Merge pull request #1534 from buildpacks/dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

Bump github.com/go-viper/mapstructure/v2 from 2.3.0 to 2.4.0
2025-08-21 12:37:38 -05:00 · 2025-08-21 15:21:02 +00:00 · 2025-08-19 13:15:59 -05:00 · 2025-08-14 14:46:42 -05:00 · 2025-08-14 12:40:41 -05:00 · 2025-08-13 11:21:21 -05:00
784 changed files with 44210 additions and 10624 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1 @@
+out
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -2,12 +2,14 @@
 name: Bug
 about: Bug report
 title: ''
-labels: status/triage, type/bug
+labels: type/bug, status/triage
 assignees: ''

 ---
+
 ### Summary
-<!--- Please provide a general summary of the issue. -->
+<!-- Please provide a general summary of the issue. -->
+


 ---
@ -15,17 +17,20 @@ assignees: ''
 ### Reproduction

 ##### Steps
-<!--- What steps should be taken to reproduce the issue? -->
+<!-- What steps should be taken to reproduce the issue? -->

 1.
 2.
 3.

 ##### Current behavior
-<!--- What happened? Logs, etc. could go here. -->
+<!-- What happened? Logs, etc. could go here. -->
+
+
+
+##### Expected behavior
+<!-- What did you expect to happen? -->

-##### Expected
-<!--- What did you expect to happen? -->


 ---
@ -33,10 +38,15 @@ assignees: ''
 ### Context

 ##### lifecycle version
-<!--- If you can find this, it helps us pin down the issue. For example, run `pack inspect-builder BUILDER` which should report the lifecycle version in question. -->
+<!-- If you can find this, it helps us pin down the issue. For example, run `pack builder inspect <builder name>` which should report the lifecycle version in question. -->
+
+

 ##### platform version(s)
-<!--- For example run `pack report` and `docker info` and copy output here. -->
+<!-- For example run `pack report` and `docker info` and copy output here, redacting any sensitive information. -->
+
+

 ##### anything else?
-<!--- Tekton task version, kpack version, etc. -->
+<!-- Add any other context that may help (e.g., Tekton task version, kpack version, etc.). -->
+
--- a/.github/ISSUE_TEMPLATE/chore.md
+++ b/.github/ISSUE_TEMPLATE/chore.md
@ -0,0 +1,26 @@
+---
+name: Chore
+about: Suggest a chore that will help contributors and doesn't affect end users
+title: ''
+labels: type/chore, status/triage
+assignees: ''
+
+---
+
+### Summary
+<!-- Please describe why this chore matters, who will enjoy it and how. -->
+
+
+
+---
+
+### Proposal
+<!-- How do you think the chore should be implemented? -->
+
+
+
+---
+
+### Context
+<!-- Add any other context that may help. -->
+
--- a/.github/ISSUE_TEMPLATE/feature.md
+++ b/.github/ISSUE_TEMPLATE/feature.md
@ -0,0 +1,33 @@
+---
+name: Feature request
+about: Suggest a new feature or an improvement to existing functionality
+title: ''
+labels: type/enhancement, status/triage
+assignees: ''
+
+---
+
+### Summary
+<!-- Please describe the feature and why it matters. -->
+
+
+
+---
+
+### Proposal
+<!-- How do you think the feature should be implemented? -->
+
+
+
+---
+
+### Related
+<!-- If this feature addresses an RFC, please provide the RFC number below. -->
+
+RFC #___
+
+---
+
+### Context
+<!-- Add any other context that may help. -->
+
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,16 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: weekly
+  groups:
+    # Group all minor/patch go dependencies into a single PR.
+    go-dependencies:
+      update-types:
+        - "minor"
+        - "patch"
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: weekly
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -0,0 +1,25 @@
+<!-- 🎉🎉🎉 Thank you for the PR!!! 🎉🎉🎉 -->
+
+### Summary
+<!-- Please describe your changes at a high level. -->
+
+
+
+#### Release notes
+<!-- Please provide 1-2 sentences for release notes. -->
+<!-- Example: When using platform API `0.7` or greater, the `creator` logs the expected phase header for the analyze phase -->
+
+
+
+---
+
+### Related
+<!-- If this PR addresses an issue, please provide the issue number below. -->
+
+Resolves #___
+
+---
+
+### Context
+<!-- Add any other context that may help reviewers (e.g., code that requires special attention, etc.). -->
+
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -3,38 +3,227 @@ name: build
 on:
  push:
    branches:
-      - master
+      - main
+      - 'release/**'
  pull_request:
    branches:
-      - master
+      - main
+      - 'release/**'

 jobs:
-  test-and-build:
+  test-linux-amd64:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - name: Set up go
-        uses: actions/setup-go@v2-beta
+      - uses: actions/checkout@v4
        with:
-          go-version: '1.14'
-      - name: Set up go env
-        run: |
-          echo "::set-env name=GOPATH::$(go env GOPATH)"
-          echo "::add-path::$(go env GOPATH)/bin"
-        shell: bash
+          fetch-depth: '0'
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: 'go.mod'
      - name: Install jq
        run: |
          mkdir -p deps/bin
          curl -s -L -o deps/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
          chmod +x deps/bin/jq
-          echo "::add-path::${PWD}/deps/bin"
+          echo "${PWD}/deps/bin" >> $GITHUB_PATH
      - name: Test
+        env:
+          TEST_COVERAGE: 1
        run: make test
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          file: ./out/tests/coverage-unit.txt
+          flags: unit,os_linux
+          fail_ci_if_error: true
+          verbose: true
+  test-linux-arm64:
+    runs-on: linux-arm64
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: 'go.mod'
+      - name: Test
+        run: |
+          make format || true
+          make test
+  build-and-publish:
+    needs:
+      - test-linux-amd64
+      - test-linux-arm64
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # fetch all history for all branches and tags
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: 'go.mod'
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3
+      - name: Set version
+        run: |
+          echo "LIFECYCLE_VERSION=$(go run tools/version/main.go)" | tee -a $GITHUB_ENV version.txt
+      - uses: actions/upload-artifact@v4
+        with:
+          name: version
+          path: version.txt
+      - name: Set tag
+        run: |
+          echo "LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)" >> tag.txt
+      - uses: actions/upload-artifact@v4
+        with:
+          name: tag
+          path: tag.txt
      - name: Build
        run: |
+          make clean
          make build
          make package
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
        with:
          name: lifecycle-linux-x86-64
          path: out/lifecycle-v*+linux.x86-64.tgz
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-linux-x86-64-sha256
+          path: out/lifecycle-v*+linux.x86-64.tgz.sha256
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-linux-arm64
+          path: out/lifecycle-v*+linux.arm64.tgz
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-linux-arm64-sha256
+          path: out/lifecycle-v*+linux.arm64.tgz.sha256
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-linux-ppc64le
+          path: out/lifecycle-v*+linux.ppc64le.tgz
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-linux-ppc64le-sha256
+          path: out/lifecycle-v*+linux.ppc64le.tgz.sha256
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-linux-s390x
+          path: out/lifecycle-v*+linux.s390x.tgz
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-linux-s390x-sha256
+          path: out/lifecycle-v*+linux.s390x.tgz.sha256
+      - name: Generate SBOM JSON
+        uses: CycloneDX/gh-gomod-generate-sbom@v2
+        with:
+          args: mod -licenses -json -output lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json
+          version: ^v1
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-bom-cdx
+          path: lifecycle-v*-bom.cdx.json
+      - name: Calculate SBOM sha
+        run: |
+          shasum -a 256 lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json > lifecycle-v${{ env.LIFECYCLE_VERSION }}-bom.cdx.json.sha256
+      - uses: actions/upload-artifact@v4
+        with:
+          name: lifecycle-bom-cdx-sha256
+          path: lifecycle-v*-bom.cdx.json.sha256
+      - uses: azure/docker-login@v2
+        if: github.event_name == 'push'
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - uses: actions/download-artifact@v5
+        with:
+          name: tag
+      - name: Set env
+        run: |
+          cat tag.txt >> $GITHUB_ENV
+      - name: Publish images
+        if: github.event_name == 'push'
+        run: |
+          DOCKER_CLI_EXPERIMENTAL=enabled
+          LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)
+
+          LINUX_AMD64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.x86-64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64 | awk '{print $NF}')
+          echo "LINUX_AMD64_SHA: $LINUX_AMD64_SHA"
+
+          LINUX_ARM64_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.arm64.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64 -arch arm64 | awk '{print $NF}')
+          echo "LINUX_ARM64_SHA: $LINUX_ARM64_SHA"
+
+          LINUX_PPC64LE_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.ppc64le.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-ppc64le -arch ppc64le | awk '{print $NF}')
+          echo "LINUX_PPC64LE_SHA: LINUX_PPC64LE_SHA"
+
+          LINUX_S390X_SHA=$(go run ./tools/image/main.go -lifecyclePath ./out/lifecycle-v*+linux.s390x.tgz -tag buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-s390x -arch s390x | awk '{print $NF}')
+          echo "LINUX_S390X_SHA: $LINUX_S390X_SHA"
+
+          docker manifest create buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG} \
+              buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-x86-64@${LINUX_AMD64_SHA} \
+              buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-arm64@${LINUX_ARM64_SHA} \
+              buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-ppc64le@${LINUX_PPC64LE_SHA} \
+              buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}-linux-s390x@${LINUX_S390X_SHA}
+
+          MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG})
+          echo "MANIFEST_SHA: $MANIFEST_SHA"
+
+          cosign sign -r -y \
+            -a tag=${LIFECYCLE_IMAGE_TAG} \
+            buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}@${MANIFEST_SHA}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            -a tag=${LIFECYCLE_IMAGE_TAG} \
+            buildpacksio/lifecycle:${LIFECYCLE_IMAGE_TAG}
+      - name: Scan image
+        if: github.event_name == 'push'
+        uses: anchore/scan-action@v6
+        with:
+          image: buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}
+  pack-acceptance-linux:
+    if: github.event_name == 'push'
+    needs: build-and-publish
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: 'buildpacks/pack'
+          path: 'pack'
+          ref: 'main'
+          fetch-depth: 0 # fetch all history for all branches and tags
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'pack/go.mod'
+      - uses: actions/download-artifact@v5
+        with:
+          name: version
+      - uses: actions/download-artifact@v5
+        with:
+          name: tag
+      - name: Set env
+        run: |
+          cat version.txt >> $GITHUB_ENV
+          cat tag.txt >> $GITHUB_ENV
+      - uses: actions/download-artifact@v5
+        with:
+          name: lifecycle-linux-x86-64
+          path: pack
+      - name: Run pack acceptance
+        run: |
+          cd pack
+          git checkout $(git describe --abbrev=0 --tags) # check out the latest tag
+          LIFECYCLE_PATH="../lifecycle-v${{ env.LIFECYCLE_VERSION }}+linux.x86-64.tgz" \
+          LIFECYCLE_IMAGE="buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}" \
+          make acceptance
--- a/.github/workflows/check-latest-release.yml
+++ b/.github/workflows/check-latest-release.yml
@ -0,0 +1,127 @@
+name: check-latest-release
+
+on:
+  schedule:
+    - cron: 0 2 * * 1,4
+  workflow_dispatch: {}
+
+jobs:
+  check-release:
+    runs-on:
+      - ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: 'go.mod'
+      - name: Get previous release tag
+        id: get-previous-release-tag
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          result-encoding: string
+          script: |
+            return github.rest.repos.getLatestRelease({
+                owner: "buildpacks",
+                repo: "lifecycle",
+            }).then(result => {
+                return result.data.tag_name
+            })
+      - name: Read go and release versions
+        id: read-versions
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          #!/usr/bin/env bash
+          
+          set -euo pipefail
+          
+          LATEST_GO_VERSION=$(go version | cut -d ' ' -f 3)
+          
+          LATEST_RELEASE_VERSION=${{ steps.get-previous-release-tag.outputs.result }}
+          
+          wget https://github.com/buildpacks/lifecycle/releases/download/$LATEST_RELEASE_VERSION/lifecycle-$LATEST_RELEASE_VERSION+linux.x86-64.tgz -O lifecycle.tgz
+          tar xzf lifecycle.tgz
+          LATEST_RELEASE_GO_VERSION=$(go version ./lifecycle/lifecycle | cut -d ' ' -f 2)
+          
+          echo "latest-go-version=${LATEST_GO_VERSION}" >> "$GITHUB_OUTPUT"
+          echo "latest-release-go-version=${LATEST_RELEASE_GO_VERSION}" >> "$GITHUB_OUTPUT"
+          
+          LATEST_RELEASE_VERSION=$(echo $LATEST_RELEASE_VERSION | cut -d \v -f 2)
+          echo "latest-release-version=${LATEST_RELEASE_VERSION}" >> "$GITHUB_OUTPUT"
+      - name: Create issue if needed
+        if: ${{ steps.read-versions.outputs.latest-go-version != steps.read-versions.outputs.latest-release-go-version }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          #!/usr/bin/env bash
+          
+          set -euo pipefail
+          
+          title="Upgrade lifecycle to ${{ steps.read-versions.outputs.latest-go-version }}"
+          label=${{ steps.read-versions.outputs.latest-go-version }}
+          
+          # Create label to use for exact search
+          gh label create "$label" || true
+          
+          search_output=$(gh issue list --search "$title" --label "$label")
+          
+          body="Latest lifecycle release v${{ steps.read-versions.outputs.latest-release-version }} is built with Go version ${{ steps.read-versions.outputs.latest-release-go-version }}; newer version ${{ steps.read-versions.outputs.latest-go-version }} is available."
+          
+          if [ -z "${search_output// }" ]
+          then
+            echo "No issues matched search; creating new issue..."
+            gh issue create \
+              --label "type/bug" \
+              --label "status/triage" \
+              --label "$label" \
+              --title "$title" \
+              --body "$body"
+          else
+            echo "Found matching issues:"
+            echo $search_output
+          fi
+      - name: Scan latest release image
+        id: scan-image
+        uses: anchore/scan-action@v6
+        with:
+          image: buildpacksio/lifecycle:${{ steps.read-versions.outputs.latest-release-version }}
+          fail-build: true
+          severity-cutoff: medium
+          output-format: json
+      - name: Create issue if needed
+        if: failure() && steps.scan-image.outcome == 'failure'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+            #!/usr/bin/env bash
+
+            set -euo pipefail
+
+            title="CVE(s) found in v${{ steps.read-versions.outputs.latest-release-version }}"
+            label=cve
+
+            # Create label to use for exact search
+            gh label create "$label" || true
+
+            search_output=$(gh issue list --search "$title" --label "$label")
+
+            GITHUB_WORKFLOW_URL=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
+            body="Latest lifecycle release v${{ steps.read-versions.outputs.latest-release-version }} triggered CVE(s) from Grype. For further details, see: $GITHUB_WORKFLOW_URL json: $(cat ${{ steps.scan-image.outputs.json }} | jq '.matches[] | .vulnerability | {id, severity, description}' )"
+
+            if [ -z "${search_output// }" ]
+            then
+              echo "No issues matched search; creating new issue..."
+              gh issue create \
+              --label "type/bug" \
+              --label "status/triage" \
+              --label "$label" \
+              --title "$title" \
+              --body "$body"
+            else
+              echo "Found matching issues:"
+              echo $search_output
+            fi
--- a/.github/workflows/draft-release.yml
+++ b/.github/workflows/draft-release.yml
@ -0,0 +1,209 @@
+name: draft-release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  draft-release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install jq
+        run: |
+          mkdir -p deps/bin
+          curl -s -L -o deps/bin/jq https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64
+          chmod +x deps/bin/jq
+          echo "${PWD}/deps/bin" >> $GITHUB_PATH
+      - name: Derive lifecycle version from branch name
+        run: |
+          [[ $GITHUB_REF =~ ^refs\/heads\/release/(.*)$ ]] && version=${BASH_REMATCH[1]}
+          if [[ -z "${version}" ]]; then
+            echo "lifecycle version not detected."
+            exit 1
+          fi
+          echo "LIFECYCLE_VERSION=$version" >> $GITHUB_ENV
+      - name: Determine download urls for linux-x86-64, linux-arm64, linux-ppc64le, linux-s390x
+        id: artifact-urls
+        # FIXME: this script should be updated to work with actions/github-script@v6
+        uses: actions/github-script@v3
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            return github.actions
+              .listRepoWorkflows({
+                 owner: "${{ github.repository_owner }}",
+                 repo: "lifecycle",
+              })
+              .then(workflows_result => {
+                let workflows = workflows_result.data.workflows
+                  .filter(a => a.name === "build" && a.state === "active")
+                  .map(a => a.id);
+                if (workflows.length === 0) {
+                  throw "no active workflows found with name build"
+                }
+                return workflows[0]
+              })
+              .then(workflow_id => {
+                return github.actions.listWorkflowRunsForRepo({
+                  owner: "${{ github.repository_owner }}",
+                  repo: "lifecycle",
+                  workflow_id: workflow_id,
+                  branch: "release/${{ env.LIFECYCLE_VERSION }}",
+                  event: "push"
+                })
+              })
+              .then(workflow_runs_result => {
+                let workflow_runs = workflow_runs_result.data.workflow_runs
+                  .filter(run => run.conclusion === "success")
+                  .filter(run => run.head_sha === "${{ github.sha }}");
+                if (workflow_runs.length === 0) {
+                  throw "no successful workflow runs found for commit"
+                }
+                return workflow_runs[0].id
+              })
+              .then(workflow_runid => {
+                return github.actions.listWorkflowRunArtifacts({
+                  owner: "${{ github.repository_owner }}",
+                  repo: "lifecycle",
+                  run_id: workflow_runid
+                })
+              })
+              .then(artifacts_result => {
+                let tuples = artifacts_result.data.artifacts
+                  .map(artifact => [artifact.name, artifact.archive_download_url]);
+                let urlList = new Array();
+                tuples.forEach(function(tuple) {
+                  if (tuple[0].includes("lifecycle-")) {
+                      urlList.push(tuple[1]);
+                  }
+                })
+                if (urlList.length === 0) {
+                  throw "no artifacts found"
+                }
+                if (urlList.length != 10) {
+                  // found too many artifacts
+                  // list them and throw
+                  console.log(urlList);
+                  throw "there should be exactly 10 artifacts, found " + urlList.length + " artifacts"
+                }
+                return urlList.join(",")
+              })
+      - name: Download artifacts
+        run: |
+          mkdir artifacts
+          echo "ARTIFACTS_PATH=$PWD/artifacts" >> $GITHUB_ENV
+
+          urls=$(echo '${{ steps.artifact-urls.outputs.result }}' | jq -r . )
+
+          for url in $(echo $urls | tr "," "\n"); do
+            curl -sL -w 'RESP_CODE:%{response_code}\n' \
+              --header 'Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' \
+              -o tmp-artifact.zip $url
+            unzip -d artifacts tmp-artifact.zip
+            rm tmp-artifact.zip
+          done
+      - name: Combine checksums
+        run: |
+          cd ${{ env.ARTIFACTS_PATH }}
+          cat *.sha256 | sort > lifecycle-v${{ env.LIFECYCLE_VERSION }}-checksums.txt
+          rm *.sha256
+      - name: Set pre-release kind
+        if: "contains(env.LIFECYCLE_VERSION, 'rc') || contains(env.LIFECYCLE_VERSION, 'pre')" # e.g., 0.99.0-rc.1
+        run: |
+          echo "RELEASE_KIND=pre-release" >> $GITHUB_ENV
+      - name: Set release kind
+        if: "!contains(env.LIFECYCLE_VERSION, 'rc') && !contains(env.LIFECYCLE_VERSION, 'pre')"
+        run: |
+          echo "RELEASE_KIND=release" >> $GITHUB_ENV
+      - name: Get previous release tag
+        id: get-previous-release-tag
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          result-encoding: string
+          script: |
+            return github.rest.repos.getLatestRelease({
+                owner: "buildpacks",
+                repo: "lifecycle",
+            }).then(result => {
+                return result.data.tag_name
+            })
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: 'go.mod'
+      - name: Get go version
+        id: get-go-version
+        run: |
+          mkdir tmp
+          tar xzvf ${{ env.ARTIFACTS_PATH }}/lifecycle-v${{ env.LIFECYCLE_VERSION }}+linux.x86-64.tgz -C tmp/
+          echo "GO_VERSION=$(go version tmp/lifecycle/lifecycle | cut -d ' ' -f 2 | sed -e 's/^go//')" >> $GITHUB_ENV
+      - name: Set release body text
+        run: |
+          cat << EOF > body.txt
+          # lifecycle v${{ env.LIFECYCLE_VERSION }}
+
+          Welcome to v${{ env.LIFECYCLE_VERSION }}, a ${{ env.RELEASE_KIND }} of the Cloud Native Buildpacks Lifecycle.
+
+          ##  Prerequisites
+
+          The lifecycle runs as a normal user in a series of unprivileged containers. To export images and cache image layers, it requires access to a Docker (compatible) daemon **or** an OCI registry.
+
+          ## Install
+
+          Extract the .tgz file and copy the lifecycle binaries into a [build image](https://github.com/buildpacks/spec/blob/main/platform.md#build-image). The build image can then be orchestrated by a platform implementation such as the [pack CLI](https://github.com/buildpack/pack) or [tekton](https://github.com/tektoncd/catalog/tree/main/task/buildpacks).
+
+          ## Lifecycle Image
+
+          An OCI image containing the lifecycle binaries is available at buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}.
+
+          ## Features
+
+          * TODO
+          * Updates go to version ${{ env.GO_VERSION }}
+
+          ## Bugfixes
+
+          * TODO
+
+          ## Chores
+
+          * TODO
+
+          **Full Changelog**: https://github.com/buildpacks/lifecycle/compare/${{ steps.get-previous-release-tag.outputs.result }}...release/${{ env.LIFECYCLE_VERSION }}
+
+          ## Contributors
+
+          We'd like to acknowledge that this release wouldn't be as good without the help of the following amazing contributors:
+
+          TODO
+
+          EOF
+      - name: Create pre-release
+        if: "contains(env.LIFECYCLE_VERSION, 'rc') || contains(env.LIFECYCLE_VERSION, 'pre')" # e.g., 0.99.0-rc.1
+        run: |
+          cd ${{ env.ARTIFACTS_PATH }}
+          gh release create v${{ env.LIFECYCLE_VERSION }} \
+            $(ls | sort | paste -sd " " -) \
+            --draft \
+            --notes-file ../body.txt \
+            --prerelease \
+            --target $GITHUB_REF_NAME \
+            --title "lifecycle v${{ env.LIFECYCLE_VERSION }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Create release
+        if: "!contains(env.LIFECYCLE_VERSION, 'rc') && !contains(env.LIFECYCLE_VERSION, 'pre')"
+        run: |
+          cd ${{ env.ARTIFACTS_PATH }}
+          gh release create v${{ env.LIFECYCLE_VERSION }} \
+            $(ls | sort | paste -sd " " -) \
+            --draft \
+            --notes-file ../body.txt \
+            --target $GITHUB_REF_NAME \
+            --title "lifecycle v${{ env.LIFECYCLE_VERSION }}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/lifecycle-image.yml
+++ b/.github/workflows/lifecycle-image.yml
@ -1,27 +0,0 @@
-name: lifecycle-image
-
-on:
-  release:
-    types:
-      - published
-
-jobs:
-  build-lifecycle-image:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@master
-      - name: Get metadata
-        id: get_metadata
-        run: |
-          echo ::set-output name=LIFECYCLE_VERSION::`echo ${{ github.event.release.tag_name }} | cut -d "v" -f2`
-          echo ::set-output name=BUILDPACK_API::`cat Makefile | grep BUILDPACK_API?= | cut -d "=" -f2`
-          echo ::set-output name=PLATFORM_API::`cat Makefile | grep PLATFORM_API?= | cut -d "=" -f2`
-      - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@master
-        with:
-          name: buildpacksio/lifecycle
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
-          dockerfile: .github/workflows/lifecycle-image/Dockerfile
-          buildargs: LIFECYCLE_URI=https://github.com/buildpacks/lifecycle/releases/download/v${{ steps.get_metadata.outputs.LIFECYCLE_VERSION }}/lifecycle-v${{ steps.get_metadata.outputs.LIFECYCLE_VERSION }}+linux.x86-64.tgz,LIFECYCLE_VERSION=${{ steps.get_metadata.outputs.LIFECYCLE_VERSION }},BUILDPACK_API=${{ steps.get_metadata.outputs.BUILDPACK_API }},PLATFORM_API=${{ steps.get_metadata.outputs.PLATFORM_API }}
-          tags: "latest,${{ steps.get_metadata.outputs.LIFECYCLE_VERSION }}"
--- a/.github/workflows/lifecycle-image/Dockerfile
+++ b/.github/workflows/lifecycle-image/Dockerfile
@ -1,24 +0,0 @@
-# Stage 1
-FROM ubuntu:bionic AS download-and-extract-lifecycle
-
-ARG LIFECYCLE_URI
-
-WORKDIR /tmp
-
-RUN apt-get update && apt-get install -y wget
-
-RUN wget $LIFECYCLE_URI -O lifecycle.tgz && tar xzvf lifecycle.tgz
-
-
-# Stage 2
-FROM gcr.io/distroless/static
-
-ARG LIFECYCLE_VERSION
-ARG BUILDPACK_API
-ARG PLATFORM_API
-
-COPY --from=download-and-extract-lifecycle /tmp/lifecycle /cnb/lifecycle
-
-LABEL io.buildpacks.builder.metadata="{\"lifecycle\":{\"version\":\"$LIFECYCLE_VERSION\",\"api\":{\"buildpack\":\"$BUILDPACK_API\",\"platform\":\"$PLATFORM_API\"}}}"
-
-WORKDIR /layers
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@ -0,0 +1,128 @@
+name: post-release
+
+on:
+  release:
+    types:
+      - published # trigger for releases and pre-releases
+
+jobs:
+  retag-lifecycle-images:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup go
+        uses: actions/setup-go@v5
+        with:
+          check-latest: true
+          go-version-file: 'go.mod'
+      - name: Install crane
+        run: |
+          go install github.com/google/go-containerregistry/cmd/crane@latest
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+      - uses: azure/docker-login@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+      - name: Set env
+        run: |
+          echo "LIFECYCLE_VERSION=$(echo ${{ github.event.release.tag_name }} | cut -d "v" -f2)" >> $GITHUB_ENV
+          echo "LIFECYCLE_IMAGE_TAG=$(git describe --always --abbrev=7)" >> $GITHUB_ENV
+      - name: Verify lifecycle images
+        run: |
+          LINUX_AMD64_SHA=$(cosign verify --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" --certificate-oidc-issuer https://token.actions.githubusercontent.com buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-x86-64 | jq -r .[0].critical.image.\"docker-manifest-digest\")
+          echo "LINUX_AMD64_SHA: $LINUX_AMD64_SHA"
+          echo "LINUX_AMD64_SHA=$LINUX_AMD64_SHA" >> $GITHUB_ENV
+
+          LINUX_ARM64_SHA=$(cosign verify --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" --certificate-oidc-issuer https://token.actions.githubusercontent.com buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-arm64 | jq -r .[0].critical.image.\"docker-manifest-digest\")
+          echo "LINUX_ARM64_SHA: $LINUX_ARM64_SHA"
+          echo "LINUX_ARM64_SHA=$LINUX_ARM64_SHA" >> $GITHUB_ENV
+
+          LINUX_PPC64LE_SHA=$(cosign verify --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" --certificate-oidc-issuer https://token.actions.githubusercontent.com buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-ppc64le | jq -r .[0].critical.image.\"docker-manifest-digest\")
+          echo "LINUX_PPC64LE_SHA: $LINUX_PPC64LE_SHA"
+          echo "LINUX_PPC64LE_SHA=$LINUX_PPC64LE_SHA" >> $GITHUB_ENV
+
+          LINUX_S390X_SHA=$(cosign verify --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" --certificate-oidc-issuer https://token.actions.githubusercontent.com buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-s390x | jq -r .[0].critical.image.\"docker-manifest-digest\")
+          echo "LINUX_S390X_SHA: $LINUX_S390X_SHA"
+          echo "LINUX_S390X_SHA=$LINUX_S390X_SHA" >> $GITHUB_ENV
+
+      - name: Download SBOM
+        run: |
+          gh release download --pattern '*-bom.cdx.json' ${{ github.event.release.tag_name }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Retag lifecycle images & create manifest list - semver
+        run: |
+          DOCKER_CLI_EXPERIMENTAL=enabled
+
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-x86-64@${{ env.LINUX_AMD64_SHA }} ${{ env.LIFECYCLE_VERSION }}-linux-x86-64
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-arm64@${{ env.LINUX_ARM64_SHA }} ${{ env.LIFECYCLE_VERSION }}-linux-arm64
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} ${{ env.LIFECYCLE_VERSION }}-linux-ppc64le
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-s390x@${{ env.LINUX_S390X_SHA }} ${{ env.LIFECYCLE_VERSION }}-linux-s390x
+
+          docker manifest create buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }} \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-x86-64@${{ env.LINUX_AMD64_SHA }} \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-arm64@${{ env.LINUX_ARM64_SHA }} \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}-linux-s390x@${{ env.LINUX_S390X_SHA }}
+
+          MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }})
+          echo "MANIFEST_SHA: $MANIFEST_SHA"
+
+          cosign sign -r -y \
+            -a tag=${{ env.LIFECYCLE_VERSION }} \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}@${MANIFEST_SHA}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/post-release.yml" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            -a tag=${{ env.LIFECYCLE_VERSION }} \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}
+
+          cosign attach sbom --sbom ./*-bom.cdx.json --type cyclonedx buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}
+          cosign sign -r -y \
+            -a tag=${{ env.LIFECYCLE_VERSION }} --attachment sbom \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}@${MANIFEST_SHA}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/post-release.yml" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            -a tag=${{ env.LIFECYCLE_VERSION }} --attachment sbom \
+            buildpacksio/lifecycle:${{ env.LIFECYCLE_VERSION }}
+      - name: Retag lifecycle images & create manifest list - latest
+        if: "!contains(env.LIFECYCLE_VERSION, 'rc') && !contains(env.LIFECYCLE_VERSION, 'pre')"
+        run: |
+          DOCKER_CLI_EXPERIMENTAL=enabled
+
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-x86-64@${{ env.LINUX_AMD64_SHA }} latest-linux-x86-64
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-arm64@${{ env.LINUX_ARM64_SHA }} latest-linux-arm64
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} latest-linux-ppc64le
+          crane tag buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-s390x@${{ env.LINUX_S390X_SHA }} latest-linux-s390x
+
+          docker manifest create buildpacksio/lifecycle:latest \
+            buildpacksio/lifecycle:latest-linux-x86-64@${{ env.LINUX_AMD64_SHA }} \
+            buildpacksio/lifecycle:latest-linux-arm64@${{ env.LINUX_ARM64_SHA }} \
+            buildpacksio/lifecycle:latest-linux-ppc64le@${{ env.LINUX_PPC64LE_SHA }} \
+            buildpacksio/lifecycle:latest-linux-s390x@${{ env.LINUX_S390X_SHA }}
+
+          MANIFEST_SHA=$(docker manifest push buildpacksio/lifecycle:latest)
+          echo "MANIFEST_SHA: $MANIFEST_SHA"
+
+          cosign sign -r -y \
+            -a tag=latest \
+            buildpacksio/lifecycle:latest@${MANIFEST_SHA}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/post-release.yml" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            -a tag=latest \
+            buildpacksio/lifecycle:latest
+
+          cosign attach sbom --sbom ./*-bom.cdx.json --type cyclonedx buildpacksio/lifecycle:latest
+          cosign sign -r -y \
+            -a tag=${{ env.LIFECYCLE_VERSION }} --attachment sbom \
+            buildpacksio/lifecycle:latest@${MANIFEST_SHA}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/post-release.yml" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            -a tag=${{ env.LIFECYCLE_VERSION }} --attachment sbom \
+            buildpacksio/lifecycle:latest
--- a/.github/workflows/test-s390x.yml
+++ b/.github/workflows/test-s390x.yml
@ -0,0 +1,87 @@
+name: test-s390x
+on:
+  push:
+    branches:
+      - main
+      - 'release/**'
+  pull_request:
+    branches:
+      - main
+      - 'release/**'
+
+jobs:
+  test-linux-s390x:
+    if: (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release*')
+    runs-on: ubuntu-latest
+    env:
+      ZVSI_FP_NAME: bp-floating-ci-${{ github.run_id }}
+      ZVSI_INSTANCE_NAME: bp-zvsi-ci-${{ github.run_id }}
+      ZVSI_ZONE_NAME: ca-tor-1
+      ZVSI_PROFILE_NAME: bz2-4x16
+
+    strategy:
+      fail-fast: false
+    steps:
+      - uses: actions/checkout@v4
+      - name: install ibmcli and setup ibm login
+        run: |
+          curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
+          ibmcloud login -q --apikey ${{ secrets.IBMCLOUD_API_KEY }} -r ca-tor
+          ibmcloud plugin install vpc-infrastructure
+      - name: Creation of ZVSI
+        id: ZVSI
+        run: |
+          #creation of zvsi
+          ibmcloud is instance-create $ZVSI_INSTANCE_NAME ${{ secrets.ZVSI_VPC }} $ZVSI_ZONE_NAME $ZVSI_PROFILE_NAME ${{ secrets.ZVSI_SUBNET }} --image ${{ secrets.ZVSI_IMAGE }} --keys ${{ secrets.ZVSI_KEY }} --resource-group-id ${{ secrets.ZVSI_RG_ID }}  --primary-network-interface "{\"name\":\"eth0\",\"allow_ip_spoofing\":false,\"subnet\": {\"name\":\"${{ secrets.ZVSI_SUBNET }}\"},\"security_groups\":[{\"id\":\"${{ secrets.ZVSI_SG }}\"}]}"
+          #Reserving a floating ip to the ZVSI
+          ibmcloud is floating-ip-reserve $ZVSI_FP_NAME --zone $ZVSI_ZONE_NAME --resource-group-id ${{ secrets.ZVSI_RG_ID }} --in $ZVSI_INSTANCE_NAME
+          #Bouding the Floating ip to the ZVSI
+          ibmcloud is floating-ip-update $ZVSI_FP_NAME --nic eth0 --in $ZVSI_INSTANCE_NAME
+          sleep 60
+          #Saving the Floating IP to login ZVSI
+          ZVSI_HOST=$(ibmcloud is floating-ip $ZVSI_FP_NAME | awk '/Address/{print $2}')
+          echo $ZVSI_HOST
+          echo "IP=${ZVSI_HOST}" >> $GITHUB_OUTPUT
+      - name: Status of ZVSI
+        run: |
+          check=$(ibmcloud is ins| awk '/'$ZVSI_INSTANCE_NAME'/{print $3}')
+          while [[ $check != "running" ]]
+          do
+            check=$(ibmcloud is ins | awk '/'$ZVSI_INSTANCE_NAME'/{print $3}')
+            if [[ $check == 'failed' ]]
+            then
+              echo "Failed to run the ZVSI"
+              break
+              fi
+          done
+      - name: Install dependencies and run all tests on s390x ZVSI
+        uses: appleboy/ssh-action@v1.2.2
+        env:
+          GH_REPOSITORY: ${{ github.server_url }}/${{ github.repository }}
+          GH_REF: ${{ github.ref }}
+        with:
+          host: ${{ steps.ZVSI.outputs.IP }}
+          username: ${{ secrets.ZVSI_SSH_USER }}
+          key: ${{ secrets.ZVSI_PR_KEY }}
+          envs: GH_REPOSITORY,GH_REF
+          command_timeout: 100m
+          script: |
+            apt-get update -y
+            apt-get install -y wget curl git make gcc jq docker.io
+            wget https://go.dev/dl/go1.24.6.linux-s390x.tar.gz
+            rm -rf /usr/local/go && tar -C /usr/local -xzf go1.24.6.linux-s390x.tar.gz
+            export PATH=$PATH:/usr/local/go/bin
+            git clone ${GH_REPOSITORY} lifecycle
+            cd lifecycle && git checkout ${GH_REF}
+            go env
+            export PATH=$PATH:~/go/bin
+            make format || true
+            make test
+      - name: Cleanup ZVSI
+        if: ${{ steps.ZVSI.conclusion == 'success' && always() }}
+        run: |
+          #Delete the created ZVSI
+          ibmcloud is instance-delete $ZVSI_INSTANCE_NAME --force
+          sleep 20
+          #Release the created FP
+          ibmcloud is floating-ip-release $ZVSI_FP_NAME --force
--- a/.gitignore
+++ b/.gitignore
@ -3,6 +3,15 @@
 *.coverprofile
 *.test
 *~
+.tool-versions
 /out
+.vscode

-acceptance/testdata/*/container/cnb/lifecycle/*
+acceptance/testdata/*/**/container/cnb/lifecycle/*
+acceptance/testdata/*/**/container/docker-config/*
+
+acceptance/testdata/exporter/container/cnb/run.toml
+acceptance/testdata/exporter/container/layers/*analyzed.toml
+acceptance/testdata/exporter/container/other_layers/*analyzed.toml
+
+acceptance/testdata/restorer/container/layers/*analyzed.toml
--- a/.gitpod.yml
+++ b/.gitpod.yml
@ -0,0 +1,19 @@
+
+tasks:
+  # allow socket to be writable by all
+  # (necessary for acceptance tests / calls from within container)
+  - init: chmod ugo+w /var/run/docker.sock
+  # build linux to install dependencies
+  - init: make tidy build-linux
+github:
+  prebuilds:
+    master: true
+    branches: true
+    pullRequests: true
+    pullRequestsFromForks: true
+    addCheck: true
+
+vscode:
+  extensions:
+    - golang.go
+    - ms-azuretools.vscode-docker
--- a/.grype.yaml
+++ b/.grype.yaml
@ -0,0 +1,5 @@
+ignore:
+  - vulnerability: CVE-2015-5237 # false positive, see https://github.com/anchore/grype/issues/558
+  - vulnerability: CVE-2021-22570 # false positive, see https://github.com/anchore/grype/issues/558
+  - vulnerability: CVE-2024-41110 # non-impactful as we only use docker as a client
+  - vulnerability: GHSA-v23v-6jw2-98fq # non-impactful as we only use docker as a client
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,6 @@
+{
+    "go.testTimeout": "10m",
+    "go.testFlags": [
+        "-v"
+    ]
+}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -0,0 +1,42 @@
+## Policies
+
+This repository adheres to the following project policies:
+
+- [Code of Conduct][code-of-conduct] - How we should act with each other.
+- [Contributing][contributing] - General contributing standards.
+- [Security][security] - Reporting security concerns.
+- [Support][support] - Getting support.
+
+## Contributing to this repository
+
+### Welcome
+
+We welcome contributions to this repository! To get a sense of what the team is currently focusing on, check out our [milestones](https://github.com/buildpacks/lifecycle/milestones). Issues labeled [good first issue](https://github.com/buildpacks/lifecycle/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) and issues in our [docs repo](https://github.com/buildpacks/docs/issues?q=is%3Aissue+is%3Aopen+label%3Ateam%2Fimplementations) are great places to get started, but you are welcome to work on any issue that interests you. For issues requiring a greater degree of coordination, such as those labeled `status/needs-discussion` or that are part of larger epics, please reach out in the #implementation channel in [Slack](https://slack.buildpacks.io/).
+
+### Development
+
+Aside from the policies above, you may find [DEVELOPMENT.md](DEVELOPMENT.md) helpful in developing in this repository.
+
+### Background
+
+Here are some topics that might be helpful in further understanding the lifecycle:
+
+* Cloud Native Buildpacks platform api spec
+  * Example platforms: [pack CLI](https://github.com/buildpack/pack), [Tekton](https://github.com/tektoncd/catalog/blob/master/task/buildpacks/0.1/README.md)
+* Cloud Native Buildpacks buildpack api spec
+  * Example buildpack providers: [Google](https://github.com/GoogleCloudPlatform/buildpacks), [Heroku](https://www.heroku.com/), [Paketo](https://paketo.io/)
+* The Open Container Initiative (OCI) and [OCI image spec](https://github.com/opencontainers/image-spec)
+* Questions to deepen understanding:
+  * What are the different [lifecycle phases](https://buildpacks.io/docs/concepts/components/lifecycle/)? What is the purpose of each phase?
+  * What is a [builder](https://buildpacks.io/docs/concepts/components/builder/)? Is it required to run the lifecycle?
+  * What is the [untrusted builder workflow](https://medium.com/buildpacks/faster-more-secure-builds-with-pack-0-11-0-4d0c633ca619)? Why do we have this flow?
+  * What is the [launcher](https://github.com/buildpacks/spec/blob/main/platform.md#launch)? Why do we have a launcher?
+  * What does a [buildpack](https://buildpacks.io/docs/concepts/components/buildpack/) do? Where does it write data? How does it communicate with the lifecycle?
+  * What does a [platform](https://buildpacks.io/docs/concepts/components/platform/) do? What things does it know about that the lifecycle does not? How does it communicate with the lifecycle?
+  * What is a [stack](https://buildpacks.io/docs/concepts/components/stack/)? Who produces stacks? Why is the stack concept important for the lifecycle?
+
+[code-of-conduct]: https://github.com/buildpacks/.github/blob/main/CODE_OF_CONDUCT.md
+[contributing]: https://github.com/buildpacks/.github/blob/main/CONTRIBUTING.md
+[security]: https://github.com/buildpacks/.github/blob/main/SECURITY.md
+[support]: https://github.com/buildpacks/.github/blob/main/SUPPORT.md
+[pull-request-process]: https://github.com/buildpacks/.github/blob/main/CONTRIBUTIONS.md#pull-request-process
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@ -0,0 +1,105 @@
+# Development
+
+## Prerequisites
+
+* [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)
+    * macOS: _(built-in)_
+    * Windows:
+        * `choco install git -y`
+        * `git config --global core.autocrlf false`
+* [Go](https://golang.org/doc/install)
+    * macOS: `brew install go`
+    * Windows: `choco install golang -y`
+* [Docker](https://www.docker.com/products/docker-desktop)
+* [jq](https://stedolan.github.io/jq/) and [yj](https://github.com/sclevine/yj) utilities
+    * macOS: `brew install jq yj`
+    * Windows:
+        * `choco insall jq -y`
+        * `go get github.com/sclevine/yj`
+* Make (and build tools)
+    * macOS: `xcode-select --install`
+    * Windows:
+        * `choco install cygwin make -y`
+        * `[Environment]::SetEnvironmentVariable("PATH", "C:\tools\cygwin\bin;$ENV:PATH", "MACHINE")`
+
+### Caveats
+
+* The acceptance tests require the docker daemon to be able to communicate with a local containerized insecure registry. On Docker Desktop 3.3.x, this may result in failures such as: `Expected nil: push response: : Get http://localhost:<port>/v2/: dial tcp [::1]:<port>: connect: connection refused`. To fix these failures, it may be necessary to add the following to the Docker Desktop Engine config:
+    * macOS: Docker > Preferences > Docker Engine:
+```
+  "insecure-registries": [
+    "<my-host-ip>/32"
+  ]
+```
+
+### Testing GitHub actions on forks
+
+The lifecycle release process involves chaining a series of GitHub actions together such that:
+* The "build" workflow creates the artifacts
+  * .tgz files containing the lifecycle binaries, shasums for the .tgz files, an SBOM, etc.
+  * OCI images containing the lifecycle binaries, tagged with their commit sha (for more information, see RELEASE.md)
+* The "draft-release" workflow finds the artifacts and downloads them, creating the draft release
+* The "post-release" workflow re-tags the OCI images that were created during the "build" workflow with the release version
+
+It can be rather cumbersome to test changes to these workflows, as they are heavily intertwined. Thus we recommend forking the buildpacks/lifecycle repository in GitHub and running through the entire release process end-to-end.
+For the fork, it is necessary to add the following secrets:
+* DOCKER_PASSWORD (if not using ghcr.io)
+* DOCKER_USERNAME (if not using ghcr.io)
+
+The tools/test-fork.sh script can be used to update the source code to reflect the state of the fork.
+It can be invoked like so: `./tools/test-fork.sh <registry repo name>`
+
+## Tasks
+
+To test, build, and package binaries into an archive, simply run:
+
+```bash
+$ make all
+```
+This will create archives at `out/lifecycle-<LIFECYCLE_VERSION>+linux.x86-64.tgz` and `out/lifecycle-<LIFECYCLE_VERSION>+windows.x86-64.tgz`.
+
+`LIFECYCLE_VERSION` defaults to the value returned by `git describe --tags` if not on a release branch (for more information about the release process, see [RELEASE](RELEASE.md)). It can be changed by prepending `LIFECYCLE_VERSION=<some version>` to the
+`make` command. For example:
+
+```bash
+$ LIFECYCLE_VERSION=1.2.3 make all
+```
+
+Steps can also be run individually as shown below.
+
+### Test
+
+Formats, vets, and tests the code.
+
+```bash
+$ make test
+```
+
+#### Mocks
+
+We use mock generators like most golang projects to help with our testing. To make new mocks:
+```bash
+$ make generate
+$ make format lint
+```
+
+This is because the mock generator will make a larger diff that the formatter will fix.
+
+### Build
+
+Builds binaries to `out/linux/lifecycle/` and `out/windows/lifecycle/`.
+
+```bash
+$ make build
+```
+
+> To clean the `out/` directory, run `make clean`.
+
+### Package
+
+Creates archives at `out/lifecycle-<LIFECYCLE_VERSION>+linux.x86-64.tgz` and `out/lifecycle-<LIFECYCLE_VERSION>+windows.x86-64.tgz`, using the contents of the
+`out/linux/lifecycle/` directory, for the given (or default) `LIFECYCLE_VERSION`.
+
+```bash
+$ make package
+```
--- a/IMAGE.md
+++ b/IMAGE.md
@ -0,0 +1,44 @@
+# Quick reference
+
+This image is maintained by the [Cloud Native Buildpacks project](https://buildpacks.io/). The maintainers can be contacted via the [Cloud Native Buildpacks Slack](https://slack.buildpacks.io/), or by opening an issue on the `buildpacks/lifecycle` [GitHub repo](https://github.com/buildpacks/lifecycle).
+
+# Supported tags
+
+Supported tags are semver-versioned manifest lists - e.g., `0.12.0` or `0.12.0-rc.1`, pointing to one of the following os/architectures:
+* `linux/amd64`
+* `linux/arm64`
+
+# About this image
+
+Images are built in [GitHub actions](https://github.com/buildpacks/lifecycle/actions) and signed with [`cosign`](https://github.com/sigstore/cosign). To verify:
+* Run:
+```
+cosign version # must be at least 2.0.0
+cosign verify \
+  --certificate-identity-regexp "https://github.com/buildpacks/lifecycle/.github/workflows/post-release.yml" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  buildpacksio/lifecycle:<tag>
+```
+
+A CycloneDX SBOM is "attached" to the image and signed with [`cosign`](https://github.com/sigstore/cosign). To verify:
+* Run:
+```
+cosign version # must be at least 2.0.0
+cosign verify \
+  --certificate-identity-regexp "https://github.com/buildpacks/lifecycle/.github/workflows/post-release.yml" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  -a tag=<tag> -attachment sbom \
+  buildpacksio/lifecycle:<tag>
+cosign download sbom buildpacksio/lifecycle:<tag>
+```
+
+# Using this image
+
+With [pack](https://github.com/buildpack/pack):
+* `pack build <target> --lifecycle-image buildpacksio/lifecycle:<tag>`
+
+With [tekton](https://github.com/tektoncd/catalog/tree/main/task/buildpacks-phases/0.2):
+* Provide as param `LIFECYCLE_IMAGE` in taskrun
+
+***
+[Source](https://github.com/buildpacks/lifecycle/blob/main/IMAGE.md) for this page
--- a/307
+++ b/307
@ -1,112 +1,168 @@
-GOCMD?=go
-GOARCH?=amd64
-GOENV=GOARCH=$(GOARCH) CGO_ENABLED=0
+ifeq ($(OS),Windows_NT)
+SHELL:=cmd.exe
+PWD?=$(subst /,\,${CURDIR})
+LDFLAGS=-s -w
+BLANK:=
+/:=\$(BLANK)
+else
+/:=/
+endif
+
+PARSED_COMMIT:=$(shell git rev-parse --short HEAD)
+
+ifeq ($(LIFECYCLE_VERSION),)
+LIFECYCLE_VERSION:=$(shell go run tools/version/main.go)
+LIFECYCLE_IMAGE_TAG?=$(PARSED_COMMIT)
+else
+LIFECYCLE_IMAGE_TAG?=$(LIFECYCLE_VERSION)
+endif
+
+ACCEPTANCE_TIMEOUT?=2400s
+GOCMD?=go
+GOENV=GOARCH=$(GOARCH) CGO_ENABLED=0
+LIFECYCLE_DESCRIPTOR_PATH?=lifecycle.toml
+SCM_REPO?=github.com/buildpacks/lifecycle
+SCM_COMMIT?=$(PARSED_COMMIT)
 LDFLAGS=-s -w
-LDFLAGS+=-X 'github.com/buildpacks/lifecycle/cmd.Version=$(LIFECYCLE_VERSION)'
 LDFLAGS+=-X 'github.com/buildpacks/lifecycle/cmd.SCMRepository=$(SCM_REPO)'
 LDFLAGS+=-X 'github.com/buildpacks/lifecycle/cmd.SCMCommit=$(SCM_COMMIT)'
-LDFLAGS+=-X 'github.com/buildpacks/lifecycle/cmd.PlatformAPI=$(PLATFORM_API)'
-GOBUILD=go build $(GOFLAGS) -ldflags "$(LDFLAGS)"
+LDFLAGS+=-X 'github.com/buildpacks/lifecycle/cmd.Version=$(LIFECYCLE_VERSION)'
+GOBUILD:=go build $(GOFLAGS) -ldflags "$(LDFLAGS)"
 GOTEST=$(GOCMD) test $(GOFLAGS)
-LIFECYCLE_VERSION?=$(shell cat VERSION)
-PLATFORM_API?=0.3
-BUILDPACK_API?=0.2
-SCM_REPO?=github.com/buildpacks/lifecycle
-PARSED_COMMIT:=$(shell git rev-parse --short HEAD)
-SCM_COMMIT?=$(PARSED_COMMIT)
-BUILD_DIR?=$(PWD)/out
-COMPILATION_IMAGE?=golang:1.13-alpine
+BUILD_DIR?=$(PWD)$/out
+SOURCE_COMPILATION_IMAGE?=lifecycle-img
+BUILD_CTR?=lifecycle-ctr
+DOCKER_CMD?=make test

-define LIFECYCLE_DESCRIPTOR
-[api]
-  platform = "$(PLATFORM_API)"
-  buildpack = "$(BUILDPACK_API)"
-
-[lifecycle]
-  version = "$(LIFECYCLE_VERSION)"
-endef
+GOFILES := $(shell $(GOCMD) run tools$/lister$/main.go)

 all: test build package

-build: build-linux build-windows
+GOOS_ARCHS = linux/amd64 linux/arm64 linux/ppc64le linux/s390x darwin/amd64 darwin/arm64

-build-linux-lifecycle: export GOOS:=linux
-build-linux-lifecycle: OUT_DIR:=$(BUILD_DIR)/$(GOOS)/lifecycle
-build-linux-lifecycle: GOENV:=GOARCH=$(GOARCH) CGO_ENABLED=1
-build-linux-lifecycle: DOCKER_RUN=docker run --workdir=/lifecycle -v $(OUT_DIR):/out -v $(PWD):/lifecycle $(COMPILATION_IMAGE)
-build-linux-lifecycle:
-	@echo "> Building lifecycle/lifecycle for linux..."
-	mkdir -p $(OUT_DIR)
-	$(DOCKER_RUN) sh -c 'apk add build-base && $(GOENV) $(GOBUILD) -o /out/lifecycle -a ./cmd/lifecycle'
+build: build-linux-amd64 build-linux-arm64 build-linux-ppc64le build-linux-s390x

+build-image-linux-amd64: build-linux-amd64 package-linux-amd64
+build-image-linux-amd64: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+linux.x86-64.tgz
+build-image-linux-amd64:
+	$(GOCMD) run ./tools/image/main.go -daemon -lifecyclePath $(ARCHIVE_PATH) -os linux -arch amd64 -tag lifecycle:$(LIFECYCLE_IMAGE_TAG)

-build-linux-launcher: export GOOS:=linux
-build-linux-launcher: OUT_DIR?=$(BUILD_DIR)/$(GOOS)/lifecycle
-build-linux-launcher:
-	@echo "> Building lifecycle/launcher for linux..."
-	mkdir -p $(OUT_DIR)
-	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/launcher -a ./cmd/launcher
-	test $$(du -m $(OUT_DIR)/launcher|cut -f 1) -le 3
+build-image-linux-arm64: build-linux-arm64 package-linux-arm64
+build-image-linux-arm64: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+linux.arm64.tgz
+build-image-linux-arm64:
+	$(GOCMD) run ./tools/image/main.go -daemon -lifecyclePath $(ARCHIVE_PATH) -os linux -arch arm64 -tag lifecycle:$(LIFECYCLE_IMAGE_TAG)

-build-linux-symlinks: export GOOS:=linux
-build-linux-symlinks: OUT_DIR:=$(BUILD_DIR)/$(GOOS)/lifecycle
-build-linux-symlinks:
-	@echo "> Creating phase symlinks for linux..."
-	ln -sf lifecycle $(OUT_DIR)/detector
-	ln -sf lifecycle $(OUT_DIR)/analyzer
-	ln -sf lifecycle $(OUT_DIR)/restorer
-	ln -sf lifecycle $(OUT_DIR)/builder
-	ln -sf lifecycle $(OUT_DIR)/exporter
-	ln -sf lifecycle $(OUT_DIR)/rebaser
-	ln -sf lifecycle $(OUT_DIR)/creator
+build-image-linux-ppc64le: build-linux-ppc64le package-linux-ppc64le
+build-image-linux-ppc64le: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+linux.ppc64le.tgz
+build-image-linux-ppc64le:
+	$(GOCMD) run ./tools/image/main.go -daemon -lifecyclePath $(ARCHIVE_PATH) -os linux -arch ppc64le -tag lifecycle:$(LIFECYCLE_IMAGE_TAG)

-build-linux: build-linux-lifecycle build-linux-symlinks build-linux-launcher
+build-image-linux-s390x: build-linux-s390x package-linux-s390x
+build-image-linux-s390x: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+linux.s390x.tgz
+build-image-linux-s390x:
+	$(GOCMD) run ./tools/image/main.go -daemon -lifecyclePath $(ARCHIVE_PATH) -os linux -arch s390x -tag lifecycle:$(LIFECYCLE_IMAGE_TAG)

-build-windows: export GOOS:=windows
-build-windows: OUT_DIR:=$(BUILD_DIR)/$(GOOS)/lifecycle
-build-windows:
-	@echo "> Building for windows..."
-	mkdir -p $(OUT_DIR)
-	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/launcher -a ./cmd/launcher
-	test $$(du -m $(OUT_DIR)/launcher|cut -f 1) -le 3
-	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/lifecycle.exe -a ./cmd/lifecycle
-	ln -sf lifecycle.exe $(OUT_DIR)/analyzer.exe
-	ln -sf lifecycle.exe $(OUT_DIR)/restorer.exe
-	ln -sf lifecycle.exe $(OUT_DIR)/builder.exe
-	ln -sf lifecycle.exe $(OUT_DIR)/exporter.exe
-	ln -sf lifecycle.exe $(OUT_DIR)/rebaser.exe
-	ln -sf lifecycle.exe $(OUT_DIR)/creator.exe
+define build_targets
+build-$(1)-$(2): build-$(1)-$(2)-lifecycle build-$(1)-$(2)-symlinks build-$(1)-$(2)-launcher

-build-darwin: export GOOS:=darwin
-build-darwin: OUT_DIR:=$(BUILD_DIR)/$(GOOS)/lifecycle
-build-darwin:
-	@echo "> Building for macos..."
-	mkdir -p $(OUT_DIR)
-	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/launcher -a ./cmd/launcher
-	test $$(du -m $(OUT_DIR)/launcher|cut -f 1) -le 3
-	$(GOENV) $(GOBUILD) -o $(OUT_DIR)/lifecycle -a ./cmd/lifecycle
-	ln -sf lifecycle $(OUT_DIR)/detector
-	ln -sf lifecycle $(OUT_DIR)/analyzer
-	ln -sf lifecycle $(OUT_DIR)/restorer
-	ln -sf lifecycle $(OUT_DIR)/builder
-	ln -sf lifecycle $(OUT_DIR)/exporter
-	ln -sf lifecycle $(OUT_DIR)/rebaser
+build-$(1)-$(2)-lifecycle: $(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle
+
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: export GOOS:=$(1)
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: export GOARCH:=$(2)
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: OUT_DIR?=$$(BUILD_DIR)/$$(GOOS)-$$(GOARCH)/lifecycle
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle: $$(GOFILES)
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/lifecycle:
+	@echo "> Building lifecycle/lifecycle for $$(GOOS)/$$(GOARCH)..."
+	mkdir -p $$(OUT_DIR)
+	$$(GOENV) $$(GOBUILD) -o $$(OUT_DIR)/lifecycle -a ./cmd/lifecycle
+
+build-$(1)-$(2)-symlinks: export GOOS:=$(1)
+build-$(1)-$(2)-symlinks: export GOARCH:=$(2)
+build-$(1)-$(2)-symlinks: OUT_DIR?=$$(BUILD_DIR)/$$(GOOS)-$$(GOARCH)/lifecycle
+build-$(1)-$(2)-symlinks:
+	@echo "> Creating phase symlinks for $$(GOOS)/$$(GOARCH)..."
+	ln -sf lifecycle $$(OUT_DIR)/detector
+	ln -sf lifecycle $$(OUT_DIR)/analyzer
+	ln -sf lifecycle $$(OUT_DIR)/restorer
+	ln -sf lifecycle $$(OUT_DIR)/builder
+	ln -sf lifecycle $$(OUT_DIR)/exporter
+	ln -sf lifecycle $$(OUT_DIR)/rebaser
+	ln -sf lifecycle $$(OUT_DIR)/creator
+	ln -sf lifecycle $$(OUT_DIR)/extender
+
+build-$(1)-$(2)-launcher: $$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher
+
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: export GOOS:=$(1)
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: export GOARCH:=$(2)
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: OUT_DIR?=$$(BUILD_DIR)/$$(GOOS)-$$(GOARCH)/lifecycle
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher: $$(GOFILES)
+$$(BUILD_DIR)/$(1)-$(2)/lifecycle/launcher:
+	@echo "> Building lifecycle/launcher for $$(GOOS)/$$(GOARCH)..."
+	mkdir -p $$(OUT_DIR)
+	$$(GOENV) $$(GOBUILD) -o $$(OUT_DIR)/launcher -a ./cmd/launcher
+	test $$$$(du -m $$(OUT_DIR)/launcher|cut -f 1) -le 3
+endef
+
+$(foreach ga,$(GOOS_ARCHS),$(eval $(call build_targets,$(word 1, $(subst /, ,$(ga))),$(word 2, $(subst /, ,$(ga))))))
+
+generate-sbom: run-syft-linux-amd64 run-syft-linux-arm64 run-syft-linux-ppc64le run-syft-linux-s390x
+
+run-syft-linux-amd64: install-syft
+run-syft-linux-amd64: export GOOS:=linux
+run-syft-linux-amd64: export GOARCH:=amd64
+run-syft-linux-amd64:
+	@echo "> Running syft..."
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.cdx.json
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.cdx.json
+
+run-syft-linux-arm64: install-syft
+run-syft-linux-arm64: export GOOS:=linux
+run-syft-linux-arm64: export GOARCH:=arm64
+run-syft-linux-arm64:
+	@echo "> Running syft..."
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.cdx.json
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.cdx.json
+
+run-syft-linux-ppc64le: install-syft
+run-syft-linux-ppc64le: export GOOS:=linux
+run-syft-linux-ppc64le: export GOARCH:=ppc64le
+run-syft-linux-ppc64le:
+	@echo "> Running syft..."
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.cdx.json
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.cdx.json
+
+run-syft-linux-s390x: install-syft
+run-syft-linux-s390x: export GOOS:=linux
+run-syft-linux-s390x: export GOARCH:=s390x
+run-syft-linux-s390x:
+	@echo "> Running syft..."
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/lifecycle.sbom.cdx.json
+	syft $(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher -o json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.syft.json -o spdx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.spdx.json -o cyclonedx-json=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle/launcher.sbom.cdx.json
+
+install-syft:
+	@echo "> Installing syft..."
+	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+
+define install-go-tool
+	@echo "> Installing $(1)..."
+	$(GOCMD) install $(1)@$(shell $(GOCMD) list -m -f '{{.Version}}' $(2))
+endef

 install-goimports:
 	@echo "> Installing goimports..."
-	cd tools; $(GOCMD) install golang.org/x/tools/cmd/goimports
+	$(call install-go-tool,golang.org/x/tools/cmd/goimports,golang.org/x/tools)

 install-yj:
 	@echo "> Installing yj..."
-	cd tools; $(GOCMD) install github.com/sclevine/yj
+	$(call install-go-tool,github.com/sclevine/yj,github.com/sclevine/yj)

 install-mockgen:
 	@echo "> Installing mockgen..."
-	cd tools; $(GOCMD) install github.com/golang/mock/mockgen
+	$(call install-go-tool,github.com/golang/mock/mockgen,github.com/golang/mock)

 install-golangci-lint:
 	@echo "> Installing golangci-lint..."
-	cd tools; $(GOCMD) install github.com/golangci/golangci-lint/cmd/golangci-lint
+	$(call install-go-tool,github.com/golangci/golangci-lint/v2/cmd/golangci-lint,github.com/golangci/golangci-lint/v2)

 lint: install-golangci-lint
 	@echo "> Linting code..."
@ -119,55 +175,70 @@ generate: install-mockgen

 format: install-goimports
 	@echo "> Formating code..."
-	test -z $$(goimports -l -w -local github.com/buildpacks/lifecycle .)
+	$(if $(shell goimports -l -w -local github.com/buildpacks/lifecycle .), @echo Fixed formatting errors. Re-run && exit 1)

-verify-jq:
-ifeq (, $(shell which jq))
-	$(error "No jq in $$PATH, please install jq")
-endif
+tidy:
+	@echo "> Tidying modules..."
+	$(GOCMD) mod tidy

 test: unit acceptance

-unit: verify-jq format lint install-yj
+# append coverage arguments
+ifeq ($(TEST_COVERAGE), 1)
+unit: GOTESTFLAGS:=$(GOTESTFLAGS) -coverprofile=./out/tests/coverage-unit.txt -covermode=atomic
+endif
+unit: out
+unit: UNIT_PACKAGES=$(shell $(GOCMD) list ./... | grep -v acceptance)
+unit: format lint tidy install-yj
 	@echo "> Running unit tests..."
-	$(GOTEST) -v -count=1 ./...
+	$(GOTEST) $(GOTESTFLAGS) -v -count=1 $(UNIT_PACKAGES)

-acceptance: format lint
+out:
+	@mkdir out || (exit 0)
+	mkdir out$/tests || (exit 0)
+
+acceptance: format tidy
 	@echo "> Running acceptance tests..."
-	$(GOTEST) -v -count=1 -tags=acceptance ./acceptance/...
-	
-acceptance-darwin: format lint
-	@echo "> Running acceptance tests..."
-	$(GOTEST) -v -count=1 -tags=acceptance ./acceptance/...
+	$(GOTEST) -v -count=1 -tags=acceptance -timeout=$(ACCEPTANCE_TIMEOUT) ./acceptance/...

 clean:
 	@echo "> Cleaning workspace..."
 	rm -rf $(BUILD_DIR)

-package: package-linux package-windows
+package:  generate-sbom package-linux-amd64 package-linux-arm64 package-linux-ppc64le package-linux-s390x

-package-linux: export LIFECYCLE_DESCRIPTOR:=$(LIFECYCLE_DESCRIPTOR)
-package-linux: GOOS:=linux
-package-linux: GOOS_DIR:=$(BUILD_DIR)/$(GOOS)
-package-linux: ARCHIVE_NAME=lifecycle-v$(LIFECYCLE_VERSION)+$(GOOS).x86-64
-package-linux:
-	@echo "> Writing descriptor file for $(GOOS)..."
-	mkdir -p $(GOOS_DIR)
-	echo "$${LIFECYCLE_DESCRIPTOR}" > $(GOOS_DIR)/lifecycle.toml
+package-linux-amd64: GOOS:=linux
+package-linux-amd64: GOARCH:=amd64
+package-linux-amd64: INPUT_DIR:=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+package-linux-amd64: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+$(GOOS).x86-64.tgz
+package-linux-amd64: PACKAGER=./tools/packager/main.go
+package-linux-amd64:
+	@echo "> Packaging lifecycle for $(GOOS)/$(GOARCH)..."
+	$(GOCMD) run $(PACKAGER) --inputDir $(INPUT_DIR) -archivePath $(ARCHIVE_PATH) -descriptorPath $(LIFECYCLE_DESCRIPTOR_PATH) -version $(LIFECYCLE_VERSION)

-	@echo "> Packaging lifecycle for $(GOOS)..."
-	tar czf $(BUILD_DIR)/$(ARCHIVE_NAME).tgz -C $(GOOS_DIR) lifecycle.toml lifecycle
+package-linux-arm64: GOOS:=linux
+package-linux-arm64: GOARCH:=arm64
+package-linux-arm64: INPUT_DIR:=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+package-linux-arm64: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+$(GOOS).arm64.tgz
+package-linux-arm64: PACKAGER=./tools/packager/main.go
+package-linux-arm64:
+	@echo "> Packaging lifecycle for $(GOOS)/$(GOARCH)..."
+	$(GOCMD) run $(PACKAGER) --inputDir $(INPUT_DIR) -archivePath $(ARCHIVE_PATH) -descriptorPath $(LIFECYCLE_DESCRIPTOR_PATH) -version $(LIFECYCLE_VERSION)

-package-windows: export LIFECYCLE_DESCRIPTOR:=$(LIFECYCLE_DESCRIPTOR)
-package-windows: GOOS:=windows
-package-windows: GOOS_DIR:=$(BUILD_DIR)/$(GOOS)
-package-windows: ARCHIVE_NAME=lifecycle-v$(LIFECYCLE_VERSION)+$(GOOS).x86-64
-package-windows:
-	@echo "> Writing descriptor file for $(GOOS)..."
-	mkdir -p $(GOOS_DIR)
-	echo "$${LIFECYCLE_DESCRIPTOR}" > $(GOOS_DIR)/lifecycle.toml
+package-linux-ppc64le: GOOS:=linux
+package-linux-ppc64le: GOARCH:=ppc64le
+package-linux-ppc64le: INPUT_DIR:=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+package-linux-ppc64le: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+$(GOOS).ppc64le.tgz
+package-linux-ppc64le: PACKAGER=./tools/packager/main.go
+package-linux-ppc64le:
+	@echo "> Packaging lifecycle for $(GOOS)/$(GOARCH)..."
+	$(GOCMD) run $(PACKAGER) --inputDir $(INPUT_DIR) -archivePath $(ARCHIVE_PATH) -descriptorPath $(LIFECYCLE_DESCRIPTOR_PATH) -version $(LIFECYCLE_VERSION)

-	@echo "> Packaging lifecycle for $(GOOS)..."
-	tar czf $(BUILD_DIR)/$(ARCHIVE_NAME).tgz -C $(GOOS_DIR) lifecycle.toml lifecycle
-
-.PHONY: verify-jq
+package-linux-s390x: GOOS:=linux
+package-linux-s390x: GOARCH:=s390x
+package-linux-s390x: INPUT_DIR:=$(BUILD_DIR)/$(GOOS)-$(GOARCH)/lifecycle
+package-linux-s390x: ARCHIVE_PATH=$(BUILD_DIR)/lifecycle-v$(LIFECYCLE_VERSION)+$(GOOS).s390x.tgz
+package-linux-s390x: PACKAGER=./tools/packager/main.go
+package-linux-s390x:
+	@echo "> Packaging lifecycle for $(GOOS)/$(GOARCH)..."
+	$(GOCMD) run $(PACKAGER) --inputDir $(INPUT_DIR) -archivePath $(ARCHIVE_PATH) -descriptorPath $(LIFECYCLE_DESCRIPTOR_PATH) -version $(LIFECYCLE_VERSION)
--- a/README.md
+++ b/README.md
@ -1,72 +1,74 @@
 # Lifecycle

-![Build Status](https://github.com/buildpacks/lifecycle/workflows/build/badge.svg)
+[![Build Status](https://github.com/buildpacks/lifecycle/workflows/build/badge.svg)](https://github.com/buildpacks/lifecycle/actions)
 [![GoDoc](https://godoc.org/github.com/buildpacks/lifecycle?status.svg)](https://godoc.org/github.com/buildpacks/lifecycle)
+[![codecov](https://codecov.io/gh/buildpacks/lifecycle/branch/main/graph/badge.svg)](https://codecov.io/gh/buildpacks/lifecycle/tree/main)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4748/badge)](https://bestpractices.coreinfrastructure.org/projects/4748)
+ [![Gitpod ready-to-code](https://img.shields.io/badge/Gitpod-ready--to--code-blue?logo=gitpod)](https://gitpod.io/#https://github.com/buildpacks/lifecycle)

 A reference implementation of the [Cloud Native Buildpacks specification](https://github.com/buildpacks/spec).

-This lifecycle implements the following versioned APIs
-* Buildpack API 0.2
-* Platform API 0.3
+## Supported APIs
+| Lifecycle Version | Platform APIs                                                                                                                                    | Buildpack APIs                                                                                                                 |
+|-------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|
+| 0.20.x            | [0.7][p/0.7], [0.8][p/0.8], [0.9][p/0.9], [0.10][p/0.10], [0.11][p/0.11], [0.12][p/0.12], [0.13][p/0.13], [0.14][p/0.14]                         | [0.7][b/0.7], [0.8][b/0.8], [0.9][b/0.9], [0.10][b/0.10], [0.11][b/0.11]                                                       |
+| 0.19.x            | [0.7][p/0.7], [0.8][p/0.8], [0.9][p/0.9], [0.10][p/0.10], [0.11][p/0.11], [0.12][p/0.12], [0.13][p/0.13]                                         | [0.7][b/0.7], [0.8][b/0.8], [0.9][b/0.9], [0.10][b/0.10], [0.11][b/0.11]                                                       |
+| 0.18.x            | [0.7][p/0.7], [0.8][p/0.8], [0.9][p/0.9], [0.10][p/0.10], [0.11][p/0.11], [0.12][p/0.12]                                                         | [0.7][b/0.7], [0.8][b/0.8], [0.9][b/0.9], [0.10][b/0.10]                                                                       |
+| 0.17.x            | [0.3][p/0.3], [0.4][p/0.4], [0.5][p/0.5], [0.6][p/0.6], [0.7][p/0.7], [0.8][p/0.8], [0.9][p/0.9], [0.10][p/0.10], [0.11][p/0.11], [0.12][p/0.12] | [0.2][b/0.2], [0.3][b/0.3], [0.4][b/0.4], [0.5][b/0.5], [0.6][b/0.6], [0.7][b/0.7], [0.8][b/0.8], [0.9][b/0.9], [0.10][b/0.10] |
+| 0.16.x            | [0.3][p/0.3], [0.4][p/0.4], [0.5][p/0.5], [0.6][p/0.6], [0.7][p/0.7], [0.8][p/0.8], [0.9][p/0.9], [0.10][p/0.10], [0.11][p/0.11]                 | [0.2][b/0.2], [0.3][b/0.3], [0.4][b/0.4], [0.5][b/0.5], [0.6][b/0.6], [0.7][b/0.7], [0.8][b/0.8], [0.9][b/0.9]                 |
+| 0.15.x            | [0.3][p/0.3], [0.4][p/0.4], [0.5][p/0.5], [0.6][p/0.6], [0.7][p/0.7], [0.8][p/0.8], [0.9][p/0.9], [0.10][p/0.10]                                 | [0.2][b/0.2], [0.3][b/0.3], [0.4][b/0.4], [0.5][b/0.5], [0.6][b/0.6], [0.7][b/0.7], [0.8][b/0.8], [0.9][b/0.9]                 |
+| 0.14.x            | [0.3][p/0.3], [0.4][p/0.4], [0.5][p/0.5], [0.6][p/0.6], [0.7][p/0.7], [0.8][p/0.8], [0.9][p/0.9]                                                 | [0.2][b/0.2], [0.3][b/0.3], [0.4][b/0.4], [0.5][b/0.5], [0.6][b/0.6], [0.7][b/0.7], [0.8][b/0.8]                               |
+| 0.13.x            | [0.3][p/0.3], [0.4][p/0.4], [0.5][p/0.5], [0.6][p/0.6], [0.7][p/0.7], [0.8][p/0.8]                                                               | [0.2][b/0.2], [0.3][b/0.3], [0.4][b/0.4], [0.5][b/0.5], [0.6][b/0.6], [0.7][b/0.7]                                             |

-## Commands
+[b/0.2]: https://github.com/buildpacks/spec/blob/buildpack/v0.2/buildpack.md
+[b/0.3]: https://github.com/buildpacks/spec/tree/buildpack/v0.3/buildpack.md
+[b/0.4]: https://github.com/buildpacks/spec/tree/buildpack/v0.4/buildpack.md
+[b/0.5]: https://github.com/buildpacks/spec/tree/buildpack/v0.5/buildpack.md
+[b/0.6]: https://github.com/buildpacks/spec/tree/buildpack/v0.6/buildpack.md
+[b/0.7]: https://github.com/buildpacks/spec/tree/buildpack/v0.7/buildpack.md
+[b/0.8]: https://github.com/buildpacks/spec/tree/buildpack/v0.8/buildpack.md
+[b/0.9]: https://github.com/buildpacks/spec/tree/buildpack/v0.9/buildpack.md
+[b/0.10]: https://github.com/buildpacks/spec/tree/buildpack/v0.10/buildpack.md
+[b/0.11]: https://github.com/buildpacks/spec/tree/buildpack/v0.11/buildpack.md
+[p/0.2]: https://github.com/buildpacks/spec/blob/platform/v0.2/platform.md
+[p/0.3]: https://github.com/buildpacks/spec/blob/platform/v0.3/platform.md
+[p/0.4]: https://github.com/buildpacks/spec/blob/platform/v0.4/platform.md
+[p/0.5]: https://github.com/buildpacks/spec/blob/platform/v0.5/platform.md
+[p/0.6]: https://github.com/buildpacks/spec/blob/platform/v0.6/platform.md
+[p/0.7]: https://github.com/buildpacks/spec/blob/platform/v0.7/platform.md
+[p/0.8]: https://github.com/buildpacks/spec/blob/platform/v0.8/platform.md
+[p/0.9]: https://github.com/buildpacks/spec/blob/platform/v0.9/platform.md
+[p/0.10]: https://github.com/buildpacks/spec/blob/platform/v0.10/platform.md
+[p/0.11]: https://github.com/buildpacks/spec/blob/platform/v0.11/platform.md
+[p/0.12]: https://github.com/buildpacks/spec/blob/platform/v0.12/platform.md
+[p/0.13]: https://github.com/buildpacks/spec/blob/platform/v0.13/platform.md
+[p/0.14]: https://github.com/buildpacks/spec/blob/platform/v0.14/platform.md
+
+\* denotes unreleased version
+
+## Usage

 ### Build

-* `detector` - chooses buildpacks (via `/bin/detect`)
-* `analyzer` - restores launch layer metadata from the previous build
-* `restorer` - restores cache
-* `builder` -  executes buildpacks (via `/bin/build`)
-* `exporter` - creates image and stores cache
+Either:
+* `analyzer` - Reads metadata from the previous image and ensures registry access.
+* `detector` - Chooses buildpacks (via `/bin/detect`) and produces a build plan.
+* `restorer` - Restores layer metadata from the previous image and from the cache, and restores cached layers.
+* `builder` -  Executes buildpacks (via `/bin/build`).
+* `exporter` - Creates an image and caches layers.
+
+Or:
+* `creator` - Runs the five phases listed above in order.

 ### Run

-* `launcher` - invokes choice of process
+* `launcher` - Invokes a chosen process.

 ### Rebase

-* `rebaser` - remotely patches images with new base image
+* `rebaser` - Creates an image from a previous image with updated base layers.

-## Development
-To test, build, and package binaries into an archive, simply run:
-
-```bash
-$ make all
-```
-This will create an archive at `out/lifecycle-<LIFECYCLE_VERSION>+linux.x86-64.tgz`.
-
-`LIFECYCLE_VERSION` defaults to the value in the `VERSION` file at the root of the repo . It can be changed by prepending `LIFECYCLE_VERSION=<some version>` to the
-`make` command. For example:
-
-```bash
-$ LIFECYCLE_VERSION=1.2.3 make all
-```
-
-Steps can also be run individually as shown below.
-
-### Test
-
-Formats, vets, and tests the code.
-
-```bash
-$ make test
-```
-
-### Build
-
-Builds binaries to `out/linux/lifecycle/`.
-
-```bash
-$ make build
-```
-
-> To clean the `out/` directory, run `make clean`.
-
-### Package
-
-Creates an archive at `out/lifecycle-<LIFECYCLE_VERSION>+linux.x86-64.tgz`, using the contents of the
-`out/linux/lifecycle/` directory, for the given (or default) `LIFECYCLE_VERSION`.
-
-```bash
-$ make package
-```
+## Contributing
+- [CONTRIBUTING](CONTRIBUTING.md) - Information on how to contribute and grow your understanding of the lifecycle.
+- [DEVELOPMENT](DEVELOPMENT.md) - Further detail to help you during the development process.
+- [RELEASE](RELEASE.md) - Further details about our release process.
--- a/RELEASE.md
+++ b/RELEASE.md
@ -0,0 +1,73 @@
+# Release Finalization
+
+## Types of releases
+
+#### New minor
+* For newly supported Platform or Buildpack API versions, or breaking changes (e.g., API deprecations).
+
+#### Pre-release aka release candidate
+* Ideally we should ship a pre-release (waiting a few days for folks to try it out) before we ship a new minor.
+* We typically don't ship pre-releases for patches or backports.
+
+#### New patch
+* For go version updates, CVE fixes / dependency bumps, bug fixes, etc.
+* Review the latest commits on `main` to determine if any are unacceptable for a patch - if there are commits that should be excluded, branch off the latest tag for the current minor and cherry-pick commits over.
+
+#### Backport
+* New patch for an old minor. Typically, to help folks out who haven't yet upgraded from [unsupported APIs](https://github.com/buildpacks/rfcs/blob/main/text/0110-deprecate-apis.md).
+* For go version updates, CVE fixes / dependency bumps, bug fixes, etc.
+* Branch off the latest tag for the desired minor.
+
+## Release Finalization Steps
+
+### Step 1 - Prepare
+
+Determine the type of release ([new minor](#new-minor), [pre-release](#pre-release-aka-release-candidate), [new patch](#new-patch), or [backport](#backport)) and prepare the branch accordingly.
+
+**To prepare the release branch:**
+1. Check open PRs for any dependabot updates that should be merged.
+1. Create a release branch in the format `release/0.99.0-rc.1` (for pre-releases) or `release/0.99.0` (for final releases).
+   * New commits to this branch will trigger the `build` workflow and produce a lifecycle image: `buildpacksio/lifecycle:<commit sha>`.
+1. If applicable, ensure the README is updated with the latest supported apis (example PR: https://github.com/buildpacks/lifecycle/pull/550).
+   * For final releases (not pre-releases), remove the pre-release note (`*`) for the latest apis.
+
+**For final releases (not pre-releases):**
+1. Ensure the relevant spec APIs have been released.
+1. Ensure the `lifecycle/0.99.0` milestone on the [docs repo](https://github.com/buildpacks/docs/blob/main/RELEASE.md#lump-changes) is complete, such that every new feature in the lifecycle is fully explained in the `release/lifecycle/0.99` branch on the docs repo, and [migration guides](https://github.com/buildpacks/docs/tree/main/content/docs/reference/spec/migration) (if relevant) are included.
+
+### Step 2 - Publish the Release
+
+1. Manually trigger the `draft-release` workflow: Actions -> draft-release -> Run workflow -> Use workflow from branch: `release/<release version>`. This will create a draft release on GitHub using the artifacts from the `build` workflow run for the latest commit on the release branch.
+1. Edit the release notes as necessary.
+1. Perform any manual validation of the artifacts as necessary (usually none).
+1. Edit the release page and click "Publish release".
+   * This will trigger the `post-release` workflow that will re-tag the lifecycle image from `buildpacksio/lifecycle:<commit sha>` to `buildpacksio/lifecycle:<release version>`.
+     * For final releases ONLY, this will also re-tag the lifecycle image from `buildpacksio/lifecycle:<commit sha>` to `buildpacksio/lifecycle:latest`.
+
+### Step 3 - Follow-up
+
+**For pre-releases:**
+* Ask the relevant teams to try out the pre-released artifacts.
+
+**For final releases:**
+* Update the `main` branch to remove the pre-release note in [README.md](https://github.com/buildpacks/lifecycle/blob/main/README.md) and/or merge `release/0.99.0` into `main`.
+* Ask the learning team to merge the `release/lifecycle/0.99` branch into `main` on the docs repo.
+
+## Go version updates
+
+Go version updates should be released as a [new minor](#new-minor) or [new patch](#new-patch) release.
+
+### New Patch
+
+If the go patch is in [actions/go-versions](https://github.com/actions/go-versions/pulls?q=is%3Apr+is%3Aclosed) then CI should pull it in automatically without any action needed.
+We simply need to create the release branch and let the pipeline run.
+
+### New Minor
+
+We typically do this when the existing patch version exceeds 6 - e.g., `1.22.6`. This means we have about 6 months to upgrade before the current minor becomes unsupported due to the introduction of the new n+2 minor.
+
+#### Steps
+1. Update go.mod
+1. Search for the old `major.minor`, there are a few files that need to be updated (example PR: https://github.com/buildpacks/lifecycle/pull/1405/files)
+1. Update the linter to a version that supports the current `major.minor`
+1. Fix any lint errors as necessary
--- a/1
+++ b/1
@ -1 +0,0 @@
-0.8.0
--- a/acceptance/acceptance_test.go
+++ b/acceptance/acceptance_test.go
@ -1,9 +1,7 @@
-// +build acceptance
-
 package acceptance

 import (
-	"io/ioutil"
+	"fmt"
 	"os"
 	"os/exec"
 	"path/filepath"
@ -13,52 +11,50 @@ import (
 	"github.com/sclevine/spec"
 	"github.com/sclevine/spec/report"

+	"github.com/buildpacks/lifecycle/api"
 	h "github.com/buildpacks/lifecycle/testhelpers"
 )

-var buildDir string
+const (
+	expectedVersion = "some-version"
+	expectedCommit  = "asdf123"
+)
+
+var (
+	latestPlatformAPI = api.Platform.Latest().String()
+	buildDir          string
+)

 func TestVersion(t *testing.T) {
 	var err error
-	buildDir, err = ioutil.TempDir("", "lifecycle-acceptance")
+	buildDir, err = os.MkdirTemp("", "lifecycle-acceptance")
 	h.AssertNil(t, err)
 	defer func() {
 		h.AssertNil(t, os.RemoveAll(buildDir))
 	}()
-	buildBinaries(t, buildDir, runtime.GOOS)
+
+	outDir := filepath.Join(buildDir, fmt.Sprintf("%s-%s", runtime.GOOS, runtime.GOARCH), "lifecycle")
+	h.AssertNil(t, os.MkdirAll(outDir, 0755))
+
+	h.MakeAndCopyLifecycle(t,
+		runtime.GOOS,
+		runtime.GOARCH,
+		outDir,
+		"LIFECYCLE_VERSION=some-version",
+		"SCM_COMMIT="+expectedCommit,
+	)
 	spec.Run(t, "acceptance", testVersion, spec.Parallel(), spec.Report(report.Terminal{}))
 }

 type testCase struct {
 	description string
+	focus       bool
 	command     string
 	args        []string
 }

 func testVersion(t *testing.T, when spec.G, it spec.S) {
 	when("All", func() {
-		when("CNB_PLATFORM_API is set and incompatible", func() {
-			for _, binary := range []string{
-				"analyzer",
-				"builder",
-				"detector",
-				"exporter",
-				"restorer",
-				"rebaser",
-				"lifecycle",
-			} {
-				binary := binary
-				it(binary+"/should fail with error message and exit code 11", func() {
-					cmd := lifecycleCmd(binary)
-					cmd.Env = append(os.Environ(), "CNB_PLATFORM_API=0.8")
-
-					_, exitCode, err := h.RunE(cmd)
-					h.AssertError(t, err, "the Lifecycle's Platform API version is 0.9 which is incompatible with Platform API version 0.8")
-					h.AssertEq(t, exitCode, 11)
-				})
-			}
-		})
-
 		when("version flag is set", func() {
 			for _, tc := range []testCase{
 				{
@ -138,14 +134,19 @@ func testVersion(t *testing.T, when spec.G, it spec.S) {
 				},
 			} {
 				tc := tc
-				when(tc.description, func() {
+				w := when
+				if tc.focus {
+					w = when.Focus
+				}
+				w(tc.description, func() {
 					it("only prints the version", func() {
 						cmd := lifecycleCmd(tc.command, tc.args...)
+						cmd.Env = []string{fmt.Sprintf("CNB_PLATFORM_API=%s", api.Platform.Latest().String())}
 						output, err := cmd.CombinedOutput()
 						if err != nil {
 							t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
 						}
-						h.AssertStringContains(t, string(output), "some-version+asdf123")
+						h.AssertStringContains(t, string(output), expectedVersion+"+"+expectedCommit)
 					})
 				})
 			}
@ -153,27 +154,6 @@ func testVersion(t *testing.T, when spec.G, it spec.S) {
 	})
 }

-func lifecycleCmd(binary string, args ...string) *exec.Cmd {
-	return exec.Command(filepath.Join(buildDir, runtime.GOOS, "lifecycle", binary), args...)
-}
-
-func buildBinaries(t *testing.T, dir string, goos string) {
-	cmd := exec.Command("make", "build-"+runtime.GOOS)
-	wd, err := os.Getwd()
-	h.AssertNil(t, err)
-	cmd.Dir = filepath.Join(wd, "..")
-	cmd.Env = append(
-		os.Environ(),
-		"GOOS="+goos,
-		"PWD="+cmd.Dir,
-		"BUILD_DIR="+dir,
-		"PLATFORM_API=0.9",
-		"LIFECYCLE_VERSION=some-version",
-		"SCM_COMMIT=asdf123",
-	)
-
-	t.Log("Building binaries: ", cmd.Args)
-	if output, err := cmd.CombinedOutput(); err != nil {
-		t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-	}
+func lifecycleCmd(phase string, args ...string) *exec.Cmd {
+	return exec.Command(filepath.Join(buildDir, fmt.Sprintf("%s-%s", runtime.GOOS, runtime.GOARCH), "lifecycle", phase), args...) // #nosec G204
 }
--- a/acceptance/analyzer_test.go
+++ b/acceptance/analyzer_test.go
@ -0,0 +1,541 @@
+package acceptance
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	"github.com/buildpacks/lifecycle/cmd"
+	"github.com/buildpacks/lifecycle/internal/path"
+	"github.com/buildpacks/lifecycle/platform/files"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+var (
+	analyzeImage          string
+	analyzeRegAuthConfig  string
+	analyzeRegNetwork     string
+	analyzerPath          string
+	analyzeDaemonFixtures *daemonImageFixtures
+	analyzeRegFixtures    *regImageFixtures
+	analyzeTest           *PhaseTest
+)
+
+func TestAnalyzer(t *testing.T) {
+	testImageDockerContext := filepath.Join("testdata", "analyzer")
+	analyzeTest = NewPhaseTest(t, "analyzer", testImageDockerContext)
+	analyzeTest.Start(t)
+	defer analyzeTest.Stop(t)
+
+	analyzeImage = analyzeTest.testImageRef
+	analyzerPath = analyzeTest.containerBinaryPath
+	analyzeRegAuthConfig = analyzeTest.targetRegistry.authConfig
+	analyzeRegNetwork = analyzeTest.targetRegistry.network
+	analyzeDaemonFixtures = analyzeTest.targetDaemon.fixtures
+	analyzeRegFixtures = analyzeTest.targetRegistry.fixtures
+
+	for _, platformAPI := range api.Platform.Supported {
+		spec.Run(t, "acceptance-analyzer/"+platformAPI.String(), testAnalyzerFunc(platformAPI.String()), spec.Parallel(), spec.Report(report.Terminal{}))
+	}
+}
+
+func testAnalyzerFunc(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
+	return func(t *testing.T, when spec.G, it spec.S) {
+		var copyDir, containerName, cacheVolume string
+
+		it.Before(func() {
+			containerName = "test-container-" + h.RandString(10)
+			var err error
+			copyDir, err = os.MkdirTemp("", "test-docker-copy-")
+			h.AssertNil(t, err)
+		})
+
+		it.After(func() {
+			if h.DockerContainerExists(t, containerName) {
+				h.Run(t, exec.Command("docker", "rm", containerName))
+			}
+			if h.DockerVolumeExists(t, cacheVolume) {
+				h.DockerVolumeRemove(t, cacheVolume)
+			}
+			os.RemoveAll(copyDir)
+		})
+
+		when("CNB_PLATFORM_API not provided", func() {
+			it("errors", func() {
+				cmd := exec.Command(
+					"docker", "run", "--rm",
+					"--env", "CNB_PLATFORM_API= ",
+					analyzeImage,
+					ctrPath(analyzerPath),
+					"some-image",
+				) // #nosec G204
+				output, err := cmd.CombinedOutput()
+
+				h.AssertNotNil(t, err)
+				expected := "please set 'CNB_PLATFORM_API'"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("called without an app image", func() {
+			it("errors", func() {
+				cmd := exec.Command(
+					"docker", "run", "--rm",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					analyzeImage,
+					ctrPath(analyzerPath),
+				) // #nosec G204
+				output, err := cmd.CombinedOutput()
+
+				h.AssertNotNil(t, err)
+				expected := "failed to parse arguments: received 0 arguments, but expected 1"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("called with skip layers", func() {
+			it("writes analyzed.toml and does not restore previous image SBOM", func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.9"), "Platform API < 0.9 does not accept a -skip-layers flag")
+				output := h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/layers"),
+					analyzeImage,
+					h.WithFlags(append(
+						dockerSocketMount,
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+					)...),
+					h.WithArgs(
+						ctrPath(analyzerPath),
+						"-daemon",
+						"-run-image", analyzeRegFixtures.ReadOnlyRunImage,
+						"-skip-layers",
+						analyzeDaemonFixtures.AppImage,
+					),
+				)
+				assertAnalyzedMetadata(t, filepath.Join(copyDir, "layers", "analyzed.toml"))
+				h.AssertStringDoesNotContain(t, output, "Restoring data for SBOM from previous image")
+			})
+		})
+
+		when("the provided layers directory isn't writeable", func() {
+			it("recursively chowns the directory", func() {
+				analyzeFlags := []string{"-run-image", analyzeRegFixtures.ReadOnlyRunImage}
+
+				output := h.DockerRun(t,
+					analyzeImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+						"--network", analyzeRegNetwork,
+					),
+					h.WithBash(
+						fmt.Sprintf("chown -R 9999:9999 /layers; chmod -R 775 /layers; %s %s %s; ls -al /layers",
+							analyzerPath,
+							flatPrint(analyzeFlags),
+							analyzeRegFixtures.SomeAppImage),
+					),
+				)
+
+				h.AssertMatch(t, output, "2222 3333 .+ \\.")
+				h.AssertMatch(t, output, "2222 3333 .+ group.toml")
+			})
+		})
+
+		when("called with analyzed", func() {
+			it("uses the provided analyzed.toml path", func() {
+				analyzeFlags := []string{
+					"-analyzed", ctrPath("/some-dir/some-analyzed.toml"),
+					"-run-image", analyzeRegFixtures.ReadOnlyRunImage,
+				}
+
+				var execArgs []string
+				execArgs = append([]string{ctrPath(analyzerPath)}, analyzeFlags...)
+				execArgs = append(execArgs, analyzeRegFixtures.SomeAppImage)
+
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/some-dir/some-analyzed.toml"),
+					analyzeImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+						"--network", analyzeRegNetwork,
+					),
+					h.WithArgs(execArgs...),
+				)
+
+				assertAnalyzedMetadata(t, filepath.Join(copyDir, "some-analyzed.toml"))
+			})
+		})
+
+		when("called with run", func() {
+			it("uses the provided run.toml path", func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept -run")
+				cmd := exec.Command(
+					"docker", "run", "--rm",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+					"--network", analyzeRegNetwork,
+					analyzeImage,
+					ctrPath(analyzerPath),
+					"-run", "/cnb/run.toml",
+					analyzeRegFixtures.SomeAppImage,
+				) // #nosec G204
+				output, err := cmd.CombinedOutput()
+
+				h.AssertNotNil(t, err)
+				expected := "failed to find accessible run image"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		it("drops privileges", func() {
+			analyzeArgs := []string{
+				"-analyzed", "/some-dir/some-analyzed.toml",
+				"-run-image", analyzeRegFixtures.ReadOnlyRunImage,
+			}
+
+			output := h.DockerRun(t,
+				analyzeImage,
+				h.WithFlags(
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+					"--network", analyzeRegNetwork,
+				),
+				h.WithBash(
+					fmt.Sprintf("%s %s %s; ls -al /some-dir",
+						ctrPath(analyzerPath),
+						flatPrint(analyzeArgs),
+						analyzeRegFixtures.SomeAppImage,
+					),
+				),
+			)
+
+			h.AssertMatch(t, output, "2222 3333 .+ some-analyzed.toml")
+		})
+
+		when("run image", func() {
+			when("provided", func() {
+				it("is recorded in analyzed.toml", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						ctrPath("/layers/analyzed.toml"),
+						analyzeImage,
+						h.WithFlags(
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+							"--network", analyzeRegNetwork,
+						),
+						h.WithArgs(ctrPath(analyzerPath), "-run-image", analyzeRegFixtures.ReadOnlyRunImage, analyzeRegFixtures.SomeAppImage),
+					)
+
+					analyzedMD := assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+					h.AssertStringContains(t, analyzedMD.RunImage.Reference, analyzeRegFixtures.ReadOnlyRunImage+"@sha256:")
+				})
+			})
+
+			when("not provided", func() {
+				it("falls back to CNB_RUN_IMAGE", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						ctrPath("/layers/analyzed.toml"),
+						analyzeImage,
+						h.WithFlags(
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+							"--env", "CNB_RUN_IMAGE="+analyzeRegFixtures.ReadOnlyRunImage,
+							"--network", analyzeRegNetwork,
+						),
+						h.WithArgs(ctrPath(analyzerPath), analyzeRegFixtures.SomeAppImage),
+					)
+
+					analyzedMD := assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+					h.AssertStringContains(t, analyzedMD.RunImage.Reference, analyzeRegFixtures.ReadOnlyRunImage+"@sha256:")
+				})
+			})
+		})
+
+		when("daemon case", func() {
+			it("writes analyzed.toml", func() {
+				analyzeFlags := []string{
+					"-daemon",
+					"-run-image", "some-run-image",
+				}
+
+				var execArgs []string
+				execArgs = append([]string{ctrPath(analyzerPath)}, analyzeFlags...)
+				execArgs = append(execArgs, analyzeRegFixtures.ReadOnlyAppImage)
+
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/layers/analyzed.toml"),
+					analyzeImage,
+					h.WithFlags(append(
+						dockerSocketMount,
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+					)...),
+					h.WithArgs(execArgs...),
+				)
+
+				assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+			})
+
+			when("app image exists", func() {
+				it("does not restore app metadata to the layers directory", func() {
+					analyzeFlags := []string{"-daemon", "-run-image", "some-run-image"}
+
+					var execArgs []string
+					execArgs = append([]string{ctrPath(analyzerPath)}, analyzeFlags...)
+					execArgs = append(execArgs, analyzeDaemonFixtures.AppImage)
+
+					output := h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						ctrPath("/layers"),
+						analyzeImage,
+						h.WithFlags(append(
+							dockerSocketMount,
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+						)...),
+						h.WithArgs(execArgs...),
+					)
+
+					assertNoRestoreOfAppMetadata(t, copyDir, output)
+				})
+			})
+		})
+
+		when("registry case", func() {
+			it("writes analyzed.toml", func() {
+				analyzeFlags := []string{"-run-image", analyzeRegFixtures.ReadOnlyRunImage}
+
+				var execArgs []string
+				execArgs = append([]string{ctrPath(analyzerPath)}, analyzeFlags...)
+				execArgs = append(execArgs, analyzeRegFixtures.SomeAppImage)
+
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/layers/analyzed.toml"),
+					analyzeImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+						"--network", analyzeRegNetwork,
+					),
+					h.WithArgs(execArgs...),
+				)
+
+				assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+			})
+
+			when("called with previous image", func() {
+				when("auth registry", func() {
+					when("the destination image does not exist", func() {
+						it("writes analyzed.toml with previous image identifier", func() {
+							analyzeFlags := []string{
+								"-previous-image", analyzeRegFixtures.ReadWriteAppImage,
+								"-run-image", analyzeRegFixtures.ReadOnlyRunImage,
+							}
+
+							var execArgs []string
+							execArgs = append([]string{ctrPath(analyzerPath)}, analyzeFlags...)
+							execArgs = append(execArgs, analyzeRegFixtures.ReadWriteOtherAppImage)
+
+							h.DockerRunAndCopy(t,
+								containerName,
+								copyDir,
+								ctrPath("/layers/analyzed.toml"),
+								analyzeImage,
+								h.WithFlags(
+									"--env", "CNB_PLATFORM_API="+platformAPI,
+									"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+									"--network", analyzeRegNetwork,
+								),
+								h.WithArgs(execArgs...),
+							)
+							analyzedMD := assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+							h.AssertStringContains(t, analyzedMD.PreviousImageRef(), analyzeRegFixtures.ReadWriteAppImage)
+						})
+					})
+
+					when("the destination image exists", func() {
+						it("writes analyzed.toml with previous image identifier", func() {
+							analyzeFlags := []string{
+								"-previous-image", analyzeRegFixtures.ReadWriteAppImage,
+								"-run-image", analyzeRegFixtures.ReadOnlyRunImage,
+							}
+
+							var execArgs []string
+							execArgs = append([]string{ctrPath(analyzerPath)}, analyzeFlags...)
+							execArgs = append(execArgs, analyzeRegFixtures.ReadWriteOtherAppImage)
+
+							h.DockerRunAndCopy(t,
+								containerName,
+								copyDir,
+								ctrPath("/layers/analyzed.toml"),
+								analyzeImage,
+								h.WithFlags(
+									"--env", "CNB_PLATFORM_API="+platformAPI,
+									"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+									"--network", analyzeRegNetwork,
+								),
+								h.WithArgs(execArgs...),
+							)
+
+							analyzedMD := assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+							h.AssertStringContains(t, analyzedMD.PreviousImageRef(), analyzeRegFixtures.ReadWriteAppImage)
+						})
+					})
+				})
+			})
+
+			when("called with tag", func() {
+				when("read/write access to registry", func() {
+					it("passes read/write validation and writes analyzed.toml", func() {
+						execArgs := []string{
+							ctrPath(analyzerPath),
+							"-tag", analyzeRegFixtures.ReadWriteOtherAppImage,
+							analyzeRegFixtures.ReadWriteAppImage,
+						}
+						h.DockerRunAndCopy(t,
+							containerName,
+							copyDir,
+							ctrPath("/layers/analyzed.toml"),
+							analyzeImage,
+							h.WithFlags(
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+								"--env", "CNB_REGISTRY_AUTH="+analyzeRegAuthConfig,
+								"--env", "CNB_RUN_IMAGE="+analyzeRegFixtures.ReadOnlyRunImage,
+								"--network", analyzeRegNetwork,
+							),
+							h.WithArgs(execArgs...),
+						)
+						analyzedMD := assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+						h.AssertStringContains(t, analyzedMD.PreviousImageRef(), analyzeRegFixtures.ReadWriteAppImage)
+					})
+				})
+
+				when("no read/write access to registry", func() {
+					it("throws read/write error accessing destination tag", func() {
+						cmd := exec.Command(
+							"docker", "run", "--rm",
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_RUN_IMAGE="+analyzeRegFixtures.ReadOnlyRunImage,
+							"--name", containerName,
+							"--network", analyzeRegNetwork,
+							analyzeImage,
+							ctrPath(analyzerPath),
+							"-tag", analyzeRegFixtures.InaccessibleImage,
+							analyzeRegFixtures.ReadWriteAppImage,
+						) // #nosec G204
+						output, err := cmd.CombinedOutput()
+
+						h.AssertNotNil(t, err)
+						expected := "ensure registry read/write access to " + analyzeRegFixtures.InaccessibleImage
+						h.AssertStringContains(t, string(output), expected)
+					})
+				})
+			})
+		})
+
+		when("layout case", func() {
+			layoutDir := filepath.Join(path.RootDir, "layout-repo")
+			when("experimental mode is enabled", func() {
+				it("writes analyzed.toml", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
+
+					analyzeFlags := []string{
+						"-layout",
+						"-layout-dir", layoutDir,
+						"-run-image", "busybox",
+					}
+					var execArgs []string
+					execArgs = append([]string{ctrPath(analyzerPath)}, analyzeFlags...)
+					execArgs = append(execArgs, "my-app")
+
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						ctrPath("/layers/analyzed.toml"),
+						analyzeImage,
+						h.WithFlags(
+							"--env", "CNB_EXPERIMENTAL_MODE=warn",
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+						),
+						h.WithArgs(execArgs...),
+					)
+
+					analyzer := assertAnalyzedMetadata(t, filepath.Join(copyDir, "analyzed.toml"))
+					h.AssertNotNil(t, analyzer.RunImage)
+					analyzedImagePath := filepath.Join(path.RootDir, "layout-repo", "index.docker.io", "library", "busybox", "latest")
+					reference := fmt.Sprintf("%s@%s", analyzedImagePath, "sha256:f75f3d1a317fc82c793d567de94fc8df2bece37acd5f2bd364a0d91a0d1f3dab")
+					h.AssertEq(t, analyzer.RunImage.Reference, reference)
+				})
+			})
+
+			when("experimental mode is not enabled", func() {
+				it("errors", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
+					cmd := exec.Command(
+						"docker", "run", "--rm",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_LAYOUT_DIR="+layoutDir,
+						analyzeImage,
+						ctrPath(analyzerPath),
+						"-layout",
+						"-run-image", "busybox",
+						"some-image",
+					) // #nosec G204
+					output, err := cmd.CombinedOutput()
+
+					h.AssertNotNil(t, err)
+					expected := "experimental features are disabled by CNB_EXPERIMENTAL_MODE=error"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+		})
+	}
+}
+
+func assertAnalyzedMetadata(t *testing.T, path string) *files.Analyzed {
+	contents, err := os.ReadFile(path)
+	h.AssertNil(t, err)
+	h.AssertEq(t, len(contents) > 0, true)
+
+	analyzedMD, err := files.Handler.ReadAnalyzed(path, cmd.DefaultLogger)
+	h.AssertNil(t, err)
+
+	return &analyzedMD
+}
+
+func assertNoRestoreOfAppMetadata(t *testing.T, dir, output string) {
+	layerFilenames := []string{
+		"launch-build-cache-layer.sha",
+		"launch-build-cache-layer.toml",
+		"launch-cache-layer.sha",
+		"launch-cache-layer.toml",
+		"launch-layer.sha",
+		"launch-layer.toml",
+		"store.toml",
+	}
+	for _, filename := range layerFilenames {
+		h.AssertPathDoesNotExist(t, filepath.Join(dir, "layers", "some-buildpack-id", filename))
+	}
+}
+
+func flatPrint(arr []string) string {
+	return strings.Join(arr, " ")
+}
--- a/acceptance/builder_test.go
+++ b/acceptance/builder_test.go
@ -0,0 +1,535 @@
+package acceptance
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	"github.com/buildpacks/lifecycle/platform/files"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+var (
+	builderDockerContext               = filepath.Join("testdata", "builder")
+	builderBinaryDir                   = filepath.Join("testdata", "builder", "container", "cnb", "lifecycle")
+	builderImage                       = "lifecycle/acceptance/builder"
+	builderDaemonOS, builderDaemonArch string
+)
+
+func TestBuilder(t *testing.T) {
+	info, err := h.DockerCli(t).Info(context.TODO())
+	h.AssertNil(t, err)
+
+	// These variables are clones of the variables in analyzer_test.go.
+	// You can find the same variables there without `builder` prefix.
+	// These lines are added for supporting windows tests.
+	builderDaemonOS = info.OSType
+	builderDaemonArch = info.Architecture
+	if builderDaemonArch == "x86_64" {
+		builderDaemonArch = "amd64"
+	} else if builderDaemonArch == "aarch64" {
+		builderDaemonArch = "arm64"
+	}
+
+	h.MakeAndCopyLifecycle(t, builderDaemonOS, builderDaemonArch, builderBinaryDir)
+	h.DockerBuild(t,
+		builderImage,
+		builderDockerContext,
+		h.WithArgs("--build-arg", fmt.Sprintf("cnb_platform_api=%s", api.Platform.Latest())),
+		h.WithFlags(
+			"-f", filepath.Join(builderDockerContext, dockerfileName),
+		),
+	)
+	defer h.DockerImageRemove(t, builderImage)
+
+	spec.Run(t, "acceptance-builder", testBuilder, spec.Parallel(), spec.Report(report.Terminal{}))
+}
+
+func testBuilder(t *testing.T, when spec.G, it spec.S) {
+	var copyDir, containerName, cacheVolume string
+
+	it.Before(func() {
+		containerName = "test-container-" + h.RandString(10)
+		var err error
+		copyDir, err = os.MkdirTemp("", "test-docker-copy-")
+		h.AssertNil(t, err)
+	})
+
+	it.After(func() {
+		if h.DockerContainerExists(t, containerName) {
+			h.Run(t, exec.Command("docker", "rm", containerName))
+		}
+		if h.DockerVolumeExists(t, cacheVolume) {
+			h.DockerVolumeRemove(t, cacheVolume)
+		}
+		os.RemoveAll(copyDir)
+	})
+
+	// .../cmd/lifecycle/builder.go#Args
+	when("called with arguments", func() {
+		it("errors", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				builderImage,
+				"some-arg",
+			)
+			output, err := command.CombinedOutput()
+			h.AssertNotNil(t, err)
+			expected := "failed to parse arguments: received unexpected arguments"
+			h.AssertStringContains(t, string(output), expected)
+		})
+	})
+
+	// .../cmd/lifecycle/builder.go#Privileges
+	when("running as a root", func() {
+		it("errors", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--user",
+				"root",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				builderImage,
+			)
+			output, err := command.CombinedOutput()
+			h.AssertNotNil(t, err)
+			expected := "failed to build: refusing to run as root"
+			h.AssertStringContains(t, string(output), expected)
+		})
+	})
+
+	when("correct and full group.toml and plan.toml", func() {
+		it("succeeds", func() {
+			h.DockerRunAndCopy(t,
+				containerName,
+				copyDir,
+				ctrPath("/layers"),
+				builderImage,
+				h.WithFlags(
+					"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+					"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+					"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+				),
+			)
+			// check builder metadata.toml for success test
+			_, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers", "config", "metadata.toml"))
+
+			h.AssertStringContains(t, md.Buildpacks[0].API, "0.10")
+			h.AssertStringContains(t, md.Buildpacks[0].ID, "hello_world")
+			h.AssertStringContains(t, md.Buildpacks[0].Version, "0.0.1")
+		})
+	})
+
+	when("writing metadata.toml", func() {
+		it("writes and reads successfully", func() {
+			h.DockerRunAndCopy(t,
+				containerName,
+				copyDir,
+				ctrPath("/layers"),
+				builderImage,
+				h.WithFlags(
+					"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+					"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+					"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+				),
+			)
+			// check builder metadata.toml for success test
+			contents, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers", "config", "metadata.toml"))
+
+			// prevent regression of inline table serialization
+			h.AssertStringDoesNotContain(t, contents, "processes =")
+			h.AssertStringContains(t, md.Buildpacks[0].API, "0.10")
+			h.AssertStringContains(t, md.Buildpacks[0].ID, "hello_world")
+			h.AssertStringContains(t, md.Buildpacks[0].Version, "0.0.1")
+			h.AssertEq(t, len(md.Processes), 1)
+			h.AssertEq(t, md.Processes[0].Type, "hello")
+			h.AssertEq(t, len(md.Processes[0].Command.Entries), 1)
+			h.AssertEq(t, md.Processes[0].Command.Entries[0], "echo world")
+			h.AssertEq(t, len(md.Processes[0].Args), 1)
+			h.AssertEq(t, md.Processes[0].Args[0], "arg1")
+			h.AssertEq(t, md.Processes[0].Direct, true)
+			h.AssertEq(t, md.Processes[0].WorkingDirectory, "")
+			h.AssertEq(t, md.Processes[0].Default, false)
+		})
+
+		when("the platform < 0.10", func() {
+			it("writes and reads successfully", func() {
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/layers"),
+					builderImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API=0.9",
+						"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+						"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+					),
+				)
+				// check builder metadata.toml for success test
+				contents, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers", "config", "metadata.toml"))
+
+				// prevent regression of inline table serialization
+				h.AssertStringDoesNotContain(t, contents, "processes =")
+				h.AssertStringContains(t, md.Buildpacks[0].API, "0.10")
+				h.AssertStringContains(t, md.Buildpacks[0].ID, "hello_world")
+				h.AssertStringContains(t, md.Buildpacks[0].Version, "0.0.1")
+				h.AssertEq(t, len(md.Processes), 1)
+				h.AssertEq(t, md.Processes[0].Type, "hello")
+				h.AssertEq(t, len(md.Processes[0].Command.Entries), 1)
+				h.AssertEq(t, md.Processes[0].Command.Entries[0], "echo world")
+				h.AssertEq(t, len(md.Processes[0].Args), 1)
+				h.AssertEq(t, md.Processes[0].Args[0], "arg1")
+				h.AssertEq(t, md.Processes[0].Direct, true)
+				h.AssertEq(t, md.Processes[0].WorkingDirectory, "")
+				h.AssertEq(t, md.Processes[0].Default, false)
+			})
+		})
+	})
+
+	when("-group contains extensions", func() {
+		it("includes the provided extensions in <layers>/config/metadata.toml", func() {
+			h.DockerRunAndCopy(t,
+				containerName,
+				copyDir,
+				ctrPath("/layers"),
+				builderImage,
+				h.WithFlags(
+					"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+					"--env", "CNB_GROUP_PATH=/cnb/group_tomls/group_with_ext.toml",
+					"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+				),
+			)
+			// check builder metadata.toml for success test
+			_, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers", "config", "metadata.toml"))
+
+			h.AssertStringContains(t, md.Buildpacks[0].API, "0.10")
+			h.AssertStringContains(t, md.Buildpacks[0].ID, "hello_world")
+			h.AssertStringContains(t, md.Buildpacks[0].Version, "0.0.1")
+			h.AssertStringContains(t, md.Extensions[0].API, "0.10")
+			h.AssertStringContains(t, md.Extensions[0].ID, "hello_world")
+			h.AssertStringContains(t, md.Extensions[0].Version, "0.0.1")
+		})
+	})
+
+	when("invalid input files", func() {
+		// .../cmd/lifecycle/builder.go#readData
+		when("group.toml", func() {
+			when("not found", func() {
+				it("errors", func() {
+					command := exec.Command(
+						"docker",
+						"run",
+						"--rm",
+						"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+						"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+						builderImage,
+					)
+					output, err := command.CombinedOutput()
+					h.AssertNotNil(t, err)
+					expected := "failed to read group file: open /layers/group.toml: no such file or directory"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+
+			when("empty", func() {
+				it("succeeds", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						ctrPath("/layers"),
+						builderImage,
+						h.WithFlags(
+							"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+							"--env", "CNB_GROUP_PATH=/cnb/group_tomls/empty_group.toml",
+							"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+						),
+					)
+					// check builder metadata.toml for success test
+					_, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers", "config", "metadata.toml"))
+					h.AssertEq(t, len(md.Processes), 0)
+				})
+			})
+
+			when("invalid", func() {
+				it("errors", func() {
+					command := exec.Command(
+						"docker",
+						"run",
+						"--rm",
+						"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+						"--env", "CNB_GROUP_PATH=/cnb/group_tomls/wrong_group.toml",
+						"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+						builderImage,
+					)
+					output, err := command.CombinedOutput()
+					h.AssertNotNil(t, err)
+					expected := "failed to read group file: toml: line 1: expected '.' or '=', but got 'a' instead"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+
+			// .../cmd/lifecycle/builder.go#Exec
+			when("invalid builpack api", func() {
+				it("errors", func() {
+					command := exec.Command(
+						"docker",
+						"run",
+						"--rm",
+						"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+						"--env", "CNB_GROUP_PATH=/cnb/group_tomls/invalid_buildpack_api_group.toml",
+						"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+						builderImage,
+					)
+					output, err := command.CombinedOutput()
+					h.AssertNotNil(t, err)
+					expected := "parse buildpack API '<nil>' for buildpack 'hello_world@0.0.1'"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+		})
+
+		// .../cmd/lifecycle/builder.go#readData
+		when("plan.toml", func() {
+			when("not found", func() {
+				it("errors", func() {
+					command := exec.Command(
+						"docker",
+						"run",
+						"--rm",
+						"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+						"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+						builderImage,
+					)
+					output, err := command.CombinedOutput()
+					h.AssertNotNil(t, err)
+					expected := "failed to read plan file: open /layers/plan.toml: no such file or directory"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+
+			when("empty", func() {
+				it("succeeds", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						ctrPath("/layers"),
+						builderImage,
+						h.WithFlags(
+							"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+							"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/empty_plan.toml",
+							"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+						),
+					)
+					// check builder metadata.toml for success test
+					_, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers", "config", "metadata.toml"))
+
+					h.AssertStringContains(t, md.Buildpacks[0].API, "0.10")
+					h.AssertStringContains(t, md.Buildpacks[0].ID, "hello_world")
+					h.AssertStringContains(t, md.Buildpacks[0].Version, "0.0.1")
+				})
+			})
+
+			when("invalid", func() {
+				it("errors", func() {
+					command := exec.Command(
+						"docker",
+						"run",
+						"--rm",
+						"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+						"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/wrong_plan.toml",
+						"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+						builderImage,
+					)
+					output, err := command.CombinedOutput()
+					h.AssertNotNil(t, err)
+					expected := "failed to read plan file: toml: line 1: expected '.' or '=', but got 'a' instead"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+		})
+	})
+
+	when("determining the location of input files", func() {
+		// .../cmd/lifecycle/builder.go#Args
+		when("group.toml path is not specified", func() {
+			it("will look for group.toml in the provided layers directory", func() {
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/layers"),
+					builderImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+						"--env", "CNB_LAYERS_DIR=/layers/different_layer_dir_from_env",
+						"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan_buildpack_2.toml",
+					),
+				)
+				_, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers/different_layer_dir_from_env/config/metadata.toml"))
+
+				h.AssertStringContains(t, md.Buildpacks[0].API, "0.10")
+				h.AssertStringContains(t, md.Buildpacks[0].ID, "hello_world_2")
+				h.AssertStringContains(t, md.Buildpacks[0].Version, "0.0.2")
+			})
+		})
+
+		// .../cmd/lifecycle/builder.go#Args
+		when("plan.toml path is not specified", func() {
+			it("will look for plan.toml in the provided layers directory", func() {
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/layers"),
+					builderImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+						"--env", "CNB_LAYERS_DIR=/layers/different_layer_dir_from_env",
+						"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group_buildpack2.toml",
+					),
+				)
+				_, md := getBuilderMetadata(t, filepath.Join(copyDir, "layers/different_layer_dir_from_env/config/metadata.toml"))
+
+				h.AssertStringContains(t, md.Buildpacks[0].API, "0.10")
+				h.AssertStringContains(t, md.Buildpacks[0].ID, "hello_world_2")
+				h.AssertStringContains(t, md.Buildpacks[0].Version, "0.0.2")
+			})
+		})
+	})
+
+	when("CNB_APP_DIR is set", func() {
+		it("sets the buildpacks' working directory to CNB_APP_DIR", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+				"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+				"--env", "CNB_APP_DIR=/env_folders/different_cnb_app_dir_from_env",
+				builderImage,
+			)
+			output, err := command.CombinedOutput()
+			h.AssertNil(t, err)
+			expected := "CNB_APP_DIR: /env_folders/different_cnb_app_dir_from_env"
+			h.AssertStringContains(t, string(output), expected)
+		})
+	})
+
+	when("CNB_BUILDPACKS_DIR is set", func() {
+		it("uses buildpacks from CNB_BUILDPACKS_DIR", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+				"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+				"--env", "CNB_BUILDPACKS_DIR=/env_folders/different_buildpack_dir_from_env",
+				builderImage,
+			)
+			output, err := command.CombinedOutput()
+			h.AssertNil(t, err)
+			expected := "CNB_BUILDPACK_DIR: /env_folders/different_buildpack_dir_from_env"
+			h.AssertStringContains(t, string(output), expected)
+		})
+	})
+
+	when("CNB_LAYERS_DIR is set", func() {
+		it("CNB_LAYERS_DIR is a parent of the buildpack layers dir", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+				"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+				"--env", "CNB_LAYERS_DIR=/layers/different_layer_dir_from_env",
+				builderImage,
+			)
+			output, err := command.CombinedOutput()
+			h.AssertNil(t, err)
+			expected := "LAYERS_DIR: /layers/different_layer_dir_from_env/hello_world"
+			h.AssertStringContains(t, string(output), expected)
+		})
+	})
+
+	when("CNB_PLAN_PATH is set", func() {
+		it("provides the buildpack a filtered version of the plan found at CNB_PLAN_PATH", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+				"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/different_plan_from_env.toml",
+				builderImage,
+			)
+			output, err := command.CombinedOutput()
+			h.AssertNil(t, err)
+			expected := "name = \"different_plan_from_env.toml_reqires_subset_content\""
+			h.AssertStringContains(t, string(output), expected)
+		})
+	})
+
+	when("CNB_PLATFORM_DIR is set", func() {
+		it("CNB_PLATFORM_DIR is successfully transmitted to build script", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				"--env", "CNB_GROUP_PATH=/cnb/group_tomls/always_detect_group.toml",
+				"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan.toml",
+				"--env", "CNB_PLATFORM_DIR=/env_folders/different_platform_dir_from_env",
+				builderImage,
+			)
+			output, err := command.CombinedOutput()
+			h.AssertNil(t, err)
+			expected := "PLATFORM_DIR: /env_folders/different_platform_dir_from_env"
+			h.AssertStringContains(t, string(output), expected)
+		})
+	})
+
+	when("It runs", func() {
+		it("sets CNB_TARGET_* vars", func() {
+			command := exec.Command(
+				"docker",
+				"run",
+				"--rm",
+				"--env", "CNB_PLATFORM_API="+latestPlatformAPI,
+				"--env", "CNB_LAYERS_DIR=/layers/03_layer",
+				"--env", "CNB_PLAN_PATH=/cnb/plan_tomls/always_detect_plan_buildpack_3.toml",
+				builderImage,
+			)
+			output, err := command.CombinedOutput()
+			fmt.Println(string(output))
+			h.AssertNil(t, err)
+			h.AssertStringContains(t, string(output), "CNB_TARGET_ARCH: amd64")
+			h.AssertStringContains(t, string(output), "CNB_TARGET_ARCH_VARIANT: some-variant")
+			h.AssertStringContains(t, string(output), "CNB_TARGET_OS: linux")
+			h.AssertStringContains(t, string(output), "CNB_TARGET_DISTRO_NAME: ubuntu")
+			h.AssertStringContains(t, string(output), "CNB_TARGET_DISTRO_VERSION: some-cute-version")
+		})
+	})
+}
+
+func getBuilderMetadata(t *testing.T, path string) (string, *files.BuildMetadata) {
+	t.Helper()
+	contents, _ := os.ReadFile(path)
+	h.AssertEq(t, len(contents) > 0, true)
+
+	buildMD, err := files.Handler.ReadBuildMetadata(path, api.MustParse(latestPlatformAPI))
+	h.AssertNil(t, err)
+
+	return string(contents), buildMD
+}
--- a/acceptance/creator_test.go
+++ b/acceptance/creator_test.go
@ -0,0 +1,445 @@
+//go:build acceptance
+
+package acceptance
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/buildpacks/lifecycle/internal/path"
+
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+var (
+	createImage          string
+	createRegAuthConfig  string
+	createRegNetwork     string
+	creatorPath          string
+	createDaemonFixtures *daemonImageFixtures
+	createRegFixtures    *regImageFixtures
+	createTest           *PhaseTest
+)
+
+func TestCreator(t *testing.T) {
+	testImageDockerContext := filepath.Join("testdata", "creator")
+	createTest = NewPhaseTest(t, "creator", testImageDockerContext)
+	createTest.Start(t)
+	defer createTest.Stop(t)
+
+	createImage = createTest.testImageRef
+	creatorPath = createTest.containerBinaryPath
+	createRegAuthConfig = createTest.targetRegistry.authConfig
+	createRegNetwork = createTest.targetRegistry.network
+	createDaemonFixtures = createTest.targetDaemon.fixtures
+	createRegFixtures = createTest.targetRegistry.fixtures
+
+	for _, platformAPI := range api.Platform.Supported {
+		spec.Run(t, "acceptance-creator/"+platformAPI.String(), testCreatorFunc(platformAPI.String()), spec.Parallel(), spec.Report(report.Terminal{}))
+	}
+}
+
+func testCreatorFunc(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
+	return func(t *testing.T, when spec.G, it spec.S) {
+		var createdImageName string
+
+		when("called with run", func() {
+			it("uses the provided run.toml path", func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept -run")
+				cmd := exec.Command(
+					"docker", "run", "--rm",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					"--env", "CNB_REGISTRY_AUTH="+createRegAuthConfig,
+					"--network", createRegNetwork,
+					createImage,
+					ctrPath(creatorPath),
+					"-run", "/cnb/run.toml",
+					createRegFixtures.SomeAppImage,
+				) // #nosec G204
+				output, err := cmd.CombinedOutput()
+
+				h.AssertNotNil(t, err)
+				expected := "failed to resolve inputs: failed to find accessible run image"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("detected order contains extensions", func() {
+			it("errors", func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.10"), "")
+				cmd := exec.Command(
+					"docker", "run", "--rm",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					"--env", "CNB_REGISTRY_AUTH="+createRegAuthConfig,
+					"--network", createRegNetwork,
+					createImage,
+					ctrPath(creatorPath),
+					"-log-level", "debug",
+					"-order", "/cnb/order-with-extensions.toml",
+					"-run-image", createRegFixtures.ReadOnlyRunImage,
+					createRegFixtures.SomeAppImage,
+				) // #nosec G204
+				output, err := cmd.CombinedOutput()
+
+				h.AssertNotNil(t, err)
+				expected := "detected order contains extensions which is not supported by the creator"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("daemon case", func() {
+			it.After(func() {
+				h.DockerImageRemove(t, createdImageName)
+			})
+
+			it("creates app", func() {
+				createFlags := []string{"-daemon"}
+				createFlags = append(createFlags, []string{"-run-image", createRegFixtures.ReadOnlyRunImage}...)
+
+				createArgs := append([]string{ctrPath(creatorPath)}, createFlags...)
+				createdImageName = "some-created-image-" + h.RandString(10)
+				createArgs = append(createArgs, createdImageName)
+
+				output := h.DockerRun(t,
+					createImage,
+					h.WithFlags(append(
+						dockerSocketMount,
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_REGISTRY_AUTH="+createRegAuthConfig,
+						"--network", createRegNetwork,
+					)...),
+					h.WithArgs(createArgs...),
+				)
+				h.AssertStringContains(t, output, "Saving "+createdImageName)
+
+				assertImageOSAndArch(t, createdImageName, createTest)
+
+				output = h.DockerRun(t,
+					createdImageName,
+					h.WithFlags(
+						"--entrypoint", "/cnb/lifecycle/launcher",
+					),
+					h.WithArgs("env"),
+				)
+				h.AssertStringContains(t, output, "SOME_VAR=some-val") // set by buildpack
+			})
+		})
+
+		when("registry case", func() {
+			it.After(func() {
+				h.DockerImageRemove(t, createdImageName)
+			})
+
+			it("creates app", func() {
+				var createFlags []string
+				createFlags = append(createFlags, []string{"-run-image", createRegFixtures.ReadOnlyRunImage}...)
+
+				createArgs := append([]string{ctrPath(creatorPath)}, createFlags...)
+				createdImageName = createTest.RegRepoName("some-created-image-" + h.RandString(10))
+				createArgs = append(createArgs, createdImageName)
+
+				output := h.DockerRun(t,
+					createImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_REGISTRY_AUTH="+createRegAuthConfig,
+						"--network", createRegNetwork,
+					),
+					h.WithArgs(createArgs...),
+				)
+				h.AssertStringContains(t, output, "Saving "+createdImageName)
+
+				h.Run(t, exec.Command("docker", "pull", createdImageName))
+				assertImageOSAndArch(t, createdImageName, createTest)
+
+				output = h.DockerRun(t,
+					createdImageName,
+					h.WithFlags(
+						"--entrypoint", "/cnb/lifecycle/launcher",
+					),
+					h.WithArgs("env"),
+				)
+				h.AssertStringContains(t, output, "SOME_VAR=some-val") // set by buildpack
+			})
+		})
+
+		when("multiple builds", func() {
+			var (
+				container1     string
+				container2     string
+				container3     string
+				container4     string
+				dirBuild1      string
+				dirBuild2      string
+				dirCache       string
+				dirLaunchCache string
+				dirRun1        string
+				dirRun2        string
+				imageName      string
+			)
+
+			it.Before(func() {
+				// assign container names
+				for _, cPtr := range []*string{&container1, &container2, &container3, &container4} {
+					*cPtr = "test-container-" + h.RandString(10)
+				}
+				// create temp dirs
+				for _, dirPtr := range []*string{&dirCache, &dirLaunchCache, &dirBuild1, &dirRun1, &dirBuild2, &dirRun2} {
+					dir, err := os.MkdirTemp("", "creator-acceptance")
+					h.AssertNil(t, err)
+					h.AssertNil(t, os.Chmod(dir, 0777)) // Override umask
+
+					// Resolve temp dir so it can be properly mounted by the Docker daemon.
+					*dirPtr, err = filepath.EvalSymlinks(dir)
+					h.AssertNil(t, err)
+				}
+				// assign image name
+				imageName = "some-created-image-" + h.RandString(10)
+			})
+
+			it.After(func() {
+				// remove containers if needed
+				for _, container := range []string{container1, container2, container3, container4} {
+					if h.DockerContainerExists(t, container) {
+						h.Run(t, exec.Command("docker", "rm", container))
+					}
+				}
+				// remove temp dirs
+				for _, dir := range []string{dirCache, dirLaunchCache, dirBuild1, dirRun1, dirBuild2, dirRun2} {
+					_ = os.RemoveAll(dir)
+				}
+				// remove image
+				h.DockerImageRemove(t, imageName)
+			})
+
+			when("multiple builds", func() {
+				var (
+					createFlags          []string
+					createArgs           []string
+					duration1, duration2 time.Duration
+				)
+
+				it.Before(func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.8"), "Platform API < 0.8 does not support standardized SBOM")
+
+					createFlags = []string{"-daemon"}
+					createFlags = append(createFlags, []string{
+						"-run-image", createRegFixtures.ReadOnlyRunImage,
+						"-cache-dir", ctrPath("/cache"),
+						"-launch-cache", ctrPath("/launch-cache"),
+						"-log-level", "debug",
+					}...)
+					createArgs = append([]string{ctrPath(creatorPath)}, createFlags...)
+					createArgs = append(createArgs, imageName)
+
+					startTime := time.Now()
+					// first build
+					output := h.DockerRunAndCopy(t,
+						container1,
+						dirBuild1,
+						ctrPath("/layers"),
+						createImage,
+						h.WithFlags(append(
+							dockerSocketMount,
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_REGISTRY_AUTH="+createRegAuthConfig,
+							"--network", createRegNetwork,
+							"--volume", dirCache+":"+ctrPath("/cache"),
+							"--volume", dirLaunchCache+":"+ctrPath("/launch-cache"),
+						)...),
+						h.WithArgs(createArgs...),
+					)
+					duration1 = time.Now().Sub(startTime)
+					t.Logf("First build duration: %s", duration1)
+					h.AssertStringDoesNotContain(t, output, "restored with content")
+					h.AssertPathExists(t, filepath.Join(dirBuild1, "layers", "sbom", "build", "samples_hello-world", "sbom.cdx.json"))
+					h.AssertPathExists(t, filepath.Join(dirBuild1, "layers", "sbom", "build", "samples_hello-world", "some-build-layer", "sbom.cdx.json"))
+
+					// first run
+					output = h.DockerRunAndCopy(t,
+						container2,
+						dirRun1,
+						ctrPath("/layers"),
+						imageName,
+						h.WithFlags(
+							"--entrypoint", "/cnb/lifecycle/launcher",
+						),
+						h.WithArgs("env"),
+					)
+					h.AssertPathExists(t, filepath.Join(dirRun1, "layers", "sbom", "launch", "samples_hello-world", "sbom.cdx.json"))
+					h.AssertPathExists(t, filepath.Join(dirRun1, "layers", "sbom", "launch", "samples_hello-world", "some-launch-cache-layer", "sbom.cdx.json"))
+					h.AssertPathExists(t, filepath.Join(dirRun1, "layers", "sbom", "launch", "samples_hello-world", "some-layer", "sbom.cdx.json"))
+					h.AssertPathDoesNotExist(t, filepath.Join(dirRun1, "layers", "sbom", "build"))
+					h.AssertPathDoesNotExist(t, filepath.Join(dirRun1, "layers", "sbom", "cache"))
+				})
+
+				when("rebuild with cache", func() {
+					it("exports SBOM in the app image", func() {
+						startTime := time.Now()
+						// second build
+						output := h.DockerRunAndCopy(t,
+							container3,
+							dirBuild2,
+							ctrPath("/layers"),
+							createImage,
+							h.WithFlags(append(
+								dockerSocketMount,
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+								"--env", "CNB_REGISTRY_AUTH="+createRegAuthConfig,
+								"--network", createRegNetwork,
+								"--volume", dirCache+":/cache",
+								"--volume", dirLaunchCache+":"+ctrPath("/launch-cache"),
+							)...),
+							h.WithArgs(createArgs...),
+						)
+						// check that launch cache was used
+						duration2 = time.Now().Sub(startTime)
+						t.Logf("Second build duration: %s", duration2)
+						if duration2+time.Duration(0.1*float64(time.Second)) >= duration1 {
+							t.Logf("Second build output: %s", output)
+							t.Fatalf("Expected second build to complete 0.1s faster than first build; first build took %s, second build took %s", duration1, duration2)
+						}
+						h.AssertStringContains(t, output, "some-layer.sbom.cdx.json restored with content: {\"key\": \"some-launch-true-bom-content\"}")
+						h.AssertStringContains(t, output, "some-cache-layer.sbom.cdx.json restored with content: {\"key\": \"some-cache-true-bom-content\"}")
+						h.AssertStringContains(t, output, "some-launch-cache-layer.sbom.cdx.json restored with content: {\"key\": \"some-launch-true-cache-true-bom-content\"}")
+						h.AssertStringContains(t, output, "Reusing layer 'buildpacksio/lifecycle:launch.sbom'")
+						h.AssertPathExists(t, filepath.Join(dirBuild2, "layers", "sbom", "build", "samples_hello-world", "sbom.cdx.json"))
+						h.AssertPathExists(t, filepath.Join(dirBuild2, "layers", "sbom", "build", "samples_hello-world", "some-build-layer", "sbom.cdx.json"))
+						t.Log("restores store.toml")
+						h.AssertStringContains(t, output, "store.toml restored with content: [metadata]")
+
+						// second run
+						output = h.DockerRunAndCopy(t,
+							container4,
+							dirRun2,
+							ctrPath("/layers"),
+							imageName,
+							h.WithFlags(
+								"--entrypoint", "/cnb/lifecycle/launcher",
+							),
+							h.WithArgs("env"),
+						)
+						h.AssertPathExists(t, filepath.Join(dirRun1, "layers", "sbom", "launch", "samples_hello-world", "sbom.cdx.json"))
+						h.AssertPathExists(t, filepath.Join(dirRun1, "layers", "sbom", "launch", "samples_hello-world", "some-launch-cache-layer", "sbom.cdx.json"))
+						h.AssertPathExists(t, filepath.Join(dirRun1, "layers", "sbom", "launch", "samples_hello-world", "some-layer", "sbom.cdx.json"))
+						h.AssertPathDoesNotExist(t, filepath.Join(dirRun1, "layers", "sbom", "build"))
+						h.AssertPathDoesNotExist(t, filepath.Join(dirRun1, "layers", "sbom", "cache"))
+					})
+				})
+
+				when("rebuild with clear cache", func() {
+					it("exports SBOM in the app image", func() {
+						createArgs = append([]string{ctrPath(creatorPath)}, append(createFlags, "-skip-restore")...)
+						createArgs = append(createArgs, imageName)
+
+						// second build
+						output := h.DockerRunAndCopy(t,
+							container3,
+							dirBuild2,
+							ctrPath("/layers"),
+							createImage,
+							h.WithFlags(append(
+								dockerSocketMount,
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+								"--env", "CNB_REGISTRY_AUTH="+createRegAuthConfig,
+								"--network", createRegNetwork,
+								"--volume", dirCache+":/cache",
+								"--volume", dirLaunchCache+":"+ctrPath("/launch-cache"),
+							)...),
+							h.WithArgs(createArgs...),
+						)
+						h.AssertStringDoesNotContain(t, output, "some-layer.sbom.cdx.json restored with content: {\"key\": \"some-launch-true-bom-content\"}")
+						h.AssertStringDoesNotContain(t, output, "some-cache-layer.sbom.cdx.json restored with content: {\"key\": \"some-cache-true-bom-content\"}")
+						h.AssertStringDoesNotContain(t, output, "some-launch-cache-layer.sbom.cdx.json restored with content: {\"key\": \"some-launch-true-cache-true-bom-content\"}")
+						// check that store.toml was restored
+						if api.MustParse(platformAPI).AtLeast("0.10") {
+							h.AssertStringContains(t, output, "store.toml restored with content: [metadata]")
+						} else {
+							h.AssertStringDoesNotContain(t, output, "store.toml restored with content")
+						}
+					})
+				})
+			})
+		})
+
+		when("layout case", func() {
+			var (
+				containerName string
+				err           error
+				layoutDir     string
+				tmpDir        string
+			)
+			when("experimental mode is enabled", func() {
+				it.Before(func() {
+					// creates the directory to save all the OCI images on disk
+					tmpDir, err = os.MkdirTemp("", "layout")
+					h.AssertNil(t, err)
+
+					containerName = "test-container-" + h.RandString(10)
+					layoutDir = filepath.Join(path.RootDir, "layout-repo")
+				})
+
+				it.After(func() {
+					if h.DockerContainerExists(t, containerName) {
+						h.Run(t, exec.Command("docker", "rm", containerName))
+					}
+					h.DockerImageRemove(t, createdImageName)
+
+					// removes all images created
+					os.RemoveAll(tmpDir)
+
+				})
+
+				it("creates app", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
+					var createFlags []string
+					createFlags = append(createFlags, []string{"-layout", "-layout-dir", layoutDir, "-run-image", "busybox"}...)
+
+					createArgs := append([]string{ctrPath(creatorPath)}, createFlags...)
+					createdImageName = "some-created-image-" + h.RandString(10)
+					createArgs = append(createArgs, createdImageName)
+
+					output := h.DockerRunAndCopy(t, containerName, tmpDir, layoutDir, createImage,
+						h.WithFlags(
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_EXPERIMENTAL_MODE=warn",
+						),
+						h.WithArgs(createArgs...))
+
+					h.AssertStringContains(t, output, "Saving /layout-repo/index.docker.io/library/"+createdImageName+"/latest")
+					index := h.ReadIndexManifest(t, filepath.Join(tmpDir, layoutDir, "index.docker.io", "library", createdImageName+"/latest"))
+					h.AssertEq(t, len(index.Manifests), 1)
+				})
+			})
+
+			when("experimental mode is not enabled", func() {
+				it("errors", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
+
+					cmd := exec.Command(
+						"docker", "run", "--rm",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						createImage,
+						ctrPath(creatorPath),
+						"-layout",
+						"-layout-dir", layoutDir,
+						"-run-image", "busybox",
+						"some-image",
+					) // #nosec G204
+					output, err := cmd.CombinedOutput()
+
+					h.AssertNotNil(t, err)
+					expected := "experimental features are disabled by CNB_EXPERIMENTAL_MODE=error"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+		})
+	}
+}
--- a/acceptance/detector_test.go
+++ b/acceptance/detector_test.go
@ -0,0 +1,422 @@
+//go:build acceptance
+
+package acceptance
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	"github.com/buildpacks/lifecycle/cmd"
+	"github.com/buildpacks/lifecycle/platform/files"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+var (
+	detectDockerContext                  = filepath.Join("testdata", "detector")
+	detectorBinaryDir                    = filepath.Join("testdata", "detector", "container", "cnb", "lifecycle")
+	detectImage                          = "lifecycle/acceptance/detector"
+	userID                               = "1234"
+	detectorDaemonOS, detectorDaemonArch string
+)
+
+func TestDetector(t *testing.T) {
+	info, err := h.DockerCli(t).Info(context.TODO())
+	h.AssertNil(t, err)
+
+	detectorDaemonOS = info.OSType
+	detectorDaemonArch = info.Architecture
+	if detectorDaemonArch == "x86_64" {
+		detectorDaemonArch = "amd64"
+	}
+	if detectorDaemonArch == "aarch64" {
+		detectorDaemonArch = "arm64"
+	}
+
+	h.MakeAndCopyLifecycle(t, detectorDaemonOS, detectorDaemonArch, detectorBinaryDir)
+	h.DockerBuild(t,
+		detectImage,
+		detectDockerContext,
+		h.WithArgs("--build-arg", fmt.Sprintf("cnb_platform_api=%s", api.Platform.Latest())),
+	)
+	defer h.DockerImageRemove(t, detectImage)
+
+	for _, platformAPI := range api.Platform.Supported {
+		if platformAPI.LessThan("0.12") {
+			continue
+		}
+
+		spec.Run(t, "acceptance-detector/"+platformAPI.String(), testDetectorFunc(platformAPI.String()), spec.Parallel(), spec.Report(report.Terminal{}))
+	}
+}
+
+func testDetectorFunc(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
+	return func(t *testing.T, when spec.G, it spec.S) {
+		when("called with arguments", func() {
+			it("errors", func() {
+				command := exec.Command(
+					"docker",
+					"run",
+					"--rm",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					detectImage,
+					"some-arg",
+				)
+				output, err := command.CombinedOutput()
+				h.AssertNotNil(t, err)
+				expected := "failed to parse arguments: received unexpected arguments"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("running as a root", func() {
+			it("errors", func() {
+				command := exec.Command(
+					"docker",
+					"run",
+					"--rm",
+					"--user",
+					"root",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					detectImage,
+				)
+				output, err := command.CombinedOutput()
+				h.AssertNotNil(t, err)
+				expected := "failed to detect: refusing to run as root"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("read buildpack order file failed", func() {
+			it("errors", func() {
+				// no order.toml file in the default search locations
+				command := exec.Command(
+					"docker",
+					"run",
+					"--rm",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					detectImage,
+				)
+				output, err := command.CombinedOutput()
+				h.AssertNotNil(t, err)
+				expected := "failed to initialize detector: reading order"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("no buildpack group passed detection", func() {
+			it("errors and exits with the expected code", func() {
+				command := exec.Command(
+					"docker",
+					"run",
+					"--rm",
+					"--env", "CNB_ORDER_PATH=/cnb/orders/fail_detect_order.toml",
+					"--env", "CNB_PLATFORM_API="+platformAPI,
+					detectImage,
+				)
+				output, err := command.CombinedOutput()
+				h.AssertNotNil(t, err)
+				failErr, ok := err.(*exec.ExitError)
+				if !ok {
+					t.Fatalf("expected an error of type exec.ExitError")
+				}
+				h.AssertEq(t, failErr.ExitCode(), 20) // platform code for failed detect
+
+				expected1 := `======== Output: fail_detect_buildpack@some_version ========
+Opted out of detection
+======== Results ========
+fail: fail_detect_buildpack@some_version`
+				h.AssertStringContains(t, string(output), expected1)
+				expected2 := "No buildpack groups passed detection."
+				h.AssertStringContains(t, string(output), expected2)
+			})
+		})
+
+		when("there is a buildpack group that passes detection", func() {
+			var copyDir, containerName string
+
+			it.Before(func() {
+				containerName = "test-container-" + h.RandString(10)
+				var err error
+				copyDir, err = os.MkdirTemp("", "test-docker-copy-")
+				h.AssertNil(t, err)
+			})
+
+			it.After(func() {
+				if h.DockerContainerExists(t, containerName) {
+					h.Run(t, exec.Command("docker", "rm", containerName))
+				}
+				os.RemoveAll(copyDir)
+			})
+
+			it("writes group.toml and plan.toml at the default locations", func() {
+				output := h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					"/layers",
+					detectImage,
+					h.WithFlags("--user", userID,
+						"--env", "CNB_ORDER_PATH=/cnb/orders/simple_order.toml",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+					),
+					h.WithArgs(),
+				)
+
+				// check group.toml
+				foundGroupTOML := filepath.Join(copyDir, "layers", "group.toml")
+				group, err := files.Handler.ReadGroup(foundGroupTOML)
+				h.AssertNil(t, err)
+				h.AssertEq(t, group.Group[0].ID, "simple_buildpack")
+				h.AssertEq(t, group.Group[0].Version, "simple_buildpack_version")
+
+				// check plan.toml
+				foundPlanTOML := filepath.Join(copyDir, "layers", "plan.toml")
+				buildPlan, err := files.Handler.ReadPlan(foundPlanTOML)
+				h.AssertNil(t, err)
+				h.AssertEq(t, buildPlan.Entries[0].Providers[0].ID, "simple_buildpack")
+				h.AssertEq(t, buildPlan.Entries[0].Providers[0].Version, "simple_buildpack_version")
+				h.AssertEq(t, buildPlan.Entries[0].Requires[0].Name, "some_requirement")
+				h.AssertEq(t, buildPlan.Entries[0].Requires[0].Metadata["some_metadata_key"], "some_metadata_val")
+				h.AssertEq(t, buildPlan.Entries[0].Requires[0].Metadata["version"], "some_version")
+
+				// check output
+				h.AssertStringContains(t, output, "simple_buildpack simple_buildpack_version")
+				h.AssertStringDoesNotContain(t, output, "======== Results ========") // log output is info level as detect passed
+			})
+		})
+
+		when("environment variables are provided for buildpack and app directories and for the output files", func() {
+			var copyDir, containerName string
+
+			it.Before(func() {
+				containerName = "test-container-" + h.RandString(10)
+				var err error
+				copyDir, err = os.MkdirTemp("", "test-docker-copy-")
+				h.AssertNil(t, err)
+			})
+
+			it.After(func() {
+				if h.DockerContainerExists(t, containerName) {
+					h.Run(t, exec.Command("docker", "rm", containerName))
+				}
+				os.RemoveAll(copyDir)
+			})
+
+			it("writes group.toml and plan.toml in the right locations and with the right names", func() {
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					"/layers",
+					detectImage,
+					h.WithFlags("--user", userID,
+						"--env", "CNB_ORDER_PATH=/cnb/orders/always_detect_order.toml",
+						"--env", "CNB_BUILDPACKS_DIR=/cnb/custom_buildpacks",
+						"--env", "CNB_APP_DIR=/custom_workspace",
+						"--env", "CNB_GROUP_PATH=./custom_group.toml",
+						"--env", "CNB_PLAN_PATH=./custom_plan.toml",
+						"--env", "CNB_PLATFORM_DIR=/custom_platform",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+					),
+					h.WithArgs("-log-level=debug"),
+				)
+
+				// check group.toml
+				foundGroupTOML := filepath.Join(copyDir, "layers", "custom_group.toml")
+				group, err := files.Handler.ReadGroup(foundGroupTOML)
+				h.AssertNil(t, err)
+				h.AssertEq(t, group.Group[0].ID, "always_detect_buildpack")
+				h.AssertEq(t, group.Group[0].Version, "always_detect_buildpack_version")
+
+				// check plan.toml - should be empty since we're using always_detect_order.toml so there is no "actual plan"
+				tempPlanToml := filepath.Join(copyDir, "layers", "custom_plan.toml")
+				planContents, err := os.ReadFile(tempPlanToml)
+				h.AssertNil(t, err)
+				h.AssertEq(t, len(planContents) == 0, true)
+
+				// check platform directory
+				logs := h.Run(t, exec.Command("docker", "logs", containerName))
+				expectedPlatformPath := "platform_path: /custom_platform"
+				expectedAppDir := "app_dir: /custom_workspace"
+				h.AssertStringContains(t, logs, expectedPlatformPath)
+				h.AssertStringContains(t, logs, expectedAppDir)
+			})
+		})
+
+		when("-order is provided", func() {
+			var copyDir, containerName, expectedOrderTOMLPath string
+
+			it.Before(func() {
+				containerName = "test-container-" + h.RandString(10)
+				var err error
+				copyDir, err = os.MkdirTemp("", "test-docker-copy-")
+				h.AssertNil(t, err)
+
+				simpleOrderTOML := filepath.Join("testdata", "detector", "container", "cnb", "orders", "simple_order.toml")
+				expectedOrderTOMLPath, err = filepath.Abs(simpleOrderTOML)
+				h.AssertNil(t, err)
+			})
+
+			it.After(func() {
+				if h.DockerContainerExists(t, containerName) {
+					h.Run(t, exec.Command("docker", "rm", containerName))
+				}
+				os.RemoveAll(copyDir)
+			})
+
+			when("the order.toml exists", func() {
+				it("processes the provided order.toml", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						"/layers",
+						detectImage,
+						h.WithFlags("--user", userID,
+							"--volume", expectedOrderTOMLPath+":/custom/order.toml",
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+						),
+						h.WithArgs(
+							"-log-level=debug",
+							"-order=/custom/order.toml",
+						),
+					)
+
+					// check group.toml
+					foundGroupTOML := filepath.Join(copyDir, "layers", "group.toml")
+					group, err := files.Handler.ReadGroup(foundGroupTOML)
+					h.AssertNil(t, err)
+					h.AssertEq(t, group.Group[0].ID, "simple_buildpack")
+					h.AssertEq(t, group.Group[0].Version, "simple_buildpack_version")
+				})
+			})
+
+			when("the order.toml does not exist", func() {
+				it("errors", func() {
+					command := exec.Command("docker", "run",
+						"--user", userID,
+						"--rm",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						detectImage,
+						"-order=/custom/order.toml")
+					output, err := command.CombinedOutput()
+					h.AssertNotNil(t, err)
+					expected := "failed to initialize detector: reading order: failed to read order file: open /custom/order.toml: no such file or directory"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+
+			when("the order.toml contains a buildpack using an unsupported api", func() {
+				it("errors", func() {
+					command := exec.Command("docker", "run",
+						"--user", userID,
+						"--rm",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						detectImage,
+						"-order=/cnb/orders/bad_api.toml")
+					output, err := command.CombinedOutput()
+					h.AssertNotNil(t, err)
+					failErr, ok := err.(*exec.ExitError)
+					if !ok {
+						t.Fatalf("expected an error of type exec.ExitError")
+					}
+					h.AssertEq(t, failErr.ExitCode(), 12) // platform code for buildpack api error
+					expected := "buildpack API version '0.1' is incompatible with the lifecycle"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+		})
+
+		when("-order contains extensions", func() {
+			var containerName, copyDir, orderPath string
+
+			it.Before(func() {
+				containerName = "test-container-" + h.RandString(10)
+				var err error
+				copyDir, err = os.MkdirTemp("", "test-docker-copy-")
+				h.AssertNil(t, err)
+				orderPath, err = filepath.Abs(filepath.Join("testdata", "detector", "container", "cnb", "orders", "order_with_ext.toml"))
+				h.AssertNil(t, err)
+			})
+
+			it.After(func() {
+				if h.DockerContainerExists(t, containerName) {
+					h.Run(t, exec.Command("docker", "rm", containerName))
+				}
+				os.RemoveAll(copyDir)
+			})
+
+			it("processes the provided order.toml", func() {
+				experimentalMode := "warn"
+				if api.MustParse(platformAPI).AtLeast("0.13") {
+					experimentalMode = "error"
+				}
+
+				output := h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					"/layers",
+					detectImage,
+					h.WithFlags(
+						"--user", userID,
+						"--volume", orderPath+":/layers/order.toml",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_EXPERIMENTAL_MODE="+experimentalMode,
+					),
+					h.WithArgs(
+						"-analyzed=/layers/analyzed.toml",
+						"-extensions=/cnb/extensions",
+						"-generated=/layers/generated",
+						"-log-level=debug",
+						"-run=/layers/run.toml", // /cnb/run.toml is the default location of run.toml
+					),
+				)
+
+				t.Log("runs /bin/detect for buildpacks and extensions")
+				if api.MustParse(platformAPI).LessThan("0.13") {
+					h.AssertStringContains(t, output, "Platform requested experimental feature 'Dockerfiles'")
+				}
+				h.AssertStringContains(t, output, "FOO=val-from-build-config")
+				h.AssertStringContains(t, output, "simple_extension: output from /bin/detect")
+				t.Log("writes group.toml")
+				foundGroupTOML := filepath.Join(copyDir, "layers", "group.toml")
+				group, err := files.Handler.ReadGroup(foundGroupTOML)
+				h.AssertNil(t, err)
+				h.AssertEq(t, group.GroupExtensions[0].ID, "simple_extension")
+				h.AssertEq(t, group.GroupExtensions[0].Version, "simple_extension_version")
+				h.AssertEq(t, group.Group[0].ID, "buildpack_for_ext")
+				h.AssertEq(t, group.Group[0].Version, "buildpack_for_ext_version")
+				h.AssertEq(t, group.Group[0].Extension, false)
+				t.Log("writes plan.toml")
+				foundPlanTOML := filepath.Join(copyDir, "layers", "plan.toml")
+				buildPlan, err := files.Handler.ReadPlan(foundPlanTOML)
+				h.AssertNil(t, err)
+				h.AssertEq(t, len(buildPlan.Entries), 0) // this shows that the plan was filtered to remove `requires` provided by extensions
+
+				t.Log("runs /bin/generate for extensions")
+				h.AssertStringContains(t, output, "simple_extension: output from /bin/generate")
+
+				var dockerfilePath string
+				if api.MustParse(platformAPI).LessThan("0.13") {
+					t.Log("copies the generated Dockerfiles to the output directory")
+					dockerfilePath = filepath.Join(copyDir, "layers", "generated", "run", "simple_extension", "Dockerfile")
+				} else {
+					dockerfilePath = filepath.Join(copyDir, "layers", "generated", "simple_extension", "run.Dockerfile")
+				}
+				h.AssertPathExists(t, dockerfilePath)
+				contents, err := os.ReadFile(dockerfilePath)
+				h.AssertEq(t, string(contents), "FROM some-run-image-from-extension\n")
+				t.Log("records the new run image in analyzed.toml")
+				foundAnalyzedTOML := filepath.Join(copyDir, "layers", "analyzed.toml")
+				analyzedMD, err := files.Handler.ReadAnalyzed(foundAnalyzedTOML, cmd.DefaultLogger)
+				h.AssertNil(t, err)
+				h.AssertEq(t, analyzedMD.RunImage.Image, "some-run-image-from-extension")
+			})
+		})
+	}
+}
--- a/acceptance/exporter_test.go
+++ b/acceptance/exporter_test.go
@ -0,0 +1,677 @@
+//go:build acceptance
+
+package acceptance
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/buildpacks/imgutil"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/pkg/errors"
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	"github.com/buildpacks/lifecycle/auth"
+	"github.com/buildpacks/lifecycle/cache"
+	"github.com/buildpacks/lifecycle/cmd"
+	"github.com/buildpacks/lifecycle/internal/fsutil"
+	"github.com/buildpacks/lifecycle/internal/path"
+	"github.com/buildpacks/lifecycle/platform/files"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+var (
+	exportImage          string
+	exportRegAuthConfig  string
+	exportRegNetwork     string
+	exporterPath         string
+	exportDaemonFixtures *daemonImageFixtures
+	exportRegFixtures    *regImageFixtures
+	exportTest           *PhaseTest
+)
+
+func TestExporter(t *testing.T) {
+	testImageDockerContext := filepath.Join("testdata", "exporter")
+	exportTest = NewPhaseTest(t, "exporter", testImageDockerContext)
+
+	exportTest.Start(t, updateTOMLFixturesWithTestRegistry)
+	defer exportTest.Stop(t)
+
+	exportImage = exportTest.testImageRef
+	exporterPath = exportTest.containerBinaryPath
+	exportRegAuthConfig = exportTest.targetRegistry.authConfig
+	exportRegNetwork = exportTest.targetRegistry.network
+	exportDaemonFixtures = exportTest.targetDaemon.fixtures
+	exportRegFixtures = exportTest.targetRegistry.fixtures
+
+	for _, platformAPI := range api.Platform.Supported {
+		spec.Run(t, "acceptance-exporter/"+platformAPI.String(), testExporterFunc(platformAPI.String()), spec.Parallel(), spec.Report(report.Terminal{}))
+	}
+}
+
+func testExporterFunc(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
+	return func(t *testing.T, when spec.G, it spec.S) {
+
+		when("daemon case", func() {
+			var exportedImageName string
+
+			it.After(func() {
+				_, _, _ = h.RunE(exec.Command("docker", "rmi", exportedImageName)) // #nosec G204
+			})
+
+			it("app is created", func() {
+				exportFlags := []string{"-daemon", "-log-level", "debug"}
+				exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+				exportedImageName = "some-exported-image-" + h.RandString(10)
+				exportArgs = append(exportArgs, exportedImageName)
+
+				output := h.DockerRun(t,
+					exportImage,
+					h.WithFlags(append(
+						dockerSocketMount,
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+					)...),
+					h.WithArgs(exportArgs...),
+				)
+				h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+				if api.MustParse(platformAPI).AtLeast("0.11") {
+					extensions := []string{"sbom.cdx.json", "sbom.spdx.json", "sbom.syft.json"}
+					for _, extension := range extensions {
+						h.AssertStringContains(t, output, fmt.Sprintf("Copying SBOM lifecycle.%s to %s", extension, filepath.Join(path.RootDir, "layers", "sbom", "build", "buildpacksio_lifecycle", extension)))
+						h.AssertStringContains(t, output, fmt.Sprintf("Copying SBOM launcher.%s to %s", extension, filepath.Join(path.RootDir, "layers", "sbom", "launch", "buildpacksio_lifecycle", "launcher", extension)))
+					}
+				} else {
+					h.AssertStringDoesNotContain(t, output, "Copying SBOM")
+				}
+
+				if api.MustParse(platformAPI).AtLeast("0.12") {
+					expectedHistory := []string{
+						"Buildpacks Launcher Config",
+						"Buildpacks Application Launcher",
+						"Application Layer",
+						"Software Bill-of-Materials",
+						"Layer: 'corrupted-layer', Created by buildpack: corrupted_buildpack@corrupted_v1",
+						"Layer: 'launch-layer', Created by buildpack: cacher_buildpack@cacher_v1",
+						"", // run image layer
+					}
+					assertDaemonImageHasHistory(t, exportedImageName, expectedHistory)
+				} else {
+					assertDaemonImageDoesNotHaveHistory(t, exportedImageName)
+				}
+
+				assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+			})
+
+			when("using extensions", func() {
+				it.Before(func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
+				})
+
+				it("app is created from the extended run image", func() {
+					exportFlags := []string{
+						"-analyzed", "/layers/run-image-extended-analyzed.toml", // though the run image is a registry image, it also exists in the daemon with the same tag
+						"-daemon",
+						"-extended", "/layers/some-extended-dir",
+						"-log-level", "debug",
+						"-run", "/cnb/run.toml", // though the run image is a registry image, it also exists in the daemon with the same tag
+					}
+					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+					exportedImageName = "some-exported-image-" + h.RandString(10)
+					exportArgs = append(exportArgs, exportedImageName)
+
+					// get run image top layer
+					inspect, _, err := h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportTest.targetRegistry.fixtures.ReadOnlyRunImage)
+					h.AssertNil(t, err)
+					layers := inspect.RootFS.Layers
+					runImageFixtureTopLayerSHA := layers[len(layers)-1]
+					runImageFixtureSHA := inspect.ID
+
+					experimentalMode := "warn"
+					if api.MustParse(platformAPI).AtLeast("0.13") {
+						experimentalMode = "error"
+					}
+
+					output := h.DockerRun(t,
+						exportImage,
+						h.WithFlags(append(
+							dockerSocketMount,
+							"--env", "CNB_EXPERIMENTAL_MODE="+experimentalMode,
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+						)...),
+						h.WithArgs(exportArgs...),
+					)
+					h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+					assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+					expectedHistory := []string{
+						"Buildpacks Launcher Config",
+						"Buildpacks Application Launcher",
+						"Application Layer",
+						"Software Bill-of-Materials",
+						"Layer: 'corrupted-layer', Created by buildpack: corrupted_buildpack@corrupted_v1",
+						"Layer: 'launch-layer', Created by buildpack: cacher_buildpack@cacher_v1",
+						"Layer: 'RUN mkdir /some-other-dir && echo some-data > /some-other-dir/some-file && echo some-data > /some-other-file', Created by extension: second-extension",
+						"Layer: 'RUN mkdir /some-dir && echo some-data > /some-dir/some-file && echo some-data > /some-file', Created by extension: first-extension",
+						"", // run image layer
+					}
+					assertDaemonImageHasHistory(t, exportedImageName, expectedHistory)
+					t.Log("bases the exported image on the extended run image")
+					inspect, _, err = h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportedImageName)
+					h.AssertNil(t, err)
+					h.AssertEq(t, inspect.Config.Labels["io.buildpacks.rebasable"], "false") // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<sha>/blobs/sha256/<config>
+					t.Log("Adds extension layers")
+					type testCase struct {
+						expectedDiffID string
+						layerIndex     int
+					}
+					testCases := []testCase{
+						{
+							expectedDiffID: "sha256:fb54d2566824d6630d94db0b008d9a544a94d3547a424f52e2fd282b648c0601", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/65c2873d397056a5cb4169790654d787579b005f18b903082b177d4d9b4aecf5 after un-compressing and zeroing timestamps
+							layerIndex:     1,
+						},
+						{
+							expectedDiffID: "sha256:1018c7d3584c4f7fa3ef4486d1a6a11b93956b9d8bfe0898a3e0fbd248c984d8", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/0fb9b88c9cbe9f11b4c8da645f390df59f5949632985a0bfc2a842ef17b2ad18 after un-compressing and zeroing timestamps
+							layerIndex:     2,
+						},
+					}
+					for _, tc := range testCases {
+						h.AssertEq(t, inspect.RootFS.Layers[tc.layerIndex], tc.expectedDiffID)
+					}
+					t.Log("sets the layers metadata label according to the new spec")
+					var lmd files.LayersMetadata
+					lmdJSON := inspect.Config.Labels["io.buildpacks.lifecycle.metadata"]
+					h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
+					h.AssertEq(t, lmd.RunImage.Image, exportTest.targetRegistry.fixtures.ReadOnlyRunImage) // from analyzed.toml
+					h.AssertEq(t, lmd.RunImage.Mirrors, []string{"mirror1", "mirror2"})                    // from run.toml
+					h.AssertEq(t, lmd.RunImage.TopLayer, runImageFixtureTopLayerSHA)
+					h.AssertEq(t, lmd.RunImage.Reference, strings.TrimPrefix(runImageFixtureSHA, "sha256:"))
+				})
+			})
+
+			when("SOURCE_DATE_EPOCH is set", func() {
+				it("app is created with config CreatedAt set to SOURCE_DATE_EPOCH", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.9"), "SOURCE_DATE_EPOCH support added in 0.9")
+					expectedTime := time.Date(2022, 1, 5, 5, 5, 5, 0, time.UTC)
+					exportFlags := []string{"-daemon"}
+					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+					exportedImageName = "some-exported-image-" + h.RandString(10)
+					exportArgs = append(exportArgs, exportedImageName)
+
+					output := h.DockerRun(t,
+						exportImage,
+						h.WithFlags(append(
+							dockerSocketMount,
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+							"--env", "SOURCE_DATE_EPOCH="+fmt.Sprintf("%d", expectedTime.Unix()),
+							"--network", exportRegNetwork,
+						)...),
+						h.WithArgs(exportArgs...),
+					)
+					h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+					assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, expectedTime)
+				})
+			})
+		})
+
+		when("registry case", func() {
+			var exportedImageName string
+
+			it.After(func() {
+				_, _, _ = h.RunE(exec.Command("docker", "rmi", exportedImageName)) // #nosec G204
+			})
+
+			it("app is created", func() {
+				var exportFlags []string
+				exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+				exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+				exportArgs = append(exportArgs, exportedImageName)
+
+				output := h.DockerRun(t,
+					exportImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+						"--network", exportRegNetwork,
+					),
+					h.WithArgs(exportArgs...),
+				)
+				h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+				h.Run(t, exec.Command("docker", "pull", exportedImageName))
+				assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+			})
+
+			when("registry is insecure", func() {
+				it.Before(func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
+				})
+
+				it("uses http protocol", func() {
+					var exportFlags []string
+					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+					exportedImageName = exportTest.RegRepoName("some-insecure-exported-image-" + h.RandString(10))
+					exportArgs = append(exportArgs, exportedImageName)
+					insecureRegistry := "host.docker.internal/bar"
+					insecureAnalyzed := "/layers/analyzed_insecure.toml"
+
+					_, _, err := h.DockerRunWithError(t,
+						exportImage,
+						h.WithFlags(
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_INSECURE_REGISTRIES="+insecureRegistry,
+							"--env", "CNB_ANALYZED_PATH="+insecureAnalyzed,
+							"--network", exportRegNetwork,
+						),
+						h.WithArgs(exportArgs...),
+					)
+					h.AssertStringContains(t, err.Error(), "http://host.docker.internal")
+				})
+			})
+
+			when("SOURCE_DATE_EPOCH is set", func() {
+				it("app is created with config CreatedAt set to SOURCE_DATE_EPOCH", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.9"), "SOURCE_DATE_EPOCH support added in 0.9")
+					expectedTime := time.Date(2022, 1, 5, 5, 5, 5, 0, time.UTC)
+
+					var exportFlags []string
+					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+					exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+					exportArgs = append(exportArgs, exportedImageName)
+
+					output := h.DockerRun(t,
+						exportImage,
+						h.WithFlags(
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+							"--env", "SOURCE_DATE_EPOCH="+fmt.Sprintf("%d", expectedTime.Unix()),
+							"--network", exportRegNetwork,
+						),
+						h.WithArgs(exportArgs...),
+					)
+					h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+					h.Run(t, exec.Command("docker", "pull", exportedImageName))
+					assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, expectedTime)
+				})
+			})
+
+			// FIXME: move this out of the registry block
+			when("cache", func() {
+				when("image case", func() {
+					it("cache is created", func() {
+						cacheImageName := exportTest.RegRepoName("some-cache-image-" + h.RandString(10))
+						exportFlags := []string{"-cache-image", cacheImageName}
+						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+						exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+						exportArgs = append(exportArgs, exportedImageName)
+
+						output := h.DockerRun(t,
+							exportImage,
+							h.WithFlags(
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+								"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+								"--network", exportRegNetwork,
+							),
+							h.WithArgs(exportArgs...),
+						)
+						h.AssertStringContains(t, output, "Saving "+exportedImageName)
+						// To detect whether the export of cacheImage and exportedImage is successful
+						h.Run(t, exec.Command("docker", "pull", exportedImageName))
+						assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+						h.Run(t, exec.Command("docker", "pull", cacheImageName))
+					})
+
+					when("parallel export is enabled", func() {
+						it("cache is created", func() {
+							cacheImageName := exportTest.RegRepoName("some-cache-image-" + h.RandString(10))
+							exportFlags := []string{"-cache-image", cacheImageName, "-parallel"}
+							exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+							exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+							exportArgs = append(exportArgs, exportedImageName)
+
+							output := h.DockerRun(t,
+								exportImage,
+								h.WithFlags(
+									"--env", "CNB_PLATFORM_API="+platformAPI,
+									"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+									"--network", exportRegNetwork,
+								),
+								h.WithArgs(exportArgs...),
+							)
+							h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+							h.Run(t, exec.Command("docker", "pull", exportedImageName))
+							assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+							h.Run(t, exec.Command("docker", "pull", cacheImageName))
+						})
+					})
+
+					when("cache is provided but no data was cached", func() {
+						it("cache is created with an empty layer", func() {
+							cacheImageName := exportTest.RegRepoName("some-empty-cache-image-" + h.RandString(10))
+							exportFlags := []string{"-cache-image", cacheImageName, "-layers", "/other_layers"}
+							exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+							exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+							exportArgs = append(exportArgs, exportedImageName)
+
+							output := h.DockerRun(t,
+								exportImage,
+								h.WithFlags(
+									"--env", "CNB_PLATFORM_API="+platformAPI,
+									"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+									"--network", exportRegNetwork,
+								),
+								h.WithArgs(exportArgs...),
+							)
+							h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+							testEmptyLayerSHA := calculateEmptyLayerSha(t)
+
+							// Retrieve the cache image from the ephemeral registry
+							h.Run(t, exec.Command("docker", "pull", cacheImageName))
+							logger := cmd.DefaultLogger
+
+							subject, err := cache.NewImageCacheFromName(cacheImageName, authn.DefaultKeychain, logger, cache.NewImageDeleter(cache.NewImageComparer(), logger, api.MustParse(platformAPI).LessThan("0.13")))
+							h.AssertNil(t, err)
+
+							//Assert the cache image was created with an empty layer
+							layer, err := subject.RetrieveLayer(testEmptyLayerSHA)
+							h.AssertNil(t, err)
+							defer layer.Close()
+						})
+					})
+				})
+
+				when("directory case", func() {
+					when("original cache was corrupted", func() {
+						var cacheDir string
+
+						it.Before(func() {
+							var err error
+							cacheDir, err = os.MkdirTemp("", "cache")
+							h.AssertNil(t, err)
+							h.AssertNil(t, os.Chmod(cacheDir, 0777)) // Override umask
+
+							cacheFixtureDir := filepath.Join("testdata", "exporter", "cache-dir")
+							h.AssertNil(t, fsutil.Copy(cacheFixtureDir, cacheDir))
+							// We have to pre-create the tar files so that their digests do not change due to timestamps
+							// But, ':' in the filepath on Windows is not allowed
+							h.AssertNil(t, os.Rename(
+								filepath.Join(cacheDir, "committed", "sha256_258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59.tar"),
+								filepath.Join(cacheDir, "committed", "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59.tar"),
+							))
+						})
+
+						it.After(func() {
+							_ = os.RemoveAll(cacheDir)
+						})
+
+						it("overwrites the original layer", func() {
+							exportFlags := []string{
+								"-cache-dir", "/cache",
+								"-log-level", "debug",
+							}
+							exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+							exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+							exportArgs = append(exportArgs, exportedImageName)
+
+							output := h.DockerRun(t,
+								exportImage,
+								h.WithFlags(
+									"--env", "CNB_PLATFORM_API="+platformAPI,
+									"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+									"--network", exportRegNetwork,
+									"--volume", fmt.Sprintf("%s:/cache", cacheDir),
+								),
+								h.WithArgs(exportArgs...),
+							)
+							h.AssertStringContains(t, output, "Skipping reuse for layer corrupted_buildpack:corrupted-layer: expected layer contents to have SHA 'sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59'; found 'sha256:9e0b77ed599eafdab8611f7eeefef084077f91f02f1da0a3870c7ff20a08bee8'")
+							h.AssertStringContains(t, output, "Saving "+exportedImageName)
+							h.Run(t, exec.Command("docker", "pull", exportedImageName))
+							defer h.Run(t, exec.Command("docker", "image", "rm", exportedImageName))
+							// Verify the app has the correct sha for the layer
+							inspect, _, err := h.DockerCli(t).ImageInspectWithRaw(context.TODO(), exportedImageName)
+							h.AssertNil(t, err)
+							var lmd files.LayersMetadata
+							lmdJSON := inspect.Config.Labels["io.buildpacks.lifecycle.metadata"]
+							h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
+							h.AssertEq(t, lmd.Buildpacks[2].Layers["corrupted-layer"].SHA, "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59")
+							// Verify the cache has correct contents now
+							foundDiffID, err := func() (string, error) {
+								layerPath := filepath.Join(cacheDir, "committed", "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59.tar")
+								layerRC, err := os.Open(layerPath)
+								if err != nil {
+									return "", err
+								}
+								defer func() {
+									_ = layerRC.Close()
+								}()
+								hasher := sha256.New()
+								if _, err = io.Copy(hasher, layerRC); err != nil {
+									return "", errors.Wrap(err, "hashing layer")
+								}
+								foundDiffID := "sha256:" + hex.EncodeToString(hasher.Sum(make([]byte, 0, hasher.Size())))
+								return foundDiffID, nil
+							}()
+							h.AssertNil(t, err)
+							h.AssertEq(t, foundDiffID, "sha256:258dfa0cc987efebc17559694866ebc91139e7c0e574f60d1d4092f53d7dff59")
+						})
+					})
+				})
+			})
+
+			when("using extensions", func() {
+				it.Before(func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
+				})
+
+				it("app is created from the extended run image", func() {
+					exportFlags := []string{
+						"-analyzed", "/layers/run-image-extended-analyzed.toml",
+						"-extended", "/layers/some-extended-dir",
+						"-log-level", "debug",
+						"-run", "/cnb/run.toml",
+					}
+					exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+					exportedImageName = exportTest.RegRepoName("some-exported-image-" + h.RandString(10))
+					exportArgs = append(exportArgs, exportedImageName)
+
+					// get run image SHA & top layer
+					ref, imageAuth, err := auth.ReferenceForRepoName(authn.DefaultKeychain, exportTest.targetRegistry.fixtures.ReadOnlyRunImage)
+					h.AssertNil(t, err)
+					remoteImage, err := remote.Image(ref, remote.WithAuth(imageAuth))
+					h.AssertNil(t, err)
+					layers, err := remoteImage.Layers()
+					h.AssertNil(t, err)
+					runImageFixtureTopLayerSHA, err := layers[len(layers)-1].DiffID()
+					h.AssertNil(t, err)
+					runImageFixtureSHA, err := remoteImage.Digest()
+					h.AssertNil(t, err)
+
+					experimentalMode := "warn"
+					if api.MustParse(platformAPI).AtLeast("0.13") {
+						experimentalMode = "error"
+					}
+
+					output := h.DockerRun(t,
+						exportImage,
+						h.WithFlags(
+							"--env", "CNB_EXPERIMENTAL_MODE="+experimentalMode,
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_REGISTRY_AUTH="+exportRegAuthConfig,
+							"--network", exportRegNetwork,
+						),
+						h.WithArgs(exportArgs...),
+					)
+					h.AssertStringContains(t, output, "Saving "+exportedImageName)
+
+					h.Run(t, exec.Command("docker", "pull", exportedImageName))
+					assertImageOSAndArchAndCreatedAt(t, exportedImageName, exportTest, imgutil.NormalizedDateTime)
+					t.Log("bases the exported image on the extended run image")
+					ref, imageAuth, err = auth.ReferenceForRepoName(authn.DefaultKeychain, exportedImageName)
+					h.AssertNil(t, err)
+					remoteImage, err = remote.Image(ref, remote.WithAuth(imageAuth))
+					h.AssertNil(t, err)
+					configFile, err := remoteImage.ConfigFile()
+					h.AssertNil(t, err)
+					h.AssertEq(t, configFile.Config.Labels["io.buildpacks.rebasable"], "false") // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<sha>/blobs/sha256/<config>
+					t.Log("Adds extension layers")
+					layers, err = remoteImage.Layers()
+					h.AssertNil(t, err)
+					type testCase struct {
+						expectedDigest string
+						layerIndex     int
+					}
+					testCases := []testCase{
+						{
+							expectedDigest: "sha256:08e7ad5ce17cf5e5f70affe68b341a93de86ee2ba074932c3a05b8770f66d772", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/65c2873d397056a5cb4169790654d787579b005f18b903082b177d4d9b4aecf5 after un-compressing, zeroing timestamps, and re-compressing
+							layerIndex:     1,
+						},
+						{
+							expectedDigest: "sha256:0e74ef444ea437147e3fa0ce2aad371df5380c26b96875ae07b9b67f44cdb2ee", // from testdata/exporter/container/layers/some-extended-dir/run/sha256_<c72eda1c>/blobs/sha256/0fb9b88c9cbe9f11b4c8da645f390df59f5949632985a0bfc2a842ef17b2ad18 after un-compressing, zeroing timestamps, and re-compressing
+							layerIndex:     2,
+						},
+					}
+					for _, tc := range testCases {
+						layer := layers[tc.layerIndex]
+						digest, err := layer.Digest()
+						h.AssertNil(t, err)
+						h.AssertEq(t, digest.String(), tc.expectedDigest)
+					}
+					t.Log("sets the layers metadata label according to the new spec")
+					var lmd files.LayersMetadata
+					lmdJSON := configFile.Config.Labels["io.buildpacks.lifecycle.metadata"]
+					h.AssertNil(t, json.Unmarshal([]byte(lmdJSON), &lmd))
+					h.AssertEq(t, lmd.RunImage.Image, exportTest.targetRegistry.fixtures.ReadOnlyRunImage) // from analyzed.toml
+					h.AssertEq(t, lmd.RunImage.Mirrors, []string{"mirror1", "mirror2"})                    // from run.toml
+					h.AssertEq(t, lmd.RunImage.TopLayer, runImageFixtureTopLayerSHA.String())
+					h.AssertEq(t, lmd.RunImage.Reference, fmt.Sprintf("%s@%s", exportTest.targetRegistry.fixtures.ReadOnlyRunImage, runImageFixtureSHA.String()))
+				})
+			})
+		})
+
+		when("layout case", func() {
+			var (
+				containerName     string
+				err               error
+				layoutDir         string
+				tmpDir            string
+				exportedImageName string
+			)
+
+			when("experimental mode is enabled", func() {
+				it.Before(func() {
+					// create the directory to save all OCI images on disk
+					tmpDir, err = os.MkdirTemp("", "layout")
+					h.AssertNil(t, err)
+
+					containerName = "test-container-" + h.RandString(10)
+				})
+
+				it.After(func() {
+					if h.DockerContainerExists(t, containerName) {
+						h.Run(t, exec.Command("docker", "rm", containerName))
+					}
+					// removes all images created
+					os.RemoveAll(tmpDir)
+				})
+
+				when("using a custom layout directory", func() {
+					it.Before(func() {
+						exportedImageName = "my-custom-layout-app"
+						layoutDir = filepath.Join(path.RootDir, "my-layout-dir")
+					})
+
+					it("app is created", func() {
+						var exportFlags []string
+						h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
+						exportFlags = append(exportFlags, []string{"-layout", "-layout-dir", layoutDir, "-analyzed", "/layers/layout-analyzed.toml"}...)
+						exportArgs := append([]string{ctrPath(exporterPath)}, exportFlags...)
+						exportArgs = append(exportArgs, exportedImageName)
+
+						output := h.DockerRunAndCopy(t, containerName, tmpDir, layoutDir, exportImage,
+							h.WithFlags(
+								"--env", "CNB_EXPERIMENTAL_MODE=warn",
+								"--env", "CNB_PLATFORM_API="+platformAPI,
+							),
+							h.WithArgs(exportArgs...))
+
+						h.AssertStringContains(t, output, "Saving /my-layout-dir/index.docker.io/library/my-custom-layout-app/latest")
+
+						// assert the image was saved on disk in OCI layout format
+						index := h.ReadIndexManifest(t, filepath.Join(tmpDir, layoutDir, "index.docker.io", "library", exportedImageName, "latest"))
+						h.AssertEq(t, len(index.Manifests), 1)
+					})
+				})
+			})
+
+			when("experimental mode is not enabled", func() {
+				it.Before(func() {
+					layoutDir = filepath.Join(path.RootDir, "layout-dir")
+				})
+
+				it("errors", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not accept a -layout flag")
+
+					cmd := exec.Command(
+						"docker", "run", "--rm",
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						exportImage,
+						ctrPath(exporterPath),
+						"-layout",
+						"-layout-dir", layoutDir,
+						"some-image",
+					) // #nosec G204
+					output, err := cmd.CombinedOutput()
+
+					h.AssertNotNil(t, err)
+					expected := "experimental features are disabled by CNB_EXPERIMENTAL_MODE=error"
+					h.AssertStringContains(t, string(output), expected)
+				})
+			})
+		})
+	}
+}
+
+func assertDaemonImageDoesNotHaveHistory(t *testing.T, repoName string) {
+	history, err := h.DockerCli(t).ImageHistory(context.TODO(), repoName)
+	h.AssertNil(t, err)
+	for _, hs := range history {
+		h.AssertEq(t, hs.Created, imgutil.NormalizedDateTime.Unix())
+		h.AssertEq(t, hs.CreatedBy, "")
+	}
+}
+
+func assertDaemonImageHasHistory(t *testing.T, repoName string, expectedHistory []string) {
+	history, err := h.DockerCli(t).ImageHistory(context.TODO(), repoName)
+	h.AssertNil(t, err)
+	h.AssertEq(t, len(history), len(expectedHistory))
+	for idx, hs := range history {
+		h.AssertEq(t, hs.Created, imgutil.NormalizedDateTime.Unix())
+		h.AssertEq(t, hs.CreatedBy, expectedHistory[idx])
+	}
+}
+
+func calculateEmptyLayerSha(t *testing.T) string {
+	tmpDir, err := os.MkdirTemp("", "")
+	h.AssertNil(t, err)
+	testLayerEmptyPath := filepath.Join(tmpDir, "empty.tar")
+	h.AssertNil(t, os.WriteFile(testLayerEmptyPath, []byte{}, 0600))
+	return "sha256:" + h.ComputeSHA256ForFile(t, testLayerEmptyPath)
+}
--- a/acceptance/extender_test.go
+++ b/acceptance/extender_test.go
@ -0,0 +1,288 @@
+//go:build acceptance
+
+package acceptance
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"github.com/buildpacks/imgutil/layout/sparse"
+	"github.com/google/go-containerregistry/pkg/authn"
+	v1 "github.com/google/go-containerregistry/pkg/v1"
+	"github.com/google/go-containerregistry/pkg/v1/layout"
+	"github.com/google/go-containerregistry/pkg/v1/remote"
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	"github.com/buildpacks/lifecycle/auth"
+	"github.com/buildpacks/lifecycle/cmd"
+	"github.com/buildpacks/lifecycle/platform/files"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+var (
+	extendImage          string
+	extendRegAuthConfig  string
+	extendRegNetwork     string
+	extenderPath         string
+	extendDaemonFixtures *daemonImageFixtures
+	extendRegFixtures    *regImageFixtures
+	extendTest           *PhaseTest
+)
+
+const (
+	// Log message emitted by kaniko;
+	// if we provide cache directory as an option, kaniko looks there for the base image as a tarball;
+	// however the base image is in OCI layout format, so we fail to initialize the base image;
+	// we manage to provide the base image because we override image.RetrieveRemoteImage,
+	// but the log message could be confusing to end users, hence we check that it is not printed.
+	msgErrRetrievingImageFromCache = "Error while retrieving image from cache"
+)
+
+func TestExtender(t *testing.T) {
+	testImageDockerContext := filepath.Join("testdata", "extender")
+	extendTest = NewPhaseTest(t, "extender", testImageDockerContext)
+	extendTest.Start(t)
+	defer extendTest.Stop(t)
+
+	extendImage = extendTest.testImageRef
+	extenderPath = extendTest.containerBinaryPath
+	extendRegAuthConfig = extendTest.targetRegistry.authConfig
+	extendRegNetwork = extendTest.targetRegistry.network
+	extendDaemonFixtures = extendTest.targetDaemon.fixtures
+	extendRegFixtures = extendTest.targetRegistry.fixtures
+
+	for _, platformAPI := range api.Platform.Supported {
+		if platformAPI.LessThan("0.10") {
+			continue
+		}
+		spec.Run(t, "acceptance-extender/"+platformAPI.String(), testExtenderFunc(platformAPI.String()), spec.Parallel(), spec.Report(report.Terminal{}))
+	}
+}
+
+func testExtenderFunc(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
+	return func(t *testing.T, when spec.G, it spec.S) {
+		var generatedDir = "/layers/generated"
+
+		it.Before(func() {
+			h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.10"), "")
+			if api.MustParse(platformAPI).AtLeast("0.13") {
+				generatedDir = "/layers/generated-with-contexts"
+			}
+		})
+
+		when("kaniko case", func() {
+			var extendedDir, kanikoDir, analyzedPath string
+
+			it.Before(func() {
+				var err error
+				extendedDir, err = os.MkdirTemp("", "lifecycle-acceptance")
+				h.AssertNil(t, err)
+				kanikoDir, err = os.MkdirTemp("", "lifecycle-acceptance")
+				h.AssertNil(t, err)
+
+				// push base image to test registry
+				h.Run(t, exec.Command("docker", "tag", extendImage, extendTest.RegRepoName(extendImage)))
+				h.AssertNil(t, h.PushImage(h.DockerCli(t), extendTest.RegRepoName(extendImage), extendTest.targetRegistry.registry.EncodedLabeledAuth()))
+
+				// mimic what the restorer would have done in the previous phase:
+
+				// warm kaniko cache
+
+				// get remote image
+				os.Setenv("DOCKER_CONFIG", extendTest.targetRegistry.dockerConfigDir)
+				ref, auth, err := auth.ReferenceForRepoName(authn.DefaultKeychain, extendTest.RegRepoName(extendImage))
+				h.AssertNil(t, err)
+				remoteImage, err := remote.Image(ref, remote.WithAuth(auth))
+				h.AssertNil(t, err)
+				baseImageHash, err := remoteImage.Digest()
+				h.AssertNil(t, err)
+				baseImageDigest := baseImageHash.String()
+				baseCacheDir := filepath.Join(kanikoDir, "cache", "base")
+				h.AssertNil(t, os.MkdirAll(baseCacheDir, 0755))
+
+				// write sparse image
+				layoutImage, err := sparse.NewImage(filepath.Join(baseCacheDir, baseImageDigest), remoteImage)
+				h.AssertNil(t, err)
+				h.AssertNil(t, layoutImage.Save())
+
+				// write image reference in analyzed.toml
+				analyzedMD := files.Analyzed{
+					BuildImage: &files.ImageIdentifier{
+						Reference: fmt.Sprintf("%s@%s", extendTest.RegRepoName(extendImage), baseImageDigest),
+					},
+					RunImage: &files.RunImage{
+						Reference: fmt.Sprintf("%s@%s", extendTest.RegRepoName(extendImage), baseImageDigest),
+						Extend:    true,
+					},
+				}
+				analyzedPath = h.TempFile(t, "", "analyzed.toml")
+				h.AssertNil(t, files.Handler.WriteAnalyzed(analyzedPath, &analyzedMD, cmd.DefaultLogger))
+			})
+
+			it.After(func() {
+				_ = os.RemoveAll(kanikoDir)
+				_ = os.RemoveAll(extendedDir)
+			})
+
+			when("extending the build image", func() {
+				it("succeeds", func() {
+					extendArgs := []string{
+						ctrPath(extenderPath),
+						"-analyzed", "/layers/analyzed.toml",
+						"-generated", generatedDir,
+						"-log-level", "debug",
+						"-gid", "1000",
+						"-uid", "1234",
+					}
+
+					extendFlags := []string{
+						"--env", "CNB_PLATFORM_API=" + platformAPI,
+						"--volume", fmt.Sprintf("%s:/layers/analyzed.toml", analyzedPath),
+						"--volume", fmt.Sprintf("%s:/kaniko", kanikoDir),
+					}
+
+					t.Log("first build extends the build image by running Dockerfile commands")
+					firstOutput := h.DockerRunWithCombinedOutput(t,
+						extendImage,
+						h.WithFlags(extendFlags...),
+						h.WithArgs(extendArgs...),
+					)
+					h.AssertStringDoesNotContain(t, firstOutput, msgErrRetrievingImageFromCache)
+					h.AssertStringContains(t, firstOutput, "ca-certificates")
+					h.AssertStringContains(t, firstOutput, "Hello Extensions buildpack\ncurl") // output by buildpack, shows that curl was installed on the build image
+					t.Log("sets environment variables from the extended build image in the build context")
+					h.AssertStringContains(t, firstOutput, "CNB_STACK_ID for buildpack: stack-id-from-ext-tree")
+					h.AssertStringContains(t, firstOutput, "HOME for buildpack: /home/cnb")
+
+					t.Log("cleans the kaniko directory")
+					fis, err := os.ReadDir(kanikoDir)
+					h.AssertNil(t, err)
+					h.AssertEq(t, len(fis), 1) // 1: /kaniko/cache
+
+					t.Log("second build extends the build image by pulling from the cache directory")
+					secondOutput := h.DockerRunWithCombinedOutput(t,
+						extendImage,
+						h.WithFlags(extendFlags...),
+						h.WithArgs(extendArgs...),
+					)
+					h.AssertStringDoesNotContain(t, secondOutput, msgErrRetrievingImageFromCache)
+					h.AssertStringDoesNotContain(t, secondOutput, "ca-certificates")                                                             // shows that first cache layer was used
+					h.AssertStringDoesNotContain(t, secondOutput, "No cached layer found for cmd RUN apt-get update && apt-get install -y tree") // shows that second cache layer was used
+					h.AssertStringContains(t, secondOutput, "Hello Extensions buildpack\ncurl")                                                  // output by buildpack, shows that curl is still installed in the unpacked cached layer
+				})
+			})
+
+			when("extending the run image", func() {
+				it.Before(func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not support run image extension")
+				})
+
+				it("succeeds", func() {
+					extendArgs := []string{
+						ctrPath(extenderPath),
+						"-analyzed", "/layers/analyzed.toml",
+						"-extended", "/layers/extended",
+						"-generated", generatedDir,
+						"-kind", "run",
+						"-log-level", "debug",
+						"-gid", "1000",
+						"-uid", "1234",
+					}
+
+					extendFlags := []string{
+						"--env", "CNB_PLATFORM_API=" + platformAPI,
+						"--volume", fmt.Sprintf("%s:/layers/analyzed.toml", analyzedPath),
+						"--volume", fmt.Sprintf("%s:/layers/extended", extendedDir),
+						"--volume", fmt.Sprintf("%s:/kaniko", kanikoDir),
+					}
+
+					t.Log("first build extends the run image by running Dockerfile commands")
+					firstOutput := h.DockerRunWithCombinedOutput(t,
+						extendImage,
+						h.WithFlags(extendFlags...),
+						h.WithArgs(extendArgs...),
+					)
+					h.AssertStringDoesNotContain(t, firstOutput, msgErrRetrievingImageFromCache)
+					h.AssertStringContains(t, firstOutput, "ca-certificates")
+					h.AssertStringContains(t, firstOutput, "No cached layer found for cmd RUN apt-get update && apt-get install -y tree")
+					t.Log("does not run the build phase")
+					h.AssertStringDoesNotContain(t, firstOutput, "Hello Extensions buildpack\ncurl")
+					t.Log("outputs extended image layers to the extended directory")
+					images, err := os.ReadDir(filepath.Join(extendedDir, "run"))
+					h.AssertNil(t, err)
+					h.AssertEq(t, len(images), 1) // sha256:<extended image digest>
+					assertExpectedImage(t, filepath.Join(extendedDir, "run", images[0].Name()), platformAPI)
+					t.Log("cleans the kaniko directory")
+					caches, err := os.ReadDir(kanikoDir)
+					h.AssertNil(t, err)
+					h.AssertEq(t, len(caches), 1) // 1: /kaniko/cache
+
+					t.Log("second build extends the build image by pulling from the cache directory")
+					secondOutput := h.DockerRunWithCombinedOutput(t,
+						extendImage,
+						h.WithFlags(extendFlags...),
+						h.WithArgs(extendArgs...),
+					)
+					h.AssertStringDoesNotContain(t, secondOutput, msgErrRetrievingImageFromCache)
+					h.AssertStringDoesNotContain(t, secondOutput, "ca-certificates")                                                             // shows that first cache layer was used
+					h.AssertStringDoesNotContain(t, secondOutput, "No cached layer found for cmd RUN apt-get update && apt-get install -y tree") // shows that second cache layer was used
+					t.Log("does not run the build phase")
+					h.AssertStringDoesNotContain(t, secondOutput, "Hello Extensions buildpack\ncurl")
+					t.Log("outputs extended image layers to the extended directory")
+					images, err = os.ReadDir(filepath.Join(extendedDir, "run"))
+					h.AssertNil(t, err)
+					h.AssertEq(t, len(images), 1) // sha256:<first extended image digest>
+					assertExpectedImage(t, filepath.Join(extendedDir, "run", images[0].Name()), platformAPI)
+					t.Log("cleans the kaniko directory")
+					caches, err = os.ReadDir(kanikoDir)
+					h.AssertNil(t, err)
+					h.AssertEq(t, len(caches), 1) // 1: /kaniko/cache
+				})
+			})
+		})
+	}
+}
+
+func assertExpectedImage(t *testing.T, imagePath, platformAPI string) {
+	image, err := readOCI(imagePath)
+	h.AssertNil(t, err)
+	configFile, err := image.ConfigFile()
+	h.AssertNil(t, err)
+	h.AssertEq(t, configFile.Config.Labels["io.buildpacks.rebasable"], "false")
+	layers, err := image.Layers()
+	h.AssertNil(t, err)
+	history := configFile.History
+	h.AssertEq(t, len(history), len(configFile.RootFS.DiffIDs))
+	if api.MustParse(platformAPI).AtLeast("0.13") {
+		h.AssertEq(t, len(layers), 7) // base (3), curl (2), tree (2)
+		h.AssertEq(t, history[3].CreatedBy, "Layer: 'RUN apt-get update && apt-get install -y curl', Created by extension: curl")
+		h.AssertEq(t, history[4].CreatedBy, "Layer: 'COPY run-file /', Created by extension: curl")
+		h.AssertEq(t, history[5].CreatedBy, "Layer: 'RUN apt-get update && apt-get install -y tree', Created by extension: tree")
+		h.AssertEq(t, history[6].CreatedBy, "Layer: 'COPY shared-file /shared-run', Created by extension: tree")
+	} else {
+		h.AssertEq(t, len(layers), 5) // base (3), curl (1), tree (1)
+		h.AssertEq(t, history[3].CreatedBy, "Layer: 'RUN apt-get update && apt-get install -y curl', Created by extension: curl")
+		h.AssertEq(t, history[4].CreatedBy, "Layer: 'RUN apt-get update && apt-get install -y tree', Created by extension: tree")
+	}
+}
+
+func readOCI(fromPath string) (v1.Image, error) {
+	layoutPath, err := layout.FromPath(fromPath)
+	if err != nil {
+		return nil, fmt.Errorf("getting layout from path: %w", err)
+	}
+	hash, err := v1.NewHash(filepath.Base(fromPath))
+	if err != nil {
+		return nil, fmt.Errorf("getting hash from reference '%s': %w", fromPath, err)
+	}
+	v1Image, err := layoutPath.Image(hash)
+	if err != nil {
+		return nil, fmt.Errorf("getting image from hash '%s': %w", hash.String(), err)
+	}
+	return v1Image, nil
+}
--- a/acceptance/launcher_test.go
+++ b/acceptance/launcher_test.go
@ -1,7 +1,7 @@
 package acceptance

 import (
-	"os"
+	"fmt"
 	"os/exec"
 	"path/filepath"
 	"strings"
@ -14,166 +14,202 @@ import (
 )

 var (
-	launchDockerContext = filepath.Join("testdata", "launcher")
-	launcherBinaryDir   = filepath.Join("acceptance", "testdata", "launcher", "container", "cnb", "lifecycle")
-	launchImage         = "lifecycle/acceptance/launcher"
+	launchImage  string
+	launcherPath string
+	launchTest   *PhaseTest
 )

 func TestLauncher(t *testing.T) {
-	buildLauncher(t)
-	buildLaunchImage(t)
-	defer removeLaunchImage(t)
+	testImageDockerContext := filepath.Join("testdata", "launcher")
+	launchTest = NewPhaseTest(t, "launcher", testImageDockerContext, withoutDaemonFixtures, withoutRegistry)
+
+	containerBinaryDir := filepath.Join("testdata", "launcher", "linux", "container", "cnb", "lifecycle")
+	withCustomContainerBinaryDir := func(_ *testing.T, phaseTest *PhaseTest) {
+		phaseTest.containerBinaryDir = containerBinaryDir
+	}
+	launchTest.Start(t, withCustomContainerBinaryDir)
+	defer launchTest.Stop(t)
+
+	launchImage = launchTest.testImageRef
+	launcherPath = launchTest.containerBinaryPath
+
 	spec.Run(t, "acceptance", testLauncher, spec.Parallel(), spec.Report(report.Terminal{}))
 }

 func testLauncher(t *testing.T, when spec.G, it spec.S) {
-	when("there is no CMD provided", func() {
-		when("CNB_PROCESS_TYPE is NOT set", func() {
-			it("web is the default process-type", func() {
-				cmd := exec.Command("docker", "run", "--rm", launchImage)
-				output, err := cmd.CombinedOutput()
-				if err != nil {
-					t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-				}
-				expected := "Executing web process-type"
-				if !strings.Contains(string(output), expected) {
-					t.Fatalf("failed to execute web:\n\t got: %s\n\t want: %s", output, expected)
-				}
-			})
-		})
+	when("exec.d", func() {
+		it("executes the binaries and modifies env before running profiles", func() {
+			cmd := exec.Command("docker", "run", "--rm", //nolint
+				"--env=CNB_PLATFORM_API=0.7",
+				"--entrypoint=exec.d-checker"+exe,
+				"--env=VAR_FROM_EXEC_D=orig-val",
+				launchImage)

-		when("CNB_PROCESS_TYPE is set", func() {
-			it("the value of CNB_PROCESS_TYPE is the default process-type", func() {
-				cmd := exec.Command("docker", "run", "--rm", "--env", "CNB_PROCESS_TYPE=other-process", launchImage)
-				output, err := cmd.CombinedOutput()
-				if err != nil {
-					t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-				}
-				expected := "Executing other-process process-type"
-				if !strings.Contains(string(output), expected) {
-					t.Fatalf("failed to execute other-process:\n\t got: %s\n\t want: %s", output, expected)
-				}
-			})
+			helper := "helper" + exe
+			execDHelper := ctrPath("/layers", execDBpDir, "some_layer/exec.d", helper)
+			execDCheckerHelper := ctrPath("/layers", execDBpDir, "some_layer/exec.d/exec.d-checker", helper)
+			workDir := ctrPath("/workspace")
+
+			expected := fmt.Sprintf("%s was executed\n", execDHelper)
+			expected += fmt.Sprintf("Exec.d Working Dir: %s\n", workDir)
+			expected += fmt.Sprintf("%s was executed\n", execDCheckerHelper)
+			expected += fmt.Sprintf("Exec.d Working Dir: %s\n", workDir)
+			expected += "sourced bp profile\n"
+			expected += "sourced app profile\n"
+			expected += "VAR_FROM_EXEC_D: orig-val:val-from-exec.d:val-from-exec.d-for-process-type-exec.d-checker"
+
+			assertOutput(t, cmd, expected)
 		})
 	})

-	when("process-type provided in CMD", func() {
-		it("launches that process-type", func() {
-			cmd := exec.Command("docker", "run", "--rm", launchImage, "other-process")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			expected := "Executing other-process process-type"
-			if !strings.Contains(string(output), expected) {
-				t.Fatalf("failed to execute other-process:\n\t got: %s\n\t want: %s", output, expected)
-			}
+	when("entrypoint is a process", func() {
+		it("launches that process", func() {
+			cmd := exec.Command("docker", "run", "--rm", //nolint
+				"--entrypoint=web",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage)
+			assertOutput(t, cmd, "Executing web process-type")
+		})
+
+		when("process contains a period", func() {
+			it("launches that process", func() {
+				cmd := exec.Command("docker", "run", "--rm",
+					"--entrypoint=process.with.period"+exe,
+					"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+					launchImage)
+				assertOutput(t, cmd, "Executing process.with.period process-type")
+			})
+		})
+
+		it("appends any args to the process args", func() {
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--entrypoint=web",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage, "with user provided args",
+			)
+			assertOutput(t, cmd, "Executing web process-type with user provided args")
 		})
 	})

-	it("respects CNB_APP_DIR and CNB_LAYERS_DIR environment variables", func() {
-		cmd := exec.Command("docker", "run", "--rm",
-			"--env", "CNB_APP_DIR=/other-app",
-			"--env", "CNB_LAYERS_DIR=/other-layers",
-			launchImage)
-		output, err := cmd.CombinedOutput()
-		if err != nil {
-			t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-		}
-		expected := "sourced other app profile\nExecuting other-layers web process-type"
-		if !strings.Contains(string(output), expected) {
-			t.Fatalf("failed to execute web:\n\t got: %s\n\t want: %s", output, expected)
-		}
+	when("entrypoint is a not a process", func() {
+		it("builds a process from the arguments", func() {
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--entrypoint=launcher",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage, "--",
+				"env",
+			)
+
+			assertOutput(t, cmd,
+				"SOME_VAR=some-bp-val",
+				"OTHER_VAR=other-bp-val",
+			)
+		})
+	})
+
+	when("CNB_PROCESS_TYPE is set", func() {
+		it("should warn", func() {
+			cmd := exec.Command("docker", "run", "--rm",
+				"--env=CNB_PROCESS_TYPE=direct-process",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				"--env=CNB_NO_COLOR=true",
+				launchImage,
+			)
+			out, err := cmd.CombinedOutput()
+			h.AssertNotNil(t, err)
+			h.AssertStringContains(t, string(out), "Warning: CNB_PROCESS_TYPE is not supported in Platform API "+latestPlatformAPI)
+			h.AssertStringContains(t, string(out), `Warning: Run with ENTRYPOINT 'direct-process' to invoke the 'direct-process' process type`)
+			h.AssertStringContains(t, string(out), "ERROR: failed to launch: determine start command: when there is no default process a command is required")
+		})
 	})

 	when("provided CMD is not a process-type", func() {
 		it("sources profiles and executes the command in a shell", func() {
-			cmd := exec.Command("docker", "run", "--rm", launchImage, "echo something")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			expected := "sourced bp profile\nsourced app profile\nsomething"
-			if !strings.Contains(string(output), expected) {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, expected)
-			}
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage,
+				"echo", "something",
+			)
+			assertOutput(t, cmd, "sourced bp profile\nsourced app profile\nsomething")
 		})

 		it("sets env vars from layers", func() {
-			cmd := exec.Command("docker", "run", "--rm", launchImage, "echo $SOME_VAR $OTHER_VAR")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			expected := "sourced bp profile\nsourced app profile\nsome-bp-val other-bp-val"
-			if !strings.Contains(string(output), expected) {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, expected)
-			}
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage,
+				"echo", "$SOME_VAR", "$OTHER_VAR", "$WORKER_VAR",
+			)
+			assertOutput(t, cmd, "sourced bp profile\nsourced app profile\nsome-bp-val other-bp-val worker-no-process-val")
 		})

-		it("passes through env vars from user, excluding blacklist", func() {
-			cmd := exec.Command("docker", "run", "--rm",
-				"--env", "CNB_APP_DIR=/workspace",
-				"--env", "SOME_USER_VAR=some-user-val",
-				"--env", "OTHER_VAR=other-user-val",
-				launchImage,
-				"echo $SOME_USER_VAR $CNB_APP_DIR $OTHER_VAR")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			// bp appends other-bp-val with delimeter '**'
-			expected := "sourced bp profile\nsourced app profile\nsome-user-val other-user-val**other-bp-val"
-			if !strings.Contains(string(output), expected) {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, expected)
-			}
+		it("passes through env vars from user, excluding excluded vars", func() {
+			args := []string{"echo", "$SOME_USER_VAR, $CNB_APP_DIR, $OTHER_VAR"}
+			cmd := exec.Command("docker",
+				append(
+					[]string{
+						"run", "--rm",
+						"--env", "CNB_APP_DIR=" + ctrPath("/workspace"),
+						"--env=CNB_PLATFORM_API=" + latestPlatformAPI,
+						"--env", "SOME_USER_VAR=some-user-val",
+						"--env", "OTHER_VAR=other-user-val",
+						launchImage,
+					},
+					args...)...,
+			) // #nosec G204
+
+			assertOutput(t, cmd, "sourced bp profile\nsourced app profile\nsome-user-val, , other-user-val**other-bp-val")
 		})

 		it("adds buildpack bin dirs to the path", func() {
-			cmd := exec.Command("docker", "run", "--rm", launchImage, "bp-executable")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			expected := "bp executable"
-			if !strings.Contains(string(output), expected) {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, expected)
-			}
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage,
+				"bp-executable",
+			)
+			assertOutput(t, cmd, "bp executable")
 		})
 	})

 	when("CMD provided starts with --", func() {
 		it("launches command directly", func() {
-			cmd := exec.Command("docker", "run", "--rm", launchImage, "--", "echo", "something")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			expected := "something"
-			if !strings.Contains(string(output), expected) {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, expected)
-			}
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage, "--",
+				"echo", "something",
+			)
+			assertOutput(t, cmd, "something")
 		})

 		it("sets env vars from layers", func() {
-			cmd := exec.Command("docker", "run", "--rm", launchImage, "--", "env")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			if !strings.Contains(string(output), "SOME_VAR=some-bp-val") {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, "SOME_VAR=some-bp-val")
-			}
-			if !strings.Contains(string(output), "OTHER_VAR=other-bp-val") {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, "OTHER_VAR=other-bp-val")
-			}
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage, "--",
+				"env",
+			)
+
+			assertOutput(t, cmd,
+				"SOME_VAR=some-bp-val",
+				"OTHER_VAR=other-bp-val",
+			)
 		})

-		it("passes through env vars from user, excluding blacklist", func() {
-			cmd := exec.Command("docker", "run", "--rm",
+		it("passes through env vars from user, excluding excluded vars", func() {
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
 				"--env", "CNB_APP_DIR=/workspace",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
 				"--env", "SOME_USER_VAR=some-user-val",
-				launchImage, "--", "env")
+				launchImage, "--",
+				"env",
+			)
+
 			output, err := cmd.CombinedOutput()
 			if err != nil {
 				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
@ -189,49 +225,26 @@ func testLauncher(t *testing.T, when spec.G, it spec.S) {
 		})

 		it("adds buildpack bin dirs to the path before looking up command", func() {
-			cmd := exec.Command("docker", "run", "--rm", launchImage, "--", "bp-executable")
-			output, err := cmd.CombinedOutput()
-			if err != nil {
-				t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
-			}
-			expected := "bp executable"
-			if !strings.Contains(string(output), expected) {
-				t.Fatalf("failed to execute provided CMD:\n\t got: %s\n\t want: %s", output, expected)
-			}
+			cmd := exec.Command( //nolint
+				"docker", "run", "--rm",
+				"--env=CNB_PLATFORM_API="+latestPlatformAPI,
+				launchImage, "--",
+				"bp-executable",
+			)
+			assertOutput(t, cmd, "bp executable")
 		})
 	})
 }

-func buildLaunchImage(t *testing.T) {
-	cmd := exec.Command("docker", "build", "-t", launchImage, launchDockerContext)
-	if output, err := cmd.CombinedOutput(); err != nil {
-		t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, string(output), err)
-	}
-}
-
-func removeLaunchImage(t *testing.T) {
-	cmd := exec.Command("docker", "rmi", launchImage)
-	if output, err := cmd.CombinedOutput(); err != nil {
-		t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, string(output), err)
-	}
-}
-
-func buildLauncher(t *testing.T) {
-	cmd := exec.Command("make", "clean", "build-linux-launcher")
-	wd, err := os.Getwd()
-	h.AssertNil(t, err)
-	cmd.Dir = filepath.Join(wd, "..")
-	cmd.Env = append(
-		os.Environ(),
-		"PWD="+cmd.Dir,
-		"OUT_DIR="+launcherBinaryDir,
-		"LIFECYCLE_VERSION=some-version",
-		"SCM_COMMIT=asdf123",
-	)
-
-	t.Log("Building binaries: ", cmd.Args)
+func assertOutput(t *testing.T, cmd *exec.Cmd, expected ...string) {
+	t.Helper()
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		t.Fatalf("failed to run %v\n OUTPUT: %s\n ERROR: %s\n", cmd.Args, output, err)
 	}
+	for _, ex := range expected {
+		if !strings.Contains(strings.ReplaceAll(string(output), "\r\n", "\n"), ex) {
+			t.Fatalf("failed:\n\t output: %s\n\t should include: %s", output, ex)
+		}
+	}
 }
--- a/acceptance/phase_test.go
+++ b/acceptance/phase_test.go
@ -0,0 +1,522 @@
+package acceptance
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"reflect"
+	"runtime"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/docker/docker/api/types/image"
+
+	ih "github.com/buildpacks/imgutil/testhelpers"
+	"github.com/google/go-containerregistry/pkg/authn"
+	"github.com/google/go-containerregistry/pkg/registry"
+
+	"github.com/buildpacks/lifecycle/auth"
+	"github.com/buildpacks/lifecycle/cmd"
+	"github.com/buildpacks/lifecycle/internal/encoding"
+	"github.com/buildpacks/lifecycle/platform"
+	"github.com/buildpacks/lifecycle/platform/files"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+type PhaseTest struct {
+	containerBinaryDir     string // The path to copy lifecycle binaries to before building the test image.
+	containerBinaryPath    string // The path to invoke when running the test container.
+	phaseName              string // The phase name, such as detect, analyze, restore, build, export, or create.
+	testImageDockerContext string // The directory containing the Dockerfile for the test image.
+	testImageRef           string // The test image to run.
+	targetDaemon           *targetDaemon
+	targetRegistry         *targetRegistry // The target registry to use. Remove by passing `withoutRegistry` to the constructor.
+}
+
+type targetDaemon struct {
+	os       string
+	arch     string
+	fixtures *daemonImageFixtures
+}
+
+type daemonImageFixtures struct {
+	AppImage   string
+	CacheImage string
+	RunImage   string
+}
+
+type targetRegistry struct {
+	authConfig      string
+	dockerConfigDir string
+	network         string
+	fixtures        *regImageFixtures
+	registry        *ih.DockerRegistry
+}
+
+type regImageFixtures struct {
+	InaccessibleImage      string
+	ReadOnlyAppImage       string
+	ReadOnlyCacheImage     string
+	ReadOnlyRunImage       string
+	ReadWriteAppImage      string
+	ReadWriteCacheImage    string
+	ReadWriteOtherAppImage string
+	SomeAppImage           string
+	SomeCacheImage         string
+}
+
+func NewPhaseTest(t *testing.T, phaseName, testImageDockerContext string, phaseOp ...func(*PhaseTest)) *PhaseTest {
+	phaseTest := &PhaseTest{
+		containerBinaryDir:     filepath.Join(testImageDockerContext, "container", "cnb", "lifecycle"),
+		containerBinaryPath:    "/cnb/lifecycle/" + phaseName,
+		phaseName:              phaseName,
+		targetDaemon:           newTargetDaemon(t),
+		targetRegistry:         &targetRegistry{},
+		testImageDockerContext: testImageDockerContext,
+		testImageRef:           "lifecycle/acceptance/" + phaseName,
+	}
+
+	for _, op := range phaseOp {
+		op(phaseTest)
+	}
+
+	return phaseTest
+}
+
+func newTargetDaemon(t *testing.T) *targetDaemon {
+	info, err := h.DockerCli(t).Info(context.TODO())
+	h.AssertNil(t, err)
+
+	arch := info.Architecture
+	if arch == "x86_64" {
+		arch = "amd64"
+	}
+	if arch == "aarch64" {
+		arch = "arm64"
+	}
+
+	return &targetDaemon{
+		os:       info.OSType,
+		arch:     arch,
+		fixtures: nil,
+	}
+}
+
+func (p *PhaseTest) RegRepoName(repoName string) string {
+	return p.targetRegistry.registry.RepoName(repoName)
+}
+
+func (p *PhaseTest) Start(t *testing.T, phaseOp ...func(*testing.T, *PhaseTest)) {
+	p.targetDaemon.createFixtures(t)
+
+	if p.targetRegistry != nil {
+		p.targetRegistry.start(t)
+		containerDockerConfigDir := filepath.Join(p.testImageDockerContext, "container", "docker-config")
+		h.AssertNil(t, os.RemoveAll(containerDockerConfigDir))
+		h.AssertNil(t, os.MkdirAll(containerDockerConfigDir, 0755))
+		h.RecursiveCopy(t, p.targetRegistry.dockerConfigDir, containerDockerConfigDir)
+	}
+
+	for _, op := range phaseOp {
+		op(t, p)
+	}
+
+	h.MakeAndCopyLifecycle(t, p.targetDaemon.os, p.targetDaemon.arch, p.containerBinaryDir)
+	// calculate lifecycle digest
+	hasher := sha256.New()
+	f, err := os.Open(filepath.Join(p.containerBinaryDir, "lifecycle"+exe)) //#nosec G304
+	h.AssertNil(t, err)
+	_, err = io.Copy(hasher, f)
+	h.AssertNil(t, err)
+	t.Logf("Built lifecycle binary with digest: %s", hex.EncodeToString(hasher.Sum(nil)))
+
+	copyFakeSboms(t)
+	h.DockerBuild(
+		t,
+		p.testImageRef,
+		p.testImageDockerContext,
+		h.WithArgs("-f", filepath.Join(p.testImageDockerContext, dockerfileName)),
+	)
+	t.Logf("Using image %s with lifecycle version %s",
+		p.testImageRef,
+		h.DockerRun(
+			t,
+			p.testImageRef,
+			h.WithFlags("--env", "CNB_PLATFORM_API="+latestPlatformAPI, "--entrypoint", ctrPath("/cnb/lifecycle/lifecycle"+exe)),
+			h.WithArgs("-version"),
+		))
+}
+
+func (p *PhaseTest) Stop(t *testing.T) {
+	p.targetDaemon.removeFixtures(t)
+
+	if p.targetRegistry != nil {
+		p.targetRegistry.stop(t)
+		// remove images that were built locally before being pushed to test registry
+		cleanupDaemonFixtures(t, *p.targetRegistry.fixtures)
+	}
+
+	h.DockerImageRemove(t, p.testImageRef)
+}
+
+func (d *targetDaemon) createFixtures(t *testing.T) {
+	if d.fixtures != nil {
+		return
+	}
+
+	var fixtures daemonImageFixtures
+
+	appMeta := minifyMetadata(t, filepath.Join("testdata", "app_image_metadata.json"), files.LayersMetadata{})
+	cacheMeta := minifyMetadata(t, filepath.Join("testdata", "cache_image_metadata.json"), platform.CacheMetadata{})
+
+	fixtures.AppImage = "some-app-image-" + h.RandString(10)
+	cmd := exec.Command(
+		"docker",
+		"build",
+		"-t", fixtures.AppImage,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+appMeta,
+		filepath.Join("testdata", "app-image"),
+	) // #nosec G204
+	h.Run(t, cmd)
+
+	fixtures.CacheImage = "some-cache-image-" + h.RandString(10)
+	cmd = exec.Command(
+		"docker",
+		"build",
+		"-t", fixtures.CacheImage,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+cacheMeta,
+		filepath.Join("testdata", "cache-image"),
+	) // #nosec G204
+	h.Run(t, cmd)
+
+	fixtures.RunImage = "some-run-image-" + h.RandString(10)
+	cmd = exec.Command(
+		"docker",
+		"build",
+		"-t", fixtures.RunImage,
+		"--build-arg", "fromImage="+containerBaseImage,
+		filepath.Join("testdata", "cache-image"),
+	) // #nosec G204
+	h.Run(t, cmd)
+
+	d.fixtures = &fixtures
+}
+
+func (d *targetDaemon) removeFixtures(t *testing.T) {
+	cleanupDaemonFixtures(t, *d.fixtures)
+}
+
+func (r *targetRegistry) start(t *testing.T) {
+	var err error
+
+	r.dockerConfigDir, err = os.MkdirTemp("", "test.docker.config.dir")
+	h.AssertNil(t, err)
+
+	sharedRegHandler := registry.New(registry.Logger(log.New(io.Discard, "", log.Lshortfile)))
+	r.registry = ih.NewDockerRegistry(
+		ih.WithAuth(r.dockerConfigDir),
+		ih.WithSharedHandler(sharedRegHandler),
+		ih.WithImagePrivileges(),
+	)
+	r.registry.Start(t)
+
+	// if registry is listening on localhost, use host networking to allow containers to reach it
+	r.network = "default"
+	if r.registry.Host == "localhost" {
+		r.network = "host"
+	}
+
+	// Save auth config
+	os.Setenv("DOCKER_CONFIG", r.dockerConfigDir)
+	r.authConfig, err = auth.BuildEnvVar(authn.DefaultKeychain, r.registry.RepoName("some-repo")) // repo name doesn't matter
+	h.AssertNil(t, err)
+
+	r.createFixtures(t)
+}
+
+func (r *targetRegistry) createFixtures(t *testing.T) {
+	var fixtures regImageFixtures
+
+	appMeta := minifyMetadata(t, filepath.Join("testdata", "app_image_metadata.json"), files.LayersMetadata{})
+	cacheMeta := minifyMetadata(t, filepath.Join("testdata", "cache_image_metadata.json"), platform.CacheMetadata{})
+
+	// With Permissions
+
+	fixtures.InaccessibleImage = r.registry.SetInaccessible("inaccessible-image")
+
+	someReadOnlyAppName := "some-read-only-app-image-" + h.RandString(10)
+	fixtures.ReadOnlyAppImage = buildRegistryImage(
+		t,
+		someReadOnlyAppName,
+		filepath.Join("testdata", "app-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+appMeta,
+	)
+	r.registry.SetReadOnly(someReadOnlyAppName)
+
+	someReadOnlyCacheImage := "some-read-only-cache-image-" + h.RandString(10)
+	fixtures.ReadOnlyCacheImage = buildRegistryImage(
+		t,
+		someReadOnlyCacheImage,
+		filepath.Join("testdata", "cache-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+cacheMeta,
+	)
+	r.registry.SetReadOnly(someReadOnlyCacheImage)
+
+	someRunImageName := "some-read-only-run-image-" + h.RandString(10)
+	buildRegistryImage(
+		t,
+		someRunImageName,
+		filepath.Join("testdata", "cache-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImageFull,
+	)
+	fixtures.ReadOnlyRunImage = r.registry.SetReadOnly(someRunImageName)
+
+	readWriteAppName := "some-read-write-app-image-" + h.RandString(10)
+	fixtures.ReadWriteAppImage = buildRegistryImage(
+		t,
+		readWriteAppName,
+		filepath.Join("testdata", "app-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+appMeta,
+	)
+	r.registry.SetReadWrite(readWriteAppName)
+
+	someReadWriteCacheName := "some-read-write-cache-image-" + h.RandString(10)
+	fixtures.ReadWriteCacheImage = buildRegistryImage(
+		t,
+		someReadWriteCacheName,
+		filepath.Join("testdata", "cache-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+cacheMeta,
+	)
+	r.registry.SetReadWrite(someReadWriteCacheName)
+
+	readWriteOtherAppName := "some-other-read-write-app-image-" + h.RandString(10)
+	fixtures.ReadWriteOtherAppImage = buildRegistryImage(
+		t,
+		readWriteOtherAppName,
+		filepath.Join("testdata", "app-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+appMeta,
+	)
+	r.registry.SetReadWrite(readWriteOtherAppName)
+
+	// Without Permissions
+
+	fixtures.SomeAppImage = buildRegistryImage(
+		t,
+		"some-app-image-"+h.RandString(10),
+		filepath.Join("testdata", "app-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+appMeta,
+	)
+
+	fixtures.SomeCacheImage = buildRegistryImage(
+		t,
+		"some-cache-image-"+h.RandString(10),
+		filepath.Join("testdata", "cache-image"),
+		r.registry,
+		"--build-arg", "fromImage="+containerBaseImage,
+		"--build-arg", "metadata="+cacheMeta,
+	)
+
+	r.fixtures = &fixtures
+}
+
+func (r *targetRegistry) stop(t *testing.T) {
+	r.registry.Stop(t)
+	os.Unsetenv("DOCKER_CONFIG")
+	os.RemoveAll(r.dockerConfigDir)
+}
+
+func buildRegistryImage(t *testing.T, repoName, context string, registry *ih.DockerRegistry, buildArgs ...string) string {
+	// Build image
+	regRepoName := registry.RepoName(repoName)
+	h.DockerBuild(t, regRepoName, context, h.WithArgs(buildArgs...))
+
+	// Push image
+	h.AssertNil(t, h.PushImage(h.DockerCli(t), regRepoName, registry.EncodedLabeledAuth()))
+
+	// Return registry repo name
+	return regRepoName
+}
+
+func cleanupDaemonFixtures(t *testing.T, fixtures interface{}) {
+	v := reflect.ValueOf(fixtures)
+
+	for i := 0; i < v.NumField(); i++ {
+		imageName := fmt.Sprintf("%v", v.Field(i).Interface())
+		if imageName == "" {
+			continue
+		}
+		if strings.Contains(imageName, "inaccessible") {
+			continue
+		}
+		h.DockerImageRemove(t, imageName)
+	}
+}
+
+func minifyMetadata(t *testing.T, path string, metadataStruct interface{}) string {
+	metadata, err := os.ReadFile(path)
+	h.AssertNil(t, err)
+
+	// Unmarshal and marshal to strip unnecessary whitespace
+	h.AssertNil(t, json.Unmarshal(metadata, &metadataStruct))
+	flatMetadata, err := json.Marshal(metadataStruct)
+	h.AssertNil(t, err)
+
+	return string(flatMetadata)
+}
+
+func withoutDaemonFixtures(phaseTest *PhaseTest) {
+	phaseTest.targetDaemon.fixtures = &daemonImageFixtures{}
+}
+
+func withoutRegistry(phaseTest *PhaseTest) {
+	phaseTest.targetRegistry = nil
+}
+
+func copyFakeSboms(t *testing.T) {
+	goos := runtime.GOOS
+
+	// Check Target Daemon != runtime.GOOS
+	if goos == "darwin" {
+		goos = "linux"
+	}
+	buildLifecycleDir, err := filepath.Abs(filepath.Join("..", "out", fmt.Sprintf("%s-%s", goos, runtime.GOARCH), "lifecycle"))
+	if err != nil {
+		t.Log("Fail to locate lifecycle directory")
+	}
+
+	extensions := SBOMExtensions()
+	components := SBOMComponents()
+
+	for _, component := range components {
+		for _, extension := range extensions {
+			if err := encoding.WriteJSON(filepath.Join(buildLifecycleDir, component+extension), "fake data"); err != nil {
+				t.Log("Fail to write:" + component + extension)
+			}
+		}
+	}
+}
+
+func SBOMExtensions() []string {
+	return []string{".sbom.cdx.json", ".sbom.spdx.json", ".sbom.syft.json"}
+}
+
+func SBOMComponents() []string {
+	return []string{"lifecycle", "launcher"}
+}
+
+func assertImageOSAndArch(t *testing.T, imageName string, phaseTest *PhaseTest) { //nolint  - these functions are in fact used, i promise
+	inspect, err := h.DockerCli(t).ImageInspect(context.TODO(), imageName)
+	h.AssertNil(t, err)
+	h.AssertEq(t, inspect.Os, phaseTest.targetDaemon.os)
+	h.AssertEq(t, inspect.Architecture, phaseTest.targetDaemon.arch)
+}
+
+func assertImageOSAndArchAndCreatedAt(t *testing.T, imageName string, phaseTest *PhaseTest, expectedCreatedAt time.Time) { //nolint
+	inspect, err := h.DockerCli(t).ImageInspect(context.TODO(), imageName)
+
+	if err != nil {
+		list, _ := h.DockerCli(t).ImageList(context.TODO(), image.ListOptions{})
+		fmt.Println("Error encountered running ImageInspectWithRaw. imageName: ", imageName)
+		fmt.Println(err)
+		for _, value := range list {
+			fmt.Println("Image Name: ", value)
+		}
+
+		if strings.Contains(err.Error(), "No such image") {
+			t.Log("Image not found, retrying...")
+			time.Sleep(1 * time.Second)
+			inspect, err = h.DockerCli(t).ImageInspect(context.TODO(), imageName)
+		}
+	}
+
+	h.AssertNil(t, err)
+	h.AssertEq(t, inspect.Os, phaseTest.targetDaemon.os)
+	h.AssertEq(t, inspect.Architecture, phaseTest.targetDaemon.arch)
+	h.AssertEq(t, inspect.Created, expectedCreatedAt.Format(time.RFC3339))
+}
+
+func assertRunMetadata(t *testing.T, path string) *files.Run { //nolint
+	contents, err := os.ReadFile(path)
+	h.AssertNil(t, err)
+	h.AssertEq(t, len(contents) > 0, true)
+
+	runMD, err := files.Handler.ReadRun(path, cmd.DefaultLogger)
+	h.AssertNil(t, err)
+
+	return &runMD
+}
+
+func updateTOMLFixturesWithTestRegistry(t *testing.T, phaseTest *PhaseTest) { //nolint
+	analyzedTOMLPlaceholders := []string{
+		filepath.Join(phaseTest.testImageDockerContext, "container", "layers", "analyzed.toml.placeholder"),
+		filepath.Join(phaseTest.testImageDockerContext, "container", "layers", "run-image-extended-analyzed.toml.placeholder"),
+		filepath.Join(phaseTest.testImageDockerContext, "container", "layers", "some-analyzed.toml.placeholder"),
+		filepath.Join(phaseTest.testImageDockerContext, "container", "layers", "some-extend-false-analyzed.toml.placeholder"),
+		filepath.Join(phaseTest.testImageDockerContext, "container", "layers", "some-extend-true-analyzed.toml.placeholder"),
+		filepath.Join(phaseTest.testImageDockerContext, "container", "other_layers", "analyzed.toml.placeholder"),
+	}
+	runTOMLPlaceholders := []string{
+		filepath.Join(phaseTest.testImageDockerContext, "container", "cnb", "run.toml.placeholder"),
+	}
+	layoutPlaceholders := []string{
+		filepath.Join(phaseTest.testImageDockerContext, "container", "layers", "layout-analyzed.toml.placeholder"),
+	}
+	for _, pPath := range analyzedTOMLPlaceholders {
+		if _, err := os.Stat(pPath); os.IsNotExist(err) {
+			continue
+		}
+		analyzedMD := assertAnalyzedMetadata(t, pPath)
+		if analyzedMD.RunImage != nil {
+			analyzedMD.RunImage.Reference = phaseTest.targetRegistry.fixtures.ReadOnlyRunImage // don't override extend
+			if analyzedMD.RunImage.Image == "REPLACE" {
+				analyzedMD.RunImage.Image = phaseTest.targetRegistry.fixtures.ReadOnlyRunImage
+			}
+		}
+		h.AssertNil(t, encoding.WriteTOML(strings.TrimSuffix(pPath, ".placeholder"), analyzedMD))
+	}
+	for _, pPath := range runTOMLPlaceholders {
+		if _, err := os.Stat(pPath); os.IsNotExist(err) {
+			continue
+		}
+		runMD := assertRunMetadata(t, pPath)
+		for idx, image := range runMD.Images {
+			image.Image = phaseTest.targetRegistry.fixtures.ReadOnlyRunImage
+			runMD.Images[idx] = image
+		}
+		h.AssertNil(t, encoding.WriteTOML(strings.TrimSuffix(pPath, ".placeholder"), runMD))
+	}
+	for _, pPath := range layoutPlaceholders {
+		if _, err := os.Stat(pPath); os.IsNotExist(err) {
+			continue
+		}
+		analyzedMD := assertAnalyzedMetadata(t, pPath)
+		if analyzedMD.RunImage != nil {
+			// Values from image acceptance/testdata/exporter/container/layout-repo in OCI layout format
+			analyzedMD.RunImage = &files.RunImage{Reference: "/layout-repo/index.docker.io/library/busybox/latest@sha256:445c45cc89fdeb64b915b77f042e74ab580559b8d0d5ef6950be1c0265834c33"}
+		}
+		h.AssertNil(t, encoding.WriteTOML(strings.TrimSuffix(pPath, ".placeholder"), analyzedMD))
+	}
+}
--- a/acceptance/rebaser_test.go
+++ b/acceptance/rebaser_test.go
@ -0,0 +1,58 @@
+//go:build acceptance
+
+package acceptance
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+var (
+	rebaserTest  *PhaseTest
+	rebaserPath  string
+	rebaserImage string
+)
+
+func TestRebaser(t *testing.T) {
+	testImageDockerContextFolder := filepath.Join("testdata", "rebaser")
+	rebaserTest = NewPhaseTest(t, "rebaser", testImageDockerContextFolder)
+	rebaserTest.Start(t, updateTOMLFixturesWithTestRegistry)
+	defer rebaserTest.Stop(t)
+
+	rebaserImage = rebaserTest.testImageRef
+	rebaserPath = rebaserTest.containerBinaryPath
+
+	for _, platformAPI := range api.Platform.Supported {
+		spec.Run(t, "acceptance-rebaser/"+platformAPI.String(), testRebaser(platformAPI.String()), spec.Sequential(), spec.Report(report.Terminal{}))
+	}
+}
+
+func testRebaser(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
+	return func(t *testing.T, when spec.G, it spec.S) {
+		when("called with insecure registry flag", func() {
+			it.Before(func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
+			})
+			it("should do an http request", func() {
+				insecureRegistry := "host.docker.internal"
+				rebaserOutputImageName := insecureRegistry + "/bar"
+				_, _, err := h.DockerRunWithError(t,
+					rebaserImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "CNB_INSECURE_REGISTRIES="+insecureRegistry,
+					),
+					h.WithArgs(ctrPath(rebaserPath), rebaserOutputImageName),
+				)
+
+				h.AssertStringContains(t, err.Error(), "http://host.docker.internal")
+			})
+		})
+	}
+}
--- a/acceptance/restorer_test.go
+++ b/acceptance/restorer_test.go
@ -0,0 +1,338 @@
+//go:build acceptance
+
+package acceptance
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-containerregistry/pkg/name"
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	"github.com/buildpacks/lifecycle/api"
+	"github.com/buildpacks/lifecycle/cmd"
+	"github.com/buildpacks/lifecycle/platform/files"
+	h "github.com/buildpacks/lifecycle/testhelpers"
+)
+
+const emptyImageSHA = "03cbce912ef1a8a658f73c660ab9c539d67188622f00b15c4f15b89b884f0e10"
+
+var (
+	restoreImage          string
+	restoreRegAuthConfig  string
+	restoreRegNetwork     string
+	restorerPath          string
+	restoreDaemonFixtures *daemonImageFixtures
+	restoreRegFixtures    *regImageFixtures
+	restoreTest           *PhaseTest
+)
+
+func TestRestorer(t *testing.T) {
+	testImageDockerContext := filepath.Join("testdata", "restorer")
+	restoreTest = NewPhaseTest(t, "restorer", testImageDockerContext)
+	restoreTest.Start(t, updateTOMLFixturesWithTestRegistry)
+	defer restoreTest.Stop(t)
+
+	restoreImage = restoreTest.testImageRef
+	restorerPath = restoreTest.containerBinaryPath
+	restoreRegAuthConfig = restoreTest.targetRegistry.authConfig
+	restoreRegNetwork = restoreTest.targetRegistry.network
+	restoreDaemonFixtures = restoreTest.targetDaemon.fixtures
+	restoreRegFixtures = restoreTest.targetRegistry.fixtures
+
+	for _, platformAPI := range api.Platform.Supported {
+		spec.Run(t, "acceptance-restorer/"+platformAPI.String(), testRestorerFunc(platformAPI.String()), spec.Parallel(), spec.Report(report.Terminal{}))
+	}
+}
+
+func testRestorerFunc(platformAPI string) func(t *testing.T, when spec.G, it spec.S) {
+	return func(t *testing.T, when spec.G, it spec.S) {
+		var copyDir, containerName string
+		it.Before(func() {
+			containerName = "test-container-" + h.RandString(10)
+			var err error
+			copyDir, err = os.MkdirTemp("", "test-docker-copy-")
+			h.AssertNil(t, err)
+		})
+
+		it.After(func() {
+			if h.DockerContainerExists(t, containerName) {
+				h.Run(t, exec.Command("docker", "rm", containerName))
+			}
+			_ = os.RemoveAll(copyDir)
+		})
+
+		when("called with arguments", func() {
+			it("errors", func() {
+				command := exec.Command("docker", "run", "--rm", "--env", "CNB_PLATFORM_API="+platformAPI, restoreImage, "some-arg")
+				output, err := command.CombinedOutput()
+				h.AssertNotNil(t, err)
+				expected := "failed to parse arguments: received unexpected Args"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("called without any cache flag", func() {
+			it("outputs it will not restore cache layer data", func() {
+				command := exec.Command("docker", "run", "--rm", "--env", "CNB_PLATFORM_API="+platformAPI, restoreImage)
+				output, err := command.CombinedOutput()
+				h.AssertNil(t, err)
+				expected := "No cached data will be used, no cache specified"
+				h.AssertStringContains(t, string(output), expected)
+			})
+		})
+
+		when("analyzed.toml exists with app metadata", func() {
+			it("restores app metadata", func() {
+				output := h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					ctrPath("/layers"),
+					restoreImage,
+					h.WithFlags(append(
+						dockerSocketMount,
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+					)...),
+					h.WithArgs(),
+				)
+
+				h.AssertStringContains(t, output, "Restoring metadata for \"some-buildpack-id:launch-layer\"")
+			})
+
+			when("restores app metadata using an insecure registry", func() {
+				it.Before(func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "")
+				})
+				it("does an http request ", func() {
+					insecureRegistry := "host.docker.internal"
+
+					_, _, err := h.DockerRunWithError(t,
+						restoreImage,
+						h.WithFlags(append(
+							dockerSocketMount,
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "CNB_INSECURE_REGISTRIES="+insecureRegistry,
+							"--env", "CNB_BUILD_IMAGE="+insecureRegistry+"/bar",
+						)...),
+					)
+
+					h.AssertStringContains(t, err.Error(), "http://host.docker.internal")
+				})
+			})
+		})
+
+		when("using cache-dir", func() {
+			when("there is cache present from a previous build", func() {
+				it("restores cached layer data", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						"/layers",
+						restoreImage,
+						h.WithFlags("--env", "CNB_PLATFORM_API="+platformAPI),
+						h.WithArgs("-cache-dir", "/cache"),
+					)
+
+					// check restored cache file is present
+					cachedFile := filepath.Join(copyDir, "layers", "cacher_buildpack", "cached-layer", "data")
+					h.AssertPathExists(t, cachedFile)
+
+					// check restored cache file content is correct
+					contents, err := os.ReadFile(cachedFile)
+					h.AssertNil(t, err)
+					h.AssertEq(t, string(contents), "cached-data\n")
+				})
+
+				it("does not restore cache=true layers not in cache", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						"/layers",
+						restoreImage,
+						h.WithFlags("--env", "CNB_PLATFORM_API="+platformAPI),
+						h.WithArgs("-cache-dir", "/cache"),
+					)
+
+					// check uncached layer is not restored
+					uncachedFile := filepath.Join(copyDir, "layers", "cacher_buildpack", "uncached-layer")
+					h.AssertPathDoesNotExist(t, uncachedFile)
+				})
+
+				it("does not restore layer data from unused buildpacks", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						"/layers",
+						restoreImage,
+						h.WithFlags("--env", "CNB_PLATFORM_API="+platformAPI),
+						h.WithArgs("-cache-dir", "/cache"),
+					)
+
+					// check no content is not present from unused buildpack
+					unusedBpLayer := filepath.Join(copyDir, "layers", "unused_buildpack")
+					h.AssertPathDoesNotExist(t, unusedBpLayer)
+				})
+
+				it("does not restore corrupted layer data", func() {
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						"/layers",
+						restoreImage,
+						h.WithFlags("--env", "CNB_PLATFORM_API="+platformAPI),
+						h.WithArgs("-cache-dir", "/cache"),
+					)
+
+					// check corrupted layer is not restored
+					corruptedFile := filepath.Join(copyDir, "layers", "corrupted_buildpack", "corrupted-layer")
+					h.AssertPathDoesNotExist(t, corruptedFile)
+				})
+			})
+		})
+
+		when("restoring builder image metadata for extensions", func() {
+			it("accepts -build-image and saves the metadata to /kaniko/cache", func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.10"), "Platform API < 0.10 does not restore builder image metadata")
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					"/",
+					restoreImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "DOCKER_CONFIG=/docker-config",
+						"--network", restoreRegNetwork,
+					),
+					h.WithArgs("-build-image", restoreRegFixtures.SomeCacheImage), // some-cache-image simulates a builder image in a registry
+				)
+				t.Log("records builder image digest in analyzed.toml")
+				analyzedMD, err := files.Handler.ReadAnalyzed(filepath.Join(copyDir, "layers", "analyzed.toml"), cmd.DefaultLogger)
+				h.AssertNil(t, err)
+				h.AssertStringContains(t, analyzedMD.BuildImage.Reference, restoreRegFixtures.SomeCacheImage+"@sha256:")
+				t.Log("writes builder manifest and config to the kaniko cache")
+				ref, err := name.ParseReference(analyzedMD.BuildImage.Reference)
+				h.AssertNil(t, err)
+				fis, err := os.ReadDir(filepath.Join(copyDir, "kaniko", "cache", "base"))
+				h.AssertNil(t, err)
+				h.AssertEq(t, len(fis), 1)
+				h.AssertPathExists(t, filepath.Join(copyDir, "kaniko", "cache", "base", ref.Identifier(), "oci-layout"))
+			})
+		})
+
+		when("restoring run image metadata for extensions", func() {
+			it("saves metadata to /kaniko/cache", func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not restore run image metadata")
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					"/",
+					restoreImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "DOCKER_CONFIG=/docker-config",
+						"--network", restoreRegNetwork,
+					),
+					h.WithArgs(
+						"-analyzed", "/layers/some-extend-true-analyzed.toml",
+						"-log-level", "debug",
+					),
+				)
+				t.Log("updates run image reference in analyzed.toml to include digest and target data")
+				analyzedMD, err := files.Handler.ReadAnalyzed(filepath.Join(copyDir, "layers", "some-extend-true-analyzed.toml"), cmd.DefaultLogger)
+				h.AssertNil(t, err)
+				h.AssertStringContains(t, analyzedMD.RunImage.Reference, restoreRegFixtures.ReadOnlyRunImage+"@sha256:")
+				h.AssertEq(t, analyzedMD.RunImage.Image, restoreRegFixtures.ReadOnlyRunImage)
+				h.AssertEq(t, analyzedMD.RunImage.TargetMetadata.OS, "linux")
+				t.Log("does not return the digest for an empty image")
+				h.AssertStringDoesNotContain(t, analyzedMD.RunImage.Reference, restoreRegFixtures.ReadOnlyRunImage+"@sha256:"+emptyImageSHA)
+				t.Log("writes run image manifest and config to the kaniko cache")
+				ref, err := name.ParseReference(analyzedMD.RunImage.Reference)
+				h.AssertNil(t, err)
+				fis, err := os.ReadDir(filepath.Join(copyDir, "kaniko", "cache", "base"))
+				h.AssertNil(t, err)
+				h.AssertEq(t, len(fis), 1)
+				h.AssertPathExists(t, filepath.Join(copyDir, "kaniko", "cache", "base", ref.Identifier(), "oci-layout"))
+			})
+		})
+
+		when("target data", func() {
+			it("updates run image reference in analyzed.toml to include digest and target data on newer platforms", func() {
+				h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.10"), "")
+				h.DockerRunAndCopy(t,
+					containerName,
+					copyDir,
+					"/",
+					restoreImage,
+					h.WithFlags(
+						"--env", "CNB_PLATFORM_API="+platformAPI,
+						"--env", "DOCKER_CONFIG=/docker-config",
+						"--network", restoreRegNetwork,
+					),
+					h.WithArgs(
+						"-analyzed", "/layers/some-extend-false-analyzed.toml",
+						"-log-level", "debug",
+					),
+				)
+				if api.MustParse(platformAPI).AtLeast("0.12") {
+					t.Log("updates run image reference in analyzed.toml to include digest and target data")
+					analyzedMD, err := files.Handler.ReadAnalyzed(filepath.Join(copyDir, "layers", "some-extend-false-analyzed.toml"), cmd.DefaultLogger)
+					h.AssertNil(t, err)
+					h.AssertStringContains(t, analyzedMD.RunImage.Reference, restoreRegFixtures.ReadOnlyRunImage+"@sha256:")
+					h.AssertEq(t, analyzedMD.RunImage.Image, restoreRegFixtures.ReadOnlyRunImage)
+					h.AssertEq(t, analyzedMD.RunImage.TargetMetadata.OS, "linux")
+					t.Log("does not return the digest for an empty image")
+					h.AssertStringDoesNotContain(t, analyzedMD.RunImage.Reference, restoreRegFixtures.ReadOnlyRunImage+"@sha256:"+emptyImageSHA)
+					t.Log("does not write run image manifest and config to the kaniko cache")
+					fis, err := os.ReadDir(filepath.Join(copyDir, "kaniko"))
+					h.AssertNil(t, err)
+					h.AssertEq(t, len(fis), 1) // .gitkeep
+				} else {
+					t.Log("updates run image reference in analyzed.toml to include digest only")
+					analyzedMD, err := files.Handler.ReadAnalyzed(filepath.Join(copyDir, "layers", "some-extend-false-analyzed.toml"), cmd.DefaultLogger)
+					h.AssertNil(t, err)
+					h.AssertStringContains(t, analyzedMD.RunImage.Reference, restoreRegFixtures.ReadOnlyRunImage+"@sha256:")
+					h.AssertEq(t, analyzedMD.RunImage.Image, restoreRegFixtures.ReadOnlyRunImage)
+					h.AssertNil(t, analyzedMD.RunImage.TargetMetadata)
+					t.Log("does not return the digest for an empty image")
+					h.AssertStringDoesNotContain(t, analyzedMD.RunImage.Reference, restoreRegFixtures.ReadOnlyRunImage+"@sha256:"+emptyImageSHA)
+				}
+			})
+
+			when("-daemon", func() {
+				it("updates run image reference in analyzed.toml to include digest and target data on newer platforms", func() {
+					h.SkipIf(t, api.MustParse(platformAPI).LessThan("0.12"), "Platform API < 0.12 does not support -daemon flag")
+					h.DockerRunAndCopy(t,
+						containerName,
+						copyDir,
+						"/",
+						restoreImage,
+						h.WithFlags(append(
+							dockerSocketMount,
+							"--env", "CNB_PLATFORM_API="+platformAPI,
+							"--env", "DOCKER_CONFIG=/docker-config",
+							"--network", restoreRegNetwork,
+						)...),
+						h.WithArgs(
+							"-analyzed", "/layers/some-extend-false-analyzed.toml",
+							"-daemon",
+							"-log-level", "debug",
+						),
+					)
+					t.Log("updates run image reference in analyzed.toml to include digest and target data")
+					analyzedMD, err := files.Handler.ReadAnalyzed(filepath.Join(copyDir, "layers", "some-extend-false-analyzed.toml"), cmd.DefaultLogger)
+					h.AssertNil(t, err)
+					h.AssertStringDoesNotContain(t, analyzedMD.RunImage.Reference, "@sha256:") // daemon image ID
+					h.AssertEq(t, analyzedMD.RunImage.Image, restoreRegFixtures.ReadOnlyRunImage)
+					h.AssertEq(t, analyzedMD.RunImage.TargetMetadata.OS, "linux")
+					t.Log("does not write run image manifest and config to the kaniko cache")
+					fis, err := os.ReadDir(filepath.Join(copyDir, "kaniko"))
+					h.AssertNil(t, err)
+					h.AssertEq(t, len(fis), 1) // .gitkeep
+				})
+			})
+		})
+	}
+}
--- a/acceptance/testdata/analyzer/Dockerfile
+++ b/acceptance/testdata/analyzer/Dockerfile
@ -0,0 +1,21 @@
+FROM ubuntu:bionic
+
+RUN apt-get update && apt-get install -y ca-certificates
+
+COPY container /
+
+WORKDIR /layers
+
+ENV CNB_USER_ID=2222
+
+ENV CNB_GROUP_ID=3333
+
+ARG cnb_platform_api
+ENV CNB_PLATFORM_API=${cnb_platform_api}
+
+RUN chown -R $CNB_USER_ID:$CNB_GROUP_ID /some-dir
+
+RUN chown -R $CNB_USER_ID:$CNB_GROUP_ID /layers
+
+# ensure docker config directory is root owned and NOT world readable
+RUN chown -R root /docker-config; chmod -R 700 /docker-config
--- a/acceptance/testdata/analyzer/container/cnb/order.toml
+++ b/acceptance/testdata/analyzer/container/cnb/order.toml
@ -0,0 +1,5 @@
+[[order]]
+
+  [[order.group]]
+    id = "simple_buildpack"
+    version = "simple_buildpack_version"
--- a/acceptance/testdata/analyzer/container/cnb/platform-0.7-stack.toml
+++ b/acceptance/testdata/analyzer/container/cnb/platform-0.7-stack.toml
@ -0,0 +1,2 @@
+[run-image]
+ image = "some-run-image"
--- a/acceptance/testdata/analyzer/container/cnb/run.toml
+++ b/acceptance/testdata/analyzer/container/cnb/run.toml
@ -0,0 +1,5 @@
+[[images]]
+ image = "some-run-image-from-run-toml"
+
+[[images]]
+ image = "some-other-run-image"
--- a/acceptance/testdata/analyzer/container/layers/group.toml
+++ b/acceptance/testdata/analyzer/container/layers/group.toml
@ -0,0 +1,4 @@
+[[group]]
+id = "some-buildpack-id"
+version = "some-buildpack-version"
+api = "0.10"
--- a/acceptance/testdata/analyzer/container/layers/other-group.toml
+++ b/acceptance/testdata/analyzer/container/layers/other-group.toml
@ -0,0 +1,4 @@
+[[group]]
+id = "some-other-buildpack-id"
+version = "some-other-buildpack-version"
+api = "0.10"
--- a/acceptance/testdata/analyzer/container/layers/unsupported-group.toml
+++ b/acceptance/testdata/analyzer/container/layers/unsupported-group.toml
@ -0,0 +1,4 @@
+[[group]]
+id = "some-other-buildpack-id"
+version = "some-other-buildpack-version"
+api = "0.1"
--- a/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/405fecb6a2fa4f29683f977e7e3b852bf6f8975a2aba647d234d2371894943da
+++ b/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/405fecb6a2fa4f29683f977e7e3b852bf6f8975a2aba647d234d2371894943da
--- a/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/9d5226e6ce3fb6aee2822206a5ef85f38c303d2b37bfc894b419fca2c0501269
+++ b/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/9d5226e6ce3fb6aee2822206a5ef85f38c303d2b37bfc894b419fca2c0501269
@ -0,0 +1 @@
+{"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["sh"],"Image":"sha256:688db7a53b2e8d0358c0e1f309856290bb25ce7acabbf9938f580582e921833f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"65aaed1d1f89cd3cd5aac9137c4786831e99a845ad823496c6008a22a725c780","container_config":{"Hostname":"65aaed1d1f89","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD [\"sh\"]"],"Image":"sha256:688db7a53b2e8d0358c0e1f309856290bb25ce7acabbf9938f580582e921833f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"created":"2022-11-18T01:19:29.442257773Z","docker_version":"20.10.12","history":[{"created":"2022-11-18T01:19:29.321465538Z","created_by":"/bin/sh -c #(nop) ADD file:36d9f497f679d56737ac1379d93f7b6a2e4c814e38e868a5a8e719c4b226ef6e in / "},{"created":"2022-11-18T01:19:29.442257773Z","created_by":"/bin/sh -c #(nop)  CMD [\"sh\"]","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:40cf597a9181e86497f4121c604f9f0ab208950a98ca21db883f26b0a548a2eb"]}}
--- a/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/f75f3d1a317fc82c793d567de94fc8df2bece37acd5f2bd364a0d91a0d1f3dab
+++ b/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/f75f3d1a317fc82c793d567de94fc8df2bece37acd5f2bd364a0d91a0d1f3dab
@ -0,0 +1,16 @@
+{
+   "schemaVersion": 2,
+   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+   "config": {
+      "mediaType": "application/vnd.docker.container.image.v1+json",
+      "size": 1457,
+      "digest": "sha256:9d5226e6ce3fb6aee2822206a5ef85f38c303d2b37bfc894b419fca2c0501269"
+   },
+   "layers": [
+      {
+         "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
+         "size": 772999,
+         "digest": "sha256:405fecb6a2fa4f29683f977e7e3b852bf6f8975a2aba647d234d2371894943da"
+      }
+   ]
+}
--- a/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/index.json
+++ b/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/index.json
@ -0,0 +1,14 @@
+{
+   "schemaVersion": 2,
+   "manifests": [
+      {
+         "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
+         "size": 527,
+         "digest": "sha256:f75f3d1a317fc82c793d567de94fc8df2bece37acd5f2bd364a0d91a0d1f3dab",
+         "platform": {
+            "architecture": "amd64",
+            "os": "linux"
+         }
+      }
+   ]
+}
--- a/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/oci-layout
+++ b/acceptance/testdata/analyzer/container/layout-repo/index.docker.io/library/busybox/latest/oci-layout
@ -0,0 +1,3 @@
+{
+    "imageLayoutVersion": "1.0.0"
+}
--- a/acceptance/testdata/launcher/container/cnb/lifecycle/.gitkeep
+++ b/acceptance/testdata/launcher/container/cnb/lifecycle/.gitkeep
--- a/acceptance/testdata/launcher/container/other-app/.gitkeep
+++ b/acceptance/testdata/launcher/container/other-app/.gitkeep
--- a/acceptance/testdata/analyzer/container/some-other-layers/group.toml
+++ b/acceptance/testdata/analyzer/container/some-other-layers/group.toml
@ -0,0 +1,4 @@
+[[group]]
+id = "another-buildpack-id"
+version = "another-buildpack-version"
+api = "0.10"
--- a/acceptance/testdata/analyzer/container/workspace/.gitkeep
+++ b/acceptance/testdata/analyzer/container/workspace/.gitkeep
--- a/acceptance/testdata/app-image/Dockerfile
+++ b/acceptance/testdata/app-image/Dockerfile
@ -0,0 +1,7 @@
+ARG fromImage
+
+FROM $fromImage
+
+ARG metadata
+
+LABEL io.buildpacks.lifecycle.metadata=$metadata
--- a/acceptance/testdata/app_image_metadata.json
+++ b/acceptance/testdata/app_image_metadata.json
@ -0,0 +1,54 @@
+{
+  "buildpacks": [
+    {
+      "key": "some-buildpack-id",
+      "layers": {
+        "launch-layer": {
+          "data": {
+            "launch-key": "launch-value"
+          },
+          "launch": true,
+          "sha": "launch-sha"
+        },
+        "launch-build-layer": {
+          "build": true,
+          "data": {
+            "launch-build-key": "launch-build-value"
+          },
+          "launch": true,
+          "sha": "launch-build-sha"
+        },
+        "launch-build-cache-layer": {
+          "build": true,
+          "cache": true,
+          "data": {
+            "launch-build-cache-key": "launch-build-cache-value"
+          },
+          "launch": true,
+          "sha": "launch-build-cache-sha"
+        },
+        "launch-cache-layer": {
+          "cache": true,
+          "data": {
+            "launch-cache-key": "launch-cache-value"
+          },
+          "launch": true,
+          "sha": "launch-cache-sha"
+        },
+        "launch-false-layer": {
+          "data": {
+            "launch-false-key": "launch-false-value"
+          },
+          "sha": "launch-false-sha"
+        }
+      },
+      "store": {
+        "metadata": {
+          "metadata-buildpack-store-data": {
+            "store-key": "store-val"
+          }
+        }
+      }
+    }
+  ]
+}
--- a/acceptance/testdata/builder/Dockerfile
+++ b/acceptance/testdata/builder/Dockerfile
@ -0,0 +1,17 @@
+FROM ubuntu:bionic
+
+ARG cnb_uid=1234
+ARG cnb_gid=1000
+
+COPY ./container/ /
+
+ENTRYPOINT ["/cnb/lifecycle/builder"]
+
+RUN groupadd cnb --gid ${cnb_gid} && \
+  useradd --uid ${cnb_uid} --gid ${cnb_gid} -m -s /bin/bash cnb
+
+RUN chown -R "${cnb_uid}:${cnb_gid}" "/layers"
+
+WORKDIR /layers
+
+USER ${cnb_uid}:${cnb_gid}
--- a/testdata/exporter/cleanup-cache/layers/buildpack.id/no-toml-layer/file-for-invalid-layer
+++ b/testdata/exporter/cleanup-cache/layers/buildpack.id/no-toml-layer/file-for-invalid-layer
--- a/acceptance/testdata/builder/container/cnb/buildpacks/hello_world/0.0.1/bin/build
+++ b/acceptance/testdata/builder/container/cnb/buildpacks/hello_world/0.0.1/bin/build
@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+echo "---> Hello World buildpack"
+
+# INPUT ARGUMENTS
+platform_dir=$2
+env_dir=${platform_dir}/env
+layers_dir=$1
+plan_path=$3
+
+# CNB_APP_DIR
+echo "CNB_APP_DIR: ${PWD}"
+
+# PLATFORM DIR
+echo "PLATFORM_DIR: ${platform_dir}"
+
+# LAYERS
+echo "LAYERS_DIR: ${layers_dir}"
+
+# PLAN
+echo "PLAN_PATH: ${plan_path}"
+echo "plan contents:"
+cat ${plan_path}
+echo
+
+# Set default start command
+cat > "${layers_dir}/launch.toml" << EOL
+[[processes]]
+type = "hello"
+command = ["echo world"]
+args = ["arg1"]
+EOL
+
+echo "---> Done"
--- a/acceptance/testdata/builder/container/cnb/buildpacks/hello_world/0.0.1/buildpack.toml
+++ b/acceptance/testdata/builder/container/cnb/buildpacks/hello_world/0.0.1/buildpack.toml
@ -0,0 +1,7 @@
+# Buildpack API version
+api = "0.10"
+
+# Buildpack ID and metadata
+[buildpack]
+id = "hello_world"
+version = "0.0.1"
--- a/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_2/0.0.2/bin/build
+++ b/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_2/0.0.2/bin/build
@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+echo "---> Hello World 2 buildpack"
+
+# INPUT ARGUMENTS
+platform_dir=$2
+env_dir=${platform_dir}/env
+layers_dir=$1
+plan_path=$3
+
+# CNB_APP_DIR
+echo "CNB_APP_DIR: ${PWD}"
+
+# PLATFORM DIR
+echo "PLATFORM_DIR: ${platform_dir}"
+
+# LAYERS
+echo "LAYERS_DIR: ${layers_dir}"
+
+# PLAN
+echo "PLAN_PATH: ${plan_path}"
+echo "plan contents:"
+cat ${plan_path}
+echo
+
+echo "---> Done"
--- a/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_2/0.0.2/buildpack.toml
+++ b/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_2/0.0.2/buildpack.toml
@ -0,0 +1,7 @@
+# Buildpack API version
+api = "0.10"
+
+# Buildpack ID and metadata
+[buildpack]
+id = "hello_world_2"
+version = "0.0.2"
--- a/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_3/0.0.3/bin/build
+++ b/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_3/0.0.3/bin/build
@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+echo "---> Hello World 3 buildpack"
+
+# INPUT ARGUMENTS
+platform_dir=$2
+env_dir=${platform_dir}/env
+layers_dir=$1
+plan_path=$3
+
+# CNB_APP_DIR
+echo "CNB_APP_DIR: ${PWD}"
+
+# PLATFORM DIR
+echo "PLATFORM_DIR: ${platform_dir}"
+
+# LAYERS
+echo "LAYERS_DIR: ${layers_dir}"
+
+# PLAN
+echo "PLAN_PATH: ${plan_path}"
+echo "plan contents:"
+cat ${plan_path}
+echo
+
+echo "CNB_TARGET_ARCH:" `printenv CNB_TARGET_ARCH`
+echo "CNB_TARGET_ARCH_VARIANT:" `printenv CNB_TARGET_ARCH_VARIANT`
+echo "CNB_TARGET_OS:" `printenv CNB_TARGET_OS`
+echo "CNB_TARGET_DISTRO_NAME:" `printenv CNB_TARGET_DISTRO_NAME`
+echo "CNB_TARGET_DISTRO_VERSION:" `printenv CNB_TARGET_DISTRO_VERSION`
+
+echo "---> Done"
--- a/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_3/0.0.3/buildpack.toml
+++ b/acceptance/testdata/builder/container/cnb/buildpacks/hello_world_3/0.0.3/buildpack.toml
@ -0,0 +1,7 @@
+# Buildpack API version
+api = "0.10"
+
+# Buildpack ID and metadata
+[buildpack]
+id = "hello_world_3"
+version = "0.0.3"
--- a/acceptance/testdata/builder/container/cnb/group_tomls/always_detect_group.toml
+++ b/acceptance/testdata/builder/container/cnb/group_tomls/always_detect_group.toml
@ -0,0 +1,4 @@
+[[group]]
+  api = "0.10"
+  id = "hello_world"
+  version = "0.0.1"
--- a/acceptance/testdata/builder/container/cnb/group_tomls/always_detect_group_buildpack2.toml
+++ b/acceptance/testdata/builder/container/cnb/group_tomls/always_detect_group_buildpack2.toml
@ -0,0 +1,4 @@
+[[group]]
+  api = "0.10"
+  id = "hello_world_2"
+  version = "0.0.2"
--- a/testdata/exporter/previous-image-exists/layers/buildpack.id/launch.toml
+++ b/testdata/exporter/previous-image-exists/layers/buildpack.id/launch.toml
--- a/acceptance/testdata/builder/container/cnb/group_tomls/group_with_ext.toml
+++ b/acceptance/testdata/builder/container/cnb/group_tomls/group_with_ext.toml
@ -0,0 +1,9 @@
+[[group]]
+  api = "0.10"
+  id = "hello_world"
+  version = "0.0.1"
+
+[[group-extensions]]
+  api = "0.10"
+  id = "hello_world"
+  version = "0.0.1"
--- a/acceptance/testdata/builder/container/cnb/group_tomls/invalid_buildpack_api_group.toml
+++ b/acceptance/testdata/builder/container/cnb/group_tomls/invalid_buildpack_api_group.toml
@ -0,0 +1,5 @@
+[[group]]
+  api = "0.2wrongapiblabla"
+  id = "hello_world"
+  version = "0.0.1"
+  
--- a/acceptance/testdata/builder/container/cnb/group_tomls/wrong_group.toml
+++ b/acceptance/testdata/builder/container/cnb/group_tomls/wrong_group.toml
@ -0,0 +1,3 @@
+I am a group.toml file which not correct as context and syntax.
+
+For more info please look at https://github.com/buildpacks/spec/blob/main/platform.md#grouptoml-toml
--- a/acceptance/testdata/builder/container/cnb/plan_tomls/always_detect_plan.toml
+++ b/acceptance/testdata/builder/container/cnb/plan_tomls/always_detect_plan.toml
@ -0,0 +1,10 @@
+[[entries]]
+
+  [[entries.providers]]
+    id = "hello_world"
+    version = "0.0.1"
+    
+  [[entries.requires]]
+      name = "different_plan_from_env.toml_reqires_subset_content"
+      [entries.requires.metadata]
+        # arbitrary data describing the required dependency
--- a/acceptance/testdata/builder/container/cnb/plan_tomls/always_detect_plan_buildpack_2.toml
+++ b/acceptance/testdata/builder/container/cnb/plan_tomls/always_detect_plan_buildpack_2.toml
@ -0,0 +1,10 @@
+[[entries]]
+
+  [[entries.providers]]
+    id = "hello_world_2"
+    version = "0.0.2"
+    
+  [[entries.requires]]
+      name = "different_plan_from_env.toml_reqires_subset_content"
+      [entries.requires.metadata]
+        # arbitrary data describing the required dependency
--- a/acceptance/testdata/builder/container/cnb/plan_tomls/always_detect_plan_buildpack_3.toml
+++ b/acceptance/testdata/builder/container/cnb/plan_tomls/always_detect_plan_buildpack_3.toml
@ -0,0 +1,10 @@
+[[entries]]
+
+  [[entries.providers]]
+    id = "hello_world_3"
+    version = "0.0.3"
+    
+  [[entries.requires]]
+      name = "03_plan.toml_requires_subset_content_idk"
+      [entries.requires.metadata]
+        # arbitrary data describing the required dependency
--- a/acceptance/testdata/builder/container/cnb/plan_tomls/different_plan_from_env.toml
+++ b/acceptance/testdata/builder/container/cnb/plan_tomls/different_plan_from_env.toml
@ -0,0 +1,11 @@
+[[entries]]
+
+  [[entries.providers]]
+    id = "hello_world"
+    version = "0.0.1"
+  
+  [[entries.requires]]
+      name = "different_plan_from_env.toml_reqires_subset_content"
+      [entries.requires.metadata]
+        # arbitrary data describing the required dependency
+        
--- a/acceptance/testdata/builder/container/cnb/plan_tomls/empty_plan.toml
+++ b/acceptance/testdata/builder/container/cnb/plan_tomls/empty_plan.toml
--- a/acceptance/testdata/builder/container/cnb/plan_tomls/wrong_plan.toml
+++ b/acceptance/testdata/builder/container/cnb/plan_tomls/wrong_plan.toml
@ -0,0 +1,3 @@
+I am a plan.toml file which not correct as context and syntax.
+
+For more info please look at https://github.com/buildpacks/spec/blob/main/platform.md#plantoml-toml
--- a/acceptance/testdata/builder/container/env_folders/different_buildpack_dir_from_env/hello_world/0.0.1/bin/build
+++ b/acceptance/testdata/builder/container/env_folders/different_buildpack_dir_from_env/hello_world/0.0.1/bin/build
@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+echo "---> Hello World buildpack"
+
+# INPUT ARGUMENTS
+platform_dir=$2
+env_dir=${platform_dir}/env
+layers_dir=$1
+plan_path=$3
+
+# acceptance test
+echo "CNB_BUILDPACK_DIR: ${CNB_BUILDPACK_DIR}"
--- a/acceptance/testdata/builder/container/env_folders/different_buildpack_dir_from_env/hello_world/0.0.1/buildpack.toml
+++ b/acceptance/testdata/builder/container/env_folders/different_buildpack_dir_from_env/hello_world/0.0.1/buildpack.toml
@ -0,0 +1,7 @@
+# Buildpack API version
+api = "0.10"
+
+# Buildpack ID and metadata
+[buildpack]
+id = "hello_world"
+version = "0.0.1"
--- a/acceptance/testdata/builder/container/env_folders/different_cnb_app_dir_from_env/.gitkeep
+++ b/acceptance/testdata/builder/container/env_folders/different_cnb_app_dir_from_env/.gitkeep
--- a/acceptance/testdata/builder/container/env_folders/different_platform_dir_from_env/.gitkeep
+++ b/acceptance/testdata/builder/container/env_folders/different_platform_dir_from_env/.gitkeep
--- a/acceptance/testdata/builder/container/layers/03_layer/analyzed.toml
+++ b/acceptance/testdata/builder/container/layers/03_layer/analyzed.toml
@ -0,0 +1,9 @@
+[run-image.target]
+  id = "my id"
+  os = "linux"
+  arch = "amd64"
+  arch-variant = "some-variant"
+  [run-image.target.distro]
+    name = "ubuntu"
+    version = "some-cute-version"
+
--- a/acceptance/testdata/builder/container/layers/03_layer/group.toml
+++ b/acceptance/testdata/builder/container/layers/03_layer/group.toml
@ -0,0 +1,4 @@
+[[group]]
+  api = "0.10"
+  id = "hello_world_3"
+  version = "0.0.3"
--- a/acceptance/testdata/builder/container/layers/03_layer/plan.toml
+++ b/acceptance/testdata/builder/container/layers/03_layer/plan.toml
@ -0,0 +1,6 @@
+[[entries]]
+
+  [[entries.providers]]
+    id = "hello_world_3"
+    version = "0.0.3"
+    
--- a/acceptance/testdata/builder/container/layers/analyzed.toml
+++ b/acceptance/testdata/builder/container/layers/analyzed.toml
@ -0,0 +1,6 @@
+[run-image]
+  [target]
+  id = "software"
+  os = "linux"
+  arch = "amd64"
+
--- a/acceptance/testdata/builder/container/layers/different_layer_dir_from_env/group.toml
+++ b/acceptance/testdata/builder/container/layers/different_layer_dir_from_env/group.toml
@ -0,0 +1,4 @@
+[[group]]
+  api = "0.10"
+  id = "hello_world_2"
+  version = "0.0.2"
--- a/acceptance/testdata/builder/container/layers/different_layer_dir_from_env/plan.toml
+++ b/acceptance/testdata/builder/container/layers/different_layer_dir_from_env/plan.toml
@ -0,0 +1,6 @@
+[[entries]]
+
+  [[entries.providers]]
+    id = "hello_world_2"
+    version = "0.0.2"
+    
--- a/acceptance/testdata/builder/container/platform/.gitkeep
+++ b/acceptance/testdata/builder/container/platform/.gitkeep
--- a/acceptance/testdata/builder/container/workspace/.gitkeep
+++ b/acceptance/testdata/builder/container/workspace/.gitkeep
--- a/acceptance/testdata/cache-dir/committed/io.buildpacks.lifecycle.cache.metadata
+++ b/acceptance/testdata/cache-dir/committed/io.buildpacks.lifecycle.cache.metadata
@ -0,0 +1,40 @@
+{
+  "buildpacks": [
+    {
+      "key": "some-buildpack-id",
+      "layers": {
+        "some-layer": {
+          "cache": true,
+          "data": {
+            "some-layer-key": "some-layer-value"
+          },
+          "sha": "some-layer-sha"
+        }
+      }
+    },
+    {
+      "key": "some-other-buildpack-id",
+      "layers": {
+        "some-layer": {
+          "cache": true,
+          "data": {
+            "some-layer-key": "some-layer-value"
+          },
+          "sha": "some-layer-sha"
+        }
+      }
+    },
+    {
+      "key": "another-buildpack-id",
+      "layers": {
+        "some-layer": {
+          "cache": true,
+          "data": {
+            "some-layer-key": "some-layer-value"
+          },
+          "sha": "some-layer-sha"
+        }
+      }
+    }
+  ]
+}
--- a/acceptance/testdata/cache-image/Dockerfile
+++ b/acceptance/testdata/cache-image/Dockerfile
@ -0,0 +1,7 @@
+ARG fromImage
+
+FROM $fromImage
+
+ARG metadata
+
+LABEL io.buildpacks.lifecycle.cache.metadata=$metadata
--- a/acceptance/testdata/cache_image_metadata.json
+++ b/acceptance/testdata/cache_image_metadata.json
@ -0,0 +1,16 @@
+{
+  "buildpacks": [
+    {
+      "key": "some-buildpack-id",
+      "layers": {
+        "some-layer": {
+          "cache": true,
+          "data": {
+            "some-layer-key": "some-layer-value"
+          },
+          "sha": "some-layer-sha"
+        }
+      }
+    }
+  ]
+}
--- a/acceptance/testdata/creator/Dockerfile
+++ b/acceptance/testdata/creator/Dockerfile
@ -0,0 +1,20 @@
+FROM ubuntu:bionic
+
+ARG cnb_uid=1234
+ARG cnb_gid=1000
+
+ENV CNB_USER_ID=${cnb_uid}
+ENV CNB_GROUP_ID=${cnb_gid}
+
+COPY ./container/ /
+
+RUN groupadd cnb --gid ${cnb_gid} && \
+  useradd --uid ${cnb_uid} --gid ${cnb_gid} -m -s /bin/bash cnb
+
+# chown the directories so the tests do not have to run as root
+RUN chown -R "${cnb_uid}:${cnb_gid}" "/layers"
+RUN chown -R "${cnb_uid}:${cnb_gid}" "/layout-repo"
+
+WORKDIR /layers
+
+USER ${cnb_uid}:${cnb_gid}
--- a/acceptance/testdata/creator/container/cnb/buildpacks/samples_hello-world/0.0.1/bin/build
+++ b/acceptance/testdata/creator/container/cnb/buildpacks/samples_hello-world/0.0.1/bin/build
@ -0,0 +1,106 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+echo "---> Hello World buildpack"
+
+# INPUT ARGUMENTS
+platform_dir=$2
+env_dir=${platform_dir}/env
+layers_dir=$1
+plan_path=$3
+
+if test -d /layers/sbom; then
+  echo "/layers/sbom should not exist during buildpack builds"
+  exit 1
+fi
+
+# LAYERS
+echo "     layers_dir: ${layers_dir}"
+
+# launch=true layer
+mkdir -p ${layers_dir}/some-layer/env
+
+echo -n "some-val" > ${layers_dir}/some-layer/env/SOME_VAR
+
+if test -f ${layers_dir}/some-layer.sbom.cdx.json; then
+  echo "${layers_dir}/some-layer.sbom.cdx.json restored with content: $(cat ${layers_dir}/some-layer.sbom.cdx.json)"
+fi
+
+echo -n "{\"key\": \"some-launch-true-bom-content\"}" > ${layers_dir}/some-layer.sbom.cdx.json
+
+if test -f ${layers_dir}/some-layer.toml; then
+  # mimic not downloading new content
+  echo "nop"
+else
+  # mimic downloading new content
+  sleep 1
+fi
+
+cat <<EOF > ${layers_dir}/some-layer.toml
+[types]
+  launch = true
+EOF
+
+# cache=true layer
+mkdir -p ${layers_dir}/some-cache-layer
+
+if test -f ${layers_dir}/some-cache-layer.sbom.cdx.json; then
+  echo "${layers_dir}/some-cache-layer.sbom.cdx.json restored with content: $(cat ${layers_dir}/some-cache-layer.sbom.cdx.json)"
+fi
+
+echo -n "{\"key\": \"some-cache-true-bom-content\"}" > ${layers_dir}/some-cache-layer.sbom.cdx.json
+
+cat <<EOF > ${layers_dir}/some-cache-layer.toml
+[types]
+  cache = true
+EOF
+
+# launch=true cache=true layer
+mkdir -p ${layers_dir}/some-launch-cache-layer
+
+if test -f ${layers_dir}/some-launch-cache-layer.sbom.cdx.json; then
+  echo "${layers_dir}/some-launch-cache-layer.sbom.cdx.json restored with content: $(cat ${layers_dir}/some-launch-cache-layer.sbom.cdx.json)"
+fi
+
+echo -n "{\"key\": \"some-launch-true-cache-true-bom-content\"}" > ${layers_dir}/some-launch-cache-layer.sbom.cdx.json
+
+cat <<EOF > ${layers_dir}/some-launch-cache-layer.toml
+[types]
+  launch = true
+  cache = true
+EOF
+
+# build=true layer
+mkdir -p ${layers_dir}/some-build-layer
+
+if test -f ${layers_dir}/some-build-layer.sbom.cdx.json; then
+  echo "${layers_dir}/some-build-layer.sbom.cdx.json" should never be restored
+  exit 1
+fi
+
+echo -n "{\"key\": \"some-bom-content\"}" > ${layers_dir}/some-build-layer.sbom.cdx.json
+
+cat <<EOF > ${layers_dir}/some-build-layer.toml
+[types]
+  build = true
+EOF
+
+# launch bom
+if test -f ${layers_dir}/launch.sbom.cdx.json; then
+  echo "${layers_dir}/launch.sbom.cdx.json should never be restored"
+  exit 1
+fi
+echo -n "{\"key\": \"some-bom-content\"}" > ${layers_dir}/launch.sbom.cdx.json
+
+# build bom
+if test -f ${layers_dir}/build.sbom.cdx.json; then
+  echo "${layers_dir}/build.sbom.cdx.json should never be restored"
+  exit 1
+fi
+echo -n "{\"key\": \"some-bom-content\"}" > ${layers_dir}/build.sbom.cdx.json
+
+# store.toml
+if test -f ${layers_dir}/store.toml; then
+  echo "${layers_dir}/store.toml restored with content: $(cat ${layers_dir}/store.toml)"
+fi
+printf "[metadata]\n\"some-key\" = \"some-value\"" > ${layers_dir}/store.toml
--- a/acceptance/testdata/creator/container/cnb/buildpacks/samples_hello-world/0.0.1/bin/detect
+++ b/acceptance/testdata/creator/container/cnb/buildpacks/samples_hello-world/0.0.1/bin/detect
@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+# 1. GET ARGS
+plan_path=$2
+
+exit 0
--- a/acceptance/testdata/creator/container/cnb/buildpacks/samples_hello-world/0.0.1/buildpack.toml
+++ b/acceptance/testdata/creator/container/cnb/buildpacks/samples_hello-world/0.0.1/buildpack.toml
@ -0,0 +1,13 @@
+# Buildpack API version
+api = "0.7"
+
+# Buildpack ID and metadata
+[buildpack]
+id = "samples/hello-world"
+version = "0.0.1"
+name = "Hello World Buildpack"
+sbom-formats = ["application/vnd.cyclonedx+json"]
+
+# Stacks that the buildpack will work with
+[[stacks]]
+id = "*"
--- a/acceptance/testdata/creator/container/cnb/extensions/samples_hello-world/0.0.1/extension.toml
+++ b/acceptance/testdata/creator/container/cnb/extensions/samples_hello-world/0.0.1/extension.toml
@ -0,0 +1,8 @@
+# Buildpack API version
+api = "0.9"
+
+# Extension ID and metadata
+[extension]
+id = "samples/hello-world"
+version = "0.0.1"
+name = "Hello World Extension"
--- a/acceptance/testdata/creator/container/cnb/order-with-extensions.toml
+++ b/acceptance/testdata/creator/container/cnb/order-with-extensions.toml
@ -0,0 +1,9 @@
+[[order]]
+[[order.group]]
+id = "samples/hello-world"
+version = "0.0.1"
+
+[[order-extensions]]
+[[order-extensions.group]]
+id = "samples/hello-world"
+version = "0.0.1"
--- a/acceptance/testdata/creator/container/cnb/order.toml
+++ b/acceptance/testdata/creator/container/cnb/order.toml
@ -0,0 +1,4 @@
+[[order]]
+[[order.group]]
+id = "samples/hello-world"
+version = "0.0.1"
--- a/acceptance/testdata/creator/container/cnb/run.toml
+++ b/acceptance/testdata/creator/container/cnb/run.toml
@ -0,0 +1,5 @@
+[[images]]
+ image = "some-run-image-from-run-toml"
+
+[[images]]
+ image = "some-other-run-image"
--- a/acceptance/testdata/creator/container/cnb/stack.toml
+++ b/acceptance/testdata/creator/container/cnb/stack.toml
--- a/acceptance/testdata/creator/container/layers/.gitkeep
+++ b/acceptance/testdata/creator/container/layers/.gitkeep
--- a/acceptance/testdata/creator/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/405fecb6a2fa4f29683f977e7e3b852bf6f8975a2aba647d234d2371894943da
+++ b/acceptance/testdata/creator/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/405fecb6a2fa4f29683f977e7e3b852bf6f8975a2aba647d234d2371894943da
--- a/acceptance/testdata/creator/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/9d5226e6ce3fb6aee2822206a5ef85f38c303d2b37bfc894b419fca2c0501269
+++ b/acceptance/testdata/creator/container/layout-repo/index.docker.io/library/busybox/latest/blobs/sha256/9d5226e6ce3fb6aee2822206a5ef85f38c303d2b37bfc894b419fca2c0501269
@ -0,0 +1 @@
+{"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["sh"],"Image":"sha256:688db7a53b2e8d0358c0e1f309856290bb25ce7acabbf9938f580582e921833f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"65aaed1d1f89cd3cd5aac9137c4786831e99a845ad823496c6008a22a725c780","container_config":{"Hostname":"65aaed1d1f89","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD [\"sh\"]"],"Image":"sha256:688db7a53b2e8d0358c0e1f309856290bb25ce7acabbf9938f580582e921833f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"created":"2022-11-18T01:19:29.442257773Z","docker_version":"20.10.12","history":[{"created":"2022-11-18T01:19:29.321465538Z","created_by":"/bin/sh -c #(nop) ADD file:36d9f497f679d56737ac1379d93f7b6a2e4c814e38e868a5a8e719c4b226ef6e in / "},{"created":"2022-11-18T01:19:29.442257773Z","created_by":"/bin/sh -c #(nop)  CMD [\"sh\"]","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:40cf597a9181e86497f4121c604f9f0ab208950a98ca21db883f26b0a548a2eb"]}}
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				{"architecture":"amd64","config":{"Hostname":"","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["sh"],"Image":"sha256:688db7a53b2e8d0358c0e1f309856290bb25ce7acabbf9938f580582e921833f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"container":"65aaed1d1f89cd3cd5aac9137c4786831e99a845ad823496c6008a22a725c780","container_config":{"Hostname":"65aaed1d1f89","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"],"Cmd":["/bin/sh","-c","#(nop) ","CMD [\"sh\"]"],"Image":"sha256:688db7a53b2e8d0358c0e1f309856290bb25ce7acabbf9938f580582e921833f","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":{}},"created":"2022-11-18T01:19:29.442257773Z","docker_version":"20.10.12","history":[{"created":"2022-11-18T01:19:29.321465538Z","created_by":"/bin/sh -c #(nop) ADD file:36d9f497f679d56737ac1379d93f7b6a2e4c814e38e868a5a8e719c4b226ef6e in / "},{"created":"2022-11-18T01:19:29.442257773Z","created_by":"/bin/sh -c #(nop) CMD [\"sh\"]","empty_layer":true}],"os":"linux","rootfs":{"type":"layers","diff_ids":["sha256:40cf597a9181e86497f4121c604f9f0ab208950a98ca21db883f26b0a548a2eb"]}}