policy: add recursive provenance material resolution #3662

Merged. crazy-max merged 4 commits into docker:master from tonistiigi:policy-recursive-materials on Feb 27, 2026

tonistiigi (Member) commented Feb 23, 2026

closes #3639

Comment thread policy/materials.go
return dockerMaterialSource(uri, dgst)
}

if gu, err := gitutil.ParseURL(uri); err == nil {
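
Review bot: on the `gitutil.ParseURL(uri)` line the parse error is discarded whenever it is non-nil, so the code that follows cannot tell why the URI was not treated as Git. Either keep the error for the eventual unsupported-material message or add a short comment naming the URI forms expected to reach this branch, so the fall-through is easier to audit.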

Member

Was looking at our gitutil and it only accepts http|https|ssh|git so common SLSA-style git+https://... URIs fail parse and then fail HTTP detection, so they are treated as unsupported and never resolved: https://slsa.dev/spec/v1.2/build-provenance#builddefinition

"externalParameters": {
    "repository": "https://github.com/octocat/hello-world",
    "ref": "refs/heads/main"
},
"resolvedDependencies": [{
    "uri": "git+https://github.com/octocat/hello-world@refs/heads/main",
    "digest": {"gitCommit": "7fd1a60b01f91b314f59955a4e4d4e80d8edf11d"}
}]

Member Author

I don't think buildkit can produce git+https:// atm and there isn't a specific git definition for purl. Just https URLs are used, and gitutil figures out if the URL is pointing to a repo.

Comment thread policy/provenance.go
Comment on lines +168 to +173
if _, _, err := parseSLSAMaterial(rd); err != nil {
if logf != nil {
logf(logrus.WarnLevel, fmt.Sprintf("skipping unsupported provenance material %q: %v", m.URI, err))
}
continue
}
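
Review bot: in the error branch the warning is emitted only when `logf != nil`, so with a nil logger the `continue` drops the entry without any trace, and the fixed "unsupported" wording gives every `parseSLSAMaterial` error the same label whether the entry is an unknown type or a malformed one. Consider recording skipped entries independently of `logf` and wording the message from the error itself. The call parses `rd` while the message prints `m.URI`; a one-line comment on how the two relate would help the reader.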

Member

iiuc malformed material entries are silently filtered out and that includes digest mismatch errors, so invalid/tampered materials are omitted from input.image.provenance.materials instead of causing evaluation failure. Could that potentially hide the material records policy is supposed to inspect?

Member Author

This should be preferred as we don't want images to fail automatically when new material types are added. Instead atm it will fail based on policy rules. So if the user has a policy rule expecting a specific material, but it fails to parse in here, then that policy rule will fail the build.
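
The trade-off debated in this thread, together with the `git+https://` URI form raised in the `policy/materials.go` thread, as an added Go example (not buildx code). `parseMaterial`, `collect`, the two rule functions and the sample entries are hypothetical, and accepting only `http(s)` schemes is an assumption of the sketch; it shows that an existence rule fails when its material was skipped, while a universal rule over the remaining materials still passes.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample of SLSA resolvedDependencies. The second entry uses the
// git+https form quoted in the review; the third carries a malformed digest.
const sampleDeps = `[
 {"uri": "https://github.com/octocat/base", "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}},
 {"uri": "git+https://github.com/octocat/hello-world@refs/heads/main", "digest": {"gitCommit": "7fd1a60b01f91b314f59955a4e4d4e80d8edf11d"}},
 {"uri": "https://downloads.example.net/tool.tar.gz", "digest": {"sha256": "not-a-digest"}}
]`

type Dependency struct {
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest"`
}
type Material struct{ Kind, URI, Digest string }

func isHex(s string, n int) bool {
	_, err := hex.DecodeString(s)
	return len(s) == n && err == nil
}

// parseMaterial is a hypothetical stand-in for the PR's parseSLSAMaterial.
// Assumption of this sketch: only http(s) URIs are accepted.
func parseMaterial(d Dependency) (Material, error) {
	scheme, _, ok := strings.Cut(d.URI, "://")
	if !ok || (scheme != "https" && scheme != "http") {
		return Material{}, fmt.Errorf("unsupported scheme %q", scheme)
	}
	if c, ok := d.Digest["gitCommit"]; ok && isHex(c, 40) {
		return Material{"git", d.URI, c}, nil
	}
	if s, ok := d.Digest["sha256"]; ok && isHex(s, 64) {
		return Material{"http", d.URI, s}, nil
	}
	return Material{}, fmt.Errorf("no valid digest in %v", d.Digest)
}

// collect drops entries that fail to parse and returns a note for each one;
// with strict set, the first failure aborts the evaluation instead.
func collect(deps []Dependency, strict bool) (ok []Material, skipped []string, err error) {
	for _, d := range deps {
		m, perr := parseMaterial(d)
		if perr != nil {
			if strict {
				return nil, nil, fmt.Errorf("material %q: %w", d.URI, perr)
			}
			skipped = append(skipped, fmt.Sprintf("%s: %v", d.URI, perr))
			continue
		}
		ok = append(ok, m)
	}
	return ok, skipped, nil
}

// hasGitCommit is an existence rule: some material is this repo at this commit.
func hasGitCommit(ms []Material, repo, commit string) bool {
	for _, m := range ms {
		if m.Kind == "git" && strings.Contains(m.URI, repo) && m.Digest == commit {
			return true
		}
	}
	return false
}

// allUnder is a universal rule; entries dropped by collect are never seen by it.
func allUnder(ms []Material, prefix string) bool {
	for _, m := range ms {
		if !strings.HasPrefix(m.URI, prefix) {
			return false
		}
	}
	return true
}

// evaluate runs both rules over the sample in lenient or strict mode.
func evaluate(strict bool) (exists, all bool, skipped []string, err error) {
	var deps []Dependency
	if err = json.Unmarshal([]byte(sampleDeps), &deps); err != nil {
		return
	}
	ms, skipped, err := collect(deps, strict)
	if err != nil {
		return
	}
	exists = hasGitCommit(ms, "github.com/octocat/hello-world", "7fd1a60b01f91b314f59955a4e4d4e80d8edf11d")
	return exists, allUnder(ms, "https://github.com/"), skipped, nil
}

func main() {
	fmt.Println(evaluate(false)) // lenient: false true [two skipped notes] <nil>
	fmt.Println(evaluate(true))  // strict: evaluation aborts on the git+https entry
}
```

In lenient mode the download from `downloads.example.net` never reaches `allUnder`, which is the case the reviewer asks about; the required `hello-world` material is likewise absent, so `hasGitCommit` denies, which is the behaviour the author describes.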

Comment thread commands/policy/eval.go

Unify root/material unknown resolution with recursive Input traversal.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Track fields reloaded during eval --print resolution loops and filter
final invalid-field warnings against that set.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

tonistiigi force-pushed the policy-recursive-materials branch from 1527c6a to 88cba2c on February 26, 2026 17:14

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>

Allow child refs from partial evaluation to match allowed parent keys on
path boundaries and return canonical unknowns for metadata resolution.

Add tests for parent-child matching and boundary safety cases.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
tonistiigi (Member Author)

I did some more testing and unfortunately this does not behave quite as well as I would have hoped. The properties of materials that are not initially present are only loaded if the material is accessed via a static index. If it is accessed dynamically, e.g.

every m in input.image.provenance.materials
  check(m)

or

every m in input.image.provenance.materials
  allow with m as input

Then the rego library cannot figure out what fields of the materials are actually required to be loaded.

So while this is working (and maybe more useful in the policy eval atm) only a subset of policy rules can be used, and actual dynamic recursiveness is hard to achieve atm. I'm not sure if it would be possible to extend rego library or alternatively some of this logic could instead be exposed as a custom helper in the future.

I added some new examples to https://github.com/tonistiigi/buildx-rego-examples

crazy-max (Member) left a comment

Ok iiuc recursive material loading is currently reliable only for statically indexed material access, while dynamic iteration (every m in input.image.provenance.materials) doesn't give enough hints for lazy resolution.

As follow-up I agree that we should either extend unknown-field discovery in the Rego lib or add a dedicated helper that pre-resolves/iterates material inputs in a policy-friendly way.

crazy-max merged commit e43156d into docker:master on Feb 27, 2026
159 checks passed
eleboucher pushed a commit to eleboucher/runner that referenced this pull request May 28, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [buildx](https://github.com/docker/buildx) | minor | `v0.30.0` → `v0.34.1` |

---

### Release Notes

<details>
<summary>docker/buildx (buildx)</summary>

### [`v0.34.1`](https://github.com/docker/buildx/releases/tag/v0.34.1)

[Compare Source](docker/buildx@v0.34.0...v0.34.1)

buildx 0.34.1

Welcome to the v0.34.1 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- CrazyMax
- Jonathan A. Sternberg
- Tõnis Tiigi

##### Notable Changes

- Fix regression in Bake command when building from Compose files with empty array value [#3849](docker/buildx#3849) [#3852](docker/buildx#3852)
- Fix possible panic in Kubernetes driver when using statefulset [#3853](docker/buildx#3853)

##### Dependency Changes

This release has no dependency changes

Previous release can be found at [v0.34.0](https://github.com/docker/buildx/releases/tag/v0.34.0)

### [`v0.34.0`](https://github.com/docker/buildx/releases/tag/v0.34.0)

[Compare Source](docker/buildx@v0.33.0...v0.34.0)

Welcome to the v0.34.0 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- CrazyMax
- Tõnis Tiigi
- Sebastiaan van Stijn
- Jonathan A. Sternberg
- Guillaume Lours
- Hervé Le Meur
- Mateusz Gozdek

##### Notable Changes

- Buildx now supports a default source policy for common build pipeline images that are provided by Docker Inc and signed by [Docker GitHub builder](https://github.com/docker/github-builder). These include `docker/dockerfile` frontend (including `docker/dockerfile-upstream` staging area) and `docker/buildkit-syft-scanner` image used for SBOM generation. These images are cryptographically verified to be authentic releases before they are used in builds. This feature is currently opt-in behind the `BUILDX_DEFAULT_POLICY` environment variable, but the intention is to enable it by default in a future release [#3807](docker/buildx#3807)
- Add `--policy` flag to `bake` command to specify global policy evaluation options. [#3832](docker/buildx#3832)
- Kubernetes driver now supports persistent storage options that change the deployment definition to use a StatefulSet and a persistent volume claim. [#3766](docker/buildx#3766)
- Fix issue where progress policy errors may have been lost in progress output. [#3838](docker/buildx#3838)
- Fix stopping `dial-stdio` command when the builder connection closes [#3790](docker/buildx#3790)
- Fix possible panic in `buildx debug` command when solving fails [#3823](docker/buildx#3823)
- Fix handling of Windows paths in local OCI layout definitions [#3825](docker/buildx#3825) [#3820](docker/buildx#3820) [#3812](docker/buildx#3812)
- Fix possible incorrect error when using `rm` commands on Docker context based builders [#3817](docker/buildx#3817)
- Fix possible cache miss due to nondeterministic ordering of extra hosts [#3789](docker/buildx#3789)
- Fix mounting of WSL libraries for GPU devices only on local docker-container endpoints [#3784](docker/buildx#3784)

##### Dependency Changes

- **github.com/aws/aws-sdk-go-v2**                                                  v1.41.4 -> v1.41.7
- **github.com/aws/aws-sdk-go-v2/config**                                           v1.32.12 -> v1.32.17
- **github.com/aws/aws-sdk-go-v2/credentials**                                      v1.19.12 -> v1.19.16
- **github.com/aws/aws-sdk-go-v2/feature/ec2/imds**                                 v1.18.20 -> v1.18.23
- **github.com/aws/aws-sdk-go-v2/internal/configsources**                           v1.4.20 -> v1.4.23
- **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2**                            v2.7.20 -> v2.7.23
- **github.com/aws/aws-sdk-go-v2/internal/v4a**                                     v1.4.24 ***new***
- **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding**                 v1.13.7 -> v1.13.9
- **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url**                   v1.13.20 -> v1.13.23
- **github.com/aws/aws-sdk-go-v2/service/signin**                                   v1.0.8 -> v1.0.11
- **github.com/aws/aws-sdk-go-v2/service/sso**                                      v1.30.13 -> v1.30.17
- **github.com/aws/aws-sdk-go-v2/service/ssooidc**                                  v1.35.17 -> v1.35.21
- **github.com/aws/aws-sdk-go-v2/service/sts**                                      v1.41.9 -> v1.42.1
- **github.com/aws/smithy-go**                                                      v1.24.2 -> v1.25.1
- **github.com/clipperhouse/uax29/v2**                                              v2.2.0 ***new***
- **github.com/compose-spec/compose-go/v2**                                         v2.9.1 -> v2.10.2
- **github.com/containerd/containerd/v2**                                           v2.2.2 -> v2.2.3
- **github.com/docker/cli**                                                         v29.3.1 -> v29.4.3
- **github.com/docker/go-connections**                                              v0.6.0 -> v0.7.0
- **github.com/go-openapi/runtime**                                                 v0.29.2 -> v0.29.3
- **github.com/go-openapi/swag**                                                    v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/cmdutils**                                           v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/netutils**                                           v0.25.4 -> v0.25.5
- **github.com/grpc-ecosystem/grpc-gateway/v2**                                     v2.27.7 -> v2.28.0
- **github.com/in-toto/in-toto-golang**                                             v0.10.0 -> v0.11.0
- **github.com/klauspost/compress**                                                 v1.18.5 -> v1.18.6
- **github.com/mattn/go-runewidth**                                                 v0.0.16 -> v0.0.23
- **github.com/moby/buildkit**                                                      v0.29.0 -> v0.30.0
- **github.com/moby/moby/api**                                                      v1.54.0 -> v1.54.2
- **github.com/moby/moby/client**                                                   v0.3.0 -> v0.4.1
- **github.com/moby/policy-helpers**                                                [`b7c0b99`](docker/buildx@b7c0b994300b) -> [`a39d601`](docker/buildx@a39d60132186)
- **github.com/moby/spdystream**                                                    v0.5.0 -> v0.5.1
- **github.com/sigstore/sigstore**                                                  v1.10.4 -> v1.10.5
- **github.com/sigstore/timestamp-authority/v2**                                    v2.0.3 -> v2.0.6
- **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**   v0.63.0 -> v0.68.0
- **go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace**  v0.63.0 -> v0.68.0
- **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                 v0.63.0 -> v0.68.0
- **go.opentelemetry.io/otel**                                                      v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc**             v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp**             v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                             v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**               v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**               v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/exporters/stdout/stdouttrace**                         v1.38.0 -> v1.42.0
- **go.opentelemetry.io/otel/metric**                                               v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/sdk**                                                  v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/sdk/metric**                                           v1.40.0 -> v1.43.0
- **go.opentelemetry.io/otel/trace**                                                v1.40.0 -> v1.43.0
- **go.opentelemetry.io/proto/otlp**                                                v1.9.0 -> v1.10.0
- **go.yaml.in/yaml/v4**                                                            v4.0.0-rc.4 ***new***
- **golang.org/x/crypto**                                                           v0.48.0 -> v0.50.0
- **golang.org/x/mod**                                                              v0.33.0 -> v0.34.0
- **golang.org/x/net**                                                              v0.51.0 -> v0.53.0
- **golang.org/x/oauth2**                                                           v0.34.0 -> v0.36.0
- **golang.org/x/sync**                                                             v0.19.0 -> v0.20.0
- **golang.org/x/sys**                                                              v0.42.0 -> v0.43.0
- **golang.org/x/term**                                                             v0.41.0 -> v0.42.0
- **golang.org/x/text**                                                             v0.34.0 -> v0.36.0
- **golang.org/x/time**                                                             v0.14.0 -> v0.15.0
- **golang.org/x/tools**                                                            v0.41.0 -> v0.43.0
- **google.golang.org/genproto/googleapis/api**                                     [`8636f87`](docker/buildx@8636f8732409) -> [`6f92a3b`](docker/buildx@6f92a3bedf2d)
- **google.golang.org/genproto/googleapis/rpc**                                     [`8636f87`](docker/buildx@8636f8732409) -> [`6f92a3b`](docker/buildx@6f92a3bedf2d)
- **google.golang.org/grpc**                                                        v1.79.3 -> v1.80.0
- **k8s.io/api**                                                                    v0.35.2 -> v0.35.4
- **k8s.io/apimachinery**                                                           v0.35.2 -> v0.35.4
- **k8s.io/client-go**                                                              v0.35.2 -> v0.35.4

Previous release can be found at [v0.33.0](https://github.com/docker/buildx/releases/tag/v0.33.0)

### [`v0.33.0`](https://github.com/docker/buildx/releases/tag/v0.33.0)

[Compare Source](docker/buildx@v0.32.1...v0.33.0)

Welcome to the v0.33.0 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- Tõnis Tiigi
- CrazyMax
- Jonathan A. Sternberg
- Sebastiaan van Stijn
- rishabh
- Akihiro Suda

##### Notable Changes

- Imagetools `create` and `inspect` commands now support OCI layout paths as source and destination that can be used together with registry references [#3721](docker/buildx#3721)
- Bake command supports new builtin functions `formattimestamp` and `unixtimestampparse` for better handling of time values [#3286](docker/buildx#3286)
- DAP debugger support is now generally available without the need for the experimental features flag [#3736](docker/buildx#3736)
- Policy evaluation now supports verifying HTTP sources with PGP signatures through the `verify_http_pgp_signature` builtin [#3677](docker/buildx#3677)
- `policy eval` command now supports `--platform` flag to specify the platform for evaluated image sources [#3738](docker/buildx#3738)
- `policy eval` can now read policy from stdin when `-f -` is used [#3738](docker/buildx#3738)
- `policy eval` flag `--filename` has been renamed to `--file` for consistency with other commands. The previous flag is deprecated. [#3738](docker/buildx#3738)
- Fix issue where `imagetools create` could in some cases upload the same (attestation) manifest multiple times, possibly causing `400` error in some registries [#3731](docker/buildx#3731)
- Fix rejecting empty string values for `BUILDKIT_SYNTAX` build argument override [#3734](docker/buildx#3734)
- Fix possible inconsistent build context contents when using remote bake builds with a subdirectory in context path [#3678](docker/buildx#3678)
- Fix possible formatting issue in `imagetools inspect` based on whitespace in input [#3732](docker/buildx#3732)
- Fix possible error when finalizing build history traces in multi-node builders [#3716](docker/buildx#3716) [#3717](docker/buildx#3717)
- Fix possible build errors when linking Bake multi-platform targets with session attributes like build secrets [#3696](docker/buildx#3696)
- Fix remote Bake git contexts to preserve subdirectory paths [#3682](docker/buildx#3682)
- Fix proxy build-arg override detection when argument casing differs [#3697](docker/buildx#3697)
- Fix DAP breakpoints on the entrypoint line being skipped in some cases [#3691](docker/buildx#3691)
- Fix DAP breakpoint detection on case-insensitive filesystems such as Windows [#3704](docker/buildx#3704)
- Fix DAP source path mapping for Dockerfiles outside the context root or in subdirectories [#3709](docker/buildx#3709)
- Fix DAP stepping by skipping internal build context load steps without source locations [#3712](docker/buildx#3712)
- Fix over-eager DAP input evaluation while stepping through builds [#3687](docker/buildx#3687)
- Fix DAP checks for whether an exec command can run successfully [#3701](docker/buildx#3701)
- Fix DAP debugger exit status reporting and output delivery on session shutdown [#3735](docker/buildx#3735)

##### Dependency Changes

- **github.com/aws/aws-sdk-go-v2**                                       v1.41.1 -> v1.41.4
- **github.com/aws/aws-sdk-go-v2/config**                                v1.32.7 -> v1.32.12
- **github.com/aws/aws-sdk-go-v2/credentials**                           v1.19.7 -> v1.19.12
- **github.com/aws/aws-sdk-go-v2/feature/ec2/imds**                      v1.18.17 -> v1.18.20
- **github.com/aws/aws-sdk-go-v2/internal/configsources**                v1.4.17 -> v1.4.20
- **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2**                 v2.7.17 -> v2.7.20
- **github.com/aws/aws-sdk-go-v2/internal/ini**                          v1.8.4 -> v1.8.6
- **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding**      v1.13.4 -> v1.13.7
- **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url**        v1.13.17 -> v1.13.20
- **github.com/aws/aws-sdk-go-v2/service/signin**                        v1.0.5 -> v1.0.8
- **github.com/aws/aws-sdk-go-v2/service/sso**                           v1.30.9 -> v1.30.13
- **github.com/aws/aws-sdk-go-v2/service/ssooidc**                       v1.35.13 -> v1.35.17
- **github.com/aws/aws-sdk-go-v2/service/sts**                           v1.41.6 -> v1.41.9
- **github.com/aws/smithy-go**                                           v1.24.0 -> v1.24.2
- **github.com/containerd/containerd/v2**                                v2.2.1 -> v2.2.2
- **github.com/containerd/ttrpc**                                        v1.2.7 -> v1.2.8
- **github.com/docker/cli**                                              v29.2.1 -> v29.3.1
- **github.com/go-openapi/analysis**                                     v0.24.1 -> v0.24.3
- **github.com/go-openapi/errors**                                       v0.22.6 -> v0.22.7
- **github.com/go-openapi/jsonpointer**                                  v0.22.4 -> v0.22.5
- **github.com/go-openapi/jsonreference**                                v0.21.4 -> v0.21.5
- **github.com/go-openapi/loads**                                        v0.23.2 -> v0.23.3
- **github.com/go-openapi/spec**                                         v0.22.3 -> v0.22.4
- **github.com/go-openapi/strfmt**                                       v0.25.0 -> v0.26.1
- **github.com/go-openapi/swag/conv**                                    v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/fileutils**                               v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/jsonname**                                v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/jsonutils**                               v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/loading**                                 v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/mangling**                                v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/stringutils**                             v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/typeutils**                               v0.25.4 -> v0.25.5
- **github.com/go-openapi/swag/yamlutils**                               v0.25.4 -> v0.25.5
- **github.com/go-openapi/validate**                                     v0.25.1 -> v0.25.2
- **github.com/grpc-ecosystem/grpc-gateway/v2**                          v2.27.3 -> v2.27.7
- **github.com/klauspost/compress**                                      v1.18.4 -> v1.18.5
- **github.com/moby/buildkit**                                           v0.28.0 -> v0.29.0
- **github.com/moby/moby/api**                                           v1.53.0 -> v1.54.0
- **github.com/moby/moby/client**                                        v0.2.2 -> v0.3.0
- **github.com/moby/patternmatcher**                                     v0.6.0 -> v0.6.1
- **github.com/moby/policy-helpers**                                     [`824747b`](docker/buildx@824747bfdd3c) -> [`b7c0b99`](docker/buildx@b7c0b994300b)
- **github.com/oklog/ulid/v2**                                           v2.1.1 ***new***
- **go.opentelemetry.io/otel**                                           v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc**  v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp**  v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace**                  v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc**    v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp**    v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/metric**                                    v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/sdk**                                       v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/sdk/metric**                                v1.38.0 -> v1.40.0
- **go.opentelemetry.io/otel/trace**                                     v1.38.0 -> v1.40.0
- **go.opentelemetry.io/proto/otlp**                                     v1.7.1 -> v1.9.0
- **golang.org/x/sys**                                                   v0.41.0 -> v0.42.0
- **golang.org/x/term**                                                  v0.40.0 -> v0.41.0
- **google.golang.org/genproto/googleapis/api**                          [`ff82c1b`](docker/buildx@ff82c1b0f217) -> [`8636f87`](docker/buildx@8636f8732409)
- **google.golang.org/genproto/googleapis/rpc**                          [`0a764e5`](docker/buildx@0a764e51fe1b) -> [`8636f87`](docker/buildx@8636f8732409)
- **google.golang.org/grpc**                                             v1.78.0 -> v1.79.3
- **k8s.io/api**                                                         v0.34.1 -> v0.35.2
- **k8s.io/apimachinery**                                                v0.34.1 -> v0.35.2
- **k8s.io/client-go**                                                   v0.34.1 -> v0.35.2
- **k8s.io/kube-openapi**                                                [`f3f2b99`](docker/buildx@f3f2b991d03b) -> [`589584f`](docker/buildx@589584f1c912)
- **k8s.io/utils**                                                       [`4c0f3b2`](docker/buildx@4c0f3b243397) -> [`bc988d5`](docker/buildx@bc988d571ff4)
- **sigs.k8s.io/json**                                                   [`cfa47c3`](docker/buildx@cfa47c3a1cc8) -> [`2d32026`](docker/buildx@2d320260d730)

Previous release can be found at [v0.32.1](https://github.com/docker/buildx/releases/tag/v0.32.1)

### [`v0.32.1`](https://github.com/docker/buildx/releases/tag/v0.32.1)

[Compare Source](docker/buildx@v0.32.0...v0.32.1)

buildx 0.32.1

Welcome to the v0.32.1 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- CrazyMax
- Tõnis Tiigi

##### Notable Changes

- Fix possible error when building private Git repositories with secret credentials directly from remote source [#3694](docker/buildx#3694)

##### Dependency Changes

This release has no dependency changes

Previous release can be found at [v0.32.0](https://github.com/docker/buildx/releases/tag/v0.32.0)

### [`v0.32.0`](https://github.com/docker/buildx/releases/tag/v0.32.0)

[Compare Source](docker/buildx@v0.31.1...v0.32.0)

buildx 0.32.0

Welcome to the v0.32.0 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- Tõnis Tiigi
- CrazyMax
- Sebastiaan van Stijn
- Jonathan A. Sternberg
- Akhil Manoj
- David Karlsson
- yzewei

##### Notable Changes

- Imagetools now supports `--metadata-file` flag to capture properties like descriptor/digest values for the new image. [#3638](docker/buildx#3638)
- Imagetools auth libraries have now been combined with the ones used in `build` commands, enabling previously missing support for scoped credentials and automatic fallbacks for Docker Hardened Image registries. [#3627](docker/buildx#3627)
- Many commands now support `--timeout` flag to configure the timeout for waiting for responses from remote builders. [#3665](docker/buildx#3665)
- Rego Policy now supports validating builds from remote sources (Git, HTTP) [#3661](docker/buildx#3661)
- Rego Policies now include new builtins for validating signed Sigstore bundle attestations of HTTP source artifacts. Attestations can also be automatically fetched from Github API [#3657](docker/buildx#3657)
- Rego policies can now use `input.image.provenance` to write rules validating specific provenance attestation fields. Materials of provenance can be accessed as policy secondary inputs. Requires BuildKit v0.28+ [#3652](docker/buildx#3652) [#3662](docker/buildx#3662)
- Builds failing due to policy violations now have better error messages with the failing step clearly marked and the last policy logs shown with the error. [#3656](docker/buildx#3656)
- Fix possible passing of incorrect Git auth token for Bake builds when multiple remotes with different hosts exist. [#3648](docker/buildx#3648)
- Fixed policy filesystem reference lifecycle handling to avoid stale policy filesystem state during builds. [#3674](docker/buildx#3674)
- Normalized default policy filename resolution from environment configuration for more consistent behavior. [#3675](docker/buildx#3675)
- Named contexts used in different projects now get unique "shared keys" (previously based on context name) to avoid overwriting destinations of other projects, with reduced performance. This feature requires Dockerfile 1.22+ [#3618](docker/buildx#3618)
- Fix local subdir named context copied with wrong parent directory for remote Bake builds [#3678](docker/buildx#3678)
- Bake builds now capture the original URL information of named contexts sent as inputs in request metadata [#3682](docker/buildx#3682) [#3462](docker/buildx#3462)
- Additional metrics associated with DAP debugger have been added [#3633](docker/buildx#3633)
- DAP file explorer now gets a more accurate state of the file system via updated BuildKit API [#3450](docker/buildx#3450)
- DAP file explorer source names have been improved [#3631](docker/buildx#3631)
- Improve the output of `-q` used with `--call` [#3655](docker/buildx#3655)

##### Dependency Changes

- **github.com/aws/aws-sdk-go-v2**                                   v1.39.6 -> v1.41.1
- **github.com/aws/aws-sdk-go-v2/config**                            v1.31.20 -> v1.32.7
- **github.com/aws/aws-sdk-go-v2/credentials**                       v1.18.24 -> v1.19.7
- **github.com/aws/aws-sdk-go-v2/feature/ec2/imds**                  v1.18.13 -> v1.18.17
- **github.com/aws/aws-sdk-go-v2/internal/configsources**            v1.4.13 -> v1.4.17
- **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2**             v2.7.13 -> v2.7.17
- **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding**  v1.13.3 -> v1.13.4
- **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url**    v1.13.13 -> v1.13.17
- **github.com/aws/aws-sdk-go-v2/service/signin**                    v1.0.5 ***new***
- **github.com/aws/aws-sdk-go-v2/service/sso**                       v1.30.3 -> v1.30.9
- **github.com/aws/aws-sdk-go-v2/service/ssooidc**                   v1.35.7 -> v1.35.13
- **github.com/aws/aws-sdk-go-v2/service/sts**                       v1.40.2 -> v1.41.6
- **github.com/aws/smithy-go**                                       v1.23.2 -> v1.24.0
- **github.com/cloudflare/circl**                                    v1.6.1 -> v1.6.3
- **github.com/docker/cli**                                          v29.1.5 -> v29.2.1
- **github.com/go-openapi/errors**                                   v0.22.4 -> v0.22.6
- **github.com/go-openapi/jsonpointer**                              v0.22.1 -> v0.22.4
- **github.com/go-openapi/jsonreference**                            v0.21.3 -> v0.21.4
- **github.com/go-openapi/spec**                                     v0.22.1 -> v0.22.3
- **github.com/go-openapi/swag**                                     v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/cmdutils**                            v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/conv**                                v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/fileutils**                           v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/jsonname**                            v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/jsonutils**                           v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/loading**                             v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/mangling**                            v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/netutils**                            v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/stringutils**                         v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/typeutils**                           v0.25.3 -> v0.25.4
- **github.com/go-openapi/swag/yamlutils**                           v0.25.3 -> v0.25.4
- **github.com/go-viper/mapstructure/v2**                            v2.4.0 -> v2.5.0
- **github.com/golang/snappy**                                       v1.0.0 ***new***
- **github.com/google/go-containerregistry**                         v0.20.6 -> v0.20.7
- **github.com/in-toto/in-toto-golang**                              v0.9.0 -> v0.10.0
- **github.com/klauspost/compress**                                  v1.18.2 -> v1.18.4
- **github.com/moby/buildkit**                                       v0.27.0 -> v0.28.0
- **github.com/moby/moby/api**                                       v1.52.0 -> v1.53.0
- **github.com/moby/moby/client**                                    v0.2.1 -> v0.2.2
- **github.com/moby/policy-helpers**                                 [`9fcc1a9`](docker/buildx@9fcc1a9ec5c9) -> [`824747b`](docker/buildx@824747bfdd3c)
- **github.com/package-url/packageurl-go**                           v0.1.1 ***new***
- **github.com/pelletier/go-toml/v2**                                v2.2.4 ***new***
- **github.com/secure-systems-lab/go-securesystemslib**              v0.9.1 -> v0.10.0
- **github.com/sigstore/rekor**                                      v1.4.3 -> v1.5.0
- **github.com/sigstore/sigstore**                                   v1.10.0 -> v1.10.4
- **github.com/sigstore/sigstore-go**                                [`b5fe07a`](docker/buildx@b5fe07a5a7d7) -> v1.1.4
- **github.com/sigstore/timestamp-authority/v2**                     v2.0.2 -> v2.0.3
- **github.com/theupdateframework/go-tuf/v2**                        v2.3.0 -> v2.4.1
- **google.golang.org/genproto/googleapis/api**                      [`f26f940`](docker/buildx@f26f9409b101) -> [`ff82c1b`](docker/buildx@ff82c1b0f217)
- **google.golang.org/genproto/googleapis/rpc**                      [`f26f940`](docker/buildx@f26f9409b101) -> [`0a764e5`](docker/buildx@0a764e51fe1b)
- **google.golang.org/grpc**                                         v1.76.0 -> v1.78.0

Previous release can be found at [v0.31.1](https://github.com/docker/buildx/releases/tag/v0.31.1)

### [`v0.31.1`](https://github.com/docker/buildx/releases/tag/v0.31.1)

[Compare Source](docker/buildx@v0.31.0...v0.31.1)

buildx 0.31.1

Welcome to the v0.31.1 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- Tõnis Tiigi

##### Notable Changes

- Fix excessive HTTP requests when using `buildx imagetools create` command [#3632](docker/buildx#3632)

##### Dependency Changes

This release has no dependency changes

Previous release can be found at [v0.31.0](https://github.com/docker/buildx/releases/tag/v0.31.0)

### [`v0.31.0`](https://github.com/docker/buildx/releases/tag/v0.31.0)

[Compare Source](docker/buildx@v0.30.1...v0.31.0)

buildx 0.31.0

Welcome to the v0.31.0 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- Tõnis Tiigi
- CrazyMax
- Sebastiaan van Stijn
- Jonathan A. Sternberg
- Justin Chadwell
- Akihiro Suda
- Brian Goff
- David Karlsson
- Paweł Gronowski
- Sergei Khomenkov
- guimove

##### Notable Changes

- This is a first version of Buildx with signed artifacts built using [Docker GitHub Builder](https://github.com/docker/github-builder-experimental)
- This release comes with new experimental support for source policy enforcement during builds using policies written in [Rego](https://www.openpolicyagent.org/docs/policy-language) language. There are some limitations in this release, for example, only builds from the local build context currently load policies. [#3593](docker/buildx#3593) [#3539](docker/buildx#3539) [#3592](docker/buildx#3592) [#3611](docker/buildx#3611) [docs](https://docs.docker.com/build/policies/)
  - Matching policy for Dockerfile is loaded automatically if one exists, e.g., `Dockerfile.rego` or `app.Dockerfile.rego`.
  - Additional policy configuration can be provided using new `build --policy` flag.
  - Bake also supports automatic policy loading and a new `policy` key in the target configuration.
  - New `buildx policy` command includes subcommands `eval` and `test` to help you write and test your policies.
- Bake command has a new `--var` flag to set variable values from the command line instead of setting environment variables. [#3610](docker/buildx#3610)
- When creating images in Docker image store, they no longer unpack if export was initialized with `--push` or `-o type=registry` [#3519](docker/buildx#3519)
- Add `semvercmp` helper function to Bake stdlib for easier version comparisons [#3577](docker/buildx#3577)
- Retry transient TLS errors when talking to Kubernetes nodes [#3493](docker/buildx#3493)
- Allow disabling Bake env lookups so `bake` can ignore host environment variables [#3595](docker/buildx#3595)
- Add possibility to load Docker configs scoped to specific repos/scopes for finer credential control [#3562](docker/buildx#3562)
- When building images from Docker Hardened Images (dhi.io) and Docker Scout registries, authentication will now automatically fall back to Docker Hub credentials if no specific credentials are found. [#3612](docker/buildx#3612)
- Fix the `--debug` flag issues in standalone mode [#3554](docker/buildx#3554)
- Fix handling `@` characters inside OCI layout paths passed to build [#3583](docker/buildx#3583)
- Surface policy controls `--policy`, policy eval, custom builtins/Regos/gitsign checks so builds can enforce policies [#3593](docker/buildx#3593) [#3549](docker/buildx#3549)
- Prevent DAP breakpoint overlaps from triggering false positives [#3534](docker/buildx#3534)
- Fix mount input names in DAP run mounts [#3579](docker/buildx#3579)
- Fix DAP breakpoint reason reporting [#3581](docker/buildx#3581)

##### Dependency Changes

- **github.com/ProtonMail/go-crypto**                                               v1.3.0 ***new***
- **github.com/agnivade/levenshtein**                                               v1.2.1 ***new***
- **github.com/asaskevich/govalidator**                                             [`a9d515a`](docker/buildx@a9d515a09cc2) ***new***
- **github.com/aws/aws-sdk-go-v2**                                                  v1.38.1 -> v1.39.6
- **github.com/aws/aws-sdk-go-v2/config**                                           v1.31.3 -> v1.31.20
- **github.com/aws/aws-sdk-go-v2/credentials**                                      v1.18.7 -> v1.18.24
- **github.com/aws/aws-sdk-go-v2/feature/ec2/imds**                                 v1.18.4 -> v1.18.13
- **github.com/aws/aws-sdk-go-v2/internal/configsources**                           v1.4.4 -> v1.4.13
- **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2**                            v2.7.4 -> v2.7.13
- **github.com/aws/aws-sdk-go-v2/internal/ini**                                     v1.8.3 -> v1.8.4
- **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding**                 v1.13.0 -> v1.13.3
- **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url**                   v1.13.4 -> v1.13.13
- **github.com/aws/aws-sdk-go-v2/service/sso**                                      v1.28.2 -> v1.30.3
- **github.com/aws/aws-sdk-go-v2/service/ssooidc**                                  v1.34.0 -> v1.35.7
- **github.com/aws/aws-sdk-go-v2/service/sts**                                      v1.38.0 -> v1.40.2
- **github.com/aws/smithy-go**                                                      v1.22.5 -> v1.23.2
- **github.com/beorn7/perks**                                                       v1.0.1 ***new***
- **github.com/blang/semver**                                                       v3.5.1 ***new***
- **github.com/cespare/xxhash/v2**                                                  v2.3.0 ***new***
- **github.com/cloudflare/circl**                                                   v1.6.1 ***new***
- **github.com/containerd/containerd/v2**                                           [`efd86f2`](docker/buildx@efd86f2b0bc2) -> v2.2.1
- **github.com/cyberphone/json-canonicalization**                                   [`19d51d7`](docker/buildx@19d51d7fe467) ***new***
- **github.com/davecgh/go-spew**                                                    v1.1.1 -> [`d8f796a`](docker/buildx@d8f796af33cc)
- **github.com/decred/dcrd/dcrec/secp256k1/v4**                                     v4.4.0 ***new***
- **github.com/digitorus/pkcs7**                                                    [`3a137a8`](docker/buildx@3a137a874352) ***new***
- **github.com/digitorus/timestamp**                                                [`220c5c2`](docker/buildx@220c5c2851b7) ***new***
- **github.com/docker/cli**                                                         v28.5.1 -> v29.1.5
- **github.com/docker/cli-docs-tool**                                               v0.10.0 -> v0.11.0
- **github.com/docker/docker**                                                      v28.5.1 -> v28.5.2
- **github.com/docker/docker-credential-helpers**                                   v0.9.3 -> v0.9.5
- **github.com/docker/go-connections**                                              v0.5.0 -> v0.6.0
- **github.com/fvbommel/sortorder**                                                 v1.0.1 -> v1.1.0
- **github.com/go-ini/ini**                                                         v1.67.0 ***new***
- **github.com/go-openapi/analysis**                                                v0.24.1 ***new***
- **github.com/go-openapi/errors**                                                  v0.22.4 ***new***
- **github.com/go-openapi/jsonpointer**                                             v0.21.0 -> v0.22.1
- **github.com/go-openapi/jsonreference**                                           v0.20.2 -> v0.21.3
- **github.com/go-openapi/loads**                                                   v0.23.2 ***new***
- **github.com/go-openapi/runtime**                                                 v0.29.2 ***new***
- **github.com/go-openapi/spec**                                                    v0.22.1 ***new***
- **github.com/go-openapi/strfmt**                                                  v0.25.0 ***new***
- **github.com/go-openapi/swag**                                                    v0.23.0 -> v0.25.3
- **github.com/go-openapi/swag/cmdutils**                                           v0.25.3 ***new***
- **github.com/go-openapi/swag/conv**                                               v0.25.3 ***new***
- **github.com/go-openapi/swag/fileutils**                                          v0.25.3 ***new***
- **github.com/go-openapi/swag/jsonname**                                           v0.25.3 ***new***
- **github.com/go-openapi/swag/jsonutils**                                          v0.25.3 ***new***
- **github.com/go-openapi/swag/loading**                                            v0.25.3 ***new***
- **github.com/go-openapi/swag/mangling**                                           v0.25.3 ***new***
- **github.com/go-openapi/swag/netutils**                                           v0.25.3 ***new***
- **github.com/go-openapi/swag/stringutils**                                        v0.25.3 ***new***
- **github.com/go-openapi/swag/typeutils**                                          v0.25.3 ***new***
- **github.com/go-openapi/swag/yamlutils**                                          v0.25.3 ***new***
- **github.com/go-openapi/validate**                                                v0.25.1 ***new***
- **github.com/gobwas/glob**                                                        v0.2.3 ***new***
- **github.com/goccy/go-json**                                                      v0.10.5 ***new***
- **github.com/google/certificate-transparency-go**                                 v1.3.2 ***new***
- **github.com/google/go-containerregistry**                                        v0.20.6 ***new***
- **github.com/google/go-dap**                                                      v0.12.0 -> [`d7a2259`](docker/buildx@d7a2259b058b)
- **github.com/grpc-ecosystem/grpc-gateway/v2**                                     v2.27.2 -> v2.27.3
- **github.com/hiddeco/sshsig**                                                     v0.2.0 ***new***
- **github.com/in-toto/attestation**                                                v1.1.2 ***new***
- **github.com/klauspost/compress**                                                 v1.18.1 -> v1.18.2
- **github.com/lestrrat-go/blackmagic**                                             v1.0.4 ***new***
- **github.com/lestrrat-go/dsig**                                                   v1.0.0 ***new***
- **github.com/lestrrat-go/dsig-secp256k1**                                         v1.0.0 ***new***
- **github.com/lestrrat-go/httpcc**                                                 v1.0.1 ***new***
- **github.com/lestrrat-go/httprc/v3**                                              v3.0.1 ***new***
- **github.com/lestrrat-go/jwx/v3**                                                 v3.0.11 ***new***
- **github.com/lestrrat-go/option**                                                 v1.0.1 ***new***
- **github.com/lestrrat-go/option/v2**                                              v2.0.0 ***new***
- **github.com/moby/buildkit**                                                      v0.26.1 -> v0.27.0
- **github.com/moby/go-archive**                                                    v0.1.0 -> v0.2.0
- **github.com/moby/moby/api**                                                      v1.52.0 ***new***
- **github.com/moby/moby/client**                                                   v0.2.1 ***new***
- **github.com/moby/policy-helpers**                                                [`9fcc1a9`](docker/buildx@9fcc1a9ec5c9) ***new***
- **github.com/morikuni/aec**                                                       v1.0.0 -> v1.1.0
- **github.com/oklog/ulid**                                                         v1.3.1 ***new***
- **github.com/open-policy-agent/opa**                                              v1.10.1 ***new***
- **github.com/pmezard/go-difflib**                                                 v1.0.0 -> [`5d4384e`](docker/buildx@5d4384ee4fb2)
- **github.com/prometheus/client\_golang**                                           v1.23.2 ***new***
- **github.com/prometheus/client\_model**                                            v0.6.2 ***new***
- **github.com/prometheus/common**                                                  v0.66.1 ***new***
- **github.com/prometheus/procfs**                                                  v0.17.0 ***new***
- **github.com/rcrowley/go-metrics**                                                [`65e299d`](docker/buildx@65e299d6c5c9) ***new***
- **github.com/rivo/uniseg**                                                        v0.2.0 -> v0.4.7
- **github.com/segmentio/asm**                                                      v1.2.0 ***new***
- **github.com/sigstore/protobuf-specs**                                            v0.5.0 ***new***
- **github.com/sigstore/rekor**                                                     v1.4.3 ***new***
- **github.com/sigstore/rekor-tiles/v2**                                            v2.0.1 ***new***
- **github.com/sigstore/sigstore**                                                  v1.10.0 ***new***
- **github.com/sigstore/sigstore-go**                                               [`b5fe07a`](docker/buildx@b5fe07a5a7d7) ***new***
- **github.com/sigstore/timestamp-authority/v2**                                    v2.0.2 ***new***
- **github.com/sirupsen/logrus**                                                    v1.9.3 -> v1.9.4
- **github.com/spf13/cobra**                                                        v1.10.1 -> v1.10.2
- **github.com/tchap/go-patricia/v2**                                               v2.3.3 ***new***
- **github.com/theupdateframework/go-tuf/v2**                                       v2.3.0 ***new***
- **github.com/tonistiigi/fsutil**                                                  [`586307a`](docker/buildx@586307ad452f) -> [`a2aa163`](docker/buildx@a2aa163d723f)
- **github.com/transparency-dev/formats**                                           [`404c0d5`](docker/buildx@404c0d5b696c) ***new***
- **github.com/transparency-dev/merkle**                                            v0.0.2 ***new***
- **github.com/valyala/fastjson**                                                   v1.6.4 ***new***
- **github.com/vektah/gqlparser/v2**                                                v2.5.30 ***new***
- **github.com/xeipuuv/gojsonpointer**                                              [`02993c4`](docker/buildx@02993c407bfb) ***new***
- **github.com/xeipuuv/gojsonreference**                                            [`bd5ef7b`](docker/buildx@bd5ef7bd5415) ***new***
- **github.com/yashtewari/glob-intersection**                                       v0.2.0 ***new***
- **go.mongodb.org/mongo-driver**                                                   v1.17.6 ***new***
- **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc**   v0.61.0 -> v0.63.0
- **go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace**  v0.61.0 -> v0.63.0
- **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp**                 v0.61.0 -> v0.63.0
- **go.opentelemetry.io/otel/exporters/stdout/stdouttrace**                         v1.31.0 -> v1.38.0
- **go.yaml.in/yaml/v2**                                                            v2.4.2 -> v2.4.3
- **google.golang.org/genproto/googleapis/api**                                     [`c5933d9`](docker/buildx@c5933d9347a5) -> [`f26f940`](docker/buildx@f26f9409b101)
- **google.golang.org/genproto/googleapis/rpc**                                     [`c5933d9`](docker/buildx@c5933d9347a5) -> [`f26f940`](docker/buildx@f26f9409b101)

Previous release can be found at [v0.30.1](https://github.com/docker/buildx/releases/tag/v0.30.1)

### [`v0.30.1`](https://github.com/docker/buildx/releases/tag/v0.30.1)

[Compare Source](docker/buildx@v0.30.0...v0.30.1)

Welcome to the v0.30.1 release of buildx!

Please try out the release binaries and report any issues at
<https://github.com/docker/buildx/issues>.

##### Contributors

- Tõnis Tiigi
- CrazyMax
- Jonathan A. Sternberg

##### Notable Changes

- Fix concurrent map write panic. [#3524](docker/buildx#3524)
- Fix possible excessive chunking when fetching blobs. [#3529](docker/buildx#3529)

##### Dependency Changes

- **github.com/containerd/containerd/v2**  v2.2.0 -> [`efd86f2`](docker/buildx@efd86f2b0bc2)
- **github.com/moby/buildkit**             v0.26.0 -> v0.26.1

Previous release can be found at [v0.30.0](https://github.com/docker/buildx/releases/tag/v0.30.0)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1533
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.code.forgejo.org>

Development

Successfully merging this pull request may close these issues.

Policy: add provenance fields

2 participants