
provenance: add dockerfile frontend version #6705

Merged
tonistiigi merged 2 commits into moby:master from tonistiigi:provenance-dockerfile-version
May 7, 2026

@tonistiigi
Member

depends on #6681

Record the builtin Dockerfile frontend version in provenance
attestations for both SLSA v0.2 and v1 formats. The version
is derived from a new builder.Version constant, normalized
with the BuildKit release version suffix.

The external frontend Dockerfile validates that the builtin
version constant matches the git tag at release time.

The Dockerfile version file needs to be updated after the release branch is cut or on Dockerfile patch releases. Note that we can't use dockerfile git version tags for this, as buildkitd is tagged before the Dockerfile version and has its own version that is different.

}
pr.BuildDefinition.InternalParameters.DockerfileVersion = dockerfileVersion
}

Member

@crazy-max crazy-max Apr 24, 2026

This reminds me of recent changes in #6643

Was thinking it would not read the builtin version if we route to builtin but seems to work. Also next commit covers this case ee145d2#diff-b9582afb7cee482a23201365d6a87e962b706b6fe027b091c5d4094e3bbba796R1073

Comment thread control/control.go
Comment on lines +639 to +641
if dockerfileVersion := dockerfileversion.Version(); dockerfileVersion != "" {
buildkitVersion.DockerfileVersion = dockerfileVersion
}
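Review bot: in the `if` at lines +639 to +641, the local `dockerfileVersion` differs from the package name `dockerfileversion` only by the case of one letter, which is easy to misread at the call site; a shorter local such as `v` would read more clearly. The `!= ""` guard also leaves `buildkitVersion.DockerfileVersion` unset without saying when `Version()` is expected to return an empty string, so a one-line comment stating that case would help consumers of the version API.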
Member

Hum I was looking at

frontends["dockerfile.v0"] = forwarder.NewGatewayForwarder(wc.Infos(), dockerfile.Build)
and the new Dockerfile version field is advertised unconditionally from the compiled binary even when dockerfile.v0 is disabled and never registered.

Would print the Dockerfile version in buildctl debug info for a daemon that cannot serve the builtin Dockerfile frontend. Should we follow actual frontend registration?

Member Author

This is probably fine and could be considered a compatibility version, not an indication that the frontend is enabled. It's not very clean to update this for the listworkers code path.

tonistiigi added 2 commits May 6, 2026 10:42
Record the builtin Dockerfile frontend version in provenance
attestations for both SLSA v0.2 and v1 formats. The version
is derived from a new builder.Version constant, normalized
with the BuildKit release version suffix.

The external frontend Dockerfile validates that the builtin
version constant matches the git tag at release time.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
Expose the builtin Dockerfile frontend version in BuildKit version
APIs and buildctl debug output.

Move Dockerfile version logic into frontend/dockerfile/version and
validate that the builtin version constant matches release tags.

Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com>
@tonistiigi tonistiigi force-pushed the provenance-dockerfile-version branch from ee145d2 to 1890989 Compare May 6, 2026 17:42
@tonistiigi tonistiigi requested a review from jsternberg May 6, 2026 17:42
@github-actions github-actions Bot removed area/hack building buildkit itself area/dependencies Pull requests that update a dependency file area/ci area/util area/docs area/exporter area/source labels May 6, 2026
@tonistiigi tonistiigi added this to the v0.30.0 milestone May 7, 2026
@tonistiigi
Member Author

🤦 Forgot to merge this for v0.30.0-rc1

@tonistiigi tonistiigi merged commit 4f42761 into moby:master May 7, 2026
192 checks passed