Merge pull request #2630 from crazy-max/v0.16.2_cherry-picks

[v0.16] cherry-picks for v0.16.2

Dockerfile

@@ -4,7 +4,7 @@ ARG GO_VERSION=1.22
 ARG XX_VERSION=1.4.0
 
 # for testing
-ARG DOCKER_VERSION=27.0.0-rc.2
+ARG DOCKER_VERSION=27.0.3
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG REGISTRY_VERSION=2.8.0
 ARG BUILDKIT_VERSION=v0.14.1

bake/bake.go

@@ -494,7 +494,7 @@ func (c Config) loadLinks(name string, t *Target, m map[string]*Target, o map[st
 				if err != nil {
 					return err
 				}
-				t2.Outputs = nil
+				t2.Outputs = []string{"type=cacheonly"}
 				t2.linked = true
 				m[target] = t2
 			}

bake/bake_test.go

@@ -838,7 +838,8 @@ func TestReadContextFromTargetChain(t *testing.T) {
 
 	mid, ok := m["mid"]
 	require.True(t, ok)
-	require.Equal(t, 0, len(mid.Outputs))
+	require.Equal(t, 1, len(mid.Outputs))
+	require.Equal(t, "type=cacheonly", mid.Outputs[0])
 	require.Equal(t, 1, len(mid.Contexts))
 
 	base, ok := m["base"]

bake/compose.go

@@ -8,6 +8,7 @@ import (
 	"sort"
 	"strings"
 
+	"github.com/compose-spec/compose-go/v2/consts"
 	"github.com/compose-spec/compose-go/v2/dotenv"
 	"github.com/compose-spec/compose-go/v2/loader"
 	composetypes "github.com/compose-spec/compose-go/v2/types"
@@ -40,7 +41,11 @@ func ParseCompose(cfgs []composetypes.ConfigFile, envs map[string]string) (*Conf
 		ConfigFiles: cfgs,
 		Environment: envs,
 	}, func(options *loader.Options) {
-		options.SetProjectName("bake", false)
+		projectName := "bake"
+		if v, ok := envs[consts.ComposeProjectName]; ok && v != "" {
+			projectName = v
+		}
+		options.SetProjectName(projectName, false)
 		options.SkipNormalization = true
 		options.Profiles = []string{"*"}
 	})

bake/compose_test.go

@@ -771,6 +771,33 @@ services:
 	require.NoError(t, err)
 }
 
+func TestProjectName(t *testing.T) {
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: ./webapp
+     args:
+       PROJECT_NAME: ${COMPOSE_PROJECT_NAME}
+`)
+
+	t.Run("default", func(t *testing.T) {
+		c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, nil)
+		require.NoError(t, err)
+		require.Len(t, c.Targets, 1)
+		require.Len(t, c.Targets[0].Args, 1)
+		require.Equal(t, map[string]*string{"PROJECT_NAME": ptrstr("bake")}, c.Targets[0].Args)
+	})
+
+	t.Run("env", func(t *testing.T) {
+		c, err := ParseCompose([]composetypes.ConfigFile{{Content: dt}}, map[string]string{"COMPOSE_PROJECT_NAME": "foo"})
+		require.NoError(t, err)
+		require.Len(t, c.Targets, 1)
+		require.Len(t, c.Targets[0].Args, 1)
+		require.Equal(t, map[string]*string{"PROJECT_NAME": ptrstr("foo")}, c.Targets[0].Args)
+	})
+}
+
 // chdir changes the current working directory to the named directory,
 // and then restore the original working directory at the end of the test.
 func chdir(t *testing.T, dir string) {

builder/node.go

@@ -48,8 +48,9 @@ func (b *Builder) Nodes() []Node {
 type LoadNodesOption func(*loadNodesOptions)
 
 type loadNodesOptions struct {
-	data     bool
-	dialMeta map[string][]string
+	data      bool
+	dialMeta  map[string][]string
+	clientOpt []client.ClientOpt
 }
 
 func WithData() LoadNodesOption {
@@ -64,6 +65,12 @@ func WithDialMeta(dialMeta map[string][]string) LoadNodesOption {
 	}
 }
 
+func WithClientOpt(clientOpt ...client.ClientOpt) LoadNodesOption {
+	return func(o *loadNodesOptions) {
+		o.clientOpt = clientOpt
+	}
+}
+
 // LoadNodes loads and returns nodes for this builder.
 // TODO: this should be a method on a Node object and lazy load data for each driver.
 func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []Node, err error) {
@@ -151,7 +158,7 @@ func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []N
 				node.ImageOpt = imageopt
 
 				if lno.data {
-					if err := node.loadData(ctx); err != nil {
+					if err := node.loadData(ctx, lno.clientOpt...); err != nil {
 						node.Err = err
 					}
 				}
@@ -247,7 +254,7 @@ func (n *Node) MarshalJSON() ([]byte, error) {
 	})
 }
 
-func (n *Node) loadData(ctx context.Context) error {
+func (n *Node) loadData(ctx context.Context, clientOpt ...client.ClientOpt) error {
 	if n.Driver == nil {
 		return nil
 	}
@@ -257,7 +264,7 @@ func (n *Node) loadData(ctx context.Context) error {
 	}
 	n.DriverInfo = info
 	if n.DriverInfo.Status == driver.Running {
-		driverClient, err := n.Driver.Client(ctx)
+		driverClient, err := n.Driver.Client(ctx, clientOpt...)
 		if err != nil {
 			return err
 		}

commands/bake.go

@@ -146,7 +146,9 @@ func runBake(ctx context.Context, dockerCli command.Cli, targets []string, in ba
 	printer, err = progress.NewPrinter(ctx2, os.Stderr, progressMode,
 		progress.WithDesc(progressTextDesc, progressConsoleDesc),
 		progress.WithOnClose(func() {
-			printWarnings(os.Stderr, printer.Warnings(), progressMode)
+			if p := printer; p != nil {
+				printWarnings(os.Stderr, p.Warnings(), progressMode)
+			}
 		}),
 	)
 	if err != nil {

commands/build.go

@@ -835,7 +835,7 @@ func printWarnings(w io.Writer, warnings []client.VertexWarning, mode progressui
 		fmt.Fprintf(sb, "%d warnings found", len(warnings))
 	}
 	if logrus.GetLevel() < logrus.DebugLevel {
-		fmt.Fprintf(sb, " (use --debug to expand)")
+		fmt.Fprintf(sb, " (use docker --debug to expand)")
 	}
 	fmt.Fprintf(sb, ":\n")
 	fmt.Fprint(w, aec.Apply(sb.String(), aec.YellowF))

driver/manager.go

@@ -155,9 +155,9 @@ type DriverHandle struct {
 	historyAPISupported     bool
 }
 
-func (d *DriverHandle) Client(ctx context.Context) (*client.Client, error) {
+func (d *DriverHandle) Client(ctx context.Context, opt ...client.ClientOpt) (*client.Client, error) {
 	d.once.Do(func() {
-		d.client, d.err = d.Driver.Client(ctx, d.getClientOptions()...)
+		d.client, d.err = d.Driver.Client(ctx, append(d.getClientOptions(), opt...)...)
 	})
 	return d.client, d.err
 }

go.mod

@@ -20,7 +20,7 @@ require (
 	github.com/docker/cli-docs-tool v0.8.0
 	github.com/docker/docker v27.0.3+incompatible
 	github.com/docker/go-units v0.5.0
-	github.com/gofrs/flock v0.12.0
+	github.com/gofrs/flock v0.12.1
 	github.com/gogo/protobuf v1.3.2
 	github.com/golang/protobuf v1.5.4
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
@@ -29,7 +29,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.20.1
 	github.com/in-toto/in-toto-golang v0.5.0
 	github.com/mitchellh/hashstructure/v2 v2.0.2
-	github.com/moby/buildkit v0.15.0-rc1
+	github.com/moby/buildkit v0.15.1
 	github.com/moby/sys/mountinfo v0.7.1
 	github.com/moby/sys/signal v0.7.0
 	github.com/morikuni/aec v1.0.0
@@ -43,7 +43,7 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.9.0
 	github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c
-	github.com/tonistiigi/go-csvvalue v0.0.0-20240619222358-bb8dd5cba3c2
+	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4
 	github.com/zclconf/go-cty v1.14.4
 	go.opentelemetry.io/otel v1.21.0
 	go.opentelemetry.io/otel/metric v1.21.0
@@ -51,7 +51,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.21.0
 	golang.org/x/mod v0.17.0
 	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.21.0
+	golang.org/x/sys v0.22.0
 	golang.org/x/term v0.20.0
 	golang.org/x/text v0.15.0
 	google.golang.org/grpc v1.59.0

go.sum

@@ -184,8 +184,8 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
 github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/gofrs/flock v0.12.0 h1:xHW8t8GPAiGtqz7KxiSqfOEXwpOaqhpYZrTE2MQBgXY=
-github.com/gofrs/flock v0.12.0/go.mod h1:FirDy1Ing0mI2+kB6wk+vyyAH+e6xiE+EYA0jnzV9jc=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/gogo/googleapis v1.4.1 h1:1Yx4Myt7BxzvUr5ldGSbwYiZG6t9wGBZ+8/fX3Wvtq0=
 github.com/gogo/googleapis v1.4.1/go.mod h1:2lpHqI5OcWCtVElxXnPt+s8oJvMpySlOyM6xDCrzib4=
 github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
@@ -306,8 +306,8 @@ github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/z
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.15.0-rc1 h1:74cW+CaRhCX8b/0sTEwWM6zPxgHJb90imPZMf+E42TY=
-github.com/moby/buildkit v0.15.0-rc1/go.mod h1:ik25J3PkZrQc2dDquClV6jXMjjtoXDCLFySlfZDk5j0=
+github.com/moby/buildkit v0.15.1 h1:J6wrew7hphKqlq1wuu6yaUb/1Ra7gEzDAovylGztAKM=
+github.com/moby/buildkit v0.15.1/go.mod h1:Yis8ZMUJTHX9XhH9zVyK2igqSHV3sxi3UN0uztZocZk=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
@@ -442,8 +442,8 @@ github.com/theupdateframework/notary v0.7.0 h1:QyagRZ7wlSpjT5N2qQAh/pN+DVqgekv4D
 github.com/theupdateframework/notary v0.7.0/go.mod h1:c9DRxcmhHmVLDay4/2fUYdISnHqbFDGRSlXPO0AhYWw=
 github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c h1:+6wg/4ORAbnSoGDzg2Q1i3CeMcT/jjhye/ZfnBHy7/M=
 github.com/tonistiigi/fsutil v0.0.0-20240424095704-91a3fc46842c/go.mod h1:vbbYqJlnswsbJqWUcJN8fKtBhnEgldDrcagTgnBVKKM=
-github.com/tonistiigi/go-csvvalue v0.0.0-20240619222358-bb8dd5cba3c2 h1:4dXTcm/McJMoXXFhqr+4rNL4WkLqMoHkdMhT4nU0Z28=
-github.com/tonistiigi/go-csvvalue v0.0.0-20240619222358-bb8dd5cba3c2/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 h1:7I5c2Ig/5FgqkYOh/N87NzoyI9U15qUPXhDD8uCupv8=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea/go.mod h1:WPnis/6cRcDZSUvVmezrxJPkiO87ThFYsoUiMwWNDJk=
 github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab h1:H6aJ0yKQ0gF49Qb2z5hI1UHxSQt4JMyxebFR15KnApw=
@@ -549,8 +549,8 @@ golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.21.0 h1:rF+pYz3DAGSQAxAu1CbC7catZg4ebC4UIeIhKxBZvws=
-golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=

tests/bake.go

@@ -1,6 +1,7 @@
 package tests
 
 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
 	"os"
@@ -9,6 +10,7 @@ import (
 	"testing"
 
 	"github.com/containerd/continuity/fs/fstest"
+	"github.com/docker/buildx/bake"
 	"github.com/docker/buildx/util/gitutil"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/identity"
@@ -28,6 +30,7 @@ func bakeCmd(sb integration.Sandbox, opts ...cmdOpt) (string, error) {
 }
 
 var bakeTests = []func(t *testing.T, sb integration.Sandbox){
+	testBakePrint,
 	testBakeLocal,
 	testBakeLocalMulti,
 	testBakeRemote,
@@ -55,6 +58,49 @@ var bakeTests = []func(t *testing.T, sb integration.Sandbox){
 	testBakeCallCheckFlag,
 }
 
+func testBakePrint(t *testing.T, sb integration.Sandbox) {
+	dockerfile := []byte(`
+FROM busybox
+ARG HELLO
+RUN echo "Hello ${HELLO}"
+	`)
+	bakefile := []byte(`
+target "build" {
+  args = {
+    HELLO = "foo"
+  }
+}
+`)
+	dir := tmpdir(
+		t,
+		fstest.CreateFile("docker-bake.hcl", bakefile, 0600),
+		fstest.CreateFile("Dockerfile", dockerfile, 0600),
+	)
+
+	cmd := buildxCmd(sb, withDir(dir), withArgs("bake", "--print", "build"))
+	stdout := bytes.Buffer{}
+	stderr := bytes.Buffer{}
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	require.NoError(t, cmd.Run(), stdout.String(), stderr.String())
+
+	var def struct {
+		Group  map[string]*bake.Group  `json:"group,omitempty"`
+		Target map[string]*bake.Target `json:"target"`
+	}
+	require.NoError(t, json.Unmarshal(stdout.Bytes(), &def))
+
+	require.Len(t, def.Group, 1)
+	require.Contains(t, def.Group, "default")
+
+	require.Equal(t, []string{"build"}, def.Group["default"].Targets)
+	require.Len(t, def.Target, 1)
+	require.Contains(t, def.Target, "build")
+	require.Equal(t, ".", *def.Target["build"].Context)
+	require.Equal(t, "Dockerfile", *def.Target["build"].Dockerfile)
+	require.Equal(t, map[string]*string{"HELLO": ptrstr("foo")}, def.Target["build"].Args)
+}
+
 func testBakeLocal(t *testing.T, sb integration.Sandbox) {
 	dockerfile := []byte(`
 FROM scratch
@@ -1074,15 +1120,16 @@ target "another" {
 	require.Contains(t, out, "another")
 	require.Contains(t, out, "UndefinedVar")
 
-	out, err = bakeCmd(
+	cmd := buildxCmd(
 		sb,
 		withDir(dir),
-		withArgs("build", "another", "--call", "check,format=json"),
+		withArgs("bake", "--progress=quiet", "build", "another", "--call", "check,format=json"),
 	)
-	require.Error(t, err, out)
+	outB, err := cmd.Output()
+	require.Error(t, err, string(outB))
 
 	var res map[string]any
-	err = json.Unmarshal([]byte(out), &res)
+	err = json.Unmarshal(outB, &res)
 	require.NoError(t, err, out)
 
 	targets, ok := res["target"].(map[string]any)

tests/integration.go

@@ -4,6 +4,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"reflect"
 	"strconv"
 	"strings"
 	"sync"
@@ -208,3 +209,12 @@ func skipNoCompatBuildKit(t *testing.T, sb integration.Sandbox, constraint strin
 		t.Skipf("buildkit version %s does not match %s constraint (%s)", buildkitVersion(t, sb), constraint, msg)
 	}
 }
+
+func ptrstr(s interface{}) *string {
+	var n *string
+	if reflect.ValueOf(s).Kind() == reflect.String {
+		ss := s.(string)
+		n = &ss
+	}
+	return n
+}

vendor/github.com/gofrs/flock/README.md

@@ -1,7 +1,7 @@
 # flock
 
 [![Go Reference](https://pkg.go.dev/badge/github.com/gofrs/flock.svg)](https://pkg.go.dev/github.com/gofrs/flock)
-[![License](https://img.shields.io/badge/license-BSD_3--Clause-brightgreen.svg?style=flat)](https://github.com/gofrs/flock/blob/master/LICENSE)
+[![License](https://img.shields.io/badge/license-BSD_3--Clause-brightgreen.svg?style=flat)](https://github.com/gofrs/flock/blob/main/LICENSE)
 [![Go Report Card](https://goreportcard.com/badge/github.com/gofrs/flock)](https://goreportcard.com/report/github.com/gofrs/flock)
 
 `flock` implements a thread-safe file lock.

vendor/github.com/gofrs/flock/flock.go

@@ -163,9 +163,9 @@ func tryCtx(ctx context.Context, fn func() (bool, error), retryDelay time.Durati
 	}
 }
 
-func (f *Flock) setFh() error {
+func (f *Flock) setFh(flag int) error {
 	// open a new os.File instance
-	fh, err := os.OpenFile(f.path, f.flag, f.perm)
+	fh, err := os.OpenFile(f.path, flag, f.perm)
 	if err != nil {
 		return err
 	}
@@ -176,9 +176,11 @@ func (f *Flock) setFh() error {
 	return nil
 }
 
-// ensure the file handle is closed if no lock is held.
-func (f *Flock) ensureFhState() {
-	if f.l || f.r || f.fh == nil {
+// resetFh resets file handle:
+// - tries to close the file (ignore errors)
+// - sets fh to nil.
+func (f *Flock) resetFh() {
+	if f.fh == nil {
 		return
 	}
 
@@ -187,11 +189,18 @@ func (f *Flock) ensureFhState() {
 	f.fh = nil
 }
 
+// ensure the file handle is closed if no lock is held.
+func (f *Flock) ensureFhState() {
+	if f.l || f.r || f.fh == nil {
+		return
+	}
+
+	f.resetFh()
+}
+
 func (f *Flock) reset() {
 	f.l = false
 	f.r = false
 
-	_ = f.fh.Close()
-
-	f.fh = nil
+	f.resetFh()
 }

vendor/github.com/gofrs/flock/flock_unix.go

@@ -50,7 +50,7 @@ func (f *Flock) lock(locked *bool, flag int) error {
 	}
 
 	if f.fh == nil {
-		if err := f.setFh(); err != nil {
+		if err := f.setFh(f.flag); err != nil {
 			return err
 		}
 
@@ -147,7 +147,7 @@ func (f *Flock) try(locked *bool, flag int) (bool, error) {
 	}
 
 	if f.fh == nil {
-		if err := f.setFh(); err != nil {
+		if err := f.setFh(f.flag); err != nil {
 			return false, err
 		}
 
@@ -183,6 +183,7 @@ retry:
 // This comes from `util-linux/sys-utils/flock.c`:
 // > Since Linux 3.4 (commit 55725513)
 // > Probably NFSv4 where flock() is emulated by fcntl().
+// > https://github.com/util-linux/util-linux/blob/198e920aa24743ef6ace4e07cf6237de527f9261/sys-utils/flock.c#L374-L390
 func (f *Flock) reopenFDOnError(err error) (bool, error) {
 	if !errors.Is(err, unix.EIO) && !errors.Is(err, unix.EBADF) {
 		return false, nil
@@ -197,16 +198,13 @@ func (f *Flock) reopenFDOnError(err error) (bool, error) {
 		return false, nil
 	}
 
-	_ = f.fh.Close()
-	f.fh = nil
+	f.resetFh()
 
 	// reopen in read-write mode and set the file handle
-	fh, err := os.OpenFile(f.path, f.flag, f.perm)
+	err = f.setFh(f.flag | os.O_RDWR)
 	if err != nil {
 		return false, err
 	}
 
-	f.fh = fh
-
 	return true, nil
 }

vendor/github.com/gofrs/flock/flock_unix_fcntl.go

@@ -112,7 +112,7 @@ func (f *Flock) lock(locked *bool, flag lockType) error {
 	}
 
 	if f.fh == nil {
-		if err := f.setFh(); err != nil {
+		if err := f.setFh(f.flag); err != nil {
 			return err
 		}
 
@@ -359,7 +359,7 @@ func (f *Flock) try(locked *bool, flag lockType) (bool, error) {
 	}
 
 	if f.fh == nil {
-		if err := f.setFh(); err != nil {
+		if err := f.setFh(f.flag); err != nil {
 			return false, err
 		}
 

vendor/github.com/gofrs/flock/flock_windows.go

@@ -56,7 +56,7 @@ func (f *Flock) lock(locked *bool, flag uint32) error {
 	}
 
 	if f.fh == nil {
-		if err := f.setFh(); err != nil {
+		if err := f.setFh(f.flag); err != nil {
 			return err
 		}
 
@@ -136,7 +136,7 @@ func (f *Flock) try(locked *bool, flag uint32) (bool, error) {
 	}
 
 	if f.fh == nil {
-		if err := f.setFh(); err != nil {
+		if err := f.setFh(f.flag); err != nil {
 			return false, err
 		}
 

vendor/github.com/moby/buildkit/frontend/dockerfile/linter/ruleset.go

@@ -148,4 +148,20 @@ var (
 			return fmt.Sprintf("Default value for ARG %v results in empty or invalid base image name", baseName)
 		},
 	}
+	RuleFromPlatformFlagConstDisallowed = LinterRule[func(string) string]{
+		Name:        "FromPlatformFlagConstDisallowed",
+		Description: "FROM --platform flag should not use a constant value",
+		URL:         "https://docs.docker.com/go/dockerfile/rule/from-platform-flag-const-disallowed/",
+		Format: func(platform string) string {
+			return fmt.Sprintf("FROM --platform flag should not use constant value %q", platform)
+		},
+	}
+	RuleCopyIgnoredFile = LinterRule[func(string, string) string]{
+		Name:        "CopyIgnoredFile",
+		Description: "Attempting to Copy file that is excluded by .dockerignore",
+		URL:         "https://docs.docker.com/go/dockerfile/rule/copy-ignored-file/",
+		Format: func(cmd, file string) string {
+			return fmt.Sprintf("Attempting to %s file %q that is excluded by .dockerignore", cmd, file)
+		},
+	}
 )

vendor/github.com/moby/buildkit/frontend/dockerui/config.go

@@ -45,28 +45,30 @@ const (
 
 	// Don't forget to update frontend documentation if you add
 	// a new build-arg: frontend/dockerfile/docs/reference.md
-	keyCacheNSArg           = "build-arg:BUILDKIT_CACHE_MOUNT_NS"
-	keyMultiPlatformArg     = "build-arg:BUILDKIT_MULTI_PLATFORM"
-	keyHostnameArg          = "build-arg:BUILDKIT_SANDBOX_HOSTNAME"
-	keyDockerfileLintArg    = "build-arg:BUILDKIT_DOCKERFILE_CHECK"
-	keyContextKeepGitDirArg = "build-arg:BUILDKIT_CONTEXT_KEEP_GIT_DIR"
-	keySourceDateEpoch      = "build-arg:SOURCE_DATE_EPOCH"
+	keyCacheNSArg              = "build-arg:BUILDKIT_CACHE_MOUNT_NS"
+	keyMultiPlatformArg        = "build-arg:BUILDKIT_MULTI_PLATFORM"
+	keyHostnameArg             = "build-arg:BUILDKIT_SANDBOX_HOSTNAME"
+	keyDockerfileLintArg       = "build-arg:BUILDKIT_DOCKERFILE_CHECK"
+	keyContextKeepGitDirArg    = "build-arg:BUILDKIT_CONTEXT_KEEP_GIT_DIR"
+	keySourceDateEpoch         = "build-arg:SOURCE_DATE_EPOCH"
+	keyCopyIgnoredCheckEnabled = "build-arg:BUILDKIT_DOCKERFILE_CHECK_COPYIGNORED_EXPERIMENT"
 )
 
 type Config struct {
-	BuildArgs        map[string]string
-	CacheIDNamespace string
-	CgroupParent     string
-	Epoch            *time.Time
-	ExtraHosts       []llb.HostIP
-	Hostname         string
-	ImageResolveMode llb.ResolveMode
-	Labels           map[string]string
-	NetworkMode      pb.NetMode
-	ShmSize          int64
-	Target           string
-	Ulimits          []pb.Ulimit
-	LinterConfig     *linter.Config
+	BuildArgs               map[string]string
+	CacheIDNamespace        string
+	CgroupParent            string
+	Epoch                   *time.Time
+	ExtraHosts              []llb.HostIP
+	Hostname                string
+	ImageResolveMode        llb.ResolveMode
+	Labels                  map[string]string
+	NetworkMode             pb.NetMode
+	ShmSize                 int64
+	Target                  string
+	Ulimits                 []pb.Ulimit
+	LinterConfig            *linter.Config
+	CopyIgnoredCheckEnabled bool
 
 	CacheImports           []client.CacheOptionsEntry
 	TargetPlatforms        []ocispecs.Platform // nil means default
@@ -286,6 +288,16 @@ func (bc *Client) init() error {
 			return errors.Wrapf(err, "failed to parse %s", keyDockerfileLintArg)
 		}
 	}
+
+	// CopyIgnoredCheckEnabled is an experimental feature to check if COPY is ignored by .dockerignore,
+	// and it is disabled by default. It is expected that this feature will be enabled by default in a future
+	// release, and this build-arg will be removed.
+	if v, ok := opts[keyCopyIgnoredCheckEnabled]; ok {
+		bc.CopyIgnoredCheckEnabled, err = strconv.ParseBool(v)
+		if err != nil {
+			return errors.Wrapf(err, "failed to parse %s", keyCopyIgnoredCheckEnabled)
+		}
+	}
 	return nil
 }
 
@@ -410,44 +422,9 @@ func (bc *Client) MainContext(ctx context.Context, opts ...llb.LocalOption) (*ll
 		return bctx.context, nil
 	}
 
-	if bc.dockerignore == nil {
-		st := llb.Local(bctx.contextLocalName,
-			llb.SessionID(bc.bopts.SessionID),
-			llb.FollowPaths([]string{DefaultDockerignoreName}),
-			llb.SharedKeyHint(bctx.contextLocalName+"-"+DefaultDockerignoreName),
-			WithInternalName("load "+DefaultDockerignoreName),
-			llb.Differ(llb.DiffNone, false),
-		)
-		def, err := st.Marshal(ctx, bc.marshalOpts()...)
-		if err != nil {
-			return nil, err
-		}
-		res, err := bc.client.Solve(ctx, client.SolveRequest{
-			Definition: def.ToPB(),
-		})
-		if err != nil {
-			return nil, err
-		}
-		ref, err := res.SingleRef()
-		if err != nil {
-			return nil, err
-		}
-		dt, _ := ref.ReadFile(ctx, client.ReadRequest{ // ignore error
-			Filename: DefaultDockerignoreName,
-		})
-		if dt == nil {
-			dt = []byte{}
-		}
-		bc.dockerignore = dt
-		bc.dockerignoreName = DefaultDockerignoreName
-	}
-
-	var excludes []string
-	if len(bc.dockerignore) != 0 {
-		excludes, err = ignorefile.ReadAll(bytes.NewBuffer(bc.dockerignore))
-		if err != nil {
-			return nil, errors.Wrapf(err, "failed parsing %s", bc.dockerignoreName)
-		}
+	excludes, err := bc.dockerIgnorePatterns(ctx, bctx)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to read dockerignore patterns")
 	}
 
 	opts = append([]llb.LocalOption{
@@ -493,6 +470,21 @@ func (bc *Client) IsNoCache(name string) bool {
 	return false
 }
 
+func (bc *Client) DockerIgnorePatterns(ctx context.Context) ([]string, error) {
+	if bc == nil {
+		return nil, nil
+	}
+	bctx, err := bc.buildContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+	if bctx.context != nil {
+		return nil, nil
+	}
+
+	return bc.dockerIgnorePatterns(ctx, bctx)
+}
+
 func DefaultMainContext(opts ...llb.LocalOption) *llb.State {
 	opts = append([]llb.LocalOption{
 		llb.SharedKeyHint(DefaultLocalNameContext),
@@ -505,3 +497,46 @@ func DefaultMainContext(opts ...llb.LocalOption) *llb.State {
 func WithInternalName(name string) llb.ConstraintsOpt {
 	return llb.WithCustomName("[internal] " + name)
 }
+
+func (bc *Client) dockerIgnorePatterns(ctx context.Context, bctx *buildContext) ([]string, error) {
+	if bc.dockerignore == nil {
+		st := llb.Local(bctx.contextLocalName,
+			llb.SessionID(bc.bopts.SessionID),
+			llb.FollowPaths([]string{DefaultDockerignoreName}),
+			llb.SharedKeyHint(bctx.contextLocalName+"-"+DefaultDockerignoreName),
+			WithInternalName("load "+DefaultDockerignoreName),
+			llb.Differ(llb.DiffNone, false),
+		)
+		def, err := st.Marshal(ctx, bc.marshalOpts()...)
+		if err != nil {
+			return nil, err
+		}
+		res, err := bc.client.Solve(ctx, client.SolveRequest{
+			Definition: def.ToPB(),
+		})
+		if err != nil {
+			return nil, err
+		}
+		ref, err := res.SingleRef()
+		if err != nil {
+			return nil, err
+		}
+		dt, _ := ref.ReadFile(ctx, client.ReadRequest{ // ignore error
+			Filename: DefaultDockerignoreName,
+		})
+		if dt == nil {
+			dt = []byte{}
+		}
+		bc.dockerignore = dt
+		bc.dockerignoreName = DefaultDockerignoreName
+	}
+	var err error
+	var excludes []string
+	if len(bc.dockerignore) != 0 {
+		excludes, err = ignorefile.ReadAll(bytes.NewBuffer(bc.dockerignore))
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed parsing %s", bc.dockerignoreName)
+		}
+	}
+	return excludes, nil
+}

vendor/github.com/moby/buildkit/util/testutil/integration/run.go

@@ -13,6 +13,7 @@ import (
 	"runtime"
 	"sort"
 	"strings"
+	"sync"
 	"testing"
 	"time"
 
@@ -161,10 +162,7 @@ func Run(t *testing.T, testCases []Test, opt ...TestOpt) {
 		o(&tc)
 	}
 
-	mirror, cleanup, err := runMirror(t, tc.mirroredImages)
-	require.NoError(t, err)
-
-	t.Cleanup(func() { _ = cleanup() })
+	getMirror := lazyMirrorRunnerFunc(t, tc.mirroredImages)
 
 	matrix := prepareValueMatrix(tc)
 
@@ -200,7 +198,7 @@ func Run(t *testing.T, testCases []Test, opt ...TestOpt) {
 						ctx, cancel := context.WithCancelCause(ctx)
 						defer cancel(errors.WithStack(context.Canceled))
 
-						sb, closer, err := newSandbox(ctx, br, mirror, mv)
+						sb, closer, err := newSandbox(ctx, br, getMirror(), mv)
 						require.NoError(t, err)
 						t.Cleanup(func() { _ = closer() })
 						defer func() {
@@ -238,6 +236,11 @@ func copyImagesLocal(t *testing.T, host string, images map[string]string) error
 		}
 		localImageCache[host][to] = struct{}{}
 
+		// already exists check
+		if _, _, err := docker.NewResolver(docker.ResolverOptions{}).Resolve(context.TODO(), host+"/"+to); err == nil {
+			continue
+		}
+
 		var desc ocispecs.Descriptor
 		var provider content.Provider
 		var err error
@@ -257,12 +260,6 @@ func copyImagesLocal(t *testing.T, host string, images map[string]string) error
 			}
 		}
 
-		// already exists check
-		_, _, err = docker.NewResolver(docker.ResolverOptions{}).Resolve(context.TODO(), host+"/"+to)
-		if err == nil {
-			continue
-		}
-
 		ingester, err := contentutil.IngesterFromRef(host + "/" + to)
 		if err != nil {
 			return err
@@ -329,6 +326,20 @@ func WriteConfig(updaters []ConfigUpdater) (string, error) {
 	return filepath.Join(tmpdir, buildkitdConfigFile), nil
 }
 
+func lazyMirrorRunnerFunc(t *testing.T, images map[string]string) func() string {
+	var once sync.Once
+	var mirror string
+	return func() string {
+		once.Do(func() {
+			host, cleanup, err := runMirror(t, images)
+			require.NoError(t, err)
+			t.Cleanup(func() { _ = cleanup() })
+			mirror = host
+		})
+		return mirror
+	}
+}
+
 func runMirror(t *testing.T, mirroredImages map[string]string) (host string, _ func() error, err error) {
 	mirrorDir := os.Getenv("BUILDKIT_REGISTRY_MIRROR_DIR")
 

vendor/github.com/tonistiigi/go-csvvalue/csvvalue.go

@@ -126,6 +126,7 @@ parseField:
 					appendToLast(dst, "\"")
 					line = line[quoteLen:]
 					pos += quoteLen
+					halfOpen = true
 				case rn == r.Comma:
 					// `",` sequence (end of field).
 					line = line[commaLen:]

vendor/golang.org/x/sys/unix/mremap.go

@@ -50,3 +50,8 @@ func (m *mremapMmapper) Mremap(oldData []byte, newLength int, flags int) (data [
 func Mremap(oldData []byte, newLength int, flags int) (data []byte, err error) {
 	return mapper.Mremap(oldData, newLength, flags)
 }
+
+func MremapPtr(oldAddr unsafe.Pointer, oldSize uintptr, newAddr unsafe.Pointer, newSize uintptr, flags int) (ret unsafe.Pointer, err error) {
+	xaddr, err := mapper.mremap(uintptr(oldAddr), oldSize, newSize, flags, uintptr(newAddr))
+	return unsafe.Pointer(xaddr), err
+}

vendor/golang.org/x/sys/unix/syscall_darwin.go

@@ -542,6 +542,18 @@ func SysctlKinfoProcSlice(name string, args ...int) ([]KinfoProc, error) {
 	}
 }
 
+//sys	pthread_chdir_np(path string) (err error)
+
+func PthreadChdir(path string) (err error) {
+	return pthread_chdir_np(path)
+}
+
+//sys	pthread_fchdir_np(fd int) (err error)
+
+func PthreadFchdir(fd int) (err error) {
+	return pthread_fchdir_np(fd)
+}
+
 //sys	sendfile(infd int, outfd int, offset int64, len *int64, hdtr unsafe.Pointer, flags int) (err error)
 
 //sys	shmat(id int, addr uintptr, flag int) (ret uintptr, err error)

vendor/golang.org/x/sys/unix/syscall_unix.go

@@ -154,6 +154,15 @@ func Munmap(b []byte) (err error) {
 	return mapper.Munmap(b)
 }
 
+func MmapPtr(fd int, offset int64, addr unsafe.Pointer, length uintptr, prot int, flags int) (ret unsafe.Pointer, err error) {
+	xaddr, err := mapper.mmap(uintptr(addr), length, prot, flags, fd, offset)
+	return unsafe.Pointer(xaddr), err
+}
+
+func MunmapPtr(addr unsafe.Pointer, length uintptr) (err error) {
+	return mapper.munmap(uintptr(addr), length)
+}
+
 func Read(fd int, p []byte) (n int, err error) {
 	n, err = read(fd, p)
 	if raceenabled {

vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.go

@@ -760,6 +760,39 @@ var libc_sysctl_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func pthread_chdir_np(path string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall(libc_pthread_chdir_np_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pthread_chdir_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pthread_chdir_np pthread_chdir_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pthread_fchdir_np(fd int) (err error) {
+	_, _, e1 := syscall_syscall(libc_pthread_fchdir_np_trampoline_addr, uintptr(fd), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pthread_fchdir_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pthread_fchdir_np pthread_fchdir_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func sendfile(infd int, outfd int, offset int64, len *int64, hdtr unsafe.Pointer, flags int) (err error) {
 	_, _, e1 := syscall_syscall6(libc_sendfile_trampoline_addr, uintptr(infd), uintptr(outfd), uintptr(offset), uintptr(unsafe.Pointer(len)), uintptr(hdtr), uintptr(flags))
 	if e1 != 0 {

vendor/golang.org/x/sys/unix/zsyscall_darwin_amd64.s

@@ -228,6 +228,16 @@ TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sysctl_trampoline_addr(SB)/8, $libc_sysctl_trampoline<>(SB)
 
+TEXT libc_pthread_chdir_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pthread_chdir_np(SB)
+GLOBL	·libc_pthread_chdir_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pthread_chdir_np_trampoline_addr(SB)/8, $libc_pthread_chdir_np_trampoline<>(SB)
+
+TEXT libc_pthread_fchdir_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pthread_fchdir_np(SB)
+GLOBL	·libc_pthread_fchdir_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pthread_fchdir_np_trampoline_addr(SB)/8, $libc_pthread_fchdir_np_trampoline<>(SB)
+
 TEXT libc_sendfile_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendfile(SB)
 GLOBL	·libc_sendfile_trampoline_addr(SB), RODATA, $8

vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.go

@@ -760,6 +760,39 @@ var libc_sysctl_trampoline_addr uintptr
 
 // THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
 
+func pthread_chdir_np(path string) (err error) {
+	var _p0 *byte
+	_p0, err = BytePtrFromString(path)
+	if err != nil {
+		return
+	}
+	_, _, e1 := syscall_syscall(libc_pthread_chdir_np_trampoline_addr, uintptr(unsafe.Pointer(_p0)), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pthread_chdir_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pthread_chdir_np pthread_chdir_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
+func pthread_fchdir_np(fd int) (err error) {
+	_, _, e1 := syscall_syscall(libc_pthread_fchdir_np_trampoline_addr, uintptr(fd), 0, 0)
+	if e1 != 0 {
+		err = errnoErr(e1)
+	}
+	return
+}
+
+var libc_pthread_fchdir_np_trampoline_addr uintptr
+
+//go:cgo_import_dynamic libc_pthread_fchdir_np pthread_fchdir_np "/usr/lib/libSystem.B.dylib"
+
+// THIS FILE IS GENERATED BY THE COMMAND AT THE TOP; DO NOT EDIT
+
 func sendfile(infd int, outfd int, offset int64, len *int64, hdtr unsafe.Pointer, flags int) (err error) {
 	_, _, e1 := syscall_syscall6(libc_sendfile_trampoline_addr, uintptr(infd), uintptr(outfd), uintptr(offset), uintptr(unsafe.Pointer(len)), uintptr(hdtr), uintptr(flags))
 	if e1 != 0 {

vendor/golang.org/x/sys/unix/zsyscall_darwin_arm64.s

@@ -228,6 +228,16 @@ TEXT libc_sysctl_trampoline<>(SB),NOSPLIT,$0-0
 GLOBL	·libc_sysctl_trampoline_addr(SB), RODATA, $8
 DATA	·libc_sysctl_trampoline_addr(SB)/8, $libc_sysctl_trampoline<>(SB)
 
+TEXT libc_pthread_chdir_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pthread_chdir_np(SB)
+GLOBL	·libc_pthread_chdir_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pthread_chdir_np_trampoline_addr(SB)/8, $libc_pthread_chdir_np_trampoline<>(SB)
+
+TEXT libc_pthread_fchdir_np_trampoline<>(SB),NOSPLIT,$0-0
+	JMP	libc_pthread_fchdir_np(SB)
+GLOBL	·libc_pthread_fchdir_np_trampoline_addr(SB), RODATA, $8
+DATA	·libc_pthread_fchdir_np_trampoline_addr(SB)/8, $libc_pthread_fchdir_np_trampoline<>(SB)
+
 TEXT libc_sendfile_trampoline<>(SB),NOSPLIT,$0-0
 	JMP	libc_sendfile(SB)
 GLOBL	·libc_sendfile_trampoline_addr(SB), RODATA, $8

vendor/golang.org/x/sys/windows/security_windows.go

@@ -894,7 +894,7 @@ type ACL struct {
 	aclRevision byte
 	sbz1        byte
 	aclSize     uint16
-	aceCount    uint16
+	AceCount    uint16
 	sbz2        uint16
 }
 
@@ -1087,6 +1087,27 @@ type EXPLICIT_ACCESS struct {
 	Trustee           TRUSTEE
 }
 
+// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header
+type ACE_HEADER struct {
+	AceType  uint8
+	AceFlags uint8
+	AceSize  uint16
+}
+
+// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-access_allowed_ace
+type ACCESS_ALLOWED_ACE struct {
+	Header   ACE_HEADER
+	Mask     ACCESS_MASK
+	SidStart uint32
+}
+
+const (
+	// Constants for AceType
+	// https://learn.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-ace_header
+	ACCESS_ALLOWED_ACE_TYPE = 0
+	ACCESS_DENIED_ACE_TYPE  = 1
+)
+
 // This type is the union inside of TRUSTEE and must be created using one of the TrusteeValueFrom* functions.
 type TrusteeValue uintptr
 
@@ -1158,6 +1179,7 @@ type OBJECTS_AND_NAME struct {
 //sys	makeSelfRelativeSD(absoluteSD *SECURITY_DESCRIPTOR, selfRelativeSD *SECURITY_DESCRIPTOR, selfRelativeSDSize *uint32) (err error) = advapi32.MakeSelfRelativeSD
 
 //sys	setEntriesInAcl(countExplicitEntries uint32, explicitEntries *EXPLICIT_ACCESS, oldACL *ACL, newACL **ACL) (ret error) = advapi32.SetEntriesInAclW
+//sys	GetAce(acl *ACL, aceIndex uint32, pAce **ACCESS_ALLOWED_ACE) (ret error) = advapi32.GetAce
 
 // Control returns the security descriptor control bits.
 func (sd *SECURITY_DESCRIPTOR) Control() (control SECURITY_DESCRIPTOR_CONTROL, revision uint32, err error) {

vendor/golang.org/x/sys/windows/zsyscall_windows.go

@@ -91,6 +91,7 @@ var (
 	procEnumServicesStatusExW                                = modadvapi32.NewProc("EnumServicesStatusExW")
 	procEqualSid                                             = modadvapi32.NewProc("EqualSid")
 	procFreeSid                                              = modadvapi32.NewProc("FreeSid")
+	procGetAce                                               = modadvapi32.NewProc("GetAce")
 	procGetLengthSid                                         = modadvapi32.NewProc("GetLengthSid")
 	procGetNamedSecurityInfoW                                = modadvapi32.NewProc("GetNamedSecurityInfoW")
 	procGetSecurityDescriptorControl                         = modadvapi32.NewProc("GetSecurityDescriptorControl")
@@ -1224,6 +1225,14 @@ func setEntriesInAcl(countExplicitEntries uint32, explicitEntries *EXPLICIT_ACCE
 	return
 }
 
+func GetAce(acl *ACL, aceIndex uint32, pAce **ACCESS_ALLOWED_ACE) (ret error) {
+	r0, _, _ := syscall.Syscall(procGetAce.Addr(), 3, uintptr(unsafe.Pointer(acl)), uintptr(aceIndex), uintptr(unsafe.Pointer(pAce)))
+	if r0 == 0 {
+		ret = GetLastError()
+	}
+	return
+}
+
 func SetKernelObjectSecurity(handle Handle, securityInformation SECURITY_INFORMATION, securityDescriptor *SECURITY_DESCRIPTOR) (err error) {
 	r1, _, e1 := syscall.Syscall(procSetKernelObjectSecurity.Addr(), 3, uintptr(handle), uintptr(securityInformation), uintptr(unsafe.Pointer(securityDescriptor)))
 	if r1 == 0 {

vendor/modules.txt

@@ -357,7 +357,7 @@ github.com/go-openapi/swag
 ## explicit; go 1.18
 github.com/go-viper/mapstructure/v2
 github.com/go-viper/mapstructure/v2/internal/errors
-# github.com/gofrs/flock v0.12.0
+# github.com/gofrs/flock v0.12.1
 ## explicit; go 1.21.0
 github.com/gofrs/flock
 # github.com/gogo/googleapis v1.4.1
@@ -518,7 +518,7 @@ github.com/mitchellh/go-wordwrap
 github.com/mitchellh/hashstructure/v2
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
-# github.com/moby/buildkit v0.15.0-rc1
+# github.com/moby/buildkit v0.15.1
 ## explicit; go 1.21.0
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types
@@ -728,7 +728,7 @@ github.com/theupdateframework/notary/tuf/validation
 ## explicit; go 1.20
 github.com/tonistiigi/fsutil
 github.com/tonistiigi/fsutil/types
-# github.com/tonistiigi/go-csvvalue v0.0.0-20240619222358-bb8dd5cba3c2
+# github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4
 ## explicit; go 1.16
 github.com/tonistiigi/go-csvvalue
 # github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea
@@ -897,7 +897,7 @@ golang.org/x/oauth2/internal
 ## explicit; go 1.18
 golang.org/x/sync/errgroup
 golang.org/x/sync/semaphore
-# golang.org/x/sys v0.21.0
+# golang.org/x/sys v0.22.0
 ## explicit; go 1.18
 golang.org/x/sys/cpu
 golang.org/x/sys/plan9