Merge pull request #45047 from thaJeztah/update_buildkit_0.11.3

vendor: github.com/moby/buildkit v0.11.3

vendor.mod

@@ -56,7 +56,7 @@ require (
 	github.com/klauspost/compress v1.15.12
 	github.com/miekg/dns v1.1.43
 	github.com/mistifyio/go-zfs v2.1.2-0.20190413222219-f784269be439+incompatible
-	github.com/moby/buildkit v0.11.3-0.20230206194711-49992f513921
+	github.com/moby/buildkit v0.11.3
 	github.com/moby/ipvs v1.1.0
 	github.com/moby/locker v1.0.1
 	github.com/moby/patternmatcher v0.5.0

vendor.sum

@@ -755,8 +755,8 @@ github.com/mitchellh/iochan v1.0.0/go.mod h1:JwYml1nuB7xOzsp52dPpHFffvOCDupsG0Qu
 github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/osext v0.0.0-20151018003038-5e2d6d41470f/go.mod h1:OkQIRizQZAeMln+1tSwduZz7+Af5oFlKirV/MSYes2A=
-github.com/moby/buildkit v0.11.3-0.20230206194711-49992f513921 h1:B6x+BCRpTTUhEsHtvBpi2IsRnrLCJ7xoJ3oZrO8oQEU=
-github.com/moby/buildkit v0.11.3-0.20230206194711-49992f513921/go.mod h1:P8MqGq7YrIDldCdZLhK8M/vPcrFYZ6GX1crX0j4hOmQ=
+github.com/moby/buildkit v0.11.3 h1:bnQFPHkNJTELRb2n3HISPGvB1FWzFx+YD1MTZg8bsfk=
+github.com/moby/buildkit v0.11.3/go.mod h1:P8MqGq7YrIDldCdZLhK8M/vPcrFYZ6GX1crX0j4hOmQ=
 github.com/moby/ipvs v1.1.0 h1:ONN4pGaZQgAx+1Scz5RvWV4Q7Gb+mvfRh3NsPS+1XQQ=
 github.com/moby/ipvs v1.1.0/go.mod h1:4VJMWuf098bsUMmZEiD4Tjk/O7mOn3l1PTD3s4OoYAs=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=

vendor/github.com/moby/buildkit/cache/manager.go

@@ -222,10 +222,8 @@ func (cm *cacheManager) GetByBlob(ctx context.Context, desc ocispecs.Descriptor,
 
 	id := identity.NewID()
 	snapshotID := chainID.String()
-	blobOnly := true
 	if link != nil {
 		snapshotID = link.getSnapshotID()
-		blobOnly = link.getBlobOnly()
 		go link.Release(context.TODO())
 	}
 
@@ -289,7 +287,7 @@ func (cm *cacheManager) GetByBlob(ctx context.Context, desc ocispecs.Descriptor,
 	rec.queueChainID(chainID)
 	rec.queueBlobChainID(blobChainID)
 	rec.queueSnapshotID(snapshotID)
-	rec.queueBlobOnly(blobOnly)
+	rec.queueBlobOnly(true)
 	rec.queueMediaType(desc.MediaType)
 	rec.queueBlobSize(desc.Size)
 	rec.appendURLs(desc.URLs)

vendor/github.com/moby/buildkit/cache/metadata.go

@@ -251,7 +251,13 @@ func (md *cacheMetadata) queueMediaType(str string) error {
 }
 
 func (md *cacheMetadata) getSnapshotID() string {
-	return md.GetString(keySnapshot)
+	sid := md.GetString(keySnapshot)
+	// Note that historic buildkit releases did not always set the snapshot ID.
+	// Fallback to record ID is needed for old build cache compatibility.
+	if sid == "" {
+		return md.ID()
+	}
+	return sid
 }
 
 func (md *cacheMetadata) queueSnapshotID(str string) error {

vendor/github.com/moby/buildkit/exporter/containerimage/attestations.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"fmt"
 	"io/fs"
+	"path/filepath"
 	"strings"
 
 	intoto "github.com/in-toto/in-toto-golang/in_toto"
@@ -30,6 +31,9 @@ var intotoPlatform ocispecs.Platform = ocispecs.Platform{
 
 // supplementSBOM modifies SPDX attestations to include the file layers
 func supplementSBOM(ctx context.Context, s session.Group, target cache.ImmutableRef, targetRemote *solver.Remote, att exporter.Attestation) (exporter.Attestation, error) {
+	if target == nil {
+		return att, nil
+	}
 	if att.Kind != gatewaypb.AttestationKindInToto {
 		return att, nil
 	}
@@ -40,7 +44,7 @@ func supplementSBOM(ctx context.Context, s session.Group, target cache.Immutable
 	if !ok {
 		return att, nil
 	}
-	if n, _, _ := strings.Cut(att.Path, "."); n != string(name) {
+	if n, _, _ := strings.Cut(filepath.Base(att.Path), "."); n != string(name) {
 		return att, nil
 	}
 
@@ -172,6 +176,8 @@ func newFileLayerFinder(target cache.ImmutableRef, remote *solver.Remote) (fileL
 //
 // find is not concurrency-safe.
 func (c *fileLayerFinder) find(ctx context.Context, s session.Group, filename string) (cache.ImmutableRef, *ocispecs.Descriptor, error) {
+	filename = filepath.Join("/", filename)
+
 	// return immediately if we've already found the layer containing filename
 	if cache, ok := c.cache[filename]; ok {
 		return cache.ref, &cache.desc, nil
@@ -188,7 +194,9 @@ func (c *fileLayerFinder) find(ctx context.Context, s session.Group, filename st
 
 		found := false
 		for _, f := range files {
-			if strings.HasPrefix(f, ".wh.") {
+			f = filepath.Join("/", f)
+
+			if strings.HasPrefix(filepath.Base(f), ".wh.") {
 				// skip whiteout files, we only care about file creations
 				continue
 			}

vendor/github.com/moby/buildkit/exporter/util/epoch/parse.go

@@ -60,6 +60,6 @@ func parseTime(key, value string) (*time.Time, error) {
 	if err != nil {
 		return nil, errors.Wrapf(err, "invalid %s: %s", key, err)
 	}
-	tm := time.Unix(sde, 0)
+	tm := time.Unix(sde, 0).UTC()
 	return &tm, nil
 }

vendor/github.com/moby/buildkit/frontend/attestations/sbom/sbom.go

@@ -78,6 +78,8 @@ func CreateSBOMScanner(ctx context.Context, resolver llb.ImageMetaResolver, scan
 		}
 
 		runscan := llb.Image(scanner).Run(runOpts...)
+		runscan.AddMount("/tmp", llb.Scratch(), llb.Tmpfs())
+
 		runscan.AddMount(path.Join(srcDir, "core", CoreSBOMName), ref, llb.Readonly)
 		for k, extra := range extras {
 			runscan.AddMount(path.Join(srcDir, "extras", ExtraSBOMPrefix+k), extra, llb.Readonly)

vendor/github.com/moby/buildkit/frontend/dockerfile/builder/build.go

@@ -1133,6 +1133,6 @@ func parseSourceDateEpoch(v string) (*time.Time, error) {
 	if err != nil {
 		return nil, errors.Wrapf(err, "invalid SOURCE_DATE_EPOCH: %s", v)
 	}
-	tm := time.Unix(sde, 0)
+	tm := time.Unix(sde, 0).UTC()
 	return &tm, nil
 }

vendor/github.com/moby/buildkit/solver/llbsolver/mounts/mount.go

@@ -251,14 +251,14 @@ func (mm *MountManager) getSecretMountable(ctx context.Context, m *pb.Mount, g s
 	err = mm.sm.Any(ctx, g, func(ctx context.Context, _ string, caller session.Caller) error {
 		dt, err = secrets.GetSecret(ctx, caller, id)
 		if err != nil {
-			if errors.Is(err, secrets.ErrNotFound) && m.SecretOpt.Optional {
-				return nil
-			}
 			return err
 		}
 		return nil
 	})
 	if err != nil {
+		if errors.Is(err, secrets.ErrNotFound) && m.SecretOpt.Optional {
+			return nil, nil
+		}
 		return nil, err
 	}
 	return &secretMount{mount: m, data: dt, idmap: mm.cm.IdentityMapping()}, nil

vendor/github.com/moby/buildkit/util/gitutil/git_ref.go

@@ -73,22 +73,12 @@ func ParseGitRef(ref string) (*GitRef, error) {
 		}
 	}
 
-	refSplitBySharp := strings.SplitN(ref, "#", 2)
-	res.Remote = refSplitBySharp[0]
+	var fragment string
+	res.Remote, fragment, _ = strings.Cut(ref, "#")
 	if len(res.Remote) == 0 {
 		return res, errdefs.ErrInvalidArgument
 	}
-
-	if len(refSplitBySharp) > 1 {
-		refSplitBySharpSplitByColon := strings.SplitN(refSplitBySharp[1], ":", 2)
-		res.Commit = refSplitBySharpSplitByColon[0]
-		if len(res.Commit) == 0 {
-			return res, errdefs.ErrInvalidArgument
-		}
-		if len(refSplitBySharpSplitByColon) > 1 {
-			res.SubDir = refSplitBySharpSplitByColon[1]
-		}
-	}
+	res.Commit, res.SubDir, _ = strings.Cut(fragment, ":")
 	repoSplitBySlash := strings.Split(res.Remote, "/")
 	res.ShortName = strings.TrimSuffix(repoSplitBySlash[len(repoSplitBySlash)-1], ".git")
 	return res, nil

vendor/modules.txt

@@ -540,7 +540,7 @@ github.com/mistifyio/go-zfs
 # github.com/mitchellh/hashstructure/v2 v2.0.2
 ## explicit; go 1.14
 github.com/mitchellh/hashstructure/v2
-# github.com/moby/buildkit v0.11.3-0.20230206194711-49992f513921
+# github.com/moby/buildkit v0.11.3
 ## explicit; go 1.18
 github.com/moby/buildkit/api/services/control
 github.com/moby/buildkit/api/types