Merge branch 'docker:master' into project-guide

.github/workflows/build.yml

@@ -21,6 +21,7 @@ on:
 env:
   BUILDX_VERSION: "latest"
   BUILDKIT_IMAGE: "moby/buildkit:latest"
+  SCOUT_VERSION: "1.11.0"
   REPO_SLUG: "docker/buildx-bin"
   DESTDIR: "./bin"
   TEST_CACHE_SCOPE: "test"
@@ -214,6 +215,36 @@ jobs:
           name: test-reports-${{ env.TESTREPORTS_NAME }}
           path: ${{ env.TESTREPORTS_BASEDIR }}
 
+  govulncheck:
+    runs-on: ubuntu-24.04
+    permissions:
+      # required to write sarif report
+      security-events: write
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          version: ${{ env.BUILDX_VERSION }}
+          driver-opts: image=${{ env.BUILDKIT_IMAGE }}
+          buildkitd-flags: --debug
+      -
+        name: Run
+        uses: docker/bake-action@v5
+        with:
+          targets: govulncheck
+        env:
+          GOVULNCHECK_FORMAT: sarif
+      -
+        name: Upload SARIF report
+        if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.DESTDIR }}/govulncheck.out
+
   prepare-binaries:
     runs-on: ubuntu-24.04
     outputs:
@@ -328,6 +359,38 @@ jobs:
             *.cache-from=type=gha,scope=bin-image
             *.cache-to=type=gha,scope=bin-image,mode=max
 
+  scout:
+    runs-on: ubuntu-24.04
+    if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
+    permissions:
+      # required to write sarif report
+      security-events: write
+    needs:
+      - bin-image
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+      -
+        name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ vars.DOCKERPUBLICBOT_USERNAME }}
+          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+      -
+        name: Scout
+        id: scout
+        uses: crazy-max/.github/.github/actions/docker-scout@ccae1c98f1237b5c19e4ef77ace44fa68b3bc7e4
+        with:
+          version: ${{ env.SCOUT_VERSION }}
+          format: sarif
+          image: registry://${{ env.REPO_SLUG }}:master
+      -
+        name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scout.outputs.result-file }}
+
   release:
     runs-on: ubuntu-24.04
     needs:
@@ -359,7 +422,7 @@ jobs:
       -
         name: GitHub Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0  # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191  # v2.0.8
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/docs-release.yml

@@ -57,7 +57,7 @@ jobs:
           VENDOR_MODULE: github.com/docker/buildx@${{ env.RELEASE_NAME }}
       -
         name: Create PR on docs repo
-        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c  # v6.1.0
+        uses: peter-evans/create-pull-request@4320041ed380b20e97d388d56a7fb4f9b8c20e79  # v7.0.0
         with:
           token: ${{ secrets.GHPAT_DOCS_DISPATCH }}
           push-to-fork: docker-tools-robot/docker.github.io

.github/workflows/labeler.yml

@@ -17,3 +17,5 @@ jobs:
       -
         name: Run
         uses: actions/labeler@v5
+        with:
+          sync-labels: true

.mailmap

@@ -1,11 +1,25 @@
 # This file lists all individuals having contributed content to the repository.
 # For how it is generated, see hack/dockerfiles/authors.Dockerfile.
 
+Batuhan Apaydın <[email protected]>
+Batuhan Apaydın <[email protected]> <[email protected]>
 CrazyMax <[email protected]>
 CrazyMax <[email protected]> <[email protected]>
 CrazyMax <[email protected]> <[email protected]>
+David Karlsson <[email protected]>
+David Karlsson <[email protected]> <[email protected]>
+jaihwan104 <[email protected]>
+jaihwan104 <[email protected]> <[email protected]>
+Kenyon Ralph <[email protected]>
+Kenyon Ralph <[email protected]> <[email protected]>
 Sebastiaan van Stijn <[email protected]>
 Sebastiaan van Stijn <[email protected]> <[email protected]>
+Shaun Thompson <[email protected]>
+Shaun Thompson <[email protected]> <[email protected]>
+Silvin Lubecki <[email protected]>
+Silvin Lubecki <[email protected]> <[email protected]>
+Talon Bowler <[email protected]>
+Talon Bowler <[email protected]> <[email protected]>
 Tibor Vass <[email protected]>
 Tibor Vass <[email protected]> <[email protected]>
 Tõnis Tiigi <[email protected]>

AUTHORS

@@ -1,45 +1,112 @@
 # This file lists all individuals having contributed content to the repository.
 # For how it is generated, see hack/dockerfiles/authors.Dockerfile.
 
+accetto <[email protected]>
 Akihiro Suda <[email protected]>
+Aleksa Sarai <[email protected]>
 Alex Couture-Beil <[email protected]>
 Andrew Haines <[email protected]>
+Andy Caldwell <[email protected]>
 Andy MacKinlay <[email protected]>
 Anthony Poschen <[email protected]>
+Arnold Sobanski <[email protected]>
 Artur Klauser <[email protected]>
-Batuhan Apaydın <[email protected]>
+Avi Deitcher <[email protected]>
+Batuhan Apaydın <[email protected]>
+Ben Peachey <[email protected]>
+Bertrand Paquet <[email protected]>
 Bin Du <[email protected]>
 Brandon Philips <[email protected]>
 Brian Goff <[email protected]>
+Bryce Lampe <[email protected]>
+Cameron Adams <[email protected]>
+Christian Dupuis <[email protected]>
+Cory Snider <[email protected]>
 CrazyMax <[email protected]>
+David Gageot <[email protected]>
+David Karlsson <[email protected]>
+David Scott <[email protected]>
 dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 Devin Bayer <[email protected]>
 Djordje Lukic <[email protected]>
+Dmitry Makovey <[email protected]>
 Dmytro Makovey <[email protected]>
 Donghui Wang <[email protected]>
+Doug Borg <[email protected]>
+Edgar Lee <[email protected]>
+Eli Treuherz <[email protected]>
+Eliott Wiener <[email protected]>
+Elran Shefer <[email protected]>
 faust <[email protected]>
 Felipe Santos <[email protected]>
+Felix de Souza <[email protected]>
 Fernando Miguel <[email protected]>
 gfrancesco <[email protected]>
 gracenoah <[email protected]>
+Guillaume Lours <[email protected]>
+guoguangwu <[email protected]>
 Hollow Man <[email protected]>
+Ian King'ori <[email protected]>
+idnandre <[email protected]>
 Ilya Dmitrichenko <[email protected]>
+Isaac Gaskin <[email protected]>
 Jack Laxson <[email protected]>
+jaihwan104 <[email protected]>
 Jean-Yves Gastaud <[email protected]>
+Jhan S. Álvarez <[email protected]>
+Jonathan A. Sternberg <[email protected]>
+Jonathan Piché <[email protected]>
+Justin Chadwell <[email protected]>
+Kenyon Ralph <[email protected]>
 khs1994 <[email protected]>
+Kijima Daigo <[email protected]>
+Kohei Tokunaga <[email protected]>
 Kotaro Adachi <[email protected]>
+Kushagra Mansingh <[email protected]>
 l00397676 <[email protected]>
+Laura Brehm <[email protected]>
+Laurent Goderre <[email protected]>
+Mark Hildreth <[email protected]>
+Mayeul Blanzat <[email protected]>
 Michal Augustyn <[email protected]>
+Milas Bowman <[email protected]>
+Mitsuru Kariya <[email protected]>
+Moleus <[email protected]>
+Nick Santos <[email protected]>
+Nick Sieger <[email protected]>
+Nicolas De Loof <[email protected]>
+Niklas Gehlen <[email protected]>
 Patrick Van Stee <[email protected]>
+Paweł Gronowski <[email protected]>
+Phong Tran <[email protected]>
+Qasim Sarfraz <[email protected]>
+Rob Murray <[email protected]>
+robertlestak <[email protected]>
 Saul Shanabrook <[email protected]>
+Sean P. Kane <[email protected]>
 Sebastiaan van Stijn <[email protected]>
+Shaun Thompson <[email protected]>
 SHIMA Tatsuya <[email protected]>
 Silvin Lubecki <[email protected]>
+Simon A. Eugster <[email protected]>
 Solomon Hykes <[email protected]>
+Sumner Warren <[email protected]>
 Sune Keller <[email protected]>
+Talon Bowler <[email protected]>
+Tianon Gravi <[email protected]>
 Tibor Vass <[email protected]>
+Tim Smith <[email protected]>
+Timofey Kirillov <[email protected]>
+Tyler Smith <[email protected]>
 Tõnis Tiigi <[email protected]>
 Ulysses Souza <[email protected]>
+Usual Coder <[email protected]>
 Wang Jinglei <[email protected]>
+Wei <[email protected]>
+Wojciech M <[email protected]>
 Xiang Dai <[email protected]>
+Zachary Povey <[email protected]>
 zelahi <[email protected]>
+Zero <[email protected]>
+zhyon404 <[email protected]>
+Zsolt <[email protected]>

Dockerfile

@@ -4,7 +4,8 @@ ARG GO_VERSION=1.22
 ARG XX_VERSION=1.4.0
 
 # for testing
-ARG DOCKER_VERSION=27.0.3
+ARG DOCKER_VERSION=27.1.1
+ARG DOCKER_CLI_VERSION=${DOCKER_VERSION}
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG REGISTRY_VERSION=2.8.0
 ARG BUILDKIT_VERSION=v0.14.1
@@ -13,7 +14,7 @@ ARG UNDOCK_VERSION=0.7.0
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS golatest
 FROM moby/moby-bin:$DOCKER_VERSION AS docker-engine
-FROM dockereng/cli-bin:$DOCKER_VERSION AS docker-cli
+FROM dockereng/cli-bin:$DOCKER_CLI_VERSION AS docker-cli
 FROM registry:$REGISTRY_VERSION AS registry
 FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
 FROM crazymax/undock:$UNDOCK_VERSION AS undock

README.md

@@ -56,8 +56,7 @@ For more information on how to use Buildx, see
 
 Using `buildx` with Docker requires Docker engine 19.03 or newer.
 
-> **Warning**
->
+> [!WARNING]
 > Using an incompatible version of Docker may result in unexpected behavior,
 > and will likely cause issues, especially when using Buildx builders with more
 > recent versions of BuildKit.
@@ -75,8 +74,7 @@ Docker Engine package repositories contain Docker Buildx packages when installed
 
 ## Manual download
 
-> **Important**
->
+> [!IMPORTANT]
 > This section is for unattended installation of the buildx component. These
 > instructions are mostly suitable for testing purposes. We do not recommend
 > installing buildx using manual download in production environments as they
@@ -107,8 +105,7 @@ On Windows:
 * `C:\ProgramData\Docker\cli-plugins`
 * `C:\Program Files\Docker\cli-plugins`
 
-> **Note**
->
+> [!NOTE]
 > On Unix environments, it may also be necessary to make it executable with `chmod +x`:
 > ```shell
 > $ chmod +x ~/.docker/cli-plugins/docker-buildx

bake/bake.go

@@ -25,6 +25,7 @@ import (
 	"github.com/moby/buildkit/client"
 	"github.com/moby/buildkit/client/llb"
 	"github.com/moby/buildkit/session/auth/authprovider"
+	"github.com/moby/buildkit/util/entitlements"
 	"github.com/pkg/errors"
 	"github.com/tonistiigi/go-csvvalue"
 	"github.com/zclconf/go-cty/cty"
@@ -542,7 +543,7 @@ func (c Config) newOverrides(v []string) (map[string]map[string]Override, error)
 			o := t[kk[1]]
 
 			switch keys[1] {
-			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh", "attest":
+			case "output", "cache-to", "cache-from", "tags", "platform", "secrets", "ssh", "attest", "entitlements", "network":
 				if len(parts) == 2 {
 					o.ArrValue = append(o.ArrValue, parts[1])
 				}
@@ -703,11 +704,12 @@ type Target struct {
 	Outputs          []string           `json:"output,omitempty" hcl:"output,optional" cty:"output"`
 	Pull             *bool              `json:"pull,omitempty" hcl:"pull,optional" cty:"pull"`
 	NoCache          *bool              `json:"no-cache,omitempty" hcl:"no-cache,optional" cty:"no-cache"`
-	NetworkMode      *string            `json:"-" hcl:"-" cty:"-"`
+	NetworkMode      *string            `json:"network" hcl:"network" cty:"network"`
 	NoCacheFilter    []string           `json:"no-cache-filter,omitempty" hcl:"no-cache-filter,optional" cty:"no-cache-filter"`
 	ShmSize          *string            `json:"shm-size,omitempty" hcl:"shm-size,optional"`
 	Ulimits          []string           `json:"ulimits,omitempty" hcl:"ulimits,optional"`
 	Call             *string            `json:"call,omitempty" hcl:"call,optional" cty:"call"`
+	Entitlements     []string           `json:"entitlements,omitempty" hcl:"entitlements,optional" cty:"entitlements"`
 	// IMPORTANT: if you add more fields here, do not forget to update newOverrides/AddOverrides and docs/bake-reference.md.
 
 	// linked is a private field to mark a target used as a linked one
@@ -732,6 +734,12 @@ func (t *Target) normalize() {
 	t.NoCacheFilter = removeDupes(t.NoCacheFilter)
 	t.Ulimits = removeDupes(t.Ulimits)
 
+	if t.NetworkMode != nil && *t.NetworkMode == "host" {
+		t.Entitlements = append(t.Entitlements, "network.host")
+	}
+
+	t.Entitlements = removeDupes(t.Entitlements)
+
 	for k, v := range t.Contexts {
 		if v == "" {
 			delete(t.Contexts, k)
@@ -831,6 +839,9 @@ func (t *Target) Merge(t2 *Target) {
 	if t2.Description != "" {
 		t.Description = t2.Description
 	}
+	if t2.Entitlements != nil { // merge
+		t.Entitlements = append(t.Entitlements, t2.Entitlements...)
+	}
 	t.Inherits = append(t.Inherits, t2.Inherits...)
 }
 
@@ -885,6 +896,8 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.Platforms = o.ArrValue
 		case "output":
 			t.Outputs = o.ArrValue
+		case "entitlements":
+			t.Entitlements = append(t.Entitlements, o.ArrValue...)
 		case "annotations":
 			t.Annotations = append(t.Annotations, o.ArrValue...)
 		case "attest":
@@ -901,6 +914,8 @@ func (t *Target) AddOverrides(overrides map[string]Override) error {
 			t.ShmSize = &value
 		case "ulimits":
 			t.Ulimits = o.ArrValue
+		case "network":
+			t.NetworkMode = &value
 		case "pull":
 			pull, err := strconv.ParseBool(value)
 			if err != nil {
@@ -1313,7 +1328,7 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 
 	if t.Call != nil {
-		bo.PrintFunc = &build.PrintFunc{
+		bo.CallFunc = &build.CallFunc{
 			Name: *t.Call,
 		}
 	}
@@ -1368,6 +1383,10 @@ func toBuildOpt(t *Target, inp *Input) (*build.Options, error) {
 	}
 	bo.Ulimits = ulimits
 
+	for _, ent := range t.Entitlements {
+		bo.Allow = append(bo.Allow, entitlements.Entitlement(ent))
+	}
+
 	return bo, nil
 }