Skip to content

Bump github.com/moby/buildkit from 0.26.3 to 0.28.0#373

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/moby/buildkit-0.28.0
Closed

Bump github.com/moby/buildkit from 0.26.3 to 0.28.0#373
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/moby/buildkit-0.28.0

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 9, 2026

Bumps github.com/moby/buildkit from 0.26.3 to 0.28.0.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.28.0

buildkit 0.28.0

Welcome to the v0.28.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

  • Tõnis Tiigi
  • CrazyMax
  • Sebastiaan van Stijn
  • Jonathan A. Sternberg
  • Akihiro Suda
  • Amr Mahdi
  • Dan Duvall
  • David Karlsson
  • Jonas Geiler
  • Kevin L.
  • rsteube

Notable Changes

  • Builtin Dockerfile frontend has been updated to v1.22.0 changelog
  • The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the version attribute. #6526
  • Provenance attestation for an image can now be directly pulled via Source metadata request. #6516 #6514 #6537
  • Pushing result images and exporting build cache now happens in parallel, for better performance. #6451
  • LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols docker-image+blob:// and oci-layout+blob://. #4286
  • LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. #6527 #6537
  • LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. #6527
  • With the update to a newer version of the in-toto library, the provenance attestation key InvocationID has changed to InvocationId to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. #6533
  • Embedded Qemu emulator support has been updated to v10.1.3 #6524
  • Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. #6368
  • Buildctl binary now supports bash completion. #6474
  • PGP signature verification now supports combined public keys as input for defining the required signer. #6519
  • Fix possible "failed to read expected number of bytes" error when reading attestation chains #6520
  • Fix possible error from race condition when creating images in parallel #6477

Dependency Changes

  • github.com/aws/aws-sdk-go-v2 v1.39.6 -> v1.41.1
  • github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.2 -> v1.7.4
  • github.com/aws/aws-sdk-go-v2/config v1.31.20 -> v1.32.7
  • github.com/aws/aws-sdk-go-v2/credentials v1.18.24 -> v1.19.7
  • github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.13 -> v1.18.17
  • github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.13 -> v1.4.17

... (truncated)

Commits
  • 5245d86 Merge pull request #6551 from tonistiigi/v0.28-cherry-picks
  • 90ee5de vendor: update x/net to v0.51.0
  • 3eab156 vendor: update cloudflare/circl v1.6.3
  • ecde336 Merge pull request #6537 from tonistiigi/add-v0.28-sourcemeta-caps
  • 8d58a58 gateway: add caps for source metadata extensions
  • 373d0ad Merge pull request #6534 from jsternberg/copy-ignored-file-linter-negated-mat...
  • 9a083f4 Merge pull request #6532 from crazy-max/update-aec
  • 809fe38 Merge pull request #4286 from tonistiigi/imageblob
  • d4e025a linter: do not attempt to check for copying ignored file when negated pattern...
  • c5cee9e Merge pull request #6533 from crazy-max/update-intoto-golang
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump github.com/moby/buildkit from 0.26.3 to 0.28.0
1d7ab79 
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.26.3 to 0.28.0.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](moby/buildkit@v0.26.3...v0.28.0)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 9, 2026
@openshift-ci openshift-ci bot requested a review from Jdubrick March 9, 2026 23:03
@openshift-ci
Copy link

openshift-ci bot commented Mar 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign michael-valdron for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot requested a review from michael-valdron March 9, 2026 23:03
thepetk
thepetk reviewed Mar 23, 2026
View reviewed changes
Copy link
Contributor

@thepetk thepetk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no because it upgrades go version

@thepetk thepetk closed this Mar 23, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 23, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/go_modules/github.com/moby/buildkit-0.28.0 branch March 23, 2026 14:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thepetk thepetk thepetk left review comments

@Jdubrick Jdubrick Awaiting requested review from Jdubrick

@michael-valdron michael-valdron Awaiting requested review from michael-valdron

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@thepetk