chore: merge v0.13.0

.github/SECURITY.md

@@ -6,6 +6,9 @@ issue, please bring it to their attention right away!
 **Please _DO NOT_ file a public issue**, instead send your report privately to
 [security@docker.com](mailto:security@docker.com).
 
+
+Explanation of BuildKit security boundary and what we consider a security issue can be found in [here](/PROJECT.md#security-boundary). If you are unsure if you have found a security issue, it is always better to check privately first.
+
 Security reports are greatly appreciated, and we will publicly thank you for it
 (if you want to). We also like to send gifts—if you're into schwag, make
 sure to let us know. We currently do not offer a paid security bounty program,

.github/dependabot.yml

@@ -5,6 +5,11 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    ignore:
+      # ignore this dependency
+      # it seems a bug with dependabot as pining to commit sha should not
+      # trigger a new version: https://github.com/docker/buildx/pull/2222#issuecomment-1919092153
+      - dependency-name: "docker/docs"
     labels:
       - "dependencies"
       - "bot"

.github/issue_template.md

@@ -0,0 +1,5 @@
+<!---
+Thank you for contributing to BuildKit through issue submission! If you're new to this repository, we encourage you to review our issue reporting guide https://github.com/moby/buildkit/blob/master/.github/issue_reporting_guide.md which outlines the key information you should provide for the process to go smoothly.
+
+Feel free to report bugs, suggest features, or submit proposals here. For general questions about using BuildKit, consider joining the #buildkit channel on the Docker Community Slack, where a broader community can provide support and insights.
+--->

.github/workflows/.test.yml

@@ -28,7 +28,7 @@ on:
 
 env:
   GO_VERSION: "1.21"
-  SETUP_BUILDX_VERSION: "v0.14.1"  # TODO(jhorsts): replace with upstream
+  SETUP_BUILDX_VERSION: "latest"
   SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
 
 jobs:
@@ -63,7 +63,7 @@ jobs:
       -
         name: Set outputs
         id: set
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const yaml = require('js-yaml');
@@ -89,18 +89,15 @@ jobs:
             });
       -
         name: Build
-        uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c  # v6.9.0
+        uses: docker/bake-action@v4
         with:
-          provenance: false
           targets: integration-tests-base
-          # TODO(jhorsts): replace with upstream
-          # set: |
-          #   *.cache-from=type=gha,scope=${{ inputs.cache_scope }}
-          #   *.cache-to=type=gha,scope=${{ inputs.cache_scope }}
+          set: |
+            *.cache-from=type=gha,scope=${{ inputs.cache_scope }}
+            *.cache-to=type=gha,scope=${{ inputs.cache_scope }}
 
   run:
     runs-on: ubuntu-22.04
-    continue-on-error: true
     needs:
       - prepare
     env:
@@ -118,19 +115,28 @@ jobs:
           - containerd-snapshotter-stargz
           - oci
           - oci-rootless
+          - oci-rootless-slirp4netns-detachnetns
           - oci-snapshotter-stargz
         pkg: ${{ fromJson(needs.prepare.outputs.pkgs) }}
         kind: ${{ fromJson(needs.prepare.outputs.kinds) }}
         tags: ${{ fromJson(needs.prepare.outputs.tags) }}
         include: ${{ fromJson(needs.prepare.outputs.includes) }}
     steps:
       -
-        name: Environment variables
+        name: Prepare
         run: |
           for l in "${{ inputs.env }}"; do
             echo "${l?}" >> $GITHUB_ENV
           done
           echo "TEST_REPORT_NAME=${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.kind }}-${{ matrix.worker }}-${{ matrix.tags }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_ENV
+          testFlags="${{ env.TESTFLAGS }}"
+          if [ -n "${{ matrix.tags }}" ]; then
+            testFlags="${testFlags} --tags=${{ matrix.tags }}"
+          fi
+          if [ -n "${{ matrix.worker }}" ]; then
+            testFlags="${testFlags} --run=//worker=${{ matrix.worker }}$"
+          fi
+          echo "TESTFLAGS=${testFlags}" >> $GITHUB_ENV
       -
         name: Checkout
         uses: actions/checkout@v4
@@ -149,9 +155,8 @@ jobs:
           buildkitd-flags: --debug
       -
         name: Build test image
-        uses: docker/bake-action@3acf805d94d93a86cce4ca44798a76464a75b88c  # v6.9.0
+        uses: docker/bake-action@v4
         with:
-          provenance: false
           targets: integration-tests
           set: |
             *.cache-from=type=gha,scope=${{ inputs.cache_scope }}
@@ -160,34 +165,26 @@ jobs:
           BUILDKITD_TAGS: ${{ matrix.tags }}
       -
         name: Test
-        continue-on-error: ${{ matrix.tags == 'nydus' }}
         run: |
-          export TEST_REPORT_SUFFIX=-${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.kind }}-${{ matrix.worker }}-${{ matrix.tags }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]')
-          if [ -n "${{ matrix.tags }}" ]; then
-            TESTFLAGS="${TESTFLAGS} --tags=${{ matrix.tags }}"
-          fi
-          if [ -n "${{ matrix.worker }}" ]; then
-            export TESTFLAGS="${TESTFLAGS} --run=//worker=${{ matrix.worker }}$"
-          fi
-          echo TESTFLAGS=$TESTFLAGS
           ./hack/test ${{ matrix.kind }}
         env:
+          TEST_REPORT_SUFFIX: -${{ env.TEST_REPORT_NAME }}
           TEST_COVERAGE: 1
           TESTPKGS: ${{ matrix.pkg }}
-          SKIP_INTEGRATION_TESTS: 1
-          # TODO(jhorsts): errors with HTTP 400
-          # CACHE_FROM: type=gha,scope=${{ inputs.cache_scope }}
+          SKIP_INTEGRATION_TESTS: ${{ matrix.skip-integration-tests }}
+          CACHE_FROM: type=gha,scope=${{ inputs.cache_scope }}
       -
         name: Send to Codecov
         if: always()
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v4
         with:
           directory: ./bin/testreports
           flags: ${{ matrix.codecov_flags }}
+          token: ${{ secrets.CODECOV_TOKEN }}  # used to upload coverage reports: https://github.com/moby/buildkit/pull/4660#issue-2142122533
       -
         name: Generate annotations
         if: always()
-        uses: crazy-max/.github/.github/actions/gotest-annotations@5af0882e0496d2f7e98a53ae4048e3d86682496f
+        uses: crazy-max/.github/.github/actions/gotest-annotations@fa6141aedf23596fb8bdcceab9cce8dadaa31bd9
         with:
           directory: ./bin/testreports
       -
@@ -197,7 +194,6 @@ jobs:
         with:
           name: test-reports-${{ env.TEST_REPORT_NAME }}
           path: ./bin/testreports
-          overwrite: true
       -
         name: Dump context
         if: failure()

.github/workflows/buildkit.yml

@@ -22,37 +22,13 @@
 
 env:
   GO_VERSION: "1.21"
-  SETUP_BUILDX_VERSION: "v0.14.1"  # TODO(jhorsts): replace with upstream
+  SETUP_BUILDX_VERSION: "latest"
   SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
   IMAGE_NAME: "moby/buildkit"
   PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64,linux/s390x,linux/ppc64le,linux/riscv64"
   DESTDIR: "./bin"
 
 jobs:
-  test:
-    uses: ./.github/workflows/.test.yml
-    with:
-      cache_scope: build-integration-tests
-      pkgs: ./client ./cmd/buildctl ./worker/containerd ./solver ./frontend
-      kinds: integration
-      codecov_flags: core
-      includes: |
-        - pkg: ./...
-          skip-integration-tests: 1
-          typ: integration gateway
-        - pkg: ./client
-          worker: containerd
-          tags: nydus
-          typ: integration
-        - pkg: ./client
-          worker: oci
-          tags: nydus
-          typ: integration
-        - pkg: ./...
-          tags: nydus
-          skip-integration-tests: 1
-          typ: integration
-
   prepare:
     runs-on: ubuntu-22.04
     outputs:
@@ -81,6 +57,9 @@
               PUSH=push
             fi
           fi
+          if [ "$GITHUB_REPOSITORY" != "moby/buildkit" ]; then
+            PUSH=false
+          fi
           echo "tag=${TAG}" >>${GITHUB_OUTPUT}
           echo "push=${PUSH}" >>${GITHUB_OUTPUT}
           platforms=$(docker buildx bake release --print | jq -cr '.target."release".platforms')
@@ -125,9 +104,8 @@
         env:
           RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}
           PLATFORMS: ${{ matrix.platform }}
-          # TODO(jhorsts): replace with upstream
-          # CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
-          # CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_FROM: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
+          CACHE_TO: type=gha,scope=binaries-${{ env.PLATFORM_PAIR }}
       -
         name: Upload artifacts
         uses: actions/upload-artifact@v4
@@ -136,7 +114,34 @@
           path: ${{ env.DESTDIR }}/*
           if-no-files-found: error
 
+  test:
+    uses: ./.github/workflows/.test.yml
+    secrets: inherit
+    needs:
+      - binaries
+    with:
+      cache_scope: build-integration-tests
+      pkgs: ./client ./cmd/buildctl ./worker/containerd ./solver ./frontend
+      kinds: integration
+      codecov_flags: core
+      includes: |
+        - pkg: ./...
+          skip-integration-tests: 1
+          typ: integration gateway
+        - pkg: ./client
+          worker: containerd
+          tags: nydus
+          typ: integration
+        - pkg: ./client
+          worker: oci
+          tags: nydus
+          typ: integration
+        - pkg: ./...
+          tags: nydus
+          skip-integration-tests: 1
+          typ: integration
+
   image:
     runs-on: ubuntu-22.04
     needs:
       - prepare
@@ -169,7 +174,7 @@
         if: needs.prepare.outputs.push == 'push'
         uses: docker/login-action@v3
         with:
-          username: ${{ vars.DOCKERHUB_USERNAME }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Build ${{ needs.prepare.outputs.tag }}
@@ -178,9 +183,8 @@
         env:
           RELEASE: ${{ startsWith(github.ref, 'refs/tags/v') }}
           TARGET: ${{ matrix.target-stage }}
-          # TODO(jhorsts): replace with upstream
-          # CACHE_FROM: type=gha,scope=image${{ matrix.target-stage }}
-          # CACHE_TO: type=gha,scope=image${{ matrix.target-stage }}
+          CACHE_FROM: type=gha,scope=image${{ matrix.target-stage }}
+          CACHE_TO: type=gha,scope=image${{ matrix.target-stage }}
 
   release:
     runs-on: ubuntu-22.04
@@ -192,7 +196,7 @@
     steps:
       -
         name: Download artifacts
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
+        uses: actions/download-artifact@v4
         with:
           path: ${{ env.DESTDIR }}
           pattern: buildkit-*

.github/workflows/dockerd.yml

@@ -7,10 +7,10 @@ on:
       version:
         description: 'Docker version'
         required: true
-        default: '23.0.1'
+        default: '25.0.2'
 
 env:
-  SETUP_BUILDX_VERSION: "v0.14.1"  # TODO(jhorsts): replace with upstream
+  SETUP_BUILDX_VERSION: "latest"
   SETUP_BUILDKIT_IMAGE: "moby/buildkit:latest"
   TESTFLAGS: "-v --parallel=1 --timeout=30m"
 
@@ -20,10 +20,10 @@ jobs:
     steps:
       -
         name: Prepare
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
-            const version = `${{ inputs.version }}` || '23.0.1';
+            const version = `${{ inputs.version }}` || '25.0.2';
             let build = 'true';
             try {
               new URL(version);
@@ -109,7 +109,7 @@ jobs:
           buildkitd-flags: --debug
       -
         name: Download dockerd
-        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0  # v5.0.0
+        uses: actions/download-artifact@v4
         with:
           name: dockerd
           path: ./build/
@@ -127,8 +127,7 @@ jobs:
           TESTPKGS: "${{ matrix.pkg }}"
           TESTFLAGS: "${{ env.TESTFLAGS }} --run=//worker=${{ matrix.worker }}$"
           SKIP_INTEGRATION_TESTS: "${{ matrix.skip-integration-tests }}"
-          # TODO(jhorsts): replace with upstream
-          # CACHE_FROM: "type=gha,scope=build-integration-tests"
+          CACHE_FROM: "type=gha,scope=build-integration-tests"
           BUILDKIT_INTEGRATION_DOCKERD_FLAGS: |
             --bip=10.66.66.1/24
             --default-address-pool=base=10.66.66.0/16,size=24

.github/workflows/docs-upstream.yml

@@ -1,8 +1,6 @@
-# this workflow runs the remote validate bake target from docker/docker.github.io
-# to check if yaml reference docs and markdown files used in this repo are still
-# valid: https://github.com/docker/docs/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/docker-bake.hcl#L34-L36
-# path filters reflects the files that are used as remote resource in this
-# repo: https://github.com/docker/docs/blob/d5312d53e255a24e421dfe6c3344359e10271cb8/_config.yml#L202-L217
+# this workflow runs the remote validate bake target from docker/docs to check
+# if yaml reference docs and markdown files used in this repo are still valid
+# https://github.com/docker/docker.github.io/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/docker-bake.hcl#L34-L36
 name: docs-upstream
 
 concurrency:
@@ -30,6 +28,6 @@
 
 jobs:
   validate:
-    uses: docker/docs/.github/workflows/validate-upstream.yml@main
+    uses: docker/docs/.github/workflows/validate-upstream.yml@919a9b9104a34a40b30d116529bcce589a544d1c  # pin for artifact v4 support: https://github.com/docker/docs/pull/19220
     with:
       module-name: moby/buildkit

.github/workflows/frontend.yml

@@ -28,6 +28,7 @@ env:
 jobs:
   test:
     uses: ./.github/workflows/.test.yml
+    secrets: inherit
     with:
       cache_scope: frontend-integration-tests
       pkgs: ./frontend/dockerfile
@@ -63,6 +64,9 @@ jobs:
               PUSH=push
             fi
           fi
+          if [ "$GITHUB_REPOSITORY" != "moby/buildkit" ]; then
+            PUSH=false
+          fi
           echo "typ=${TYP}" >>${GITHUB_OUTPUT}
           echo "push=${PUSH}" >>${GITHUB_OUTPUT}
           echo "tag=${TAG}" >>${GITHUB_OUTPUT}