/)
 for more details.

+### <a name="metadata-file"></a> Write build results metadata to a file (--metadata-file)
+
+Similar to [`buildx build --metadata-file`](buildx_build.md#metadata-file) but
+writes a map of results for each target such as:
+
+```hcl
+# docker-bake.hcl
+group "default" {
+  targets = ["db", "webapp-dev"]
+}
+
+target "db" {
+  dockerfile = "Dockerfile.db"
+  tags = ["docker.io/username/db"]
+}
+
+target "webapp-dev" {
+  dockerfile = "Dockerfile.webapp"
+  tags = ["docker.io/username/webapp"]
+}
+```
+
+```console
+$ docker buildx bake --load --metadata-file metadata.json .
+$ cat metadata.json
+```
+
+```json
+{
+  "buildx.build.warnings": {},
+  "db": {
+    "buildx.build.provenance": {},
+    "buildx.build.ref": "mybuilder/mybuilder0/0fjb6ubs52xx3vygf6fgdl611",
+    "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+    "containerimage.descriptor": {
+      "annotations": {
+        "config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+        "org.opencontainers.image.created": "2022-02-08T21:28:03Z"
+      },
+      "digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3",
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "size": 506
+    },
+    "containerimage.digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3"
+  },
+  "webapp-dev": {
+    "buildx.build.provenance": {},
+    "buildx.build.ref": "mybuilder/mybuilder0/kamngmcgyzebqxwu98b4lfv3n",
+    "containerimage.config.digest": "sha256:9651cc2b3c508f697c9c43b67b64c8359c2865c019e680aac1c11f4b875b67e0",
+    "containerimage.descriptor": {
+      "annotations": {
+        "config.digest": "sha256:9651cc2b3c508f697c9c43b67b64c8359c2865c019e680aac1c11f4b875b67e0",
+        "org.opencontainers.image.created": "2022-02-08T21:28:15Z"
+      },
+      "digest": "sha256:6d9ac9237a84afe1516540f40a0fafdc86859b2141954b4d643af7066d598b74",
+      "mediaType": "application/vnd.oci.image.manifest.v1+json",
+      "size": 506
+    },
+    "containerimage.digest": "sha256:6d9ac9237a84afe1516540f40a0fafdc86859b2141954b4d643af7066d598b74"
+  }
+}
+```
+
+> [!NOTE]
+> Build record [provenance](https://docs.docker.com/build/metadata/attestations/slsa-provenance/#provenance-attestation-example)
+> (`buildx.build.provenance`) includes minimal provenance by default. Set the
+> `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
+> * `min` sets minimal provenance (default).
+> * `max` sets full provenance.
+> * `disabled`, `false` or `0` does not set any provenance.
+
+> [!NOTE]
+> Build warnings (`buildx.build.warnings`) are not included by default. Set the
+> `BUILDX_METADATA_WARNINGS` environment variable to `1` or `true` to
+> include them.
+
 ### <a name="no-cache"></a> Don't use cache when building the image (--no-cache)

 Same as `build --no-cache`. Don't use cache when building the image.
@@ -162,6 +249,7 @@ You can override the following fields:
 * `context`
 * `dockerfile`
 * `labels`
+* `load`
 * `no-cache`
 * `no-cache-filter`
 * `output`
--- a/docs/reference/buildx_build.md
+++ b/docs/reference/buildx_build.md
@@ -9,48 +9,50 @@ Start a build

 ### Aliases

-`docker buildx build`, `docker buildx b`
+`docker build`, `docker builder build`, `docker image build`, `docker buildx b`

 ### Options

-| Name                                                                                                                                               | Type          | Default   | Description                                                                                         |
-|:---------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
-| [`--add-host`](https://docs.docker.com/reference/cli/docker/image/build/#add-host)                                                                 | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
-| [`--allow`](#allow)                                                                                                                                | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
-| [`--annotation`](#annotation)                                                                                                                      | `stringArray` |           | Add annotation to the image                                                                         |
-| [`--attest`](#attest)                                                                                                                              | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
-| [`--build-arg`](#build-arg)                                                                                                                        | `stringArray` |           | Set build-time variables                                                                            |
-| [`--build-context`](#build-context)                                                                                                                | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
-| [`--builder`](#builder)                                                                                                                            | `string`      |           | Override the configured builder instance                                                            |
-| [`--cache-from`](#cache-from)                                                                                                                      | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
-| [`--cache-to`](#cache-to)                                                                                                                          | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
-| [`--cgroup-parent`](https://docs.docker.com/reference/cli/docker/image/build/#cgroup-parent)                                                       | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
-| `--detach`                                                                                                                                         |               |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
-| [`-f`](https://docs.docker.com/reference/cli/docker/image/build/#file), [`--file`](https://docs.docker.com/reference/cli/docker/image/build/#file) | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
-| `--iidfile`                                                                                                                                        | `string`      |           | Write the image ID to the file                                                                      |
-| `--label`                                                                                                                                          | `stringArray` |           | Set metadata for an image                                                                           |
-| [`--load`](#load)                                                                                                                                  |               |           | Shorthand for `--output=type=docker`                                                                |
-| [`--metadata-file`](#metadata-file)                                                                                                                | `string`      |           | Write build result metadata to the file                                                             |
-| `--network`                                                                                                                                        | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
-| `--no-cache`                                                                                                                                       |               |           | Do not use cache when building the image                                                            |
-| [`--no-cache-filter`](#no-cache-filter)                                                                                                            | `stringArray` |           | Do not cache specified stages                                                                       |
-| [`-o`](#output), [`--output`](#output)                                                                                                             | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
-| [`--platform`](#platform)                                                                                                                          | `stringArray` |           | Set target platform for build                                                                       |
-| `--print`                                                                                                                                          | `string`      |           | Print result of information request (e.g., outline, targets) (EXPERIMENTAL)                         |
-| [`--progress`](#progress)                                                                                                                          | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output            |
-| [`--provenance`](#provenance)                                                                                                                      | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
-| `--pull`                                                                                                                                           |               |           | Always attempt to pull all referenced images                                                        |
-| [`--push`](#push)                                                                                                                                  |               |           | Shorthand for `--output=type=registry`                                                              |
-| `-q`, `--quiet`                                                                                                                                    |               |           | Suppress the build output and print image ID on success                                             |
-| `--root`                                                                                                                                           | `string`      |           | Specify root directory of server to connect (EXPERIMENTAL)                                          |
-| [`--sbom`](#sbom)                                                                                                                                  | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
-| [`--secret`](#secret)                                                                                                                              | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
-| `--server-config`                                                                                                                                  | `string`      |           | Specify buildx server config file (used only when launching new server) (EXPERIMENTAL)              |
-| [`--shm-size`](#shm-size)                                                                                                                          | `bytes`       | `0`       | Shared memory size for build containers                                                             |
-| [`--ssh`](#ssh)                                                                                                                                    | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
-| [`-t`](https://docs.docker.com/reference/cli/docker/image/build/#tag), [`--tag`](https://docs.docker.com/reference/cli/docker/image/build/#tag)    | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
-| [`--target`](https://docs.docker.com/reference/cli/docker/image/build/#target)                                                                     | `string`      |           | Set the target build stage to build                                                                 |
-| [`--ulimit`](#ulimit)                                                                                                                              | `ulimit`      |           | Ulimit options                                                                                      |
+| Name                                    | Type          | Default   | Description                                                                                         |
+|:----------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
+| [`--add-host`](#add-host)               | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
+| [`--allow`](#allow)                     | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
+| [`--annotation`](#annotation)           | `stringArray` |           | Add annotation to the image                                                                         |
+| [`--attest`](#attest)                   | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
+| [`--build-arg`](#build-arg)             | `stringArray` |           | Set build-time variables                                                                            |
+| [`--build-context`](#build-context)     | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
+| [`--builder`](#builder)                 | `string`      |           | Override the configured builder instance                                                            |
+| [`--cache-from`](#cache-from)           | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
+| [`--cache-to`](#cache-to)               | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
+| [`--call`](#call)                       | `string`      | `build`   | Set method for evaluating build (`check`, `outline`, `targets`)                                     |
+| [`--cgroup-parent`](#cgroup-parent)     | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
+| [`--check`](#check)                     | `bool`        |           | Shorthand for `--call=check`                                                                        |
+| `-D`, `--debug`                         | `bool`        |           | Enable debug logging                                                                                |
+| `--detach`                              | `bool`        |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
+| [`-f`](#file), [`--file`](#file)        | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
+| `--iidfile`                             | `string`      |           | Write the image ID to a file                                                                        |
+| `--label`                               | `stringArray` |           | Set metadata for an image                                                                           |
+| [`--load`](#load)                       | `bool`        |           | Shorthand for `--output=type=docker`                                                                |
+| [`--metadata-file`](#metadata-file)     | `string`      |           | Write build result metadata to a file                                                               |
+| [`--network`](#network)                 | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
+| `--no-cache`                            | `bool`        |           | Do not use cache when building the image                                                            |
+| [`--no-cache-filter`](#no-cache-filter) | `stringArray` |           | Do not cache specified stages                                                                       |
+| [`-o`](#output), [`--output`](#output)  | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
+| [`--platform`](#platform)               | `stringArray` |           | Set target platform for build                                                                       |
+| [`--progress`](#progress)               | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`, `rawjson`). Use plain to show container output |
+| [`--provenance`](#provenance)           | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
+| `--pull`                                | `bool`        |           | Always attempt to pull all referenced images                                                        |
+| [`--push`](#push)                       | `bool`        |           | Shorthand for `--output=type=registry`                                                              |
+| `-q`, `--quiet`                         | `bool`        |           | Suppress the build output and print image ID on success                                             |
+| `--root`                                | `string`      |           | Specify root directory of server to connect (EXPERIMENTAL)                                          |
+| [`--sbom`](#sbom)                       | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
+| [`--secret`](#secret)                   | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
+| `--server-config`                       | `string`      |           | Specify buildx server config file (used only when launching new server) (EXPERIMENTAL)              |
+| [`--shm-size`](#shm-size)               | `bytes`       | `0`       | Shared memory size for build containers                                                             |
+| [`--ssh`](#ssh)                         | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
+| [`-t`](#tag), [`--tag`](#tag)           | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
+| [`--target`](#target)                   | `string`      |           | Set the target build stage to build                                                                 |
+| [`--ulimit`](#ulimit)                   | `ulimit`      |           | Ulimit options                                                                                      |


 <!---MARKER_GEN_END-->
@@ -60,15 +62,36 @@ Flags marked with `[experimental]` need to be explicitly enabled by setting the

 ## Description

-The `buildx build` command starts a build using BuildKit. This command is similar
-to the UI of `docker build` command and takes the same flags and arguments.
-
-For documentation on most of these flags, refer to the [`docker build`
-documentation](https://docs.docker.com/reference/cli/docker/image/build/).
-This page describes a subset of the new flags.
+The `docker buildx build` command starts a build using BuildKit.

 ## Examples

+### <a name="add-host"></a> Add entries to container hosts file (--add-host)
+
+You can add other hosts into a build container's `/etc/hosts` file by using one
+or more `--add-host` flags. This example adds static addresses for hosts named
+`my-hostname` and `my_hostname_v6`:
+
+```console
+$ docker buildx build --add-host my_hostname=8.8.8.8 --add-host my_hostname_v6=2001:4860:4860::8888 .
+```
+
+If you need your build to connect to services running on the host, you can use
+the special `host-gateway` value for `--add-host`. In the following example,
+build containers resolve `host.docker.internal` to the host's gateway IP.
+
+```console
+$ docker buildx build --add-host host.docker.internal=host-gateway .
+```
+
+You can wrap an IPv6 address in square brackets.
+`=` and `:` are both valid separators.
+Both formats in the following example are valid:
+
+```console
+$ docker buildx build --add-host my-hostname:10.180.0.1 --add-host my-hostname_v6=[2001:4860:4860::8888] .
+```
+
 ### <a name="annotation"></a> Create annotations (--annotation)

 ```text
@@ -122,7 +145,7 @@ For more information about annotations, see
 --attest=type=provenance,...
 ```

-Create [image attestations](https://docs.docker.com/build/attestations/).
+Create [image attestations](https://docs.docker.com/build/metadata/attestations/).
 BuildKit currently supports:

 - `sbom` - Software Bill of Materials.
@@ -130,7 +153,7 @@ BuildKit currently supports:
  Use `--attest=type=sbom` to generate an SBOM for an image at build-time.
  Alternatively, you can use the [`--sbom` shorthand](#sbom).

-  For more information, see [here](https://docs.docker.com/build/attestations/sbom/).
+  For more information, see [here](https://docs.docker.com/build/metadata/attestations/sbom/).

 - `provenance` - SLSA Provenance

@@ -140,7 +163,7 @@ BuildKit currently supports:
  By default, a minimal provenance attestation will be created for the build
  result, which will only be attached for images pushed to registries.

-  For more information, see [here](https://docs.docker.com/build/attestations/slsa-provenance/).
+  For more information, see [here](https://docs.docker.com/build/metadata/attestations/slsa-provenance/).

 ### <a name="allow"></a> Allow extra privileged entitlement (--allow)

@@ -152,7 +175,7 @@ Allow extra privileged entitlement. List of entitlements:

 - `network.host` - Allows executions with host networking.
 - `security.insecure` - Allows executions without sandbox. See
-  [related Dockerfile extensions](https://docs.docker.com/reference/dockerfile/#run---securitysandbox).
+  [related Dockerfile extensions](https://docs.docker.com/reference/dockerfile/#run---security).

 For entitlements to be enabled, the BuildKit daemon also needs to allow them
 with `--allow-insecure-entitlement` (see [`create --buildkitd-flags`](buildx_create.md#buildkitd-flags)).
@@ -164,7 +187,40 @@ $ docker buildx build --allow security.insecure .

 ### <a name="build-arg"></a> Set build-time variables (--build-arg)

-Same as [`docker build` command](https://docs.docker.com/reference/cli/docker/image/build/#build-arg).
+You can use `ENV` instructions in a Dockerfile to define variable values. These
+values persist in the built image. Often persistence isn't what you want. Users
+want to specify variables differently depending on which host they build an
+image on.
+
+A good example is `http_proxy` or source versions for pulling intermediate
+files. The `ARG` instruction lets Dockerfile authors define values that users
+can set at build-time using the  `--build-arg` flag:
+
+```console
+$ docker buildx build --build-arg HTTP_PROXY=http://10.20.30.2:1234 --build-arg FTP_PROXY=http://40.50.60.5:4567 .
+```
+
+This flag allows you to pass the build-time variables that are
+accessed like regular environment variables in the `RUN` instruction of the
+Dockerfile. These values don't persist in the intermediate or final images
+like `ENV` values do. You must add `--build-arg` for each build argument.
+
+Using this flag doesn't alter the output you see when the build process echoes the`ARG` lines from the
+Dockerfile.
+
+For detailed information on using `ARG` and `ENV` instructions, see the
+[Dockerfile reference](https://docs.docker.com/reference/dockerfile/).
+
+You can also use the `--build-arg` flag without a value, in which case the daemon
+propagates the value from the local environment into the Docker container it's building:
+
+```console
+$ export HTTP_PROXY=http://10.20.30.2:1234
+$ docker buildx build --build-arg HTTP_PROXY .
+```
+
+This example is similar to how `docker run -e` works. Refer to the [`docker run` documentation](container_run.md#env)
+for more information.

 There are also useful built-in build arguments, such as:

@@ -270,6 +326,167 @@ $ docker buildx build --cache-from=type=s3,region=eu-west-1,bucket=mybucket .

 More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache

+### <a name="call"></a> Invoke a frontend method (--call)
+
+```text
+--call=[build|check|outline|targets]
+```
+
+BuildKit frontends can support alternative modes of executions for builds,
+using frontend methods. Frontend methods are a way to change or extend the
+behavior of a build invocation, which lets you, for example, inspect, validate,
+or generate alternative outputs from a build.
+
+The `--call` flag for `docker buildx build` lets you specify the frontend
+method that you want to execute. If this flag is unspecified, it defaults to
+executing the build and evaluating [build checks](https://docs.docker.com/reference/build-checks/).
+
+For Dockerfiles, the available methods are:
+
+| Command                        | Description                                                                                                         |
+| ------------------------------ | ------------------------------------------------------------------------------------------------------------------- |
+| `build` (default)              | Execute the build and evaluate build checks for the current build target.                                           |
+| `check`                        | Evaluate build checks for the either the entire Dockerfile or the selected target, without executing a build.       |
+| `outline`                      | Show the build arguments that you can set for a target, and their default values.                                   |
+| `targets`                      | List all the build targets in the Dockerfile.                                                                       |
+| `subrequests.describe`         | List all the frontend methods that the current frontend supports.                                                   |
+
+Note that other frontends may implement these or other methods.
+To see the list of available methods for the frontend you're using,
+use `--call=subrequests.describe`.
+
+```console
+$ docker buildx build -q --call=subrequests.describe .
+
+NAME                 VERSION DESCRIPTION
+outline              1.0.0   List all parameters current build target supports
+targets              1.0.0   List all targets current build supports
+subrequests.describe 1.0.0   List available subrequest types
+```
+
+#### Descriptions
+
+The [`--call=targets`](#call-targets) and [`--call=outline`](#call-outline)
+methods include descriptions for build targets and arguments, if available.
+Descriptions are generated from comments in the Dockerfile. A comment on the
+line before a `FROM` instruction becomes the description of a build target, and
+a comment before an `ARG` instruction the description of a build argument. The
+comment must lead with the name of the stage or argument, for example:
+
+```dockerfile
+# syntax=docker/dockerfile:1
+
+# GO_VERSION sets the Go version for the build
+ARG GO_VERSION=1.22
+
+# base-builder is the base stage for building the project
+FROM golang:${GO_VERSION} AS base-builder
+```
+
+When you run `docker buildx build --call=outline`, the output includes the
+descriptions, as follows:
+
+```console
+$ docker buildx build -q --call=outline .
+
+TARGET:      base-builder
+DESCRIPTION: is the base stage for building the project
+
+BUILD ARG    VALUE   DESCRIPTION
+GO_VERSION   1.22    sets the Go version for the build
+```
+
+For more examples on how to write Dockerfile docstrings,
+check out [the Dockerfile for Docker docs](https://github.com/docker/docs/blob/main/Dockerfile).
+
+#### <a name="check"></a> Call: check (--check)
+
+The `check` method evaluates build checks without executing the build. The
+`--check` flag is a convenient shorthand for `--call=check`. Use the `check`
+method to validate the build configuration before starting the build.
+
+```console
+$ docker buildx build -q --check https://github.com/docker/docs.git
+
+WARNING: InvalidBaseImagePlatform
+Base image wjdp/htmltest:v0.17.0 was pulled with platform "linux/amd64", expected "linux/arm64" for current build
+Dockerfile:43
+--------------------
+  41 |         "#content/desktop/previous-versions/*.md"
+  42 |
+  43 | >>> FROM wjdp/htmltest:v${HTMLTEST_VERSION} AS test
+  44 |     WORKDIR /test
+  45 |     COPY --from=build /out ./public
+--------------------
+```
+
+Using `--check` without specifying a target evaluates the entire Dockerfile.
+If you want to evaluate a specific target, use the `--target` flag.
+
+#### Call: outline
+
+The `outline` method prints the name of the specified target (or the default
+target, if `--target` isn't specified), and the build arguments that the target
+consumes, along with their default values, if set.
+
+The following example shows the default target `release` and its build arguments:
+
+```console
+$ docker buildx build -q --call=outline https://github.com/docker/docs.git
+
+TARGET:      release
+DESCRIPTION: is an empty scratch image with only compiled assets
+
+BUILD ARG          VALUE     DESCRIPTION
+GO_VERSION         1.22      sets the Go version for the base stage
+HUGO_VERSION       0.127.0
+HUGO_ENV                     sets the hugo.Environment (production, development, preview)
+DOCS_URL                     sets the base URL for the site
+PAGEFIND_VERSION   1.1.0
+```
+
+This means that the `release` target is configurable using these build arguments:
+
+```console
+$ docker buildx build \
+  --build-arg GO_VERSION=1.22 \
+  --build-arg HUGO_VERSION=0.127.0 \
+  --build-arg HUGO_ENV=production \
+  --build-arg DOCS_URL=https://example.com \
+  --build-arg PAGEFIND_VERSION=1.1.0 \
+  --target release https://github.com/docker/docs.git
+```
+
+#### Call: targets
+
+The `targets` method lists all the build targets in the Dockerfile. These are
+the stages that you can build using the `--target` flag. It also indicates the
+default target, which is the target that will be built when you don't specify a
+target.
+
+```console
+$ docker buildx build -q --call=targets https://github.com/docker/docs.git
+
+TARGET            DESCRIPTION
+base              is the base stage with build dependencies
+node              installs Node.js dependencies
+hugo              downloads and extracts the Hugo binary
+build-base        is the base stage for building the site
+dev               is for local development with Docker Compose
+build             creates production builds with Hugo
+lint              lints markdown files
+test              validates HTML output and checks for broken links
+update-modules    downloads and vendors Hugo modules
+vendor            is an empty stage with only vendored Hugo modules
+build-upstream    builds an upstream project with a replacement module
+validate-upstream validates HTML output for upstream builds
+unused-media      checks for unused graphics and other media
+pagefind          installs the Pagefind runtime
+index             generates a Pagefind index
+test-go-redirects checks that the /go/ redirects are valid
+release (default) is an empty scratch image with only compiled assets
+```
+
 ### <a name="cache-to"></a> Export build cache to an external cache destination (--cache-to)

 ```text
@@ -309,12 +526,33 @@ $ docker buildx build --cache-to=type=s3,region=eu-west-1,bucket=mybucket .

 More info about cache exporters and available attributes: https://github.com/moby/buildkit#export-cache

+### <a name="cgroup-parent"></a> Use a custom parent cgroup (--cgroup-parent)
+
+When you run `docker buildx build` with the `--cgroup-parent` option,
+the daemon runs the containers used in the build with the
+[corresponding `docker run` flag](container_run.md#cgroup-parent).
+
+### <a name="file"></a> Specify a Dockerfile (-f, --file)
+
+```console
+$ docker buildx build -f <filepath> .
+```
+
+Specifies the filepath of the Dockerfile to use.
+If unspecified, a file named `Dockerfile` at the root of the build context is used by default.
+
+To read a Dockerfile from stdin, you can use `-` as the argument for `--file`.
+
+```console
+$ cat Dockerfile | docker buildx build -f - .
+```
+
 ### <a name="load"></a> Load the single-platform build result to `docker images` (--load)

 Shorthand for [`--output=type=docker`](#docker). Will automatically load the
 single-platform build result to `docker images`.

-### <a name="metadata-file"></a> Write build result metadata to the file (--metadata-file)
+### <a name="metadata-file"></a> Write build result metadata to a file (--metadata-file)

 To output build metadata such as the image digest, pass the `--metadata-file` flag.
 The metadata will be written as a JSON object to the specified file. The
@@ -327,7 +565,9 @@ $ cat metadata.json

 ```json
 {
+  "buildx.build.provenance": {},
  "buildx.build.ref": "mybuilder/mybuilder0/0fjb6ubs52xx3vygf6fgdl611",
+  "buildx.build.warnings": {},
  "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
  "containerimage.descriptor": {
    "annotations": {
@@ -342,6 +582,30 @@ $ cat metadata.json
 }
 ```

+> [!NOTE]
+> Build record [provenance](https://docs.docker.com/build/metadata/attestations/slsa-provenance/#provenance-attestation-example)
+> (`buildx.build.provenance`) includes minimal provenance by default. Set the
+> `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
+>
+> - `min` sets minimal provenance (default).
+> - `max` sets full provenance.
+> - `disabled`, `false` or `0` doesn't set any provenance.
+
+> [!NOTE]
+> Build warnings (`buildx.build.warnings`) are not included by default. Set the
+> `BUILDX_METADATA_WARNINGS` environment variable to `1` or `true` to
+> include them.
+
+### <a name="network"></a> Set the networking mode for the RUN instructions during build (--network)
+
+Available options for the networking mode are:
+
+- `default` (default): Run in the default network.
+- `none`: Run with no network access.
+- `host`: Run in the host’s network environment.
+
+Find more details in the [Dockerfile reference](https://docs.docker.com/reference/dockerfile/#run---network).
+
 ### <a name="no-cache-filter"></a> Ignore build cache for specific stages (--no-cache-filter)

 The `--no-cache-filter` lets you specify one or more stages of a multi-stage
@@ -403,33 +667,40 @@ The arguments for the `--no-cache-filter` flag must be names of stages.
 -o, --output=[PATH,-,type=TYPE[,KEY=VALUE]
 ```

-Sets the export action for the build result. In `docker build` all builds finish
-by creating a container image and exporting it to `docker images`. `buildx` makes
-this step configurable allowing results to be exported directly to the client,
-OCI image tarballs, registry etc.
+Sets the export action for the build result. The default output, when using the
+`docker` [build driver](https://docs.docker.com/build/builders/drivers/), is a container
+image exported to the local image store. The `--output` flag makes this step
+configurable allows export of results directly to the client's filesystem, an
+OCI image tarball, a registry, and more.

-Buildx with `docker` driver currently only supports local, tarball exporter and
-image exporter. `docker-container` driver supports all the exporters.
+Buildx with `docker` driver only supports the local, tarball, and image
+[exporters](https://docs.docker.com/build/exporters/). The `docker-container`
+driver supports all exporters.

-If just the path is specified as a value, `buildx` will use the local exporter
-with this path as the destination. If the value is "-", `buildx` will use `tar`
-exporter and write to `stdout`.
+If you only specify a filepath as the argument to `--output`, Buildx uses the
+local exporter. If the value is `-`, Buildx uses the `tar` exporter and writes
+the output to stdout.

 ```console
 $ docker buildx build -o . .
 $ docker buildx build -o outdir .
-$ docker buildx build -o - - > out.tar
+$ docker buildx build -o - . > out.tar
 $ docker buildx build -o type=docker .
 $ docker buildx build -o type=docker,dest=- . > myimage.tar
 $ docker buildx build -t tonistiigi/foo -o type=registry
 ```

-> **Note **
->
-> Since BuildKit v0.13.0 multiple outputs can be specified by repeating the flag.
+You can export multiple outputs by repeating the flag.

 Supported exported types are:

+- [`local`](#local)
+- [`tar`](#tar)
+- [`oci`](#oci)
+- [`docker`](#docker)
+- [`image`](#image)
+- [`registry`](#registry)
+
 #### `local`

 The `local` export type writes all result files to a directory on the client. The
@@ -440,6 +711,9 @@ Attribute key:

 - `dest` - destination directory where files will be written

+For more information, see
+[Local and tar exporters](https://docs.docker.com/build/exporters/local-tar/).
+
 #### `tar`

 The `tar` export type writes all result files as a single tarball on the client.
@@ -449,6 +723,9 @@ Attribute key:

 - `dest` - destination path where tarball will be written. “-” writes to stdout.

+For more information, see
+[Local and tar exporters](https://docs.docker.com/build/exporters/local-tar/).
+
 #### `oci`

 The `oci` export type writes the result image or manifest list as an [OCI image
@@ -459,6 +736,9 @@ Attribute key:

 - `dest` - destination path where tarball will be written. “-” writes to stdout.

+For more information, see
+[OCI and Docker exporters](https://docs.docker.com/build/exporters/oci-docker/).
+
 #### `docker`

 The `docker` export type writes the single-platform result image as a [Docker image
@@ -475,6 +755,9 @@ Attribute keys:
  the tar will be loaded automatically to the local image store.
 - `context` - name for the Docker context where to import the result

+For more information, see
+[OCI and Docker exporters](https://docs.docker.com/build/exporters/oci-docker/).
+
 #### `image`

 The `image` exporter writes the build result as an image or a manifest list. When
@@ -486,10 +769,16 @@ Attribute keys:
 - `name` - name (references) for the new image.
 - `push` - Boolean to automatically push the image.

+For more information, see
+[Image and registry exporters](https://docs.docker.com/build/exporters/image-registry/).
+
 #### `registry`

 The `registry` exporter is a shortcut for `type=image,push=true`.

+For more information, see
+[Image and registry exporters](https://docs.docker.com/build/exporters/image-registry/).
+
 ### <a name="platform"></a> Set the target platforms for the build (--platform)

 ```text
@@ -516,13 +805,12 @@ support for the specified platform. In a clean setup, you can only execute `RUN`
 commands for your system architecture.
 If your kernel supports [`binfmt_misc`](https://en.wikipedia.org/wiki/Binfmt_misc)
 launchers for secondary architectures, buildx will pick them up automatically.
-Docker desktop releases come with `binfmt_misc` automatically configured for `arm64`
+Docker Desktop releases come with `binfmt_misc` automatically configured for `arm64`
 and `arm` architectures. You can see what runtime platforms your current builder
 instance supports by running `docker buildx inspect --bootstrap`.

 Inside a `Dockerfile`, you can access the current platform value through
-`TARGETPLATFORM` build argument. Refer to the [`docker build`
-documentation](https://docs.docker.com/reference/dockerfile/#automatic-platform-args-in-the-global-scope)
+`TARGETPLATFORM` build argument. Refer to the [Dockerfile reference](https://docs.docker.com/reference/dockerfile/#automatic-platform-args-in-the-global-scope)
 for the full description of automatic platform argument variants .

 You can find the formatting definition for the platform specifier in the
@@ -540,11 +828,10 @@ $ docker buildx build --platform=darwin .
 --progress=VALUE
 ```

-Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container
-output (default "auto").
+Set type of progress output (`auto`, `plain`, `tty`, `rawjson`). Use `plain` to show container
+output (default `auto`).

-> **Note**
->
+> [!NOTE]
 > You can also use the `BUILDKIT_PROGRESS` environment variable to set its value.

 The following example uses `plain` output during the build:
@@ -562,10 +849,12 @@ $ docker buildx build --load --progress=plain .
 ...
 ```

-> **Note**
->
-> Check also our [Color output controls guide](https://github.com/docker/buildx/blob/master/docs/guides/color-output.md)
-> for modifying the colors that are used to output information to the terminal.
+> [!NOTE]
+> Check also the [`BUILDKIT_COLORS`](https://docs.docker.com/build/building/variables/#buildkit_colors)
+> environment variable for modifying the colors of the terminal output.
+
+The `rawjson` output marshals the solve status events from BuildKit to JSON lines.
+This mode is designed to be read by an external program.

 ### <a name="provenance"></a> Create provenance attestations (--provenance)

@@ -585,7 +874,7 @@ to a registry if you use the default image store. Alternatively, you can switch
 to using the containerd image store.

 For more information about provenance attestations, see
-[here](https://docs.docker.com/build/attestations/slsa-provenance/).
+[here](https://docs.docker.com/build/metadata/attestations/slsa-provenance/).

 ### <a name="push"></a> Push the build result to a registry (--push)

@@ -607,7 +896,7 @@ attestations. Provenance attestations only persist for images pushed directly
 to a registry if you use the default image store. Alternatively, you can switch
 to using the containerd image store.

-For more information, see [here](https://docs.docker.com/build/attestations/sbom/).
+For more information, see [here](https://docs.docker.com/build/metadata/attestations/sbom/).

 ### <a name="secret"></a> Secret to expose to the build (--secret)

@@ -615,10 +904,18 @@ For more information, see [here](https://docs.docker.com/build/attestations/sbom
 --secret=[type=TYPE[,KEY=VALUE]
 ```

-Exposes secret to the build. The secret can be used by the build using
-[`RUN --mount=type=secret` mount](https://docs.docker.com/reference/dockerfile/#run---mounttypesecret).
+Exposes secrets (authentication credentials, tokens) to the build.
+A secret can be mounted into the build using a `RUN --mount=type=secret` mount in the
+[Dockerfile](https://docs.docker.com/reference/dockerfile/#run---mounttypesecret).
+For more information about how to use build secrets, see
+[Build secrets](https://docs.docker.com/build/building/secrets/).

-If `type` is unset it will be detected. Supported types are:
+Supported types are:
+
+- [`file`](#file)
+- [`env`](#env)
+
+Buildx attempts to detect the `type` automatically if unset.

 #### `file`

@@ -667,8 +964,7 @@ The format is `<number><unit>`. `number` must be greater than `0`. Unit is
 optional and can be `b` (bytes), `k` (kilobytes), `m` (megabytes), or `g`
 (gigabytes). If you omit the unit, the system uses bytes.

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
@@ -704,6 +1000,46 @@ $ ssh-add ~/.ssh/id_rsa
 $ docker buildx build --ssh default=$SSH_AUTH_SOCK .
 ```

+### <a name="tag"></a> Tag an image (-t, --tag)
+
+```console
+$ docker buildx build -t docker/apache:2.0 .
+```
+
+This examples builds in the same way as the previous example, but it then tags the resulting
+image. The repository name will be `docker/apache` and the tag `2.0`.
+
+[Read more about valid tags](https://docs.docker.com/reference/cli/docker/image/tag/).
+
+You can apply multiple tags to an image. For example, you can apply the `latest`
+tag to a newly built image and add another tag that references a specific
+version.
+
+For example, to tag an image both as `docker/fedora-jboss:latest` and
+`docker/fedora-jboss:v2.1`, use the following:
+
+```console
+$ docker buildx build -t docker/fedora-jboss:latest -t docker/fedora-jboss:v2.1 .
+```
+
+### <a name="target"></a> Specifying target build stage (--target)
+
+When building a Dockerfile with multiple build stages, use the `--target`
+option to specify an intermediate build stage by name as a final stage for the
+resulting image. The builder skips commands after the target stage.
+
+```dockerfile
+FROM debian AS build-env
+# ...
+
+FROM alpine AS production-env
+# ...
+```
+
+```console
+$ docker buildx build -t mybuildimage --target build-env .
+```
+
 ### <a name="ulimit"></a> Set ulimits (--ulimit)

 `--ulimit` overrides the default ulimits of build's containers when using `RUN`
@@ -714,14 +1050,12 @@ instructions and are specified with a soft and hard limit as such:
 $ docker buildx build --ulimit nofile=1024:1024 .
 ```

-> **Note**
->
+> [!NOTE]
 > If you don't provide a `hard limit`, the `soft limit` is used
 > for both values. If no `ulimits` are set, they're inherited from
 > the default `ulimits` set on the daemon.

-> **Note**
->
+> [!NOTE]
 > In most cases, it is recommended to let the builder automatically determine
 > the appropriate configurations. Manual adjustments should only be considered
 > when specific performance tuning is required for complex build scenarios.
--- a/docs/reference/buildx_create.md
+++ b/docs/reference/buildx_create.md
@@ -11,17 +11,18 @@ Create a new builder instance

 | Name                                      | Type          | Default | Description                                                           |
 |:------------------------------------------|:--------------|:--------|:----------------------------------------------------------------------|
-| [`--append`](#append)                     |               |         | Append a node to builder instead of changing it                       |
-| `--bootstrap`                             |               |         | Boot builder after creation                                           |
+| [`--append`](#append)                     | `bool`        |         | Append a node to builder instead of changing it                       |
+| `--bootstrap`                             | `bool`        |         | Boot builder after creation                                           |
 | [`--buildkitd-config`](#buildkitd-config) | `string`      |         | BuildKit daemon config file                                           |
 | [`--buildkitd-flags`](#buildkitd-flags)   | `string`      |         | BuildKit daemon flags                                                 |
+| `-D`, `--debug`                           | `bool`        |         | Enable debug logging                                                  |
 | [`--driver`](#driver)                     | `string`      |         | Driver to use (available: `docker-container`, `kubernetes`, `remote`) |
 | [`--driver-opt`](#driver-opt)             | `stringArray` |         | Options for the driver                                                |
-| [`--leave`](#leave)                       |               |         | Remove a node from builder instead of changing it                     |
+| [`--leave`](#leave)                       | `bool`        |         | Remove a node from builder instead of changing it                     |
 | [`--name`](#name)                         | `string`      |         | Builder instance name                                                 |
 | [`--node`](#node)                         | `string`      |         | Create/modify node with given name                                    |
 | [`--platform`](#platform)                 | `stringArray` |         | Fixed platforms for current node                                      |
-| [`--use`](#use)                           |               |         | Set the current builder instance                                      |
+| [`--use`](#use)                           | `bool`        |         | Set the current builder instance                                      |


 <!---MARKER_GEN_END-->
@@ -101,8 +102,7 @@ value is `auto` and can be one of `bridge`, `cni`, `host`:
 --buildkitd-flags '--oci-worker-net bridge'
 ```

-> **Note**
->
+> [!NOTE]
 > Network mode "bridge" is supported since BuildKit v0.13 and will become the
 > default in next v0.14.

@@ -120,7 +120,7 @@ backend. Buildx supports the following drivers:
 * `kubernetes`
 * `remote`

-For more information about build drivers, see [here](https://docs.docker.com/build/drivers/).
+For more information about build drivers, see [here](https://docs.docker.com/build/builders/drivers/).

 #### `docker` driver

@@ -167,10 +167,10 @@ Passes additional driver-specific options.
 For information about available driver options, refer to the detailed
 documentation for the specific driver:

-* [`docker` driver](https://docs.docker.com/build/drivers/docker/)
-* [`docker-container` driver](https://docs.docker.com/build/drivers/docker-container/)
-* [`kubernetes` driver](https://docs.docker.com/build/drivers/kubernetes/)
-* [`remote` driver](https://docs.docker.com/build/drivers/remote/)
+* [`docker` driver](https://docs.docker.com/build/builders/drivers/docker/)
+* [`docker-container` driver](https://docs.docker.com/build/builders/drivers/docker-container/)
+* [`kubernetes` driver](https://docs.docker.com/build/builders/drivers/kubernetes/)
+* [`remote` driver](https://docs.docker.com/build/builders/drivers/remote/)

 ### <a name="leave"></a> Remove a node from a builder (--leave)

--- a/docs/reference/buildx_debug.md
+++ b/docs/reference/buildx_debug.md
@@ -12,15 +12,16 @@ Start debugger (EXPERIMENTAL)

 ### Options

-| Name              | Type     | Default | Description                                                                                              |
-|:------------------|:---------|:--------|:---------------------------------------------------------------------------------------------------------|
-| `--builder`       | `string` |         | Override the configured builder instance                                                                 |
-| `--detach`        | `bool`   | `true`  | Detach buildx server for the monitor (supported only on linux) (EXPERIMENTAL)                            |
-| `--invoke`        | `string` |         | Launch a monitor with executing specified command (EXPERIMENTAL)                                         |
-| `--on`            | `string` | `error` | When to launch the monitor ([always, error]) (EXPERIMENTAL)                                              |
-| `--progress`      | `string` | `auto`  | Set type of progress output (`auto`, `plain`, `tty`) for the monitor. Use plain to show container output |
-| `--root`          | `string` |         | Specify root directory of server to connect for the monitor (EXPERIMENTAL)                               |
-| `--server-config` | `string` |         | Specify buildx server config file for the monitor (used only when launching new server) (EXPERIMENTAL)   |
+| Name              | Type     | Default | Description                                                                                                         |
+|:------------------|:---------|:--------|:--------------------------------------------------------------------------------------------------------------------|
+| `--builder`       | `string` |         | Override the configured builder instance                                                                            |
+| `-D`, `--debug`   | `bool`   |         | Enable debug logging                                                                                                |
+| `--detach`        | `bool`   | `true`  | Detach buildx server for the monitor (supported only on linux) (EXPERIMENTAL)                                       |
+| `--invoke`        | `string` |         | Launch a monitor with executing specified command (EXPERIMENTAL)                                                    |
+| `--on`            | `string` | `error` | When to launch the monitor ([always, error]) (EXPERIMENTAL)                                                         |
+| `--progress`      | `string` | `auto`  | Set type of progress output (`auto`, `plain`, `tty`, `rawjson`) for the monitor. Use plain to show container output |
+| `--root`          | `string` |         | Specify root directory of server to connect for the monitor (EXPERIMENTAL)                                          |
+| `--server-config` | `string` |         | Specify buildx server config file for the monitor (used only when launching new server) (EXPERIMENTAL)              |


 <!---MARKER_GEN_END-->
--- a/docs/reference/buildx_debug_build.md
+++ b/docs/reference/buildx_debug_build.md
@@ -5,48 +5,50 @@ Start a build

 ### Aliases

-`docker buildx debug build`, `docker buildx debug b`
+`docker build`, `docker builder build`, `docker image build`, `docker buildx b`

 ### Options

-| Name                                                                                                                                               | Type          | Default   | Description                                                                                         |
-|:---------------------------------------------------------------------------------------------------------------------------------------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
-| [`--add-host`](https://docs.docker.com/reference/cli/docker/image/build/#add-host)                                                                 | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
-| `--allow`                                                                                                                                          | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
-| `--annotation`                                                                                                                                     | `stringArray` |           | Add annotation to the image                                                                         |
-| `--attest`                                                                                                                                         | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
-| `--build-arg`                                                                                                                                      | `stringArray` |           | Set build-time variables                                                                            |
-| `--build-context`                                                                                                                                  | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
-| `--builder`                                                                                                                                        | `string`      |           | Override the configured builder instance                                                            |
-| `--cache-from`                                                                                                                                     | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
-| `--cache-to`                                                                                                                                       | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
-| [`--cgroup-parent`](https://docs.docker.com/reference/cli/docker/image/build/#cgroup-parent)                                                       | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
-| `--detach`                                                                                                                                         |               |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
-| [`-f`](https://docs.docker.com/reference/cli/docker/image/build/#file), [`--file`](https://docs.docker.com/reference/cli/docker/image/build/#file) | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
-| `--iidfile`                                                                                                                                        | `string`      |           | Write the image ID to the file                                                                      |
-| `--label`                                                                                                                                          | `stringArray` |           | Set metadata for an image                                                                           |
-| `--load`                                                                                                                                           |               |           | Shorthand for `--output=type=docker`                                                                |
-| `--metadata-file`                                                                                                                                  | `string`      |           | Write build result metadata to the file                                                             |
-| `--network`                                                                                                                                        | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
-| `--no-cache`                                                                                                                                       |               |           | Do not use cache when building the image                                                            |
-| `--no-cache-filter`                                                                                                                                | `stringArray` |           | Do not cache specified stages                                                                       |
-| `-o`, `--output`                                                                                                                                   | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
-| `--platform`                                                                                                                                       | `stringArray` |           | Set target platform for build                                                                       |
-| `--print`                                                                                                                                          | `string`      |           | Print result of information request (e.g., outline, targets) (EXPERIMENTAL)                         |
-| `--progress`                                                                                                                                       | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output            |
-| `--provenance`                                                                                                                                     | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
-| `--pull`                                                                                                                                           |               |           | Always attempt to pull all referenced images                                                        |
-| `--push`                                                                                                                                           |               |           | Shorthand for `--output=type=registry`                                                              |
-| `-q`, `--quiet`                                                                                                                                    |               |           | Suppress the build output and print image ID on success                                             |
-| `--root`                                                                                                                                           | `string`      |           | Specify root directory of server to connect (EXPERIMENTAL)                                          |
-| `--sbom`                                                                                                                                           | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
-| `--secret`                                                                                                                                         | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
-| `--server-config`                                                                                                                                  | `string`      |           | Specify buildx server config file (used only when launching new server) (EXPERIMENTAL)              |
-| `--shm-size`                                                                                                                                       | `bytes`       | `0`       | Shared memory size for build containers                                                             |
-| `--ssh`                                                                                                                                            | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
-| [`-t`](https://docs.docker.com/reference/cli/docker/image/build/#tag), [`--tag`](https://docs.docker.com/reference/cli/docker/image/build/#tag)    | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
-| [`--target`](https://docs.docker.com/reference/cli/docker/image/build/#target)                                                                     | `string`      |           | Set the target build stage to build                                                                 |
-| `--ulimit`                                                                                                                                         | `ulimit`      |           | Ulimit options                                                                                      |
+| Name                | Type          | Default   | Description                                                                                         |
+|:--------------------|:--------------|:----------|:----------------------------------------------------------------------------------------------------|
+| `--add-host`        | `stringSlice` |           | Add a custom host-to-IP mapping (format: `host:ip`)                                                 |
+| `--allow`           | `stringSlice` |           | Allow extra privileged entitlement (e.g., `network.host`, `security.insecure`)                      |
+| `--annotation`      | `stringArray` |           | Add annotation to the image                                                                         |
+| `--attest`          | `stringArray` |           | Attestation parameters (format: `type=sbom,generator=image`)                                        |
+| `--build-arg`       | `stringArray` |           | Set build-time variables                                                                            |
+| `--build-context`   | `stringArray` |           | Additional build contexts (e.g., name=path)                                                         |
+| `--builder`         | `string`      |           | Override the configured builder instance                                                            |
+| `--cache-from`      | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
+| `--cache-to`        | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
+| `--call`            | `string`      | `build`   | Set method for evaluating build (`check`, `outline`, `targets`)                                     |
+| `--cgroup-parent`   | `string`      |           | Set the parent cgroup for the `RUN` instructions during build                                       |
+| `--check`           | `bool`        |           | Shorthand for `--call=check`                                                                        |
+| `-D`, `--debug`     | `bool`        |           | Enable debug logging                                                                                |
+| `--detach`          | `bool`        |           | Detach buildx server (supported only on linux) (EXPERIMENTAL)                                       |
+| `-f`, `--file`      | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
+| `--iidfile`         | `string`      |           | Write the image ID to a file                                                                        |
+| `--label`           | `stringArray` |           | Set metadata for an image                                                                           |
+| `--load`            | `bool`        |           | Shorthand for `--output=type=docker`                                                                |
+| `--metadata-file`   | `string`      |           | Write build result metadata to a file                                                               |
+| `--network`         | `string`      | `default` | Set the networking mode for the `RUN` instructions during build                                     |
+| `--no-cache`        | `bool`        |           | Do not use cache when building the image                                                            |
+| `--no-cache-filter` | `stringArray` |           | Do not cache specified stages                                                                       |
+| `-o`, `--output`    | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
+| `--platform`        | `stringArray` |           | Set target platform for build                                                                       |
+| `--progress`        | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`, `rawjson`). Use plain to show container output |
+| `--provenance`      | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
+| `--pull`            | `bool`        |           | Always attempt to pull all referenced images                                                        |
+| `--push`            | `bool`        |           | Shorthand for `--output=type=registry`                                                              |
+| `-q`, `--quiet`     | `bool`        |           | Suppress the build output and print image ID on success                                             |
+| `--root`            | `string`      |           | Specify root directory of server to connect (EXPERIMENTAL)                                          |
+| `--sbom`            | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
+| `--secret`          | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
+| `--server-config`   | `string`      |           | Specify buildx server config file (used only when launching new server) (EXPERIMENTAL)              |
+| `--shm-size`        | `bytes`       | `0`       | Shared memory size for build containers                                                             |
+| `--ssh`             | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
+| `-t`, `--tag`       | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
+| `--target`          | `string`      |           | Set the target build stage to build                                                                 |
+| `--ulimit`          | `ulimit`      |           | Ulimit options                                                                                      |


 <!---MARKER_GEN_END-->
--- a/Show More
+++ b/Show More