Skip to content

Commit

Permalink
vendor: github.com/docker/buildx v0.20.1
Browse files Browse the repository at this point in the history
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
  • Loading branch information
tonistiigi authored and github-actions[bot] committed Jan 22, 2025
1 parent ddde535 commit 3dc492a
Show file tree
Hide file tree
Showing 5 changed files with 108 additions and 3 deletions.
28 changes: 28 additions & 0 deletions _vendor/github.com/docker/buildx/docs/bake-reference.md

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion _vendor/modules.txt
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# github.com/moby/moby v27.5.0+incompatible
# github.com/moby/buildkit v0.19.0
# github.com/docker/buildx v0.20.0
# github.com/docker/buildx v0.20.1
# github.com/docker/cli v27.5.0+incompatible
# github.com/docker/compose/v2 v2.32.4
# github.com/docker/scout-cli v1.15.0
75 changes: 75 additions & 0 deletions data/buildx/docker_buildx_bake.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ options:
value_type: stringArray
default_value: '[]'
description: Allow build to access specified resources
details_url: '#allow'
deprecated: false
hidden: false
experimental: false
Expand Down Expand Up @@ -218,6 +219,80 @@ inherited_options:
kubernetes: false
swarm: false
examples: |-
### Allow extra privileged entitlement (--allow) {#allow}
```text
--allow=ENTITLEMENT[=VALUE]
```
Entitlements are designed to provide controlled access to privileged
operations. By default, Buildx and BuildKit operates with restricted
permissions to protect users and their systems from unintended side effects or
security risks. The `--allow` flag explicitly grants access to additional
entitlements, making it clear when a build or bake operation requires elevated
privileges.
In addition to BuildKit's `network.host` and `security.insecure` entitlements
(see [`docker buildx build --allow`](/reference/cli/docker/buildx/build/#allow),
Bake supports file system entitlements that grant granular control over file
system access. These are particularly useful when working with builds that need
access to files outside the default working directory.
Bake supports the following filesystem entitlements:
- `--allow fs=<path|*>` - Grant read and write access to files outside of the
working directory.
- `--allow fs.read=<path|*>` - Grant read access to files outside of the
working directory.
- `--allow fs.write=<path|*>` - Grant write access to files outside of the
working directory.
The `fs` entitlements take a path value (relative or absolute) to a directory
on the filesystem. Alternatively, you can pass a wildcard (`*`) to allow Bake
to access the entire filesystem.
### Example: fs.read
Given the following Bake configuration, Bake would need to access the parent
directory, relative to the Bake file.
```hcl
target "app" {
context = "../src"
}
```
Assuming `docker buildx bake app` is executed in the same directory as the
`docker-bake.hcl` file, you would need to explicitly allow Bake to read from
the `../src` directory. In this case, the following invocations all work:
```console
$ docker buildx bake --allow fs.read=* app
$ docker buildx bake --allow fs.read=../src app
$ docker buildx bake --allow fs=* app
```
### Example: fs.write
The following `docker-bake.hcl` file requires write access to the `/tmp`
directory.
```hcl
target "app" {
output = "/tmp"
}
```
Assuming `docker buildx bake app` is executed outside of the `/tmp` directory,
you would need to allow the `fs.write` entitlement, either by specifying the
path or using a wildcard:
```console
$ docker buildx bake --allow fs=/tmp app
$ docker buildx bake --allow fs.write=/tmp app
$ docker buildx bake --allow fs.write=* app
```
### Override the configured builder instance (--builder) {#builder}
Same as [`buildx --builder`](/reference/cli/docker/buildx/#builder).
Expand Down
4 changes: 2 additions & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ module github.com/docker/docs
go 1.23.1

require (
github.com/docker/buildx v0.20.0 // indirect
github.com/docker/buildx v0.20.1 // indirect
github.com/docker/cli v27.5.0+incompatible // indirect
github.com/docker/compose/v2 v2.32.4 // indirect
github.com/docker/scout-cli v1.15.0 // indirect
Expand All @@ -12,7 +12,7 @@ require (
)

replace (
github.com/docker/buildx => github.com/docker/buildx v0.20.0
github.com/docker/buildx => github.com/docker/buildx v0.20.1
github.com/docker/cli => github.com/docker/cli v27.5.0+incompatible
github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.32.4
github.com/docker/scout-cli => github.com/docker/scout-cli v1.15.0
Expand Down
2 changes: 2 additions & 0 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,8 @@ github.com/docker/buildx v0.19.2 h1:2zXzgP2liQKgQ5BiOqMc+wz7hfWgAIMWw5MR6QDG++I=
github.com/docker/buildx v0.19.2/go.mod h1:k4WP+XmGRYL0a7l4RZAI2TqpwhuAuSQ5U/rosRgFmAA=
github.com/docker/buildx v0.20.0 h1:XM2EvwEfohbxLPAheVm03biNHpspB/dA6U9F0c6yJsI=
github.com/docker/buildx v0.20.0/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic=
github.com/docker/buildx v0.20.1 h1:q88EfoYwrWEKVqNb9stOFq8fUlFp/OPlDcFE+QUYZBM=
github.com/docker/buildx v0.20.1/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic=
github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM=
github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
github.com/docker/cli v24.0.4+incompatible h1:Y3bYF9ekNTm2VFz5U/0BlMdJy73D+Y1iAAZ8l63Ydzw=
Expand Down

0 comments on commit 3dc492a

Please sign in to comment.