Skip to content

Merge in buildkit all at once#14

Draft
kmannislands wants to merge 2944 commits into
mainfrom
merge-in-buildkit-all-at-once
Draft

Merge in buildkit all at once#14
kmannislands wants to merge 2944 commits into
mainfrom
merge-in-buildkit-all-at-once

Conversation

@kmannislands

@kmannislands kmannislands commented Apr 8, 2026

Copy link
Copy Markdown

Experimental huge merge of latest moby/buildkit into earthbuild fork's main.

Not planning to merge this as-is, just opening to see what can be learned about the work ahead from attempting the merge

Claude final message after performing the merge
  68 conflicted files resolved across these categories:

  - Generated/vendor files (9 files) — took upstream versions for .pb.go, go.sum, vendor/
  - CI workflows (7 files) — took upstream's Go 1.26, Ubuntu 24.04, newer action versions
  - Dockerfile & build tooling (5 files) — upstream versions with earthly's RELEASE_VERSION/EARTHLY_PKG preserved
  - Go.mod — took upstream dependency versions, kept earthly's fsutil replace directive
  - Go source (30+ files) — merged both sides preserving all earthly features:
    - Git LFS, SSH command, log level support
    - Exec time limits and OCI hooks
    - Custom gRPC window sizing and health monitoring
    - Parallelism analytics and GC analytics
    - Socket/HOST_BIND mount types
    - Earthly exporter (updated to containerd v2 APIs)
    - Session management extensions

  Post-merge fixes applied for:
  - Protobuf field renames (Size → Size_)
  - Containerd v1 → v2 import migration in earthly exporter
  - Missing earthly-specific proto types added back to generated code
  - user.IdentityMapping API updates replacing old idtools
  - fsutil API differences (vendored earthly fork)
  - FrontendLLBBridge interface compliance

It would be interesting to see how this can be split in to coherent PRs and to use this state of the code to try to determine what needs to be changed on the earthbuild client side

Split out coherent PRs:

Split out coherent PRs to upstream:

crazy-max and others added 30 commits February 10, 2026 09:08
containerimage: add resolve attestation support
containerimage: fix possible race on parallel image create
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
policy: fix ResolveAttestations via policy callback
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
gitsign: support combined public keys for verification
Abort uncommitted ingest on ReaderAt failures and reset resumed
writer offset before copy to avoid stale partial state for digest refs.
Tests for canceled-read poisoning and resumed-ingest
offset handling.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
This removes the MigrateV2 function, which was added in BuildKit v0.7.0
(Docker v20.10.0) in 31a9aee. That was
in 2019, which is now over 6 Years ago, so it's very unlikely for old
files to be still present.

Removing this code would impact users migrating from Docker 19.03 or
older, which are versions that reached EOL many years ago, so very
unlikely.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
docs: add "good" example for SecretsUsedInArgOrEnv check
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
contentutil: fix referrer blob ingest cleanup
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: Kevin L. <kevin.lecouvey@gmail.com>
…t conversion

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
…OVENANCE_V1

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
…ient

Add support for riscv64 architecture in llb client
These requests allow computing additional checksum algorithms
for the payload of HTTP sources.

Optionally suffix can be passed that is added to payload. This
is needed to make validation of PGP signatures possible remotely.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Add detached PGP verification for HTTP sources during metadata resolution
and expose LLB options/caps/attrs for signature validation.

Extract shared OpenPGP verification/parsing logic into util/pgpsign and
reuse it from git signing, plus add integration and source-level tests.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
http: add support for checksum requests and pgp signatures for http sources
worker: remove automatic migration of legacy v1 cache
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Image blob source in LLB allows addressing a single blob
from a container image registry. The difference from the image
source is that image source needs to point to a manifest that
internally points to an array of layer blobs that are all extracted
on top of each other to form a root FS. Contrary, image blob
points to a single blob that is not extracted but downloaded
as a single file into an empty snapshot, similarily how
the HTTP source works.

The main use case for this source is to pin snapshots of
HTTP URLs, upload the downloaded blob into container registry,
and then use a source policy to map a HTTP URL (whose content
might be changed) to the copy of the source as image blob
to ensure immutability.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
After the upstream merge added CDI support, the earthly-specific
parameters (hooks, sampleFrequency, cdiManager) were passed in the
wrong order at the call site.

Signed-off-by: Giles Cope <gilescope@gmail.com>
- Fix Env field incorrectly set to hook.Args instead of hook.Env
- Suppress staticcheck SA1019 for intentional legacy prestart support

Signed-off-by: Giles Cope <gilescope@gmail.com>
Resolve 47 lint issues introduced by upstream's stricter lint config:
- errorlint: use errors.Is/errors.As instead of == and type assertions
- forbidigo: use context.WithCancelCause/WithTimeoutCause/Cause
- gocritic: fix comment formatting (space after //)
- gofmt: reformat 4 files
- staticcheck: fix deprecated imports, simplify selectors, nolint pkg names
- noctx: use DialContext/Listen with context
- unused: remove dead code

Signed-off-by: Giles Cope <gilescope@gmail.com>
- Replace interface{} with any
- Use strings.CutPrefix instead of HasPrefix+TrimPrefix
- Use maps.Copy instead of manual k/v loops
- Modernize for loops to range over int
- Remove unnecessary variable copy
- Fix comment formatting (space after //)

Signed-off-by: Giles Cope <gilescope@gmail.com>
@gilescope gilescope force-pushed the merge-in-buildkit-all-at-once branch from 9c315bd to d8293f6 Compare April 9, 2026 05:48
Sort maps import alphabetically among stdlib imports.

Signed-off-by: Giles Cope <gilescope@gmail.com>
Prefix unused function parameters with _ to satisfy the gopls
unusedparams analyzer.

Signed-off-by: Giles Cope <gilescope@gmail.com>
Earthly's base64 encoding of git stderr prevented upstream code in
source/git/source.go from detecting "would clobber existing tag" and
"refname conflict" errors via strings.Contains. Include raw redacted
stderr alongside the base64 so pattern matching works.

Also update TestGitCLIConfigEnv to match earthly's intentional behavior
of not isolating git config (HOME is always passed through).

Signed-off-by: Giles Cope <gilescope@gmail.com>
go mod tidy removed unused direct deps (containerd v1, docker/docker,
gogo/googleapis, go-fuzz-headers) left over from the upstream merge.
go mod vendor then cleaned up 149 files of unused vendored code.

Signed-off-by: Giles Cope <gilescope@gmail.com>
- Remove gogoproto.stdtime annotations from control.proto (earthly-
  specific SessionHistory fields) since gogo protoc is no longer used
- Fix vendored fsutil wire.proto bare import to use fully-qualified path
- Exclude earthly-specific protos (localhost, pullping, socketforward,
  registry, gateway) from protoc generation as they use old gogo-style
  codegen incompatible with modern protoc-gen-go
- Add M-flag overrides for fsutil types proto go_package paths
- Remove hand-written control_earthly.pb.go (now generated by protoc)
- Update control.go to use timestamppb.New() for History timestamps

Signed-off-by: Giles Cope <gilescope@gmail.com>
Signed-off-by: Giles Cope <gilescope@gmail.com>
- Fix copylocks warning in client_test.go: types.Stat now contains
  a mutex via protoimpl.MessageState, use pointers instead of copies
- Re-vendor after go mod tidy to sync vendor with updated fsutil

Signed-off-by: Giles Cope <gilescope@gmail.com>
@gilescope

Copy link
Copy Markdown

Not looking too shabby. Passes all the tests (except some flaky windows ones that are flaky upstream also). Next question, what does EarthBuild make of it?

Signed-off-by: Giles Cope <gilescope@gmail.com>
Earthly's multi-BUILD pattern legitimately produces multiple refs
without platform mapping.  The upstream verifier added in buildkit
treats this as a hard error; downgrade to a warning so earthly builds
continue to work.

Signed-off-by: Giles Cope <gilescope@gmail.com>
Upstream commit 7aaa797 caches gateway mounts for performance, but
this causes stale reads when a persistent cache mount is modified by
a RUN and then read by a subsequent SAVE ARTIFACT within the same
target. Disable the cache lookup so each operation gets a fresh mount.

Signed-off-by: Giles Cope <gilescope@gmail.com>
gilescope added 10 commits June 20, 2026 06:44
The manual runtime.LockOSThread() in run() was added to stop runc
processes intermittently exiting with status -1 (the classic
PdeathSignal-vs-Go-scheduler race, golang/go#27505).

go-runc v1.1.0 (which the upstream merge pulled in) already handles
this: because we set Runc.PdeathSignal (updateRuncFieldsForHostOS),
Run() -> startCommand() takes the Monitor.StartLocked() path, which
calls runtime.LockOSThread() on the goroutine that actually does
cmd.Start() (the fork). Our manual lock was on the *caller* goroutine
-- not the forking one -- so it no longer does anything useful here.

Removing it restores executor_linux.go to the exact upstream version,
shrinking the fork delta with no behaviour change.
docopy() dropped action.ModeStr (string chmod, e.g. COPY --chmod=u+x)
and hard-disabled action.AlwaysReplaceExistingDestPaths, with a comment
claiming "not supported in this fsutil fork".

That comment is stale: the vendored fork (EarthBuild/fsutil, pulled in by
5638371) supports both -- copy.CopyInfo.ModeStr (copy.go:197) and
AlwaysReplaceExistingDestPaths (copy.go:208) are honoured. The removals
dated from an older fsutil and silently degraded string-mode COPY to the
integer-mode fallback. Restores the upstream code path; matches base.
Three changes that diverged from upstream with zero functional effect,
restored to reduce future merge conflicts:

- diffapply_linux.go: uint64(stat.Dev) -> stat.Dev (Dev is uint64 on all
  linux arches, the cast was a no-op) and Rdev: 0 -> unix.Mkdev(0, 0)
  (Mkdev(0,0) == 0).
- scheduler_test.go: context.TODO() -> t.Context() in two loop bodies.
  t.Context() (Go 1.24+) is available under go 1.25.5 and is what
  upstream uses; the downgrade was an older-toolchain artifact.
Reverts util/archutil to upstream: removes the /proc mount in the arch
check and the check_nolinux.go stub, and restores check_unix.go's
!windows build constraint (it had been narrowed to linux).

The patch worked around Rosetta failing to open /proc/self/exe inside
the check's chroot, but it is not needed here and carried two upstream
regressions: the !windows->linux narrowing dropped the arch check on
FreeBSD/Darwin, and the mount error was fatal, breaking the check on
rootless/unprivileged daemons. Restoring upstream shrinks the fork delta
and removes both regressions.
Removes the earthly diagnostic scaffolding added to chase the
"inconsistent graph state" / "return leaving incoming/outgoing open"
scheduler errors: the dgstTracker ring buffer
(inconsistent_graph_state_error_tracker.go), the helpMe context strings
and bklog error logging in scheduler.go dispatch/NewInputRequest, and the
dgstTracker.add call sites in jobs.go.

The bug is no longer being actively investigated, so this telemetry is no
longer needed. All three files now match upstream exactly, removing ~120
lines of delta from the scheduler/jobs hot path -- the most
merge-conflict-prone files in the fork.
maps.Clone(opt.FrontendAttrs) returns nil when opt.FrontendAttrs is nil,
and the following maps.Copy(frontendAttrs, cacheOpt.frontendAttrs) then
panics with "assignment to entry in nil map" whenever cache attrs are
present. This is hit on the Client.Build path (earthly's multiImageSolver
passes nil FrontendAttrs) with remote/inline cache configured.

Regression from upstream "simplify with maps pkg functions" (dfc3527),
which replaced a nil-safe explicit map init with maps.Clone/Copy. Present
in moby/buildkit master too -- candidate for upstreaming. Re-add the nil
guard so frontendAttrs is always writable.
The fork existed only to add a per-file VerboseProgressCB (verbose-only
transfer logging, 2022). Stock fsutil already provides the equivalent
per-file hook on receive via ReceiveOpt.NotifyHashed (ChangeFunc), which
carries path + FileInfo. Rewire the earthly filesync target callbacks to
NotifyHashed and use stock fsutil's 4-arg Send everywhere, removing every
VerboseProgressCB reference. Drop the go.mod replace directive and
re-vendor stock fsutil.

Client API: ExportEntry.VerboseProgressCB -> OnReceiveFile (fsutil.ChangeFunc).
Resolves the Dockerfile version-baking conflict: keep the branch's
worktree-aware heredoc block (skips version check for git worktrees,
sets dev stubs) and apply main's rebrand from #18
(EARTHLY_PKG github.com/earthly/buildkit -> github.com/EarthBuild/buildkit).
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedgolang/​golang.org/​x/​crypto@​v0.14.0 ⏵ v0.48.074 +125100100100
Addedgolang/​github.com/​containerd/​containerd/​v2@​v2.2.27460100100100
Addedgolang/​github.com/​hashicorp/​go-immutable-radix/​v2@​v2.1.010010010010070
Addedgolang/​github.com/​hashicorp/​golang-lru/​v2@​v2.0.710010010010070
Addedpypi/​codespell@​2.4.19810010010070
Updatedgolang/​github.com/​spdx/​tools-golang@​v0.5.1 ⏵ v0.5.79510010010070
Updatedgolang/​kernel.org/​pub/​linux/​libs/​security/​libcap/​cap@​v1.2.67 ⏵ v1.2.77100 +110010010070
Updatedgolang/​github.com/​Azure/​azure-sdk-for-go/​sdk/​azcore@​v1.1.0 ⏵ v1.20.071 +1100100100100
Updatedgolang/​github.com/​aws/​aws-sdk-go-v2@​v1.17.6 ⏵ v1.41.471 -3100100100100
Updatedgolang/​github.com/​containerd/​stargz-snapshotter@​v0.14.3 ⏵ v0.18.272 +110010010080
Updatedgolang/​github.com/​aws/​smithy-go@​v1.13.5 ⏵ v1.24.272 -10100100100100
Updatedgolang/​github.com/​prometheus/​client_golang@​v1.14.0 ⏵ v1.23.272 -5100100100100
Addedgolang/​github.com/​containernetworking/​plugins@​v1.9.172100100100100
Addedgolang/​github.com/​vishvananda/​netlink@​v1.3.173100100100100
Updatedgolang/​github.com/​docker/​distribution@​v2.8.2+incompatible ⏵ v2.8.3+incompatible73100100100100
Updatedgolang/​github.com/​containerd/​nydus-snapshotter@​v0.13.1 ⏵ v0.15.1373 +1100100100100
Updatedgolang/​github.com/​docker/​cli@​v24.0.5+incompatible ⏵ v29.3.1+incompatible74100 +16100100100
Updatedgolang/​github.com/​Microsoft/​hcsshim@​v0.11.1 ⏵ v0.14.0-rc.174100100100100
Updatedgolang/​golang.org/​x/​net@​v0.17.0 ⏵ v0.51.075 +1100 +21100100100
Updatedgolang/​google.golang.org/​grpc@​v1.58.3 ⏵ v1.79.375 +1100 +75100100100
Updatedgolang/​google.golang.org/​protobuf@​v1.31.0 ⏵ v1.36.1175 +1100 +2100100100
Updatedgolang/​github.com/​serialx/​hashring@​v0.0.0-20190422032157-8b2912629002 ⏵ v0.0.0-20200727003509-22c0c7ab6b1b100 +110010075100
Updatedgolang/​go.opentelemetry.io/​otel@​v1.14.0 ⏵ v1.40.076 -585 -15100100100
Addedgolang/​github.com/​sigstore/​sigstore-go@​v1.1.49810010010080
Updatedgolang/​github.com/​coreos/​go-systemd/​v22@​v22.5.0 ⏵ v22.7.093 +210010010080
Addedgolang/​github.com/​containerd/​containerd/​api@​v1.10.082100100100100
Updatedgolang/​github.com/​Azure/​azure-sdk-for-go/​sdk/​storage/​azblob@​v0.4.1 ⏵ v1.5.083 -5100100100100
Updatedgolang/​golang.org/​x/​sys@​v0.13.0 ⏵ v0.42.084 -3100100100100
Updatedgolang/​github.com/​prometheus/​procfs@​v0.9.0 ⏵ v0.17.084 -4100100100100
Updatedgolang/​go.opentelemetry.io/​otel/​sdk@​v1.14.0 ⏵ v1.40.09885 -15100100100
Updatedgolang/​github.com/​Azure/​azure-sdk-for-go/​sdk/​azidentity@​v1.1.0 ⏵ v1.13.186 -5100 +2100100100
Updatedgolang/​go.opentelemetry.io/​contrib/​instrumentation/​net/​http/​otelhttp@​v0.40.0 ⏵ v0.63.088 -10100 +16100100100
See 69 more rows in the dashboard

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: golang github.com/containerd/containerd/v2 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: go.modgolang/github.com/containerd/containerd/v2@v2.2.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/containerd/containerd/v2@v2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/containerd/containerd/v2 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: go.modgolang/github.com/containerd/containerd/v2@v2.2.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/containerd/containerd/v2@v2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/containerd/containerd/v2 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: go.modgolang/github.com/containerd/containerd/v2@v2.2.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/containerd/containerd/v2@v2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/containernetworking/plugins is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: go.modgolang/github.com/containernetworking/plugins@v1.9.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/containernetworking/plugins@v1.9.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: golang github.com/planetscale/vtprotobuf is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: go.modgolang/github.com/planetscale/vtprotobuf@v0.6.1-0.20240319094008-0393e58bdf10

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/planetscale/vtprotobuf@v0.6.1-0.20240319094008-0393e58bdf10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.