From 13b71f322951558b9b6cfae9ff84a41ea3f6f7a9 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Thu, 10 Jul 2025 14:37:54 +0200
Subject: [PATCH] build: update buildx ref to 0.25.0 and buildkit ref to 0.23.2
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .../docker/buildx/docs/bake-reference.md | 17 +
 .../docs/attestations/slsa-definitions.md | 755 +++++++++++-------
 .../moby/buildkit/docs/buildkitd.toml.md | 2 +
 .../frontend/dockerfile/docs/reference.md | 19 +-
 go.mod | 94 +--
 go.sum | 4 +
 6 files changed, 504 insertions(+), 387 deletions(-)
diff --git a/_vendor/github.com/docker/buildx/docs/bake-reference.md b/_vendor/github.com/docker/buildx/docs/bake-reference.md
index 5245f611dc38..22592ec373ba 100644
--- a/_vendor/github.com/docker/buildx/docs/bake-reference.md
+++ b/_vendor/github.com/docker/buildx/docs/bake-reference.md
@@ -227,6 +227,8 @@ The following table shows the complete list of attributes that you can assign to
 | [`description`](#targetdescription) | String | Description of a target |
 | [`dockerfile-inline`](#targetdockerfile-inline) | String | Inline Dockerfile string |
 | [`dockerfile`](#targetdockerfile) | String | Dockerfile location |
+| [`entitlements`](#targetentitlements) | List | Permissions that the build process requires to run |
+| [`extra-hosts`](#targetextra-hosts) | List | Customs host-to-IP mapping |
 | [`inherits`](#targetinherits) | List | Inherit attributes from other targets |
 | [`labels`](#targetlabels) | Map | Metadata for images |
 | [`matrix`](#targetmatrix) | Map | Define a set of variables that forks a target into multiple targets. |
@@ -583,6 +585,20 @@ target "integration-tests" { Entitlements are enabled with a two-step process. First, a target must declare the entitlements it requires. Secondly, when invoking the `bake` command, the user must grant the entitlements by passing the `--allow` flag or confirming the entitlements when prompted in an interactive terminal. This is to ensure that the user is aware of the possibly insecure permissions they are granting to the build process. +### `target.extra-hosts` + +Use the `extra-hosts` attribute to define customs host-to-IP mapping for the +target. This has the same effect as passing a [`--add-host`][add-host] flag to +the build command. + +```hcl +target "default" { + extra-hosts = { + my_hostname = "8.8.8.8" + } +} +``` + ### `target.inherits` A target can inherit attributes from other targets. @@ -1422,6 +1438,7 @@ target "webapp-dev" { +[add-host]: https://docs.docker.com/reference/cli/docker/buildx/build/#add-host [attestations]: https://docs.docker.com/build/attestations/ [bake_stdlib]: https://github.com/docker/buildx/blob/master/bake/hclparser/stdlib.go [build-arg]: https://docs.docker.com/reference/cli/docker/image/build/#build-arg diff --git a/_vendor/github.com/moby/buildkit/docs/attestations/slsa-definitions.md b/_vendor/github.com/moby/buildkit/docs/attestations/slsa-definitions.md index 08b692df3d3b..0053e1e12d28 100644 --- a/_vendor/github.com/moby/buildkit/docs/attestations/slsa-definitions.md +++ b/_vendor/github.com/moby/buildkit/docs/attestations/slsa-definitions.md 
@@ -2,22 +2,436 @@ title: SLSA definitions --- -BuildKit supports the [creation of SLSA Provenance](./slsa-provenance.md) for builds that -it runs. +BuildKit supports the [creation of SLSA Provenance](./slsa-provenance.md) for +builds that it runs. The provenance format generated by BuildKit is defined by the -[SLSA Provenance format](https://slsa.dev/provenance/v0.2). +SLSA Provenance format (supports both [v0.2](https://slsa.dev/spec/v0.2/provenance) +and [v1](https://slsa.dev/spec/v1.1/provenance)). This page describes how BuildKit populate each field, and whether the field gets included when you generate attestations `mode=min` and `mode=max`. -## `builder.id` +## SLSA v1 -Corresponds to [SLSA `builder.id`](https://slsa.dev/provenance/v0.2#builder.id). +### `buildDefinition.buildType` + +* Ref: https://slsa.dev/spec/v1.1/provenance#buildType +* Included with `mode=min` and `mode=max`. + +The `buildDefinition.buildType` field is set to `https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md` +and can be used to determine the structure of the provenance content. + +```json + "buildDefinition": { + "buildType": "https://github.com/moby/buildkit/blob/master/docs/attestations/slsa-definitions.md", + ... + } +``` + +### `buildDefinition.externalParameters.configSource` + +* Ref: https://slsa.dev/spec/v1.1/provenance#externalParameters +* Included with `mode=min` and `mode=max`. + +Describes the config that initialized the build. + +```json + "buildDefinition": { + "externalParameters": { + "configSource": { + "uri": "https://github.com/moby/buildkit.git#refs/tags/v0.11.0", + "digest": { + "sha1": "4b220de5058abfd01ff619c9d2ff6b09a049bea0" + }, + "path": "Dockerfile" + }, + ... + }, + } +``` + +For builds initialized from a remote context, like a Git or HTTP URL, this +object defines the context URL and its immutable digest in the `uri` and +`digest` fields. 
For builds using a local frontend, such as a Dockerfile, the +`path` field defines the path for the frontend file that initialized the build +(`filename` frontend option). + +### `buildDefinition.externalParameters.request` + +* Ref: https://slsa.dev/spec/v1.1/provenance#externalParameters +* Partially included with `mode=min`. + +Describes build inputs passed to the build. + +```json + "buildDefinition": { + "externalParameters": { + "request": { + "frontend": "gateway.v0", + "args": { + "build-arg:BUILDKIT_CONTEXT_KEEP_GIT_DIR": "1", + "label:FOO": "bar", + "source": "docker/dockerfile-upstream:master", + "target": "release" + }, + "secrets": [ + { + "id": "GIT_AUTH_HEADER", + "optional": true + }, + ... + ], + "ssh": [], + "locals": [] + }, + ... + }, + } +``` + +The following fields are included with both `mode=min` and `mode=max`: + +- `locals` lists any local sources used in the build, including the build + context and frontend file. +- `frontend` defines type of BuildKit frontend used for the build. Currently, + this can be `dockerfile.v0` or `gateway.v0`. +- `args` defines the build arguments passed to the BuildKit frontend. + + The keys inside the `args` object reflect the options as BuildKit receives + them. For example, `build-arg` and `label` prefixes are used for build + arguments and labels, and `target` key defines the target stage that was + built. The `source` key defines the source image for the Gateway frontend, if + used. + +The following fields are only included with `mode=max`: + +- `secrets` defines secrets used during the build. Note that actual secret + values are not included. +- `ssh` defines the ssh forwards used during the build. + +### `buildDefinition.internalParameters.buildConfig` + +* Ref: https://slsa.dev/spec/v1.1/provenance#internalParameters +* Only included with `mode=max`. + +Defines the build steps performed during the build. + +BuildKit internally uses LLB definition to execute the build steps. 
The LLB +definition of the build steps is defined in the +`buildDefinition.internalParameters.buildConfig.llbDefinition` field. + +Each LLB step is the JSON definition of the +[LLB ProtoBuf API](https://github.com/moby/buildkit/blob/v0.10.0/solver/pb/ops.proto). +The dependencies for a vertex in the LLB graph can be found in the `inputs` +field for every step. + +```json + "buildDefinition": { + "internalParameters": { + "buildConfig": { + "llbDefinition": [ + { + "id": "step0", + "op": { + "Op": { + "exec": { + "meta": { + "args": [ + "/bin/sh", + "-c", + "go build ." + ], + "env": [ + "PATH=/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", + "GOPATH=/go", + "GOFLAGS=-mod=vendor", + ], + "cwd": "/src", + }, + "mounts": [...] + } + }, + "platform": {...}, + }, + "inputs": [ + "step8:0", + "step2:0", + ] + }, + ... + ] + }, + } + } +``` + +### `buildDefinition.internalParameters.builderPlatform` + +* Ref: https://slsa.dev/spec/v1.1/provenance#internalParameters +* Included with `mode=min` and `mode=max`. + +```json + "buildDefinition": { + "internalParameters": { + "builderPlatform": "linux/amd64" + ... + }, + } +``` + +BuildKit sets the `builderPlatform` of the build machine. Note that this is not +necessarily the platform of the build result that can be determined from the +`in-toto` subject field. + +### `buildDefinition.resolvedDependencies` + +* Ref: https://slsa.dev/spec/v1.1/provenance#resolvedDependencies +* Included with `mode=min` and `mode=max`. + +Defines all the external artifacts that were part of the build. The value +depends on the type of artifact: + +- The URL of Git repositories containing source code for the image +- HTTP URLs if you are building from a remote tarball, or that was included + using an `ADD` command in Dockerfile +- Any Docker images used during the build + +The URLs to the Docker images will be in +[Package URL](https://github.com/package-url/purl-spec) format. 
+ +All the build materials will include the immutable checksum of the artifact. +When building from a mutable tag, you can use the digest information to +determine if the artifact has been updated compared to when the build ran. + +```json + "buildDefinition": { + "resolvedDependencies": [ + { + "uri": "pkg:docker/alpine@3.17?platform=linux%2Famd64", + "digest": { + "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4" + } + }, + { + "uri": "https://github.com/moby/buildkit.git#refs/tags/v0.11.0", + "digest": { + "sha1": "4b220de5058abfd01ff619c9d2ff6b09a049bea0" + } + }, + ... + ], + ... + } +``` + +### `runDetails.builder.id` + +* Ref: https://slsa.dev/spec/v1.1/provenance#builder.id +* Included with `mode=min` and `mode=max`. + +The field is set to the URL of the build, if available. + +```json + "runDetails": { + "builder": { + "id": "https://github.com/docker/buildx/actions/runs/3709599520" + ... + }, + ... + } +``` + +> [!NOTE] +> This value can be set using the `builder-id` attestation parameter. + +### `runDetails.metadata.invocationID` + +* Ref: https://slsa.dev/spec/v1.1/provenance#invocationId +* Included with `mode=min` and `mode=max`. + +Unique identifier for the build invocation. When building a multi-platform image +with a single build request, this value will be the shared by all the platform +versions of the image. + +```json + "runDetails": { + "metadata": { + "invocationID": "rpv7a389uzil5lqmrgwhijwjz", + ... + }, + ... + } +``` + +### `runDetails.metadata.startedOn` + +* Ref: https://slsa.dev/spec/v1.1/provenance#startedOn +* Included with `mode=min` and `mode=max`. + +Timestamp when the build started. + +```json + "runDetails": { + "metadata": { + "startedOn": "2021-11-17T15:00:00Z", + ... + }, + ... + } +``` + +### `runDetails.metadata.finishedOn` + +* Ref: https://slsa.dev/spec/v1.1/provenance#finishedOn +* Included with `mode=min` and `mode=max`. + +Timestamp when the build finished. 
+ +```json + "runDetails": { + "metadata": { + "finishedOn": "2021-11-17T15:01:00Z", + ... + }, + } +``` + +### `runDetails.metadata.buildkit_metadata` + +* Ref: https://slsa.dev/spec/v1.1/provenance#extension-fields +* Partially included with `mode=min`. + +This extension field defines BuildKit-specific additional metadata that is not +part of the SLSA provenance spec. + +```json + "runDetails": { + "metadata": { + "buildkit_metadata": { + "source": {...}, + "layers": {...}, + "vcs": {...}, + }, + ... + }, + } +``` + +#### `source` + +Only included with `mode=max`. + +Defines a source mapping of LLB build steps, defined in the +`buildDefinition.internalParameters.buildConfig.llbDefinition` field, to their +original source code (for example, Dockerfile commands). The `source.locations` +field contains the ranges of all the Dockerfile commands ran in an LLB step. +`source.infos` array contains the source code itself. This mapping is present +if the BuildKit frontend provided it when creating the LLB definition. + +#### `layers` + +Only included with `mode=max`. + +Defines the layer mapping of LLB build step mounts defined in +`buildDefinition.internalParameters.buildConfig.llbDefinition` to the OCI +descriptors of equivalent layers. This mapping is present if the layer data was +available, usually when attestation is for an image or if the build step pulled +in image data as part of the build. + +#### `vcs` Included with `mode=min` and `mode=max`. -The `builder.id` field is set to the URL of the build, if available. +Defines optional metadata for the version control system used for the build. If +a build uses a remote context from Git repository, BuildKit extracts the details +of the version control system automatically and displays it in the +`buildDefinition.externalParameters.configSource` field. But if the build uses +a source from a local directory, the VCS information is lost even if the +directory contained a Git repository. 
In this case, the build client can send +additional `vcs:source` and `vcs:revision` build options and BuildKit will add +them to the provenance attestations as extra metadata. Note that, contrary to +the `buildDefinition.externalParameters.configSource` field, BuildKit doesn't +verify the `vcs` values, and as such they can't be trusted and should only be +used as a metadata hint. + +### `runDetails.metadata.buildkit_hermetic` + +* Ref: https://slsa.dev/spec/v1.1/provenance#extension-fields +* Included with `mode=min` and `mode=max`. + +This extension field is set to true if the build was hermetic and did not access +the network. In Dockerfiles, a build is hermetic if it does not use `RUN` +commands or disables network with `--network=none` flag. + +```json + "runDetails": { + "metadata": { + "buildkit_hermetic": true, + ... + }, + } +``` + +### `runDetails.metadata.buildkit_completeness` + +* Ref: https://slsa.dev/spec/v1.1/provenance#extension-fields +* Included with `mode=min` and `mode=max`. + +This extension field defines if the provenance information is complete. It is +similar to `metadata.completeness` field in SLSA v0.2. + +`buildkit_completeness.request` is true if all the build arguments are included +in the `buildDefinition.externalParameters.request` field. When building with +`min` mode, the build arguments are not included in the provenance information +and request is not complete. Request is also not complete on direct LLB builds +that did not use a frontend. + +`buildkit_completeness.resolvedDependencies` is true if +`buildDefinition.resolvedDependencies` field includes all the dependencies of +the build. When building from un-tracked source in a local directory, the +dependencies are not complete, while when building from a remote Git repository +all dependencies can be tracked by BuildKit and +`buildkit_completeness.resolvedDependencies` is true. 
+ +```json + "runDetails": { + "metadata": { + "buildkit_completeness": { + "request": true, + "resolvedDependencies": true + }, + ... + }, + } +``` + +### `runDetails.metadata.buildkit_reproducible` + +* Ref: https://slsa.dev/spec/v1.1/provenance#extension-fields +* Included with `mode=min` and `mode=max`. + +This extension field defines if the build result is supposed to be byte-by-byte +reproducible. It is similar to `metadata.reproducible` field in SLSA v0.2. This +value can be set by the user with the `reproducible=true` attestation parameter. + +```json + "runDetails": { + "metadata": { + "buildkit_reproducible": false, + ... + }, + } +``` + +## SLSA v0.2 + +### `builder.id` + +* Ref: https://slsa.dev/spec/v0.2/provenance#builder.id +* Included with `mode=min` and `mode=max`. + +The field is set to the URL of the build, if available. ```json "builder": { 
@@ -25,26 +439,25 @@ The `builder.id` field is set to the URL of the build, if available. }, ``` -This value can be set using the `builder-id` attestation parameter. - -## `buildType` +> [!NOTE] +> This value can be set using the `builder-id` attestation parameter. -Corresponds to [SLSA `buildType`](https://slsa.dev/provenance/v0.2#buildType). +### `buildType` -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#buildType +* Included with `mode=min` and `mode=max`. -The `buildType` field is set to `https://mobyproject.org/buildkit@v1` can be +The `buildType` field is set to `https://mobyproject.org/buildkit@v1` and can be used to determine the structure of the provenance content. ```json "buildType": "https://mobyproject.org/buildkit@v1", ``` -## `invocation.configSource` +### `invocation.configSource` -Corresponds to [SLSA `invocation.configSource`](https://slsa.dev/provenance/v0.2#invocation.configSource). - -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#invocation.configSource +* Included with `mode=min` and `mode=max`. Describes the config that initialized the build. 
@@ -62,15 +475,15 @@ Describes the config that initialized the build. ``` For builds initialized from a remote context, like a Git or HTTP URL, this -object defines the context URL and its immutable digest in the `uri` and `digest` fields. -For builds using a local frontend, such as a Dockerfile, the `entryPoint` field defines the path -for the frontend file that initialized the build (`filename` frontend option). +object defines the context URL and its immutable digest in the `uri` and +`digest` fields. For builds using a local frontend, such as a Dockerfile, the +`entryPoint` field defines the path for the frontend file that initialized the +build (`filename` frontend option). -## `invocation.parameters` +### `invocation.parameters` -Corresponds to [SLSA `invocation.parameters`](https://slsa.dev/provenance/v0.2#invocation.parameters). - -Partially included with `mode=min`. +* Ref: https://slsa.dev/spec/v0.2/provenance#invocation.parameters +* Partially included with `mode=min`. Describes build inputs passed to the build. @@ -118,11 +531,10 @@ The following fields are only included with `mode=max`: values are not included. - `ssh` defines the ssh forwards used during the build. -## `invocation.environment` +### `invocation.environment` -Corresponds to [SLSA `invocation.environment`](https://slsa.dev/provenance/v0.2#invocation.environment). - -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#invocation.environment +* Included with `mode=min` and `mode=max`. ```json "invocation": { 
@@ -137,11 +549,10 @@ The only value BuildKit currently sets is the `platform` of the current build machine. Note that this is not necessarily the platform of the build result that can be determined from the `in-toto` subject field. -## `materials` - -Corresponds to [SLSA `materials`](https://slsa.dev/provenance/v0.2#materials). +### `materials` -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#materials +* Included with `mode=min` and `mode=max`. Defines all the external artifacts that were part of the build. The value depends on the type of artifact: @@ -176,11 +587,10 @@ determine if the artifact has been updated compared to when the build ran. ], ``` -## `buildConfig` +### `buildConfig` -Corresponds to [SLSA `buildConfig`](https://slsa.dev/provenance/v0.2#buildConfig). - -Only included with `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#buildConfig +* Only included with `mode=max`. Defines the build steps performed during the build. @@ -228,11 +638,10 @@ field for every step. }, ``` -## `metadata.buildInvocationId` +### `metadata.buildInvocationId` -Corresponds to [SLSA `metadata.buildInvocationId`](https://slsa.dev/provenance/v0.2#metadata.buildIncocationId). - -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#buildInvocationId +* Included with `mode=min` and `mode=max`. Unique identifier for the build invocation. When building a multi-platform image with a single build request, this value will be the shared by all the platform @@ -245,11 +654,10 @@ versions of the image. }, ``` -## `metadata.buildStartedOn` +### `metadata.buildStartedOn` -Corresponds to [SLSA `metadata.buildStartedOn`](https://slsa.dev/provenance/v0.2#metadata.buildStartedOn). - -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#buildStartedOn +* Included with `mode=min` and `mode=max`. Timestamp when the build started. 
@@ -260,11 +668,10 @@ Timestamp when the build started. }, ``` -## `metadata.buildFinishedOn` - -Corresponds to [SLSA `metadata.buildFinishedOn`](https://slsa.dev/provenance/v0.2#metadata.buildFinishedOn). +### `metadata.buildFinishedOn` -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#buildFinishedOn +* Included with `mode=min` and `mode=max`. Timestamp when the build finished. @@ -275,19 +682,18 @@ Timestamp when the build finished. }, ``` -## `metadata.completeness` - -Corresponds to [SLSA `metadata.completeness`](https://slsa.dev/provenance/v0.2#metadata.completeness). +### `metadata.completeness` -Included with `mode=min` and `mode=max`. +* Ref: https://slsa.dev/spec/v0.2/provenance#metadata.completeness +* Included with `mode=min` and `mode=max`. Defines if the provenance information is complete. `completeness.parameters` is true if all the build arguments are included in the -`invocation.parameters` field. When building with `min` mode, the build -arguments are not included in the provenance information and parameters are not -complete. Parameters are also not complete on direct LLB builds that did not use -a frontend. +`parameters` field. When building with `min` mode, the build arguments are not +included in the provenance information and parameters are not complete. +Parameters are also not complete on direct LLB builds that did not use a +frontend. `completeness.environment` is always true for BuildKit builds. @@ -308,9 +714,10 @@ is true. }, ``` -## `metadata.reproducible` +### `metadata.reproducible` -Corresponds to [SLSA `metadata.reproducible`](https://slsa.dev/provenance/v0.2#metadata.reproducible). +* Ref: https://slsa.dev/spec/v0.2/provenance#metadata.reproducible +* Included with `mode=min` and `mode=max`. Defines if the build result is supposed to be byte-by-byte reproducible. This value can be set by the user with the `reproducible=true` attestation parameter. 
@@ -322,7 +729,7 @@ value can be set by the user with the `reproducible=true` attestation parameter. }, ``` -## `metadata.https://mobyproject.org/buildkit@v1#hermetic` +### `metadata.https://mobyproject.org/buildkit@v1#hermetic` Included with `mode=min` and `mode=max`. @@ -337,7 +744,7 @@ commands or disables network with `--network=none` flag. }, ``` -## `metadata.https://mobyproject.org/buildkit@v1#metadata` +### `metadata.https://mobyproject.org/buildkit@v1#metadata` Partially included with `mode=min`. @@ -355,7 +762,7 @@ part of the SLSA provenance spec. }, ``` -### `source` +#### `source` Only included with `mode=max`. @@ -366,7 +773,7 @@ the Dockerfile commands ran in an LLB step. `source.infos` array contains the source code itself. This mapping is present if the BuildKit frontend provided it when creating the LLB definition. -### `layers` +#### `layers` Only included with `mode=max`. @@ -375,7 +782,7 @@ Defines the layer mapping of LLB build step mounts defined in mapping is present if the layer data was available, usually when attestation is for an image or if the build step pulled in image data as part of the build. -### `vcs` +#### `vcs` Included with `mode=min` and `mode=max`. 
@@ -389,227 +796,3 @@ repository. In this case, the build client can send additional `vcs:source` and attestations as extra metadata. Note that, contrary to the `invocation.configSource` field, BuildKit doesn't verify the `vcs` values, and as such they can't be trusted and should only be used as a metadata hint. - -## Output - -To inspect the provenance that was generated and attached to a container image, -you can use the `docker buildx imagetools` command to inspect the image in a -registry. Inspecting the attestation displays the format described in the -[attestation storage specification](./attestation-storage.md). - -For example, inspecting a simple Docker image based on `alpine:latest` results -in a provenance attestation similar to the following, for a `mode=min` build: - -```json -{ - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "pkg:docker//@?platform=", - "digest": { - "sha256": "e8275b2b76280af67e26f068e5d585eb905f8dfd2f1918b3229db98133cb4862" - } - } - ], - "predicate": { - "builder": { - "id": "" - }, - "buildType": "https://mobyproject.org/buildkit@v1", - "materials": [ - { - "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64", - "digest": { - "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4" - } - } - ], - "invocation": { - "configSource": { - "entryPoint": "Dockerfile" - }, - "parameters": { - "frontend": "dockerfile.v0", - "args": {}, - "locals": [ - { - "name": "context" - }, - { - "name": "dockerfile" - } - ] - }, - "environment": { - "platform": "linux/amd64" - } - }, - "metadata": { - "buildInvocationID": "yirbp1aosi1vqjmi3z6bc75nb", - "buildStartedOn": "2022-12-08T11:48:59.466513707Z", - "buildFinishedOn": "2022-12-08T11:49:01.256820297Z", - "reproducible": false, - "completeness": { - "parameters": true, - "environment": true, - "materials": false - }, - "https://mobyproject.org/buildkit@v1#metadata": {} - } - } -} -``` - -For 
a similar build, but with `mode=max`: - -```json -{ - "_type": "https://in-toto.io/Statement/v0.1", - "predicateType": "https://slsa.dev/provenance/v0.2", - "subject": [ - { - "name": "pkg:docker//@?platform=", - "digest": { - "sha256": "e8275b2b76280af67e26f068e5d585eb905f8dfd2f1918b3229db98133cb4862" - } - } - ], - "predicate": { - "builder": { - "id": "" - }, - "buildType": "https://mobyproject.org/buildkit@v1", - "materials": [ - { - "uri": "pkg:docker/alpine@latest?platform=linux%2Famd64", - "digest": { - "sha256": "8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4" - } - } - ], - "invocation": { - "configSource": { - "entryPoint": "Dockerfile" - }, - "parameters": { - "frontend": "dockerfile.v0", - "args": {}, - "locals": [ - { - "name": "context" - }, - { - "name": "dockerfile" - } - ] - }, - "environment": { - "platform": "linux/amd64" - } - }, - "buildConfig": { - "llbDefinition": [ - { - "id": "step0", - "op": { - "Op": { - "source": { - "identifier": "docker-image://docker.io/library/alpine:latest@sha256:8914eb54f968791faf6a8638949e480fef81e697984fba772b3976835194c6d4" - } - }, - "platform": { - "Architecture": "amd64", - "OS": "linux" - }, - "constraints": {} - } - }, - { - "id": "step1", - "op": { - "Op": null - }, - "inputs": ["step0:0"] - } - ] - }, - "metadata": { - "buildInvocationID": "46ue2x93k3xj5l463dektwldw", - "buildStartedOn": "2022-12-08T11:50:54.953375437Z", - "buildFinishedOn": "2022-12-08T11:50:55.447841328Z", - "reproducible": false, - "completeness": { - "parameters": true, - "environment": true, - "materials": false - }, - "https://mobyproject.org/buildkit@v1#metadata": { - "source": { - "locations": { - "step0": { - "locations": [ - { - "ranges": [ - { - "start": { - "line": 1 - }, - "end": { - "line": 1 - } - } - ] - } - ] - } - }, - "infos": [ - { - "filename": "Dockerfile", - "data": "RlJPTSBhbHBpbmU6bGF0ZXN0Cg==", - "llbDefinition": [ - { - "id": "step0", - "op": { - "Op": { - "source": { - "identifier": 
"local://dockerfile", - "attrs": { - "local.differ": "none", - "local.followpaths": "[\"Dockerfile\",\"Dockerfile.dockerignore\",\"dockerfile\"]", - "local.session": "q2jnwdkas0i0iu4knchd92jaz", - "local.sharedkeyhint": "dockerfile" - } - } - }, - "constraints": {} - } - }, - { - "id": "step1", - "op": { - "Op": null - }, - "inputs": ["step0:0"] - } - ] - } - ] - }, - "layers": { - "step0:0": [ - [ - { - "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip", - "digest": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715", - "size": 3370706 - } - ] - ] - } - } - } - } -} -``` diff --git a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md index ec314b9f08ba..3565a28a2173 100644 --- a/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md +++ b/_vendor/github.com/moby/buildkit/docs/buildkitd.toml.md @@ -176,7 +176,9 @@ insecure-entitlements = [ "network.host", "security.insecure" ] [registry."docker.io"] # mirror configuration to handle path in case a mirror registry requires a /project path rather than just a host:port mirrors = ["yourmirror.local:5000", "core.harbor.domain/proxy.docker.io"] + # Use plain HTTP to connect to the mirrors. http = true + # Use HTTPS with self-signed certificates. Do not enable this together with `http`. insecure = true ca=["/etc/config/myca.pem"] [[registry."docker.io".keypair]] diff --git a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md index c5105e524876..5b32b7f01e13 100644 --- a/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md +++ b/_vendor/github.com/moby/buildkit/frontend/dockerfile/docs/reference.md 
@@ -2608,15 +2608,16 @@ RUN echo "I'm building for $TARGETPLATFORM" ### BuildKit built-in build args -| Arg | Type | Description | -| ------------------------------- | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| `BUILDKIT_CACHE_MOUNT_NS` | String | Set optional cache ID namespace. | -| `BUILDKIT_CONTEXT_KEEP_GIT_DIR` | Bool | Trigger Git context to keep the `.git` directory. | -| `BUILDKIT_INLINE_CACHE`[^2] | Bool | Inline cache metadata to image config or not. | -| `BUILDKIT_MULTI_PLATFORM` | Bool | Opt into deterministic output regardless of multi-platform output or not. | -| `BUILDKIT_SANDBOX_HOSTNAME` | String | Set the hostname (default `buildkitsandbox`) | -| `BUILDKIT_SYNTAX` | String | Set frontend image | -| `SOURCE_DATE_EPOCH` | Int | Set the Unix timestamp for created image and layers. More info from [reproducible builds](https://reproducible-builds.org/docs/source-date-epoch/). Supported since Dockerfile 1.5, BuildKit 0.11 | +| Arg | Type | Description | +|----------------------------------|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `BUILDKIT_CACHE_MOUNT_NS` | String | Set optional cache ID namespace. | +| `BUILDKIT_CONTEXT_KEEP_GIT_DIR` | Bool | Trigger Git context to keep the `.git` directory. | +| `BUILDKIT_HISTORY_PROVENANCE_V1` | Bool | Enable [SLSA Provenance v1](https://slsa.dev/spec/v1.1/provenance) for build history record. | +| `BUILDKIT_INLINE_CACHE`[^2] | Bool | Inline cache metadata to image config or not. | +| `BUILDKIT_MULTI_PLATFORM` | Bool | Opt into deterministic output regardless of multi-platform output or not. 
| +| `BUILDKIT_SANDBOX_HOSTNAME` | String | Set the hostname (default `buildkitsandbox`) | +| `BUILDKIT_SYNTAX` | String | Set frontend image | +| `SOURCE_DATE_EPOCH` | Int | Set the Unix timestamp for created image and layers. More info from [reproducible builds](https://reproducible-builds.org/docs/source-date-epoch/). Supported since Dockerfile 1.5, BuildKit 0.11 | #### Example: keep `.git` dir diff --git a/go.mod b/go.mod index c3c9a29e8617..aa770c3d62dd 100644 --- a/go.mod +++ b/go.mod 
@@ -3,111 +3,21 @@ module github.com/docker/docs
 go 1.24.0
 require (
- github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
- github.com/Microsoft/go-winio v0.6.2 // indirect
- github.com/StackExchange/wmi v1.2.1 // indirect
- github.com/cenkalti/backoff/v4 v4.3.0 // indirect
- github.com/containerd/containerd/v2 v2.1.3 // indirect
- github.com/containerd/errdefs v1.0.0 // indirect
- github.com/containerd/errdefs/pkg v0.3.0 // indirect
- github.com/containerd/log v0.1.0 // indirect
- github.com/containerd/platforms v1.0.0-rc.1 // indirect
- github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
- github.com/containerd/typeurl/v2 v2.2.3 // indirect
- github.com/distribution/reference v0.6.0 // indirect
 github.com/docker/buildx v0.25.0 // indirect
 github.com/docker/cli v28.3.1+incompatible // indirect
 github.com/docker/compose/v2 v2.38.2 // indirect
- github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker v28.3.1+incompatible // indirect
- github.com/docker/docker-credential-helpers v0.9.3 // indirect
- github.com/docker/go-connections v0.5.0 // indirect
- github.com/docker/go-units v0.5.0 // indirect
 github.com/docker/model-cli v0.1.33-0.20250703103301-d4e4936a9eb2 // indirect
- github.com/docker/model-distribution v0.0.0-20250627163720-aff34abcf3e0 // indirect
- github.com/docker/model-runner v0.0.0-20250627142917-26a0a73fbbc0 // indirect
 github.com/docker/scout-cli v1.15.0 // indirect
- github.com/felixge/httpsnoop v1.0.4 // indirect
- github.com/fsnotify/fsnotify v1.9.0 // indirect
- github.com/fvbommel/sortorder v1.1.0 // indirect
- github.com/go-logr/logr v1.4.3 // indirect
- github.com/go-logr/stdr v1.2.2 // indirect
- github.com/go-ole/go-ole v1.3.0 // indirect
- github.com/gogo/protobuf v1.3.2 // indirect
- github.com/google/go-containerregistry v0.20.6 // indirect
- github.com/google/uuid v1.6.0 // indirect
- github.com/gpustack/gguf-parser-go v0.14.1 // indirect
- github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
- github.com/henvic/httpretty v0.1.4 // indirect
- github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/jaypipes/ghw v0.17.0 // indirect
- github.com/jaypipes/pcidb v1.0.1 // indirect
- github.com/json-iterator/go v1.1.12 // indirect
- github.com/klauspost/compress v1.18.0 // indirect
- github.com/mattn/go-isatty v0.0.20 // indirect
- github.com/mattn/go-runewidth v0.0.16 // indirect
- github.com/mattn/go-shellwords v1.0.12 // indirect
- github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/moby/buildkit v0.23.2 // indirect
- github.com/moby/docker-image-spec v1.3.1 // indirect
- github.com/moby/locker v1.0.1 // indirect
 github.com/moby/moby v28.3.2+incompatible // indirect
- github.com/moby/sys/atomicwriter v0.1.0 // indirect
- github.com/moby/sys/sequential v0.6.0 // indirect
- github.com/moby/term v0.5.2 // indirect
- github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
- github.com/modern-go/reflect2 v1.0.2 // indirect
- github.com/morikuni/aec v1.0.0 // indirect
- github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
- github.com/nxadm/tail v1.4.8 // indirect
- github.com/olekukonko/tablewriter v0.0.5 // indirect
- github.com/opencontainers/go-digest v1.0.0 // indirect
- github.com/opencontainers/image-spec v1.1.1 // indirect
- github.com/pkg/errors v0.9.1 // indirect
- github.com/prometheus/client_model v0.6.2 // indirect
- github.com/prometheus/common v0.65.0 // indirect
- github.com/rivo/uniseg v0.4.7 // indirect
- github.com/rs/dnscache v0.0.0-20230804202142-fc85eb664529 // indirect
- github.com/sirupsen/logrus v1.9.3 // indirect
- github.com/smallnest/ringbuffer v0.0.0-20241116012123-461381446e3d // indirect
- github.com/spf13/cobra v1.9.1 // indirect
- github.com/spf13/pflag v1.0.6 // indirect
- github.com/vbatts/tar-split v0.12.1 // indirect
- go.opentelemetry.io/auto/sdk v1.1.0 // indirect
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
- go.opentelemetry.io/otel v1.37.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.34.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
- go.opentelemetry.io/otel/metric v1.37.0 // indirect
- go.opentelemetry.io/otel/sdk v1.37.0 // indirect
- go.opentelemetry.io/otel/sdk/metric v1.37.0 // indirect
- go.opentelemetry.io/otel/trace v1.37.0 // indirect
- go.opentelemetry.io/proto/otlp v1.5.0 // indirect
- golang.org/x/crypto v0.39.0 // indirect
- golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
- golang.org/x/mod v0.25.0 // indirect
- golang.org/x/net v0.41.0 // indirect
- golang.org/x/sync v0.15.0 // indirect
- golang.org/x/sys v0.33.0 // indirect
- golang.org/x/text v0.26.0 // indirect
- golang.org/x/tools v0.34.0 // indirect
- gonum.org/v1/gonum v0.15.1 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 // indirect
- google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
- google.golang.org/grpc v1.73.0 // indirect
- google.golang.org/protobuf v1.36.6 // indirect
- gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
- gopkg.in/yaml.v3 v3.0.1 // indirect
- howett.net/plist v1.0.1 // indirect
 )
 replace (
- github.com/docker/buildx => github.com/docker/buildx v0.24.0
+ github.com/docker/buildx => github.com/docker/buildx v0.25.0
 github.com/docker/cli => github.com/docker/cli v28.3.0+incompatible
 github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.38.2
 github.com/docker/model-cli => github.com/docker/model-cli v0.1.33-0.20250703103301-d4e4936a9eb2
 github.com/docker/scout-cli => github.com/docker/scout-cli v1.15.0
- github.com/moby/buildkit => github.com/moby/buildkit v0.22.0
+ github.com/moby/buildkit => github.com/moby/buildkit v0.23.2
 github.com/moby/moby => github.com/moby/moby v28.3.2+incompatible
 )
diff --git a/go.sum b/go.sum
index 50be990992b4..bf12dd923926 100644
--- a/go.sum
+++ b/go.sum
@@ -28,6 +28,8 @@ github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5Qvfr
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/buildx v0.24.0 h1:qiD+xktY+Fs3R79oz8M+7pbhip78qGLx6LBuVmyb+64=
 github.com/docker/buildx v0.24.0/go.mod h1:vYkdBUBjFo/i5vUE0mkajGlk03gE0T/HaGXXhgIxo8E=
+github.com/docker/buildx v0.25.0 h1:qs5WxBo0wQKSXcQ+v6UhWaeM2Pu+95ZCymaimRzInaE=
+github.com/docker/buildx v0.25.0/go.mod h1:xJcOeBhz49tgqN174MMGuOU4bxNmgfaLnZn7Gm641EE=
 github.com/docker/cli v28.2.1+incompatible h1:AYyTcuwvhl9dXdyCiXlOGXiIqSNYzTmaDNpxIISPGsM=
 github.com/docker/cli v28.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v28.3.0+incompatible h1:s+ttruVLhB5ayeuf2BciwDVxYdKi+RoUlxmwNHV3Vfo=
@@ -134,6 +136,8 @@ github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/moby/buildkit v0.22.0 h1:aWN06w1YGSVN1XfeZbj2ZbgY+zi5xDAjEFI8Cy9fTjA=
 github.com/moby/buildkit v0.22.0/go.mod h1:j4pP5hxiTWcz7xuTK2cyxQislHl/N2WWHzOy43DlLJw=
+github.com/moby/buildkit v0.23.2 h1:gt/dkfcpgTXKx+B9I310kV767hhVqTvEyxGgI3mqsGQ=
+github.com/moby/buildkit v0.23.2/go.mod h1:iEjAfPQKIuO+8y6OcInInvzqTMiKMbb2RdJz1K/95a0=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
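Review bot: Besides the two `replace` bumps the commit title describes, the go.mod hunk drops the entire `// indirect` require list (roughly 90 modules, `golang.org/x/crypto` and `google.golang.org/grpc` among them), and that prune is not mentioned anywhere in the commit. Under `go 1.24.0` a tidy go.mod records indirect requirements for module graph pruning, so a later `go mod tidy` would presumably put them back, and the go.sum hunks keep the superseded `github.com/docker/buildx v0.24.0` and `github.com/moby/buildkit v0.22.0` entries next to the new ones, which is consistent with tidy not having been run on this change. If trimming the require block to the vendored documentation sources is deliberate for this repository, a short comment above `require (` such as `// Only the vendored doc sources are listed here; see hack/ for how they are fetched.` (adjust the path to whatever script actually drives the vendoring) would spare the next reviewer the same question; otherwise running `go mod tidy` and committing the result keeps go.mod and go.sum in step.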