.github/workflows/build.yml

@@ -33,7 +33,7 @@ jobs:
           TEST_COVERAGE: 1
         run: make test
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: ./out/tests/coverage-unit.txt
@@ -55,10 +55,62 @@ jobs:
         run: |
           make format || true
           make test
+  test-windows:
+    runs-on: windows-2019
+    steps:
+      - name: Set git to use LF and symlinks
+        run: |
+          git config --global core.autocrlf false
+          git config --global core.eol lf
+          git config --global core.symlinks true
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: 'go.mod'
+      - name: Add runner IP to daemon insecure-registries and firewall
+        shell: powershell
+        run: |
+          # Get IP from default gateway interface
+          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
+
+          # Allow container-to-host registry traffic (from public interface, to the same interface)
+          New-NetfirewallRule -DisplayName test-registry -LocalAddress $IPAddress -RemoteAddress $IPAddress
+
+          # create or update daemon config to allow host as insecure-registry
+          $config=@{}
+          if (Test-Path C:\ProgramData\docker\config\daemon.json) {
+            $config=(Get-Content C:\ProgramData\docker\config\daemon.json | ConvertFrom-json)
+          }
+          $config | Add-Member -Force -Name "insecure-registries" -value @("$IPAddress/32") -MemberType NoteProperty
+          $config | Add-Member -Force -Name "allow-nondistributable-artifacts" -value @("$IPAddress/32") -MemberType NoteProperty
+          ConvertTo-json $config | Out-File -Encoding ASCII C:\ProgramData\docker\config\daemon.json
+
+          Restart-Service docker
+
+          # dump docker info for auditing
+          docker version
+          docker info
+      - name: Test
+        env:
+          TEST_COVERAGE: 1
+        run: |
+          make test
+      - name: Prepare Codecov
+        uses: crazy-max/ghaction-chocolatey@v3
+        with:
+          args: install codecov -y
+      - name: Run Codecov
+        run: |
+          codecov.exe -f .\out\tests\coverage-unit.txt -v --flag os_windows
   build-and-publish:
     needs:
       - test-linux-amd64
       - test-linux-arm64
+      - test-windows
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -76,14 +128,14 @@ jobs:
       - name: Set version
         run: |
           echo "LIFECYCLE_VERSION=$(go run tools/version/main.go)" | tee -a $GITHUB_ENV version.txt
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: version
           path: version.txt
       - name: Set tag
         run: |
           echo "LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)" >> tag.txt
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: tag
           path: tag.txt
@@ -92,51 +144,59 @@ jobs:
           make clean
           make build
           make package
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-x86-64
           path: out/lifecycle-v*+linux.x86-64.tgz
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-x86-64-sha256
           path: out/lifecycle-v*+linux.x86-64.tgz.sha256
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-arm64
           path: out/lifecycle-v*+linux.arm64.tgz
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-arm64-sha256
           path: out/lifecycle-v*+linux.arm64.tgz.sha256
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-ppc64le
           path: out/lifecycle-v*+linux.ppc64le.tgz
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-ppc64le-sha256
           path: out/lifecycle-v*+linux.ppc64le.tgz.sha256
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-s390x
           path: out/lifecycle-v*+linux.s390x.tgz
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-linux-s390x-sha256
           path: out/lifecycle-v*+linux.s390x.tgz.sha256
+      - uses: actions/upload-artifact@v3
+        with:
+          name: lifecycle-windows-x86-64
+          path: out/lifecycle-v*+windows.x86-64.tgz
+      - uses: actions/upload-artifact@v3
+        with:
+          name: lifecycle-windows-x86-64-sha256
+          path: out/lifecycle-v*+windows.x86-64.tgz.sha256
       - name: Generate SBOM JSON
         uses: CycloneDX/gh-gomod-generate-sbom@v2
         with:
           args: mod -licenses -json -output lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json
           version: ^v1
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-bom-cdx
           path: lifecycle-v*-bom.cdx.json
       - name: Calculate SBOM sha
         run: |
           shasum -a 256 lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json > lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json.sha256
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v3
         with:
           name: lifecycle-bom-cdx-sha256
           path: lifecycle-v*-bom.cdx.json.sha256
@@ -145,7 +205,7 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@v3
         with:
           name: tag
       - name: Set env
@@ -169,11 +229,15 @@ jobs:
           LINUX_S390X_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.s390x.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-s390x -arch s390x | awk '{print $NF}')
           echo "LINUX_S390X_SHA: $LINUX_S390X_SHA"
 
+          WINDOWS_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+windows.x86-64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows -os windows | awk '{print $NF}')
+          echo "WINDOWS_AMD64_SHA: $WINDOWS_AMD64_SHA"
+
           docker manifest create buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG} \
               buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64@${LINUX_AMD64_SHA} \
               buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64@${LINUX_ARM64_SHA} \
               buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-ppc64le@${LINUX_PPC64LE_SHA} \
-              buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-s390x@${LINUX_S390X_SHA}
+              buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-s390x@${LINUX_S390X_SHA} \
+              buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-windows@${WINDOWS_AMD64_SHA}
 
           MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG})
           echo "MANIFEST_SHA: $MANIFEST_SHA"
@@ -188,7 +252,7 @@ jobs:
             buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}
       - name: Scan image
         if: github.event_name == 'push'
-        uses: anchore/scan-action@v6
+        uses: anchore/scan-action@v3
         with:
           image: buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}
   pack-acceptance-linux:
@@ -206,17 +270,17 @@ jobs:
         uses: actions/setup-go@v5
         with:
           go-version-file: 'pack/go.mod'
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@v3
         with:
           name: version
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@v3
         with:
           name: tag
       - name: Set env
         run: |
           cat version.txt >> $GITHUB_ENV
           cat tag.txt >> $GITHUB_ENV
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@v3
         with:
           name: lifecycle-linux-x86-64
           path: pack
@@ -227,3 +291,75 @@ jobs:
           LIFECYCLE_PATH="../lifecycle-v${{ env.LIFECYCLE_VERSION }}+linux.x86-64.tgz" \
           LIFECYCLE_IMAGE="buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" \
           make acceptance
+  pack-acceptance-windows:
+    if: github.event_name == 'push'
+    needs: build-and-publish
+    runs-on: windows-2019
+    steps:
+      - name: Set git to use LF and symlinks
+        run: |
+          git config --global core.autocrlf false
+          git config --global core.eol lf
+          git config --global core.symlinks true
+      - uses: actions/checkout@v4
+        with:
+          repository: 'buildpacks/pack'
+          path: 'pack'
+          ref: 'main'
+          fetch-depth: 0 # fetch all history for all branches and tags
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'pack/go.mod'
+      - name: Add runner IP to daemon insecure-registries and firewall
+        shell: powershell
+        run: |
+          # Get IP from default gateway interface
+          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
+
+          # Allow container-to-host registry traffic (from public interface, to the same interface)
+          New-NetfirewallRule -DisplayName test-registry -LocalAddress $IPAddress -RemoteAddress $IPAddress
+
+          # create or update daemon config to allow host as insecure-registry
+          $config=@{}
+          if (Test-Path C:\ProgramData\docker\config\daemon.json) {
+            $config=(Get-Content C:\ProgramData\docker\config\daemon.json | ConvertFrom-json)
+          }
+          $config | Add-Member -Force -Name "insecure-registries" -value @("$IPAddress/32") -MemberType NoteProperty
+          ConvertTo-json $config | Out-File -Encoding ASCII C:\ProgramData\docker\config\daemon.json
+
+          Restart-Service docker
+
+          # dump docker info for auditing
+          docker version
+          docker info
+      - name: Modify etc\hosts to include runner IP
+        shell: powershell
+        run: |
+          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
+          "# Modified by CNB: https://github.com/buildpacks/ci/tree/main/gh-runners/windows
+          ${IPAddress} host.docker.internal
+          ${IPAddress} gateway.docker.internal
+          " | Out-File -Filepath C:\Windows\System32\drivers\etc\hosts -Encoding utf8
+      - uses: actions/download-artifact@v3
+        with:
+          name: version
+      - uses: actions/download-artifact@v3
+        with:
+          name: tag
+      - name: Set env
+        run: |
+          cat version.txt >> $env:GITHUB_ENV
+          cat tag.txt >> $env:GITHUB_ENV
+      - uses: actions/download-artifact@v3
+        with:
+          name: lifecycle-windows-x86-64
+          path: pack
+      - name: Run pack acceptance
+        run: |
+          cd pack
+          git checkout $(git describe --abbrev=0 --tags) # check out the latest tag
+          $env:LIFECYCLE_PATH="..\lifecycle-v${{ env.LIFECYCLE_VERSION }}+windows.x86-64.tgz"
+          $env:LIFECYCLE_IMAGE="buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}"
+          make acceptance
+

.github/workflows/check-latest-release.yml

@@ -86,7 +86,7 @@ jobs:
           fi
       - name: Scan latest release image
         id: scan-image
-        uses: anchore/scan-action@v6
+        uses: anchore/scan-action@v3
         with:
           image: buildpacksio/lifecycle:${{ steps.read-versions.outputs.latest-release-version }}
           fail-build: true

.github/workflows/draft-release.yml

@@ -24,7 +24,7 @@ jobs:
             exit 1
           fi
           echo "LIFECYCLE_VERSION=$version" >> $GITHUB_ENV
-      - name: Determine download urls for linux-x86-64, linux-arm64, linux-ppc64le, linux-s390x
+      - name: Determine download urls for linux-x86-64, linux-arm64, linux-ppc64le, linux-s390x, and windows
         id: artifact-urls
         # FIXME: this script should be updated to work with actions/github-script@v6
         uses: actions/github-script@v3
@@ -82,11 +82,8 @@ jobs:
                 if (urlList.length === 0) {
                   throw "no artifacts found"
                 }
-                if (urlList.length != 10) {
-                  // found too many artifacts
-                  // list them and throw
-                  console.log(urlList);
-                  throw "there should be exactly 10 artifacts, found " + urlList.length + " artifacts"
+                if (urlList.length != 12) {
+                  throw "there should be exactly 12 artifacts"
                 }
                 return urlList.join(",")
               })
@@ -191,7 +188,7 @@ jobs:
             --draft \
             --notes-file ../body.txt \
             --prerelease \
-            --target $GITHUB_REF_NAME \
+            --target $GITHUB_REF \
             --title "lifecycle v${{ env.LIFECYCLE_VERSION }}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -203,7 +200,7 @@ jobs:
             $(ls | sort | paste -sd " " -) \
             --draft \
             --notes-file ../body.txt \
-            --target $GITHUB_REF_NAME \
+            --target $GITHUB_REF \
             --title "lifecycle v${{ env.LIFECYCLE_VERSION }}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/post-release.yml

@@ -48,6 +48,9 @@ jobs:
           echo "LINUX_S390X_SHA: $LINUX_S390X_SHA"
           echo "LINUX_S390X_SHA=$LINUX_S390X_SHA" >> $GITHUB_ENV
 
+          WINDOWS_AMD64_SHA=$(cosign verify --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" --certificate-oidc-issuer https://token.actions.githubusercontent.com buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-windows | jq -r .[0].critical.image.\"docker-manifest-digest\")
+          echo "WINDOWS_AMD64_SHA: $WINDOWS_AMD64_SHA"
+          echo "WINDOWS_AMD64_SHA=$WINDOWS_AMD64_SHA" >> $GITHUB_ENV
       - name: Download SBOM
         run: |
           gh release download --pattern '*-bom.cdx.json' ${{ github.event.release.tag_name }}
@@ -61,12 +64,14 @@ jobs:
           crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-arm64@${{ env.LINUX_ARM64_SHA }} ${{ env.LIFECYCLE_VERSION }}-linux-arm64
           crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} ${{ env.LIFECYCLE_VERSION }}-linux-ppc64le
           crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-s390x@${{ env.LINUX_S390X_SHA }} ${{ env.LIFECYCLE_VERSION }}-linux-s390x
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-windows@${{ env.WINDOWS_AMD64_SHA }} ${{ env.LIFECYCLE_VERSION }}-windows
 
           docker manifest create buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }} \
             buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-x86-64@${{ env.LINUX_AMD64_SHA }} \
             buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-arm64@${{ env.LINUX_ARM64_SHA }} \
             buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} \
-            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-s390x@${{ env.LINUX_S390X_SHA }}
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-s390x@${{ env.LINUX_S390X_SHA }} \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-windows@${{ env.WINDOWS_AMD64_SHA }}
 
           MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }})
           echo "MANIFEST_SHA: $MANIFEST_SHA"
@@ -98,12 +103,14 @@ jobs:
           crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-arm64@${{ env.LINUX_ARM64_SHA }} latest-linux-arm64
           crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} latest-linux-ppc64le
           crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-s390x@${{ env.LINUX_S390X_SHA }} latest-linux-s390x
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-windows@${{ env.WINDOWS_AMD64_SHA }} latest-windows
 
           docker manifest create buildpacksio/lifecycle:latest \
             buildpacksio/lifecycle:latest-linux-x86-64@${{ env.LINUX_AMD64_SHA }} \
             buildpacksio/lifecycle:latest-linux-arm64@${{ env.LINUX_ARM64_SHA }} \
             buildpacksio/lifecycle:latest-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} \
-            buildpacksio/lifecycle:latest-linux-s390x@${{ env.LINUX_S390X_SHA }}
+            buildpacksio/lifecycle:latest-linux-s390x@${{ env.LINUX_S390X_SHA }} \
+            buildpacksio/lifecycle:latest-windows@${{ env.WINDOWS_AMD64_SHA }}
 
           MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:latest)
           echo "MANIFEST_SHA: $MANIFEST_SHA"

.github/workflows/test-s390x.yml

@@ -55,7 +55,7 @@ jobs:
               fi
           done
       - name: Install dependencies and run all tests on s390x ZVSI
-        uses: appleboy/ssh-action@v1.2.2
+        uses: appleboy/ssh-action@v1.0.3
         env:
           GH_REPOSITORY: ${{ github.server_url }}/${{ github.repository }}
           GH_REF: ${{ github.ref }}
@@ -68,8 +68,8 @@ jobs:
           script: |
             apt-get update -y
             apt-get install -y wget curl git make gcc jq docker.io
-            wget https://go.dev/dl/go1.24.6.linux-s390x.tar.gz
-            rm -rf /usr/local/go && tar -C /usr/local -xzf go1.24.6.linux-s390x.tar.gz
+            wget https://go.dev/dl/go1.22.2.linux-s390x.tar.gz
+            rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.2.linux-s390x.tar.gz
             export PATH=$PATH:/usr/local/go/bin
             git clone ${GH_REPOSITORY} lifecycle
             cd lifecycle && git checkout ${GH_REF}

.grype.yaml

@@ -1,5 +1,3 @@
 ignore:
   - vulnerability: CVE-2015-5237 # false positive, see https://github.com/anchore/grype/issues/558
   - vulnerability: CVE-2021-22570 # false positive, see https://github.com/anchore/grype/issues/558
-  - vulnerability: CVE-2024-41110 # non-impactful as we only use docker as a client
-  - vulnerability: GHSA-v23v-6jw2-98fq # non-impactful as we only use docker as a client

DEVELOPMENT.md

@@ -21,7 +21,7 @@
     * Windows:
         * `choco install cygwin make -y`
         * `[Environment]::SetEnvironmentVariable("PATH", "C:\tools\cygwin\bin;$ENV:PATH", "MACHINE")`
-
+        
 ### Caveats
 
 * The acceptance tests require the docker daemon to be able to communicate with a local containerized insecure registry. On Docker Desktop 3.3.x, this may result in failures such as: `Expected nil: push response: : Get http://localhost:<port>/v2/: dial tcp [::1]:<port>: connect: connection refused`. To fix these failures, it may be necessary to add the following to the Docker Desktop Engine config:
@@ -32,6 +32,17 @@
   ]
 ```
 
+* Some of the Windows acceptance tests use license restricted base images. By default, the docker deamon will not publish layers from these images when pushing to a registry which can result in test failures with error messages such as: `Ignoring image "X" because it was corrupt`. To fix these failures you must [enable pushing nondistributable artifacts](https://docs.docker.com/engine/reference/commandline/dockerd/#allow-push-of-nondistributable-artifacts) to the test registry by adding the following to your Docker Desktop Engine config: 
+    * `%programdata%\docker\config\daemon.json`:
+
+```
+{
+  "allow-nondistributable-artifacts": [
+    "<my-host-ip>/32"
+  ]
+}
+```
+
 ### Testing GitHub actions on forks
 
 The lifecycle release process involves chaining a series of GitHub actions together such that:
@@ -46,7 +57,7 @@ For the fork, it is necessary to add the following secrets:
 * DOCKER_PASSWORD (if not using ghcr.io)
 * DOCKER_USERNAME (if not using ghcr.io)
 
-The tools/test-fork.sh script can be used to update the source code to reflect the state of the fork.
+The tools/test-fork.sh script can be used to update the source code to reflect the state of the fork. 
 It can be invoked like so: `./tools/test-fork.sh <registry repo name>`
 
 ## Tasks

IMAGE.md

@@ -7,6 +7,7 @@ This image is maintained by the [Cloud Native Buildpacks project](https://buildp
 Supported tags are semver-versioned manifest lists - e.g., `0.12.0` or `0.12.0-rc.1`, pointing to one of the following os/architectures:
 * `linux/amd64`
 * `linux/arm64`
+* `windows/amd64`
 
 # About this image
 
@@ -41,4 +42,4 @@ With [tekton](https://github.com/tektoncd/catalog/tree/main/task/buildpacks-phas
 * Provide as param `LIFECYCLE_IMAGE` in taskrun
 
 ***
-[Source](https://github.com/buildpacks/lifecycle/blob/main/IMAGE.md) for this page
+[Source](https://github.com/buildpacks/lifecycle/blob/main/IMAGE.md) for this page

Makefile

@@ -30,6 +30,7 @@ LDFLAGS+=-X 'github.com/buildpacks/lifecycle/cmd.Version=$(LIFECYCLE_VERSION)'
 GOBUILD:=go build $(GOFLAGS) -ldflags "$(LDFLAGS)"
 GOTEST=$(GOCMD) test $(GOFLAGS)
 BUILD_DIR?=$(PWD)$/out
+WINDOWS_COMPILATION_IMAGE?=golang:1.22-windowsservercore-1809
 SOURCE_COMPILATION_IMAGE?=lifecycle-img
 BUILD_CTR?=lifecycle-ctr
 DOCKER_CMD?=make test
@@ -38,9 +39,13 @@ GOFILES := $(shell $(GOCMD) run tools$/lister$/main.go)
 
 all: test build package
 
-GOOS_ARCHS = linux/amd64 linux/arm64 linux/ppc64le linux/s390x darwin/amd64 darwin/arm64
+build: build-linux-amd64 build-linux-arm64 build-windows-amd64 build-linux-ppc64le build-linux-s390x
 
-build: build-linux-amd64 build-linux-arm64 build-linux-ppc64le build-linux-s390x
+build-linux-amd64: build-linux-amd64-lifecycle build-linux-amd64-symlinks build-linux-amd64-launcher
+build-linux-arm64: build-linux-arm64-lifecycle build-linux-arm64-symlinks build-linux-arm64-launcher
+build-windows-amd64: build-windows-amd64-lifecycle build-windows-amd64-symlinks build-windows-amd64-launcher
+build-linux-ppc64le: build-linux-ppc64le-lifecycle build-linux-ppc64le-symlinks build-linux-ppc64le-launcher
+build-linux-s390x: build-linux-s390x-lifecycle build-linux-s390x-symlinks build-linux-s390x-launcher
 
 build-image-linux-amd64: build-linux-amd64 package-linux-amd64
 build-image-linux-amd64: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+linux.x86-64.tgz
@@ -52,6 +57,11 @@ build-image-linux-arm64: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSIO
 build-image-linux-arm64:
 	$(GOCMD) run ./tools/image/main.go -daemon -lifecyclePath $(ARCHIVE_PATH) -os linux -arch arm64 -tag lifecycle:$(LIFECYCLE_IMAGE_TAG)
 
+build-image-windows-amd64: build-windows-amd64 package-windows-amd64
+build-image-windows-amd64: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+windows.x86-64.tgz
+build-image-windows-amd64:
+	$(GOCMD) run ./tools/image/main.go -daemon -lifecyclePath $(ARCHIVE_PATH) -os windows -arch amd64 -tag lifecycle:$(LIFECYCLE_IMAGE_TAG)
+
 build-image-linux-ppc64le: build-linux-ppc64le package-linux-ppc64le
 build-image-linux-ppc64le: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+linux.ppc64le.tgz
 build-image-linux-ppc64le:
@@ -62,50 +72,240 @@ build-image-linux-s390x: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSIO
 build-image-linux-s390x:
 	$(GOCMD) run ./tools/image/main.go -daemon -lifecyclePath $(ARCHIVE_PATH) -os linux -arch s390x -tag lifecycle:$(LIFECYCLE_IMAGE_TAG)
 
-define build_targets
-build-$(1)-$(2): build-$(1)-$(2)-lifecycle build-$(1)-$(2)-symlinks build-$(1)-$(2)-launcher
+build-linux-amd64-lifecycle: $(BUILD_DIR)/linux-amd64/lifecycle/lifecycle
 
-build-$(1)-$(2)-lifecycle: $(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle
+build-linux-arm64-lifecycle: $(BUILD_DIR)/linux-arm64/lifecycle/lifecycle
 
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: export GOOS:=$(1)
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: export GOARCH:=$(2)
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: OUT_DIR?=$$(BUILD_DIR)/$$(GOOS)-$$(GOARCH)/lifecycle
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: $$(GOFILES)
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle:
-	@echo "> Building lifecycle/lifecycle for $$(GOOS)/$$(GOARCH)..."
-	mkdir -p $$(OUT_DIR)
-	$$(GOENV) $$(GOBUILD) -o $$(OUT_DIR)/lifecycle -a ./cmd/lifecycle
+build-linux-ppc64le-lifecycle: $(BUILD_DIR)/linux-ppc64le/lifecycle/lifecycle
 
-build-$(1)-$(2)-symlinks: export GOOS:=$(1)
-build-$(1)-$(2)-symlinks: export GOARCH:=$(2)
-build-$(1)-$(2)-symlinks: OUT_DIR?=$$(BUILD_DIR)/$$(GOOS)-$$(GOARCH)/lifecycle
-build-$(1)-$(2)-symlinks:
-	@echo "> Creating phase symlinks for $$(GOOS)/$$(GOARCH)..."
-	ln -sf lifecycle $$(OUT_DIR)/detector
-	ln -sf lifecycle $$(OUT_DIR)/analyzer
-	ln -sf lifecycle $$(OUT_DIR)/restorer
-	ln -sf lifecycle $$(OUT_DIR)/builder
-	ln -sf lifecycle $$(OUT_DIR)/exporter
-	ln -sf lifecycle $$(OUT_DIR)/rebaser
-	ln -sf lifecycle $$(OUT_DIR)/creator
-	ln -sf lifecycle $$(OUT_DIR)/extender
+build-linux-s390x-lifecycle: $(BUILD_DIR)/linux-s390x/lifecycle/lifecycle
 
-build-$(1)-$(2)-launcher: $$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher
+$(BUILD_DIR)/linux-amd64/lifecycle/lifecycle: export GOOS:=linux
+$(BUILD_DIR)/linux-amd64/lifecycle/lifecycle: export GOARCH:=amd64
+$(BUILD_DIR)/linux-amd64/lifecycle/lifecycle: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-amd64/lifecycle/lifecycle: $(GOFILES)
+$(BUILD_DIR)/linux-amd64/lifecycle/lifecycle:
+	@echo "> Building lifecycle/lifecycle for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/lifecycle -a ./cmd/lifecycle
 
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: export GOOS:=$(1)
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: export GOARCH:=$(2)
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: OUT_DIR?=$$(BUILD_DIR)/$$(GOOS)-$$(GOARCH)/lifecycle
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: $$(GOFILES)
-$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher:
-	@echo "> Building lifecycle/launcher for $$(GOOS)/$$(GOARCH)..."
-	mkdir -p $$(OUT_DIR)
-	$$(GOENV) $$(GOBUILD) -o $$(OUT_DIR)/launcher -a ./cmd/launcher
-	test $$$$(du -m $$(OUT_DIR)/launcher|cut -f 1) -le 3
-endef
+$(BUILD_DIR)/linux-arm64/lifecycle/lifecycle: export GOOS:=linux
+$(BUILD_DIR)/linux-arm64/lifecycle/lifecycle: export GOARCH:=arm64
+$(BUILD_DIR)/linux-arm64/lifecycle/lifecycle: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-arm64/lifecycle/lifecycle: $(GOFILES)
+$(BUILD_DIR)/linux-arm64/lifecycle/lifecycle:
+	@echo "> Building lifecycle/lifecycle for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/lifecycle -a ./cmd/lifecycle
 
-$(foreach ga,$(GOOS_ARCHS),$(eval $(call build_targets,$(word 1, $(subst /, ,$(ga))),$(word 2, $(subst /, ,$(ga))))))
+$(BUILD_DIR)/linux-ppc64le/lifecycle/lifecycle: export GOOS:=linux
+$(BUILD_DIR)/linux-ppc64le/lifecycle/lifecycle: export GOARCH:=ppc64le
+$(BUILD_DIR)/linux-ppc64le/lifecycle/lifecycle: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-ppc64le/lifecycle/lifecycle: $(GOFILES)
+$(BUILD_DIR)/linux-ppc64le/lifecycle/lifecycle:
+	@echo "> Building lifecycle/lifecycle for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/lifecycle -a ./cmd/lifecycle
 
-generate-sbom: run-syft-linux-amd64 run-syft-linux-arm64 run-syft-linux-ppc64le run-syft-linux-s390x
+$(BUILD_DIR)/linux-s390x/lifecycle/lifecycle: export GOOS:=linux
+$(BUILD_DIR)/linux-s390x/lifecycle/lifecycle: export GOARCH:=s390x
+$(BUILD_DIR)/linux-s390x/lifecycle/lifecycle: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-s390x/lifecycle/lifecycle: $(GOFILES)
+$(BUILD_DIR)/linux-s390x/lifecycle/lifecycle:
+	@echo "> Building lifecycle/lifecycle for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/lifecycle -a ./cmd/lifecycle
+
+build-linux-amd64-launcher: $(BUILD_DIR)/linux-amd64/lifecycle/launcher
+
+$(BUILD_DIR)/linux-amd64/lifecycle/launcher: export GOOS:=linux
+$(BUILD_DIR)/linux-amd64/lifecycle/launcher: export GOARCH:=amd64
+$(BUILD_DIR)/linux-amd64/lifecycle/launcher: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-amd64/lifecycle/launcher: $(GOFILES)
+$(BUILD_DIR)/linux-amd64/lifecycle/launcher:
+	@echo "> Building lifecycle/launcher for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/launcher -a ./cmd/launcher
+	test $$(du -m $(OUT_DIR)/launcher|cut -f 1) -le 3
+
+build-linux-arm64-launcher: $(BUILD_DIR)/linux-arm64/lifecycle/launcher
+
+$(BUILD_DIR)/linux-arm64/lifecycle/launcher: export GOOS:=linux
+$(BUILD_DIR)/linux-arm64/lifecycle/launcher: export GOARCH:=arm64
+$(BUILD_DIR)/linux-arm64/lifecycle/launcher: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-arm64/lifecycle/launcher: $(GOFILES)
+$(BUILD_DIR)/linux-arm64/lifecycle/launcher:
+	@echo "> Building lifecycle/launcher for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/launcher -a ./cmd/launcher
+	test $$(du -m $(OUT_DIR)/launcher|cut -f 1) -le 3
+
+build-linux-ppc64le-launcher: $(BUILD_DIR)/linux-ppc64le/lifecycle/launcher
+
+$(BUILD_DIR)/linux-ppc64le/lifecycle/launcher: export GOOS:=linux
+$(BUILD_DIR)/linux-ppc64le/lifecycle/launcher: export GOARCH:=ppc64le
+$(BUILD_DIR)/linux-ppc64le/lifecycle/launcher: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-ppc64le/lifecycle/launcher: $(GOFILES)
+$(BUILD_DIR)/linux-ppc64le/lifecycle/launcher:
+	@echo "> Building lifecycle/launcher for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/launcher -a ./cmd/launcher
+	test $$(du -m $(OUT_DIR)/launcher|cut -f 1) -le 3
+
+build-linux-s390x-launcher: $(BUILD_DIR)/linux-s390x/lifecycle/launcher
+
+$(BUILD_DIR)/linux-s390x/lifecycle/launcher: export GOOS:=linux
+$(BUILD_DIR)/linux-s390x/lifecycle/launcher: export GOARCH:=s390x
+$(BUILD_DIR)/linux-s390x/lifecycle/launcher: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+$(BUILD_DIR)/linux-s390x/lifecycle/launcher: $(GOFILES)
+$(BUILD_DIR)/linux-s390x/lifecycle/launcher:
+	@echo "> Building lifecycle/launcher for $(GOOS)/$(GOARCH)..."
+	mkdir -p $(OUT_DIR)
+	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/launcher -a ./cmd/launcher
+	test $$(du -m $(OUT_DIR)/launcher|cut -f 1) -le 3
+
+build-linux-amd64-symlinks: export GOOS:=linux
+build-linux-amd64-symlinks: export GOARCH:=amd64
+build-linux-amd64-symlinks: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+build-linux-amd64-symlinks:
+	@echo "> Creating phase symlinks for $(GOOS)/$(GOARCH)..."
+	ln -sf lifecycle $(OUT_DIR)/detector
+	ln -sf lifecycle $(OUT_DIR)/analyzer
+	ln -sf lifecycle $(OUT_DIR)/restorer
+	ln -sf lifecycle $(OUT_DIR)/builder
+	ln -sf lifecycle $(OUT_DIR)/exporter
+	ln -sf lifecycle $(OUT_DIR)/rebaser
+	ln -sf lifecycle $(OUT_DIR)/creator
+	ln -sf lifecycle $(OUT_DIR)/extender
+
+build-linux-arm64-symlinks: export GOOS:=linux
+build-linux-arm64-symlinks: export GOARCH:=arm64
+build-linux-arm64-symlinks: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+build-linux-arm64-symlinks:
+	@echo "> Creating phase symlinks for $(GOOS)/$(GOARCH)..."
+	ln -sf lifecycle $(OUT_DIR)/detector
+	ln -sf lifecycle $(OUT_DIR)/analyzer
+	ln -sf lifecycle $(OUT_DIR)/restorer
+	ln -sf lifecycle $(OUT_DIR)/builder
+	ln -sf lifecycle $(OUT_DIR)/exporter
+	ln -sf lifecycle $(OUT_DIR)/rebaser
+	ln -sf lifecycle $(OUT_DIR)/creator
+	ln -sf lifecycle $(OUT_DIR)/extender
+
+build-linux-ppc64le-symlinks: export GOOS:=linux
+build-linux-ppc64le-symlinks: export GOARCH:=ppc64le
+build-linux-ppc64le-symlinks: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+build-linux-ppc64le-symlinks:
+	@echo "> Creating phase symlinks for $(GOOS)/$(GOARCH)..."
+	ln -sf lifecycle $(OUT_DIR)/detector
+	ln -sf lifecycle $(OUT_DIR)/analyzer
+	ln -sf lifecycle $(OUT_DIR)/restorer
+	ln -sf lifecycle $(OUT_DIR)/builder
+	ln -sf lifecycle $(OUT_DIR)/exporter
+	ln -sf lifecycle $(OUT_DIR)/rebaser
+	ln -sf lifecycle $(OUT_DIR)/creator
+	ln -sf lifecycle $(OUT_DIR)/extender
+
+build-linux-s390x-symlinks: export GOOS:=linux
+build-linux-s390x-symlinks: export GOARCH:=s390x
+build-linux-s390x-symlinks: OUT_DIR?=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+build-linux-s390x-symlinks:
+	@echo "> Creating phase symlinks for $(GOOS)/$(GOARCH)..."
+	ln -sf lifecycle $(OUT_DIR)/detector
+	ln -sf lifecycle $(OUT_DIR)/analyzer
+	ln -sf lifecycle $(OUT_DIR)/restorer
+	ln -sf lifecycle $(OUT_DIR)/builder
+	ln -sf lifecycle $(OUT_DIR)/exporter
+	ln -sf lifecycle $(OUT_DIR)/rebaser
+	ln -sf lifecycle $(OUT_DIR)/creator
+	ln -sf lifecycle $(OUT_DIR)/extender
+
+build-windows-amd64-lifecycle: $(BUILD_DIR)/windows-amd64/lifecycle/lifecycle.exe
+
+$(BUILD_DIR)/windows-amd64/lifecycle/lifecycle.exe: export GOOS:=windows
+$(BUILD_DIR)/windows-amd64/lifecycle/lifecycle.exe: export GOARCH:=amd64
+$(BUILD_DIR)/windows-amd64/lifecycle/lifecycle.exe: OUT_DIR?=$(BUILD_DIR)$/$(GOOS)-$(GOARCH)$/lifecycle
+$(BUILD_DIR)/windows-amd64/lifecycle/lifecycle.exe: $(GOFILES)
+$(BUILD_DIR)/windows-amd64/lifecycle/lifecycle.exe:
+	@echo "> Building lifecycle/lifecycle for $(GOOS)/$(GOARCH)..."
+	$(GOBUILD) -o $(OUT_DIR)$/lifecycle.exe -a .$/cmd$/lifecycle
+
+build-windows-amd64-launcher: $(BUILD_DIR)/windows-amd64/lifecycle/launcher.exe
+
+$(BUILD_DIR)/windows-amd64/lifecycle/launcher.exe: export GOOS:=windows
+$(BUILD_DIR)/windows-amd64/lifecycle/launcher.exe: export GOARCH:=amd64
+$(BUILD_DIR)/windows-amd64/lifecycle/launcher.exe: OUT_DIR?=$(BUILD_DIR)$/$(GOOS)-$(GOARCH)$/lifecycle
+$(BUILD_DIR)/windows-amd64/lifecycle/launcher.exe: $(GOFILES)
+$(BUILD_DIR)/windows-amd64/lifecycle/launcher.exe:
+	@echo "> Building lifecycle/launcher for $(GOOS)/$(GOARCH)..."
+	$(GOBUILD) -o $(OUT_DIR)$/launcher.exe -a .$/cmd$/launcher
+
+build-windows-amd64-symlinks: export GOOS:=windows
+build-windows-amd64-symlinks: export GOARCH:=amd64
+build-windows-amd64-symlinks: OUT_DIR?=$(BUILD_DIR)$/$(GOOS)-$(GOARCH)$/lifecycle
+build-windows-amd64-symlinks:
+	@echo "> Creating phase symlinks for Windows..."
+ifeq ($(OS),Windows_NT)
+	call del $(OUT_DIR)$/detector.exe
+	call del $(OUT_DIR)$/analyzer.exe
+	call del $(OUT_DIR)$/restorer.exe
+	call del $(OUT_DIR)$/builder.exe
+	call del $(OUT_DIR)$/exporter.exe
+	call del $(OUT_DIR)$/rebaser.exe
+	call del $(OUT_DIR)$/creator.exe
+	call mklink $(OUT_DIR)$/detector.exe lifecycle.exe
+	call mklink $(OUT_DIR)$/analyzer.exe lifecycle.exe
+	call mklink $(OUT_DIR)$/restorer.exe lifecycle.exe
+	call mklink $(OUT_DIR)$/builder.exe  lifecycle.exe
+	call mklink $(OUT_DIR)$/exporter.exe lifecycle.exe
+	call mklink $(OUT_DIR)$/rebaser.exe  lifecycle.exe
+	call mklink $(OUT_DIR)$/creator.exe  lifecycle.exe
+else
+	ln -sf lifecycle.exe $(OUT_DIR)$/detector.exe
+	ln -sf lifecycle.exe $(OUT_DIR)$/analyzer.exe
+	ln -sf lifecycle.exe $(OUT_DIR)$/restorer.exe
+	ln -sf lifecycle.exe $(OUT_DIR)$/builder.exe
+	ln -sf lifecycle.exe $(OUT_DIR)$/exporter.exe
+	ln -sf lifecycle.exe $(OUT_DIR)$/rebaser.exe
+	ln -sf lifecycle.exe $(OUT_DIR)$/creator.exe
+endif
+
+## DARWIN ARM64/AMD64
+include lifecycle.mk
+include launcher.mk
+build-darwin-arm64: build-darwin-arm64-lifecycle build-darwin-arm64-launcher
+build-darwin-arm64-lifecycle:
+	$(eval GOARCH := arm64)
+	$(eval TARGET := darwin-arm64)
+	$(eval OUT_DIR := $(BUILD_DIR)/$(TARGET)/lifecycle)
+	$(call build_lifecycle)
+build-darwin-arm64-launcher:
+	$(eval GOARCH := arm64)
+	$(eval TARGET := darwin-arm64)
+	$(eval OUT_DIR := $(BUILD_DIR)/$(TARGET)/lifecycle)
+	$(call build_launcher)
+
+build-darwin-amd64: build-darwin-amd64-lifecycle build-darwin-amd64-launcher
+build-darwin-amd64-lifecycle:
+	$(eval GOARCH := amd64)
+	$(eval TARGET := darwin-amd64)
+	$(eval OUT_DIR := $(BUILD_DIR)/$(TARGET)/lifecycle)
+	$(call build_lifecycle)
+build-darwin-amd64-launcher:
+	$(eval GOARCH := amd64)
+	$(eval TARGET := darwin-amd64)
+	$(eval OUT_DIR := $(BUILD_DIR)/$(TARGET)/lifecycle)
+	$(call build_launcher)
+
+generate-sbom: run-syft-windows run-syft-linux-amd64 run-syft-linux-arm64 run-syft-linux-ppc64le run-syft-linux-s390x
+
+run-syft-windows: install-syft
+run-syft-windows: export GOOS:=windows
+run-syft-windows: export GOARCH:=amd64
+run-syft-windows:
+	@echo "> Running syft..."
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.exe -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.cdx.json
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.exe -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.cdx.json
 
 run-syft-linux-amd64: install-syft
 run-syft-linux-amd64: export GOOS:=linux
@@ -143,26 +343,21 @@ install-syft:
 	@echo "> Installing syft..."
 	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
 
-define install-go-tool
-	@echo "> Installing $(1)..."
-	$(GOCMD) install $(1)@$(shell $(GOCMD) list -m -f '{{.Version}}' $(2))
-endef
-
 install-goimports:
 	@echo "> Installing goimports..."
-	$(call install-go-tool,golang.org/x/tools/cmd/goimports,golang.org/x/tools)
+	$(GOCMD) install golang.org/x/tools/cmd/goimports@v0.1.2
 
 install-yj:
 	@echo "> Installing yj..."
-	$(call install-go-tool,github.com/sclevine/yj,github.com/sclevine/yj)
+	$(GOCMD) install github.com/sclevine/yj@v0.0.0-20210612025309-737bdf40a5d1
 
 install-mockgen:
 	@echo "> Installing mockgen..."
-	$(call install-go-tool,github.com/golang/mock/mockgen,github.com/golang/mock)
+	$(GOCMD) install github.com/golang/mock/mockgen@v1.5.0
 
 install-golangci-lint:
 	@echo "> Installing golangci-lint..."
-	$(call install-go-tool,github.com/golangci/golangci-lint/v2/cmd/golangci-lint,github.com/golangci/golangci-lint/v2)
+	$(GOCMD) install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.57.2
 
 lint: install-golangci-lint
 	@echo "> Linting code..."
@@ -205,7 +400,7 @@ clean:
 	@echo "> Cleaning workspace..."
 	rm -rf $(BUILD_DIR)
 
-package:  generate-sbom package-linux-amd64 package-linux-arm64 package-linux-ppc64le package-linux-s390x
+package:  generate-sbom package-linux-amd64 package-linux-arm64 package-windows-amd64 package-linux-ppc64le package-linux-s390x
 
 package-linux-amd64: GOOS:=linux
 package-linux-amd64: GOARCH:=amd64
@@ -242,3 +437,26 @@ package-linux-s390x: PACKAGER=./tools/packager/main.go
 package-linux-s390x:
 	@echo "> Packaging lifecycle for $(GOOS)/$(GOARCH)..."
 	$(GOCMD) run $(PACKAGER) --inputDir $(INPUT_DIR) -archivePath $(ARCHIVE_PATH) -descriptorPath $(LIFECYCLE_DESCRIPTOR_PATH) -version $(LIFECYCLE_VERSION)
+
+package-windows-amd64: GOOS:=windows
+package-windows-amd64: GOARCH:=amd64
+package-windows-amd64: INPUT_DIR:=$(BUILD_DIR)$/$(GOOS)-$(GOARCH)$/lifecycle
+package-windows-amd64: ARCHIVE_PATH=$(BUILD_DIR)$/lifecycle-v$(LIFECYCLE_VERSION)+$(GOOS).x86-64.tgz
+package-windows-amd64: PACKAGER=.$/tools$/packager$/main.go
+package-windows-amd64:
+	@echo "> Packaging lifecycle for $(GOOS)/$(GOARCH)..."
+	$(GOCMD) run $(PACKAGER) --inputDir $(INPUT_DIR) -archivePath $(ARCHIVE_PATH) -descriptorPath $(LIFECYCLE_DESCRIPTOR_PATH) -version $(LIFECYCLE_VERSION)
+
+# Ensure workdir is clean and build image from .git
+docker-build-source-image-windows: $(GOFILES)
+docker-build-source-image-windows:
+	$(if $(shell git status --short), @echo Uncommitted changes. Refusing to run. && exit 1)
+	docker build .git -f tools/Dockerfile.windows --tag $(SOURCE_COMPILATION_IMAGE) --build-arg image_tag=$(WINDOWS_COMPILATION_IMAGE) --cache-from=$(SOURCE_COMPILATION_IMAGE) --isolation=process --compress
+
+docker-run-windows: docker-build-source-image-windows
+docker-run-windows:
+	@echo "> Running '$(DOCKER_CMD)' in docker windows..."
+	@docker volume rm -f lifecycle-out
+	docker run -v lifecycle-out:c:/lifecycle/out -e LIFECYCLE_VERSION -e PLATFORM_API -e BUILDPACK_API -v gopathcache:c:/gopath -v '\\.\pipe\docker_engine:\\.\pipe\docker_engine' --isolation=process --interactive --tty --rm $(SOURCE_COMPILATION_IMAGE) $(DOCKER_CMD)
+	docker run -v lifecycle-out:c:/lifecycle/out --rm $(SOURCE_COMPILATION_IMAGE) tar -cf- out | tar -xf-
+	@docker volume rm -f lifecycle-out

RELEASE.md

@@ -1,73 +1,22 @@
-# Release Finalization
+## Release Finalization
 
-## Types of releases
-
-#### New minor
-* For newly supported Platform or Buildpack API versions, or breaking changes (e.g., API deprecations).
-
-#### Pre-release aka release candidate
-* Ideally we should ship a pre-release (waiting a few days for folks to try it out) before we ship a new minor.
-* We typically don't ship pre-releases for patches or backports.
-
-#### New patch
-* For go version updates, CVE fixes / dependency bumps, bug fixes, etc.
-* Review the latest commits on `main` to determine if any are unacceptable for a patch - if there are commits that should be excluded, branch off the latest tag for the current minor and cherry-pick commits over.
-
-#### Backport
-* New patch for an old minor. Typically, to help folks out who haven't yet upgraded from [unsupported APIs](https://github.com/buildpacks/rfcs/blob/main/text/0110-deprecate-apis.md).
-* For go version updates, CVE fixes / dependency bumps, bug fixes, etc.
-* Branch off the latest tag for the desired minor.
-
-## Release Finalization Steps
-
-### Step 1 - Prepare
-
-Determine the type of release ([new minor](#new-minor), [pre-release](#pre-release-aka-release-candidate), [new patch](#new-patch), or [backport](#backport)) and prepare the branch accordingly.
-
-**To prepare the release branch:**
-1. Check open PRs for any dependabot updates that should be merged.
-1. Create a release branch in the format `release/0.99.0-rc.1` (for pre-releases) or `release/0.99.0` (for final releases).
-   * New commits to this branch will trigger the `build` workflow and produce a lifecycle image: `buildpacksio/lifecycle:<commit sha>`.
+To cut a pre-release:
 1. If applicable, ensure the README is updated with the latest supported apis (example PR: https://github.com/buildpacks/lifecycle/pull/550).
-   * For final releases (not pre-releases), remove the pre-release note (`*`) for the latest apis.
+1. Create a release branch in the format `release/0.99.0-rc.1`. New commits to this branch will trigger the `build` workflow and produce a lifecycle image: `buildpacksio/lifecycle:<commit sha>`.
+1. When ready to cut the release, manually trigger the `draft-release` workflow: Actions -> draft-release -> Run workflow -> Use workflow from branch: `release/0.99.0-rc.1`. This will create a draft release on GitHub using the artifacts from the `build` workflow run for the latest commit on the release branch.
+1. Edit the release notes as necessary.
+1. Perform any manual validation of the artifacts.
+1. When ready to publish the release, edit the release page and click "Publish release". This will trigger the `post-release` workflow that will re-tag the lifecycle image from `buildpacksio/lifecycle:<commit sha>` to `buildpacksio/lifecycle:0.99.0` but will NOT update the `latest` tag.
 
-**For final releases (not pre-releases):**
+To cut a release:
 1. Ensure the relevant spec APIs have been released.
 1. Ensure the `lifecycle/0.99.0` milestone on the [docs repo](https://github.com/buildpacks/docs/blob/main/RELEASE.md#lump-changes) is complete, such that every new feature in the lifecycle is fully explained in the `release/lifecycle/0.99` branch on the docs repo, and [migration guides](https://github.com/buildpacks/docs/tree/main/content/docs/reference/spec/migration) (if relevant) are included.
-
-### Step 2 - Publish the Release
-
-1. Manually trigger the `draft-release` workflow: Actions -> draft-release -> Run workflow -> Use workflow from branch: `release/<release version>`. This will create a draft release on GitHub using the artifacts from the `build` workflow run for the latest commit on the release branch.
+1. Create a release branch in the format `release/0.99.0`. New commits to this branch will trigger the `build` workflow and produce a lifecycle image: `buildpacksio/lifecycle:<commit sha>`.
+1. If applicable, ensure the README is updated with the latest supported apis (example PR: https://github.com/buildpacks/lifecycle/pull/550) and remove the pre-release note for the latest apis.
+1. When ready to cut the release, manually trigger the `draft-release` workflow: Actions -> draft-release -> Run workflow -> Use workflow from branch: `release/0.99.0`. This will create a draft release on GitHub using the artifacts from the `build` workflow run for the latest commit on the release branch.
 1. Edit the release notes as necessary.
-1. Perform any manual validation of the artifacts as necessary (usually none).
-1. Edit the release page and click "Publish release".
-   * This will trigger the `post-release` workflow that will re-tag the lifecycle image from `buildpacksio/lifecycle:<commit sha>` to `buildpacksio/lifecycle:<release version>`.
-     * For final releases ONLY, this will also re-tag the lifecycle image from `buildpacksio/lifecycle:<commit sha>` to `buildpacksio/lifecycle:latest`.
-
-### Step 3 - Follow-up
-
-**For pre-releases:**
-* Ask the relevant teams to try out the pre-released artifacts.
-
-**For final releases:**
-* Update the `main` branch to remove the pre-release note in [README.md](https://github.com/buildpacks/lifecycle/blob/main/README.md) and/or merge `release/0.99.0` into `main`.
-* Ask the learning team to merge the `release/lifecycle/0.99` branch into `main` on the docs repo.
-
-## Go version updates
-
-Go version updates should be released as a [new minor](#new-minor) or [new patch](#new-patch) release.
-
-### New Patch
-
-If the go patch is in [actions/go-versions](https://github.com/actions/go-versions/pulls?q=is%3Apr+is%3Aclosed) then CI should pull it in automatically without any action needed.
-We simply need to create the release branch and let the pipeline run.
-
-### New Minor
-
-We typically do this when the existing patch version exceeds 6 - e.g., `1.22.6`. This means we have about 6 months to upgrade before the current minor becomes unsupported due to the introduction of the new n+2 minor.
-
-#### Steps
-1. Update go.mod
-1. Search for the old `major.minor`, there are a few files that need to be updated (example PR: https://github.com/buildpacks/lifecycle/pull/1405/files)
-1. Update the linter to a version that supports the current `major.minor`
-1. Fix any lint errors as necessary
+1. Perform any manual validation of the artifacts.
+1. When ready to publish the release, edit the release page and click "Publish release". This will trigger the `post-release` workflow that will re-tag the lifecycle image from `buildpacksio/lifecycle:<commit sha>` to `buildpacksio/lifecycle:0.99.0` and `buildpacksio/lifecycle:latest`.
+1. Once released
+- Update the `main` branch to remove the pre-release note in [README.md](https://github.com/buildpacks/lifecycle/blob/main/README.md) and/or merge `release/0.99.0` into `main`.
+- Ask the learning team to merge the `release/lifecycle/0.99` branch into `main` on the docs repo.

acceptance/acceptance_test.go

@@ -23,6 +23,7 @@ const (
 var (
 	latestPlatformAPI = api.Platform.Latest().String()
 	buildDir          string
+	cacheFixtureDir   string
 )
 
 func TestVersion(t *testing.T) {

acceptance/analyzer_test.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -36,6 +37,7 @@ func TestAnalyzer(t *testing.T) {
 
 	analyzeImage = analyzeTest.testImageRef
 	analyzerPath = analyzeTest.containerBinaryPath
+	cacheFixtureDir = filepath.Join("testdata", "cache-dir")
 	analyzeRegAuthConfig = analyzeTest.targetRegistry.authConfig
 	analyzeRegNetwork = analyzeTest.targetRegistry.network
 	analyzeDaemonFixtures = analyzeTest.targetDaemon.fixtures
@@ -127,6 +129,8 @@ func testAnalyzerFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 
 		when("the provided layers directory isn't writeable", func() {
 			it("recursively chowns the directory", func() {
+				h.SkipIf(t, runtime.GOOS == "windows", "Not relevant on Windows")
+
 				analyzeFlags := []string{"-run-image", analyzeRegFixtures.ReadOnlyRunImage}
 
 				output := h.DockerRun(t,
@@ -199,6 +203,8 @@ func testAnalyzerFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 		})
 
 		it("drops privileges", func() {
+			h.SkipIf(t, runtime.GOOS == "windows", "Not relevant on Windows")
+
 			analyzeArgs := []string{
 				"-analyzed", "/some-dir/some-analyzed.toml",
 				"-run-image", analyzeRegFixtures.ReadOnlyRunImage,

acceptance/builder_test.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/sclevine/spec"
@@ -24,6 +25,8 @@ var (
 )
 
 func TestBuilder(t *testing.T) {
+	h.SkipIf(t, runtime.GOOS == "windows", "Builder acceptance tests are not yet supported on Windows")
+
 	info, err := h.DockerCli(t).Info(context.TODO())
 	h.AssertNil(t, err)
 

acceptance/creator_test.go

@@ -1,4 +1,5 @@
 //go:build acceptance
+// +build acceptance
 
 package acceptance
 
@@ -6,6 +7,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"testing"
 	"time"
 
@@ -29,6 +31,8 @@ var (
 )
 
 func TestCreator(t *testing.T) {
+	h.SkipIf(t, runtime.GOOS == "windows", "Creator acceptance tests are not yet supported on Windows")
+
 	testImageDockerContext := filepath.Join("testdata", "creator")
 	createTest = NewPhaseTest(t, "creator", testImageDockerContext)
 	createTest.Start(t)
@@ -36,6 +40,7 @@ func TestCreator(t *testing.T) {
 
 	createImage = createTest.testImageRef
 	creatorPath = createTest.containerBinaryPath
+	cacheFixtureDir = filepath.Join("testdata", "creator", "cache-dir")
 	createRegAuthConfig = createTest.targetRegistry.authConfig
 	createRegNetwork = createTest.targetRegistry.network
 	createDaemonFixtures = createTest.targetDaemon.fixtures

acceptance/detector_test.go

@@ -1,4 +1,5 @@
 //go:build acceptance
+// +build acceptance
 
 package acceptance
 
@@ -8,6 +9,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/sclevine/spec"
@@ -28,6 +30,8 @@ var (
 )
 
 func TestDetector(t *testing.T) {
+	h.SkipIf(t, runtime.GOOS == "windows", "Detector acceptance tests are not yet supported on Windows")
+
 	info, err := h.DockerCli(t).Info(context.TODO())
 	h.AssertNil(t, err)
 

acceptance/exporter_test.go

@@ -1,17 +1,16 @@
 //go:build acceptance
+// +build acceptance
 
 package acceptance
 
 import (
 	"context"
-	"crypto/sha256"
-	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	"io"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 	"time"
@@ -19,7 +18,6 @@ import (
 	"github.com/buildpacks/imgutil"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/v1/remote"
-	"github.com/pkg/errors"
 	"github.com/sclevine/spec"
 	"github.com/sclevine/spec/report"
 
@@ -27,7 +25,6 @@ import (
 	"github.com/buildpacks/lifecycle/auth"
 	"github.com/buildpacks/lifecycle/cache"
 	"github.com/buildpacks/lifecycle/cmd"
-	"github.com/buildpacks/lifecycle/internal/fsutil"
 	"github.com/buildpacks/lifecycle/internal/path"
 	"github.com/buildpacks/lifecycle/platform/files"
 	h "github.com/buildpacks/lifecycle/testhelpers"
@@ -44,6 +41,8 @@ var (
 )
 
 func TestExporter(t *testing.T) {
+	h.SkipIf(t, runtime.GOOS == "windows", "Exporter acceptance tests are not yet supported on Windows")
+
 	testImageDockerContext := filepath.Join("testdata", "exporter")
 	exportTest = NewPhaseTest(t, "exporter", testImageDockerContext)
 
@@ -52,6 +51,7 @@ func TestExporter(t *testing.T) {
 
 	exportImage = exportTest.testImageRef
 	exporterPath = exportTest.containerBinaryPath
+	cacheFixtureDir = filepath.Join("testdata", "exporter", "cache-dir")
 	exportRegAuthConfig = exportTest.targetRegistry.authConfig
 	exportRegNetwork = exportTest.targetRegistry.network
 	exportDaemonFixtures = exportTest.targetDaemon.fixtures
@@ -64,146 +64,147 @@ func TestExporter(t *testing.T) {
 
 func testExporterFunc(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
 	return func(t *testing.T, when spec.G, it spec.S) {
+		var exportedImageName string
+
+		it.After(func() {
+			_, _, _ = h.RunE(exec.Command("docker", "rmi", exportedImageName)) // #nosec G204
+		})
 
 		when("daemon case", func() {
-			var exportedImageName string
+			when("first build", func() {
+				when("app", func() {
+					it("is created", func() {
+						exportFlags := []string{"-daemon", "-log-level", "debug"}
+						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+						exportedImageName = "some-exported-image-" + h.RandString(10)
+						exportArgs = append(exportArgs, exportedImageName)
 
-			it.After(func() {
-				_, _, _ = h.RunE(exec.Command("docker", "rmi", exportedImageName)) // #nosec G204
-			})
+						output := h.DockerRun(t,
+							exportImage,
+							h.WithFlags(append(
+								dockerSocketMount,
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+							)...),
+							h.WithArgs(exportArgs...),
+						)
+						h.AssertStringContains(t, output, "Saving "+exportedImageName)
 
-			it("app is created", func() {
-				exportFlags := []string{"-daemon", "-log-level", "debug"}
-				exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-				exportedImageName = "some-exported-image-" + h.RandString(10)
-				exportArgs = append(exportArgs, exportedImageName)
+						if api.MustParse(platformAPI).AtLeast("0.11") {
+							extensions := []string{"sbom.cdx.json", "sbom.spdx.json", "sbom.syft.json"}
+							for _, extension := range extensions {
+								h.AssertStringContains(t, output, fmt.Sprintf("Copying SBOM lifecycle.%s to %s", extension, filepath.Join(path.RootDir, "layers", "sbom", "build", "buildpacksio_lifecycle", extension)))
+								h.AssertStringContains(t, output, fmt.Sprintf("Copying SBOM launcher.%s to %s", extension, filepath.Join(path.RootDir, "layers", "sbom", "launch", "buildpacksio_lifecycle", "launcher", extension)))
+							}
+						} else {
+							h.AssertStringDoesNotContain(t, output, "Copying SBOM")
+						}
 
-				output := h.DockerRun(t,
-					exportImage,
-					h.WithFlags(append(
-						dockerSocketMount,
-						"--env", "CNB_PLATFORM_API="+platformAPI,
-					)...),
-					h.WithArgs(exportArgs...),
-				)
-				h.AssertStringContains(t, output, "Saving "+exportedImageName)
+						if api.MustParse(platformAPI).AtLeast("0.12") {
+							expectedHistory := []string{
+								"Buildpacks Launcher Config",
+								"Buildpacks Application Launcher",
+								"Application Layer",
+								"Software Bill-of-Materials",
+								"Layer: 'launch-layer', Created by buildpack: cacher_buildpack@cacher_v1",
+								"", // run image layer
+							}
+							assertDaemonImageHasHistory(t, exportedImageName, expectedHistory)
+						} else {
+							assertDaemonImageDoesNotHaveHistory(t, exportedImageName)
+						}
 
-				if api.MustParse(platformAPI).AtLeast("0.11") {
-					extensions := []string{"sbom.cdx.json", "sbom.spdx.json", "sbom.syft.json"}
-					for _, extension := range extensions {
-						h.AssertStringContains(t, output, fmt.Sprintf("Copying SBOM lifecycle.%s to %s", extension, filepath.Join(path.RootDir, "layers", "sbom", "build", "buildpacksio_lifecycle", extension)))
-						h.AssertStringContains(t, output, fmt.Sprintf("Copying SBOM launcher.%s to %s", extension, filepath.Join(path.RootDir, "layers", "sbom", "launch", "buildpacksio_lifecycle", "launcher", extension)))
-					}
-				} else {
-					h.AssertStringDoesNotContain(t, output, "Copying SBOM")
-				}
-
-				if api.MustParse(platformAPI).AtLeast("0.12") {
-					expectedHistory := []string{
-						"Buildpacks Launcher Config",
-						"Buildpacks Application Launcher",
-						"Application Layer",
-						"Software Bill-of-Materials",
-						"Layer: 'corrupted-layer', Created by buildpack: corrupted_buildpack@corrupted_v1",
-						"Layer: 'launch-layer', Created by buildpack: cacher_buildpack@cacher_v1",
-						"", // run image layer
-					}
-					assertDaemonImageHasHistory(t, exportedImageName, expectedHistory)
-				} else {
-					assertDaemonImageDoesNotHaveHistory(t, exportedImageName)
-				}
-
-				assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
-			})
-
-			when("using extensions", func() {
-				it.Before(func() {
-					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
+						assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+					})
 				})
 
-				it("app is created from the extended run image", func() {
-					exportFlags := []string{
-						"-analyzed", "/layers/run-image-extended-analyzed.toml", // though the run image is a registry image, it also exists in the daemon with the same tag
-						"-daemon",
-						"-extended", "/layers/some-extended-dir",
-						"-log-level", "debug",
-						"-run", "/cnb/run.toml", // though the run image is a registry image, it also exists in the daemon with the same tag
-					}
-					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-					exportedImageName = "some-exported-image-" + h.RandString(10)
-					exportArgs = append(exportArgs, exportedImageName)
+				when("using extensions", func() {
+					it.Before(func() {
+						h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
+					})
 
-					// get run image top layer
-					inspect, _, err := h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportTest.targetRegistry.fixtures.ReadOnlyRunImage)
-					h.AssertNil(t, err)
-					layers := inspect.RootFS.Layers
-					runImageFixtureTopLayerSHA := layers[len(layers)-1]
-					runImageFixtureSHA := inspect.ID
+					it("is created from the extended run image", func() {
+						exportFlags := []string{
+							"-analyzed", "/layers/run-image-extended-analyzed.toml", // though the run image is a registry image, it also exists in the daemon with the same tag
+							"-daemon",
+							"-extended", "/layers/some-extended-dir",
+							"-log-level", "debug",
+							"-run", "/cnb/run.toml", // though the run image is a registry image, it also exists in the daemon with the same tag
+						}
+						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+						exportedImageName = "some-exported-image-" + h.RandString(10)
+						exportArgs = append(exportArgs, exportedImageName)
 
-					experimentalMode := "warn"
-					if api.MustParse(platformAPI).AtLeast("0.13") {
-						experimentalMode = "error"
-					}
+						// get run image top layer
+						inspect, _, err := h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportTest.targetRegistry.fixtures.ReadOnlyRunImage)
+						h.AssertNil(t, err)
+						layers := inspect.RootFS.Layers
+						runImageFixtureTopLayerSHA := layers[len(layers)-1]
+						runImageFixtureSHA := inspect.ID
 
-					output := h.DockerRun(t,
-						exportImage,
-						h.WithFlags(append(
-							dockerSocketMount,
-							"--env", "CNB_EXPERIMENTAL_MODE="+experimentalMode,
-							"--env", "CNB_PLATFORM_API="+platformAPI,
-						)...),
-						h.WithArgs(exportArgs...),
-					)
-					h.AssertStringContains(t, output, "Saving "+exportedImageName)
+						experimentalMode := "warn"
+						if api.MustParse(platformAPI).AtLeast("0.13") {
+							experimentalMode = "error"
+						}
 
-					assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
-					expectedHistory := []string{
-						"Buildpacks Launcher Config",
-						"Buildpacks Application Launcher",
-						"Application Layer",
-						"Software Bill-of-Materials",
-						"Layer: 'corrupted-layer', Created by buildpack: corrupted_buildpack@corrupted_v1",
-						"Layer: 'launch-layer', Created by buildpack: cacher_buildpack@cacher_v1",
-						"Layer: 'RUN mkdir /some-other-dir && echo some-data > /some-other-dir/some-file && echo some-data > /some-other-file', Created by extension: second-extension",
-						"Layer: 'RUN mkdir /some-dir && echo some-data > /some-dir/some-file && echo some-data > /some-file', Created by extension: first-extension",
-						"", // run image layer
-					}
-					assertDaemonImageHasHistory(t, exportedImageName, expectedHistory)
-					t.Log("bases the exported image on the extended run image")
-					inspect, _, err = h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportedImageName)
-					h.AssertNil(t, err)
-					h.AssertEq(t, inspect.Config.Labels["io.buildpacks.rebasable"], "false") // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<sha>/blobs/sha256/<config>
-					t.Log("Adds extension layers")
-					type testCase struct {
-						expectedDiffID string
-						layerIndex     int
-					}
-					testCases := []testCase{
-						{
-							expectedDiffID: "sha256:fb54d2566824d6630d94db0b008d9a544a94d3547a424f52e2fd282b648c0601", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/65c2873d397056a5cb4169790654d787579b005f18b903082b177d4d9b4aecf5 after un-compressing and zeroing timestamps
-							layerIndex:     1,
-						},
-						{
-							expectedDiffID: "sha256:1018c7d3584c4f7fa3ef4486d1a6a11b93956b9d8bfe0898a3e0fbd248c984d8", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/0fb9b88c9cbe9f11b4c8da645f390df59f5949632985a0bfc2a842ef17b2ad18 after un-compressing and zeroing timestamps
-							layerIndex:     2,
-						},
-					}
-					for _, tc := range testCases {
-						h.AssertEq(t, inspect.RootFS.Layers[tc.layerIndex], tc.expectedDiffID)
-					}
-					t.Log("sets the layers metadata label according to the new spec")
-					var lmd files.LayersMetadata
-					lmdJSON := inspect.Config.Labels["io.buildpacks.lifecycle.metadata"]
-					h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
-					h.AssertEq(t, lmd.RunImage.Image, exportTest.targetRegistry.fixtures.ReadOnlyRunImage) // from analyzed.toml
-					h.AssertEq(t, lmd.RunImage.Mirrors, []string{"mirror1", "mirror2"})                    // from run.toml
-					h.AssertEq(t, lmd.RunImage.TopLayer, runImageFixtureTopLayerSHA)
-					h.AssertEq(t, lmd.RunImage.Reference, strings.TrimPrefix(runImageFixtureSHA, "sha256:"))
+						output := h.DockerRun(t,
+							exportImage,
+							h.WithFlags(append(
+								dockerSocketMount,
+								"--env", "CNB_EXPERIMENTAL_MODE="+experimentalMode,
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+							)...),
+							h.WithArgs(exportArgs...),
+						)
+						h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+						assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+						expectedHistory := []string{
+							"Buildpacks Launcher Config",
+							"Buildpacks Application Launcher",
+							"Application Layer",
+							"Software Bill-of-Materials",
+							"Layer: 'launch-layer', Created by buildpack: cacher_buildpack@cacher_v1",
+							"Layer: 'RUN mkdir /some-other-dir && echo some-data > /some-other-dir/some-file && echo some-data > /some-other-file', Created by extension: second-extension",
+							"Layer: 'RUN mkdir /some-dir && echo some-data > /some-dir/some-file && echo some-data > /some-file', Created by extension: first-extension",
+							"", // run image layer
+						}
+						assertDaemonImageHasHistory(t, exportedImageName, expectedHistory)
+						t.Log("bases the exported image on the extended run image")
+						inspect, _, err = h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportedImageName)
+						h.AssertNil(t, err)
+						h.AssertEq(t, inspect.Config.Labels["io.buildpacks.rebasable"], "false") // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<sha>/blobs/sha256/<config>
+						t.Log("Adds extension layers")
+						type testCase struct {
+							expectedDiffID string
+							layerIndex     int
+						}
+						testCases := []testCase{
+							{
+								expectedDiffID: "sha256:fb54d2566824d6630d94db0b008d9a544a94d3547a424f52e2fd282b648c0601", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/65c2873d397056a5cb4169790654d787579b005f18b903082b177d4d9b4aecf5 after un-compressing and zeroing timestamps
+								layerIndex:     1,
+							},
+							{
+								expectedDiffID: "sha256:1018c7d3584c4f7fa3ef4486d1a6a11b93956b9d8bfe0898a3e0fbd248c984d8", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/0fb9b88c9cbe9f11b4c8da645f390df59f5949632985a0bfc2a842ef17b2ad18 after un-compressing and zeroing timestamps
+								layerIndex:     2,
+							},
+						}
+						for _, tc := range testCases {
+							h.AssertEq(t, inspect.RootFS.Layers[tc.layerIndex], tc.expectedDiffID)
+						}
+						t.Log("sets the layers metadata label according to the new spec")
+						var lmd files.LayersMetadata
+						lmdJSON := inspect.Config.Labels["io.buildpacks.lifecycle.metadata"]
+						h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
+						h.AssertEq(t, lmd.RunImage.Image, exportTest.targetRegistry.fixtures.ReadOnlyRunImage) // from analyzed.toml
+						h.AssertEq(t, lmd.RunImage.Mirrors, []string{"mirror1", "mirror2"})                    // from run.toml
+						h.AssertEq(t, lmd.RunImage.TopLayer, runImageFixtureTopLayerSHA)
+						h.AssertEq(t, lmd.RunImage.Reference, strings.TrimPrefix(runImageFixtureSHA, "sha256:"))
+					})
 				})
 			})
 
 			when("SOURCE_DATE_EPOCH is set", func() {
-				it("app is created with config CreatedAt set to SOURCE_DATE_EPOCH", func() {
+				it("Image CreatedAt is set to SOURCE_DATE_EPOCH", func() {
 					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.9"), "SOURCE_DATE_EPOCH support added in 0.9")
 					expectedTime := time.Date(2022, 1, 5, 5, 5, 5, 0, time.UTC)
 					exportFlags := []string{"-daemon"}
@@ -230,93 +231,10 @@ func testExporterFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 		})
 
 		when("registry case", func() {
-			var exportedImageName string
-
-			it.After(func() {
-				_, _, _ = h.RunE(exec.Command("docker", "rmi", exportedImageName)) // #nosec G204
-			})
-
-			it("app is created", func() {
-				var exportFlags []string
-				exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-				exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
-				exportArgs = append(exportArgs, exportedImageName)
-
-				output := h.DockerRun(t,
-					exportImage,
-					h.WithFlags(
-						"--env", "CNB_PLATFORM_API="+platformAPI,
-						"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
-						"--network", exportRegNetwork,
-					),
-					h.WithArgs(exportArgs...),
-				)
-				h.AssertStringContains(t, output, "Saving "+exportedImageName)
-
-				h.Run(t, exec.Command("docker", "pull", exportedImageName))
-				assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
-			})
-
-			when("registry is insecure", func() {
-				it.Before(func() {
-					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
-				})
-
-				it("uses http protocol", func() {
-					var exportFlags []string
-					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-					exportedImageName = exportTest.RegRepoName("some-insecure-exported-image-" + h.RandString(10))
-					exportArgs = append(exportArgs, exportedImageName)
-					insecureRegistry := "host.docker.internal/bar"
-					insecureAnalyzed := "/layers/analyzed_insecure.toml"
-
-					_, _, err := h.DockerRunWithError(t,
-						exportImage,
-						h.WithFlags(
-							"--env", "CNB_PLATFORM_API="+platformAPI,
-							"--env", "CNB_INSECURE_REGISTRIES="+insecureRegistry,
-							"--env", "CNB_ANALYZED_PATH="+insecureAnalyzed,
-							"--network", exportRegNetwork,
-						),
-						h.WithArgs(exportArgs...),
-					)
-					h.AssertStringContains(t, err.Error(), "http://host.docker.internal")
-				})
-			})
-
-			when("SOURCE_DATE_EPOCH is set", func() {
-				it("app is created with config CreatedAt set to SOURCE_DATE_EPOCH", func() {
-					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.9"), "SOURCE_DATE_EPOCH support added in 0.9")
-					expectedTime := time.Date(2022, 1, 5, 5, 5, 5, 0, time.UTC)
-
-					var exportFlags []string
-					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-					exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
-					exportArgs = append(exportArgs, exportedImageName)
-
-					output := h.DockerRun(t,
-						exportImage,
-						h.WithFlags(
-							"--env", "CNB_PLATFORM_API="+platformAPI,
-							"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
-							"--env", "SOURCE_DATE_EPOCH="+fmt.Sprintf("%d", expectedTime.Unix()),
-							"--network", exportRegNetwork,
-						),
-						h.WithArgs(exportArgs...),
-					)
-					h.AssertStringContains(t, output, "Saving "+exportedImageName)
-
-					h.Run(t, exec.Command("docker", "pull", exportedImageName))
-					assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, expectedTime)
-				})
-			})
-
-			// FIXME: move this out of the registry block
-			when("cache", func() {
-				when("image case", func() {
-					it("cache is created", func() {
-						cacheImageName := exportTest.RegRepoName("some-cache-image-" + h.RandString(10))
-						exportFlags := []string{"-cache-image", cacheImageName}
+			when("first build", func() {
+				when("app", func() {
+					it("is created", func() {
+						var exportFlags []string
 						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
 						exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
 						exportArgs = append(exportArgs, exportedImageName)
@@ -331,14 +249,92 @@ func testExporterFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 							h.WithArgs(exportArgs...),
 						)
 						h.AssertStringContains(t, output, "Saving "+exportedImageName)
-						// To detect whether the export of cacheImage and exportedImage is successful
+
 						h.Run(t, exec.Command("docker", "pull", exportedImageName))
 						assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
-						h.Run(t, exec.Command("docker", "pull", cacheImageName))
+					})
+				})
+
+				when("app using insecure registry", func() {
+					it.Before(func() {
+						h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
 					})
 
-					when("parallel export is enabled", func() {
-						it("cache is created", func() {
+					it("does an http request", func() {
+						var exportFlags []string
+						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+						exportedImageName = exportTest.RegRepoName("some-insecure-exported-image-" + h.RandString(10))
+						exportArgs = append(exportArgs, exportedImageName)
+						insecureRegistry := "host.docker.internal/bar"
+						insecureAnalyzed := "/layers/analyzed_insecure.toml"
+
+						_, _, err := h.DockerRunWithError(t,
+							exportImage,
+							h.WithFlags(
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+								"--env", "CNB_INSECURE_REGISTRIES="+insecureRegistry,
+								"--env", "CNB_ANALYZED_PATH="+insecureAnalyzed,
+								"--network", exportRegNetwork,
+							),
+							h.WithArgs(exportArgs...),
+						)
+						h.AssertStringContains(t, err.Error(), "http://host.docker.internal")
+					})
+				})
+
+				when("SOURCE_DATE_EPOCH is set", func() {
+					it("Image CreatedAt is set to SOURCE_DATE_EPOCH", func() {
+						h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.9"), "SOURCE_DATE_EPOCH support added in 0.9")
+						expectedTime := time.Date(2022, 1, 5, 5, 5, 5, 0, time.UTC)
+
+						var exportFlags []string
+						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+						exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+						exportArgs = append(exportArgs, exportedImageName)
+
+						output := h.DockerRun(t,
+							exportImage,
+							h.WithFlags(
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+								"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+								"--env", "SOURCE_DATE_EPOCH="+fmt.Sprintf("%d", expectedTime.Unix()),
+								"--network", exportRegNetwork,
+							),
+							h.WithArgs(exportArgs...),
+						)
+						h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+						h.Run(t, exec.Command("docker", "pull", exportedImageName))
+						assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, expectedTime)
+					})
+				})
+
+				when("cache", func() {
+					when("cache image case", func() {
+						it("is created", func() {
+							cacheImageName := exportTest.RegRepoName("some-cache-image-" + h.RandString(10))
+							exportFlags := []string{"-cache-image", cacheImageName}
+							exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+							exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+							exportArgs = append(exportArgs, exportedImageName)
+
+							output := h.DockerRun(t,
+								exportImage,
+								h.WithFlags(
+									"--env", "CNB_PLATFORM_API="+platformAPI,
+									"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+									"--network", exportRegNetwork,
+								),
+								h.WithArgs(exportArgs...),
+							)
+							h.AssertStringContains(t, output, "Saving "+exportedImageName)
+							// To detect whether the export of cacheImage and exportedImage is successful
+							h.Run(t, exec.Command("docker", "pull", exportedImageName))
+							assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+							h.Run(t, exec.Command("docker", "pull", cacheImageName))
+						})
+
+						it("is created with parallel export enabled", func() {
 							cacheImageName := exportTest.RegRepoName("some-cache-image-" + h.RandString(10))
 							exportFlags := []string{"-cache-image", cacheImageName, "-parallel"}
 							exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
@@ -360,10 +356,8 @@ func testExporterFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 							assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
 							h.Run(t, exec.Command("docker", "pull", cacheImageName))
 						})
-					})
 
-					when("cache is provided but no data was cached", func() {
-						it("cache is created with an empty layer", func() {
+						it("is created with empty layer", func() {
 							cacheImageName := exportTest.RegRepoName("some-empty-cache-image-" + h.RandString(10))
 							exportFlags := []string{"-cache-image", cacheImageName, "-layers", "/other_layers"}
 							exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
@@ -398,186 +392,108 @@ func testExporterFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 					})
 				})
 
-				when("directory case", func() {
-					when("original cache was corrupted", func() {
-						var cacheDir string
-
-						it.Before(func() {
-							var err error
-							cacheDir, err = os.MkdirTemp("", "cache")
-							h.AssertNil(t, err)
-							h.AssertNil(t, os.Chmod(cacheDir, 0777)) // Override umask
-
-							cacheFixtureDir := filepath.Join("testdata", "exporter", "cache-dir")
-							h.AssertNil(t, fsutil.Copy(cacheFixtureDir, cacheDir))
-							// We have to pre-create the tar files so that their digests do not change due to timestamps
-							// But, ':' in the filepath on Windows is not allowed
-							h.AssertNil(t, os.Rename(
-								filepath.Join(cacheDir, "committed", "sha256_258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59.tar"),
-								filepath.Join(cacheDir, "committed", "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59.tar"),
-							))
-						})
-
-						it.After(func() {
-							_ = os.RemoveAll(cacheDir)
-						})
-
-						it("overwrites the original layer", func() {
-							exportFlags := []string{
-								"-cache-dir", "/cache",
-								"-log-level", "debug",
-							}
-							exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-							exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
-							exportArgs = append(exportArgs, exportedImageName)
-
-							output := h.DockerRun(t,
-								exportImage,
-								h.WithFlags(
-									"--env", "CNB_PLATFORM_API="+platformAPI,
-									"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
-									"--network", exportRegNetwork,
-									"--volume", fmt.Sprintf("%s:/cache", cacheDir),
-								),
-								h.WithArgs(exportArgs...),
-							)
-							h.AssertStringContains(t, output, "Skipping reuse for layer corrupted_buildpack:corrupted-layer: expected layer contents to have SHA 'sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59'; found 'sha256:9e0b77ed599eafdab8611f7eeefef084077f91f02f1da0a3870c7ff20a08bee8'")
-							h.AssertStringContains(t, output, "Saving "+exportedImageName)
-							h.Run(t, exec.Command("docker", "pull", exportedImageName))
-							defer h.Run(t, exec.Command("docker", "image", "rm", exportedImageName))
-							// Verify the app has the correct sha for the layer
-							inspect, _, err := h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportedImageName)
-							h.AssertNil(t, err)
-							var lmd files.LayersMetadata
-							lmdJSON := inspect.Config.Labels["io.buildpacks.lifecycle.metadata"]
-							h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
-							h.AssertEq(t, lmd.Buildpacks[2].Layers["corrupted-layer"].SHA, "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59")
-							// Verify the cache has correct contents now
-							foundDiffID, err := func() (string, error) {
-								layerPath := filepath.Join(cacheDir, "committed", "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59.tar")
-								layerRC, err := os.Open(layerPath)
-								if err != nil {
-									return "", err
-								}
-								defer func() {
-									_ = layerRC.Close()
-								}()
-								hasher := sha256.New()
-								if _, err = io.Copy(hasher, layerRC); err != nil {
-									return "", errors.Wrap(err, "hashing layer")
-								}
-								foundDiffID := "sha256:" + hex.EncodeToString(hasher.Sum(make([]byte, 0, hasher.Size())))
-								return foundDiffID, nil
-							}()
-							h.AssertNil(t, err)
-							h.AssertEq(t, foundDiffID, "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59")
-						})
+				when("using extensions", func() {
+					it.Before(func() {
+						h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
 					})
-				})
-			})
 
-			when("using extensions", func() {
-				it.Before(func() {
-					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
-				})
+					it("is created from the extended run image", func() {
+						exportFlags := []string{
+							"-analyzed", "/layers/run-image-extended-analyzed.toml",
+							"-extended", "/layers/some-extended-dir",
+							"-log-level", "debug",
+							"-run", "/cnb/run.toml",
+						}
+						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+						exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+						exportArgs = append(exportArgs, exportedImageName)
 
-				it("app is created from the extended run image", func() {
-					exportFlags := []string{
-						"-analyzed", "/layers/run-image-extended-analyzed.toml",
-						"-extended", "/layers/some-extended-dir",
-						"-log-level", "debug",
-						"-run", "/cnb/run.toml",
-					}
-					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-					exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
-					exportArgs = append(exportArgs, exportedImageName)
-
-					// get run image SHA & top layer
-					ref, imageAuth, err := auth.ReferenceForRepoName(authn.DefaultKeychain, exportTest.targetRegistry.fixtures.ReadOnlyRunImage)
-					h.AssertNil(t, err)
-					remoteImage, err := remote.Image(ref, remote.WithAuth(imageAuth))
-					h.AssertNil(t, err)
-					layers, err := remoteImage.Layers()
-					h.AssertNil(t, err)
-					runImageFixtureTopLayerSHA, err := layers[len(layers)-1].DiffID()
-					h.AssertNil(t, err)
-					runImageFixtureSHA, err := remoteImage.Digest()
-					h.AssertNil(t, err)
-
-					experimentalMode := "warn"
-					if api.MustParse(platformAPI).AtLeast("0.13") {
-						experimentalMode = "error"
-					}
-
-					output := h.DockerRun(t,
-						exportImage,
-						h.WithFlags(
-							"--env", "CNB_EXPERIMENTAL_MODE="+experimentalMode,
-							"--env", "CNB_PLATFORM_API="+platformAPI,
-							"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
-							"--network", exportRegNetwork,
-						),
-						h.WithArgs(exportArgs...),
-					)
-					h.AssertStringContains(t, output, "Saving "+exportedImageName)
-
-					h.Run(t, exec.Command("docker", "pull", exportedImageName))
-					assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
-					t.Log("bases the exported image on the extended run image")
-					ref, imageAuth, err = auth.ReferenceForRepoName(authn.DefaultKeychain, exportedImageName)
-					h.AssertNil(t, err)
-					remoteImage, err = remote.Image(ref, remote.WithAuth(imageAuth))
-					h.AssertNil(t, err)
-					configFile, err := remoteImage.ConfigFile()
-					h.AssertNil(t, err)
-					h.AssertEq(t, configFile.Config.Labels["io.buildpacks.rebasable"], "false") // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<sha>/blobs/sha256/<config>
-					t.Log("Adds extension layers")
-					layers, err = remoteImage.Layers()
-					h.AssertNil(t, err)
-					type testCase struct {
-						expectedDigest string
-						layerIndex     int
-					}
-					testCases := []testCase{
-						{
-							expectedDigest: "sha256:08e7ad5ce17cf5e5f70affe68b341a93de86ee2ba074932c3a05b8770f66d772", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/65c2873d397056a5cb4169790654d787579b005f18b903082b177d4d9b4aecf5 after un-compressing, zeroing timestamps, and re-compressing
-							layerIndex:     1,
-						},
-						{
-							expectedDigest: "sha256:0e74ef444ea437147e3fa0ce2aad371df5380c26b96875ae07b9b67f44cdb2ee", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/0fb9b88c9cbe9f11b4c8da645f390df59f5949632985a0bfc2a842ef17b2ad18 after un-compressing, zeroing timestamps, and re-compressing
-							layerIndex:     2,
-						},
-					}
-					for _, tc := range testCases {
-						layer := layers[tc.layerIndex]
-						digest, err := layer.Digest()
+						// get run image SHA & top layer
+						ref, imageAuth, err := auth.ReferenceForRepoName(authn.DefaultKeychain, exportTest.targetRegistry.fixtures.ReadOnlyRunImage)
 						h.AssertNil(t, err)
-						h.AssertEq(t, digest.String(), tc.expectedDigest)
-					}
-					t.Log("sets the layers metadata label according to the new spec")
-					var lmd files.LayersMetadata
-					lmdJSON := configFile.Config.Labels["io.buildpacks.lifecycle.metadata"]
-					h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
-					h.AssertEq(t, lmd.RunImage.Image, exportTest.targetRegistry.fixtures.ReadOnlyRunImage) // from analyzed.toml
-					h.AssertEq(t, lmd.RunImage.Mirrors, []string{"mirror1", "mirror2"})                    // from run.toml
-					h.AssertEq(t, lmd.RunImage.TopLayer, runImageFixtureTopLayerSHA.String())
-					h.AssertEq(t, lmd.RunImage.Reference, fmt.Sprintf("%s@%s", exportTest.targetRegistry.fixtures.ReadOnlyRunImage, runImageFixtureSHA.String()))
+						remoteImage, err := remote.Image(ref, remote.WithAuth(imageAuth))
+						h.AssertNil(t, err)
+						layers, err := remoteImage.Layers()
+						h.AssertNil(t, err)
+						runImageFixtureTopLayerSHA, err := layers[len(layers)-1].DiffID()
+						h.AssertNil(t, err)
+						runImageFixtureSHA, err := remoteImage.Digest()
+						h.AssertNil(t, err)
+
+						experimentalMode := "warn"
+						if api.MustParse(platformAPI).AtLeast("0.13") {
+							experimentalMode = "error"
+						}
+
+						output := h.DockerRun(t,
+							exportImage,
+							h.WithFlags(
+								"--env", "CNB_EXPERIMENTAL_MODE="+experimentalMode,
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+								"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+								"--network", exportRegNetwork,
+							),
+							h.WithArgs(exportArgs...),
+						)
+						h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+						h.Run(t, exec.Command("docker", "pull", exportedImageName))
+						assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+						t.Log("bases the exported image on the extended run image")
+						ref, imageAuth, err = auth.ReferenceForRepoName(authn.DefaultKeychain, exportedImageName)
+						h.AssertNil(t, err)
+						remoteImage, err = remote.Image(ref, remote.WithAuth(imageAuth))
+						h.AssertNil(t, err)
+						configFile, err := remoteImage.ConfigFile()
+						h.AssertNil(t, err)
+						h.AssertEq(t, configFile.Config.Labels["io.buildpacks.rebasable"], "false") // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<sha>/blobs/sha256/<config>
+						t.Log("Adds extension layers")
+						layers, err = remoteImage.Layers()
+						h.AssertNil(t, err)
+						type testCase struct {
+							expectedDigest string
+							layerIndex     int
+						}
+						testCases := []testCase{
+							{
+								expectedDigest: "sha256:08e7ad5ce17cf5e5f70affe68b341a93de86ee2ba074932c3a05b8770f66d772", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/65c2873d397056a5cb4169790654d787579b005f18b903082b177d4d9b4aecf5 after un-compressing, zeroing timestamps, and re-compressing
+								layerIndex:     1,
+							},
+							{
+								expectedDigest: "sha256:0e74ef444ea437147e3fa0ce2aad371df5380c26b96875ae07b9b67f44cdb2ee", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/0fb9b88c9cbe9f11b4c8da645f390df59f5949632985a0bfc2a842ef17b2ad18 after un-compressing, zeroing timestamps, and re-compressing
+								layerIndex:     2,
+							},
+						}
+						for _, tc := range testCases {
+							layer := layers[tc.layerIndex]
+							digest, err := layer.Digest()
+							h.AssertNil(t, err)
+							h.AssertEq(t, digest.String(), tc.expectedDigest)
+						}
+						t.Log("sets the layers metadata label according to the new spec")
+						var lmd files.LayersMetadata
+						lmdJSON := configFile.Config.Labels["io.buildpacks.lifecycle.metadata"]
+						h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
+						h.AssertEq(t, lmd.RunImage.Image, exportTest.targetRegistry.fixtures.ReadOnlyRunImage) // from analyzed.toml
+						h.AssertEq(t, lmd.RunImage.Mirrors, []string{"mirror1", "mirror2"})                    // from run.toml
+						h.AssertEq(t, lmd.RunImage.TopLayer, runImageFixtureTopLayerSHA.String())
+						h.AssertEq(t, lmd.RunImage.Reference, fmt.Sprintf("%s@%s", exportTest.targetRegistry.fixtures.ReadOnlyRunImage, runImageFixtureSHA.String()))
+					})
 				})
 			})
 		})
 
 		when("layout case", func() {
 			var (
-				containerName     string
-				err               error
-				layoutDir         string
-				tmpDir            string
-				exportedImageName string
+				containerName string
+				err           error
+				layoutDir     string
+				tmpDir        string
 			)
 
 			when("experimental mode is enabled", func() {
 				it.Before(func() {
-					// create the directory to save all OCI images on disk
+					// creates the directory to save all the OCI images on disk
 					tmpDir, err = os.MkdirTemp("", "layout")
 					h.AssertNil(t, err)
 
@@ -592,31 +508,35 @@ func testExporterFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 					os.RemoveAll(tmpDir)
 				})
 
-				when("using a custom layout directory", func() {
-					it.Before(func() {
-						exportedImageName = "my-custom-layout-app"
-						layoutDir = filepath.Join(path.RootDir, "my-layout-dir")
-					})
+				when("custom layout directory", func() {
+					when("first build", func() {
+						when("app", func() {
+							it.Before(func() {
+								exportedImageName = "my-custom-layout-app"
+								layoutDir = filepath.Join(path.RootDir, "my-layout-dir")
+							})
 
-					it("app is created", func() {
-						var exportFlags []string
-						h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
-						exportFlags = append(exportFlags, []string{"-layout", "-layout-dir", layoutDir, "-analyzed", "/layers/layout-analyzed.toml"}...)
-						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
-						exportArgs = append(exportArgs, exportedImageName)
+							it("is created", func() {
+								var exportFlags []string
+								h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
+								exportFlags = append(exportFlags, []string{"-layout", "-layout-dir", layoutDir, "-analyzed", "/layers/layout-analyzed.toml"}...)
+								exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+								exportArgs = append(exportArgs, exportedImageName)
 
-						output := h.DockerRunAndCopy(t, containerName, tmpDir, layoutDir, exportImage,
-							h.WithFlags(
-								"--env", "CNB_EXPERIMENTAL_MODE=warn",
-								"--env", "CNB_PLATFORM_API="+platformAPI,
-							),
-							h.WithArgs(exportArgs...))
+								output := h.DockerRunAndCopy(t, containerName, tmpDir, layoutDir, exportImage,
+									h.WithFlags(
+										"--env", "CNB_EXPERIMENTAL_MODE=warn",
+										"--env", "CNB_PLATFORM_API="+platformAPI,
+									),
+									h.WithArgs(exportArgs...))
 
-						h.AssertStringContains(t, output, "Saving /my-layout-dir/index.docker.io/library/my-custom-layout-app/latest")
+								h.AssertStringContains(t, output, "Saving /my-layout-dir/index.docker.io/library/my-custom-layout-app/latest")
 
-						// assert the image was saved on disk in OCI layout format
-						index := h.ReadIndexManifest(t, filepath.Join(tmpDir, layoutDir, "index.docker.io", "library", exportedImageName, "latest"))
-						h.AssertEq(t, len(index.Manifests), 1)
+								// assert the image was saved on disk in OCI layout format
+								index := h.ReadIndexManifest(t, filepath.Join(tmpDir, layoutDir, "index.docker.io", "library", exportedImageName, "latest"))
+								h.AssertEq(t, len(index.Manifests), 1)
+							})
+						})
 					})
 				})
 			})

acceptance/extender_test.go

@@ -1,4 +1,5 @@
 //go:build acceptance
+// +build acceptance
 
 package acceptance
 
@@ -7,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/buildpacks/imgutil/layout/sparse"
@@ -44,6 +46,8 @@ const (
 )
 
 func TestExtender(t *testing.T) {
+	h.SkipIf(t, runtime.GOOS == "windows", "Extender is not supported on Windows")
+
 	testImageDockerContext := filepath.Join("testdata", "extender")
 	extendTest = NewPhaseTest(t, "extender", testImageDockerContext)
 	extendTest.Start(t)

acceptance/launcher_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -24,6 +25,9 @@ func TestLauncher(t *testing.T) {
 	launchTest = NewPhaseTest(t, "launcher", testImageDockerContext, withoutDaemonFixtures, withoutRegistry)
 
 	containerBinaryDir := filepath.Join("testdata", "launcher", "linux", "container", "cnb", "lifecycle")
+	if launchTest.targetDaemon.os == "windows" {
+		containerBinaryDir = filepath.Join("testdata", "launcher", "windows", "container", "cnb", "lifecycle")
+	}
 	withCustomContainerBinaryDir := func(_ *testing.T, phaseTest *PhaseTest) {
 		phaseTest.containerBinaryDir = containerBinaryDir
 	}
@@ -88,7 +92,11 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
 				launchImage, "with user provided args",
 			)
-			assertOutput(t, cmd, "Executing web process-type with user provided args")
+			if runtime.GOOS == "windows" {
+				assertOutput(t, cmd, `Executing web process-type "with user provided args"`)
+			} else {
+				assertOutput(t, cmd, "Executing web process-type with user provided args")
+			}
 		})
 	})
 
@@ -101,6 +109,15 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				launchImage, "--",
 				"env",
 			)
+			if runtime.GOOS == "windows" {
+				cmd = exec.Command( //nolint
+					"docker", "run", "--rm",
+					`--entrypoint=launcher`,
+					"--env=CNB_PLATFORM_API=0.7",
+					launchImage, "--",
+					"cmd", "/c", "set",
+				)
+			}
 
 			assertOutput(t, cmd,
 				"SOME_VAR=some-bp-val",
@@ -143,11 +160,22 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				launchImage,
 				"echo", "$SOME_VAR", "$OTHER_VAR", "$WORKER_VAR",
 			)
+			if runtime.GOOS == "windows" {
+				cmd = exec.Command( //nolint
+					"docker", "run", "--rm",
+					"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+					launchImage,
+					"echo", "%SOME_VAR%", "%OTHER_VAR%", "%WORKER_VAR%",
+				)
+			}
 			assertOutput(t, cmd, "sourced bp profile\nsourced app profile\nsome-bp-val other-bp-val worker-no-process-val")
 		})
 
 		it("passes through env vars from user, excluding excluded vars", func() {
 			args := []string{"echo", "$SOME_USER_VAR, $CNB_APP_DIR, $OTHER_VAR"}
+			if runtime.GOOS == "windows" {
+				args = []string{"echo", "%SOME_USER_VAR%, %CNB_APP_DIR%, %OTHER_VAR%"}
+			}
 			cmd := exec.Command("docker",
 				append(
 					[]string{
@@ -161,7 +189,13 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 					args...)...,
 			) // #nosec G204
 
-			assertOutput(t, cmd, "sourced bp profile\nsourced app profile\nsome-user-val, , other-user-val**other-bp-val")
+			if runtime.GOOS == "windows" {
+				// windows values with spaces will contain quotes
+				// empty values on windows preserve variable names instead of interpolating to empty strings
+				assertOutput(t, cmd, "sourced bp profile\nsourced app profile\n\"some-user-val, %CNB_APP_DIR%, other-user-val**other-bp-val\"")
+			} else {
+				assertOutput(t, cmd, "sourced bp profile\nsourced app profile\nsome-user-val, , other-user-val**other-bp-val")
+			}
 		})
 
 		it("adds buildpack bin dirs to the path", func() {
@@ -177,13 +211,23 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 
 	when("CMD provided starts with --", func() {
 		it("launches command directly", func() {
-			cmd := exec.Command( //nolint
-				"docker", "run", "--rm",
-				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
-				launchImage, "--",
-				"echo", "something",
-			)
-			assertOutput(t, cmd, "something")
+			if runtime.GOOS == "windows" {
+				cmd := exec.Command( //nolint
+					"docker", "run", "--rm",
+					"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+					launchImage, "--",
+					"ping", "/?",
+				)
+				assertOutput(t, cmd, "Usage: ping")
+			} else {
+				cmd := exec.Command( //nolint
+					"docker", "run", "--rm",
+					"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+					launchImage, "--",
+					"echo", "something",
+				)
+				assertOutput(t, cmd, "something")
+			}
 		})
 
 		it("sets env vars from layers", func() {
@@ -193,6 +237,14 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				launchImage, "--",
 				"env",
 			)
+			if runtime.GOOS == "windows" {
+				cmd = exec.Command( //nolint
+					"docker", "run", "--rm",
+					"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+					launchImage, "--",
+					"cmd", "/c", "set",
+				)
+			}
 
 			assertOutput(t, cmd,
 				"SOME_VAR=some-bp-val",
@@ -209,6 +261,16 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				launchImage, "--",
 				"env",
 			)
+			if runtime.GOOS == "windows" {
+				cmd = exec.Command( //nolint
+					"docker", "run", "--rm",
+					"--env", "CNB_APP_DIR=/workspace",
+					"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+					"--env", "SOME_USER_VAR=some-user-val",
+					launchImage, "--",
+					"cmd", "/c", "set",
+				)
+			}
 
 			output, err := cmd.CombinedOutput()
 			if err != nil {

acceptance/phase_test.go

@@ -17,8 +17,6 @@ import (
 	"testing"
 	"time"
 
-	"github.com/docker/docker/api/types/image"
-
 	ih "github.com/buildpacks/imgutil/testhelpers"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/registry"
@@ -428,30 +426,14 @@ func SBOMComponents() []string {
 }
 
 func assertImageOSAndArch(t *testing.T, imageName string, phaseTest *PhaseTest) { //nolint  - these functions are in fact used, i promise
-	inspect, err := h.DockerCli(t).ImageInspect(context.TODO(), imageName)
+	inspect, _, err := h.DockerCli(t).ImageInspectWithRaw(context.TODO(), imageName)
 	h.AssertNil(t, err)
 	h.AssertEq(t, inspect.Os, phaseTest.targetDaemon.os)
 	h.AssertEq(t, inspect.Architecture, phaseTest.targetDaemon.arch)
 }
 
 func assertImageOSAndArchAndCreatedAt(t *testing.T, imageName string, phaseTest *PhaseTest, expectedCreatedAt time.Time) { //nolint
-	inspect, err := h.DockerCli(t).ImageInspect(context.TODO(), imageName)
-
-	if err != nil {
-		list, _ := h.DockerCli(t).ImageList(context.TODO(), image.ListOptions{})
-		fmt.Println("Error encountered running ImageInspectWithRaw. imageName: ", imageName)
-		fmt.Println(err)
-		for _, value := range list {
-			fmt.Println("Image Name: ", value)
-		}
-
-		if strings.Contains(err.Error(), "No such image") {
-			t.Log("Image not found, retrying...")
-			time.Sleep(1 * time.Second)
-			inspect, err = h.DockerCli(t).ImageInspect(context.TODO(), imageName)
-		}
-	}
-
+	inspect, _, err := h.DockerCli(t).ImageInspectWithRaw(context.TODO(), imageName)
 	h.AssertNil(t, err)
 	h.AssertEq(t, inspect.Os, phaseTest.targetDaemon.os)
 	h.AssertEq(t, inspect.Architecture, phaseTest.targetDaemon.arch)

acceptance/rebaser_test.go

@@ -1,4 +1,5 @@
 //go:build acceptance
+// +build acceptance
 
 package acceptance
 

acceptance/restorer_test.go

@@ -1,4 +1,5 @@
 //go:build acceptance
+// +build acceptance
 
 package acceptance
 
@@ -6,6 +7,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/google/go-containerregistry/pkg/name"
@@ -31,6 +33,8 @@ var (
 )
 
 func TestRestorer(t *testing.T) {
+	h.SkipIf(t, runtime.GOOS == "windows", "Restorer acceptance tests are not yet supported on Windows")
+
 	testImageDockerContext := filepath.Join("testdata", "restorer")
 	restoreTest = NewPhaseTest(t, "restorer", testImageDockerContext)
 	restoreTest.Start(t, updateTOMLFixturesWithTestRegistry)
@@ -161,7 +165,7 @@ func testRestorerFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 					h.AssertPathDoesNotExist(t, uncachedFile)
 				})
 
-				it("does not restore layer data from unused buildpacks", func() {
+				it("does not restore unused buildpack layer data", func() {
 					h.DockerRunAndCopy(t,
 						containerName,
 						copyDir,
@@ -175,21 +179,6 @@ func testRestorerFunc(platformAPI string) func(t *testing.T, when spec.G, it spe
 					unusedBpLayer := filepath.Join(copyDir, "layers", "unused_buildpack")
 					h.AssertPathDoesNotExist(t, unusedBpLayer)
 				})
-
-				it("does not restore corrupted layer data", func() {
-					h.DockerRunAndCopy(t,
-						containerName,
-						copyDir,
-						"/layers",
-						restoreImage,
-						h.WithFlags("--env", "CNB_PLATFORM_API="+platformAPI),
-						h.WithArgs("-cache-dir", "/cache"),
-					)
-
-					// check corrupted layer is not restored
-					corruptedFile := filepath.Join(copyDir, "layers", "corrupted_buildpack", "corrupted-layer")
-					h.AssertPathDoesNotExist(t, corruptedFile)
-				})
 			})
 		})
 

acceptance/testdata/analyzer/Dockerfile.windows

@@ -0,0 +1,12 @@
+FROM mcr.microsoft.com/windows/nanoserver:1809
+USER ContainerAdministrator
+
+COPY container /
+
+WORKDIR /layers
+
+ENV CNB_USER_ID=1
+
+ENV CNB_GROUP_ID=1
+
+ENV CNB_PLATFORM_API=${cnb_platform_api}

acceptance/testdata/builder/Dockerfile.windows

@@ -0,0 +1,14 @@
+FROM mcr.microsoft.com/windows/nanoserver:1809
+USER ContainerAdministrator
+
+COPY container /
+
+ENTRYPOINT ["/cnb/lifecycle/builder"]
+
+WORKDIR /layers
+
+ENV CNB_USER_ID=1
+
+ENV CNB_GROUP_ID=1
+
+ENV CNB_PLATFORM_API=${cnb_platform_api}

acceptance/testdata/exporter/cache-dir/committed/io.buildpacks.lifecycle.cache.metadata

@@ -1,17 +0,0 @@
-{
-  "buildpacks": [
-    {
-      "key": "corrupted_buildpack",
-      "version": "corrupted_v1",
-      "layers": {
-        "corrupted-layer": {
-          "sha": "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59",
-          "data": null,
-          "build": false,
-          "launch": true,
-          "cache": true
-        }
-      }
-    }
-  ]
-}

acceptance/testdata/exporter/container/layers/cacher_buildpack/cached-layer.sha

@@ -1 +1 @@
-sha256:2d9c9c638d5c4f0df067eeae7b9c99ad05776a89d19ab863c28850a91e5f2944
+sha256:b89860e2f9c62e6b5d66d3ce019e18cdabae30273c25150b7f20a82f7a70e494

acceptance/testdata/exporter/container/layers/corrupted_buildpack/corrupted-layer.toml

@@ -1,3 +0,0 @@
-[types]
-  cache = true
-  launch = true

acceptance/testdata/exporter/container/layers/corrupted_buildpack/corrupted-layer/data

@@ -1 +0,0 @@
-digest-not-match-data

acceptance/testdata/exporter/container/layers/group.toml

@@ -7,8 +7,3 @@
   id = "cacher_buildpack"
   version = "cacher_v1"
   api = "0.8"
-
-[[group]]
-  id = "corrupted_buildpack"
-  version = "corrupted_v1"
-  api = "0.8"

acceptance/testdata/launcher/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24.6 as builder
+FROM golang:1.22 as builder
 
 COPY exec.d/ /go/src/exec.d
 RUN GO111MODULE=off go build -o helper ./src/exec.d

acceptance/testdata/launcher/Dockerfile.windows

@@ -0,0 +1,16 @@
+FROM golang:1.22-nanoserver-1809
+
+COPY exec.d/ /go/src/exec.d
+WORKDIR /go/src
+ENV GO111MODULE=off
+RUN go build -o helper.exe exec.d
+
+COPY windows/container /
+
+RUN mkdir c:\layers\0.9_buildpack\some_layer\exec.d\exec.d-checker
+RUN copy helper.exe c:\layers\0.9_buildpack\some_layer\exec.d\helper.exe
+RUN copy helper.exe c:\layers\0.9_buildpack\some_layer\exec.d\exec.d-checker\helper.exe
+
+ENV PATH="c:\cnb\process;c:\cnb\lifecycle;C:\Windows\system32;C:\Windows;"
+
+ENTRYPOINT ["c:\\cnb\\lifecycle\\launcher"]

acceptance/testdata/launcher/exec.d/fd_unix.go

@@ -1,4 +1,5 @@
-//go:build unix
+//go:build linux || darwin
+// +build linux darwin
 
 package main
 

acceptance/testdata/rebaser/Dockerfile.windows

@@ -0,0 +1,10 @@
+FROM mcr.microsoft.com/windows/nanoserver:1809
+USER ContainerAdministrator
+
+COPY container /
+
+ENV CNB_USER_ID=1
+
+ENV CNB_GROUP_ID=1
+
+ENV CNB_PLATFORM_API=${cnb_platform_api}

acceptance/testdata/restorer/Dockerfile

@@ -8,10 +8,10 @@ ENV CNB_GROUP_ID=${cnb_gid}
 
 COPY ./container/ /
 
-# We have to pre-create the tar files so that their digests do not change due to timestamps
-# But, ':' in the filepath on Windows is not allowed
-RUN mv /cache/committed/sha256_2d9c9c638d5c4f0df067eeae7b9c99ad05776a89d19ab863c28850a91e5f2944.tar /cache/committed/sha256:2d9c9c638d5c4f0df067eeae7b9c99ad05776a89d19ab863c28850a91e5f2944.tar
-RUN mv /cache/committed/sha256_430338f576c11e5236669f9c843599d96afe28784cffcb2d46ddb07beb00df78.tar /cache/committed/sha256:430338f576c11e5236669f9c843599d96afe28784cffcb2d46ddb07beb00df78.tar
+# turn /to_cache/<buildpack> directories into cache tarballs
+# these are referenced by sha in /cache/committed/io.buildpacks.lifecycle.cache.metadata
+RUN tar cvf /cache/committed/sha256:b89860e2f9c62e6b5d66d3ce019e18cdabae30273c25150b7f20a82f7a70e494.tar -C /to_cache/cacher_buildpack layers
+RUN tar cvf /cache/committed/sha256:58bafa1e79c8e44151141c95086beb37ca85b69578fc890bce33bb4c6c8e851f.tar -C /to_cache/unused_buildpack layers
 
 ENTRYPOINT ["/cnb/lifecycle/restorer"]
 

acceptance/testdata/restorer/container/cache/committed/io.buildpacks.lifecycle.cache.metadata

@@ -1,43 +1 @@
-{
-  "buildpacks": [
-    {
-      "key": "cacher_buildpack",
-      "version": "cacher_v1",
-      "layers": {
-        "cached-layer": {
-          "sha": "sha256:2d9c9c638d5c4f0df067eeae7b9c99ad05776a89d19ab863c28850a91e5f2944",
-          "data": null,
-          "build": false,
-          "launch": false,
-          "cache": true
-        }
-      }
-    },
-    {
-      "key": "corrupted_buildpack",
-      "version": "corrupted_v1",
-      "layers": {
-        "corrupted-layer": {
-          "sha": "sha256:b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c",
-          "data": null,
-          "build": false,
-          "launch": false,
-          "cache": true
-        }
-      }
-    },
-    {
-      "key": "unused_buildpack",
-      "version": "v1",
-      "layers": {
-        "cached-layer": {
-          "sha": "sha256:430338f576c11e5236669f9c843599d96afe28784cffcb2d46ddb07beb00df78",
-          "data": null,
-          "build": false,
-          "launch": false,
-          "cache": true
-        }
-      }
-    }
-  ]
-}
+{"buildpacks":[{"key":"cacher_buildpack","version":"cacher_v1","layers":{"cached-layer":{"sha":"sha256:b89860e2f9c62e6b5d66d3ce019e18cdabae30273c25150b7f20a82f7a70e494","data":null,"build":false,"launch":false,"cache":true}}},{"key":"unused_buildpack","version":"v1","layers":{"cached-layer":{"sha":"sha256:58bafa1e79c8e44151141c95086beb37ca85b69578fc890bce33bb4c6c8e851f","data":null,"build":false,"launch":false,"cache":true}}}]}

acceptance/testdata/restorer/container/layers/cacher_buildpack/cached-layer.sha

@@ -1 +1 @@
-sha256:2d9c9c638d5c4f0df067eeae7b9c99ad05776a89d19ab863c28850a91e5f2944
+sha256:b89860e2f9c62e6b5d66d3ce019e18cdabae30273c25150b7f20a82f7a70e494

acceptance/testdata/restorer/container/layers/group.toml

@@ -8,11 +8,6 @@
   version = "cacher_v1"
   api = "0.10"
 
-[[group]]
-  id = "corrupted_buildpack"
-  version = "corrupted_v1"
-  api = "0.11"
-
 [[group-extensions]]
     id = "some-extension-id"
     version = "v1"

acceptance/testdata/restorer/container/to_cache/corrupted_buildpack/layers/corrupted_buildpack/corrupted-layer/data

@@ -1 +0,0 @@
-digest-not-match-data

acceptance/variables_unix.go

@@ -1,4 +1,5 @@
-//go:build unix
+//go:build linux || darwin
+// +build linux darwin
 
 package acceptance
 

acceptance/variables_windows.go

@@ -0,0 +1,30 @@
+package acceptance
+
+import (
+	"path"
+	"path/filepath"
+	"strings"
+)
+
+const (
+	containerBaseImage     = "mcr.microsoft.com/windows/nanoserver:1809"
+	containerBaseImageFull = "mcr.microsoft.com/windows/nanoserver:1809"
+	dockerfileName         = "Dockerfile.windows"
+	exe                    = ".exe"
+	execDBpDir             = "0.9_buildpack"
+)
+
+var dockerSocketMount = []string{
+	"--mount", `type=npipe,source=\\.\pipe\docker_engine,target=\\.\pipe\docker_engine`,
+	"--user", "ContainerAdministrator",
+}
+
+// ctrPath equivalent to path.Join but converts to Windows slashes and drive prefix when needed
+func ctrPath(unixPathParts ...string) string {
+	unixPath := path.Join(unixPathParts...)
+	windowsPath := filepath.FromSlash(unixPath)
+	if strings.HasPrefix(windowsPath, `\`) {
+		return "c:" + windowsPath
+	}
+	return windowsPath
+}

archive/extract_test.go

@@ -4,6 +4,7 @@ import (
 	"archive/tar"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/sclevine/spec"
@@ -30,16 +31,31 @@ func testExtract(t *testing.T, when spec.G, it spec.S) {
 
 	it.Before(func() {
 		tr, tmpDir = newFakeTarReader(t)
-		pathModes = []archive.PathMode{
-			{"root", os.ModeDir + 0755},
-			{"root/readonly", os.ModeDir + 0500},
-			{"root/readonly/readonlysub", os.ModeDir + 0500},
-			{"root/readonly/readonlysub/somefile", 0444},
-			{"root/standarddir", os.ModeDir + 0755},
-			{"root/standarddir/somefile", 0644},
-			{"root/nonexistdirnotintar", os.ModeDir + os.FileMode(int(os.ModePerm)&^originalUmask)}, //nolint
-			{"root/symlinkdir", os.ModeSymlink + 0777},                                              // symlink permissions are not preserved from archive
-			{"root/symlinkfile", os.ModeSymlink + 0777},                                             // symlink permissions are not preserved from archive
+		// Golang for Windows only implements owner permissions
+		if runtime.GOOS == "windows" {
+			pathModes = []archive.PathMode{
+				{`root`, os.ModeDir + 0777},
+				{`root\readonly`, os.ModeDir + 0555},
+				{`root\readonly\readonlysub`, os.ModeDir + 0555},
+				{`root\readonly\readonlysub\somefile`, 0444},
+				{`root\standarddir`, os.ModeDir + 0777},
+				{`root\standarddir\somefile`, 0666},
+				{`root\nonexistdirnotintar`, os.ModeDir + 0777},
+				{`root\symlinkdir`, os.ModeSymlink + 0666},
+				{`root\symlinkfile`, os.ModeSymlink + 0666},
+			}
+		} else {
+			pathModes = []archive.PathMode{
+				{"root", os.ModeDir + 0755},
+				{"root/readonly", os.ModeDir + 0500},
+				{"root/readonly/readonlysub", os.ModeDir + 0500},
+				{"root/readonly/readonlysub/somefile", 0444},
+				{"root/standarddir", os.ModeDir + 0755},
+				{"root/standarddir/somefile", 0644},
+				{"root/nonexistdirnotintar", os.ModeDir + os.FileMode(int(os.ModePerm)&^originalUmask)},
+				{"root/symlinkdir", os.ModeSymlink + 0777},  // symlink permissions are not preserved from archive
+				{"root/symlinkfile", os.ModeSymlink + 0777}, // symlink permissions are not preserved from archive
+			}
 		}
 	})
 
@@ -94,7 +110,12 @@ func testExtract(t *testing.T, when spec.G, it spec.S) {
 			fileInfo, err := os.Stat(filepath.Join(tmpDir, "root"))
 			h.AssertNil(t, err)
 
-			h.AssertEq(t, fileInfo.Mode(), os.ModeDir+0744)
+			if runtime.GOOS != "windows" {
+				h.AssertEq(t, fileInfo.Mode(), os.ModeDir+0744)
+			} else {
+				// Golang for Windows only implements owner permissions
+				h.AssertEq(t, fileInfo.Mode(), os.ModeDir+0777)
+			}
 		})
 	})
 }

archive/reader_test.go

@@ -3,6 +3,7 @@ package archive_test
 import (
 	"archive/tar"
 	"io"
+	"runtime"
 	"testing"
 
 	"github.com/sclevine/spec"
@@ -32,7 +33,11 @@ func testNormalizingTarReader(t *testing.T, when spec.G, it spec.S) {
 		it("converts path separators", func() {
 			hdr, err := ntr.Next()
 			h.AssertNil(t, err)
-			h.AssertEq(t, hdr.Name, `/some/path`)
+			if runtime.GOOS == "windows" {
+				h.AssertEq(t, hdr.Name, `\some\path`)
+			} else {
+				h.AssertEq(t, hdr.Name, `/some/path`)
+			}
 		})
 
 		when("#Strip", func() {
@@ -40,7 +45,11 @@ func testNormalizingTarReader(t *testing.T, when spec.G, it spec.S) {
 				ntr.Strip("/some")
 				hdr, err := ntr.Next()
 				h.AssertNil(t, err)
-				h.AssertEq(t, hdr.Name, `/path`)
+				if runtime.GOOS == "windows" {
+					h.AssertEq(t, hdr.Name, `\path`)
+				} else {
+					h.AssertEq(t, hdr.Name, `/path`)
+				}
 			})
 		})
 
@@ -49,7 +58,11 @@ func testNormalizingTarReader(t *testing.T, when spec.G, it spec.S) {
 				ntr.PrependDir("/super-dir")
 				hdr, err := ntr.Next()
 				h.AssertNil(t, err)
-				h.AssertEq(t, hdr.Name, `/super-dir/some/path`)
+				if runtime.GOOS == "windows" {
+					h.AssertEq(t, hdr.Name, `\super-dir\some\path`)
+				} else {
+					h.AssertEq(t, hdr.Name, `/super-dir/some/path`)
+				}
 			})
 		})
 
@@ -60,7 +73,11 @@ func testNormalizingTarReader(t *testing.T, when spec.G, it spec.S) {
 				ntr.ExcludePaths([]string{"excluded-dir"})
 				hdr, err := ntr.Next()
 				h.AssertNil(t, err)
-				h.AssertEq(t, hdr.Name, `/some/path`)
+				if runtime.GOOS == "windows" {
+					h.AssertEq(t, hdr.Name, `\some\path`)
+				} else {
+					h.AssertEq(t, hdr.Name, `/some/path`)
+				}
 			})
 		})
 	})

archive/tar_unix.go

@@ -1,4 +1,5 @@
-//go:build unix
+//go:build linux || darwin
+// +build linux darwin
 
 package archive
 

archive/writer_test.go

@@ -2,6 +2,7 @@ package archive_test
 
 import (
 	"archive/tar"
+	"runtime"
 	"testing"
 	"time"
 
@@ -37,6 +38,21 @@ func testNormalizingTarWriter(t *testing.T, when spec.G, it spec.S) {
 			h.AssertEq(t, ftw.getLastHeader().Gname, "")
 		})
 
+		when("windows", func() {
+			it.Before(func() {
+				if runtime.GOOS != "windows" {
+					t.Skip("windows specific test")
+				}
+			})
+
+			it("converts path separators", func() {
+				h.AssertNil(t, ntw.WriteHeader(&tar.Header{
+					Name: `c:\some\file\path`,
+				}))
+				h.AssertEq(t, ftw.getLastHeader().Name, "/some/file/path")
+			})
+		})
+
 		when("#WithUID", func() {
 			it("sets the uid", func() {
 				ntw.WithUID(999)

buildpack/bp_descriptor.go

@@ -87,8 +87,11 @@ func ReadBpDescriptor(path string) (*BpDescriptor, error) {
 				return &BpDescriptor{}, err
 			}
 			for i := 0; i < len(binFiles); i++ {
-				bf := binFiles[len(binFiles)-i-1]
+				bf := binFiles[len(binFiles)-i-1] // we're iterating backwards b/c os.ReadDir sorts "build.exe" after "build" but we want to preferentially detect windows first.
 				fname := bf.Name()
+				if fname == "build.exe" || fname == "build.bat" {
+					descriptor.Targets = append(descriptor.Targets, TargetMetadata{OS: "windows"})
+				}
 				if fname == "build" {
 					descriptor.Targets = append(descriptor.Targets, TargetMetadata{OS: "linux"})
 				}

buildpack/bp_descriptor_test.go

@@ -252,5 +252,24 @@ func testBpDescriptor(t *testing.T, when spec.G, it spec.S) {
 			h.AssertEq(t, descriptor.Targets[0].OS, "linux")
 			h.AssertEq(t, len(descriptor.Targets[0].Distros), 0)
 		})
+
+		it("detects windows/* if batch files are present and ignores linux", func() {
+			path := filepath.Join("testdata", "buildpack", "by-id", "A", "v1", "buildpack.toml")
+			descriptor, err := buildpack.ReadBpDescriptor(path)
+			h.AssertNil(t, err)
+			// common sanity assertions
+			h.AssertEq(t, descriptor.WithAPI, "0.7")
+			h.AssertEq(t, descriptor.Buildpack.ID, "A")
+			h.AssertEq(t, descriptor.Buildpack.Name, "Buildpack A")
+			h.AssertEq(t, descriptor.Buildpack.Version, "v1")
+			h.AssertEq(t, descriptor.Buildpack.Homepage, "Buildpack A Homepage")
+			h.AssertEq(t, descriptor.Buildpack.SBOM, []string{"application/vnd.cyclonedx+json"})
+			// specific behaviors for this test
+			h.AssertEq(t, len(descriptor.Targets), 2)
+			h.AssertEq(t, descriptor.Targets[0].Arch, "")
+			h.AssertEq(t, descriptor.Targets[0].OS, "windows")
+			h.AssertEq(t, descriptor.Targets[1].Arch, "")
+			h.AssertEq(t, descriptor.Targets[1].OS, "linux")
+		})
 	})
 }

buildpack/build.go

@@ -14,6 +14,7 @@ import (
 	"github.com/buildpacks/lifecycle/api"
 	"github.com/buildpacks/lifecycle/env"
 	"github.com/buildpacks/lifecycle/internal/encoding"
+	"github.com/buildpacks/lifecycle/internal/fsutil"
 	"github.com/buildpacks/lifecycle/launch"
 	"github.com/buildpacks/lifecycle/layers"
 	"github.com/buildpacks/lifecycle/log"
@@ -132,7 +133,7 @@ func runBuildCmd(d BpDescriptor, bpLayersDir, planPath string, inputs BuildInput
 	) // #nosec G204
 	cmd.Dir = inputs.AppDir
 	cmd.Stdout = inputs.Out
-	cmd.Stderr = inputs.Out
+	cmd.Stderr = inputs.Err
 
 	var err error
 	if d.Buildpack.ClearEnv {
@@ -201,7 +202,7 @@ func eachLayer(bpLayersDir string, fn func(layerPath string) error) error {
 func renameLayerDirIfNeeded(layerMetadataFile LayerMetadataFile, layerDir string) error {
 	// rename <layers>/<layer> to <layers>/<layer>.ignore if all the types flags are set to false
 	if !layerMetadataFile.Launch && !layerMetadataFile.Cache && !layerMetadataFile.Build {
-		if err := os.Rename(layerDir, layerDir+".ignore"); err != nil && !os.IsNotExist(err) {
+		if err := fsutil.RenameWithWindowsFallback(layerDir, layerDir+".ignore"); err != nil && !os.IsNotExist(err) {
 			return err
 		}
 	}

buildpack/build_test.go

@@ -291,9 +291,12 @@ func testBuild(t *testing.T, when spec.G, it spec.S) {
 					if _, err := executor.Build(descriptor, inputs, logger); err != nil {
 						t.Fatalf("Unexpected error:\n%s\n", err)
 					}
-					if s := cmp.Diff(h.CleanEndings(stdout.String()), "build out: A@v1\nbuild err: A@v1\n"); s != "" {
+					if s := cmp.Diff(h.CleanEndings(stdout.String()), "build out: A@v1\n"); s != "" {
 						t.Fatalf("Unexpected stdout:\n%s\n", s)
 					}
+					if s := cmp.Diff(h.CleanEndings(stderr.String()), "build err: A@v1\n"); s != "" {
+						t.Fatalf("Unexpected stderr:\n%s\n", s)
+					}
 				})
 
 				when("modifying the env fails", func() {

buildpack/detect_test.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/apex/log"
@@ -294,6 +295,8 @@ func testDetect(t *testing.T, when spec.G, it spec.S) {
 			)
 
 			it.Before(func() {
+				h.SkipIf(t, runtime.GOOS == "windows", "Image extensions are not supported for Windows builds")
+
 				descriptorPath = filepath.Join("testdata", "extension", "by-id", "A", "v1", "extension.toml")
 				var err error
 				descriptor, err = buildpack.ReadExtDescriptor(descriptorPath)

buildpack/dockerfile.go

@@ -8,7 +8,6 @@ import (
 	"strings"
 
 	"github.com/moby/buildkit/frontend/dockerfile/instructions"
-	"github.com/moby/buildkit/frontend/dockerfile/linter"
 	"github.com/moby/buildkit/frontend/dockerfile/parser"
 
 	"github.com/buildpacks/lifecycle/log"
@@ -75,7 +74,7 @@ func parseDockerfile(dockerfile string) ([]instructions.Stage, []instructions.Ar
 	if err != nil {
 		return nil, nil, err
 	}
-	stages, metaArgs, err := instructions.Parse(p.AST, &linter.Linter{})
+	stages, metaArgs, err := instructions.Parse(p.AST)
 	if err != nil {
 		return nil, nil, err
 	}

buildpack/ext_descriptor.go

@@ -43,10 +43,14 @@ func (d *ExtDescriptor) inferTargets() error {
 			if err != nil {
 				return err
 			}
-			var linuxDetected bool
+			var windowsDetected, linuxDetected bool
 			for i := 0; i < len(binFiles); i++ { // detect and generate files are optional
-				bf := binFiles[len(binFiles)-i-1]
+				bf := binFiles[len(binFiles)-i-1] // we're iterating backwards b/c os.ReadDir sorts "foo.exe" after "foo" but we want to preferentially detect windows first.
 				fname := bf.Name()
+				if !windowsDetected && (fname == "detect.exe" || fname == "detect.bat" || fname == "generate.exe" || fname == "generate.bat") {
+					d.Targets = append(d.Targets, TargetMetadata{OS: "windows"})
+					windowsDetected = true
+				}
 				if !linuxDetected && (fname == "detect" || fname == "generate") {
 					d.Targets = append(d.Targets, TargetMetadata{OS: "linux"})
 					linuxDetected = true

buildpack/ext_descriptor_test.go

@@ -39,5 +39,13 @@ func testExtDescriptor(t *testing.T, when spec.G, it spec.S) {
 			h.AssertEq(t, descriptor.Targets[0].OS, "")
 			h.AssertEq(t, descriptor.Targets[0].Arch, "")
 		})
+		it("slices, it dices, it even does windows", func() {
+			path := filepath.Join("testdata", "extension", "by-id", "D", "v1", "extension.toml")
+			descriptor, err := buildpack.ReadExtDescriptor(path)
+			h.AssertNil(t, err)
+			h.AssertEq(t, len(descriptor.Targets), 1)
+			h.AssertEq(t, descriptor.Targets[0].OS, "windows")
+			h.AssertEq(t, descriptor.Targets[0].Arch, "")
+		})
 	})
 }

buildpack/generate.go

@@ -88,7 +88,7 @@ func runGenerateCmd(d ExtDescriptor, extOutputDir, planPath string, inputs Gener
 	) // #nosec G204
 	cmd.Dir = inputs.AppDir
 	cmd.Stdout = inputs.Out
-	cmd.Stderr = inputs.Out
+	cmd.Stderr = inputs.Err
 
 	var err error
 	if d.Extension.ClearEnv {

buildpack/generate_test.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -23,7 +24,9 @@ import (
 )
 
 func TestGenerate(t *testing.T) {
-	spec.Run(t, "unit-generate", testGenerate, spec.Report(report.Terminal{}))
+	if runtime.GOOS != "windows" {
+		spec.Run(t, "unit-generate", testGenerate, spec.Report(report.Terminal{}))
+	}
 }
 
 func testGenerate(t *testing.T, when spec.G, it spec.S) {
@@ -248,9 +251,12 @@ func testGenerate(t *testing.T, when spec.G, it spec.S) {
 					if _, err := executor.Generate(descriptor, inputs, logger); err != nil {
 						t.Fatalf("Unexpected error:\n%s\n", err)
 					}
-					if s := cmp.Diff(h.CleanEndings(stdout.String()), "build out: A@v1\nbuild err: A@v1\n"); s != "" {
+					if s := cmp.Diff(h.CleanEndings(stdout.String()), "build out: A@v1\n"); s != "" {
 						t.Fatalf("Unexpected stdout:\n%s\n", s)
 					}
+					if s := cmp.Diff(h.CleanEndings(stderr.String()), "build err: A@v1\n"); s != "" {
+						t.Fatalf("Unexpected stderr:\n%s\n", s)
+					}
 				})
 
 				it("errors when the command fails", func() {

cache/caching_image_test.go

@@ -4,6 +4,8 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
+	"strings"
 	"testing"
 
 	"github.com/buildpacks/imgutil"
@@ -68,6 +70,9 @@ func testCachingImage(t *testing.T, when spec.G, it spec.S) {
 				h.AssertNil(t, err)
 				defer from.Close()
 
+				if runtime.GOOS == "windows" {
+					layerSHA = strings.TrimPrefix(layerSHA, "sha256:")
+				}
 				to, err := os.Create(filepath.Join(tmpDir, "committed", layerSHA+".tar"))
 				h.AssertNil(t, err)
 				defer to.Close()

cache/image_cache.go

@@ -158,9 +158,3 @@ func (c *ImageCache) Commit() error {
 
 	return nil
 }
-
-// VerifyLayer returns an error if the layer contents do not match the provided sha.
-func (c *ImageCache) VerifyLayer(_ string) error {
-	// we assume the registry is verifying digests for us
-	return nil
-}

cache/image_comparer.go

@@ -9,7 +9,7 @@ import (
 
 // ImageComparer provides a way to compare images
 type ImageComparer interface {
-	ImagesEq(origImage imgutil.Image, newImage imgutil.Image) (bool, error)
+	ImagesEq(orig imgutil.Image, new imgutil.Image) (bool, error)
 }
 
 // ImageComparerImpl implements the ImageComparer interface

cache/volume_cache.go

@@ -1,12 +1,13 @@
 package cache
 
 import (
-	"crypto/sha256"
 	"encoding/json"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
+	"strings"
 
 	"github.com/pkg/errors"
 
@@ -142,8 +143,11 @@ func (c *VolumeCache) ReuseLayer(diffID string) error {
 	stagingPath := diffIDPath(c.stagingDir, diffID)
 
 	if _, err := os.Stat(committedPath); err != nil {
-		if err = handleFileError(err, diffID); errors.Is(err, ReadErr{}) {
-			return err
+		if os.IsNotExist(err) {
+			return NewReadErr(fmt.Sprintf("failed to find cache layer with SHA '%s'", diffID))
+		}
+		if os.IsPermission(err) {
+			return NewReadErr(fmt.Sprintf("failed to read cache layer with SHA '%s' due to insufficient permissions", diffID))
 		}
 		return fmt.Errorf("failed to re-use cache layer with SHA '%s': %w", diffID, err)
 	}
@@ -161,8 +165,11 @@ func (c *VolumeCache) RetrieveLayer(diffID string) (io.ReadCloser, error) {
 	}
 	file, err := os.Open(path)
 	if err != nil {
-		if err = handleFileError(err, diffID); errors.Is(err, ReadErr{}) {
-			return nil, err
+		if os.IsPermission(err) {
+			return nil, NewReadErr(fmt.Sprintf("failed to read cache layer with SHA '%s' due to insufficient permissions", diffID))
+		}
+		if os.IsNotExist(err) {
+			return nil, NewReadErr(fmt.Sprintf("failed to find cache layer with SHA '%s'", diffID))
 		}
 		return nil, fmt.Errorf("failed to get cache layer with SHA '%s'", diffID)
 	}
@@ -182,8 +189,8 @@ func (c *VolumeCache) HasLayer(diffID string) (bool, error) {
 func (c *VolumeCache) RetrieveLayerFile(diffID string) (string, error) {
 	path := diffIDPath(c.committedDir, diffID)
 	if _, err := os.Stat(path); err != nil {
-		if err = handleFileError(err, diffID); errors.Is(err, ReadErr{}) {
-			return "", err
+		if os.IsNotExist(err) {
+			return "", NewReadErr(fmt.Sprintf("failed to find cache layer with SHA '%s'", diffID))
 		}
 		return "", errors.Wrapf(err, "retrieving layer with SHA '%s'", diffID)
 	}
@@ -195,13 +202,13 @@ func (c *VolumeCache) Commit() error {
 		return errCacheCommitted
 	}
 	c.committed = true
-	if err := os.Rename(c.committedDir, c.backupDir); err != nil {
+	if err := fsutil.RenameWithWindowsFallback(c.committedDir, c.backupDir); err != nil {
 		return errors.Wrap(err, "backing up cache")
 	}
 	defer os.RemoveAll(c.backupDir)
 
-	if err1 := os.Rename(c.stagingDir, c.committedDir); err1 != nil {
-		if err2 := os.Rename(c.backupDir, c.committedDir); err2 != nil {
+	if err1 := fsutil.RenameWithWindowsFallback(c.stagingDir, c.committedDir); err1 != nil {
+		if err2 := fsutil.RenameWithWindowsFallback(c.backupDir, c.committedDir); err2 != nil {
 			return errors.Wrap(err2, "rolling back cache")
 		}
 		return errors.Wrap(err1, "committing cache")
@@ -211,6 +218,10 @@ func (c *VolumeCache) Commit() error {
 }
 
 func diffIDPath(basePath, diffID string) string {
+	if runtime.GOOS == "windows" {
+		// Avoid colons in Windows file paths
+		diffID = strings.TrimPrefix(diffID, "sha256:")
+	}
 	return filepath.Join(basePath, diffID+".tar")
 }
 
@@ -220,33 +231,3 @@ func (c *VolumeCache) setupStagingDir() error {
 	}
 	return os.MkdirAll(c.stagingDir, 0777)
 }
-
-// VerifyLayer returns an error if the layer contents do not match the provided sha.
-func (c *VolumeCache) VerifyLayer(diffID string) error {
-	layerRC, err := c.RetrieveLayer(diffID)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		_ = layerRC.Close()
-	}()
-	hasher := sha256.New()
-	if _, err := io.Copy(hasher, layerRC); err != nil {
-		return errors.Wrap(err, "hashing layer")
-	}
-	foundDiffID := fmt.Sprintf("sha256:%x", hasher.Sum(nil))
-	if diffID != foundDiffID {
-		return NewReadErr(fmt.Sprintf("expected layer contents to have SHA '%s'; found '%s'", diffID, foundDiffID))
-	}
-	return err
-}
-
-func handleFileError(err error, diffID string) error {
-	if os.IsNotExist(err) {
-		return NewReadErr(fmt.Sprintf("failed to find cache layer with SHA '%s'", diffID))
-	}
-	if os.IsPermission(err) {
-		return NewReadErr(fmt.Sprintf("failed to read cache layer with SHA '%s' due to insufficient permissions", diffID))
-	}
-	return err
-}

cmd/exit.go

@@ -60,6 +60,6 @@ func Exit(err error) {
 }
 
 func ExitWithVersion() {
-	DefaultLogger.Info(buildVersion())
+	DefaultLogger.Infof(buildVersion())
 	os.Exit(0)
 }

cmd/lifecycle/analyzer.go

@@ -19,8 +19,8 @@ import (
 type analyzeCmd struct {
 	*platform.Platform
 
-	docker   client.APIClient // construct if necessary before dropping privileges
-	keychain authn.Keychain   // construct if necessary before dropping privileges
+	docker   client.CommonAPIClient // construct if necessary before dropping privileges
+	keychain authn.Keychain         // construct if necessary before dropping privileges
 }
 
 // DefineFlags defines the flags that are considered valid and reads their values (if provided).

cmd/lifecycle/cli/command.go

@@ -61,9 +61,6 @@ func Run(c Command, withPhaseName string, asSubcommand bool) {
 
 	// We print a warning here, so we should disable color if needed and set the log level before exercising this logic.
 	for _, arg := range flagSet.Args() {
-		if len(arg) == 0 {
-			continue
-		}
 		if arg[0:1] == "-" {
 			cmd.DefaultLogger.Warnf("Warning: unconsumed flag-like positional arg: \n\t%s\n\t This will not be interpreted as a flag.\n\t Did you mean to put this before the first positional argument?", arg)
 		}

cmd/lifecycle/creator.go

@@ -23,8 +23,8 @@ import (
 type createCmd struct {
 	*platform.Platform
 
-	docker   client.APIClient // construct if necessary before dropping privileges
-	keychain authn.Keychain   // construct if necessary before dropping privileges
+	docker   client.CommonAPIClient // construct if necessary before dropping privileges
+	keychain authn.Keychain         // construct if necessary before dropping privileges
 }
 
 // DefineFlags defines the flags that are considered valid and reads their values (if provided).

cmd/lifecycle/exporter.go

@@ -313,7 +313,7 @@ func (e *exportCmd) initDaemonAppImage(analyzedMD files.Analyzed, logger log.Log
 }
 
 func (e *exportCmd) initRemoteAppImage(analyzedMD files.Analyzed) (imgutil.Image, string, error) {
-	var appOpts = []imgutil.ImageOption{
+	var opts = []imgutil.ImageOption{
 		remote.FromBaseImage(e.RunImageRef),
 	}
 
@@ -324,57 +324,43 @@ func (e *exportCmd) initRemoteAppImage(analyzedMD files.Analyzed) (imgutil.Image
 		}
 		if extendedConfig != nil {
 			cmd.DefaultLogger.Debugf("Using config from extensions...")
-			appOpts = append(appOpts, remote.WithConfig(extendedConfig))
+			opts = append(opts, remote.WithConfig(extendedConfig))
 		}
 	}
 
 	if e.supportsHistory() {
-		appOpts = append(appOpts, remote.WithHistory())
+		opts = append(opts, remote.WithHistory())
 	}
 
-	appOpts = append(appOpts, image.GetInsecureOptions(e.InsecureRegistries)...)
+	opts = append(opts, image.GetInsecureOptions(e.InsecureRegistries)...)
 
 	if analyzedMD.PreviousImageRef() != "" {
 		cmd.DefaultLogger.Infof("Reusing layers from image '%s'", analyzedMD.PreviousImageRef())
-		appOpts = append(appOpts, remote.WithPreviousImage(analyzedMD.PreviousImageRef()))
+		opts = append(opts, remote.WithPreviousImage(analyzedMD.PreviousImageRef()))
 	}
 
 	if !e.customSourceDateEpoch().IsZero() {
-		appOpts = append(appOpts, remote.WithCreatedAt(e.customSourceDateEpoch()))
+		opts = append(opts, remote.WithCreatedAt(e.customSourceDateEpoch()))
 	}
 
 	appImage, err := remote.NewImage(
 		e.OutputImageRef,
 		e.keychain,
-		appOpts...,
+		opts...,
 	)
 	if err != nil {
 		return nil, "", cmd.FailErr(err, "create new app image")
 	}
 
-	runImageID, err := func() (string, error) {
-		runImage, err := remote.NewImage(
-			e.RunImageRef,
-			e.keychain,
-			append(
-				image.GetInsecureOptions(e.InsecureRegistries),
-				remote.FromBaseImage(e.RunImageRef),
-			)...,
-		)
-		if err != nil {
-			return "", fmt.Errorf("failed to access run image: %w", err)
-		}
-		runImageID, err := runImage.Identifier()
-		if err != nil {
-			return "", fmt.Errorf("failed to get run image identifier: %w", err)
-		}
-		return runImageID.String(), nil
-	}()
+	runImage, err := remote.NewImage(e.RunImageRef, e.keychain, remote.FromBaseImage(e.RunImageRef))
 	if err != nil {
-		return nil, "", cmd.FailErr(err, "get run image ID")
+		return nil, "", cmd.FailErr(err, "access run image")
 	}
-
-	return appImage, runImageID, nil
+	runImageID, err := runImage.Identifier()
+	if err != nil {
+		return nil, "", cmd.FailErr(err, "get run image reference")
+	}
+	return appImage, runImageID.String(), nil
 }
 
 func (e *exportCmd) initLayoutAppImage(analyzedMD files.Analyzed) (imgutil.Image, string, error) {

cmd/lifecycle/rebaser.go

@@ -196,7 +196,7 @@ func (r *rebaseCmd) setAppImage() error {
 		}
 
 		// we find the best mirror for the run image as this point
-		r.RunImageRef, err = platform.BestRunImageMirrorFor(registry, runImage, r.AccessChecker())
+		r.RunImageRef, err = platform.BestRunImageMirrorFor(registry, runImage, r.LifecycleInputs.AccessChecker())
 		if err != nil {
 			return err
 		}

cmd/lifecycle/restorer.go

@@ -31,8 +31,8 @@ const kanikoDir = "/kaniko"
 type restoreCmd struct {
 	*platform.Platform
 
-	docker   client.APIClient // construct if necessary before dropping privileges
-	keychain authn.Keychain   // construct if necessary before dropping privileges
+	docker   client.CommonAPIClient // construct if necessary before dropping privileges
+	keychain authn.Keychain         // construct if necessary before dropping privileges
 }
 
 // DefineFlags defines the flags that are considered valid and reads their values (if provided).
@@ -119,8 +119,8 @@ func (r *restoreCmd) Exec() error {
 				return cmd.FailErr(err, "get digest reference for builder image")
 			}
 			analyzedMD.BuildImage = &files.ImageIdentifier{Reference: digestRef.String()}
-			cmd.DefaultLogger.Debug("Adding build image info to analyzed metadata: ")
-			cmd.DefaultLogger.Debug(encoding.ToJSONMaybe(analyzedMD.BuildImage))
+			cmd.DefaultLogger.Debugf("Adding build image info to analyzed metadata: ")
+			cmd.DefaultLogger.Debugf(encoding.ToJSONMaybe(analyzedMD.BuildImage))
 		}
 		var (
 			runImage imgutil.Image
@@ -187,12 +187,12 @@ func (r *restoreCmd) updateAnalyzedMD(analyzedMD *files.Analyzed, runImage imgut
 			return cmd.FailErr(err, "read target data from run image")
 		}
 	}
-	cmd.DefaultLogger.Debug("Run image info in analyzed metadata was: ")
-	cmd.DefaultLogger.Debug(encoding.ToJSONMaybe(analyzedMD.RunImage))
+	cmd.DefaultLogger.Debugf("Run image info in analyzed metadata was: ")
+	cmd.DefaultLogger.Debugf(encoding.ToJSONMaybe(analyzedMD.RunImage))
 	analyzedMD.RunImage.Reference = digestRef.String()
 	analyzedMD.RunImage.TargetMetadata = targetData
-	cmd.DefaultLogger.Debug("Run image info in analyzed metadata is: ")
-	cmd.DefaultLogger.Debug(encoding.ToJSONMaybe(analyzedMD.RunImage))
+	cmd.DefaultLogger.Debugf("Run image info in analyzed metadata is: ")
+	cmd.DefaultLogger.Debugf(encoding.ToJSONMaybe(analyzedMD.RunImage))
 	return nil
 }
 

env/build.go

@@ -1,6 +1,7 @@
 package env
 
 import (
+	"runtime"
 	"strings"
 )
 
@@ -17,7 +18,7 @@ var BuildEnvIncludelist = []string{
 	"no_proxy",
 }
 
-var ignoreEnvVarCase = false
+var ignoreEnvVarCase = runtime.GOOS == "windows"
 
 // NewBuildEnv returns a build-time Env from the given environment.
 //

env/build_test.go

@@ -1,6 +1,7 @@
 package env_test
 
 import (
+	"runtime"
 	"sort"
 	"testing"
 
@@ -10,6 +11,7 @@ import (
 	"github.com/sclevine/spec/report"
 
 	"github.com/buildpacks/lifecycle/env"
+	h "github.com/buildpacks/lifecycle/testhelpers"
 )
 
 func TestBuildEnv(t *testing.T) {
@@ -62,9 +64,15 @@ func testBuildEnv(t *testing.T, when spec.G, it spec.S) {
 				"NO_PROXY=some-no-proxy",
 				"PATH=some-path",
 				"PKG_CONFIG_PATH=some-pkg-config-path",
-				"http_proxy=some-http-proxy",
-				"https_proxy=some-https-proxy",
-				"no_proxy=some-no-proxy",
+			}
+			// Environment variables in Windows are case insensitive, and are added by the lifecycle in uppercase.
+			if runtime.GOOS != "windows" {
+				expectedVars = append(
+					expectedVars,
+					"http_proxy=some-http-proxy",
+					"https_proxy=some-https-proxy",
+					"no_proxy=some-no-proxy",
+				)
 			}
 			if s := cmp.Diff(out, expectedVars); s != "" {
 				t.Fatalf("Unexpected env\n%s\n", s)
@@ -88,5 +96,22 @@ func testBuildEnv(t *testing.T, when spec.G, it spec.S) {
 				t.Fatalf("Unexpected root dir map\n%s\n", s)
 			}
 		})
+
+		when("building in Windows", func() {
+			it.Before(func() {
+				if runtime.GOOS != "windows" {
+					t.Skip("This test only applies to Windows builds")
+				}
+			})
+
+			it("ignores case when initializing", func() {
+				benv := env.NewBuildEnv([]string{
+					"Path=some-path",
+				})
+				out := benv.List()
+				h.AssertEq(t, len(out), 1)
+				h.AssertEq(t, out[0], "PATH=some-path")
+			})
+		})
 	})
 }

env/env_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"sort"
 	"strings"
 	"testing"
@@ -41,7 +42,7 @@ func testEnv(t *testing.T, when spec.G, it spec.S) {
 					"LIBRARY_PATH",
 				},
 			},
-			Vars: env.NewVars(map[string]string{}, false),
+			Vars: env.NewVars(map[string]string{}, runtime.GOOS == "windows"),
 		}
 	})
 

env/launch_test.go

@@ -2,6 +2,7 @@ package env_test
 
 import (
 	"os"
+	"runtime"
 	"strings"
 	"testing"
 
@@ -10,6 +11,7 @@ import (
 	"github.com/sclevine/spec/report"
 
 	"github.com/buildpacks/lifecycle/env"
+	h "github.com/buildpacks/lifecycle/testhelpers"
 )
 
 func TestLaunchEnv(t *testing.T) {
@@ -67,5 +69,22 @@ func testLaunchEnv(t *testing.T, when spec.G, it spec.S) {
 				t.Fatalf("Unexpected root dir map\n%s\n", s)
 			}
 		})
+
+		when("launching in Windows", func() {
+			it.Before(func() {
+				if runtime.GOOS != "windows" {
+					t.Skip("This test only applies to Windows launches")
+				}
+			})
+
+			it("ignores case when initializing", func() {
+				benv := env.NewLaunchEnv([]string{
+					"Path=some-path",
+				}, "", "")
+				out := benv.List()
+				h.AssertEq(t, len(out), 1)
+				h.AssertEq(t, out[0], "PATH=some-path")
+			})
+		})
 	})
 }

go.mod

@@ -1,326 +1,142 @@
 module github.com/buildpacks/lifecycle
 
 require (
-	github.com/BurntSushi/toml v1.5.0
+	github.com/BurntSushi/toml v1.4.0
+	github.com/GoogleContainerTools/kaniko v1.23.1
 	github.com/apex/log v1.9.0
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.10.1
-	github.com/buildpacks/imgutil v0.0.0-20250814164739-4b1c8875ba7e
-	github.com/chainguard-dev/kaniko v1.25.1
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20240419161514-af205d85bb44
+	github.com/buildpacks/imgutil v0.0.0-20240605145725-186f89b2d168
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589
-	github.com/containerd/containerd v1.7.28
-	github.com/docker/docker v28.3.3+incompatible
+	github.com/containerd/containerd v1.7.19
+	github.com/docker/docker v26.1.5+incompatible
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.7.0
-	github.com/google/go-containerregistry v0.20.6
+	github.com/google/go-cmp v0.6.0
+	github.com/google/go-containerregistry v0.20.0
 	github.com/google/uuid v1.6.0
 	github.com/heroku/color v0.0.6
-	github.com/moby/buildkit v0.23.2
+	github.com/moby/buildkit v0.13.2
 	github.com/pkg/errors v0.9.1
 	github.com/sclevine/spec v1.4.0
-	golang.org/x/sync v0.16.0
-	golang.org/x/sys v0.35.0
+	golang.org/x/sync v0.7.0
+	golang.org/x/sys v0.22.0
 )
 
 require (
-	4d63.com/gocheckcompilerdirectives v1.3.0 // indirect
-	4d63.com/gochecknoglobals v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.7.0 // indirect
-	github.com/4meepo/tagalign v1.4.2 // indirect
-	github.com/Abirdcfly/dupword v0.1.3 // indirect
-	github.com/Antonboom/errname v1.1.0 // indirect
-	github.com/Antonboom/nilnil v1.1.0 // indirect
-	github.com/Antonboom/testifylint v1.6.1 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.30 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.7 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.1 // indirect
-	github.com/Azure/go-autorest/logger v0.2.2 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.1 // indirect
-	github.com/Crocmagnon/fatcontext v0.7.2 // indirect
-	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
-	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.3.1 // indirect
-	github.com/Masterminds/semver/v3 v3.3.1 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.1 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/Microsoft/hcsshim v0.13.0 // indirect
-	github.com/OpenPeeDeeP/depguard/v2 v2.2.1 // indirect
+	github.com/Microsoft/hcsshim v0.11.7 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/alecthomas/chroma/v2 v2.16.0 // indirect
-	github.com/alecthomas/go-check-sumtype v0.3.1 // indirect
-	github.com/alexkohler/nakedret/v2 v2.0.6 // indirect
-	github.com/alexkohler/prealloc v1.0.0 // indirect
-	github.com/alingse/asasalint v0.0.11 // indirect
-	github.com/alingse/nilnesserr v0.2.0 // indirect
-	github.com/ashanbrown/forbidigo v1.6.0 // indirect
-	github.com/ashanbrown/makezero v1.2.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.37.0 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.30.1 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.18.1 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.45.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.26.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.31.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.35.0 // indirect
-	github.com/aws/smithy-go v1.22.5 // indirect
-	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.27.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.16 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.16 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.27.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.10 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/bkielbasa/cyclop v1.2.3 // indirect
-	github.com/blizzy78/varnamelen v0.8.0 // indirect
-	github.com/bombsimon/wsl/v4 v4.7.0 // indirect
-	github.com/breml/bidichk v0.3.3 // indirect
-	github.com/breml/errchkjson v0.4.1 // indirect
-	github.com/butuzov/ireturn v0.4.0 // indirect
-	github.com/butuzov/mirror v1.3.0 // indirect
-	github.com/catenacyber/perfsprint v0.9.1 // indirect
-	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/charithe/durationcheck v0.0.10 // indirect
-	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
-	github.com/charmbracelet/lipgloss v1.1.0 // indirect
-	github.com/charmbracelet/x/ansi v0.8.0 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.13-0.20250311204145-2c3ea96c31dd // indirect
-	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/chavacava/garif v0.1.0 // indirect
-	github.com/ckaznocha/intrange v0.3.1 // indirect
-	github.com/containerd/cgroups/v3 v3.0.5 // indirect
-	github.com/containerd/containerd/api v1.9.0 // indirect
-	github.com/containerd/containerd/v2 v2.1.3 // indirect
-	github.com/containerd/continuity v0.4.5 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cilium/ebpf v0.9.1 // indirect
+	github.com/containerd/cgroups v1.1.0 // indirect
+	github.com/containerd/cgroups/v3 v3.0.2 // indirect
+	github.com/containerd/containerd/api v1.7.19 // indirect
+	github.com/containerd/continuity v0.4.3 // indirect
+	github.com/containerd/errdefs v0.1.0 // indirect
+	github.com/containerd/fifo v1.1.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v1.0.0-rc.1 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
-	github.com/containerd/ttrpc v1.2.7 // indirect
-	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/curioswitch/go-reassign v0.3.0 // indirect
-	github.com/daixiang0/gci v0.13.6 // indirect
-	github.com/dave/dst v0.27.3 // indirect
-	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/denis-tingaikin/go-header v0.5.0 // indirect
+	github.com/containerd/platforms v0.2.1 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
+	github.com/containerd/ttrpc v1.2.5 // indirect
+	github.com/containerd/typeurl/v2 v2.1.1 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/dlclark/regexp2 v1.11.5 // indirect
-	github.com/docker/cli v28.2.2+incompatible // indirect
+	github.com/docker/cli v26.1.4+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.9.3 // indirect
+	github.com/docker/docker-credential-helpers v0.8.1 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
+	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/ePirat/docker-credential-gitlabci v1.0.0 // indirect
-	github.com/ettle/strcase v0.2.0 // indirect
-	github.com/fatih/color v1.18.0 // indirect
-	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/firefart/nonamedreturns v1.0.6 // indirect
-	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/fzipp/gocyclo v0.6.0 // indirect
-	github.com/ghostiam/protogetter v0.3.15 // indirect
-	github.com/go-critic/go-critic v0.13.0 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-toolsmith/astcast v1.1.0 // indirect
-	github.com/go-toolsmith/astcopy v1.1.0 // indirect
-	github.com/go-toolsmith/astequal v1.2.0 // indirect
-	github.com/go-toolsmith/astfmt v1.1.0 // indirect
-	github.com/go-toolsmith/astp v1.1.0 // indirect
-	github.com/go-toolsmith/strparse v1.1.0 // indirect
-	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/go-xmlfmt/xmlfmt v1.1.3 // indirect
-	github.com/gobwas/glob v0.2.3 // indirect
-	github.com/gofrs/flock v0.12.1 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
-	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
-	github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32 // indirect
-	github.com/golangci/go-printf-func-name v0.1.0 // indirect
-	github.com/golangci/gofmt v0.0.0-20250106114630-d62b90e6713d // indirect
-	github.com/golangci/golangci-lint/v2 v2.1.2 // indirect
-	github.com/golangci/golines v0.0.0-20250217134842-442fd0091d95 // indirect
-	github.com/golangci/misspell v0.6.0 // indirect
-	github.com/golangci/plugin-module-register v0.1.1 // indirect
-	github.com/golangci/revgrep v0.8.0 // indirect
-	github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e // indirect
-	github.com/gordonklaus/ineffassign v0.1.0 // indirect
-	github.com/gorilla/mux v1.8.1 // indirect
-	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
-	github.com/gostaticanalysis/comment v1.5.0 // indirect
-	github.com/gostaticanalysis/forcetypeassert v0.2.0 // indirect
-	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
-	github.com/hashicorp/go-immutable-radix/v2 v2.1.0 // indirect
-	github.com/hashicorp/go-version v1.7.0 // indirect
-	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hexops/gotextdiff v1.0.3 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/jgautheron/goconst v1.8.1 // indirect
-	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
-	github.com/jjti/go-spancheck v0.6.4 // indirect
-	github.com/julz/importas v0.2.0 // indirect
-	github.com/karamaru-alpha/copyloopvar v1.2.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
+	github.com/hashicorp/go-memdb v1.3.4 // indirect
+	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/karrick/godirwalk v1.17.0 // indirect
-	github.com/kisielk/errcheck v1.9.0 // indirect
-	github.com/kkHAIKE/contextcheck v1.1.6 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/kulti/thelper v0.6.3 // indirect
-	github.com/kunwardeep/paralleltest v1.0.14 // indirect
-	github.com/lasiar/canonicalheader v1.1.2 // indirect
-	github.com/ldez/exptostd v0.4.3 // indirect
-	github.com/ldez/gomoddirectives v0.6.1 // indirect
-	github.com/ldez/grignotin v0.9.0 // indirect
-	github.com/ldez/tagliatelle v0.7.1 // indirect
-	github.com/ldez/usetesting v0.4.3 // indirect
-	github.com/leonklingele/grouper v1.1.2 // indirect
-	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/macabu/inamedparam v0.2.0 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/manuelarte/funcorder v0.2.1 // indirect
-	github.com/maratori/testableexamples v1.0.0 // indirect
-	github.com/maratori/testpackage v1.1.1 // indirect
-	github.com/matoous/godox v1.1.0 // indirect
-	github.com/mattn/go-colorable v0.1.14 // indirect
+	github.com/klauspost/compress v1.17.4 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.16 // indirect
-	github.com/mgechev/revive v1.9.0 // indirect
-	github.com/minio/highwayhash v1.0.3 // indirect
+	github.com/minio/highwayhash v1.0.2 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
-	github.com/moby/go-archive v0.1.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/atomicwriter v0.1.0 // indirect
-	github.com/moby/sys/mount v0.3.4 // indirect
-	github.com/moby/sys/mountinfo v0.7.2 // indirect
-	github.com/moby/sys/reexec v0.1.0 // indirect
-	github.com/moby/sys/sequential v0.6.0 // indirect
-	github.com/moby/sys/signal v0.7.1 // indirect
-	github.com/moby/sys/symlink v0.3.0 // indirect
-	github.com/moby/sys/user v0.4.0 // indirect
-	github.com/moby/sys/userns v0.1.0 // indirect
-	github.com/moby/term v0.5.2 // indirect
-	github.com/moricho/tparallel v0.3.2 // indirect
+	github.com/moby/swarmkit/v2 v2.0.0-20230911190601-f082dd7a0cee // indirect
+	github.com/moby/sys/mount v0.3.3 // indirect
+	github.com/moby/sys/mountinfo v0.7.1 // indirect
+	github.com/moby/sys/sequential v0.5.0 // indirect
+	github.com/moby/sys/signal v0.7.0 // indirect
+	github.com/moby/sys/symlink v0.2.0 // indirect
+	github.com/moby/sys/user v0.1.0 // indirect
+	github.com/moby/term v0.5.0 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/muesli/termenv v0.16.0 // indirect
-	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/nakabonne/nestif v0.3.1 // indirect
-	github.com/nishanths/exhaustive v0.12.0 // indirect
-	github.com/nishanths/predeclared v0.2.2 // indirect
-	github.com/nunnatsa/ginkgolinter v0.19.1 // indirect
-	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/opencontainers/runtime-spec v1.2.1 // indirect
-	github.com/otiai10/copy v1.14.1 // indirect
-	github.com/otiai10/mint v1.6.3 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
-	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
-	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/polyfloyd/go-errorlint v1.8.0 // indirect
-	github.com/prometheus/client_golang v1.22.0 // indirect
-	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.64.0 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
-	github.com/quasilyte/go-ruleguard v0.4.4 // indirect
-	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
-	github.com/quasilyte/gogrep v0.5.0 // indirect
-	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
-	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
-	github.com/raeperd/recvcheck v0.2.0 // indirect
-	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.14.1 // indirect
-	github.com/ryancurrah/gomodguard v1.4.1 // indirect
-	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
-	github.com/sanposhiho/wastedassign/v2 v2.1.0 // indirect
-	github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 // indirect
-	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
-	github.com/sashamelentyev/usestdlibvars v1.28.0 // indirect
-	github.com/sclevine/yj v0.0.0-20210612025309-737bdf40a5d1 // indirect
-	github.com/securego/gosec/v2 v2.22.3 // indirect
+	github.com/opencontainers/image-spec v1.1.0 // indirect
+	github.com/opencontainers/runtime-spec v1.1.0 // indirect
+	github.com/opencontainers/selinux v1.11.0 // indirect
+	github.com/otiai10/copy v1.14.0 // indirect
+	github.com/prometheus/client_golang v1.19.0 // indirect
+	github.com/prometheus/client_model v0.5.0 // indirect
+	github.com/prometheus/common v0.48.0 // indirect
+	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/sivchari/containedctx v1.0.3 // indirect
-	github.com/sonatard/noctx v0.1.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/sourcegraph/go-diff v0.7.0 // indirect
-	github.com/spf13/afero v1.14.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
-	github.com/spf13/cobra v1.9.1 // indirect
-	github.com/spf13/pflag v1.0.7 // indirect
-	github.com/spf13/viper v1.18.2 // indirect
-	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
-	github.com/stbenjam/no-sprintf-host-port v0.2.0 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
-	github.com/stretchr/testify v1.10.0 // indirect
-	github.com/subosito/gotenv v1.6.0 // indirect
-	github.com/tdakkota/asciicheck v0.4.1 // indirect
-	github.com/tetafro/godot v1.5.0 // indirect
-	github.com/timakin/bodyclose v0.0.0-20241222091800-1db5c5ca4d67 // indirect
-	github.com/timonwong/loggercheck v0.11.0 // indirect
-	github.com/tomarrell/wrapcheck/v2 v2.11.0 // indirect
-	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
-	github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect
-	github.com/ultraware/funlen v0.2.0 // indirect
-	github.com/ultraware/whitespace v0.2.0 // indirect
-	github.com/uudashr/gocognit v1.2.0 // indirect
-	github.com/uudashr/iface v1.3.1 // indirect
-	github.com/vbatts/tar-split v0.12.1 // indirect
-	github.com/xen0n/gosmopolitan v1.3.0 // indirect
-	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/yagipy/maintidx v1.0.0 // indirect
-	github.com/yeya24/promlinter v0.3.0 // indirect
-	github.com/ykadowak/zerologlint v0.1.5 // indirect
-	gitlab.com/bosi/decorder v0.4.2 // indirect
-	go-simpler.org/musttag v0.13.0 // indirect
-	go-simpler.org/sloglint v0.11.0 // indirect
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/vbatts/tar-split v0.11.5 // indirect
+	go.etcd.io/etcd/raft/v3 v3.5.9 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
-	go.opentelemetry.io/otel/metric v1.36.0 // indirect
-	go.opentelemetry.io/otel/trace v1.36.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/automaxprocs v1.6.0 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
-	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.40.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
-	golang.org/x/exp/typeparams v0.0.0-20250210185358-939b2ce775ac // indirect
-	golang.org/x/mod v0.26.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250721164621-a45f3dfb1074 // indirect
-	google.golang.org/grpc v1.74.2 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
-	honnef.co/go/tools v0.6.1 // indirect
-	mvdan.cc/gofumpt v0.8.0 // indirect
-	mvdan.cc/unparam v0.0.0-20250301125049-0df0534333a4 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect
+	go.opentelemetry.io/otel v1.25.0 // indirect
+	go.opentelemetry.io/otel/metric v1.25.0 // indirect
+	go.opentelemetry.io/otel/trace v1.25.0 // indirect
+	golang.org/x/crypto v0.24.0 // indirect
+	golang.org/x/net v0.26.0 // indirect
+	golang.org/x/oauth2 v0.20.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/genproto v0.0.0-20240401170217-c3f982113cda // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240521202816-d264139d666e // indirect
+	google.golang.org/grpc v1.64.1 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
 )
 
-tool golang.org/x/tools/cmd/goimports
-
-tool github.com/sclevine/yj
-
-tool github.com/golang/mock/mockgen
-
-tool github.com/golangci/golangci-lint/v2/cmd/golangci-lint
-
-go 1.24.6
+go 1.22

golangci.yaml

@@ -1,51 +1,44 @@
-version: "2"
 run:
   timeout: 6m
+
 linters:
-  default: none
+  disable-all: true
   enable:
     - bodyclose
-    - copyloopvar
     - dogsled
     - errcheck
+    - exportloopref
     - gocritic
+    - goimports
     - gosec
+    - gosimple
     - govet
     - ineffassign
-    - intrange
     - misspell
     - nakedret
     - revive
     - staticcheck
+    - stylecheck
+    - typecheck
     - unconvert
     - unused
     - whitespace
-  settings:
-    govet:
-      enable:
-        - fieldalignment
-  exclusions:
-    generated: lax
-    rules:
-      - linters:
-          - govet
-        text: pointer bytes could be
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+
+
+linters-settings:
+  goimports:
+    local-prefixes: github.com/buildpacks/lifecycle
+  govet:
+    enable:
+      - fieldalignment
+
+
 issues:
+  exclude-use-default: false
   new-from-rev: 91593cf91797ca0a98ffa31842107a9d916da37b
-formatters:
-  enable:
-    - goimports
-  settings:
-    goimports:
-      local-prefixes:
-        - github.com/buildpacks/lifecycle
-  exclusions:
-    generated: lax
-    paths:
-      - third_party$
-      - builtin$
-      - examples$
+  exclude-rules:
+    # Ignore this minor optimization.
+    # See https://github.com/golang/go/issues/44877#issuecomment-794565908
+    - linters:
+        - govet
+      text: "pointer bytes could be"

image/handler.go

@@ -22,7 +22,7 @@ type Handler interface {
 // - WHEN a docker client is provided then it returns a LocalHandler
 // - WHEN an auth.Keychain is provided then it returns a RemoteHandler
 // - Otherwise nil is returned
-func NewHandler(docker client.APIClient, keychain authn.Keychain, layoutDir string, useLayout bool, insecureRegistries []string) Handler {
+func NewHandler(docker client.CommonAPIClient, keychain authn.Keychain, layoutDir string, useLayout bool, insecureRegistries []string) Handler {
 	if layoutDir != "" && useLayout {
 		return &LayoutHandler{
 			layoutDir: layoutDir,

image/handler_test.go

@@ -23,7 +23,7 @@ func testHandler(t *testing.T, when spec.G, it spec.S) {
 	var (
 		mockController *gomock.Controller
 		mockKeychain   *testmockauth.MockKeychain
-		dockerClient   client.APIClient
+		dockerClient   client.CommonAPIClient
 	)
 
 	it.Before(func() {

image/local_handler_test.go

@@ -18,7 +18,7 @@ func TestLocalImageHandler(t *testing.T) {
 func testLocalImageHandler(t *testing.T, when spec.G, it spec.S) {
 	var (
 		imageHandler image.Handler
-		dockerClient client.APIClient
+		dockerClient client.CommonAPIClient
 	)
 
 	when("Local handler", func() {

internal/extend/kaniko/dockerfile_applier.go

@@ -6,7 +6,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/chainguard-dev/kaniko/pkg/config"
+	"github.com/GoogleContainerTools/kaniko/pkg/config"
 	"github.com/containerd/containerd/platforms"
 	"github.com/google/go-containerregistry/pkg/name"
 	v1 "github.com/google/go-containerregistry/pkg/v1"

internal/extend/kaniko/dockerfile_applier_darwin.go

@@ -1,4 +1,4 @@
-//go:build unix && !linux
+//go:build darwin
 
 package kaniko
 

internal/extend/kaniko/dockerfile_applier_linux.go

@@ -7,11 +7,11 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/chainguard-dev/kaniko/pkg/config"
-	"github.com/chainguard-dev/kaniko/pkg/executor"
-	"github.com/chainguard-dev/kaniko/pkg/image"
-	"github.com/chainguard-dev/kaniko/pkg/util"
-	"github.com/chainguard-dev/kaniko/pkg/util/proc"
+	"github.com/GoogleContainerTools/kaniko/pkg/config"
+	"github.com/GoogleContainerTools/kaniko/pkg/executor"
+	"github.com/GoogleContainerTools/kaniko/pkg/image"
+	"github.com/GoogleContainerTools/kaniko/pkg/util"
+	"github.com/GoogleContainerTools/kaniko/pkg/util/proc"
 	v1 "github.com/google/go-containerregistry/pkg/v1"
 	"github.com/google/go-containerregistry/pkg/v1/mutate"
 
@@ -39,7 +39,7 @@ func (a *DockerfileApplier) Apply(dockerfile extend.Dockerfile, toBaseImage v1.I
 	opts := createOptions(baseImageRef, dockerfile, withBuildOptions)
 
 	// update ignore paths; kaniko does this here:
-	// https://github.com/chainguard-dev/kaniko/blob/v1.9.2/cmd/executor/cmd/root.go#L124
+	// https://github.com/GoogleContainerTools/kaniko/blob/v1.9.2/cmd/executor/cmd/root.go#L124
 	if opts.IgnoreVarRun {
 		// from kaniko:
 		// /var/run is a special case. It's common to mount in /var/run/docker.sock
@@ -59,7 +59,7 @@ func (a *DockerfileApplier) Apply(dockerfile extend.Dockerfile, toBaseImage v1.I
 	}
 
 	// change to root directory; kaniko does this here:
-	// https://github.com/chainguard-dev/kaniko/blob/v1.9.2/cmd/executor/cmd/root.go#L160
+	// https://github.com/GoogleContainerTools/kaniko/blob/v1.9.2/cmd/executor/cmd/root.go#L160
 	if err = os.Chdir("/"); err != nil {
 		return nil, err
 	}

internal/extend/kaniko/dockerfile_applier_windows.go

@@ -0,0 +1,14 @@
+//go:build windows
+
+package kaniko
+
+import (
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+
+	"github.com/buildpacks/lifecycle/internal/extend"
+	"github.com/buildpacks/lifecycle/log"
+)
+
+func (a *DockerfileApplier) Apply(dockerfile extend.Dockerfile, toBaseImage v1.Image, withBuildOptions extend.Options, logger log.Logger) (v1.Image, error) {
+	return nil, nil
+}

internal/fsutil/os_detection.go

@@ -3,9 +3,6 @@ package fsutil
 import (
 	"os"
 	"strings"
-	"sync"
-
-	"github.com/buildpacks/lifecycle/log"
 )
 
 type OSInfo struct {
@@ -17,18 +14,12 @@ type Detector interface {
 	HasSystemdFile() bool
 	ReadSystemdFile() (string, error)
 	GetInfo(osReleaseContents string) OSInfo
-	StoredInfo() *OSInfo
-	InfoOnce(logger log.Logger)
 }
 
-// DefaultDetector implements Detector
-type DefaultDetector struct {
-	once sync.Once
-	info *OSInfo
+type Detect struct {
 }
 
-// HasSystemdFile returns true if /etc/os-release exists with contents
-func (d *DefaultDetector) HasSystemdFile() bool {
+func (d *Detect) HasSystemdFile() bool {
 	finfo, err := os.Stat("/etc/os-release")
 	if err != nil {
 		return false
@@ -36,14 +27,12 @@ func (d *DefaultDetector) HasSystemdFile() bool {
 	return !finfo.IsDir() && finfo.Size() > 0
 }
 
-// ReadSystemdFile returns the contents of /etc/os-release
-func (d *DefaultDetector) ReadSystemdFile() (string, error) {
+func (d *Detect) ReadSystemdFile() (string, error) {
 	bs, err := os.ReadFile("/etc/os-release")
 	return string(bs), err
 }
 
-// GetInfo returns the OS distribution name and version from the contents of /etc/os-release
-func (d *DefaultDetector) GetInfo(osReleaseContents string) OSInfo {
+func (d *Detect) GetInfo(osReleaseContents string) OSInfo {
 	ret := OSInfo{}
 	lines := strings.Split(osReleaseContents, "\n")
 	for _, line := range lines {
@@ -62,18 +51,5 @@ func (d *DefaultDetector) GetInfo(osReleaseContents string) OSInfo {
 			break
 		}
 	}
-	d.info = &ret // store for future use
 	return ret
 }
-
-// StoredInfo returns any OSInfo found during the last call to GetInfo
-func (d *DefaultDetector) StoredInfo() *OSInfo {
-	return d.info
-}
-
-// InfoOnce logs an info message to the provided logger, but only once in the lifetime of the receiving DefaultDetector.
-func (d *DefaultDetector) InfoOnce(logger log.Logger) {
-	d.once.Do(func() {
-		logger.Info("target distro name/version labels not found, reading /etc/os-release file")
-	})
-}

internal/fsutil/os_detection_linux_test.go

@@ -1,4 +1,5 @@
 //go:build linux
+// +build linux
 
 package fsutil_test
 
@@ -19,10 +20,10 @@ func TestDetectorUnix(t *testing.T) {
 func testDetectorUnix(t *testing.T, when spec.G, it spec.S) {
 	when("we should have a file", func() {
 		it("returns true correctly", func() {
-			h.AssertEq(t, (&fsutil.DefaultDetector{}).HasSystemdFile(), true)
+			h.AssertEq(t, (&fsutil.Detect{}).HasSystemdFile(), true)
 		})
 		it("returns the file contents", func() {
-			s, err := (&fsutil.DefaultDetector{}).ReadSystemdFile()
+			s, err := (&fsutil.Detect{}).ReadSystemdFile()
 			h.AssertNil(t, err)
 			h.AssertStringContains(t, s, "NAME")
 		})

internal/fsutil/os_detection_notlinux_test.go

@@ -1,4 +1,5 @@
-//go:build darwin
+//go:build windows || darwin
+// +build windows darwin
 
 package fsutil_test
 
@@ -19,10 +20,10 @@ func TestDetectorNonUnix(t *testing.T) {
 func testDetectorNonUnix(t *testing.T, when spec.G, it spec.S) {
 	when("we don't have a file", func() {
 		it("returns false correctly", func() {
-			h.AssertEq(t, (&fsutil.DefaultDetector{}).HasSystemdFile(), false)
+			h.AssertEq(t, (&fsutil.Detect{}).HasSystemdFile(), false)
 		})
 		it("returns an error correctly", func() {
-			_, err := (&fsutil.DefaultDetector{}).ReadSystemdFile()
+			_, err := (&fsutil.Detect{}).ReadSystemdFile()
 			h.AssertNotNil(t, err)
 		})
 	})

internal/fsutil/os_detection_test.go

@@ -15,7 +15,7 @@ func TestDetector(t *testing.T) {
 }
 
 // there's no state on this object so we can just use the same one forever
-var detect fsutil.DefaultDetector
+var detect fsutil.Detect
 
 func testDetector(t *testing.T, when spec.G, it spec.S) {
 	when("we have the contents of an os-release file", func() {

internal/fsutil/utils.go

@@ -4,6 +4,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 )
 
@@ -96,3 +97,20 @@ func copySymlink(src, dst string) error {
 	}
 	return os.Symlink(target, dst)
 }
+
+func RenameWithWindowsFallback(src, dst string) error {
+	if err := os.Rename(src, dst); err != nil {
+		switch {
+		case runtime.GOOS == "windows":
+			// On Windows, when using process isolation, we could encounter https://github.com/moby/moby/issues/38256
+			// which causes renames inside mounted volumes to fail for an unknown reason.
+			if err = copyDir(src, dst); err != nil {
+				return err
+			}
+			return os.RemoveAll(src)
+		default:
+			return err
+		}
+	}
+	return nil
+}

internal/fsutil/utils_test.go

@@ -70,6 +70,16 @@ func testIO(t *testing.T, when spec.G, it spec.S) {
 		})
 	})
 
+	when("#RenameWithWindowsFallback", func() {
+		when("directory does not exist", func() {
+			it("returns not exist error", func() {
+				err := fsutil.RenameWithWindowsFallback("some-not-exist-dir", "dest-dir")
+				h.AssertNotNil(t, err)
+				h.AssertEq(t, os.IsNotExist(err), true)
+			})
+		})
+	})
+
 	when("#FilesWithExtensions", func() {
 		when("called with directory and extensions", func() {
 			it("filters the files", func() {

internal/layer/sbom_restorer.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"path/filepath"
 	"regexp"
+	"runtime"
 
 	"github.com/buildpacks/imgutil"
 	"github.com/pkg/errors"
@@ -110,7 +111,11 @@ func (r *DefaultSBOMRestorer) RestoreToBuildpackLayers(detectedBps []buildpack.G
 func (r *DefaultSBOMRestorer) restoreSBOMFunc(detectedBps []buildpack.GroupElement, bomType string) func(path string, info fs.FileInfo, err error) error {
 	var bomRegex *regexp.Regexp
 
-	bomRegex = regexp.MustCompile(fmt.Sprintf(`%s/(.+)/(.+)/(sbom.+json)`, bomType))
+	if runtime.GOOS == "windows" {
+		bomRegex = regexp.MustCompile(fmt.Sprintf(`%s\\(.+)\\(.+)\\(sbom.+json)`, bomType))
+	} else {
+		bomRegex = regexp.MustCompile(fmt.Sprintf(`%s/(.+)/(.+)/(sbom.+json)`, bomType))
+	}
 
 	return func(path string, info fs.FileInfo, err error) error {
 		if info == nil || !info.Mode().IsRegular() {

internal/name/ref_test.go

@@ -73,6 +73,7 @@ func testRef(t *testing.T, when spec.G, it spec.S) {
 				},
 			}
 			for _, tc := range testCases {
+				tc := tc
 				w := when
 				w(tc.condition, func() {
 					it(tc.does, func() {

internal/path/defaults_unix.go

@@ -1,4 +1,5 @@
-//go:build unix
+//go:build linux || darwin
+// +build linux darwin
 
 package path
 

launch/bash_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/sclevine/spec"
@@ -25,6 +26,7 @@ func testBash(t *testing.T, when spec.G, it spec.S) {
 	)
 
 	it.Before(func() {
+		h.SkipIf(t, runtime.GOOS == "windows", "skip bash tests on windows")
 		var err error
 		tmpDir, err = os.MkdirTemp("", "shell-test")
 		h.AssertNil(t, err)

launch/cmd_test.go

@@ -0,0 +1,147 @@
+package launch_test
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/launch"
+	hl "github.com/buildpacks/lifecycle/launch/testhelpers"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+func TestCmd(t *testing.T) {
+	spec.Run(t, "Cmd", testCmd, spec.Report(report.Terminal{}))
+}
+
+func testCmd(t *testing.T, when spec.G, it spec.S) {
+	var (
+		shell      launch.Shell
+		tmpDir     string
+		defaultDir string
+		err        error
+	)
+
+	it.Before(func() {
+		defaultDir, err = os.Getwd()
+		h.AssertNil(t, err)
+		h.SkipIf(t, runtime.GOOS != "windows", "skip cmd tests on unix")
+		tmpDir, err = os.MkdirTemp("", "shell-test")
+		h.AssertNil(t, err)
+		shell = &launch.CmdShell{Exec: hl.SyscallExecWithStdout(t, tmpDir)}
+	})
+
+	it.After(func() {
+		h.AssertNil(t, os.RemoveAll(tmpDir))
+	})
+
+	when("#Launch", func() {
+		var process launch.ShellProcess
+
+		when("is not script", func() {
+			when("there are profiles", func() {
+				it.Before(func() {
+					h.AssertNil(t, err)
+					process = launch.ShellProcess{
+						Script:  false,
+						Command: "echo",
+						Args:    []string{"profile env: '!PROFILE_VAR!'"},
+						Env: []string{
+							"SOME_VAR=some-val",
+						},
+						WorkingDirectory: defaultDir,
+					}
+					process.Profiles = []string{
+						filepath.Join("testdata", "profiles", "print_argv0.bat"),
+						filepath.Join("testdata", "profiles", "print_env.bat"),
+						filepath.Join("testdata", "profiles", "set_env.bat"),
+					}
+				})
+
+				it("runs the profiles from the default directory", func() {
+					process.Profiles = []string{
+						filepath.Join("testdata", "profiles", "pwd.bat"),
+					}
+					err = shell.Launch(process)
+					h.AssertNil(t, err)
+					stdout := rdfile(t, filepath.Join(tmpDir, "stdout"))
+					h.AssertStringContains(t, stdout, fmt.Sprintf("profile directory: %s\r\n", defaultDir))
+				})
+
+				it("runs the command from the working directory", func() {
+					process.WorkingDirectory = tmpDir
+					process.Command = "echo"
+					process.Args = []string{
+						"process",
+						"working",
+						"directory:",
+						"&&",
+						"cd",
+					}
+					err = shell.Launch(process)
+					h.AssertNil(t, err)
+					stdout := rdfile(t, filepath.Join(tmpDir, "stdout"))
+					h.AssertStringContains(t, stdout, fmt.Sprintf("process working directory: \r\n%s\r\n", tmpDir))
+				})
+
+				it("sets argv0 for profile scripts to profile script path", func() {
+					err := shell.Launch(process)
+					h.AssertNil(t, err)
+					stdout := rdfile(t, filepath.Join(tmpDir, "stdout"))
+					if len(stdout) == 0 {
+						stderr := rdfile(t, filepath.Join(tmpDir, "stderr"))
+						t.Fatalf("stdout was empty: stderr: %s\n", stderr)
+					}
+					h.AssertStringContains(t, stdout, fmt.Sprintf("profile argv0: '%s'", filepath.Join("testdata", "profiles", "print_argv0.bat")))
+				})
+
+				it("sets env for profile scripts", func() {
+					err := shell.Launch(process)
+					h.AssertNil(t, err)
+					stdout := rdfile(t, filepath.Join(tmpDir, "stdout"))
+					if len(stdout) == 0 {
+						stderr := rdfile(t, filepath.Join(tmpDir, "stderr"))
+						t.Fatalf("stdout was empty: stderr: %s\n", stderr)
+					}
+					h.AssertStringContains(t, stdout, "SOME_VAR: 'some-val'")
+				})
+
+				it("env vars set in profile scripts are available to the command", func() {
+					err := shell.Launch(process)
+					h.AssertNil(t, err)
+					stdout := rdfile(t, filepath.Join(tmpDir, "stdout"))
+					if len(stdout) == 0 {
+						stderr := rdfile(t, filepath.Join(tmpDir, "stderr"))
+						t.Fatalf("stdout was empty: stderr: %s\n", stderr)
+					}
+					h.AssertStringContains(t, stdout, "profile env: 'some-profile-var'")
+				})
+			})
+
+			it("sets env", func() {
+				process = launch.ShellProcess{
+					Script:  false,
+					Command: `echo`,
+					Args:    []string{"SOME_VAR: '%SOME_VAR%'"},
+					Env: []string{
+						"SOME_VAR=some-val",
+					},
+					WorkingDirectory: defaultDir,
+				}
+				err := shell.Launch(process)
+				h.AssertNil(t, err)
+				stdout := rdfile(t, filepath.Join(tmpDir, "stdout"))
+				if len(stdout) == 0 {
+					stderr := rdfile(t, filepath.Join(tmpDir, "stderr"))
+					t.Fatalf("stdout was empty: stderr: %s\n", stderr)
+				}
+				h.AssertStringContains(t, stdout, "SOME_VAR: 'some-val'")
+			})
+		})
+	})
+}

launch/exec_d.go

@@ -61,8 +61,3 @@ func (e *ExecDRunner) ExecD(path string, env Env) error {
 	}
 	return nil
 }
-
-func setHandle(cmd *exec.Cmd, f *os.File) error {
-	cmd.ExtraFiles = []*os.File{f}
-	return nil
-}

launch/exec_d_test.go

@@ -5,6 +5,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"runtime"
 	"testing"
 
 	"github.com/golang/mock/gomock"
@@ -41,7 +42,11 @@ func testExecD(t *testing.T, when spec.G, it spec.S) {
 			wd, err := os.Getwd()
 			h.AssertNil(t, err)
 
-			path = filepath.Join(tmpDir, "execd")
+			exe := ""
+			if runtime.GOOS == "windows" {
+				exe = ".exe"
+			}
+			path = filepath.Join(tmpDir, "execd"+exe)
 
 			//#nosec G204
 			cmd := exec.Command("go", "build",

launch/exec_d_unix.go

@@ -0,0 +1,14 @@
+//go:build linux || darwin
+// +build linux darwin
+
+package launch
+
+import (
+	"os"
+	"os/exec"
+)
+
+func setHandle(cmd *exec.Cmd, f *os.File) error {
+	cmd.ExtraFiles = []*os.File{f}
+	return nil
+}

launch/exec_d_windows.go

@@ -0,0 +1,25 @@
+package launch
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"syscall"
+
+	"golang.org/x/sys/windows"
+)
+
+const EnvExecDHandle = "CNB_EXEC_D_HANDLE"
+
+func setHandle(cmd *exec.Cmd, f *os.File) error {
+	handle := f.Fd()
+	if err := windows.SetHandleInformation(windows.Handle(handle), windows.HANDLE_FLAG_INHERIT, windows.HANDLE_FLAG_INHERIT); err != nil {
+		return err
+	}
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		AdditionalInheritedHandles: []syscall.Handle{syscall.Handle(handle)},
+	}
+
+	cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%#x", EnvExecDHandle, handle))
+	return nil
+}

launch/launcher_test.go

@@ -3,6 +3,8 @@ package launch_test
 import (
 	"os"
 	"path/filepath"
+	"runtime"
+	"strings"
 	"testing"
 
 	"github.com/golang/mock/gomock"
@@ -122,7 +124,11 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				process.Direct = true
 
 				// set command to something on the real path so exec.LookPath succeeds
-				process.Command = launch.NewRawCommand([]string{"sh"})
+				if runtime.GOOS == "windows" {
+					process.Command = launch.NewRawCommand([]string{"notepad"})
+				} else {
+					process.Command = launch.NewRawCommand([]string{"sh"})
+				}
 
 				mockEnv.EXPECT().Get("PATH").Return("some-path").AnyTimes()
 				launcher.Setenv = func(k string, v string) error {
@@ -148,7 +154,11 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				if len(syscallExecArgsColl) != 1 {
 					t.Fatalf("expected syscall.Exec to be called once: actual %v\n", syscallExecArgsColl)
 				}
-				h.AssertMatch(t, syscallExecArgsColl[0].argv0, ".*/bin/sh$")
+				if runtime.GOOS == "windows" {
+					h.AssertEq(t, strings.ToLower(syscallExecArgsColl[0].argv0), `c:\windows\system32\notepad.exe`)
+				} else {
+					h.AssertMatch(t, syscallExecArgsColl[0].argv0, ".*/bin/sh$")
+				}
 			})
 
 			it("should set argv to command+args", func() {
@@ -156,7 +166,11 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				if len(syscallExecArgsColl) != 1 {
 					t.Fatalf("expected syscall.Exec to be called once: actual %v\n", syscallExecArgsColl)
 				}
-				h.AssertEq(t, syscallExecArgsColl[0].argv, []string{"sh", "arg1", "arg2"})
+				if runtime.GOOS == "windows" {
+					h.AssertEq(t, syscallExecArgsColl[0].argv, []string{"notepad", "arg1", "arg2"})
+				} else {
+					h.AssertEq(t, syscallExecArgsColl[0].argv, []string{"sh", "arg1", "arg2"})
+				}
 			})
 
 			it("should set envv", func() {
@@ -425,10 +439,17 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 						filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "some-process-type"),
 					)
 
-					mkfile(t, "", filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1"))
-					mkfile(t, "", filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "some-process-type", "prof1"))
-					mkfile(t, "", filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2"))
-					mkfile(t, "", filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "some-process-type", "prof2"))
+					if runtime.GOOS == "windows" {
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1.bat"))
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "some-process-type", "prof1.bat"))
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2.bat"))
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "some-process-type", "prof2.bat"))
+					} else {
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1"))
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "some-process-type", "prof1"))
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2"))
+						mkfile(t, "", filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "some-process-type", "prof2"))
+					}
 
 					mockEnv.EXPECT().AddRootDir(gomock.Any()).AnyTimes()
 					mockEnv.EXPECT().AddEnvDir(gomock.Any(), gomock.Any()).AnyTimes()
@@ -437,10 +458,17 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 				it("sets the profiles", func() {
 					h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
 					h.AssertEq(t, shell.nCalls, 1)
-					h.AssertEq(t, shell.process.Profiles, []string{
-						filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1"),
-						filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2"),
-					})
+					if runtime.GOOS == "windows" {
+						h.AssertEq(t, shell.process.Profiles, []string{
+							filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1.bat"),
+							filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2.bat"),
+						})
+					} else {
+						h.AssertEq(t, shell.process.Profiles, []string{
+							filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1"),
+							filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2"),
+						})
+					}
 				})
 
 				when("process has a type", func() {
@@ -451,12 +479,21 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 					it("includes type-specifc  profiles", func() {
 						h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
 						h.AssertEq(t, shell.nCalls, 1)
-						h.AssertEq(t, shell.process.Profiles, []string{
-							filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1"),
-							filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "some-process-type", "prof1"),
-							filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2"),
-							filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "some-process-type", "prof2"),
-						})
+						if runtime.GOOS == "windows" {
+							h.AssertEq(t, shell.process.Profiles, []string{
+								filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1.bat"),
+								filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "some-process-type", "prof1.bat"),
+								filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2.bat"),
+								filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "some-process-type", "prof2.bat"),
+							})
+						} else {
+							h.AssertEq(t, shell.process.Profiles, []string{
+								filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "prof1"),
+								filepath.Join(tmpDir, "launch", "0.7_buildpack", "layer", "profile.d", "some-process-type", "prof1"),
+								filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "prof2"),
+								filepath.Join(tmpDir, "launch", "0.8_buildpack", "layer", "profile.d", "some-process-type", "prof2"),
+							})
+						}
 					})
 				})
 			})
@@ -553,13 +590,34 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 						process.Args = []string{}
 					})
 
-					it("is script", func() {
-						h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
-						h.AssertEq(t, shell.nCalls, 1)
+					when("linux", func() {
+						it.Before(func() {
+							h.SkipIf(t, runtime.GOOS == "windows", "linux test")
+						})
 
-						if !shell.process.Script {
-							t.Fatalf("expected script process")
-						}
+						it("is script", func() {
+							h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
+							h.AssertEq(t, shell.nCalls, 1)
+
+							if !shell.process.Script {
+								t.Fatalf("expected script process")
+							}
+						})
+					})
+
+					when("windows", func() {
+						it.Before(func() {
+							h.SkipIf(t, runtime.GOOS != "windows", "windows test")
+						})
+
+						it("is not script", func() {
+							h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
+							h.AssertEq(t, shell.nCalls, 1)
+
+							if shell.process.Script {
+								t.Fatalf("did not expect script process")
+							}
+						})
 					})
 				})
 			})
@@ -581,13 +639,34 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 						process.Args = []string{}
 					})
 
-					it("is script", func() {
-						h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
-						h.AssertEq(t, shell.nCalls, 1)
+					when("linux", func() {
+						it.Before(func() {
+							h.SkipIf(t, runtime.GOOS == "windows", "linux test")
+						})
 
-						if !shell.process.Script {
-							t.Fatalf("expected script process")
-						}
+						it("is script", func() {
+							h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
+							h.AssertEq(t, shell.nCalls, 1)
+
+							if !shell.process.Script {
+								t.Fatalf("expected script process")
+							}
+						})
+					})
+
+					when("windows", func() {
+						it.Before(func() {
+							h.SkipIf(t, runtime.GOOS != "windows", "windows test")
+						})
+
+						it("is not script", func() {
+							h.AssertNil(t, launcher.LaunchProcess("/path/to/launcher", process))
+							h.AssertEq(t, shell.nCalls, 1)
+
+							if shell.process.Script {
+								t.Fatalf("did not expect script process")
+							}
+						})
 					})
 				})
 			})

launch/launcher_unix.go

@@ -1,4 +1,5 @@
-//go:build unix
+//go:build linux || darwin
+// +build linux darwin
 
 package launch
 

launch/shell.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 
 	"github.com/pkg/errors"
@@ -89,6 +90,10 @@ func (l *Launcher) populateLayerProfiles(procType string, profiles *[]string) di
 }
 
 func (l *Launcher) isScript(proc Process) (bool, error) {
+	if runtime.GOOS == "windows" {
+		// Windows does not support script commands
+		return false, nil
+	}
 	if len(proc.Args) == 0 {
 		return true, nil
 	}

launch/testdata/cmd/execd/fd_unix.go

@@ -1,4 +1,5 @@
-//go:build unix
+//go:build linux || darwin
+// +build linux darwin
 
 package main