Merge pull request #2115 from crazy-max/rework-driver-resolution2

build: rework node resolution
2025-08-15 00:05:57 +08:00 · 2023-11-14 08:43:03 -08:00 · 2023-11-14 15:08:30 +01:00 · 2023-11-13 18:24:48 -08:00 · 2023-11-13 09:10:07 -08:00 · 2023-11-07 14:41:33 -08:00
3792 changed files with 402129 additions and 111330 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,3 +1 @@
 bin/
-cross-out/
-release-out/
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -116,6 +116,60 @@ commit automatically with `git commit -s`.

 ### Run the unit- and integration-tests

+Running tests:
+
+```bash
+make test
+```
+
+This runs all unit and integration tests, in a containerized environment.
+Locally, every package can be tested separately with standard Go tools, but
+integration tests are skipped if local user doesn't have enough permissions or
+worker binaries are not installed.
+
+```bash
+# run unit tests only
+make test-unit
+
+# run integration tests only
+make test-integration
+
+# test a specific package
+TESTPKGS=./bake make test
+
+# run all integration tests with a specific worker
+TESTFLAGS="--run=//worker=remote -v" make test-integration
+
+# run a specific integration test
+TESTFLAGS="--run /TestBuild/worker=remote/ -v" make test-integration
+
+# run a selection of integration tests using a regexp
+TESTFLAGS="--run /TestBuild.*/worker=remote/ -v" make test-integration
+```
+
+> **Note**
+>
+> Set `TEST_KEEP_CACHE=1` for the test framework to keep external dependant
+> images in a docker volume if you are repeatedly calling `make test`. This
+> helps to avoid rate limiting on the remote registry side.
+
+> **Note**
+>
+> Set `TEST_DOCKERD=1` for the test framework to enable the docker workers,
+> specifically the `docker` and `docker-container` drivers.
+>
+> The docker tests cannot be run in parallel, so require passing `--parallel=1`
+> in `TESTFLAGS`.
+
+> **Note**
+>
+> If you are working behind a proxy, you can set some of or all
+> `HTTP_PROXY=http://ip:port`, `HTTPS_PROXY=http://ip:port`, `NO_PROXY=http://ip:port`
+> for the test framework to specify the proxy build args.
+
+
+### Run the helper commands
+
 To enter a demo container environment and experiment, you may run:

 ```
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -0,0 +1,124 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Bug Report
+description: Report a bug
+labels:
+  - status/triage
+
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thank you for taking the time to report a bug!
+        If this is a security issue please report it to the [Docker Security team](mailto:security@docker.com).
+
+  - type: checkboxes
+    attributes:
+      label: Contributing guidelines
+      description: |
+        Please read the contributing guidelines before proceeding.
+      options:
+        - label: I've read the [contributing guidelines](https://github.com/docker/buildx/blob/master/.github/CONTRIBUTING.md) and wholeheartedly agree
+          required: true
+
+  - type: checkboxes
+    attributes:
+      label: I've found a bug and checked that ...
+      description: |
+        Make sure that your request fulfills all of the following requirements.
+        If one requirement cannot be satisfied, explain in detail why.
+      options:
+        - label: ... the documentation does not mention anything about my problem
+        - label: ... there are no open or closed issues that are related to my problem
+
+  - type: textarea
+    attributes:
+      label: Description
+      description: |
+        Please provide a brief description of the bug in 1-2 sentences.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Expected behaviour
+      description: |
+        Please describe precisely what you'd expect to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Actual behaviour
+      description: |
+        Please describe precisely what is actually happening.
+    validations:
+      required: true
+
+  - type: input
+    attributes:
+      label: Buildx version
+      description: |
+        Output of `docker buildx version` command.
+        Example: `github.com/docker/buildx v0.8.1 5fac64c2c49dae1320f2b51f1a899ca451935554`
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Docker info
+      description: |
+        Output of `docker info` command.
+      render: text
+
+  - type: textarea
+    attributes:
+      label: Builders list
+      description: |
+        Output of `docker buildx ls` command.
+      render: text
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Configuration
+      description: >
+        Please provide a minimal Dockerfile, bake definition (if applicable) and
+        invoked commands to help reproducing your issue.
+      placeholder: |
+        ```dockerfile
+        FROM alpine
+        echo hello
+        ```
+        
+        ```hcl
+        group "default" {
+          targets = ["app"]
+        }
+        target "app" {
+          dockerfile = "Dockerfile"
+          target = "build"
+        }
+        ```
+        
+        ```console
+        $ docker buildx build .
+        $ docker buildx bake
+        ```
+    validations:
+      required: true
+
+  - type: textarea
+    attributes:
+      label: Build logs
+      description: |
+        Please provide logs output (and/or BuildKit logs if applicable).
+      render: text
+    validations:
+      required: false
+
+  - type: textarea
+    attributes:
+      label: Additional info
+      description: |
+        Please provide any additional information that could be useful.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,12 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/configuring-issue-templates-for-your-repository#configuring-the-template-chooser
+blank_issues_enabled: true
+contact_links:
+  - name: Questions and Discussions
+    url: https://github.com/docker/buildx/discussions/new
+    about: Use Github Discussions to ask questions and/or open discussion topics.
+  - name: Command line reference
+    url: https://docs.docker.com/engine/reference/commandline/buildx/
+    about: Read the command line reference.
+  - name: Documentation
+    url: https://docs.docker.com/build/
+    about: Read the documentation.
--- a/.github/ISSUE_TEMPLATE/feature.yml
+++ b/.github/ISSUE_TEMPLATE/feature.yml
@@ -0,0 +1,15 @@
+# https://docs.github.com/en/communities/using-templates-to-encourage-useful-issues-and-pull-requests/syntax-for-githubs-form-schema
+name: Feature request
+description: Missing functionality? Come tell us about it!
+labels:
+  - kind/enhancement
+  - status/triage
+
+body:
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: What is the feature you want to see?
+    validations:
+      required: true
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -0,0 +1,12 @@
+# Reporting security issues
+
+The project maintainers take security seriously. If you discover a security
+issue, please bring it to their attention right away!
+
+**Please _DO NOT_ file a public issue**, instead send your report privately to
+[security@docker.com](mailto:security@docker.com).
+
+Security reports are greatly appreciated, and we will publicly thank you for it.
+We also like to send gifts&mdash;if you're into schwag, make sure to let
+us know. We currently do not offer a paid security bounty program, but are not
+ruling it out in the future.
--- a/.github/releases.json
+++ b/.github/releases.json
@@ -0,0 +1,735 @@
+{
+  "latest": {
+    "id": 90741208,
+    "tag_name": "v0.10.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/checksums.txt"
+    ]
+  },
+  "v0.10.2": {
+    "id": 90741208,
+    "tag_name": "v0.10.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/buildx-v0.10.2.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.2/checksums.txt"
+    ]
+  },
+  "v0.10.1": {
+    "id": 90346950,
+    "tag_name": "v0.10.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/buildx-v0.10.1.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.1/checksums.txt"
+    ]
+  },
+  "v0.10.0": {
+    "id": 88388110,
+    "tag_name": "v0.10.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/buildx-v0.10.0.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0/checksums.txt"
+    ]
+  },
+  "v0.10.0-rc3": {
+    "id": 88191592,
+    "tag_name": "v0.10.0-rc3",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0-rc3",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/buildx-v0.10.0-rc3.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc3/checksums.txt"
+    ]
+  },
+  "v0.10.0-rc2": {
+    "id": 86248476,
+    "tag_name": "v0.10.0-rc2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0-rc2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.darwin-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v6.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v6.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v7.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm-v7.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-ppc64le.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-ppc64le.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-riscv64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-riscv64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-s390x.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.linux-s390x.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-amd64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-amd64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-arm64.provenance.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/buildx-v0.10.0-rc2.windows-arm64.sbom.json",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc2/checksums.txt"
+    ]
+  },
+  "v0.10.0-rc1": {
+    "id": 85963900,
+    "tag_name": "v0.10.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.10.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/buildx-v0.10.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.10.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.9.1": {
+    "id": 74760068,
+    "tag_name": "v0.9.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/buildx-v0.9.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.1/checksums.txt"
+    ]
+  },
+  "v0.9.0": {
+    "id": 74546589,
+    "tag_name": "v0.9.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/buildx-v0.9.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0/checksums.txt"
+    ]
+  },
+  "v0.9.0-rc2": {
+    "id": 74052235,
+    "tag_name": "v0.9.0-rc2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.0-rc2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/buildx-v0.9.0-rc2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc2/checksums.txt"
+    ]
+  },
+  "v0.9.0-rc1": {
+    "id": 73389692,
+    "tag_name": "v0.9.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.9.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/buildx-v0.9.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.9.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.8.2": {
+    "id": 63479740,
+    "tag_name": "v0.8.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/buildx-v0.8.2.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.2/checksums.txt"
+    ]
+  },
+  "v0.8.1": {
+    "id": 62289050,
+    "tag_name": "v0.8.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/buildx-v0.8.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.1/checksums.txt"
+    ]
+  },
+  "v0.8.0": {
+    "id": 61423774,
+    "tag_name": "v0.8.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/buildx-v0.8.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0/checksums.txt"
+    ]
+  },
+  "v0.8.0-rc1": {
+    "id": 60513568,
+    "tag_name": "v0.8.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.8.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/buildx-v0.8.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.8.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.7.1": {
+    "id": 54098347,
+    "tag_name": "v0.7.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.7.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/buildx-v0.7.1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.1/checksums.txt"
+    ]
+  },
+  "v0.7.0": {
+    "id": 53109422,
+    "tag_name": "v0.7.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.7.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/buildx-v0.7.0.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0/checksums.txt"
+    ]
+  },
+  "v0.7.0-rc1": {
+    "id": 52726324,
+    "tag_name": "v0.7.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.7.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/buildx-v0.7.0-rc1.windows-arm64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.7.0-rc1/checksums.txt"
+    ]
+  },
+  "v0.6.3": {
+    "id": 48691641,
+    "tag_name": "v0.6.3",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.3",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.3/buildx-v0.6.3.windows-arm64.exe"
+    ]
+  },
+  "v0.6.2": {
+    "id": 48207405,
+    "tag_name": "v0.6.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.2/buildx-v0.6.2.windows-arm64.exe"
+    ]
+  },
+  "v0.6.1": {
+    "id": 47064772,
+    "tag_name": "v0.6.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.1/buildx-v0.6.1.windows-arm64.exe"
+    ]
+  },
+  "v0.6.0": {
+    "id": 46343260,
+    "tag_name": "v0.6.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.0/buildx-v0.6.0.windows-arm64.exe"
+    ]
+  },
+  "v0.6.0-rc1": {
+    "id": 46230351,
+    "tag_name": "v0.6.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.6.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-riscv64",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.windows-amd64.exe",
+      "https://github.com/docker/buildx/releases/download/v0.6.0-rc1/buildx-v0.6.0-rc1.windows-arm64.exe"
+    ]
+  },
+  "v0.5.1": {
+    "id": 35276550,
+    "tag_name": "v0.5.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.5.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.darwin-universal",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.5.1/buildx-v0.5.1.windows-amd64.exe"
+    ]
+  },
+  "v0.5.0": {
+    "id": 35268960,
+    "tag_name": "v0.5.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.5.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.darwin-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.darwin-universal",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.5.0/buildx-v0.5.0.windows-amd64.exe"
+    ]
+  },
+  "v0.5.0-rc1": {
+    "id": 35015334,
+    "tag_name": "v0.5.0-rc1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.5.0-rc1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.5.0-rc1/buildx-v0.5.0-rc1.windows-amd64.exe"
+    ]
+  },
+  "v0.4.2": {
+    "id": 30007794,
+    "tag_name": "v0.4.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.4.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.4.2/buildx-v0.4.2.windows-amd64.exe"
+    ]
+  },
+  "v0.4.1": {
+    "id": 26067509,
+    "tag_name": "v0.4.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.4.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.4.1/buildx-v0.4.1.windows-amd64.exe"
+    ]
+  },
+  "v0.4.0": {
+    "id": 26028174,
+    "tag_name": "v0.4.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.4.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.4.0/buildx-v0.4.0.windows-amd64.exe"
+    ]
+  },
+  "v0.3.1": {
+    "id": 20316235,
+    "tag_name": "v0.3.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.3.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.3.1/buildx-v0.3.1.windows-amd64.exe"
+    ]
+  },
+  "v0.3.0": {
+    "id": 19029664,
+    "tag_name": "v0.3.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.3.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.3.0/buildx-v0.3.0.windows-amd64.exe"
+    ]
+  },
+  "v0.2.2": {
+    "id": 17671545,
+    "tag_name": "v0.2.2",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.2.2",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.2.2/buildx-v0.2.2.windows-amd64.exe"
+    ]
+  },
+  "v0.2.1": {
+    "id": 17582885,
+    "tag_name": "v0.2.1",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.2.1",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.2.1/buildx-v0.2.1.windows-amd64.exe"
+    ]
+  },
+  "v0.2.0": {
+    "id": 16965310,
+    "tag_name": "v0.2.0",
+    "html_url": "https://github.com/docker/buildx/releases/tag/v0.2.0",
+    "assets": [
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.darwin-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-amd64",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-arm-v6",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-arm-v7",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-arm64",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-ppc64le",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.linux-s390x",
+      "https://github.com/docker/buildx/releases/download/v0.2.0/buildx-v0.2.0.windows-amd64.exe"
+    ]
+  }
+}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,66 +13,147 @@ on:
    tags:
      - 'v*'
  pull_request:
-    branches:
-      - 'master'
-      - 'v[0-9]*'
+    paths-ignore:
+      - '.github/releases.json'
+      - 'README.md'
+      - 'docs/**'

 env:
+  BUILDX_VERSION: "latest"
+  BUILDKIT_IMAGE: "moby/buildkit:latest"
  REPO_SLUG: "docker/buildx-bin"
-  RELEASE_OUT: "./release-out"
+  DESTDIR: "./bin"
+  TEST_CACHE_SCOPE: "test"

 jobs:
-  test:
-    runs-on: ubuntu-latest
+  prepare-test:
+    runs-on: ubuntu-22.04
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build
+        uses: docker/bake-action@v4
+        with:
+          targets: integration-test-base
+          set: |
+            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
+            *.cache-to=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
+
+  test:
+    runs-on: ubuntu-22.04
+    needs:
+      - prepare-test
+    env:
+      TESTFLAGS: "-v --parallel=6 --timeout=30m"
+      TESTFLAGS_DOCKER: "-v --parallel=1 --timeout=30m"
+      GOTESTSUM_FORMAT: "standard-verbose"
+      TEST_IMAGE_BUILD: "0"
+      TEST_IMAGE_ID: "buildx-tests"
+    strategy:
+      fail-fast: false
+      matrix:
+        worker:
+          - docker
+          - docker\+containerd  # same as docker, but with containerd snapshotter
+          - docker-container
+          - remote
+        pkg:
+          - ./tests
+        include:
+          - pkg: ./...
+            skip-integration-tests: 1
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Build test image
+        uses: docker/bake-action@v4
+        with:
+          targets: integration-test
+          set: |
+            *.cache-from=type=gha,scope=${{ env.TEST_CACHE_SCOPE }}
+            *.output=type=docker,name=${{ env.TEST_IMAGE_ID }}
      -
        name: Test
-        uses: docker/bake-action@v2
-        with:
-          targets: test
-          set: |
-            *.cache-from=type=gha,scope=test
-            *.cache-to=type=gha,scope=test
+        run: |
+          export TEST_REPORT_SUFFIX=-${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')
+          ./hack/test
+        env:
+          TEST_DOCKERD: "${{ startsWith(matrix.worker, 'docker') && '1' || '0' }}"
+          TESTFLAGS: "${{ (matrix.worker == 'docker' || matrix.worker == 'docker\\+containerd') && env.TESTFLAGS_DOCKER || env.TESTFLAGS }} --run=//worker=${{ matrix.worker }}$"
+          TESTPKGS: "${{ matrix.pkg }}"
+          SKIP_INTEGRATION_TESTS: "${{ matrix.skip-integration-tests }}"
      -
-        name: Upload coverage
+        name: Send to Codecov
+        if: always()
        uses: codecov/codecov-action@v3
        with:
-          file: ./coverage/coverage.txt
+          directory: ./bin/testreports
+      -
+        name: Generate annotations
+        if: always()
+        uses: crazy-max/.github/.github/actions/gotest-annotations@1a64ea6d01db9a48aa61954cb20e265782c167d9
+        with:
+          directory: ./bin/testreports
+      -
+        name: Upload test reports
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: test-reports
+          path: ./bin/testreports

-  prepare:
-    runs-on: ubuntu-latest
+  prepare-binaries:
+    runs-on: ubuntu-22.04
    outputs:
      matrix: ${{ steps.platforms.outputs.matrix }}
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Create matrix
        id: platforms
        run: |
-          echo ::set-output name=matrix::$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')
+          echo "matrix=$(docker buildx bake binaries-cross --print | jq -cr '.target."binaries-cross".platforms')" >>${GITHUB_OUTPUT}
      -
        name: Show matrix
        run: |
          echo ${{ steps.platforms.outputs.matrix }}

  binaries:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs:
-      - prepare
+      - prepare-binaries
    strategy:
      fail-fast: false
      matrix:
-        platform: ${{ fromJson(needs.prepare.outputs.matrix) }}
+        platform: ${{ fromJson(needs.prepare-binaries.outputs.matrix) }}
    steps:
      -
        name: Prepare
@@ -81,51 +162,56 @@ jobs:
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Build
-        uses: docker/bake-action@v2
-        with:
-          targets: release
-          set: |
-            *.platform=${{ matrix.platform }}
-            *.cache-from=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
-            *.cache-to=type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
+        run: |
+          make release
+        env:
+          PLATFORMS: ${{ matrix.platform }}
+          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }},mode=max
      -
        name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: buildx
-          path: ${{ env.RELEASE_OUT }}/*
+          path: ${{ env.DESTDIR }}/*
          if-no-files-found: error

  bin-image:
-    runs-on: ubuntu-latest
-    if: ${{ github.event_name != 'pull_request' }}
+    runs-on: ubuntu-22.04
+    needs:
+      - test
+    if: ${{ github.event_name != 'pull_request' && github.repository == 'docker/buildx' }}
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
      -
        name: Docker meta
        id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
        with:
          images: |
            ${{ env.REPO_SLUG }}
@@ -137,78 +223,80 @@ jobs:
      -
        name: Login to DockerHub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      -
        name: Build and push image
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.meta.outputs.bake-file }}
          targets: image-cross
          push: ${{ github.event_name != 'pull_request' }}
+          sbom: true
          set: |
            *.cache-from=type=gha,scope=bin-image
            *.cache-to=type=gha,scope=bin-image,mode=max

  release:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    needs:
+      - test
      - binaries
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Download binaries
        uses: actions/download-artifact@v3
        with:
          name: buildx
-          path: ${{ env.RELEASE_OUT }}
+          path: ${{ env.DESTDIR }}
      -
        name: Create checksums
        run: ./hack/hash-files
      -
        name: List artifacts
        run: |
-          tree -nh ${{ env.RELEASE_OUT }}
+          tree -nh ${{ env.DESTDIR }}
      -
        name: Check artifacts
        run: |
-          find ${{ env.RELEASE_OUT }} -type f -exec file -e ascii -- {} +
+          find ${{ env.DESTDIR }} -type f -exec file -e ascii -- {} +
      -
        name: GitHub Release
        if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          draft: true
-          files: ${{ env.RELEASE_OUT }}/*
+          files: ${{ env.DESTDIR }}/*

  buildkit-edge:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    continue-on-error: true
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
-          version: latest
+          version: ${{ env.BUILDX_VERSION }}
          driver-opts: image=moby/buildkit:master
          buildkitd-flags: --debug
      -
        # Just run a bake target to check eveything runs fine
        name: Build
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: binaries
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,42 @@
+name: codeql
+
+on:
+  push:
+    branches:
+      - 'master'
+      - 'v[0-9]*'
+  pull_request:
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+env:
+  GO_VERSION: 1.21.3
+
+jobs:
+  codeql:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      -
+        name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: go
+      -
+        name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+      -
+        name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:go"
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -2,29 +2,31 @@ name: docs-release

 on:
  release:
-    types: [ released ]
+    types:
+      - released

 jobs:
  open-pr:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
+    if: ${{ github.event.release.prerelease != true && github.repository == 'docker/buildx' }}
    steps:
      -
        name: Checkout docs repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
-          repository: docker/docker.github.io
-          ref: master
+          repository: docker/docs
+          ref: main
      -
        name: Prepare
        run: |
          rm -rf ./_data/buildx/*
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
      -
        name: Build docs
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          source: ${{ github.server_url }}/${{ github.repository }}.git#${{ github.event.release.name }}
          targets: update-docs
@@ -42,7 +44,7 @@ jobs:
          git add -A .
      -
        name: Create PR on docs repo
-        uses: peter-evans/create-pull-request@923ad837f191474af6b1721408744feb989a4c27 # v4.0.4
+        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38
        with:
          token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
          push-to-fork: docker-tools-robot/docker.github.io
--- a/.github/workflows/docs-upstream.yml
+++ b/.github/workflows/docs-upstream.yml
@@ -22,19 +22,19 @@ on:

 jobs:
  docs-yaml:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
          version: latest
      -
        name: Build reference YAML docs
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: update-docs
          set: |
@@ -52,67 +52,11 @@ jobs:
          retention-days: 1

  validate:
-    runs-on: ubuntu-latest
+    uses: docker/docs/.github/workflows/validate-upstream.yml@main
    needs:
      - docs-yaml
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v3
-        with:
-          repository: docker/docker.github.io
-      -
-        name: Install js-yaml
-        run: npm install js-yaml
-      -
-        # use the actual buildx ref that triggers this workflow, so we make
-        # sure pages fetched by docs repo are still valid
-        # https://github.com/docker/docker.github.io/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/_config.yml#L164-L173
-        name: Set correct ref to fetch remote resources
-        uses: actions/github-script@v6
-        with:
-          script: |
-            const fs = require('fs');
-            const yaml = require('js-yaml');
-
-            const configFile = '_config.yml'
-            const config = yaml.load(fs.readFileSync(configFile, 'utf8'));
-            for (const remote of config['fetch-remote']) {
-              if (remote['repo'] != 'https://github.com/docker/buildx') {
-                continue;
-              }
-              remote['ref'] = "${{ github.ref }}";
-            }
-
-            try {
-              fs.writeFileSync(configFile, yaml.dump(config), 'utf8')
-            } catch (err) {
-              console.error(err.message)
-              process.exit(1)
-            }
-      -
-        name: Prepare
-        run: |
-          # print docs jekyll config updated in previous step
-          yq _config.yml
-          # cleanup reference yaml docs and js-yaml module
-          rm -rf ./_data/buildx/* ./node_modules
-      -
-        name: Download built reference YAML docs
-        uses: actions/download-artifact@v3
-        with:
-          name: docs-yaml
-          path: ./_data/buildx/
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-        with:
-          version: latest
-      -
-        name: Validate
-        uses: docker/bake-action@v2
-        with:
-          targets: validate
-          set: |
-            *.cache-from=type=gha,scope=docs-upstream
-            *.cache-to=type=gha,scope=docs-upstream,mode=max
+    with:
+      module-name: docker/buildx
+      data-files-id: docs-yaml
+      data-files-folder: buildx
+      data-files-placeholder-folder: engine/reference/commandline
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -11,26 +11,29 @@ on:
      - 'master'
      - 'v[0-9]*'
  pull_request:
-    branches:
-      - 'master'
-      - 'v[0-9]*'
+    paths-ignore:
+      - '.github/releases.json'
+      - 'README.md'
+      - 'docs/**'
+
+env:
+  DESTDIR: "./bin"
+  K3S_VERSION: "v1.21.2-k3s1"

 jobs:
  build:
-    runs-on: ubuntu-20.04
-    env:
-      BIN_OUT: ./bin
+    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
          version: latest
      -
        name: Build
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v4
        with:
          targets: binaries
          set: |
@@ -40,13 +43,13 @@ jobs:
      -
        name: Rename binary
        run: |
-          mv ${{ env.BIN_OUT }}/buildx ${{ env.BIN_OUT }}/docker-buildx
+          mv ${{ env.DESTDIR }}/build/buildx ${{ env.DESTDIR }}/build/docker-buildx
      -
        name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: binary
-          path: ${{ env.BIN_OUT }}
+          path: ${{ env.DESTDIR }}/build
          if-no-files-found: error
          retention-days: 7

@@ -93,10 +96,10 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
        if: matrix.driver == 'docker' || matrix.driver == 'docker-container'
      -
        name: Install buildx
@@ -129,20 +132,67 @@ jobs:
      -
        name: Install k3s
        if: matrix.driver == 'kubernetes'
-        uses: debianmaster/actions-k3s@b9cf3f599fd118699a3c8a0d18a2f2bda6cf4ce4
-        id: k3s
+        uses: actions/github-script@v6
        with:
-          version: v1.21.2-k3s1
+          script: |
+            const fs = require('fs');
+            
+            let wait = function(milliseconds) {
+              return new Promise((resolve, reject) => {
+                if (typeof(milliseconds) !== 'number') { 
+                  throw new Error('milleseconds not a number'); 
+                }
+                setTimeout(() => resolve("done!"), milliseconds)
+              });
+            }
+            
+            try {
+              const kubeconfig="/tmp/buildkit-k3s/kubeconfig.yaml";
+              core.info(`storing kubeconfig in ${kubeconfig}`);
+          
+              await exec.exec('docker', ["run", "-d",
+                "--privileged",
+                "--name=buildkit-k3s",
+                "-e", "K3S_KUBECONFIG_OUTPUT="+kubeconfig,
+                "-e", "K3S_KUBECONFIG_MODE=666",
+                "-v", "/tmp/buildkit-k3s:/tmp/buildkit-k3s",
+                "-p", "6443:6443",
+                "-p", "80:80",
+                "-p", "443:443",
+                "-p", "8080:8080",
+                "rancher/k3s:${{ env.K3S_VERSION }}", "server"
+              ]);
+              await wait(10000);
+              
+              core.exportVariable('KUBECONFIG', kubeconfig);
+              
+              let nodeName;
+              for (let count = 1; count <= 5; count++) {
+                try {
+                  const nodeNameOutput = await exec.getExecOutput("kubectl get nodes --no-headers -oname");
+                  nodeName = nodeNameOutput.stdout
+                } catch (error) {
+                  core.info(`Unable to resolve node name (${error.message}). Attempt ${count} of 5.`)
+                } finally {
+                  if (nodeName) {
+                    break;
+                  }
+                  await wait(5000);
+                }
+              }
+              if (!nodeName) {
+                throw new Error(`Unable to resolve node name after 5 attempts.`);
+              }
+              
+              await exec.exec(`kubectl wait --for=condition=Ready ${nodeName}`);
+            } catch (error) {
+              core.setFailed(error.message);
+            }
      -
-        name: Config k3s
+        name: Print KUBECONFIG
        if: matrix.driver == 'kubernetes'
        run: |
-          (set -x ; cat ${{ steps.k3s.outputs.kubeconfig }})
-      -
-        name: Check k3s nodes
-        if: matrix.driver == 'kubernetes'
-        run: |
-          kubectl get nodes
+          yq ${{ env.KUBECONFIG }}
      -
        name: Launch remote buildkitd
        if: matrix.driver == 'remote'
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -13,13 +13,12 @@ on:
    tags:
      - 'v*'
  pull_request:
-    branches:
-      - 'master'
-      - 'v[0-9]*'
+    paths-ignore:
+      - '.github/releases.json'

 jobs:
  validate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
@@ -27,13 +26,14 @@ jobs:
          - lint
          - validate-vendor
          - validate-docs
+          - validate-generated-files
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
          version: latest
      -
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1 @@
-bin
-coverage
-cross-out
-release-out
+/bin
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -11,30 +11,59 @@ linters:
  enable:
    - gofmt
    - govet
-    - deadcode
    - depguard
    - goimports
    - ineffassign
    - misspell
    - unused
-    - varcheck
    - revive
    - staticcheck
    - typecheck
-    - structcheck
+    - nolintlint
+    - gosec
+    - forbidigo
  disable-all: true

 linters-settings:
  depguard:
-    list-type: blacklist
-    include-go-root: true
-    packages:
-      # The io/ioutil package has been deprecated.
-      # https://go.dev/doc/go1.16#ioutil
-      - io/ioutil
+    rules:
+      main:
+        deny:
+          # The io/ioutil package has been deprecated.
+          # https://go.dev/doc/go1.16#ioutil
+          - pkg: "io/ioutil"
+            desc: The io/ioutil package has been deprecated.
+  forbidigo:
+    forbid:
+      - '^fmt\.Errorf(# use errors\.Errorf instead)?$'
+  gosec:
+    excludes:
+      - G204  # Audit use of command execution
+      - G402  # TLS MinVersion too low
+    config:
+      G306: "0644"

 issues:
  exclude-rules:
    - linters:
        - revive
      text: "stutters"
+    - linters:
+        - revive
+      text: "empty-block"
+    - linters:
+        - revive
+      text: "superfluous-else"
+    - linters:
+        - revive
+      text: "unused-parameter"
+    - linters:
+        - revive
+      text: "redefines-builtin-id"
+    - linters:
+        - revive
+      text: "if-return"
+
+# show all
+max-issues-per-linter: 0
+max-same-issues: 0
--- a/97
+++ b/97
@@ -1,10 +1,12 @@
-# syntax=docker/dockerfile:1.4
+# syntax=docker/dockerfile:1

-ARG GO_VERSION=1.18
-ARG XX_VERSION=1.1.2
-ARG DOCKERD_VERSION=20.10.14
+ARG GO_VERSION=1.21.3
+ARG XX_VERSION=1.2.1

-FROM docker:$DOCKERD_VERSION AS dockerd-release
+ARG DOCKER_VERSION=24.0.6
+ARG GOTESTSUM_VERSION=v1.9.0
+ARG REGISTRY_VERSION=2.8.0
+ARG BUILDKIT_VERSION=v0.11.6

 # xx is a helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
@@ -18,23 +20,55 @@ ENV GOFLAGS=-mod=vendor
 ENV CGO_ENABLED=0
 WORKDIR /src

+FROM registry:$REGISTRY_VERSION AS registry
+
+FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
+
+FROM gobase AS docker
+ARG TARGETPLATFORM
+ARG DOCKER_VERSION
+WORKDIR /opt/docker
+RUN DOCKER_ARCH=$(case ${TARGETPLATFORM:-linux/amd64} in \
+    "linux/amd64")   echo "x86_64"  ;; \
+    "linux/arm/v6")  echo "armel"   ;; \
+    "linux/arm/v7")  echo "armhf"   ;; \
+    "linux/arm64")   echo "aarch64" ;; \
+    "linux/ppc64le") echo "ppc64le" ;; \
+    "linux/s390x")   echo "s390x"   ;; \
+    *)               echo ""        ;; esac) \
+  && echo "DOCKER_ARCH=$DOCKER_ARCH" \
+  && wget -qO- "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-${DOCKER_VERSION}.tgz" | tar xvz --strip 1
+RUN ./dockerd --version && ./containerd --version && ./ctr --version && ./runc --version
+
+FROM gobase AS gotestsum
+ARG GOTESTSUM_VERSION
+ENV GOFLAGS=
+RUN --mount=target=/root/.cache,type=cache \
+  GOBIN=/out/ go install "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" && \
+  /out/gotestsum --version
+
 FROM gobase AS buildx-version
-RUN --mount=target=. \
-  PKG=github.com/docker/buildx VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); \
-  echo "-X ${PKG}/version.Version=${VERSION} -X ${PKG}/version.Revision=${REVISION} -X ${PKG}/version.Package=${PKG}" | tee /tmp/.ldflags; \
-  echo -n "${VERSION}" | tee /tmp/.version;
+RUN --mount=type=bind,target=. <<EOT
+  set -e
+  mkdir /buildx-version
+  echo -n "$(./hack/git-meta version)" | tee /buildx-version/version
+  echo -n "$(./hack/git-meta revision)" | tee /buildx-version/revision
+EOT

 FROM gobase AS buildx-build
-ARG LDFLAGS="-w -s"
 ARG TARGETPLATFORM
 RUN --mount=type=bind,target=. \
  --mount=type=cache,target=/root/.cache \
  --mount=type=cache,target=/go/pkg/mod \
-  --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=buildx-version \
-  set -x; xx-go build -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/buildx ./cmd/buildx && \
-  xx-verify --static /usr/bin/buildx
+  --mount=type=bind,from=buildx-version,source=/buildx-version,target=/buildx-version <<EOT
+  set -e
+  xx-go --wrap
+  DESTDIR=/usr/bin VERSION=$(cat /buildx-version/version) REVISION=$(cat /buildx-version/revision) GO_EXTRA_LDFLAGS="-s -w" ./hack/build
+  xx-verify --static /usr/bin/docker-buildx
+EOT

 FROM gobase AS test
+ENV SKIP_INTEGRATION_TESTS=1
 RUN --mount=type=bind,target=. \
  --mount=type=cache,target=/root/.cache \
  --mount=type=cache,target=/go/pkg/mod \
@@ -45,29 +79,56 @@ FROM scratch AS test-coverage
 COPY --from=test /tmp/coverage.txt /coverage.txt

 FROM scratch AS binaries-unix
-COPY --link --from=buildx-build /usr/bin/buildx /
+COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx

 FROM binaries-unix AS binaries-darwin
 FROM binaries-unix AS binaries-linux

 FROM scratch AS binaries-windows
-COPY --link --from=buildx-build /usr/bin/buildx /buildx.exe
+COPY --link --from=buildx-build /usr/bin/docker-buildx /buildx.exe

 FROM binaries-$TARGETOS AS binaries
+# enable scanning for this stage
+ARG BUILDKIT_SBOM_SCAN_STAGE=true
+
+FROM gobase AS integration-test-base
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
+RUN apk add --no-cache \
+      btrfs-progs \
+      e2fsprogs \
+      e2fsprogs-extra \
+      ip6tables \
+      iptables \
+      openssl \
+      shadow-uidmap \
+      xfsprogs \
+      xz
+COPY --link --from=gotestsum /out/gotestsum /usr/bin/
+COPY --link --from=registry /bin/registry /usr/bin/
+COPY --link --from=docker /opt/docker/* /usr/bin/
+COPY --link --from=buildkit /usr/bin/buildkitd /usr/bin/
+COPY --link --from=buildkit /usr/bin/buildctl /usr/bin/
+COPY --link --from=binaries /buildx /usr/bin/
+
+FROM integration-test-base AS integration-test
+COPY . .

 # Release
 FROM --platform=$BUILDPLATFORM alpine AS releaser
 WORKDIR /work
 ARG TARGETPLATFORM
 RUN --mount=from=binaries \
-  --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=buildx-version \
-  mkdir -p /out && cp buildx* "/out/buildx-$(cat /tmp/.version).$(echo $TARGETPLATFORM | sed 's/\//-/g')$(ls buildx* | sed -e 's/^buildx//')"
+  --mount=type=bind,from=buildx-version,source=/buildx-version,target=/buildx-version <<EOT
+  set -e
+  mkdir -p /out
+  cp buildx* "/out/buildx-$(cat /buildx-version/version).$(echo $TARGETPLATFORM | sed 's/\//-/g')$(ls buildx* | sed -e 's/^buildx//')"
+EOT

 FROM scratch AS release
 COPY --from=releaser /out/ /

 # Shell
-FROM docker:$DOCKERD_VERSION AS dockerd-release
+FROM docker:$DOCKER_VERSION AS dockerd-release
 FROM alpine AS shell
 RUN apk add --no-cache iptables tmux git vim less openssh
 RUN mkdir -p /usr/local/lib/docker/cli-plugins && ln -s /usr/local/bin/buildx /usr/local/lib/docker/cli-plugins/docker-buildx
--- a/50
+++ b/50
@@ -4,59 +4,93 @@ else ifneq (, $(shell docker buildx version))
 	export BUILDX_CMD = docker buildx
 else ifneq (, $(shell which buildx))
 	export BUILDX_CMD = $(which buildx)
-else
-	$(error "Buildx is required: https://github.com/docker/buildx#installing")
 endif

-export BIN_OUT = ./bin
-export RELEASE_OUT = ./release-out
+export BUILDX_CMD ?= docker buildx

+.PHONY: all
+all: binaries
+
+.PHONY: build
+build:
+	./hack/build
+
+.PHONY: shell
 shell:
 	./hack/shell

+.PHONY: binaries
 binaries:
 	$(BUILDX_CMD) bake binaries

+.PHONY: binaries-cross
 binaries-cross:
 	$(BUILDX_CMD) bake binaries-cross

+.PHONY: install
 install: binaries
 	mkdir -p ~/.docker/cli-plugins
-	install bin/buildx ~/.docker/cli-plugins/docker-buildx
+	install bin/build/buildx ~/.docker/cli-plugins/docker-buildx

+.PHONY: release
 release:
 	./hack/release

-validate-all: lint test validate-vendor validate-docs
+.PHONY: validate-all
+validate-all: lint test validate-vendor validate-docs validate-generated-files

+.PHONY: lint
 lint:
 	$(BUILDX_CMD) bake lint

+.PHONY: test
 test:
-	$(BUILDX_CMD) bake test
+	./hack/test

+.PHONY: test-unit
+test-unit:
+	TESTPKGS=./... SKIP_INTEGRATION_TESTS=1 ./hack/test
+
+.PHONY: test
+test-integration:
+	TESTPKGS=./tests ./hack/test
+
+.PHONY: validate-vendor
 validate-vendor:
 	$(BUILDX_CMD) bake validate-vendor

+.PHONY: validate-docs
 validate-docs:
 	$(BUILDX_CMD) bake validate-docs

+.PHONY: validate-authors
 validate-authors:
 	$(BUILDX_CMD) bake validate-authors

+.PHONY: validate-generated-files
+validate-generated-files:
+	$(BUILDX_CMD) bake validate-generated-files
+
+.PHONY: test-driver
 test-driver:
 	./hack/test-driver

+.PHONY: vendor
 vendor:
 	./hack/update-vendor

+.PHONY: docs
 docs:
 	./hack/update-docs

+.PHONY: authors
 authors:
 	$(BUILDX_CMD) bake update-authors

+.PHONY: mod-outdated
 mod-outdated:
 	$(BUILDX_CMD) bake mod-outdated

-.PHONY: shell binaries binaries-cross install release validate-all lint validate-vendor validate-docs validate-authors vendor docs authors
+.PHONY: generated-files
+generated-files:
+	$(BUILDX_CMD) bake update-generated-files
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@

 [![GitHub release](https://img.shields.io/github/release/docker/buildx.svg?style=flat-square)](https://github.com/docker/buildx/releases/latest)
 [![PkgGoDev](https://img.shields.io/badge/go.dev-docs-007d9c?style=flat-square&logo=go&logoColor=white)](https://pkg.go.dev/github.com/docker/buildx)
-[![Build Status](https://img.shields.io/github/workflow/status/docker/buildx/build?label=build&logo=github&style=flat-square)](https://github.com/docker/buildx/actions?query=workflow%3Abuild)
+[![Build Status](https://img.shields.io/github/actions/workflow/status/docker/buildx/build.yml?branch=master&label=build&logo=github&style=flat-square)](https://github.com/docker/buildx/actions?query=workflow%3Abuild)
 [![Go Report Card](https://goreportcard.com/badge/github.com/docker/buildx?style=flat-square)](https://goreportcard.com/report/github.com/docker/buildx)
 [![codecov](https://img.shields.io/codecov/c/github/docker/buildx?logo=codecov&style=flat-square)](https://codecov.io/gh/docker/buildx)

@@ -32,16 +32,6 @@ Key features:
  - [Building with buildx](#building-with-buildx)
  - [Working with builder instances](#working-with-builder-instances)
  - [Building multi-platform images](#building-multi-platform-images)
- [Guides](docs/guides)
-  - [High-level build options with Bake](docs/guides/bake/index.md)
-  - [CI/CD](docs/guides/cicd.md)
-  - [CNI networking](docs/guides/cni-networking.md)
-  - [Using a custom network](docs/guides/custom-network.md)
-  - [Using a custom registry configuration](docs/guides/custom-registry-config.md)
-  - [OpenTelemetry support](docs/guides/opentelemetry.md)
-  - [Registry mirror](docs/guides/registry-mirror.md)
-  - [Drivers](docs/guides/drivers/index.md)
-  - [Resource limiting](docs/guides/resource-limiting.md)
 - [Reference](docs/reference/buildx.md)
  - [`buildx bake`](docs/reference/buildx_bake.md)
  - [`buildx build`](docs/reference/buildx_build.md)
@@ -51,21 +41,26 @@ Key features:
    - [`buildx imagetools create`](docs/reference/buildx_imagetools_create.md)
    - [`buildx imagetools inspect`](docs/reference/buildx_imagetools_inspect.md)
  - [`buildx inspect`](docs/reference/buildx_inspect.md)
-  - [`buildx install`](docs/reference/buildx_install.md)
  - [`buildx ls`](docs/reference/buildx_ls.md)
  - [`buildx prune`](docs/reference/buildx_prune.md)
  - [`buildx rm`](docs/reference/buildx_rm.md)
  - [`buildx stop`](docs/reference/buildx_stop.md)
-  - [`buildx uninstall`](docs/reference/buildx_uninstall.md)
  - [`buildx use`](docs/reference/buildx_use.md)
  - [`buildx version`](docs/reference/buildx_version.md)
 - [Contributing](#contributing)

+For more information on how to use Buildx, see
+[Docker Build docs](https://docs.docker.com/build/).
+
 # Installing

-Using `buildx` as a docker CLI plugin requires using Docker 19.03 or newer.
-A limited set of functionality works with older versions of Docker when
-invoking the binary directly.
+Using `buildx` with Docker requires Docker engine 19.03 or newer.
+
+> **Warning**
+>
+> Using an incompatible version of Docker may result in unexpected behavior,
+> and will likely cause issues, especially when using Buildx builders with more
+> recent versions of BuildKit.

 ## Windows and macOS

@@ -74,8 +69,9 @@ for Windows and macOS.

 ## Linux packages

-Docker Linux packages also include Docker Buildx when installed using the
-[DEB or RPM packages](https://docs.docker.com/engine/install/).
+Docker Engine package repositories contain Docker Buildx packages when installed according to the
+[Docker Engine install documentation](https://docs.docker.com/engine/install/). Install the
+`docker-buildx-plugin` package to install the Buildx plugin.

 ## Manual download

@@ -123,7 +119,8 @@ On Windows:
 Here is how to install and use Buildx inside a Dockerfile through the
 [`docker/buildx-bin`](https://hub.docker.com/r/docker/buildx-bin) image:

-```Dockerfile
+```dockerfile
+# syntax=docker/dockerfile:1
 FROM docker
 COPY --from=docker/buildx-bin /buildx /usr/libexec/docker/cli-plugins/docker-buildx
 RUN docker buildx version
@@ -143,14 +140,14 @@ To remove this alias, run [`docker buildx uninstall`](docs/reference/buildx_unin
 # Buildx 0.6+
 $ docker buildx bake "https://github.com/docker/buildx.git"
 $ mkdir -p ~/.docker/cli-plugins
-$ mv ./bin/buildx ~/.docker/cli-plugins/docker-buildx
+$ mv ./bin/build/buildx ~/.docker/cli-plugins/docker-buildx

 # Docker 19.03+
 $ DOCKER_BUILDKIT=1 docker build --platform=local -o . "https://github.com/docker/buildx.git"
 $ mkdir -p ~/.docker/cli-plugins
 $ mv buildx ~/.docker/cli-plugins/docker-buildx

-# Local 
+# Local
 $ git clone https://github.com/docker/buildx.git && cd buildx
 $ make install
 ```
@@ -190,12 +187,12 @@ through various "drivers". Each driver defines how and where a build should
 run, and have different feature sets.

 We currently support the following drivers:
- The `docker` driver ([guide](docs/guides/drivers/docker.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
- The `docker-container` driver ([guide](docs/guides/drivers/docker-container.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
- The `kubernetes` driver ([guide](docs/guides/drivers/kubernetes.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
- The `remote` driver ([guide](docs/guides/drivers/remote.md))
+- The `docker` driver ([guide](docs/manuals/drivers/docker.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `docker-container` driver ([guide](docs/manuals/drivers/docker-container.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `kubernetes` driver ([guide](docs/manuals/drivers/kubernetes.md), [reference](https://docs.docker.com/engine/reference/commandline/buildx_create/#driver))
+- The `remote` driver ([guide](docs/manuals/drivers/remote.md))

-For more information on drivers, see the [drivers guide](docs/guides/drivers/index.md).
+For more information on drivers, see the [drivers guide](docs/manuals/drivers/index.md).

 ## Working with builder instances

@@ -242,7 +239,7 @@ When you invoke a build, you can set the `--platform` flag to specify the target
 platform for the build output, (for example, `linux/amd64`, `linux/arm64`, or
 `darwin/amd64`).

-When the current builder instance is backed by the `docker-container` or 
+When the current builder instance is backed by the `docker-container` or
 `kubernetes` driver, you can specify multiple platforms together. In this case,
 it builds a manifest list which contains images for all specified architectures.
 When you use this image in [`docker run`](https://docs.docker.com/engine/reference/commandline/run/)
@@ -298,6 +295,7 @@ inside your Dockerfile and can be leveraged by the processes running as part
 of your build.

 ```dockerfile
+# syntax=docker/dockerfile:1
 FROM --platform=$BUILDPLATFORM golang:alpine AS build
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
@@ -311,7 +309,7 @@ cross-compilation helpers for more advanced use-cases.

 ## High-level build options

-See [`docs/guides/bake/index.md`](docs/guides/bake/index.md) for more details.
+See [High-level builds with Bake](https://docs.docker.com/build/bake/) for more details.

 # Contributing

--- a/bake/bake.go
+++ b/bake/bake.go
@@ -3,7 +3,6 @@ package bake
 import (
 	"context"
 	"encoding/csv"
-	"fmt"
 	"io"
 	"os"
 	"path"
@@ -12,23 +11,26 @@ import (
 	"sort"
 	"strconv"
 	"strings"
+	"time"

+	composecli "github.com/compose-spec/compose-go/cli"
 	"github.com/docker/buildx/bake/hclparser"
 	"github.com/docker/buildx/build"
+	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/util/buildflags"
 	"github.com/docker/buildx/util/platformutil"
+	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/config"
-	"github.com/docker/docker/builder/remotecontext/urlutil"
 	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/session/auth/authprovider"
 	"github.com/pkg/errors"
+	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/convert"
 )

 var (
-	httpPrefix                   = regexp.MustCompile(`^https?://`)
-	gitURLPathWithFragmentSuffix = regexp.MustCompile(`\.git(?:#.+)?$`)
-
 	validTargetNameChars = `[a-zA-Z0-9_-]+`
 	targetNamePattern    = regexp.MustCompile(`^` + validTargetNameChars + `$`)
 )
@@ -44,17 +46,18 @@ type Override struct {
 }

 func defaultFilenames() []string {
-	return []string{
-		"docker-compose.yml",  // support app
-		"docker-compose.yaml", // support app
+	names := []string{}
+	names = append(names, composecli.DefaultFileNames...)
+	names = append(names, []string{
 		"docker-bake.json",
 		"docker-bake.override.json",
 		"docker-bake.hcl",
 		"docker-bake.override.hcl",
-	}
+	}...)
+	return names
 }

-func ReadLocalFiles(names []string) ([]File, error) {
+func ReadLocalFiles(names []string, stdin io.Reader, l progress.SubLogger) ([]File, error) {
 	isDefault := false
 	if len(names) == 0 {
 		isDefault = true
@@ -62,20 +65,26 @@ func ReadLocalFiles(names []string) ([]File, error) {
 	}
 	out := make([]File, 0, len(names))

+	setStatus := func(st *client.VertexStatus) {
+		if l != nil {
+			l.SetStatus(st)
+		}
+	}
+
 	for _, n := range names {
 		var dt []byte
 		var err error
 		if n == "-" {
-			dt, err = io.ReadAll(os.Stdin)
+			dt, err = readWithProgress(stdin, setStatus)
 			if err != nil {
 				return nil, err
 			}
 		} else {
-			dt, err = os.ReadFile(n)
+			dt, err = readFileWithProgress(n, isDefault, setStatus)
+			if dt == nil && err == nil {
+				continue
+			}
 			if err != nil {
-				if isDefault && errors.Is(err, os.ErrNotExist) {
-					continue
-				}
 				return nil, err
 			}
 		}
@@ -84,7 +93,104 @@ func ReadLocalFiles(names []string) ([]File, error) {
 	return out, nil
 }

-func ReadTargets(ctx context.Context, files []File, targets, overrides []string, defaults map[string]string) (map[string]*Target, []*Group, error) {
+func readFileWithProgress(fname string, isDefault bool, setStatus func(st *client.VertexStatus)) (dt []byte, err error) {
+	st := &client.VertexStatus{
+		ID: "reading " + fname,
+	}
+
+	defer func() {
+		now := time.Now()
+		st.Completed = &now
+		if dt != nil || err != nil {
+			setStatus(st)
+		}
+	}()
+
+	now := time.Now()
+	st.Started = &now
+
+	f, err := os.Open(fname)
+	if err != nil {
+		if isDefault && errors.Is(err, os.ErrNotExist) {
+			return nil, nil
+		}
+		return nil, err
+	}
+	defer f.Close()
+	setStatus(st)
+
+	info, err := f.Stat()
+	if err != nil {
+		return nil, err
+	}
+	st.Total = info.Size()
+	setStatus(st)
+
+	buf := make([]byte, 1024)
+	for {
+		n, err := f.Read(buf)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		dt = append(dt, buf[:n]...)
+		st.Current += int64(n)
+		setStatus(st)
+	}
+
+	return dt, nil
+}
+
+func readWithProgress(r io.Reader, setStatus func(st *client.VertexStatus)) (dt []byte, err error) {
+	st := &client.VertexStatus{
+		ID: "reading from stdin",
+	}
+
+	defer func() {
+		now := time.Now()
+		st.Completed = &now
+		setStatus(st)
+	}()
+
+	now := time.Now()
+	st.Started = &now
+	setStatus(st)
+
+	buf := make([]byte, 1024)
+	for {
+		n, err := r.Read(buf)
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+		dt = append(dt, buf[:n]...)
+		st.Current += int64(n)
+		setStatus(st)
+	}
+
+	return dt, nil
+}
+
+func ListTargets(files []File) ([]string, error) {
+	c, err := ParseFiles(files, nil)
+	if err != nil {
+		return nil, err
+	}
+	var targets []string
+	for _, g := range c.Groups {
+		targets = append(targets, g.Name)
+	}
+	for _, t := range c.Targets {
+		targets = append(targets, t.Name)
+	}
+	return dedupSlice(targets), nil
+}
+
+func ReadTargets(ctx context.Context, files []File, targets, overrides []string, defaults map[string]string) (map[string]*Target, map[string]*Group, error) {
 	c, err := ParseFiles(files, defaults)
 	if err != nil {
 		return nil, nil, err
@@ -99,42 +205,39 @@ func ReadTargets(ctx context.Context, files []File, targets, overrides []string,
 		return nil, nil, err
 	}
 	m := map[string]*Target{}
-	for _, n := range targets {
-		for _, n := range c.ResolveGroup(n) {
-			t, err := c.ResolveTarget(n, o)
+	n := map[string]*Group{}
+	for _, target := range targets {
+		ts, gs := c.ResolveGroup(target)
+		for _, tname := range ts {
+			t, err := c.ResolveTarget(tname, o)
 			if err != nil {
 				return nil, nil, err
 			}
 			if t != nil {
-				m[n] = t
+				m[tname] = t
+			}
+		}
+		for _, gname := range gs {
+			for _, group := range c.Groups {
+				if group.Name == gname {
+					n[gname] = group
+					break
+				}
 			}
 		}
 	}

-	var g []*Group
-	if len(targets) == 0 || (len(targets) == 1 && targets[0] == "default") {
-		for _, group := range c.Groups {
-			if group.Name != "default" {
-				continue
-			}
-			g = []*Group{{Targets: group.Targets}}
+	for _, target := range targets {
+		if target == "default" {
+			continue
 		}
-	} else {
-		var gt []string
-		for _, target := range targets {
-			isGroup := false
-			for _, group := range c.Groups {
-				if target == group.Name {
-					gt = append(gt, group.Targets...)
-					isGroup = true
-					break
-				}
-			}
-			if !isGroup {
-				gt = append(gt, target)
-			}
+		if _, ok := n["default"]; !ok {
+			n["default"] = &Group{Name: "default"}
 		}
-		g = []*Group{{Targets: dedupSlice(gt)}}
+		n["default"].Targets = append(n["default"].Targets, target)
+	}
+	if g, ok := n["default"]; ok {
+		g.Targets = dedupSlice(g.Targets)
 	}

 	for name, t := range m {
@@ -143,7 +246,7 @@ func ReadTargets(ctx context.Context, files []File, targets, overrides []string,
 		}
 	}

-	return m, g, nil
+	return m, n, nil
 }

 func dedupSlice(s []string) []string {
@@ -218,7 +321,7 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 				}
 				hclFiles = append(hclFiles, hf)
 			} else if composeErr != nil {
-				return nil, fmt.Errorf("failed to parse %s: parsing yaml: %v, parsing hcl: %w", f.Name, composeErr, err)
+				return nil, errors.Wrapf(err, "failed to parse %s: parsing yaml: %v, parsing hcl", f.Name, composeErr)
 			} else {
 				return nil, err
 			}
@@ -235,13 +338,28 @@ func ParseFiles(files []File, defaults map[string]string) (_ *Config, err error)
 	}

 	if len(hclFiles) > 0 {
-		if err := hclparser.Parse(hcl.MergeFiles(hclFiles), hclparser.Opt{
+		renamed, err := hclparser.Parse(hclparser.MergeFiles(hclFiles), hclparser.Opt{
 			LookupVar:     os.LookupEnv,
 			Vars:          defaults,
 			ValidateLabel: validateTargetName,
-		}, &c); err.HasErrors() {
+		}, &c)
+		if err.HasErrors() {
 			return nil, err
 		}
+
+		for _, renamed := range renamed {
+			for oldName, newNames := range renamed {
+				newNames = dedupSlice(newNames)
+				if len(newNames) == 1 && oldName == newNames[0] {
+					continue
+				}
+				c.Groups = append(c.Groups, &Group{
+					Name:    oldName,
+					Targets: newNames,
+				})
+			}
+		}
+		c = dedupeConfig(c)
 	}

 	return &c, nil
@@ -273,8 +391,8 @@ func ParseFile(dt []byte, fn string) (*Config, error) {
 }

 type Config struct {
-	Groups  []*Group  `json:"group" hcl:"group,block"`
-	Targets []*Target `json:"target" hcl:"target,block"`
+	Groups  []*Group  `json:"group" hcl:"group,block" cty:"group"`
+	Targets []*Target `json:"target" hcl:"target,block" cty:"target"`
 }

 func mergeConfig(c1, c2 Config) Config {
@@ -420,7 +538,7 @@ func (c Config) newOverrides(v []string) (map[string]map[string]Override, error)
 			o := t[kk[1]]

 			switch keys[1] {
-			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh":
+			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh", "attest":
 				if len(parts) == 2 {
 					o.ArrValue = append(o.ArrValue, parts[1])
 				}
@@ -453,13 +571,19 @@ func (c Config) newOverrides(v []string) (map[string]map[string]Override, error)
 	return m, nil
 }

-func (c Config) ResolveGroup(name string) []string {
-	return dedupSlice(c.group(name, map[string][]string{}))
+func (c Config) ResolveGroup(name string) ([]string, []string) {
+	targets, groups := c.group(name, map[string]visit{})
+	return dedupSlice(targets), dedupSlice(groups)
 }

-func (c Config) group(name string, visited map[string][]string) []string {
-	if _, ok := visited[name]; ok {
-		return visited[name]
+type visit struct {
+	target []string
+	group  []string
+}
+
+func (c Config) group(name string, visited map[string]visit) ([]string, []string) {
+	if v, ok := visited[name]; ok {
+		return v.target, v.group
 	}
 	var g *Group
 	for _, group := range c.Groups {
@@ -469,20 +593,24 @@ func (c Config) group(name string, visited map[string][]string) []string {
 		}
 	}
 	if g == nil {
-		return []string{name}
+		return []string{name}, nil
 	}
-	visited[name] = []string{}
+	visited[name] = visit{}
 	targets := make([]string, 0, len(g.Targets))
+	groups := []string{name}
 	for _, t := range g.Targets {
-		tgroup := c.group(t, visited)
-		if len(tgroup) > 0 {
-			targets = append(targets, tgroup...)
+		ttarget, tgroup := c.group(t, visited)
+		if len(ttarget) > 0 {
+			targets = append(targets, ttarget...)
 		} else {
 			targets = append(targets, t)
 		}
+		if len(tgroup) > 0 {
+			groups = append(groups, tgroup...)
+		}
 	}
-	visited[name] = targets
-	return targets
+	visited[name] = visit{target: targets, group: groups}
+	return targets, groups
 }

 func (c Config) ResolveTarget(name string, overrides map[string]map[string]Override) (*Target, error) {
@@ -540,42 +668,51 @@ func (c Config) target(name string, visited map[string]*Target, overrides map[st
 }

 type Group struct {
-	Name    string   `json:"-" hcl:"name,label"`
-	Targets []string `json:"targets" hcl:"targets"`
+	Name    string   `json:"-" hcl:"name,label" cty:"name"`
+	Targets []string `json:"targets" hcl:"targets" cty:"targets"`
 	// Target // TODO?
 }

 type Target struct {
-	Name string `json:"-" hcl:"name,label"`
+	Name string `json:"-" hcl:"name,label" cty:"name"`

 	// Inherits is the only field that cannot be overridden with --set
-	Inherits []string `json:"inherits,omitempty" hcl:"inherits,optional"`
+	Inherits []string `json:"inherits,omitempty" hcl:"inherits,optional" cty:"inherits"`

-	Context          *string           `json:"context,omitempty" hcl:"context,optional"`
-	Contexts         map[string]string `json:"contexts,omitempty" hcl:"contexts,optional"`
-	Dockerfile       *string           `json:"dockerfile,omitempty" hcl:"dockerfile,optional"`
-	DockerfileInline *string           `json:"dockerfile-inline,omitempty" hcl:"dockerfile-inline,optional"`
-	Args             map[string]string `json:"args,omitempty" hcl:"args,optional"`
-	Labels           map[string]string `json:"labels,omitempty" hcl:"labels,optional"`
-	Tags             []string          `json:"tags,omitempty" hcl:"tags,optional"`
-	CacheFrom        []string          `json:"cache-from,omitempty"  hcl:"cache-from,optional"`
-	CacheTo          []string          `json:"cache-to,omitempty"  hcl:"cache-to,optional"`
-	Target           *string           `json:"target,omitempty" hcl:"target,optional"`
-	Secrets          []string          `json:"secret,omitempty" hcl:"secret,optional"`
-	SSH              []string          `json:"ssh,omitempty" hcl:"ssh,optional"`
-	Platforms        []string          `json:"platforms,omitempty" hcl:"platforms,optional"`
-	Outputs          []string          `json:"output,omitempty" hcl:"output,optional"`
-	Pull             *bool             `json:"pull,omitempty" hcl:"pull,optional"`
-	NoCache          *bool             `json:"no-cache,omitempty" hcl:"no-cache,optional"`
-	NetworkMode      *string           `json:"-" hcl:"-"`
-	NoCacheFilter    []string          `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional"`
-	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/guides/bake/file-definition.md.
+	Annotations      []string           `json:"annotations,omitempty" hcl:"annotations,optional" cty:"annotations"`
+	Attest           []string           `json:"attest,omitempty" hcl:"attest,optional" cty:"attest"`
+	Context          *string            `json:"context,omitempty" hcl:"context,optional" cty:"context"`
+	Contexts         map[string]string  `json:"contexts,omitempty" hcl:"contexts,optional" cty:"contexts"`
+	Dockerfile       *string            `json:"dockerfile,omitempty" hcl:"dockerfile,optional" cty:"dockerfile"`
+	DockerfileInline *string            `json:"dockerfile-inline,omitempty" hcl:"dockerfile-inline,optional" cty:"dockerfile-inline"`
+	Args             map[string]*string `json:"args,omitempty" hcl:"args,optional" cty:"args"`
+	Labels           map[string]*string `json:"labels,omitempty" hcl:"labels,optional" cty:"labels"`
+	Tags             []string           `json:"tags,omitempty" hcl:"tags,optional" cty:"tags"`
+	CacheFrom        []string           `json:"cache-from,omitempty"  hcl:"cache-from,optional" cty:"cache-from"`
+	CacheTo          []string           `json:"cache-to,omitempty"  hcl:"cache-to,optional" cty:"cache-to"`
+	Target           *string            `json:"target,omitempty" hcl:"target,optional" cty:"target"`
+	Secrets          []string           `json:"secret,omitempty" hcl:"secret,optional" cty:"secret"`
+	SSH              []string           `json:"ssh,omitempty" hcl:"ssh,optional" cty:"ssh"`
+	Platforms        []string           `json:"platforms,omitempty" hcl:"platforms,optional" cty:"platforms"`
+	Outputs          []string           `json:"output,omitempty" hcl:"output,optional" cty:"output"`
+	Pull             *bool              `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
+	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
+	NetworkMode      *string            `json:"-" hcl:"-" cty:"-"`
+	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
+	// IMPORTANT: if you add more fields here, do not forget to update newOverrides and docs/bake-reference.md.

 	// linked is a private field to mark a target used as a linked one
 	linked bool
 }

+var _ hclparser.WithEvalContexts = &Target{}
+var _ hclparser.WithGetName = &Target{}
+var _ hclparser.WithEvalContexts = &Group{}
+var _ hclparser.WithGetName = &Group{}
+
 func (t *Target) normalize() {
+	t.Annotations = removeDupes(t.Annotations)
+	t.Attest = removeAttestDupes(t.Attest)
 	t.Tags = removeDupes(t.Tags)
 	t.Secrets = removeDupes(t.Secrets)
 	t.SSH = removeDupes(t.SSH)
@@ -606,8 +743,11 @@ func (t *Target) Merge(t2 *Target) {
 		t.DockerfileInline = t2.DockerfileInline
 	}
 	for k, v := range t2.Args {
+		if v == nil {
+			continue
+		}
 		if t.Args == nil {
-			t.Args = map[string]string{}
+			t.Args = map[string]*string{}
 		}
 		t.Args[k] = v
 	}
@@ -618,8 +758,11 @@ func (t *Target) Merge(t2 *Target) {
 		t.Contexts[k] = v
 	}
 	for k, v := range t2.Labels {
+		if v == nil {
+			continue
+		}
 		if t.Labels == nil {
-			t.Labels = map[string]string{}
+			t.Labels = map[string]*string{}
 		}
 		t.Labels[k] = v
 	}
@@ -629,6 +772,13 @@ func (t *Target) Merge(t2 *Target) {
 	if t2.Target != nil {
 		t.Target = t2.Target
 	}
+	if t2.Annotations != nil { // merge
+		t.Annotations = append(t.Annotations, t2.Annotations...)
+	}
+	if t2.Attest != nil { // merge
+		t.Attest = append(t.Attest, t2.Attest...)
+		t.Attest = removeAttestDupes(t.Attest)
+	}
 	if t2.Secrets != nil { // merge
 		t.Secrets = append(t.Secrets, t2.Secrets...)
 	}
@@ -676,9 +826,9 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 				return errors.Errorf("args require name")
 			}
 			if t.Args == nil {
-				t.Args = map[string]string{}
+				t.Args = map[string]*string{}
 			}
-			t.Args[keys[1]] = value
+			t.Args[keys[1]] = &value
 		case "contexts":
 			if len(keys) != 2 {
 				return errors.Errorf("contexts require name")
@@ -692,9 +842,9 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 				return errors.Errorf("labels require name")
 			}
 			if t.Labels == nil {
-				t.Labels = map[string]string{}
+				t.Labels = map[string]*string{}
 			}
-			t.Labels[keys[1]] = value
+			t.Labels[keys[1]] = &value
 		case "tags":
 			t.Tags = o.ArrValue
 		case "cache-from":
@@ -711,6 +861,10 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.Platforms = o.ArrValue
 		case "output":
 			t.Outputs = o.ArrValue
+		case "annotations":
+			t.Annotations = append(t.Annotations, o.ArrValue...)
+		case "attest":
+			t.Attest = append(t.Attest, o.ArrValue...)
 		case "no-cache":
 			noCache, err := strconv.ParseBool(value)
 			if err != nil {
@@ -746,6 +900,116 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 	return nil
 }

+func (g *Group) GetEvalContexts(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) ([]*hcl.EvalContext, error) {
+	content, _, err := block.Body.PartialContent(&hcl.BodySchema{
+		Attributes: []hcl.AttributeSchema{{Name: "matrix"}},
+	})
+	if err != nil {
+		return nil, err
+	}
+	if _, ok := content.Attributes["matrix"]; ok {
+		return nil, errors.Errorf("matrix is not supported for groups")
+	}
+	return []*hcl.EvalContext{ectx}, nil
+}
+
+func (t *Target) GetEvalContexts(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) ([]*hcl.EvalContext, error) {
+	content, _, err := block.Body.PartialContent(&hcl.BodySchema{
+		Attributes: []hcl.AttributeSchema{{Name: "matrix"}},
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	attr, ok := content.Attributes["matrix"]
+	if !ok {
+		return []*hcl.EvalContext{ectx}, nil
+	}
+	if diags := loadDeps(attr.Expr); diags.HasErrors() {
+		return nil, diags
+	}
+	value, err := attr.Expr.Value(ectx)
+	if err != nil {
+		return nil, err
+	}
+
+	if !value.Type().IsMapType() && !value.Type().IsObjectType() {
+		return nil, errors.Errorf("matrix must be a map")
+	}
+	matrix := value.AsValueMap()
+
+	ectxs := []*hcl.EvalContext{ectx}
+	for k, expr := range matrix {
+		if !expr.CanIterateElements() {
+			return nil, errors.Errorf("matrix values must be a list")
+		}
+
+		ectxs2 := []*hcl.EvalContext{}
+		for _, v := range expr.AsValueSlice() {
+			for _, e := range ectxs {
+				e2 := ectx.NewChild()
+				e2.Variables = make(map[string]cty.Value)
+				if e != ectx {
+					for k, v := range e.Variables {
+						e2.Variables[k] = v
+					}
+				}
+				e2.Variables[k] = v
+				ectxs2 = append(ectxs2, e2)
+			}
+		}
+		ectxs = ectxs2
+	}
+	return ectxs, nil
+}
+
+func (g *Group) GetName(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) (string, error) {
+	content, _, diags := block.Body.PartialContent(&hcl.BodySchema{
+		Attributes: []hcl.AttributeSchema{{Name: "name"}, {Name: "matrix"}},
+	})
+	if diags != nil {
+		return "", diags
+	}
+
+	if _, ok := content.Attributes["name"]; ok {
+		return "", errors.Errorf("name is not supported for groups")
+	}
+	if _, ok := content.Attributes["matrix"]; ok {
+		return "", errors.Errorf("matrix is not supported for groups")
+	}
+	return block.Labels[0], nil
+}
+
+func (t *Target) GetName(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) (string, error) {
+	content, _, diags := block.Body.PartialContent(&hcl.BodySchema{
+		Attributes: []hcl.AttributeSchema{{Name: "name"}, {Name: "matrix"}},
+	})
+	if diags != nil {
+		return "", diags
+	}
+
+	attr, ok := content.Attributes["name"]
+	if !ok {
+		return block.Labels[0], nil
+	}
+	if _, ok := content.Attributes["matrix"]; !ok {
+		return "", errors.Errorf("name requires matrix")
+	}
+	if diags := loadDeps(attr.Expr); diags.HasErrors() {
+		return "", diags
+	}
+	value, diags := attr.Expr.Value(ectx)
+	if diags != nil {
+		return "", diags
+	}
+
+	value, err := convert.Convert(value, cty.String)
+	if err != nil {
+		return "", err
+	}
+	return value.AsString(), nil
+}
+
 func TargetsToBuildOpt(m map[string]*Target, inp *Input) (map[string]build.Options, error) {
 	m2 := make(map[string]build.Options, len(m))
 	for k, v := range m {
@@ -770,7 +1034,7 @@ func updateContext(t *build.Inputs, inp *Input) {
 		if strings.HasPrefix(v.Path, "cwd://") || strings.HasPrefix(v.Path, "target:") || strings.HasPrefix(v.Path, "docker-image:") {
 			continue
 		}
-		if IsRemoteURL(v.Path) {
+		if build.IsRemoteURL(v.Path) {
 			continue
 		}
 		st := llb.Scratch().File(llb.Copy(*inp.State, v.Path, "/"), llb.WithCustomNamef("set context %s to %s", k, v.Path))
@@ -784,10 +1048,15 @@ func updateContext(t *build.Inputs, inp *Input) {
 	if strings.HasPrefix(t.ContextPath, "cwd://") {
 		return
 	}
-	if IsRemoteURL(t.ContextPath) {
+	if build.IsRemoteURL(t.ContextPath) {
 		return
 	}
-	st := llb.Scratch().File(llb.Copy(*inp.State, t.ContextPath, "/"), llb.WithCustomNamef("set context to %s", t.ContextPath))
+	st := llb.Scratch().File(
+		llb.Copy(*inp.State, t.ContextPath, "/", &llb.CopyInfo{
+			CopyDirContentsOnly: true,
+		}),
+		llb.WithCustomNamef("set context to %s", t.ContextPath),
+	)
 	t.ContextState = &st
 }

@@ -820,7 +1089,7 @@ func validateContextsEntitlements(t build.Inputs, inp *Input) error {
 }

 func checkPath(p string) error {
-	if IsRemoteURL(p) || strings.HasPrefix(p, "target:") || strings.HasPrefix(p, "docker-image:") {
+	if build.IsRemoteURL(p) || strings.HasPrefix(p, "target:") || strings.HasPrefix(p, "docker-image:") {
 		return nil
 	}
 	p, err := filepath.EvalSymlinks(p)
@@ -830,6 +1099,10 @@ func checkPath(p string) error {
 		}
 		return err
 	}
+	p, err = filepath.Abs(p)
+	if err != nil {
+		return err
+	}
 	wd, err := os.Getwd()
 	if err != nil {
 		return err
@@ -838,7 +1111,8 @@ func checkPath(p string) error {
 	if err != nil {
 		return err
 	}
-	if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
+	parts := strings.Split(rel, string(os.PathSeparator))
+	if parts[0] == ".." {
 		return errors.Errorf("path %s is outside of the working directory, please set BAKE_ALLOW_REMOTE_FS_ACCESS=1", p)
 	}
 	return nil
@@ -856,16 +1130,90 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	if t.Context != nil {
 		contextPath = *t.Context
 	}
-	if !strings.HasPrefix(contextPath, "cwd://") && !IsRemoteURL(contextPath) {
+	if !strings.HasPrefix(contextPath, "cwd://") && !build.IsRemoteURL(contextPath) {
 		contextPath = path.Clean(contextPath)
 	}
 	dockerfilePath := "Dockerfile"
 	if t.Dockerfile != nil {
 		dockerfilePath = *t.Dockerfile
 	}
+	if !strings.HasPrefix(dockerfilePath, "cwd://") {
+		dockerfilePath = path.Clean(dockerfilePath)
+	}

-	if !isRemoteResource(contextPath) && !path.IsAbs(dockerfilePath) {
-		dockerfilePath = path.Join(contextPath, dockerfilePath)
+	bi := build.Inputs{
+		ContextPath:    contextPath,
+		DockerfilePath: dockerfilePath,
+		NamedContexts:  toNamedContexts(t.Contexts),
+	}
+	if t.DockerfileInline != nil {
+		bi.DockerfileInline = *t.DockerfileInline
+	}
+	updateContext(&bi, inp)
+	if strings.HasPrefix(bi.DockerfilePath, "cwd://") {
+		// If Dockerfile is local for a remote invocation, we first check if
+		// it's not outside the working directory and then resolve it to an
+		// absolute path.
+		bi.DockerfilePath = path.Clean(strings.TrimPrefix(bi.DockerfilePath, "cwd://"))
+		if err := checkPath(bi.DockerfilePath); err != nil {
+			return nil, err
+		}
+		var err error
+		bi.DockerfilePath, err = filepath.Abs(bi.DockerfilePath)
+		if err != nil {
+			return nil, err
+		}
+	} else if !build.IsRemoteURL(bi.DockerfilePath) && strings.HasPrefix(bi.ContextPath, "cwd://") && (inp != nil && build.IsRemoteURL(inp.URL)) {
+		// We don't currently support reading a remote Dockerfile with a local
+		// context when doing a remote invocation because we automatically
+		// derive the dockerfile from the context atm:
+		//
+		// target "default" {
+		//  context = BAKE_CMD_CONTEXT
+		//  dockerfile = "Dockerfile.app"
+		// }
+		//
+		// > docker buildx bake https://github.com/foo/bar.git
+		// failed to solve: failed to read dockerfile: open /var/lib/docker/tmp/buildkit-mount3004544897/Dockerfile.app: no such file or directory
+		//
+		// To avoid mistakenly reading a local Dockerfile, we check if the
+		// Dockerfile exists locally and if so, we error out.
+		if _, err := os.Stat(filepath.Join(path.Clean(strings.TrimPrefix(bi.ContextPath, "cwd://")), bi.DockerfilePath)); err == nil {
+			return nil, errors.Errorf("reading a dockerfile for a remote build invocation is currently not supported")
+		}
+	}
+	if strings.HasPrefix(bi.ContextPath, "cwd://") {
+		bi.ContextPath = path.Clean(strings.TrimPrefix(bi.ContextPath, "cwd://"))
+	}
+	if !build.IsRemoteURL(bi.ContextPath) && bi.ContextState == nil && !path.IsAbs(bi.DockerfilePath) {
+		bi.DockerfilePath = path.Join(bi.ContextPath, bi.DockerfilePath)
+	}
+	for k, v := range bi.NamedContexts {
+		if strings.HasPrefix(v.Path, "cwd://") {
+			bi.NamedContexts[k] = build.NamedContext{Path: path.Clean(strings.TrimPrefix(v.Path, "cwd://"))}
+		}
+	}
+
+	if err := validateContextsEntitlements(bi, inp); err != nil {
+		return nil, err
+	}
+
+	t.Context = &bi.ContextPath
+
+	args := map[string]string{}
+	for k, v := range t.Args {
+		if v == nil {
+			continue
+		}
+		args[k] = *v
+	}
+
+	labels := map[string]string{}
+	for k, v := range t.Labels {
+		if v == nil {
+			continue
+		}
+		labels[k] = *v
 	}

 	noCache := false
@@ -881,35 +1229,11 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 		networkMode = *t.NetworkMode
 	}

-	bi := build.Inputs{
-		ContextPath:    contextPath,
-		DockerfilePath: dockerfilePath,
-		NamedContexts:  toNamedContexts(t.Contexts),
-	}
-	if t.DockerfileInline != nil {
-		bi.DockerfileInline = *t.DockerfileInline
-	}
-	updateContext(&bi, inp)
-	if strings.HasPrefix(bi.ContextPath, "cwd://") {
-		bi.ContextPath = path.Clean(strings.TrimPrefix(bi.ContextPath, "cwd://"))
-	}
-	for k, v := range bi.NamedContexts {
-		if strings.HasPrefix(v.Path, "cwd://") {
-			bi.NamedContexts[k] = build.NamedContext{Path: path.Clean(strings.TrimPrefix(v.Path, "cwd://"))}
-		}
-	}
-
-	if err := validateContextsEntitlements(bi, inp); err != nil {
-		return nil, err
-	}
-
-	t.Context = &bi.ContextPath
-
 	bo := &build.Options{
 		Inputs:        bi,
 		Tags:          t.Tags,
-		BuildArgs:     t.Args,
-		Labels:        t.Labels,
+		BuildArgs:     args,
+		Labels:        labels,
 		NoCache:       noCache,
 		NoCacheFilter: t.NoCacheFilter,
 		Pull:          pull,
@@ -924,23 +1248,30 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	bo.Platforms = platforms

 	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
-	bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(dockerConfig))
+	bo.Session = append(bo.Session, authprovider.NewDockerAuthProvider(dockerConfig, nil))

 	secrets, err := buildflags.ParseSecretSpecs(t.Secrets)
 	if err != nil {
 		return nil, err
 	}
-	bo.Session = append(bo.Session, secrets)
-
-	sshSpecs := t.SSH
-	if len(sshSpecs) == 0 && buildflags.IsGitSSH(contextPath) {
-		sshSpecs = []string{"default"}
-	}
-	ssh, err := buildflags.ParseSSHSpecs(sshSpecs)
+	secretAttachment, err := controllerapi.CreateSecrets(secrets)
 	if err != nil {
 		return nil, err
 	}
-	bo.Session = append(bo.Session, ssh)
+	bo.Session = append(bo.Session, secretAttachment)
+
+	sshSpecs, err := buildflags.ParseSSHSpecs(t.SSH)
+	if err != nil {
+		return nil, err
+	}
+	if len(sshSpecs) == 0 && (buildflags.IsGitSSH(bi.ContextPath) || (inp != nil && buildflags.IsGitSSH(inp.URL))) {
+		sshSpecs = append(sshSpecs, &controllerapi.SSH{ID: "default"})
+	}
+	sshAttachment, err := controllerapi.CreateSSH(sshSpecs)
+	if err != nil {
+		return nil, err
+	}
+	bo.Session = append(bo.Session, sshAttachment)

 	if t.Target != nil {
 		bo.Target = *t.Target
@@ -950,19 +1281,43 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	if err != nil {
 		return nil, err
 	}
-	bo.CacheFrom = cacheImports
+	bo.CacheFrom = controllerapi.CreateCaches(cacheImports)

 	cacheExports, err := buildflags.ParseCacheEntry(t.CacheTo)
 	if err != nil {
 		return nil, err
 	}
-	bo.CacheTo = cacheExports
+	bo.CacheTo = controllerapi.CreateCaches(cacheExports)

-	outputs, err := buildflags.ParseOutputs(t.Outputs)
+	outputs, err := buildflags.ParseExports(t.Outputs)
+	if err != nil {
+		return nil, err
+	}
+	bo.Exports, err = controllerapi.CreateExports(outputs)
+	if err != nil {
+		return nil, err
+	}
+
+	annotations, err := buildflags.ParseAnnotations(t.Annotations)
+	if err != nil {
+		return nil, err
+	}
+	for _, e := range bo.Exports {
+		for k, v := range annotations {
+			e.Attrs[k.String()] = v
+		}
+	}
+
+	attests, err := buildflags.ParseAttests(t.Attest)
+	if err != nil {
+		return nil, err
+	}
+	bo.Attests = controllerapi.CreateAttestations(attests)
+
+	bo.SourcePolicy, err = build.ReadSourcePolicy()
 	if err != nil {
 		return nil, err
 	}
-	bo.Exports = outputs

 	return bo, nil
 }
@@ -988,8 +1343,24 @@ func removeDupes(s []string) []string {
 	return s[:i]
 }

-func isRemoteResource(str string) bool {
-	return urlutil.IsGitURL(str) || urlutil.IsURL(str)
+func removeAttestDupes(s []string) []string {
+	res := []string{}
+	m := map[string]int{}
+	for _, v := range s {
+		att, err := buildflags.ParseAttest(v)
+		if err != nil {
+			res = append(res, v)
+			continue
+		}
+
+		if i, ok := m[att.Type]; ok {
+			res[i] = v
+		} else {
+			m[att.Type] = len(res)
+			res = append(res, v)
+		}
+	}
+	return res
 }

 func parseOutputType(str string) string {
--- a/bake/bake_test.go
+++ b/bake/bake_test.go
@@ -3,15 +3,16 @@ package bake
 import (
 	"context"
 	"os"
+	"path/filepath"
 	"sort"
+	"strings"
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

 func TestReadTargets(t *testing.T) {
-	t.Parallel()
-
 	fp := File{
 		Name: "config.hcl",
 		Data: []byte(`
@@ -35,21 +36,23 @@ target "webapp" {
 	ctx := context.TODO()

 	t.Run("NoOverrides", func(t *testing.T) {
+		t.Parallel()
 		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, nil, nil)
 		require.NoError(t, err)
 		require.Equal(t, 1, len(m))

 		require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
 		require.Equal(t, ".", *m["webapp"].Context)
-		require.Equal(t, "webDEP", m["webapp"].Args["VAR_INHERITED"])
+		require.Equal(t, ptrstr("webDEP"), m["webapp"].Args["VAR_INHERITED"])
 		require.Equal(t, true, *m["webapp"].NoCache)
 		require.Nil(t, m["webapp"].Pull)

 		require.Equal(t, 1, len(g))
-		require.Equal(t, []string{"webapp"}, g[0].Targets)
+		require.Equal(t, []string{"webapp"}, g["default"].Targets)
 	})

 	t.Run("InvalidTargetOverrides", func(t *testing.T) {
+		t.Parallel()
 		_, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"nosuchtarget.context=foo"}, nil)
 		require.NotNil(t, err)
 		require.Equal(t, err.Error(), "could not find any target matching 'nosuchtarget'")
@@ -57,8 +60,7 @@ target "webapp" {

 	t.Run("ArgsOverrides", func(t *testing.T) {
 		t.Run("leaf", func(t *testing.T) {
-			os.Setenv("VAR_FROMENV"+t.Name(), "fromEnv")
-			defer os.Unsetenv("VAR_FROM_ENV" + t.Name())
+			t.Setenv("VAR_FROMENV"+t.Name(), "fromEnv")

 			m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{
 				"webapp.args.VAR_UNSET",
@@ -79,33 +81,35 @@ target "webapp" {
 			_, isSet = m["webapp"].Args["VAR_EMPTY"]
 			require.True(t, isSet, m["webapp"].Args["VAR_EMPTY"])

-			require.Equal(t, m["webapp"].Args["VAR_SET"], "bananas")
+			require.Equal(t, ptrstr("bananas"), m["webapp"].Args["VAR_SET"])

-			require.Equal(t, m["webapp"].Args["VAR_FROMENV"+t.Name()], "fromEnv")
+			require.Equal(t, ptrstr("fromEnv"), m["webapp"].Args["VAR_FROMENV"+t.Name()])

-			require.Equal(t, m["webapp"].Args["VAR_BOTH"], "webapp")
-			require.Equal(t, m["webapp"].Args["VAR_INHERITED"], "override")
+			require.Equal(t, ptrstr("webapp"), m["webapp"].Args["VAR_BOTH"])
+			require.Equal(t, ptrstr("override"), m["webapp"].Args["VAR_INHERITED"])

 			require.Equal(t, 1, len(g))
-			require.Equal(t, []string{"webapp"}, g[0].Targets)
+			require.Equal(t, []string{"webapp"}, g["default"].Targets)
 		})

 		// building leaf but overriding parent fields
 		t.Run("parent", func(t *testing.T) {
+			t.Parallel()
 			m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{
 				"webDEP.args.VAR_INHERITED=override",
 				"webDEP.args.VAR_BOTH=override",
 			}, nil)

 			require.NoError(t, err)
-			require.Equal(t, m["webapp"].Args["VAR_INHERITED"], "override")
-			require.Equal(t, m["webapp"].Args["VAR_BOTH"], "webapp")
+			require.Equal(t, ptrstr("override"), m["webapp"].Args["VAR_INHERITED"])
+			require.Equal(t, ptrstr("webapp"), m["webapp"].Args["VAR_BOTH"])
 			require.Equal(t, 1, len(g))
-			require.Equal(t, []string{"webapp"}, g[0].Targets)
+			require.Equal(t, []string{"webapp"}, g["default"].Targets)
 		})
 	})

 	t.Run("ContextOverride", func(t *testing.T) {
+		t.Parallel()
 		_, _, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.context"}, nil)
 		require.NotNil(t, err)

@@ -113,44 +117,47 @@ target "webapp" {
 		require.NoError(t, err)
 		require.Equal(t, "foo", *m["webapp"].Context)
 		require.Equal(t, 1, len(g))
-		require.Equal(t, []string{"webapp"}, g[0].Targets)
+		require.Equal(t, []string{"webapp"}, g["default"].Targets)
 	})

 	t.Run("NoCacheOverride", func(t *testing.T) {
+		t.Parallel()
 		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.no-cache=false"}, nil)
 		require.NoError(t, err)
 		require.Equal(t, false, *m["webapp"].NoCache)
 		require.Equal(t, 1, len(g))
-		require.Equal(t, []string{"webapp"}, g[0].Targets)
+		require.Equal(t, []string{"webapp"}, g["default"].Targets)
 	})

 	t.Run("PullOverride", func(t *testing.T) {
+		t.Parallel()
 		m, g, err := ReadTargets(ctx, []File{fp}, []string{"webapp"}, []string{"webapp.pull=false"}, nil)
 		require.NoError(t, err)
 		require.Equal(t, false, *m["webapp"].Pull)
 		require.Equal(t, 1, len(g))
-		require.Equal(t, []string{"webapp"}, g[0].Targets)
+		require.Equal(t, []string{"webapp"}, g["default"].Targets)
 	})

 	t.Run("PatternOverride", func(t *testing.T) {
+		t.Parallel()
 		// same check for two cases
-		multiTargetCheck := func(t *testing.T, m map[string]*Target, g []*Group, err error) {
+		multiTargetCheck := func(t *testing.T, m map[string]*Target, g map[string]*Group, err error) {
 			require.NoError(t, err)
 			require.Equal(t, 2, len(m))
 			require.Equal(t, "foo", *m["webapp"].Dockerfile)
-			require.Equal(t, "webDEP", m["webapp"].Args["VAR_INHERITED"])
+			require.Equal(t, ptrstr("webDEP"), m["webapp"].Args["VAR_INHERITED"])
 			require.Equal(t, "foo", *m["webDEP"].Dockerfile)
-			require.Equal(t, "webDEP", m["webDEP"].Args["VAR_INHERITED"])
+			require.Equal(t, ptrstr("webDEP"), m["webDEP"].Args["VAR_INHERITED"])
 			require.Equal(t, 1, len(g))
-			sort.Strings(g[0].Targets)
-			require.Equal(t, []string{"webDEP", "webapp"}, g[0].Targets)
+			sort.Strings(g["default"].Targets)
+			require.Equal(t, []string{"webDEP", "webapp"}, g["default"].Targets)
 		}

 		cases := []struct {
 			name      string
 			targets   []string
 			overrides []string
-			check     func(*testing.T, map[string]*Target, []*Group, error)
+			check     func(*testing.T, map[string]*Target, map[string]*Group, error)
 		}{
 			{
 				name:      "multi target single pattern",
@@ -168,20 +175,20 @@ target "webapp" {
 				name:      "single target",
 				targets:   []string{"webapp"},
 				overrides: []string{"web*.dockerfile=foo"},
-				check: func(t *testing.T, m map[string]*Target, g []*Group, err error) {
+				check: func(t *testing.T, m map[string]*Target, g map[string]*Group, err error) {
 					require.NoError(t, err)
 					require.Equal(t, 1, len(m))
 					require.Equal(t, "foo", *m["webapp"].Dockerfile)
-					require.Equal(t, "webDEP", m["webapp"].Args["VAR_INHERITED"])
+					require.Equal(t, ptrstr("webDEP"), m["webapp"].Args["VAR_INHERITED"])
 					require.Equal(t, 1, len(g))
-					require.Equal(t, []string{"webapp"}, g[0].Targets)
+					require.Equal(t, []string{"webapp"}, g["default"].Targets)
 				},
 			},
 			{
 				name:      "nomatch",
 				targets:   []string{"webapp"},
 				overrides: []string{"nomatch*.dockerfile=foo"},
-				check: func(t *testing.T, m map[string]*Target, g []*Group, err error) {
+				check: func(t *testing.T, m map[string]*Target, g map[string]*Group, err error) {
 					// NOTE: I am unsure whether failing to match should always error out
 					// instead of simply skipping that override.
 					// Let's enforce the error and we can relax it later if users complain.
@@ -290,6 +297,9 @@ services:

 	ctx := context.TODO()

+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
 	m, g, err := ReadTargets(ctx, []File{fp, fp2, fp3}, []string{"default"}, nil, nil)
 	require.NoError(t, err)

@@ -298,13 +308,13 @@ services:

 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["webapp"].Dockerfile)
-	require.Equal(t, ".", *m["webapp"].Context)
-	require.Equal(t, "1", m["webapp"].Args["buildno"])
-	require.Equal(t, "12", m["webapp"].Args["buildno2"])
+	require.Equal(t, cwd, *m["webapp"].Context)
+	require.Equal(t, ptrstr("1"), m["webapp"].Args["buildno"])
+	require.Equal(t, ptrstr("12"), m["webapp"].Args["buildno2"])

 	require.Equal(t, 1, len(g))
-	sort.Strings(g[0].Targets)
-	require.Equal(t, []string{"db", "newservice", "webapp"}, g[0].Targets)
+	sort.Strings(g["default"].Targets)
+	require.Equal(t, []string{"db", "newservice", "webapp"}, g["default"].Targets)
 }

 func TestReadTargetsWithDotCompose(t *testing.T) {
@@ -337,13 +347,16 @@ services:

 	ctx := context.TODO()

+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
 	m, _, err := ReadTargets(ctx, []File{fp}, []string{"web.app"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(m))
 	_, ok := m["web_app"]
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
-	require.Equal(t, "1", m["web_app"].Args["buildno"])
+	require.Equal(t, ptrstr("1"), m["web_app"].Args["buildno"])

 	m, _, err = ReadTargets(ctx, []File{fp2}, []string{"web_app"}, nil, nil)
 	require.NoError(t, err)
@@ -351,7 +364,7 @@ services:
 	_, ok = m["web_app"]
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile", *m["web_app"].Dockerfile)
-	require.Equal(t, "12", m["web_app"].Args["buildno2"])
+	require.Equal(t, ptrstr("12"), m["web_app"].Args["buildno2"])

 	m, g, err := ReadTargets(ctx, []File{fp, fp2}, []string{"default"}, nil, nil)
 	require.NoError(t, err)
@@ -359,16 +372,16 @@ services:
 	_, ok = m["web_app"]
 	require.True(t, ok)
 	require.Equal(t, "Dockerfile.webapp", *m["web_app"].Dockerfile)
-	require.Equal(t, ".", *m["web_app"].Context)
-	require.Equal(t, "1", m["web_app"].Args["buildno"])
-	require.Equal(t, "12", m["web_app"].Args["buildno2"])
+	require.Equal(t, cwd, *m["web_app"].Context)
+	require.Equal(t, ptrstr("1"), m["web_app"].Args["buildno"])
+	require.Equal(t, ptrstr("12"), m["web_app"].Args["buildno2"])

 	require.Equal(t, 1, len(g))
-	sort.Strings(g[0].Targets)
-	require.Equal(t, []string{"web_app"}, g[0].Targets)
+	sort.Strings(g["default"].Targets)
+	require.Equal(t, []string{"web_app"}, g["default"].Targets)
 }

-func TestHCLCwdPrefix(t *testing.T) {
+func TestHCLContextCwdPrefix(t *testing.T) {
 	fp := File{
 		Name: "docker-bake.hcl",
 		Data: []byte(
@@ -381,18 +394,49 @@ func TestHCLCwdPrefix(t *testing.T) {
 	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
 	require.NoError(t, err)

-	require.Equal(t, 1, len(m))
-	_, ok := m["app"]
-	require.True(t, ok)
-
-	_, err = TargetsToBuildOpt(m, &Input{})
+	bo, err := TargetsToBuildOpt(m, &Input{})
 	require.NoError(t, err)

-	require.Equal(t, "test", *m["app"].Dockerfile)
-	require.Equal(t, "foo", *m["app"].Context)
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	assert.Equal(t, "test", *m["app"].Dockerfile)
+	assert.Equal(t, "foo", *m["app"].Context)
+	assert.Equal(t, "foo/test", bo["app"].Inputs.DockerfilePath)
+	assert.Equal(t, "foo", bo["app"].Inputs.ContextPath)
+}
+
+func TestHCLDockerfileCwdPrefix(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				context = "."
+				dockerfile = "cwd://Dockerfile.app"
+			}`),
+	}
+	ctx := context.TODO()
+
+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)

 	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"app"}, g[0].Targets)
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	assert.Equal(t, "cwd://Dockerfile.app", *m["app"].Dockerfile)
+	assert.Equal(t, ".", *m["app"].Context)
+	assert.Equal(t, filepath.Join(cwd, "Dockerfile.app"), bo["app"].Inputs.DockerfilePath)
+	assert.Equal(t, ".", bo["app"].Inputs.ContextPath)
 }

 func TestOverrideMerge(t *testing.T) {
@@ -537,6 +581,9 @@ services:

 	ctx := context.TODO()

+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
 	m, _, err := ReadTargets(ctx, []File{fp, fp2}, []string{"app1", "app2"}, nil, nil)
 	require.NoError(t, err)

@@ -549,7 +596,7 @@ services:
 	require.Equal(t, "Dockerfile", *m["app1"].Dockerfile)
 	require.Equal(t, ".", *m["app1"].Context)
 	require.Equal(t, "Dockerfile", *m["app2"].Dockerfile)
-	require.Equal(t, ".", *m["app2"].Context)
+	require.Equal(t, cwd, *m["app2"].Context)
 }

 func TestReadContextFromTargetChain(t *testing.T) {
@@ -696,7 +743,7 @@ target "image" {
 	m, g, err := ReadTargets(ctx, []File{f}, []string{"image"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image"}, g[0].Targets)
+	require.Equal(t, []string{"image"}, g["default"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "test", *m["image"].Dockerfile)
 }
@@ -717,8 +764,9 @@ target "image" {

 	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
 	require.NoError(t, err)
-	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image"}, g[0].Targets)
+	require.Equal(t, 2, len(g))
+	require.Equal(t, []string{"foo"}, g["default"].Targets)
+	require.Equal(t, []string{"image"}, g["foo"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "test", *m["image"].Dockerfile)
 }
@@ -742,15 +790,17 @@ target "image" {

 	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
 	require.NoError(t, err)
-	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image"}, g[0].Targets)
+	require.Equal(t, 2, len(g))
+	require.Equal(t, []string{"foo"}, g["default"].Targets)
+	require.Equal(t, []string{"image"}, g["foo"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "test", *m["image"].Dockerfile)

 	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "foo"}, nil, nil)
 	require.NoError(t, err)
-	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image"}, g[0].Targets)
+	require.Equal(t, 2, len(g))
+	require.Equal(t, []string{"foo"}, g["default"].Targets)
+	require.Equal(t, []string{"image"}, g["foo"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "test", *m["image"].Dockerfile)
 }
@@ -829,7 +879,7 @@ services:
 	m, g, err := ReadTargets(ctx, []File{fhcl}, []string{"default"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image"}, g[0].Targets)
+	require.Equal(t, []string{"image"}, g["default"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, 1, len(m["image"].Outputs))
 	require.Equal(t, "type=docker", m["image"].Outputs[0])
@@ -837,7 +887,7 @@ services:
 	m, g, err = ReadTargets(ctx, []File{fhcl}, []string{"image-release"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image-release"}, g[0].Targets)
+	require.Equal(t, []string{"image-release"}, g["default"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, 1, len(m["image-release"].Outputs))
 	require.Equal(t, "type=image,push=true", m["image-release"].Outputs[0])
@@ -845,7 +895,7 @@ services:
 	m, g, err = ReadTargets(ctx, []File{fhcl}, []string{"image", "image-release"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image", "image-release"}, g[0].Targets)
+	require.Equal(t, []string{"image", "image-release"}, g["default"].Targets)
 	require.Equal(t, 2, len(m))
 	require.Equal(t, ".", *m["image"].Context)
 	require.Equal(t, 1, len(m["image-release"].Outputs))
@@ -854,22 +904,22 @@ services:
 	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"default"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image"}, g[0].Targets)
+	require.Equal(t, []string{"image"}, g["default"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, ".", *m["image"].Context)

 	m, g, err = ReadTargets(ctx, []File{fjson}, []string{"default"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"image"}, g[0].Targets)
+	require.Equal(t, []string{"image"}, g["default"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, ".", *m["image"].Context)

 	m, g, err = ReadTargets(ctx, []File{fyml}, []string{"default"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	sort.Strings(g[0].Targets)
-	require.Equal(t, []string{"addon", "aws"}, g[0].Targets)
+	sort.Strings(g["default"].Targets)
+	require.Equal(t, []string{"addon", "aws"}, g["default"].Targets)
 	require.Equal(t, 2, len(m))
 	require.Equal(t, "./Dockerfile", *m["addon"].Dockerfile)
 	require.Equal(t, "./aws.Dockerfile", *m["aws"].Dockerfile)
@@ -877,8 +927,8 @@ services:
 	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"addon", "aws"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	sort.Strings(g[0].Targets)
-	require.Equal(t, []string{"addon", "aws"}, g[0].Targets)
+	sort.Strings(g["default"].Targets)
+	require.Equal(t, []string{"addon", "aws"}, g["default"].Targets)
 	require.Equal(t, 2, len(m))
 	require.Equal(t, "./Dockerfile", *m["addon"].Dockerfile)
 	require.Equal(t, "./aws.Dockerfile", *m["aws"].Dockerfile)
@@ -886,8 +936,8 @@ services:
 	m, g, err = ReadTargets(ctx, []File{fyml, fhcl}, []string{"addon", "aws", "image"}, nil, nil)
 	require.NoError(t, err)
 	require.Equal(t, 1, len(g))
-	sort.Strings(g[0].Targets)
-	require.Equal(t, []string{"addon", "aws", "image"}, g[0].Targets)
+	sort.Strings(g["default"].Targets)
+	require.Equal(t, []string{"addon", "aws", "image"}, g["default"].Targets)
 	require.Equal(t, 3, len(m))
 	require.Equal(t, ".", *m["image"].Context)
 	require.Equal(t, "./Dockerfile", *m["addon"].Dockerfile)
@@ -913,15 +963,17 @@ target "image" {

 	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
 	require.NoError(t, err)
-	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"foo"}, g[0].Targets)
+	require.Equal(t, 2, len(g))
+	require.Equal(t, []string{"foo"}, g["default"].Targets)
+	require.Equal(t, []string{"foo"}, g["foo"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "bar", *m["foo"].Dockerfile)

 	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "foo"}, nil, nil)
 	require.NoError(t, err)
-	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"foo"}, g[0].Targets)
+	require.Equal(t, 2, len(g))
+	require.Equal(t, []string{"foo"}, g["default"].Targets)
+	require.Equal(t, []string{"foo"}, g["foo"].Targets)
 	require.Equal(t, 1, len(m))
 	require.Equal(t, "bar", *m["foo"].Dockerfile)
 }
@@ -945,16 +997,18 @@ target "image" {

 	m, g, err := ReadTargets(ctx, []File{f}, []string{"foo"}, nil, nil)
 	require.NoError(t, err)
-	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"foo", "image"}, g[0].Targets)
+	require.Equal(t, 2, len(g))
+	require.Equal(t, []string{"foo"}, g["default"].Targets)
+	require.Equal(t, []string{"foo", "image"}, g["foo"].Targets)
 	require.Equal(t, 2, len(m))
 	require.Equal(t, "bar", *m["foo"].Dockerfile)
 	require.Equal(t, "type=docker", m["image"].Outputs[0])

 	m, g, err = ReadTargets(ctx, []File{f}, []string{"foo", "image"}, nil, nil)
 	require.NoError(t, err)
-	require.Equal(t, 1, len(g))
-	require.Equal(t, []string{"foo", "image"}, g[0].Targets)
+	require.Equal(t, 2, len(g))
+	require.Equal(t, []string{"foo", "image"}, g["default"].Targets)
+	require.Equal(t, []string{"foo", "image"}, g["foo"].Targets)
 	require.Equal(t, 2, len(m))
 	require.Equal(t, "bar", *m["foo"].Dockerfile)
 	require.Equal(t, "type=docker", m["image"].Outputs[0])
@@ -991,22 +1045,22 @@ target "d" {
 	cases := []struct {
 		name      string
 		overrides []string
-		want      map[string]string
+		want      map[string]*string
 	}{
 		{
 			name:      "nested simple",
 			overrides: nil,
-			want:      map[string]string{"bar": "234", "baz": "890", "foo": "123"},
+			want:      map[string]*string{"bar": ptrstr("234"), "baz": ptrstr("890"), "foo": ptrstr("123")},
 		},
 		{
 			name:      "nested with overrides first",
 			overrides: []string{"a.args.foo=321", "b.args.bar=432"},
-			want:      map[string]string{"bar": "234", "baz": "890", "foo": "321"},
+			want:      map[string]*string{"bar": ptrstr("234"), "baz": ptrstr("890"), "foo": ptrstr("321")},
 		},
 		{
 			name:      "nested with overrides last",
 			overrides: []string{"a.args.foo=321", "c.args.bar=432"},
-			want:      map[string]string{"bar": "432", "baz": "890", "foo": "321"},
+			want:      map[string]*string{"bar": ptrstr("432"), "baz": ptrstr("890"), "foo": ptrstr("321")},
 		},
 	}
 	for _, tt := range cases {
@@ -1015,7 +1069,7 @@ target "d" {
 			m, g, err := ReadTargets(ctx, []File{f}, []string{"d"}, tt.overrides, nil)
 			require.NoError(t, err)
 			require.Equal(t, 1, len(g))
-			require.Equal(t, []string{"d"}, g[0].Targets)
+			require.Equal(t, []string{"d"}, g["default"].Targets)
 			require.Equal(t, 1, len(m))
 			require.Equal(t, tt.want, m["d"].Args)
 		})
@@ -1059,26 +1113,26 @@ group "default" {
 	cases := []struct {
 		name      string
 		overrides []string
-		wantch1   map[string]string
-		wantch2   map[string]string
+		wantch1   map[string]*string
+		wantch2   map[string]*string
 	}{
 		{
 			name:      "nested simple",
 			overrides: nil,
-			wantch1:   map[string]string{"BAR": "fuu", "FOO": "bar"},
-			wantch2:   map[string]string{"BAR": "fuu", "FOO": "bar", "FOO2": "bar2"},
+			wantch1:   map[string]*string{"BAR": ptrstr("fuu"), "FOO": ptrstr("bar")},
+			wantch2:   map[string]*string{"BAR": ptrstr("fuu"), "FOO": ptrstr("bar"), "FOO2": ptrstr("bar2")},
 		},
 		{
 			name:      "nested with overrides first",
 			overrides: []string{"grandparent.args.BAR=fii", "child1.args.FOO=baaar"},
-			wantch1:   map[string]string{"BAR": "fii", "FOO": "baaar"},
-			wantch2:   map[string]string{"BAR": "fii", "FOO": "bar", "FOO2": "bar2"},
+			wantch1:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("baaar")},
+			wantch2:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("bar"), "FOO2": ptrstr("bar2")},
 		},
 		{
 			name:      "nested with overrides last",
 			overrides: []string{"grandparent.args.BAR=fii", "child2.args.FOO=baaar"},
-			wantch1:   map[string]string{"BAR": "fii", "FOO": "bar"},
-			wantch2:   map[string]string{"BAR": "fii", "FOO": "baaar", "FOO2": "bar2"},
+			wantch1:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("bar")},
+			wantch2:   map[string]*string{"BAR": ptrstr("fii"), "FOO": ptrstr("baaar"), "FOO2": ptrstr("bar2")},
 		},
 	}
 	for _, tt := range cases {
@@ -1087,7 +1141,7 @@ group "default" {
 			m, g, err := ReadTargets(ctx, []File{f}, []string{"default"}, tt.overrides, nil)
 			require.NoError(t, err)
 			require.Equal(t, 1, len(g))
-			require.Equal(t, []string{"child1", "child2"}, g[0].Targets)
+			require.Equal(t, []string{"child1", "child2"}, g["default"].Targets)
 			require.Equal(t, 2, len(m))
 			require.Equal(t, tt.wantch1, m["child1"].Args)
 			require.Equal(t, []string{"type=docker"}, m["child1"].Outputs)
@@ -1184,44 +1238,67 @@ target "f" {
 }`)}

 	cases := []struct {
-		name     string
-		targets  []string
-		ntargets int
+		names   []string
+		targets []string
+		groups  []string
+		count   int
 	}{
 		{
-			name:     "a",
-			targets:  []string{"b", "c"},
-			ntargets: 1,
+			names:   []string{"a"},
+			targets: []string{"a"},
+			groups:  []string{"default", "a", "b", "c"},
+			count:   1,
 		},
 		{
-			name:     "b",
-			targets:  []string{"d"},
-			ntargets: 1,
+			names:   []string{"b"},
+			targets: []string{"b"},
+			groups:  []string{"default", "b"},
+			count:   1,
 		},
 		{
-			name:     "c",
-			targets:  []string{"b"},
-			ntargets: 1,
+			names:   []string{"c"},
+			targets: []string{"c"},
+			groups:  []string{"default", "b", "c"},
+			count:   1,
 		},
 		{
-			name:     "d",
-			targets:  []string{"d"},
-			ntargets: 1,
+			names:   []string{"d"},
+			targets: []string{"d"},
+			groups:  []string{"default"},
+			count:   1,
 		},
 		{
-			name:     "e",
-			targets:  []string{"a", "f"},
-			ntargets: 2,
+			names:   []string{"e"},
+			targets: []string{"e"},
+			groups:  []string{"default", "a", "b", "c", "e"},
+			count:   2,
+		},
+		{
+			names:   []string{"a", "e"},
+			targets: []string{"a", "e"},
+			groups:  []string{"default", "a", "b", "c", "e"},
+			count:   2,
 		},
 	}
 	for _, tt := range cases {
 		tt := tt
-		t.Run(tt.name, func(t *testing.T) {
-			m, g, err := ReadTargets(ctx, []File{f}, []string{tt.name}, nil, nil)
+		t.Run(strings.Join(tt.names, "+"), func(t *testing.T) {
+			m, g, err := ReadTargets(ctx, []File{f}, tt.names, nil, nil)
 			require.NoError(t, err)
-			require.Equal(t, 1, len(g))
-			require.Equal(t, tt.targets, g[0].Targets)
-			require.Equal(t, tt.ntargets, len(m))
+
+			var gnames []string
+			for _, g := range g {
+				gnames = append(gnames, g.Name)
+			}
+			sort.Strings(gnames)
+			sort.Strings(tt.groups)
+			require.Equal(t, tt.groups, gnames)
+
+			sort.Strings(g["default"].Targets)
+			sort.Strings(tt.targets)
+			require.Equal(t, tt.targets, g["default"].Targets)
+
+			require.Equal(t, tt.count, len(m))
 			require.Equal(t, ".", *m["d"].Context)
 			require.Equal(t, "./testdockerfile", *m["d"].Dockerfile)
 		})
@@ -1254,8 +1331,192 @@ services:

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, "app", c.Targets[0].Name)
-	require.Equal(t, "foo", c.Targets[0].Args["v1"])
-	require.Equal(t, "bar", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("foo"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["v2"])
 	require.Equal(t, "dir", *c.Targets[0].Context)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[0].Dockerfile)
 }
+
+func TestHCLNullVars(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`variable "FOO" {
+				default = null
+			}
+			variable "BAR" {
+				default = null
+			}
+			target "default" {
+				args = {
+					foo = FOO
+					bar = "baz"
+				}
+				labels = {
+					"com.docker.app.bar" = BAR
+					"com.docker.app.baz" = "foo"
+				}
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(m))
+	_, ok := m["default"]
+	require.True(t, ok)
+
+	_, err = TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, m["default"].Args)
+	require.Equal(t, map[string]*string{"com.docker.app.baz": ptrstr("foo")}, m["default"].Labels)
+}
+
+func TestJSONNullVars(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.json",
+		Data: []byte(
+			`{
+				"variable": {
+					"FOO": {
+						"default": null
+					}
+				},
+				"target": {
+					"default": {
+						"args": {
+							"foo": "${FOO}",
+							"bar": "baz"
+						}
+					}
+				}
+			}`),
+	}
+
+	ctx := context.TODO()
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(m))
+	_, ok := m["default"]
+	require.True(t, ok)
+
+	_, err = TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, m["default"].Args)
+}
+
+func TestReadLocalFilesDefault(t *testing.T) {
+	tests := []struct {
+		filenames []string
+		expected  []string
+	}{
+		{
+			filenames: []string{"abc.yml", "docker-compose.yml"},
+			expected:  []string{"docker-compose.yml"},
+		},
+		{
+			filenames: []string{"test.foo", "compose.yml", "docker-bake.hcl"},
+			expected:  []string{"compose.yml", "docker-bake.hcl"},
+		},
+		{
+			filenames: []string{"compose.yaml", "docker-compose.yml", "docker-bake.hcl"},
+			expected:  []string{"compose.yaml", "docker-compose.yml", "docker-bake.hcl"},
+		},
+		{
+			filenames: []string{"test.txt", "compsoe.yaml"}, // intentional misspell
+			expected:  []string{},
+		},
+	}
+	pwd, err := os.Getwd()
+	require.NoError(t, err)
+
+	for _, tt := range tests {
+		t.Run(strings.Join(tt.filenames, "-"), func(t *testing.T) {
+			dir := t.TempDir()
+			t.Cleanup(func() { _ = os.Chdir(pwd) })
+			require.NoError(t, os.Chdir(dir))
+			for _, tf := range tt.filenames {
+				require.NoError(t, os.WriteFile(tf, []byte(tf), 0644))
+			}
+			files, err := ReadLocalFiles(nil, nil, nil)
+			require.NoError(t, err)
+			if len(files) == 0 {
+				require.Equal(t, len(tt.expected), len(files))
+			} else {
+				found := false
+				for _, exp := range tt.expected {
+					for _, f := range files {
+						if f.Name == exp {
+							found = true
+							break
+						}
+					}
+					require.True(t, found, exp)
+				}
+			}
+		})
+	}
+}
+
+func TestAttestDuplicates(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "default" {
+                attest = ["type=sbom", "type=sbom,generator=custom", "type=sbom,foo=bar", "type=provenance,mode=max"]
+            }`),
+	}
+	ctx := context.TODO()
+
+	m, _, err := ReadTargets(ctx, []File{fp}, []string{"default"}, nil, nil)
+	require.Equal(t, []string{"type=sbom,foo=bar", "type=provenance,mode=max"}, m["default"].Attest)
+	require.NoError(t, err)
+
+	opts, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{
+		"sbom":       ptrstr("type=sbom,foo=bar"),
+		"provenance": ptrstr("type=provenance,mode=max"),
+	}, opts["default"].Attests)
+
+	m, _, err = ReadTargets(ctx, []File{fp}, []string{"default"}, []string{"*.attest=type=sbom,disabled=true"}, nil)
+	require.Equal(t, []string{"type=sbom,disabled=true", "type=provenance,mode=max"}, m["default"].Attest)
+	require.NoError(t, err)
+
+	opts, err = TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{
+		"sbom":       nil,
+		"provenance": ptrstr("type=provenance,mode=max"),
+	}, opts["default"].Attests)
+}
+
+func TestAnnotations(t *testing.T) {
+	fp := File{
+		Name: "docker-bake.hcl",
+		Data: []byte(
+			`target "app" {
+				output = ["type=image,name=foo"]
+				annotations = ["manifest[linux/amd64]:foo=bar"]
+			}`),
+	}
+	ctx := context.TODO()
+	m, g, err := ReadTargets(ctx, []File{fp}, []string{"app"}, nil, nil)
+	require.NoError(t, err)
+
+	bo, err := TargetsToBuildOpt(m, &Input{})
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(g))
+	require.Equal(t, []string{"app"}, g["default"].Targets)
+
+	require.Equal(t, 1, len(m))
+	require.Contains(t, m, "app")
+	require.Equal(t, "type=image,name=foo", m["app"].Outputs[0])
+	require.Equal(t, "manifest[linux/amd64]:foo=bar", m["app"].Annotations[0])
+
+	require.Len(t, bo["app"].Exports, 1)
+	require.Equal(t, "bar", bo["app"].Exports[0].Attrs["annotation-manifest[linux/amd64].foo"])
+}
--- a/bake/compose.go
+++ b/bake/compose.go
@@ -1,6 +1,7 @@
 package bake

 import (
+	"context"
 	"os"
 	"path/filepath"
 	"strings"
@@ -28,11 +29,16 @@ func ParseComposeFiles(fs []File) (*Config, error) {
 }

 func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, error) {
-	cfg, err := loader.Load(compose.ConfigDetails{
+	if envs == nil {
+		envs = make(map[string]string)
+	}
+	cfg, err := loader.LoadWithContext(context.Background(), compose.ConfigDetails{
 		ConfigFiles: cfgs,
 		Environment: envs,
 	}, func(options *loader.Options) {
+		options.SetProjectName("bake", false)
 		options.SkipNormalization = true
+		options.Profiles = []string{"*"}
 	})
 	if err != nil {
 		return nil, err
@@ -46,6 +52,7 @@ func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, e
 		g := &Group{Name: "default"}

 		for _, s := range cfg.Services {
+			s := s
 			if s.Build == nil {
 				continue
 			}
@@ -65,6 +72,19 @@ func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, e
 				dockerfilePath := s.Build.Dockerfile
 				dockerfilePathP = &dockerfilePath
 			}
+			var dockerfileInlineP *string
+			if s.Build.DockerfileInline != "" {
+				dockerfileInline := s.Build.DockerfileInline
+				dockerfileInlineP = &dockerfileInline
+			}
+
+			var additionalContexts map[string]string
+			if s.Build.AdditionalContexts != nil {
+				additionalContexts = map[string]string{}
+				for k, v := range s.Build.AdditionalContexts {
+					additionalContexts[k] = v
+				}
+			}

 			var secrets []string
 			for _, bs := range s.Build.Secrets {
@@ -75,13 +95,22 @@ func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, e
 				secrets = append(secrets, secret)
 			}

+			// compose does not support nil values for labels
+			labels := map[string]*string{}
+			for k, v := range s.Build.Labels {
+				v := v
+				labels[k] = &v
+			}
+
 			g.Targets = append(g.Targets, targetName)
 			t := &Target{
-				Name:       targetName,
-				Context:    contextPathP,
-				Dockerfile: dockerfilePathP,
-				Tags:       s.Build.Tags,
-				Labels:     s.Build.Labels,
+				Name:             targetName,
+				Context:          contextPathP,
+				Contexts:         additionalContexts,
+				Dockerfile:       dockerfilePathP,
+				DockerfileInline: dockerfileInlineP,
+				Tags:             s.Build.Tags,
+				Labels:           labels,
 				Args: flatten(s.Build.Args.Resolve(func(val string) (string, bool) {
 					if val, ok := s.Environment[val]; ok && val != nil {
 						return *val, true
@@ -138,6 +167,7 @@ func validateCompose(dt []byte, envs map[string]string) error {
 		},
 		Environment: envs,
 	}, func(options *loader.Options) {
+		options.SetProjectName("bake", false)
 		options.SkipNormalization = true
 		// consistency is checked later in ParseCompose to ensure multiple
 		// compose files can be merged together
@@ -178,7 +208,7 @@ func loadDotEnv(curenv map[string]string, workingDir string) (map[string]string,
 		return nil, err
 	}

-	envs, err := dotenv.UnmarshalBytes(dt)
+	envs, err := dotenv.UnmarshalBytesWithLookup(dt, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -193,16 +223,16 @@ func loadDotEnv(curenv map[string]string, workingDir string) (map[string]string,
 	return curenv, nil
 }

-func flatten(in compose.MappingWithEquals) compose.Mapping {
+func flatten(in compose.MappingWithEquals) map[string]*string {
 	if len(in) == 0 {
 		return nil
 	}
-	out := compose.Mapping{}
+	out := map[string]*string{}
 	for k, v := range in {
 		if v == nil {
 			continue
 		}
-		out[k] = *v
+		out[k] = v
 	}
 	return out
 }
@@ -222,7 +252,7 @@ type xbake struct {
 	NoCacheFilter stringArray `yaml:"no-cache-filter,omitempty"`
 	Contexts      stringMap   `yaml:"contexts,omitempty"`
 	// don't forget to update documentation if you add a new field:
-	// docs/guides/bake/compose-file.md#extension-field-with-x-bake
+	// docs/manuals/bake/compose-file.md#extension-field-with-x-bake
 }

 type stringMap map[string]string
--- a/bake/compose_test.go
+++ b/bake/compose_test.go
@@ -21,6 +21,8 @@ services:
  webapp:
    build:
      context: ./dir
+      additional_contexts:
+        foo: ./bar
      dockerfile: Dockerfile-alternate
      network:
        none
@@ -33,6 +35,13 @@ services:
      secrets:
        - token
        - aws
+  webapp2:
+    profiles:
+      - test
+    build:
+      context: ./dir
+      dockerfile_inline: |
+        FROM alpine
 secrets:
  token:
    environment: ENV_TOKEN
@@ -40,27 +49,31 @@ secrets:
    file: /root/.aws/credentials
 `)

+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
 	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)

 	require.Equal(t, 1, len(c.Groups))
 	require.Equal(t, "default", c.Groups[0].Name)
 	sort.Strings(c.Groups[0].Targets)
-	require.Equal(t, []string{"db", "webapp"}, c.Groups[0].Targets)
+	require.Equal(t, []string{"db", "webapp", "webapp2"}, c.Groups[0].Targets)

-	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, 3, len(c.Targets))
 	sort.Slice(c.Targets, func(i, j int) bool {
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
 	require.Equal(t, "db", c.Targets[0].Name)
-	require.Equal(t, "./db", *c.Targets[0].Context)
+	require.Equal(t, filepath.Join(cwd, "db"), *c.Targets[0].Context)
 	require.Equal(t, []string{"docker.io/tonistiigi/db"}, c.Targets[0].Tags)

 	require.Equal(t, "webapp", c.Targets[1].Name)
-	require.Equal(t, "./dir", *c.Targets[1].Context)
+	require.Equal(t, filepath.Join(cwd, "dir"), *c.Targets[1].Context)
+	require.Equal(t, map[string]string{"foo": filepath.Join(cwd, "bar")}, c.Targets[1].Contexts)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[1].Dockerfile)
 	require.Equal(t, 1, len(c.Targets[1].Args))
-	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])
 	require.Equal(t, []string{"type=local,src=path/to/cache"}, c.Targets[1].CacheFrom)
 	require.Equal(t, []string{"type=local,dest=path/to/cache"}, c.Targets[1].CacheTo)
 	require.Equal(t, "none", *c.Targets[1].NetworkMode)
@@ -68,6 +81,10 @@ secrets:
 		"id=token,env=ENV_TOKEN",
 		"id=aws,src=/root/.aws/credentials",
 	}, c.Targets[1].Secrets)
+
+	require.Equal(t, "webapp2", c.Targets[2].Name)
+	require.Equal(t, filepath.Join(cwd, "dir"), *c.Targets[2].Context)
+	require.Equal(t, "FROM alpine\n", *c.Targets[2].DockerfileInline)
 }

 func TestNoBuildOutOfTreeService(t *testing.T) {
@@ -149,18 +166,15 @@ services:
        BRB: FOO
 `)

-	os.Setenv("FOO", "bar")
-	defer os.Unsetenv("FOO")
-	os.Setenv("BAR", "foo")
-	defer os.Unsetenv("BAR")
-	os.Setenv("ZZZ_BAR", "zzz_foo")
-	defer os.Unsetenv("ZZZ_BAR")
+	t.Setenv("FOO", "bar")
+	t.Setenv("BAR", "foo")
+	t.Setenv("ZZZ_BAR", "zzz_foo")

 	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, sliceToMap(os.Environ()))
 	require.NoError(t, err)
-	require.Equal(t, "bar", c.Targets[0].Args["FOO"])
-	require.Equal(t, "zzz_foo", c.Targets[0].Args["BAR"])
-	require.Equal(t, "FOO", c.Targets[0].Args["BRB"])
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["FOO"])
+	require.Equal(t, ptrstr("zzz_foo"), c.Targets[0].Args["BAR"])
+	require.Equal(t, ptrstr("FOO"), c.Targets[0].Args["BRB"])
 }

 func TestInconsistentComposeFile(t *testing.T) {
@@ -308,7 +322,7 @@ services:
 	sort.Slice(c.Targets, func(i, j int) bool {
 		return c.Targets[i].Name < c.Targets[j].Name
 	})
-	require.Equal(t, map[string]string{"CT_ECR": "foo", "CT_TAG": "bar"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"CT_ECR": ptrstr("foo"), "CT_TAG": ptrstr("bar")}, c.Targets[0].Args)
 	require.Equal(t, []string{"ct-addon:baz", "ct-addon:foo", "ct-addon:alp"}, c.Targets[0].Tags)
 	require.Equal(t, []string{"linux/amd64", "linux/arm64"}, c.Targets[0].Platforms)
 	require.Equal(t, []string{"user/app:cache", "type=local,src=path/to/cache"}, c.Targets[0].CacheFrom)
@@ -381,7 +395,7 @@ services:

 	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
 	require.NoError(t, err)
-	require.Equal(t, map[string]string{"CT_ECR": "foo", "FOO": "bsdf -csdf", "NODE_ENV": "test"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"CT_ECR": ptrstr("foo"), "FOO": ptrstr("bsdf -csdf"), "NODE_ENV": ptrstr("test")}, c.Targets[0].Args)
 }

 func TestDotEnv(t *testing.T) {
@@ -405,7 +419,7 @@ services:
 		Data: dt,
 	}})
 	require.NoError(t, err)
-	require.Equal(t, map[string]string{"FOO": "bar"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"FOO": ptrstr("bar")}, c.Targets[0].Args)
 }

 func TestPorts(t *testing.T) {
@@ -629,6 +643,101 @@ target "default" {
 	}
 }

+func TestComposeNullArgs(t *testing.T) {
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: .
+     args:
+        FOO: null
+        bar: "baz"
+`)
+
+	c, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+	require.Equal(t, map[string]*string{"bar": ptrstr("baz")}, c.Targets[0].Args)
+}
+
+func TestDependsOn(t *testing.T) {
+	var dt = []byte(`
+services:
+  foo:
+    build:
+     context: .
+    ports:
+      - 3306:3306
+    depends_on:
+      - bar
+  bar:
+    build:
+     context: .
+`)
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+}
+
+func TestInclude(t *testing.T) {
+	tmpdir := t.TempDir()
+
+	err := os.WriteFile(filepath.Join(tmpdir, "compose-foo.yml"), []byte(`
+services:
+  foo:
+    build:
+     context: .
+     target: buildfoo
+    ports:
+      - 3306:3306
+`), 0644)
+	require.NoError(t, err)
+
+	var dt = []byte(`
+include:
+  - compose-foo.yml
+
+services:
+  bar:
+    build:
+     context: .
+     target: buildbar
+`)
+
+	chdir(t, tmpdir)
+	c, err := ParseComposeFiles([]File{{
+		Name: "compose.yml",
+		Data: dt,
+	}})
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	sort.Slice(c.Targets, func(i, j int) bool {
+		return c.Targets[i].Name < c.Targets[j].Name
+	})
+	require.Equal(t, "bar", c.Targets[0].Name)
+	require.Equal(t, "buildbar", *c.Targets[0].Target)
+	require.Equal(t, "foo", c.Targets[1].Name)
+	require.Equal(t, "buildfoo", *c.Targets[1].Target)
+}
+
+func TestDevelop(t *testing.T) {
+	var dt = []byte(`
+services:
+  scratch:
+    build:
+     context: ./webapp
+    develop:
+      watch: 
+        - path: ./webapp/html
+          action: sync
+          target: /var/www
+          ignore:
+            - node_modules/
+`)
+
+	_, err := ParseCompose([]compose.ConfigFile{{Content: dt}}, nil)
+	require.NoError(t, err)
+}
+
 // chdir changes the current working directory to the named directory,
 // and then restore the original working directory at the end of the test.
 func chdir(t *testing.T, dir string) {
--- a/bake/hcl_test.go
+++ b/bake/hcl_test.go
@@ -1,7 +1,7 @@
 package bake

 import (
-	"os"
+	"reflect"
 	"testing"

 	"github.com/stretchr/testify/require"
@@ -54,7 +54,7 @@ func TestHCLBasic(t *testing.T) {

 	require.Equal(t, c.Targets[1].Name, "webapp")
 	require.Equal(t, 1, len(c.Targets[1].Args))
-	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])

 	require.Equal(t, c.Targets[2].Name, "cross")
 	require.Equal(t, 2, len(c.Targets[2].Platforms))
@@ -62,7 +62,7 @@ func TestHCLBasic(t *testing.T) {

 	require.Equal(t, c.Targets[3].Name, "webapp-plus")
 	require.Equal(t, 1, len(c.Targets[3].Args))
-	require.Equal(t, map[string]string{"IAMCROSS": "true"}, c.Targets[3].Args)
+	require.Equal(t, map[string]*string{"IAMCROSS": ptrstr("true")}, c.Targets[3].Args)
 }

 func TestHCLBasicInJSON(t *testing.T) {
@@ -114,7 +114,7 @@ func TestHCLBasicInJSON(t *testing.T) {

 	require.Equal(t, c.Targets[1].Name, "webapp")
 	require.Equal(t, 1, len(c.Targets[1].Args))
-	require.Equal(t, "123", c.Targets[1].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[1].Args["buildno"])

 	require.Equal(t, c.Targets[2].Name, "cross")
 	require.Equal(t, 2, len(c.Targets[2].Platforms))
@@ -122,7 +122,7 @@ func TestHCLBasicInJSON(t *testing.T) {

 	require.Equal(t, c.Targets[3].Name, "webapp-plus")
 	require.Equal(t, 1, len(c.Targets[3].Args))
-	require.Equal(t, map[string]string{"IAMCROSS": "true"}, c.Targets[3].Args)
+	require.Equal(t, map[string]*string{"IAMCROSS": ptrstr("true")}, c.Targets[3].Args)
 }

 func TestHCLWithFunctions(t *testing.T) {
@@ -147,7 +147,7 @@ func TestHCLWithFunctions(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "124", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("124"), c.Targets[0].Args["buildno"])
 }

 func TestHCLWithUserDefinedFunctions(t *testing.T) {
@@ -177,7 +177,7 @@ func TestHCLWithUserDefinedFunctions(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "124", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("124"), c.Targets[0].Args["buildno"])
 }

 func TestHCLWithVariables(t *testing.T) {
@@ -206,9 +206,9 @@ func TestHCLWithVariables(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "123", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("123"), c.Targets[0].Args["buildno"])

-	os.Setenv("BUILD_NUMBER", "456")
+	t.Setenv("BUILD_NUMBER", "456")

 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)
@@ -219,7 +219,7 @@ func TestHCLWithVariables(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "webapp")
-	require.Equal(t, "456", c.Targets[0].Args["buildno"])
+	require.Equal(t, ptrstr("456"), c.Targets[0].Args["buildno"])
 }

 func TestHCLWithVariablesInFunctions(t *testing.T) {
@@ -244,7 +244,7 @@ func TestHCLWithVariablesInFunctions(t *testing.T) {
 	require.Equal(t, c.Targets[0].Name, "webapp")
 	require.Equal(t, []string{"user/repo:v1"}, c.Targets[0].Tags)

-	os.Setenv("REPO", "docker/buildx")
+	t.Setenv("REPO", "docker/buildx")

 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)
@@ -280,10 +280,10 @@ func TestHCLMultiFileSharedVariables(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-abc", c.Targets[0].Args["v1"])
-	require.Equal(t, "abc-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre-abc"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("abc-post"), c.Targets[0].Args["v2"])

-	os.Setenv("FOO", "def")
+	t.Setenv("FOO", "def")

 	c, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
@@ -293,12 +293,11 @@ func TestHCLMultiFileSharedVariables(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-def", c.Targets[0].Args["v1"])
-	require.Equal(t, "def-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre-def"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("def-post"), c.Targets[0].Args["v2"])
 }

 func TestHCLVarsWithVars(t *testing.T) {
-	os.Unsetenv("FOO")
 	dt := []byte(`
 		variable "FOO" {
 			default = upper("${BASE}def")
@@ -330,10 +329,10 @@ func TestHCLVarsWithVars(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre--ABCDEF-", c.Targets[0].Args["v1"])
-	require.Equal(t, "ABCDEF-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre--ABCDEF-"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("ABCDEF-post"), c.Targets[0].Args["v2"])

-	os.Setenv("BASE", "new")
+	t.Setenv("BASE", "new")

 	c, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
@@ -343,12 +342,11 @@ func TestHCLVarsWithVars(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre--NEWDEF-", c.Targets[0].Args["v1"])
-	require.Equal(t, "NEWDEF-post", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("pre--NEWDEF-"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("NEWDEF-post"), c.Targets[0].Args["v2"])
 }

 func TestHCLTypedVariables(t *testing.T) {
-	os.Unsetenv("FOO")
 	dt := []byte(`
 		variable "FOO" {
 			default = 3
@@ -369,33 +367,80 @@ func TestHCLTypedVariables(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "lower", c.Targets[0].Args["v1"])
-	require.Equal(t, "yes", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("lower"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("yes"), c.Targets[0].Args["v2"])

-	os.Setenv("FOO", "5.1")
-	os.Setenv("IS_FOO", "0")
+	t.Setenv("FOO", "5.1")
+	t.Setenv("IS_FOO", "0")

 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "higher", c.Targets[0].Args["v1"])
-	require.Equal(t, "no", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("higher"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("no"), c.Targets[0].Args["v2"])

-	os.Setenv("FOO", "NaN")
+	t.Setenv("FOO", "NaN")
 	_, err = ParseFile(dt, "docker-bake.hcl")
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to parse FOO as number")

-	os.Setenv("FOO", "0")
-	os.Setenv("IS_FOO", "maybe")
+	t.Setenv("FOO", "0")
+	t.Setenv("IS_FOO", "maybe")

 	_, err = ParseFile(dt, "docker-bake.hcl")
 	require.Error(t, err)
 	require.Contains(t, err.Error(), "failed to parse IS_FOO as bool")
 }

+func TestHCLNullVariables(t *testing.T) {
+	dt := []byte(`
+		variable "FOO" {
+			default = null
+		}
+		target "default" {
+			args = {
+				foo = FOO
+			}
+		}`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr(nil), c.Targets[0].Args["foo"])
+
+	t.Setenv("FOO", "bar")
+	c, err = ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["foo"])
+}
+
+func TestJSONNullVariables(t *testing.T) {
+	dt := []byte(`{
+		"variable": {
+			"FOO": {
+				"default": null
+			}
+		},
+		"target": {
+			"default": {
+				"args": {
+					"foo": "${FOO}"
+				}
+			}
+		}
+	}`)
+
+	c, err := ParseFile(dt, "docker-bake.json")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr(nil), c.Targets[0].Args["foo"])
+
+	t.Setenv("FOO", "bar")
+	c, err = ParseFile(dt, "docker-bake.json")
+	require.NoError(t, err)
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["foo"])
+}
+
 func TestHCLVariableCycle(t *testing.T) {
 	dt := []byte(`
 		variable "FOO" {
@@ -431,19 +476,107 @@ func TestHCLAttrs(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "attr-abcdef", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("attr-abcdef"), c.Targets[0].Args["v1"])

 	// env does not apply if no variable
-	os.Setenv("FOO", "bar")
+	t.Setenv("FOO", "bar")
 	c, err = ParseFile(dt, "docker-bake.hcl")
 	require.NoError(t, err)

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "attr-abcdef", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("attr-abcdef"), c.Targets[0].Args["v1"])
 	// attr-multifile
 }

+func TestHCLTargetAttrs(t *testing.T) {
+	dt := []byte(`
+		target "foo" {
+			dockerfile = "xxx"
+			context = target.bar.context
+			target = target.foo.dockerfile
+		}
+		
+		target "bar" {
+			dockerfile = target.foo.dockerfile
+			context = "yyy"
+			target = target.bar.context
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "foo", c.Targets[0].Name)
+	require.Equal(t, "bar", c.Targets[1].Name)
+
+	require.Equal(t, "xxx", *c.Targets[0].Dockerfile)
+	require.Equal(t, "yyy", *c.Targets[0].Context)
+	require.Equal(t, "xxx", *c.Targets[0].Target)
+
+	require.Equal(t, "xxx", *c.Targets[1].Dockerfile)
+	require.Equal(t, "yyy", *c.Targets[1].Context)
+	require.Equal(t, "yyy", *c.Targets[1].Target)
+}
+
+func TestHCLTargetGlobal(t *testing.T) {
+	dt := []byte(`
+		target "foo" {
+			dockerfile = "x"
+		}
+		x = target.foo.dockerfile
+		y = x
+		target "bar" {
+			dockerfile = y
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "foo", c.Targets[0].Name)
+	require.Equal(t, "bar", c.Targets[1].Name)
+
+	require.Equal(t, "x", *c.Targets[0].Dockerfile)
+	require.Equal(t, "x", *c.Targets[1].Dockerfile)
+}
+
+func TestHCLTargetAttrName(t *testing.T) {
+	dt := []byte(`
+		target "foo" {
+			dockerfile = target.foo.name
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, "foo", c.Targets[0].Name)
+	require.Equal(t, "foo", *c.Targets[0].Dockerfile)
+}
+
+func TestHCLTargetAttrEmptyChain(t *testing.T) {
+	dt := []byte(`
+		target "foo" {
+			# dockerfile = Dockerfile
+			context = target.foo.dockerfile
+			target = target.foo.context
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, "foo", c.Targets[0].Name)
+	require.Nil(t, c.Targets[0].Dockerfile)
+	require.Nil(t, c.Targets[0].Context)
+	require.Nil(t, c.Targets[0].Target)
+}
+
 func TestHCLAttrsCustomType(t *testing.T) {
 	dt := []byte(`
 		platforms=["linux/arm64", "linux/amd64"]
@@ -461,11 +594,10 @@ func TestHCLAttrsCustomType(t *testing.T) {
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
 	require.Equal(t, []string{"linux/arm64", "linux/amd64"}, c.Targets[0].Platforms)
-	require.Equal(t, "linux/arm64", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("linux/arm64"), c.Targets[0].Args["v1"])
 }

 func TestHCLMultiFileAttrs(t *testing.T) {
-	os.Unsetenv("FOO")
 	dt := []byte(`
 		variable "FOO" {
 			default = "abc"
@@ -487,9 +619,9 @@ func TestHCLMultiFileAttrs(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-def", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-def"), c.Targets[0].Args["v1"])

-	os.Setenv("FOO", "ghi")
+	t.Setenv("FOO", "ghi")

 	c, err = ParseFiles([]File{
 		{Data: dt, Name: "c1.hcl"},
@@ -499,7 +631,507 @@ func TestHCLMultiFileAttrs(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-ghi", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-ghi"), c.Targets[0].Args["v1"])
+}
+
+func TestHCLMultiFileGlobalAttrs(t *testing.T) {
+	dt := []byte(`
+		FOO = "abc"
+		target "app" {
+			args = {
+				v1 = "pre-${FOO}"
+			}
+		}
+		`)
+	dt2 := []byte(`
+		FOO = "def"
+		`)
+
+	c, err := ParseFiles([]File{
+		{Data: dt, Name: "c1.hcl"},
+		{Data: dt2, Name: "c2.hcl"},
+	}, nil)
+	require.NoError(t, err)
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, c.Targets[0].Name, "app")
+	require.Equal(t, "pre-def", *c.Targets[0].Args["v1"])
+}
+
+func TestHCLDuplicateTarget(t *testing.T) {
+	dt := []byte(`
+		target "app" {
+			dockerfile = "x"
+		}
+		target "app" {
+			dockerfile = "y"
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, "app", c.Targets[0].Name)
+	require.Equal(t, "y", *c.Targets[0].Dockerfile)
+}
+
+func TestHCLRenameTarget(t *testing.T) {
+	dt := []byte(`
+		target "abc" {
+			name = "xyz"
+			dockerfile = "foo"
+		}
+		`)
+
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.ErrorContains(t, err, "requires matrix")
+}
+
+func TestHCLRenameGroup(t *testing.T) {
+	dt := []byte(`
+		group "foo" {
+			name = "bar"
+			targets = ["x", "y"]
+		}
+		`)
+
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.ErrorContains(t, err, "not supported")
+
+	dt = []byte(`
+		group "foo" {
+			matrix = {
+				name = ["x", "y"]
+			}
+		}
+		`)
+
+	_, err = ParseFile(dt, "docker-bake.hcl")
+	require.ErrorContains(t, err, "not supported")
+}
+
+func TestHCLRenameTargetAttrs(t *testing.T) {
+	dt := []byte(`
+		target "abc" {
+			name = "xyz"
+			matrix = {}
+			dockerfile = "foo"
+		}
+
+		target "def" {
+			dockerfile = target.xyz.dockerfile
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "xyz", c.Targets[0].Name)
+	require.Equal(t, "foo", *c.Targets[0].Dockerfile)
+	require.Equal(t, "def", c.Targets[1].Name)
+	require.Equal(t, "foo", *c.Targets[1].Dockerfile)
+
+	dt = []byte(`
+		target "def" {
+			dockerfile = target.xyz.dockerfile
+		}
+
+		target "abc" {
+			name = "xyz"
+			matrix = {}
+			dockerfile = "foo"
+		}
+		`)
+
+	c, err = ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "def", c.Targets[0].Name)
+	require.Equal(t, "foo", *c.Targets[0].Dockerfile)
+	require.Equal(t, "xyz", c.Targets[1].Name)
+	require.Equal(t, "foo", *c.Targets[1].Dockerfile)
+
+	dt = []byte(`
+		target "abc" {
+			name = "xyz"
+			matrix  = {}
+			dockerfile = "foo"
+		}
+
+		target "def" {
+			dockerfile = target.abc.dockerfile
+		}
+		`)
+
+	_, err = ParseFile(dt, "docker-bake.hcl")
+	require.ErrorContains(t, err, "abc")
+
+	dt = []byte(`
+		target "def" {
+			dockerfile = target.abc.dockerfile
+		}
+
+		target "abc" {
+			name = "xyz"
+			matrix = {}
+			dockerfile = "foo"
+		}
+		`)
+
+	_, err = ParseFile(dt, "docker-bake.hcl")
+	require.ErrorContains(t, err, "abc")
+}
+
+func TestHCLRenameSplit(t *testing.T) {
+	dt := []byte(`
+		target "x" {
+			name = "y"
+			matrix = {}
+			dockerfile = "foo"
+		}
+
+		target "x" {
+			name = "z"
+			matrix = {}
+			dockerfile = "bar"
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "y", c.Targets[0].Name)
+	require.Equal(t, "foo", *c.Targets[0].Dockerfile)
+	require.Equal(t, "z", c.Targets[1].Name)
+	require.Equal(t, "bar", *c.Targets[1].Dockerfile)
+
+	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, "x", c.Groups[0].Name)
+	require.Equal(t, []string{"y", "z"}, c.Groups[0].Targets)
+}
+
+func TestHCLRenameMultiFile(t *testing.T) {
+	dt := []byte(`
+		target "foo" {
+			name = "bar"
+			matrix = {}
+			dockerfile = "x"
+		}
+		`)
+	dt2 := []byte(`
+		target "foo" {
+			context = "y"
+		}
+		`)
+	dt3 := []byte(`
+		target "bar" {
+			target = "z"
+		}
+		`)
+
+	c, err := ParseFiles([]File{
+		{Data: dt, Name: "c1.hcl"},
+		{Data: dt2, Name: "c2.hcl"},
+		{Data: dt3, Name: "c3.hcl"},
+	}, nil)
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+
+	require.Equal(t, c.Targets[0].Name, "bar")
+	require.Equal(t, *c.Targets[0].Dockerfile, "x")
+	require.Equal(t, *c.Targets[0].Target, "z")
+
+	require.Equal(t, c.Targets[1].Name, "foo")
+	require.Equal(t, *c.Targets[1].Context, "y")
+}
+
+func TestHCLMatrixBasic(t *testing.T) {
+	dt := []byte(`
+		target "default" {
+			matrix = {
+				foo = ["x", "y"]
+			}
+			name = foo
+			dockerfile = "${foo}.Dockerfile"
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, c.Targets[0].Name, "x")
+	require.Equal(t, c.Targets[1].Name, "y")
+	require.Equal(t, *c.Targets[0].Dockerfile, "x.Dockerfile")
+	require.Equal(t, *c.Targets[1].Dockerfile, "y.Dockerfile")
+
+	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, "default", c.Groups[0].Name)
+	require.Equal(t, []string{"x", "y"}, c.Groups[0].Targets)
+}
+
+func TestHCLMatrixMultipleKeys(t *testing.T) {
+	dt := []byte(`
+		target "default" {
+			matrix = {
+				foo = ["a"]
+				bar = ["b", "c"]
+				baz = ["d", "e", "f"]
+			}
+			name = "${foo}-${bar}-${baz}"
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 6, len(c.Targets))
+	names := make([]string, len(c.Targets))
+	for i, t := range c.Targets {
+		names[i] = t.Name
+	}
+	require.ElementsMatch(t, []string{"a-b-d", "a-b-e", "a-b-f", "a-c-d", "a-c-e", "a-c-f"}, names)
+
+	require.Equal(t, 1, len(c.Groups))
+	require.Equal(t, "default", c.Groups[0].Name)
+	require.ElementsMatch(t, []string{"a-b-d", "a-b-e", "a-b-f", "a-c-d", "a-c-e", "a-c-f"}, c.Groups[0].Targets)
+}
+
+func TestHCLMatrixLists(t *testing.T) {
+	dt := []byte(`
+	target "foo" {
+		matrix = {
+			aa = [["aa", "bb"], ["cc", "dd"]]
+		}
+		name = aa[0]
+		args = {
+			target = "val${aa[1]}"
+		}
+	}
+	`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "aa", c.Targets[0].Name)
+	require.Equal(t, ptrstr("valbb"), c.Targets[0].Args["target"])
+	require.Equal(t, "cc", c.Targets[1].Name)
+	require.Equal(t, ptrstr("valdd"), c.Targets[1].Args["target"])
+}
+
+func TestHCLMatrixMaps(t *testing.T) {
+	dt := []byte(`
+	target "foo" {
+		matrix = {
+			aa = [
+				{
+					foo = "aa"
+					bar = "bb"
+				},
+				{
+					foo = "cc"
+					bar = "dd"
+				}
+			]
+		}
+		name = aa.foo
+		args = {
+			target = "val${aa.bar}"
+		}
+	}
+	`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, c.Targets[0].Name, "aa")
+	require.Equal(t, c.Targets[0].Args["target"], ptrstr("valbb"))
+	require.Equal(t, c.Targets[1].Name, "cc")
+	require.Equal(t, c.Targets[1].Args["target"], ptrstr("valdd"))
+}
+
+func TestHCLMatrixMultipleTargets(t *testing.T) {
+	dt := []byte(`
+		target "x" {
+			matrix = {
+				foo = ["a", "b"]
+			}
+			name = foo
+		}
+		target "y" {
+			matrix = {
+				bar = ["c", "d"]
+			}
+			name = bar
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 4, len(c.Targets))
+	names := make([]string, len(c.Targets))
+	for i, t := range c.Targets {
+		names[i] = t.Name
+	}
+	require.ElementsMatch(t, []string{"a", "b", "c", "d"}, names)
+
+	require.Equal(t, 2, len(c.Groups))
+	names = make([]string, len(c.Groups))
+	for i, c := range c.Groups {
+		names[i] = c.Name
+	}
+	require.ElementsMatch(t, []string{"x", "y"}, names)
+
+	for _, g := range c.Groups {
+		switch g.Name {
+		case "x":
+			require.Equal(t, []string{"a", "b"}, g.Targets)
+		case "y":
+			require.Equal(t, []string{"c", "d"}, g.Targets)
+		}
+	}
+}
+
+func TestHCLMatrixDuplicateNames(t *testing.T) {
+	dt := []byte(`
+		target "default" {
+			matrix = {
+				foo = ["a", "b"]
+			}
+			name = "c"
+		}
+		`)
+
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+}
+
+func TestHCLMatrixArgs(t *testing.T) {
+	dt := []byte(`
+		a = 1
+		variable "b" {
+			default = 2
+		}
+		target "default" {
+			matrix = {
+				foo = [a, b]
+			}
+			name = foo
+		}
+		`)
+
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "1", c.Targets[0].Name)
+	require.Equal(t, "2", c.Targets[1].Name)
+}
+
+func TestHCLMatrixArgsOverride(t *testing.T) {
+	dt := []byte(`
+	variable "ABC" {
+		default = "def"
+	}
+
+	target "bar" {
+		matrix = {
+			aa = split(",", ABC)
+		}
+		name = "bar-${aa}"
+		args = {
+			foo = aa
+		}
+	}
+	`)
+
+	c, err := ParseFiles([]File{
+		{Data: dt, Name: "docker-bake.hcl"},
+	}, map[string]string{"ABC": "11,22,33"})
+	require.NoError(t, err)
+
+	require.Equal(t, 3, len(c.Targets))
+	require.Equal(t, "bar-11", c.Targets[0].Name)
+	require.Equal(t, "bar-22", c.Targets[1].Name)
+	require.Equal(t, "bar-33", c.Targets[2].Name)
+
+	require.Equal(t, ptrstr("11"), c.Targets[0].Args["foo"])
+	require.Equal(t, ptrstr("22"), c.Targets[1].Args["foo"])
+	require.Equal(t, ptrstr("33"), c.Targets[2].Args["foo"])
+}
+
+func TestHCLMatrixBadTypes(t *testing.T) {
+	dt := []byte(`
+		target "default" {
+			matrix = "test"
+		}
+		`)
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+
+	dt = []byte(`
+		target "default" {
+			matrix = ["test"]
+		}
+		`)
+	_, err = ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+
+	dt = []byte(`
+		target "default" {
+			matrix = {
+				["a"] = ["b"]
+			}
+		}
+		`)
+	_, err = ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+
+	dt = []byte(`
+		target "default" {
+			matrix = {
+				1 = 2
+			}
+		}
+		`)
+	_, err = ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+
+	dt = []byte(`
+		target "default" {
+			matrix = {
+				a = "b"
+			}
+		}
+		`)
+	_, err = ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+}
+
+func TestHCLMatrixWithGlobalTarget(t *testing.T) {
+	dt := []byte(`
+		target "x" {
+			tags = ["a", "b"]
+		}
+		
+		target "default" {
+			tags = target.x.tags
+			matrix = {
+				dummy = [""]
+			}
+		}
+	`)
+	c, err := ParseFile(dt, "docker-bake.hcl")
+	require.NoError(t, err)
+	require.Equal(t, 2, len(c.Targets))
+	require.Equal(t, "x", c.Targets[0].Name)
+	require.Equal(t, "default", c.Targets[1].Name)
+	require.Equal(t, []string{"a", "b"}, c.Targets[1].Tags)
 }

 func TestJSONAttributes(t *testing.T) {
@@ -510,7 +1142,7 @@ func TestJSONAttributes(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-abc-def", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-abc-def"), c.Targets[0].Args["v1"])
 }

 func TestJSONFunctions(t *testing.T) {
@@ -535,7 +1167,25 @@ func TestJSONFunctions(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "pre-<FOO-abc>", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("pre-<FOO-abc>"), c.Targets[0].Args["v1"])
+}
+
+func TestJSONInvalidFunctions(t *testing.T) {
+	dt := []byte(`{
+	"target": {
+		"app": {
+			"args": {
+				"v1": "myfunc(\"foo\")"
+			}
+		}
+	}}`)
+
+	c, err := ParseFile(dt, "docker-bake.json")
+	require.NoError(t, err)
+
+	require.Equal(t, 1, len(c.Targets))
+	require.Equal(t, c.Targets[0].Name, "app")
+	require.Equal(t, ptrstr(`myfunc("foo")`), c.Targets[0].Args["v1"])
 }

 func TestHCLFunctionInAttr(t *testing.T) {
@@ -563,7 +1213,7 @@ func TestHCLFunctionInAttr(t *testing.T) {

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "FOO <> [baz]", c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("FOO <> [baz]"), c.Targets[0].Args["v1"])
 }

 func TestHCLCombineCompose(t *testing.T) {
@@ -594,8 +1244,8 @@ services:

 	require.Equal(t, 1, len(c.Targets))
 	require.Equal(t, c.Targets[0].Name, "app")
-	require.Equal(t, "foo", c.Targets[0].Args["v1"])
-	require.Equal(t, "bar", c.Targets[0].Args["v2"])
+	require.Equal(t, ptrstr("foo"), c.Targets[0].Args["v1"])
+	require.Equal(t, ptrstr("bar"), c.Targets[0].Args["v2"])
 	require.Equal(t, "dir", *c.Targets[0].Context)
 	require.Equal(t, "Dockerfile-alternate", *c.Targets[0].Dockerfile)
 }
@@ -740,10 +1390,10 @@ target "two" {
 	require.Equal(t, 2, len(c.Targets))

 	require.Equal(t, c.Targets[0].Name, "one")
-	require.Equal(t, map[string]string{"a": "pre-ghi-jkl"}, c.Targets[0].Args)
+	require.Equal(t, map[string]*string{"a": ptrstr("pre-ghi-jkl")}, c.Targets[0].Args)

 	require.Equal(t, c.Targets[1].Name, "two")
-	require.Equal(t, map[string]string{"b": "pre-jkl"}, c.Targets[1].Args)
+	require.Equal(t, map[string]*string{"b": ptrstr("pre-jkl")}, c.Targets[1].Args)
 }

 func TestEmptyVariableJSON(t *testing.T) {
@@ -782,3 +1432,24 @@ func TestFunctionNoResult(t *testing.T) {
 	_, err := ParseFile(dt, "docker-bake.hcl")
 	require.Error(t, err)
 }
+
+func TestVarUnsupportedType(t *testing.T) {
+	dt := []byte(`
+		variable "FOO" {
+			default = []
+		}
+		target "default" {}`)
+
+	t.Setenv("FOO", "bar")
+	_, err := ParseFile(dt, "docker-bake.hcl")
+	require.Error(t, err)
+}
+
+func ptrstr(s interface{}) *string {
+	var n *string
+	if reflect.ValueOf(s).Kind() == reflect.String {
+		ss := s.(string)
+		n = &ss
+	}
+	return n
+}
--- a/bake/hclparser/body.go
+++ b/bake/hclparser/body.go
@@ -0,0 +1,103 @@
+package hclparser
+
+import (
+	"github.com/hashicorp/hcl/v2"
+)
+
+type filterBody struct {
+	body    hcl.Body
+	schema  *hcl.BodySchema
+	exclude bool
+}
+
+func FilterIncludeBody(body hcl.Body, schema *hcl.BodySchema) hcl.Body {
+	return &filterBody{
+		body:   body,
+		schema: schema,
+	}
+}
+
+func FilterExcludeBody(body hcl.Body, schema *hcl.BodySchema) hcl.Body {
+	return &filterBody{
+		body:    body,
+		schema:  schema,
+		exclude: true,
+	}
+}
+
+func (b *filterBody) Content(schema *hcl.BodySchema) (*hcl.BodyContent, hcl.Diagnostics) {
+	if b.exclude {
+		schema = subtractSchemas(schema, b.schema)
+	} else {
+		schema = intersectSchemas(schema, b.schema)
+	}
+	content, _, diag := b.body.PartialContent(schema)
+	return content, diag
+}
+
+func (b *filterBody) PartialContent(schema *hcl.BodySchema) (*hcl.BodyContent, hcl.Body, hcl.Diagnostics) {
+	if b.exclude {
+		schema = subtractSchemas(schema, b.schema)
+	} else {
+		schema = intersectSchemas(schema, b.schema)
+	}
+	return b.body.PartialContent(schema)
+}
+
+func (b *filterBody) JustAttributes() (hcl.Attributes, hcl.Diagnostics) {
+	return b.body.JustAttributes()
+}
+
+func (b *filterBody) MissingItemRange() hcl.Range {
+	return b.body.MissingItemRange()
+}
+
+func intersectSchemas(a, b *hcl.BodySchema) *hcl.BodySchema {
+	result := &hcl.BodySchema{}
+	for _, blockA := range a.Blocks {
+		for _, blockB := range b.Blocks {
+			if blockA.Type == blockB.Type {
+				result.Blocks = append(result.Blocks, blockA)
+				break
+			}
+		}
+	}
+	for _, attrA := range a.Attributes {
+		for _, attrB := range b.Attributes {
+			if attrA.Name == attrB.Name {
+				result.Attributes = append(result.Attributes, attrA)
+				break
+			}
+		}
+	}
+	return result
+}
+
+func subtractSchemas(a, b *hcl.BodySchema) *hcl.BodySchema {
+	result := &hcl.BodySchema{}
+	for _, blockA := range a.Blocks {
+		found := false
+		for _, blockB := range b.Blocks {
+			if blockA.Type == blockB.Type {
+				found = true
+				break
+			}
+		}
+		if !found {
+			result.Blocks = append(result.Blocks, blockA)
+		}
+	}
+	for _, attrA := range a.Attributes {
+		found := false
+		for _, attrB := range b.Attributes {
+			if attrA.Name == attrB.Name {
+				found = true
+				break
+			}
+		}
+		if !found {
+			result.Attributes = append(result.Attributes, attrA)
+		}
+	}
+	return result
+}
--- a/bake/hclparser/expr.go
+++ b/bake/hclparser/expr.go
@@ -14,15 +14,7 @@ func funcCalls(exp hcl.Expression) ([]string, hcl.Diagnostics) {
 	if !ok {
 		fns, err := jsonFuncCallsRecursive(exp)
 		if err != nil {
-			return nil, hcl.Diagnostics{
-				&hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid expression",
-					Detail:   err.Error(),
-					Subject:  exp.Range().Ptr(),
-					Context:  exp.Range().Ptr(),
-				},
-			}
+			return nil, wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
 		}
 		return fns, nil
 	}
@@ -83,11 +75,11 @@ func appendJSONFuncCalls(exp hcl.Expression, m map[string]struct{}) error {

 	// hcl/v2/json/ast#stringVal
 	val := src.FieldByName("Value")
-	if val.IsZero() {
+	if !val.IsValid() || val.IsZero() {
 		return nil
 	}
 	rng := src.FieldByName("SrcRange")
-	if val.IsZero() {
+	if rng.IsZero() {
 		return nil
 	}
 	var stringVal struct {
--- a/bake/hclparser/hclparser.go
+++ b/bake/hclparser/hclparser.go
@@ -1,7 +1,9 @@
 package hclparser

 import (
+	"encoding/binary"
 	"fmt"
+	"hash/fnv"
 	"math"
 	"math/big"
 	"reflect"
@@ -13,6 +15,7 @@ import (
 	"github.com/hashicorp/hcl/v2/gohcl"
 	"github.com/pkg/errors"
 	"github.com/zclconf/go-cty/cty"
+	"github.com/zclconf/go-cty/cty/gocty"
 )

 type Opt struct {
@@ -48,30 +51,42 @@ type parser struct {
 	attrs map[string]*hcl.Attribute
 	funcs map[string]*functionDef

+	blocks       map[string]map[string][]*hcl.Block
+	blockValues  map[*hcl.Block][]reflect.Value
+	blockEvalCtx map[*hcl.Block][]*hcl.EvalContext
+	blockNames   map[*hcl.Block][]string
+	blockTypes   map[string]reflect.Type
+
 	ectx *hcl.EvalContext

-	progress  map[string]struct{}
-	progressF map[string]struct{}
-	doneF     map[string]struct{}
+	progressV map[uint64]struct{}
+	progressF map[uint64]struct{}
+	progressB map[uint64]map[string]struct{}
+	doneB     map[uint64]map[string]struct{}
 }

-func (p *parser) loadDeps(exp hcl.Expression, exclude map[string]struct{}) hcl.Diagnostics {
+type WithEvalContexts interface {
+	GetEvalContexts(base *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) ([]*hcl.EvalContext, error)
+}
+
+type WithGetName interface {
+	GetName(ectx *hcl.EvalContext, block *hcl.Block, loadDeps func(hcl.Expression) hcl.Diagnostics) (string, error)
+}
+
+var errUndefined = errors.New("undefined")
+
+func (p *parser) loadDeps(ectx *hcl.EvalContext, exp hcl.Expression, exclude map[string]struct{}, allowMissing bool) hcl.Diagnostics {
 	fns, hcldiags := funcCalls(exp)
 	if hcldiags.HasErrors() {
 		return hcldiags
 	}

 	for _, fn := range fns {
-		if err := p.resolveFunction(fn); err != nil {
-			return hcl.Diagnostics{
-				&hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid expression",
-					Detail:   err.Error(),
-					Subject:  exp.Range().Ptr(),
-					Context:  exp.Range().Ptr(),
-				},
+		if err := p.resolveFunction(ectx, fn); err != nil {
+			if allowMissing && errors.Is(err, errUndefined) {
+				continue
 			}
+			return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
 		}
 	}

@@ -79,15 +94,61 @@ func (p *parser) loadDeps(exp hcl.Expression, exclude map[string]struct{}) hcl.D
 		if _, ok := exclude[v.RootName()]; ok {
 			continue
 		}
-		if err := p.resolveValue(v.RootName()); err != nil {
-			return hcl.Diagnostics{
-				&hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid expression",
-					Detail:   err.Error(),
-					Subject:  v.SourceRange().Ptr(),
-					Context:  v.SourceRange().Ptr(),
-				},
+		if _, ok := p.blockTypes[v.RootName()]; ok {
+			blockType := v.RootName()
+
+			split := v.SimpleSplit().Rel
+			if len(split) == 0 {
+				return hcl.Diagnostics{
+					&hcl.Diagnostic{
+						Severity: hcl.DiagError,
+						Summary:  "Invalid expression",
+						Detail:   fmt.Sprintf("cannot access %s as a variable", blockType),
+						Subject:  exp.Range().Ptr(),
+						Context:  exp.Range().Ptr(),
+					},
+				}
+			}
+			blockName, ok := split[0].(hcl.TraverseAttr)
+			if !ok {
+				return hcl.Diagnostics{
+					&hcl.Diagnostic{
+						Severity: hcl.DiagError,
+						Summary:  "Invalid expression",
+						Detail:   fmt.Sprintf("cannot traverse %s without attribute", blockType),
+						Subject:  exp.Range().Ptr(),
+						Context:  exp.Range().Ptr(),
+					},
+				}
+			}
+			blocks := p.blocks[blockType][blockName.Name]
+			if len(blocks) == 0 {
+				continue
+			}
+
+			var target *hcl.BodySchema
+			if len(split) > 1 {
+				if attr, ok := split[1].(hcl.TraverseAttr); ok {
+					target = &hcl.BodySchema{
+						Attributes: []hcl.AttributeSchema{{Name: attr.Name}},
+						Blocks:     []hcl.BlockHeaderSchema{{Type: attr.Name}},
+					}
+				}
+			}
+			for _, block := range blocks {
+				if err := p.resolveBlock(block, target); err != nil {
+					if allowMissing && errors.Is(err, errUndefined) {
+						continue
+					}
+					return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
+				}
+			}
+		} else {
+			if err := p.resolveValue(ectx, v.RootName()); err != nil {
+				if allowMissing && errors.Is(err, errUndefined) {
+					continue
+				}
+				return wrapErrorDiagnostic("Invalid expression", err, exp.Range().Ptr(), exp.Range().Ptr())
 			}
 		}
 	}
@@ -95,21 +156,23 @@ func (p *parser) loadDeps(exp hcl.Expression, exclude map[string]struct{}) hcl.D
 	return nil
 }

-func (p *parser) resolveFunction(name string) error {
-	if _, ok := p.doneF[name]; ok {
+// resolveFunction forces evaluation of a function, storing the result into the
+// parser.
+func (p *parser) resolveFunction(ectx *hcl.EvalContext, name string) error {
+	if _, ok := p.ectx.Functions[name]; ok {
+		return nil
+	}
+	if _, ok := ectx.Functions[name]; ok {
 		return nil
 	}
 	f, ok := p.funcs[name]
 	if !ok {
-		if _, ok := p.ectx.Functions[name]; ok {
-			return nil
-		}
-		return errors.Errorf("undefined function %s", name)
+		return errors.Wrapf(errUndefined, "function %q does not exist", name)
 	}
-	if _, ok := p.progressF[name]; ok {
+	if _, ok := p.progressF[key(ectx, name)]; ok {
 		return errors.Errorf("function cycle not allowed for %s", name)
 	}
-	p.progressF[name] = struct{}{}
+	p.progressF[key(ectx, name)] = struct{}{}

 	if f.Result == nil {
 		return errors.Errorf("empty result not allowed for %s", name)
@@ -154,7 +217,7 @@ func (p *parser) resolveFunction(name string) error {
 		return diags
 	}

-	if diags := p.loadDeps(f.Result.Expr, params); diags.HasErrors() {
+	if diags := p.loadDeps(p.ectx, f.Result.Expr, params, false); diags.HasErrors() {
 		return diags
 	}

@@ -164,20 +227,24 @@ func (p *parser) resolveFunction(name string) error {
 	if diags.HasErrors() {
 		return diags
 	}
-	p.doneF[name] = struct{}{}
 	p.ectx.Functions[name] = v

 	return nil
 }

-func (p *parser) resolveValue(name string) (err error) {
+// resolveValue forces evaluation of a named value, storing the result into the
+// parser.
+func (p *parser) resolveValue(ectx *hcl.EvalContext, name string) (err error) {
 	if _, ok := p.ectx.Variables[name]; ok {
 		return nil
 	}
-	if _, ok := p.progress[name]; ok {
+	if _, ok := ectx.Variables[name]; ok {
+		return nil
+	}
+	if _, ok := p.progressV[key(ectx, name)]; ok {
 		return errors.Errorf("variable cycle not allowed for %s", name)
 	}
-	p.progress[name] = struct{}{}
+	p.progressV[key(ectx, name)] = struct{}{}

 	var v *cty.Value
 	defer func() {
@@ -190,9 +257,10 @@ func (p *parser) resolveValue(name string) (err error) {
 	if _, builtin := p.opt.Vars[name]; !ok && !builtin {
 		vr, ok := p.vars[name]
 		if !ok {
-			return errors.Errorf("undefined variable %q", name)
+			return errors.Wrapf(errUndefined, "variable %q does not exist", name)
 		}
 		def = vr.Default
+		ectx = p.ectx
 	}

 	if def == nil {
@@ -205,10 +273,10 @@ func (p *parser) resolveValue(name string) (err error) {
 		return
 	}

-	if diags := p.loadDeps(def.Expr, nil); diags.HasErrors() {
+	if diags := p.loadDeps(ectx, def.Expr, nil, true); diags.HasErrors() {
 		return diags
 	}
-	vv, diags := def.Expr.Value(p.ectx)
+	vv, diags := def.Expr.Value(ectx)
 	if diags.HasErrors() {
 		return diags
 	}
@@ -216,19 +284,16 @@ func (p *parser) resolveValue(name string) (err error) {
 	_, isVar := p.vars[name]

 	if envv, ok := p.opt.LookupVar(name); ok && isVar {
-		if vv.Type().Equals(cty.Bool) {
+		switch {
+		case vv.Type().Equals(cty.Bool):
 			b, err := strconv.ParseBool(envv)
 			if err != nil {
 				return errors.Wrapf(err, "failed to parse %s as bool", name)
 			}
-			vv := cty.BoolVal(b)
-			v = &vv
-			return nil
-		} else if vv.Type().Equals(cty.String) {
-			vv := cty.StringVal(envv)
-			v = &vv
-			return nil
-		} else if vv.Type().Equals(cty.Number) {
+			vv = cty.BoolVal(b)
+		case vv.Type().Equals(cty.String), vv.Type().Equals(cty.DynamicPseudoType):
+			vv = cty.StringVal(envv)
+		case vv.Type().Equals(cty.Number):
 			n, err := strconv.ParseFloat(envv, 64)
 			if err == nil && (math.IsNaN(n) || math.IsInf(n, 0)) {
 				err = errors.Errorf("invalid number value")
@@ -236,19 +301,240 @@ func (p *parser) resolveValue(name string) (err error) {
 			if err != nil {
 				return errors.Wrapf(err, "failed to parse %s as number", name)
 			}
-			vv := cty.NumberVal(big.NewFloat(n))
-			v = &vv
-			return nil
-		} else {
+			vv = cty.NumberVal(big.NewFloat(n))
+		default:
 			// TODO: support lists with csv values
-			return errors.Errorf("unsupported type %s for variable %s", v.Type(), name)
+			return errors.Errorf("unsupported type %s for variable %s", vv.Type().FriendlyName(), name)
 		}
 	}
 	v = &vv
 	return nil
 }

-func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
+// resolveBlock force evaluates a block, storing the result in the parser. If a
+// target schema is provided, only the attributes and blocks present in the
+// schema will be evaluated.
+func (p *parser) resolveBlock(block *hcl.Block, target *hcl.BodySchema) (err error) {
+	// prepare the variable map for this type
+	if _, ok := p.ectx.Variables[block.Type]; !ok {
+		p.ectx.Variables[block.Type] = cty.MapValEmpty(cty.Map(cty.String))
+	}
+
+	// prepare the output destination and evaluation context
+	t, ok := p.blockTypes[block.Type]
+	if !ok {
+		return nil
+	}
+	var outputs []reflect.Value
+	var ectxs []*hcl.EvalContext
+	if prev, ok := p.blockValues[block]; ok {
+		outputs = prev
+		ectxs = p.blockEvalCtx[block]
+	} else {
+		if v, ok := reflect.New(t).Interface().(WithEvalContexts); ok {
+			ectxs, err = v.GetEvalContexts(p.ectx, block, func(expr hcl.Expression) hcl.Diagnostics {
+				return p.loadDeps(p.ectx, expr, nil, true)
+			})
+			if err != nil {
+				return err
+			}
+			for _, ectx := range ectxs {
+				if ectx != p.ectx && ectx.Parent() != p.ectx {
+					return errors.Errorf("EvalContext must return a context with the correct parent")
+				}
+			}
+		} else {
+			ectxs = append([]*hcl.EvalContext{}, p.ectx)
+		}
+		for range ectxs {
+			outputs = append(outputs, reflect.New(t))
+		}
+	}
+	p.blockValues[block] = outputs
+	p.blockEvalCtx[block] = ectxs
+
+	for i, output := range outputs {
+		target := target
+		ectx := ectxs[i]
+		name := block.Labels[0]
+		if names, ok := p.blockNames[block]; ok {
+			name = names[i]
+		}
+
+		if _, ok := p.doneB[key(block, ectx)]; !ok {
+			p.doneB[key(block, ectx)] = map[string]struct{}{}
+		}
+		if _, ok := p.progressB[key(block, ectx)]; !ok {
+			p.progressB[key(block, ectx)] = map[string]struct{}{}
+		}
+
+		if target != nil {
+			// filter out attributes and blocks that are already evaluated
+			original := target
+			target = &hcl.BodySchema{}
+			for _, a := range original.Attributes {
+				if _, ok := p.doneB[key(block, ectx)][a.Name]; !ok {
+					target.Attributes = append(target.Attributes, a)
+				}
+			}
+			for _, b := range original.Blocks {
+				if _, ok := p.doneB[key(block, ectx)][b.Type]; !ok {
+					target.Blocks = append(target.Blocks, b)
+				}
+			}
+			if len(target.Attributes) == 0 && len(target.Blocks) == 0 {
+				return nil
+			}
+		}
+
+		if target != nil {
+			// detect reference cycles
+			for _, a := range target.Attributes {
+				if _, ok := p.progressB[key(block, ectx)][a.Name]; ok {
+					return errors.Errorf("reference cycle not allowed for %s.%s.%s", block.Type, name, a.Name)
+				}
+			}
+			for _, b := range target.Blocks {
+				if _, ok := p.progressB[key(block, ectx)][b.Type]; ok {
+					return errors.Errorf("reference cycle not allowed for %s.%s.%s", block.Type, name, b.Type)
+				}
+			}
+			for _, a := range target.Attributes {
+				p.progressB[key(block, ectx)][a.Name] = struct{}{}
+			}
+			for _, b := range target.Blocks {
+				p.progressB[key(block, ectx)][b.Type] = struct{}{}
+			}
+		}
+
+		// create a filtered body that contains only the target properties
+		body := func() hcl.Body {
+			if target != nil {
+				return FilterIncludeBody(block.Body, target)
+			}
+
+			filter := &hcl.BodySchema{}
+			for k := range p.doneB[key(block, ectx)] {
+				filter.Attributes = append(filter.Attributes, hcl.AttributeSchema{Name: k})
+				filter.Blocks = append(filter.Blocks, hcl.BlockHeaderSchema{Type: k})
+			}
+			return FilterExcludeBody(block.Body, filter)
+		}
+
+		// load dependencies from all targeted properties
+		schema, _ := gohcl.ImpliedBodySchema(reflect.New(t).Interface())
+		content, _, diag := body().PartialContent(schema)
+		if diag.HasErrors() {
+			return diag
+		}
+		for _, a := range content.Attributes {
+			diag := p.loadDeps(ectx, a.Expr, nil, true)
+			if diag.HasErrors() {
+				return diag
+			}
+		}
+		for _, b := range content.Blocks {
+			err := p.resolveBlock(b, nil)
+			if err != nil {
+				return err
+			}
+		}
+
+		// decode!
+		diag = gohcl.DecodeBody(body(), ectx, output.Interface())
+		if diag.HasErrors() {
+			return diag
+		}
+
+		// mark all targeted properties as done
+		for _, a := range content.Attributes {
+			p.doneB[key(block, ectx)][a.Name] = struct{}{}
+		}
+		for _, b := range content.Blocks {
+			p.doneB[key(block, ectx)][b.Type] = struct{}{}
+		}
+		if target != nil {
+			for _, a := range target.Attributes {
+				p.doneB[key(block, ectx)][a.Name] = struct{}{}
+			}
+			for _, b := range target.Blocks {
+				p.doneB[key(block, ectx)][b.Type] = struct{}{}
+			}
+		}
+
+		// store the result into the evaluation context (so it can be referenced)
+		outputType, err := gocty.ImpliedType(output.Interface())
+		if err != nil {
+			return err
+		}
+		outputValue, err := gocty.ToCtyValue(output.Interface(), outputType)
+		if err != nil {
+			return err
+		}
+		var m map[string]cty.Value
+		if m2, ok := p.ectx.Variables[block.Type]; ok {
+			m = m2.AsValueMap()
+		}
+		if m == nil {
+			m = map[string]cty.Value{}
+		}
+		m[name] = outputValue
+		p.ectx.Variables[block.Type] = cty.MapVal(m)
+	}
+
+	return nil
+}
+
+// resolveBlockNames returns the names of the block, calling resolveBlock to
+// evaluate any label fields to correctly resolve the name.
+func (p *parser) resolveBlockNames(block *hcl.Block) ([]string, error) {
+	if names, ok := p.blockNames[block]; ok {
+		return names, nil
+	}
+
+	if err := p.resolveBlock(block, &hcl.BodySchema{}); err != nil {
+		return nil, err
+	}
+
+	names := make([]string, 0, len(p.blockValues[block]))
+	for i, val := range p.blockValues[block] {
+		ectx := p.blockEvalCtx[block][i]
+
+		name := block.Labels[0]
+		if err := p.opt.ValidateLabel(name); err != nil {
+			return nil, err
+		}
+
+		if v, ok := val.Interface().(WithGetName); ok {
+			var err error
+			name, err = v.GetName(ectx, block, func(expr hcl.Expression) hcl.Diagnostics {
+				return p.loadDeps(ectx, expr, nil, true)
+			})
+			if err != nil {
+				return nil, err
+			}
+			if err := p.opt.ValidateLabel(name); err != nil {
+				return nil, err
+			}
+		}
+
+		setName(val, name)
+		names = append(names, name)
+	}
+
+	found := map[string]struct{}{}
+	for _, name := range names {
+		if _, ok := found[name]; ok {
+			return nil, errors.Errorf("duplicate name %q", name)
+		}
+		found[name] = struct{}{}
+	}
+
+	p.blockNames[block] = names
+	return names, nil
+}
+
+func Parse(b hcl.Body, opt Opt, val interface{}) (map[string]map[string][]string, hcl.Diagnostics) {
 	reserved := map[string]struct{}{}
 	schema, _ := gohcl.ImpliedBodySchema(val)

@@ -261,7 +547,7 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {

 	var defs inputs
 	if err := gohcl.DecodeBody(b, nil, &defs); err != nil {
-		return err
+		return nil, err
 	}
 	defsSchema, _ := gohcl.ImpliedBodySchema(defs)

@@ -284,13 +570,20 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 		attrs: map[string]*hcl.Attribute{},
 		funcs: map[string]*functionDef{},

-		progress:  map[string]struct{}{},
-		progressF: map[string]struct{}{},
-		doneF:     map[string]struct{}{},
+		blocks:       map[string]map[string][]*hcl.Block{},
+		blockValues:  map[*hcl.Block][]reflect.Value{},
+		blockEvalCtx: map[*hcl.Block][]*hcl.EvalContext{},
+		blockNames:   map[*hcl.Block][]string{},
+		blockTypes:   map[string]reflect.Type{},
 		ectx: &hcl.EvalContext{
 			Variables: map[string]cty.Value{},
-			Functions: stdlibFunctions,
+			Functions: Stdlib(),
 		},
+
+		progressV: map[uint64]struct{}{},
+		progressF: map[uint64]struct{}{},
+		progressB: map[uint64]map[string]struct{}{},
+		doneB:     map[uint64]map[string]struct{}{},
 	}

 	for _, v := range defs.Variables {
@@ -310,18 +603,18 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {

 	content, b, diags := b.PartialContent(schema)
 	if diags.HasErrors() {
-		return diags
+		return nil, diags
 	}

 	blocks, b, diags := b.PartialContent(defsSchema)
 	if diags.HasErrors() {
-		return diags
+		return nil, diags
 	}

 	attrs, diags := b.JustAttributes()
 	if diags.HasErrors() {
-		if d := removeAttributesDiags(diags, reserved, p.vars); len(d) > 0 {
-			return d
+		if d := removeAttributesDiags(diags, reserved, p.vars, attrs); len(d) > 0 {
+			return nil, d
 		}
 	}

@@ -334,112 +627,55 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 	delete(p.attrs, "function")

 	for k := range p.opt.Vars {
-		_ = p.resolveValue(k)
-	}
-
-	for k := range p.attrs {
-		if err := p.resolveValue(k); err != nil {
-			if diags, ok := err.(hcl.Diagnostics); ok {
-				return diags
-			}
-			return hcl.Diagnostics{
-				&hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid attribute",
-					Detail:   err.Error(),
-					Subject:  &p.attrs[k].Range,
-					Context:  &p.attrs[k].Range,
-				},
-			}
-		}
-	}
-
-	for k := range p.vars {
-		if err := p.resolveValue(k); err != nil {
-			if diags, ok := err.(hcl.Diagnostics); ok {
-				return diags
-			}
-			r := p.vars[k].Body.MissingItemRange()
-			return hcl.Diagnostics{
-				&hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid value",
-					Detail:   err.Error(),
-					Subject:  &r,
-					Context:  &r,
-				},
-			}
-		}
-	}
-
-	for k := range p.funcs {
-		if err := p.resolveFunction(k); err != nil {
-			if diags, ok := err.(hcl.Diagnostics); ok {
-				return diags
-			}
-			var subject *hcl.Range
-			var context *hcl.Range
-			if p.funcs[k].Params != nil {
-				subject = &p.funcs[k].Params.Range
-				context = subject
-			} else {
-				for _, block := range blocks.Blocks {
-					if block.Type == "function" && len(block.Labels) == 1 && block.Labels[0] == k {
-						subject = &block.LabelRanges[0]
-						context = &block.DefRange
-						break
-					}
-				}
-			}
-			return hcl.Diagnostics{
-				&hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid function",
-					Detail:   err.Error(),
-					Subject:  subject,
-					Context:  context,
-				},
-			}
-		}
+		_ = p.resolveValue(p.ectx, k)
 	}

 	for _, a := range content.Attributes {
-		return hcl.Diagnostics{
+		a := a
+		return nil, hcl.Diagnostics{
 			&hcl.Diagnostic{
 				Severity: hcl.DiagError,
 				Summary:  "Invalid attribute",
 				Detail:   "global attributes currently not supported",
-				Subject:  &a.Range,
-				Context:  &a.Range,
+				Subject:  a.Range.Ptr(),
+				Context:  a.Range.Ptr(),
 			},
 		}
 	}

-	m := map[string]map[string][]*hcl.Block{}
-	for _, b := range content.Blocks {
-		if len(b.Labels) == 0 || len(b.Labels) > 1 {
-			return hcl.Diagnostics{
-				&hcl.Diagnostic{
-					Severity: hcl.DiagError,
-					Summary:  "Invalid block",
-					Detail:   fmt.Sprintf("invalid block label: %v", b.Labels),
-					Subject:  &b.LabelRanges[0],
-					Context:  &b.LabelRanges[0],
-				},
+	for k := range p.vars {
+		if err := p.resolveValue(p.ectx, k); err != nil {
+			if diags, ok := err.(hcl.Diagnostics); ok {
+				return nil, diags
 			}
+			r := p.vars[k].Body.MissingItemRange()
+			return nil, wrapErrorDiagnostic("Invalid value", err, &r, &r)
 		}
-		bm, ok := m[b.Type]
-		if !ok {
-			bm = map[string][]*hcl.Block{}
-			m[b.Type] = bm
-		}
-
-		lbl := b.Labels[0]
-		bm[lbl] = append(bm[lbl], b)
 	}

-	vt := reflect.ValueOf(val).Elem().Type()
-	numFields := vt.NumField()
+	for k := range p.funcs {
+		if err := p.resolveFunction(p.ectx, k); err != nil {
+			if diags, ok := err.(hcl.Diagnostics); ok {
+				return nil, diags
+			}
+			var subject *hcl.Range
+			var context *hcl.Range
+			if p.funcs[k].Params != nil {
+				subject = p.funcs[k].Params.Range.Ptr()
+				context = subject
+			} else {
+				for _, block := range blocks.Blocks {
+					block := block
+					if block.Type == "function" && len(block.Labels) == 1 && block.Labels[0] == k {
+						subject = block.LabelRanges[0].Ptr()
+						context = block.DefRange.Ptr()
+						break
+					}
+				}
+			}
+			return nil, wrapErrorDiagnostic("Invalid function", err, subject, context)
+		}
+	}

 	type value struct {
 		reflect.Value
@@ -451,96 +687,177 @@ func Parse(b hcl.Body, opt Opt, val interface{}) hcl.Diagnostics {
 		values map[string]value
 	}
 	types := map[string]field{}
-
-	for i := 0; i < numFields; i++ {
+	renamed := map[string]map[string][]string{}
+	vt := reflect.ValueOf(val).Elem().Type()
+	for i := 0; i < vt.NumField(); i++ {
 		tags := strings.Split(vt.Field(i).Tag.Get("hcl"), ",")

+		p.blockTypes[tags[0]] = vt.Field(i).Type.Elem().Elem()
 		types[tags[0]] = field{
 			idx:    i,
 			typ:    vt.Field(i).Type,
 			values: make(map[string]value),
 		}
+		renamed[tags[0]] = map[string][]string{}
 	}

-	diags = hcl.Diagnostics{}
+	tmpBlocks := map[string]map[string][]*hcl.Block{}
 	for _, b := range content.Blocks {
-		v := reflect.ValueOf(val)
-
-		t, ok := types[b.Type]
-		if !ok {
-			continue
-		}
-
-		vv := reflect.New(t.typ.Elem().Elem())
-		diag := gohcl.DecodeBody(b.Body, p.ectx, vv.Interface())
-		if diag.HasErrors() {
-			diags = append(diags, diag...)
-			continue
-		}
-
-		if err := opt.ValidateLabel(b.Labels[0]); err != nil {
-			return hcl.Diagnostics{
+		if len(b.Labels) == 0 || len(b.Labels) > 1 {
+			return nil, hcl.Diagnostics{
 				&hcl.Diagnostic{
 					Severity: hcl.DiagError,
-					Summary:  "Invalid name",
-					Detail:   err.Error(),
+					Summary:  "Invalid block",
+					Detail:   fmt.Sprintf("invalid block label: %v", b.Labels),
 					Subject:  &b.LabelRanges[0],
+					Context:  &b.LabelRanges[0],
 				},
 			}
 		}

-		lblIndex := setLabel(vv, b.Labels[0])
+		bm, ok := tmpBlocks[b.Type]
+		if !ok {
+			bm = map[string][]*hcl.Block{}
+			tmpBlocks[b.Type] = bm
+		}

-		oldValue, exists := t.values[b.Labels[0]]
-		if !exists && lblIndex != -1 {
-			if v.Elem().Field(t.idx).Type().Kind() == reflect.Slice {
-				for i := 0; i < v.Elem().Field(t.idx).Len(); i++ {
-					if b.Labels[0] == v.Elem().Field(t.idx).Index(i).Elem().Field(lblIndex).String() {
-						exists = true
-						oldValue = value{Value: v.Elem().Field(t.idx).Index(i), idx: i}
-						break
+		names, err := p.resolveBlockNames(b)
+		if err != nil {
+			return nil, wrapErrorDiagnostic("Invalid name", err, &b.LabelRanges[0], &b.LabelRanges[0])
+		}
+		for _, name := range names {
+			bm[name] = append(bm[name], b)
+			renamed[b.Type][b.Labels[0]] = append(renamed[b.Type][b.Labels[0]], name)
+		}
+	}
+	p.blocks = tmpBlocks
+
+	diags = hcl.Diagnostics{}
+	for _, b := range content.Blocks {
+		b := b
+		v := reflect.ValueOf(val)
+
+		err := p.resolveBlock(b, nil)
+		if err != nil {
+			if diag, ok := err.(hcl.Diagnostics); ok {
+				if diag.HasErrors() {
+					diags = append(diags, diag...)
+					continue
+				}
+			} else {
+				return nil, wrapErrorDiagnostic("Invalid block", err, b.LabelRanges[0].Ptr(), b.DefRange.Ptr())
+			}
+		}
+
+		vvs := p.blockValues[b]
+		for _, vv := range vvs {
+			t := types[b.Type]
+			lblIndex, lblExists := getNameIndex(vv)
+			lblName, _ := getName(vv)
+			oldValue, exists := t.values[lblName]
+			if !exists && lblExists {
+				if v.Elem().Field(t.idx).Type().Kind() == reflect.Slice {
+					for i := 0; i < v.Elem().Field(t.idx).Len(); i++ {
+						if lblName == v.Elem().Field(t.idx).Index(i).Elem().Field(lblIndex).String() {
+							exists = true
+							oldValue = value{Value: v.Elem().Field(t.idx).Index(i), idx: i}
+							break
+						}
 					}
 				}
 			}
-
-		}
-		if exists {
-			if m := oldValue.Value.MethodByName("Merge"); m.IsValid() {
-				m.Call([]reflect.Value{vv})
+			if exists {
+				if m := oldValue.Value.MethodByName("Merge"); m.IsValid() {
+					m.Call([]reflect.Value{vv})
+				} else {
+					v.Elem().Field(t.idx).Index(oldValue.idx).Set(vv)
+				}
 			} else {
-				v.Elem().Field(t.idx).Index(oldValue.idx).Set(vv)
+				slice := v.Elem().Field(t.idx)
+				if slice.IsNil() {
+					slice = reflect.New(t.typ).Elem()
+				}
+				t.values[lblName] = value{Value: vv, idx: slice.Len()}
+				v.Elem().Field(t.idx).Set(reflect.Append(slice, vv))
 			}
-		} else {
-			slice := v.Elem().Field(t.idx)
-			if slice.IsNil() {
-				slice = reflect.New(t.typ).Elem()
-			}
-			t.values[b.Labels[0]] = value{Value: vv, idx: slice.Len()}
-			v.Elem().Field(t.idx).Set(reflect.Append(slice, vv))
 		}
 	}
 	if diags.HasErrors() {
-		return diags
+		return nil, diags
 	}

-	return nil
+	for k := range p.attrs {
+		if err := p.resolveValue(p.ectx, k); err != nil {
+			if diags, ok := err.(hcl.Diagnostics); ok {
+				return nil, diags
+			}
+			return nil, wrapErrorDiagnostic("Invalid attribute", err, &p.attrs[k].Range, &p.attrs[k].Range)
+		}
+	}
+
+	return renamed, nil
 }

-func setLabel(v reflect.Value, lbl string) int {
-	// cache field index?
+// wrapErrorDiagnostic wraps an error into a hcl.Diagnostics object.
+// If the error is already an hcl.Diagnostics object, it is returned as is.
+func wrapErrorDiagnostic(message string, err error, subject *hcl.Range, context *hcl.Range) hcl.Diagnostics {
+	switch err := err.(type) {
+	case *hcl.Diagnostic:
+		return hcl.Diagnostics{err}
+	case hcl.Diagnostics:
+		return err
+	default:
+		return hcl.Diagnostics{
+			&hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  message,
+				Detail:   err.Error(),
+				Subject:  subject,
+				Context:  context,
+			},
+		}
+	}
+}
+
+func setName(v reflect.Value, name string) {
 	numFields := v.Elem().Type().NumField()
 	for i := 0; i < numFields; i++ {
-		for _, t := range strings.Split(v.Elem().Type().Field(i).Tag.Get("hcl"), ",") {
+		parts := strings.Split(v.Elem().Type().Field(i).Tag.Get("hcl"), ",")
+		for _, t := range parts[1:] {
 			if t == "label" {
-				v.Elem().Field(i).Set(reflect.ValueOf(lbl))
-				return i
+				v.Elem().Field(i).Set(reflect.ValueOf(name))
 			}
 		}
 	}
-	return -1
 }

-func removeAttributesDiags(diags hcl.Diagnostics, reserved map[string]struct{}, vars map[string]*variable) hcl.Diagnostics {
+func getName(v reflect.Value) (string, bool) {
+	numFields := v.Elem().Type().NumField()
+	for i := 0; i < numFields; i++ {
+		parts := strings.Split(v.Elem().Type().Field(i).Tag.Get("hcl"), ",")
+		for _, t := range parts[1:] {
+			if t == "label" {
+				return v.Elem().Field(i).String(), true
+			}
+		}
+	}
+	return "", false
+}
+
+func getNameIndex(v reflect.Value) (int, bool) {
+	numFields := v.Elem().Type().NumField()
+	for i := 0; i < numFields; i++ {
+		parts := strings.Split(v.Elem().Type().Field(i).Tag.Get("hcl"), ",")
+		for _, t := range parts[1:] {
+			if t == "label" {
+				return i, true
+			}
+		}
+	}
+	return 0, false
+}
+
+func removeAttributesDiags(diags hcl.Diagnostics, reserved map[string]struct{}, vars map[string]*variable, attrs hcl.Attributes) hcl.Diagnostics {
 	var fdiags hcl.Diagnostics
 	for _, d := range diags {
 		if fout := func(d *hcl.Diagnostic) bool {
@@ -562,6 +879,12 @@ func removeAttributesDiags(diags hcl.Diagnostics, reserved map[string]struct{},
 					return true
 				}
 			}
+			for a := range attrs {
+				// Do the same for attributes
+				if strings.HasPrefix(d.Detail, fmt.Sprintf(`Argument "%s" was already set at `, a)) {
+					return true
+				}
+			}
 			return false
 		}(d); !fout {
 			fdiags = append(fdiags, d)
@@ -569,3 +892,21 @@ func removeAttributesDiags(diags hcl.Diagnostics, reserved map[string]struct{},
 	}
 	return fdiags
 }
+
+// key returns a unique hash for the given values
+func key(ks ...any) uint64 {
+	hash := fnv.New64a()
+	for _, k := range ks {
+		v := reflect.ValueOf(k)
+		switch v.Kind() {
+		case reflect.String:
+			hash.Write([]byte(v.String()))
+		case reflect.Pointer:
+			ptr := reflect.ValueOf(k).Pointer()
+			binary.Write(hash, binary.LittleEndian, uint64(ptr))
+		default:
+			panic(fmt.Sprintf("unknown key kind %s", v.Kind().String()))
+		}
+	}
+	return hash.Sum64()
+}
--- a/bake/hclparser/merged.go
+++ b/bake/hclparser/merged.go
@@ -0,0 +1,230 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+// Forked from https://github.com/hashicorp/hcl/blob/4679383728fe331fc8a6b46036a27b8f818d9bc0/merged.go
+
+package hclparser
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/hcl/v2"
+)
+
+// MergeFiles combines the given files to produce a single body that contains
+// configuration from all of the given files.
+//
+// The ordering of the given files decides the order in which contained
+// elements will be returned. If any top-level attributes are defined with
+// the same name across multiple files, a diagnostic will be produced from
+// the Content and PartialContent methods describing this error in a
+// user-friendly way.
+func MergeFiles(files []*hcl.File) hcl.Body {
+	var bodies []hcl.Body
+	for _, file := range files {
+		bodies = append(bodies, file.Body)
+	}
+	return MergeBodies(bodies)
+}
+
+// MergeBodies is like MergeFiles except it deals directly with bodies, rather
+// than with entire files.
+func MergeBodies(bodies []hcl.Body) hcl.Body {
+	if len(bodies) == 0 {
+		// Swap out for our singleton empty body, to reduce the number of
+		// empty slices we have hanging around.
+		return emptyBody
+	}
+
+	// If any of the given bodies are already merged bodies, we'll unpack
+	// to flatten to a single mergedBodies, since that's conceptually simpler.
+	// This also, as a side-effect, eliminates any empty bodies, since
+	// empties are merged bodies with no inner bodies.
+	var newLen int
+	var flatten bool
+	for _, body := range bodies {
+		if children, merged := body.(mergedBodies); merged {
+			newLen += len(children)
+			flatten = true
+		} else {
+			newLen++
+		}
+	}
+
+	if !flatten { // not just newLen == len, because we might have mergedBodies with single bodies inside
+		return mergedBodies(bodies)
+	}
+
+	if newLen == 0 {
+		// Don't allocate a new empty when we already have one
+		return emptyBody
+	}
+
+	n := make([]hcl.Body, 0, newLen)
+	for _, body := range bodies {
+		if children, merged := body.(mergedBodies); merged {
+			n = append(n, children...)
+		} else {
+			n = append(n, body)
+		}
+	}
+	return mergedBodies(n)
+}
+
+var emptyBody = mergedBodies([]hcl.Body{})
+
+// EmptyBody returns a body with no content. This body can be used as a
+// placeholder when a body is required but no body content is available.
+func EmptyBody() hcl.Body {
+	return emptyBody
+}
+
+type mergedBodies []hcl.Body
+
+// Content returns the content produced by applying the given schema to all
+// of the merged bodies and merging the result.
+//
+// Although required attributes _are_ supported, they should be used sparingly
+// with merged bodies since in this case there is no contextual information
+// with which to return good diagnostics. Applications working with merged
+// bodies may wish to mark all attributes as optional and then check for
+// required attributes afterwards, to produce better diagnostics.
+func (mb mergedBodies) Content(schema *hcl.BodySchema) (*hcl.BodyContent, hcl.Diagnostics) {
+	// the returned body will always be empty in this case, because mergedContent
+	// will only ever call Content on the child bodies.
+	content, _, diags := mb.mergedContent(schema, false)
+	return content, diags
+}
+
+func (mb mergedBodies) PartialContent(schema *hcl.BodySchema) (*hcl.BodyContent, hcl.Body, hcl.Diagnostics) {
+	return mb.mergedContent(schema, true)
+}
+
+func (mb mergedBodies) JustAttributes() (hcl.Attributes, hcl.Diagnostics) {
+	attrs := make(map[string]*hcl.Attribute)
+	var diags hcl.Diagnostics
+
+	for _, body := range mb {
+		thisAttrs, thisDiags := body.JustAttributes()
+
+		if len(thisDiags) != 0 {
+			diags = append(diags, thisDiags...)
+		}
+
+		if thisAttrs != nil {
+			for name, attr := range thisAttrs {
+				if existing := attrs[name]; existing != nil {
+					diags = diags.Append(&hcl.Diagnostic{
+						Severity: hcl.DiagError,
+						Summary:  "Duplicate argument",
+						Detail: fmt.Sprintf(
+							"Argument %q was already set at %s",
+							name, existing.NameRange.String(),
+						),
+						Subject: thisAttrs[name].NameRange.Ptr(),
+					})
+				}
+				attrs[name] = attr
+			}
+		}
+	}
+
+	return attrs, diags
+}
+
+func (mb mergedBodies) MissingItemRange() hcl.Range {
+	if len(mb) == 0 {
+		// Nothing useful to return here, so we'll return some garbage.
+		return hcl.Range{
+			Filename: "<empty>",
+		}
+	}
+
+	// arbitrarily use the first body's missing item range
+	return mb[0].MissingItemRange()
+}
+
+func (mb mergedBodies) mergedContent(schema *hcl.BodySchema, partial bool) (*hcl.BodyContent, hcl.Body, hcl.Diagnostics) {
+	// We need to produce a new schema with none of the attributes marked as
+	// required, since _any one_ of our bodies can contribute an attribute value.
+	// We'll separately check that all required attributes are present at
+	// the end.
+	mergedSchema := &hcl.BodySchema{
+		Blocks: schema.Blocks,
+	}
+	for _, attrS := range schema.Attributes {
+		mergedAttrS := attrS
+		mergedAttrS.Required = false
+		mergedSchema.Attributes = append(mergedSchema.Attributes, mergedAttrS)
+	}
+
+	var mergedLeftovers []hcl.Body
+	content := &hcl.BodyContent{
+		Attributes: map[string]*hcl.Attribute{},
+	}
+
+	var diags hcl.Diagnostics
+	for _, body := range mb {
+		var thisContent *hcl.BodyContent
+		var thisLeftovers hcl.Body
+		var thisDiags hcl.Diagnostics
+
+		if partial {
+			thisContent, thisLeftovers, thisDiags = body.PartialContent(mergedSchema)
+		} else {
+			thisContent, thisDiags = body.Content(mergedSchema)
+		}
+
+		if thisLeftovers != nil {
+			mergedLeftovers = append(mergedLeftovers, thisLeftovers)
+		}
+		if len(thisDiags) != 0 {
+			diags = append(diags, thisDiags...)
+		}
+
+		if thisContent.Attributes != nil {
+			for name, attr := range thisContent.Attributes {
+				if existing := content.Attributes[name]; existing != nil {
+					diags = diags.Append(&hcl.Diagnostic{
+						Severity: hcl.DiagError,
+						Summary:  "Duplicate argument",
+						Detail: fmt.Sprintf(
+							"Argument %q was already set at %s",
+							name, existing.NameRange.String(),
+						),
+						Subject: thisContent.Attributes[name].NameRange.Ptr(),
+					})
+				}
+				content.Attributes[name] = attr
+			}
+		}
+
+		if len(thisContent.Blocks) != 0 {
+			content.Blocks = append(content.Blocks, thisContent.Blocks...)
+		}
+	}
+
+	// Finally, we check for required attributes.
+	for _, attrS := range schema.Attributes {
+		if !attrS.Required {
+			continue
+		}
+
+		if content.Attributes[attrS.Name] == nil {
+			// We don't have any context here to produce a good diagnostic,
+			// which is why we warn in the Content docstring to minimize the
+			// use of required attributes on merged bodies.
+			diags = diags.Append(&hcl.Diagnostic{
+				Severity: hcl.DiagError,
+				Summary:  "Missing required argument",
+				Detail: fmt.Sprintf(
+					"The argument %q is required, but was not set.",
+					attrS.Name,
+				),
+			})
+		}
+	}
+
+	leftoverBody := MergeBodies(mergedLeftovers)
+	return content, leftoverBody, diags
+}
--- a/bake/hclparser/stdlib.go
+++ b/bake/hclparser/stdlib.go
@@ -31,21 +31,21 @@ var stdlibFunctions = map[string]function.Function{
 	"cidrnetmask":            cidr.NetmaskFunc,
 	"cidrsubnet":             cidr.SubnetFunc,
 	"cidrsubnets":            cidr.SubnetsFunc,
-	"csvdecode":              stdlib.CSVDecodeFunc,
 	"coalesce":               stdlib.CoalesceFunc,
 	"coalescelist":           stdlib.CoalesceListFunc,
 	"compact":                stdlib.CompactFunc,
 	"concat":                 stdlib.ConcatFunc,
 	"contains":               stdlib.ContainsFunc,
 	"convert":                typeexpr.ConvertFunc,
+	"csvdecode":              stdlib.CSVDecodeFunc,
 	"distinct":               stdlib.DistinctFunc,
 	"divide":                 stdlib.DivideFunc,
 	"element":                stdlib.ElementFunc,
 	"equal":                  stdlib.EqualFunc,
 	"flatten":                stdlib.FlattenFunc,
 	"floor":                  stdlib.FloorFunc,
-	"formatdate":             stdlib.FormatDateFunc,
 	"format":                 stdlib.FormatFunc,
+	"formatdate":             stdlib.FormatDateFunc,
 	"formatlist":             stdlib.FormatListFunc,
 	"greaterthan":            stdlib.GreaterThanFunc,
 	"greaterthanorequalto":   stdlib.GreaterThanOrEqualToFunc,
@@ -53,10 +53,10 @@ var stdlibFunctions = map[string]function.Function{
 	"indent":                 stdlib.IndentFunc,
 	"index":                  stdlib.IndexFunc,
 	"int":                    stdlib.IntFunc,
+	"join":                   stdlib.JoinFunc,
 	"jsondecode":             stdlib.JSONDecodeFunc,
 	"jsonencode":             stdlib.JSONEncodeFunc,
 	"keys":                   stdlib.KeysFunc,
-	"join":                   stdlib.JoinFunc,
 	"length":                 stdlib.LengthFunc,
 	"lessthan":               stdlib.LessThanFunc,
 	"lessthanorequalto":      stdlib.LessThanOrEqualToFunc,
@@ -70,15 +70,16 @@ var stdlibFunctions = map[string]function.Function{
 	"modulo":                 stdlib.ModuloFunc,
 	"multiply":               stdlib.MultiplyFunc,
 	"negate":                 stdlib.NegateFunc,
-	"notequal":               stdlib.NotEqualFunc,
 	"not":                    stdlib.NotFunc,
+	"notequal":               stdlib.NotEqualFunc,
 	"or":                     stdlib.OrFunc,
 	"parseint":               stdlib.ParseIntFunc,
 	"pow":                    stdlib.PowFunc,
 	"range":                  stdlib.RangeFunc,
-	"regexall":               stdlib.RegexAllFunc,
-	"regex":                  stdlib.RegexFunc,
 	"regex_replace":          stdlib.RegexReplaceFunc,
+	"regex":                  stdlib.RegexFunc,
+	"regexall":               stdlib.RegexAllFunc,
+	"replace":                stdlib.ReplaceFunc,
 	"reverse":                stdlib.ReverseFunc,
 	"reverselist":            stdlib.ReverseListFunc,
 	"rsadecrypt":             crypto.RsaDecryptFunc,
@@ -124,3 +125,11 @@ var timestampFunc = function.New(&function.Spec{
 		return cty.StringVal(time.Now().UTC().Format(time.RFC3339)), nil
 	},
 })
+
+func Stdlib() map[string]function.Function {
+	funcs := make(map[string]function.Function, len(stdlibFunctions))
+	for k, v := range stdlibFunctions {
+		funcs[k] = v
+	}
+	return funcs
+}
--- a/bake/remote.go
+++ b/bake/remote.go
@@ -4,14 +4,16 @@ import (
 	"archive/tar"
 	"bytes"
 	"context"
-	"strings"

-	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/driver"
 	"github.com/docker/buildx/util/progress"
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
+	"github.com/moby/buildkit/frontend/dockerui"
 	gwclient "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/session"
 	"github.com/pkg/errors"
 )

@@ -20,11 +22,17 @@ type Input struct {
 	URL   string
 }

-func ReadRemoteFiles(ctx context.Context, dis []build.DriverInfo, url string, names []string, pw progress.Writer) ([]File, *Input, error) {
+func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, names []string, pw progress.Writer) ([]File, *Input, error) {
+	var session []session.Attachable
 	var filename string
-	st, ok := detectGitContext(url)
-	if !ok {
-		st, filename, ok = detectHTTPContext(url)
+	st, ok := dockerui.DetectGitContext(url, false)
+	if ok {
+		ssh, err := controllerapi.CreateSSH([]*controllerapi.SSH{{ID: "default"}})
+		if err == nil {
+			session = append(session, ssh)
+		}
+	} else {
+		st, filename, ok = dockerui.DetectHTTPContext(url)
 		if !ok {
 			return nil, nil, errors.Errorf("not url context")
 		}
@@ -33,25 +41,25 @@ func ReadRemoteFiles(ctx context.Context, dis []build.DriverInfo, url string, na
 	inp := &Input{State: st, URL: url}
 	var files []File

-	var di *build.DriverInfo
-	for _, d := range dis {
-		if d.Err == nil {
-			di = &d
+	var node *builder.Node
+	for i, n := range nodes {
+		if n.Err == nil {
+			node = &nodes[i]
 			continue
 		}
 	}
-	if di == nil {
+	if node == nil {
 		return nil, nil, nil
 	}

-	c, err := driver.Boot(ctx, ctx, di.Driver, pw)
+	c, err := driver.Boot(ctx, ctx, node.Driver, pw)
 	if err != nil {
 		return nil, nil, err
 	}

 	ch, done := progress.NewChannel(pw)
 	defer func() { <-done }()
-	_, err = c.Build(ctx, client.SolveOpt{}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+	_, err = c.Build(ctx, client.SolveOpt{Session: session, Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 		def, err := st.Marshal(ctx)
 		if err != nil {
 			return nil, err
@@ -83,51 +91,6 @@ func ReadRemoteFiles(ctx context.Context, dis []build.DriverInfo, url string, na
 	return files, inp, nil
 }

-func IsRemoteURL(url string) bool {
-	if _, _, ok := detectHTTPContext(url); ok {
-		return true
-	}
-	if _, ok := detectGitContext(url); ok {
-		return true
-	}
-	return false
-}
-
-func detectHTTPContext(url string) (*llb.State, string, bool) {
-	if httpPrefix.MatchString(url) {
-		httpContext := llb.HTTP(url, llb.Filename("context"), llb.WithCustomName("[internal] load remote build context"))
-		return &httpContext, "context", true
-	}
-	return nil, "", false
-}
-
-func detectGitContext(ref string) (*llb.State, bool) {
-	found := false
-	if httpPrefix.MatchString(ref) && gitURLPathWithFragmentSuffix.MatchString(ref) {
-		found = true
-	}
-
-	for _, prefix := range []string{"git://", "github.com/", "git@"} {
-		if strings.HasPrefix(ref, prefix) {
-			found = true
-			break
-		}
-	}
-	if !found {
-		return nil, false
-	}
-
-	parts := strings.SplitN(ref, "#", 2)
-	branch := ""
-	if len(parts) > 1 {
-		branch = parts[1]
-	}
-	gitOpts := []llb.GitOption{llb.WithCustomName("[internal] load git source " + ref)}
-
-	st := llb.Git(parts[0], branch, gitOpts...)
-	return &st, true
-}
-
 func isArchive(header []byte) bool {
 	for _, m := range [][]byte{
 		{0x42, 0x5A, 0x68},                   // bzip2
--- a/build/build.go
+++ b/build/build.go
--- a/build/driver.go
+++ b/build/driver.go
@@ -0,0 +1,305 @@
+package build
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/util/flightcontrol"
+	"github.com/moby/buildkit/util/tracing"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"go.opentelemetry.io/otel/trace"
+	"golang.org/x/sync/errgroup"
+)
+
+type resolvedNode struct {
+	resolver    *nodeResolver
+	driverIndex int
+	platforms   []specs.Platform
+}
+
+func (dp resolvedNode) Node() builder.Node {
+	return dp.resolver.nodes[dp.driverIndex]
+}
+
+func (dp resolvedNode) Client(ctx context.Context) (*client.Client, error) {
+	clients, err := dp.resolver.boot(ctx, []int{dp.driverIndex}, nil)
+	if err != nil {
+		return nil, err
+	}
+	return clients[0], nil
+}
+
+func (dp resolvedNode) BuildOpts(ctx context.Context) (gateway.BuildOpts, error) {
+	opts, err := dp.resolver.opts(ctx, []int{dp.driverIndex}, nil)
+	if err != nil {
+		return gateway.BuildOpts{}, err
+	}
+	return opts[0], nil
+}
+
+type matchMaker func(specs.Platform) platforms.MatchComparer
+
+type nodeResolver struct {
+	nodes   []builder.Node
+	clients flightcontrol.Group[*client.Client]
+	opt     flightcontrol.Group[gateway.BuildOpts]
+}
+
+func resolveDrivers(ctx context.Context, nodes []builder.Node, opt map[string]Options, pw progress.Writer) (map[string][]*resolvedNode, error) {
+	driverRes := newDriverResolver(nodes)
+	drivers, err := driverRes.Resolve(ctx, opt, pw)
+	if err != nil {
+		return nil, err
+	}
+	return drivers, err
+}
+
+func newDriverResolver(nodes []builder.Node) *nodeResolver {
+	r := &nodeResolver{
+		nodes: nodes,
+	}
+	return r
+}
+
+func (r *nodeResolver) Resolve(ctx context.Context, opt map[string]Options, pw progress.Writer) (map[string][]*resolvedNode, error) {
+	if len(r.nodes) == 0 {
+		return nil, nil
+	}
+
+	nodes := map[string][]*resolvedNode{}
+	for k, opt := range opt {
+		node, perfect, err := r.resolve(ctx, opt.Platforms, pw, platforms.OnlyStrict, nil)
+		if err != nil {
+			return nil, err
+		}
+		if !perfect {
+			break
+		}
+		nodes[k] = node
+	}
+	if len(nodes) != len(opt) {
+		// if we didn't get a perfect match, we need to boot all drivers
+		allIndexes := make([]int, len(r.nodes))
+		for i := range allIndexes {
+			allIndexes[i] = i
+		}
+
+		clients, err := r.boot(ctx, allIndexes, pw)
+		if err != nil {
+			return nil, err
+		}
+		eg, egCtx := errgroup.WithContext(ctx)
+		workers := make([][]specs.Platform, len(clients))
+		for i, c := range clients {
+			i, c := i, c
+			if c == nil {
+				continue
+			}
+			eg.Go(func() error {
+				ww, err := c.ListWorkers(egCtx)
+				if err != nil {
+					return errors.Wrap(err, "listing workers")
+				}
+
+				ps := make(map[string]specs.Platform, len(ww))
+				for _, w := range ww {
+					for _, p := range w.Platforms {
+						pk := platforms.Format(platforms.Normalize(p))
+						ps[pk] = p
+					}
+				}
+				for _, p := range ps {
+					workers[i] = append(workers[i], p)
+				}
+				return nil
+			})
+		}
+		if err := eg.Wait(); err != nil {
+			return nil, err
+		}
+
+		// then we can attempt to match against all the available platforms
+		// (this time we don't care about imperfect matches)
+		nodes = map[string][]*resolvedNode{}
+		for k, opt := range opt {
+			node, _, err := r.resolve(ctx, opt.Platforms, pw, platforms.Only, func(idx int, n builder.Node) []specs.Platform {
+				return workers[idx]
+			})
+			if err != nil {
+				return nil, err
+			}
+			nodes[k] = node
+		}
+	}
+
+	idxs := make([]int, 0, len(r.nodes))
+	for _, nodes := range nodes {
+		for _, node := range nodes {
+			idxs = append(idxs, node.driverIndex)
+		}
+	}
+
+	// preload capabilities
+	span, ctx := tracing.StartSpan(ctx, "load buildkit capabilities", trace.WithSpanKind(trace.SpanKindInternal))
+	_, err := r.opts(ctx, idxs, pw)
+	tracing.FinishWithError(span, err)
+	if err != nil {
+		return nil, err
+	}
+
+	return nodes, nil
+}
+
+func (r *nodeResolver) resolve(ctx context.Context, ps []specs.Platform, pw progress.Writer, matcher matchMaker, additional func(idx int, n builder.Node) []specs.Platform) ([]*resolvedNode, bool, error) {
+	if len(r.nodes) == 0 {
+		return nil, true, nil
+	}
+
+	if len(ps) == 0 {
+		ps = []specs.Platform{platforms.DefaultSpec()}
+	}
+
+	perfect := true
+	nodeIdxs := make([]int, 0)
+	for _, p := range ps {
+		idx := r.get(p, matcher, additional)
+		if idx == -1 {
+			idx = 0
+			perfect = false
+		}
+		nodeIdxs = append(nodeIdxs, idx)
+	}
+
+	var nodes []*resolvedNode
+	for i, idx := range nodeIdxs {
+		nodes = append(nodes, &resolvedNode{
+			resolver:    r,
+			driverIndex: idx,
+			platforms:   []specs.Platform{ps[i]},
+		})
+	}
+	nodes = recombineNodes(nodes)
+	if _, err := r.boot(ctx, nodeIdxs, pw); err != nil {
+		return nil, false, err
+	}
+	return nodes, perfect, nil
+}
+
+func (r *nodeResolver) get(p specs.Platform, matcher matchMaker, additionalPlatforms func(int, builder.Node) []specs.Platform) int {
+	best := -1
+	bestPlatform := specs.Platform{}
+	for i, node := range r.nodes {
+		platforms := node.Platforms
+		if additionalPlatforms != nil {
+			platforms = append([]specs.Platform{}, platforms...)
+			platforms = append(platforms, additionalPlatforms(i, node)...)
+		}
+		for _, p2 := range platforms {
+			m := matcher(p2)
+			if !m.Match(p) {
+				continue
+			}
+
+			if best == -1 {
+				best = i
+				bestPlatform = p2
+				continue
+			}
+			if matcher(p2).Less(p, bestPlatform) {
+				best = i
+				bestPlatform = p2
+			}
+		}
+	}
+	return best
+}
+
+func (r *nodeResolver) boot(ctx context.Context, idxs []int, pw progress.Writer) ([]*client.Client, error) {
+	clients := make([]*client.Client, len(idxs))
+
+	baseCtx := ctx
+	eg, ctx := errgroup.WithContext(ctx)
+
+	for i, idx := range idxs {
+		i, idx := i, idx
+		eg.Go(func() error {
+			c, err := r.clients.Do(ctx, fmt.Sprint(idx), func(ctx context.Context) (*client.Client, error) {
+				if r.nodes[idx].Driver == nil {
+					return nil, nil
+				}
+				return driver.Boot(ctx, baseCtx, r.nodes[idx].Driver, pw)
+			})
+			if err != nil {
+				return err
+			}
+			clients[i] = c
+			return nil
+		})
+	}
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	return clients, nil
+}
+
+func (r *nodeResolver) opts(ctx context.Context, idxs []int, pw progress.Writer) ([]gateway.BuildOpts, error) {
+	clients, err := r.boot(ctx, idxs, pw)
+	if err != nil {
+		return nil, err
+	}
+
+	bopts := make([]gateway.BuildOpts, len(clients))
+	eg, ctx := errgroup.WithContext(ctx)
+	for i, idxs := range idxs {
+		i, idx := i, idxs
+		c := clients[i]
+		if c == nil {
+			continue
+		}
+		eg.Go(func() error {
+			opt, err := r.opt.Do(ctx, fmt.Sprint(idx), func(ctx context.Context) (gateway.BuildOpts, error) {
+				opt := gateway.BuildOpts{}
+				_, err := c.Build(ctx, client.SolveOpt{
+					Internal: true,
+				}, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+					opt = c.BuildOpts()
+					return nil, nil
+				}, nil)
+				return opt, err
+			})
+			if err != nil {
+				return err
+			}
+			bopts[i] = opt
+			return nil
+		})
+	}
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+	return bopts, nil
+}
+
+// recombineDriverPairs recombines resolved nodes that are on the same driver
+// back together into a single node.
+func recombineNodes(nodes []*resolvedNode) []*resolvedNode {
+	result := make([]*resolvedNode, 0, len(nodes))
+	lookup := map[int]int{}
+	for _, node := range nodes {
+		if idx, ok := lookup[node.driverIndex]; ok {
+			result[idx].platforms = append(result[idx].platforms, node.platforms...)
+		} else {
+			lookup[node.driverIndex] = len(result)
+			result = append(result, node)
+		}
+	}
+	return result
+}
--- a/build/driver_test.go
+++ b/build/driver_test.go
@@ -0,0 +1,313 @@
+package build
+
+import (
+	"context"
+	"sort"
+	"testing"
+
+	"github.com/containerd/containerd/platforms"
+	"github.com/docker/buildx/builder"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFindDriverSanity(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.DefaultSpec()},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.DefaultSpec()}, nil, platforms.OnlyStrict, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 0, res[0].driverIndex)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+}
+
+func TestFindDriverEmpty(t *testing.T) {
+	r := makeTestResolver(nil)
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.DefaultSpec()}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Nil(t, res)
+}
+
+func TestFindDriverWeirdName(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/foobar")},
+	})
+
+	// find first platform
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/foobar")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 1, res[0].driverIndex)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+}
+
+func TestFindDriverUnknown(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/riscv64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.False(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 0, res[0].driverIndex)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+}
+
+func TestSelectNodeSinglePlatform(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/riscv64")},
+	})
+
+	// find first platform
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/amd64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 0, res[0].driverIndex)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+
+	// find second platform
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/riscv64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 1, res[0].driverIndex)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+
+	// find an unknown platform, should match the first driver
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/s390x")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.False(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 0, res[0].driverIndex)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+}
+
+func TestSelectNodeMultiPlatform(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64"), platforms.MustParse("linux/arm64")},
+		"bbb": {platforms.MustParse("linux/riscv64")},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/amd64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 0, res[0].driverIndex)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 0, res[0].driverIndex)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/riscv64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, 1, res[0].driverIndex)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+}
+
+func TestSelectNodeNonStrict(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/arm64")},
+	})
+
+	// arm64 should match itself
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+
+	// arm64 may support arm/v8
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v8")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+
+	// arm64 may support arm/v7
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v7")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+}
+
+func TestSelectNodeNonStrictARM(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/arm64")},
+		"ccc": {platforms.MustParse("linux/arm/v8")},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v8")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "ccc", res[0].Node().Builder)
+
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v7")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "ccc", res[0].Node().Builder)
+}
+
+func TestSelectNodeNonStrictLower(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/arm/v7")},
+	})
+
+	// v8 can't be built on v7 (so we should select the default)...
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v8")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.False(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+
+	// ...but v6 can be built on v8
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v6")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+}
+
+func TestSelectNodePreferStart(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/riscv64")},
+		"ccc": {platforms.MustParse("linux/riscv64")},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/riscv64")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+}
+
+func TestSelectNodePreferExact(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/arm/v8")},
+		"bbb": {platforms.MustParse("linux/arm/v7")},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v7")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+}
+
+func TestSelectNodeCurrentPlatform(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/foobar")},
+		"bbb": {platforms.DefaultSpec()},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+}
+
+func TestSelectNodeAdditionalPlatforms(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/arm/v8")},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v7")}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "bbb", res[0].Node().Builder)
+
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{platforms.MustParse("linux/arm/v7")}, nil, platforms.Only, func(idx int, n builder.Node) []specs.Platform {
+		if n.Builder == "aaa" {
+			return []specs.Platform{platforms.MustParse("linux/arm/v7")}
+		}
+		return nil
+	})
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+}
+
+func TestSplitNodeMultiPlatform(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64"), platforms.MustParse("linux/arm64")},
+		"bbb": {platforms.MustParse("linux/riscv64")},
+	})
+
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{
+		platforms.MustParse("linux/amd64"),
+		platforms.MustParse("linux/arm64"),
+	}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 1)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+
+	res, perfect, err = r.resolve(context.TODO(), []specs.Platform{
+		platforms.MustParse("linux/amd64"),
+		platforms.MustParse("linux/riscv64"),
+	}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 2)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+	require.Equal(t, "bbb", res[1].Node().Builder)
+}
+
+func TestSplitNodeMultiPlatformNoUnify(t *testing.T) {
+	r := makeTestResolver(map[string][]specs.Platform{
+		"aaa": {platforms.MustParse("linux/amd64")},
+		"bbb": {platforms.MustParse("linux/amd64"), platforms.MustParse("linux/riscv64")},
+	})
+
+	// the "best" choice would be the node with both platforms, but we're using
+	// a naive algorithm that doesn't try to unify the platforms
+	res, perfect, err := r.resolve(context.TODO(), []specs.Platform{
+		platforms.MustParse("linux/amd64"),
+		platforms.MustParse("linux/riscv64"),
+	}, nil, platforms.Only, nil)
+	require.NoError(t, err)
+	require.True(t, perfect)
+	require.Len(t, res, 2)
+	require.Equal(t, "aaa", res[0].Node().Builder)
+	require.Equal(t, "bbb", res[1].Node().Builder)
+}
+
+func makeTestResolver(nodes map[string][]specs.Platform) *nodeResolver {
+	var ns []builder.Node
+	for name, platforms := range nodes {
+		ns = append(ns, builder.Node{
+			Builder:   name,
+			Platforms: platforms,
+		})
+	}
+	sort.Slice(ns, func(i, j int) bool {
+		return ns[i].Builder < ns[j].Builder
+	})
+	return newDriverResolver(ns)
+}
--- a/build/git.go
+++ b/build/git.go
@@ -0,0 +1,115 @@
+package build
+
+import (
+	"context"
+	"os"
+	"path"
+	"path/filepath"
+	"strconv"
+	"strings"
+
+	"github.com/docker/buildx/util/gitutil"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+)
+
+const DockerfileLabel = "com.docker.image.source.entrypoint"
+
+func getGitAttributes(ctx context.Context, contextPath string, dockerfilePath string) (res map[string]string, _ error) {
+	res = make(map[string]string)
+	if contextPath == "" {
+		return
+	}
+
+	setGitLabels := false
+	if v, ok := os.LookupEnv("BUILDX_GIT_LABELS"); ok {
+		if v == "full" { // backward compatibility with old "full" mode
+			setGitLabels = true
+		} else if v, err := strconv.ParseBool(v); err == nil {
+			setGitLabels = v
+		}
+	}
+	setGitInfo := true
+	if v, ok := os.LookupEnv("BUILDX_GIT_INFO"); ok {
+		if v, err := strconv.ParseBool(v); err == nil {
+			setGitInfo = v
+		}
+	}
+
+	if !setGitLabels && !setGitInfo {
+		return
+	}
+
+	// figure out in which directory the git command needs to run in
+	var wd string
+	if filepath.IsAbs(contextPath) {
+		wd = contextPath
+	} else {
+		cwd, _ := os.Getwd()
+		wd, _ = filepath.Abs(filepath.Join(cwd, contextPath))
+	}
+
+	gitc, err := gitutil.New(gitutil.WithContext(ctx), gitutil.WithWorkingDir(wd))
+	if err != nil {
+		if st, err1 := os.Stat(path.Join(wd, ".git")); err1 == nil && st.IsDir() {
+			return res, errors.Wrap(err, "git was not found in the system")
+		}
+		return
+	}
+
+	if !gitc.IsInsideWorkTree() {
+		if st, err := os.Stat(path.Join(wd, ".git")); err == nil && st.IsDir() {
+			return res, errors.New("failed to read current commit information with git rev-parse --is-inside-work-tree")
+		}
+		return res, nil
+	}
+
+	if sha, err := gitc.FullCommit(); err != nil && !gitutil.IsUnknownRevision(err) {
+		return res, errors.Wrap(err, "failed to get git commit")
+	} else if sha != "" {
+		checkDirty := false
+		if v, ok := os.LookupEnv("BUILDX_GIT_CHECK_DIRTY"); ok {
+			if v, err := strconv.ParseBool(v); err == nil {
+				checkDirty = v
+			}
+		}
+		if checkDirty && gitc.IsDirty() {
+			sha += "-dirty"
+		}
+		if setGitLabels {
+			res["label:"+specs.AnnotationRevision] = sha
+		}
+		if setGitInfo {
+			res["vcs:revision"] = sha
+		}
+	}
+
+	if rurl, err := gitc.RemoteURL(); err == nil && rurl != "" {
+		if setGitLabels {
+			res["label:"+specs.AnnotationSource] = rurl
+		}
+		if setGitInfo {
+			res["vcs:source"] = rurl
+		}
+	}
+
+	if setGitLabels {
+		if root, err := gitc.RootDir(); err != nil {
+			return res, errors.Wrap(err, "failed to get git root dir")
+		} else if root != "" {
+			if dockerfilePath == "" {
+				dockerfilePath = filepath.Join(wd, "Dockerfile")
+			}
+			if !filepath.IsAbs(dockerfilePath) {
+				cwd, _ := os.Getwd()
+				dockerfilePath = filepath.Join(cwd, dockerfilePath)
+			}
+			dockerfilePath, _ = filepath.Rel(root, dockerfilePath)
+			if !strings.HasPrefix(dockerfilePath, "..") {
+				res["label:"+DockerfileLabel] = dockerfilePath
+			}
+		}
+	}
+
+	return
+}
--- a/build/git_test.go
+++ b/build/git_test.go
@@ -0,0 +1,156 @@
+package build
+
+import (
+	"context"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/docker/buildx/util/gitutil"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func setupTest(tb testing.TB) {
+	gitutil.Mktmp(tb)
+
+	c, err := gitutil.New()
+	require.NoError(tb, err)
+	gitutil.GitInit(c, tb)
+
+	df := []byte("FROM alpine:latest\n")
+	assert.NoError(tb, os.WriteFile("Dockerfile", df, 0644))
+
+	gitutil.GitAdd(c, tb, "Dockerfile")
+	gitutil.GitCommit(c, tb, "initial commit")
+	gitutil.GitSetRemote(c, tb, "origin", "git@github.com:docker/buildx.git")
+}
+
+func TestGetGitAttributesNotGitRepo(t *testing.T) {
+	_, err := getGitAttributes(context.Background(), t.TempDir(), "Dockerfile")
+	assert.NoError(t, err)
+}
+
+func TestGetGitAttributesBadGitRepo(t *testing.T) {
+	tmp := t.TempDir()
+	require.NoError(t, os.MkdirAll(path.Join(tmp, ".git"), 0755))
+
+	_, err := getGitAttributes(context.Background(), tmp, "Dockerfile")
+	assert.Error(t, err)
+}
+
+func TestGetGitAttributesNoContext(t *testing.T) {
+	setupTest(t)
+
+	gitattrs, err := getGitAttributes(context.Background(), "", "Dockerfile")
+	assert.NoError(t, err)
+	assert.Empty(t, gitattrs)
+}
+
+func TestGetGitAttributes(t *testing.T) {
+	cases := []struct {
+		name         string
+		envGitLabels string
+		envGitInfo   string
+		expected     []string
+	}{
+		{
+			name:         "default",
+			envGitLabels: "",
+			envGitInfo:   "",
+			expected: []string{
+				"vcs:revision",
+				"vcs:source",
+			},
+		},
+		{
+			name:         "none",
+			envGitLabels: "false",
+			envGitInfo:   "false",
+			expected:     []string{},
+		},
+		{
+			name:         "gitinfo",
+			envGitLabels: "false",
+			envGitInfo:   "true",
+			expected: []string{
+				"vcs:revision",
+				"vcs:source",
+			},
+		},
+		{
+			name:         "gitlabels",
+			envGitLabels: "true",
+			envGitInfo:   "false",
+			expected: []string{
+				"label:" + DockerfileLabel,
+				"label:" + specs.AnnotationRevision,
+				"label:" + specs.AnnotationSource,
+			},
+		},
+		{
+			name:         "both",
+			envGitLabels: "true",
+			envGitInfo:   "",
+			expected: []string{
+				"label:" + DockerfileLabel,
+				"label:" + specs.AnnotationRevision,
+				"label:" + specs.AnnotationSource,
+				"vcs:revision",
+				"vcs:source",
+			},
+		},
+	}
+	for _, tt := range cases {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			setupTest(t)
+			if tt.envGitLabels != "" {
+				t.Setenv("BUILDX_GIT_LABELS", tt.envGitLabels)
+			}
+			if tt.envGitInfo != "" {
+				t.Setenv("BUILDX_GIT_INFO", tt.envGitInfo)
+			}
+			gitattrs, err := getGitAttributes(context.Background(), ".", "Dockerfile")
+			require.NoError(t, err)
+			for _, e := range tt.expected {
+				assert.Contains(t, gitattrs, e)
+				assert.NotEmpty(t, gitattrs[e])
+				if e == "label:"+DockerfileLabel {
+					assert.Equal(t, "Dockerfile", gitattrs[e])
+				} else if e == "label:"+specs.AnnotationSource || e == "vcs:source" {
+					assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs[e])
+				}
+			}
+		})
+	}
+}
+
+func TestGetGitAttributesDirty(t *testing.T) {
+	setupTest(t)
+	t.Setenv("BUILDX_GIT_CHECK_DIRTY", "true")
+
+	// make a change to test dirty flag
+	df := []byte("FROM alpine:edge\n")
+	require.NoError(t, os.Mkdir("dir", 0755))
+	require.NoError(t, os.WriteFile(filepath.Join("dir", "Dockerfile"), df, 0644))
+
+	t.Setenv("BUILDX_GIT_LABELS", "true")
+	gitattrs, _ := getGitAttributes(context.Background(), ".", "Dockerfile")
+	assert.Equal(t, 5, len(gitattrs))
+
+	assert.Contains(t, gitattrs, "label:"+DockerfileLabel)
+	assert.Equal(t, "Dockerfile", gitattrs["label:"+DockerfileLabel])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationSource)
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["label:"+specs.AnnotationSource])
+	assert.Contains(t, gitattrs, "label:"+specs.AnnotationRevision)
+	assert.True(t, strings.HasSuffix(gitattrs["label:"+specs.AnnotationRevision], "-dirty"))
+
+	assert.Contains(t, gitattrs, "vcs:source")
+	assert.Equal(t, "git@github.com:docker/buildx.git", gitattrs["vcs:source"])
+	assert.Contains(t, gitattrs, "vcs:revision")
+	assert.True(t, strings.HasSuffix(gitattrs["vcs:revision"], "-dirty"))
+}
--- a/build/invoke.go
+++ b/build/invoke.go
@@ -0,0 +1,138 @@
+package build
+
+import (
+	"context"
+	_ "crypto/sha256" // ensure digests can be computed
+	"io"
+	"sync"
+	"sync/atomic"
+	"syscall"
+
+	controllerapi "github.com/docker/buildx/controller/pb"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+type Container struct {
+	cancelOnce      sync.Once
+	containerCancel func()
+	isUnavailable   atomic.Bool
+	initStarted     atomic.Bool
+	container       gateway.Container
+	releaseCh       chan struct{}
+	resultCtx       *ResultHandle
+}
+
+func NewContainer(ctx context.Context, resultCtx *ResultHandle, cfg *controllerapi.InvokeConfig) (*Container, error) {
+	mainCtx := ctx
+
+	ctrCh := make(chan *Container)
+	errCh := make(chan error)
+	go func() {
+		err := resultCtx.build(func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+			ctx, cancel := context.WithCancel(ctx)
+			go func() {
+				<-mainCtx.Done()
+				cancel()
+			}()
+
+			containerCfg, err := resultCtx.getContainerConfig(ctx, c, cfg)
+			if err != nil {
+				return nil, err
+			}
+			containerCtx, containerCancel := context.WithCancel(ctx)
+			defer containerCancel()
+			bkContainer, err := c.NewContainer(containerCtx, containerCfg)
+			if err != nil {
+				return nil, err
+			}
+			releaseCh := make(chan struct{})
+			container := &Container{
+				containerCancel: containerCancel,
+				container:       bkContainer,
+				releaseCh:       releaseCh,
+				resultCtx:       resultCtx,
+			}
+			doneCh := make(chan struct{})
+			defer close(doneCh)
+			resultCtx.registerCleanup(func() {
+				container.Cancel()
+				<-doneCh
+			})
+			ctrCh <- container
+			<-container.releaseCh
+
+			return nil, bkContainer.Release(ctx)
+		})
+		if err != nil {
+			errCh <- err
+		}
+	}()
+	select {
+	case ctr := <-ctrCh:
+		return ctr, nil
+	case err := <-errCh:
+		return nil, err
+	case <-mainCtx.Done():
+		return nil, mainCtx.Err()
+	}
+}
+
+func (c *Container) Cancel() {
+	c.markUnavailable()
+	c.cancelOnce.Do(func() {
+		if c.containerCancel != nil {
+			c.containerCancel()
+		}
+		close(c.releaseCh)
+	})
+}
+
+func (c *Container) IsUnavailable() bool {
+	return c.isUnavailable.Load()
+}
+
+func (c *Container) markUnavailable() {
+	c.isUnavailable.Store(true)
+}
+
+func (c *Container) Exec(ctx context.Context, cfg *controllerapi.InvokeConfig, stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
+	if isInit := c.initStarted.CompareAndSwap(false, true); isInit {
+		defer func() {
+			// container can't be used after init exits
+			c.markUnavailable()
+		}()
+	}
+	err := exec(ctx, c.resultCtx, cfg, c.container, stdin, stdout, stderr)
+	if err != nil {
+		// Container becomes unavailable if one of the processes fails in it.
+		c.markUnavailable()
+	}
+	return err
+}
+
+func exec(ctx context.Context, resultCtx *ResultHandle, cfg *controllerapi.InvokeConfig, ctr gateway.Container, stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
+	processCfg, err := resultCtx.getProcessConfig(cfg, stdin, stdout, stderr)
+	if err != nil {
+		return err
+	}
+	proc, err := ctr.Start(ctx, processCfg)
+	if err != nil {
+		return errors.Errorf("failed to start container: %v", err)
+	}
+
+	doneCh := make(chan struct{})
+	defer close(doneCh)
+	go func() {
+		select {
+		case <-ctx.Done():
+			if err := proc.Signal(ctx, syscall.SIGKILL); err != nil {
+				logrus.Warnf("failed to kill process: %v", err)
+			}
+		case <-doneCh:
+		}
+	}()
+
+	return proc.Wait()
+}
--- a/build/localstate.go
+++ b/build/localstate.go
@@ -0,0 +1,43 @@
+package build
+
+import (
+	"path/filepath"
+
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/localstate"
+	"github.com/moby/buildkit/client"
+)
+
+func saveLocalState(so *client.SolveOpt, target string, opts Options, node builder.Node, configDir string) error {
+	var err error
+	if so.Ref == "" {
+		return nil
+	}
+	lp := opts.Inputs.ContextPath
+	dp := opts.Inputs.DockerfilePath
+	if lp != "" || dp != "" {
+		if lp != "" {
+			lp, err = filepath.Abs(lp)
+			if err != nil {
+				return err
+			}
+		}
+		if dp != "" {
+			dp, err = filepath.Abs(dp)
+			if err != nil {
+				return err
+			}
+		}
+		l, err := localstate.New(configDir)
+		if err != nil {
+			return err
+		}
+		return l.SaveRef(node.Builder, node.Name, so.Ref, localstate.State{
+			Target:         target,
+			LocalPath:      lp,
+			DockerfilePath: dp,
+			GroupRef:       opts.GroupRef,
+		})
+	}
+	return nil
+}
--- a/build/result.go
+++ b/build/result.go
@@ -0,0 +1,495 @@
+package build
+
+import (
+	"context"
+	_ "crypto/sha256" // ensure digests can be computed
+	"encoding/json"
+	"io"
+	"sync"
+
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/exporter/containerimage/exptypes"
+	gateway "github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/solver/errdefs"
+	"github.com/moby/buildkit/solver/pb"
+	"github.com/moby/buildkit/solver/result"
+	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+// NewResultHandle makes a call to client.Build, additionally returning a
+// opaque ResultHandle alongside the standard response and error.
+//
+// This ResultHandle can be used to execute additional build steps in the same
+// context as the build occurred, which can allow easy debugging of build
+// failures and successes.
+//
+// If the returned ResultHandle is not nil, the caller must call Done() on it.
+func NewResultHandle(ctx context.Context, cc *client.Client, opt client.SolveOpt, product string, buildFunc gateway.BuildFunc, ch chan *client.SolveStatus) (*ResultHandle, *client.SolveResponse, error) {
+	// Create a new context to wrap the original, and cancel it when the
+	// caller-provided context is cancelled.
+	//
+	// We derive the context from the background context so that we can forbid
+	// cancellation of the build request after <-done is closed (which we do
+	// before returning the ResultHandle).
+	baseCtx := ctx
+	ctx, cancel := context.WithCancelCause(context.Background())
+	done := make(chan struct{})
+	go func() {
+		select {
+		case <-baseCtx.Done():
+			cancel(baseCtx.Err())
+		case <-done:
+			// Once done is closed, we've recorded a ResultHandle, so we
+			// shouldn't allow cancelling the underlying build request anymore.
+		}
+	}()
+
+	// Create a new channel to forward status messages to the original.
+	//
+	// We do this so that we can discard status messages after the main portion
+	// of the build is complete. This is necessary for the solve error case,
+	// where the original gateway is kept open until the ResultHandle is
+	// closed - we don't want progress messages from operations in that
+	// ResultHandle to display after this function exits.
+	//
+	// Additionally, callers should wait for the progress channel to be closed.
+	// If we keep the session open and never close the progress channel, the
+	// caller will likely hang.
+	baseCh := ch
+	ch = make(chan *client.SolveStatus)
+	go func() {
+		for {
+			s, ok := <-ch
+			if !ok {
+				return
+			}
+			select {
+			case <-baseCh:
+				// base channel is closed, discard status messages
+			default:
+				baseCh <- s
+			}
+		}
+	}()
+	defer close(baseCh)
+
+	var resp *client.SolveResponse
+	var respErr error
+	var respHandle *ResultHandle
+
+	go func() {
+		defer cancel(context.Canceled) // ensure no dangling processes
+
+		var res *gateway.Result
+		var err error
+		resp, err = cc.Build(ctx, opt, product, func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+			var err error
+			res, err = buildFunc(ctx, c)
+
+			if res != nil && err == nil {
+				// Force evaluation of the build result (otherwise, we likely
+				// won't get a solve error)
+				def, err2 := getDefinition(ctx, res)
+				if err2 != nil {
+					return nil, err2
+				}
+				res, err = evalDefinition(ctx, c, def)
+			}
+
+			if err != nil {
+				// Scenario 1: we failed to evaluate a node somewhere in the
+				// build graph.
+				//
+				// In this case, we construct a ResultHandle from this
+				// original Build session, and return it alongside the original
+				// build error. We then need to keep the gateway session open
+				// until the caller explicitly closes the ResultHandle.
+
+				var se *errdefs.SolveError
+				if errors.As(err, &se) {
+					respHandle = &ResultHandle{
+						done:     make(chan struct{}),
+						solveErr: se,
+						gwClient: c,
+						gwCtx:    ctx,
+					}
+					respErr = err // return original error to preserve stacktrace
+					close(done)
+
+					// Block until the caller closes the ResultHandle.
+					select {
+					case <-respHandle.done:
+					case <-ctx.Done():
+					}
+				}
+			}
+			return res, err
+		}, ch)
+		if respHandle != nil {
+			return
+		}
+		if err != nil {
+			// Something unexpected failed during the build, we didn't succeed,
+			// but we also didn't make it far enough to create a ResultHandle.
+			respErr = err
+			close(done)
+			return
+		}
+
+		// Scenario 2: we successfully built the image with no errors.
+		//
+		// In this case, the original gateway session has now been closed
+		// since the Build has been completed. So, we need to create a new
+		// gateway session to populate the ResultHandle. To do this, we
+		// need to re-evaluate the target result, in this new session. This
+		// should be instantaneous since the result should be cached.
+
+		def, err := getDefinition(ctx, res)
+		if err != nil {
+			respErr = err
+			close(done)
+			return
+		}
+
+		// NOTE: ideally this second connection should be lazily opened
+		opt := opt
+		opt.Ref = ""
+		opt.Exports = nil
+		opt.CacheExports = nil
+		opt.Internal = true
+		_, respErr = cc.Build(ctx, opt, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
+			res, err := evalDefinition(ctx, c, def)
+			if err != nil {
+				// This should probably not happen, since we've previously
+				// successfully evaluated the same result with no issues.
+				return nil, errors.Wrap(err, "inconsistent solve result")
+			}
+			respHandle = &ResultHandle{
+				done:     make(chan struct{}),
+				res:      res,
+				gwClient: c,
+				gwCtx:    ctx,
+			}
+			close(done)
+
+			// Block until the caller closes the ResultHandle.
+			select {
+			case <-respHandle.done:
+			case <-ctx.Done():
+			}
+			return nil, ctx.Err()
+		}, nil)
+		if respHandle != nil {
+			return
+		}
+		close(done)
+	}()
+
+	// Block until the other thread signals that it's completed the build.
+	select {
+	case <-done:
+	case <-baseCtx.Done():
+		if respErr == nil {
+			respErr = baseCtx.Err()
+		}
+	}
+	return respHandle, resp, respErr
+}
+
+// getDefinition converts a gateway result into a collection of definitions for
+// each ref in the result.
+func getDefinition(ctx context.Context, res *gateway.Result) (*result.Result[*pb.Definition], error) {
+	return result.ConvertResult(res, func(ref gateway.Reference) (*pb.Definition, error) {
+		st, err := ref.ToState()
+		if err != nil {
+			return nil, err
+		}
+		def, err := st.Marshal(ctx)
+		if err != nil {
+			return nil, err
+		}
+		return def.ToPB(), nil
+	})
+}
+
+// evalDefinition performs the reverse of getDefinition, converting a
+// collection of definitions into a gateway result.
+func evalDefinition(ctx context.Context, c gateway.Client, defs *result.Result[*pb.Definition]) (*gateway.Result, error) {
+	// force evaluation of all targets in parallel
+	results := make(map[*pb.Definition]*gateway.Result)
+	resultsMu := sync.Mutex{}
+	eg, egCtx := errgroup.WithContext(ctx)
+	defs.EachRef(func(def *pb.Definition) error {
+		eg.Go(func() error {
+			res, err := c.Solve(egCtx, gateway.SolveRequest{
+				Evaluate:   true,
+				Definition: def,
+			})
+			if err != nil {
+				return err
+			}
+			resultsMu.Lock()
+			results[def] = res
+			resultsMu.Unlock()
+			return nil
+		})
+		return nil
+	})
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+	res, _ := result.ConvertResult(defs, func(def *pb.Definition) (gateway.Reference, error) {
+		if res, ok := results[def]; ok {
+			return res.Ref, nil
+		}
+		return nil, nil
+	})
+	return res, nil
+}
+
+// ResultHandle is a build result with the client that built it.
+type ResultHandle struct {
+	res      *gateway.Result
+	solveErr *errdefs.SolveError
+
+	done     chan struct{}
+	doneOnce sync.Once
+
+	gwClient gateway.Client
+	gwCtx    context.Context
+
+	cleanups   []func()
+	cleanupsMu sync.Mutex
+}
+
+func (r *ResultHandle) Done() {
+	r.doneOnce.Do(func() {
+		r.cleanupsMu.Lock()
+		cleanups := r.cleanups
+		r.cleanups = nil
+		r.cleanupsMu.Unlock()
+		for _, f := range cleanups {
+			f()
+		}
+
+		close(r.done)
+		<-r.gwCtx.Done()
+	})
+}
+
+func (r *ResultHandle) registerCleanup(f func()) {
+	r.cleanupsMu.Lock()
+	r.cleanups = append(r.cleanups, f)
+	r.cleanupsMu.Unlock()
+}
+
+func (r *ResultHandle) build(buildFunc gateway.BuildFunc) (err error) {
+	_, err = buildFunc(r.gwCtx, r.gwClient)
+	return err
+}
+
+func (r *ResultHandle) getContainerConfig(ctx context.Context, c gateway.Client, cfg *controllerapi.InvokeConfig) (containerCfg gateway.NewContainerRequest, _ error) {
+	if r.res != nil && r.solveErr == nil {
+		logrus.Debugf("creating container from successful build")
+		ccfg, err := containerConfigFromResult(ctx, r.res, c, *cfg)
+		if err != nil {
+			return containerCfg, err
+		}
+		containerCfg = *ccfg
+	} else {
+		logrus.Debugf("creating container from failed build %+v", cfg)
+		ccfg, err := containerConfigFromError(r.solveErr, *cfg)
+		if err != nil {
+			return containerCfg, errors.Wrapf(err, "no result nor error is available")
+		}
+		containerCfg = *ccfg
+	}
+	return containerCfg, nil
+}
+
+func (r *ResultHandle) getProcessConfig(cfg *controllerapi.InvokeConfig, stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) (_ gateway.StartRequest, err error) {
+	processCfg := newStartRequest(stdin, stdout, stderr)
+	if r.res != nil && r.solveErr == nil {
+		logrus.Debugf("creating container from successful build")
+		if err := populateProcessConfigFromResult(&processCfg, r.res, *cfg); err != nil {
+			return processCfg, err
+		}
+	} else {
+		logrus.Debugf("creating container from failed build %+v", cfg)
+		if err := populateProcessConfigFromError(&processCfg, r.solveErr, *cfg); err != nil {
+			return processCfg, err
+		}
+	}
+	return processCfg, nil
+}
+
+func containerConfigFromResult(ctx context.Context, res *gateway.Result, c gateway.Client, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
+	if cfg.Initial {
+		return nil, errors.Errorf("starting from the container from the initial state of the step is supported only on the failed steps")
+	}
+
+	ps, err := exptypes.ParsePlatforms(res.Metadata)
+	if err != nil {
+		return nil, err
+	}
+	ref, ok := res.FindRef(ps.Platforms[0].ID)
+	if !ok {
+		return nil, errors.Errorf("no reference found")
+	}
+
+	return &gateway.NewContainerRequest{
+		Mounts: []gateway.Mount{
+			{
+				Dest:      "/",
+				MountType: pb.MountType_BIND,
+				Ref:       ref,
+			},
+		},
+	}, nil
+}
+
+func populateProcessConfigFromResult(req *gateway.StartRequest, res *gateway.Result, cfg controllerapi.InvokeConfig) error {
+	imgData := res.Metadata[exptypes.ExporterImageConfigKey]
+	var img *specs.Image
+	if len(imgData) > 0 {
+		img = &specs.Image{}
+		if err := json.Unmarshal(imgData, img); err != nil {
+			return err
+		}
+	}
+
+	user := ""
+	if !cfg.NoUser {
+		user = cfg.User
+	} else if img != nil {
+		user = img.Config.User
+	}
+
+	cwd := ""
+	if !cfg.NoCwd {
+		cwd = cfg.Cwd
+	} else if img != nil {
+		cwd = img.Config.WorkingDir
+	}
+
+	env := []string{}
+	if img != nil {
+		env = append(env, img.Config.Env...)
+	}
+	env = append(env, cfg.Env...)
+
+	args := []string{}
+	if cfg.Entrypoint != nil {
+		args = append(args, cfg.Entrypoint...)
+	} else if img != nil {
+		args = append(args, img.Config.Entrypoint...)
+	}
+	if !cfg.NoCmd {
+		args = append(args, cfg.Cmd...)
+	} else if img != nil {
+		args = append(args, img.Config.Cmd...)
+	}
+
+	req.Args = args
+	req.Env = env
+	req.User = user
+	req.Cwd = cwd
+	req.Tty = cfg.Tty
+
+	return nil
+}
+
+func containerConfigFromError(solveErr *errdefs.SolveError, cfg controllerapi.InvokeConfig) (*gateway.NewContainerRequest, error) {
+	exec, err := execOpFromError(solveErr)
+	if err != nil {
+		return nil, err
+	}
+	var mounts []gateway.Mount
+	for i, mnt := range exec.Mounts {
+		rid := solveErr.Solve.MountIDs[i]
+		if cfg.Initial {
+			rid = solveErr.Solve.InputIDs[i]
+		}
+		mounts = append(mounts, gateway.Mount{
+			Selector:  mnt.Selector,
+			Dest:      mnt.Dest,
+			ResultID:  rid,
+			Readonly:  mnt.Readonly,
+			MountType: mnt.MountType,
+			CacheOpt:  mnt.CacheOpt,
+			SecretOpt: mnt.SecretOpt,
+			SSHOpt:    mnt.SSHOpt,
+		})
+	}
+	return &gateway.NewContainerRequest{
+		Mounts:  mounts,
+		NetMode: exec.Network,
+	}, nil
+}
+
+func populateProcessConfigFromError(req *gateway.StartRequest, solveErr *errdefs.SolveError, cfg controllerapi.InvokeConfig) error {
+	exec, err := execOpFromError(solveErr)
+	if err != nil {
+		return err
+	}
+	meta := exec.Meta
+	user := ""
+	if !cfg.NoUser {
+		user = cfg.User
+	} else {
+		user = meta.User
+	}
+
+	cwd := ""
+	if !cfg.NoCwd {
+		cwd = cfg.Cwd
+	} else {
+		cwd = meta.Cwd
+	}
+
+	env := append(meta.Env, cfg.Env...)
+
+	args := []string{}
+	if cfg.Entrypoint != nil {
+		args = append(args, cfg.Entrypoint...)
+	}
+	if cfg.Cmd != nil {
+		args = append(args, cfg.Cmd...)
+	}
+	if len(args) == 0 {
+		args = meta.Args
+	}
+
+	req.Args = args
+	req.Env = env
+	req.User = user
+	req.Cwd = cwd
+	req.Tty = cfg.Tty
+
+	return nil
+}
+
+func execOpFromError(solveErr *errdefs.SolveError) (*pb.ExecOp, error) {
+	if solveErr == nil {
+		return nil, errors.Errorf("no error is available")
+	}
+	switch op := solveErr.Solve.Op.GetOp().(type) {
+	case *pb.Op_Exec:
+		return op.Exec, nil
+	default:
+		return nil, errors.Errorf("invoke: unsupported error type")
+	}
+	// TODO: support other ops
+}
+
+func newStartRequest(stdin io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) gateway.StartRequest {
+	return gateway.StartRequest{
+		Stdin:  stdin,
+		Stdout: stdout,
+		Stderr: stderr,
+	}
+}
--- a/build/url.go
+++ b/build/url.go
@@ -13,7 +13,7 @@ import (
 	"github.com/pkg/errors"
 )

-func createTempDockerfileFromURL(ctx context.Context, d driver.Driver, url string, pw progress.Writer) (string, error) {
+func createTempDockerfileFromURL(ctx context.Context, d *driver.DriverHandle, url string, pw progress.Writer) (string, error) {
 	c, err := driver.Boot(ctx, ctx, d, pw)
 	if err != nil {
 		return "", err
@@ -21,7 +21,7 @@ func createTempDockerfileFromURL(ctx context.Context, d driver.Driver, url strin
 	var out string
 	ch, done := progress.NewChannel(pw)
 	defer func() { <-done }()
-	_, err = c.Build(ctx, client.SolveOpt{}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+	_, err = c.Build(ctx, client.SolveOpt{Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 		def, err := llb.HTTP(url, llb.Filename("Dockerfile"), llb.WithCustomNamef("[internal] load %s", url)).Marshal(ctx)
 		if err != nil {
 			return nil, err
--- a/build/utils.go
+++ b/build/utils.go
@@ -3,16 +3,36 @@ package build
 import (
 	"archive/tar"
 	"bytes"
+	"context"
 	"net"
 	"os"
 	"strings"

+	"github.com/docker/buildx/driver"
 	"github.com/docker/cli/opts"
+	"github.com/docker/docker/builder/remotecontext/urlutil"
+	"github.com/moby/buildkit/util/gitutil"
 	"github.com/pkg/errors"
 )

-// archiveHeaderSize is the number of bytes in an archive header
-const archiveHeaderSize = 512
+const (
+	// archiveHeaderSize is the number of bytes in an archive header
+	archiveHeaderSize = 512
+	// mobyHostGatewayName defines a special string which users can append to
+	// --add-host to add an extra entry in /etc/hosts that maps
+	// host.docker.internal to the host IP
+	mobyHostGatewayName = "host-gateway"
+)
+
+func IsRemoteURL(c string) bool {
+	if urlutil.IsURL(c) {
+		return true
+	}
+	if _, err := gitutil.ParseGitRef(c); err == nil {
+		return true
+	}
+	return false
+}

 func isLocalDir(c string) bool {
 	st, err := os.Stat(c)
@@ -39,18 +59,28 @@ func isArchive(header []byte) bool {
 }

 // toBuildkitExtraHosts converts hosts from docker key:value format to buildkit's csv format
-func toBuildkitExtraHosts(inp []string) (string, error) {
+func toBuildkitExtraHosts(ctx context.Context, inp []string, nodeDriver *driver.DriverHandle) (string, error) {
 	if len(inp) == 0 {
 		return "", nil
 	}
 	hosts := make([]string, 0, len(inp))
 	for _, h := range inp {
-		parts := strings.Split(h, ":")
-
-		if len(parts) != 2 || parts[0] == "" || net.ParseIP(parts[1]) == nil {
+		host, ip, ok := strings.Cut(h, ":")
+		if !ok || host == "" || ip == "" {
 			return "", errors.Errorf("invalid host %s", h)
 		}
-		hosts = append(hosts, parts[0]+"="+parts[1])
+		// If the IP Address is a "host-gateway", replace this value with the
+		// IP address provided by the worker's label.
+		if ip == mobyHostGatewayName {
+			hgip, err := nodeDriver.HostGatewayIP(ctx)
+			if err != nil {
+				return "", errors.Wrap(err, "unable to derive the IP value for host-gateway")
+			}
+			ip = hgip.String()
+		} else if net.ParseIP(ip) == nil {
+			return "", errors.Errorf("invalid host %s", h)
+		}
+		hosts = append(hosts, host+"="+ip)
 	}
 	return strings.Join(hosts, ","), nil
 }
--- a/builder/builder.go
+++ b/builder/builder.go
@@ -0,0 +1,299 @@
+package builder
+
+import (
+	"context"
+	"os"
+	"sort"
+	"sync"
+
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/util/progress/progressui"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+// Builder represents an active builder object
+type Builder struct {
+	*store.NodeGroup
+	driverFactory driverFactory
+	nodes         []Node
+	opts          builderOpts
+	err           error
+}
+
+type builderOpts struct {
+	dockerCli       command.Cli
+	name            string
+	txn             *store.Txn
+	contextPathHash string
+	validate        bool
+}
+
+// Option provides a variadic option for configuring the builder.
+type Option func(b *Builder)
+
+// WithName sets builder name.
+func WithName(name string) Option {
+	return func(b *Builder) {
+		b.opts.name = name
+	}
+}
+
+// WithStore sets a store instance used at init.
+func WithStore(txn *store.Txn) Option {
+	return func(b *Builder) {
+		b.opts.txn = txn
+	}
+}
+
+// WithContextPathHash is used for determining pods in k8s driver instance.
+func WithContextPathHash(contextPathHash string) Option {
+	return func(b *Builder) {
+		b.opts.contextPathHash = contextPathHash
+	}
+}
+
+// WithSkippedValidation skips builder context validation.
+func WithSkippedValidation() Option {
+	return func(b *Builder) {
+		b.opts.validate = false
+	}
+}
+
+// New initializes a new builder client
+func New(dockerCli command.Cli, opts ...Option) (_ *Builder, err error) {
+	b := &Builder{
+		opts: builderOpts{
+			dockerCli: dockerCli,
+			validate:  true,
+		},
+	}
+	for _, opt := range opts {
+		opt(b)
+	}
+
+	if b.opts.txn == nil {
+		// if store instance is nil we create a short-lived one using the
+		// default store and ensure we release it on completion
+		var release func()
+		b.opts.txn, release, err = storeutil.GetStore(dockerCli)
+		if err != nil {
+			return nil, err
+		}
+		defer release()
+	}
+
+	if b.opts.name != "" {
+		if b.NodeGroup, err = storeutil.GetNodeGroup(b.opts.txn, dockerCli, b.opts.name); err != nil {
+			return nil, err
+		}
+	} else {
+		if b.NodeGroup, err = storeutil.GetCurrentInstance(b.opts.txn, dockerCli); err != nil {
+			return nil, err
+		}
+	}
+	if b.opts.validate {
+		if err = b.Validate(); err != nil {
+			return nil, err
+		}
+	}
+
+	return b, nil
+}
+
+// Validate validates builder context
+func (b *Builder) Validate() error {
+	if b.NodeGroup != nil && b.NodeGroup.DockerContext {
+		list, err := b.opts.dockerCli.ContextStore().List()
+		if err != nil {
+			return err
+		}
+		currentContext := b.opts.dockerCli.CurrentContext()
+		for _, l := range list {
+			if l.Name == b.Name && l.Name != currentContext {
+				return errors.Errorf("use `docker --context=%s buildx` to switch to context %q", l.Name, l.Name)
+			}
+		}
+	}
+	return nil
+}
+
+// ContextName returns builder context name if available.
+func (b *Builder) ContextName() string {
+	ctxbuilders, err := b.opts.dockerCli.ContextStore().List()
+	if err != nil {
+		return ""
+	}
+	for _, cb := range ctxbuilders {
+		if b.NodeGroup.Driver == "docker" && len(b.NodeGroup.Nodes) == 1 && b.NodeGroup.Nodes[0].Endpoint == cb.Name {
+			return cb.Name
+		}
+	}
+	return ""
+}
+
+// ImageOpt returns registry auth configuration
+func (b *Builder) ImageOpt() (imagetools.Opt, error) {
+	return storeutil.GetImageConfig(b.opts.dockerCli, b.NodeGroup)
+}
+
+// Boot bootstrap a builder
+func (b *Builder) Boot(ctx context.Context) (bool, error) {
+	toBoot := make([]int, 0, len(b.nodes))
+	for idx, d := range b.nodes {
+		if d.Err != nil || d.Driver == nil || d.DriverInfo == nil {
+			continue
+		}
+		if d.DriverInfo.Status != driver.Running {
+			toBoot = append(toBoot, idx)
+		}
+	}
+	if len(toBoot) == 0 {
+		return false, nil
+	}
+
+	printer, err := progress.NewPrinter(context.TODO(), os.Stderr, progressui.AutoMode)
+	if err != nil {
+		return false, err
+	}
+
+	baseCtx := ctx
+	eg, _ := errgroup.WithContext(ctx)
+	errCh := make(chan error, len(toBoot))
+	for _, idx := range toBoot {
+		func(idx int) {
+			eg.Go(func() error {
+				pw := progress.WithPrefix(printer, b.NodeGroup.Nodes[idx].Name, len(toBoot) > 1)
+				_, err := driver.Boot(ctx, baseCtx, b.nodes[idx].Driver, pw)
+				if err != nil {
+					b.nodes[idx].Err = err
+					errCh <- err
+				}
+				return nil
+			})
+		}(idx)
+	}
+
+	err = eg.Wait()
+	close(errCh)
+	err1 := printer.Wait()
+	if err == nil {
+		err = err1
+	}
+
+	if err == nil && len(errCh) == len(toBoot) {
+		return false, <-errCh
+	}
+	return true, err
+}
+
+// Inactive checks if all nodes are inactive for this builder.
+func (b *Builder) Inactive() bool {
+	for _, d := range b.nodes {
+		if d.DriverInfo != nil && d.DriverInfo.Status == driver.Running {
+			return false
+		}
+	}
+	return true
+}
+
+// Err returns error if any.
+func (b *Builder) Err() error {
+	return b.err
+}
+
+type driverFactory struct {
+	driver.Factory
+	once sync.Once
+}
+
+// Factory returns the driver factory.
+func (b *Builder) Factory(ctx context.Context, dialMeta map[string][]string) (_ driver.Factory, err error) {
+	b.driverFactory.once.Do(func() {
+		if b.Driver != "" {
+			b.driverFactory.Factory, err = driver.GetFactory(b.Driver, true)
+			if err != nil {
+				return
+			}
+		} else {
+			// empty driver means nodegroup was implicitly created as a default
+			// driver for a docker context and allows falling back to a
+			// docker-container driver for older daemon that doesn't support
+			// buildkit (< 18.06).
+			ep := b.NodeGroup.Nodes[0].Endpoint
+			var dockerapi *dockerutil.ClientAPI
+			dockerapi, err = dockerutil.NewClientAPI(b.opts.dockerCli, b.NodeGroup.Nodes[0].Endpoint)
+			if err != nil {
+				return
+			}
+			// check if endpoint is healthy is needed to determine the driver type.
+			// if this fails then can't continue with driver selection.
+			if _, err = dockerapi.Ping(ctx); err != nil {
+				return
+			}
+			b.driverFactory.Factory, err = driver.GetDefaultFactory(ctx, ep, dockerapi, false, dialMeta)
+			if err != nil {
+				return
+			}
+			b.Driver = b.driverFactory.Factory.Name()
+		}
+	})
+	return b.driverFactory.Factory, err
+}
+
+// GetBuilders returns all builders
+func GetBuilders(dockerCli command.Cli, txn *store.Txn) ([]*Builder, error) {
+	storeng, err := txn.List()
+	if err != nil {
+		return nil, err
+	}
+
+	builders := make([]*Builder, len(storeng))
+	seen := make(map[string]struct{})
+	for i, ng := range storeng {
+		b, err := New(dockerCli,
+			WithName(ng.Name),
+			WithStore(txn),
+			WithSkippedValidation(),
+		)
+		if err != nil {
+			return nil, err
+		}
+		builders[i] = b
+		seen[b.NodeGroup.Name] = struct{}{}
+	}
+
+	contexts, err := dockerCli.ContextStore().List()
+	if err != nil {
+		return nil, err
+	}
+	sort.Slice(contexts, func(i, j int) bool {
+		return contexts[i].Name < contexts[j].Name
+	})
+
+	for _, c := range contexts {
+		// if a context has the same name as an instance from the store, do not
+		// add it to the builders list. An instance from the store takes
+		// precedence over context builders.
+		if _, ok := seen[c.Name]; ok {
+			continue
+		}
+		b, err := New(dockerCli,
+			WithName(c.Name),
+			WithStore(txn),
+			WithSkippedValidation(),
+		)
+		if err != nil {
+			return nil, err
+		}
+		builders = append(builders, b)
+	}
+
+	return builders, nil
+}
--- a/builder/node.go
+++ b/builder/node.go
@@ -0,0 +1,243 @@
+package builder
+
+import (
+	"context"
+	"sort"
+
+	"github.com/docker/buildx/driver"
+	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/imagetools"
+	"github.com/docker/buildx/util/platformutil"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/util/grpcerrors"
+	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc/codes"
+)
+
+type Node struct {
+	store.Node
+	Builder     string
+	Driver      *driver.DriverHandle
+	DriverInfo  *driver.Info
+	ImageOpt    imagetools.Opt
+	ProxyConfig map[string]string
+	Version     string
+	Err         error
+
+	// worker settings
+	IDs       []string
+	Platforms []ocispecs.Platform
+	GCPolicy  []client.PruneInfo
+	Labels    map[string]string
+}
+
+// Nodes returns nodes for this builder.
+func (b *Builder) Nodes() []Node {
+	return b.nodes
+}
+
+type LoadNodesOption func(*loadNodesOptions)
+
+type loadNodesOptions struct {
+	data     bool
+	dialMeta map[string][]string
+}
+
+func WithData() LoadNodesOption {
+	return func(o *loadNodesOptions) {
+		o.data = true
+	}
+}
+
+func WithDialMeta(dialMeta map[string][]string) LoadNodesOption {
+	return func(o *loadNodesOptions) {
+		o.dialMeta = dialMeta
+	}
+}
+
+// LoadNodes loads and returns nodes for this builder.
+// TODO: this should be a method on a Node object and lazy load data for each driver.
+func (b *Builder) LoadNodes(ctx context.Context, opts ...LoadNodesOption) (_ []Node, err error) {
+	lno := loadNodesOptions{
+		data: false,
+	}
+	for _, opt := range opts {
+		opt(&lno)
+	}
+
+	eg, _ := errgroup.WithContext(ctx)
+	b.nodes = make([]Node, len(b.NodeGroup.Nodes))
+
+	defer func() {
+		if b.err == nil && err != nil {
+			b.err = err
+		}
+	}()
+
+	factory, err := b.Factory(ctx, lno.dialMeta)
+	if err != nil {
+		return nil, err
+	}
+
+	imageopt, err := b.ImageOpt()
+	if err != nil {
+		return nil, err
+	}
+
+	for i, n := range b.NodeGroup.Nodes {
+		func(i int, n store.Node) {
+			eg.Go(func() error {
+				node := Node{
+					Node:        n,
+					ProxyConfig: storeutil.GetProxyConfig(b.opts.dockerCli),
+					Platforms:   n.Platforms,
+					Builder:     b.Name,
+				}
+				defer func() {
+					b.nodes[i] = node
+				}()
+
+				dockerapi, err := dockerutil.NewClientAPI(b.opts.dockerCli, n.Endpoint)
+				if err != nil {
+					node.Err = err
+					return nil
+				}
+
+				contextStore := b.opts.dockerCli.ContextStore()
+
+				var kcc driver.KubeClientConfig
+				kcc, err = ctxkube.ConfigFromEndpoint(n.Endpoint, contextStore)
+				if err != nil {
+					// err is returned if n.Endpoint is non-context name like "unix:///var/run/docker.sock".
+					// try again with name="default".
+					// FIXME(@AkihiroSuda): n should retain real context name.
+					kcc, err = ctxkube.ConfigFromEndpoint("default", contextStore)
+					if err != nil {
+						logrus.Error(err)
+					}
+				}
+
+				tryToUseKubeConfigInCluster := false
+				if kcc == nil {
+					tryToUseKubeConfigInCluster = true
+				} else {
+					if _, err := kcc.ClientConfig(); err != nil {
+						tryToUseKubeConfigInCluster = true
+					}
+				}
+				if tryToUseKubeConfigInCluster {
+					kccInCluster := driver.KubeClientConfigInCluster{}
+					if _, err := kccInCluster.ClientConfig(); err == nil {
+						logrus.Debug("using kube config in cluster")
+						kcc = kccInCluster
+					}
+				}
+
+				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, factory, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, b.opts.contextPathHash, lno.dialMeta)
+				if err != nil {
+					node.Err = err
+					return nil
+				}
+				node.Driver = d
+				node.ImageOpt = imageopt
+
+				if lno.data {
+					if err := node.loadData(ctx); err != nil {
+						node.Err = err
+					}
+				}
+				return nil
+			})
+		}(i, n)
+	}
+
+	if err := eg.Wait(); err != nil {
+		return nil, err
+	}
+
+	// TODO: This should be done in the routine loading driver data
+	if lno.data {
+		kubernetesDriverCount := 0
+		for _, d := range b.nodes {
+			if d.DriverInfo != nil && len(d.DriverInfo.DynamicNodes) > 0 {
+				kubernetesDriverCount++
+			}
+		}
+
+		isAllKubernetesDrivers := len(b.nodes) == kubernetesDriverCount
+		if isAllKubernetesDrivers {
+			var nodes []Node
+			var dynamicNodes []store.Node
+			for _, di := range b.nodes {
+				// dynamic nodes are used in Kubernetes driver.
+				// Kubernetes' pods are dynamically mapped to BuildKit Nodes.
+				if di.DriverInfo != nil && len(di.DriverInfo.DynamicNodes) > 0 {
+					for i := 0; i < len(di.DriverInfo.DynamicNodes); i++ {
+						diClone := di
+						if pl := di.DriverInfo.DynamicNodes[i].Platforms; len(pl) > 0 {
+							diClone.Platforms = pl
+						}
+						nodes = append(nodes, di)
+					}
+					dynamicNodes = append(dynamicNodes, di.DriverInfo.DynamicNodes...)
+				}
+			}
+
+			// not append (remove the static nodes in the store)
+			b.NodeGroup.Nodes = dynamicNodes
+			b.nodes = nodes
+			b.NodeGroup.Dynamic = true
+		}
+	}
+
+	return b.nodes, nil
+}
+
+func (n *Node) loadData(ctx context.Context) error {
+	if n.Driver == nil {
+		return nil
+	}
+	info, err := n.Driver.Info(ctx)
+	if err != nil {
+		return err
+	}
+	n.DriverInfo = info
+	if n.DriverInfo.Status == driver.Running {
+		driverClient, err := n.Driver.Client(ctx)
+		if err != nil {
+			return err
+		}
+		workers, err := driverClient.ListWorkers(ctx)
+		if err != nil {
+			return errors.Wrap(err, "listing workers")
+		}
+		for idx, w := range workers {
+			n.IDs = append(n.IDs, w.ID)
+			n.Platforms = append(n.Platforms, w.Platforms...)
+			if idx == 0 {
+				n.GCPolicy = w.GCPolicy
+				n.Labels = w.Labels
+			}
+		}
+		sort.Strings(n.IDs)
+		n.Platforms = platformutil.Dedupe(n.Platforms)
+		inf, err := driverClient.Info(ctx)
+		if err != nil {
+			if st, ok := grpcerrors.AsGRPCStatus(err); ok && st.Code() == codes.Unimplemented {
+				n.Version, err = n.Driver.Version(ctx)
+				if err != nil {
+					return errors.Wrap(err, "getting version")
+				}
+			}
+		} else {
+			n.Version = inf.BuildkitVersion.Version
+		}
+	}
+	return nil
+}
--- a/cmd/buildx/main.go
+++ b/cmd/buildx/main.go
@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"os"

-	"github.com/containerd/containerd/pkg/seed"
 	"github.com/docker/buildx/commands"
+	"github.com/docker/buildx/util/desktop"
 	"github.com/docker/buildx/version"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/manager"
@@ -16,10 +16,10 @@ import (
 	"github.com/moby/buildkit/solver/errdefs"
 	"github.com/moby/buildkit/util/stack"

-	_ "k8s.io/client-go/plugin/pkg/client/auth/azure"
-	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
+	//nolint:staticcheck // vendored dependencies may still use this
+	"github.com/containerd/containerd/pkg/seed"
+
 	_ "k8s.io/client-go/plugin/pkg/client/auth/oidc"
-	_ "k8s.io/client-go/plugin/pkg/client/auth/openstack"

 	_ "github.com/docker/buildx/driver/docker"
 	_ "github.com/docker/buildx/driver/docker-container"
@@ -28,7 +28,9 @@ import (
 )

 func init() {
+	//nolint:staticcheck
 	seed.WithTimeAndRand()
+
 	stack.SetVersionInfo(version.Version, version.Revision)
 }

@@ -85,6 +87,9 @@ func main() {
 	} else {
 		fmt.Fprintf(cmd.Err(), "ERROR: %v\n", err)
 	}
+	if ebr, ok := err.(*desktop.ErrorWithBuildRef); ok {
+		ebr.Print(cmd.Err())
+	}

 	os.Exit(1)
 }
--- a/commands/bake.go
+++ b/commands/bake.go
@@ -4,28 +4,45 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"os"
+	"strings"

+	"github.com/containerd/console"
 	"github.com/containerd/containerd/platforms"
 	"github.com/docker/buildx/bake"
 	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/localstate"
+	"github.com/docker/buildx/util/buildflags"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/desktop"
+	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/buildx/util/tracing"
 	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/util/appcontext"
+	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )

 type bakeOptions struct {
-	files     []string
-	overrides []string
-	printOnly bool
-	commonOptions
+	files      []string
+	overrides  []string
+	printOnly  bool
+	sbom       string
+	provenance string
+
+	builder      string
+	metadataFile string
+	exportPush   bool
+	exportLoad   bool
 }

-func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error) {
+func runBake(dockerCli command.Cli, targets []string, in bakeOptions, cFlags commonFlags) (err error) {
 	ctx := appcontext.Context()

 	ctx, end, err := tracing.TraceCurrentCommand(ctx, "bake")
@@ -40,11 +57,11 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 	cmdContext := "cwd://"

 	if len(targets) > 0 {
-		if bake.IsRemoteURL(targets[0]) {
+		if build.IsRemoteURL(targets[0]) {
 			url = targets[0]
 			targets = targets[1:]
 			if len(targets) > 0 {
-				if bake.IsRemoteURL(targets[0]) {
+				if build.IsRemoteURL(targets[0]) {
 					cmdContext = targets[0]
 					targets = targets[1:]
 				}
@@ -65,17 +82,58 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 	} else if in.exportLoad {
 		overrides = append(overrides, "*.output=type=docker")
 	}
-	if in.noCache != nil {
-		overrides = append(overrides, fmt.Sprintf("*.no-cache=%t", *in.noCache))
+	if cFlags.noCache != nil {
+		overrides = append(overrides, fmt.Sprintf("*.no-cache=%t", *cFlags.noCache))
 	}
-	if in.pull != nil {
-		overrides = append(overrides, fmt.Sprintf("*.pull=%t", *in.pull))
+	if cFlags.pull != nil {
+		overrides = append(overrides, fmt.Sprintf("*.pull=%t", *cFlags.pull))
+	}
+	if in.sbom != "" {
+		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("sbom", in.sbom)))
+	}
+	if in.provenance != "" {
+		overrides = append(overrides, fmt.Sprintf("*.attest=%s", buildflags.CanonicalizeAttest("provenance", in.provenance)))
 	}
 	contextPathHash, _ := os.Getwd()

 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
-	printer := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, in.progress)
+
+	var nodes []builder.Node
+	var progressConsoleDesc, progressTextDesc string
+
+	// instance only needed for reading remote bake files or building
+	if url != "" || !in.printOnly {
+		b, err := builder.New(dockerCli,
+			builder.WithName(in.builder),
+			builder.WithContextPathHash(contextPathHash),
+		)
+		if err != nil {
+			return err
+		}
+		if err = updateLastActivity(dockerCli, b.NodeGroup); err != nil {
+			return errors.Wrapf(err, "failed to update builder last activity time")
+		}
+		nodes, err = b.LoadNodes(ctx)
+		if err != nil {
+			return err
+		}
+		progressConsoleDesc = fmt.Sprintf("%s:%s", b.Driver, b.Name)
+		progressTextDesc = fmt.Sprintf("building with %q instance using %s driver", b.Name, b.Driver)
+	}
+
+	var term bool
+	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
+		term = true
+	}
+
+	progressMode := progressui.DisplayMode(cFlags.progress)
+	printer, err := progress.NewPrinter(ctx2, os.Stderr, progressMode,
+		progress.WithDesc(progressTextDesc, progressConsoleDesc),
+	)
+	if err != nil {
+		return err
+	}

 	defer func() {
 		if printer != nil {
@@ -83,29 +141,24 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 			if err == nil {
 				err = err1
 			}
+			if err == nil && progressMode != progressui.QuietMode {
+				desktop.PrintBuildDetails(os.Stderr, printer.BuildRefs(), term)
+			}
 		}
 	}()

-	dis, err := getInstanceOrDefault(ctx, dockerCli, in.builder, contextPathHash)
+	files, inp, err := readBakeFiles(ctx, nodes, url, in.files, dockerCli.In(), printer)
 	if err != nil {
 		return err
 	}

-	var files []bake.File
-	var inp *bake.Input
-
-	if url != "" {
-		files, inp, err = bake.ReadRemoteFiles(ctx, dis, url, in.files, printer)
-	} else {
-		files, err = bake.ReadLocalFiles(in.files)
-	}
-	if err != nil {
-		return err
+	if len(files) == 0 {
+		return errors.New("couldn't find a bake definition")
 	}

 	tgts, grps, err := bake.ReadTargets(ctx, files, targets, overrides, map[string]string{
 		// don't forget to update documentation if you add a new
-		// built-in variable: docs/guides/bake/file-definition.md#built-in-variables
+		// built-in variable: docs/bake-reference.md#built-in-variables
 		"BAKE_CMD_CONTEXT":    cmdContext,
 		"BAKE_LOCAL_PLATFORM": platforms.DefaultString(),
 	})
@@ -113,26 +166,35 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		return err
 	}

+	if v := os.Getenv("SOURCE_DATE_EPOCH"); v != "" {
+		// TODO: extract env var parsing to a method easily usable by library consumers
+		for _, t := range tgts {
+			if _, ok := t.Args["SOURCE_DATE_EPOCH"]; ok {
+				continue
+			}
+			if t.Args == nil {
+				t.Args = map[string]*string{}
+			}
+			t.Args["SOURCE_DATE_EPOCH"] = &v
+		}
+	}
+
 	// this function can update target context string from the input so call before printOnly check
 	bo, err := bake.TargetsToBuildOpt(tgts, inp)
 	if err != nil {
 		return err
 	}

+	def := struct {
+		Group  map[string]*bake.Group  `json:"group,omitempty"`
+		Target map[string]*bake.Target `json:"target"`
+	}{
+		Group:  grps,
+		Target: tgts,
+	}
+
 	if in.printOnly {
-		var defg map[string]*bake.Group
-		if len(grps) == 1 {
-			defg = map[string]*bake.Group{
-				"default": grps[0],
-			}
-		}
-		dt, err := json.MarshalIndent(struct {
-			Group  map[string]*bake.Group  `json:"group,omitempty"`
-			Target map[string]*bake.Target `json:"target"`
-		}{
-			defg,
-			tgts,
-		}, "", "  ")
+		dt, err := json.MarshalIndent(def, "", "  ")
 		if err != nil {
 			return err
 		}
@@ -145,7 +207,29 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error
 		return nil
 	}

-	resp, err := build.Build(ctx, dis, bo, dockerAPI(dockerCli), confutil.ConfigDir(dockerCli), printer)
+	// local state group
+	groupRef := identity.NewID()
+	var refs []string
+	for k, b := range bo {
+		b.Ref = identity.NewID()
+		b.GroupRef = groupRef
+		refs = append(refs, b.Ref)
+		bo[k] = b
+	}
+	dt, err := json.Marshal(def)
+	if err != nil {
+		return err
+	}
+	if err := saveLocalStateGroup(dockerCli, groupRef, localstate.StateGroup{
+		Definition: dt,
+		Targets:    targets,
+		Inputs:     overrides,
+		Refs:       refs,
+	}); err != nil {
+		return err
+	}
+
+	resp, err := build.Build(ctx, nodes, bo, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), printer)
 	if err != nil {
 		return wrapBuildError(err, true)
 	}
@@ -165,6 +249,7 @@ func runBake(dockerCli command.Cli, targets []string, in bakeOptions) (err error

 func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	var options bakeOptions
+	var cFlags commonFlags

 	cmd := &cobra.Command{
 		Use:     "bake [OPTIONS] [TARGET...]",
@@ -173,14 +258,17 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// reset to nil to avoid override is unset
 			if !cmd.Flags().Lookup("no-cache").Changed {
-				options.noCache = nil
+				cFlags.noCache = nil
 			}
 			if !cmd.Flags().Lookup("pull").Changed {
-				options.pull = nil
+				cFlags.pull = nil
 			}
-			options.commonOptions.builder = rootOpts.builder
-			return runBake(dockerCli, args, options)
+			options.builder = rootOpts.builder
+			options.metadataFile = cFlags.metadataFile
+			// Other common flags (noCache, pull and progress) are processed in runBake function.
+			return runBake(dockerCli, args, options, cFlags)
 		},
+		ValidArgsFunction: completion.BakeTargets(options.files),
 	}

 	flags := cmd.Flags()
@@ -189,9 +277,58 @@ func bakeCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.BoolVar(&options.exportLoad, "load", false, `Shorthand for "--set=*.output=type=docker"`)
 	flags.BoolVar(&options.printOnly, "print", false, "Print the options without building")
 	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--set=*.output=type=registry"`)
+	flags.StringVar(&options.sbom, "sbom", "", `Shorthand for "--set=*.attest=type=sbom"`)
+	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--set=*.attest=type=provenance"`)
 	flags.StringArrayVar(&options.overrides, "set", nil, `Override target value (e.g., "targetpattern.key=value")`)

-	commonBuildFlags(&options.commonOptions, flags)
+	commonBuildFlags(&cFlags, flags)

 	return cmd
 }
+
+func saveLocalStateGroup(dockerCli command.Cli, ref string, lsg localstate.StateGroup) error {
+	l, err := localstate.New(confutil.ConfigDir(dockerCli))
+	if err != nil {
+		return err
+	}
+	return l.SaveGroup(ref, lsg)
+}
+
+func readBakeFiles(ctx context.Context, nodes []builder.Node, url string, names []string, stdin io.Reader, pw progress.Writer) (files []bake.File, inp *bake.Input, err error) {
+	var lnames []string
+	var rnames []string
+	for _, v := range names {
+		if strings.HasPrefix(v, "cwd://") {
+			lnames = append(lnames, strings.TrimPrefix(v, "cwd://"))
+		} else {
+			rnames = append(rnames, v)
+		}
+	}
+
+	if url != "" {
+		var rfiles []bake.File
+		rfiles, inp, err = bake.ReadRemoteFiles(ctx, nodes, url, rnames, pw)
+		if err != nil {
+			return nil, nil, err
+		}
+		files = append(files, rfiles...)
+	}
+
+	if len(lnames) > 0 || url == "" {
+		var lfiles []bake.File
+		progress.Wrap("[internal] load local bake definitions", pw.Write, func(sub progress.SubLogger) error {
+			if url != "" {
+				lfiles, err = bake.ReadLocalFiles(lnames, stdin, sub)
+			} else {
+				lfiles, err = bake.ReadLocalFiles(append(lnames, rnames...), stdin, sub)
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, nil, err
+		}
+		files = append(files, lfiles...)
+	}
+
+	return
+}
--- a/commands/build.go
+++ b/commands/build.go
--- a/commands/create.go
+++ b/commands/create.go
@@ -10,13 +10,20 @@ import (
 	"strings"
 	"time"

+	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/driver"
+	k8sutil "github.com/docker/buildx/driver/kubernetes/util"
+	remoteutil "github.com/docker/buildx/driver/remote/util"
+	"github.com/docker/buildx/localstate"
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	dopts "github.com/docker/cli/opts"
 	"github.com/google/shlex"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/pkg/errors"
@@ -65,6 +72,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	if err != nil {
 		return err
 	}
+	// Ensure the file lock gets released no matter what happens.
 	defer release()

 	name := in.name
@@ -115,7 +123,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 			if len(args) > 0 {
 				arg = args[0]
 			}
-			f, err := driver.GetDefaultFactory(ctx, arg, dockerCli.Client(), true)
+			f, err := driver.GetDefaultFactory(ctx, arg, dockerCli.Client(), true, nil)
 			if err != nil {
 				return err
 			}
@@ -165,18 +173,34 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		if err := ng.Leave(in.nodeName); err != nil {
 			return err
 		}
+		ls, err := localstate.New(confutil.ConfigDir(dockerCli))
+		if err != nil {
+			return err
+		}
+		if err := ls.RemoveBuilderNode(ng.Name, in.nodeName); err != nil {
+			return err
+		}
 	} else {
 		switch {
 		case driverName == "kubernetes":
 			if len(args) > 0 {
 				logrus.Warnf("kubernetes driver does not support endpoint args %q", args[0])
 			}
+			// generate node name if not provided to avoid duplicated endpoint
+			// error: https://github.com/docker/setup-buildx-action/issues/215
+			nodeName := in.nodeName
+			if nodeName == "" {
+				nodeName, err = k8sutil.GenerateNodeName(name, txn)
+				if err != nil {
+					return err
+				}
+			}
 			// naming endpoint to make --append works
 			ep = (&url.URL{
 				Scheme: driverName,
-				Path:   "/" + in.name,
+				Path:   "/" + name,
 				RawQuery: (&url.Values{
-					"deployment": {in.nodeName},
+					"deployment": {nodeName},
 					"kubeconfig": {os.Getenv("KUBECONFIG")},
 				}).Encode(),
 			}).String()
@@ -204,7 +228,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 			if dockerCli.CurrentContext() == "default" && dockerCli.DockerEndpoint().TLSData != nil {
 				return errors.Errorf("could not create a builder instance with TLS data loaded from environment. Please use `docker context create <context-name>` to create a context for current environment and then create a builder instance with `docker buildx create <context-name>`")
 			}
-			ep, err = storeutil.GetCurrentEndpoint(dockerCli)
+			ep, err = dockerutil.GetCurrentEndpoint(dockerCli)
 			if err != nil {
 				return err
 			}
@@ -234,17 +258,26 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		return err
 	}

-	ngi := &nginfo{ng: ng}
+	b, err := builder.New(dockerCli,
+		builder.WithName(ng.Name),
+		builder.WithStore(txn),
+		builder.WithSkippedValidation(),
+	)
+	if err != nil {
+		return err
+	}

 	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
 	defer cancel()

-	if err = loadNodeGroupData(timeoutCtx, dockerCli, ngi); err != nil {
+	nodes, err := b.LoadNodes(timeoutCtx, builder.WithData())
+	if err != nil {
 		return err
 	}
-	for _, info := range ngi.drivers {
-		if err := info.di.Err; err != nil {
-			err := errors.Errorf("failed to initialize builder %s (%s): %s", ng.Name, info.di.Name, err)
+
+	for _, node := range nodes {
+		if err := node.Err; err != nil {
+			err := errors.Errorf("failed to initialize builder %s (%s): %s", ng.Name, node.Name, err)
 			var err2 error
 			if ngOriginal == nil {
 				err2 = txn.Remove(ng.Name)
@@ -259,7 +292,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	}

 	if in.use && ep != "" {
-		current, err := storeutil.GetCurrentEndpoint(dockerCli)
+		current, err := dockerutil.GetCurrentEndpoint(dockerCli)
 		if err != nil {
 			return err
 		}
@@ -268,8 +301,12 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}

+	// The store is no longer used from this point.
+	// Release it so we aren't holding the file lock during the boot.
+	release()
+
 	if in.bootstrap {
-		if _, err = boot(ctx, ngi); err != nil {
+		if _, err = b.Boot(ctx); err != nil {
 			return err
 		}
 	}
@@ -296,6 +333,7 @@ func createCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runCreate(dockerCli, options, args)
 		},
+		ValidArgsFunction: completion.Disable,
 	}

 	flags := cmd.Flags()
@@ -340,3 +378,27 @@ func csvToMap(in []string) (map[string]string, error) {
 	}
 	return m, nil
 }
+
+// validateEndpoint validates that endpoint is either a context or a docker host
+func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
+	dem, err := dockerutil.GetDockerEndpoint(dockerCli, ep)
+	if err == nil && dem != nil {
+		if ep == "default" {
+			return dem.Host, nil
+		}
+		return ep, nil
+	}
+	h, err := dopts.ParseHost(true, ep)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to parse endpoint %s", ep)
+	}
+	return h, nil
+}
+
+// validateBuildkitEndpoint validates that endpoint is a valid buildkit host
+func validateBuildkitEndpoint(ep string) (string, error) {
+	if err := remoteutil.IsValidEndpoint(ep); err != nil {
+		return "", err
+	}
+	return ep, nil
+}
--- a/commands/debug/root.go
+++ b/commands/debug/root.go
@@ -0,0 +1,96 @@
+package debug
+
+import (
+	"context"
+	"os"
+	"runtime"
+
+	"github.com/containerd/console"
+	"github.com/docker/buildx/controller"
+	"github.com/docker/buildx/controller/control"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/monitor"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/util/progress/progressui"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+)
+
+// DebugConfig is a user-specified configuration for the debugger.
+type DebugConfig struct {
+	// InvokeFlag is a flag to configure the launched debugger and the commaned executed on the debugger.
+	InvokeFlag string
+
+	// OnFlag is a flag to configure the timing of launching the debugger.
+	OnFlag string
+}
+
+// DebuggableCmd is a command that supports debugger with recognizing the user-specified DebugConfig.
+type DebuggableCmd interface {
+	// NewDebugger returns the new *cobra.Command with support for the debugger with recognizing DebugConfig.
+	NewDebugger(*DebugConfig) *cobra.Command
+}
+
+func RootCmd(dockerCli command.Cli, children ...DebuggableCmd) *cobra.Command {
+	var controlOptions control.ControlOptions
+	var progressMode string
+	var options DebugConfig
+
+	cmd := &cobra.Command{
+		Use:   "debug",
+		Short: "Start debugger",
+		Args:  cobra.NoArgs,
+		Annotations: map[string]string{
+			"experimentalCLI": "",
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			printer, err := progress.NewPrinter(context.TODO(), os.Stderr, progressui.DisplayMode(progressMode))
+			if err != nil {
+				return err
+			}
+
+			ctx := context.TODO()
+			c, err := controller.NewController(ctx, controlOptions, dockerCli, printer)
+			if err != nil {
+				return err
+			}
+			defer func() {
+				if err := c.Close(); err != nil {
+					logrus.Warnf("failed to close server connection %v", err)
+				}
+			}()
+			con := console.Current()
+			if err := con.SetRaw(); err != nil {
+				return errors.Errorf("failed to configure terminal: %v", err)
+			}
+
+			_, err = monitor.RunMonitor(ctx, "", nil, controllerapi.InvokeConfig{
+				Tty: true,
+			}, c, dockerCli.In(), os.Stdout, os.Stderr, printer)
+			con.Reset()
+			return err
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&options.InvokeFlag, "invoke", "", "Launch a monitor with executing specified command")
+	flags.SetAnnotation("invoke", "experimentalCLI", nil)
+	flags.StringVar(&options.OnFlag, "on", "error", "When to launch the monitor ([always, error])")
+	flags.SetAnnotation("on", "experimentalCLI", nil)
+
+	flags.StringVar(&controlOptions.Root, "root", "", "Specify root directory of server to connect for the monitor")
+	flags.SetAnnotation("root", "experimentalCLI", nil)
+	flags.BoolVar(&controlOptions.Detach, "detach", runtime.GOOS == "linux", "Detach buildx server for the monitor (supported only on linux)")
+	flags.SetAnnotation("detach", "experimentalCLI", nil)
+	flags.StringVar(&controlOptions.ServerConfig, "server-config", "", "Specify buildx server config file for the monitor (used only when launching new server)")
+	flags.SetAnnotation("server-config", "experimentalCLI", nil)
+	flags.StringVar(&progressMode, "progress", "auto", `Set type of progress output ("auto", "plain", "tty") for the monitor. Use plain to show container output`)
+
+	for _, c := range children {
+		cmd.AddCommand(c.NewDebugger(&options))
+	}
+
+	return cmd
+}
--- a/commands/diskusage.go
+++ b/commands/diskusage.go
@@ -8,7 +8,8 @@ import (
 	"text/tabwriter"
 	"time"

-	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/opts"
@@ -33,25 +34,29 @@ func runDiskUsage(dockerCli command.Cli, opts duOptions) error {
 		return err
 	}

-	dis, err := getInstanceOrDefault(ctx, dockerCli, opts.builder, "")
+	b, err := builder.New(dockerCli, builder.WithName(opts.builder))
 	if err != nil {
 		return err
 	}

-	for _, di := range dis {
-		if di.Err != nil {
-			return err
+	nodes, err := b.LoadNodes(ctx)
+	if err != nil {
+		return err
+	}
+	for _, node := range nodes {
+		if node.Err != nil {
+			return node.Err
 		}
 	}

-	out := make([][]*client.UsageInfo, len(dis))
+	out := make([][]*client.UsageInfo, len(nodes))

 	eg, ctx := errgroup.WithContext(ctx)
-	for i, di := range dis {
-		func(i int, di build.DriverInfo) {
+	for i, node := range nodes {
+		func(i int, node builder.Node) {
 			eg.Go(func() error {
-				if di.Driver != nil {
-					c, err := di.Driver.Client(ctx)
+				if node.Driver != nil {
+					c, err := node.Driver.Client(ctx)
 					if err != nil {
 						return err
 					}
@@ -64,7 +69,7 @@ func runDiskUsage(dockerCli command.Cli, opts duOptions) error {
 				}
 				return nil
 			})
-		}(i, di)
+		}(i, node)
 	}

 	if err := eg.Wait(); err != nil {
@@ -111,6 +116,7 @@ func duCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			options.builder = rootOpts.builder
 			return runDiskUsage(dockerCli, options)
 		},
+		ValidArgsFunction: completion.Disable,
 	}

 	flags := cmd.Flags()
--- a/commands/imagetools/create.go
+++ b/commands/imagetools/create.go
@@ -7,13 +7,14 @@ import (
 	"os"
 	"strings"

-	"github.com/docker/buildx/store"
-	"github.com/docker/buildx/store/storeutil"
+	"github.com/distribution/reference"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/buildx/util/progress"
 	"github.com/docker/cli/cli/command"
-	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/appcontext"
+	"github.com/moby/buildkit/util/progress/progressui"
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
@@ -25,6 +26,7 @@ type createOptions struct {
 	builder      string
 	files        []string
 	tags         []string
+	annotations  []string
 	dryrun       bool
 	actionAppend bool
 	progress     string
@@ -90,47 +92,34 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 	}

 	for i, s := range srcs {
-		if s.Ref == nil && s.Desc.MediaType == "" && s.Desc.Digest != "" {
+		if s.Ref == nil {
 			if defaultRepo == nil {
 				return errors.Errorf("multiple repositories specified, cannot infer repository for %q", args[i])
 			}
-
 			n, err := reference.ParseNormalizedNamed(*defaultRepo)
 			if err != nil {
 				return err
 			}
-			r, err := reference.WithDigest(n, s.Desc.Digest)
-			if err != nil {
-				return err
+			if s.Desc.MediaType == "" && s.Desc.Digest != "" {
+				r, err := reference.WithDigest(n, s.Desc.Digest)
+				if err != nil {
+					return err
+				}
+				srcs[i].Ref = r
+				sourceRefs = true
+			} else {
+				srcs[i].Ref = reference.TagNameOnly(n)
 			}
-			srcs[i].Ref = r
-			sourceRefs = true
 		}
 	}

 	ctx := appcontext.Context()

-	txn, release, err := storeutil.GetStore(dockerCli)
+	b, err := builder.New(dockerCli, builder.WithName(in.builder))
 	if err != nil {
 		return err
 	}
-	defer release()
-
-	var ng *store.NodeGroup
-
-	if in.builder != "" {
-		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
-		if err != nil {
-			return err
-		}
-	} else {
-		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
-		if err != nil {
-			return err
-		}
-	}
-
-	imageopt, err := storeutil.GetImageConfig(dockerCli, ng)
+	imageopt, err := b.ImageOpt()
 	if err != nil {
 		return err
 	}
@@ -167,7 +156,7 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {
 		}
 	}

-	dt, desc, err := r.Combine(ctx, srcs)
+	dt, desc, err := r.Combine(ctx, srcs, in.annotations)
 	if err != nil {
 		return err
 	}
@@ -182,7 +171,10 @@ func runCreate(dockerCli command.Cli, in createOptions, args []string) error {

 	ctx2, cancel := context.WithCancel(context.TODO())
 	defer cancel()
-	printer := progress.NewPrinter(ctx2, os.Stderr, os.Stderr, in.progress)
+	printer, err := progress.NewPrinter(ctx2, os.Stderr, progressui.DisplayMode(in.progress))
+	if err != nil {
+		return err
+	}

 	eg, _ := errgroup.WithContext(ctx)
 	pw := progress.WithPrefix(printer, "internal", true)
@@ -284,6 +276,7 @@ func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 			options.builder = *opts.Builder
 			return runCreate(dockerCli, options, args)
 		},
+		ValidArgsFunction: completion.Disable,
 	}

 	flags := cmd.Flags()
@@ -292,6 +285,7 @@ func createCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	flags.BoolVar(&options.dryrun, "dry-run", false, "Show final image instead of pushing")
 	flags.BoolVar(&options.actionAppend, "append", false, "Append to existing manifest")
 	flags.StringVar(&options.progress, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
+	flags.StringArrayVarP(&options.annotations, "annotation", "", []string{}, "Add annotation to the image")

 	return cmd
 }
--- a/commands/imagetools/inspect.go
+++ b/commands/imagetools/inspect.go
@@ -1,8 +1,8 @@
 package commands

 import (
-	"github.com/docker/buildx/store"
-	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/imagetools"
 	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
@@ -25,27 +25,11 @@ func runInspect(dockerCli command.Cli, in inspectOptions, name string) error {
 		return errors.Errorf("format and raw cannot be used together")
 	}

-	txn, release, err := storeutil.GetStore(dockerCli)
+	b, err := builder.New(dockerCli, builder.WithName(in.builder))
 	if err != nil {
 		return err
 	}
-	defer release()
-
-	var ng *store.NodeGroup
-
-	if in.builder != "" {
-		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
-		if err != nil {
-			return err
-		}
-	} else {
-		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
-		if err != nil {
-			return err
-		}
-	}
-
-	imageopt, err := storeutil.GetImageConfig(dockerCli, ng)
+	imageopt, err := b.ImageOpt()
 	if err != nil {
 		return err
 	}
@@ -69,6 +53,7 @@ func inspectCmd(dockerCli command.Cli, rootOpts RootOptions) *cobra.Command {
 			options.builder = *rootOpts.Builder
 			return runInspect(dockerCli, options, args[0])
 		},
+		ValidArgsFunction: completion.Disable,
 	}

 	flags := cmd.Flags()
--- a/commands/imagetools/root.go
+++ b/commands/imagetools/root.go
@@ -1,6 +1,7 @@
 package commands

 import (
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli/command"
 	"github.com/spf13/cobra"
 )
@@ -11,8 +12,9 @@ type RootOptions struct {

 func RootCmd(dockerCli command.Cli, opts RootOptions) *cobra.Command {
 	cmd := &cobra.Command{
-		Use:   "imagetools",
-		Short: "Commands to work on images in registry",
+		Use:               "imagetools",
+		Short:             "Commands to work on images in registry",
+		ValidArgsFunction: completion.Disable,
 	}

 	cmd.AddCommand(
--- a/commands/inspect.go
+++ b/commands/inspect.go
@@ -4,15 +4,19 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"sort"
 	"strings"
 	"text/tabwriter"
 	"time"

-	"github.com/docker/buildx/store"
-	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/driver"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/debug"
+	"github.com/docker/go-units"
 	"github.com/moby/buildkit/util/appcontext"
 	"github.com/spf13/cobra"
 )
@@ -25,71 +29,46 @@ type inspectOptions struct {
 func runInspect(dockerCli command.Cli, in inspectOptions) error {
 	ctx := appcontext.Context()

-	txn, release, err := storeutil.GetStore(dockerCli)
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.builder),
+		builder.WithSkippedValidation(),
+	)
 	if err != nil {
 		return err
 	}
-	defer release()
-
-	var ng *store.NodeGroup
-
-	if in.builder != "" {
-		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
-		if err != nil {
-			return err
-		}
-	} else {
-		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
-		if err != nil {
-			return err
-		}
-	}
-
-	if ng == nil {
-		ng = &store.NodeGroup{
-			Name: "default",
-			Nodes: []store.Node{{
-				Name:     "default",
-				Endpoint: "default",
-			}},
-		}
-	}
-
-	ngi := &nginfo{ng: ng}

 	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
 	defer cancel()

-	err = loadNodeGroupData(timeoutCtx, dockerCli, ngi)
-
-	var bootNgi *nginfo
+	nodes, err := b.LoadNodes(timeoutCtx, builder.WithData())
 	if in.bootstrap {
 		var ok bool
-		ok, err = boot(ctx, ngi)
+		ok, err = b.Boot(ctx)
 		if err != nil {
 			return err
 		}
-		bootNgi = ngi
 		if ok {
-			ngi = &nginfo{ng: ng}
-			err = loadNodeGroupData(ctx, dockerCli, ngi)
+			nodes, err = b.LoadNodes(timeoutCtx, builder.WithData())
 		}
 	}

 	w := tabwriter.NewWriter(os.Stdout, 0, 0, 1, ' ', 0)
-	fmt.Fprintf(w, "Name:\t%s\n", ngi.ng.Name)
-	fmt.Fprintf(w, "Driver:\t%s\n", ngi.ng.Driver)
+	fmt.Fprintf(w, "Name:\t%s\n", b.Name)
+	fmt.Fprintf(w, "Driver:\t%s\n", b.Driver)
+	if !b.NodeGroup.LastActivity.IsZero() {
+		fmt.Fprintf(w, "Last Activity:\t%v\n", b.NodeGroup.LastActivity)
+	}

 	if err != nil {
 		fmt.Fprintf(w, "Error:\t%s\n", err.Error())
-	} else if ngi.err != nil {
-		fmt.Fprintf(w, "Error:\t%s\n", ngi.err.Error())
+	} else if b.Err() != nil {
+		fmt.Fprintf(w, "Error:\t%s\n", b.Err().Error())
 	}
 	if err == nil {
 		fmt.Fprintln(w, "")
 		fmt.Fprintln(w, "Nodes:")

-		for i, n := range ngi.ng.Nodes {
+		for i, n := range nodes {
 			if i != 0 {
 				fmt.Fprintln(w, "")
 			}
@@ -104,21 +83,52 @@ func runInspect(dockerCli command.Cli, in inspectOptions) error {
 				fmt.Fprintf(w, "Driver Options:\t%s\n", strings.Join(driverOpts, " "))
 			}

-			if err := ngi.drivers[i].di.Err; err != nil {
+			if err := n.Err; err != nil {
 				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
-			} else if err := ngi.drivers[i].err; err != nil {
-				fmt.Fprintf(w, "Error:\t%s\n", err.Error())
-			} else if bootNgi != nil && len(bootNgi.drivers) > i && bootNgi.drivers[i].err != nil {
-				fmt.Fprintf(w, "Error:\t%s\n", bootNgi.drivers[i].err.Error())
 			} else {
-				fmt.Fprintf(w, "Status:\t%s\n", ngi.drivers[i].info.Status)
+				fmt.Fprintf(w, "Status:\t%s\n", nodes[i].DriverInfo.Status)
 				if len(n.Flags) > 0 {
 					fmt.Fprintf(w, "Flags:\t%s\n", strings.Join(n.Flags, " "))
 				}
-				if ngi.drivers[i].version != "" {
-					fmt.Fprintf(w, "Buildkit:\t%s\n", ngi.drivers[i].version)
+				if nodes[i].Version != "" {
+					fmt.Fprintf(w, "Buildkit:\t%s\n", nodes[i].Version)
+				}
+				platforms := platformutil.FormatInGroups(n.Node.Platforms, n.Platforms)
+				if len(platforms) > 0 {
+					fmt.Fprintf(w, "Platforms:\t%s\n", strings.Join(platforms, ", "))
+				}
+				if debug.IsEnabled() {
+					fmt.Fprintf(w, "Features:\n")
+					features := nodes[i].Driver.Features(ctx)
+					featKeys := make([]string, 0, len(features))
+					for k := range features {
+						featKeys = append(featKeys, string(k))
+					}
+					sort.Strings(featKeys)
+					for _, k := range featKeys {
+						fmt.Fprintf(w, "\t%s:\t%t\n", k, features[driver.Feature(k)])
+					}
+				}
+				if len(nodes[i].Labels) > 0 {
+					fmt.Fprintf(w, "Labels:\n")
+					for _, k := range sortedKeys(nodes[i].Labels) {
+						v := nodes[i].Labels[k]
+						fmt.Fprintf(w, "\t%s:\t%s\n", k, v)
+					}
+				}
+				for ri, rule := range nodes[i].GCPolicy {
+					fmt.Fprintf(w, "GC Policy rule#%d:\n", ri)
+					fmt.Fprintf(w, "\tAll:\t%v\n", rule.All)
+					if len(rule.Filter) > 0 {
+						fmt.Fprintf(w, "\tFilters:\t%s\n", strings.Join(rule.Filter, " "))
+					}
+					if rule.KeepDuration > 0 {
+						fmt.Fprintf(w, "\tKeep Duration:\t%v\n", rule.KeepDuration.String())
+					}
+					if rule.KeepBytes > 0 {
+						fmt.Fprintf(w, "\tKeep Bytes:\t%s\n", units.BytesSize(float64(rule.KeepBytes)))
+					}
 				}
-				fmt.Fprintf(w, "Platforms:\t%s\n", strings.Join(platformutil.FormatInGroups(n.Platforms, ngi.drivers[i].platforms), ", "))
 			}
 		}
 	}
@@ -142,6 +152,7 @@ func inspectCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			}
 			return runInspect(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}

 	flags := cmd.Flags()
@@ -149,3 +160,14 @@ func inspectCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {

 	return cmd
 }
+
+func sortedKeys(m map[string]string) []string {
+	s := make([]string, len(m))
+	i := 0
+	for k := range m {
+		s[i] = k
+		i++
+	}
+	sort.Strings(s)
+	return s
+}
--- a/commands/install.go
+++ b/commands/install.go
@@ -4,6 +4,7 @@ import (
 	"os"

 	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
@@ -46,7 +47,8 @@ func installCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runInstall(dockerCli, options)
 		},
-		Hidden: true,
+		Hidden:            true,
+		ValidArgsFunction: completion.Disable,
 	}

 	// hide builder persistent flag for this command
--- a/commands/ls.go
+++ b/commands/ls.go
@@ -4,14 +4,14 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"sort"
 	"strings"
 	"text/tabwriter"
 	"time"

-	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/store/storeutil"
 	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/platformutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -32,52 +32,24 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 	}
 	defer release()

-	ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	current, err := storeutil.GetCurrentInstance(txn, dockerCli)
+	if err != nil {
+		return err
+	}
+
+	builders, err := builder.GetBuilders(dockerCli, txn)
+	if err != nil {
+		return err
+	}
+
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
 	defer cancel()

-	ll, err := txn.List()
-	if err != nil {
-		return err
-	}
-
-	builders := make([]*nginfo, len(ll))
-	for i, ng := range ll {
-		builders[i] = &nginfo{ng: ng}
-	}
-
-	contexts, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return err
-	}
-	sort.Slice(contexts, func(i, j int) bool {
-		return contexts[i].Name < contexts[j].Name
-	})
-	for _, c := range contexts {
-		ngi := &nginfo{ng: &store.NodeGroup{
-			Name: c.Name,
-			Nodes: []store.Node{{
-				Name:     c.Name,
-				Endpoint: c.Name,
-			}},
-		}}
-		// if a context has the same name as an instance from the store, do not
-		// add it to the builders list. An instance from the store takes
-		// precedence over context builders.
-		if hasNodeGroup(builders, ngi) {
-			continue
-		}
-		builders = append(builders, ngi)
-	}
-
-	eg, _ := errgroup.WithContext(ctx)
-
+	eg, _ := errgroup.WithContext(timeoutCtx)
 	for _, b := range builders {
-		func(b *nginfo) {
+		func(b *builder.Builder) {
 			eg.Go(func() error {
-				err = loadNodeGroupData(ctx, dockerCli, b)
-				if b.err == nil && err != nil {
-					b.err = err
-				}
+				_, _ = b.LoadNodes(timeoutCtx, builder.WithData())
 				return nil
 			})
 		}(b)
@@ -87,29 +59,15 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 		return err
 	}

-	currentName := "default"
-	current, err := storeutil.GetCurrentInstance(txn, dockerCli)
-	if err != nil {
-		return err
-	}
-	if current != nil {
-		currentName = current.Name
-		if current.Name == "default" {
-			currentName = current.Nodes[0].Endpoint
-		}
-	}
-
 	w := tabwriter.NewWriter(dockerCli.Out(), 0, 0, 1, ' ', 0)
 	fmt.Fprintf(w, "NAME/NODE\tDRIVER/ENDPOINT\tSTATUS\tBUILDKIT\tPLATFORMS\n")

-	currentSet := false
 	printErr := false
 	for _, b := range builders {
-		if !currentSet && b.ng.Name == currentName {
-			b.ng.Name += " *"
-			currentSet = true
+		if current.Name == b.Name {
+			b.Name += " *"
 		}
-		if ok := printngi(w, b); !ok {
+		if ok := printBuilder(w, b); !ok {
 			printErr = true
 		}
 	}
@@ -119,19 +77,12 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 	if printErr {
 		_, _ = fmt.Fprintf(dockerCli.Err(), "\n")
 		for _, b := range builders {
-			if b.err != nil {
-				_, _ = fmt.Fprintf(dockerCli.Err(), "Cannot load builder %s: %s\n", b.ng.Name, strings.TrimSpace(b.err.Error()))
+			if b.Err() != nil {
+				_, _ = fmt.Fprintf(dockerCli.Err(), "Cannot load builder %s: %s\n", b.Name, strings.TrimSpace(b.Err().Error()))
 			} else {
-				for idx, n := range b.ng.Nodes {
-					d := b.drivers[idx]
-					var nodeErr string
-					if d.err != nil {
-						nodeErr = d.err.Error()
-					} else if d.di.Err != nil {
-						nodeErr = d.di.Err.Error()
-					}
-					if nodeErr != "" {
-						_, _ = fmt.Fprintf(dockerCli.Err(), "Failed to get status for %s (%s): %s\n", b.ng.Name, n.Name, strings.TrimSpace(nodeErr))
+				for _, d := range b.Nodes() {
+					if d.Err != nil {
+						_, _ = fmt.Fprintf(dockerCli.Err(), "Failed to get status for %s (%s): %s\n", b.Name, d.Name, strings.TrimSpace(d.Err.Error()))
 					}
 				}
 			}
@@ -141,26 +92,25 @@ func runLs(dockerCli command.Cli, in lsOptions) error {
 	return nil
 }

-func printngi(w io.Writer, ngi *nginfo) (ok bool) {
+func printBuilder(w io.Writer, b *builder.Builder) (ok bool) {
 	ok = true
 	var err string
-	if ngi.err != nil {
+	if b.Err() != nil {
 		ok = false
 		err = "error"
 	}
-	fmt.Fprintf(w, "%s\t%s\t%s\t\t\n", ngi.ng.Name, ngi.ng.Driver, err)
-	if ngi.err == nil {
-		for idx, n := range ngi.ng.Nodes {
-			d := ngi.drivers[idx]
+	fmt.Fprintf(w, "%s\t%s\t%s\t\t\n", b.Name, b.Driver, err)
+	if b.Err() == nil {
+		for _, n := range b.Nodes() {
 			var status string
-			if d.info != nil {
-				status = d.info.Status.String()
+			if n.DriverInfo != nil {
+				status = n.DriverInfo.Status.String()
 			}
-			if d.err != nil || d.di.Err != nil {
+			if n.Err != nil {
 				ok = false
 				fmt.Fprintf(w, "  %s\t%s\t%s\t\t\n", n.Name, n.Endpoint, "error")
 			} else {
-				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, d.version, strings.Join(platformutil.FormatInGroups(n.Platforms, d.platforms), ", "))
+				fmt.Fprintf(w, "  %s\t%s\t%s\t%s\t%s\n", n.Name, n.Endpoint, status, n.Version, strings.Join(platformutil.FormatInGroups(n.Node.Platforms, n.Platforms), ", "))
 			}
 		}
 	}
@@ -177,6 +127,7 @@ func lsCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runLs(dockerCli, options)
 		},
+		ValidArgsFunction: completion.Disable,
 	}

 	// hide builder persistent flag for this command
--- a/commands/print.go
+++ b/commands/print.go
@@ -1,48 +0,0 @@
-package commands
-
-import (
-	"fmt"
-	"io"
-	"log"
-	"os"
-
-	"github.com/docker/buildx/build"
-	"github.com/docker/docker/api/types/versions"
-	"github.com/moby/buildkit/frontend/subrequests"
-	"github.com/moby/buildkit/frontend/subrequests/outline"
-	"github.com/moby/buildkit/frontend/subrequests/targets"
-)
-
-func printResult(f *build.PrintFunc, res map[string]string) error {
-	switch f.Name {
-	case "outline":
-		return printValue(outline.PrintOutline, outline.SubrequestsOutlineDefinition.Version, f.Format, res)
-	case "targets":
-		return printValue(targets.PrintTargets, targets.SubrequestsTargetsDefinition.Version, f.Format, res)
-	case "subrequests.describe":
-		return printValue(subrequests.PrintDescribe, subrequests.SubrequestsDescribeDefinition.Version, f.Format, res)
-	default:
-		if dt, ok := res["result.txt"]; ok {
-			fmt.Print(dt)
-		} else {
-			log.Printf("%s %+v", f, res)
-		}
-	}
-	return nil
-}
-
-type printFunc func([]byte, io.Writer) error
-
-func printValue(printer printFunc, version string, format string, res map[string]string) error {
-	if format == "json" {
-		fmt.Fprintln(os.Stdout, res["result.json"])
-		return nil
-	}
-
-	if res["version"] != "" && versions.LessThan(version, res["version"]) && res["result.txt"] != "" {
-		// structure is too new and we don't know how to print it
-		fmt.Fprint(os.Stdout, res["result.txt"])
-		return nil
-	}
-	return printer([]byte(res["result.json"]), os.Stdout)
-}
--- a/commands/prune.go
+++ b/commands/prune.go
@@ -7,7 +7,8 @@ import (
 	"text/tabwriter"
 	"time"

-	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/opts"
@@ -54,14 +55,18 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 		return nil
 	}

-	dis, err := getInstanceOrDefault(ctx, dockerCli, opts.builder, "")
+	b, err := builder.New(dockerCli, builder.WithName(opts.builder))
 	if err != nil {
 		return err
 	}

-	for _, di := range dis {
-		if di.Err != nil {
-			return err
+	nodes, err := b.LoadNodes(ctx)
+	if err != nil {
+		return err
+	}
+	for _, node := range nodes {
+		if node.Err != nil {
+			return node.Err
 		}
 	}

@@ -90,11 +95,11 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 	}()

 	eg, ctx := errgroup.WithContext(ctx)
-	for _, di := range dis {
-		func(di build.DriverInfo) {
+	for _, node := range nodes {
+		func(node builder.Node) {
 			eg.Go(func() error {
-				if di.Driver != nil {
-					c, err := di.Driver.Client(ctx)
+				if node.Driver != nil {
+					c, err := node.Driver.Client(ctx)
 					if err != nil {
 						return err
 					}
@@ -109,7 +114,7 @@ func runPrune(dockerCli command.Cli, opts pruneOptions) error {
 				}
 				return nil
 			})
-		}(di)
+		}(node)
 	}

 	if err := eg.Wait(); err != nil {
@@ -135,6 +140,7 @@ func pruneCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			options.builder = rootOpts.builder
 			return runPrune(dockerCli, options)
 		},
+		ValidArgsFunction: completion.Disable,
 	}

 	flags := cmd.Flags()
--- a/commands/rm.go
+++ b/commands/rm.go
@@ -5,8 +5,10 @@ import (
 	"fmt"
 	"time"

+	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/store"
 	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
@@ -44,41 +46,33 @@ func runRm(dockerCli command.Cli, in rmOptions) error {
 		return rmAllInactive(ctx, txn, dockerCli, in)
 	}

-	var ng *store.NodeGroup
-	if in.builder != "" {
-		ng, err = storeutil.GetNodeGroup(txn, dockerCli, in.builder)
-		if err != nil {
-			return err
-		}
-	} else {
-		ng, err = storeutil.GetCurrentInstance(txn, dockerCli)
-		if err != nil {
-			return err
-		}
-	}
-	if ng == nil {
-		return nil
-	}
-
-	ctxbuilders, err := dockerCli.ContextStore().List()
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.builder),
+		builder.WithStore(txn),
+		builder.WithSkippedValidation(),
+	)
 	if err != nil {
 		return err
 	}
-	for _, cb := range ctxbuilders {
-		if ng.Driver == "docker" && len(ng.Nodes) == 1 && ng.Nodes[0].Endpoint == cb.Name {
-			return errors.Errorf("context builder cannot be removed, run `docker context rm %s` to remove this context", cb.Name)
-		}
+
+	nodes, err := b.LoadNodes(ctx)
+	if err != nil {
+		return err
 	}

-	err1 := rm(ctx, dockerCli, in, ng)
-	if err := txn.Remove(ng.Name); err != nil {
+	if cb := b.ContextName(); cb != "" {
+		return errors.Errorf("context builder cannot be removed, run `docker context rm %s` to remove this context", cb)
+	}
+
+	err1 := rm(ctx, nodes, in)
+	if err := txn.Remove(b.Name); err != nil {
 		return err
 	}
 	if err1 != nil {
 		return err1
 	}

-	_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", ng.Name)
+	_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.Name)
 	return nil
 }

@@ -99,6 +93,7 @@ func rmCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			}
 			return runRm(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}

 	flags := cmd.Flags()
@@ -110,61 +105,53 @@ func rmCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	return cmd
 }

-func rm(ctx context.Context, dockerCli command.Cli, in rmOptions, ng *store.NodeGroup) error {
-	dis, err := driversForNodeGroup(ctx, dockerCli, ng, "")
-	if err != nil {
-		return err
-	}
-	for _, di := range dis {
-		if di.Driver == nil {
+func rm(ctx context.Context, nodes []builder.Node, in rmOptions) (err error) {
+	for _, node := range nodes {
+		if node.Driver == nil {
 			continue
 		}
 		// Do not stop the buildkitd daemon when --keep-daemon is provided
 		if !in.keepDaemon {
-			if err := di.Driver.Stop(ctx, true); err != nil {
+			if err := node.Driver.Stop(ctx, true); err != nil {
 				return err
 			}
 		}
-		if err := di.Driver.Rm(ctx, true, !in.keepState, !in.keepDaemon); err != nil {
+		if err := node.Driver.Rm(ctx, true, !in.keepState, !in.keepDaemon); err != nil {
 			return err
 		}
-		if di.Err != nil {
-			err = di.Err
+		if node.Err != nil {
+			err = node.Err
 		}
 	}
 	return err
 }

 func rmAllInactive(ctx context.Context, txn *store.Txn, dockerCli command.Cli, in rmOptions) error {
-	ctx, cancel := context.WithTimeout(ctx, 20*time.Second)
-	defer cancel()
-
-	ll, err := txn.List()
+	builders, err := builder.GetBuilders(dockerCli, txn)
 	if err != nil {
 		return err
 	}

-	builders := make([]*nginfo, len(ll))
-	for i, ng := range ll {
-		builders[i] = &nginfo{ng: ng}
-	}
+	timeoutCtx, cancel := context.WithTimeout(ctx, 20*time.Second)
+	defer cancel()

-	eg, _ := errgroup.WithContext(ctx)
+	eg, _ := errgroup.WithContext(timeoutCtx)
 	for _, b := range builders {
-		func(b *nginfo) {
+		func(b *builder.Builder) {
 			eg.Go(func() error {
-				if err := loadNodeGroupData(ctx, dockerCli, b); err != nil {
-					return errors.Wrapf(err, "cannot load %s", b.ng.Name)
+				nodes, err := b.LoadNodes(timeoutCtx, builder.WithData())
+				if err != nil {
+					return errors.Wrapf(err, "cannot load %s", b.Name)
 				}
-				if b.ng.Dynamic {
+				if b.Dynamic {
 					return nil
 				}
-				if b.inactive() {
-					rmerr := rm(ctx, dockerCli, in, b.ng)
-					if err := txn.Remove(b.ng.Name); err != nil {
+				if b.Inactive() {
+					rmerr := rm(ctx, nodes, in)
+					if err := txn.Remove(b.Name); err != nil {
 						return err
 					}
-					_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.ng.Name)
+					_, _ = fmt.Fprintf(dockerCli.Err(), "%s removed\n", b.Name)
 					return rmerr
 				}
 				return nil
--- a/commands/root.go
+++ b/commands/root.go
@@ -3,12 +3,16 @@ package commands
 import (
 	"os"

+	debugcmd "github.com/docker/buildx/commands/debug"
 	imagetoolscmd "github.com/docker/buildx/commands/imagetools"
+	"github.com/docker/buildx/controller/remote"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/util/logutil"
 	"github.com/docker/cli-docs-tool/annotation"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli-plugins/plugin"
 	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/debug"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
@@ -22,6 +26,9 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		Annotations: map[string]string{
 			annotation.CodeDelimiter: `"`,
 		},
+		CompletionOptions: cobra.CompletionOptions{
+			HiddenDefaultCmd: true,
+		},
 	}
 	if isPlugin {
 		cmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
@@ -35,6 +42,11 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		cmd.TraverseChildren = true
 		cmd.DisableFlagsInUseLine = true
 		cli.DisableFlagsInUseLine(cmd)
+
+		// DEBUG=1 should perform the same as --debug at the docker root level
+		if debug.IsEnabled() {
+			debug.Enable()
+		}
 	}

 	logrus.SetFormatter(&logutil.Formatter{})
@@ -47,17 +59,6 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		"using default config store",
 	))

-	// filter out useless commandConn.CloseWrite warning message that can occur
-	// when listing builder instances with "buildx ls" for those that are
-	// unreachable: "commandConn.CloseWrite: commandconn: failed to wait: signal: killed"
-	// https://github.com/docker/cli/blob/3fb4fb83dfb5db0c0753a8316f21aea54dab32c5/cli/connhelper/commandconn/commandconn.go#L203-L214
-	logrus.AddHook(logutil.NewFilter([]logrus.Level{
-		logrus.WarnLevel,
-	},
-		"commandConn.CloseWrite:",
-		"commandConn.CloseRead:",
-	))
-
 	addCommands(cmd, dockerCli)
 	return cmd
 }
@@ -71,7 +72,7 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 	rootFlags(opts, cmd.PersistentFlags())

 	cmd.AddCommand(
-		buildCmd(dockerCli, opts),
+		buildCmd(dockerCli, opts, nil),
 		bakeCmd(dockerCli, opts),
 		createCmd(dockerCli),
 		rmCmd(dockerCli, opts),
@@ -86,6 +87,17 @@ func addCommands(cmd *cobra.Command, dockerCli command.Cli) {
 		duCmd(dockerCli, opts),
 		imagetoolscmd.RootCmd(dockerCli, imagetoolscmd.RootOptions{Builder: &opts.builder}),
 	)
+	if isExperimental() {
+		cmd.AddCommand(debugcmd.RootCmd(dockerCli,
+			newDebuggableBuild(dockerCli, opts),
+		))
+		remote.AddControllerCommands(cmd, dockerCli)
+	}
+
+	cmd.RegisterFlagCompletionFunc( //nolint:errcheck
+		"builder",
+		completion.BuilderNames(dockerCli),
+	)
 }

 func rootFlags(options *rootOptions, flags *pflag.FlagSet) {
--- a/commands/stop.go
+++ b/commands/stop.go
@@ -3,8 +3,8 @@ package commands
 import (
 	"context"

-	"github.com/docker/buildx/store"
-	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/builder"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/moby/buildkit/util/appcontext"
@@ -18,32 +18,19 @@ type stopOptions struct {
 func runStop(dockerCli command.Cli, in stopOptions) error {
 	ctx := appcontext.Context()

-	txn, release, err := storeutil.GetStore(dockerCli)
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.builder),
+		builder.WithSkippedValidation(),
+	)
 	if err != nil {
 		return err
 	}
-	defer release()
-
-	if in.builder != "" {
-		ng, err := storeutil.GetNodeGroup(txn, dockerCli, in.builder)
-		if err != nil {
-			return err
-		}
-		if err := stop(ctx, dockerCli, ng); err != nil {
-			return err
-		}
-		return nil
-	}
-
-	ng, err := storeutil.GetCurrentInstance(txn, dockerCli)
+	nodes, err := b.LoadNodes(ctx)
 	if err != nil {
 		return err
 	}
-	if ng != nil {
-		return stop(ctx, dockerCli, ng)
-	}

-	return stopCurrent(ctx, dockerCli)
+	return stop(ctx, nodes)
 }

 func stopCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
@@ -60,42 +47,21 @@ func stopCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			}
 			return runStop(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}

 	return cmd
 }

-func stop(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup) error {
-	dis, err := driversForNodeGroup(ctx, dockerCli, ng, "")
-	if err != nil {
-		return err
-	}
-	for _, di := range dis {
-		if di.Driver != nil {
-			if err := di.Driver.Stop(ctx, true); err != nil {
+func stop(ctx context.Context, nodes []builder.Node) (err error) {
+	for _, node := range nodes {
+		if node.Driver != nil {
+			if err := node.Driver.Stop(ctx, true); err != nil {
 				return err
 			}
 		}
-		if di.Err != nil {
-			err = di.Err
-		}
-	}
-	return err
-}
-
-func stopCurrent(ctx context.Context, dockerCli command.Cli) error {
-	dis, err := getDefaultDrivers(ctx, dockerCli, false, "")
-	if err != nil {
-		return err
-	}
-	for _, di := range dis {
-		if di.Driver != nil {
-			if err := di.Driver.Stop(ctx, true); err != nil {
-				return err
-			}
-		}
-		if di.Err != nil {
-			err = di.Err
+		if node.Err != nil {
+			err = node.Err
 		}
 	}
 	return err
--- a/commands/uninstall.go
+++ b/commands/uninstall.go
@@ -4,6 +4,7 @@ import (
 	"os"

 	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/config"
@@ -52,7 +53,8 @@ func uninstallCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runUninstall(dockerCli, options)
 		},
-		Hidden: true,
+		Hidden:            true,
+		ValidArgsFunction: completion.Disable,
 	}

 	// hide builder persistent flag for this command
--- a/commands/use.go
+++ b/commands/use.go
@@ -4,6 +4,8 @@ import (
 	"os"

 	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/cobrautil/completion"
+	"github.com/docker/buildx/util/dockerutil"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/pkg/errors"
@@ -29,14 +31,11 @@ func runUse(dockerCli command.Cli, in useOptions) error {
 				return errors.Errorf("run `docker context use default` to switch to default context")
 			}
 			if in.builder == "default" || in.builder == dockerCli.CurrentContext() {
-				ep, err := storeutil.GetCurrentEndpoint(dockerCli)
+				ep, err := dockerutil.GetCurrentEndpoint(dockerCli)
 				if err != nil {
 					return err
 				}
-				if err := txn.SetCurrent(ep, "", false, false); err != nil {
-					return err
-				}
-				return nil
+				return txn.SetCurrent(ep, "", false, false)
 			}
 			list, err := dockerCli.ContextStore().List()
 			if err != nil {
@@ -52,15 +51,11 @@ func runUse(dockerCli command.Cli, in useOptions) error {
 		return errors.Wrapf(err, "failed to find instance %q", in.builder)
 	}

-	ep, err := storeutil.GetCurrentEndpoint(dockerCli)
+	ep, err := dockerutil.GetCurrentEndpoint(dockerCli)
 	if err != nil {
 		return err
 	}
-	if err := txn.SetCurrent(ep, in.builder, in.isGlobal, in.isDefault); err != nil {
-		return err
-	}
-
-	return nil
+	return txn.SetCurrent(ep, in.builder, in.isGlobal, in.isDefault)
 }

 func useCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
@@ -77,6 +72,7 @@ func useCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 			}
 			return runUse(dockerCli, options)
 		},
+		ValidArgsFunction: completion.BuilderNames(dockerCli),
 	}

 	flags := cmd.Flags()
--- a/commands/util.go
+++ b/commands/util.go
@@ -1,487 +0,0 @@
-package commands
-
-import (
-	"context"
-	"net/url"
-	"os"
-	"strings"
-
-	"github.com/docker/buildx/build"
-	"github.com/docker/buildx/driver"
-	ctxkube "github.com/docker/buildx/driver/kubernetes/context"
-	remoteutil "github.com/docker/buildx/driver/remote/util"
-	"github.com/docker/buildx/store"
-	"github.com/docker/buildx/store/storeutil"
-	"github.com/docker/buildx/util/platformutil"
-	"github.com/docker/buildx/util/progress"
-	"github.com/docker/cli/cli/command"
-	"github.com/docker/cli/cli/context/docker"
-	ctxstore "github.com/docker/cli/cli/context/store"
-	dopts "github.com/docker/cli/opts"
-	dockerclient "github.com/docker/docker/client"
-	"github.com/moby/buildkit/util/grpcerrors"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
-	"github.com/pkg/errors"
-	"github.com/sirupsen/logrus"
-	"golang.org/x/sync/errgroup"
-	"google.golang.org/grpc/codes"
-	"k8s.io/client-go/tools/clientcmd"
-)
-
-// validateEndpoint validates that endpoint is either a context or a docker host
-func validateEndpoint(dockerCli command.Cli, ep string) (string, error) {
-	de, err := storeutil.GetDockerEndpoint(dockerCli, ep)
-	if err == nil && de != "" {
-		if ep == "default" {
-			return de, nil
-		}
-		return ep, nil
-	}
-	h, err := dopts.ParseHost(true, ep)
-	if err != nil {
-		return "", errors.Wrapf(err, "failed to parse endpoint %s", ep)
-	}
-	return h, nil
-}
-
-// validateBuildkitEndpoint validates that endpoint is a valid buildkit host
-func validateBuildkitEndpoint(ep string) (string, error) {
-	if err := remoteutil.IsValidEndpoint(ep); err != nil {
-		return "", err
-	}
-	return ep, nil
-}
-
-// driversForNodeGroup returns drivers for a nodegroup instance
-func driversForNodeGroup(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, contextPathHash string) ([]build.DriverInfo, error) {
-	eg, _ := errgroup.WithContext(ctx)
-
-	dis := make([]build.DriverInfo, len(ng.Nodes))
-
-	var f driver.Factory
-	if ng.Driver != "" {
-		var err error
-		f, err = driver.GetFactory(ng.Driver, true)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		// empty driver means nodegroup was implicitly created as a default
-		// driver for a docker context and allows falling back to a
-		// docker-container driver for older daemon that doesn't support
-		// buildkit (< 18.06).
-		ep := ng.Nodes[0].Endpoint
-		dockerapi, err := clientForEndpoint(dockerCli, ep)
-		if err != nil {
-			return nil, err
-		}
-		// check if endpoint is healthy is needed to determine the driver type.
-		// if this fails then can't continue with driver selection.
-		if _, err = dockerapi.Ping(ctx); err != nil {
-			return nil, err
-		}
-		f, err = driver.GetDefaultFactory(ctx, ep, dockerapi, false)
-		if err != nil {
-			return nil, err
-		}
-		ng.Driver = f.Name()
-	}
-	imageopt, err := storeutil.GetImageConfig(dockerCli, ng)
-	if err != nil {
-		return nil, err
-	}
-
-	for i, n := range ng.Nodes {
-		func(i int, n store.Node) {
-			eg.Go(func() error {
-				di := build.DriverInfo{
-					Name:        n.Name,
-					Platform:    n.Platforms,
-					ProxyConfig: storeutil.GetProxyConfig(dockerCli),
-				}
-				defer func() {
-					dis[i] = di
-				}()
-
-				dockerapi, err := clientForEndpoint(dockerCli, n.Endpoint)
-				if err != nil {
-					di.Err = err
-					return nil
-				}
-				// TODO: replace the following line with dockerclient.WithAPIVersionNegotiation option in clientForEndpoint
-				dockerapi.NegotiateAPIVersion(ctx)
-
-				contextStore := dockerCli.ContextStore()
-
-				var kcc driver.KubeClientConfig
-				kcc, err = configFromContext(n.Endpoint, contextStore)
-				if err != nil {
-					// err is returned if n.Endpoint is non-context name like "unix:///var/run/docker.sock".
-					// try again with name="default".
-					// FIXME: n should retain real context name.
-					kcc, err = configFromContext("default", contextStore)
-					if err != nil {
-						logrus.Error(err)
-					}
-				}
-
-				tryToUseKubeConfigInCluster := false
-				if kcc == nil {
-					tryToUseKubeConfigInCluster = true
-				} else {
-					if _, err := kcc.ClientConfig(); err != nil {
-						tryToUseKubeConfigInCluster = true
-					}
-				}
-				if tryToUseKubeConfigInCluster {
-					kccInCluster := driver.KubeClientConfigInCluster{}
-					if _, err := kccInCluster.ClientConfig(); err == nil {
-						logrus.Debug("using kube config in cluster")
-						kcc = kccInCluster
-					}
-				}
-
-				d, err := driver.GetDriver(ctx, "buildx_buildkit_"+n.Name, f, n.Endpoint, dockerapi, imageopt.Auth, kcc, n.Flags, n.Files, n.DriverOpts, n.Platforms, contextPathHash)
-				if err != nil {
-					di.Err = err
-					return nil
-				}
-				di.Driver = d
-				di.ImageOpt = imageopt
-				return nil
-			})
-		}(i, n)
-	}
-
-	if err := eg.Wait(); err != nil {
-		return nil, err
-	}
-
-	return dis, nil
-}
-
-func configFromContext(endpointName string, s ctxstore.Reader) (clientcmd.ClientConfig, error) {
-	if strings.HasPrefix(endpointName, "kubernetes://") {
-		u, _ := url.Parse(endpointName)
-		if kubeconfig := u.Query().Get("kubeconfig"); kubeconfig != "" {
-			_ = os.Setenv(clientcmd.RecommendedConfigPathEnvVar, kubeconfig)
-		}
-		rules := clientcmd.NewDefaultClientConfigLoadingRules()
-		apiConfig, err := rules.Load()
-		if err != nil {
-			return nil, err
-		}
-		return clientcmd.NewDefaultClientConfig(*apiConfig, &clientcmd.ConfigOverrides{}), nil
-	}
-	return ctxkube.ConfigFromContext(endpointName, s)
-}
-
-// clientForEndpoint returns a docker client for an endpoint
-func clientForEndpoint(dockerCli command.Cli, name string) (dockerclient.APIClient, error) {
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return nil, err
-	}
-	for _, l := range list {
-		if l.Name == name {
-			dep, ok := l.Endpoints["docker"]
-			if !ok {
-				return nil, errors.Errorf("context %q does not have a Docker endpoint", name)
-			}
-			epm, ok := dep.(docker.EndpointMeta)
-			if !ok {
-				return nil, errors.Errorf("endpoint %q is not of type EndpointMeta, %T", dep, dep)
-			}
-			ep, err := docker.WithTLSData(dockerCli.ContextStore(), name, epm)
-			if err != nil {
-				return nil, err
-			}
-			clientOpts, err := ep.ClientOpts()
-			if err != nil {
-				return nil, err
-			}
-			return dockerclient.NewClientWithOpts(clientOpts...)
-		}
-	}
-
-	ep := docker.Endpoint{
-		EndpointMeta: docker.EndpointMeta{
-			Host: name,
-		},
-	}
-
-	clientOpts, err := ep.ClientOpts()
-	if err != nil {
-		return nil, err
-	}
-
-	return dockerclient.NewClientWithOpts(clientOpts...)
-}
-
-func getInstanceOrDefault(ctx context.Context, dockerCli command.Cli, instance, contextPathHash string) ([]build.DriverInfo, error) {
-	var defaultOnly bool
-
-	if instance == "default" && instance != dockerCli.CurrentContext() {
-		return nil, errors.Errorf("use `docker --context=default buildx` to switch to default context")
-	}
-	if instance == "default" || instance == dockerCli.CurrentContext() {
-		instance = ""
-		defaultOnly = true
-	}
-	list, err := dockerCli.ContextStore().List()
-	if err != nil {
-		return nil, err
-	}
-	for _, l := range list {
-		if l.Name == instance {
-			return nil, errors.Errorf("use `docker --context=%s buildx` to switch to context %s", instance, instance)
-		}
-	}
-
-	if instance != "" {
-		return getInstanceByName(ctx, dockerCli, instance, contextPathHash)
-	}
-	return getDefaultDrivers(ctx, dockerCli, defaultOnly, contextPathHash)
-}
-
-func getInstanceByName(ctx context.Context, dockerCli command.Cli, instance, contextPathHash string) ([]build.DriverInfo, error) {
-	txn, release, err := storeutil.GetStore(dockerCli)
-	if err != nil {
-		return nil, err
-	}
-	defer release()
-
-	ng, err := txn.NodeGroupByName(instance)
-	if err != nil {
-		return nil, err
-	}
-	return driversForNodeGroup(ctx, dockerCli, ng, contextPathHash)
-}
-
-// getDefaultDrivers returns drivers based on current cli config
-func getDefaultDrivers(ctx context.Context, dockerCli command.Cli, defaultOnly bool, contextPathHash string) ([]build.DriverInfo, error) {
-	txn, release, err := storeutil.GetStore(dockerCli)
-	if err != nil {
-		return nil, err
-	}
-	defer release()
-
-	if !defaultOnly {
-		ng, err := storeutil.GetCurrentInstance(txn, dockerCli)
-		if err != nil {
-			return nil, err
-		}
-
-		if ng != nil {
-			return driversForNodeGroup(ctx, dockerCli, ng, contextPathHash)
-		}
-	}
-
-	imageopt, err := storeutil.GetImageConfig(dockerCli, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	d, err := driver.GetDriver(ctx, "buildx_buildkit_default", nil, "", dockerCli.Client(), imageopt.Auth, nil, nil, nil, nil, nil, contextPathHash)
-	if err != nil {
-		return nil, err
-	}
-	return []build.DriverInfo{
-		{
-			Name:        "default",
-			Driver:      d,
-			ImageOpt:    imageopt,
-			ProxyConfig: storeutil.GetProxyConfig(dockerCli),
-		},
-	}, nil
-}
-
-func loadInfoData(ctx context.Context, d *dinfo) error {
-	if d.di.Driver == nil {
-		return nil
-	}
-	info, err := d.di.Driver.Info(ctx)
-	if err != nil {
-		return err
-	}
-	d.info = info
-	if info.Status == driver.Running {
-		c, err := d.di.Driver.Client(ctx)
-		if err != nil {
-			return err
-		}
-		workers, err := c.ListWorkers(ctx)
-		if err != nil {
-			return errors.Wrap(err, "listing workers")
-		}
-		for _, w := range workers {
-			d.platforms = append(d.platforms, w.Platforms...)
-		}
-		d.platforms = platformutil.Dedupe(d.platforms)
-		inf, err := c.Info(ctx)
-		if err != nil {
-			if st, ok := grpcerrors.AsGRPCStatus(err); ok && st.Code() == codes.Unimplemented {
-				d.version, err = d.di.Driver.Version(ctx)
-				if err != nil {
-					return errors.Wrap(err, "getting version")
-				}
-			}
-		} else {
-			d.version = inf.BuildkitVersion.Version
-		}
-	}
-	return nil
-}
-
-func loadNodeGroupData(ctx context.Context, dockerCli command.Cli, ngi *nginfo) error {
-	eg, _ := errgroup.WithContext(ctx)
-
-	dis, err := driversForNodeGroup(ctx, dockerCli, ngi.ng, "")
-	if err != nil {
-		return err
-	}
-	ngi.drivers = make([]dinfo, len(dis))
-	for i, di := range dis {
-		d := di
-		ngi.drivers[i].di = &d
-		func(d *dinfo) {
-			eg.Go(func() error {
-				if err := loadInfoData(ctx, d); err != nil {
-					d.err = err
-				}
-				return nil
-			})
-		}(&ngi.drivers[i])
-	}
-
-	if eg.Wait(); err != nil {
-		return err
-	}
-
-	kubernetesDriverCount := 0
-
-	for _, di := range ngi.drivers {
-		if di.info != nil && len(di.info.DynamicNodes) > 0 {
-			kubernetesDriverCount++
-		}
-	}
-
-	isAllKubernetesDrivers := len(ngi.drivers) == kubernetesDriverCount
-
-	if isAllKubernetesDrivers {
-		var drivers []dinfo
-		var dynamicNodes []store.Node
-
-		for _, di := range ngi.drivers {
-			// dynamic nodes are used in Kubernetes driver.
-			// Kubernetes pods are dynamically mapped to BuildKit Nodes.
-			if di.info != nil && len(di.info.DynamicNodes) > 0 {
-				for i := 0; i < len(di.info.DynamicNodes); i++ {
-					// all []dinfo share *build.DriverInfo and *driver.Info
-					diClone := di
-					if pl := di.info.DynamicNodes[i].Platforms; len(pl) > 0 {
-						diClone.platforms = pl
-					}
-					drivers = append(drivers, di)
-				}
-				dynamicNodes = append(dynamicNodes, di.info.DynamicNodes...)
-			}
-		}
-
-		// not append (remove the static nodes in the store)
-		ngi.ng.Nodes = dynamicNodes
-		ngi.drivers = drivers
-		ngi.ng.Dynamic = true
-	}
-
-	return nil
-}
-
-func hasNodeGroup(list []*nginfo, ngi *nginfo) bool {
-	for _, l := range list {
-		if ngi.ng.Name == l.ng.Name {
-			return true
-		}
-	}
-	return false
-}
-
-func dockerAPI(dockerCli command.Cli) *api {
-	return &api{dockerCli: dockerCli}
-}
-
-type api struct {
-	dockerCli command.Cli
-}
-
-func (a *api) DockerAPI(name string) (dockerclient.APIClient, error) {
-	if name == "" {
-		name = a.dockerCli.CurrentContext()
-	}
-	return clientForEndpoint(a.dockerCli, name)
-}
-
-type dinfo struct {
-	di        *build.DriverInfo
-	info      *driver.Info
-	platforms []specs.Platform
-	version   string
-	err       error
-}
-
-type nginfo struct {
-	ng      *store.NodeGroup
-	drivers []dinfo
-	err     error
-}
-
-// inactive checks if all nodes are inactive for this builder
-func (n *nginfo) inactive() bool {
-	for idx := range n.ng.Nodes {
-		d := n.drivers[idx]
-		if d.info != nil && d.info.Status == driver.Running {
-			return false
-		}
-	}
-	return true
-}
-
-func boot(ctx context.Context, ngi *nginfo) (bool, error) {
-	toBoot := make([]int, 0, len(ngi.drivers))
-	for i, d := range ngi.drivers {
-		if d.err != nil || d.di.Err != nil || d.di.Driver == nil || d.info == nil {
-			continue
-		}
-		if d.info.Status != driver.Running {
-			toBoot = append(toBoot, i)
-		}
-	}
-	if len(toBoot) == 0 {
-		return false, nil
-	}
-
-	printer := progress.NewPrinter(context.TODO(), os.Stderr, os.Stderr, "auto")
-
-	baseCtx := ctx
-	eg, _ := errgroup.WithContext(ctx)
-	for _, idx := range toBoot {
-		func(idx int) {
-			eg.Go(func() error {
-				pw := progress.WithPrefix(printer, ngi.ng.Nodes[idx].Name, len(toBoot) > 1)
-				_, err := driver.Boot(ctx, baseCtx, ngi.drivers[idx].di.Driver, pw)
-				if err != nil {
-					ngi.drivers[idx].err = err
-				}
-				return nil
-			})
-		}(idx)
-	}
-
-	err := eg.Wait()
-	err1 := printer.Wait()
-	if err == nil {
-		err = err1
-	}
-
-	return true, err
-}
--- a/commands/version.go
+++ b/commands/version.go
@@ -4,6 +4,7 @@ import (
 	"fmt"

 	"github.com/docker/buildx/util/cobrautil"
+	"github.com/docker/buildx/util/cobrautil/completion"
 	"github.com/docker/buildx/version"
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
@@ -23,6 +24,7 @@ func versionCmd(dockerCli command.Cli) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return runVersion(dockerCli)
 		},
+		ValidArgsFunction: completion.Disable,
 	}

 	// hide builder persistent flag for this command
--- a/controller/build/build.go
+++ b/controller/build/build.go
@@ -0,0 +1,280 @@
+package build
+
+import (
+	"context"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+
+	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/builder"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/store"
+	"github.com/docker/buildx/store/storeutil"
+	"github.com/docker/buildx/util/buildflags"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/dockerutil"
+	"github.com/docker/buildx/util/platformutil"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/cli/cli/config"
+	dockeropts "github.com/docker/cli/opts"
+	"github.com/docker/go-units"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/util/grpcerrors"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+)
+
+const defaultTargetName = "default"
+
+// RunBuild runs the specified build and returns the result.
+//
+// NOTE: When an error happens during the build and this function acquires the debuggable *build.ResultHandle,
+// this function returns it in addition to the error (i.e. it does "return nil, res, err"). The caller can
+// inspect the result and debug the cause of that error.
+func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.BuildOptions, inStream io.Reader, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, error) {
+	if in.NoCache && len(in.NoCacheFilter) > 0 {
+		return nil, nil, errors.Errorf("--no-cache and --no-cache-filter cannot currently be used together")
+	}
+
+	contexts := map[string]build.NamedContext{}
+	for name, path := range in.NamedContexts {
+		contexts[name] = build.NamedContext{Path: path}
+	}
+
+	opts := build.Options{
+		Inputs: build.Inputs{
+			ContextPath:    in.ContextPath,
+			DockerfilePath: in.DockerfileName,
+			InStream:       inStream,
+			NamedContexts:  contexts,
+		},
+		Ref:           in.Ref,
+		BuildArgs:     in.BuildArgs,
+		CgroupParent:  in.CgroupParent,
+		ExtraHosts:    in.ExtraHosts,
+		Labels:        in.Labels,
+		NetworkMode:   in.NetworkMode,
+		NoCache:       in.NoCache,
+		NoCacheFilter: in.NoCacheFilter,
+		Pull:          in.Pull,
+		ShmSize:       dockeropts.MemBytes(in.ShmSize),
+		Tags:          in.Tags,
+		Target:        in.Target,
+		Ulimits:       controllerUlimitOpt2DockerUlimit(in.Ulimits),
+		GroupRef:      in.GroupRef,
+	}
+
+	platforms, err := platformutil.Parse(in.Platforms)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Platforms = platforms
+
+	dockerConfig := config.LoadDefaultConfigFile(os.Stderr)
+	opts.Session = append(opts.Session, authprovider.NewDockerAuthProvider(dockerConfig, nil))
+
+	secrets, err := controllerapi.CreateSecrets(in.Secrets)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Session = append(opts.Session, secrets)
+
+	sshSpecs := in.SSH
+	if len(sshSpecs) == 0 && buildflags.IsGitSSH(in.ContextPath) {
+		sshSpecs = append(sshSpecs, &controllerapi.SSH{ID: "default"})
+	}
+	ssh, err := controllerapi.CreateSSH(sshSpecs)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Session = append(opts.Session, ssh)
+
+	outputs, err := controllerapi.CreateExports(in.Exports)
+	if err != nil {
+		return nil, nil, err
+	}
+	if in.ExportPush {
+		if in.ExportLoad {
+			return nil, nil, errors.Errorf("push and load may not be set together at the moment")
+		}
+		if len(outputs) == 0 {
+			outputs = []client.ExportEntry{{
+				Type: "image",
+				Attrs: map[string]string{
+					"push": "true",
+				},
+			}}
+		} else {
+			switch outputs[0].Type {
+			case "image":
+				outputs[0].Attrs["push"] = "true"
+			default:
+				return nil, nil, errors.Errorf("push and %q output can't be used together", outputs[0].Type)
+			}
+		}
+	}
+	if in.ExportLoad {
+		if len(outputs) == 0 {
+			outputs = []client.ExportEntry{{
+				Type:  "docker",
+				Attrs: map[string]string{},
+			}}
+		} else {
+			switch outputs[0].Type {
+			case "docker":
+			default:
+				return nil, nil, errors.Errorf("load and %q output can't be used together", outputs[0].Type)
+			}
+		}
+	}
+
+	annotations, err := buildflags.ParseAnnotations(in.Annotations)
+	if err != nil {
+		return nil, nil, err
+	}
+	for _, o := range outputs {
+		for k, v := range annotations {
+			o.Attrs[k.String()] = v
+		}
+	}
+
+	opts.Exports = outputs
+
+	opts.CacheFrom = controllerapi.CreateCaches(in.CacheFrom)
+	opts.CacheTo = controllerapi.CreateCaches(in.CacheTo)
+
+	opts.Attests = controllerapi.CreateAttestations(in.Attests)
+
+	opts.SourcePolicy = in.SourcePolicy
+
+	allow, err := buildflags.ParseEntitlements(in.Allow)
+	if err != nil {
+		return nil, nil, err
+	}
+	opts.Allow = allow
+
+	if in.PrintFunc != nil {
+		opts.PrintFunc = &build.PrintFunc{
+			Name:   in.PrintFunc.Name,
+			Format: in.PrintFunc.Format,
+		}
+	}
+
+	// key string used for kubernetes "sticky" mode
+	contextPathHash, err := filepath.Abs(in.ContextPath)
+	if err != nil {
+		contextPathHash = in.ContextPath
+	}
+
+	// TODO: this should not be loaded this side of the controller api
+	b, err := builder.New(dockerCli,
+		builder.WithName(in.Builder),
+		builder.WithContextPathHash(contextPathHash),
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+	if err = updateLastActivity(dockerCli, b.NodeGroup); err != nil {
+		return nil, nil, errors.Wrapf(err, "failed to update builder last activity time")
+	}
+	nodes, err := b.LoadNodes(ctx)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	resp, res, err := buildTargets(ctx, dockerCli, b.NodeGroup, nodes, map[string]build.Options{defaultTargetName: opts}, progress, generateResult)
+	err = wrapBuildError(err, false)
+	if err != nil {
+		// NOTE: buildTargets can return *build.ResultHandle even on error.
+		return nil, res, err
+	}
+	return resp, res, nil
+}
+
+// buildTargets runs the specified build and returns the result.
+//
+// NOTE: When an error happens during the build and this function acquires the debuggable *build.ResultHandle,
+// this function returns it in addition to the error (i.e. it does "return nil, res, err"). The caller can
+// inspect the result and debug the cause of that error.
+func buildTargets(ctx context.Context, dockerCli command.Cli, ng *store.NodeGroup, nodes []builder.Node, opts map[string]build.Options, progress progress.Writer, generateResult bool) (*client.SolveResponse, *build.ResultHandle, error) {
+	var res *build.ResultHandle
+	var resp map[string]*client.SolveResponse
+	var err error
+	if generateResult {
+		var mu sync.Mutex
+		var idx int
+		resp, err = build.BuildWithResultHandler(ctx, nodes, opts, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), progress, func(driverIndex int, gotRes *build.ResultHandle) {
+			mu.Lock()
+			defer mu.Unlock()
+			if res == nil || driverIndex < idx {
+				idx, res = driverIndex, gotRes
+			}
+		})
+	} else {
+		resp, err = build.Build(ctx, nodes, opts, dockerutil.NewClient(dockerCli), confutil.ConfigDir(dockerCli), progress)
+	}
+	if err != nil {
+		return nil, res, err
+	}
+	return resp[defaultTargetName], res, err
+}
+
+func wrapBuildError(err error, bake bool) error {
+	if err == nil {
+		return nil
+	}
+	st, ok := grpcerrors.AsGRPCStatus(err)
+	if ok {
+		if st.Code() == codes.Unimplemented && strings.Contains(st.Message(), "unsupported frontend capability moby.buildkit.frontend.contexts") {
+			msg := "current frontend does not support --build-context."
+			if bake {
+				msg = "current frontend does not support defining additional contexts for targets."
+			}
+			msg += " Named contexts are supported since Dockerfile v1.4. Use #syntax directive in Dockerfile or update to latest BuildKit."
+			return &wrapped{err, msg}
+		}
+	}
+	return err
+}
+
+type wrapped struct {
+	err error
+	msg string
+}
+
+func (w *wrapped) Error() string {
+	return w.msg
+}
+
+func (w *wrapped) Unwrap() error {
+	return w.err
+}
+
+func updateLastActivity(dockerCli command.Cli, ng *store.NodeGroup) error {
+	txn, release, err := storeutil.GetStore(dockerCli)
+	if err != nil {
+		return err
+	}
+	defer release()
+	return txn.UpdateLastActivity(ng)
+}
+
+func controllerUlimitOpt2DockerUlimit(u *controllerapi.UlimitOpt) *dockeropts.UlimitOpt {
+	if u == nil {
+		return nil
+	}
+	values := make(map[string]*units.Ulimit)
+	for k, v := range u.Values {
+		values[k] = &units.Ulimit{
+			Name: v.Name,
+			Hard: v.Hard,
+			Soft: v.Soft,
+		}
+	}
+	return dockeropts.NewUlimitOpt(&values)
+}
--- a/controller/control/controller.go
+++ b/controller/control/controller.go
@@ -0,0 +1,32 @@
+package control
+
+import (
+	"context"
+	"io"
+
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+)
+
+type BuildxController interface {
+	Build(ctx context.Context, options controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (ref string, resp *client.SolveResponse, err error)
+	// Invoke starts an IO session into the specified process.
+	// If pid doesn't matche to any running processes, it starts a new process with the specified config.
+	// If there is no container running or InvokeConfig.Rollback is speicfied, the process will start in a newly created container.
+	// NOTE: If needed, in the future, we can split this API into three APIs (NewContainer, NewProcess and Attach).
+	Invoke(ctx context.Context, ref, pid string, options controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error
+	Kill(ctx context.Context) error
+	Close() error
+	List(ctx context.Context) (refs []string, _ error)
+	Disconnect(ctx context.Context, ref string) error
+	ListProcesses(ctx context.Context, ref string) (infos []*controllerapi.ProcessInfo, retErr error)
+	DisconnectProcess(ctx context.Context, ref, pid string) error
+	Inspect(ctx context.Context, ref string) (*controllerapi.InspectResponse, error)
+}
+
+type ControlOptions struct {
+	ServerConfig string
+	Root         string
+	Detach       bool
+}
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -0,0 +1,36 @@
+package controller
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/buildx/controller/control"
+	"github.com/docker/buildx/controller/local"
+	"github.com/docker/buildx/controller/remote"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+)
+
+func NewController(ctx context.Context, opts control.ControlOptions, dockerCli command.Cli, pw progress.Writer) (control.BuildxController, error) {
+	var name string
+	if opts.Detach {
+		name = "remote"
+	} else {
+		name = "local"
+	}
+
+	var c control.BuildxController
+	err := progress.Wrap(fmt.Sprintf("[internal] connecting to %s controller", name), pw.Write, func(l progress.SubLogger) (err error) {
+		if opts.Detach {
+			c, err = remote.NewRemoteBuildxController(ctx, dockerCli, opts, l)
+		} else {
+			c = local.NewLocalBuildxController(ctx, dockerCli, l)
+		}
+		return err
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to start buildx controller")
+	}
+	return c, nil
+}
--- a/controller/errdefs/build.go
+++ b/controller/errdefs/build.go
@@ -0,0 +1,34 @@
+package errdefs
+
+import (
+	"github.com/containerd/typeurl/v2"
+	"github.com/moby/buildkit/util/grpcerrors"
+)
+
+func init() {
+	typeurl.Register((*Build)(nil), "github.com/docker/buildx", "errdefs.Build+json")
+}
+
+type BuildError struct {
+	Build
+	error
+}
+
+func (e *BuildError) Unwrap() error {
+	return e.error
+}
+
+func (e *BuildError) ToProto() grpcerrors.TypedErrorProto {
+	return &e.Build
+}
+
+func WrapBuild(err error, ref string) error {
+	if err == nil {
+		return nil
+	}
+	return &BuildError{Build: Build{Ref: ref}, error: err}
+}
+
+func (b *Build) WrapError(err error) error {
+	return &BuildError{error: err, Build: *b}
+}
--- a/controller/errdefs/errdefs.pb.go
+++ b/controller/errdefs/errdefs.pb.go
@@ -0,0 +1,77 @@
+// Code generated by protoc-gen-gogo. DO NOT EDIT.
+// source: errdefs.proto
+
+package errdefs
+
+import (
+	fmt "fmt"
+	proto "github.com/gogo/protobuf/proto"
+	_ "github.com/moby/buildkit/solver/pb"
+	math "math"
+)
+
+// Reference imports to suppress errors if they are not otherwise used.
+var _ = proto.Marshal
+var _ = fmt.Errorf
+var _ = math.Inf
+
+// This is a compile-time assertion to ensure that this generated file
+// is compatible with the proto package it is being compiled against.
+// A compilation error at this line likely means your copy of the
+// proto package needs to be updated.
+const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package
+
+type Build struct {
+	Ref                  string   `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	XXX_NoUnkeyedLiteral struct{} `json:"-"`
+	XXX_unrecognized     []byte   `json:"-"`
+	XXX_sizecache        int32    `json:"-"`
+}
+
+func (m *Build) Reset()         { *m = Build{} }
+func (m *Build) String() string { return proto.CompactTextString(m) }
+func (*Build) ProtoMessage()    {}
+func (*Build) Descriptor() ([]byte, []int) {
+	return fileDescriptor_689dc58a5060aff5, []int{0}
+}
+func (m *Build) XXX_Unmarshal(b []byte) error {
+	return xxx_messageInfo_Build.Unmarshal(m, b)
+}
+func (m *Build) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
+	return xxx_messageInfo_Build.Marshal(b, m, deterministic)
+}
+func (m *Build) XXX_Merge(src proto.Message) {
+	xxx_messageInfo_Build.Merge(m, src)
+}
+func (m *Build) XXX_Size() int {
+	return xxx_messageInfo_Build.Size(m)
+}
+func (m *Build) XXX_DiscardUnknown() {
+	xxx_messageInfo_Build.DiscardUnknown(m)
+}
+
+var xxx_messageInfo_Build proto.InternalMessageInfo
+
+func (m *Build) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
+func init() {
+	proto.RegisterType((*Build)(nil), "errdefs.Build")
+}
+
+func init() { proto.RegisterFile("errdefs.proto", fileDescriptor_689dc58a5060aff5) }
+
+var fileDescriptor_689dc58a5060aff5 = []byte{
+	// 111 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xe2, 0xe2, 0x4d, 0x2d, 0x2a, 0x4a,
+	0x49, 0x4d, 0x2b, 0xd6, 0x2b, 0x28, 0xca, 0x2f, 0xc9, 0x17, 0x62, 0x87, 0x72, 0xa5, 0x74, 0xd2,
+	0x33, 0x4b, 0x32, 0x4a, 0x93, 0xf4, 0x92, 0xf3, 0x73, 0xf5, 0x73, 0xf3, 0x93, 0x2a, 0xf5, 0x93,
+	0x4a, 0x33, 0x73, 0x52, 0xb2, 0x33, 0x4b, 0xf4, 0x8b, 0xf3, 0x73, 0xca, 0x52, 0x8b, 0xf4, 0x0b,
+	0x92, 0xf4, 0xf3, 0x0b, 0xa0, 0xda, 0x94, 0x24, 0xb9, 0x58, 0x9d, 0x40, 0xf2, 0x42, 0x02, 0x5c,
+	0xcc, 0x41, 0xa9, 0x69, 0x12, 0x8c, 0x0a, 0x8c, 0x1a, 0x9c, 0x41, 0x20, 0x66, 0x12, 0x1b, 0x58,
+	0x85, 0x31, 0x20, 0x00, 0x00, 0xff, 0xff, 0x56, 0x52, 0x41, 0x91, 0x69, 0x00, 0x00, 0x00,
+}
--- a/controller/errdefs/errdefs.proto
+++ b/controller/errdefs/errdefs.proto
@@ -0,0 +1,9 @@
+syntax = "proto3";
+
+package errdefs;
+
+import "github.com/moby/buildkit/solver/pb/ops.proto";
+
+message Build {
+  string Ref = 1;
+}
--- a/controller/errdefs/generate.go
+++ b/controller/errdefs/generate.go
@@ -0,0 +1,3 @@
+package errdefs
+
+//go:generate protoc -I=. -I=../../vendor/ --gogo_out=plugins=grpc:. errdefs.proto
--- a/controller/local/controller.go
+++ b/controller/local/controller.go
@@ -0,0 +1,146 @@
+package local
+
+import (
+	"context"
+	"io"
+	"sync/atomic"
+
+	"github.com/docker/buildx/build"
+	cbuild "github.com/docker/buildx/controller/build"
+	"github.com/docker/buildx/controller/control"
+	controllererrors "github.com/docker/buildx/controller/errdefs"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/controller/processes"
+	"github.com/docker/buildx/util/ioset"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/client"
+	"github.com/pkg/errors"
+)
+
+func NewLocalBuildxController(ctx context.Context, dockerCli command.Cli, logger progress.SubLogger) control.BuildxController {
+	return &localController{
+		dockerCli: dockerCli,
+		ref:       "local",
+		processes: processes.NewManager(),
+	}
+}
+
+type buildConfig struct {
+	// TODO: these two structs should be merged
+	// Discussion: https://github.com/docker/buildx/pull/1640#discussion_r1113279719
+	resultCtx    *build.ResultHandle
+	buildOptions *controllerapi.BuildOptions
+}
+
+type localController struct {
+	dockerCli   command.Cli
+	ref         string
+	buildConfig buildConfig
+	processes   *processes.Manager
+
+	buildOnGoing atomic.Bool
+}
+
+func (b *localController) Build(ctx context.Context, options controllerapi.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, error) {
+	if !b.buildOnGoing.CompareAndSwap(false, true) {
+		return "", nil, errors.New("build ongoing")
+	}
+	defer b.buildOnGoing.Store(false)
+
+	resp, res, buildErr := cbuild.RunBuild(ctx, b.dockerCli, options, in, progress, true)
+	// NOTE: RunBuild can return *build.ResultHandle even on error.
+	if res != nil {
+		b.buildConfig = buildConfig{
+			resultCtx:    res,
+			buildOptions: &options,
+		}
+		if buildErr != nil {
+			buildErr = controllererrors.WrapBuild(buildErr, b.ref)
+		}
+	}
+	if buildErr != nil {
+		return "", nil, buildErr
+	}
+	return b.ref, resp, nil
+}
+
+func (b *localController) ListProcesses(ctx context.Context, ref string) (infos []*controllerapi.ProcessInfo, retErr error) {
+	if ref != b.ref {
+		return nil, errors.Errorf("unknown ref %q", ref)
+	}
+	return b.processes.ListProcesses(), nil
+}
+
+func (b *localController) DisconnectProcess(ctx context.Context, ref, pid string) error {
+	if ref != b.ref {
+		return errors.Errorf("unknown ref %q", ref)
+	}
+	return b.processes.DeleteProcess(pid)
+}
+
+func (b *localController) cancelRunningProcesses() {
+	b.processes.CancelRunningProcesses()
+}
+
+func (b *localController) Invoke(ctx context.Context, ref string, pid string, cfg controllerapi.InvokeConfig, ioIn io.ReadCloser, ioOut io.WriteCloser, ioErr io.WriteCloser) error {
+	if ref != b.ref {
+		return errors.Errorf("unknown ref %q", ref)
+	}
+
+	proc, ok := b.processes.Get(pid)
+	if !ok {
+		// Start a new process.
+		if b.buildConfig.resultCtx == nil {
+			return errors.New("no build result is registered")
+		}
+		var err error
+		proc, err = b.processes.StartProcess(pid, b.buildConfig.resultCtx, &cfg)
+		if err != nil {
+			return err
+		}
+	}
+
+	// Attach containerIn to this process
+	ioCancelledCh := make(chan struct{})
+	proc.ForwardIO(&ioset.In{Stdin: ioIn, Stdout: ioOut, Stderr: ioErr}, func() { close(ioCancelledCh) })
+
+	select {
+	case <-ioCancelledCh:
+		return errors.Errorf("io cancelled")
+	case err := <-proc.Done():
+		return err
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+}
+
+func (b *localController) Kill(context.Context) error {
+	b.Close()
+	return nil
+}
+
+func (b *localController) Close() error {
+	b.cancelRunningProcesses()
+	if b.buildConfig.resultCtx != nil {
+		b.buildConfig.resultCtx.Done()
+	}
+	// TODO: cancel ongoing builds?
+	return nil
+}
+
+func (b *localController) List(ctx context.Context) (res []string, _ error) {
+	return []string{b.ref}, nil
+}
+
+func (b *localController) Disconnect(ctx context.Context, key string) error {
+	b.Close()
+	return nil
+}
+
+func (b *localController) Inspect(ctx context.Context, ref string) (*controllerapi.InspectResponse, error) {
+	if ref != b.ref {
+		return nil, errors.Errorf("unknown ref %q", ref)
+	}
+	return &controllerapi.InspectResponse{Options: b.buildConfig.buildOptions}, nil
+}
--- a/controller/pb/attest.go
+++ b/controller/pb/attest.go
@@ -0,0 +1,20 @@
+package pb
+
+func CreateAttestations(attests []*Attest) map[string]*string {
+	result := map[string]*string{}
+	for _, attest := range attests {
+		// ignore duplicates
+		if _, ok := result[attest.Type]; ok {
+			continue
+		}
+
+		if attest.Disabled {
+			result[attest.Type] = nil
+			continue
+		}
+
+		attrs := attest.Attrs
+		result[attest.Type] = &attrs
+	}
+	return result
+}
--- a/controller/pb/cache.go
+++ b/controller/pb/cache.go
@@ -0,0 +1,21 @@
+package pb
+
+import "github.com/moby/buildkit/client"
+
+func CreateCaches(entries []*CacheOptionsEntry) []client.CacheOptionsEntry {
+	var outs []client.CacheOptionsEntry
+	if len(entries) == 0 {
+		return nil
+	}
+	for _, entry := range entries {
+		out := client.CacheOptionsEntry{
+			Type:  entry.Type,
+			Attrs: map[string]string{},
+		}
+		for k, v := range entry.Attrs {
+			out.Attrs[k] = v
+		}
+		outs = append(outs, out)
+	}
+	return outs
+}
--- a/controller/pb/controller.pb.go
+++ b/controller/pb/controller.pb.go
--- a/controller/pb/controller.proto
+++ b/controller/pb/controller.proto
@@ -0,0 +1,248 @@
+syntax = "proto3";
+
+package buildx.controller.v1;
+
+import "github.com/moby/buildkit/api/services/control/control.proto";
+import "github.com/moby/buildkit/sourcepolicy/pb/policy.proto";
+
+option go_package = "pb";
+
+service Controller {
+  rpc Build(BuildRequest) returns (BuildResponse);
+  rpc Inspect(InspectRequest) returns (InspectResponse);
+  rpc Status(StatusRequest) returns (stream StatusResponse);
+  rpc Input(stream InputMessage) returns (InputResponse);
+  rpc Invoke(stream Message) returns (stream Message);
+  rpc List(ListRequest) returns (ListResponse);
+  rpc Disconnect(DisconnectRequest) returns (DisconnectResponse);
+  rpc Info(InfoRequest) returns (InfoResponse);
+  rpc ListProcesses(ListProcessesRequest) returns (ListProcessesResponse);
+  rpc DisconnectProcess(DisconnectProcessRequest) returns (DisconnectProcessResponse);
+}
+
+message ListProcessesRequest {
+  string Ref = 1;
+}
+
+message ListProcessesResponse {
+  repeated ProcessInfo Infos = 1;
+}
+
+message ProcessInfo {
+  string ProcessID = 1;
+  InvokeConfig InvokeConfig = 2;
+}
+
+message DisconnectProcessRequest {
+  string Ref = 1;
+  string ProcessID = 2;
+}
+
+message DisconnectProcessResponse {
+}
+
+message BuildRequest {
+  string Ref = 1;
+  BuildOptions Options = 2;
+}
+
+message BuildOptions {
+  string ContextPath = 1;
+  string DockerfileName = 2;
+  PrintFunc PrintFunc = 3;
+  map<string, string> NamedContexts = 4;
+
+  repeated string Allow = 5;
+  repeated Attest Attests = 6;
+  map<string, string> BuildArgs = 7;
+  repeated CacheOptionsEntry CacheFrom = 8;
+  repeated CacheOptionsEntry CacheTo = 9;
+  string CgroupParent = 10;
+  repeated ExportEntry Exports = 11;
+  repeated string ExtraHosts = 12;
+  map<string, string> Labels = 13;
+  string NetworkMode = 14;
+  repeated string NoCacheFilter = 15;
+  repeated string Platforms = 16;
+  repeated Secret Secrets = 17;
+  int64 ShmSize = 18;
+  repeated SSH SSH = 19;
+  repeated string Tags = 20;
+  string Target = 21;
+  UlimitOpt Ulimits = 22;
+
+  string Builder = 23;
+  bool NoCache = 24;
+  bool Pull = 25;
+  bool ExportPush = 26;
+  bool ExportLoad = 27;
+  moby.buildkit.v1.sourcepolicy.Policy SourcePolicy = 28;
+  string Ref = 29;
+  string GroupRef = 30;
+  repeated string Annotations = 31;
+}
+
+message ExportEntry {
+  string Type = 1;
+  map<string, string> Attrs = 2;
+  string Destination = 3;
+}
+
+message CacheOptionsEntry {
+  string Type = 1;
+  map<string, string> Attrs = 2;
+}
+
+message Attest {
+  string Type = 1;
+  bool Disabled = 2;
+  string Attrs = 3;
+}
+
+message SSH {
+  string ID = 1;
+  repeated string Paths = 2;
+}
+
+message Secret {
+  string ID = 1;
+  string FilePath = 2;
+  string Env = 3;
+}
+
+message PrintFunc {
+	string Name = 1;
+	string Format = 2;
+}
+
+message InspectRequest {
+  string Ref = 1;
+}
+
+message InspectResponse {
+  BuildOptions Options = 1;
+}
+
+message UlimitOpt {
+  map<string, Ulimit> values = 1;
+}
+
+message Ulimit {
+  string Name = 1;
+  int64 Hard = 2;
+  int64 Soft = 3;
+}
+
+message BuildResponse {
+	map<string, string> ExporterResponse = 1;
+}
+
+message DisconnectRequest {
+  string Ref = 1;
+}
+
+message DisconnectResponse {}
+
+message ListRequest {
+  string Ref = 1;
+}
+
+message ListResponse {
+  repeated string keys = 1;
+}
+
+message InputMessage {
+  oneof Input {
+    InputInitMessage Init = 1;
+    DataMessage Data = 2;
+  }
+}
+
+message InputInitMessage {
+  string Ref = 1;
+}
+
+message DataMessage {
+  bool EOF = 1;    // true if eof was reached
+  bytes Data = 2;  // should be chunked smaller than 4MB:
+                   // https://pkg.go.dev/google.golang.org/grpc#MaxRecvMsgSize
+}
+
+message InputResponse {}
+
+message Message {
+  oneof Input {
+    InitMessage Init = 1;
+    // FdMessage used from client to server for input (stdin) and
+    // from server to client for output (stdout, stderr)
+    FdMessage File = 2;
+    // ResizeMessage used from client to server for terminal resize events
+    ResizeMessage Resize = 3;
+    // SignalMessage is used from client to server to send signal events
+    SignalMessage Signal = 4;
+  }
+}
+
+message InitMessage {
+  string Ref = 1;
+
+  // If ProcessID already exists in the server, it tries to connect to it
+  // instead of invoking the new one. In this case, InvokeConfig will be ignored.
+  string ProcessID = 2;
+  InvokeConfig InvokeConfig = 3;
+}
+
+message InvokeConfig {
+  repeated string Entrypoint = 1;
+  repeated string Cmd = 2;
+  bool NoCmd = 11; // Do not set cmd but use the image's default
+  repeated string Env = 3;
+  string User = 4;
+  bool NoUser = 5; // Do not set user but use the image's default
+  string Cwd = 6;
+  bool NoCwd = 7; // Do not set cwd but use the image's default
+  bool Tty = 8;
+  bool Rollback = 9; // Kill all process in the container and recreate it.
+  bool Initial = 10; // Run container from the initial state of that stage (supported only on the failed step)
+}
+
+message FdMessage {
+  uint32 Fd = 1;   // what fd the data was from
+  bool EOF = 2;    // true if eof was reached
+  bytes Data = 3;  // should be chunked smaller than 4MB:
+                   // https://pkg.go.dev/google.golang.org/grpc#MaxRecvMsgSize
+}
+
+message ResizeMessage {
+  uint32 Rows = 1;
+  uint32 Cols = 2;
+}
+
+message SignalMessage {
+  // we only send name (ie HUP, INT) because the int values
+  // are platform dependent.
+  string Name = 1;
+}
+
+message StatusRequest {
+  string Ref = 1;
+}
+
+message StatusResponse {
+  repeated moby.buildkit.v1.Vertex vertexes = 1;
+  repeated moby.buildkit.v1.VertexStatus statuses = 2;
+  repeated moby.buildkit.v1.VertexLog logs = 3;
+  repeated moby.buildkit.v1.VertexWarning warnings = 4;
+}
+
+message InfoRequest {}
+
+message InfoResponse {
+  BuildxVersion buildxVersion = 1;
+}
+
+message BuildxVersion {
+  string package = 1;
+  string version = 2;
+  string revision = 3;
+}
--- a/controller/pb/export.go
+++ b/controller/pb/export.go
@@ -0,0 +1,100 @@
+package pb
+
+import (
+	"io"
+	"os"
+	"strconv"
+
+	"github.com/containerd/console"
+	"github.com/moby/buildkit/client"
+	"github.com/pkg/errors"
+)
+
+func CreateExports(entries []*ExportEntry) ([]client.ExportEntry, error) {
+	var outs []client.ExportEntry
+	if len(entries) == 0 {
+		return nil, nil
+	}
+	for _, entry := range entries {
+		if entry.Type == "" {
+			return nil, errors.Errorf("type is required for output")
+		}
+
+		out := client.ExportEntry{
+			Type:  entry.Type,
+			Attrs: map[string]string{},
+		}
+		for k, v := range entry.Attrs {
+			out.Attrs[k] = v
+		}
+
+		supportFile := false
+		supportDir := false
+		switch out.Type {
+		case client.ExporterLocal:
+			supportDir = true
+		case client.ExporterTar:
+			supportFile = true
+		case client.ExporterOCI, client.ExporterDocker:
+			tar, err := strconv.ParseBool(out.Attrs["tar"])
+			if err != nil {
+				tar = true
+			}
+			supportFile = tar
+			supportDir = !tar
+		case "registry":
+			out.Type = client.ExporterImage
+		}
+
+		if supportDir {
+			if entry.Destination == "" {
+				return nil, errors.Errorf("dest is required for %s exporter", out.Type)
+			}
+			if entry.Destination == "-" {
+				return nil, errors.Errorf("dest cannot be stdout for %s exporter", out.Type)
+			}
+
+			fi, err := os.Stat(entry.Destination)
+			if err != nil && !os.IsNotExist(err) {
+				return nil, errors.Wrapf(err, "invalid destination directory: %s", entry.Destination)
+			}
+			if err == nil && !fi.IsDir() {
+				return nil, errors.Errorf("destination directory %s is a file", entry.Destination)
+			}
+			out.OutputDir = entry.Destination
+		}
+		if supportFile {
+			if entry.Destination == "" && out.Type != client.ExporterDocker {
+				entry.Destination = "-"
+			}
+			if entry.Destination == "-" {
+				if _, err := console.ConsoleFromFile(os.Stdout); err == nil {
+					return nil, errors.Errorf("dest file is required for %s exporter. refusing to write to console", out.Type)
+				}
+				out.Output = wrapWriteCloser(os.Stdout)
+			} else if entry.Destination != "" {
+				fi, err := os.Stat(entry.Destination)
+				if err != nil && !os.IsNotExist(err) {
+					return nil, errors.Wrapf(err, "invalid destination file: %s", entry.Destination)
+				}
+				if err == nil && fi.IsDir() {
+					return nil, errors.Errorf("destination file %s is a directory", entry.Destination)
+				}
+				f, err := os.Create(entry.Destination)
+				if err != nil {
+					return nil, errors.Errorf("failed to open %s", err)
+				}
+				out.Output = wrapWriteCloser(f)
+			}
+		}
+
+		outs = append(outs, out)
+	}
+	return outs, nil
+}
+
+func wrapWriteCloser(wc io.WriteCloser) func(map[string]string) (io.WriteCloser, error) {
+	return func(map[string]string) (io.WriteCloser, error) {
+		return wc, nil
+	}
+}
--- a/controller/pb/generate.go
+++ b/controller/pb/generate.go
@@ -0,0 +1,3 @@
+package pb
+
+//go:generate protoc -I=. -I=../../vendor/ --gogo_out=plugins=grpc:. controller.proto
--- a/controller/pb/path.go
+++ b/controller/pb/path.go
@@ -0,0 +1,175 @@
+package pb
+
+import (
+	"path/filepath"
+	"strings"
+
+	"github.com/docker/docker/builder/remotecontext/urlutil"
+	"github.com/moby/buildkit/util/gitutil"
+)
+
+// ResolveOptionPaths resolves all paths contained in BuildOptions
+// and replaces them to absolute paths.
+func ResolveOptionPaths(options *BuildOptions) (_ *BuildOptions, err error) {
+	localContext := false
+	if options.ContextPath != "" && options.ContextPath != "-" {
+		if !isRemoteURL(options.ContextPath) {
+			localContext = true
+			options.ContextPath, err = filepath.Abs(options.ContextPath)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+	if options.DockerfileName != "" && options.DockerfileName != "-" {
+		if localContext && !urlutil.IsURL(options.DockerfileName) {
+			options.DockerfileName, err = filepath.Abs(options.DockerfileName)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	var contexts map[string]string
+	for k, v := range options.NamedContexts {
+		if isRemoteURL(v) || strings.HasPrefix(v, "docker-image://") {
+			// url prefix, this is a remote path
+		} else if strings.HasPrefix(v, "oci-layout://") {
+			// oci layout prefix, this is a local path
+			p := strings.TrimPrefix(v, "oci-layout://")
+			p, err = filepath.Abs(p)
+			if err != nil {
+				return nil, err
+			}
+			v = "oci-layout://" + p
+		} else {
+			// no prefix, assume local path
+			v, err = filepath.Abs(v)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		if contexts == nil {
+			contexts = make(map[string]string)
+		}
+		contexts[k] = v
+	}
+	options.NamedContexts = contexts
+
+	var cacheFrom []*CacheOptionsEntry
+	for _, co := range options.CacheFrom {
+		switch co.Type {
+		case "local":
+			var attrs map[string]string
+			for k, v := range co.Attrs {
+				if attrs == nil {
+					attrs = make(map[string]string)
+				}
+				switch k {
+				case "src":
+					p := v
+					if p != "" {
+						p, err = filepath.Abs(p)
+						if err != nil {
+							return nil, err
+						}
+					}
+					attrs[k] = p
+				default:
+					attrs[k] = v
+				}
+			}
+			co.Attrs = attrs
+			cacheFrom = append(cacheFrom, co)
+		default:
+			cacheFrom = append(cacheFrom, co)
+		}
+	}
+	options.CacheFrom = cacheFrom
+
+	var cacheTo []*CacheOptionsEntry
+	for _, co := range options.CacheTo {
+		switch co.Type {
+		case "local":
+			var attrs map[string]string
+			for k, v := range co.Attrs {
+				if attrs == nil {
+					attrs = make(map[string]string)
+				}
+				switch k {
+				case "dest":
+					p := v
+					if p != "" {
+						p, err = filepath.Abs(p)
+						if err != nil {
+							return nil, err
+						}
+					}
+					attrs[k] = p
+				default:
+					attrs[k] = v
+				}
+			}
+			co.Attrs = attrs
+			cacheTo = append(cacheTo, co)
+		default:
+			cacheTo = append(cacheTo, co)
+		}
+	}
+	options.CacheTo = cacheTo
+	var exports []*ExportEntry
+	for _, e := range options.Exports {
+		if e.Destination != "" && e.Destination != "-" {
+			e.Destination, err = filepath.Abs(e.Destination)
+			if err != nil {
+				return nil, err
+			}
+		}
+		exports = append(exports, e)
+	}
+	options.Exports = exports
+
+	var secrets []*Secret
+	for _, s := range options.Secrets {
+		if s.FilePath != "" {
+			s.FilePath, err = filepath.Abs(s.FilePath)
+			if err != nil {
+				return nil, err
+			}
+		}
+		secrets = append(secrets, s)
+	}
+	options.Secrets = secrets
+
+	var ssh []*SSH
+	for _, s := range options.SSH {
+		var ps []string
+		for _, pt := range s.Paths {
+			p := pt
+			if p != "" {
+				p, err = filepath.Abs(p)
+				if err != nil {
+					return nil, err
+				}
+			}
+			ps = append(ps, p)
+
+		}
+		s.Paths = ps
+		ssh = append(ssh, s)
+	}
+	options.SSH = ssh
+
+	return options, nil
+}
+
+func isRemoteURL(c string) bool {
+	if urlutil.IsURL(c) {
+		return true
+	}
+	if _, err := gitutil.ParseGitRef(c); err == nil {
+		return true
+	}
+	return false
+}
--- a/controller/pb/path_test.go
+++ b/controller/pb/path_test.go
@@ -0,0 +1,248 @@
+package pb
+
+import (
+	"os"
+	"path/filepath"
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestResolvePaths(t *testing.T) {
+	tmpwd, err := os.MkdirTemp("", "testresolvepaths")
+	require.NoError(t, err)
+	defer os.Remove(tmpwd)
+	require.NoError(t, os.Chdir(tmpwd))
+	tests := []struct {
+		name    string
+		options BuildOptions
+		want    BuildOptions
+	}{
+		{
+			name:    "contextpath",
+			options: BuildOptions{ContextPath: "test"},
+			want:    BuildOptions{ContextPath: filepath.Join(tmpwd, "test")},
+		},
+		{
+			name:    "contextpath-cwd",
+			options: BuildOptions{ContextPath: "."},
+			want:    BuildOptions{ContextPath: tmpwd},
+		},
+		{
+			name:    "contextpath-dash",
+			options: BuildOptions{ContextPath: "-"},
+			want:    BuildOptions{ContextPath: "-"},
+		},
+		{
+			name:    "contextpath-ssh",
+			options: BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
+			want:    BuildOptions{ContextPath: "git@github.com:docker/buildx.git"},
+		},
+		{
+			name:    "dockerfilename",
+			options: BuildOptions{DockerfileName: "test", ContextPath: "."},
+			want:    BuildOptions{DockerfileName: filepath.Join(tmpwd, "test"), ContextPath: tmpwd},
+		},
+		{
+			name:    "dockerfilename-dash",
+			options: BuildOptions{DockerfileName: "-", ContextPath: "."},
+			want:    BuildOptions{DockerfileName: "-", ContextPath: tmpwd},
+		},
+		{
+			name:    "dockerfilename-remote",
+			options: BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
+			want:    BuildOptions{DockerfileName: "test", ContextPath: "git@github.com:docker/buildx.git"},
+		},
+		{
+			name: "contexts",
+			options: BuildOptions{NamedContexts: map[string]string{"a": "test1", "b": "test2",
+				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git"}},
+			want: BuildOptions{NamedContexts: map[string]string{"a": filepath.Join(tmpwd, "test1"), "b": filepath.Join(tmpwd, "test2"),
+				"alpine": "docker-image://alpine@sha256:0123456789", "project": "https://github.com/myuser/project.git"}},
+		},
+		{
+			name: "cache-from",
+			options: BuildOptions{
+				CacheFrom: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"src": "test"},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+			want: BuildOptions{
+				CacheFrom: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"src": filepath.Join(tmpwd, "test")},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+		},
+		{
+			name: "cache-to",
+			options: BuildOptions{
+				CacheTo: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"dest": "test"},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+			want: BuildOptions{
+				CacheTo: []*CacheOptionsEntry{
+					{
+						Type:  "local",
+						Attrs: map[string]string{"dest": filepath.Join(tmpwd, "test")},
+					},
+					{
+						Type:  "registry",
+						Attrs: map[string]string{"ref": "user/app"},
+					},
+				},
+			},
+		},
+		{
+			name: "exports",
+			options: BuildOptions{
+				Exports: []*ExportEntry{
+					{
+						Type:        "local",
+						Destination: "-",
+					},
+					{
+						Type:        "local",
+						Destination: "test1",
+					},
+					{
+						Type:        "tar",
+						Destination: "test3",
+					},
+					{
+						Type:        "oci",
+						Destination: "-",
+					},
+					{
+						Type:        "docker",
+						Destination: "test4",
+					},
+					{
+						Type:  "image",
+						Attrs: map[string]string{"push": "true"},
+					},
+				},
+			},
+			want: BuildOptions{
+				Exports: []*ExportEntry{
+					{
+						Type:        "local",
+						Destination: "-",
+					},
+					{
+						Type:        "local",
+						Destination: filepath.Join(tmpwd, "test1"),
+					},
+					{
+						Type:        "tar",
+						Destination: filepath.Join(tmpwd, "test3"),
+					},
+					{
+						Type:        "oci",
+						Destination: "-",
+					},
+					{
+						Type:        "docker",
+						Destination: filepath.Join(tmpwd, "test4"),
+					},
+					{
+						Type:  "image",
+						Attrs: map[string]string{"push": "true"},
+					},
+				},
+			},
+		},
+		{
+			name: "secrets",
+			options: BuildOptions{
+				Secrets: []*Secret{
+					{
+						FilePath: "test1",
+					},
+					{
+						ID:  "val",
+						Env: "a",
+					},
+					{
+						ID:       "test",
+						FilePath: "test3",
+					},
+				},
+			},
+			want: BuildOptions{
+				Secrets: []*Secret{
+					{
+						FilePath: filepath.Join(tmpwd, "test1"),
+					},
+					{
+						ID:  "val",
+						Env: "a",
+					},
+					{
+						ID:       "test",
+						FilePath: filepath.Join(tmpwd, "test3"),
+					},
+				},
+			},
+		},
+		{
+			name: "ssh",
+			options: BuildOptions{
+				SSH: []*SSH{
+					{
+						ID:    "default",
+						Paths: []string{"test1", "test2"},
+					},
+					{
+						ID:    "a",
+						Paths: []string{"test3"},
+					},
+				},
+			},
+			want: BuildOptions{
+				SSH: []*SSH{
+					{
+						ID:    "default",
+						Paths: []string{filepath.Join(tmpwd, "test1"), filepath.Join(tmpwd, "test2")},
+					},
+					{
+						ID:    "a",
+						Paths: []string{filepath.Join(tmpwd, "test3")},
+					},
+				},
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ResolveOptionPaths(&tt.options)
+			require.NoError(t, err)
+			if !reflect.DeepEqual(tt.want, *got) {
+				t.Fatalf("expected %#v, got %#v", tt.want, *got)
+			}
+		})
+	}
+}
--- a/controller/pb/progress.go
+++ b/controller/pb/progress.go
@@ -0,0 +1,126 @@
+package pb
+
+import (
+	"github.com/docker/buildx/util/progress"
+	control "github.com/moby/buildkit/api/services/control"
+	"github.com/moby/buildkit/client"
+	"github.com/opencontainers/go-digest"
+)
+
+type writer struct {
+	ch chan<- *StatusResponse
+}
+
+func NewProgressWriter(ch chan<- *StatusResponse) progress.Writer {
+	return &writer{ch: ch}
+}
+
+func (w *writer) Write(status *client.SolveStatus) {
+	w.ch <- ToControlStatus(status)
+}
+
+func (w *writer) WriteBuildRef(target string, ref string) {
+	return
+}
+
+func (w *writer) ValidateLogSource(digest.Digest, interface{}) bool {
+	return true
+}
+
+func (w *writer) ClearLogSource(interface{}) {}
+
+func ToControlStatus(s *client.SolveStatus) *StatusResponse {
+	resp := StatusResponse{}
+	for _, v := range s.Vertexes {
+		resp.Vertexes = append(resp.Vertexes, &control.Vertex{
+			Digest:        v.Digest,
+			Inputs:        v.Inputs,
+			Name:          v.Name,
+			Started:       v.Started,
+			Completed:     v.Completed,
+			Error:         v.Error,
+			Cached:        v.Cached,
+			ProgressGroup: v.ProgressGroup,
+		})
+	}
+	for _, v := range s.Statuses {
+		resp.Statuses = append(resp.Statuses, &control.VertexStatus{
+			ID:        v.ID,
+			Vertex:    v.Vertex,
+			Name:      v.Name,
+			Total:     v.Total,
+			Current:   v.Current,
+			Timestamp: v.Timestamp,
+			Started:   v.Started,
+			Completed: v.Completed,
+		})
+	}
+	for _, v := range s.Logs {
+		resp.Logs = append(resp.Logs, &control.VertexLog{
+			Vertex:    v.Vertex,
+			Stream:    int64(v.Stream),
+			Msg:       v.Data,
+			Timestamp: v.Timestamp,
+		})
+	}
+	for _, v := range s.Warnings {
+		resp.Warnings = append(resp.Warnings, &control.VertexWarning{
+			Vertex: v.Vertex,
+			Level:  int64(v.Level),
+			Short:  v.Short,
+			Detail: v.Detail,
+			Url:    v.URL,
+			Info:   v.SourceInfo,
+			Ranges: v.Range,
+		})
+	}
+	return &resp
+}
+
+func FromControlStatus(resp *StatusResponse) *client.SolveStatus {
+	s := client.SolveStatus{}
+	for _, v := range resp.Vertexes {
+		s.Vertexes = append(s.Vertexes, &client.Vertex{
+			Digest:        v.Digest,
+			Inputs:        v.Inputs,
+			Name:          v.Name,
+			Started:       v.Started,
+			Completed:     v.Completed,
+			Error:         v.Error,
+			Cached:        v.Cached,
+			ProgressGroup: v.ProgressGroup,
+		})
+	}
+	for _, v := range resp.Statuses {
+		s.Statuses = append(s.Statuses, &client.VertexStatus{
+			ID:        v.ID,
+			Vertex:    v.Vertex,
+			Name:      v.Name,
+			Total:     v.Total,
+			Current:   v.Current,
+			Timestamp: v.Timestamp,
+			Started:   v.Started,
+			Completed: v.Completed,
+		})
+	}
+	for _, v := range resp.Logs {
+		s.Logs = append(s.Logs, &client.VertexLog{
+			Vertex:    v.Vertex,
+			Stream:    int(v.Stream),
+			Data:      v.Msg,
+			Timestamp: v.Timestamp,
+		})
+	}
+	for _, v := range resp.Warnings {
+		s.Warnings = append(s.Warnings, &client.VertexWarning{
+			Vertex:     v.Vertex,
+			Level:      int(v.Level),
+			Short:      v.Short,
+			Detail:     v.Detail,
+			URL:        v.Url,
+			SourceInfo: v.Info,
+			Range:      v.Ranges,
+		})
+	}
+	return &s
+}
--- a/controller/pb/secrets.go
+++ b/controller/pb/secrets.go
@@ -0,0 +1,22 @@
+package pb
+
+import (
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/secrets/secretsprovider"
+)
+
+func CreateSecrets(secrets []*Secret) (session.Attachable, error) {
+	fs := make([]secretsprovider.Source, 0, len(secrets))
+	for _, secret := range secrets {
+		fs = append(fs, secretsprovider.Source{
+			ID:       secret.ID,
+			FilePath: secret.FilePath,
+			Env:      secret.Env,
+		})
+	}
+	store, err := secretsprovider.NewStore(fs)
+	if err != nil {
+		return nil, err
+	}
+	return secretsprovider.NewSecretProvider(store), nil
+}
--- a/controller/pb/ssh.go
+++ b/controller/pb/ssh.go
@@ -0,0 +1,18 @@
+package pb
+
+import (
+	"github.com/moby/buildkit/session"
+	"github.com/moby/buildkit/session/sshforward/sshprovider"
+)
+
+func CreateSSH(ssh []*SSH) (session.Attachable, error) {
+	configs := make([]sshprovider.AgentConfig, 0, len(ssh))
+	for _, ssh := range ssh {
+		cfg := sshprovider.AgentConfig{
+			ID:    ssh.ID,
+			Paths: append([]string{}, ssh.Paths...),
+		}
+		configs = append(configs, cfg)
+	}
+	return sshprovider.NewSSHAgentProvider(configs)
+}
--- a/controller/processes/processes.go
+++ b/controller/processes/processes.go
@@ -0,0 +1,149 @@
+package processes
+
+import (
+	"context"
+	"sync"
+	"sync/atomic"
+
+	"github.com/docker/buildx/build"
+	"github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/ioset"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+// Process provides methods to control a process.
+type Process struct {
+	inEnd         *ioset.Forwarder
+	invokeConfig  *pb.InvokeConfig
+	errCh         chan error
+	processCancel func()
+	serveIOCancel func()
+}
+
+// ForwardIO forwards process's io to the specified reader/writer.
+// Optionally specify ioCancelCallback which will be called when
+// the process closes the specified IO. This will be useful for additional cleanup.
+func (p *Process) ForwardIO(in *ioset.In, ioCancelCallback func()) {
+	p.inEnd.SetIn(in)
+	if f := p.serveIOCancel; f != nil {
+		f()
+	}
+	p.serveIOCancel = ioCancelCallback
+}
+
+// Done returns a channel where error or nil will be sent
+// when the process exits.
+// TODO: change this to Wait()
+func (p *Process) Done() <-chan error {
+	return p.errCh
+}
+
+// Manager manages a set of proceses.
+type Manager struct {
+	container atomic.Value
+	processes sync.Map
+}
+
+// NewManager creates and returns a Manager.
+func NewManager() *Manager {
+	return &Manager{}
+}
+
+// Get returns the specified process.
+func (m *Manager) Get(id string) (*Process, bool) {
+	v, ok := m.processes.Load(id)
+	if !ok {
+		return nil, false
+	}
+	return v.(*Process), true
+}
+
+// CancelRunningProcesses cancels execution of all running processes.
+func (m *Manager) CancelRunningProcesses() {
+	var funcs []func()
+	m.processes.Range(func(key, value any) bool {
+		funcs = append(funcs, value.(*Process).processCancel)
+		m.processes.Delete(key)
+		return true
+	})
+	for _, f := range funcs {
+		f()
+	}
+}
+
+// ListProcesses lists all running processes.
+func (m *Manager) ListProcesses() (res []*pb.ProcessInfo) {
+	m.processes.Range(func(key, value any) bool {
+		res = append(res, &pb.ProcessInfo{
+			ProcessID:    key.(string),
+			InvokeConfig: value.(*Process).invokeConfig,
+		})
+		return true
+	})
+	return res
+}
+
+// DeleteProcess deletes the specified process.
+func (m *Manager) DeleteProcess(id string) error {
+	p, ok := m.processes.LoadAndDelete(id)
+	if !ok {
+		return errors.Errorf("unknown process %q", id)
+	}
+	p.(*Process).processCancel()
+	return nil
+}
+
+// StartProcess starts a process in the container.
+// When a container isn't available (i.e. first time invoking or the container has exited) or cfg.Rollback is set,
+// this method will start a new container and run the process in it. Otherwise, this method starts a new process in the
+// existing container.
+func (m *Manager) StartProcess(pid string, resultCtx *build.ResultHandle, cfg *pb.InvokeConfig) (*Process, error) {
+	// Get the target result to invoke a container from
+	var ctr *build.Container
+	if a := m.container.Load(); a != nil {
+		ctr = a.(*build.Container)
+	}
+	if cfg.Rollback || ctr == nil || ctr.IsUnavailable() {
+		go m.CancelRunningProcesses()
+		// (Re)create a new container if this is rollback or first time to invoke a process.
+		if ctr != nil {
+			go ctr.Cancel() // Finish the existing container
+		}
+		var err error
+		ctr, err = build.NewContainer(context.TODO(), resultCtx, cfg)
+		if err != nil {
+			return nil, errors.Errorf("failed to create container %v", err)
+		}
+		m.container.Store(ctr)
+	}
+	// [client(ForwardIO)] <-forwarder(switchable)-> [out] <-pipe-> [in] <- [process]
+	in, out := ioset.Pipe()
+	f := ioset.NewForwarder()
+	f.PropagateStdinClose = false
+	f.SetOut(&out)
+
+	// Register process
+	ctx, cancel := context.WithCancel(context.TODO())
+	var cancelOnce sync.Once
+	processCancelFunc := func() { cancelOnce.Do(func() { cancel(); f.Close(); in.Close(); out.Close() }) }
+	p := &Process{
+		inEnd:         f,
+		invokeConfig:  cfg,
+		processCancel: processCancelFunc,
+		errCh:         make(chan error),
+	}
+	m.processes.Store(pid, p)
+	go func() {
+		var err error
+		if err = ctr.Exec(ctx, cfg, in.Stdin, in.Stdout, in.Stderr); err != nil {
+			logrus.Debugf("process error: %v", err)
+		}
+		logrus.Debugf("finished process %s %v", pid, cfg.Entrypoint)
+		m.processes.Delete(pid)
+		processCancelFunc()
+		p.errCh <- err
+	}()
+
+	return p, nil
+}
--- a/controller/remote/client.go
+++ b/controller/remote/client.go
@@ -0,0 +1,240 @@
+package remote
+
+import (
+	"context"
+	"io"
+	"sync"
+	"time"
+
+	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/pkg/dialer"
+	"github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/progress"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/identity"
+	"github.com/moby/buildkit/util/grpcerrors"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+func NewClient(ctx context.Context, addr string) (*Client, error) {
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	connParams := grpc.ConnectParams{
+		Backoff: backoffConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithBlock(),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
+		grpc.WithUnaryInterceptor(grpcerrors.UnaryClientInterceptor),
+		grpc.WithStreamInterceptor(grpcerrors.StreamClientInterceptor),
+	}
+	conn, err := grpc.DialContext(ctx, dialer.DialAddress(addr), gopts...)
+	if err != nil {
+		return nil, err
+	}
+	return &Client{conn: conn}, nil
+}
+
+type Client struct {
+	conn      *grpc.ClientConn
+	closeOnce sync.Once
+}
+
+func (c *Client) Close() (err error) {
+	c.closeOnce.Do(func() {
+		err = c.conn.Close()
+	})
+	return
+}
+
+func (c *Client) Version(ctx context.Context) (string, string, string, error) {
+	res, err := c.client().Info(ctx, &pb.InfoRequest{})
+	if err != nil {
+		return "", "", "", err
+	}
+	v := res.BuildxVersion
+	return v.Package, v.Version, v.Revision, nil
+}
+
+func (c *Client) List(ctx context.Context) (keys []string, retErr error) {
+	res, err := c.client().List(ctx, &pb.ListRequest{})
+	if err != nil {
+		return nil, err
+	}
+	return res.Keys, nil
+}
+
+func (c *Client) Disconnect(ctx context.Context, key string) error {
+	if key == "" {
+		return nil
+	}
+	_, err := c.client().Disconnect(ctx, &pb.DisconnectRequest{Ref: key})
+	return err
+}
+
+func (c *Client) ListProcesses(ctx context.Context, ref string) (infos []*pb.ProcessInfo, retErr error) {
+	res, err := c.client().ListProcesses(ctx, &pb.ListProcessesRequest{Ref: ref})
+	if err != nil {
+		return nil, err
+	}
+	return res.Infos, nil
+}
+
+func (c *Client) DisconnectProcess(ctx context.Context, ref, pid string) error {
+	_, err := c.client().DisconnectProcess(ctx, &pb.DisconnectProcessRequest{Ref: ref, ProcessID: pid})
+	return err
+}
+
+func (c *Client) Invoke(ctx context.Context, ref string, pid string, invokeConfig pb.InvokeConfig, in io.ReadCloser, stdout io.WriteCloser, stderr io.WriteCloser) error {
+	if ref == "" || pid == "" {
+		return errors.New("build reference must be specified")
+	}
+	stream, err := c.client().Invoke(ctx)
+	if err != nil {
+		return err
+	}
+	return attachIO(ctx, stream, &pb.InitMessage{Ref: ref, ProcessID: pid, InvokeConfig: &invokeConfig}, ioAttachConfig{
+		stdin:  in,
+		stdout: stdout,
+		stderr: stderr,
+		// TODO: Signal, Resize
+	})
+}
+
+func (c *Client) Inspect(ctx context.Context, ref string) (*pb.InspectResponse, error) {
+	return c.client().Inspect(ctx, &pb.InspectRequest{Ref: ref})
+}
+
+func (c *Client) Build(ctx context.Context, options pb.BuildOptions, in io.ReadCloser, progress progress.Writer) (string, *client.SolveResponse, error) {
+	ref := identity.NewID()
+	statusChan := make(chan *client.SolveStatus)
+	eg, egCtx := errgroup.WithContext(ctx)
+	var resp *client.SolveResponse
+	eg.Go(func() error {
+		defer close(statusChan)
+		var err error
+		resp, err = c.build(egCtx, ref, options, in, statusChan)
+		return err
+	})
+	eg.Go(func() error {
+		for s := range statusChan {
+			st := s
+			progress.Write(st)
+		}
+		return nil
+	})
+	return ref, resp, eg.Wait()
+}
+
+func (c *Client) build(ctx context.Context, ref string, options pb.BuildOptions, in io.ReadCloser, statusChan chan *client.SolveStatus) (*client.SolveResponse, error) {
+	eg, egCtx := errgroup.WithContext(ctx)
+	done := make(chan struct{})
+
+	var resp *client.SolveResponse
+
+	eg.Go(func() error {
+		defer close(done)
+		pbResp, err := c.client().Build(egCtx, &pb.BuildRequest{
+			Ref:     ref,
+			Options: &options,
+		})
+		if err != nil {
+			return err
+		}
+		resp = &client.SolveResponse{
+			ExporterResponse: pbResp.ExporterResponse,
+		}
+		return nil
+	})
+	eg.Go(func() error {
+		stream, err := c.client().Status(egCtx, &pb.StatusRequest{
+			Ref: ref,
+		})
+		if err != nil {
+			return err
+		}
+		for {
+			resp, err := stream.Recv()
+			if err != nil {
+				if err == io.EOF {
+					return nil
+				}
+				return errors.Wrap(err, "failed to receive status")
+			}
+			statusChan <- pb.FromControlStatus(resp)
+		}
+	})
+	if in != nil {
+		eg.Go(func() error {
+			stream, err := c.client().Input(egCtx)
+			if err != nil {
+				return err
+			}
+			if err := stream.Send(&pb.InputMessage{
+				Input: &pb.InputMessage_Init{
+					Init: &pb.InputInitMessage{
+						Ref: ref,
+					},
+				},
+			}); err != nil {
+				return errors.Wrap(err, "failed to init input")
+			}
+
+			inReader, inWriter := io.Pipe()
+			eg2, _ := errgroup.WithContext(ctx)
+			eg2.Go(func() error {
+				<-done
+				return inWriter.Close()
+			})
+			go func() {
+				// do not wait for read completion but return here and let the caller send EOF
+				// this allows us to return on ctx.Done() without being blocked by this reader.
+				io.Copy(inWriter, in)
+				inWriter.Close()
+			}()
+			eg2.Go(func() error {
+				for {
+					buf := make([]byte, 32*1024)
+					n, err := inReader.Read(buf)
+					if err != nil {
+						if err == io.EOF {
+							break // break loop and send EOF
+						}
+						return err
+					} else if n > 0 {
+						if stream.Send(&pb.InputMessage{
+							Input: &pb.InputMessage_Data{
+								Data: &pb.DataMessage{
+									Data: buf[:n],
+								},
+							},
+						}); err != nil {
+							return err
+						}
+					}
+				}
+				return stream.Send(&pb.InputMessage{
+					Input: &pb.InputMessage_Data{
+						Data: &pb.DataMessage{
+							EOF: true,
+						},
+					},
+				})
+			})
+			return eg2.Wait()
+		})
+	}
+	return resp, eg.Wait()
+}
+
+func (c *Client) client() pb.ControllerClient {
+	return pb.NewControllerClient(c.conn)
+}
--- a/controller/remote/controller.go
+++ b/controller/remote/controller.go
@@ -0,0 +1,333 @@
+//go:build linux
+
+package remote
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"strconv"
+	"syscall"
+	"time"
+
+	"github.com/containerd/log"
+	"github.com/docker/buildx/build"
+	cbuild "github.com/docker/buildx/controller/build"
+	"github.com/docker/buildx/controller/control"
+	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/util/confutil"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/buildx/version"
+	"github.com/docker/cli/cli/command"
+	"github.com/moby/buildkit/client"
+	"github.com/moby/buildkit/util/grpcerrors"
+	"github.com/pelletier/go-toml"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc"
+)
+
+const (
+	serveCommandName = "_INTERNAL_SERVE"
+)
+
+var (
+	defaultLogFilename    = fmt.Sprintf("buildx.%s.log", version.Revision)
+	defaultSocketFilename = fmt.Sprintf("buildx.%s.sock", version.Revision)
+	defaultPIDFilename    = fmt.Sprintf("buildx.%s.pid", version.Revision)
+)
+
+type serverConfig struct {
+	// Specify buildx server root
+	Root string `toml:"root"`
+
+	// LogLevel sets the logging level [trace, debug, info, warn, error, fatal, panic]
+	LogLevel string `toml:"log_level"`
+
+	// Specify file to output buildx server log
+	LogFile string `toml:"log_file"`
+}
+
+func NewRemoteBuildxController(ctx context.Context, dockerCli command.Cli, opts control.ControlOptions, logger progress.SubLogger) (control.BuildxController, error) {
+	rootDir := opts.Root
+	if rootDir == "" {
+		rootDir = rootDataDir(dockerCli)
+	}
+	serverRoot := filepath.Join(rootDir, "shared")
+
+	// connect to buildx server if it is already running
+	ctx2, cancel := context.WithTimeout(ctx, 1*time.Second)
+	c, err := newBuildxClientAndCheck(ctx2, filepath.Join(serverRoot, defaultSocketFilename))
+	cancel()
+	if err != nil {
+		if !errors.Is(err, context.DeadlineExceeded) {
+			return nil, errors.Wrap(err, "cannot connect to the buildx server")
+		}
+	} else {
+		return &buildxController{c, serverRoot}, nil
+	}
+
+	// start buildx server via subcommand
+	err = logger.Wrap("no buildx server found; launching...", func() error {
+		launchFlags := []string{}
+		if opts.ServerConfig != "" {
+			launchFlags = append(launchFlags, "--config", opts.ServerConfig)
+		}
+		logFile, err := getLogFilePath(dockerCli, opts.ServerConfig)
+		if err != nil {
+			return err
+		}
+		wait, err := launch(ctx, logFile, append([]string{serveCommandName}, launchFlags...)...)
+		if err != nil {
+			return err
+		}
+		go wait()
+
+		// wait for buildx server to be ready
+		ctx2, cancel = context.WithTimeout(ctx, 10*time.Second)
+		c, err = newBuildxClientAndCheck(ctx2, filepath.Join(serverRoot, defaultSocketFilename))
+		cancel()
+		if err != nil {
+			return errors.Wrap(err, "cannot connect to the buildx server")
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &buildxController{c, serverRoot}, nil
+}
+
+func AddControllerCommands(cmd *cobra.Command, dockerCli command.Cli) {
+	cmd.AddCommand(
+		serveCmd(dockerCli),
+	)
+}
+
+func serveCmd(dockerCli command.Cli) *cobra.Command {
+	var serverConfigPath string
+	cmd := &cobra.Command{
+		Use:    fmt.Sprintf("%s [OPTIONS]", serveCommandName),
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			// Parse config
+			config, err := getConfig(dockerCli, serverConfigPath)
+			if err != nil {
+				return err
+			}
+			if config.LogLevel == "" {
+				logrus.SetLevel(logrus.InfoLevel)
+			} else {
+				lvl, err := logrus.ParseLevel(config.LogLevel)
+				if err != nil {
+					return errors.Wrap(err, "failed to prepare logger")
+				}
+				logrus.SetLevel(lvl)
+			}
+			logrus.SetFormatter(&logrus.JSONFormatter{
+				TimestampFormat: log.RFC3339NanoFixed,
+			})
+			root, err := prepareRootDir(dockerCli, config)
+			if err != nil {
+				return err
+			}
+			pidF := filepath.Join(root, defaultPIDFilename)
+			if err := os.WriteFile(pidF, []byte(fmt.Sprintf("%d", os.Getpid())), 0600); err != nil {
+				return err
+			}
+			defer func() {
+				if err := os.Remove(pidF); err != nil {
+					logrus.Errorf("failed to clean up info file %q: %v", pidF, err)
+				}
+			}()
+
+			// prepare server
+			b := NewServer(func(ctx context.Context, options *controllerapi.BuildOptions, stdin io.Reader, progress progress.Writer) (*client.SolveResponse, *build.ResultHandle, error) {
+				return cbuild.RunBuild(ctx, dockerCli, *options, stdin, progress, true)
+			})
+			defer b.Close()
+
+			// serve server
+			addr := filepath.Join(root, defaultSocketFilename)
+			if err := os.Remove(addr); err != nil && !os.IsNotExist(err) { // avoid EADDRINUSE
+				return err
+			}
+			defer func() {
+				if err := os.Remove(addr); err != nil {
+					logrus.Errorf("failed to clean up socket %q: %v", addr, err)
+				}
+			}()
+			logrus.Infof("starting server at %q", addr)
+			l, err := net.Listen("unix", addr)
+			if err != nil {
+				return err
+			}
+			rpc := grpc.NewServer(
+				grpc.UnaryInterceptor(grpcerrors.UnaryServerInterceptor),
+				grpc.StreamInterceptor(grpcerrors.StreamServerInterceptor),
+			)
+			controllerapi.RegisterControllerServer(rpc, b)
+			doneCh := make(chan struct{})
+			errCh := make(chan error, 1)
+			go func() {
+				defer close(doneCh)
+				if err := rpc.Serve(l); err != nil {
+					errCh <- errors.Wrapf(err, "error on serving via socket %q", addr)
+				}
+			}()
+
+			var s os.Signal
+			sigCh := make(chan os.Signal, 1)
+			signal.Notify(sigCh, syscall.SIGINT)
+			signal.Notify(sigCh, syscall.SIGTERM)
+			select {
+			case err := <-errCh:
+				logrus.Errorf("got error %s, exiting", err)
+				return err
+			case s = <-sigCh:
+				logrus.Infof("got signal %s, exiting", s)
+				return nil
+			case <-doneCh:
+				logrus.Infof("rpc server done, exiting")
+				return nil
+			}
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.StringVar(&serverConfigPath, "config", "", "Specify buildx server config file")
+	return cmd
+}
+
+func getLogFilePath(dockerCli command.Cli, configPath string) (string, error) {
+	config, err := getConfig(dockerCli, configPath)
+	if err != nil {
+		return "", err
+	}
+	if config.LogFile == "" {
+		root, err := prepareRootDir(dockerCli, config)
+		if err != nil {
+			return "", err
+		}
+		return filepath.Join(root, defaultLogFilename), nil
+	}
+	return config.LogFile, nil
+}
+
+func getConfig(dockerCli command.Cli, configPath string) (*serverConfig, error) {
+	var defaultConfigPath bool
+	if configPath == "" {
+		defaultRoot := rootDataDir(dockerCli)
+		configPath = filepath.Join(defaultRoot, "config.toml")
+		defaultConfigPath = true
+	}
+	var config serverConfig
+	tree, err := toml.LoadFile(configPath)
+	if err != nil && !(os.IsNotExist(err) && defaultConfigPath) {
+		return nil, errors.Wrapf(err, "failed to read config %q", configPath)
+	} else if err == nil {
+		if err := tree.Unmarshal(&config); err != nil {
+			return nil, errors.Wrapf(err, "failed to unmarshal config %q", configPath)
+		}
+	}
+	return &config, nil
+}
+
+func prepareRootDir(dockerCli command.Cli, config *serverConfig) (string, error) {
+	rootDir := config.Root
+	if rootDir == "" {
+		rootDir = rootDataDir(dockerCli)
+	}
+	if rootDir == "" {
+		return "", errors.New("buildx root dir must be determined")
+	}
+	if err := os.MkdirAll(rootDir, 0700); err != nil {
+		return "", err
+	}
+	serverRoot := filepath.Join(rootDir, "shared")
+	if err := os.MkdirAll(serverRoot, 0700); err != nil {
+		return "", err
+	}
+	return serverRoot, nil
+}
+
+func rootDataDir(dockerCli command.Cli) string {
+	return filepath.Join(confutil.ConfigDir(dockerCli), "controller")
+}
+
+func newBuildxClientAndCheck(ctx context.Context, addr string) (*Client, error) {
+	c, err := NewClient(ctx, addr)
+	if err != nil {
+		return nil, err
+	}
+	p, v, r, err := c.Version(ctx)
+	if err != nil {
+		return nil, err
+	}
+	logrus.Debugf("connected to server (\"%v %v %v\")", p, v, r)
+	if !(p == version.Package && v == version.Version && r == version.Revision) {
+		return nil, errors.Errorf("version mismatch (client: \"%v %v %v\", server: \"%v %v %v\")", version.Package, version.Version, version.Revision, p, v, r)
+	}
+	return c, nil
+}
+
+type buildxController struct {
+	*Client
+	serverRoot string
+}
+
+func (c *buildxController) Kill(ctx context.Context) error {
+	pidB, err := os.ReadFile(filepath.Join(c.serverRoot, defaultPIDFilename))
+	if err != nil {
+		return err
+	}
+	pid, err := strconv.ParseInt(string(pidB), 10, 64)
+	if err != nil {
+		return err
+	}
+	if pid <= 0 {
+		return errors.New("no PID is recorded for buildx server")
+	}
+	p, err := os.FindProcess(int(pid))
+	if err != nil {
+		return err
+	}
+	if err := p.Signal(syscall.SIGINT); err != nil {
+		return err
+	}
+	// TODO: Should we send SIGKILL if process doesn't finish?
+	return nil
+}
+
+func launch(ctx context.Context, logFile string, args ...string) (func() error, error) {
+	// set absolute path of binary, since we set the working directory to the root
+	pathname, err := os.Executable()
+	if err != nil {
+		return nil, err
+	}
+	bCmd := exec.CommandContext(ctx, pathname, args...)
+	if logFile != "" {
+		f, err := os.OpenFile(logFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+		if err != nil {
+			return nil, err
+		}
+		defer f.Close()
+		bCmd.Stdout = f
+		bCmd.Stderr = f
+	}
+	bCmd.Stdin = nil
+	bCmd.Dir = "/"
+	bCmd.SysProcAttr = &syscall.SysProcAttr{
+		Setsid: true,
+	}
+	if err := bCmd.Start(); err != nil {
+		return nil, err
+	}
+	return bCmd.Wait, nil
+}
--- a/controller/remote/controller_nolinux.go
+++ b/controller/remote/controller_nolinux.go
@@ -0,0 +1,19 @@
+//go:build !linux
+
+package remote
+
+import (
+	"context"
+
+	"github.com/docker/buildx/controller/control"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/cli/cli/command"
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+)
+
+func NewRemoteBuildxController(ctx context.Context, dockerCli command.Cli, opts control.ControlOptions, logger progress.SubLogger) (control.BuildxController, error) {
+	return nil, errors.New("remote buildx unsupported")
+}
+
+func AddControllerCommands(cmd *cobra.Command, dockerCli command.Cli) {}
--- a/controller/remote/io.go
+++ b/controller/remote/io.go
@@ -0,0 +1,430 @@
+package remote
+
+import (
+	"context"
+	"io"
+	"syscall"
+	"time"
+
+	"github.com/docker/buildx/controller/pb"
+	"github.com/moby/sys/signal"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sync/errgroup"
+)
+
+type msgStream interface {
+	Send(*pb.Message) error
+	Recv() (*pb.Message, error)
+}
+
+type ioServerConfig struct {
+	stdin          io.WriteCloser
+	stdout, stderr io.ReadCloser
+
+	// signalFn is a callback function called when a signal is reached to the client.
+	signalFn func(context.Context, syscall.Signal) error
+
+	// resizeFn is a callback function called when a resize event is reached to the client.
+	resizeFn func(context.Context, winSize) error
+}
+
+func serveIO(attachCtx context.Context, srv msgStream, initFn func(*pb.InitMessage) error, ioConfig *ioServerConfig) (err error) {
+	stdin, stdout, stderr := ioConfig.stdin, ioConfig.stdout, ioConfig.stderr
+	stream := &debugStream{srv, "server=" + time.Now().String()}
+	eg, ctx := errgroup.WithContext(attachCtx)
+	done := make(chan struct{})
+
+	msg, err := receive(ctx, stream)
+	if err != nil {
+		return err
+	}
+	init := msg.GetInit()
+	if init == nil {
+		return errors.Errorf("unexpected message: %T; wanted init", msg.GetInput())
+	}
+	ref := init.Ref
+	if ref == "" {
+		return errors.New("no ref is provided")
+	}
+	if err := initFn(init); err != nil {
+		return errors.Wrap(err, "failed to initialize IO server")
+	}
+
+	if stdout != nil {
+		stdoutReader, stdoutWriter := io.Pipe()
+		eg.Go(func() error {
+			<-done
+			return stdoutWriter.Close()
+		})
+
+		go func() {
+			// do not wait for read completion but return here and let the caller send EOF
+			// this allows us to return on ctx.Done() without being blocked by this reader.
+			io.Copy(stdoutWriter, stdout)
+			stdoutWriter.Close()
+		}()
+
+		eg.Go(func() error {
+			defer stdoutReader.Close()
+			return copyToStream(1, stream, stdoutReader)
+		})
+	}
+
+	if stderr != nil {
+		stderrReader, stderrWriter := io.Pipe()
+		eg.Go(func() error {
+			<-done
+			return stderrWriter.Close()
+		})
+
+		go func() {
+			// do not wait for read completion but return here and let the caller send EOF
+			// this allows us to return on ctx.Done() without being blocked by this reader.
+			io.Copy(stderrWriter, stderr)
+			stderrWriter.Close()
+		}()
+
+		eg.Go(func() error {
+			defer stderrReader.Close()
+			return copyToStream(2, stream, stderrReader)
+		})
+	}
+
+	msgCh := make(chan *pb.Message)
+	eg.Go(func() error {
+		defer close(msgCh)
+		for {
+			msg, err := receive(ctx, stream)
+			if err != nil {
+				return err
+			}
+			select {
+			case msgCh <- msg:
+			case <-done:
+				return nil
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	})
+
+	eg.Go(func() error {
+		defer close(done)
+		for {
+			var msg *pb.Message
+			select {
+			case msg = <-msgCh:
+			case <-ctx.Done():
+				return nil
+			}
+			if msg == nil {
+				return nil
+			}
+			if file := msg.GetFile(); file != nil {
+				if file.Fd != 0 {
+					return errors.Errorf("unexpected fd: %v", file.Fd)
+				}
+				if stdin == nil {
+					continue // no stdin destination is specified so ignore the data
+				}
+				if len(file.Data) > 0 {
+					_, err := stdin.Write(file.Data)
+					if err != nil {
+						return err
+					}
+				}
+				if file.EOF {
+					stdin.Close()
+				}
+			} else if resize := msg.GetResize(); resize != nil {
+				if ioConfig.resizeFn != nil {
+					ioConfig.resizeFn(ctx, winSize{
+						cols: resize.Cols,
+						rows: resize.Rows,
+					})
+				}
+			} else if sig := msg.GetSignal(); sig != nil {
+				if ioConfig.signalFn != nil {
+					syscallSignal, ok := signal.SignalMap[sig.Name]
+					if !ok {
+						continue
+					}
+					ioConfig.signalFn(ctx, syscallSignal)
+				}
+			} else {
+				return errors.Errorf("unexpected message: %T", msg.GetInput())
+			}
+		}
+	})
+
+	return eg.Wait()
+}
+
+type ioAttachConfig struct {
+	stdin          io.ReadCloser
+	stdout, stderr io.WriteCloser
+	signal         <-chan syscall.Signal
+	resize         <-chan winSize
+}
+
+type winSize struct {
+	rows uint32
+	cols uint32
+}
+
+func attachIO(ctx context.Context, stream msgStream, initMessage *pb.InitMessage, cfg ioAttachConfig) (retErr error) {
+	eg, ctx := errgroup.WithContext(ctx)
+	done := make(chan struct{})
+
+	if err := stream.Send(&pb.Message{
+		Input: &pb.Message_Init{
+			Init: initMessage,
+		},
+	}); err != nil {
+		return errors.Wrap(err, "failed to init")
+	}
+
+	if cfg.stdin != nil {
+		stdinReader, stdinWriter := io.Pipe()
+		eg.Go(func() error {
+			<-done
+			return stdinWriter.Close()
+		})
+
+		go func() {
+			// do not wait for read completion but return here and let the caller send EOF
+			// this allows us to return on ctx.Done() without being blocked by this reader.
+			io.Copy(stdinWriter, cfg.stdin)
+			stdinWriter.Close()
+		}()
+
+		eg.Go(func() error {
+			defer stdinReader.Close()
+			return copyToStream(0, stream, stdinReader)
+		})
+	}
+
+	if cfg.signal != nil {
+		eg.Go(func() error {
+			for {
+				var sig syscall.Signal
+				select {
+				case sig = <-cfg.signal:
+				case <-done:
+					return nil
+				case <-ctx.Done():
+					return nil
+				}
+				name := sigToName[sig]
+				if name == "" {
+					continue
+				}
+				if err := stream.Send(&pb.Message{
+					Input: &pb.Message_Signal{
+						Signal: &pb.SignalMessage{
+							Name: name,
+						},
+					},
+				}); err != nil {
+					return errors.Wrap(err, "failed to send signal")
+				}
+			}
+		})
+	}
+
+	if cfg.resize != nil {
+		eg.Go(func() error {
+			for {
+				var win winSize
+				select {
+				case win = <-cfg.resize:
+				case <-done:
+					return nil
+				case <-ctx.Done():
+					return nil
+				}
+				if err := stream.Send(&pb.Message{
+					Input: &pb.Message_Resize{
+						Resize: &pb.ResizeMessage{
+							Rows: win.rows,
+							Cols: win.cols,
+						},
+					},
+				}); err != nil {
+					return errors.Wrap(err, "failed to send resize")
+				}
+			}
+		})
+	}
+
+	msgCh := make(chan *pb.Message)
+	eg.Go(func() error {
+		defer close(msgCh)
+		for {
+			msg, err := receive(ctx, stream)
+			if err != nil {
+				return err
+			}
+			select {
+			case msgCh <- msg:
+			case <-done:
+				return nil
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	})
+
+	eg.Go(func() error {
+		eofs := make(map[uint32]struct{})
+		defer close(done)
+		for {
+			var msg *pb.Message
+			select {
+			case msg = <-msgCh:
+			case <-ctx.Done():
+				return nil
+			}
+			if msg == nil {
+				return nil
+			}
+			if file := msg.GetFile(); file != nil {
+				if _, ok := eofs[file.Fd]; ok {
+					continue
+				}
+				var out io.WriteCloser
+				switch file.Fd {
+				case 1:
+					out = cfg.stdout
+				case 2:
+					out = cfg.stderr
+				default:
+					return errors.Errorf("unsupported fd %d", file.Fd)
+
+				}
+				if out == nil {
+					logrus.Warnf("attachIO: no writer for fd %d", file.Fd)
+					continue
+				}
+				if len(file.Data) > 0 {
+					if _, err := out.Write(file.Data); err != nil {
+						return err
+					}
+				}
+				if file.EOF {
+					eofs[file.Fd] = struct{}{}
+				}
+			} else {
+				return errors.Errorf("unexpected message: %T", msg.GetInput())
+			}
+		}
+	})
+
+	return eg.Wait()
+}
+
+func receive(ctx context.Context, stream msgStream) (*pb.Message, error) {
+	msgCh := make(chan *pb.Message)
+	errCh := make(chan error)
+	go func() {
+		msg, err := stream.Recv()
+		if err != nil {
+			if errors.Is(err, io.EOF) {
+				return
+			}
+			errCh <- err
+			return
+		}
+		msgCh <- msg
+	}()
+	select {
+	case msg := <-msgCh:
+		return msg, nil
+	case err := <-errCh:
+		return nil, err
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	}
+}
+
+func copyToStream(fd uint32, snd msgStream, r io.Reader) error {
+	for {
+		buf := make([]byte, 32*1024)
+		n, err := r.Read(buf)
+		if err != nil {
+			if err == io.EOF {
+				break // break loop and send EOF
+			}
+			return err
+		} else if n > 0 {
+			if snd.Send(&pb.Message{
+				Input: &pb.Message_File{
+					File: &pb.FdMessage{
+						Fd:   fd,
+						Data: buf[:n],
+					},
+				},
+			}); err != nil {
+				return err
+			}
+		}
+	}
+	return snd.Send(&pb.Message{
+		Input: &pb.Message_File{
+			File: &pb.FdMessage{
+				Fd:  fd,
+				EOF: true,
+			},
+		},
+	})
+}
+
+var sigToName = map[syscall.Signal]string{}
+
+func init() {
+	for name, value := range signal.SignalMap {
+		sigToName[value] = name
+	}
+}
+
+type debugStream struct {
+	msgStream
+	prefix string
+}
+
+func (s *debugStream) Send(msg *pb.Message) error {
+	switch m := msg.GetInput().(type) {
+	case *pb.Message_File:
+		if m.File.EOF {
+			logrus.Debugf("|---> File Message (sender:%v) fd=%d, EOF", s.prefix, m.File.Fd)
+		} else {
+			logrus.Debugf("|---> File Message (sender:%v) fd=%d, %d bytes", s.prefix, m.File.Fd, len(m.File.Data))
+		}
+	case *pb.Message_Resize:
+		logrus.Debugf("|---> Resize Message (sender:%v): %+v", s.prefix, m.Resize)
+	case *pb.Message_Signal:
+		logrus.Debugf("|---> Signal Message (sender:%v): %s", s.prefix, m.Signal.Name)
+	}
+	return s.msgStream.Send(msg)
+}
+
+func (s *debugStream) Recv() (*pb.Message, error) {
+	msg, err := s.msgStream.Recv()
+	if err != nil {
+		return nil, err
+	}
+	switch m := msg.GetInput().(type) {
+	case *pb.Message_File:
+		if m.File.EOF {
+			logrus.Debugf("|<--- File Message (receiver:%v) fd=%d, EOF", s.prefix, m.File.Fd)
+		} else {
+			logrus.Debugf("|<--- File Message (receiver:%v) fd=%d, %d bytes", s.prefix, m.File.Fd, len(m.File.Data))
+		}
+	case *pb.Message_Resize:
+		logrus.Debugf("|<--- Resize Message (receiver:%v): %+v", s.prefix, m.Resize)
+	case *pb.Message_Signal:
+		logrus.Debugf("|<--- Signal Message (receiver:%v): %s", s.prefix, m.Signal.Name)
+	}
+	return msg, nil
+}
--- a/controller/remote/server.go
+++ b/controller/remote/server.go
@@ -0,0 +1,439 @@
+package remote
+
+import (
+	"context"
+	"io"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/docker/buildx/build"
+	controllererrors "github.com/docker/buildx/controller/errdefs"
+	"github.com/docker/buildx/controller/pb"
+	"github.com/docker/buildx/controller/processes"
+	"github.com/docker/buildx/util/ioset"
+	"github.com/docker/buildx/util/progress"
+	"github.com/docker/buildx/version"
+	"github.com/moby/buildkit/client"
+	"github.com/pkg/errors"
+	"golang.org/x/sync/errgroup"
+)
+
+type BuildFunc func(ctx context.Context, options *pb.BuildOptions, stdin io.Reader, progress progress.Writer) (resp *client.SolveResponse, res *build.ResultHandle, err error)
+
+func NewServer(buildFunc BuildFunc) *Server {
+	return &Server{
+		buildFunc: buildFunc,
+	}
+}
+
+type Server struct {
+	buildFunc BuildFunc
+	session   map[string]*session
+	sessionMu sync.Mutex
+}
+
+type session struct {
+	buildOnGoing atomic.Bool
+	statusChan   chan *pb.StatusResponse
+	cancelBuild  func()
+	buildOptions *pb.BuildOptions
+	inputPipe    *io.PipeWriter
+
+	result *build.ResultHandle
+
+	processes *processes.Manager
+}
+
+func (s *session) cancelRunningProcesses() {
+	s.processes.CancelRunningProcesses()
+}
+
+func (m *Server) ListProcesses(ctx context.Context, req *pb.ListProcessesRequest) (res *pb.ListProcessesResponse, err error) {
+	m.sessionMu.Lock()
+	defer m.sessionMu.Unlock()
+	s, ok := m.session[req.Ref]
+	if !ok {
+		return nil, errors.Errorf("unknown ref %q", req.Ref)
+	}
+	res = new(pb.ListProcessesResponse)
+	res.Infos = append(res.Infos, s.processes.ListProcesses()...)
+	return res, nil
+}
+
+func (m *Server) DisconnectProcess(ctx context.Context, req *pb.DisconnectProcessRequest) (res *pb.DisconnectProcessResponse, err error) {
+	m.sessionMu.Lock()
+	defer m.sessionMu.Unlock()
+	s, ok := m.session[req.Ref]
+	if !ok {
+		return nil, errors.Errorf("unknown ref %q", req.Ref)
+	}
+	return res, s.processes.DeleteProcess(req.ProcessID)
+}
+
+func (m *Server) Info(ctx context.Context, req *pb.InfoRequest) (res *pb.InfoResponse, err error) {
+	return &pb.InfoResponse{
+		BuildxVersion: &pb.BuildxVersion{
+			Package:  version.Package,
+			Version:  version.Version,
+			Revision: version.Revision,
+		},
+	}, nil
+}
+
+func (m *Server) List(ctx context.Context, req *pb.ListRequest) (res *pb.ListResponse, err error) {
+	keys := make(map[string]struct{})
+
+	m.sessionMu.Lock()
+	for k := range m.session {
+		keys[k] = struct{}{}
+	}
+	m.sessionMu.Unlock()
+
+	var keysL []string
+	for k := range keys {
+		keysL = append(keysL, k)
+	}
+	return &pb.ListResponse{
+		Keys: keysL,
+	}, nil
+}
+
+func (m *Server) Disconnect(ctx context.Context, req *pb.DisconnectRequest) (res *pb.DisconnectResponse, err error) {
+	key := req.Ref
+	if key == "" {
+		return nil, errors.New("disconnect: empty key")
+	}
+
+	m.sessionMu.Lock()
+	if s, ok := m.session[key]; ok {
+		if s.cancelBuild != nil {
+			s.cancelBuild()
+		}
+		s.cancelRunningProcesses()
+		if s.result != nil {
+			s.result.Done()
+		}
+	}
+	delete(m.session, key)
+	m.sessionMu.Unlock()
+
+	return &pb.DisconnectResponse{}, nil
+}
+
+func (m *Server) Close() error {
+	m.sessionMu.Lock()
+	for k := range m.session {
+		if s, ok := m.session[k]; ok {
+			if s.cancelBuild != nil {
+				s.cancelBuild()
+			}
+			s.cancelRunningProcesses()
+		}
+	}
+	m.sessionMu.Unlock()
+	return nil
+}
+
+func (m *Server) Inspect(ctx context.Context, req *pb.InspectRequest) (*pb.InspectResponse, error) {
+	ref := req.Ref
+	if ref == "" {
+		return nil, errors.New("inspect: empty key")
+	}
+	var bo *pb.BuildOptions
+	m.sessionMu.Lock()
+	if s, ok := m.session[ref]; ok {
+		bo = s.buildOptions
+	} else {
+		m.sessionMu.Unlock()
+		return nil, errors.Errorf("inspect: unknown key %v", ref)
+	}
+	m.sessionMu.Unlock()
+	return &pb.InspectResponse{Options: bo}, nil
+}
+
+func (m *Server) Build(ctx context.Context, req *pb.BuildRequest) (*pb.BuildResponse, error) {
+	ref := req.Ref
+	if ref == "" {
+		return nil, errors.New("build: empty key")
+	}
+
+	// Prepare status channel and session
+	m.sessionMu.Lock()
+	if m.session == nil {
+		m.session = make(map[string]*session)
+	}
+	s, ok := m.session[ref]
+	if ok {
+		if !s.buildOnGoing.CompareAndSwap(false, true) {
+			m.sessionMu.Unlock()
+			return &pb.BuildResponse{}, errors.New("build ongoing")
+		}
+		s.cancelRunningProcesses()
+		s.result = nil
+	} else {
+		s = &session{}
+		s.buildOnGoing.Store(true)
+	}
+
+	s.processes = processes.NewManager()
+	statusChan := make(chan *pb.StatusResponse)
+	s.statusChan = statusChan
+	inR, inW := io.Pipe()
+	defer inR.Close()
+	s.inputPipe = inW
+	m.session[ref] = s
+	m.sessionMu.Unlock()
+	defer func() {
+		close(statusChan)
+		m.sessionMu.Lock()
+		s, ok := m.session[ref]
+		if ok {
+			s.statusChan = nil
+			s.buildOnGoing.Store(false)
+		}
+		m.sessionMu.Unlock()
+	}()
+
+	pw := pb.NewProgressWriter(statusChan)
+
+	// Build the specified request
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+	resp, res, buildErr := m.buildFunc(ctx, req.Options, inR, pw)
+	m.sessionMu.Lock()
+	if s, ok := m.session[ref]; ok {
+		// NOTE: buildFunc can return *build.ResultHandle even on error (e.g. when it's implemented using (github.com/docker/buildx/controller/build).RunBuild).
+		if res != nil {
+			s.result = res
+			s.cancelBuild = cancel
+			s.buildOptions = req.Options
+			m.session[ref] = s
+			if buildErr != nil {
+				buildErr = controllererrors.WrapBuild(buildErr, ref)
+			}
+		}
+	} else {
+		m.sessionMu.Unlock()
+		return nil, errors.Errorf("build: unknown key %v", ref)
+	}
+	m.sessionMu.Unlock()
+
+	if buildErr != nil {
+		return nil, buildErr
+	}
+
+	if resp == nil {
+		resp = &client.SolveResponse{}
+	}
+	return &pb.BuildResponse{
+		ExporterResponse: resp.ExporterResponse,
+	}, nil
+}
+
+func (m *Server) Status(req *pb.StatusRequest, stream pb.Controller_StatusServer) error {
+	ref := req.Ref
+	if ref == "" {
+		return errors.New("status: empty key")
+	}
+
+	// Wait and get status channel prepared by Build()
+	var statusChan <-chan *pb.StatusResponse
+	for {
+		// TODO: timeout?
+		m.sessionMu.Lock()
+		if _, ok := m.session[ref]; !ok || m.session[ref].statusChan == nil {
+			m.sessionMu.Unlock()
+			time.Sleep(time.Millisecond) // TODO: wait Build without busy loop and make it cancellable
+			continue
+		}
+		statusChan = m.session[ref].statusChan
+		m.sessionMu.Unlock()
+		break
+	}
+
+	// forward status
+	for ss := range statusChan {
+		if ss == nil {
+			break
+		}
+		if err := stream.Send(ss); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m *Server) Input(stream pb.Controller_InputServer) (err error) {
+	// Get the target ref from init message
+	msg, err := stream.Recv()
+	if err != nil {
+		if !errors.Is(err, io.EOF) {
+			return err
+		}
+		return nil
+	}
+	init := msg.GetInit()
+	if init == nil {
+		return errors.Errorf("unexpected message: %T; wanted init", msg.GetInit())
+	}
+	ref := init.Ref
+	if ref == "" {
+		return errors.New("input: no ref is provided")
+	}
+
+	// Wait and get input stream pipe prepared by Build()
+	var inputPipeW *io.PipeWriter
+	for {
+		// TODO: timeout?
+		m.sessionMu.Lock()
+		if _, ok := m.session[ref]; !ok || m.session[ref].inputPipe == nil {
+			m.sessionMu.Unlock()
+			time.Sleep(time.Millisecond) // TODO: wait Build without busy loop and make it cancellable
+			continue
+		}
+		inputPipeW = m.session[ref].inputPipe
+		m.sessionMu.Unlock()
+		break
+	}
+
+	// Forward input stream
+	eg, ctx := errgroup.WithContext(context.TODO())
+	done := make(chan struct{})
+	msgCh := make(chan *pb.InputMessage)
+	eg.Go(func() error {
+		defer close(msgCh)
+		for {
+			msg, err := stream.Recv()
+			if err != nil {
+				if !errors.Is(err, io.EOF) {
+					return err
+				}
+				return nil
+			}
+			select {
+			case msgCh <- msg:
+			case <-done:
+				return nil
+			case <-ctx.Done():
+				return nil
+			}
+		}
+	})
+	eg.Go(func() (retErr error) {
+		defer close(done)
+		defer func() {
+			if retErr != nil {
+				inputPipeW.CloseWithError(retErr)
+				return
+			}
+			inputPipeW.Close()
+		}()
+		for {
+			var msg *pb.InputMessage
+			select {
+			case msg = <-msgCh:
+			case <-ctx.Done():
+				return errors.Wrap(ctx.Err(), "canceled")
+			}
+			if msg == nil {
+				return nil
+			}
+			if data := msg.GetData(); data != nil {
+				if len(data.Data) > 0 {
+					_, err := inputPipeW.Write(data.Data)
+					if err != nil {
+						return err
+					}
+				}
+				if data.EOF {
+					return nil
+				}
+			}
+		}
+	})
+
+	return eg.Wait()
+}
+
+func (m *Server) Invoke(srv pb.Controller_InvokeServer) error {
+	containerIn, containerOut := ioset.Pipe()
+	defer func() { containerOut.Close(); containerIn.Close() }()
+
+	initDoneCh := make(chan *processes.Process)
+	initErrCh := make(chan error)
+	eg, egCtx := errgroup.WithContext(context.TODO())
+	srvIOCtx, srvIOCancel := context.WithCancel(egCtx)
+	eg.Go(func() error {
+		defer srvIOCancel()
+		return serveIO(srvIOCtx, srv, func(initMessage *pb.InitMessage) (retErr error) {
+			defer func() {
+				if retErr != nil {
+					initErrCh <- retErr
+				}
+			}()
+			ref := initMessage.Ref
+			cfg := initMessage.InvokeConfig
+
+			m.sessionMu.Lock()
+			s, ok := m.session[ref]
+			if !ok {
+				m.sessionMu.Unlock()
+				return errors.Errorf("invoke: unknown key %v", ref)
+			}
+			m.sessionMu.Unlock()
+
+			pid := initMessage.ProcessID
+			if pid == "" {
+				return errors.Errorf("invoke: specify process ID")
+			}
+			proc, ok := s.processes.Get(pid)
+			if !ok {
+				// Start a new process.
+				if cfg == nil {
+					return errors.New("no container config is provided")
+				}
+				var err error
+				proc, err = s.processes.StartProcess(pid, s.result, cfg)
+				if err != nil {
+					return err
+				}
+			}
+			// Attach containerIn to this process
+			proc.ForwardIO(&containerIn, srvIOCancel)
+			initDoneCh <- proc
+			return nil
+		}, &ioServerConfig{
+			stdin:  containerOut.Stdin,
+			stdout: containerOut.Stdout,
+			stderr: containerOut.Stderr,
+			// TODO: signal, resize
+		})
+	})
+	eg.Go(func() (rErr error) {
+		defer srvIOCancel()
+		// Wait for init done
+		var proc *processes.Process
+		select {
+		case p := <-initDoneCh:
+			proc = p
+		case err := <-initErrCh:
+			return err
+		case <-egCtx.Done():
+			return egCtx.Err()
+		}
+
+		// Wait for IO done
+		select {
+		case <-srvIOCtx.Done():
+			return srvIOCtx.Err()
+		case err := <-proc.Done():
+			return err
+		case <-egCtx.Done():
+			return egCtx.Err()
+		}
+	})
+
+	return eg.Wait()
+}
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -1,17 +1,14 @@
 variable "GO_VERSION" {
-  default = "1.18"
-}
-variable "BIN_OUT" {
-  default = "./bin"
-}
-variable "RELEASE_OUT" {
-  default = "./release-out"
+  default = null
 }
 variable "DOCS_FORMATS" {
  default = "md"
 }
+variable "DESTDIR" {
+  default = "./bin"
+}

-// Special target: https://github.com/docker/metadata-action#bake-definition
+# Special target: https://github.com/docker/metadata-action#bake-definition
 target "meta-helper" {
  tags = ["docker/buildx-bin:local"]
 }
@@ -20,7 +17,6 @@ target "_common" {
  args = {
    GO_VERSION = GO_VERSION
    BUILDKIT_CONTEXT_KEEP_GIT_DIR = 1
-    BUILDX_EXPERIMENTAL = 1
  }
 }

@@ -49,6 +45,7 @@ target "validate-docs" {
  inherits = ["_common"]
  args = {
    FORMATS = DOCS_FORMATS
+    BUILDX_EXPERIMENTAL = 1 // enables experimental cmds/flags for docs generation
  }
  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
  target = "validate"
@@ -62,6 +59,13 @@ target "validate-authors" {
  output = ["type=cacheonly"]
 }

+target "validate-generated-files" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/generated-files.Dockerfile"
+  target = "validate"
+  output = ["type=cacheonly"]
+}
+
 target "update-vendor" {
  inherits = ["_common"]
  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
@@ -73,6 +77,7 @@ target "update-docs" {
  inherits = ["_common"]
  args = {
    FORMATS = DOCS_FORMATS
+    BUILDX_EXPERIMENTAL = 1 // enables experimental cmds/flags for docs generation
  }
  dockerfile = "./hack/dockerfiles/docs.Dockerfile"
  target = "update"
@@ -86,6 +91,13 @@ target "update-authors" {
  output = ["."]
 }

+target "update-generated-files" {
+  inherits = ["_common"]
+  dockerfile = "./hack/dockerfiles/generated-files.Dockerfile"
+  target = "update"
+  output = ["."]
+}
+
 target "mod-outdated" {
  inherits = ["_common"]
  dockerfile = "./hack/dockerfiles/vendor.Dockerfile"
@@ -97,13 +109,13 @@ target "mod-outdated" {
 target "test" {
  inherits = ["_common"]
  target = "test-coverage"
-  output = ["./coverage"]
+  output = ["${DESTDIR}/coverage"]
 }

 target "binaries" {
  inherits = ["_common"]
  target = "binaries"
-  output = [BIN_OUT]
+  output = ["${DESTDIR}/build"]
  platforms = ["local"]
 }

@@ -127,7 +139,7 @@ target "binaries-cross" {
 target "release" {
  inherits = ["binaries-cross"]
  target = "release"
-  output = [RELEASE_OUT]
+  output = ["${DESTDIR}/release"]
 }

 target "image" {
@@ -144,3 +156,29 @@ target "image-local" {
  inherits = ["image"]
  output = ["type=docker"]
 }
+
+variable "HTTP_PROXY" {
+  default = ""
+}
+variable "HTTPS_PROXY" {
+  default = ""
+}
+variable "NO_PROXY" {
+  default = ""
+}
+
+target "integration-test-base" {
+  inherits = ["_common"]
+  args = {
+    HTTP_PROXY = HTTP_PROXY
+    HTTPS_PROXY = HTTPS_PROXY
+    NO_PROXY = NO_PROXY
+  }
+  target = "integration-test-base"
+  output = ["type=cacheonly"]
+}
+
+target "integration-test" {
+  inherits = ["integration-test-base"]
+  target = "integration-test"
+}
--- a/docs/bake-reference.md
+++ b/docs/bake-reference.md
--- a/docs/guides/bake/build-contexts.md
+++ b/docs/guides/bake/build-contexts.md
@@ -1,74 +0,0 @@
-# Defining additional build contexts and linking targets
-
-In addition to the main `context` key that defines the build context each target
-can also define additional named contexts with a map defined with key `contexts`.
-These values map to the `--build-context` flag in the [build command](https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context).
-
-Inside the Dockerfile these contexts can be used with the `FROM` instruction or `--from` flag.
-
-The value can be a local source directory, container image (with `docker-image://` prefix),
-Git URL, HTTP URL or a name of another target in the Bake file (with `target:` prefix).
-
-## Pinning alpine image
-
-```dockerfile
-# syntax=docker/dockerfile:1
-FROM alpine
-RUN echo "Hello world"
-```
-
-```hcl
-# docker-bake.hcl
-target "app" {
-  contexts = {
-    alpine = "docker-image://alpine:3.13"
-  }
-}
-```
-
-## Using a secondary source directory
-
-```dockerfile
-# syntax=docker/dockerfile:1
-FROM scratch AS src
-
-FROM golang
-COPY --from=src . .
-```
-
-```hcl
-# docker-bake.hcl
-target "app" {
-  contexts = {
-    src = "../path/to/source"
-  }
-}
-```
-
-## Using a result of one target as a base image in another target
-
-To use a result of one target as a build context of another, specity the target
-name with `target:` prefix.
-
-```dockerfile
-# syntax=docker/dockerfile:1
-FROM baseapp
-RUN echo "Hello world"
-```
-
-```hcl
-# docker-bake.hcl
-target "base" {
-  dockerfile = "baseapp.Dockerfile"
-}
-
-target "app" {
-  contexts = {
-    baseapp = "target:base"
-  }
-}
-```
-
-Please note that in most cases you should just use a single multi-stage
-Dockerfile with multiple targets for similar behavior. This case is recommended
-when you have multiple Dockerfiles that can't be easily merged into one.
--- a/docs/guides/bake/compose-file.md
+++ b/docs/guides/bake/compose-file.md
@@ -1,270 +0,0 @@
-# Building from Compose file
-
-## Specification
-
-Bake uses the [compose-spec](https://docs.docker.com/compose/compose-file/) to
-parse a compose file and translate each service to a [target](file-definition.md#target).
-
-```yaml
-# docker-compose.yml
-services:
-  webapp-dev: 
-    build: &build-dev
-      dockerfile: Dockerfile.webapp
-      tags:
-        - docker.io/username/webapp:latest
-      cache_from:
-        - docker.io/username/webapp:cache
-      cache_to:
-        - docker.io/username/webapp:cache
-
-  webapp-release:
-    build:
-      <<: *build-dev
-      x-bake:
-        platforms:
-          - linux/amd64
-          - linux/arm64
-
-  db:
-    image: docker.io/username/db
-    build:
-      dockerfile: Dockerfile.db
-```
-
-```console
-$ docker buildx bake --print
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "db",
-        "webapp-dev",
-        "webapp-release"
-      ]
-    }
-  },
-  "target": {
-    "db": {
-      "context": ".",
-      "dockerfile": "Dockerfile.db",
-      "tags": [
-        "docker.io/username/db"
-      ]
-    },
-    "webapp-dev": {
-      "context": ".",
-      "dockerfile": "Dockerfile.webapp",
-      "tags": [
-        "docker.io/username/webapp:latest"
-      ],
-      "cache-from": [
-        "docker.io/username/webapp:cache"
-      ],
-      "cache-to": [
-        "docker.io/username/webapp:cache"
-      ]
-    },
-    "webapp-release": {
-      "context": ".",
-      "dockerfile": "Dockerfile.webapp",
-      "tags": [
-        "docker.io/username/webapp:latest"
-      ],
-      "cache-from": [
-        "docker.io/username/webapp:cache"
-      ],
-      "cache-to": [
-        "docker.io/username/webapp:cache"
-      ],
-      "platforms": [
-        "linux/amd64",
-        "linux/arm64"
-      ]
-    }
-  }
-}
-```
-
-Unlike the [HCL format](file-definition.md#hcl-definition), there are some
-limitations with the compose format:
-
-* Specifying variables or global scope attributes is not yet supported
-* `inherits` service field is not supported, but you can use [YAML anchors](https://docs.docker.com/compose/compose-file/#fragments) to reference other services like the example above
-
-## `.env` file
-
-You can declare default environment variables in an environment file named
-`.env`. This file will be loaded from the current working directory,
-where the command is executed and applied to compose definitions passed
-with `-f`.
-
-```yaml
-# docker-compose.yml
-services:
-  webapp:
-    image: docker.io/username/webapp:${TAG:-v1.0.0}
-    build:
-      dockerfile: Dockerfile
-```
-
-```
-# .env
-TAG=v1.1.0
-```
-
-```console
-$ docker buildx bake --print
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "docker.io/username/webapp:v1.1.0"
-      ]
-    }
-  }
-}
-```
-
-> **Note**
->
-> System environment variables take precedence over environment variables
-> in `.env` file.
-
-## Extension field with `x-bake`
-
-Even if some fields are not (yet) available in the compose specification, you
-can use the [special extension](https://docs.docker.com/compose/compose-file/#extension)
-field `x-bake` in your compose file to evaluate extra fields:
-
-```yaml
-# docker-compose.yml
-services:
-  addon:
-    image: ct-addon:bar
-    build:
-      context: .
-      dockerfile: ./Dockerfile
-      args:
-        CT_ECR: foo
-        CT_TAG: bar
-      x-bake:
-        tags:
-          - ct-addon:foo
-          - ct-addon:alp
-        platforms:
-          - linux/amd64
-          - linux/arm64
-        cache-from:
-          - user/app:cache
-          - type=local,src=path/to/cache
-        cache-to:
-          - type=local,dest=path/to/cache
-        pull: true
-
-  aws:
-    image: ct-fake-aws:bar
-    build:
-      dockerfile: ./aws.Dockerfile
-      args:
-        CT_ECR: foo
-        CT_TAG: bar
-      x-bake:
-        secret:
-          - id=mysecret,src=./secret
-          - id=mysecret2,src=./secret2
-        platforms: linux/arm64
-        output: type=docker
-        no-cache: true
-```
-
-```console
-$ docker buildx bake --print
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "aws",
-        "addon"
-      ]
-    }
-  },
-  "target": {
-    "addon": {
-      "context": ".",
-      "dockerfile": "./Dockerfile",
-      "args": {
-        "CT_ECR": "foo",
-        "CT_TAG": "bar"
-      },
-      "tags": [
-        "ct-addon:foo",
-        "ct-addon:alp"
-      ],
-      "cache-from": [
-        "user/app:cache",
-        "type=local,src=path/to/cache"
-      ],
-      "cache-to": [
-        "type=local,dest=path/to/cache"
-      ],
-      "platforms": [
-        "linux/amd64",
-        "linux/arm64"
-      ],
-      "pull": true
-    },
-    "aws": {
-      "context": ".",
-      "dockerfile": "./aws.Dockerfile",
-      "args": {
-        "CT_ECR": "foo",
-        "CT_TAG": "bar"
-      },
-      "tags": [
-        "ct-fake-aws:bar"
-      ],
-      "secret": [
-        "id=mysecret,src=./secret",
-        "id=mysecret2,src=./secret2"
-      ],
-      "platforms": [
-        "linux/arm64"
-      ],
-      "output": [
-        "type=docker"
-      ],
-      "no-cache": true
-    }
-  }
-}
-```
-
-Complete list of valid fields for `x-bake`:
-
-* `cache-from`
-* `cache-to`
-* `contexts`
-* `no-cache`
-* `no-cache-filter`
-* `output`
-* `platforms`
-* `pull`
-* `secret`
-* `ssh`
-* `tags`
--- a/docs/guides/bake/configuring-build.md
+++ b/docs/guides/bake/configuring-build.md
@@ -1,216 +0,0 @@
-# Configuring builds
-
-Bake supports loading build definition from files, but sometimes you need even
-more flexibility to configure this definition.
-
-For this use case, you can define variables inside the bake files that can be
-set by the user with environment variables or by [attribute definitions](#global-scope-attributes)
-in other bake files. If you wish to change a specific value for a single
-invocation you can use the `--set` flag [from the command line](#from-command-line).
-
-## Global scope attributes
-
-You can define global scope attributes in HCL/JSON and use them for code reuse
-and setting values for variables. This means you can do a "data-only" HCL file
-with the values you want to set/override and use it in the list of regular
-output files.
-
-```hcl
-# docker-bake.hcl
-variable "FOO" {
-  default = "abc"
-}
-
-target "app" {
-  args = {
-    v1 = "pre-${FOO}"
-  }
-}
-```
-
-You can use this file directly:
-
-```console
-$ docker buildx bake --print app
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "pre-abc"
-      }
-    }
-  }
-}
-```
-
-Or create an override configuration file:
-
-```hcl
-# env.hcl
-WHOAMI="myuser"
-FOO="def-${WHOAMI}"
-```
-
-And invoke bake together with both of the files:
-
-```console
-$ docker buildx bake -f docker-bake.hcl -f env.hcl --print app
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "pre-def-myuser"
-      }
-    }
-  }
-}
-```
-
-## From command line
-
-You can also override target configurations from the command line with the
-[`--set` flag](https://docs.docker.com/engine/reference/commandline/buildx_bake/#set):
-
-```hcl
-# docker-bake.hcl
-target "app" {
-  args = {
-    mybuildarg = "foo"
-  }
-}
-```
-
-```console
-$ docker buildx bake --set app.args.mybuildarg=bar --set app.platform=linux/arm64 app --print
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "mybuildarg": "bar"
-      },
-      "platforms": [
-        "linux/arm64"
-      ]
-    }
-  }
-}
-```
-
-Pattern matching syntax defined in [https://golang.org/pkg/path/#Match](https://golang.org/pkg/path/#Match)
-is also supported:
-
-```console
-$ docker buildx bake --set foo*.args.mybuildarg=value  # overrides build arg for all targets starting with "foo"
-$ docker buildx bake --set *.platform=linux/arm64      # overrides platform for all targets
-$ docker buildx bake --set foo*.no-cache               # bypass caching only for targets starting with "foo"
-```
-
-Complete list of overridable fields:
-
-* `args`
-* `cache-from`
-* `cache-to`
-* `context`
-* `dockerfile`
-* `labels`
-* `no-cache`
-* `output`
-* `platform`
-* `pull`
-* `secrets`
-* `ssh`
-* `tags`
-* `target`
-
-## Using variables in variables across files
-
-When multiple files are specified, one file can use variables defined in
-another file.
-
-```hcl
-# docker-bake1.hcl
-variable "FOO" {
-  default = upper("${BASE}def")
-}
-
-variable "BAR" {
-  default = "-${FOO}-"
-}
-
-target "app" {
-  args = {
-    v1 = "pre-${BAR}"
-  }
-}
-```
-
-```hcl
-# docker-bake2.hcl
-variable "BASE" {
-  default = "abc"
-}
-
-target "app" {
-  args = {
-    v2 = "${FOO}-post"
-  }
-}
-```
-
-```console
-$ docker buildx bake -f docker-bake1.hcl -f docker-bake2.hcl --print app
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "pre--ABCDEF-",
-        "v2": "ABCDEF-post"
-      }
-    }
-  }
-}
-```
--- a/docs/guides/bake/file-definition.md
+++ b/docs/guides/bake/file-definition.md
@@ -1,440 +0,0 @@
-# Bake file definition
-
-`buildx bake` supports HCL, JSON and Compose file format for defining build
-[groups](#group), [targets](#target) as well as [variables](#variable) and
-[functions](#functions). It looks for build definition files in the current
-directory in the following order:
-
-* `docker-compose.yml`
-* `docker-compose.yaml`
-* `docker-bake.json`
-* `docker-bake.override.json`
-* `docker-bake.hcl`
-* `docker-bake.override.hcl`
-
-## Specification
-
-Inside a bake file you can declare group, target and variable blocks to define
-project specific reusable build flows.
-
-### Target
-
-A target reflects a single docker build invocation with the same options that
-you would specify for `docker build`:
-
-```hcl
-# docker-bake.hcl
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:latest"]
-}
-```
-```console
-$ docker buildx bake webapp-dev
-```
-
-> **Note**
->
-> In the case of compose files, each service corresponds to a target.
-> If compose service name contains a dot it will be replaced with an underscore.
-
-Complete list of valid target fields available for [HCL](#hcl-definition) and
-[JSON](#json-definition) definitions:
-
-| Name                | Type   | Description                                                                                                                                     |
-|---------------------|--------|-------------------------------------------------------------------------------------------------------------------------------------------------|
-| `inherits`          | List   | [Inherit build options](#merging-and-inheritance) from other targets                                                                            |
-| `args`              | Map    | Set build-time variables (same as [`--build-arg` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                     |
-| `cache-from`        | List   | External cache sources (same as [`--cache-from` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                      |
-| `cache-to`          | List   | Cache export destinations (same as [`--cache-to` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                     |
-| `context`           | String | Set of files located in the specified path or URL                                                                                               |
-| `contexts`          | Map    | Additional build contexts (same as [`--build-context` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                |
-| `dockerfile`        | String | Name of the Dockerfile (same as [`--file` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                            |
-| `dockerfile-inline` | String | Inline Dockerfile content                                                                                                                       |
-| `labels`            | Map    | Set metadata for an image (same as [`--label` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                        |
-| `no-cache`          | Bool   | Do not use cache when building the image (same as [`--no-cache` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))      |
-| `no-cache-filter`   | List   | Do not cache specified stages (same as [`--no-cache-filter` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))          |
-| `output`            | List   | Output destination (same as [`--output` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                              |
-| `platforms`         | List   | Set target platforms for build (same as [`--platform` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                |
-| `pull`              | Bool   | Always attempt to pull all referenced images (same as [`--pull` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))      |
-| `secret`            | List   | Secret to expose to the build (same as [`--secret` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))                   |
-| `ssh`               | List   | SSH agent socket or keys to expose to the build (same as [`--ssh` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))    |
-| `tags`              | List   | Name and optionally a tag in the format `name:tag` (same as [`--tag` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/)) |
-| `target`            | String | Set the target build stage to build (same as [`--target` flag](https://docs.docker.com/engine/reference/commandline/buildx_build/))             |
-
-### Group
-
-A group is a grouping of targets:
-
-```hcl
-# docker-bake.hcl
-group "build" {
-  targets = ["db", "webapp-dev"]
-}
-
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:latest"]
-}
-
-target "db" {
-  dockerfile = "Dockerfile.db"
-  tags = ["docker.io/username/db"]
-}
-```
-```console
-$ docker buildx bake build
-```
-
-### Variable
-
-Similar to how Terraform provides a way to [define variables](https://www.terraform.io/docs/configuration/variables.html#declaring-an-input-variable),
-the HCL file format also supports variable block definitions. These can be used
-to define variables with values provided by the current environment, or a
-default value when unset:
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {
-  default = "latest"
-}
-
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:${TAG}"]
-}
-```
-```console
-$ docker buildx bake webapp-dev          # will use the default value "latest"
-$ TAG=dev docker buildx bake webapp-dev  # will use the TAG environment variable value
-```
-
-> **Tip**
->
-> See also the [Configuring builds](configuring-build.md) page for advanced usage.
-
-### Functions
-
-A [set of generally useful functions](https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go)
-provided by [go-cty](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib)
-are available for use in HCL files:
-
-```hcl
-# docker-bake.hcl
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:latest"]
-  args = {
-    buildno = "${add(123, 1)}"
-  }
-}
-```
-
-In addition, [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc)
-are also supported:
-
-```hcl
-# docker-bake.hcl
-function "increment" {
-  params = [number]
-  result = number + 1
-}
-
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:latest"]
-  args = {
-    buildno = "${increment(123)}"
-  }
-}
-```
-
-> **Note**
->
-> See [User defined HCL functions](hcl-funcs.md) page for more details.
-
-## Built-in variables
-
-* `BAKE_CMD_CONTEXT` can be used to access the main `context` for bake command
-  from a bake file that has been [imported remotely](file-definition.md#remote-definition).
-* `BAKE_LOCAL_PLATFORM` returns the current platform's default platform
-  specification (e.g. `linux/amd64`).
-
-## Merging and inheritance
-
-Multiple files can include the same target and final build options will be
-determined by merging them together:
-
-```hcl
-# docker-bake.hcl
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:latest"]
-}
-```
-```hcl
-# docker-bake2.hcl
-target "webapp-dev" {
-  tags = ["docker.io/username/webapp:dev"]
-}
-```
-```console
-$ docker buildx bake -f docker-bake.hcl -f docker-bake2.hcl webapp-dev
-```
-
-A group can specify its list of targets with the `targets` option. A target can
-inherit build options by setting the `inherits` option to the list of targets or
-groups to inherit from:
-
-```hcl
-# docker-bake.hcl
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:${TAG}"]
-}
-
-target "webapp-release" {
-  inherits = ["webapp-dev"]
-  platforms = ["linux/amd64", "linux/arm64"]
-}
-```
-
-## `default` target/group
-
-When you invoke `bake` you specify what targets/groups you want to build. If no
-arguments is specified, the group/target named `default` will be built:
-
-```hcl
-# docker-bake.hcl
-target "default" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:latest"]
-}
-```
-```console
-$ docker buildx bake
-```
-
-## Definitions
-
-### HCL definition
-
-HCL definition file is recommended as its experience is more aligned with buildx UX
-and also allows better code reuse, different target groups and extended features.
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {
-  default = "latest"
-}
-
-group "default" {
-  targets = ["db", "webapp-dev"]
-}
-
-target "webapp-dev" {
-  dockerfile = "Dockerfile.webapp"
-  tags = ["docker.io/username/webapp:${TAG}"]
-}
-
-target "webapp-release" {
-  inherits = ["webapp-dev"]
-  platforms = ["linux/amd64", "linux/arm64"]
-}
-
-target "db" {
-  dockerfile = "Dockerfile.db"
-  tags = ["docker.io/username/db"]
-}
-```
-
-### JSON definition
-
-```json
-{
-  "variable": {
-    "TAG": {
-      "default": "latest"
-    }
-  },
-  "group": {
-    "default": {
-      "targets": [
-        "db",
-        "webapp-dev"
-      ]
-    }
-  },
-  "target": {
-    "webapp-dev": {
-      "dockerfile": "Dockerfile.webapp",
-      "tags": [
-        "docker.io/username/webapp:${TAG}"
-      ]
-    },
-    "webapp-release": {
-      "inherits": [
-        "webapp-dev"
-      ],
-      "platforms": [
-        "linux/amd64",
-        "linux/arm64"
-      ]
-    },
-    "db": {
-      "dockerfile": "Dockerfile.db",
-      "tags": [
-        "docker.io/username/db"
-      ]
-    }
-  }
-}
-```
-
-### Compose file
-
-```yaml
-# docker-compose.yml
-services:
-  webapp:
-    image: docker.io/username/webapp:latest
-    build:
-      dockerfile: Dockerfile.webapp
-
-  db:
-    image: docker.io/username/db
-    build:
-      dockerfile: Dockerfile.db
-```
-
-> **Note**
->
-> See [Building from Compose file](compose-file.md) page for more details.
-
-## Remote definition
-
-You can also build bake files directly from a remote Git repository or HTTPS URL:
-
-```console
-$ docker buildx bake "https://github.com/docker/cli.git#v20.10.11" --print
-#1 [internal] load git source https://github.com/docker/cli.git#v20.10.11
-#1 0.745 e8f1871b077b64bcb4a13334b7146492773769f7       refs/tags/v20.10.11
-#1 2.022 From https://github.com/docker/cli
-#1 2.022  * [new tag]         v20.10.11  -> v20.10.11
-#1 DONE 2.9s
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "binary"
-      ]
-    }
-  },
-  "target": {
-    "binary": {
-      "context": "https://github.com/docker/cli.git#v20.10.11",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "BASE_VARIANT": "alpine",
-        "GO_STRIP": "",
-        "VERSION": ""
-      },
-      "target": "binary",
-      "platforms": [
-        "local"
-      ],
-      "output": [
-        "build"
-      ]
-    }
-  }
-}
-```
-
-As you can see the context is fixed to `https://github.com/docker/cli.git` even if
-[no context is actually defined](https://github.com/docker/cli/blob/2776a6d694f988c0c1df61cad4bfac0f54e481c8/docker-bake.hcl#L17-L26)
-in the definition.
-
-If you want to access the main context for bake command from a bake file
-that has been imported remotely, you can use the [`BAKE_CMD_CONTEXT` built-in var](#built-in-variables).
-
-```console
-$ cat https://raw.githubusercontent.com/tonistiigi/buildx/remote-test/docker-bake.hcl
-```
-```hcl
-target "default" {
-  context = BAKE_CMD_CONTEXT
-  dockerfile-inline = <<EOT
-FROM alpine
-WORKDIR /src
-COPY . .
-RUN ls -l && stop
-EOT
-}
-```
-
-```console
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" --print
-```
-```json
-{
-  "target": {
-    "default": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
-    }
-  }
-}
-```
-
-```console
-$ touch foo bar
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test"
-```
-```text
-...
- > [4/4] RUN ls -l && stop:
-#8 0.101 total 0
-#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 bar
-#8 0.102 -rw-r--r--    1 root     root             0 Jul 27 18:47 foo
-#8 0.102 /bin/sh: stop: not found
-```
-
-```console
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11" --print
-#1 [internal] load git source https://github.com/tonistiigi/buildx.git#remote-test
-#1 0.429 577303add004dd7efeb13434d69ea030d35f7888       refs/heads/remote-test
-#1 CACHED
-```
-```json
-{
-  "target": {
-    "default": {
-      "context": "https://github.com/docker/cli.git#v20.10.11",
-      "dockerfile": "Dockerfile",
-      "dockerfile-inline": "FROM alpine\nWORKDIR /src\nCOPY . .\nRUN ls -l \u0026\u0026 stop\n"
-    }
-  }
-}
-```
-
-```console
-$ docker buildx bake "https://github.com/tonistiigi/buildx.git#remote-test" "https://github.com/docker/cli.git#v20.10.11"
-```
-```text
-...
- > [4/4] RUN ls -l && stop:
-#8 0.136 drwxrwxrwx    5 root     root          4096 Jul 27 18:31 kubernetes
-#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 man
-#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 opts
-#8 0.136 -rw-rw-rw-    1 root     root          1893 Jul 27 18:31 poule.yml
-#8 0.136 drwxrwxrwx    7 root     root          4096 Jul 27 18:31 scripts
-#8 0.136 drwxrwxrwx    3 root     root          4096 Jul 27 18:31 service
-#8 0.136 drwxrwxrwx    2 root     root          4096 Jul 27 18:31 templates
-#8 0.136 drwxrwxrwx   10 root     root          4096 Jul 27 18:31 vendor
-#8 0.136 -rwxrwxrwx    1 root     root          9620 Jul 27 18:31 vendor.conf
-#8 0.136 /bin/sh: stop: not found
-```
--- a/docs/guides/bake/hcl-funcs.md
+++ b/docs/guides/bake/hcl-funcs.md
@@ -1,327 +0,0 @@
-# User defined HCL functions
-
-## Using interpolation to tag an image with the git sha
-
-As shown in the [File definition](file-definition.md#variable) page, `bake`
-supports variable blocks which are assigned to matching environment variables
-or default values:
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {
-  default = "latest"
-}
-
-group "default" {
-  targets = ["webapp"]
-}
-
-target "webapp" {
-  tags = ["docker.io/username/webapp:${TAG}"]
-}
-```
-
-alternatively, in json format:
-
-```json
-{
-  "variable": {
-    "TAG": {
-      "default": "latest"
-    }
-  },
-  "group": {
-    "default": {
-      "targets": ["webapp"]
-    }
-  },
-  "target": {
-    "webapp": {
-      "tags": ["docker.io/username/webapp:${TAG}"]
-    }
-  }
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "docker.io/username/webapp:latest"
-      ]
-    }
-  }
-}
-```
-
-```console
-$ TAG=$(git rev-parse --short HEAD) docker buildx bake --print webapp
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "docker.io/username/webapp:985e9e9"
-      ]
-    }
-  }
-}
-```
-
-## Using the `add` function
-
-You can use [`go-cty` stdlib functions](https://github.com/zclconf/go-cty/tree/main/cty/function/stdlib).
-Here we are using the `add` function.
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {
-  default = "latest"
-}
-
-group "default" {
-  targets = ["webapp"]
-}
-
-target "webapp" {
-  args = {
-    buildno = "${add(123, 1)}"
-  }
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "buildno": "124"
-      }
-    }
-  }
-}
-```
-
-## Defining an `increment` function
-
-It also supports [user defined functions](https://github.com/hashicorp/hcl/tree/main/ext/userfunc).
-The following example defines a simple an `increment` function.
-
-```hcl
-# docker-bake.hcl
-function "increment" {
-  params = [number]
-  result = number + 1
-}
-
-group "default" {
-  targets = ["webapp"]
-}
-
-target "webapp" {
-  args = {
-    buildno = "${increment(123)}"
-  }
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "buildno": "124"
-      }
-    }
-  }
-}
-```
-
-## Only adding tags if a variable is not empty using an `notequal`
-
-Here we are using the conditional `notequal` function which is just for
-symmetry with the `equal` one.
-
-```hcl
-# docker-bake.hcl
-variable "TAG" {default="" }
-
-group "default" {
-  targets = [
-    "webapp",
-  ]
-}
-
-target "webapp" {
-  context="."
-  dockerfile="Dockerfile"
-  tags = [
-    "my-image:latest",
-    notequal("",TAG) ? "my-image:${TAG}": "",
-  ]
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "my-image:latest"
-      ]
-    }
-  }
-}
-```
-
-## Using variables in functions
-
-You can refer variables to other variables like the target blocks can. Stdlib
-functions can also be called but user functions can't at the moment.
-
-```hcl
-# docker-bake.hcl
-variable "REPO" {
-  default = "user/repo"
-}
-
-function "tag" {
-  params = [tag]
-  result = ["${REPO}:${tag}"]
-}
-
-target "webapp" {
-  tags = tag("v1")
-}
-```
-
-```console
-$ docker buildx bake --print webapp
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "webapp"
-      ]
-    }
-  },
-  "target": {
-    "webapp": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "tags": [
-        "user/repo:v1"
-      ]
-    }
-  }
-}
-```
-
-## Using typed variables
-
-Non-string variables are also accepted. The value passed with env is parsed
-into suitable type first.
-
-```hcl
-# docker-bake.hcl
-variable "FOO" {
-  default = 3
-}
-
-variable "IS_FOO" {
-  default = true
-}
-
-target "app" {
-  args = {
-    v1 = FOO > 5 ? "higher" : "lower" 
-    v2 = IS_FOO ? "yes" : "no"
-  }
-}
-```
-
-```console
-$ docker buildx bake --print app
-```
-```json
-{
-  "group": {
-    "default": {
-      "targets": [
-        "app"
-      ]
-    }
-  },
-  "target": {
-    "app": {
-      "context": ".",
-      "dockerfile": "Dockerfile",
-      "args": {
-        "v1": "lower",
-        "v2": "yes"
-      }
-    }
-  }
-}
-```
--- a/docs/guides/bake/index.md
+++ b/docs/guides/bake/index.md
@@ -1,36 +0,0 @@
-# High-level build options with Bake
-
-> This command is experimental.
->
-> The design of bake is in early stages, and we are looking for [feedback from users](https://github.com/docker/buildx/issues).
-{: .experimental }
-
-Buildx also aims to provide support for high-level build concepts that go beyond
-invoking a single build command. We want to support building all the images in
-your application together and let the users define project specific reusable
-build flows that can then be easily invoked by anyone.
-
-[BuildKit](https://github.com/moby/buildkit) efficiently handles multiple
-concurrent build requests and de-duplicating work. The build commands can be
-combined with general-purpose command runners (for example, `make`). However,
-these tools generally invoke builds in sequence  and therefore cannot leverage
-the full potential of BuildKit parallelization, or combine BuildKit's output
-for the user. For this use case, we have added a command called
-[`docker buildx bake`](https://docs.docker.com/engine/reference/commandline/buildx_bake/).
-
-The `bake` command supports building images from HCL, JSON and Compose files.
-This is similar to [`docker compose build`](https://docs.docker.com/compose/reference/build/),
-but allowing all the services to be built concurrently as part of a single
-request. If multiple files are specified they are all read and configurations are
-combined.
-
-We recommend using HCL files as its experience is more aligned with buildx UX
-and also allows better code reuse, different target groups and extended features.
-
-## Next steps
-
-* [File definition](file-definition.md)
-* [Configuring builds](configuring-build.md)
-* [User defined HCL functions](hcl-funcs.md)
-* [Defining additional build contexts and linking targets](build-contexts.md)
-* [Building from Compose file](compose-file.md)
--- a/docs/guides/cicd.md
+++ b/docs/guides/cicd.md
@@ -1,48 +1,3 @@
 # CI/CD

-## GitHub Actions
-
-Docker provides a [GitHub Action that will build and push your image](https://github.com/docker/build-push-action/#about)
-using Buildx. Here is a simple workflow:
-
-```yaml
-name: ci
-
-on:
-  push:
-    branches:
-      - 'main'
-
-jobs:
-  docker:
-    runs-on: ubuntu-latest
-    steps:
-      -
-        name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-      -
-        name: Login to DockerHub
-        uses: docker/login-action@v2 
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          tags: user/app:latest
-```
-
-In this example we are also using 3 other actions:
-
-* [`setup-buildx`](https://github.com/docker/setup-buildx-action) action will create and boot a builder using by
-default the `docker-container` [builder driver](../reference/buildx_create.md#driver).
-This is **not required but recommended** using it to be able to build multi-platform images, export cache, etc.
-* [`setup-qemu`](https://github.com/docker/setup-qemu-action) action can be useful if you want
-to add emulation support with QEMU to be able to build against more platforms.
-* [`login`](https://github.com/docker/login-action) action will take care to log
-in against a Docker registry.
+This page has moved to [Docker Docs website](https://docs.docker.com/build/ci/)
--- a/docs/guides/cni-networking.md
+++ b/docs/guides/cni-networking.md
@@ -1,23 +1,3 @@
 # CNI networking

-It can be useful to use a bridge network for your builder if for example you
-encounter a network port contention during multiple builds. If you're using
-the BuildKit image, CNI is not yet available in it, but you can create
-[a custom BuildKit image with CNI support](https://github.com/moby/buildkit/blob/master/docs/cni-networking.md).
-
-Now build this image:
-
-```console
-$ docker buildx build --tag buildkit-cni:local --load .
-```
-
-Then [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/) that
-will use this image:
-
-```console
-$ docker buildx create --use \
-  --name mybuilder \
-  --driver docker-container \
-  --driver-opt "image=buildkit-cni:local" \
-  --buildkitd-flags "--oci-worker-net=cni"
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/buildkit/configure/#cni-networking)
--- a/docs/guides/color-output.md
+++ b/docs/guides/color-output.md
@@ -1,20 +1,3 @@
 # Color output controls

-Buildx has support for modifying the colors that are used to output information
-to the terminal. You can set the environment variable `BUILDKIT_COLORS` to
-something like `run=123,20,245:error=yellow:cancel=blue:warning=white` to set
-the colors that you would like to use:
-
-![Progress output custom colors](https://user-images.githubusercontent.com/1951866/180584033-24522385-cafd-4a54-a4a2-18f5ce74eb27.png)
-
-Setting `NO_COLOR` to anything will disable any colorized output as recommended
-by [no-color.org](https://no-color.org/):
-
-![Progress output no color](https://user-images.githubusercontent.com/1951866/180584037-e28f9997-dd4c-49cf-8b26-04864815de19.png)
-
-> **Note**
->
-> Parsing errors will be reported but ignored. This will result in default
-> color values being used where needed.
-
-See also [the list of pre-defined colors](https://github.com/moby/buildkit/blob/master/util/progress/progressui/colors.go).
+This page has moved to [Docker Docs website](https://docs.docker.com/build/building/env-vars/#buildkit_colors)
--- a/docs/guides/custom-network.md
+++ b/docs/guides/custom-network.md
@@ -1,34 +1,3 @@
 # Using a custom network

-[Create a network](https://docs.docker.com/engine/reference/commandline/network_create/)
-named `foonet`:
-
-```console
-$ docker network create foonet
-```
-
-[Create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
-named `mybuilder` that will use this network:
-
-```console
-$ docker buildx create --use \
-  --name mybuilder \
-  --driver docker-container \
-  --driver-opt "network=foonet"
-```
-
-Boot and [inspect `mybuilder`](https://docs.docker.com/engine/reference/commandline/buildx_inspect/):
-
-```console
-$ docker buildx inspect --bootstrap
-```
-
-[Inspect the builder container](https://docs.docker.com/engine/reference/commandline/inspect/)
-and see what network is being used:
-
-{% raw %}
-```console
-$ docker inspect buildx_buildkit_mybuilder0 --format={{.NetworkSettings.Networks}}
-map[foonet:0xc00018c0c0]
-```
-{% endraw %}
+This page has moved to [Docker Docs website](https://docs.docker.com/build/drivers/docker-container/#custom-network)
--- a/docs/guides/custom-registry-config.md
+++ b/docs/guides/custom-registry-config.md
@@ -1,63 +1,3 @@
 # Using a custom registry configuration

-If you [create a `docker-container` or `kubernetes` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/) and
-have specified certificates for registries in the [BuildKit daemon configuration](https://github.com/moby/buildkit/blob/master/docs/buildkitd.toml.md),
-the files will be copied into the container under `/etc/buildkit/certs` and
-configuration will be updated to reflect that.
-
-Take the following `buildkitd.toml` configuration that will be used for
-pushing an image to this registry using self-signed certificates:
-
-```toml
-# /etc/buildkitd.toml
-debug = true
-[registry."myregistry.com"]
-  ca=["/etc/certs/myregistry.pem"]
-  [[registry."myregistry.com".keypair]]
-    key="/etc/certs/myregistry_key.pem"
-    cert="/etc/certs/myregistry_cert.pem"
-```
-
-Here we have configured a self-signed certificate for `myregistry.com` registry.
-
-Now [create a `docker-container` builder](https://docs.docker.com/engine/reference/commandline/buildx_create/)
-that will use this BuildKit configuration:
-
-```console
-$ docker buildx create --use \
-  --name mybuilder \
-  --driver docker-container \
-  --config /etc/buildkitd.toml
-```
-
-Inspecting the builder container, you can see that buildkitd configuration
-has changed:
-
-```console
-$ docker exec -it buildx_buildkit_mybuilder0 cat /etc/buildkit/buildkitd.toml
-```
-```toml
-debug = true
-
-[registry]
-
-  [registry."myregistry.com"]
-    ca = ["/etc/buildkit/certs/myregistry.com/myregistry.pem"]
-
-    [[registry."myregistry.com".keypair]]
-      cert = "/etc/buildkit/certs/myregistry.com/myregistry_cert.pem"
-      key = "/etc/buildkit/certs/myregistry.com/myregistry_key.pem"
-```
-
-And certificates copied inside the container:
-
-```console
-$ docker exec -it buildx_buildkit_mybuilder0 ls /etc/buildkit/certs/myregistry.com/
-myregistry.pem    myregistry_cert.pem   myregistry_key.pem
-```
-
-Now you should be able to push to the registry with this builder:
-
-```console
-$ docker buildx build --push --tag myregistry.com/myimage:latest .
-```
+This page has moved to [Docker Docs website](https://docs.docker.com/build/buildkit/configure/#setting-registry-certificates)
--- a/Show More
+++ b/Show More