bake: derive git auth host from remote URL#3648
Merged
Merged
Conversation
crazy-max
force-pushed
the
bake-auth-token-domain
branch
from
ac8f506 to
8573243
Compare
crazy-max
force-pushed
the
bake-auth-token-domain
branch
from
8573243 to
22217e5
Compare
This comment was marked as outdated.
This comment was marked as outdated.
3 tasks
tonistiigi
reviewed
Feb 10, 2026
Member
tonistiigi
left a comment
tonistiigi
left a comment
There was a problem hiding this comment.
I don't think users should need to set the host in the env variable. We can just get the host from the remote URL and connect these automatically.
crazy-max
force-pushed
the
bake-auth-token-domain
branch
from
22217e5 to
eebe1e5
Compare
crazy-max
changed the title
crazy-max
force-pushed
the
bake-auth-token-domain
branch
from
eebe1e5 to
ac54d55
Compare
tonistiigi
reviewed
Feb 20, 2026
| } | ||
|
|
||
| func isRemoteContext(t build.Inputs, inp *Input) bool { | ||
| func remoteContextURL(t build.Inputs, inp *Input) string { |
Member
There was a problem hiding this comment.
nit: bit cleaner to return string, bool from such functions.
| return nil | ||
| } | ||
| secrets := make(buildflags.Secrets, 0, len(hosts)+1) | ||
| secrets = append(secrets, &buildflags.Secret{ |
Member
There was a problem hiding this comment.
I still don't get it.
(assuming this isn't breaking existing users badly), this should be only set if the Bake command is using remote input, not based on if the target is using remote URL or not what seems to happen atm.
Additionally, there is no point in adding the main secret key and host key with the same value. Only host key should be set, and only for the host that was "bake remote URL", not any host that happened to be remote URL for a bake target.
Member
Author
There was a problem hiding this comment.
there is no point in adding the main secret key and host key with the same value.
Ah right, this should only emit host-scoped git auth secrets (no generic main key).
(assuming this isn't breaking existing users badly), this should be only set if the Bake command is using remote input, not based on if the target is using remote URL or not what seems to happen atm.
I kept target remote-context handling for backward compatibility for now. I'm a bit hesitant to switch to strict remote input only immediately, because the current behavior follows context resolution in
Lines 1294 to 1331 in 268f1c7
And changing that could break existing flows. If you prefer, I can still change it to strict remote input only behavior.
crazy-max
force-pushed
the
bake-auth-token-domain
branch
from
ac54d55 to
f43adf9
Compare
tonistiigi
reviewed
Feb 24, 2026
| Env: "BUILDX_BAKE_GIT_AUTH_HEADER", | ||
| }) | ||
| } | ||
| if remoteURL, ok := remoteContextURL(bi, inp); ok { |
Member
There was a problem hiding this comment.
The change in remote.go seems right, but this one still seems to use target.ContextPath as ther remote URL, what may not be correct. A target context URL and the bake remote definition URL may not be the same and these env secrets should be based on the remote definition URL only iiuc.
Member
Author
There was a problem hiding this comment.
but this one still seems to use
target.ContextPathas ther remote URL, what may not be correct
Ok I was following the context resolution in
Lines 1294 to 1331 in 268f1c7
inp.URL but not needed. I'm changing this.
crazy-max
force-pushed
the
bake-auth-token-domain
branch
from
f43adf9 to
a5b81ef
Compare
tonistiigi
reviewed
Feb 24, 2026
| Env: "BUILDX_BAKE_GIT_AUTH_HEADER", | ||
| }) | ||
| } | ||
| if inp != nil && urlutil.IsRemoteURL(inp.URL) && !strings.HasPrefix(bi.ContextPath, "cwd://") { |
Member
There was a problem hiding this comment.
This should do some kind of 1) both are URLs 2) both URLs use same host , check instead of just !cwd://
Signed-off-by: CrazyMax <[email protected]>
crazy-max
force-pushed
the
bake-auth-token-domain
branch
from
a5b81ef to
26c7ae6
Compare
tonistiigi
approved these changes
Feb 24, 2026
3 tasks
eleboucher
pushed a commit
to eleboucher/runner
that referenced
this pull request
May 28, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [buildx](https://github.com/docker/buildx) | minor | `v0.30.0` → `v0.34.1` | --- ### Release Notes <details> <summary>docker/buildx (buildx)</summary> ### [`v0.34.1`](https://github.com/docker/buildx/releases/tag/v0.34.1) [Compare Source](docker/buildx@v0.34.0...v0.34.1) buildx 0.34.1 Welcome to the v0.34.1 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - CrazyMax - Jonathan A. Sternberg - Tõnis Tiigi ##### Notable Changes - Fix regression in Bake command when building from Compose files with empty array value [#​3849](docker/buildx#3849) [#​3852](docker/buildx#3852) - Fix possible panic in Kubernetes driver when using statefulset [#​3853](docker/buildx#3853) ##### Dependency Changes This release has no dependency changes Previous release can be found at [v0.34.0](https://github.com/docker/buildx/releases/tag/v0.34.0) ### [`v0.34.0`](https://github.com/docker/buildx/releases/tag/v0.34.0) [Compare Source](docker/buildx@v0.33.0...v0.34.0) Welcome to the v0.34.0 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - CrazyMax - Tõnis Tiigi - Sebastiaan van Stijn - Jonathan A. Sternberg - Guillaume Lours - Hervé Le Meur - Mateusz Gozdek ##### Notable Changes - Buildx now supports a default source policy for common build pipeline images that are provided by Docker Inc and signed by [Docker GitHub builder](https://github.com/docker/github-builder). These include `docker/dockerfile` frontend (including `docker/dockerfile-upstream` staging area) and `docker/buildkit-syft-scanner` image used for SBOM generation. These images are cryptographically verified to be authentic releases before they are used in builds. This feature is currently opt-in behind the `BUILDX_DEFAULT_POLICY` environment variable, but the intention is to enable it by default in a future release [#​3807](docker/buildx#3807) - Add `--policy` flag to `bake` command to specify global policy evaluation options. [#​3832](docker/buildx#3832) - Kubernetes driver now supports persistent storage options that change the deployment definition to use a StatefulSet and a persistent volume claim. [#​3766](docker/buildx#3766) - Fix issue where progress policy errors may have been lost in progress output. [#​3838](docker/buildx#3838) - Fix stopping `dial-stdio` command when the builder connection closes [#​3790](docker/buildx#3790) - Fix possible panic in `buildx debug` command when solving fails [#​3823](docker/buildx#3823) - Fix handling of Windows paths in local OCI layout definitions [#​3825](docker/buildx#3825) [#​3820](docker/buildx#3820) [#​3812](docker/buildx#3812) - Fix possible incorrect error when using `rm` commands on Docker context based builders [#​3817](docker/buildx#3817) - Fix possible cache miss due to nondeterministic ordering of extra hosts [#​3789](docker/buildx#3789) - Fix mounting of WSL libraries for GPU devices only on local docker-container endpoints [#​3784](docker/buildx#3784) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.4 -> v1.41.7 - **github.com/aws/aws-sdk-go-v2/config** v1.32.12 -> v1.32.17 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.12 -> v1.19.16 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.20 -> v1.18.23 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.20 -> v1.4.23 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.20 -> v2.7.23 - **github.com/aws/aws-sdk-go-v2/internal/v4a** v1.4.24 ***new*** - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.7 -> v1.13.9 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.20 -> v1.13.23 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.8 -> v1.0.11 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.13 -> v1.30.17 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.17 -> v1.35.21 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.9 -> v1.42.1 - **github.com/aws/smithy-go** v1.24.2 -> v1.25.1 - **github.com/clipperhouse/uax29/v2** v2.2.0 ***new*** - **github.com/compose-spec/compose-go/v2** v2.9.1 -> v2.10.2 - **github.com/containerd/containerd/v2** v2.2.2 -> v2.2.3 - **github.com/docker/cli** v29.3.1 -> v29.4.3 - **github.com/docker/go-connections** v0.6.0 -> v0.7.0 - **github.com/go-openapi/runtime** v0.29.2 -> v0.29.3 - **github.com/go-openapi/swag** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/cmdutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/netutils** v0.25.4 -> v0.25.5 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.7 -> v2.28.0 - **github.com/in-toto/in-toto-golang** v0.10.0 -> v0.11.0 - **github.com/klauspost/compress** v1.18.5 -> v1.18.6 - **github.com/mattn/go-runewidth** v0.0.16 -> v0.0.23 - **github.com/moby/buildkit** v0.29.0 -> v0.30.0 - **github.com/moby/moby/api** v1.54.0 -> v1.54.2 - **github.com/moby/moby/client** v0.3.0 -> v0.4.1 - **github.com/moby/policy-helpers** [`b7c0b99`](docker/buildx@b7c0b994300b) -> [`a39d601`](docker/buildx@a39d60132186) - **github.com/moby/spdystream** v0.5.0 -> v0.5.1 - **github.com/sigstore/sigstore** v1.10.4 -> v1.10.5 - **github.com/sigstore/timestamp-authority/v2** v2.0.3 -> v2.0.6 - **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.63.0 -> v0.68.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace** v0.63.0 -> v0.68.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.63.0 -> v0.68.0 - **go.opentelemetry.io/otel** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/exporters/stdout/stdouttrace** v1.38.0 -> v1.42.0 - **go.opentelemetry.io/otel/metric** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/sdk** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/sdk/metric** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/otel/trace** v1.40.0 -> v1.43.0 - **go.opentelemetry.io/proto/otlp** v1.9.0 -> v1.10.0 - **go.yaml.in/yaml/v4** v4.0.0-rc.4 ***new*** - **golang.org/x/crypto** v0.48.0 -> v0.50.0 - **golang.org/x/mod** v0.33.0 -> v0.34.0 - **golang.org/x/net** v0.51.0 -> v0.53.0 - **golang.org/x/oauth2** v0.34.0 -> v0.36.0 - **golang.org/x/sync** v0.19.0 -> v0.20.0 - **golang.org/x/sys** v0.42.0 -> v0.43.0 - **golang.org/x/term** v0.41.0 -> v0.42.0 - **golang.org/x/text** v0.34.0 -> v0.36.0 - **golang.org/x/time** v0.14.0 -> v0.15.0 - **golang.org/x/tools** v0.41.0 -> v0.43.0 - **google.golang.org/genproto/googleapis/api** [`8636f87`](docker/buildx@8636f8732409) -> [`6f92a3b`](docker/buildx@6f92a3bedf2d) - **google.golang.org/genproto/googleapis/rpc** [`8636f87`](docker/buildx@8636f8732409) -> [`6f92a3b`](docker/buildx@6f92a3bedf2d) - **google.golang.org/grpc** v1.79.3 -> v1.80.0 - **k8s.io/api** v0.35.2 -> v0.35.4 - **k8s.io/apimachinery** v0.35.2 -> v0.35.4 - **k8s.io/client-go** v0.35.2 -> v0.35.4 Previous release can be found at [v0.33.0](https://github.com/docker/buildx/releases/tag/v0.33.0) ### [`v0.33.0`](https://github.com/docker/buildx/releases/tag/v0.33.0) [Compare Source](docker/buildx@v0.32.1...v0.33.0) Welcome to the v0.33.0 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Jonathan A. Sternberg - Sebastiaan van Stijn - rishabh - Akihiro Suda ##### Notable Changes - Imagetools `create` and `inspect` commands now support OCI layout paths as source and destination that can be used together with registry references [#​3721](docker/buildx#3721) - Bake command supports new builtin functions `formattimestamp` and `unixtimestampparse` for better handling of time values [#​3286](docker/buildx#3286) - DAP debugger support is now generally available without the need for the experimental features flag [#​3736](docker/buildx#3736) - Policy evaluation now supports verifying HTTP sources with PGP signatures through the `verify_http_pgp_signature` builtin [#​3677](docker/buildx#3677) - `policy eval` command now supports `--platform` flag to specify the platform for evaluated image sources [#​3738](docker/buildx#3738) - `policy eval` can now read policy from stdin when `-f -` is used [#​3738](docker/buildx#3738) - `policy eval` flag `--filename` has been renamed to `--file` for consistency with other commands. The previous flag is deprecated. [#​3738](docker/buildx#3738) - Fix issue where `imagetools create` could in some cases upload the same (attestation) manifest multiple times, possibly causing `400` error in some registries [#​3731](docker/buildx#3731) - Fix rejecting empty string values for `BUILDKIT_SYNTAX` build argument override [#​3734](docker/buildx#3734) - Fix possible inconsistent build context contents when using remote bake builds with a subdirectory in context path [#​3678](docker/buildx#3678) - Fix possible formatting issue in `imagetools inspect` based on whitespace in input [#​3732](docker/buildx#3732) - Fix possible error when finalizing build history traces in multi-node builders [#​3716](docker/buildx#3716) [#​3717](docker/buildx#3717) - Fix possible build errors when linking Bake multi-platform targets with session attributes like build secrets [#​3696](docker/buildx#3696) - Fix remote Bake git contexts to preserve subdirectory paths [#​3682](docker/buildx#3682) - Fix proxy build-arg override detection when argument casing differs [#​3697](docker/buildx#3697) - Fix DAP breakpoints on the entrypoint line being skipped in some cases [#​3691](docker/buildx#3691) - Fix DAP breakpoint detection on case-insensitive filesystems such as Windows [#​3704](docker/buildx#3704) - Fix DAP source path mapping for Dockerfiles outside the context root or in subdirectories [#​3709](docker/buildx#3709) - Fix DAP stepping by skipping internal build context load steps without source locations [#​3712](docker/buildx#3712) - Fix over-eager DAP input evaluation while stepping through builds [#​3687](docker/buildx#3687) - Fix DAP checks for whether an exec command can run successfully [#​3701](docker/buildx#3701) - Fix DAP debugger exit status reporting and output delivery on session shutdown [#​3735](docker/buildx#3735) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.41.1 -> v1.41.4 - **github.com/aws/aws-sdk-go-v2/config** v1.32.7 -> v1.32.12 - **github.com/aws/aws-sdk-go-v2/credentials** v1.19.7 -> v1.19.12 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.17 -> v1.18.20 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.17 -> v1.4.20 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.17 -> v2.7.20 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.4 -> v1.8.6 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.4 -> v1.13.7 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.17 -> v1.13.20 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 -> v1.0.8 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.9 -> v1.30.13 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.13 -> v1.35.17 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.41.6 -> v1.41.9 - **github.com/aws/smithy-go** v1.24.0 -> v1.24.2 - **github.com/containerd/containerd/v2** v2.2.1 -> v2.2.2 - **github.com/containerd/ttrpc** v1.2.7 -> v1.2.8 - **github.com/docker/cli** v29.2.1 -> v29.3.1 - **github.com/go-openapi/analysis** v0.24.1 -> v0.24.3 - **github.com/go-openapi/errors** v0.22.6 -> v0.22.7 - **github.com/go-openapi/jsonpointer** v0.22.4 -> v0.22.5 - **github.com/go-openapi/jsonreference** v0.21.4 -> v0.21.5 - **github.com/go-openapi/loads** v0.23.2 -> v0.23.3 - **github.com/go-openapi/spec** v0.22.3 -> v0.22.4 - **github.com/go-openapi/strfmt** v0.25.0 -> v0.26.1 - **github.com/go-openapi/swag/conv** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/fileutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonname** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/jsonutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/loading** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/mangling** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/stringutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/typeutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/swag/yamlutils** v0.25.4 -> v0.25.5 - **github.com/go-openapi/validate** v0.25.1 -> v0.25.2 - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.3 -> v2.27.7 - **github.com/klauspost/compress** v1.18.4 -> v1.18.5 - **github.com/moby/buildkit** v0.28.0 -> v0.29.0 - **github.com/moby/moby/api** v1.53.0 -> v1.54.0 - **github.com/moby/moby/client** v0.2.2 -> v0.3.0 - **github.com/moby/patternmatcher** v0.6.0 -> v0.6.1 - **github.com/moby/policy-helpers** [`824747b`](docker/buildx@824747bfdd3c) -> [`b7c0b99`](docker/buildx@b7c0b994300b) - **github.com/oklog/ulid/v2** v2.1.1 ***new*** - **go.opentelemetry.io/otel** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/sdk/metric** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/otel/trace** v1.38.0 -> v1.40.0 - **go.opentelemetry.io/proto/otlp** v1.7.1 -> v1.9.0 - **golang.org/x/sys** v0.41.0 -> v0.42.0 - **golang.org/x/term** v0.40.0 -> v0.41.0 - **google.golang.org/genproto/googleapis/api** [`ff82c1b`](docker/buildx@ff82c1b0f217) -> [`8636f87`](docker/buildx@8636f8732409) - **google.golang.org/genproto/googleapis/rpc** [`0a764e5`](docker/buildx@0a764e51fe1b) -> [`8636f87`](docker/buildx@8636f8732409) - **google.golang.org/grpc** v1.78.0 -> v1.79.3 - **k8s.io/api** v0.34.1 -> v0.35.2 - **k8s.io/apimachinery** v0.34.1 -> v0.35.2 - **k8s.io/client-go** v0.34.1 -> v0.35.2 - **k8s.io/kube-openapi** [`f3f2b99`](docker/buildx@f3f2b991d03b) -> [`589584f`](docker/buildx@589584f1c912) - **k8s.io/utils** [`4c0f3b2`](docker/buildx@4c0f3b243397) -> [`bc988d5`](docker/buildx@bc988d571ff4) - **sigs.k8s.io/json** [`cfa47c3`](docker/buildx@cfa47c3a1cc8) -> [`2d32026`](docker/buildx@2d320260d730) Previous release can be found at [v0.32.1](https://github.com/docker/buildx/releases/tag/v0.32.1) ### [`v0.32.1`](https://github.com/docker/buildx/releases/tag/v0.32.1) [Compare Source](docker/buildx@v0.32.0...v0.32.1) buildx 0.32.1 Welcome to the v0.32.1 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - CrazyMax - Tõnis Tiigi ##### Notable Changes - Fix possible error when building private Git repositories with secret credentials directly from remote source [#​3694](docker/buildx#3694) ##### Dependency Changes This release has no dependency changes Previous release can be found at [v0.32.0](https://github.com/docker/buildx/releases/tag/v0.32.0) ### [`v0.32.0`](https://github.com/docker/buildx/releases/tag/v0.32.0) [Compare Source](docker/buildx@v0.31.1...v0.32.0) buildx 0.32.0 Welcome to the v0.32.0 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Akhil Manoj - David Karlsson - yzewei ##### Notable Changes - Imagetools now supports `--metadata-file` flag to capture properties like descriptor/digest values for the new image. [#​3638](docker/buildx#3638) - Imagetools auth libraries have now been combined with the ones used in `build` commands, enabling previously missing support for scoped credentials and automatic fallbacks for Docker Hardened Image registries. [#​3627](docker/buildx#3627) - Many commands now support `--timeout` flag to configure the timeout for waiting for responses from remote builders. [#​3665](docker/buildx#3665) - Rego Policy now supports validating builds from remote sources (Git, HTTP) [#​3661](docker/buildx#3661) - Rego Policies now include new builtins for validating signed Sigstore bundle attestations of HTTP source artifacts. Attestations can also be automatically fetched from Github API [#​3657](docker/buildx#3657) - Rego policies can now use `input.image.provenance` to write rules validating specific provenance attestation fields. Materials of provenance can be accessed as policy secondary inputs. Requires BuildKit v0.28+ [#​3652](docker/buildx#3652) [#​3662](docker/buildx#3662) - Builds failing due to policy violations now have better error messages with the failing step clearly marked and the last policy logs shown with the error. [#​3656](docker/buildx#3656) - Fix possible passing of incorrect Git auth token for Bake builds when multiple remotes with different hosts exist. [#​3648](docker/buildx#3648) - Fixed policy filesystem reference lifecycle handling to avoid stale policy filesystem state during builds. [#​3674](docker/buildx#3674) - Normalized default policy filename resolution from environment configuration for more consistent behavior. [#​3675](docker/buildx#3675) - Named contexts used in different projects now get unique "shared keys" (previously based on context name) to avoid overwriting destinations of other projects, with reduced performance. This feature requires Dockerfile 1.22+ [#​3618](docker/buildx#3618) - Fix local subdir named context copied with wrong parent directory for remote Bake builds [#​3678](docker/buildx#3678) - Bake builds now capture the original URL information of named contexts sent as inputs in request metadata [#​3682](docker/buildx#3682) [#​3462](docker/buildx#3462) - Additional metrics associated with DAP debugger have been added [#​3633](docker/buildx#3633) - DAP file explorer now gets a more accurate state of the file system via updated BuildKit API [#​3450](docker/buildx#3450) - DAP file explorer source names have been improved [#​3631](docker/buildx#3631) - Improve the output of `-q` used with `--call` [#​3655](docker/buildx#3655) ##### Dependency Changes - **github.com/aws/aws-sdk-go-v2** v1.39.6 -> v1.41.1 - **github.com/aws/aws-sdk-go-v2/config** v1.31.20 -> v1.32.7 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.24 -> v1.19.7 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.13 -> v1.18.17 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.13 -> v1.4.17 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.13 -> v2.7.17 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.3 -> v1.13.4 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.13 -> v1.13.17 - **github.com/aws/aws-sdk-go-v2/service/signin** v1.0.5 ***new*** - **github.com/aws/aws-sdk-go-v2/service/sso** v1.30.3 -> v1.30.9 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.35.7 -> v1.35.13 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.40.2 -> v1.41.6 - **github.com/aws/smithy-go** v1.23.2 -> v1.24.0 - **github.com/cloudflare/circl** v1.6.1 -> v1.6.3 - **github.com/docker/cli** v29.1.5 -> v29.2.1 - **github.com/go-openapi/errors** v0.22.4 -> v0.22.6 - **github.com/go-openapi/jsonpointer** v0.22.1 -> v0.22.4 - **github.com/go-openapi/jsonreference** v0.21.3 -> v0.21.4 - **github.com/go-openapi/spec** v0.22.1 -> v0.22.3 - **github.com/go-openapi/swag** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/cmdutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/conv** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/fileutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonname** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/jsonutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/loading** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/mangling** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/netutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/stringutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/typeutils** v0.25.3 -> v0.25.4 - **github.com/go-openapi/swag/yamlutils** v0.25.3 -> v0.25.4 - **github.com/go-viper/mapstructure/v2** v2.4.0 -> v2.5.0 - **github.com/golang/snappy** v1.0.0 ***new*** - **github.com/google/go-containerregistry** v0.20.6 -> v0.20.7 - **github.com/in-toto/in-toto-golang** v0.9.0 -> v0.10.0 - **github.com/klauspost/compress** v1.18.2 -> v1.18.4 - **github.com/moby/buildkit** v0.27.0 -> v0.28.0 - **github.com/moby/moby/api** v1.52.0 -> v1.53.0 - **github.com/moby/moby/client** v0.2.1 -> v0.2.2 - **github.com/moby/policy-helpers** [`9fcc1a9`](docker/buildx@9fcc1a9ec5c9) -> [`824747b`](docker/buildx@824747bfdd3c) - **github.com/package-url/packageurl-go** v0.1.1 ***new*** - **github.com/pelletier/go-toml/v2** v2.2.4 ***new*** - **github.com/secure-systems-lab/go-securesystemslib** v0.9.1 -> v0.10.0 - **github.com/sigstore/rekor** v1.4.3 -> v1.5.0 - **github.com/sigstore/sigstore** v1.10.0 -> v1.10.4 - **github.com/sigstore/sigstore-go** [`b5fe07a`](docker/buildx@b5fe07a5a7d7) -> v1.1.4 - **github.com/sigstore/timestamp-authority/v2** v2.0.2 -> v2.0.3 - **github.com/theupdateframework/go-tuf/v2** v2.3.0 -> v2.4.1 - **google.golang.org/genproto/googleapis/api** [`f26f940`](docker/buildx@f26f9409b101) -> [`ff82c1b`](docker/buildx@ff82c1b0f217) - **google.golang.org/genproto/googleapis/rpc** [`f26f940`](docker/buildx@f26f9409b101) -> [`0a764e5`](docker/buildx@0a764e51fe1b) - **google.golang.org/grpc** v1.76.0 -> v1.78.0 Previous release can be found at [v0.31.1](https://github.com/docker/buildx/releases/tag/v0.31.1) ### [`v0.31.1`](https://github.com/docker/buildx/releases/tag/v0.31.1) [Compare Source](docker/buildx@v0.31.0...v0.31.1) buildx 0.31.1 Welcome to the v0.31.1 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - Tõnis Tiigi ##### Notable Changes - Fix excessive HTTP requests when using `buildx imagetools create` command [#​3632](docker/buildx#3632) ##### Dependency Changes This release has no dependency changes Previous release can be found at [v0.31.0](https://github.com/docker/buildx/releases/tag/v0.31.0) ### [`v0.31.0`](https://github.com/docker/buildx/releases/tag/v0.31.0) [Compare Source](docker/buildx@v0.30.1...v0.31.0) buildx 0.31.0 Welcome to the v0.31.0 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Sebastiaan van Stijn - Jonathan A. Sternberg - Justin Chadwell - Akihiro Suda - Brian Goff - David Karlsson - Paweł Gronowski - Sergei Khomenkov - guimove ##### Notable Changes - This is a first version of Buildx with signed artifacts built using [Docker Github Builder](https://github.com/docker/github-builder-experimental) - This release comes with new experimental support for source policy enforcement during builds using policies written in [Rego](https://www.openpolicyagent.org/docs/policy-language) language. There are some limitations in this release, for example, only builds from the local build context currently load policies. [#​3593](docker/buildx#3593) [#​3539](docker/buildx#3539) [#​3592](docker/buildx#3592) [#​3611](docker/buildx#3611) [docs](https://docs.docker.com/build/policies/) - Matching policy for Dockerfile is loaded automatically if one exists, e.g., `Dockerfile.rego` or `app.Dockerfile.rego`. - Additional policy configuration can be provided using new `build --policy` flag. - Bake also supports automatic policy loading and a new `policy` key in the target configuration. - New `buildx policy` command includes subcommands `eval` and `test` to help you write and test your policies. - Bake command has a new `--var` flag to set variable values from the command line instead of setting environment variables. [#​3610](docker/buildx#3610) - When creating images in Docker image store, they no longer unpack if export was initialized with `--push` or `-o type=registry` [#​3519](docker/buildx#3519) - Add `semvercmp` helper function to Bake stdlib for easier version comparisons [#​3577](docker/buildx#3577) - Retry transient TLS errors when talking to Kubernetes nodes [#​3493](docker/buildx#3493) - Allow disabling Bake env lookups so `bake` can ignore host environment variables [#​3595](docker/buildx#3595) - Add possibility to load Docker configs scoped to specific repos/scopes for finer credential control [#​3562](docker/buildx#3562) - When building images from Docker Hardened Images (dhi.io) and Docker Scout registries, authentication will now automatically fall back to Docker Hub credentials if no specific credentials are found. [#​3612](docker/buildx#3612) - Fix the `--debug` flag issues in standalone mode [#​3554](docker/buildx#3554) - Fix handling `@` characters inside OCI layout paths passed to build [#​3583](docker/buildx#3583) - Surface policy controls `--policy`, policy eval, custom builtins/Regos/gitsign checks so builds can enforce policies [#​3593](docker/buildx#3593) [#​3549](docker/buildx#3549) - Prevent DAP breakpoint overlaps from triggering false positives [#​3534](docker/buildx#3534) - Fix mount input names in DAP run mounts [#​3579](docker/buildx#3579) - Fix DAP breakpoint reason reporting [#​3581](docker/buildx#3581) ##### Dependency Changes - **github.com/ProtonMail/go-crypto** v1.3.0 ***new*** - **github.com/agnivade/levenshtein** v1.2.1 ***new*** - **github.com/asaskevich/govalidator** [`a9d515a`](docker/buildx@a9d515a09cc2) ***new*** - **github.com/aws/aws-sdk-go-v2** v1.38.1 -> v1.39.6 - **github.com/aws/aws-sdk-go-v2/config** v1.31.3 -> v1.31.20 - **github.com/aws/aws-sdk-go-v2/credentials** v1.18.7 -> v1.18.24 - **github.com/aws/aws-sdk-go-v2/feature/ec2/imds** v1.18.4 -> v1.18.13 - **github.com/aws/aws-sdk-go-v2/internal/configsources** v1.4.4 -> v1.4.13 - **github.com/aws/aws-sdk-go-v2/internal/endpoints/v2** v2.7.4 -> v2.7.13 - **github.com/aws/aws-sdk-go-v2/internal/ini** v1.8.3 -> v1.8.4 - **github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding** v1.13.0 -> v1.13.3 - **github.com/aws/aws-sdk-go-v2/service/internal/presigned-url** v1.13.4 -> v1.13.13 - **github.com/aws/aws-sdk-go-v2/service/sso** v1.28.2 -> v1.30.3 - **github.com/aws/aws-sdk-go-v2/service/ssooidc** v1.34.0 -> v1.35.7 - **github.com/aws/aws-sdk-go-v2/service/sts** v1.38.0 -> v1.40.2 - **github.com/aws/smithy-go** v1.22.5 -> v1.23.2 - **github.com/beorn7/perks** v1.0.1 ***new*** - **github.com/blang/semver** v3.5.1 ***new*** - **github.com/cespare/xxhash/v2** v2.3.0 ***new*** - **github.com/cloudflare/circl** v1.6.1 ***new*** - **github.com/containerd/containerd/v2** [`efd86f2`](docker/buildx@efd86f2b0bc2) -> v2.2.1 - **github.com/cyberphone/json-canonicalization** [`19d51d7`](docker/buildx@19d51d7fe467) ***new*** - **github.com/davecgh/go-spew** v1.1.1 -> [`d8f796a`](docker/buildx@d8f796af33cc) - **github.com/decred/dcrd/dcrec/secp256k1/v4** v4.4.0 ***new*** - **github.com/digitorus/pkcs7** [`3a137a8`](docker/buildx@3a137a874352) ***new*** - **github.com/digitorus/timestamp** [`220c5c2`](docker/buildx@220c5c2851b7) ***new*** - **github.com/docker/cli** v28.5.1 -> v29.1.5 - **github.com/docker/cli-docs-tool** v0.10.0 -> v0.11.0 - **github.com/docker/docker** v28.5.1 -> v28.5.2 - **github.com/docker/docker-credential-helpers** v0.9.3 -> v0.9.5 - **github.com/docker/go-connections** v0.5.0 -> v0.6.0 - **github.com/fvbommel/sortorder** v1.0.1 -> v1.1.0 - **github.com/go-ini/ini** v1.67.0 ***new*** - **github.com/go-openapi/analysis** v0.24.1 ***new*** - **github.com/go-openapi/errors** v0.22.4 ***new*** - **github.com/go-openapi/jsonpointer** v0.21.0 -> v0.22.1 - **github.com/go-openapi/jsonreference** v0.20.2 -> v0.21.3 - **github.com/go-openapi/loads** v0.23.2 ***new*** - **github.com/go-openapi/runtime** v0.29.2 ***new*** - **github.com/go-openapi/spec** v0.22.1 ***new*** - **github.com/go-openapi/strfmt** v0.25.0 ***new*** - **github.com/go-openapi/swag** v0.23.0 -> v0.25.3 - **github.com/go-openapi/swag/cmdutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/conv** v0.25.3 ***new*** - **github.com/go-openapi/swag/fileutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/jsonname** v0.25.3 ***new*** - **github.com/go-openapi/swag/jsonutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/loading** v0.25.3 ***new*** - **github.com/go-openapi/swag/mangling** v0.25.3 ***new*** - **github.com/go-openapi/swag/netutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/stringutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/typeutils** v0.25.3 ***new*** - **github.com/go-openapi/swag/yamlutils** v0.25.3 ***new*** - **github.com/go-openapi/validate** v0.25.1 ***new*** - **github.com/gobwas/glob** v0.2.3 ***new*** - **github.com/goccy/go-json** v0.10.5 ***new*** - **github.com/google/certificate-transparency-go** v1.3.2 ***new*** - **github.com/google/go-containerregistry** v0.20.6 ***new*** - **github.com/google/go-dap** v0.12.0 -> [`d7a2259`](docker/buildx@d7a2259b058b) - **github.com/grpc-ecosystem/grpc-gateway/v2** v2.27.2 -> v2.27.3 - **github.com/hiddeco/sshsig** v0.2.0 ***new*** - **github.com/in-toto/attestation** v1.1.2 ***new*** - **github.com/klauspost/compress** v1.18.1 -> v1.18.2 - **github.com/lestrrat-go/blackmagic** v1.0.4 ***new*** - **github.com/lestrrat-go/dsig** v1.0.0 ***new*** - **github.com/lestrrat-go/dsig-secp256k1** v1.0.0 ***new*** - **github.com/lestrrat-go/httpcc** v1.0.1 ***new*** - **github.com/lestrrat-go/httprc/v3** v3.0.1 ***new*** - **github.com/lestrrat-go/jwx/v3** v3.0.11 ***new*** - **github.com/lestrrat-go/option** v1.0.1 ***new*** - **github.com/lestrrat-go/option/v2** v2.0.0 ***new*** - **github.com/moby/buildkit** v0.26.1 -> v0.27.0 - **github.com/moby/go-archive** v0.1.0 -> v0.2.0 - **github.com/moby/moby/api** v1.52.0 ***new*** - **github.com/moby/moby/client** v0.2.1 ***new*** - **github.com/moby/policy-helpers** [`9fcc1a9`](docker/buildx@9fcc1a9ec5c9) ***new*** - **github.com/morikuni/aec** v1.0.0 -> v1.1.0 - **github.com/oklog/ulid** v1.3.1 ***new*** - **github.com/open-policy-agent/opa** v1.10.1 ***new*** - **github.com/pmezard/go-difflib** v1.0.0 -> [`5d4384e`](docker/buildx@5d4384ee4fb2) - **github.com/prometheus/client\_golang** v1.23.2 ***new*** - **github.com/prometheus/client\_model** v0.6.2 ***new*** - **github.com/prometheus/common** v0.66.1 ***new*** - **github.com/prometheus/procfs** v0.17.0 ***new*** - **github.com/rcrowley/go-metrics** [`65e299d`](docker/buildx@65e299d6c5c9) ***new*** - **github.com/rivo/uniseg** v0.2.0 -> v0.4.7 - **github.com/segmentio/asm** v1.2.0 ***new*** - **github.com/sigstore/protobuf-specs** v0.5.0 ***new*** - **github.com/sigstore/rekor** v1.4.3 ***new*** - **github.com/sigstore/rekor-tiles/v2** v2.0.1 ***new*** - **github.com/sigstore/sigstore** v1.10.0 ***new*** - **github.com/sigstore/sigstore-go** [`b5fe07a`](docker/buildx@b5fe07a5a7d7) ***new*** - **github.com/sigstore/timestamp-authority/v2** v2.0.2 ***new*** - **github.com/sirupsen/logrus** v1.9.3 -> v1.9.4 - **github.com/spf13/cobra** v1.10.1 -> v1.10.2 - **github.com/tchap/go-patricia/v2** v2.3.3 ***new*** - **github.com/theupdateframework/go-tuf/v2** v2.3.0 ***new*** - **github.com/tonistiigi/fsutil** [`586307a`](docker/buildx@586307ad452f) -> [`a2aa163`](docker/buildx@a2aa163d723f) - **github.com/transparency-dev/formats** [`404c0d5`](docker/buildx@404c0d5b696c) ***new*** - **github.com/transparency-dev/merkle** v0.0.2 ***new*** - **github.com/valyala/fastjson** v1.6.4 ***new*** - **github.com/vektah/gqlparser/v2** v2.5.30 ***new*** - **github.com/xeipuuv/gojsonpointer** [`02993c4`](docker/buildx@02993c407bfb) ***new*** - **github.com/xeipuuv/gojsonreference** [`bd5ef7b`](docker/buildx@bd5ef7bd5415) ***new*** - **github.com/yashtewari/glob-intersection** v0.2.0 ***new*** - **go.mongodb.org/mongo-driver** v1.17.6 ***new*** - **go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc** v0.61.0 -> v0.63.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace** v0.61.0 -> v0.63.0 - **go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp** v0.61.0 -> v0.63.0 - **go.opentelemetry.io/otel/exporters/stdout/stdouttrace** v1.31.0 -> v1.38.0 - **go.yaml.in/yaml/v2** v2.4.2 -> v2.4.3 - **google.golang.org/genproto/googleapis/api** [`c5933d9`](docker/buildx@c5933d9347a5) -> [`f26f940`](docker/buildx@f26f9409b101) - **google.golang.org/genproto/googleapis/rpc** [`c5933d9`](docker/buildx@c5933d9347a5) -> [`f26f940`](docker/buildx@f26f9409b101) Previous release can be found at [v0.30.1](https://github.com/docker/buildx/releases/tag/v0.30.1) ### [`v0.30.1`](https://github.com/docker/buildx/releases/tag/v0.30.1) [Compare Source](docker/buildx@v0.30.0...v0.30.1) Welcome to the v0.30.1 release of buildx! Please try out the release binaries and report any issues at <https://github.com/docker/buildx/issues>. ##### Contributors - Tõnis Tiigi - CrazyMax - Jonathan A. Sternberg ##### Notable Changes - Fix concurrent map write panic. [#​3524](docker/buildx#3524) - Fix possible excessive chunking when fetching blobs. [#​3529](docker/buildx#3529) ##### Dependency Changes - **github.com/containerd/containerd/v2** v2.2.0 -> [`efd86f2`](docker/buildx@efd86f2b0bc2) - **github.com/moby/buildkit** v0.26.0 -> v0.26.1 Previous release can be found at [v0.30.0](https://github.com/docker/buildx/releases/tag/v0.30.0) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) - Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xOTUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJLaW5kL0RlcGVuZGVuY3lVcGRhdGUiLCJydW4tZW5kLXRvLWVuZC10ZXN0cyJdfQ==--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/1533 Reviewed-by: Mathieu Fenniak <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR refactors Bake Git authentication secret handling by introducing a dedicated gitauth helper that centralizes how secrets are built from environment variables. The same helper is now used in both build option creation and remote bake file reads, so the behavior is consistent across those paths while preserving existing support for
BUILDX_BAKE_GIT_AUTH_TOKENandBUILDX_BAKE_GIT_AUTH_HEADER.It also adds automatic host-based Git auth secret derivation for remote Bake invocations. When a remote URL is in play, Bake now emits both base BuildKit secret IDs and host-scoped IDs (for example
GIT_AUTH_TOKEN.<host>/GIT_AUTH_HEADER.<host>) based on the resolved remote URL logic, enabling per-host auth routing automatically without introducing host-suffixed auth env vars.