Merge pull request #1977 from dvdksn/docs/cherrypick_fup_buildinfo

[0.11 backport] docs: update since buildinfo removal

.github/workflows/build.yml

@@ -102,7 +102,7 @@ jobs:
           ./hack/test
         env:
           TEST_DOCKERD: "${{ (matrix.worker == 'docker' || matrix.worker == 'docker-container') && '1' || '0' }}"
-          TESTFLAGS: "${{ (matrix.worker == 'docker' || matrix.worker == 'docker-container') && env.TESTFLAGS_DOCKER || env.TESTFLAGS }} --run=//worker=${{ matrix.worker }}$"
+          TESTFLAGS: "${{ (matrix.worker == 'docker') && env.TESTFLAGS_DOCKER || env.TESTFLAGS }} --run=//worker=${{ matrix.worker }}$"
           TESTPKGS: "${{ matrix.pkg }}"
           SKIP_INTEGRATION_TESTS: "${{ matrix.skip-integration-tests }}"
       -

Dockerfile

@@ -1,14 +1,13 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20
+ARG GO_VERSION=1.20.6
 ARG XX_VERSION=1.2.1
-ARG DOCKERD_VERSION=20.10.14
+
+ARG DOCKER_VERSION=24.0.2
 ARG GOTESTSUM_VERSION=v1.9.0
 ARG REGISTRY_VERSION=2.8.0
 ARG BUILDKIT_VERSION=v0.11.6
 
-FROM docker:$DOCKERD_VERSION AS dockerd-release
-
 # xx is a helper for cross-compilation
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 
@@ -25,6 +24,22 @@ FROM registry:$REGISTRY_VERSION AS registry
 
 FROM moby/buildkit:$BUILDKIT_VERSION AS buildkit
 
+FROM gobase AS docker
+ARG TARGETPLATFORM
+ARG DOCKER_VERSION
+WORKDIR /opt/docker
+RUN DOCKER_ARCH=$(case ${TARGETPLATFORM:-linux/amd64} in \
+    "linux/amd64")   echo "x86_64"  ;; \
+    "linux/arm/v6")  echo "armel"   ;; \
+    "linux/arm/v7")  echo "armhf"   ;; \
+    "linux/arm64")   echo "aarch64" ;; \
+    "linux/ppc64le") echo "ppc64le" ;; \
+    "linux/s390x")   echo "s390x"   ;; \
+    *)               echo ""        ;; esac) \
+  && echo "DOCKER_ARCH=$DOCKER_ARCH" \
+  && wget -qO- "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-${DOCKER_VERSION}.tgz" | tar xvz --strip 1
+RUN ./dockerd --version && ./containerd --version && ./ctr --version && ./runc --version
+
 FROM gobase AS gotestsum
 ARG GOTESTSUM_VERSION
 ENV GOFLAGS=
@@ -77,9 +92,20 @@ FROM binaries-$TARGETOS AS binaries
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 
 FROM gobase AS integration-test-base
-RUN apk add --no-cache docker runc containerd
+# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
+RUN apk add --no-cache \
+      btrfs-progs \
+      e2fsprogs \
+      e2fsprogs-extra \
+      ip6tables \
+      iptables \
+      openssl \
+      shadow-uidmap \
+      xfsprogs \
+      xz
 COPY --link --from=gotestsum /out/gotestsum /usr/bin/
 COPY --link --from=registry /bin/registry /usr/bin/
+COPY --link --from=docker /opt/docker/* /usr/bin/
 COPY --link --from=buildkit /usr/bin/buildkitd /usr/bin/
 COPY --link --from=buildkit /usr/bin/buildctl /usr/bin/
 COPY --link --from=binaries /buildx /usr/bin/
@@ -102,7 +128,7 @@ FROM scratch AS release
 COPY --from=releaser /out/ /
 
 # Shell
-FROM docker:$DOCKERD_VERSION AS dockerd-release
+FROM docker:$DOCKER_VERSION AS dockerd-release
 FROM alpine AS shell
 RUN apk add --no-cache iptables tmux git vim less openssh
 RUN mkdir -p /usr/local/lib/docker/cli-plugins && ln -s /usr/local/bin/buildx /usr/local/lib/docker/cli-plugins/docker-buildx

bake/compose.go

@@ -37,6 +37,7 @@ func ParseCompose(cfgs []compose.ConfigFile, envs map[string]string) (*Config, e
 	}, func(options *loader.Options) {
 		options.SetProjectName("bake", false)
 		options.SkipNormalization = true
+		options.Profiles = []string{"*"}
 	})
 	if err != nil {
 		return nil, err

bake/compose_test.go

@@ -36,6 +36,8 @@ services:
         - token
         - aws
   webapp2:
+    profiles:
+      - test
     build:
       context: ./dir
       dockerfile_inline: |

bake/remote.go

@@ -59,7 +59,7 @@ func ReadRemoteFiles(ctx context.Context, nodes []builder.Node, url string, name
 
 	ch, done := progress.NewChannel(pw)
 	defer func() { <-done }()
-	_, err = c.Build(ctx, client.SolveOpt{Session: session}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+	_, err = c.Build(ctx, client.SolveOpt{Session: session, Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 		def, err := st.Marshal(ctx)
 		if err != nil {
 			return nil, err

build/build.go

@@ -642,7 +642,7 @@ func toSolveOpt(ctx context.Context, node builder.Node, multiDriver bool, opt Op
 	}
 
 	// setup extrahosts
-	extraHosts, err := toBuildkitExtraHosts(opt.ExtraHosts, nodeDriver.IsMobyDriver())
+	extraHosts, err := toBuildkitExtraHosts(ctx, opt.ExtraHosts, nodeDriver)
 	if err != nil {
 		return nil, nil, err
 	}

build/result.go

@@ -160,6 +160,7 @@ func NewResultHandle(ctx context.Context, cc *client.Client, opt client.SolveOpt
 		opt.Ref = ""
 		opt.Exports = nil
 		opt.CacheExports = nil
+		opt.Internal = true
 		_, respErr = cc.Build(ctx, opt, "buildx", func(ctx context.Context, c gateway.Client) (*gateway.Result, error) {
 			res, err := evalDefinition(ctx, c, def)
 			if err != nil {

build/url.go

@@ -21,7 +21,7 @@ func createTempDockerfileFromURL(ctx context.Context, d *driver.DriverHandle, ur
 	var out string
 	ch, done := progress.NewChannel(pw)
 	defer func() { <-done }()
-	_, err = c.Build(ctx, client.SolveOpt{}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
+	_, err = c.Build(ctx, client.SolveOpt{Internal: true}, "buildx", func(ctx context.Context, c gwclient.Client) (*gwclient.Result, error) {
 		def, err := llb.HTTP(url, llb.Filename("Dockerfile"), llb.WithCustomNamef("[internal] load %s", url)).Marshal(ctx)
 		if err != nil {
 			return nil, err

build/utils.go

@@ -3,10 +3,12 @@ package build
 import (
 	"archive/tar"
 	"bytes"
+	"context"
 	"net"
 	"os"
 	"strings"
 
+	"github.com/docker/buildx/driver"
 	"github.com/docker/cli/opts"
 	"github.com/docker/docker/builder/remotecontext/urlutil"
 	"github.com/moby/buildkit/util/gitutil"
@@ -57,7 +59,7 @@ func isArchive(header []byte) bool {
 }
 
 // toBuildkitExtraHosts converts hosts from docker key:value format to buildkit's csv format
-func toBuildkitExtraHosts(inp []string, mobyDriver bool) (string, error) {
+func toBuildkitExtraHosts(ctx context.Context, inp []string, nodeDriver *driver.DriverHandle) (string, error) {
 	if len(inp) == 0 {
 		return "", nil
 	}
@@ -67,11 +69,16 @@ func toBuildkitExtraHosts(inp []string, mobyDriver bool) (string, error) {
 		if !ok || host == "" || ip == "" {
 			return "", errors.Errorf("invalid host %s", h)
 		}
-		// Skip IP address validation for "host-gateway" string with moby driver
+		// If the IP Address is a "host-gateway", replace this value with the
-		if !mobyDriver || ip != mobyHostGatewayName {
+		// IP address provided by the worker's label.
-			if net.ParseIP(ip) == nil {
+		if ip == mobyHostGatewayName {
-				return "", errors.Errorf("invalid host %s", h)
+			hgip, err := nodeDriver.HostGatewayIP(ctx)
+			if err != nil {
+				return "", errors.Wrap(err, "unable to derive the IP value for host-gateway")
 			}
+			ip = hgip.String()
+		} else if net.ParseIP(ip) == nil {
+			return "", errors.Errorf("invalid host %s", h)
 		}
 		hosts = append(hosts, host+"="+ip)
 	}

builder/node.go

@@ -82,12 +82,12 @@ func (b *Builder) LoadNodes(ctx context.Context, withData bool) (_ []Node, err e
 				contextStore := b.opts.dockerCli.ContextStore()
 
 				var kcc driver.KubeClientConfig
-				kcc, err = ctxkube.ConfigFromContext(n.Endpoint, contextStore)
+				kcc, err = ctxkube.ConfigFromEndpoint(n.Endpoint, contextStore)
 				if err != nil {
 					// err is returned if n.Endpoint is non-context name like "unix:///var/run/docker.sock".
 					// try again with name="default".
 					// FIXME(@AkihiroSuda): n should retain real context name.
-					kcc, err = ctxkube.ConfigFromContext("default", contextStore)
+					kcc, err = ctxkube.ConfigFromEndpoint("default", contextStore)
 					if err != nil {
 						logrus.Error(err)
 					}

commands/build.go

@@ -487,7 +487,8 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.StringArrayVar(&options.platforms, "platform", platformsDefault, "Set target platform for build")
 
 	if isExperimental() {
-		flags.StringVar(&options.printFunc, "print", "", "Print result of information request (e.g., outline, targets) [experimental]")
+		flags.StringVar(&options.printFunc, "print", "", "Print result of information request (e.g., outline, targets)")
+		flags.SetAnnotation("print", "experimentalCLI", nil)
 	}
 
 	flags.BoolVar(&options.exportPush, "push", false, `Shorthand for "--output=type=registry"`)
@@ -514,10 +515,14 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.StringVar(&options.provenance, "provenance", "", `Shorthand for "--attest=type=provenance"`)
 
 	if isExperimental() {
-		flags.StringVar(&invokeFlag, "invoke", "", "Invoke a command after the build [experimental]")
+		flags.StringVar(&invokeFlag, "invoke", "", "Invoke a command after the build")
-		flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect [experimental]")
+		flags.SetAnnotation("invoke", "experimentalCLI", nil)
-		flags.BoolVar(&options.Detach, "detach", false, "Detach buildx server (supported only on linux) [experimental]")
+		flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect")
-		flags.StringVar(&options.ServerConfig, "server-config", "", "Specify buildx server config file (used only when launching new server) [experimental]")
+		flags.SetAnnotation("root", "experimentalCLI", nil)
+		flags.BoolVar(&options.Detach, "detach", false, "Detach buildx server (supported only on linux)")
+		flags.SetAnnotation("detach", "experimentalCLI", nil)
+		flags.StringVar(&options.ServerConfig, "server-config", "", "Specify buildx server config file (used only when launching new server)")
+		flags.SetAnnotation("server-config", "experimentalCLI", nil)
 	}
 
 	// hidden flags
@@ -540,6 +545,7 @@ func buildCmd(dockerCli command.Cli, rootOpts *rootOptions) *cobra.Command {
 	flags.BoolVar(&ignoreBool, "squash", false, "Squash newly built layers into a single new layer")
 	flags.MarkHidden("squash")
 	flags.SetAnnotation("squash", "flag-warn", []string{"experimental flag squash is removed with BuildKit. You should squash inside build using a multi-stage Dockerfile for efficiency."})
+	flags.SetAnnotation("squash", "experimentalCLI", nil)
 
 	flags.StringVarP(&ignore, "memory", "m", "", "Memory limit")
 	flags.MarkHidden("memory")

commands/debug-shell.go

@@ -24,6 +24,9 @@ func debugShellCmd(dockerCli command.Cli) *cobra.Command {
 	cmd := &cobra.Command{
 		Use:   "debug-shell",
 		Short: "Start a monitor",
+		Annotations: map[string]string{
+			"experimentalCLI": "",
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			printer, err := progress.NewPrinter(context.TODO(), os.Stderr, os.Stderr, progressMode)
 			if err != nil {
@@ -55,9 +58,15 @@ func debugShellCmd(dockerCli command.Cli) *cobra.Command {
 
 	flags := cmd.Flags()
 
-	flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect [experimental]")
+	flags.StringVar(&options.Root, "root", "", "Specify root directory of server to connect")
-	flags.BoolVar(&options.Detach, "detach", runtime.GOOS == "linux", "Detach buildx server (supported only on linux) [experimental]")
+	flags.SetAnnotation("root", "experimentalCLI", nil)
-	flags.StringVar(&options.ServerConfig, "server-config", "", "Specify buildx server config file (used only when launching new server) [experimental]")
+
+	flags.BoolVar(&options.Detach, "detach", runtime.GOOS == "linux", "Detach buildx server (supported only on linux)")
+	flags.SetAnnotation("detach", "experimentalCLI", nil)
+
+	flags.StringVar(&options.ServerConfig, "server-config", "", "Specify buildx server config file (used only when launching new server)")
+	flags.SetAnnotation("server-config", "experimentalCLI", nil)
+
 	flags.StringVar(&progressMode, "progress", "auto", `Set type of progress output ("auto", "plain", "tty"). Use plain to show container output`)
 
 	return cmd

commands/root.go

@@ -52,17 +52,6 @@ func NewRootCmd(name string, isPlugin bool, dockerCli command.Cli) *cobra.Comman
 		"using default config store",
 	))
 
-	// filter out useless commandConn.CloseWrite warning message that can occur
-	// when listing builder instances with "buildx ls" for those that are
-	// unreachable: "commandConn.CloseWrite: commandconn: failed to wait: signal: killed"
-	// https://github.com/docker/cli/blob/3fb4fb83dfb5db0c0753a8316f21aea54dab32c5/cli/connhelper/commandconn/commandconn.go#L203-L214
-	logrus.AddHook(logutil.NewFilter([]logrus.Level{
-		logrus.WarnLevel,
-	},
-		"commandConn.CloseWrite:",
-		"commandConn.CloseRead:",
-	))
-
 	addCommands(cmd, dockerCli)
 	return cmd
 }

controller/build/build.go

@@ -54,6 +54,7 @@ func RunBuild(ctx context.Context, dockerCli command.Cli, in controllerapi.Build
 			NamedContexts:  contexts,
 		},
 		BuildArgs:     in.BuildArgs,
+		CgroupParent:  in.CgroupParent,
 		ExtraHosts:    in.ExtraHosts,
 		Labels:        in.Labels,
 		NetworkMode:   in.NetworkMode,

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-  default = "1.20"
+  default = null
 }
 variable "DOCS_FORMATS" {
   default = "md"

docs/reference/buildx.md

@@ -9,24 +9,21 @@ Extended build capabilities with BuildKit
 
 ### Subcommands
 
-| Name                                           | Description                                |
+| Name                                   | Description                            |
-|:-----------------------------------------------|:-------------------------------------------|
+|:---------------------------------------|:---------------------------------------|
-| [`_INTERNAL_SERVE`](buildx__INTERNAL_SERVE.md) |                                            |
+| [`bake`](buildx_bake.md)               | Build from a file                      |
-| [`bake`](buildx_bake.md)                       | Build from a file                          |
+| [`build`](buildx_build.md)             | Start a build                          |
-| [`build`](buildx_build.md)                     | Start a build                              |
+| [`create`](buildx_create.md)           | Create a new builder instance          |
-| [`create`](buildx_create.md)                   | Create a new builder instance              |
+| [`debug-shell`](buildx_debug-shell.md) | Start a monitor                        |
-| [`debug-shell`](buildx_debug-shell.md)         | Start a monitor                            |
+| [`du`](buildx_du.md)                   | Disk usage                             |
-| [`du`](buildx_du.md)                           | Disk usage                                 |
+| [`imagetools`](buildx_imagetools.md)   | Commands to work on images in registry |
-| [`imagetools`](buildx_imagetools.md)           | Commands to work on images in registry     |
+| [`inspect`](buildx_inspect.md)         | Inspect current builder instance       |
-| [`inspect`](buildx_inspect.md)                 | Inspect current builder instance           |
+| [`ls`](buildx_ls.md)                   | List builder instances                 |
-| [`install`](buildx_install.md)                 | Install buildx as a 'docker builder' alias |
+| [`prune`](buildx_prune.md)             | Remove build cache                     |
-| [`ls`](buildx_ls.md)                           | List builder instances                     |
+| [`rm`](buildx_rm.md)                   | Remove a builder instance              |
-| [`prune`](buildx_prune.md)                     | Remove build cache                         |
+| [`stop`](buildx_stop.md)               | Stop builder instance                  |
-| [`rm`](buildx_rm.md)                           | Remove a builder instance                  |
+| [`use`](buildx_use.md)                 | Set the current builder instance       |
-| [`stop`](buildx_stop.md)                       | Stop builder instance                      |
+| [`version`](buildx_version.md)         | Show buildx version information        |
-| [`uninstall`](buildx_uninstall.md)             | Uninstall the 'docker builder' alias       |
-| [`use`](buildx_use.md)                         | Set the current builder instance           |
-| [`version`](buildx_version.md)                 | Show buildx version information            |
 
 
 ### Options

docs/reference/buildx_build.md

@@ -24,10 +24,10 @@ Start a build
 | [`--cache-from`](#cache-from)                                                                                                                          | `stringArray` |           | External cache sources (e.g., `user/app:cache`, `type=local,src=path/to/dir`)                       |
 | [`--cache-to`](#cache-to)                                                                                                                              | `stringArray` |           | Cache export destinations (e.g., `user/app:cache`, `type=local,dest=path/to/dir`)                   |
 | [`--cgroup-parent`](https://docs.docker.com/engine/reference/commandline/build/#cgroup-parent)                                                         | `string`      |           | Optional parent cgroup for the container                                                            |
-| `--detach`                                                                                                                                             |               |           | Detach buildx server (supported only on linux) [experimental]                                       |
+| `--detach`                                                                                                                                             |               |           | Detach buildx server (supported only on linux)                                                      |
 | [`-f`](https://docs.docker.com/engine/reference/commandline/build/#file), [`--file`](https://docs.docker.com/engine/reference/commandline/build/#file) | `string`      |           | Name of the Dockerfile (default: `PATH/Dockerfile`)                                                 |
 | `--iidfile`                                                                                                                                            | `string`      |           | Write the image ID to the file                                                                      |
-| `--invoke`                                                                                                                                             | `string`      |           | Invoke a command after the build [experimental]                                                     |
+| `--invoke`                                                                                                                                             | `string`      |           | Invoke a command after the build                                                                    |
 | `--label`                                                                                                                                              | `stringArray` |           | Set metadata for an image                                                                           |
 | [`--load`](#load)                                                                                                                                      |               |           | Shorthand for `--output=type=docker`                                                                |
 | [`--metadata-file`](#metadata-file)                                                                                                                    | `string`      |           | Write build result metadata to the file                                                             |
@@ -36,16 +36,16 @@ Start a build
 | `--no-cache-filter`                                                                                                                                    | `stringArray` |           | Do not cache specified stages                                                                       |
 | [`-o`](#output), [`--output`](#output)                                                                                                                 | `stringArray` |           | Output destination (format: `type=local,dest=path`)                                                 |
 | [`--platform`](#platform)                                                                                                                              | `stringArray` |           | Set target platform for build                                                                       |
-| `--print`                                                                                                                                              | `string`      |           | Print result of information request (e.g., outline, targets) [experimental]                         |
+| `--print`                                                                                                                                              | `string`      |           | Print result of information request (e.g., outline, targets)                                        |
 | [`--progress`](#progress)                                                                                                                              | `string`      | `auto`    | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output            |
 | [`--provenance`](#provenance)                                                                                                                          | `string`      |           | Shorthand for `--attest=type=provenance`                                                            |
 | `--pull`                                                                                                                                               |               |           | Always attempt to pull all referenced images                                                        |
 | [`--push`](#push)                                                                                                                                      |               |           | Shorthand for `--output=type=registry`                                                              |
 | `-q`, `--quiet`                                                                                                                                        |               |           | Suppress the build output and print image ID on success                                             |
-| `--root`                                                                                                                                               | `string`      |           | Specify root directory of server to connect [experimental]                                          |
+| `--root`                                                                                                                                               | `string`      |           | Specify root directory of server to connect                                                         |
 | [`--sbom`](#sbom)                                                                                                                                      | `string`      |           | Shorthand for `--attest=type=sbom`                                                                  |
 | [`--secret`](#secret)                                                                                                                                  | `stringArray` |           | Secret to expose to the build (format: `id=mysecret[,src=/local/secret]`)                           |
-| `--server-config`                                                                                                                                      | `string`      |           | Specify buildx server config file (used only when launching new server) [experimental]              |
+| `--server-config`                                                                                                                                      | `string`      |           | Specify buildx server config file (used only when launching new server)                             |
 | [`--shm-size`](#shm-size)                                                                                                                              | `bytes`       | `0`       | Size of `/dev/shm`                                                                                  |
 | [`--ssh`](#ssh)                                                                                                                                        | `stringArray` |           | SSH agent socket or keys to expose to the build (format: `default\|<id>[=<socket>\|<key>[,<key>]]`) |
 | [`-t`](https://docs.docker.com/engine/reference/commandline/build/#tag), [`--tag`](https://docs.docker.com/engine/reference/commandline/build/#tag)    | `stringArray` |           | Name and optionally a tag (format: `name:tag`)                                                      |
@@ -125,7 +125,6 @@ Same as [`docker build` command](https://docs.docker.com/engine/reference/comman
 There are also useful built-in build args like:
 
 * `BUILDKIT_CONTEXT_KEEP_GIT_DIR=<bool>` trigger git context to keep the `.git` directory
-* `BUILDKIT_INLINE_BUILDINFO_ATTRS=<bool>` inline build info attributes in image config or not
 * `BUILDKIT_INLINE_CACHE=<bool>` inline cache metadata to image config or not
 * `BUILDKIT_MULTI_PLATFORM=<bool>` opt into deterministic output regardless of multi-platform output or not
 
@@ -286,26 +285,6 @@ $ cat metadata.json
 ```
 ```json
 {
-  "containerimage.buildinfo": {
-    "frontend": "dockerfile.v0",
-    "attrs": {
-      "context": "https://github.com/crazy-max/buildkit-buildsources-test.git#master",
-      "filename": "Dockerfile",
-      "source": "docker/dockerfile:master"
-    },
-    "sources": [
-      {
-        "type": "docker-image",
-        "ref": "docker.io/docker/buildx-bin:0.6.1@sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0",
-        "pin": "sha256:a652ced4a4141977c7daaed0a074dcd9844a78d7d2615465b12f433ae6dd29f0"
-      },
-      {
-        "type": "docker-image",
-        "ref": "docker.io/library/alpine:3.13",
-        "pin": "sha256:026f721af4cf2843e07bba648e158fb35ecc876d822130633cc49f707f0fc88c"
-      }
-    ]
-  },
   "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
   "containerimage.descriptor": {
     "annotations": {

docs/reference/buildx_debug-shell.md

@@ -8,10 +8,10 @@ Start a monitor
 | Name              | Type     | Default | Description                                                                              |
 |:------------------|:---------|:--------|:-----------------------------------------------------------------------------------------|
 | `--builder`       | `string` |         | Override the configured builder instance                                                 |
-| `--detach`        |          |         | Detach buildx server (supported only on linux) [experimental]                            |
+| `--detach`        |          |         | Detach buildx server (supported only on linux)                                           |
 | `--progress`      | `string` | `auto`  | Set type of progress output (`auto`, `plain`, `tty`). Use plain to show container output |
-| `--root`          | `string` |         | Specify root directory of server to connect [experimental]                               |
+| `--root`          | `string` |         | Specify root directory of server to connect                                              |
-| `--server-config` | `string` |         | Specify buildx server config file (used only when launching new server) [experimental]   |
+| `--server-config` | `string` |         | Specify buildx server config file (used only when launching new server)                  |
 
 
 <!---MARKER_GEN_END-->

docs/reference/buildx_install.md

@@ -1,11 +0,0 @@
-# buildx install
-
-```
-docker buildx install
-```
-
-<!---MARKER_GEN_START-->
-Install buildx as a 'docker builder' alias
-
-
-<!---MARKER_GEN_END-->

docs/reference/buildx_uninstall.md

@@ -1,11 +0,0 @@
-# buildx uninstall
-
-```
-docker buildx uninstall
-```
-
-<!---MARKER_GEN_START-->
-Uninstall the 'docker builder' alias
-
-
-<!---MARKER_GEN_END-->

driver/manager.go

@@ -2,17 +2,17 @@ package driver
 
 import (
 	"context"
+	"net"
 	"os"
 	"sort"
 	"strings"
 	"sync"
 
-	"k8s.io/client-go/rest"
-
 	dockerclient "github.com/docker/docker/client"
 	"github.com/moby/buildkit/client"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"k8s.io/client-go/rest"
 )
 
 type Factory interface {
@@ -154,6 +154,9 @@ type DriverHandle struct {
 	features                map[Feature]bool
 	historyAPISupportedOnce sync.Once
 	historyAPISupported     bool
+	hostGatewayIPOnce       sync.Once
+	hostGatewayIP           net.IP
+	hostGatewayIPErr        error
 }
 
 func (d *DriverHandle) Client(ctx context.Context) (*client.Client, error) {
@@ -178,3 +181,36 @@ func (d *DriverHandle) HistoryAPISupported(ctx context.Context) bool {
 	})
 	return d.historyAPISupported
 }
+
+func (d *DriverHandle) HostGatewayIP(ctx context.Context) (net.IP, error) {
+	d.hostGatewayIPOnce.Do(func() {
+		if !d.Driver.IsMobyDriver() {
+			d.hostGatewayIPErr = errors.New("host-gateway is only supported with the docker driver")
+			return
+		}
+		c, err := d.Client(ctx)
+		if err != nil {
+			d.hostGatewayIPErr = err
+			return
+		}
+		workers, err := c.ListWorkers(ctx)
+		if err != nil {
+			d.hostGatewayIPErr = errors.Wrap(err, "listing workers")
+			return
+		}
+		for _, w := range workers {
+			// should match github.com/docker/docker/builder/builder-next/worker/label.HostGatewayIP const
+			if v, ok := w.Labels["org.mobyproject.buildkit.worker.moby.host-gateway-ip"]; ok && v != "" {
+				ip := net.ParseIP(v)
+				if ip == nil {
+					d.hostGatewayIPErr = errors.Errorf("failed to parse host-gateway IP: %s", v)
+					return
+				}
+				d.hostGatewayIP = ip
+				return
+			}
+		}
+		d.hostGatewayIPErr = errors.New("host-gateway IP not found")
+	})
+	return d.hostGatewayIP, d.hostGatewayIPErr
+}

go.mod

@@ -10,10 +10,10 @@ require (
 	github.com/containerd/containerd v1.7.2
 	github.com/containerd/continuity v0.4.1
 	github.com/containerd/typeurl/v2 v2.1.1
-	github.com/docker/cli v24.0.2+incompatible
+	github.com/docker/cli v24.0.4+incompatible
-	github.com/docker/cli-docs-tool v0.5.1
+	github.com/docker/cli-docs-tool v0.6.0
 	github.com/docker/distribution v2.8.2+incompatible
-	github.com/docker/docker v24.0.2+incompatible
+	github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible // 24.0
 	github.com/docker/go-units v0.5.0
 	github.com/gofrs/flock v0.8.1
 	github.com/gogo/protobuf v1.3.2
@@ -22,7 +22,7 @@ require (
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-cty-funcs v0.0.0-20200930094925-2721b1e36840
 	github.com/hashicorp/hcl/v2 v2.8.2
-	github.com/moby/buildkit v0.11.0-rc3.0.20230609092854-67a08623b95a
+	github.com/moby/buildkit v0.12.1-0.20230717122532-faa0cc7da353 // v0.12.1-dev
 	github.com/moby/sys/mountinfo v0.6.2
 	github.com/moby/sys/signal v0.7.0
 	github.com/morikuni/aec v1.0.0
@@ -138,10 +138,10 @@ require (
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
 	github.com/spf13/viper v1.14.0 // indirect
 	github.com/theupdateframework/notary v0.6.1 // indirect
-	github.com/tonistiigi/fsutil v0.0.0-20230407161946-9e7a6df48576 // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
-	github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f // indirect
+	github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.40.0 // indirect

go.sum

@@ -149,14 +149,14 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/distribution/v3 v3.0.0-20230214150026-36d8c594d7aa h1:L9Ay/slwQ4ERSPaurC+TVkZrM0K98GNrEEo1En3e8as=
 github.com/distribution/distribution/v3 v3.0.0-20230214150026-36d8c594d7aa/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
-github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM=
+github.com/docker/cli v24.0.4+incompatible h1:Y3bYF9ekNTm2VFz5U/0BlMdJy73D+Y1iAAZ8l63Ydzw=
-github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v24.0.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli-docs-tool v0.5.1 h1:jIk/cCZurZERhALPVKhqlNxTQGxn2kcI+56gE57PQXg=
+github.com/docker/cli-docs-tool v0.6.0 h1:Z9x10SaZgFaB6jHgz3OWooynhSa40CsWkpe5hEnG/qA=
-github.com/docker/cli-docs-tool v0.5.1/go.mod h1:zMjqTFCU361PRh8apiXzeAZ1Q/xupbIwTusYpzCXS/o=
+github.com/docker/cli-docs-tool v0.6.0/go.mod h1:zMjqTFCU361PRh8apiXzeAZ1Q/xupbIwTusYpzCXS/o=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
+github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible h1:sdGvA1bxu/1J51gAs1XU0bZC+2WxncYnI210as3c6g8=
-github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
@@ -371,8 +371,8 @@ github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7 h1:DpOJ2HYzC
 github.com/mitchellh/go-wordwrap v0.0.0-20150314170334-ad45545899c7/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.11.0-rc3.0.20230609092854-67a08623b95a h1:1k3bAXwxC2N1FncWijq/43sLj2OVIZ11FT0APIXWhMg=
+github.com/moby/buildkit v0.12.1-0.20230717122532-faa0cc7da353 h1:/ZIwqvOF3QKObJbjX96xVvAKtnWdw/AuEqysbbujaZA=
-github.com/moby/buildkit v0.11.0-rc3.0.20230609092854-67a08623b95a/go.mod h1:4sM7BBBqXOQ+vV6LrVAOAMhZI9cVNYV5RhZCl906a64=
+github.com/moby/buildkit v0.12.1-0.20230717122532-faa0cc7da353/go.mod h1:+n9GmkxwBCjVz4u7wmiyh+oqvjIjQM+1zk3iJrWfdos=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
@@ -484,18 +484,19 @@ github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXl
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/theupdateframework/notary v0.6.1 h1:7wshjstgS9x9F5LuB1L5mBI2xNMObWqjz+cjWoom6l0=
 github.com/theupdateframework/notary v0.6.1/go.mod h1:MOfgIfmox8s7/7fduvB2xyPPMJCrjRLRizA8OFwpnKY=
-github.com/tonistiigi/fsutil v0.0.0-20230407161946-9e7a6df48576 h1:fZXPQDVh5fm2x7pA0CH1TtH80tiZ0L7i834kZqZN8Pw=
+github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb h1:uUe8rNyVXM8moActoBol6Xf6xX2GMr7SosR2EywMvGg=
-github.com/tonistiigi/fsutil v0.0.0-20230407161946-9e7a6df48576/go.mod h1:q1CxMSzcAbjUkVGHoZeQUcCaALnaE4XdWk+zJcgMYFw=
+github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb/go.mod h1:SxX/oNQ/ag6Vaoli547ipFK9J7BZn5JqJG0JE8lf8bA=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea/go.mod h1:WPnis/6cRcDZSUvVmezrxJPkiO87ThFYsoUiMwWNDJk=
-github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f h1:DLpt6B5oaaS8jyXHa9VA4rrZloBVPVXeCtrOsrFauxc=
+github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531 h1:Y/M5lygoNPKwVNLMPXgVfsRT40CSFKXCxuU8LoHySjs=
-github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f/go.mod h1:ulncasL3N9uLrVann0m+CDlJKWsIAP34MPcOJF6VRvc=
+github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531/go.mod h1:ulncasL3N9uLrVann0m+CDlJKWsIAP34MPcOJF6VRvc=
 github.com/vbatts/tar-split v0.11.2 h1:Via6XqJr0hceW4wff3QRzD5gAk/tatMw/4ZA7cTlIME=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
-github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=

hack/dockerfiles/docs.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20
+ARG GO_VERSION=1.20.6
 ARG FORMATS=md,yaml
 
 FROM golang:${GO_VERSION}-alpine AS docsgen

hack/dockerfiles/generated-files.Dockerfile

@@ -5,11 +5,11 @@
 # Copyright The Buildx Authors.
 # Licensed under the Apache License, Version 2.0
 
-ARG GO_VERSION="1.20"
+ARG GO_VERSION="1.20.6"
 ARG PROTOC_VERSION="3.11.4"
 
 # protoc is dynamically linked to glibc so can't use alpine base
-FROM golang:${GO_VERSION}-buster AS base
+FROM golang:${GO_VERSION}-bookworm AS base
 RUN apt-get update && apt-get --no-install-recommends install -y git unzip
 ARG PROTOC_VERSION
 ARG TARGETOS

hack/dockerfiles/lint.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20
+ARG GO_VERSION=1.20.6
 
 FROM golang:${GO_VERSION}-alpine
 RUN apk add --no-cache git gcc musl-dev

hack/dockerfiles/vendor.Dockerfile

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.20
+ARG GO_VERSION=1.20.6
 ARG MODOUTDATED_VERSION=v0.8.0
 
 FROM golang:${GO_VERSION}-alpine AS base

store/store_test.go

@@ -235,3 +235,26 @@ func TestNodeManagement(t *testing.T) {
 	require.NotNil(t, ng)
 	require.Equal(t, "mybuild", ng.Name)
 }
+
+func TestNodeInvalidName(t *testing.T) {
+	t.Parallel()
+	tmpdir := t.TempDir()
+
+	s, err := New(tmpdir)
+	require.NoError(t, err)
+
+	txn, release, err := s.Txn()
+	require.NoError(t, err)
+	defer release()
+
+	_, err = txn.NodeGroupByName("123builder")
+	require.Error(t, err)
+	require.True(t, IsErrInvalidName(err))
+
+	err = txn.Save(&NodeGroup{
+		Name:   "123builder",
+		Driver: "mydriver",
+	})
+	require.Error(t, err)
+	require.True(t, IsErrInvalidName(err))
+}

store/storeutil/storeutil.go

@@ -74,7 +74,7 @@ func GetCurrentInstance(txn *store.Txn, dockerCli command.Cli) (*store.NodeGroup
 func GetNodeGroup(txn *store.Txn, dockerCli command.Cli, name string) (*store.NodeGroup, error) {
 	ng, err := txn.NodeGroupByName(name)
 	if err != nil {
-		if !os.IsNotExist(errors.Cause(err)) {
+		if !os.IsNotExist(errors.Cause(err)) && !store.IsErrInvalidName(err) {
 			return nil, err
 		}
 	}

store/util.go

@@ -11,9 +11,28 @@ import (
 
 var namePattern = regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9\.\-_]*$`)
 
+type errInvalidName struct {
+	error
+}
+
+func (e *errInvalidName) Error() string {
+	return e.error.Error()
+}
+
+func (e *errInvalidName) Unwrap() error {
+	return e.error
+}
+
+func IsErrInvalidName(err error) bool {
+	_, ok := err.(*errInvalidName)
+	return ok
+}
+
 func ValidateName(s string) (string, error) {
 	if !namePattern.MatchString(s) {
-		return "", errors.Errorf("invalid name %s, name needs to start with a letter and may not contain symbols, except ._-", s)
+		return "", &errInvalidName{
+			errors.Errorf("invalid name %s, name needs to start with a letter and may not contain symbols, except ._-", s),
+		}
 	}
 	return strings.ToLower(s), nil
 }

tests/build.go

@@ -3,10 +3,11 @@ package tests
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"os"
+	"path"
 	"path/filepath"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -16,6 +17,7 @@ import (
 	"github.com/moby/buildkit/util/testutil"
 	"github.com/moby/buildkit/util/testutil/integration"
 	"github.com/opencontainers/go-digest"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
 )
 
@@ -32,6 +34,7 @@ var buildTests = []func(t *testing.T, sb integration.Sandbox){
 	testBuildLocalExport,
 	testBuildRegistryExport,
 	testBuildTarExport,
+	testBuildDetailsLink,
 }
 
 func testBuild(t *testing.T, sb integration.Sandbox) {
@@ -139,6 +142,48 @@ func testImageIDOutput(t *testing.T, sb integration.Sandbox) {
 	require.Equal(t, dgst, digest.Digest(md.ConfigDigest))
 }
 
+func testBuildDetailsLink(t *testing.T, sb integration.Sandbox) {
+	buildDetailsPattern := regexp.MustCompile(`(?m)^View build details: docker-desktop://dashboard/build/[^/]+/[^/]+/[^/]+\n$`)
+
+	// build simple dockerfile
+	dockerfile := []byte(`FROM busybox:latest
+RUN echo foo > /bar`)
+	dir := tmpdir(t, fstest.CreateFile("Dockerfile", dockerfile, 0600))
+	cmd := buildxCmd(sb, withArgs("build", "--output=type=cacheonly", dir))
+	out, err := cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+	require.False(t, buildDetailsPattern.MatchString(string(out)), fmt.Sprintf("build details link not expected in output, got %q", out))
+
+	// create desktop-build .lastaccess file
+	home, err := os.UserHomeDir() // TODO: sandbox should create a temp home dir and expose it through its interface
+	require.NoError(t, err)
+	dbDir := path.Join(home, ".docker", "desktop-build")
+	require.NoError(t, os.MkdirAll(dbDir, 0755))
+	dblaFile, err := os.Create(path.Join(dbDir, ".lastaccess"))
+	require.NoError(t, err)
+	defer func() {
+		dblaFile.Close()
+		if err := os.Remove(dblaFile.Name()); err != nil {
+			t.Fatal(err)
+		}
+	}()
+
+	// build again
+	cmd = buildxCmd(sb, withArgs("build", "--output=type=cacheonly", dir))
+	out, err = cmd.CombinedOutput()
+	require.NoError(t, err, string(out))
+	require.True(t, buildDetailsPattern.MatchString(string(out)), fmt.Sprintf("expected build details link in output, got %q", out))
+
+	// build erroneous dockerfile
+	dockerfile = []byte(`FROM busybox:latest
+RUN exit 1`)
+	dir = tmpdir(t, fstest.CreateFile("Dockerfile", dockerfile, 0600))
+	cmd = buildxCmd(sb, withArgs("build", "--output=type=cacheonly", dir))
+	out, err = cmd.CombinedOutput()
+	require.Error(t, err, string(out))
+	require.True(t, buildDetailsPattern.MatchString(string(out)), fmt.Sprintf("expected build details link in output, got %q", out))
+}
+
 func createTestProject(t *testing.T) string {
 	dockerfile := []byte(`
 FROM busybox:latest AS base

tests/integration.go

@@ -47,6 +47,7 @@ func buildxCmd(sb integration.Sandbox, opts ...cmdOpt) *exec.Cmd {
 
 	if builder := sb.Address(); builder != "" {
 		cmd.Args = append(cmd.Args, "--builder="+builder)
+		cmd.Env = append(cmd.Env, "BUILDX_CONFIG=/tmp/buildx-"+builder)
 	}
 	if context := sb.DockerAddress(); context != "" {
 		cmd.Env = append(cmd.Env, "DOCKER_CONTEXT="+context)

tests/workers/docker-container.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"os"
 	"os/exec"
+	"sync"
 
 	"github.com/moby/buildkit/identity"
 	"github.com/moby/buildkit/util/testutil/integration"
@@ -18,6 +19,11 @@ func InitDockerContainerWorker() {
 
 type containerWorker struct {
 	id string
+
+	docker      integration.Backend
+	dockerClose func() error
+	dockerErr   error
+	dockerOnce  sync.Once
 }
 
 func (w *containerWorker) Name() string {
@@ -29,9 +35,11 @@ func (w *containerWorker) Rootless() bool {
 }
 
 func (w *containerWorker) New(ctx context.Context, cfg *integration.BackendConfig) (integration.Backend, func() error, error) {
-	bk, bkclose, err := dockerWorker{id: w.id}.New(ctx, cfg)
+	w.dockerOnce.Do(func() {
-	if err != nil {
+		w.docker, w.dockerClose, w.dockerErr = dockerWorker{id: w.id}.New(ctx, cfg)
-		return bk, bkclose, err
+	})
+	if w.dockerErr != nil {
+		return w.docker, w.dockerClose, w.dockerErr
 	}
 
 	name := "integration-container-" + identity.NewID()
@@ -42,25 +50,36 @@ func (w *containerWorker) New(ctx context.Context, cfg *integration.BackendConfi
 		"--driver=docker-container",
 		"--driver-opt=network=host",
 	)
-	cmd.Env = append(os.Environ(), "DOCKER_CONTEXT="+bk.DockerAddress())
+	cmd.Env = append(
+		os.Environ(),
+		"BUILDX_CONFIG=/tmp/buildx-"+name,
+		"DOCKER_CONTEXT="+w.docker.DockerAddress(),
+	)
 	if err := cmd.Run(); err != nil {
 		return nil, nil, errors.Wrapf(err, "failed to create buildx instance %s", name)
 	}
 
 	cl := func() error {
-		var err error
-		if err1 := bkclose(); err == nil {
-			err = err1
-		}
 		cmd := exec.Command("buildx", "rm", "-f", name)
-		if err1 := cmd.Run(); err == nil {
+		return cmd.Run()
-			err = err1
-		}
-		return err
 	}
 
 	return &backend{
-		context: bk.DockerAddress(),
+		context: w.docker.DockerAddress(),
 		builder: name,
 	}, cl, nil
 }
+
+func (w *containerWorker) Close() error {
+	if close := w.dockerClose; close != nil {
+		return close()
+	}
+
+	// reset the worker to be ready to go again
+	w.docker = nil
+	w.dockerClose = nil
+	w.dockerErr = nil
+	w.dockerOnce = sync.Once{}
+
+	return nil
+}

tests/workers/docker.go

@@ -2,6 +2,7 @@ package workers
 
 import (
 	"context"
+	"os"
 	"os/exec"
 
 	"github.com/moby/buildkit/identity"
@@ -41,8 +42,9 @@ func (c dockerWorker) New(ctx context.Context, cfg *integration.BackendConfig) (
 		name,
 		"--docker", "host="+bk.DockerAddress(),
 	)
+	cmd.Env = append(os.Environ(), "BUILDX_CONFIG=/tmp/buildx-"+name)
 	if err := cmd.Run(); err != nil {
-		return nil, cl, errors.Wrapf(err, "failed to create buildx instance %s", name)
+		return bk, cl, errors.Wrapf(err, "failed to create buildx instance %s", name)
 	}
 
 	cl = func() error {
@@ -62,3 +64,7 @@ func (c dockerWorker) New(ctx context.Context, cfg *integration.BackendConfig) (
 		context: name,
 	}, cl, nil
 }
+
+func (c dockerWorker) Close() error {
+	return nil
+}

tests/workers/remote.go

@@ -2,6 +2,7 @@ package workers
 
 import (
 	"context"
+	"os"
 	"os/exec"
 
 	"github.com/moby/buildkit/identity"
@@ -41,6 +42,7 @@ func (w remoteWorker) New(ctx context.Context, cfg *integration.BackendConfig) (
 		"--driver=remote",
 		bk.Address(),
 	)
+	cmd.Env = append(os.Environ(), "BUILDX_CONFIG=/tmp/buildx-"+name)
 	if err := cmd.Run(); err != nil {
 		return nil, nil, errors.Wrapf(err, "failed to create buildx instance %s", name)
 	}
@@ -61,3 +63,7 @@ func (w remoteWorker) New(ctx context.Context, cfg *integration.BackendConfig) (
 		builder: name,
 	}, cl, nil
 }
+
+func (w remoteWorker) Close() error {
+	return nil
+}

util/desktop/desktop.go

@@ -81,6 +81,6 @@ func (e *ErrorWithBuildRef) Print(w io.Writer) error {
 	if _, err := console.ConsoleFromFile(os.Stderr); err == nil {
 		term = true
 	}
-	fmt.Fprintf(w, "\n%s", BuildDetailsOutput(map[string]string{"default": e.Ref}, term))
+	fmt.Fprintf(w, "\n%s\n", BuildDetailsOutput(map[string]string{"default": e.Ref}, term))
 	return nil
 }

util/imagetools/inspect.go

@@ -15,9 +15,7 @@ import (
 	clitypes "github.com/docker/cli/cli/config/types"
 	"github.com/docker/distribution/reference"
 	"github.com/moby/buildkit/util/contentutil"
-	"github.com/moby/buildkit/util/imageutil"
 	"github.com/moby/buildkit/util/tracing"
-	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/sirupsen/logrus"
 )
@@ -162,11 +160,3 @@ func RegistryAuthForRef(ref string, a Auth) (string, error) {
 	}
 	return base64.URLEncoding.EncodeToString(buf), nil
 }
-
-func (r *Resolver) ImageConfig(ctx context.Context, in string, platform *ocispec.Platform) (digest.Digest, []byte, error) {
-	in, _, err := r.Resolve(ctx, in)
-	if err != nil {
-		return "", nil, err
-	}
-	return imageutil.Config(ctx, in, r.resolver(), r.buffer, nil, platform)
-}

vendor/github.com/docker/cli-docs-tool/clidocstool_md.go

@@ -53,6 +53,12 @@ func (c *Client) GenMarkdownTree(cmd *cobra.Command) error {
 		return nil
 	}
 
+	// Skip hidden command
+	if cmd.Hidden {
+		log.Printf("INFO: Skipping Markdown for %q (hidden command)", cmd.CommandPath())
+		return nil
+	}
+
 	log.Printf("INFO: Generating Markdown for %q", cmd.CommandPath())
 	mdFile := mdFilename(cmd)
 	sourcePath := filepath.Join(c.source, mdFile)
@@ -208,6 +214,9 @@ func mdCmdOutput(cmd *cobra.Command, old string) (string, error) {
 		b.WriteString("### Subcommands\n\n")
 		table := newMdTable("Name", "Description")
 		for _, c := range cmd.Commands() {
+			if c.Hidden {
+				continue
+			}
 			table.AddRow(fmt.Sprintf("[`%s`](%s)", c.Name(), mdFilename(c)), c.Short)
 		}
 		b.WriteString(table.String() + "\n")

vendor/github.com/docker/cli-docs-tool/clidocstool_yaml.go

@@ -62,6 +62,7 @@ type cmdDoc struct {
 	InheritedOptions []cmdOption `yaml:"inherited_options,omitempty"`
 	Example          string      `yaml:"examples,omitempty"`
 	Deprecated       bool
+	Hidden           bool
 	MinAPIVersion    string `yaml:"min_api_version,omitempty"`
 	Experimental     bool
 	ExperimentalCLI  bool
@@ -155,6 +156,7 @@ func (c *Client) genYamlCustom(cmd *cobra.Command, w io.Writer) error {
 		Long:       forceMultiLine(cmd.Long, longMaxWidth),
 		Example:    cmd.Example,
 		Deprecated: len(cmd.Deprecated) > 0,
+		Hidden:     cmd.Hidden,
 	}
 
 	if len(cliDoc.Long) == 0 {

vendor/github.com/docker/cli/cli/command/cli.go

@@ -8,7 +8,6 @@ import (
 	"path/filepath"
 	"runtime"
 	"strconv"
-	"strings"
 	"sync"
 	"time"
 
@@ -327,13 +326,8 @@ func (cli *DockerCli) getInitTimeout() time.Duration {
 
 func (cli *DockerCli) initializeFromClient() {
 	ctx := context.Background()
-	if !strings.HasPrefix(cli.dockerEndpoint.Host, "ssh://") {
+	ctx, cancel := context.WithTimeout(ctx, cli.getInitTimeout())
-		// @FIXME context.WithTimeout doesn't work with connhelper / ssh connections
+	defer cancel()
-		// time="2020-04-10T10:16:26Z" level=warning msg="commandConn.CloseWrite: commandconn: failed to wait: signal: killed"
-		var cancel func()
-		ctx, cancel = context.WithTimeout(ctx, cli.getInitTimeout())
-		defer cancel()
-	}
 
 	ping, err := cli.client.Ping(ctx)
 	if err != nil {
@@ -381,7 +375,7 @@ func (cli *DockerCli) ContextStore() store.Store {
 // the "default" context is used if:
 //
 //   - The "--host" option is set
-//   - The "DOCKER_HOST" ([DefaultContextName]) environment variable is set
+//   - The "DOCKER_HOST" ([client.EnvOverrideHost]) environment variable is set
 //     to a non-empty value.
 //
 // In these cases, the default context is used, which uses the host as

vendor/github.com/docker/cli/cli/connhelper/commandconn/commandconn.go

@@ -23,6 +23,7 @@ import (
 	"runtime"
 	"strings"
 	"sync"
+	"sync/atomic"
 	"syscall"
 	"time"
 
@@ -64,81 +65,68 @@ func New(_ context.Context, cmd string, args ...string) (net.Conn, error) {
 
 // commandConn implements net.Conn
 type commandConn struct {
-	cmd           *exec.Cmd
+	cmdMutex     sync.Mutex // for cmd, cmdWaitErr
-	cmdExited     bool
+	cmd          *exec.Cmd
-	cmdWaitErr    error
+	cmdWaitErr   error
-	cmdMutex      sync.Mutex
+	cmdExited    atomic.Bool
-	stdin         io.WriteCloser
+	stdin        io.WriteCloser
-	stdout        io.ReadCloser
+	stdout       io.ReadCloser
-	stderrMu      sync.Mutex
+	stderrMu     sync.Mutex // for stderr
-	stderr        bytes.Buffer
+	stderr       bytes.Buffer
-	stdioClosedMu sync.Mutex // for stdinClosed and stdoutClosed
+	stdinClosed  atomic.Bool
-	stdinClosed   bool
+	stdoutClosed atomic.Bool
-	stdoutClosed  bool
+	closing      atomic.Bool
-	localAddr     net.Addr
+	localAddr    net.Addr
-	remoteAddr    net.Addr
+	remoteAddr   net.Addr
 }
 
-// killIfStdioClosed kills the cmd if both stdin and stdout are closed.
+// kill terminates the process. On Windows it kills the process directly,
-func (c *commandConn) killIfStdioClosed() error {
+// whereas on other platforms, a SIGTERM is sent, before forcefully terminating
-	c.stdioClosedMu.Lock()
+// the process after 3 seconds.
-	stdioClosed := c.stdoutClosed && c.stdinClosed
+func (c *commandConn) kill() {
-	c.stdioClosedMu.Unlock()
+	if c.cmdExited.Load() {
-	if !stdioClosed {
+		return
-		return nil
 	}
-	return c.kill()
+	c.cmdMutex.Lock()
-}
-
-// killAndWait tries sending SIGTERM to the process before sending SIGKILL.
-func killAndWait(cmd *exec.Cmd) error {
 	var werr error
 	if runtime.GOOS != "windows" {
 		werrCh := make(chan error)
-		go func() { werrCh <- cmd.Wait() }()
+		go func() { werrCh <- c.cmd.Wait() }()
-		cmd.Process.Signal(syscall.SIGTERM)
+		_ = c.cmd.Process.Signal(syscall.SIGTERM)
 		select {
 		case werr = <-werrCh:
 		case <-time.After(3 * time.Second):
-			cmd.Process.Kill()
+			_ = c.cmd.Process.Kill()
 			werr = <-werrCh
 		}
 	} else {
-		cmd.Process.Kill()
+		_ = c.cmd.Process.Kill()
-		werr = cmd.Wait()
+		werr = c.cmd.Wait()
 	}
-	return werr
+	c.cmdWaitErr = werr
+	c.cmdMutex.Unlock()
+	c.cmdExited.Store(true)
 }
 
-// kill returns nil if the command terminated, regardless to the exit status.
+// handleEOF handles io.EOF errors while reading or writing from the underlying
-func (c *commandConn) kill() error {
+// command pipes.
-	var werr error
+//
-	c.cmdMutex.Lock()
+// When we've received an EOF we expect that the command will
-	if c.cmdExited {
+// be terminated soon. As such, we call Wait() on the command
-		werr = c.cmdWaitErr
+// and return EOF or the error depending on whether the command
-	} else {
+// exited with an error.
-		werr = killAndWait(c.cmd)
+//
-		c.cmdWaitErr = werr
+// If Wait() does not return within 10s, an error is returned
-		c.cmdExited = true
+func (c *commandConn) handleEOF(err error) error {
-	}
+	if err != io.EOF {
-	c.cmdMutex.Unlock()
+		return err
-	if werr == nil {
-		return nil
-	}
-	wExitErr, ok := werr.(*exec.ExitError)
-	if ok {
-		if wExitErr.ProcessState.Exited() {
-			return nil
-		}
 	}
-	return errors.Wrapf(werr, "commandconn: failed to wait")
-}
 
-func (c *commandConn) onEOF(eof error) error {
-	// when we got EOF, the command is going to be terminated
-	var werr error
 	c.cmdMutex.Lock()
-	if c.cmdExited {
+	defer c.cmdMutex.Unlock()
+
+	var werr error
+	if c.cmdExited.Load() {
 		werr = c.cmdWaitErr
 	} else {
 		werrCh := make(chan error)
@@ -146,18 +134,17 @@ func (c *commandConn) onEOF(eof error) error {
 		select {
 		case werr = <-werrCh:
 			c.cmdWaitErr = werr
-			c.cmdExited = true
+			c.cmdExited.Store(true)
 		case <-time.After(10 * time.Second):
-			c.cmdMutex.Unlock()
 			c.stderrMu.Lock()
 			stderr := c.stderr.String()
 			c.stderrMu.Unlock()
-			return errors.Errorf("command %v did not exit after %v: stderr=%q", c.cmd.Args, eof, stderr)
+			return errors.Errorf("command %v did not exit after %v: stderr=%q", c.cmd.Args, err, stderr)
 		}
 	}
-	c.cmdMutex.Unlock()
+
 	if werr == nil {
-		return eof
+		return err
 	}
 	c.stderrMu.Lock()
 	stderr := c.stderr.String()
@@ -166,71 +153,86 @@ func (c *commandConn) onEOF(eof error) error {
 }
 
 func ignorableCloseError(err error) bool {
-	errS := err.Error()
+	return strings.Contains(err.Error(), os.ErrClosed.Error())
-	ss := []string{
+}
-		os.ErrClosed.Error(),
+
+func (c *commandConn) Read(p []byte) (int, error) {
+	n, err := c.stdout.Read(p)
+	// check after the call to Read, since
+	// it is blocking, and while waiting on it
+	// Close might get called
+	if c.closing.Load() {
+		// If we're currently closing the connection
+		// we don't want to call onEOF
+		return n, err
 	}
-	for _, s := range ss {
+
-		if strings.Contains(errS, s) {
+	return n, c.handleEOF(err)
-			return true
+}
-		}
+
+func (c *commandConn) Write(p []byte) (int, error) {
+	n, err := c.stdin.Write(p)
+	// check after the call to Write, since
+	// it is blocking, and while waiting on it
+	// Close might get called
+	if c.closing.Load() {
+		// If we're currently closing the connection
+		// we don't want to call onEOF
+		return n, err
 	}
-	return false
+
+	return n, c.handleEOF(err)
 }
 
+// CloseRead allows commandConn to implement halfCloser
 func (c *commandConn) CloseRead() error {
 	// NOTE: maybe already closed here
 	if err := c.stdout.Close(); err != nil && !ignorableCloseError(err) {
-		logrus.Warnf("commandConn.CloseRead: %v", err)
+		return err
 	}
-	c.stdioClosedMu.Lock()
+	c.stdoutClosed.Store(true)
-	c.stdoutClosed = true
-	c.stdioClosedMu.Unlock()
-	if err := c.killIfStdioClosed(); err != nil {
-		logrus.Warnf("commandConn.CloseRead: %v", err)
-	}
-	return nil
-}
 
-func (c *commandConn) Read(p []byte) (int, error) {
+	if c.stdinClosed.Load() {
-	n, err := c.stdout.Read(p)
+		c.kill()
-	if err == io.EOF {
-		err = c.onEOF(err)
 	}
-	return n, err
+
+	return nil
 }
 
+// CloseWrite allows commandConn to implement halfCloser
 func (c *commandConn) CloseWrite() error {
 	// NOTE: maybe already closed here
 	if err := c.stdin.Close(); err != nil && !ignorableCloseError(err) {
-		logrus.Warnf("commandConn.CloseWrite: %v", err)
+		return err
-	}
-	c.stdioClosedMu.Lock()
-	c.stdinClosed = true
-	c.stdioClosedMu.Unlock()
-	if err := c.killIfStdioClosed(); err != nil {
-		logrus.Warnf("commandConn.CloseWrite: %v", err)
 	}
-	return nil
+	c.stdinClosed.Store(true)
-}
 
-func (c *commandConn) Write(p []byte) (int, error) {
+	if c.stdoutClosed.Load() {
-	n, err := c.stdin.Write(p)
+		c.kill()
-	if err == io.EOF {
-		err = c.onEOF(err)
 	}
-	return n, err
+	return nil
 }
 
+// Close is the net.Conn func that gets called
+// by the transport when a dial is cancelled
+// due to it's context timing out. Any blocked
+// Read or Write calls will be unblocked and
+// return errors. It will block until the underlying
+// command has terminated.
 func (c *commandConn) Close() error {
-	var err error
+	c.closing.Store(true)
-	if err = c.CloseRead(); err != nil {
+	defer c.closing.Store(false)
+
+	if err := c.CloseRead(); err != nil {
 		logrus.Warnf("commandConn.Close: CloseRead: %v", err)
+		return err
 	}
-	if err = c.CloseWrite(); err != nil {
+	if err := c.CloseWrite(); err != nil {
 		logrus.Warnf("commandConn.Close: CloseWrite: %v", err)
+		return err
 	}
-	return err
+
+	return nil
 }
 
 func (c *commandConn) LocalAddr() net.Addr {

vendor/github.com/docker/cli/cli/connhelper/connhelper.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"net"
 	"net/url"
+	"strings"
 
 	"github.com/docker/cli/cli/connhelper/commandconn"
 	"github.com/docker/cli/cli/connhelper/ssh"
@@ -51,6 +52,7 @@ func getConnectionHelper(daemonURL string, sshFlags []string) (*ConnectionHelper
 				if sp.Path != "" {
 					args = append(args, "--host", "unix://"+sp.Path)
 				}
+				sshFlags = addSSHTimeout(sshFlags)
 				args = append(args, "system", "dial-stdio")
 				return commandconn.New(ctx, "ssh", append(sshFlags, sp.Args(args...)...)...)
 			},
@@ -71,3 +73,10 @@ func GetCommandConnectionHelper(cmd string, flags ...string) (*ConnectionHelper,
 		Host: "http://docker.example.com",
 	}, nil
 }
+
+func addSSHTimeout(sshFlags []string) []string {
+	if !strings.Contains(strings.Join(sshFlags, ""), "ConnectTimeout") {
+		sshFlags = append(sshFlags, "-o ConnectTimeout=30")
+	}
+	return sshFlags
+}

vendor/github.com/docker/docker/api/swagger.yaml

@@ -5162,42 +5162,8 @@ definitions:
       ServerVersion:
         description: |
           Version string of the daemon.
-
-          > **Note**: the [standalone Swarm API](https://docs.docker.com/swarm/swarm-api/)
-          > returns the Swarm version instead of the daemon  version, for example
-          > `swarm/1.2.8`.
-        type: "string"
-        example: "17.06.0-ce"
-      ClusterStore:
-        description: |
-          URL of the distributed storage backend.
-
-
-          The storage backend is used for multihost networking (to store
-          network and endpoint information) and by the node discovery mechanism.
-
-          <p><br /></p>
-
-          > **Deprecated**: This field is only propagated when using standalone Swarm
-          > mode, and overlay networking using an external k/v store. Overlay
-          > networks with Swarm mode enabled use the built-in raft store, and
-          > this field will be empty.
-        type: "string"
-        example: "consul://consul.corp.example.com:8600/some/path"
-      ClusterAdvertise:
-        description: |
-          The network endpoint that the Engine advertises for the purpose of
-          node discovery. ClusterAdvertise is a `host:port` combination on which
-          the daemon is reachable by other hosts.
-
-          <p><br /></p>
-
-          > **Deprecated**: This field is only propagated when using standalone Swarm
-          > mode, and overlay networking using an external k/v store. Overlay
-          > networks with Swarm mode enabled use the built-in raft store, and
-          > this field will be empty.
         type: "string"
-        example: "node5.corp.example.com:8000"
+        example: "24.0.2"
       Runtimes:
         description: |
           List of [OCI compliant](https://github.com/opencontainers/runtime-spec)
@@ -10393,6 +10359,12 @@ paths:
             default if omitted.
           required: true
           type: "string"
+        - name: "force"
+          in: "query"
+          description: |
+            Force disable a plugin even if still in use.
+          required: false
+          type: "boolean"
       tags: ["Plugin"]
   /plugins/{name}/upgrade:
     post:

vendor/github.com/docker/docker/api/types/configs.go

@@ -3,7 +3,7 @@ package types // import "github.com/docker/docker/api/types"
 import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // configs holds structs used for internal communication between the
@@ -16,7 +16,7 @@ type ContainerCreateConfig struct {
 	Config           *container.Config
 	HostConfig       *container.HostConfig
 	NetworkingConfig *network.NetworkingConfig
-	Platform         *specs.Platform
+	Platform         *ocispec.Platform
 	AdjustCPUShares  bool
 }
 

vendor/github.com/docker/docker/api/types/image/opts.go

@@ -1,9 +1,9 @@
 package image
 
-import specs "github.com/opencontainers/image-spec/specs-go/v1"
+import ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 
 // GetImageOpts holds parameters to inspect an image.
 type GetImageOpts struct {
-	Platform *specs.Platform
+	Platform *ocispec.Platform
 	Details  bool
 }

vendor/github.com/docker/docker/api/types/registry/registry.go

@@ -4,7 +4,7 @@ import (
 	"encoding/json"
 	"net"
 
-	v1 "github.com/opencontainers/image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // ServiceConfig stores daemon registry services configuration.
@@ -113,8 +113,8 @@ type SearchResults struct {
 type DistributionInspect struct {
 	// Descriptor contains information about the manifest, including
 	// the content addressable digest
-	Descriptor v1.Descriptor
+	Descriptor ocispec.Descriptor
 	// Platforms contains the list of platforms supported by the image,
 	// obtained by parsing the manifest
-	Platforms []v1.Platform
+	Platforms []ocispec.Platform
 }

vendor/github.com/docker/docker/client/client.go

@@ -56,6 +56,36 @@ import (
 	"github.com/pkg/errors"
 )
 
+// DummyHost is a hostname used for local communication.
+//
+// It acts as a valid formatted hostname for local connections (such as "unix://"
+// or "npipe://") which do not require a hostname. It should never be resolved,
+// but uses the special-purpose ".localhost" TLD (as defined in [RFC 2606, Section 2]
+// and [RFC 6761, Section 6.3]).
+//
+// [RFC 7230, Section 5.4] defines that an empty header must be used for such
+// cases:
+//
+//	If the authority component is missing or undefined for the target URI,
+//	then a client MUST send a Host header field with an empty field-value.
+//
+// However, [Go stdlib] enforces the semantics of HTTP(S) over TCP, does not
+// allow an empty header to be used, and requires req.URL.Scheme to be either
+// "http" or "https".
+//
+// For further details, refer to:
+//
+//   - https://github.com/docker/engine-api/issues/189
+//   - https://github.com/golang/go/issues/13624
+//   - https://github.com/golang/go/issues/61076
+//   - https://github.com/moby/moby/issues/45935
+//
+// [RFC 2606, Section 2]: https://www.rfc-editor.org/rfc/rfc2606.html#section-2
+// [RFC 6761, Section 6.3]: https://www.rfc-editor.org/rfc/rfc6761#section-6.3
+// [RFC 7230, Section 5.4]: https://datatracker.ietf.org/doc/html/rfc7230#section-5.4
+// [Go stdlib]: https://github.com/golang/go/blob/6244b1946bc2101b01955468f1be502dbadd6807/src/net/http/transport.go#L558-L569
+const DummyHost = "api.moby.localhost"
+
 // ErrRedirect is the error returned by checkRedirect when the request is non-GET.
 var ErrRedirect = errors.New("unexpected redirect in response")
 

vendor/github.com/docker/docker/client/container_create.go

@@ -9,7 +9,7 @@ import (
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/versions"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 type configWrapper struct {
@@ -20,7 +20,7 @@ type configWrapper struct {
 
 // ContainerCreate creates a new container based on the given configuration.
 // It can be associated with a name, but it's not mandatory.
-func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, platform *specs.Platform, containerName string) (container.CreateResponse, error) {
+func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, platform *ocispec.Platform, containerName string) (container.CreateResponse, error) {
 	var response container.CreateResponse
 
 	if err := cli.NewVersionError("1.25", "stop timeout"); config != nil && config.StopTimeout != nil && err != nil {
@@ -75,7 +75,7 @@ func (cli *Client) ContainerCreate(ctx context.Context, config *container.Config
 // Similar to containerd's platforms.Format(), but does allow components to be
 // omitted (e.g. pass "architecture" only, without "os":
 // https://github.com/containerd/containerd/blob/v1.5.2/platforms/platforms.go#L243-L263
-func formatPlatform(platform *specs.Platform) string {
+func formatPlatform(platform *ocispec.Platform) string {
 	if platform == nil {
 		return ""
 	}

vendor/github.com/docker/docker/client/hijack.go

@@ -64,7 +64,11 @@ func fallbackDial(proto, addr string, tlsConfig *tls.Config) (net.Conn, error) {
 }
 
 func (cli *Client) setupHijackConn(ctx context.Context, req *http.Request, proto string) (net.Conn, string, error) {
-	req.Host = cli.addr
+	req.URL.Host = cli.addr
+	if cli.proto == "unix" || cli.proto == "npipe" {
+		// Override host header for non-tcp connections.
+		req.Host = DummyHost
+	}
 	req.Header.Set("Connection", "Upgrade")
 	req.Header.Set("Upgrade", proto)
 

vendor/github.com/docker/docker/client/interface.go

@@ -15,7 +15,7 @@ import (
 	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/volume"
-	specs "github.com/opencontainers/image-spec/specs-go/v1"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 )
 
 // CommonAPIClient is the common methods between stable and experimental versions of APIClient.
@@ -47,7 +47,7 @@ type CommonAPIClient interface {
 type ContainerAPIClient interface {
 	ContainerAttach(ctx context.Context, container string, options types.ContainerAttachOptions) (types.HijackedResponse, error)
 	ContainerCommit(ctx context.Context, container string, options types.ContainerCommitOptions) (types.IDResponse, error)
-	ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, platform *specs.Platform, containerName string) (container.CreateResponse, error)
+	ContainerCreate(ctx context.Context, config *container.Config, hostConfig *container.HostConfig, networkingConfig *network.NetworkingConfig, platform *ocispec.Platform, containerName string) (container.CreateResponse, error)
 	ContainerDiff(ctx context.Context, container string) ([]container.FilesystemChange, error)
 	ContainerExecAttach(ctx context.Context, execID string, config types.ExecStartCheck) (types.HijackedResponse, error)
 	ContainerExecCreate(ctx context.Context, container string, config types.ExecConfig) (types.IDResponse, error)

vendor/github.com/docker/docker/client/request.go

@@ -96,16 +96,14 @@ func (cli *Client) buildRequest(method, path string, body io.Reader, headers hea
 		return nil, err
 	}
 	req = cli.addHeaders(req, headers)
+	req.URL.Scheme = cli.scheme
+	req.URL.Host = cli.addr
 
 	if cli.proto == "unix" || cli.proto == "npipe" {
-		// For local communications, it doesn't matter what the host is. We just
+		// Override host header for non-tcp connections.
-		// need a valid and meaningful host name. (See #189)
+		req.Host = DummyHost
-		req.Host = "docker"
 	}
 
-	req.URL.Host = cli.addr
-	req.URL.Scheme = cli.scheme
-
 	if expectedPayload && req.Header.Get("Content-Type") == "" {
 		req.Header.Set("Content-Type", "text/plain")
 	}

vendor/github.com/docker/docker/pkg/idtools/idtools_unix.go

@@ -167,7 +167,10 @@ func callGetent(database, key string) (io.Reader, error) {
 	if getentCmd == "" {
 		return nil, fmt.Errorf("unable to find getent command")
 	}
-	out, err := exec.Command(getentCmd, database, key).CombinedOutput()
+	command := exec.Command(getentCmd, database, key)
+	// we run getent within container filesystem, but without /dev so /dev/null is not available for exec to mock stdin
+	command.Stdin = io.NopCloser(bytes.NewReader(nil))
+	out, err := command.CombinedOutput()
 	if err != nil {
 		exitCode, errC := getExitCode(err)
 		if errC != nil {

vendor/github.com/moby/buildkit/client/client.go

@@ -25,6 +25,7 @@ import (
 	sdktrace "go.opentelemetry.io/otel/sdk/trace"
 	"go.opentelemetry.io/otel/trace"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
@@ -184,6 +185,19 @@ func (c *Client) Dialer() session.Dialer {
 	return grpchijack.Dialer(c.ControlClient())
 }
 
+func (c *Client) Wait(ctx context.Context) error {
+	opts := []grpc.CallOption{grpc.WaitForReady(true)}
+	_, err := c.ControlClient().Info(ctx, &controlapi.InfoRequest{}, opts...)
+	if err != nil {
+		if code := grpcerrors.Code(err); code == codes.Unimplemented {
+			// only buildkit v0.11+ supports the info api, but an unimplemented
+			// response error is still a response so we can ignore it
+			return nil
+		}
+	}
+	return err
+}
+
 func (c *Client) Close() error {
 	return c.conn.Close()
 }

vendor/github.com/moby/buildkit/client/llb/async.go

@@ -15,7 +15,7 @@ type asyncState struct {
 	target State
 	set    bool
 	err    error
-	g      flightcontrol.Group
+	g      flightcontrol.Group[State]
 }
 
 func (as *asyncState) Output() Output {
@@ -53,7 +53,7 @@ func (as *asyncState) ToInput(ctx context.Context, c *Constraints) (*pb.Input, e
 }
 
 func (as *asyncState) Do(ctx context.Context, c *Constraints) error {
-	_, err := as.g.Do(ctx, "", func(ctx context.Context) (interface{}, error) {
+	_, err := as.g.Do(ctx, "", func(ctx context.Context) (State, error) {
 		if as.set {
 			return as.target, as.err
 		}

vendor/github.com/moby/buildkit/client/llb/fileop.go

@@ -61,6 +61,10 @@ type capAdder interface {
 	addCaps(*FileOp)
 }
 
+// FileAction is used to specify a file operation on a [State].
+// It can be used to create a directory, create a file, or remove a file, etc.
+// This is used by [State.File]
+// Typically a FileAction is created by calling one of the helper functions such as [Mkdir], [Copy], [Rm], [Mkfile]
 type FileAction struct {
 	state  *State
 	prev   *FileAction
@@ -141,6 +145,7 @@ func Mkdir(p string, m os.FileMode, opt ...MkdirOption) *FileAction {
 	for _, o := range opt {
 		o.SetMkdirOption(&mi)
 	}
+
 	return &FileAction{
 		action: &fileActionMkdir{
 			file: p,
@@ -443,7 +448,6 @@ func Copy(input CopyInput, src, dest string, opts ...CopyOption) *FileAction {
 	for _, o := range opts {
 		o.SetCopyOption(&mi)
 	}
-
 	return &FileAction{
 		action: &fileActionCopy{
 			state: state,
@@ -519,22 +523,19 @@ func (a *fileActionCopy) toProtoAction(ctx context.Context, parent string, base
 
 func (a *fileActionCopy) sourcePath(ctx context.Context) (string, error) {
 	p := path.Clean(a.src)
+	dir := "/"
+	var err error
 	if !path.IsAbs(p) {
 		if a.state != nil {
-			dir, err := a.state.GetDir(ctx)
+			dir, err = a.state.GetDir(ctx)
-			if err != nil {
-				return "", err
-			}
-			p = path.Join("/", dir, p)
 		} else if a.fas != nil {
-			dir, err := a.fas.state.GetDir(ctx)
+			dir, err = a.fas.state.GetDir(ctx)
-			if err != nil {
+		}
-				return "", err
+		if err != nil {
-			}
+			return "", err
-			p = path.Join("/", dir, p)
 		}
 	}
-	return p, nil
+	return path.Join(dir, p), nil
 }
 
 func (a *fileActionCopy) addCaps(f *FileOp) {

vendor/github.com/moby/buildkit/client/llb/meta.go

@@ -10,6 +10,7 @@ import (
 	"github.com/google/shlex"
 	"github.com/moby/buildkit/solver/pb"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/pkg/errors"
 )
 
 type contextKeyT string
@@ -29,10 +30,15 @@ var (
 	keySecurity = contextKeyT("llb.security")
 )
 
+// AddEnvf is the same as [AddEnv] but allows for a format string.
+// This is the equivalent of `[State.AddEnvf]`
 func AddEnvf(key, value string, v ...interface{}) StateOption {
 	return addEnvf(key, value, true, v...)
 }
 
+// AddEnv returns a [StateOption] whichs adds an environment variable to the state.
+// Use this with [State.With] to create a new state with the environment variable set.
+// This is the equivalent of `[State.AddEnv]`
 func AddEnv(key, value string) StateOption {
 	return addEnvf(key, value, false)
 }
@@ -52,10 +58,14 @@ func addEnvf(key, value string, replace bool, v ...interface{}) StateOption {
 	}
 }
 
+// Dir returns a [StateOption] sets the working directory for the state which will be used to resolve
+// relative paths as well as the working directory for [State.Run].
+// See [State.With] for where to use this.
 func Dir(str string) StateOption {
 	return dirf(str, false)
 }
 
+// Dirf is the same as [Dir] but allows for a format string.
 func Dirf(str string, v ...interface{}) StateOption {
 	return dirf(str, true, v...)
 }
@@ -69,7 +79,7 @@ func dirf(value string, replace bool, v ...interface{}) StateOption {
 			if !path.IsAbs(value) {
 				prev, err := getDir(s)(ctx, c)
 				if err != nil {
-					return nil, err
+					return nil, errors.Wrap(err, "getting dir from state")
 				}
 				if prev == "" {
 					prev = "/"
@@ -81,12 +91,18 @@ func dirf(value string, replace bool, v ...interface{}) StateOption {
 	}
 }
 
+// User returns a [StateOption] which sets the user for the state which will be used by [State.Run].
+// This is the equivalent of [State.User]
+// See [State.With] for where to use this.
 func User(str string) StateOption {
 	return func(s State) State {
 		return s.WithValue(keyUser, str)
 	}
 }
 
+// Reset returns a [StateOption] which creates a new [State] with just the
+// output of the current [State] and the provided [State] is set as the parent.
+// This is the equivalent of [State.Reset]
 func Reset(other State) StateOption {
 	return func(s State) State {
 		s = NewState(s.Output())
@@ -147,6 +163,9 @@ func getUser(s State) func(context.Context, *Constraints) (string, error) {
 	}
 }
 
+// Hostname returns a [StateOption] which sets the hostname used for containers created by [State.Run].
+// This is the equivalent of [State.Hostname]
+// See [State.With] for where to use this.
 func Hostname(str string) StateOption {
 	return func(s State) State {
 		return s.WithValue(keyHostname, str)
@@ -283,6 +302,9 @@ func getCgroupParent(s State) func(context.Context, *Constraints) (string, error
 	}
 }
 
+// Network returns a [StateOption] which sets the network mode used for containers created by [State.Run].
+// This is the equivalent of [State.Network]
+// See [State.With] for where to use this.
 func Network(v pb.NetMode) StateOption {
 	return func(s State) State {
 		return s.WithValue(keyNetwork, v)
@@ -302,6 +324,9 @@ func getNetwork(s State) func(context.Context, *Constraints) (pb.NetMode, error)
 	}
 }
 
+// Security returns a [StateOption] which sets the security mode used for containers created by [State.Run].
+// This is the equivalent of [State.Security]
+// See [State.With] for where to use this.
 func Security(v pb.SecurityMode) StateOption {
 	return func(s State) State {
 		return s.WithValue(keySecurity, v)

vendor/github.com/moby/buildkit/client/llb/resolver.go

@@ -3,6 +3,7 @@ package llb
 import (
 	"context"
 
+	spb "github.com/moby/buildkit/sourcepolicy/pb"
 	digest "github.com/opencontainers/go-digest"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 )
@@ -31,7 +32,7 @@ func WithLayerLimit(l int) ImageOption {
 
 // ImageMetaResolver can resolve image config metadata from a reference
 type ImageMetaResolver interface {
-	ResolveImageConfig(ctx context.Context, ref string, opt ResolveImageConfigOpt) (digest.Digest, []byte, error)
+	ResolveImageConfig(ctx context.Context, ref string, opt ResolveImageConfigOpt) (string, digest.Digest, []byte, error)
 }
 
 type ResolverType int
@@ -49,6 +50,8 @@ type ResolveImageConfigOpt struct {
 	LogName     string
 
 	Store ResolveImageConfigOptStore
+
+	SourcePolicies []*spb.Policy
 }
 
 type ResolveImageConfigOptStore struct {

vendor/github.com/moby/buildkit/client/llb/source.go

@@ -135,7 +135,7 @@ func Image(ref string, opts ...ImageOption) State {
 				if p == nil {
 					p = c.Platform
 				}
-				_, dt, err := info.metaResolver.ResolveImageConfig(ctx, ref, ResolveImageConfigOpt{
+				_, _, dt, err := info.metaResolver.ResolveImageConfig(ctx, ref, ResolveImageConfigOpt{
 					Platform:     p,
 					ResolveMode:  info.resolveMode.String(),
 					ResolverType: ResolverTypeRegistry,
@@ -151,7 +151,7 @@ func Image(ref string, opts ...ImageOption) State {
 			if p == nil {
 				p = c.Platform
 			}
-			dgst, dt, err := info.metaResolver.ResolveImageConfig(context.TODO(), ref, ResolveImageConfigOpt{
+			ref, dgst, dt, err := info.metaResolver.ResolveImageConfig(context.TODO(), ref, ResolveImageConfigOpt{
 				Platform:     p,
 				ResolveMode:  info.resolveMode.String(),
 				ResolverType: ResolverTypeRegistry,
@@ -159,6 +159,10 @@ func Image(ref string, opts ...ImageOption) State {
 			if err != nil {
 				return State{}, err
 			}
+			r, err := reference.ParseNormalizedNamed(ref)
+			if err != nil {
+				return State{}, err
+			}
 			if dgst != "" {
 				r, err = reference.WithDigest(r, dgst)
 				if err != nil {
@@ -230,6 +234,9 @@ type ImageInfo struct {
 // Other URL formats are supported such as "git@github.com:moby/buildkit.git", "git://...", "ssh://..."
 // Formats that utilize SSH may need to supply credentials as a [GitOption].
 // You may need to check the source code for a full list of supported formats.
+//
+// By default the git repository is cloned with `--depth=1` to reduce the amount of data downloaded.
+// Additionally the ".git" directory is removed after the clone, you can keep ith with the [KeepGitDir] [GitOption].
 func Git(remote, ref string, opts ...GitOption) State {
 	url := strings.Split(remote, "#")[0]
 

vendor/github.com/moby/buildkit/client/llb/state.go

@@ -53,6 +53,8 @@ func NewState(o Output) State {
 // States are immutable, and all operations return a new state linked to the previous one.
 // State is the core type of the LLB API and is used to build a graph of operations.
 // The graph is then marshaled into a definition that can be executed by a backend (such as buildkitd).
+//
+// Operations performed on a State are executed lazily after the entire state graph is marshalled and sent to the backend.
 type State struct {
 	out   Output
 	prev  *State
@@ -127,6 +129,7 @@ func (s State) SetMarshalDefaults(co ...ConstraintsOpt) State {
 	return s
 }
 
+// Marshal marshals the state and all its parents into a [Definition].
 func (s State) Marshal(ctx context.Context, co ...ConstraintsOpt) (*Definition, error) {
 	c := NewConstraints(append(s.opts, co...)...)
 	def := &Definition{
@@ -212,10 +215,13 @@ func marshal(ctx context.Context, v Vertex, def *Definition, s *sourceMapCollect
 	return def, nil
 }
 
+// Validate validates the state.
+// This validation, unlike most other operations on [State], is not lazily performed.
 func (s State) Validate(ctx context.Context, c *Constraints) error {
 	return s.Output().Vertex(ctx, c).Validate(ctx, c)
 }
 
+// Output returns the output of the state.
 func (s State) Output() Output {
 	if s.async != nil {
 		return s.async.Output()
@@ -223,6 +229,7 @@ func (s State) Output() Output {
 	return s.out
 }
 
+// WithOutput creats a new state with the output set to the given output.
 func (s State) WithOutput(o Output) State {
 	prev := s
 	s = State{
@@ -233,6 +240,7 @@ func (s State) WithOutput(o Output) State {
 	return s
 }
 
+// WithImageConfig adds the environment variables, working directory, and platform specified in the image config to the state.
 func (s State) WithImageConfig(c []byte) (State, error) {
 	var img ocispecs.Image
 	if err := json.Unmarshal(c, &img); err != nil {
@@ -259,6 +267,12 @@ func (s State) WithImageConfig(c []byte) (State, error) {
 	return s, nil
 }
 
+// Run performs the command specified by the arguments within the contexst of the current [State].
+// The command is executed as a container with the [State]'s filesystem as the root filesystem.
+// As such any command you run must be present in the [State]'s filesystem.
+// Constraints such as [State.Ulimit], [State.ParentCgroup], [State.Network], etc. are applied to the container.
+//
+// Run is useful when none of the LLB ops are sufficient for the operation that you want to perform.
 func (s State) Run(ro ...RunOption) ExecState {
 	ei := &ExecInfo{State: s}
 	for _, o := range ro {
@@ -277,6 +291,8 @@ func (s State) Run(ro ...RunOption) ExecState {
 	}
 }
 
+// File performs a file operation on the current state.
+// See [FileAction] for details on the operations that can be performed.
 func (s State) File(a *FileAction, opts ...ConstraintsOpt) State {
 	var c Constraints
 	for _, o := range opts {
@@ -286,21 +302,29 @@ func (s State) File(a *FileAction, opts ...ConstraintsOpt) State {
 	return s.WithOutput(NewFileOp(s, a, c).Output())
 }
 
+// AddEnv returns a new [State] with the provided environment variable set.
+// See [AddEnv]
 func (s State) AddEnv(key, value string) State {
 	return AddEnv(key, value)(s)
 }
 
+// AddEnvf is the same as [State.AddEnv] but with a format string.
 func (s State) AddEnvf(key, value string, v ...interface{}) State {
 	return AddEnvf(key, value, v...)(s)
 }
 
+// Dir returns a new [State] with the provided working directory set.
+// See [Dir]
 func (s State) Dir(str string) State {
 	return Dir(str)(s)
 }
+
+// Dirf is the same as [State.Dir] but with a format string.
 func (s State) Dirf(str string, v ...interface{}) State {
 	return Dirf(str, v...)(s)
 }
 
+// GetEnv returns the value of the environment variable with the provided key.
 func (s State) GetEnv(ctx context.Context, key string, co ...ConstraintsOpt) (string, bool, error) {
 	c := &Constraints{}
 	for _, f := range co {
@@ -314,6 +338,8 @@ func (s State) GetEnv(ctx context.Context, key string, co ...ConstraintsOpt) (st
 	return v, ok, nil
 }
 
+// Env returns a new [State] with the provided environment variable set.
+// See [Env]
 func (s State) Env(ctx context.Context, co ...ConstraintsOpt) ([]string, error) {
 	c := &Constraints{}
 	for _, f := range co {
@@ -326,6 +352,7 @@ func (s State) Env(ctx context.Context, co ...ConstraintsOpt) ([]string, error)
 	return env.ToArray(), nil
 }
 
+// GetDir returns the current working directory for the state.
 func (s State) GetDir(ctx context.Context, co ...ConstraintsOpt) (string, error) {
 	c := &Constraints{}
 	for _, f := range co {
@@ -342,18 +369,28 @@ func (s State) GetArgs(ctx context.Context, co ...ConstraintsOpt) ([]string, err
 	return getArgs(s)(ctx, c)
 }
 
+// Reset is used to return a new [State] with all of the current state and the
+// provided [State] as the parent. In effect you can think of this as creating
+// a new state with all the output from the current state but reparented to the
+// provided state.  See [Reset] for more details.
 func (s State) Reset(s2 State) State {
 	return Reset(s2)(s)
 }
 
+// User sets the user for this state.
+// See [User] for more details.
 func (s State) User(v string) State {
 	return User(v)(s)
 }
 
+// Hostname sets the hostname for this state.
+// See [Hostname] for more details.
 func (s State) Hostname(v string) State {
 	return Hostname(v)(s)
 }
 
+// GetHostname returns the hostname set on the state.
+// See [Hostname] for more details.
 func (s State) GetHostname(ctx context.Context, co ...ConstraintsOpt) (string, error) {
 	c := &Constraints{}
 	for _, f := range co {
@@ -362,10 +399,14 @@ func (s State) GetHostname(ctx context.Context, co ...ConstraintsOpt) (string, e
 	return getHostname(s)(ctx, c)
 }
 
+// Platform sets the platform for the state. Platforms are used to determine
+// image variants to pull and run as well as the platform metadata to set on the
+// image config.
 func (s State) Platform(p ocispecs.Platform) State {
 	return platform(p)(s)
 }
 
+// GetPlatform returns the platform for the state.
 func (s State) GetPlatform(ctx context.Context, co ...ConstraintsOpt) (*ocispecs.Platform, error) {
 	c := &Constraints{}
 	for _, f := range co {
@@ -374,10 +415,14 @@ func (s State) GetPlatform(ctx context.Context, co ...ConstraintsOpt) (*ocispecs
 	return getPlatform(s)(ctx, c)
 }
 
+// Network sets the network mode for the state.
+// Network modes are used by [State.Run] to determine the network mode used when running the container.
+// Network modes are not applied to image configs.
 func (s State) Network(n pb.NetMode) State {
 	return Network(n)(s)
 }
 
+// GetNetwork returns the network mode for the state.
 func (s State) GetNetwork(ctx context.Context, co ...ConstraintsOpt) (pb.NetMode, error) {
 	c := &Constraints{}
 	for _, f := range co {
@@ -385,10 +430,15 @@ func (s State) GetNetwork(ctx context.Context, co ...ConstraintsOpt) (pb.NetMode
 	}
 	return getNetwork(s)(ctx, c)
 }
+
+// Security sets the security mode for the state.
+// Security modes are used by [State.Run] to the privileges that processes in the container will run with.
+// Security modes are not applied to image configs.
 func (s State) Security(n pb.SecurityMode) State {
 	return Security(n)(s)
 }
 
+// GetSecurity returns the security mode for the state.
 func (s State) GetSecurity(ctx context.Context, co ...ConstraintsOpt) (pb.SecurityMode, error) {
 	c := &Constraints{}
 	for _, f := range co {
@@ -397,6 +447,8 @@ func (s State) GetSecurity(ctx context.Context, co ...ConstraintsOpt) (pb.Securi
 	return getSecurity(s)(ctx, c)
 }
 
+// With applies [StateOption]s to the [State].
+// Each applied [StateOption] creates a new [State] object with the previous as its parent.
 func (s State) With(so ...StateOption) State {
 	for _, o := range so {
 		s = o(s)
@@ -404,14 +456,23 @@ func (s State) With(so ...StateOption) State {
 	return s
 }
 
+// AddExtraHost adds a host name to IP mapping to any containers created from this state.
 func (s State) AddExtraHost(host string, ip net.IP) State {
 	return extraHost(host, ip)(s)
 }
 
+// AddUlimit sets the hard/soft for the given ulimit.
+// The ulimit is applied to containers created from this state.
+// Ulimits are Linux specific and only applies to containers created from this state such as via `[State.Run]`
+// Ulimits do not apply to image configs.
 func (s State) AddUlimit(name UlimitName, soft int64, hard int64) State {
 	return ulimit(name, soft, hard)(s)
 }
 
+// WithCgroupParent sets the parent cgroup for any containers created from this state.
+// This is useful when you want to apply resource constraints to a group of containers.
+// Cgroups are Linux specific and only applies to containers created from this state such as via `[State.Run]`
+// Cgroups do not apply to image configs.
 func (s State) WithCgroupParent(cp string) State {
 	return cgroupParent(cp)(s)
 }

vendor/github.com/moby/buildkit/exporter/containerimage/image/docker_image.go

@@ -19,9 +19,10 @@ type HealthConfig struct {
 	Test []string `json:",omitempty"`
 
 	// Zero means to inherit. Durations are expressed as integer nanoseconds.
-	Interval    time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
+	Interval      time.Duration `json:",omitempty"` // Interval is the time to wait between checks.
-	Timeout     time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
+	Timeout       time.Duration `json:",omitempty"` // Timeout is the time to wait before considering the check to have hung.
-	StartPeriod time.Duration `json:",omitempty"` // The start period for the container to initialize before the retries starts to count down.
+	StartPeriod   time.Duration `json:",omitempty"` // The start period for the container to initialize before the retries starts to count down.
+	StartInterval time.Duration `json:",omitempty"` // StartInterval is the time to wait between checks during the start period.
 
 	// Retries is the number of consecutive failures needed to consider a container as unhealthy.
 	// Zero means inherit.

vendor/github.com/moby/buildkit/frontend/dockerui/config.go

@@ -19,6 +19,7 @@ import (
 	"github.com/moby/buildkit/frontend/gateway/client"
 	"github.com/moby/buildkit/solver/pb"
 	"github.com/moby/buildkit/util/flightcontrol"
+	digest "github.com/opencontainers/go-digest"
 	ocispecs "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
 )
@@ -76,7 +77,7 @@ type Client struct {
 	client      client.Client
 	ignoreCache []string
 	bctx        *buildContext
-	g           flightcontrol.Group
+	g           flightcontrol.Group[*buildContext]
 	bopts       client.BuildOpts
 
 	dockerignore []byte
@@ -96,6 +97,7 @@ type ContextOpt struct {
 	LocalOpts      []llb.LocalOption
 	Platform       *ocispecs.Platform
 	ResolveMode    string
+	CaptureDigest  *digest.Digest
 }
 
 func validateMinCaps(c client.Client) error {
@@ -278,7 +280,7 @@ func (bc *Client) init() error {
 }
 
 func (bc *Client) buildContext(ctx context.Context) (*buildContext, error) {
-	bctx, err := bc.g.Do(ctx, "initcontext", func(ctx context.Context) (interface{}, error) {
+	return bc.g.Do(ctx, "initcontext", func(ctx context.Context) (*buildContext, error) {
 		if bc.bctx != nil {
 			return bc.bctx, nil
 		}
@@ -288,10 +290,6 @@ func (bc *Client) buildContext(ctx context.Context) (*buildContext, error) {
 		}
 		return bctx, err
 	})
-	if err != nil {
-		return nil, err
-	}
-	return bctx.(*buildContext), nil
 }
 
 func (bc *Client) ReadEntrypoint(ctx context.Context, lang string, opts ...llb.LocalOption) (*Source, error) {

vendor/github.com/moby/buildkit/frontend/dockerui/namedcontext.go

@@ -13,25 +13,36 @@ import (
 	"github.com/moby/buildkit/exporter/containerimage/image"
 	"github.com/moby/buildkit/frontend/dockerfile/dockerignore"
 	"github.com/moby/buildkit/frontend/gateway/client"
+	"github.com/moby/buildkit/util/imageutil"
 	"github.com/pkg/errors"
 )
 
 const (
 	contextPrefix       = "context:"
 	inputMetadataPrefix = "input-metadata:"
+	maxContextRecursion = 10
 )
 
 func (bc *Client) namedContext(ctx context.Context, name string, nameWithPlatform string, opt ContextOpt) (*llb.State, *image.Image, error) {
+	return bc.namedContextRecursive(ctx, name, nameWithPlatform, opt, 0)
+}
+
+func (bc *Client) namedContextRecursive(ctx context.Context, name string, nameWithPlatform string, opt ContextOpt, count int) (*llb.State, *image.Image, error) {
 	opts := bc.bopts.Opts
 	v, ok := opts[contextPrefix+nameWithPlatform]
 	if !ok {
 		return nil, nil, nil
 	}
 
+	if count > maxContextRecursion {
+		return nil, nil, errors.New("context recursion limit exceeded; this may indicate a cycle in the provided source policies: " + v)
+	}
+
 	vv := strings.SplitN(v, ":", 2)
 	if len(vv) != 2 {
 		return nil, nil, errors.Errorf("invalid context specifier %s for %s", v, nameWithPlatform)
 	}
+
 	// allow git@ without protocol for SSH URLs for backwards compatibility
 	if strings.HasPrefix(vv[0], "git@") {
 		vv[0] = "git"
@@ -58,13 +69,17 @@ func (bc *Client) namedContext(ctx context.Context, name string, nameWithPlatfor
 
 		named = reference.TagNameOnly(named)
 
-		_, data, err := bc.client.ResolveImageConfig(ctx, named.String(), llb.ResolveImageConfigOpt{
+		ref, dgst, data, err := bc.client.ResolveImageConfig(ctx, named.String(), llb.ResolveImageConfigOpt{
 			Platform:     opt.Platform,
 			ResolveMode:  opt.ResolveMode,
 			LogName:      fmt.Sprintf("[context %s] load metadata for %s", nameWithPlatform, ref),
 			ResolverType: llb.ResolverTypeRegistry,
 		})
 		if err != nil {
+			e := &imageutil.ResolveToNonImageError{}
+			if errors.As(err, &e) {
+				return bc.namedContextRecursive(ctx, e.Updated, name, opt, count+1)
+			}
 			return nil, nil, err
 		}
 
@@ -79,6 +94,9 @@ func (bc *Client) namedContext(ctx context.Context, name string, nameWithPlatfor
 		if err != nil {
 			return nil, nil, err
 		}
+		if opt.CaptureDigest != nil {
+			*opt.CaptureDigest = dgst
+		}
 		return &st, &img, nil
 	case "git":
 		st, ok := DetectGitContext(v, true)
@@ -119,7 +137,8 @@ func (bc *Client) namedContext(ctx context.Context, name string, nameWithPlatfor
 			return nil, nil, errors.Wrapf(err, "could not wrap %q with digest", name)
 		}
 
-		_, data, err := bc.client.ResolveImageConfig(ctx, dummyRef.String(), llb.ResolveImageConfigOpt{
+		// TODO: How should source policy be handled here with a dummy ref?
+		_, dgst, data, err := bc.client.ResolveImageConfig(ctx, dummyRef.String(), llb.ResolveImageConfigOpt{
 			Platform:     opt.Platform,
 			ResolveMode:  opt.ResolveMode,
 			LogName:      fmt.Sprintf("[context %s] load metadata for %s", nameWithPlatform, dummyRef.String()),
@@ -153,6 +172,9 @@ func (bc *Client) namedContext(ctx context.Context, name string, nameWithPlatfor
 		if err != nil {
 			return nil, nil, err
 		}
+		if opt.CaptureDigest != nil {
+			*opt.CaptureDigest = dgst
+		}
 		return &st, &img, nil
 	case "local":
 		st := llb.Local(vv[1],

vendor/github.com/moby/buildkit/frontend/gateway/client/client.go

@@ -27,7 +27,7 @@ func NewResult() *Result {
 
 type Client interface {
 	Solve(ctx context.Context, req SolveRequest) (*Result, error)
-	ResolveImageConfig(ctx context.Context, ref string, opt llb.ResolveImageConfigOpt) (digest.Digest, []byte, error)
+	ResolveImageConfig(ctx context.Context, ref string, opt llb.ResolveImageConfigOpt) (string, digest.Digest, []byte, error)
 	BuildOpts() BuildOpts
 	Inputs(ctx context.Context) (map[string]llb.State, error)
 	NewContainer(ctx context.Context, req NewContainerRequest) (Container, error)
@@ -71,6 +71,7 @@ type Container interface {
 type StartRequest struct {
 	Args           []string
 	Env            []string
+	SecretEnv      []*pb.SecretEnv
 	User           string
 	Cwd            string
 	Tty            bool

vendor/github.com/moby/buildkit/frontend/gateway/grpcclient/client.go

@@ -478,7 +478,7 @@ func (c *grpcClient) Solve(ctx context.Context, creq client.SolveRequest) (res *
 	return res, nil
 }
 
-func (c *grpcClient) ResolveImageConfig(ctx context.Context, ref string, opt llb.ResolveImageConfigOpt) (digest.Digest, []byte, error) {
+func (c *grpcClient) ResolveImageConfig(ctx context.Context, ref string, opt llb.ResolveImageConfigOpt) (string, digest.Digest, []byte, error) {
 	var p *opspb.Platform
 	if platform := opt.Platform; platform != nil {
 		p = &opspb.Platform{
@@ -489,19 +489,27 @@ func (c *grpcClient) ResolveImageConfig(ctx context.Context, ref string, opt llb
 			OSFeatures:   platform.OSFeatures,
 		}
 	}
+
 	resp, err := c.client.ResolveImageConfig(ctx, &pb.ResolveImageConfigRequest{
-		ResolverType: int32(opt.ResolverType),
+		ResolverType:   int32(opt.ResolverType),
-		Ref:          ref,
+		Ref:            ref,
-		Platform:     p,
+		Platform:       p,
-		ResolveMode:  opt.ResolveMode,
+		ResolveMode:    opt.ResolveMode,
-		LogName:      opt.LogName,
+		LogName:        opt.LogName,
-		SessionID:    opt.Store.SessionID,
+		SessionID:      opt.Store.SessionID,
-		StoreID:      opt.Store.StoreID,
+		StoreID:        opt.Store.StoreID,
+		SourcePolicies: opt.SourcePolicies,
 	})
 	if err != nil {
-		return "", nil, err
+		return "", "", nil, err
+	}
+	newRef := resp.Ref
+	if newRef == "" {
+		// No ref returned, use the original one.
+		// This could occur if the version of buildkitd is too old.
+		newRef = ref
 	}
-	return resp.Digest, resp.Config, nil
+	return newRef, resp.Digest, resp.Config, nil
 }
 
 func (c *grpcClient) BuildOpts() client.BuildOpts {
@@ -806,6 +814,7 @@ func (c *grpcClient) NewContainer(ctx context.Context, req client.NewContainerRe
 
 	return &container{
 		client:   c.client,
+		caps:     c.caps,
 		id:       id,
 		execMsgs: c.execMsgs,
 	}, nil
@@ -813,6 +822,7 @@ func (c *grpcClient) NewContainer(ctx context.Context, req client.NewContainerRe
 
 type container struct {
 	client   pb.LLBBridgeClient
+	caps     apicaps.CapSet
 	id       string
 	execMsgs *messageForwarder
 }
@@ -821,6 +831,12 @@ func (ctr *container) Start(ctx context.Context, req client.StartRequest) (clien
 	pid := fmt.Sprintf("%s:%s", ctr.id, identity.NewID())
 	msgs := ctr.execMsgs.Register(pid)
 
+	if len(req.SecretEnv) > 0 {
+		if err := ctr.caps.Supports(pb.CapGatewayExecSecretEnv); err != nil {
+			return nil, err
+		}
+	}
+
 	init := &pb.InitMessage{
 		ContainerID: ctr.id,
 		Meta: &opspb.Meta{
@@ -829,8 +845,9 @@ func (ctr *container) Start(ctx context.Context, req client.StartRequest) (clien
 			Cwd:  req.Cwd,
 			User: req.User,
 		},
-		Tty:      req.Tty,
+		Tty:       req.Tty,
-		Security: req.SecurityMode,
+		Security:  req.SecurityMode,
+		Secretenv: req.SecretEnv,
 	}
 	init.Meta.RemoveMountStubsRecursive = req.RemoveMountStubsRecursive
 	if req.Stdin != nil {

vendor/github.com/moby/buildkit/frontend/gateway/pb/caps.go

@@ -44,6 +44,10 @@ const (
 	// /etc/hosts for containers created via gateway exec.
 	CapGatewayExecExtraHosts apicaps.CapID = "gateway.exec.extrahosts"
 
+	// CapGatewayExecExtraHosts is the capability to set secrets as env vars for
+	// containers created via gateway exec.
+	CapGatewayExecSecretEnv apicaps.CapID = "gateway.exec.secretenv"
+
 	// CapGatewayExecExtraHosts is the capability to send signals to a process
 	// created via gateway exec.
 	CapGatewayExecSignals apicaps.CapID = "gateway.exec.signals"
@@ -179,6 +183,13 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapGatewayExecSecretEnv,
+		Name:    "gateway exec secret env",
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapGatewayExecSignals,
 		Name:    "gateway exec signals",

vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.pb.go

@@ -736,16 +736,17 @@ func (m *InputsResponse) GetDefinitions() map[string]*pb.Definition {
 }
 
 type ResolveImageConfigRequest struct {
-	Ref                  string       `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
+	Ref                  string        `protobuf:"bytes,1,opt,name=Ref,proto3" json:"Ref,omitempty"`
-	Platform             *pb.Platform `protobuf:"bytes,2,opt,name=Platform,proto3" json:"Platform,omitempty"`
+	Platform             *pb.Platform  `protobuf:"bytes,2,opt,name=Platform,proto3" json:"Platform,omitempty"`
-	ResolveMode          string       `protobuf:"bytes,3,opt,name=ResolveMode,proto3" json:"ResolveMode,omitempty"`
+	ResolveMode          string        `protobuf:"bytes,3,opt,name=ResolveMode,proto3" json:"ResolveMode,omitempty"`
-	LogName              string       `protobuf:"bytes,4,opt,name=LogName,proto3" json:"LogName,omitempty"`
+	LogName              string        `protobuf:"bytes,4,opt,name=LogName,proto3" json:"LogName,omitempty"`
-	ResolverType         int32        `protobuf:"varint,5,opt,name=ResolverType,proto3" json:"ResolverType,omitempty"`
+	ResolverType         int32         `protobuf:"varint,5,opt,name=ResolverType,proto3" json:"ResolverType,omitempty"`
-	SessionID            string       `protobuf:"bytes,6,opt,name=SessionID,proto3" json:"SessionID,omitempty"`
+	SessionID            string        `protobuf:"bytes,6,opt,name=SessionID,proto3" json:"SessionID,omitempty"`
-	StoreID              string       `protobuf:"bytes,7,opt,name=StoreID,proto3" json:"StoreID,omitempty"`
+	StoreID              string        `protobuf:"bytes,7,opt,name=StoreID,proto3" json:"StoreID,omitempty"`
-	XXX_NoUnkeyedLiteral struct{}     `json:"-"`
+	SourcePolicies       []*pb1.Policy `protobuf:"bytes,8,rep,name=SourcePolicies,proto3" json:"SourcePolicies,omitempty"`
-	XXX_unrecognized     []byte       `json:"-"`
+	XXX_NoUnkeyedLiteral struct{}      `json:"-"`
-	XXX_sizecache        int32        `json:"-"`
+	XXX_unrecognized     []byte        `json:"-"`
+	XXX_sizecache        int32         `json:"-"`
 }
 
 func (m *ResolveImageConfigRequest) Reset()         { *m = ResolveImageConfigRequest{} }
@@ -830,9 +831,17 @@ func (m *ResolveImageConfigRequest) GetStoreID() string {
 	return ""
 }
 
+func (m *ResolveImageConfigRequest) GetSourcePolicies() []*pb1.Policy {
+	if m != nil {
+		return m.SourcePolicies
+	}
+	return nil
+}
+
 type ResolveImageConfigResponse struct {
 	Digest               github_com_opencontainers_go_digest.Digest `protobuf:"bytes,1,opt,name=Digest,proto3,customtype=github.com/opencontainers/go-digest.Digest" json:"Digest"`
 	Config               []byte                                     `protobuf:"bytes,2,opt,name=Config,proto3" json:"Config,omitempty"`
+	Ref                  string                                     `protobuf:"bytes,3,opt,name=Ref,proto3" json:"Ref,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}                                   `json:"-"`
 	XXX_unrecognized     []byte                                     `json:"-"`
 	XXX_sizecache        int32                                      `json:"-"`
@@ -878,6 +887,13 @@ func (m *ResolveImageConfigResponse) GetConfig() []byte {
 	return nil
 }
 
+func (m *ResolveImageConfigResponse) GetRef() string {
+	if m != nil {
+		return m.Ref
+	}
+	return ""
+}
+
 type SolveRequest struct {
 	Definition  *pb.Definition    `protobuf:"bytes,1,opt,name=Definition,proto3" json:"Definition,omitempty"`
 	Frontend    string            `protobuf:"bytes,2,opt,name=Frontend,proto3" json:"Frontend,omitempty"`
@@ -2204,6 +2220,7 @@ type InitMessage struct {
 	Fds                  []uint32        `protobuf:"varint,3,rep,packed,name=Fds,proto3" json:"Fds,omitempty"`
 	Tty                  bool            `protobuf:"varint,4,opt,name=Tty,proto3" json:"Tty,omitempty"`
 	Security             pb.SecurityMode `protobuf:"varint,5,opt,name=Security,proto3,enum=pb.SecurityMode" json:"Security,omitempty"`
+	Secretenv            []*pb.SecretEnv `protobuf:"bytes,6,rep,name=secretenv,proto3" json:"secretenv,omitempty"`
 	XXX_NoUnkeyedLiteral struct{}        `json:"-"`
 	XXX_unrecognized     []byte          `json:"-"`
 	XXX_sizecache        int32           `json:"-"`
@@ -2277,6 +2294,13 @@ func (m *InitMessage) GetSecurity() pb.SecurityMode {
 	return pb.SecurityMode_SANDBOX
 }
 
+func (m *InitMessage) GetSecretenv() []*pb.SecretEnv {
+	if m != nil {
+		return m.Secretenv
+	}
+	return nil
+}
+
 type ExitMessage struct {
 	Code                 uint32      `protobuf:"varint,1,opt,name=Code,proto3" json:"Code,omitempty"`
 	Error                *rpc.Status `protobuf:"bytes,2,opt,name=Error,proto3" json:"Error,omitempty"`
@@ -2635,161 +2659,164 @@ func init() {
 func init() { proto.RegisterFile("gateway.proto", fileDescriptor_f1a937782ebbded5) }
 
 var fileDescriptor_f1a937782ebbded5 = []byte{
-	// 2464 bytes of a gzipped FileDescriptorProto
+	// 2497 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x59, 0xcf, 0x6f, 0x1b, 0xc7,
-	0xf5, 0xd7, 0x8a, 0x14, 0x25, 0x3d, 0xfe, 0x10, 0x3d, 0x71, 0xf2, 0x65, 0x16, 0x81, 0x23, 0xaf,
+	0xf5, 0xd7, 0x8a, 0x14, 0x45, 0x3e, 0xfe, 0x10, 0x3d, 0x71, 0xf2, 0xa5, 0x17, 0x81, 0x23, 0xaf,
-	0x63, 0x45, 0x56, 0x9c, 0xa5, 0xbf, 0xb2, 0x0d, 0xb9, 0x76, 0xeb, 0xc4, 0xfa, 0x05, 0x29, 0x96,
+	0x63, 0x45, 0x96, 0x1d, 0xd2, 0x5f, 0xd9, 0x86, 0x5c, 0xbb, 0x75, 0x62, 0xfd, 0x82, 0x14, 0x4b,
-	0x6c, 0x76, 0xe4, 0xc2, 0x45, 0x90, 0x02, 0x5d, 0x71, 0x87, 0xd4, 0xd6, 0xab, 0xdd, 0xed, 0xee,
+	0x36, 0x3b, 0x72, 0xe1, 0x22, 0x48, 0x81, 0xae, 0xb8, 0x43, 0x6a, 0xeb, 0xd5, 0xee, 0x76, 0x77,
-	0xd0, 0xb2, 0x92, 0x4b, 0x7b, 0x28, 0x50, 0xe4, 0x0f, 0xe8, 0x2d, 0x28, 0xd0, 0x02, 0x3d, 0xf5,
+	0x28, 0x59, 0xc9, 0xa9, 0x87, 0x02, 0x45, 0x8e, 0x3d, 0xf4, 0x96, 0x4b, 0x0b, 0xf4, 0xd4, 0x43,
-	0xd0, 0xfe, 0x01, 0xed, 0x39, 0x40, 0x2f, 0x3d, 0xf7, 0x10, 0x14, 0xfe, 0x07, 0x7a, 0x2b, 0xd0,
+	0xfb, 0x07, 0x34, 0xe7, 0x00, 0xed, 0xa1, 0xe7, 0x1e, 0x82, 0xc2, 0x7f, 0x44, 0x81, 0xde, 0x8a,
-	0x5b, 0xf1, 0x66, 0x66, 0xc9, 0xe1, 0x0f, 0x2d, 0xc9, 0xfa, 0xc4, 0x99, 0x37, 0xef, 0xc7, 0xbc,
+	0x37, 0x33, 0x4b, 0x0e, 0x7f, 0x68, 0x45, 0xd6, 0x27, 0xce, 0xbc, 0x79, 0x3f, 0xe6, 0xbd, 0x37,
-	0xf7, 0xe6, 0xbd, 0xf9, 0xcc, 0x12, 0xca, 0x6d, 0x87, 0xb3, 0x33, 0xe7, 0xdc, 0x8e, 0xe2, 0x90,
+	0xef, 0xcd, 0x67, 0x96, 0x50, 0xee, 0xd8, 0x9c, 0x9d, 0xda, 0x67, 0xf5, 0x30, 0x0a, 0x78, 0x40,
-	0x87, 0xe4, 0xdd, 0xd3, 0xf0, 0xf8, 0xdc, 0x3e, 0xee, 0x78, 0xbe, 0xfb, 0xc2, 0xe3, 0xf6, 0xcb,
+	0xae, 0x1c, 0x07, 0x87, 0x67, 0xf5, 0xc3, 0xae, 0xeb, 0x39, 0xaf, 0x5c, 0x5e, 0x3f, 0xf9, 0xff,
-	0xff, 0xb7, 0x5b, 0x71, 0x18, 0x70, 0x16, 0xb8, 0xe6, 0xc7, 0x6d, 0x8f, 0x9f, 0x74, 0x8e, 0xed,
+	0x7a, 0x3b, 0x0a, 0x7c, 0xce, 0x7c, 0xc7, 0xfc, 0xb8, 0xe3, 0xf2, 0xa3, 0xee, 0x61, 0xbd, 0x15,
-	0x66, 0x78, 0x5a, 0x6f, 0x87, 0xed, 0xb0, 0x2e, 0x24, 0x8e, 0x3b, 0x2d, 0x31, 0x13, 0x13, 0x31,
+	0x1c, 0x37, 0x3a, 0x41, 0x27, 0x68, 0x08, 0x89, 0xc3, 0x6e, 0x5b, 0xcc, 0xc4, 0x44, 0x8c, 0xa4,
-	0x92, 0x9a, 0xcc, 0xf5, 0x41, 0xf6, 0x76, 0x18, 0xb6, 0x7d, 0xe6, 0x44, 0x5e, 0xa2, 0x86, 0xf5,
+	0x26, 0x73, 0x75, 0x98, 0xbd, 0x13, 0x04, 0x1d, 0x8f, 0xd9, 0xa1, 0x1b, 0xab, 0x61, 0x23, 0x0a,
-	0x38, 0x6a, 0xd6, 0x13, 0xee, 0xf0, 0x4e, 0xa2, 0x64, 0x6e, 0x6a, 0x32, 0xb8, 0x91, 0x7a, 0xba,
+	0x5b, 0x8d, 0x98, 0xdb, 0xbc, 0x1b, 0x2b, 0x99, 0xdb, 0x9a, 0x0c, 0x6e, 0xa4, 0x91, 0x6c, 0xa4,
-	0x91, 0x7a, 0x12, 0xfa, 0x2f, 0x59, 0x5c, 0x8f, 0x8e, 0xeb, 0x61, 0x94, 0x72, 0xd7, 0x2f, 0xe4,
+	0x11, 0x07, 0xde, 0x09, 0x8b, 0x1a, 0xe1, 0x61, 0x23, 0x08, 0x13, 0xee, 0xc6, 0xb9, 0xdc, 0x76,
-	0x76, 0x22, 0xaf, 0xce, 0xcf, 0x23, 0x96, 0xd4, 0xcf, 0xc2, 0xf8, 0x05, 0x8b, 0x95, 0xc0, 0xed,
+	0xe8, 0x36, 0xf8, 0x59, 0xc8, 0xe2, 0xc6, 0x69, 0x10, 0xbd, 0x62, 0x91, 0x12, 0xb8, 0x7b, 0xae,
-	0x0b, 0x05, 0x3a, 0xdc, 0xf3, 0x51, 0xaa, 0xe9, 0x44, 0x09, 0x1a, 0xc1, 0x5f, 0x25, 0xa4, 0xbb,
+	0x40, 0x97, 0xbb, 0x1e, 0x4a, 0xb5, 0xec, 0x30, 0x46, 0x23, 0xf8, 0xab, 0x84, 0x74, 0xb7, 0x79,
-	0xcd, 0xc3, 0xc0, 0x4b, 0xb8, 0xe7, 0xb5, 0xbd, 0x7a, 0x2b, 0x11, 0x32, 0xd2, 0x0a, 0x3a, 0xa1,
+	0xe0, 0xbb, 0x31, 0x77, 0xdd, 0x8e, 0xdb, 0x68, 0xc7, 0x42, 0x46, 0x5a, 0x41, 0x27, 0x14, 0xfb,
-	0xd8, 0xef, 0x66, 0xb8, 0xd0, 0x89, 0x9b, 0x2c, 0x0a, 0x7d, 0xaf, 0x79, 0x8e, 0x36, 0xe4, 0x48,
+	0xfd, 0x14, 0x17, 0xba, 0x51, 0x8b, 0x85, 0x81, 0xe7, 0xb6, 0xce, 0xd0, 0x86, 0x1c, 0x49, 0x31,
-	0x8a, 0x59, 0x7f, 0xcb, 0x43, 0x81, 0xb2, 0xa4, 0xe3, 0x73, 0xb2, 0x02, 0xe5, 0x98, 0xb5, 0xb6,
+	0xeb, 0x6f, 0x59, 0xc8, 0x51, 0x16, 0x77, 0x3d, 0x4e, 0x96, 0xa0, 0x1c, 0xb1, 0xf6, 0x26, 0x0b,
-	0x59, 0x14, 0xb3, 0xa6, 0xc3, 0x99, 0x5b, 0x33, 0x96, 0x8d, 0xd5, 0xc5, 0xbd, 0x19, 0xda, 0x4f,
+	0x23, 0xd6, 0xb2, 0x39, 0x73, 0x6a, 0xc6, 0xa2, 0xb1, 0x5c, 0xd8, 0x99, 0xa1, 0x83, 0x64, 0xf2,
-	0x26, 0x3f, 0x82, 0x4a, 0xcc, 0x5a, 0x89, 0xc6, 0x38, 0xbb, 0x6c, 0xac, 0x16, 0xd7, 0x3f, 0xb2,
+	0x13, 0xa8, 0x44, 0xac, 0x1d, 0x6b, 0x8c, 0xb3, 0x8b, 0xc6, 0x72, 0x71, 0xf5, 0x56, 0xfd, 0xdc,
-	0x2f, 0xcc, 0xa1, 0x4d, 0x59, 0xeb, 0xd0, 0x89, 0x7a, 0x22, 0x7b, 0x33, 0x74, 0x40, 0x09, 0x59,
+	0x1c, 0xd6, 0x29, 0x6b, 0xef, 0xdb, 0x61, 0x5f, 0x64, 0x67, 0x86, 0x0e, 0x29, 0x21, 0xab, 0x90,
-	0x87, 0x5c, 0xcc, 0x5a, 0xb5, 0x9c, 0xd0, 0x75, 0x25, 0x5b, 0xd7, 0xde, 0x0c, 0x45, 0x66, 0xb2,
+	0x89, 0x58, 0xbb, 0x96, 0x11, 0xba, 0xae, 0xa6, 0xeb, 0xda, 0x99, 0xa1, 0xc8, 0x4c, 0xd6, 0x20,
-	0x01, 0x79, 0xd4, 0x52, 0xcb, 0x0b, 0xa1, 0xab, 0x63, 0x37, 0xb0, 0x37, 0x43, 0x85, 0x00, 0x79,
+	0x8b, 0x5a, 0x6a, 0x59, 0x21, 0x74, 0xed, 0xc2, 0x0d, 0xec, 0xcc, 0x50, 0x21, 0x40, 0x9e, 0x42,
-	0x0c, 0x0b, 0xa7, 0x8c, 0x3b, 0xae, 0xc3, 0x9d, 0x1a, 0x2c, 0xe7, 0x56, 0x8b, 0xeb, 0xf5, 0x4c,
+	0xfe, 0x98, 0x71, 0xdb, 0xb1, 0xb9, 0x5d, 0x83, 0xc5, 0xcc, 0x72, 0x71, 0xb5, 0x91, 0x2a, 0x8c,
-	0x61, 0x0c, 0x90, 0x7d, 0xa8, 0x24, 0x76, 0x02, 0x1e, 0x9f, 0xd3, 0xae, 0x02, 0xf2, 0x1c, 0x4a,
+	0x01, 0xaa, 0xef, 0x2b, 0x89, 0x2d, 0x9f, 0x47, 0x67, 0xb4, 0xa7, 0x80, 0xbc, 0x84, 0x92, 0xcd,
-	0x0e, 0xe7, 0x0c, 0x93, 0xe1, 0x85, 0x41, 0x52, 0x2b, 0x09, 0x85, 0xb7, 0xc7, 0x2b, 0x7c, 0xa4,
+	0x39, 0xc3, 0x64, 0xb8, 0x81, 0x1f, 0xd7, 0x4a, 0x42, 0xe1, 0xdd, 0x8b, 0x15, 0x3e, 0xd1, 0xa4,
-	0x49, 0x49, 0xa5, 0x7d, 0x8a, 0xcc, 0x07, 0x50, 0xee, 0xb3, 0x49, 0xaa, 0x90, 0x7b, 0xc1, 0xce,
+	0xa4, 0xd2, 0x01, 0x45, 0xe6, 0x23, 0x28, 0x0f, 0xd8, 0x24, 0x55, 0xc8, 0xbc, 0x62, 0x67, 0x32,
-	0x65, 0x62, 0x28, 0x0e, 0xc9, 0x65, 0x98, 0x7b, 0xe9, 0xf8, 0x1d, 0x26, 0x72, 0x50, 0xa2, 0x72,
+	0x31, 0x14, 0x87, 0xe4, 0x32, 0xcc, 0x9d, 0xd8, 0x5e, 0x97, 0x89, 0x1c, 0x94, 0xa8, 0x9c, 0x3c,
-	0x72, 0x7f, 0xf6, 0x9e, 0x61, 0x9e, 0xc0, 0xa5, 0x21, 0xfd, 0x23, 0x14, 0xfc, 0x40, 0x57, 0x50,
+	0x9c, 0x7d, 0x60, 0x98, 0x47, 0x70, 0x69, 0x44, 0xff, 0x18, 0x05, 0x3f, 0xd2, 0x15, 0x14, 0x57,
-	0x5c, 0xff, 0x30, 0x63, 0xd7, 0xba, 0x3a, 0xcd, 0xd2, 0xe6, 0x02, 0x14, 0x62, 0xe1, 0x90, 0xf5,
+	0x3f, 0x4a, 0xd9, 0xb5, 0xae, 0x4e, 0xb3, 0xb4, 0x9e, 0x87, 0x5c, 0x24, 0x1c, 0xb2, 0x7e, 0x67,
-	0x1b, 0x03, 0xaa, 0x83, 0xa9, 0x26, 0xfb, 0x2a, 0x49, 0x86, 0x08, 0xcb, 0xdd, 0x29, 0x4e, 0x09,
+	0x40, 0x75, 0x38, 0xd5, 0x64, 0x57, 0x25, 0xc9, 0x10, 0x61, 0xb9, 0x3f, 0xc5, 0x29, 0x41, 0x82,
-	0x12, 0x54, 0x60, 0x84, 0x0a, 0x73, 0x03, 0x16, 0xbb, 0xa4, 0x71, 0xc1, 0x58, 0xd4, 0xb6, 0x68,
+	0x0a, 0x8c, 0x50, 0x61, 0xae, 0x41, 0xa1, 0x47, 0xba, 0x28, 0x18, 0x05, 0x6d, 0x8b, 0xd6, 0x1a,
-	0x6d, 0x40, 0x8e, 0xb2, 0x16, 0xa9, 0xc0, 0xac, 0xa7, 0xce, 0x35, 0x9d, 0xf5, 0x5c, 0xb2, 0x0c,
+	0x64, 0x28, 0x6b, 0x93, 0x0a, 0xcc, 0xba, 0xea, 0x5c, 0xd3, 0x59, 0xd7, 0x21, 0x8b, 0x90, 0x71,
-	0x39, 0x97, 0xb5, 0x94, 0xeb, 0x15, 0x3b, 0x3a, 0xb6, 0xb7, 0x59, 0xcb, 0x0b, 0x3c, 0x74, 0x91,
+	0x58, 0x5b, 0xb9, 0x5e, 0xa9, 0x87, 0x87, 0xf5, 0x4d, 0xd6, 0x76, 0x7d, 0x17, 0x5d, 0xa4, 0xb8,
-	0xe2, 0x92, 0xf5, 0x3b, 0x03, 0xeb, 0x03, 0xb7, 0x45, 0x3e, 0xe9, 0xf3, 0x63, 0xfc, 0x69, 0x1f,
+	0x64, 0xfd, 0xde, 0xc0, 0xfa, 0xc0, 0x6d, 0x91, 0x4f, 0x06, 0xfc, 0xb8, 0xf8, 0xb4, 0x8f, 0xec,
-	0xda, 0xfd, 0xf3, 0xec, 0xdd, 0xdf, 0xe9, 0xcf, 0xc4, 0x98, 0x12, 0xd0, 0xbd, 0xfb, 0x31, 0x94,
+	0xfe, 0x65, 0xfa, 0xee, 0xef, 0x0d, 0x66, 0xe2, 0x82, 0x12, 0xd0, 0xbd, 0xfb, 0x29, 0x94, 0xf4,
-	0xf4, 0xdc, 0x90, 0x3d, 0x28, 0x6a, 0xe7, 0x48, 0x6d, 0x78, 0x65, 0xb2, 0xcc, 0x52, 0x5d, 0xd4,
+	0xdc, 0x90, 0x1d, 0x28, 0x6a, 0xe7, 0x48, 0x6d, 0x78, 0x69, 0xb2, 0xcc, 0x52, 0x5d, 0xd4, 0xfa,
-	0xfa, 0x43, 0x0e, 0x8a, 0xda, 0x22, 0x79, 0x08, 0xf9, 0x17, 0x5e, 0x20, 0x43, 0x58, 0x59, 0x5f,
+	0x63, 0x06, 0x8a, 0xda, 0x22, 0x79, 0x0c, 0xd9, 0x57, 0xae, 0x2f, 0x43, 0x58, 0x59, 0x5d, 0x99,
-	0x9b, 0x4c, 0xe5, 0x63, 0x2f, 0x70, 0xa9, 0x90, 0x23, 0x0d, 0xad, 0xee, 0x66, 0xc5, 0xb6, 0xee,
+	0x4c, 0xe5, 0x53, 0xd7, 0x77, 0xa8, 0x90, 0x23, 0x4d, 0xad, 0xee, 0x66, 0xc5, 0xb6, 0xee, 0x4d,
-	0x4c, 0xa6, 0xe3, 0xc2, 0xe2, 0xbb, 0x35, 0x45, 0xdb, 0x90, 0x4d, 0x83, 0x40, 0x3e, 0x72, 0xf8,
+	0xa6, 0xe3, 0xdc, 0xe2, 0xbb, 0x33, 0x45, 0xdb, 0x90, 0x4d, 0x83, 0x40, 0x36, 0xb4, 0xf9, 0x91,
-	0x89, 0x68, 0x1a, 0x8b, 0x54, 0x8c, 0xc9, 0x2d, 0x78, 0xcb, 0x0b, 0x9e, 0x85, 0x3c, 0x6c, 0xc4,
+	0x68, 0x1a, 0x05, 0x2a, 0xc6, 0xe4, 0x0e, 0xbc, 0xe3, 0xfa, 0x2f, 0x02, 0x1e, 0x34, 0x23, 0xe6,
-	0xcc, 0xf5, 0xf0, 0xf0, 0x3d, 0x3b, 0x8f, 0x58, 0x6d, 0x4e, 0xb0, 0x8c, 0x5a, 0x22, 0x0d, 0xa8,
+	0xb8, 0x78, 0xf8, 0x5e, 0x9c, 0x85, 0xac, 0x36, 0x27, 0x58, 0xc6, 0x2d, 0x91, 0x26, 0x54, 0x24,
-	0x48, 0xf2, 0x51, 0xe7, 0xf8, 0x67, 0xac, 0xc9, 0x93, 0x5a, 0x41, 0xf8, 0xb3, 0x9a, 0xb1, 0x85,
+	0xf9, 0xa0, 0x7b, 0xf8, 0x0b, 0xd6, 0xe2, 0x71, 0x2d, 0x27, 0xfc, 0x59, 0x4e, 0xd9, 0xc2, 0xae,
-	0x7d, 0x5d, 0x80, 0x0e, 0xc8, 0xbf, 0x51, 0xb5, 0x5b, 0x7f, 0x36, 0xa0, 0xdc, 0xa7, 0x9e, 0x7c,
+	0x2e, 0x40, 0x87, 0xe4, 0xdf, 0xaa, 0xda, 0xad, 0xbf, 0x18, 0x50, 0x1e, 0x50, 0x4f, 0x3e, 0x1d,
-	0xda, 0x97, 0xaa, 0x9b, 0x93, 0x6e, 0x4b, 0x4b, 0xd6, 0x67, 0x50, 0x70, 0xbd, 0x36, 0x4b, 0xb8,
+	0x48, 0xd5, 0xed, 0x49, 0xb7, 0xa5, 0x25, 0xeb, 0x33, 0xc8, 0x39, 0x6e, 0x87, 0xc5, 0x5c, 0xa4,
-	0x48, 0xd5, 0xe2, 0xe6, 0xfa, 0xb7, 0xdf, 0xbd, 0x3f, 0xf3, 0x8f, 0xef, 0xde, 0x5f, 0xd3, 0xae,
+	0xaa, 0xb0, 0xbe, 0xfa, 0xdd, 0xf7, 0x1f, 0xcc, 0xfc, 0xf3, 0xfb, 0x0f, 0x56, 0xb4, 0xab, 0x26,
-	0x9a, 0x30, 0x62, 0x41, 0x33, 0x0c, 0xb8, 0xe3, 0x05, 0x2c, 0xc6, 0x0b, 0xf6, 0x63, 0x29, 0x62,
+	0x08, 0x99, 0xdf, 0x0a, 0x7c, 0x6e, 0xbb, 0x3e, 0x8b, 0xf0, 0x82, 0xfd, 0x58, 0x8a, 0xd4, 0x37,
-	0x6f, 0x8b, 0x1f, 0xaa, 0x34, 0x60, 0xd0, 0x03, 0xe7, 0x94, 0x89, 0x3c, 0x2d, 0x52, 0x31, 0xb6,
+	0xc5, 0x0f, 0x55, 0x1a, 0x30, 0xe8, 0xbe, 0x7d, 0xcc, 0x44, 0x9e, 0x0a, 0x54, 0x8c, 0x2d, 0x0e,
-	0x38, 0x94, 0x29, 0xe3, 0x9d, 0x38, 0xa0, 0xec, 0xe7, 0x1d, 0x64, 0xfa, 0x5e, 0xda, 0x48, 0xc4,
+	0x65, 0xca, 0x78, 0x37, 0xf2, 0x29, 0xfb, 0x65, 0x17, 0x99, 0x7e, 0x90, 0x34, 0x12, 0xb1, 0xe9,
-	0xa6, 0xc7, 0x35, 0x74, 0x64, 0xa4, 0x4a, 0x80, 0xac, 0xc2, 0x1c, 0x8b, 0xe3, 0x30, 0x56, 0xc5,
+	0x8b, 0x1a, 0x3a, 0x32, 0x52, 0x25, 0x40, 0x96, 0x61, 0x8e, 0x45, 0x51, 0x10, 0xa9, 0xe2, 0x21,
-	0x43, 0x6c, 0x79, 0xd5, 0xdb, 0x71, 0xd4, 0xb4, 0x8f, 0xc4, 0x55, 0x4f, 0x25, 0x83, 0x55, 0x85,
+	0x75, 0x79, 0xd5, 0xd7, 0xa3, 0xb0, 0x55, 0x3f, 0x10, 0x57, 0x3d, 0x95, 0x0c, 0x56, 0x15, 0x2a,
-	0x4a, 0x6a, 0x35, 0x89, 0xc2, 0x20, 0x61, 0xd6, 0x12, 0x86, 0x2e, 0xea, 0xf0, 0x44, 0xed, 0xc3,
+	0x89, 0xd5, 0x38, 0x0c, 0xfc, 0x98, 0x59, 0x0b, 0x18, 0xba, 0xb0, 0xcb, 0x63, 0xb5, 0x0f, 0xeb,
-	0xfa, 0xab, 0x01, 0x95, 0x94, 0x22, 0x79, 0xc8, 0x17, 0x50, 0xec, 0xb5, 0x86, 0xb4, 0x07, 0xdc,
+	0x5b, 0x03, 0x2a, 0x09, 0x45, 0xf2, 0x90, 0x2f, 0xa0, 0xd8, 0x6f, 0x0d, 0x49, 0x0f, 0x78, 0x98,
-	0xcf, 0x0c, 0xaa, 0x2e, 0xaf, 0xf5, 0x15, 0xd5, 0x12, 0x74, 0x75, 0xe6, 0x13, 0xa8, 0x0e, 0x32,
+	0x1a, 0x54, 0x5d, 0x5e, 0xeb, 0x2b, 0xaa, 0x25, 0xe8, 0xea, 0xcc, 0x67, 0x50, 0x1d, 0x66, 0x18,
-	0x8c, 0xc8, 0xfe, 0x07, 0xfd, 0x0d, 0x62, 0xb0, 0x5f, 0x69, 0xa7, 0xe1, 0x5f, 0x06, 0xbc, 0x4b,
+	0x93, 0xfd, 0x0f, 0x07, 0x1b, 0xc4, 0x70, 0xbf, 0xd2, 0x4e, 0xc3, 0xb7, 0xb3, 0x70, 0x85, 0x32,
-	0x99, 0xc0, 0x2e, 0xfb, 0xa7, 0x4e, 0x9b, 0x6d, 0x85, 0x41, 0xcb, 0x6b, 0xa7, 0x61, 0xae, 0x8a,
+	0x81, 0x5d, 0x76, 0x8f, 0xed, 0x0e, 0xdb, 0x08, 0xfc, 0xb6, 0xdb, 0x49, 0xc2, 0x5c, 0x15, 0xcd,
-	0x66, 0x98, 0x6a, 0xc6, 0xbe, 0xb8, 0x0a, 0x0b, 0x0d, 0xdf, 0xe1, 0xad, 0x30, 0x3e, 0x55, 0xca,
+	0x30, 0xd1, 0x8c, 0x7d, 0x71, 0x19, 0xf2, 0x4d, 0xcf, 0xe6, 0xed, 0x20, 0x3a, 0x56, 0xca, 0x4b,
-	0x4b, 0xa8, 0x3c, 0xa5, 0xd1, 0xee, 0x2a, 0x59, 0x86, 0xa2, 0x52, 0x7c, 0x18, 0xba, 0x69, 0x3a,
+	0xa8, 0x3c, 0xa1, 0xd1, 0xde, 0x2a, 0x59, 0x84, 0xa2, 0x52, 0xbc, 0x1f, 0x38, 0x49, 0x3a, 0x75,
-	0x75, 0x12, 0xa9, 0xc1, 0xfc, 0x41, 0xd8, 0x7e, 0x82, 0xc9, 0x96, 0x15, 0x96, 0x4e, 0x89, 0x05,
+	0x12, 0xa9, 0xc1, 0xfc, 0x5e, 0xd0, 0x79, 0x86, 0xc9, 0x96, 0x15, 0x96, 0x4c, 0x89, 0x05, 0x25,
-	0x25, 0xc5, 0x18, 0x77, 0xab, 0x6b, 0x8e, 0xf6, 0xd1, 0xc8, 0x7b, 0xb0, 0x78, 0xc4, 0x92, 0xc4,
+	0xc5, 0x18, 0xf5, 0xaa, 0x6b, 0x8e, 0x0e, 0xd0, 0xc8, 0xfb, 0x50, 0x38, 0x60, 0x71, 0xec, 0x06,
-	0x0b, 0x83, 0xfd, 0xed, 0x5a, 0x41, 0xc8, 0xf7, 0x08, 0xa8, 0xfb, 0x88, 0x87, 0x31, 0xdb, 0xdf,
+	0xfe, 0xee, 0x66, 0x2d, 0x27, 0xe4, 0xfb, 0x04, 0xd4, 0x7d, 0xc0, 0x83, 0x88, 0xed, 0x6e, 0xd6,
-	0xae, 0xcd, 0x4b, 0xdd, 0x6a, 0x6a, 0xfd, 0xc2, 0x00, 0x73, 0x94, 0xc7, 0x2a, 0x7d, 0x9f, 0x41,
+	0xe6, 0xa5, 0x6e, 0x35, 0x25, 0xfb, 0x50, 0x39, 0x10, 0x38, 0xa7, 0x89, 0xe8, 0xc6, 0x65, 0x71,
-	0x41, 0x1e, 0x48, 0xe9, 0xf5, 0xff, 0x76, 0x94, 0xe5, 0x2f, 0x79, 0x07, 0x0a, 0x52, 0xbb, 0xaa,
+	0x2d, 0x2f, 0x52, 0x74, 0x63, 0x34, 0x45, 0x3a, 0x1e, 0xaa, 0x0b, 0xf6, 0x33, 0x3a, 0x24, 0x6c,
-	0x42, 0x35, 0xb3, 0x7e, 0x55, 0x80, 0xd2, 0x11, 0x6e, 0x20, 0x8d, 0xb3, 0x0d, 0xd0, 0x4b, 0x8f,
+	0xfd, 0xd6, 0x00, 0x73, 0x5c, 0x00, 0xd5, 0x69, 0xf8, 0x0c, 0x72, 0xf2, 0x7c, 0xcb, 0x20, 0xfe,
-	0x3a, 0xd2, 0x83, 0x49, 0xd3, 0x38, 0x88, 0x09, 0x0b, 0xbb, 0xea, 0xf8, 0xa8, 0x1b, 0xac, 0x3b,
+	0x6f, 0x95, 0x21, 0x7f, 0xc9, 0x7b, 0x90, 0x93, 0xda, 0x55, 0x51, 0xab, 0x59, 0x92, 0xa5, 0x4c,
-	0x27, 0x9f, 0x43, 0x31, 0x1d, 0x3f, 0x8d, 0x78, 0x2d, 0x27, 0xce, 0xdf, 0xbd, 0x8c, 0xf3, 0xa7,
+	0x2f, 0x4b, 0xd6, 0xaf, 0x73, 0x50, 0x3a, 0xc0, 0x2d, 0x25, 0x89, 0xac, 0x03, 0xf4, 0xf3, 0xaf,
-	0xef, 0xc4, 0xd6, 0x44, 0xd5, 0xe9, 0xd3, 0x28, 0xe4, 0x26, 0x5c, 0x72, 0x7c, 0x3f, 0x3c, 0x53,
+	0x6a, 0x66, 0xf8, 0x54, 0x68, 0x1c, 0xc4, 0x84, 0xfc, 0xb6, 0x3a, 0x9f, 0xea, 0x8a, 0xec, 0xcd,
-	0x25, 0x25, 0x8a, 0x43, 0x24, 0x67, 0x81, 0x0e, 0x2f, 0x60, 0xab, 0xd4, 0x88, 0x8f, 0xe2, 0xd8,
+	0xc9, 0xe7, 0x50, 0x4c, 0xc6, 0xcf, 0x43, 0x5e, 0xcb, 0x88, 0xe8, 0x3d, 0x48, 0x39, 0xe0, 0xfa,
-	0x39, 0xc7, 0xd3, 0x54, 0x10, 0xfc, 0xa3, 0x96, 0xb0, 0x6b, 0xed, 0x7a, 0x81, 0xe3, 0xd7, 0x40,
+	0x4e, 0xea, 0x9a, 0xa8, 0x3a, 0xde, 0x1a, 0x85, 0xdc, 0x86, 0x4b, 0xb6, 0xe7, 0x05, 0xa7, 0xaa,
-	0xf0, 0xc8, 0x09, 0x9e, 0x86, 0x9d, 0x57, 0x51, 0x18, 0x73, 0x16, 0x3f, 0xe2, 0x3c, 0xae, 0x15,
+	0x66, 0x45, 0xf5, 0x89, 0xec, 0xe7, 0xe9, 0xe8, 0x02, 0xf6, 0x62, 0x8d, 0xf8, 0x24, 0x8a, 0xec,
-	0x45, 0x30, 0xfb, 0x68, 0xa4, 0x01, 0xa5, 0x2d, 0xa7, 0x79, 0xc2, 0xf6, 0x4f, 0x91, 0x98, 0x22,
+	0x33, 0x0c, 0x44, 0x4e, 0xf0, 0x8f, 0x5b, 0xc2, 0xb6, 0xb8, 0xed, 0xfa, 0xb6, 0x57, 0x03, 0xc1,
-	0xab, 0xac, 0x5e, 0x26, 0xd8, 0x9f, 0x46, 0x3a, 0xa4, 0xd2, 0x35, 0x90, 0x26, 0x54, 0x52, 0xd7,
+	0x23, 0x27, 0x78, 0xdc, 0xb6, 0x5e, 0x87, 0x41, 0xc4, 0x59, 0xf4, 0x84, 0xf3, 0xa8, 0x56, 0x14,
-	0x65, 0x85, 0xd6, 0xca, 0x42, 0xe7, 0x83, 0x69, 0x43, 0x29, 0xa5, 0xa5, 0x89, 0x01, 0x95, 0x98,
+	0xe1, 0x1d, 0xa0, 0x91, 0x26, 0x94, 0x36, 0xec, 0xd6, 0x11, 0xdb, 0x3d, 0x46, 0x62, 0x02, 0xdd,
-	0xc8, 0x1d, 0x2c, 0x46, 0x87, 0xb3, 0x5a, 0x45, 0xf8, 0xdc, 0x9d, 0x93, 0x43, 0xa8, 0x1c, 0x09,
+	0xd2, 0x9a, 0xa5, 0x60, 0x7f, 0x1e, 0xea, 0x98, 0x4d, 0xd7, 0x40, 0x5a, 0x50, 0x49, 0x5c, 0x97,
-	0x40, 0xde, 0x40, 0x18, 0xee, 0xb1, 0xa4, 0xb6, 0x24, 0x36, 0x70, 0x7d, 0x78, 0x03, 0x3a, 0x70,
+	0x2d, 0xa0, 0x56, 0x16, 0x3a, 0x1f, 0x4d, 0x1b, 0x4a, 0x29, 0x2d, 0x4d, 0x0c, 0xa9, 0xc4, 0x44,
-	0xb7, 0x05, 0xfb, 0x39, 0x1d, 0x10, 0x36, 0x1f, 0x42, 0x75, 0x30, 0xb9, 0xd3, 0x00, 0x23, 0xf3,
+	0x6e, 0x61, 0xb5, 0xdb, 0x9c, 0xd5, 0x2a, 0xc2, 0xe7, 0xde, 0x7c, 0x4c, 0x25, 0x2c, 0xbc, 0x45,
-	0x87, 0xf0, 0xd6, 0x08, 0x8f, 0xde, 0xa8, 0xf9, 0xfc, 0xc9, 0x80, 0x4b, 0x43, 0x69, 0xc0, 0x0b,
+	0x25, 0x98, 0x8f, 0xa1, 0x3a, 0x9c, 0xdc, 0x69, 0x90, 0x97, 0xf9, 0x63, 0x78, 0x67, 0x8c, 0x47,
-	0x40, 0x14, 0xbd, 0x54, 0x29, 0xc6, 0xe4, 0x10, 0xe6, 0x30, 0xcd, 0x89, 0x82, 0x02, 0x1b, 0xd3,
+	0x6f, 0xd5, 0xdd, 0xfe, 0x6c, 0xc0, 0xa5, 0x91, 0x34, 0xe0, 0x0d, 0x23, 0xba, 0x8a, 0x54, 0x29,
-	0xe4, 0xd5, 0x16, 0x92, 0x32, 0xfe, 0x52, 0x8b, 0x79, 0x0f, 0xa0, 0x47, 0x9c, 0x0a, 0x1e, 0x7e,
+	0xc6, 0x64, 0x1f, 0xe6, 0x30, 0xcd, 0xb1, 0xc2, 0x1a, 0x6b, 0xd3, 0xe4, 0xb5, 0x2e, 0x24, 0x65,
-	0x01, 0x65, 0x95, 0x64, 0xd5, 0x2f, 0xaa, 0x12, 0x55, 0x28, 0x61, 0x44, 0x0d, 0xbd, 0xbb, 0x29,
+	0xfc, 0xa5, 0x16, 0xf3, 0x01, 0x40, 0x9f, 0x38, 0x15, 0xfe, 0xfc, 0x02, 0xca, 0x2a, 0xc9, 0xaa,
-	0x37, 0xe5, 0xdd, 0x64, 0x7d, 0x05, 0x4b, 0x94, 0x39, 0xee, 0xae, 0xe7, 0xb3, 0x8b, 0x5b, 0x30,
+	0x83, 0x54, 0x25, 0x6c, 0x51, 0xc2, 0x08, 0x4b, 0xfa, 0x97, 0x5f, 0x66, 0xca, 0xcb, 0xcf, 0xfa,
-	0x16, 0xbf, 0xe7, 0xb3, 0x06, 0x22, 0x93, 0xb4, 0xf8, 0xd5, 0x9c, 0xdc, 0x87, 0x39, 0xea, 0x04,
+	0x0a, 0x16, 0x28, 0xb3, 0x9d, 0x6d, 0xd7, 0x63, 0xe7, 0xf7, 0x78, 0x2c, 0x7e, 0xd7, 0x63, 0x4d,
-	0x6d, 0xa6, 0x4c, 0x7f, 0x90, 0x61, 0x5a, 0x18, 0x41, 0x5e, 0x2a, 0x45, 0xac, 0x07, 0xb0, 0xd8,
+	0x84, 0x3e, 0x49, 0xf1, 0xab, 0x39, 0x79, 0x08, 0x73, 0xd4, 0xf6, 0x3b, 0x4c, 0x99, 0xfe, 0x30,
-	0xa5, 0x61, 0xeb, 0x7a, 0xda, 0x6a, 0x25, 0x4c, 0xb6, 0xc1, 0x1c, 0x55, 0x33, 0xa4, 0x1f, 0xb0,
+	0xc5, 0xb4, 0x30, 0x82, 0xbc, 0x54, 0x8a, 0x58, 0x8f, 0xa0, 0xd0, 0xa3, 0x61, 0x33, 0x7b, 0xde,
-	0xa0, 0xad, 0x4c, 0xe7, 0xa8, 0x9a, 0x59, 0x2b, 0x08, 0xe7, 0xd3, 0x9d, 0xab, 0xd0, 0x10, 0xc8,
+	0x6e, 0xc7, 0x4c, 0x36, 0xc6, 0x0c, 0x55, 0x33, 0xa4, 0xef, 0x31, 0xbf, 0xa3, 0x4c, 0x67, 0xa8,
-	0x6f, 0x23, 0x7c, 0x33, 0x44, 0xbd, 0x8a, 0xb1, 0xe5, 0xe2, 0x9d, 0xea, 0xb8, 0xdb, 0x5e, 0x7c,
+	0x9a, 0x59, 0x4b, 0xf8, 0x5e, 0x48, 0x76, 0xae, 0x42, 0x43, 0x20, 0xbb, 0x89, 0xf8, 0xd0, 0x10,
-	0xb1, 0x83, 0x35, 0x98, 0xdf, 0xf6, 0x62, 0xcd, 0xbf, 0x74, 0x4a, 0x56, 0xf0, 0xb6, 0x6d, 0xfa,
+	0xf5, 0x2a, 0xc6, 0x96, 0x83, 0x97, 0xb6, 0xed, 0x6c, 0xba, 0xd1, 0xf9, 0x0e, 0xd6, 0x60, 0x7e,
-	0x1d, 0x17, 0xbd, 0xe5, 0x2c, 0x0e, 0xd4, 0xb5, 0x32, 0x40, 0xb5, 0x3e, 0x91, 0x71, 0x14, 0x56,
+	0xd3, 0x8d, 0x34, 0xff, 0x92, 0x29, 0x59, 0xc2, 0xeb, 0xbc, 0xe5, 0x75, 0x1d, 0xf4, 0x96, 0xb3,
-	0xd4, 0x66, 0x6e, 0xc2, 0x3c, 0x0b, 0x78, 0x8c, 0x65, 0x24, 0xaf, 0x64, 0x62, 0xcb, 0x07, 0xb2,
+	0xc8, 0x57, 0x5d, 0x75, 0x88, 0x6a, 0x7d, 0x22, 0xe3, 0x28, 0xac, 0xa8, 0xcd, 0xdc, 0x86, 0x79,
-	0x2d, 0x1e, 0xc8, 0xe2, 0xea, 0xa7, 0x29, 0x8b, 0xb5, 0x01, 0x4b, 0x48, 0xc8, 0x4e, 0x04, 0x81,
+	0xe6, 0xf3, 0x08, 0xcb, 0x48, 0xde, 0xf9, 0xa4, 0x2e, 0x5f, 0xe0, 0x75, 0xf1, 0x02, 0x17, 0xd8,
-	0xbc, 0xb6, 0x49, 0x31, 0xb6, 0xee, 0x43, 0xb5, 0x27, 0xa8, 0x4c, 0xaf, 0x40, 0x1e, 0xb1, 0xa9,
+	0x82, 0x26, 0x2c, 0xd6, 0x1a, 0x2c, 0x20, 0x21, 0x3d, 0x11, 0x04, 0xb2, 0xda, 0x26, 0xc5, 0xd8,
-	0xea, 0xeb, 0xa3, 0xec, 0x8a, 0x75, 0xeb, 0x1a, 0x2c, 0xa5, 0xc5, 0x7f, 0xa1, 0x51, 0x8b, 0x40,
+	0x7a, 0x08, 0xd5, 0xbe, 0xa0, 0x32, 0xbd, 0x04, 0x59, 0x04, 0xbf, 0xaa, 0xaf, 0x8f, 0xb3, 0x2b,
-	0xb5, 0xc7, 0xa4, 0x60, 0x49, 0x19, 0x8a, 0x0d, 0x2f, 0x48, 0x6f, 0x6d, 0xeb, 0xb5, 0x01, 0xa5,
+	0xd6, 0xad, 0xeb, 0xb0, 0x90, 0x14, 0xff, 0xb9, 0x46, 0x2d, 0x02, 0xd5, 0x3e, 0x93, 0xc2, 0x3d,
-	0x46, 0x18, 0xf4, 0xee, 0xb4, 0x06, 0x2c, 0xa5, 0xa5, 0xfb, 0xa8, 0xb1, 0xbf, 0xe5, 0x44, 0x69,
+	0x65, 0x28, 0x36, 0x5d, 0x3f, 0x81, 0x05, 0xd6, 0x1b, 0x03, 0x4a, 0xcd, 0xc0, 0xef, 0xdf, 0x72,
-	0x0c, 0x96, 0x87, 0xcf, 0x87, 0xfa, 0xc4, 0x60, 0x4b, 0xc6, 0xcd, 0x3c, 0x5e, 0x7f, 0x74, 0x50,
+	0x4d, 0x58, 0x48, 0x4a, 0xf7, 0x49, 0x73, 0x77, 0xc3, 0x0e, 0x93, 0x18, 0x2c, 0x8e, 0x9e, 0x0f,
-	0x9c, 0x7c, 0x0a, 0xf3, 0x07, 0x07, 0x9b, 0x42, 0xd3, 0xec, 0x54, 0x9a, 0x52, 0x31, 0xf2, 0x10,
+	0xf5, 0x0d, 0xa3, 0x2e, 0x19, 0xd7, 0xb3, 0x78, 0x21, 0xd2, 0x61, 0x71, 0xf2, 0x29, 0xcc, 0xef,
-	0xe6, 0x9f, 0x8b, 0x2f, 0x1f, 0x89, 0xba, 0xa2, 0x46, 0x9c, 0x55, 0x19, 0x21, 0xc9, 0x46, 0x59,
+	0xed, 0xad, 0x0b, 0x4d, 0xb3, 0x53, 0x69, 0x4a, 0xc4, 0xc8, 0x63, 0x98, 0x7f, 0x29, 0x3e, 0xad,
-	0x33, 0x8c, 0x5d, 0x9a, 0x0a, 0x59, 0xff, 0x36, 0xa0, 0xf8, 0xdc, 0xe9, 0x21, 0xc2, 0x1e, 0x04,
+	0xc4, 0xea, 0x8a, 0x1a, 0x73, 0x56, 0x65, 0x84, 0x24, 0x1b, 0x65, 0xad, 0x20, 0x72, 0x68, 0x22,
-	0x7d, 0x83, 0x7b, 0x5b, 0x41, 0xd0, 0xcb, 0x30, 0xe7, 0xb3, 0x97, 0xcc, 0x57, 0x67, 0x5c, 0x4e,
+	0x64, 0xfd, 0xdb, 0x80, 0xe2, 0x4b, 0xbb, 0x0f, 0x39, 0xfb, 0x18, 0xf7, 0x2d, 0x6e, 0x72, 0x85,
-	0x90, 0x9a, 0x9c, 0x84, 0xb1, 0x2c, 0xeb, 0x12, 0x95, 0x13, 0x2c, 0x08, 0x97, 0x71, 0xc7, 0xf3,
+	0x71, 0x2f, 0xc3, 0x9c, 0xc7, 0x4e, 0x98, 0xa7, 0xce, 0xb8, 0x9c, 0x20, 0x35, 0x3e, 0x0a, 0x22,
-	0x6b, 0xf9, 0xe5, 0x1c, 0xde, 0xf1, 0x72, 0x86, 0x99, 0xeb, 0xc4, 0xbe, 0x7a, 0x17, 0xe0, 0x90,
+	0x59, 0xd6, 0x25, 0x2a, 0x27, 0x58, 0x10, 0x0e, 0xe3, 0xb6, 0xeb, 0xd5, 0xb2, 0x8b, 0x19, 0xbc,
-	0x58, 0x90, 0xf7, 0x82, 0x56, 0x28, 0xee, 0x3f, 0xd5, 0x16, 0x65, 0x8b, 0xde, 0x0f, 0x5a, 0x21,
+	0xf5, 0xe5, 0x0c, 0x33, 0xd7, 0x8d, 0x3c, 0xf5, 0xf0, 0xc0, 0x21, 0xb1, 0x20, 0xeb, 0xfa, 0xed,
-	0x15, 0x6b, 0xe4, 0x2a, 0x14, 0x62, 0xac, 0xbf, 0xa4, 0x36, 0x2f, 0x82, 0xb2, 0x88, 0x5c, 0xb2,
+	0x40, 0xdc, 0x7f, 0xaa, 0x2d, 0xca, 0x16, 0xbd, 0xeb, 0xb7, 0x03, 0x2a, 0xd6, 0xc8, 0x35, 0xc8,
-	0x4a, 0xd5, 0x82, 0x55, 0x81, 0x92, 0xf4, 0x5b, 0x25, 0xff, 0x8f, 0xb3, 0xf0, 0xd6, 0x13, 0x76,
+	0x45, 0x58, 0x7f, 0x71, 0x6d, 0x5e, 0x04, 0xa5, 0x80, 0x5c, 0xb2, 0x4a, 0xd5, 0x82, 0x55, 0x81,
-	0xb6, 0x95, 0xfa, 0x95, 0x06, 0x64, 0x19, 0x8a, 0x5d, 0xda, 0xfe, 0xb6, 0x3a, 0x42, 0x3a, 0x09,
+	0x92, 0xf4, 0x5b, 0x25, 0xff, 0x4f, 0xb3, 0xf0, 0xce, 0x33, 0x76, 0xba, 0x91, 0xf8, 0x95, 0x04,
-	0x8d, 0x1d, 0x86, 0x9d, 0x80, 0xa7, 0x39, 0x14, 0xc6, 0x04, 0x85, 0xaa, 0x05, 0x72, 0x1d, 0xe6,
+	0x64, 0x11, 0x8a, 0x3d, 0xda, 0xee, 0xa6, 0x3a, 0x42, 0x3a, 0x09, 0x8d, 0xed, 0x07, 0x5d, 0x9f,
-	0x9f, 0x30, 0x7e, 0x16, 0xc6, 0x2f, 0x84, 0xd7, 0x95, 0xf5, 0x22, 0xf2, 0x3c, 0x61, 0x1c, 0x01,
+	0x27, 0x39, 0x14, 0xc6, 0x04, 0x85, 0xaa, 0x05, 0x72, 0x03, 0xe6, 0x9f, 0x31, 0x7e, 0x1a, 0x44,
-	0x1c, 0x4d, 0xd7, 0x10, 0x15, 0x46, 0x29, 0x2a, 0xcc, 0x8f, 0x42, 0x85, 0xe9, 0x2a, 0xd9, 0x80,
+	0xaf, 0x84, 0xd7, 0x95, 0xd5, 0x22, 0xf2, 0x3c, 0x63, 0x1c, 0x11, 0x22, 0x4d, 0xd6, 0x10, 0x76,
-	0x62, 0x33, 0x0c, 0x12, 0x1e, 0x3b, 0x1e, 0x1a, 0x9e, 0x13, 0xcc, 0x6f, 0x23, 0xb3, 0x4c, 0xec,
+	0x86, 0x09, 0xec, 0xcc, 0x8e, 0x83, 0x9d, 0xc9, 0x2a, 0x59, 0x83, 0x62, 0x2b, 0xf0, 0x63, 0x1e,
-	0x56, 0x6f, 0x91, 0xea, 0x9c, 0x64, 0x0d, 0x80, 0xbd, 0xe2, 0xb1, 0xb3, 0x17, 0x26, 0xdd, 0x17,
+	0xd9, 0x2e, 0x1a, 0x9e, 0x13, 0xcc, 0xef, 0x22, 0xb3, 0x4c, 0xec, 0x46, 0x7f, 0x91, 0xea, 0x9c,
-	0x14, 0xa0, 0x1c, 0x12, 0xf6, 0x1b, 0x54, 0x5b, 0xc5, 0x0e, 0x79, 0x12, 0x26, 0x5c, 0x3c, 0x23,
+	0x64, 0x05, 0x80, 0xbd, 0xe6, 0x91, 0xbd, 0x13, 0xc4, 0xbd, 0x27, 0x1a, 0xa0, 0x1c, 0x12, 0x76,
-	0x24, 0xfa, 0xeb, 0xce, 0xad, 0x77, 0xe0, 0x72, 0x7f, 0xb4, 0x54, 0x18, 0x1f, 0xc0, 0xff, 0x51,
+	0x9b, 0x54, 0x5b, 0xc5, 0x0e, 0x79, 0x14, 0xc4, 0x5c, 0xbc, 0x53, 0x24, 0xbc, 0xec, 0xcd, 0xad,
-	0xe6, 0x33, 0x27, 0x61, 0xd3, 0x47, 0xd2, 0x32, 0xa1, 0x36, 0x2c, 0xac, 0x14, 0xff, 0x27, 0x07,
+	0xf7, 0xe0, 0xf2, 0x60, 0xb4, 0x54, 0x18, 0x1f, 0xc1, 0xff, 0x51, 0xe6, 0x31, 0x3b, 0x66, 0xd3,
-	0xc5, 0x9d, 0x57, 0xac, 0x79, 0xc8, 0x92, 0xc4, 0x69, 0x0b, 0xdc, 0xda, 0x88, 0xc3, 0x26, 0x4b,
+	0x47, 0xd2, 0x32, 0xa1, 0x36, 0x2a, 0xac, 0x14, 0xff, 0x27, 0x03, 0xc5, 0xad, 0xd7, 0xac, 0xb5,
-	0x92, 0xae, 0xae, 0x1e, 0x81, 0x7c, 0x1f, 0xf2, 0xfb, 0x81, 0xc7, 0xd5, 0xdd, 0xb9, 0x92, 0xf9,
+	0xcf, 0xe2, 0xd8, 0xee, 0x08, 0x60, 0xdc, 0x8c, 0x82, 0x16, 0x8b, 0xe3, 0x9e, 0xae, 0x3e, 0x81,
-	0x6c, 0xf0, 0xb8, 0xd2, 0xb9, 0x37, 0x43, 0x85, 0x14, 0xb9, 0x0f, 0x79, 0xec, 0x3c, 0x93, 0x74,
+	0xfc, 0x10, 0xb2, 0xbb, 0xbe, 0xcb, 0xd5, 0xdd, 0xb9, 0x94, 0xfa, 0x2e, 0x71, 0xb9, 0xd2, 0xb9,
-	0x7f, 0x57, 0x93, 0x45, 0x19, 0xb2, 0x29, 0x3e, 0xef, 0x79, 0x5f, 0x32, 0x95, 0xc1, 0xd5, 0xec,
+	0x33, 0x43, 0x85, 0x14, 0x79, 0x08, 0x59, 0xec, 0x3c, 0x93, 0x74, 0x7f, 0x47, 0x93, 0x45, 0x19,
-	0x6b, 0xcb, 0xfb, 0x92, 0xf5, 0x34, 0x28, 0x49, 0xb2, 0x83, 0xa8, 0xdb, 0x89, 0x39, 0x73, 0x55,
+	0xb2, 0x2e, 0xbe, 0x1f, 0xba, 0x5f, 0x32, 0x95, 0xc1, 0xe5, 0xf4, 0x6b, 0xcb, 0xfd, 0x92, 0xf5,
-	0x66, 0x6f, 0x64, 0x81, 0x25, 0xc9, 0xd9, 0xd3, 0x92, 0xca, 0x62, 0x10, 0x76, 0x5e, 0x79, 0x5c,
+	0x35, 0x28, 0x49, 0xb2, 0x85, 0xb0, 0xde, 0x8e, 0x38, 0x73, 0x54, 0x66, 0x6f, 0xa6, 0x81, 0x25,
-	0x55, 0x4a, 0x56, 0x10, 0x90, 0x4d, 0x73, 0x04, 0xa7, 0x28, 0xbd, 0x1d, 0x06, 0x32, 0xf3, 0xd9,
+	0xc9, 0xd9, 0xd7, 0x92, 0xc8, 0x62, 0x10, 0xb6, 0x5e, 0xbb, 0x5c, 0x55, 0x4a, 0x5a, 0x10, 0x90,
-	0xd2, 0xc8, 0xa6, 0x49, 0xe3, 0x14, 0xc3, 0x70, 0xe4, 0xb5, 0x11, 0x83, 0x2e, 0x8c, 0x0d, 0x83,
+	0x4d, 0x73, 0x04, 0xa7, 0x28, 0xbd, 0x19, 0xf8, 0x32, 0xf3, 0xe9, 0xd2, 0xc8, 0xa6, 0x49, 0xe3,
-	0x64, 0xd4, 0xc2, 0x20, 0x09, 0x9b, 0xf3, 0x30, 0x27, 0x20, 0x92, 0xf5, 0x5b, 0x03, 0x8a, 0x5a,
+	0x14, 0xc3, 0x70, 0xe0, 0x76, 0x10, 0x83, 0xe6, 0x2f, 0x0c, 0x83, 0x64, 0xd4, 0xc2, 0x20, 0x09,
-	0x9e, 0x26, 0xa8, 0xc9, 0xf7, 0x20, 0x8f, 0x4f, 0x7b, 0x95, 0xff, 0x05, 0x51, 0x91, 0x8c, 0x3b,
+	0xeb, 0xf3, 0x30, 0x27, 0x20, 0x92, 0xf5, 0x77, 0x03, 0x8a, 0x5a, 0x9e, 0x26, 0xa8, 0xc9, 0xf7,
-	0x54, 0x50, 0xb1, 0xa9, 0xec, 0xba, 0xb2, 0x61, 0x96, 0x29, 0x0e, 0x91, 0xf2, 0x8c, 0x9f, 0x8b,
+	0x21, 0xbb, 0xcf, 0xc4, 0x37, 0x15, 0x34, 0x9e, 0x17, 0x15, 0xc9, 0xb8, 0x4d, 0x05, 0x15, 0x9b,
-	0x94, 0x2d, 0x50, 0x1c, 0x92, 0x9b, 0xb0, 0x70, 0xc4, 0x9a, 0x9d, 0xd8, 0xe3, 0xe7, 0x22, 0x09,
+	0xca, 0xb6, 0x23, 0x1b, 0x66, 0x99, 0xe2, 0x10, 0x29, 0x2f, 0xf8, 0x99, 0x48, 0x59, 0x9e, 0xe2,
-	0x95, 0xf5, 0xaa, 0x68, 0x35, 0x8a, 0x26, 0x0a, 0xb7, 0xcb, 0x61, 0x3d, 0xc6, 0xc3, 0xd9, 0xdb,
+	0x90, 0xdc, 0x86, 0xfc, 0x01, 0x6b, 0x75, 0x23, 0x97, 0x9f, 0x89, 0x24, 0x54, 0x56, 0xab, 0xa2,
-	0x20, 0x81, 0xfc, 0x16, 0xbe, 0xd6, 0x70, 0x67, 0x65, 0x2a, 0xc6, 0xf8, 0x60, 0xde, 0x19, 0xf7,
+	0xd5, 0x28, 0x9a, 0x28, 0xdc, 0x1e, 0x07, 0xb9, 0x05, 0x85, 0x98, 0xb5, 0x22, 0xc6, 0x99, 0x7f,
-	0x60, 0xde, 0x49, 0x1f, 0xcc, 0xfd, 0x49, 0xc5, 0x9b, 0x49, 0x0b, 0xb2, 0xf5, 0x08, 0x16, 0xbb,
+	0xa2, 0xaa, 0xaa, 0xac, 0xd8, 0x23, 0xc6, 0xb7, 0xfc, 0x13, 0xda, 0x5f, 0xb7, 0x9e, 0xe2, 0x49,
-	0x07, 0x8f, 0x54, 0x60, 0x76, 0xd7, 0x55, 0x96, 0x66, 0x77, 0x5d, 0x74, 0x65, 0xe7, 0xe9, 0xae,
+	0xee, 0x7b, 0x43, 0x20, 0xbb, 0x81, 0x6f, 0x47, 0x74, 0xa3, 0x4c, 0xc5, 0x18, 0x9f, 0xef, 0x5b,
-	0xb0, 0xb2, 0x40, 0x71, 0xd8, 0x05, 0x10, 0x39, 0x0d, 0x40, 0x6c, 0x40, 0xb9, 0xef, 0xf4, 0x21,
+	0x17, 0x3d, 0xdf, 0xb7, 0x92, 0xe7, 0xfb, 0xe0, 0x09, 0xc0, 0x6b, 0x4c, 0xcb, 0x88, 0xf5, 0x04,
-	0x13, 0x0d, 0xcf, 0x92, 0x74, 0xcb, 0x38, 0x96, 0x6e, 0xf8, 0x89, 0xd0, 0x25, 0xdc, 0xf0, 0x13,
+	0x0a, 0xbd, 0x53, 0x4a, 0x2a, 0x30, 0xbb, 0xed, 0x28, 0x4b, 0xb3, 0xdb, 0x0e, 0xfa, 0xbd, 0xf5,
-	0xeb, 0x1a, 0x94, 0xfb, 0xf2, 0x85, 0x4c, 0xe2, 0xed, 0xa9, 0x70, 0x26, 0x8e, 0xd7, 0x18, 0x2c,
+	0x7c, 0x5b, 0x58, 0xc9, 0x53, 0x1c, 0xf6, 0xd0, 0x46, 0x46, 0x43, 0x1b, 0x6b, 0x50, 0x1e, 0x38,
-	0x0d, 0x7c, 0x8e, 0x22, 0xd7, 0xa1, 0x20, 0x3f, 0x7b, 0x54, 0x67, 0xcc, 0x77, 0xbf, 0xfe, 0x66,
+	0xaa, 0xc8, 0x44, 0x83, 0xd3, 0x38, 0xd9, 0x32, 0x8e, 0xa5, 0x1b, 0x5e, 0x2c, 0x74, 0x09, 0x37,
-	0xf9, 0xed, 0x01, 0x06, 0xb9, 0x88, 0x6c, 0x9b, 0x9d, 0xc0, 0xf5, 0x59, 0xd5, 0x18, 0xc9, 0x26,
+	0xbc, 0xd8, 0xba, 0x0e, 0xe5, 0x81, 0xe4, 0x22, 0x93, 0x78, 0x09, 0x2b, 0x50, 0x8a, 0xe3, 0x15,
-	0x17, 0xcd, 0xfc, 0xaf, 0x7f, 0x7f, 0x65, 0x66, 0xcd, 0x81, 0x4b, 0x43, 0x9f, 0x52, 0xc8, 0x35,
+	0x06, 0x0b, 0x43, 0x1f, 0xc7, 0xc8, 0x0d, 0xc8, 0xc9, 0x8f, 0x30, 0xd5, 0x19, 0xf3, 0xca, 0xd7,
-	0xc8, 0x1f, 0x31, 0xbf, 0x95, 0x9a, 0x19, 0x62, 0xc0, 0x45, 0x72, 0x15, 0x72, 0xd4, 0x39, 0xab,
+	0xdf, 0x2c, 0xbe, 0x3b, 0xc4, 0x20, 0x17, 0x91, 0x6d, 0xbd, 0xeb, 0x3b, 0x1e, 0xab, 0x1a, 0x63,
-	0x1a, 0x66, 0xed, 0xeb, 0x6f, 0x96, 0x2f, 0x0f, 0x7f, 0x8f, 0x71, 0xce, 0xa4, 0x89, 0xf5, 0xbf,
+	0xd9, 0xe4, 0xa2, 0x99, 0xfd, 0xcd, 0x1f, 0xae, 0xce, 0xac, 0xd8, 0x70, 0x69, 0xe4, 0xc3, 0x0e,
-	0x00, 0x2c, 0x1e, 0x1c, 0x6c, 0x6e, 0xc6, 0x9e, 0xdb, 0x66, 0xe4, 0x97, 0x06, 0x90, 0xe1, 0x47,
+	0xb9, 0x0e, 0xd9, 0x03, 0xe6, 0xb5, 0x13, 0x33, 0x23, 0x0c, 0xb8, 0x48, 0xae, 0x41, 0x86, 0xda,
-	0x2f, 0xb9, 0x93, 0x5d, 0xe3, 0xa3, 0xbf, 0x0a, 0x98, 0x77, 0xa7, 0x94, 0x52, 0x28, 0xe4, 0x73,
+	0xa7, 0x55, 0xc3, 0xac, 0x7d, 0xfd, 0xcd, 0xe2, 0xe5, 0xd1, 0xaf, 0x43, 0xf6, 0xa9, 0x34, 0xb1,
-	0x98, 0x13, 0xd0, 0x99, 0x7c, 0x38, 0xe1, 0x0b, 0xca, 0x5c, 0x1d, 0xcf, 0xa8, 0x74, 0x37, 0x61,
+	0xfa, 0x57, 0x80, 0xc2, 0xde, 0xde, 0xfa, 0x7a, 0xe4, 0x3a, 0x1d, 0x46, 0x7e, 0x65, 0x00, 0x19,
-	0x21, 0x85, 0x9f, 0x64, 0x2d, 0x73, 0x7b, 0x7d, 0xe8, 0xda, 0xfc, 0x68, 0x22, 0x5e, 0x65, 0xe4,
+	0x7d, 0x33, 0x93, 0x7b, 0xe9, 0x0d, 0x61, 0xfc, 0x37, 0x0a, 0xf3, 0xfe, 0x94, 0x52, 0x0a, 0xb2,
-	0xa7, 0x30, 0xaf, 0x50, 0x25, 0xb9, 0x31, 0x46, 0xae, 0x87, 0x6f, 0xcd, 0xb5, 0x49, 0x58, 0x7b,
+	0x7c, 0x0e, 0x73, 0x02, 0x67, 0x93, 0x8f, 0x26, 0x7c, 0x6e, 0x99, 0xcb, 0x17, 0x33, 0x2a, 0xdd,
-	0x6e, 0xa4, 0xe8, 0x31, 0xd3, 0x8d, 0x01, 0x6c, 0x9a, 0xe9, 0xc6, 0x10, 0x1c, 0x6d, 0xf6, 0xde,
+	0x2d, 0xc8, 0x27, 0x58, 0x95, 0xac, 0xa4, 0x6e, 0x6f, 0x00, 0x8a, 0x9b, 0xb7, 0x26, 0xe2, 0x55,
-	0x9c, 0x99, 0x46, 0x06, 0xb0, 0x68, 0xa6, 0x91, 0x41, 0x48, 0x4a, 0x9e, 0x43, 0x1e, 0x21, 0x29,
+	0x46, 0x7e, 0x0e, 0xf3, 0x0a, 0x82, 0x92, 0x9b, 0x17, 0xc8, 0xf5, 0xc1, 0xb0, 0xb9, 0x32, 0x09,
-	0xc9, 0x6a, 0xbf, 0x1a, 0x66, 0x35, 0xb3, 0xce, 0x44, 0x1f, 0x96, 0xfd, 0x09, 0x5e, 0x53, 0xe2,
+	0x6b, 0xdf, 0x8d, 0x04, 0x6a, 0xa6, 0xba, 0x31, 0x04, 0x64, 0x53, 0xdd, 0x18, 0xc1, 0xae, 0xad,
-	0xf3, 0x42, 0xf6, 0x05, 0xa5, 0x7d, 0x2d, 0x34, 0x6f, 0x4c, 0xc0, 0xd9, 0x53, 0xaf, 0x9e, 0xe6,
+	0xfe, 0x03, 0x35, 0xd5, 0xc8, 0x10, 0x70, 0x4d, 0x35, 0x32, 0x8c, 0x5f, 0xc9, 0x4b, 0xc8, 0x22,
-	0xab, 0x13, 0x7c, 0xb2, 0x1b, 0xaf, 0x7e, 0xe0, 0xe3, 0x60, 0x08, 0x25, 0x1d, 0x7d, 0x10, 0x3b,
+	0x7e, 0x25, 0x69, 0xbd, 0x5a, 0x03, 0xb8, 0x66, 0xda, 0x99, 0x18, 0x00, 0xbe, 0x3f, 0xc3, 0x3b,
-	0x43, 0x74, 0x04, 0xa8, 0x33, 0xeb, 0x13, 0xf3, 0x2b, 0x83, 0x5f, 0xe1, 0xbb, 0xac, 0x1f, 0x99,
+	0x4d, 0x7c, 0x8b, 0x48, 0xbf, 0xcd, 0xb4, 0x6f, 0x97, 0xe6, 0xcd, 0x09, 0x38, 0xfb, 0xea, 0xd5,
-	0x90, 0xf5, 0xcc, 0x70, 0x8c, 0xc4, 0x40, 0xe6, 0xed, 0xa9, 0x64, 0x94, 0x71, 0x47, 0x22, 0x1f,
+	0x3b, 0x7e, 0x79, 0x82, 0x0f, 0x88, 0x17, 0xab, 0x1f, 0xfa, 0x54, 0x19, 0x40, 0x49, 0x87, 0x2a,
-	0x85, 0x6e, 0x48, 0xf6, 0x45, 0xde, 0x45, 0x48, 0xe6, 0x84, 0x7c, 0xab, 0xc6, 0x2d, 0x03, 0xcf,
+	0xa4, 0x9e, 0x22, 0x3a, 0x06, 0x01, 0x9a, 0x8d, 0x89, 0xf9, 0x95, 0xc1, 0xaf, 0xf0, 0x11, 0x37,
-	0x19, 0xa2, 0xe1, 0x4c, 0xdd, 0xda, 0x33, 0x21, 0xf3, 0x9c, 0xe9, 0xb0, 0x7a, 0xb3, 0xf4, 0xed,
+	0x08, 0x63, 0xc8, 0x6a, 0x6a, 0x38, 0xc6, 0x02, 0x26, 0xf3, 0xee, 0x54, 0x32, 0xca, 0xb8, 0x2d,
-	0xeb, 0x2b, 0xc6, 0xdf, 0x5f, 0x5f, 0x31, 0xfe, 0xf9, 0xfa, 0x8a, 0x71, 0x5c, 0x10, 0xff, 0x81,
+	0x61, 0x92, 0x82, 0x42, 0x24, 0xfd, 0xd6, 0xef, 0xc1, 0x29, 0x73, 0x42, 0xbe, 0x65, 0xe3, 0x8e,
-	0xde, 0xfe, 0x6f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xec, 0xb9, 0xed, 0xf9, 0x8c, 0x1e, 0x00, 0x00,
+	0x81, 0xe7, 0x0c, 0xa1, 0x73, 0xaa, 0x6e, 0xed, 0x4d, 0x91, 0x7a, 0xce, 0x74, 0x0c, 0xbe, 0x5e,
+	0xfa, 0xee, 0xcd, 0x55, 0xe3, 0x1f, 0x6f, 0xae, 0x1a, 0xff, 0x7a, 0x73, 0xd5, 0x38, 0xcc, 0x89,
+	0x7f, 0x64, 0xef, 0xfe, 0x37, 0x00, 0x00, 0xff, 0xff, 0x20, 0x47, 0x7d, 0x27, 0x1a, 0x1f, 0x00,
+	0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -4022,6 +4049,20 @@ func (m *ResolveImageConfigRequest) MarshalToSizedBuffer(dAtA []byte) (int, erro
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.SourcePolicies) > 0 {
+		for iNdEx := len(m.SourcePolicies) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.SourcePolicies[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGateway(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x42
+		}
+	}
 	if len(m.StoreID) > 0 {
 		i -= len(m.StoreID)
 		copy(dAtA[i:], m.StoreID)
@@ -4101,6 +4142,13 @@ func (m *ResolveImageConfigResponse) MarshalToSizedBuffer(dAtA []byte) (int, err
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.Ref) > 0 {
+		i -= len(m.Ref)
+		copy(dAtA[i:], m.Ref)
+		i = encodeVarintGateway(dAtA, i, uint64(len(m.Ref)))
+		i--
+		dAtA[i] = 0x1a
+	}
 	if len(m.Config) > 0 {
 		i -= len(m.Config)
 		copy(dAtA[i:], m.Config)
@@ -5348,6 +5396,20 @@ func (m *InitMessage) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if len(m.Secretenv) > 0 {
+		for iNdEx := len(m.Secretenv) - 1; iNdEx >= 0; iNdEx-- {
+			{
+				size, err := m.Secretenv[iNdEx].MarshalToSizedBuffer(dAtA[:i])
+				if err != nil {
+					return 0, err
+				}
+				i -= size
+				i = encodeVarintGateway(dAtA, i, uint64(size))
+			}
+			i--
+			dAtA[i] = 0x32
+		}
+	}
 	if m.Security != 0 {
 		i = encodeVarintGateway(dAtA, i, uint64(m.Security))
 		i--
@@ -5973,6 +6035,12 @@ func (m *ResolveImageConfigRequest) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovGateway(uint64(l))
 	}
+	if len(m.SourcePolicies) > 0 {
+		for _, e := range m.SourcePolicies {
+			l = e.Size()
+			n += 1 + l + sovGateway(uint64(l))
+		}
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -5993,6 +6061,10 @@ func (m *ResolveImageConfigResponse) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovGateway(uint64(l))
 	}
+	l = len(m.Ref)
+	if l > 0 {
+		n += 1 + l + sovGateway(uint64(l))
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -6586,6 +6658,12 @@ func (m *InitMessage) Size() (n int) {
 	if m.Security != 0 {
 		n += 1 + sovGateway(uint64(m.Security))
 	}
+	if len(m.Secretenv) > 0 {
+		for _, e := range m.Secretenv {
+			l = e.Size()
+			n += 1 + l + sovGateway(uint64(l))
+		}
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -8819,6 +8897,40 @@ func (m *ResolveImageConfigRequest) Unmarshal(dAtA []byte) error {
 			}
 			m.StoreID = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
+		case 8:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field SourcePolicies", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.SourcePolicies = append(m.SourcePolicies, &pb1.Policy{})
+			if err := m.SourcePolicies[len(m.SourcePolicies)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGateway(dAtA[iNdEx:])
@@ -8936,6 +9048,38 @@ func (m *ResolveImageConfigResponse) Unmarshal(dAtA []byte) error {
 				m.Config = []byte{}
 			}
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ref", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= uint64(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ref = string(dAtA[iNdEx:postIndex])
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGateway(dAtA[iNdEx:])
@@ -12261,6 +12405,40 @@ func (m *InitMessage) Unmarshal(dAtA []byte) error {
 					break
 				}
 			}
+		case 6:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Secretenv", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGateway
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGateway
+			}
+			postIndex := iNdEx + msglen
+			if postIndex < 0 {
+				return ErrInvalidLengthGateway
+			}
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Secretenv = append(m.Secretenv, &pb.SecretEnv{})
+			if err := m.Secretenv[len(m.Secretenv)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGateway(dAtA[iNdEx:])

vendor/github.com/moby/buildkit/frontend/gateway/pb/gateway.proto

@@ -11,6 +11,7 @@ import "github.com/tonistiigi/fsutil/types/stat.proto";
 import "github.com/moby/buildkit/sourcepolicy/pb/policy.proto";
 
 
+
 option (gogoproto.sizer_all) = true;
 option (gogoproto.marshaler_all) = true;
 option (gogoproto.unmarshaler_all) = true;
@@ -38,7 +39,7 @@ service LLBBridge {
 	rpc ExecProcess(stream ExecMessage) returns (stream ExecMessage);
 
 	// apicaps:CapGatewayWarnings
-	rpc Warn(WarnRequest) returns (WarnResponse); 
+	rpc Warn(WarnRequest) returns (WarnResponse);
 }
 
 message Result {
@@ -124,11 +125,13 @@ message ResolveImageConfigRequest {
 	int32 ResolverType = 5;
 	string SessionID = 6;
 	string StoreID = 7;
+	repeated moby.buildkit.v1.sourcepolicy.Policy SourcePolicies = 8;
 }
 
 message ResolveImageConfigResponse {
 	string Digest = 1 [(gogoproto.customtype) = "github.com/opencontainers/go-digest.Digest", (gogoproto.nullable) = false];
 	bytes Config = 2;
+	string Ref = 3;
 }
 
 message SolveRequest {
@@ -138,7 +141,7 @@ message SolveRequest {
 	// 4 was removed in BuildKit v0.11.0.
 	bool allowResultReturn = 5;
 	bool allowResultArrayRef = 6;
-	
+
 	// apicaps.CapSolveInlineReturn deprecated
 	bool Final = 10;
 	bytes ExporterAttr = 11;
@@ -165,7 +168,7 @@ message SolveResponse {
 	string ref = 1; // can be used by readfile request
 	// deprecated
 /*	bytes ExporterAttr = 2;*/
-	
+
 	// these fields are returned when allowMapReturn was set
 	Result result = 3;
 }
@@ -256,7 +259,7 @@ message ExecMessage {
 		// InitMessage sent from client to server will start a new process in a
 		// container
 		InitMessage Init = 2;
-		// FdMessage used from client to server for input (stdin) and 
+		// FdMessage used from client to server for input (stdin) and
 		// from server to client for output (stdout, stderr)
 		FdMessage File = 3;
 		// ResizeMessage used from client to server for terminal resize events
@@ -281,6 +284,7 @@ message InitMessage{
 	repeated uint32 Fds = 3;
 	bool Tty = 4;
 	pb.SecurityMode Security = 5;
+	repeated pb.SecretEnv secretenv = 6;
 }
 
 message ExitMessage {

vendor/github.com/moby/buildkit/session/filesync/filesync.go

@@ -4,8 +4,11 @@ import (
 	"context"
 	"fmt"
 	io "io"
+	"net/url"
 	"os"
+	"strconv"
 	"strings"
+	"unicode"
 
 	"github.com/moby/buildkit/session"
 	"github.com/pkg/errors"
@@ -82,6 +85,7 @@ func (sp *fsSyncProvider) handle(method string, stream grpc.ServerStream) (retEr
 	}
 
 	opts, _ := metadata.FromIncomingContext(stream.Context()) // if no metadata continue with empty object
+	opts = decodeOpts(opts)
 
 	dirName := ""
 	name, ok := opts[keyDirName]
@@ -209,6 +213,8 @@ func FSSync(ctx context.Context, c session.Caller, opt FSSendRequestOpt) error {
 
 	var stream grpc.ClientStream
 
+	opts = encodeOpts(opts)
+
 	ctx = metadata.NewOutgoingContext(ctx, opts)
 
 	switch pr.name {
@@ -337,3 +343,60 @@ func (e InvalidSessionError) Error() string {
 func (e InvalidSessionError) Unwrap() error {
 	return e.err
 }
+
+func encodeOpts(opts map[string][]string) map[string][]string {
+	md := make(map[string][]string, len(opts))
+	for k, v := range opts {
+		out, encoded := encodeStringForHeader(v)
+		md[k] = out
+		if encoded {
+			md[k+"-encoded"] = []string{"1"}
+		}
+	}
+	return md
+}
+
+func decodeOpts(opts map[string][]string) map[string][]string {
+	md := make(map[string][]string, len(opts))
+	for k, v := range opts {
+		out := make([]string, len(v))
+		var isDecoded bool
+		if v, ok := opts[k+"-encoded"]; ok && len(v) > 0 {
+			if b, _ := strconv.ParseBool(v[0]); b {
+				isDecoded = true
+			}
+		}
+		if isDecoded {
+			for i, s := range v {
+				out[i], _ = url.QueryUnescape(s)
+			}
+		} else {
+			copy(out, v)
+		}
+		md[k] = out
+	}
+	return md
+}
+
+// encodeStringForHeader encodes a string value so it can be used in grpc header. This encoding
+// is backwards compatible and avoids encoding ASCII characters.
+func encodeStringForHeader(inputs []string) ([]string, bool) {
+	var encode bool
+	for _, input := range inputs {
+		for _, runeVal := range input {
+			// Only encode non-ASCII characters, and characters that have special
+			// meaning during decoding.
+			if runeVal > unicode.MaxASCII {
+				encode = true
+				break
+			}
+		}
+	}
+	if !encode {
+		return inputs, false
+	}
+	for i, input := range inputs {
+		inputs[i] = url.QueryEscape(input)
+	}
+	return inputs, true
+}

vendor/github.com/moby/buildkit/source/types/types.go

@@ -0,0 +1,10 @@
+package srctypes
+
+const (
+	DockerImageScheme = "docker-image"
+	GitScheme         = "git"
+	LocalScheme       = "local"
+	HTTPScheme        = "http"
+	HTTPSScheme       = "https"
+	OCIScheme         = "oci-layout"
+)

vendor/github.com/moby/buildkit/sourcepolicy/engine.go

@@ -0,0 +1,161 @@
+package sourcepolicy
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/solver/pb"
+	spb "github.com/moby/buildkit/sourcepolicy/pb"
+	"github.com/moby/buildkit/util/bklog"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+)
+
+var (
+	// ErrSourceDenied is returned by the policy engine when a source is denied by the policy.
+	ErrSourceDenied = errors.New("source denied by policy")
+
+	// ErrTooManyOps is returned by the policy engine when there are too many converts for a single source op.
+	ErrTooManyOps = errors.New("too many operations")
+)
+
+// Engine is the source policy engine.
+// It is responsible for evaluating a source policy against a source operation.
+// Create one with `NewEngine`
+//
+// Rule matching is delegated to the `Matcher` interface.
+// Mutations are delegated to the `Mutater` interface.
+type Engine struct {
+	pol     []*spb.Policy
+	sources map[string]*selectorCache
+}
+
+// NewEngine creates a new source policy engine.
+func NewEngine(pol []*spb.Policy) *Engine {
+	return &Engine{
+		pol: pol,
+	}
+}
+
+// TODO: The key here can't be used to cache attr constraint regexes.
+func (e *Engine) selectorCache(src *spb.Selector) *selectorCache {
+	if e.sources == nil {
+		e.sources = map[string]*selectorCache{}
+	}
+
+	key := src.MatchType.String() + " " + src.Identifier
+
+	if s, ok := e.sources[key]; ok {
+		return s
+	}
+
+	s := &selectorCache{Selector: src}
+
+	e.sources[key] = s
+	return s
+}
+
+// Evaluate evaluates a source operation against the policy.
+//
+// Policies are re-evaluated for each convert rule.
+// Evaluate will error if the there are too many converts for a single source op to prevent infinite loops.
+// This function may error out even if the op was mutated, in which case `true` will be returned along with the error.
+//
+// An error is returned when the source is denied by the policy.
+func (e *Engine) Evaluate(ctx context.Context, op *pb.Op) (bool, error) {
+	if len(e.pol) == 0 {
+		return false, nil
+	}
+
+	var mutated bool
+	const maxIterr = 20
+
+	for i := 0; ; i++ {
+		if i > maxIterr {
+			return mutated, errors.Wrapf(ErrTooManyOps, "too many mutations on a single source")
+		}
+
+		srcOp := op.GetSource()
+		if srcOp == nil {
+			return false, nil
+		}
+		if i == 0 {
+			ctx = bklog.WithLogger(ctx, bklog.G(ctx).WithField("orig", *srcOp).WithField("updated", op.GetSource()))
+		}
+
+		mut, err := e.evaluatePolicies(ctx, srcOp)
+		if mut {
+			mutated = true
+		}
+		if err != nil {
+			return mutated, err
+		}
+		if !mut {
+			break
+		}
+	}
+
+	return mutated, nil
+}
+
+func (e *Engine) evaluatePolicies(ctx context.Context, srcOp *pb.SourceOp) (bool, error) {
+	for _, pol := range e.pol {
+		mut, err := e.evaluatePolicy(ctx, pol, srcOp)
+		if mut || err != nil {
+			return mut, err
+		}
+	}
+	return false, nil
+}
+
+// evaluatePolicy evaluates a single policy against a source operation.
+// If the source is mutated the policy is short-circuited and `true` is returned.
+// If the source is denied, an error will be returned.
+//
+// For Allow/Deny rules, the last matching rule wins.
+// E.g. `ALLOW foo; DENY foo` will deny `foo`, `DENY foo; ALLOW foo` will allow `foo`.
+func (e *Engine) evaluatePolicy(ctx context.Context, pol *spb.Policy, srcOp *pb.SourceOp) (retMut bool, retErr error) {
+	ident := srcOp.GetIdentifier()
+
+	ctx = bklog.WithLogger(ctx, bklog.G(ctx).WithField("ref", ident))
+	defer func() {
+		if retMut || retErr != nil {
+			bklog.G(ctx).WithFields(
+				logrus.Fields{
+					"mutated":       retMut,
+					"updated":       srcOp.GetIdentifier(),
+					logrus.ErrorKey: retErr,
+				}).Debug("Evaluated source policy")
+		}
+	}()
+
+	var deny bool
+	for _, rule := range pol.Rules {
+		selector := e.selectorCache(rule.Selector)
+		matched, err := match(ctx, selector, ident, srcOp.Attrs)
+		if err != nil {
+			return false, errors.Wrap(err, "error matching source policy")
+		}
+		if !matched {
+			continue
+		}
+
+		switch rule.Action {
+		case spb.PolicyAction_ALLOW:
+			deny = false
+		case spb.PolicyAction_DENY:
+			deny = true
+		case spb.PolicyAction_CONVERT:
+			mut, err := mutate(ctx, srcOp, rule, selector, ident)
+			if err != nil || mut {
+				return mut, errors.Wrap(err, "error mutating source policy")
+			}
+		default:
+			return false, errors.Errorf("source policy: rule %s %s: unknown type %q", rule.Action, rule.Selector.Identifier, ident)
+		}
+	}
+
+	if deny {
+		return false, errors.Wrapf(ErrSourceDenied, "source %q denied by policy", ident)
+	}
+	return false, nil
+}

vendor/github.com/moby/buildkit/sourcepolicy/formatter.go

@@ -0,0 +1,92 @@
+package sourcepolicy
+
+import (
+	"regexp"
+
+	spb "github.com/moby/buildkit/sourcepolicy/pb"
+	"github.com/moby/buildkit/util/wildcard"
+	"github.com/pkg/errors"
+)
+
+// Source wraps a a protobuf source in order to store cached state such as the compiled regexes.
+type selectorCache struct {
+	*spb.Selector
+
+	re *regexp.Regexp
+	w  *wildcardCache
+}
+
+// Format formats the provided ref according to the match/type of the source.
+//
+// For example, if the source is a wildcard, the ref will be formatted with the wildcard in the source replacing the parameters in the destination.
+//
+//	matcher: wildcard source: "docker.io/library/golang:*"  match: "docker.io/library/golang:1.19" format: "docker.io/library/golang:${1}-alpine" result: "docker.io/library/golang:1.19-alpine"
+func (s *selectorCache) Format(match, format string) (string, error) {
+	switch s.MatchType {
+	case spb.MatchType_EXACT:
+		return s.Identifier, nil
+	case spb.MatchType_REGEX:
+		re, err := s.regex()
+		if err != nil {
+			return "", err
+		}
+		return re.ReplaceAllString(match, format), nil
+	case spb.MatchType_WILDCARD:
+		w, err := s.wildcard()
+		if err != nil {
+			return "", err
+		}
+		m := w.Match(match)
+		if m == nil {
+			return match, nil
+		}
+
+		return m.Format(format)
+	}
+	return "", errors.Errorf("unknown match type: %s", s.MatchType)
+}
+
+// wildcardCache wraps a wildcard.Wildcard to cache returned matches by ref.
+// This way a match only needs to be computed once per ref.
+type wildcardCache struct {
+	w *wildcard.Wildcard
+	m map[string]*wildcard.Match
+}
+
+func (w *wildcardCache) Match(ref string) *wildcard.Match {
+	if w.m == nil {
+		w.m = make(map[string]*wildcard.Match)
+	}
+
+	if m, ok := w.m[ref]; ok {
+		return m
+	}
+
+	m := w.w.Match(ref)
+	w.m[ref] = m
+	return m
+}
+
+func (s *selectorCache) wildcard() (*wildcardCache, error) {
+	if s.w != nil {
+		return s.w, nil
+	}
+	w, err := wildcard.New(s.Identifier)
+	if err != nil {
+		return nil, err
+	}
+	s.w = &wildcardCache{w: w}
+	return s.w, nil
+}
+
+func (s *selectorCache) regex() (*regexp.Regexp, error) {
+	if s.re != nil {
+		return s.re, nil
+	}
+	re, err := regexp.Compile(s.Identifier)
+	if err != nil {
+		return nil, err
+	}
+	s.re = re
+	return re, nil
+}

vendor/github.com/moby/buildkit/sourcepolicy/matcher.go

@@ -0,0 +1,58 @@
+package sourcepolicy
+
+import (
+	"context"
+	"regexp"
+
+	spb "github.com/moby/buildkit/sourcepolicy/pb"
+	"github.com/pkg/errors"
+)
+
+func match(ctx context.Context, src *selectorCache, ref string, attrs map[string]string) (bool, error) {
+	for _, c := range src.Constraints {
+		switch c.Condition {
+		case spb.AttrMatch_EQUAL:
+			if attrs[c.Key] != c.Value {
+				return false, nil
+			}
+		case spb.AttrMatch_NOTEQUAL:
+			if attrs[c.Key] == c.Value {
+				return false, nil
+			}
+		case spb.AttrMatch_MATCHES:
+			// TODO: Cache the compiled regex
+			matches, err := regexp.MatchString(c.Value, attrs[c.Key])
+			if err != nil {
+				return false, errors.Errorf("invalid regex %q: %v", c.Value, err)
+			}
+			if !matches {
+				return false, nil
+			}
+		default:
+			return false, errors.Errorf("unknown attr condition: %s", c.Condition)
+		}
+	}
+
+	if src.Identifier == ref {
+		return true, nil
+	}
+
+	switch src.MatchType {
+	case spb.MatchType_EXACT:
+		return false, nil
+	case spb.MatchType_REGEX:
+		re, err := src.regex()
+		if err != nil {
+			return false, err
+		}
+		return re.MatchString(ref), nil
+	case spb.MatchType_WILDCARD:
+		w, err := src.wildcard()
+		if err != nil {
+			return false, err
+		}
+		return w.Match(ref) != nil, nil
+	default:
+		return false, errors.Errorf("unknown match type: %s", src.MatchType)
+	}
+}

vendor/github.com/moby/buildkit/sourcepolicy/mutate.go

@@ -0,0 +1,50 @@
+package sourcepolicy
+
+import (
+	"context"
+
+	"github.com/moby/buildkit/solver/pb"
+	spb "github.com/moby/buildkit/sourcepolicy/pb"
+	"github.com/moby/buildkit/util/bklog"
+	"github.com/pkg/errors"
+)
+
+// mutate is a MutateFn which converts the source operation to the identifier and attributes provided by the policy.
+// If there is no change, then the return value should be false and is not considered an error.
+func mutate(ctx context.Context, op *pb.SourceOp, rule *spb.Rule, selector *selectorCache, ref string) (bool, error) {
+	if rule.Updates == nil {
+		return false, errors.Errorf("missing destination for convert rule")
+	}
+
+	dest := rule.Updates.Identifier
+	if dest == "" {
+		dest = rule.Selector.Identifier
+	}
+	dest, err := selector.Format(ref, dest)
+	if err != nil {
+		return false, errors.Wrap(err, "error formatting destination")
+	}
+
+	bklog.G(ctx).Debugf("sourcepolicy: converting %s to %s, pattern: %s", ref, dest, rule.Updates.Identifier)
+
+	var mutated bool
+	if op.Identifier != dest && dest != "" {
+		mutated = true
+		op.Identifier = dest
+	}
+
+	if rule.Updates.Attrs != nil {
+		if op.Attrs == nil {
+			op.Attrs = make(map[string]string, len(rule.Updates.Attrs))
+		}
+		for k, v := range rule.Updates.Attrs {
+			if op.Attrs[k] != v {
+				bklog.G(ctx).Debugf("setting attr %s=%s", k, v)
+				op.Attrs[k] = v
+				mutated = true
+			}
+		}
+	}
+
+	return mutated, nil
+}

vendor/github.com/moby/buildkit/util/contentutil/refs.go

@@ -20,7 +20,6 @@ func ProviderFromRef(ref string) (ocispecs.Descriptor, content.Provider, error)
 	headers := http.Header{}
 	headers.Set("User-Agent", version.UserAgent())
 	remote := docker.NewResolver(docker.ResolverOptions{
-		Client:  http.DefaultClient,
 		Headers: headers,
 	})
 
@@ -40,7 +39,6 @@ func IngesterFromRef(ref string) (content.Ingester, error) {
 	headers := http.Header{}
 	headers.Set("User-Agent", version.UserAgent())
 	remote := docker.NewResolver(docker.ResolverOptions{
-		Client:  http.DefaultClient,
 		Headers: headers,
 	})
 

vendor/github.com/moby/buildkit/util/flightcontrol/flightcontrol.go

@@ -25,13 +25,13 @@ type contextKeyT string
 var contextKey = contextKeyT("buildkit/util/flightcontrol.progress")
 
 // Group is a flightcontrol synchronization group
-type Group struct {
+type Group[T any] struct {
-	mu sync.Mutex       // protects m
+	mu sync.Mutex          // protects m
-	m  map[string]*call // lazily initialized
+	m  map[string]*call[T] // lazily initialized
 }
 
 // Do executes a context function syncronized by the key
-func (g *Group) Do(ctx context.Context, key string, fn func(ctx context.Context) (interface{}, error)) (v interface{}, err error) {
+func (g *Group[T]) Do(ctx context.Context, key string, fn func(ctx context.Context) (T, error)) (v T, err error) {
 	var backoff time.Duration
 	for {
 		v, err = g.do(ctx, key, fn)
@@ -53,10 +53,10 @@ func (g *Group) Do(ctx context.Context, key string, fn func(ctx context.Context)
 	}
 }
 
-func (g *Group) do(ctx context.Context, key string, fn func(ctx context.Context) (interface{}, error)) (interface{}, error) {
+func (g *Group[T]) do(ctx context.Context, key string, fn func(ctx context.Context) (T, error)) (T, error) {
 	g.mu.Lock()
 	if g.m == nil {
-		g.m = make(map[string]*call)
+		g.m = make(map[string]*call[T])
 	}
 
 	if c, ok := g.m[key]; ok { // register 2nd waiter
@@ -78,16 +78,16 @@ func (g *Group) do(ctx context.Context, key string, fn func(ctx context.Context)
 	return c.wait(ctx)
 }
 
-type call struct {
+type call[T any] struct {
 	mu      sync.Mutex
-	result  interface{}
+	result  T
 	err     error
 	ready   chan struct{}
 	cleaned chan struct{}
 
-	ctx  *sharedContext
+	ctx  *sharedContext[T]
 	ctxs []context.Context
-	fn   func(ctx context.Context) (interface{}, error)
+	fn   func(ctx context.Context) (T, error)
 	once sync.Once
 
 	closeProgressWriter func()
@@ -95,8 +95,8 @@ type call struct {
 	progressCtx         context.Context
 }
 
-func newCall(fn func(ctx context.Context) (interface{}, error)) *call {
+func newCall[T any](fn func(ctx context.Context) (T, error)) *call[T] {
-	c := &call{
+	c := &call[T]{
 		fn:            fn,
 		ready:         make(chan struct{}),
 		cleaned:       make(chan struct{}),
@@ -114,7 +114,7 @@ func newCall(fn func(ctx context.Context) (interface{}, error)) *call {
 	return c
 }
 
-func (c *call) run() {
+func (c *call[T]) run() {
 	defer c.closeProgressWriter()
 	ctx, cancel := context.WithCancel(c.ctx)
 	defer cancel()
@@ -126,7 +126,8 @@ func (c *call) run() {
 	close(c.ready)
 }
 
-func (c *call) wait(ctx context.Context) (v interface{}, err error) {
+func (c *call[T]) wait(ctx context.Context) (v T, err error) {
+	var empty T
 	c.mu.Lock()
 	// detect case where caller has just returned, let it clean up before
 	select {
@@ -134,7 +135,7 @@ func (c *call) wait(ctx context.Context) (v interface{}, err error) {
 		c.mu.Unlock()
 		if c.err != nil { // on error retry
 			<-c.cleaned
-			return nil, errRetry
+			return empty, errRetry
 		}
 		pw, ok, _ := progress.NewFromContext(ctx)
 		if ok {
@@ -145,7 +146,7 @@ func (c *call) wait(ctx context.Context) (v interface{}, err error) {
 	case <-c.ctx.done: // could return if no error
 		c.mu.Unlock()
 		<-c.cleaned
-		return nil, errRetry
+		return empty, errRetry
 	default:
 	}
 
@@ -174,13 +175,13 @@ func (c *call) wait(ctx context.Context) (v interface{}, err error) {
 		if ok {
 			c.progressState.close(pw)
 		}
-		return nil, ctx.Err()
+		return empty, ctx.Err()
 	case <-c.ready:
 		return c.result, c.err // shared not implemented yet
 	}
 }
 
-func (c *call) Deadline() (deadline time.Time, ok bool) {
+func (c *call[T]) Deadline() (deadline time.Time, ok bool) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	for _, ctx := range c.ctxs {
@@ -196,11 +197,11 @@ func (c *call) Deadline() (deadline time.Time, ok bool) {
 	return time.Time{}, false
 }
 
-func (c *call) Done() <-chan struct{} {
+func (c *call[T]) Done() <-chan struct{} {
 	return c.ctx.done
 }
 
-func (c *call) Err() error {
+func (c *call[T]) Err() error {
 	select {
 	case <-c.ctx.Done():
 		return c.ctx.err
@@ -209,7 +210,7 @@ func (c *call) Err() error {
 	}
 }
 
-func (c *call) Value(key interface{}) interface{} {
+func (c *call[T]) Value(key interface{}) interface{} {
 	if key == contextKey {
 		return c.progressState
 	}
@@ -239,17 +240,17 @@ func (c *call) Value(key interface{}) interface{} {
 	return nil
 }
 
-type sharedContext struct {
+type sharedContext[T any] struct {
-	*call
+	*call[T]
 	done chan struct{}
 	err  error
 }
 
-func newContext(c *call) *sharedContext {
+func newContext[T any](c *call[T]) *sharedContext[T] {
-	return &sharedContext{call: c, done: make(chan struct{})}
+	return &sharedContext[T]{call: c, done: make(chan struct{})}
 }
 
-func (sc *sharedContext) checkDone() bool {
+func (sc *sharedContext[T]) checkDone() bool {
 	sc.mu.Lock()
 	select {
 	case <-sc.done:

vendor/github.com/moby/buildkit/util/imageutil/config.go

@@ -3,6 +3,8 @@ package imageutil
 import (
 	"context"
 	"encoding/json"
+	"fmt"
+	"strings"
 	"sync"
 	"time"
 
@@ -14,6 +16,10 @@ import (
 	"github.com/containerd/containerd/remotes"
 	"github.com/containerd/containerd/remotes/docker"
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/moby/buildkit/solver/pb"
+	srctypes "github.com/moby/buildkit/source/types"
+	"github.com/moby/buildkit/sourcepolicy"
+	spb "github.com/moby/buildkit/sourcepolicy/pb"
 	"github.com/moby/buildkit/util/contentutil"
 	"github.com/moby/buildkit/util/leaseutil"
 	"github.com/moby/buildkit/util/resolver/limited"
@@ -47,7 +53,17 @@ func AddLease(f func(context.Context) error) {
 	leasesMu.Unlock()
 }
 
-func Config(ctx context.Context, str string, resolver remotes.Resolver, cache ContentCache, leaseManager leases.Manager, p *ocispecs.Platform) (digest.Digest, []byte, error) {
+// ResolveToNonImageError is returned by the resolver when the ref is mutated by policy to a non-image ref
+type ResolveToNonImageError struct {
+	Ref     string
+	Updated string
+}
+
+func (e ResolveToNonImageError) Error() string {
+	return fmt.Sprintf("ref mutated by policy to non-image: %s://%s -> %s", srctypes.DockerImageScheme, e.Ref, e.Updated)
+}
+
+func Config(ctx context.Context, str string, resolver remotes.Resolver, cache ContentCache, leaseManager leases.Manager, p *ocispecs.Platform, spls []*spb.Policy) (string, digest.Digest, []byte, error) {
 	// TODO: fix buildkit to take interface instead of struct
 	var platform platforms.MatchComparer
 	if p != nil {
@@ -57,13 +73,44 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co
 	}
 	ref, err := reference.Parse(str)
 	if err != nil {
-		return "", nil, errors.WithStack(err)
+		return "", "", nil, errors.WithStack(err)
+	}
+
+	op := &pb.Op{
+		Op: &pb.Op_Source{
+			Source: &pb.SourceOp{
+				Identifier: srctypes.DockerImageScheme + "://" + ref.String(),
+			},
+		},
+	}
+
+	mut, err := sourcepolicy.NewEngine(spls).Evaluate(ctx, op)
+	if err != nil {
+		return "", "", nil, errors.Wrap(err, "could not resolve image due to policy")
+	}
+
+	if mut {
+		var (
+			t  string
+			ok bool
+		)
+		t, newRef, ok := strings.Cut(op.GetSource().GetIdentifier(), "://")
+		if !ok {
+			return "", "", nil, errors.Errorf("could not parse ref: %s", op.GetSource().GetIdentifier())
+		}
+		if ok && t != srctypes.DockerImageScheme {
+			return "", "", nil, &ResolveToNonImageError{Ref: str, Updated: newRef}
+		}
+		ref, err = reference.Parse(newRef)
+		if err != nil {
+			return "", "", nil, errors.WithStack(err)
+		}
 	}
 
 	if leaseManager != nil {
 		ctx2, done, err := leaseutil.WithLease(ctx, leaseManager, leases.WithExpiration(5*time.Minute), leaseutil.MakeTemporary)
 		if err != nil {
-			return "", nil, errors.WithStack(err)
+			return "", "", nil, errors.WithStack(err)
 		}
 		ctx = ctx2
 		defer func() {
@@ -94,24 +141,25 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co
 	if desc.MediaType == "" {
 		_, desc, err = resolver.Resolve(ctx, ref.String())
 		if err != nil {
-			return "", nil, err
+			return "", "", nil, err
 		}
 	}
 
 	fetcher, err := resolver.Fetcher(ctx, ref.String())
 	if err != nil {
-		return "", nil, err
+		return "", "", nil, err
 	}
 
 	if desc.MediaType == images.MediaTypeDockerSchema1Manifest {
-		return readSchema1Config(ctx, ref.String(), desc, fetcher, cache)
+		dgst, dt, err := readSchema1Config(ctx, ref.String(), desc, fetcher, cache)
+		return ref.String(), dgst, dt, err
 	}
 
 	children := childrenConfigHandler(cache, platform)
 
 	dslHandler, err := docker.AppendDistributionSourceLabel(cache, ref.String())
 	if err != nil {
-		return "", nil, err
+		return "", "", nil, err
 	}
 
 	handlers := []images.Handler{
@@ -120,19 +168,19 @@ func Config(ctx context.Context, str string, resolver remotes.Resolver, cache Co
 		children,
 	}
 	if err := images.Dispatch(ctx, images.Handlers(handlers...), nil, desc); err != nil {
-		return "", nil, err
+		return "", "", nil, err
 	}
 	config, err := images.Config(ctx, cache, desc, platform)
 	if err != nil {
-		return "", nil, err
+		return "", "", nil, err
 	}
 
 	dt, err := content.ReadBlob(ctx, cache, config)
 	if err != nil {
-		return "", nil, err
+		return "", "", nil, err
 	}
 
-	return desc.Digest, dt, nil
+	return ref.String(), desc.Digest, dt, nil
 }
 
 func childrenConfigHandler(provider content.Provider, platform platforms.MatchComparer) images.HandlerFunc {

vendor/github.com/moby/buildkit/util/system/path.go

@@ -37,8 +37,8 @@ func NormalizePath(parent, newPath, inputOS string, keepSlash bool) (string, err
 		inputOS = "linux"
 	}
 
-	newPath = toSlash(newPath, inputOS)
+	newPath = ToSlash(newPath, inputOS)
-	parent = toSlash(parent, inputOS)
+	parent = ToSlash(parent, inputOS)
 	origPath := newPath
 
 	if parent == "" {
@@ -82,18 +82,17 @@ func NormalizePath(parent, newPath, inputOS string, keepSlash bool) (string, err
 		}
 	}
 
-	return toSlash(newPath, inputOS), nil
+	return ToSlash(newPath, inputOS), nil
 }
 
-func toSlash(inputPath, inputOS string) string {
+func ToSlash(inputPath, inputOS string) string {
-	separator := "/"
+	if inputOS != "windows" {
-	if inputOS == "windows" {
+		return inputPath
-		separator = "\\"
 	}
-	return strings.Replace(inputPath, separator, "/", -1)
+	return strings.Replace(inputPath, "\\", "/", -1)
 }
 
-func fromSlash(inputPath, inputOS string) string {
+func FromSlash(inputPath, inputOS string) string {
 	separator := "/"
 	if inputOS == "windows" {
 		separator = "\\"
@@ -119,7 +118,7 @@ func NormalizeWorkdir(current, wd string, inputOS string) (string, error) {
 
 	// Make sure we use the platform specific path separator. HCS does not like forward
 	// slashes in CWD.
-	return fromSlash(wd, inputOS), nil
+	return FromSlash(wd, inputOS), nil
 }
 
 // IsAbs returns a boolean value indicating whether or not the path
@@ -142,7 +141,7 @@ func IsAbs(pth, inputOS string) bool {
 	if err != nil {
 		return false
 	}
-	cleanedPath = toSlash(cleanedPath, inputOS)
+	cleanedPath = ToSlash(cleanedPath, inputOS)
 	// We stripped any potential drive letter and converted any backslashes to
 	// forward slashes. We can safely use path.IsAbs() for both Windows and Linux.
 	return path.IsAbs(cleanedPath)
@@ -189,14 +188,14 @@ func CheckSystemDriveAndRemoveDriveLetter(path string, inputOS string) (string,
 	}
 
 	// UNC paths should error out
-	if len(path) >= 2 && toSlash(path[:2], inputOS) == "//" {
+	if len(path) >= 2 && ToSlash(path[:2], inputOS) == "//" {
 		return "", errors.Errorf("UNC paths are not supported")
 	}
 
 	parts := strings.SplitN(path, ":", 2)
 	// Path does not have a drive letter. Just return it.
 	if len(parts) < 2 {
-		return toSlash(filepath.Clean(path), inputOS), nil
+		return ToSlash(filepath.Clean(path), inputOS), nil
 	}
 
 	// We expect all paths to be in C:
@@ -221,5 +220,5 @@ func CheckSystemDriveAndRemoveDriveLetter(path string, inputOS string) (string,
 	//
 	// We must return the second element of the split path, as is, without attempting to convert
 	// it to an absolute path. We have no knowledge of the CWD; that is treated elsewhere.
-	return toSlash(filepath.Clean(parts[1]), inputOS), nil
+	return ToSlash(filepath.Clean(parts[1]), inputOS), nil
 }

vendor/github.com/moby/buildkit/util/testutil/integration/containerd.go

@@ -230,6 +230,10 @@ disabled_plugins = ["cri"]
 	}, cl, nil
 }
 
+func (c *Containerd) Close() error {
+	return nil
+}
+
 func formatLogs(m map[string]*bytes.Buffer) string {
 	var ss []string
 	for k, b := range m {

vendor/github.com/moby/buildkit/util/testutil/integration/dockerd.go

@@ -137,6 +137,7 @@ func (c Moby) New(ctx context.Context, cfg *BackendConfig) (b Backend, cl func()
 	dockerdFlags := []string{
 		"--config-file", dockerdConfigFile,
 		"--userland-proxy=false",
+		"--tls=false",
 		"--debug",
 	}
 	if s := os.Getenv("BUILDKIT_INTEGRATION_DOCKERD_FLAGS"); s != "" {
@@ -219,6 +220,10 @@ func (c Moby) New(ctx context.Context, cfg *BackendConfig) (b Backend, cl func()
 	}, cl, nil
 }
 
+func (c Moby) Close() error {
+	return nil
+}
+
 func waitForAPI(ctx context.Context, apiClient *client.Client, d time.Duration) error {
 	step := 50 * time.Millisecond
 	i := 0

vendor/github.com/moby/buildkit/util/testutil/integration/oci.go

@@ -84,3 +84,7 @@ func (s *OCI) New(ctx context.Context, cfg *BackendConfig) (Backend, func() erro
 		snapshotter: s.Snapshotter,
 	}, stop, nil
 }
+
+func (s *OCI) Close() error {
+	return nil
+}

vendor/github.com/moby/buildkit/util/testutil/integration/run.go

@@ -62,6 +62,7 @@ type BackendConfig struct {
 
 type Worker interface {
 	New(context.Context, *BackendConfig) (Backend, func() error, error)
+	Close() error
 	Name() string
 	Rootless() bool
 }
@@ -168,6 +169,11 @@ func Run(t *testing.T, testCases []Test, opt ...TestOpt) {
 		rng := rand.New(rand.NewSource(time.Now().UnixNano())) //nolint:gosec // using math/rand is fine in a test utility
 		list = []Worker{list[rng.Intn(len(list))]}
 	}
+	t.Cleanup(func() {
+		for _, br := range list {
+			_ = br.Close()
+		}
+	})
 
 	for _, br := range list {
 		for _, tc := range testCases {

vendor/github.com/moby/buildkit/util/wildcard/wildcard.go

@@ -0,0 +1,87 @@
+package wildcard
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/pkg/errors"
+)
+
+// New returns a wildcard object for a string that contains "*" symbols.
+func New(s string) (*Wildcard, error) {
+	reStr, err := Wildcard2Regexp(s)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to translate wildcard %q to regexp", s)
+	}
+	re, err := regexp.Compile(reStr)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to compile regexp %q (translated from wildcard %q)", reStr, s)
+	}
+	w := &Wildcard{
+		orig: s,
+		re:   re,
+	}
+	return w, nil
+}
+
+// Wildcard2Regexp translates a wildcard string to a regexp string.
+func Wildcard2Regexp(wildcard string) (string, error) {
+	s := regexp.QuoteMeta(wildcard)
+	if strings.Contains(s, "\\*\\*") {
+		return "", errors.New("invalid wildcard: \"**\"")
+	}
+	s = strings.ReplaceAll(s, "\\*", "(.*)")
+	s = "^" + s + "$"
+	return s, nil
+}
+
+// Wildcard is a wildcard matcher object.
+type Wildcard struct {
+	orig string
+	re   *regexp.Regexp
+}
+
+// String implements fmt.Stringer.
+func (w *Wildcard) String() string {
+	return w.orig
+}
+
+// Match returns a non-nil Match on match.
+func (w *Wildcard) Match(q string) *Match {
+	submatches := w.re.FindStringSubmatch(q)
+	if len(submatches) == 0 {
+		return nil
+	}
+	m := &Match{
+		w:          w,
+		Submatches: submatches,
+		// FIXME: avoid executing regexp twice
+		idx: w.re.FindStringSubmatchIndex(q),
+	}
+	return m
+}
+
+// Match is a matched result.
+type Match struct {
+	w          *Wildcard
+	Submatches []string // 0: the entire query, 1: the first submatch, 2: the second submatch, ...
+	idx        []int
+}
+
+// String implements fmt.Stringer.
+func (m *Match) String() string {
+	if len(m.Submatches) == 0 {
+		return ""
+	}
+	return m.Submatches[0]
+}
+
+// Format formats submatch strings like "$1", "$2".
+func (m *Match) Format(f string) (string, error) {
+	if m.w == nil || len(m.Submatches) == 0 || len(m.idx) == 0 {
+		return "", errors.New("invalid state")
+	}
+	var b []byte
+	b = m.w.re.ExpandString(b, f, m.Submatches[0], m.idx)
+	return string(b), nil
+}

vendor/github.com/tonistiigi/fsutil/Dockerfile

@@ -1,5 +1,5 @@
 #syntax=docker/dockerfile:1
-ARG GO_VERSION=1.18
+ARG GO_VERSION=1.20
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.1.0 AS xx
 

vendor/github.com/tonistiigi/fsutil/diskwriter.go

@@ -162,6 +162,10 @@ func (dw *DiskWriter) HandleChange(kind ChangeKind, p string, fi os.FileInfo, er
 	switch {
 	case fi.IsDir():
 		if err := os.Mkdir(newPath, fi.Mode()); err != nil {
+			if errors.Is(err, syscall.EEXIST) {
+				// we saw a race to create this directory, so try again
+				return dw.HandleChange(kind, p, fi, nil)
+			}
 			return errors.Wrapf(err, "failed to create dir %s", newPath)
 		}
 		dw.dirModTimes[destPath] = statCopy.ModTime
@@ -188,7 +192,6 @@ func (dw *DiskWriter) HandleChange(kind ChangeKind, p string, fi os.FileInfo, er
 				file.Close()
 				return err
 			}
-			break
 		}
 		if err := file.Close(); err != nil {
 			return errors.Wrapf(err, "failed to close %s", newPath)

vendor/github.com/tonistiigi/fsutil/docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-  default = "1.18"
+  default = "1.20"
 }
 
 group "default" {

vendor/github.com/tonistiigi/fsutil/walker.go

@@ -2,6 +2,7 @@ package fsutil
 
 import (
 	"context"
+	gofs "io/fs"
 	"os"
 	"path/filepath"
 	"strings"
@@ -47,11 +48,11 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 	if err != nil {
 		return errors.WithStack(&os.PathError{Op: "resolve", Path: root, Err: err})
 	}
-	fi, err := os.Stat(root)
+	rootFI, err := os.Stat(root)
 	if err != nil {
 		return errors.WithStack(err)
 	}
-	if !fi.IsDir() {
+	if !rootFI.IsDir() {
 		return errors.WithStack(&os.PathError{Op: "walk", Path: root, Err: syscall.ENOTDIR})
 	}
 
@@ -126,7 +127,7 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 	var parentDirs []visitedDir
 
 	seenFiles := make(map[uint64]string)
-	return filepath.Walk(root, func(path string, fi os.FileInfo, walkErr error) (retErr error) {
+	return filepath.WalkDir(root, func(path string, dirEntry gofs.DirEntry, walkErr error) (retErr error) {
 		defer func() {
 			if retErr != nil && isNotExist(retErr) {
 				retErr = filepath.SkipDir
@@ -146,9 +147,10 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 		var (
 			dir   visitedDir
 			isDir bool
+			fi    gofs.FileInfo
 		)
-		if fi != nil {
+		if dirEntry != nil {
-			isDir = fi.IsDir()
+			isDir = dirEntry.IsDir()
 		}
 
 		if includeMatcher != nil || excludeMatcher != nil {
@@ -161,6 +163,11 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 			}
 
 			if isDir {
+				fi, err = dirEntry.Info()
+				if err != nil {
+					return err
+				}
+
 				dir = visitedDir{
 					fi:          fi,
 					path:        path,
@@ -268,6 +275,14 @@ func Walk(ctx context.Context, p string, opt *WalkOpt, fn filepath.WalkFunc) err
 
 		dir.calledFn = true
 
+		// The FileInfo might have already been read further up.
+		if fi == nil {
+			fi, err = dirEntry.Info()
+			if err != nil {
+				return err
+			}
+		}
+
 		stat, err := mkstat(origpath, path, fi, seenFiles)
 		if err != nil {
 			return err

vendor/github.com/tonistiigi/vt100/vt100.go

@@ -181,6 +181,13 @@ func (v *VT100) UsedHeight() int {
 }
 
 func (v *VT100) Resize(y, x int) {
+	// add some minimal defaults to handle zero and negative values
+	if x < 6 {
+		x = 6
+	}
+	if y < 1 {
+		y = 1
+	}
 	if y > v.Height {
 		n := y - v.Height
 		for row := 0; row < n; row++ {
@@ -329,6 +336,10 @@ func (v *VT100) advance() {
 }
 
 func (v *VT100) scrollIfNeeded() {
+	if v.Cursor.X >= v.Width {
+		v.Cursor.X = 0
+		v.Cursor.Y++
+	}
 	if v.Cursor.Y >= v.Height {
 		first := v.Content[0]
 		copy(v.Content, v.Content[1:])

vendor/github.com/xeipuuv/gojsonpointer/README.md

@@ -35,7 +35,7 @@ An implementation of JSON Pointer - Go language
 
 
 ## References
-http://tools.ietf.org/html/draft-ietf-appsawg-json-pointer-07
+https://tools.ietf.org/html/rfc6901
 
 ### Note
 The 4.Evaluation part of the previous reference, starting with 'If the currently referenced value is a JSON array, the reference token MUST contain either...' is not implemented.

vendor/github.com/xeipuuv/gojsonpointer/pointer.go

@@ -130,10 +130,10 @@ func (p *JsonPointer) implementation(i *implStruct) {
 				node = v[decodedToken]
 				if isLastToken && i.mode == "SET" {
 					v[decodedToken] = i.setInValue
-				} else if isLastToken && i.mode =="DEL" {
+				} else if isLastToken && i.mode == "DEL" {
-					delete(v,decodedToken)
+					delete(v, decodedToken)
 				}
-			} else if (isLastToken && i.mode == "SET") {
+			} else if isLastToken && i.mode == "SET" {
 				v[decodedToken] = i.setInValue
 			} else {
 				i.outError = fmt.Errorf("Object has no key '%s'", decodedToken)
@@ -160,7 +160,7 @@ func (p *JsonPointer) implementation(i *implStruct) {
 			node = v[tokenIndex]
 			if isLastToken && i.mode == "SET" {
 				v[tokenIndex] = i.setInValue
-			}  else if isLastToken && i.mode =="DEL" {
+			} else if isLastToken && i.mode == "DEL" {
 				v[tokenIndex] = v[len(v)-1]
 				v[len(v)-1] = nil
 				v = v[:len(v)-1]

vendor/modules.txt

@@ -206,7 +206,7 @@ github.com/davecgh/go-spew/spew
 # github.com/distribution/distribution/v3 v3.0.0-20230214150026-36d8c594d7aa
 ## explicit; go 1.18
 github.com/distribution/distribution/v3/reference
-# github.com/docker/cli v24.0.2+incompatible
+# github.com/docker/cli v24.0.4+incompatible
 ## explicit
 github.com/docker/cli/cli
 github.com/docker/cli/cli-plugins/manager
@@ -231,7 +231,7 @@ github.com/docker/cli/cli/streams
 github.com/docker/cli/cli/trust
 github.com/docker/cli/cli/version
 github.com/docker/cli/opts
-# github.com/docker/cli-docs-tool v0.5.1
+# github.com/docker/cli-docs-tool v0.6.0
 ## explicit; go 1.18
 github.com/docker/cli-docs-tool
 github.com/docker/cli-docs-tool/annotation
@@ -254,7 +254,7 @@ github.com/docker/distribution/registry/client/transport
 github.com/docker/distribution/registry/storage/cache
 github.com/docker/distribution/registry/storage/cache/memory
 github.com/docker/distribution/uuid
-# github.com/docker/docker v24.0.2+incompatible
+# github.com/docker/docker v24.0.5-0.20230714235725-36e9e796c6fc+incompatible
 ## explicit
 github.com/docker/docker/api
 github.com/docker/docker/api/types
@@ -498,7 +498,7 @@ github.com/mitchellh/go-wordwrap
 # github.com/mitchellh/mapstructure v1.5.0
 ## explicit; go 1.14
 github.com/mitchellh/mapstructure
-# github.com/moby/buildkit v0.11.0-rc3.0.20230609092854-67a08623b95a
+# github.com/moby/buildkit v0.12.1-0.20230717122532-faa0cc7da353
 ## explicit; go 1.20
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types
@@ -539,6 +539,8 @@ github.com/moby/buildkit/session/upload/uploadprovider
 github.com/moby/buildkit/solver/errdefs
 github.com/moby/buildkit/solver/pb
 github.com/moby/buildkit/solver/result
+github.com/moby/buildkit/source/types
+github.com/moby/buildkit/sourcepolicy
 github.com/moby/buildkit/sourcepolicy/pb
 github.com/moby/buildkit/util/apicaps
 github.com/moby/buildkit/util/apicaps/pb
@@ -569,6 +571,7 @@ github.com/moby/buildkit/util/tracing/detect
 github.com/moby/buildkit/util/tracing/detect/delegated
 github.com/moby/buildkit/util/tracing/env
 github.com/moby/buildkit/util/tracing/otlptracegrpc
+github.com/moby/buildkit/util/wildcard
 github.com/moby/buildkit/version
 # github.com/moby/locker v1.0.1
 ## explicit; go 1.13
@@ -685,17 +688,17 @@ github.com/theupdateframework/notary/tuf/data
 github.com/theupdateframework/notary/tuf/signed
 github.com/theupdateframework/notary/tuf/utils
 github.com/theupdateframework/notary/tuf/validation
-# github.com/tonistiigi/fsutil v0.0.0-20230407161946-9e7a6df48576
+# github.com/tonistiigi/fsutil v0.0.0-20230629203738-36ef4d8c0dbb
-## explicit; go 1.18
+## explicit; go 1.19
 github.com/tonistiigi/fsutil
 github.com/tonistiigi/fsutil/types
 # github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea
 ## explicit
 github.com/tonistiigi/units
-# github.com/tonistiigi/vt100 v0.0.0-20210615222946-8066bb97264f
+# github.com/tonistiigi/vt100 v0.0.0-20230623042737-f9a4f7ef6531
 ## explicit; go 1.12
 github.com/tonistiigi/vt100
-# github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f
+# github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb
 ## explicit
 github.com/xeipuuv/gojsonpointer
 # github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415