v0.29.0

Welcome to the v0.29.0 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• David Karlsson
• Akihiro Suda
• Sebastiaan van Stijn
• Brian Ristuccia
• Jonathan A. Sternberg
• Mateusz Gozdek
• Natnael Gebremariam

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.23.0 changelog
• Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See Dockerfile changelog for how to enable this in the Dockerfile frontend #6600
• Various file access operations in Git and HTTP sources have been hardened for improved security #6613
• Frontends can now report updated SOURCE_DATE_EPOCH with result metadata that can be used by exporters #6601
• Fix possible panic when listing build history after recent deletions #6614
• Fix possible issue where builds from Git repositories could start to fail after submodule rename #6563
• Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client #6531
• Fix regression where build progress skipped the message about layers being pushed to the registry #6587
• Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments #6585
• Fix issue with resolving symlinks via file access methods of the Gateway API #6559
• Fix possible "parent snapshot does not exist" error when exporting images in parallel #6558
• Fix possible panic from zstd compression #6599
• Fix issue where cache imports from an uninitialized local cache tag could fail the build #6554
• Included CNI plugins have been updated to v1.9.1 #6583
• Included QEMU emulator support has been updated to v10.2.1 #6580
• Runc container runtime has been updated to v1.3.5 #6625

Dependency Changes

• github.com/aws/aws-sdk-go-v2 v1.41.1 -> v1.41.4
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 -> v1.7.5
• github.com/aws/aws-sdk-go-v2/config v1.32.7 -> v1.32.12
• github.com/aws/aws-sdk-go-v2/credentials v1.19.7 -> v1.19.12
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 -> v1.18.20
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 -> v1.4.20
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 -> v2.7.20
• github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 -> v1.8.6
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 -> v1.13.7
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 -> v1.13.20
• github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 -> v1.0.8
• github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 -> v1.30.13
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 -> v1.35.17
• github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 -> v1.41.9
• github.com/aws/smithy-go v1.24.0 -> v1.24.2
• github.com/containerd/cgroups/v3 v3.1.2 -> v3.1.3
• github.com/containerd/containerd/v2 v2.2.1 -> v2.2.2
• github.com/containerd/nydus-snapshotter v0.15.11 -> v0.15.13
• github.com/containerd/ttrpc v1.2.7 -> v1.2.8
• github.com/containernetworking/plugins v1.9.0 -> v1.9.1
• github.com/docker/cli v29.2.1 -> v29.3.1
• github.com/go-openapi/analysis v0.24.1 -> v0.24.3
• github.com/go-openapi/errors v0.22.6 -> v0.22.7
• github.com/go-openapi/jsonpointer v0.22.4 -> v0.22.5
• github.com/go-openapi/jsonreference v0.21.4 -> v0.21.5
• github.com/go-openapi/loads v0.23.2 -> v0.23.3
• github.com/go-openapi/spec v0.22.3 -> v0.22.4
• github.com/go-openapi/strfmt v0.25.0 -> v0.26.1
• github.com/go-openapi/swag/conv v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/fileutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/jsonname v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/jsonutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/loading v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/mangling v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/stringutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/typeutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/yamlutils v0.25.4 -> v0.25.5
• github.com/go-openapi/validate v0.25.1 -> v0.25.2
• github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 -> v2.27.7
• github.com/klauspost/compress v1.18.4 -> v1.18.5
• github.com/moby/policy-helpers 824747bfdd3c -> b7c0b994300b
• github.com/oklog/ulid/v2 v2.1.1 new
• go.opentelemetry.io/otel v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/metric v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/sdk v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/sdk/metric v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/trace v1.38.0 -> v1.40.0
• go.opentelemetry.io/proto/otlp v1.7.1 -> v1.9.0
• golang.org/x/sys v0.41.0 -> v0.42.0
• golang.org/x/term v0.40.0 -> v0.41.0
• google.golang.org/genproto/googleapis/api ff82c1b0f217 -> 8636f8732409
• google.golang.org/genproto/googleapis/rpc 0a764e51fe1b -> 8636f8732409
• google.golang.org/grpc v1.78.0 -> v1.79.3

Previous release can be found at v0.28.1

dockerfile/1.23.0-labs

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.23.0-labs

dockerfile/1.23.0

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.23.0

Notable changes

• Git URLs now accept the mtime=commit query parameter to initialize checked-out file timestamps to Git commit time. Remote builds using a Git context that define SOURCE_DATE_EPOCH automatically default to mtime=commit for better reproducibility. #6600
• Dockerfile can now define SOURCE_DATE_EPOCH build-arg in the global scope with a default value. The value can still be overridden with --build-arg as before. #6601
• Fix issue with the order of applied proxy build-args being non-deterministic #6560

v0.29.0-rc1

buildkit 0.29.0-rc1

Welcome to the v0.29.0-rc1 release of buildkit!
This is a pre-release of buildkit

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• David Karlsson
• Sebastiaan van Stijn
• Akihiro Suda
• Brian Ristuccia
• Jonathan A. Sternberg
• Mateusz Gozdek
• Natnael Gebremariam

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.23.0-rc1 changelog
• Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See Dockerfile changelog for how to enable this in the Dockerfile frontend #6600
• Various file access operations in Git and HTTP sources have been hardened for improved security #6613
• Frontends can now report updated SOURCE_DATE_EPOCH with result metadata that can be used by exporters #6601
• Fix possible panic when listing build history after recent deletions #6614
• Fix possible issue where builds from Git repositories could start to fail after submodule rename #6563
• Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client #6531
• Fix regression where build progress skipped the message about layers being pushed to the registry #6587
• Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments #6585
• Fix issue with resolving symlinks via file access methods of the Gateway API #6559
• Fix possible "parent snapshot does not exist" error when exporting images in parallel #6558
• Fix possible panic from zstd compression #6599
• Fix issue where cache imports from an uninitialized local cache tag could fail the build #6554
• Included CNI plugins have been updated to v1.9.1 #6583
• Included QEMU emulator support has been updated to v10.2.1 #6580

Dependency Changes

• github.com/aws/aws-sdk-go-v2 v1.41.1 -> v1.41.4
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.4 -> v1.7.5
• github.com/aws/aws-sdk-go-v2/config v1.32.7 -> v1.32.12
• github.com/aws/aws-sdk-go-v2/credentials v1.19.7 -> v1.19.12
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 -> v1.18.20
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 -> v1.4.20
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 -> v2.7.20
• github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 -> v1.8.6
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 -> v1.13.7
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 -> v1.13.20
• github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 -> v1.0.8
• github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 -> v1.30.13
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 -> v1.35.17
• github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 -> v1.41.9
• github.com/aws/smithy-go v1.24.0 -> v1.24.2
• github.com/containerd/cgroups/v3 v3.1.2 -> v3.1.3
• github.com/containerd/containerd/v2 v2.2.1 -> v2.2.2
• github.com/containerd/nydus-snapshotter v0.15.11 -> v0.15.13
• github.com/containerd/ttrpc v1.2.7 -> v1.2.8
• github.com/containernetworking/plugins v1.9.0 -> v1.9.1
• github.com/docker/cli v29.2.1 -> v29.3.1
• github.com/go-openapi/analysis v0.24.1 -> v0.24.3
• github.com/go-openapi/errors v0.22.6 -> v0.22.7
• github.com/go-openapi/jsonpointer v0.22.4 -> v0.22.5
• github.com/go-openapi/jsonreference v0.21.4 -> v0.21.5
• github.com/go-openapi/loads v0.23.2 -> v0.23.3
• github.com/go-openapi/spec v0.22.3 -> v0.22.4
• github.com/go-openapi/strfmt v0.25.0 -> v0.26.1
• github.com/go-openapi/swag/conv v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/fileutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/jsonname v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/jsonutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/loading v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/mangling v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/stringutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/typeutils v0.25.4 -> v0.25.5
• github.com/go-openapi/swag/yamlutils v0.25.4 -> v0.25.5
• github.com/go-openapi/validate v0.25.1 -> v0.25.2
• github.com/go-viper/mapstructure/v2 v2.4.0 -> v2.5.0
• github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.3 -> v2.27.7
• github.com/klauspost/compress v1.18.4 -> v1.18.5
• github.com/moby/policy-helpers 824747bfdd3c -> b7c0b994300b
• github.com/oklog/ulid/v2 v2.1.1 new
• go.opentelemetry.io/otel v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.38.0 -> v1.39.0
• go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 -> v1.39.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.38.0 -> v1.39.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/metric v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/sdk v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/sdk/metric v1.38.0 -> v1.40.0
• go.opentelemetry.io/otel/trace v1.38.0 -> v1.40.0
• go.opentelemetry.io/proto/otlp v1.7.1 -> v1.9.0
• google.golang.org/genproto/googleapis/api ff82c1b0f217 -> 8636f8732409
• google.golang.org/genproto/googleapis/rpc 0a764e51fe1b -> 8636f8732409
• google.golang.org/grpc v1.78.0 -> v1.79.3

Previous release can be found at v0.28.1

v0.28.1

Welcome to the v0.28.1 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn

Notable Changes

• Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg
• Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj
• Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9

Dependency Changes

• github.com/moby/patternmatcher v0.6.0 -> v0.6.1

Previous release can be found at v0.28.0

dockerfile/1.23.0-rc1-labs

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.23.0-rc1-labs

dockerfile/1.23.0-rc1

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.23.0-rc1

Notable changes

• Git URLs now accept the mtime=commit query parameter to initialize checked-out file timestamps to Git commit time. Remote builds using a Git context that define SOURCE_DATE_EPOCH automatically default to mtime=commit for better reproducibility. #6600
• Dockerfile can now define SOURCE_DATE_EPOCH build-arg in the global scope with a default value. The value can still be overridden with --build-arg as before. #6601
• Fix issue with the order of applied proxy build-args being non-deterministic #6560

v0.28.0

buildkit 0.28.0

Welcome to the v0.28.0 release of buildkit!

Please try out the release binaries and report any issues at
https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Akihiro Suda
• Amr Mahdi
• Dan Duvall
• David Karlsson
• Jonas Geiler
• Kevin L.
• rsteube

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.22.0 changelog
• The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the version attribute. #6526
• Provenance attestation for an image can now be directly pulled via Source metadata request. #6516 #6514 #6537
• Pushing result images and exporting build cache now happens in parallel, for better performance. #6451
• LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols docker-image+blob:// and oci-layout+blob://. #4286
• LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. #6527 #6537
• LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. #6527
• With the update to a newer version of the in-toto library, the provenance attestation key InvocationID has changed to InvocationId to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. #6533
• Embedded Qemu emulator support has been updated to v10.1.3 #6524
• Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. #6368
• Buildctl binary now supports bash completion. #6474
• PGP signature verification now supports combined public keys as input for defining the required signer. #6519
• Fix possible "failed to read expected number of bytes" error when reading attestation chains #6520
• Fix possible error from race condition when creating images in parallel #6477

Dependency Changes

• github.com/aws/aws-sdk-go-v2 v1.39.6 -> v1.41.1
• github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2 -> v1.7.4
• github.com/aws/aws-sdk-go-v2/config v1.31.20 -> v1.32.7
• github.com/aws/aws-sdk-go-v2/credentials v1.18.24 -> v1.19.7
• github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 -> v1.18.17
• github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 -> v1.4.17
• github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.13 -> v2.7.17
• github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.3 -> v1.13.4
• github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.13 -> v1.13.17
• github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 new
• github.com/aws/aws-sdk-go-v2/service/sso v1.30.3 -> v1.30.9
• github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.7 -> v1.35.13
• github.com/aws/aws-sdk-go-v2/service/sts v1.40.2 -> v1.41.6
• github.com/aws/smithy-go v1.23.2 -> v1.24.0
• github.com/cloudflare/circl v1.6.1 -> v1.6.3
• github.com/containerd/nydus-snapshotter v0.15.10 -> v0.15.11
• github.com/containerd/stargz-snapshotter v0.17.0 -> v0.18.2
• github.com/containerd/stargz-snapshotter/estargz v0.17.0 -> v0.18.2
• github.com/coreos/go-systemd/v22 v22.6.0 -> v22.7.0
• github.com/docker/cli v29.1.4 -> v29.2.1
• github.com/go-openapi/errors v0.22.4 -> v0.22.6
• github.com/go-openapi/jsonpointer v0.22.1 -> v0.22.4
• github.com/go-openapi/jsonreference v0.21.3 -> v0.21.4
• github.com/go-openapi/spec v0.22.1 -> v0.22.3
• github.com/go-openapi/swag v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/cmdutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/conv v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/fileutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/jsonname v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/jsonutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/loading v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/mangling v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/netutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/stringutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/typeutils v0.25.3 -> v0.25.4
• github.com/go-openapi/swag/yamlutils v0.25.3 -> v0.25.4
• github.com/google/go-containerregistry v0.20.6 -> v0.20.7
• github.com/hanwen/go-fuse/v2 v2.8.0 -> v2.9.0
• github.com/in-toto/in-toto-golang v0.9.0 -> v0.10.0
• github.com/klauspost/compress v1.18.3 -> v1.18.4
• github.com/moby/policy-helpers eeebf1a0ab2b -> 824747bfdd3c
• github.com/morikuni/aec v1.0.0 -> v1.1.0
• github.com/pelletier/go-toml/v2 v2.2.4 new
• github.com/secure-systems-lab/go-securesystemslib v0.9.1 -> v0.10.0
• github.com/sigstore/rekor v1.4.3 -> v1.5.0
• github.com/sigstore/sigstore v1.10.0 -> v1.10.4
• github.com/sigstore/sigstore-go b5fe07a5a7d7 -> v1.1.4
• github.com/sigstore/timestamp-authority/v2 v2.0.2 -> v2.0.3
• github.com/theupdateframework/go-tuf/v2 v2.3.0 -> v2.4.1
• google.golang.org/genproto/googleapis/api f26f9409b101 -> ff82c1b0f217
• google.golang.org/genproto/googleapis/rpc f26f9409b101 -> 0a764e51fe1b
• google.golang.org/grpc v1.76.0 -> v1.78.0

Previous release can be found at v0.27.1

dockerfile/1.22.0-labs

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.22.0-labs

dockerfile/1.22.0

Usage

# syntax=docker.io/docker/dockerfile-upstream:1.22.0

Notable changes

• Fix incorrect linter warning for copying ignored files when negated patterns exist #6534
• Update linter conditions for SecretsUsedInArgOrEnv rule for better matching. #6501
• Named sources can now pass a different "shared key" for local sources if clients support it, and different projects that use the same context names will not overwrite each other (causing reduced performance). #6478