buildkit icon indicating copy to clipboard operation
buildkit copied to clipboard
verified publisher icon moby

git url: support query form + support specifying checksum in query

Open AkihiroSuda opened this issue 7 months ago • 5 comments

Split from:

  • #5903

e.g.,

https://github.com/moby/example.git?ref=v1.0.0&commit=deadbeef&subdir=/subdir

# alias of ref=refs/tags/v1.0.0
https://github.com/moby/example.git?tag=v1.0.0

# alias of ref=refs/heads/v1.0
https://github.com/moby/example.git?branch=v1.0

Fix #4905, but the syntax differs from the original proposal.

The document will be added to https://github.com/docker/docs/blob/main/content/manuals/build/concepts/context.md#url-fragments

AkihiroSuda avatar May 15 '25 10:05 AkihiroSuda

@AkihiroSuda Needs rebase after #5975

tonistiigi avatar May 19 '25 20:05 tonistiigi

Failure:

  • #5982

AkihiroSuda avatar May 20 '25 10:05 AkihiroSuda

@AkihiroSuda Any update?

tonistiigi avatar Jun 05 '25 00:06 tonistiigi

Rebased, but refactoring the parser may take some time. Unlikely in this week.

AkihiroSuda avatar Jun 05 '25 06:06 AkihiroSuda

Split the commit git url: rename GitURLFragment to GitURLOpts to #6012 for ease of merging.

Is the commit git url: support query form safe to cherry-pick too, ahead of the refactoring of the parser?

AkihiroSuda avatar Jun 05 '25 06:06 AkihiroSuda

Rebased, but refactoring the parser may take some time. Unlikely in this week.

@AkihiroSuda Do you have time to look at it? We plan to do first v0.24 RC next week.

crazy-max avatar Aug 18 '25 08:08 crazy-max

Looking at the current return type, there is already some weird things there, eg. IndistinguishableFromLocal seems to be only used in Dockerfile, and UnencryptedTCP doesn't seem to be used anywhere at all.

Moving these weirdo to frontend/dockerfile/dfgitutil:

  • https://github.com/moby/buildkit/pull/6152

AkihiroSuda avatar Aug 20 '25 09:08 AkihiroSuda

Added refactoring commits

  • util/gitutil: add ParseURLBasic
  • client/llb: add Git2

AkihiroSuda avatar Aug 20 '25 10:08 AkihiroSuda 

=== FAIL: frontend/dockerfile TestIntegration/TestGitProvenanceAttestation/worker=containerd-1.7/frontend=gateway/#00 (0.95s)
    dockerfile_provenance_test.go:468: 
        	Error Trace:	/src/frontend/dockerfile/dockerfile_provenance_test.go:468
        	Error:      	Received unexpected error:
        	            	failed to load cache key: failed to fetch remote https://127.0.0.1:37313/.git: git stderr:
        	            	fatal: unable to access 'https://127.0.0.1:37313/.git/': TLS connect error: error:0A0000C6:SSL routines::packet length too long
        	            	: exit status 128

https://github.com/moby/buildkit/actions/runs/17095584705/job/48479374770?pr=5974

AkihiroSuda avatar Aug 20 '25 10:08 AkihiroSuda

WDYT if we have another var to opt-out for checksum validation while keeping ref and commit like:

We could have another option like fetch-by-commit that could ignore ref (just set it blindly) if the intention is to support refs that used to be a specific commit. But if commit is set then buildkit should always guarantee that this is the correct commit that was checked out. Could also have something like fetch-by-commit=fast-forward for the heads/master case as master branch is always expected to be either commit or based on the commit. For the PR CI case where PR gets forced pushed, I think we should just fail the build in our actions, as no point in building a ref of the old PR if it has already been forced pushed to something else (new CI would start anyway).

tonistiigi avatar Aug 27 '25 07:08 tonistiigi

Carried and merged as:

  • #6172

Thanks @tonistiigi 🙇

AkihiroSuda avatar Aug 29 '25 05:08 AkihiroSuda