mirror of https://github.com/moby/buildkit.git synced 2025-04-20 05:07:56 +03:00

16 Commits

Author SHA1 Message Date
Jonathan A. Sternberg
66016a8c63
vendor: switch from idtools to moby/sys/user
Convert usages of `github.com/docker/docker/pkg/idtools` to
`github.com/moby/sys/user` in order to break the dependency between
buildkit and docker.

Signed-off-by: Jonathan A. Sternberg <jonathan.sternberg@docker.com>
2025-04-02 10:22:02 -05:00
Tonis Tiigi
91b55e89e5
solver: fix reading secrets from any session
The current logic was incorrect in some places so that if the first
session randomly chosen by `Any()` returned NotFound then other
sessions were not attempted.

For the main use case of mounting secrets as files the logic
was correct, but it was incorrect for example for the case of
adding secrets as environment variables.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2025-03-11 15:25:15 -07:00
Tonis Tiigi
b5286f8dcb
apply x/tools/modernize fixes
Autogenerated with a couple of manual patches.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2025-03-07 08:18:45 -08:00
Tonis Tiigi
44b1aca26a
git: fix caching git commit through multiple refs
This fixes the current issue when a Git commit is accessed
multiple times through different refs or a ref is added
after the commit has already been pulled once.

When the keep-git-dir option is true, the program can
try to resolve the current reference via the .git directory
and because the old cache key was only the git commit, a previous
.git directory can be reused without any refs inside.

There is no change to the behavior if keep-git-dir is
false, as then requests through multiple refs yield
identical content.

Only the reference in the user provided identifier is added
to the cache key, and that is the only one that can be
expected in .git because of the shallow fetches. We do not
do an extra request to find named refs for a commit SHA if that is
provided in the identifier.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-10-23 16:59:22 -07:00
Justin Chadwell
90d2d8b1c6
git: allow cloning commit shas not referenced by branch/tag
Signed-off-by: Justin Chadwell <me@jedevc.com>
2024-10-22 11:38:04 +01:00
Justin Chadwell
ac3eb58262
git: export gitutil helper for identifying commit shas
Signed-off-by: Justin Chadwell <me@jedevc.com>
2024-10-21 14:19:54 +01:00
Tonis Tiigi
610affa5fd
exec: fix pruning cache mounts with parent ref on no-cache
On a build with no-cache, cache mounts were not pruned correctly
if the mount was on top of another ref. This also appeared in
Dockerfile when mode/uid/gid was set because an implicit parent
ref is created in these cases in order to change the permissions
of a subdir that is used as a cache mount base.

Because it is not possible to know ahead of time what ref
will become the parent of the cache mount during build, all cache
mounts matching the ID that have a parent will be pruned.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-09-05 18:09:54 -07:00
Tonis Tiigi
dff03a24fa
git: fix pulling commit SHA only referenced from a tag
On commit SHA input we currently do a full fetch of
the remote so we can pick up the commit by SHA later. This
only pulls in tags that are also part of branches. An extra
flag is needed to also get the tags that are not part of
branches.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-06-21 16:05:55 -07:00
Tonis Tiigi
4103099d94
ensure context.WithoutCancel in defer funcs
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-06-12 19:18:32 -07:00
Tonis Tiigi
1f9988911f
lint: unusedparams fixes
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-04-09 07:23:16 -07:00
Tonis Tiigi
8c4cdc8f43
lint: nilness fixes
Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
2024-04-06 18:11:58 -07:00
Justin Chadwell
3c6f6e4ee1
chore: refactor IsGitTransport to avoid duplication
Signed-off-by: Justin Chadwell <me@jedevc.com>
2024-02-01 15:39:16 +00:00
Justin Chadwell
6a8d2ca2bd
git: ensure that pin matches checked-out commit
Previously, it was very possible for the CacheKey function to return a
sha key that was *not* the checked out commit.

There are two cases that I've encountered where this can happen:
- An annotated tag will have the pin of the tag, and not the underlying
  commit, which will be HEAD after the checkout.
- If multiple tags have the same path component (e.g. "mytag" and
  "abc/mytag") then the first alphabetical tag will be selected (in
  this case "abc/mytag").

To avoid this kind of case, we can't just search for a single match in
the results for ls-remote. There's no way to filter for just an exact
match, so we need to scan through the output ourselves. Additionally, we
need to dereference the annotated tags by also selecting refs ending in
"^{}" - which have the commit that the tag points at.

Finally, I've improved the test suite around this to check that:
- The cache-key pin is equivalent to the checked out commit
- We can check out non-master branches
- That full ref syntax like "refs/heads/<branch-name>" and
  "refs/tags/<tag-name>" (or even "refs/<anything>") can be used.

Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-12-13 10:06:42 +00:00
Justin Chadwell
6e86128d07
git: add missing RedactCredentials call in cache description
It's possible for a git url to contain encoded credentials - even though
this practice is not recommended. For safety, we attempt to censor the
credentials before putting them into cache descriptions and error
messages.

However, we were previously missing one of these, and we would put an
uncensored git url into the git checkout snapshot cache ref description.

Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-11-07 10:38:41 +00:00
Justin Chadwell
d34b2471cd
git: centralize git cli operations
Move all of the git command line logic into a single object, inspired by
the object already in buildx.

The basic implementation allows for configuring a git cli for a specific
repository, along with various authorization settings and custom
binaries. Commands can be run for that repository, and a few helpers are
provided for accessing data on it - more to come in the future
hopefully.

Signed-off-by: Justin Chadwell <me@jedevc.com>
2023-08-24 12:22:15 +01:00
Alex Suraci
6b27487fec
source: make sources pluggable
Sources are a pretty neat extension point, except there are a few code
paths that hard-code against each type. This moves code around and
adjusts interfaces so that Source implementations are self-contained and
merely need to be registered with the source.Manager.

Signed-off-by: Alex Suraci <suraci.alex@gmail.com>
2023-08-16 09:57:55 +01:00