build(deps): bump the go-dependencies group with 6 updates (#2424 )

Bumps the go-dependencies group with 6 updates: | Package | From | To | | --- | --- | --- | | [github.com/docker/go-connections](https://github.com/docker/go-connections) | `0.5.0` | `0.6.0` | | [golang.org/x/crypto](https://github.com/golang/crypto) | `0.40.0` | `0.41.0` | | [golang.org/x/mod](https://github.com/golang/mod) | `0.26.0` | `0.27.0` | | [golang.org/x/sys](https://github.com/golang/sys) | `0.34.0` | `0.35.0` | | [golang.org/x/term](https://github.com/golang/term) | `0.33.0` | `0.34.0` | | [golang.org/x/text](https://github.com/golang/text) | `0.27.0` | `0.28.0` | Updates `github.com/docker/go-connections` from 0.5.0 to 0.6.0 - [Commits](https://github.com/docker/go-connections/compare/v0.5.0...v0.6.0) Updates `golang.org/x/crypto` from 0.40.0 to 0.41.0 - [Commits](https://github.com/golang/crypto/compare/v0.40.0...v0.41.0) Updates `golang.org/x/mod` from 0.26.0 to 0.27.0 - [Commits](https://github.com/golang/mod/compare/v0.26.0...v0.27.0) Updates `golang.org/x/sys` from 0.34.0 to 0.35.0 - [Commits](https://github.com/golang/sys/compare/v0.34.0...v0.35.0) Updates `golang.org/x/term` from 0.33.0 to 0.34.0 - [Commits](https://github.com/golang/term/compare/v0.33.0...v0.34.0) Updates `golang.org/x/text` from 0.27.0 to 0.28.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](https://github.com/golang/text/compare/v0.27.0...v0.28.0) --- updated-dependencies: - dependency-name: github.com/docker/go-connections dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/crypto dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/mod dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/sys dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/term dependency-version: 0.34.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/text dependency-version: 0.28.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Update imgutil to improve containerd storage driver performance (#2427 )
2025-08-25 08:36:25 -05:00 · 2025-08-18 10:32:33 -05:00 · 2025-08-07 06:45:16 -05:00 · 2025-07-15 21:53:10 -05:00 · 2025-07-07 11:43:32 -05:00 · 2025-07-02 12:37:55 -05:00
291 changed files with 12883 additions and 2524 deletions
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@ -17,7 +17,9 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.21"
+          go-version: 1.24
+          check-latest: true
+          go-version-file: 'go.mod'
      - name: Set up go env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -20,10 +20,11 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        config: [macos, linux, windows-lcow, windows-wcow]
+        config: [macos, linux, windows-lcow]
        include:
          - config: macos
-            os: macos
+            # since macos-14 the latest runner is arm64
+            os: macos-arm64
            runner: macos-latest
            no_docker: "true"
            pack_bin: pack
@ -37,11 +38,6 @@ jobs:
            runner: [self-hosted, windows, lcow]
            no_docker: "false"
            pack_bin: pack.exe
-          - config: windows-wcow
-            os: windows
-            runner: [windows-2019]
-            no_docker: "false"
-            pack_bin: pack.exe
    runs-on: ${{ matrix.runner }}
    env:
      PACK_BIN: ${{ matrix.pack_bin }}
@ -74,8 +70,8 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.21"
          check-latest: true
+          go-version-file: 'go.mod'
      - name: Set up go env for Unix
        if: runner.os != 'Windows'
        run: |
@ -90,36 +86,6 @@ jobs:
        shell: powershell
      - name: Verify
        run: make verify
-      - name: Register runner IP
-        if: matrix.config == 'windows-wcow'
-        shell: powershell
-        run: |
-          # Get IP from default gateway interface
-          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
-
-          # Allow container-to-host registry traffic (from public interface, to the same interface)
-          New-NetfirewallRule -DisplayName test-registry -LocalAddress $IPAddress -RemoteAddress $IPAddress
-
-          # create or update daemon config to allow host as insecure-registry
-          $config=@{}
-          if (Test-Path C:\ProgramData\docker\config\daemon.json) {
-            $config=(Get-Content C:\ProgramData\docker\config\daemon.json | ConvertFrom-json)
-          }
-          $config | Add-Member -Force -Name "insecure-registries" -value @("$IPAddress/32") -MemberType NoteProperty
-          ConvertTo-json $config | Out-File -Encoding ASCII C:\ProgramData\docker\config\daemon.json
-
-          Restart-Service docker
-
-          # dump docker info for auditing
-          docker version
-          docker info
-
-          # Modify etc\hosts to include runner IP
-          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
-          "# Modified by CNB: https://github.com/buildpacks/ci/tree/main/gh-runners/windows
-          ${IPAddress} host.docker.internal
-          ${IPAddress} gateway.docker.internal
-          " | Out-File -Filepath C:\Windows\System32\drivers\etc\hosts -Encoding utf8
      - name: Test
        env:
          TEST_COVERAGE: 1
@ -157,7 +123,6 @@ jobs:
          PACK_BUILD: ${{ github.run_number }}
        shell: powershell
      - uses: actions/upload-artifact@v4
-        if: matrix.config != 'windows-lcow'
        with:
          name: pack-${{ matrix.os }}
          path: out/${{ env.PACK_BIN }}
@ -170,12 +135,16 @@ jobs:
          - name: linux-arm64
            goarch: arm64
            goos: linux
-          - name: macos-arm64
-            goarch: arm64
+          - name: macos
+            # since macos-14 default runner is arm, we need to build for intel architecture later
+            goarch: amd64
            goos: darwin
          - name: linux-s390x
            goarch: s390x
            goos: linux
+          - name: linux-ppc64le
+            goarch: ppc64le
+            goos: linux
    needs: test
    runs-on: ubuntu-latest
    steps:
@ -183,8 +152,8 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.21"
          check-latest: true
+          go-version-file: 'go.mod'
      - name: Build
        run: |
          [[ $GITHUB_REF =~ ^refs\/heads\/release/(.*)$ ]] && version=${BASH_REMATCH[1]} || version=0.0.0
@ -239,6 +208,12 @@ jobs:
          filename=pack-v${{ env.PACK_VERSION }}-linux-s390x.tgz
          tar -C pack-linux-s390x -vzcf $filename pack
          shasum -a 256 $filename > $filename.sha256
+      - name: Package artifacts - linux-ppc64le
+        run: |
+          chmod +x pack-linux-ppc64le/pack
+          filename=pack-v${{ env.PACK_VERSION }}-linux-ppc64le.tgz
+          tar -C pack-linux-ppc64le -vzcf $filename pack
+          shasum -a 256 $filename > $filename.sha256
      - name: Package artifacts - macos-arm64
        run: |
          chmod +x pack-macos-arm64/pack
@ -278,7 +253,7 @@ jobs:
          milestone: ${{ env.PACK_MILESTONE }}
      - name: Create Pre-Release
        if: ${{ env.PACK_VERSION != env.PACK_MILESTONE }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@ -314,6 +289,11 @@ jobs:
            ```bash
            (curl -sSL "https://github.com/buildpacks/pack/releases/download/v${{ env.PACK_VERSION }}/pack-v${{ env.PACK_VERSION }}-linux-s390x.tgz" | sudo tar -C /usr/local/bin/ --no-same-owner -xzv pack)
            ```
+            ##### PPC64LE
+
+            ```bash
+            (curl -sSL "https://github.com/buildpacks/pack/releases/download/v${{ env.PACK_VERSION }}/pack-v${{ env.PACK_VERSION }}-linux-ppc64le.tgz" | sudo tar -C /usr/local/bin/ --no-same-owner -xzv pack)
+            ```

            #### MacOS

@ -354,7 +334,7 @@ jobs:

      - name: Create Beta Release
        if: ${{ env.PACK_VERSION == env.PACK_MILESTONE }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/check-latest-release.yml
+++ b/.github/workflows/check-latest-release.yml
@ -70,9 +70,9 @@ jobs:
          fi
      - name: Scan latest release image
        id: scan-image
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v6
        with:
-          image: buildpacksio/pack:${{ steps.read-go.outputs.latest-release-version }}
+          image: docker.io/buildpacksio/pack:${{ steps.read-go.outputs.latest-release-version }}
      - name: Create issue if needed
        if: failure() && steps.scan-image.outcome == 'failure'
        env:
@ -91,7 +91,7 @@ jobs:
            search_output=$(gh issue list --search "$title" --label "$label")

            GITHUB_WORKFLOW_URL=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
-            body="Latest buildpacksio/pack v${{ steps.read-go.outputs.latest-release-version }} triggered CVE(s) from Grype. For further details, see: $GITHUB_WORKFLOW_URL"
+            body="Latest docker.io/buildpacksio/pack v${{ steps.read-go.outputs.latest-release-version }} triggered CVE(s) from Grype. For further details, see: $GITHUB_WORKFLOW_URL"

            if [ -z "${search_output// }" ]
            then
--- a/.github/workflows/compatibility.yml
+++ b/.github/workflows/compatibility.yml
@ -46,8 +46,8 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.21"
          check-latest: true
+          go-version-file: 'go.mod'
      - name: Set up go env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
@ -59,3 +59,4 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          make acceptance
+          docker network prune
--- a/.github/workflows/delivery-archlinux.yml
+++ b/.github/workflows/delivery-archlinux.yml
@ -11,64 +11,6 @@ on:
        required: true

 jobs:
-  pack-cli:
-    runs-on: ubuntu-latest
-    env:
-      PACKAGE_NAME: pack-cli
-    steps:
-      - uses: actions/checkout@v4
-      - name: Determine version
-        uses: actions/github-script@v7
-        id: version
-        with:
-          result-encoding: string
-          script: |
-            let payload = context.payload;
-            let tag = (payload.release && payload.release.tag_name) || (payload.inputs && payload.inputs.tag_name);
-            if (!tag) {
-              throw "ERROR: unable to determine tag"
-            }
-            return tag.replace(/^v/, '');
-      - name: Set PACK_VERSION
-        run: echo "PACK_VERSION=${{ steps.version.outputs.result }}" >> $GITHUB_ENV
-        shell: bash
-      - name: Setup working dir
-        run: |
-          mkdir -p ${{ env.PACKAGE_NAME }}
-          cp .github/workflows/delivery/archlinux/${{ env.PACKAGE_NAME }}/PKGBUILD ${{ env.PACKAGE_NAME }}/PKGBUILD
-      - name: Metadata
-        id: metadata
-        run: |
-          url=https://github.com/buildpacks/pack/archive/v${{ env.PACK_VERSION }}.tar.gz
-          filename=pack-${{ env.PACK_VERSION }}.tgz
-          fullpath=`pwd`/$filename
-
-          curl -sSL "$url" -o "$fullpath"
-          sha512=$(sha512sum "$fullpath" | awk '{ print $1 }')
-          echo "url=$url" >> $GITHUB_OUTPUT
-          echo "sha512=$sha512" >> $GITHUB_OUTPUT
-      - name: Fill PKGBUILD
-        uses: cschleiden/replace-tokens@v1
-        with:
-          files: ${{ env.PACKAGE_NAME }}/PKGBUILD
-          tokenPrefix: '{{'
-          tokenSuffix: '}}'
-        env:
-          PACK_VERSION: ${{ env.PACK_VERSION }}
-          SRC_TGZ_URL: ${{ steps.metadata.outputs.url }}
-          SRC_TGZ_SHA: ${{ steps.metadata.outputs.sha512 }}
-      - name: Print PKGBUILD
-        run: cat ${{ env.PACKAGE_NAME }}/PKGBUILD
-      - name: Test
-        uses: docker://archlinux:latest
-        with:
-          entrypoint: .github/workflows/delivery/archlinux/test-install-package.sh
-      - name: Publish
-        uses: docker://archlinux:latest
-        env:
-          AUR_KEY: ${{ secrets.AUR_KEY }}
-        with:
-          entrypoint: .github/workflows/delivery/archlinux/publish-package.sh
  pack-cli-bin:
    runs-on: ubuntu-latest
    env:
--- a/.github/workflows/delivery-docker.yml
+++ b/.github/workflows/delivery-docker.yml
@ -16,8 +16,9 @@ on:
        default: false

 env:
+  REGISTRY_NAME: 'docker.io'
+  USER_NAME: 'buildpacksio'
  IMG_NAME: 'pack'
-  USERNAME: 'buildpacksio'

 jobs:
  deliver-docker:
@ -52,7 +53,7 @@ jobs:
        with:
          ref: v${{ steps.version.outputs.result }}
      - name: Determine App Name
-        run: 'echo "IMG_NAME=${{ env.USERNAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV'
+        run: 'echo "IMG_NAME=${{ env.REGISTRY_NAME }}/${{ env.USER_NAME }}/${{ env.IMG_NAME }}" >> $GITHUB_ENV'
      - name: Login to Dockerhub
        uses: docker/login-action@v3
        with:
@ -60,12 +61,12 @@ jobs:
          password: ${{ secrets.DOCKER_PASSWORD }}
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
-      - uses: buildpacks/github-actions/setup-tools@v5.5.1
+      - uses: buildpacks/github-actions/setup-tools@v5.9.2
      - name: Buildx Build/Publish
        run: |
          docker buildx build . \
            --tag ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} \
-            --platform linux/amd64,linux/arm64,linux/s390x \
+            --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le \
            --build-arg pack_version=${{ steps.version.outputs.result }} \
            --build-arg base_image=${{ matrix.base_image }} \
            --provenance=false \
@ -73,8 +74,8 @@ jobs:
      - name: Tag Image as Base
        if: ${{ (github.event.release != '' || github.event.inputs.tag_latest) && matrix.config == 'base' }}
        run: |
-          crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }} ${{ env.IMG_NAME }}:base
+          crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:base
      - name: Tag Image as Latest
        if: ${{ (github.event.release != '' || github.event.inputs.tag_latest) && matrix.config != 'base' }}
        run: |
-          crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }} ${{ env.IMG_NAME }}:latest
+          crane copy ${{ env.IMG_NAME }}:${{ steps.version.outputs.result }}${{ matrix.suffix }} ${{ env.IMG_NAME }}:latest
--- a/.github/workflows/delivery-homebrew.yml
+++ b/.github/workflows/delivery-homebrew.yml
@ -50,6 +50,11 @@ jobs:
                core.setOutput("linux_url", asset.browser_download_url);
              }

+              if (asset.name.endsWith("linux-arm64.tgz")) {
+                core.setOutput("linux_arm64_name", asset.name);
+                core.setOutput("linux_arm64_url", asset.browser_download_url);
+              }
+
              if (asset.name.endsWith("macos.tgz")) {
                core.setOutput("macos_name", asset.name);
                core.setOutput("macos_url", asset.browser_download_url);
@ -67,6 +72,10 @@ jobs:
          linux_sha256=$(sha256sum ${{ steps.assets.outputs.linux_name }} | cut -d ' ' -f1)
          echo "linux_sha256=$linux_sha256" >> $GITHUB_OUTPUT

+          curl -sSL ${{ steps.assets.outputs.linux_arm64_url }} -o ${{ steps.assets.outputs.linux_arm64_name }}
+          linux_arm64_sha256=$(sha256sum ${{ steps.assets.outputs.linux_arm64_name }} | cut -d ' ' -f1)
+          echo "linux_arm64_sha256=$linux_arm64_sha256" >> $GITHUB_OUTPUT
+
          curl -sSL ${{ steps.assets.outputs.macos_url }} -o ${{ steps.assets.outputs.macos_name }}
          macos_sha256=$(sha256sum ${{ steps.assets.outputs.macos_name }} | cut -d ' ' -f1)
          echo "macos_sha256=$macos_sha256" >> $GITHUB_OUTPUT
@ -83,6 +92,8 @@ jobs:
        env:
          LINUX_URL: ${{ steps.assets.outputs.linux_url }}
          LINUX_SHA: ${{ steps.checksums.outputs.linux_sha256 }}
+          LINUX_ARM64_URL: ${{ steps.assets.outputs.linux_arm64_url }}
+          LINUX_ARM64_SHA: ${{ steps.checksums.outputs.linux_arm64_sha256 }}
          MACOS_URL: ${{ steps.assets.outputs.macos_url }}
          MACOS_SHA: ${{ steps.checksums.outputs.macos_sha256 }}
          MACOS_ARM64_URL: ${{ steps.assets.outputs.macos_arm64_url }}
--- a/.github/workflows/delivery-ubuntu.yml
+++ b/.github/workflows/delivery-ubuntu.yml
@ -20,8 +20,8 @@ jobs:
      strategy:
        fail-fast: false
        matrix:
-          target: [bionic, focal, jammy, lunar]
-      runs-on: ubuntu-20.04
+          target: [bionic, focal, jammy, noble, oracular, plucky]
+      runs-on: ubuntu-22.04
      steps:
          - name: Checkout code
            uses: actions/checkout@v4
@ -103,9 +103,33 @@ jobs:
              GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
              PACKAGE_VERSION: ${{ steps.version.outputs.result }}

-          - name: Deliver lunar
-            if: matrix.target == 'lunar'
-            uses: docker://ubuntu:lunar
+          - name: Deliver noble
+            if: matrix.target == 'noble'
+            uses: docker://ubuntu:noble
+            with:
+              entrypoint: .github/workflows/delivery/ubuntu/deliver.sh
+            env:
+              DEBIAN_FRONTEND: "noninteractive"
+              GO_DEP_PACKAGE_NAME: golang
+              GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+              GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
+              PACKAGE_VERSION: ${{ steps.version.outputs.result }}
+
+          - name: Deliver oracular
+            if: matrix.target == 'oracular'
+            uses: docker://ubuntu:oracular
+            with:
+              entrypoint: .github/workflows/delivery/ubuntu/deliver.sh
+            env:
+              DEBIAN_FRONTEND: "noninteractive"
+              GO_DEP_PACKAGE_NAME: golang
+              GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+              GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
+              PACKAGE_VERSION: ${{ steps.version.outputs.result }}
+
+          - name: Deliver plucky
+            if: matrix.target == 'plucky'
+            uses: docker://ubuntu:plucky
            with:
              entrypoint: .github/workflows/delivery/ubuntu/deliver.sh
            env:
--- a/.github/workflows/delivery/archlinux/README.md
+++ b/.github/workflows/delivery/archlinux/README.md
@ -1,8 +1,8 @@
 # Arch Linux

-There are 3 maintained packages:
+There are two maintained packages by us and one official archlinux package:

- [pack-cli](https://aur.archlinux.org/packages/pack-cli/): The latest release of `pack`, compiled from source.
+- [pack-cli](https://archlinux.org/packages/extra/x86_64/pack-cli/): Official Archlinux package in the 'Extra' repo.
 - [pack-cli-bin](https://aur.archlinux.org/packages/pack-cli-bin/): The latest release of `pack`, precompiled.
 - [pack-cli-git](https://aur.archlinux.org/packages/pack-cli-git/): An unreleased version of `pack`, compiled from source of the `main` branch.

--- a/.github/workflows/delivery/archlinux/pack-cli/PKGBUILD
+++ b/.github/workflows/delivery/archlinux/pack-cli/PKGBUILD
@ -1,22 +0,0 @@
-# Maintainer: Michael William Le Nguyen <michael at mail dot ttp dot codes>
-# Maintainer: Buildpacks Maintainers <cncf-buildpacks-maintainers at lists dot cncf dot io>
-pkgname=pack-cli
-pkgver={{PACK_VERSION}}
-pkgrel=1
-pkgdesc="CLI for building apps using Cloud Native Buildpacks"
-arch=('x86_64')
-url="https://buildpacks.io/"
-license=('Apache')
-makedepends=('go-pie')
-source=("{{SRC_TGZ_URL}}")
-sha512sums=("{{SRC_TGZ_SHA}}")
-build() {
-	export GOPATH="${srcdir}/go"
-	cd "${srcdir}/pack-${pkgver}"
-	PACK_VERSION="v${pkgver}" make build
-}
-package() {
-	export GOPATH="${srcdir}/go"
-	go clean -modcache
-	install -D -m755 "${srcdir}/pack-${pkgver}/out/pack" "${pkgdir}/usr/bin/pack"
-}
--- a/.github/workflows/delivery/homebrew/pack.rb
+++ b/.github/workflows/delivery/homebrew/pack.rb
@ -14,7 +14,10 @@ class Pack < Formula
  elsif OS.mac?
    url "{{MACOS_URL}}"
    sha256 "{{MACOS_SHA}}"
-  else 
+  elsif OS.linux? && Hardware::CPU.arm?
+    url "{{LINUX_ARM64_URL}}"
+    sha256 "{{LINUX_ARM64_SHA}}"
+  else
    url "{{LINUX_URL}}"
    sha256 "{{LINUX_SHA}}"
  end
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@ -26,6 +26,29 @@ Alternatively, you can use Gitpod to run pre-configured dev environment in the c

 * Symlinks - Some of our tests attempt to create symlinks. On Windows, this requires the [permission to be provided](https://stackoverflow.com/a/24353758).

+### Testing GitHub actions on forks
+
+The pack release process involves chaining a series of GitHub actions together, such as:
+* The "build" workflow, which creates:
+    * .tgz files containing the pack binaries and shasums for the .tgz files
+    * a draft release with the above artifacts
+* The "delivery-docker" workflow, which builds and pushes OCI images containing the pack binary
+* The "benchmark" workflow, which runs performance checks for each commit and uploads reports to GitHub Pages
+
+It can be rather cumbersome to test changes to these workflows, as they are heavily intertwined. Thus, we recommend forking the buildpacks/pack repository on GitHub and running through the entire release process end-to-end.
+
+For the fork, it is necessary to complete the following preparations:
+
+* Add the following secrets:
+    * `DOCKER_PASSWORD` for the delivery-docker workflow, if not using ghcr.io
+    * `DOCKER_USERNAME` for the delivery-docker workflow, if not using ghcr.io
+    * `DEPLOY_KEY` for the release-merge workflow, as a SSH private key for repository access
+* Enable the issues feature on the repository and create `status/triage` and `type/bug` labels for the check-latest-release workflow
+* Create a branch named `gh-pages` for uploading benchmark reports for the benchmark workflow
+
+The `tools/test-fork.sh` script can be used to update the source code to reflect the state of the fork and disable workflows that should not run on the fork repository.
+It can be invoked like so: `./tools/test-fork.sh <registry repo name>`
+
 ## Tasks

 ### Building
@ -104,15 +127,15 @@ make prepare-for-pr
 ### Acceptance Tests
 Some options users can provide to our acceptance tests are:

-| ENV_VAR      | Description                                                            | Default |
-|--------------|------------------------------------------------------------------------|---------|
-| ACCEPTANCE_SUITE_CONFIG        | A set of configurations for how to run the acceptance tests, describing the version of `pack` used for testing, the version of `pack` used to create the builders used in the test, and the version of `lifecycle` binaries used to test with Github |  `[{"pack": "current", "pack_create_builder": "current", "lifecycle": "default"}]'`     |
-| COMPILE_PACK_WITH_VERSION     | Tell `pack` what version to consider itself    | `dev`    |
-| GITHUB_TOKEN | A Github Token, used when downloading `pack` and `lifecycle` releases from Github during the test setup | "" |
-| LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows    | buildpacksio/lifecycle:<lifecycle version>  |
-| LIFECYCLE_PATH        | Path to a `.tgz` file filled with a set of `lifecycle` binaries    | The Github release for the default version of lifecycle in `pack`  |
-| PACK_PATH        | Path to a `pack` executable.  | A compiled version of the current branch      |
-| PREVIOUS_LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | buildpacksio/lifecycle:<PREVIOUS_LIFECYCLE_PATH lifecycle version>, buildpacksio/lifecycle:<n-1 lifecycle version>  |
-| PREVIOUS_LIFECYCLE_PATH     |  Path to a `.tgz` file filled with a set of `lifecycle` binaries, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | The Github release for n-1 release of `lifecycle`     |
-| PREVIOUS_PACK_FIXTURES_PATH | Path to a set of fixtures, used to override the most up-to-date fixtures, in case of changed functionality  | `acceptance/testdata/pack_previous_fixtures_overrides`   |
-| PREVIOUS_PACK_PATH     | Path to a `pack` executable, used to test compatibility with n-1 version of `pack`          | The most recent release from `pack`'s Github release    |
+| ENV_VAR      | Description                                                            | Default                                                                                                                      |
+|--------------|------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
+| ACCEPTANCE_SUITE_CONFIG        | A set of configurations for how to run the acceptance tests, describing the version of `pack` used for testing, the version of `pack` used to create the builders used in the test, and the version of `lifecycle` binaries used to test with Github | `[{"pack": "current", "pack_create_builder": "current", "lifecycle": "default"}]'`                                           |
+| COMPILE_PACK_WITH_VERSION     | Tell `pack` what version to consider itself    | `dev`                                                                                                                        |
+| GITHUB_TOKEN | A Github Token, used when downloading `pack` and `lifecycle` releases from Github during the test setup | ""                                                                                                                           |
+| LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows    | docker.io/buildpacksio/lifecycle:<lifecycle version>                                                                         |
+| LIFECYCLE_PATH        | Path to a `.tgz` file filled with a set of `lifecycle` binaries    | The Github release for the default version of lifecycle in `pack`                                                            |
+| PACK_PATH        | Path to a `pack` executable.  | A compiled version of the current branch                                                                                     |
+| PREVIOUS_LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | docker.io/buildpacksio/lifecycle:<PREVIOUS_LIFECYCLE_PATH lifecycle version>, buildpacksio/lifecycle:<n-1 lifecycle version> |
+| PREVIOUS_LIFECYCLE_PATH     |  Path to a `.tgz` file filled with a set of `lifecycle` binaries, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | The Github release for n-1 release of `lifecycle`                                                                            |
+| PREVIOUS_PACK_FIXTURES_PATH | Path to a set of fixtures, used to override the most up-to-date fixtures, in case of changed functionality  | `acceptance/testdata/pack_previous_fixtures_overrides`                                                                       |
+| PREVIOUS_PACK_PATH     | Path to a `pack` executable, used to test compatibility with n-1 version of `pack`          | The most recent release from `pack`'s Github release                                                                         |
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 ARG base_image=gcr.io/distroless/static

-FROM golang:1.20 as builder
+FROM golang:1.24 as builder
 ARG pack_version
 ENV PACK_VERSION=$pack_version
 WORKDIR /app
--- a/8
+++ b/8
@ -58,7 +58,7 @@ BINDIR:=/usr/bin/
 ## build: Build the program
 build: out
 	@echo "=====> Building..."
-	$(GOCMD) build -ldflags "-s -w -X 'github.com/buildpacks/pack.Version=${PACK_VERSION}' -extldflags ${LDFLAGS}" -trimpath -o ./out/$(PACK_BIN) -a ./cmd/pack
+	$(GOCMD) build -ldflags "-s -w -X 'github.com/buildpacks/pack/pkg/client.Version=${PACK_VERSION}' -extldflags '${LDFLAGS}'" -trimpath -o ./out/$(PACK_BIN) -a

 ## all: Run clean, verify, test, and build operations
 all: clean verify test build
@ -160,12 +160,12 @@ install-goimports:
 ## install-golangci-lint: Install golangci-lint dependency
 install-golangci-lint:
 	@echo "=====> Installing golangci-lint..."
-	cd tools && $(GOCMD) install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.1
+	cd tools && $(GOCMD) install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.0.2

 ## mod-tidy: Tidy Go modules
 mod-tidy:
-	$(GOCMD) mod tidy  -compat=1.21
-	cd tools && $(GOCMD) mod tidy -compat=1.21
+	$(GOCMD) mod tidy  -compat=1.24
+	cd tools && $(GOCMD) mod tidy -compat=1.24

 ## tidy: Tidy modules and format the code
 tidy: mod-tidy format
--- a/README.md
+++ b/README.md
@ -34,9 +34,9 @@ Check out the command line documentation [here][pack-docs]

 To learn more about the details, check out the [specs repository][specs].

-[app-dev]: https://buildpacks.io/docs/app-developer-guide/
-[bp-author]: https://buildpacks.io/docs/buildpack-author-guide/
-[operator]: https://buildpacks.io/docs/operator-guide/
+[app-dev]: https://buildpacks.io/docs/for-app-developers/
+[bp-author]: https://buildpacks.io/docs/for-buildpack-authors/
+[operator]: https://buildpacks.io/docs/for-platform-operators/
 [buildpacks.io]: https://buildpacks.io/
 [install-pack]: https://buildpacks.io/docs/install-pack/
 [getting-started]: https://buildpacks.io/docs/app-journey
--- a/acceptance/acceptance_test.go
+++ b/acceptance/acceptance_test.go
--- a/acceptance/assertions/image.go
+++ b/acceptance/assertions/image.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package assertions

@ -60,7 +59,7 @@ func (a ImageAssertionManager) HasCreateTime(image string, expectedTime time.Tim
 	a.assert.TrueWithMessage(actualTime.Sub(expectedTime) < 5*time.Second && expectedTime.Sub(actualTime) < 5*time.Second, fmt.Sprintf("expected image create time %s to match expected time %s", actualTime, expectedTime))
 }

-func (a ImageAssertionManager) HasLabelWithData(image, label, data string) {
+func (a ImageAssertionManager) HasLabelContaining(image, label, data string) {
 	a.testObject.Helper()
 	inspect, err := a.imageManager.InspectLocal(image)
 	a.assert.Nil(err)
@ -69,6 +68,15 @@ func (a ImageAssertionManager) HasLabelWithData(image, label, data string) {
 	a.assert.Contains(label, data)
 }

+func (a ImageAssertionManager) HasLabelNotContaining(image, label, data string) {
+	a.testObject.Helper()
+	inspect, err := a.imageManager.InspectLocal(image)
+	a.assert.Nil(err)
+	label, ok := inspect.Config.Labels[label]
+	a.assert.TrueWithMessage(ok, fmt.Sprintf("expected label %s to exist", label))
+	a.assert.NotContains(label, data)
+}
+
 func (a ImageAssertionManager) HasLengthLayers(image string, length int) {
 	a.testObject.Helper()
 	inspect, err := a.imageManager.InspectLocal(image)
--- a/acceptance/assertions/lifecycle_output.go
+++ b/acceptance/assertions/lifecycle_output.go
@ -1,11 +1,11 @@
 //go:build acceptance
-// +build acceptance

 package assertions

 import (
 	"fmt"
 	"regexp"
+	"strings"
 	"testing"

 	h "github.com/buildpacks/pack/testhelpers"
@ -85,8 +85,12 @@ func (l LifecycleOutputAssertionManager) IncludesSeparatePhasesWithRunExtension(
 	l.assert.ContainsAll(l.output, "[detector]", "[analyzer]", "[extender (run)]", "[exporter]")
 }

-func (l LifecycleOutputAssertionManager) IncludesLifecycleImageTag(tag string) {
+func (l LifecycleOutputAssertionManager) IncludesTagOrEphemeralLifecycle(tag string) {
 	l.testObject.Helper()

-	l.assert.Contains(l.output, tag)
+	if !strings.Contains(l.output, tag) {
+		if !strings.Contains(l.output, "pack.local/lifecyle") {
+			l.testObject.Fatalf("Unable to locate reference to lifecycle image within output")
+		}
+	}
 }
--- a/acceptance/assertions/output.go
+++ b/acceptance/assertions/output.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package assertions

@ -32,6 +31,42 @@ func (o OutputAssertionManager) ReportsSuccessfulImageBuild(name string) {
 	o.assert.ContainsF(o.output, "Successfully built image '%s'", name)
 }

+func (o OutputAssertionManager) ReportsSuccessfulIndexLocallyCreated(name string) {
+	o.testObject.Helper()
+
+	o.assert.ContainsF(o.output, "Successfully created manifest list '%s'", name)
+}
+
+func (o OutputAssertionManager) ReportsSuccessfulIndexPushed(name string) {
+	o.testObject.Helper()
+
+	o.assert.ContainsF(o.output, "Successfully pushed manifest list '%s' to registry", name)
+}
+
+func (o OutputAssertionManager) ReportsSuccessfulManifestAddedToIndex(name string) {
+	o.testObject.Helper()
+
+	o.assert.ContainsF(o.output, "Successfully added image '%s' to index", name)
+}
+
+func (o OutputAssertionManager) ReportsSuccessfulIndexDeleted() {
+	o.testObject.Helper()
+
+	o.assert.Contains(o.output, "Successfully deleted manifest list(s) from local storage")
+}
+
+func (o OutputAssertionManager) ReportsSuccessfulIndexAnnotated(name, manifest string) {
+	o.testObject.Helper()
+
+	o.assert.ContainsF(o.output, "Successfully annotated image '%s' in index '%s'", name, manifest)
+}
+
+func (o OutputAssertionManager) ReportsSuccessfulRemoveManifestFromIndex(name string) {
+	o.testObject.Helper()
+
+	o.assert.ContainsF(o.output, "Successfully removed image(s) from index: '%s'", name)
+}
+
 func (o OutputAssertionManager) ReportSuccessfulQuietBuild(name string) {
 	o.testObject.Helper()
 	o.testObject.Log("quiet mode")
@ -82,6 +117,12 @@ func (o OutputAssertionManager) ReportsRunImageStackNotMatchingBuilder(runImageS
 	)
 }

+func (o OutputAssertionManager) ReportsDeprecatedUseOfStack() {
+	o.testObject.Helper()
+
+	o.assert.Contains(o.output, "Warning: deprecated usage of stack")
+}
+
 func (o OutputAssertionManager) WithoutColors() {
 	o.testObject.Helper()
 	o.testObject.Log("has no color")
@ -137,6 +178,12 @@ func (o OutputAssertionManager) IncludesUsagePrompt() {
 	o.assert.Contains(o.output, "Run 'pack --help' for usage.")
 }

+func (o OutputAssertionManager) ReportsBuilderCreated(name string) {
+	o.testObject.Helper()
+
+	o.assert.ContainsF(o.output, "Successfully created builder image '%s'", name)
+}
+
 func (o OutputAssertionManager) ReportsSettingDefaultBuilder(name string) {
 	o.testObject.Helper()

@ -167,7 +214,7 @@ func (o OutputAssertionManager) IncludesTrustedBuildersHeading() {
 	o.assert.Contains(o.output, "Trusted Builders:")
 }

-const googleBuilder = "gcr.io/buildpacks/builder:v1"
+const googleBuilder = "gcr.io/buildpacks/builder:google-22"

 func (o OutputAssertionManager) IncludesGoogleBuilder() {
 	o.testObject.Helper()
@ -182,8 +229,7 @@ func (o OutputAssertionManager) IncludesPrefixedGoogleBuilder() {
 }

 var herokuBuilders = []string{
-	"heroku/builder:20",
-	"heroku/builder:22",
+	"heroku/builder:24",
 }

 func (o OutputAssertionManager) IncludesHerokuBuilders() {
--- a/acceptance/assertions/test_buildpack_output.go
+++ b/acceptance/assertions/test_buildpack_output.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package assertions

--- a/acceptance/buildpacks/archive_buildpack.go
+++ b/acceptance/buildpacks/archive_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/buildpacks/folder_buildpack.go
+++ b/acceptance/buildpacks/folder_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

@ -47,4 +46,5 @@ var (
 	ExtFolderSimpleLayers      = folderBuildModule{name: "simple-layers-extension"}
 	MetaBpFolder               = folderBuildModule{name: "meta-buildpack"}
 	MetaBpDependency           = folderBuildModule{name: "meta-buildpack-dependency"}
+	MultiPlatformFolderBP      = folderBuildModule{name: "multi-platform-buildpack"}
 )
--- a/acceptance/buildpacks/manager.go
+++ b/acceptance/buildpacks/manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/buildpacks/package_file_buildpack.go
+++ b/acceptance/buildpacks/package_file_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/buildpacks/package_image_buildpack.go
+++ b/acceptance/buildpacks/package_image_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/config/asset_manager.go
+++ b/acceptance/config/asset_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

@ -354,9 +353,9 @@ func (b assetManagerBuilder) buildPack(compileVersion string) string {
 	b.assert.Nil(err)

 	cmd := exec.Command("go", "build",
+		// XXX the version setter is wrong here, there is no cmd.Version
 		"-ldflags", fmt.Sprintf("-X 'github.com/buildpacks/pack/cmd.Version=%s'", compileVersion),
 		"-o", packPath,
-		"./cmd/pack",
 	)
 	if filepath.Base(cwd) == "acceptance" {
 		cmd.Dir = filepath.Dir(cwd)
--- a/acceptance/config/github_asset_fetcher.go
+++ b/acceptance/config/github_asset_fetcher.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/input_configuration_manager.go
+++ b/acceptance/config/input_configuration_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/lifecycle_asset.go
+++ b/acceptance/config/lifecycle_asset.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/pack_assets.go
+++ b/acceptance/config/pack_assets.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/run_combination.go
+++ b/acceptance/config/run_combination.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/invoke/pack.go
+++ b/acceptance/invoke/pack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package invoke

@ -237,6 +236,11 @@ const (
 	MetaBuildpackFolder
 	PlatformRetries
 	FlattenBuilderCreationV2
+	FixesRunImageMetadata
+	ManifestCommands
+	PlatformOption
+	MultiPlatformBuildersAndBuildPackages
+	StackWarning
 )

 var featureTests = map[Feature]func(i *PackInvoker) bool{
@ -270,6 +274,21 @@ var featureTests = map[Feature]func(i *PackInvoker) bool{
 	FlattenBuilderCreationV2: func(i *PackInvoker) bool {
 		return i.atLeast("v0.33.1")
 	},
+	FixesRunImageMetadata: func(i *PackInvoker) bool {
+		return i.atLeast("v0.34.0")
+	},
+	ManifestCommands: func(i *PackInvoker) bool {
+		return i.atLeast("v0.34.0")
+	},
+	PlatformOption: func(i *PackInvoker) bool {
+		return i.atLeast("v0.34.0")
+	},
+	MultiPlatformBuildersAndBuildPackages: func(i *PackInvoker) bool {
+		return i.atLeast("v0.34.0")
+	},
+	StackWarning: func(i *PackInvoker) bool {
+		return i.atLeast("v0.37.0")
+	},
 }

 func (i *PackInvoker) SupportsFeature(f Feature) bool {
--- a/acceptance/invoke/pack_fixtures.go
+++ b/acceptance/invoke/pack_fixtures.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package invoke

--- a/acceptance/managers/image_manager.go
+++ b/acceptance/managers/image_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package managers

@ -23,10 +22,10 @@ var DefaultDuration = 10 * time.Second
 type ImageManager struct {
 	testObject *testing.T
 	assert     h.AssertionManager
-	dockerCli  client.CommonAPIClient
+	dockerCli  client.APIClient
 }

-func NewImageManager(t *testing.T, dockerCli client.CommonAPIClient) ImageManager {
+func NewImageManager(t *testing.T, dockerCli client.APIClient) ImageManager {
 	return ImageManager{
 		testObject: t,
 		assert:     h.NewAssertionManager(t),
@ -44,7 +43,7 @@ func (im ImageManager) CleanupImages(imageNames ...string) {

 func (im ImageManager) InspectLocal(image string) (dockertypes.ImageInspect, error) {
 	im.testObject.Helper()
-	inspect, _, err := im.dockerCli.ImageInspectWithRaw(context.Background(), image)
+	inspect, err := im.dockerCli.ImageInspect(context.Background(), image)
 	return inspect, err
 }

@ -90,7 +89,7 @@ func (im ImageManager) ExposePortOnImage(image, containerName string) TestContai
 	}, nil, nil, containerName)
 	im.assert.Nil(err)

-	err = im.dockerCli.ContainerStart(ctx, ctr.ID, dockertypes.ContainerStartOptions{})
+	err = im.dockerCli.ContainerStart(ctx, ctr.ID, container.StartOptions{})
 	im.assert.Nil(err)
 	return TestContainer{
 		testObject: im.testObject,
@ -120,7 +119,7 @@ func (im ImageManager) CreateContainer(name string) TestContainer {

 type TestContainer struct {
 	testObject *testing.T
-	dockerCli  client.CommonAPIClient
+	dockerCli  client.APIClient
 	assert     h.AssertionManager
 	name       string
 	id         string
@ -137,7 +136,7 @@ func (t TestContainer) RunWithOutput() string {
 func (t TestContainer) Cleanup() {
 	t.testObject.Helper()
 	t.dockerCli.ContainerKill(context.Background(), t.name, "SIGKILL")
-	t.dockerCli.ContainerRemove(context.Background(), t.name, dockertypes.ContainerRemoveOptions{Force: true})
+	t.dockerCli.ContainerRemove(context.Background(), t.name, container.RemoveOptions{Force: true})
 }

 func (t TestContainer) WaitForResponse(duration time.Duration) string {
--- a/acceptance/os/variables.go
+++ b/acceptance/os/variables.go
@ -1,5 +1,4 @@
 //go:build acceptance && !windows
-// +build acceptance,!windows

 package os

--- a/acceptance/os/variables_darwin.go
+++ b/acceptance/os/variables_darwin.go
@ -1,5 +1,4 @@
 //go:build acceptance && darwin && amd64
-// +build acceptance,darwin,amd64

 package os

--- a/acceptance/os/variables_darwin_arm64.go
+++ b/acceptance/os/variables_darwin_arm64.go
@ -1,5 +1,4 @@
 //go:build acceptance && darwin && arm64
-// +build acceptance,darwin,arm64

 package os

--- a/acceptance/os/variables_linux.go
+++ b/acceptance/os/variables_linux.go
@ -1,5 +1,4 @@
 //go:build acceptance && linux
-// +build acceptance,linux

 package os

--- a/acceptance/os/variables_windows.go
+++ b/acceptance/os/variables_windows.go
@ -1,5 +1,4 @@
 //go:build acceptance && windows
-// +build acceptance,windows

 package os

--- a/acceptance/suite_manager.go
+++ b/acceptance/suite_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package acceptance

--- a/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/buildpack.toml
@ -0,0 +1,21 @@
+api = "0.10"
+
+[buildpack]
+  id = "simple/layers"
+  version = "simple-layers-version"
+  name = "Simple Layers Buildpack"
+
+[[targets]]
+os = "linux"
+arch = "amd64"
+
+[[targets]]
+os = "linux"
+arch = "arm64"
+
+[[targets]]
+os = "windows"
+arch = "amd64"
+
+[[stacks]]
+  id = "*"
--- a/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/linux/amd64/bin/build
+++ b/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/linux/amd64/bin/build
@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+echo "---> Build: NOOP Buildpack"
--- a/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/linux/amd64/bin/detect
+++ b/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/linux/amd64/bin/detect
@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+## always detect
--- a/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/windows/amd64/bin/build.bat
+++ b/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/windows/amd64/bin/build.bat
@ -0,0 +1,3 @@
+@echo off
+
+echo ---- Build: NOOP Buildpack
--- a/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/windows/amd64/bin/detect.bat
+++ b/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/windows/amd64/bin/detect.bat
@ -0,0 +1,2 @@
+@echo off
+:: always detect
--- a/acceptance/testdata/mock_buildpacks/read-env-extension/bin/generate
+++ b/acceptance/testdata/mock_buildpacks/read-env-extension/bin/generate
@ -35,6 +35,6 @@ if [[ -z "$EXT_RUN_SWITCH" ]]; then
 else
  echo "Generating run.Dockerfile for run image switch..."
  cat >>"${output_dir}/run.Dockerfile" <<EOL
-FROM some-not-exist-run-image!
+FROM busybox:latest
 EOL
 fi
--- a/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/build
+++ b/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/build
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> BUILD: System Fail Detect buildpack (should never run)"
+
+# This should never be reached
+exit 1
--- a/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/detect
+++ b/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/detect
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> DETECT: System Fail Detect buildpack (will fail)"
+
+# Always fail detection
+exit 1
--- a/acceptance/testdata/mock_buildpacks/system-fail-detect/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/system-fail-detect/buildpack.toml
@ -0,0 +1,9 @@
+api = "0.7"
+
+[buildpack]
+  id = "system/fail-detect"
+  version = "system-fail-detect-version"
+  name = "System Fail Detect Buildpack"
+
+[[stacks]]
+  id = "pack.test.stack"
--- a/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/build
+++ b/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/build
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+echo "---> BUILD: System Post buildpack"
+
+set -o errexit
+set -o pipefail
+
+layers_dir=$1
+platform_dir=$2
+
+# Create a layer to verify it ran
+mkdir -p "${layers_dir}/system-post"
+cat > "${layers_dir}/system-post.toml" <<EOF
+launch = true
+cache = true
+EOF
+
+echo "System Post Buildpack was here" > "${layers_dir}/system-post/marker"
+
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/detect
+++ b/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/detect
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> DETECT: System Post buildpack"
+
+# Always pass detection for testing
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-post-buildpack/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/system-post-buildpack/buildpack.toml
@ -0,0 +1,9 @@
+api = "0.7"
+
+[buildpack]
+  id = "system/post"
+  version = "system-post-version"
+  name = "System Post Buildpack"
+
+[[stacks]]
+  id = "pack.test.stack"
--- a/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/build
+++ b/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/build
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+echo "---> BUILD: System Pre buildpack"
+
+set -o errexit
+set -o pipefail
+
+layers_dir=$1
+platform_dir=$2
+
+# Create a layer to verify it ran
+mkdir -p "${layers_dir}/system-pre"
+cat > "${layers_dir}/system-pre.toml" <<EOF
+launch = true
+cache = true
+EOF
+
+echo "System Pre Buildpack was here" > "${layers_dir}/system-pre/marker"
+
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/detect
+++ b/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/detect
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> DETECT: System Pre buildpack"
+
+# Always pass detection for testing
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-pre-buildpack/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/system-pre-buildpack/buildpack.toml
@ -0,0 +1,9 @@
+api = "0.7"
+
+[buildpack]
+  id = "system/pre"
+  version = "system-pre-version"
+  name = "System Pre Buildpack"
+
+[[stacks]]
+  id = "pack.test.stack"
--- a/acceptance/testdata/pack_fixtures/builder_multi_platform-no-targets.toml
+++ b/acceptance/testdata/pack_fixtures/builder_multi_platform-no-targets.toml
@ -0,0 +1,19 @@
+[[buildpacks]]
+id = "simple/layers"
+version = "simple-layers-version"
+uri = "{{ .BuildpackURI }}"
+
+[[order]]
+[[order.group]]
+id = "simple/layers"
+version = "simple-layers-version"
+
+[build]
+image = "{{ .BuildImage }}"
+
+[run]
+[[run.images]]
+image = "{{ .RunImage }}"
+
+
+
--- a/acceptance/testdata/pack_fixtures/builder_multi_platform.toml
+++ b/acceptance/testdata/pack_fixtures/builder_multi_platform.toml
@ -0,0 +1,28 @@
+[[buildpacks]]
+id = "simple/layers"
+version = "simple-layers-version"
+uri = "{{ .BuildpackURI }}"
+
+[[order]]
+[[order.group]]
+id = "simple/layers"
+version = "simple-layers-version"
+
+# Targets the buildpack will work with
+[[targets]]
+os = "linux"
+arch = "amd64"
+
+[[targets]]
+os = "windows"
+arch = "amd64"
+
+[build]
+image = "{{ .BuildImage }}"
+
+[run]
+[[run.images]]
+image = "{{ .RunImage }}"
+
+
+
--- a/acceptance/testdata/pack_fixtures/builder_with_failing_system_buildpack.toml
+++ b/acceptance/testdata/pack_fixtures/builder_with_failing_system_buildpack.toml
@ -0,0 +1,33 @@
+[[buildpacks]]
+  id = "simple-layers-buildpack"
+  uri = "file://{{.Fixtures}}/simple-layers-buildpack"
+
+[[buildpacks]]
+  id = "system/fail-detect"
+  uri = "file://{{.Fixtures}}/system-fail-detect"
+
+[[buildpacks]]
+  id = "system/post"
+  uri = "file://{{.Fixtures}}/system-post-buildpack"
+
+# System buildpacks configuration
+[system]
+[system.pre]
+buildpacks = [
+  { id = "system/fail-detect", version = "system-fail-detect-version", optional = false }
+]
+
+[system.post]
+buildpacks = [
+  { id = "system/post", version = "system-post-version", optional = true }
+]
+
+[[order]]
+[[order.group]]
+  id = "simple-layers-buildpack"
+  version = "simple-layers-buildpack-version"
+
+[stack]
+  id = "pack.test.stack"
+  build-image = "pack-test/build"
+  run-image = "pack-test/run"
--- a/acceptance/testdata/pack_fixtures/builder_with_optional_failing_system_buildpack.toml
+++ b/acceptance/testdata/pack_fixtures/builder_with_optional_failing_system_buildpack.toml
@ -0,0 +1,29 @@
+[[buildpacks]]
+  id = "simple-layers-buildpack"
+  uri = "file://{{.Fixtures}}/simple-layers-buildpack"
+
+[[buildpacks]]
+  id = "system/fail-detect"
+  uri = "file://{{.Fixtures}}/system-fail-detect"
+
+[[buildpacks]]
+  id = "system/pre"
+  uri = "file://{{.Fixtures}}/system-pre-buildpack"
+
+# System buildpacks configuration
+[system]
+[system.pre]
+buildpacks = [
+  { id = "system/fail-detect", version = "system-fail-detect-version", optional = true },
+  { id = "system/pre", version = "system-pre-version", optional = false }
+]
+
+[[order]]
+[[order.group]]
+  id = "simple-layers-buildpack"
+  version = "simple-layers-buildpack-version"
+
+[stack]
+  id = "pack.test.stack"
+  build-image = "pack-test/build"
+  run-image = "pack-test/run"
--- a/acceptance/testdata/pack_fixtures/builder_with_system_buildpacks.toml
+++ b/acceptance/testdata/pack_fixtures/builder_with_system_buildpacks.toml
@ -0,0 +1,33 @@
+[[buildpacks]]
+  id = "simple-layers-buildpack"
+  uri = "file://{{.Fixtures}}/simple-layers-buildpack"
+
+[[buildpacks]]
+  id = "system/pre"
+  uri = "file://{{.Fixtures}}/system-pre-buildpack"
+
+[[buildpacks]]
+  id = "system/post"
+  uri = "file://{{.Fixtures}}/system-post-buildpack"
+
+# System buildpacks configuration
+[system]
+[system.pre]
+buildpacks = [
+  { id = "system/pre", version = "system-pre-version", optional = false }
+]
+
+[system.post]
+buildpacks = [
+  { id = "system/post", version = "system-post-version", optional = true }
+]
+
+[[order]]
+[[order.group]]
+  id = "simple-layers-buildpack"
+  version = "simple-layers-buildpack-version"
+
+[stack]
+  id = "pack.test.stack"
+  build-image = "pack-test/build"
+  run-image = "pack-test/run"
--- a/acceptance/testdata/pack_fixtures/package_aggregate.toml
+++ b/acceptance/testdata/pack_fixtures/package_aggregate.toml
@ -5,4 +5,4 @@ uri = "{{ .BuildpackURI }}"
 image = "{{ .PackageName }}"

 [platform]
-os = "{{ .OS }}"
+os = "{{ .OS }}"
--- a/acceptance/testdata/pack_fixtures/package_multi_platform.toml
+++ b/acceptance/testdata/pack_fixtures/package_multi_platform.toml
@ -0,0 +1,5 @@
+[buildpack]
+uri = "{{ .BuildpackURI }}"
+
+[[dependencies]]
+uri = "{{ .PackageName }}"
--- a/acceptance/testdata/pack_fixtures/report_output.txt
+++ b/acceptance/testdata/pack_fixtures/report_output.txt
@ -2,9 +2,9 @@ Pack:
  Version:  {{ .Version }}
  OS/Arch:  {{ .OS }}/{{ .Arch }}

-Default Lifecycle Version:  0.18.4
+Default Lifecycle Version:  0.20.11

-Supported Platform APIs:  0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 0.11, 0.12
+Supported Platform APIs:  0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 0.11, 0.12, 0.13

 Config:
  default-builder-image = "{{ .DefaultBuilder }}"
--- a/benchmarks/build_test.go
+++ b/benchmarks/build_test.go
@ -1,5 +1,4 @@
 //go:build benchmarks
-// +build benchmarks

 package benchmarks

--- a/builder/config_reader.go
+++ b/builder/config_reader.go
@ -25,6 +25,8 @@ type Config struct {
 	Lifecycle       LifecycleConfig  `toml:"lifecycle"`
 	Run             RunConfig        `toml:"run"`
 	Build           BuildConfig      `toml:"build"`
+	Targets         []dist.Target    `toml:"targets"`
+	System          dist.System      `toml:"system"`
 }

 // ModuleCollection is a list of ModuleConfigs
@ -37,8 +39,8 @@ type ModuleConfig struct {
 }

 func (c *ModuleConfig) DisplayString() string {
-	if c.ModuleInfo.FullName() != "" {
-		return c.ModuleInfo.FullName()
+	if c.FullName() != "" {
+		return c.FullName()
 	}

 	return c.ImageOrURI.DisplayString()
--- a/builder/config_reader_test.go
+++ b/builder/config_reader_test.go
@ -157,6 +157,39 @@ uri = "noop-buildpack.tgz"
 				})
 			})
 		})
+
+		when("system buildpack is defined", func() {
+			it.Before(func() {
+				h.AssertNil(t, os.WriteFile(builderConfigPath, []byte(`
+[[system.pre.buildpacks]]
+  id = "id-1"
+  version = "1.0"
+  optional = false
+
+[[system.post.buildpacks]]
+  id = "id-2"
+  version = "2.0"
+  optional = true
+`), 0666))
+			})
+
+			it("returns a builder config", func() {
+				builderConfig, _, err := builder.ReadConfig(builderConfigPath)
+				h.AssertNil(t, err)
+				h.AssertEq(t, len(builderConfig.System.Pre.Buildpacks), 1)
+				h.AssertEq(t, len(builderConfig.System.Post.Buildpacks), 1)
+
+				// Verify system.pre.buildpacks
+				h.AssertEq(t, builderConfig.System.Pre.Buildpacks[0].ID, "id-1")
+				h.AssertEq(t, builderConfig.System.Pre.Buildpacks[0].Version, "1.0")
+				h.AssertEq(t, builderConfig.System.Pre.Buildpacks[0].Optional, false)
+
+				// Verify system.post.buildpacks
+				h.AssertEq(t, builderConfig.System.Post.Buildpacks[0].ID, "id-2")
+				h.AssertEq(t, builderConfig.System.Post.Buildpacks[0].Version, "2.0")
+				h.AssertEq(t, builderConfig.System.Post.Buildpacks[0].Optional, true)
+			})
+		})
 	})

 	when("#ValidateConfig()", func() {
--- a/buildpackage/config_reader.go
+++ b/buildpackage/config_reader.go
@ -19,7 +19,11 @@ type Config struct {
 	Buildpack    dist.BuildpackURI `toml:"buildpack"`
 	Extension    dist.BuildpackURI `toml:"extension"`
 	Dependencies []dist.ImageOrURI `toml:"dependencies"`
-	Platform     dist.Platform     `toml:"platform"`
+	// deprecated
+	Platform dist.Platform `toml:"platform"`
+
+	// Define targets for composite buildpacks
+	Targets []dist.Target `toml:"targets"`
 }

 func DefaultConfig() Config {
@ -117,6 +121,17 @@ func (r *ConfigReader) Read(path string) (Config, error) {
 	return packageConfig, nil
 }

+func (r *ConfigReader) ReadBuildpackDescriptor(path string) (dist.BuildpackDescriptor, error) {
+	buildpackCfg := dist.BuildpackDescriptor{}
+
+	_, err := toml.DecodeFile(path, &buildpackCfg)
+	if err != nil {
+		return dist.BuildpackDescriptor{}, err
+	}
+
+	return buildpackCfg, nil
+}
+
 func validateURI(uri, relativeBaseDir string) error {
 	locatorType, err := buildpack.GetLocatorType(uri, relativeBaseDir, nil)
 	if err != nil {
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@ -5,8 +5,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"

-	"github.com/buildpacks/pack/internal/docker"
-
 	"github.com/buildpacks/pack/buildpackage"
 	builderwriter "github.com/buildpacks/pack/internal/builder/writer"
 	"github.com/buildpacks/pack/internal/commands"
@ -106,6 +104,7 @@ func NewPackCommand(logger ConfigurableLogger) (*cobra.Command, error) {
 		rootCmd.AddCommand(commands.SetDefaultRegistry(logger, cfg, cfgPath))
 		rootCmd.AddCommand(commands.RemoveRegistry(logger, cfg, cfgPath))
 		rootCmd.AddCommand(commands.YankBuildpack(logger, cfg, packClient))
+		rootCmd.AddCommand(commands.NewManifestCommand(logger, packClient))
 	}

 	packHome, err := config.PackHome()
@ -139,7 +138,7 @@ func initConfig() (config.Config, string, error) {
 }

 func initClient(logger logging.Logger, cfg config.Config) (*client.Client, error) {
-	if err := docker.ProcessDockerContext(logger); err != nil {
+	if err := client.ProcessDockerContext(logger); err != nil {
 		return nil, err
 	}

--- a/cmd/docker_init.go
+++ b/cmd/docker_init.go
@ -20,7 +20,7 @@ import (
 	"github.com/buildpacks/pack/pkg/client"
 )

-func tryInitSSHDockerClient() (dockerClient.CommonAPIClient, error) {
+func tryInitSSHDockerClient() (dockerClient.APIClient, error) {
 	dockerHost := os.Getenv("DOCKER_HOST")
 	_url, err := url.Parse(dockerHost)
 	isSSH := err == nil && _url.Scheme == "ssh"
@ -70,7 +70,7 @@ func readSecret(prompt string) (pw []byte, err error) {
 		fmt.Fprint(os.Stderr, prompt)
 		pw, err = term.ReadPassword(fd)
 		fmt.Fprintln(os.Stderr)
-		return
+		return pw, err
 	}

 	var b [1]byte
--- a/go.mod
+++ b/go.mod
@ -1,138 +1,154 @@
 module github.com/buildpacks/pack

 require (
-	github.com/BurntSushi/toml v1.3.2
+	github.com/BurntSushi/toml v1.5.0
+	github.com/GoogleContainerTools/kaniko v1.24.0
 	github.com/Masterminds/semver v1.5.0
-	github.com/Microsoft/go-winio v0.6.1
+	github.com/Microsoft/go-winio v0.6.2
 	github.com/apex/log v1.9.0
-	github.com/buildpacks/imgutil v0.0.0-20240118145509-e94a1b7de8a9
-	github.com/buildpacks/lifecycle v0.18.4
-	github.com/docker/cli v24.0.7+incompatible
-	github.com/docker/docker v24.0.7+incompatible
-	github.com/docker/go-connections v0.5.0
+	github.com/buildpacks/imgutil v0.0.0-20250814164739-4b1c8875ba7e
+	github.com/buildpacks/lifecycle v0.20.11
+	github.com/containerd/errdefs v1.0.0
+	github.com/docker/cli v28.3.3+incompatible
+	github.com/docker/docker v28.3.3+incompatible
+	github.com/docker/go-connections v0.6.0
 	github.com/dustin/go-humanize v1.0.1
-	github.com/gdamore/tcell/v2 v2.7.0
-	github.com/go-git/go-git/v5 v5.11.0
+	github.com/gdamore/tcell/v2 v2.8.1
+	github.com/go-git/go-git/v5 v5.16.2
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.18.0
+	github.com/google/go-cmp v0.7.0
+	github.com/google/go-containerregistry v0.20.6
 	github.com/google/go-github/v30 v30.1.0
 	github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95
 	github.com/heroku/color v0.0.6
 	github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e
-	github.com/onsi/gomega v1.31.1
+	github.com/moby/go-archive v0.1.0
+	github.com/onsi/gomega v1.38.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0-rc5
+	github.com/opencontainers/image-spec v1.1.1
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
 	github.com/rivo/tview v0.0.0-20220307222120-9994674d60a8
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
 	github.com/sclevine/spec v1.4.0
-	github.com/spf13/cobra v1.8.0
-	golang.org/x/crypto v0.18.0
-	golang.org/x/mod v0.14.0
-	golang.org/x/oauth2 v0.16.0
-	golang.org/x/sync v0.6.0
-	golang.org/x/sys v0.16.0
-	golang.org/x/term v0.16.0
-	golang.org/x/text v0.14.0
+	github.com/spf13/cobra v1.9.1
+	golang.org/x/crypto v0.41.0
+	golang.org/x/mod v0.27.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/sys v0.35.0
+	golang.org/x/term v0.34.0
+	golang.org/x/text v0.28.0
 	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.30 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.7 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.1 // indirect
+	github.com/Azure/go-autorest/logger v0.2.2 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.21.2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.19.0 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.43 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 // indirect
-	github.com/aws/smithy-go v1.15.0 // indirect
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231003182221-725682229e60 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/containerd/containerd v1.7.7 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
-	github.com/containerd/typeurl v1.0.2 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/distribution/reference v0.5.0 // indirect
+	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/gdamore/encoding v1.0.0 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/gdamore/encoding v1.0.1 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
-	github.com/google/uuid v1.4.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.1 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/moby/buildkit v0.12.2 // indirect
+	github.com/moby/buildkit v0.22.0 // indirect
+	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/opencontainers/runc v1.1.9 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/prometheus/client_golang v1.17.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/selinux v1.12.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.64.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/rivo/uniseg v0.4.3 // indirect
-	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/skeema/knownhosts v1.2.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
-	golang.org/x/net v0.20.0 // indirect
-	golang.org/x/tools v0.16.1 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
+	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gotest.tools/v3 v3.4.0 // indirect
 )

-go 1.21
+replace github.com/BurntSushi/toml => github.com/BurntSushi/toml v1.3.2

-// Pin moby/buildkit until docker/docker is upgraded
-replace github.com/moby/buildkit => github.com/moby/buildkit v0.11.6
+go 1.24.4
--- a/go.sum
+++ b/go.sum
@ -1,45 +1,48 @@
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc=
-github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
-github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs=
+github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=
+github.com/Azure/go-autorest/autorest v0.11.30 h1:iaZ1RGz/ALZtN5eq4Nr1SOFSlf2E4pDI3Tcsl+dZPVE=
+github.com/Azure/go-autorest/autorest v0.11.30/go.mod h1:t1kpPIOpIVX7annvothKvb0stsrXa37i7b+xpmBW8Fs=
 github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
 github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
-github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8=
-github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
+github.com/Azure/go-autorest/autorest/adal v0.9.24 h1:BHZfgGsGwdkHDyZdtQRQk1WeUdW0m2WPAwuHZwUi5i4=
+github.com/Azure/go-autorest/autorest/adal v0.9.24/go.mod h1:7T1+g0PYFmACYW5LlG2fcoPiPlFHjClyRGL7dRlP5c8=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 h1:Ov8avRZi2vmrE2JcXw+tu5K/yB41r7xK9GZDiBF7NdM=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.13/go.mod h1:5BAVfWLWXihP47vYrPuBKKf4cS0bXI+KM9Qx6ETDJYo=
 github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
-github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.7 h1:Q9R3utmFg9K1B4OYtAZ7ZUUvIUdzQt7G2MN5Hi/d670=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.7/go.mod h1:bVrAueELJ0CKLBpUHDIvD516TwmHmzqwCpvONWRsw3s=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/date v0.3.1 h1:o9Z8Jyt+VJJTCZ/UORishuHOusBwolhjokt9s5k8I4w=
+github.com/Azure/go-autorest/autorest/date v0.3.1/go.mod h1:Dz/RDmXlfiFFS/eW+b/xMUSFs1tboPVy6UjgADToWDM=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
-github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
-github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
+github.com/Azure/go-autorest/logger v0.2.2 h1:hYqBsEBywrrOSW24kkOCXRcKfKhK76OzLTfF+MYDE2o=
+github.com/Azure/go-autorest/logger v0.2.2/go.mod h1:I5fg9K52o+iuydlWfa9T5K6WFos9XYr9dYTFzpqgibw=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
+github.com/Azure/go-autorest/tracing v0.6.1 h1:YUMSrC/CeD1ZnnXcNYU4a/fzsO35u2Fsful9L/2nyR0=
+github.com/Azure/go-autorest/tracing v0.6.1/go.mod h1:/3EgjbsjraOqiicERAeu3m7/z0x1TzjQGAwDrJrXGkc=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/GoogleContainerTools/kaniko v1.24.0 h1:PgzzuOwaraxC7UMw0F0YoxNHi+a6YeiAbDgc2GHrk+M=
+github.com/GoogleContainerTools/kaniko v1.24.0/go.mod h1:hO9q9uGMwrItm4wGcX7E0cMJIw84NM6gPETIt6vkwAk=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
-github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
-github.com/Microsoft/hcsshim v0.11.4 h1:68vKo2VN8DE9AdN4tnkWnmdhqdbpUFM8OF3Airm7fz8=
-github.com/Microsoft/hcsshim v0.11.4/go.mod h1:smjE4dvqPX9Zldna+t5FG3rnoHhaB7QYxPRqGcpAD9w=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
+github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@ -54,83 +57,87 @@ github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3st
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA=
-github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM=
-github.com/aws/aws-sdk-go-v2/config v1.19.0 h1:AdzDvwH6dWuVARCl3RTLGRc4Ogy+N7yLFxVxXe1ClQ0=
-github.com/aws/aws-sdk-go-v2/config v1.19.0/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8=
-github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE=
-github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2 h1:y6LX9GUoEA3mO0qpFl1ZQHj1rFyPWVphlzebiSt2tKE=
-github.com/aws/aws-sdk-go-v2/service/ecr v1.20.2/go.mod h1:Q0LcmaN/Qr8+4aSBrdrXXePqoX0eOuYpJLbYpilmWnA=
-github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2 h1:PpbXaecV3sLAS6rjQiaKw4/jyq3Z8gNzmoJupHAoBp0=
-github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.18.2/go.mod h1:fUHpGXr4DrXkEDpGAjClPsviWf+Bszeb0daKE0blxv8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck=
-github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k=
-github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg=
-github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ=
-github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8=
-github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
-github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231003182221-725682229e60 h1:ONd54l3oubhjMPcj7HpjPWvlFI6WXsu0/W7DsKCPI9w=
-github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231003182221-725682229e60/go.mod h1:eSn65Noe23f/Z7A2ESqw3dbhAFSEyzZf38nXcKVNxtE=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0 h1:E+UTVTDH6XTSjqxHWRuY8nB6s+05UllneWxnycplHFk=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 h1:wA2O6pZ2r5smqJunFP4hp7qptMW4EQxs8O6RVHPulOE=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0/go.mod h1:RZL7ov7c72wSmoM8bIiVxRHgcVdzhNkVW2J36C8RF4s=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
+github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 h1:50sS0RWhGpW/yZx2KcDNEb1u1MANv5BMEkJgcieEDTA=
+github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1/go.mod h1:ErZOtbzuHabipRTDTor0inoRlYwbsV1ovwSxjGs/uJo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/buildpacks/imgutil v0.0.0-20240118145509-e94a1b7de8a9 h1:kxe31xfMWJAIAzDfGQ3lL0j8QSSRfEHyLg7dRWIHA8I=
-github.com/buildpacks/imgutil v0.0.0-20240118145509-e94a1b7de8a9/go.mod h1:PsazEB9yz+NG/cgm0Z1oQ0Xq6rD/U7eNMt5Su41afYY=
-github.com/buildpacks/lifecycle v0.18.4 h1:LGl/4guzU+57hn08W8RwjLLizYtuNfCZHtxn8TP2+bE=
-github.com/buildpacks/lifecycle v0.18.4/go.mod h1:DxxfyFaCi9ovbbP2fhcKBlImfbTPiPEtM5UqSlD1TJ8=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/buildpacks/imgutil v0.0.0-20250814164739-4b1c8875ba7e h1:a+vpYYeK7E7+3uGqseiRutzKA7yNNjAOPON9+VOADiw=
+github.com/buildpacks/imgutil v0.0.0-20250814164739-4b1c8875ba7e/go.mod h1:UH4th60x/wM1DdH7+eSgzbp0kgsJMhVgngWzXoF21cs=
+github.com/buildpacks/lifecycle v0.20.11 h1:lr8smVyW59HvkdJj7H3rYbfiNT7ndkV4cV2lQiOnCuo=
+github.com/buildpacks/lifecycle v0.20.11/go.mod h1:+YlGlTCwJcyJSp5QvZKxH8k2JOpYzjTE9NYB6CA5CuE=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589/go.mod h1:OuDyvmLnMCwa2ep4Jkm6nyA0ocJuZlGyk2gGseVzERM=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
-github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/containerd/containerd v1.7.7 h1:QOC2K4A42RQpcrZyptP6z9EJZnlHfHJUfZrAAHe15q4=
-github.com/containerd/containerd v1.7.7/go.mod h1:3c4XZv6VeT9qgf9GMTxNTMFxGJrGpI2vz1yk4ye+YY8=
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k=
-github.com/containerd/stargz-snapshotter/estargz v0.14.3/go.mod h1:KY//uOCIkSuNAHhJogcZtrNHdKrA99/FCCRjE3HD36o=
-github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY=
-github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
+github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
+github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
+github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
-github.com/distribution/reference v0.5.0 h1:/FUIFXtfc/x2gpa5/VGfiGLuOIdYa1t65IKK2OFGvA0=
-github.com/distribution/reference v0.5.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v24.0.7+incompatible h1:wa/nIwYFW7BVTGa7SWPVyyXU9lgORqUb1xfI36MSkFg=
-github.com/docker/cli v24.0.7+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
+github.com/docker/cli v28.3.3+incompatible h1:fp9ZHAr1WWPGdIWBM1b3zLtgCF+83gRdVMTJsUeiyAo=
+github.com/docker/cli v28.3.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM=
-github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
-github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
+github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@ -139,74 +146,82 @@ github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
+github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko=
 github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
+github.com/gdamore/encoding v1.0.1 h1:YzKZckdBL6jVt2Gc+5p82qhrGiqMdG/eNs6Wy0u3Uhw=
+github.com/gdamore/encoding v1.0.1/go.mod h1:0Z0cMFinngz9kS1QfMjCP8TY7em3bZYeeklsSDPivEo=
 github.com/gdamore/tcell/v2 v2.4.1-0.20210905002822-f057f0a857a1/go.mod h1:Az6Jt+M5idSED2YPGtwnfJV0kXohgdCBPmHGSYc1r04=
-github.com/gdamore/tcell/v2 v2.7.0 h1:I5LiGTQuwrysAt1KS9wg1yFfOI3arI3ucFrxtd/xqaA=
-github.com/gdamore/tcell/v2 v2.7.0/go.mod h1:hl/KtAANGBecfIPxk+FzKvThTqI84oplgbPEmVX60b8=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
+github.com/gdamore/tcell/v2 v2.8.1 h1:KPNxyqclpWpWQlPLx6Xui1pMk8S+7+R37h3g07997NU=
+github.com/gdamore/tcell/v2 v2.8.1/go.mod h1:bj8ori1BG3OYMjmb3IklZVWfZUJ1UBQt9JXrOCOhGWw=
+github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
+github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
+github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
-github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
+github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
+github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
-github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
+github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.18.0 h1:ShE7erKNPqRh5ue6Z9DUOlk04WsnFWPO6YGr3OxnfoQ=
-github.com/google/go-containerregistry v0.18.0/go.mod h1:u0qB2l7mvtWVR5kNcbFIhFY1hLbf8eeGapA+vbFDCtQ=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU=
+github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=
 github.com/google/go-github/v30 v30.1.0 h1:VLDx+UolQICEOKu2m4uAoMti1SxuEBAl7RSEG16L+Oo=
 github.com/google/go-github/v30 v30.1.0/go.mod h1:n8jBpHl45a/rlBUtRJMOG4GhNADUQFEufcolZ95JfU8=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
-github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
+github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
-github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
 github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ=
 github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E=
 github.com/heroku/color v0.0.6 h1:UTFFMrmMLFcL3OweqP1lAdp8i1y/9oHqkeHjQ/b/Ny0=
@ -217,10 +232,6 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@ -229,8 +240,8 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.1 h1:NE3C767s2ak2bweCZo3+rdP4U/HoyVXLv/X9f2gPS5g=
-github.com/klauspost/compress v1.17.1/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@ -241,6 +252,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
@ -253,103 +266,113 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
-github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e h1:Qa6dnn8DlasdXRnacluu8HzPts0S1I9zvvUPDbBnXFI=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e/go.mod h1:waEya8ee1Ro/lgxpVhkJI4BVASzkm3UZqkx/cFJiYHM=
-github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs=
-github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4=
+github.com/moby/buildkit v0.22.0 h1:aWN06w1YGSVN1XfeZbj2ZbgY+zi5xDAjEFI8Cy9fTjA=
+github.com/moby/buildkit v0.22.0/go.mod h1:j4pP5hxiTWcz7xuTK2cyxQislHl/N2WWHzOy43DlLJw=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
+github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
+github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
+github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo/v2 v2.15.0 h1:79HwNRBAZHOEwrczrgSOPy+eFTTlIGELKy5as+ClttY=
-github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.31.1 h1:KYppCUK+bUgAZwHOu7EXVBKyQA6ILvOESHkn/tgoqvo=
-github.com/onsi/gomega v1.31.1/go.mod h1:y40C95dwAD1Nz36SsEnxvfFe8FFfNxzI5eJ0EYGyAy0=
+github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
+github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0-rc5 h1:Ygwkfw9bpDvs+c9E34SdgGOj41dX/cbdlwvlWt0pnFI=
-github.com/opencontainers/image-spec v1.1.0-rc5/go.mod h1:X4pATf0uXsnn3g5aiGIsVnJBR4mxhKzfwmvK/B2NTm8=
-github.com/opencontainers/runc v1.1.9 h1:XR0VIHTGce5eWPkaPesqTBrhW2yAcaraWfsEalNwQLM=
-github.com/opencontainers/runc v1.1.9/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
+github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
-github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
+github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
+github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
-github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4=
+github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/rivo/tview v0.0.0-20220307222120-9994674d60a8 h1:xe+mmCnDN82KhC010l3NfYlA8ZbOuzbXAzSYBa6wbMc=
 github.com/rivo/tview v0.0.0-20220307222120-9994674d60a8/go.mod h1:WIfMkQNY+oq/mWwtsjOYHIZBuwthioY2srOmljJkTnk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.3 h1:utMvzDsuh3suAEnhH0RdHmoPbU648o6CvXxTx4SBMOw=
 github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
 github.com/sclevine/spec v1.4.0 h1:z/Q9idDcay5m5irkZ28M7PtQM4aOISzOpj4bUPkDee8=
 github.com/sclevine/spec v1.4.0/go.mod h1:LvpgJaFyvQzRvc1kaDs0bulYwzC70PbiYjC4QnFHkOM=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
-github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
-github.com/sergi/go-diff v1.2.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
-github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
+github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@ -362,8 +385,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0=
 github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk=
 github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk=
@ -371,35 +394,68 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
-github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
-github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 h1:2f304B10LaZdB8kkVEaoXvAMVan2tl9AiK4G0odjQtE=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
+github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
+github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
+go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc=
-golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
-golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -412,14 +468,16 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo=
-golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.16.0 h1:aDkGMBSYxElaoP81NpoUoz2oo2R2wHdZpGToUxfyQrQ=
-golang.org/x/oauth2 v0.16.0/go.mod h1:hqZ+0LWXsiVoZpeld6jVt06P3adbS2Uu911W1SsJv2o=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -429,8 +487,12 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -442,7 +504,6 @@ golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210309074719-68d13333faf2/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -454,57 +515,70 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU=
-golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
-golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE=
-golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
-golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.16.1 h1:TLyB3WofjdOEepBHAU20JdNC1Zbg87elYofWYAY5oZA=
-golang.org/x/tools v0.16.1/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8=
-google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/genproto v0.0.0-20250519155744-55703ea1f237 h1:2zGWyk04EwQ3mmV4dd4M4U7P/igHi5p7CBJEg1rI6A8=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -516,13 +590,10 @@ gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
--- a/golangci.yaml
+++ b/golangci.yaml
@ -1,15 +1,10 @@
-run:
-  timeout: 6m
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
  enable:
    - bodyclose
-    - exportloopref
    - dogsled
    - gocritic
-    - goimports
-    - gosimple
    - govet
    - ineffassign
    - misspell
@ -17,16 +12,40 @@ linters:
    - revive
    - rowserrcheck
    - staticcheck
-    - stylecheck
-    - typecheck
    - unconvert
    - unused
    - whitespace
-
-linters-settings:
-  goimports:
-    local-prefixes: github.com/buildpacks/pack
-  revive:
-    rules:
-      - name: error-strings
-        disabled: true
+  settings:
+    revive:
+      rules:
+        - name: error-strings
+          disabled: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/buildpacks/pack
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  default: info
+  rules:
+    - linters:
+      - staticcheck: info
--- a/internal/build/container_ops.go
+++ b/internal/build/container_ops.go
@ -10,12 +10,13 @@ import (

 	"github.com/BurntSushi/toml"
 	"github.com/buildpacks/lifecycle/platform/files"
-	"github.com/docker/docker/api/types"
 	dcontainer "github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/errdefs"
-	darchive "github.com/docker/docker/pkg/archive"
+
+	darchive "github.com/moby/go-archive"
 	"github.com/pkg/errors"

+	cerrdefs "github.com/containerd/errdefs"
+
 	"github.com/buildpacks/pack/internal/builder"
 	"github.com/buildpacks/pack/internal/container"
 	"github.com/buildpacks/pack/internal/paths"
@ -51,7 +52,7 @@ func CopyOutMaybe(handler func(closer io.ReadCloser) error, srcs ...string) Cont
 		for _, src := range srcs {
 			reader, _, err := ctrClient.CopyFromContainer(ctx, containerID, src)
 			if err != nil {
-				if errdefs.IsNotFound(err) {
+				if cerrdefs.IsNotFound(err) {
 					continue
 				}
 				return err
@ -119,7 +120,7 @@ func copyDir(ctx context.Context, ctrClient DockerClient, containerID string, ap
 	doneChan := make(chan interface{})
 	pr, pw := io.Pipe()
 	go func() {
-		clientErr = ctrClient.CopyToContainer(ctx, containerID, "/", pr, types.CopyToContainerOptions{})
+		clientErr = ctrClient.CopyToContainer(ctx, containerID, "/", pr, dcontainer.CopyToContainerOptions{})
 		close(doneChan)
 	}()
 	func() {
@ -180,9 +181,9 @@ func copyDirWindows(ctx context.Context, ctrClient DockerClient, containerID str
 	if err != nil {
 		return errors.Wrapf(err, "creating prep container")
 	}
-	defer ctrClient.ContainerRemove(context.Background(), ctr.ID, types.ContainerRemoveOptions{Force: true})
+	defer ctrClient.ContainerRemove(context.Background(), ctr.ID, dcontainer.RemoveOptions{Force: true})

-	err = ctrClient.CopyToContainer(ctx, ctr.ID, "/windows", reader, types.CopyToContainerOptions{})
+	err = ctrClient.CopyToContainer(ctx, ctr.ID, "/windows", reader, dcontainer.CopyToContainerOptions{})
 	if err != nil {
 		return errors.Wrap(err, "copy app to container")
 	}
@ -198,13 +199,13 @@ func copyDirWindows(ctx context.Context, ctrClient DockerClient, containerID str
 	)
 }

-func findMount(info types.ContainerJSON, dst string) (types.MountPoint, error) {
+func findMount(info dcontainer.InspectResponse, dst string) (dcontainer.MountPoint, error) {
 	for _, m := range info.Mounts {
 		if m.Destination == dst {
 			return m, nil
 		}
 	}
-	return types.MountPoint{}, fmt.Errorf("no matching mount found for %s", dst)
+	return dcontainer.MountPoint{}, fmt.Errorf("no matching mount found for %s", dst)
 }

 func writeToml(ctrClient DockerClient, ctx context.Context, data interface{}, dstPath string, containerID string, os string, stdout, stderr io.Writer) error {
@ -230,7 +231,7 @@ func writeToml(ctrClient DockerClient, ctx context.Context, data interface{}, ds
 		return copyDirWindows(ctx, ctrClient, containerID, reader, dirName, stdout, stderr)
 	}

-	return ctrClient.CopyToContainer(ctx, containerID, "/", reader, types.CopyToContainerOptions{})
+	return ctrClient.CopyToContainer(ctx, containerID, "/", reader, dcontainer.CopyToContainerOptions{})
 }

 // WriteProjectMetadata writes a `project-metadata.toml` based on the ProjectMetadata provided to the destination path.
@ -327,7 +328,7 @@ func EnsureVolumeAccess(uid, gid int, os string, volumeNames ...string) Containe
 		if err != nil {
 			return err
 		}
-		defer ctrClient.ContainerRemove(context.Background(), ctr.ID, types.ContainerRemoveOptions{Force: true})
+		defer ctrClient.ContainerRemove(context.Background(), ctr.ID, dcontainer.RemoveOptions{Force: true})

 		return container.RunWithHandler(
 			ctx,
--- a/internal/build/container_ops_test.go
+++ b/internal/build/container_ops_test.go
@ -13,7 +13,6 @@ import (
 	"testing"

 	"github.com/buildpacks/lifecycle/platform/files"
-	"github.com/docker/docker/api/types"
 	dcontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/client"
@ -709,7 +708,7 @@ func cleanupContainer(ctx context.Context, ctrID string) {
 	}

 	// remove container
-	err = ctrClient.ContainerRemove(ctx, ctrID, types.ContainerRemoveOptions{})
+	err = ctrClient.ContainerRemove(ctx, ctrID, dcontainer.RemoveOptions{})
 	if err != nil {
 		return
 	}
--- a/internal/build/docker.go
+++ b/internal/build/docker.go
@ -6,19 +6,25 @@ import (

 	"github.com/docker/docker/api/types"
 	containertypes "github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
 	networktypes "github.com/docker/docker/api/types/network"
+	dockerClient "github.com/docker/docker/client"
 	specs "github.com/opencontainers/image-spec/specs-go/v1"
 )

 type DockerClient interface {
-	ImageRemove(ctx context.Context, image string, options types.ImageRemoveOptions) ([]types.ImageDeleteResponseItem, error)
+	ImageRemove(ctx context.Context, image string, options image.RemoveOptions) ([]image.DeleteResponse, error)
 	VolumeRemove(ctx context.Context, volumeID string, force bool) error
 	ContainerWait(ctx context.Context, container string, condition containertypes.WaitCondition) (<-chan containertypes.WaitResponse, <-chan error)
-	ContainerAttach(ctx context.Context, container string, options types.ContainerAttachOptions) (types.HijackedResponse, error)
-	ContainerStart(ctx context.Context, container string, options types.ContainerStartOptions) error
+	ContainerAttach(ctx context.Context, container string, options containertypes.AttachOptions) (types.HijackedResponse, error)
+	ContainerStart(ctx context.Context, container string, options containertypes.StartOptions) error
 	ContainerCreate(ctx context.Context, config *containertypes.Config, hostConfig *containertypes.HostConfig, networkingConfig *networktypes.NetworkingConfig, platform *specs.Platform, containerName string) (containertypes.CreateResponse, error)
-	CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
-	ContainerInspect(ctx context.Context, container string) (types.ContainerJSON, error)
-	ContainerRemove(ctx context.Context, container string, options types.ContainerRemoveOptions) error
-	CopyToContainer(ctx context.Context, container, path string, content io.Reader, options types.CopyToContainerOptions) error
+	CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, containertypes.PathStat, error)
+	ContainerInspect(ctx context.Context, container string) (containertypes.InspectResponse, error)
+	ContainerRemove(ctx context.Context, container string, options containertypes.RemoveOptions) error
+	CopyToContainer(ctx context.Context, container, path string, content io.Reader, options containertypes.CopyToContainerOptions) error
+	NetworkCreate(ctx context.Context, name string, options networktypes.CreateOptions) (networktypes.CreateResponse, error)
+	NetworkRemove(ctx context.Context, network string) error
 }
+
+var _ DockerClient = dockerClient.APIClient(nil)
--- a/internal/build/fakes/fake_builder.go
+++ b/internal/build/fakes/fake_builder.go
@ -117,8 +117,17 @@ func (b *FakeBuilder) RunImages() []builder.RunImageMetadata {
 	return b.ReturnForRunImages
 }

+func (b *FakeBuilder) System() dist.System { return dist.System{} }
+
 func WithBuilder(builder *FakeBuilder) func(*build.LifecycleOptions) {
 	return func(opts *build.LifecycleOptions) {
 		opts.Builder = builder
 	}
 }
+
+// WithEnableUsernsHost creates a LifecycleOptions option that enables userns=host
+func WithEnableUsernsHost() func(*build.LifecycleOptions) {
+	return func(opts *build.LifecycleOptions) {
+		opts.EnableUsernsHost = true
+	}
+}
--- a/internal/build/lifecycle_execution.go
+++ b/internal/build/lifecycle_execution.go
@ -7,11 +7,13 @@ import (
 	"os"
 	"path/filepath"
 	"strconv"
+	"time"

 	"github.com/BurntSushi/toml"
 	"github.com/buildpacks/lifecycle/api"
 	"github.com/buildpacks/lifecycle/auth"
 	"github.com/buildpacks/lifecycle/platform/files"
+	"github.com/docker/docker/api/types/network"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
@ -163,8 +165,11 @@ func (l *LifecycleExecution) PrevImageName() string {
 	return l.opts.PreviousImage
 }

+const maxNetworkRemoveRetries = 2
+
 func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseFactoryCreator) error {
 	phaseFactory := phaseFactoryCreator(l)
+
 	var buildCache Cache
 	if l.opts.CacheImage != "" || (l.opts.Cache.Build.Format == cache.CacheImage) {
 		cacheImageName := l.opts.CacheImage
@ -179,7 +184,11 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 	} else {
 		switch l.opts.Cache.Build.Format {
 		case cache.CacheVolume:
-			buildCache = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Build, "build", l.docker)
+			var err error
+			buildCache, err = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Build, "build", l.docker, l.logger)
+			if err != nil {
+				return err
+			}
 			l.logger.Debugf("Using build cache volume %s", style.Symbol(buildCache.Name()))
 		case cache.CacheBind:
 			buildCache = cache.NewBindCache(l.opts.Cache.Build, l.docker)
@ -194,7 +203,39 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 		l.logger.Debugf("Build cache %s cleared", style.Symbol(buildCache.Name()))
 	}

-	launchCache := cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Launch, "launch", l.docker)
+	launchCache, err := cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Launch, "launch", l.docker, l.logger)
+	if err != nil {
+		return err
+	}
+
+	if l.opts.Network == "" {
+		// start an ephemeral bridge network
+		driver := "bridge"
+		if l.os == "windows" {
+			driver = "nat"
+		}
+		networkName := fmt.Sprintf("pack.local-network-%x", randString(10))
+		resp, err := l.docker.NetworkCreate(ctx, networkName, network.CreateOptions{
+			Driver: driver,
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create ephemeral %s network: %w", driver, err)
+		}
+		defer func() {
+			for i := 0; i <= maxNetworkRemoveRetries; i++ {
+				time.Sleep(100 * time.Duration(i) * time.Millisecond) // wait if retrying
+				if err = l.docker.NetworkRemove(ctx, networkName); err != nil {
+					continue
+				}
+				break
+			}
+		}()
+		l.logger.Debugf("Created ephemeral bridge network %s with ID %s", networkName, resp.ID)
+		if resp.Warning != "" {
+			l.logger.Warn(resp.Warning)
+		}
+		l.opts.Network = networkName
+	}

 	if !l.opts.UseCreator {
 		if l.platformAPI.LessThan("0.7") {
@ -224,7 +265,10 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 			// lifecycle 0.17.0 (introduces support for Platform API 0.12) and above will ensure that
 			// this volume is owned by the CNB user,
 			// and hence the restorer (after dropping privileges) will be able to write to it.
-			kanikoCache = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker)
+			kanikoCache, err = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker, l.logger)
+			if err != nil {
+				return err
+			}
 		} else {
 			switch {
 			case buildCache.Type() == cache.Volume:
@ -236,7 +280,10 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 				return fmt.Errorf("build cache must be volume cache when building with extensions")
 			default:
 				// The kaniko cache is unused, so it doesn't matter that it's not usable.
-				kanikoCache = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker)
+				kanikoCache, err = cache.NewVolumeCache(l.opts.Image, l.opts.Cache.Kaniko, "kaniko", l.docker, l.logger)
+				if err != nil {
+					return err
+				}
 			}
 		}

@ -244,12 +291,9 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 			ephemeralRunImage string
 			err               error
 		)
-		currentRunImage := l.runImageAfterExtensions()
 		if l.runImageChanged() || l.hasExtensionsForRun() {
-			if currentRunImage == "" { // sanity check
-				return nil
-			}
-			if ephemeralRunImage, err = l.opts.FetchRunImageWithLifecycleLayer(currentRunImage); err != nil {
+			// Pull the run image by name in case we fail to pull it by identifier later.
+			if ephemeralRunImage, err = l.opts.FetchRunImageWithLifecycleLayer(l.runImageNameAfterExtensions()); err != nil {
 				return err
 			}
 		}
@ -261,11 +305,21 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 			return err
 		}

+		if l.runImageChanged() || l.hasExtensionsForRun() {
+			if newEphemeralRunImage, err := l.opts.FetchRunImageWithLifecycleLayer(l.runImageIdentifierAfterExtensions()); err == nil {
+				// If the run image was switched by extensions, the run image reference as written by the __restorer__ will be a digest reference
+				// that is pullable from a registry.
+				// However, if the run image is only extended (not switched), the run image reference as written by the __analyzer__ may be an image identifier
+				// (in the daemon case), and will not be pullable.
+				ephemeralRunImage = newEphemeralRunImage
+			}
+		}
+
 		group, _ := errgroup.WithContext(context.TODO())
 		if l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild() {
 			group.Go(func() error {
 				l.logger.Info(style.Step("EXTENDING (BUILD)"))
-				return l.ExtendBuild(ctx, kanikoCache, phaseFactory)
+				return l.ExtendBuild(ctx, kanikoCache, phaseFactory, l.extensionsAreExperimental())
 			})
 		} else {
 			group.Go(func() error {
@ -277,7 +331,7 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 		if l.platformAPI.AtLeast("0.12") && l.hasExtensionsForRun() {
 			group.Go(func() error {
 				l.logger.Info(style.Step("EXTENDING (RUN)"))
-				return l.ExtendRun(ctx, kanikoCache, phaseFactory, ephemeralRunImage)
+				return l.ExtendRun(ctx, kanikoCache, phaseFactory, ephemeralRunImage, l.extensionsAreExperimental())
 			})
 		}

@ -328,6 +382,12 @@ func (l *LifecycleExecution) Create(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@ -424,7 +484,7 @@ func (l *LifecycleExecution) Detect(ctx context.Context, phaseFactory PhaseFacto

 	envOp := NullOp()
 	if l.platformAPI.AtLeast("0.10") && l.hasExtensions() {
-		envOp = WithEnv("CNB_EXPERIMENTAL_MODE=warn")
+		envOp = If(l.extensionsAreExperimental(), WithEnv("CNB_EXPERIMENTAL_MODE=warn"))
 	}

 	configProvider := NewPhaseConfigProvider(
@ -444,7 +504,7 @@ func (l *LifecycleExecution) Detect(ctx context.Context, phaseFactory PhaseFacto
 		If(l.hasExtensions(), WithPostContainerRunOperations(
 			CopyOutToMaybe(filepath.Join(l.mountPaths.layersDir(), "analyzed.toml"), l.tmpDir))),
 		If(l.hasExtensions(), WithPostContainerRunOperations(
-			CopyOutToMaybe(filepath.Join(l.mountPaths.layersDir(), "generated", "build"), l.tmpDir))),
+			CopyOutToMaybe(filepath.Join(l.mountPaths.layersDir(), "generated"), l.tmpDir))),
 		envOp,
 	)

@ -453,6 +513,10 @@ func (l *LifecycleExecution) Detect(ctx context.Context, phaseFactory PhaseFacto
 	return detect.Run(ctx)
 }

+func (l *LifecycleExecution) extensionsAreExperimental() bool {
+	return l.PlatformAPI().AtLeast("0.10") && l.platformAPI.LessThan("0.13")
+}
+
 func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kanikoCache Cache, phaseFactory PhaseFactory) error {
 	// build up flags and ops
 	var flags []string
@ -481,6 +545,12 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	// for kaniko
 	kanikoCacheBindOp := NullOp()
 	if (l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild()) ||
@ -490,7 +560,7 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 			registryImages = append(registryImages, l.opts.BuilderImage)
 		}
 		if l.runImageChanged() || l.hasExtensionsForRun() {
-			registryImages = append(registryImages, l.runImageAfterExtensions())
+			registryImages = append(registryImages, l.runImageNameAfterExtensions())
 		}
 		if l.hasExtensionsForBuild() || l.hasExtensionsForRun() {
 			kanikoCacheBindOp = WithBinds(fmt.Sprintf("%s:%s", kanikoCache.Name(), l.mountPaths.kanikoCacheDir()))
@ -541,6 +611,8 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 		registryOp,
 		layoutOp,
 		layoutBindOp,
+		If(l.hasExtensions(), WithPostContainerRunOperations(
+			CopyOutToMaybe(filepath.Join(l.mountPaths.layersDir(), "analyzed.toml"), l.tmpDir))),
 	)

 	restore := phaseFactory.New(configProvider)
@ -586,6 +658,12 @@ func (l *LifecycleExecution) Analyze(ctx context.Context, buildCache, launchCach
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@ -709,7 +787,7 @@ func (l *LifecycleExecution) Build(ctx context.Context, phaseFactory PhaseFactor
 	return build.Run(ctx)
 }

-func (l *LifecycleExecution) ExtendBuild(ctx context.Context, kanikoCache Cache, phaseFactory PhaseFactory) error {
+func (l *LifecycleExecution) ExtendBuild(ctx context.Context, kanikoCache Cache, phaseFactory PhaseFactory, experimental bool) error {
 	flags := []string{"-app", l.mountPaths.appDir()}

 	configProvider := NewPhaseConfigProvider(
@ -718,7 +796,7 @@ func (l *LifecycleExecution) ExtendBuild(ctx context.Context, kanikoCache Cache,
 		WithLogPrefix("extender (build)"),
 		WithArgs(l.withLogLevel()...),
 		WithBinds(l.opts.Volumes...),
-		WithEnv("CNB_EXPERIMENTAL_MODE=warn"),
+		If(experimental, WithEnv("CNB_EXPERIMENTAL_MODE=warn")),
 		WithFlags(flags...),
 		WithNetwork(l.opts.Network),
 		WithRoot(),
@ -730,7 +808,7 @@ func (l *LifecycleExecution) ExtendBuild(ctx context.Context, kanikoCache Cache,
 	return extend.Run(ctx)
 }

-func (l *LifecycleExecution) ExtendRun(ctx context.Context, kanikoCache Cache, phaseFactory PhaseFactory, runImageName string) error {
+func (l *LifecycleExecution) ExtendRun(ctx context.Context, kanikoCache Cache, phaseFactory PhaseFactory, runImageName string, experimental bool) error {
 	flags := []string{"-app", l.mountPaths.appDir(), "-kind", "run"}

 	configProvider := NewPhaseConfigProvider(
@ -739,7 +817,7 @@ func (l *LifecycleExecution) ExtendRun(ctx context.Context, kanikoCache Cache, p
 		WithLogPrefix("extender (run)"),
 		WithArgs(l.withLogLevel()...),
 		WithBinds(l.opts.Volumes...),
-		WithEnv("CNB_EXPERIMENTAL_MODE=warn"),
+		If(experimental, WithEnv("CNB_EXPERIMENTAL_MODE=warn")),
 		WithFlags(flags...),
 		WithNetwork(l.opts.Network),
 		WithRoot(),
@ -775,7 +853,7 @@ func (l *LifecycleExecution) Export(ctx context.Context, buildCache, launchCache
 	} else {
 		flags = append(flags, "-run", l.mountPaths.runPath())
 		if l.hasExtensionsForRun() {
-			expEnv = WithEnv("CNB_EXPERIMENTAL_MODE=warn")
+			expEnv = If(l.extensionsAreExperimental(), WithEnv("CNB_EXPERIMENTAL_MODE=warn"))
 			kanikoCacheBindOp = WithBinds(fmt.Sprintf("%s:%s", kanikoCache.Name(), l.mountPaths.kanikoCacheDir()))
 		}
 	}
@ -795,6 +873,12 @@ func (l *LifecycleExecution) Export(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	cacheBindOp := NullOp()
 	switch buildCache.Type() {
 	case cache.Image:
@ -890,12 +974,25 @@ func (l *LifecycleExecution) hasExtensionsForBuild() bool {
 	if !l.hasExtensions() {
 		return false
 	}
-	// the directory is <layers>/generated/build inside the build container, but `CopyOutTo` only copies the directory
-	fis, err := os.ReadDir(filepath.Join(l.tmpDir, "build"))
+	generatedDir := filepath.Join(l.tmpDir, "generated")
+	fis, err := os.ReadDir(filepath.Join(generatedDir, "build"))
+	if err == nil && len(fis) > 0 {
+		// on older platforms, we need to find a file such as <layers>/generated/build/<buildpack-id>/Dockerfile
+		// on newer platforms, <layers>/generated/build doesn't exist
+		return true
+	}
+	// on newer platforms, we need to find a file such as <layers>/generated/<buildpack-id>/build.Dockerfile
+	fis, err = os.ReadDir(generatedDir)
 	if err != nil {
+		l.logger.Warnf("failed to read generated directory, assuming no build image extensions: %s", err)
 		return false
 	}
-	return len(fis) > 0
+	for _, fi := range fis {
+		if _, err := os.Stat(filepath.Join(generatedDir, fi.Name(), "build.Dockerfile")); err == nil {
+			return true
+		}
+	}
+	return false
 }

 func (l *LifecycleExecution) hasExtensionsForRun() bool {
@ -915,25 +1012,42 @@ func (l *LifecycleExecution) hasExtensionsForRun() bool {
 	return amd.RunImage.Extend
 }

-func (l *LifecycleExecution) runImageAfterExtensions() string {
+func (l *LifecycleExecution) runImageIdentifierAfterExtensions() string {
 	if !l.hasExtensions() {
 		return l.opts.RunImage
 	}
 	var amd files.Analyzed
 	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
-		l.logger.Warnf("failed to parse analyzed.toml file, assuming run image did not change: %s", err)
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming run image identifier did not change: %s", err)
+		return l.opts.RunImage
+	}
+	if amd.RunImage == nil || amd.RunImage.Reference == "" {
+		// this shouldn't be reachable
+		l.logger.Warnf("found no run image in analyzed.toml file, assuming run image identifier did not change...")
+		return l.opts.RunImage
+	}
+	return amd.RunImage.Reference
+}
+
+func (l *LifecycleExecution) runImageNameAfterExtensions() string {
+	if !l.hasExtensions() {
+		return l.opts.RunImage
+	}
+	var amd files.Analyzed
+	if _, err := toml.DecodeFile(filepath.Join(l.tmpDir, "analyzed.toml"), &amd); err != nil {
+		l.logger.Warnf("failed to parse analyzed.toml file, assuming run image name did not change: %s", err)
 		return l.opts.RunImage
 	}
 	if amd.RunImage == nil || amd.RunImage.Image == "" {
 		// this shouldn't be reachable
-		l.logger.Warnf("found no run image in analyzed.toml file, assuming run image did not change...")
+		l.logger.Warnf("found no run image in analyzed.toml file, assuming run image name did not change...")
 		return l.opts.RunImage
 	}
 	return amd.RunImage.Image
 }

 func (l *LifecycleExecution) runImageChanged() bool {
-	currentRunImage := l.runImageAfterExtensions()
+	currentRunImage := l.runImageNameAfterExtensions()
 	return currentRunImage != "" && currentRunImage != l.opts.RunImage
 }

--- a/internal/build/lifecycle_execution_test.go
+++ b/internal/build/lifecycle_execution_test.go
@ -17,6 +17,7 @@ import (
 	"github.com/buildpacks/lifecycle/api"
 	"github.com/buildpacks/lifecycle/platform/files"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
@ -76,7 +77,8 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 		configProvider   *build.PhaseConfigProvider

 		extensionsForBuild, extensionsForRun bool
-		extensionsRunImage                   string
+		extensionsRunImageName               string
+		extensionsRunImageIdentifier         string
 		useCreatorWithExtensions             bool
 	)

@ -136,11 +138,15 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {

 		// construct fixtures for extensions
 		if extensionsForBuild {
-			// the directory is <layers>/generated/build inside the build container, but `CopyOutTo` only copies the directory
-			err = os.MkdirAll(filepath.Join(tmpDir, "build"), 0755)
-			h.AssertNil(t, err)
-			_, err = os.Create(filepath.Join(tmpDir, "build", "some-dockerfile"))
-			h.AssertNil(t, err)
+			if platformAPI.LessThan("0.13") {
+				err = os.MkdirAll(filepath.Join(tmpDir, "generated", "build", "some-buildpack-id"), 0755)
+				h.AssertNil(t, err)
+			} else {
+				err = os.MkdirAll(filepath.Join(tmpDir, "generated", "some-buildpack-id"), 0755)
+				h.AssertNil(t, err)
+				_, err = os.Create(filepath.Join(tmpDir, "generated", "some-buildpack-id", "build.Dockerfile"))
+				h.AssertNil(t, err)
+			}
 		}
 		amd := files.Analyzed{RunImage: &files.RunImage{
 			Extend: false,
@ -149,8 +155,11 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 		if extensionsForRun {
 			amd.RunImage.Extend = true
 		}
-		if extensionsRunImage != "" {
-			amd.RunImage.Image = extensionsRunImage
+		if extensionsRunImageName != "" {
+			amd.RunImage.Image = extensionsRunImageName
+		}
+		if extensionsRunImageIdentifier != "" {
+			amd.RunImage.Reference = extensionsRunImageIdentifier
 		}
 		f, err := os.Create(filepath.Join(tmpDir, "analyzed.toml"))
 		h.AssertNil(t, err)
@ -267,7 +276,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 			fakeBuilder *fakes.FakeBuilder
 			outBuf      bytes.Buffer
 			logger      *logging.LogWithWriters
-			docker      *client.Client
+			docker      *fakeDockerClient
 			fakeTermui  *fakes.FakeTermui
 		)

@ -281,7 +290,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 			fakeBuilder, err = fakes.NewFakeBuilder(fakes.WithSupportedPlatformAPIs([]*api.Version{api.MustParse("0.3")}))
 			h.AssertNil(t, err)
 			logger = logging.NewLogWithWriters(&outBuf, &outBuf)
-			docker, err = client.NewClientWithOpts(client.FromEnv, client.WithVersion("1.38"))
+			docker = &fakeDockerClient{}
 			h.AssertNil(t, err)
 			fakePhaseFactory = fakes.NewFakePhaseFactory()
 		})
@ -579,7 +588,32 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 				providedOrderExt = dist.Order{dist.OrderEntry{Group: []dist.ModuleRef{ /* don't care */ }}}

 				when("for build", func() {
-					when("present <layers>/generated/build", func() {
+					when("present in <layers>/generated/<buildpack-id>", func() {
+						extensionsForBuild = true
+
+						when("platform >= 0.13", func() {
+							platformAPI = api.MustParse("0.13")
+
+							it("runs the extender (build)", func() {
+								err := lifecycle.Run(context.Background(), func(execution *build.LifecycleExecution) build.PhaseFactory {
+									return fakePhaseFactory
+								})
+								h.AssertNil(t, err)
+
+								h.AssertEq(t, len(fakePhaseFactory.NewCalledWithProvider), 5)
+
+								var found bool
+								for _, entry := range fakePhaseFactory.NewCalledWithProvider {
+									if entry.Name() == "extender" {
+										found = true
+									}
+								}
+								h.AssertEq(t, found, true)
+							})
+						})
+					})
+
+					when("present in <layers>/generated/build", func() {
 						extensionsForBuild = true

 						when("platform < 0.10", func() {
@ -603,7 +637,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 							})
 						})

-						when("platform >= 0.10", func() {
+						when("platform 0.10 to 0.12", func() {
 							platformAPI = api.MustParse("0.10")

 							it("runs the extender (build)", func() {
@ -660,15 +694,17 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 						})

 						when("does not match provided run image", func() {
-							extensionsRunImage = "some-new-run-image"
+							extensionsRunImageName = "some-new-run-image"
+							extensionsRunImageIdentifier = "some-new-run-image-identifier"

 							it("pulls the new run image", func() {
 								err := lifecycle.Run(context.Background(), func(execution *build.LifecycleExecution) build.PhaseFactory {
 									return fakePhaseFactory
 								})
 								h.AssertNil(t, err)
+								h.AssertEq(t, fakeFetcher.callCount, 2)
 								h.AssertEq(t, fakeFetcher.calledWithArgAtCall[0], "some-new-run-image")
-								h.AssertEq(t, fakeFetcher.callCount, 1)
+								h.AssertEq(t, fakeFetcher.calledWithArgAtCall[1], "some-new-run-image-identifier")
 							})
 						})
 					})
@ -745,6 +781,46 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 			})
 		})

+		when("network is not provided", func() {
+			it("creates an ephemeral bridge network", func() {
+				beforeNetworks := func() int {
+					networks, err := docker.NetworkList(context.Background(), network.CreateOptions{})
+					h.AssertNil(t, err)
+					return len(networks)
+				}()
+
+				opts := build.LifecycleOptions{
+					Image:   imageName,
+					Builder: fakeBuilder,
+					Termui:  fakeTermui,
+				}
+
+				lifecycle, err := build.NewLifecycleExecution(logger, docker, "some-temp-dir", opts)
+				h.AssertNil(t, err)
+
+				err = lifecycle.Run(context.Background(), func(execution *build.LifecycleExecution) build.PhaseFactory {
+					return fakePhaseFactory
+				})
+				h.AssertNil(t, err)
+
+				for _, entry := range fakePhaseFactory.NewCalledWithProvider {
+					h.AssertContains(t, string(entry.HostConfig().NetworkMode), "pack.local-network-")
+					h.AssertEq(t, entry.HostConfig().NetworkMode.IsDefault(), false)
+					h.AssertEq(t, entry.HostConfig().NetworkMode.IsHost(), false)
+					h.AssertEq(t, entry.HostConfig().NetworkMode.IsNone(), false)
+					h.AssertEq(t, entry.HostConfig().NetworkMode.IsPrivate(), true)
+					h.AssertEq(t, entry.HostConfig().NetworkMode.IsUserDefined(), true)
+				}
+
+				afterNetworks := func() int {
+					networks, err := docker.NetworkList(context.Background(), network.CreateOptions{})
+					h.AssertNil(t, err)
+					return len(networks)
+				}()
+				h.AssertEq(t, beforeNetworks, afterNetworks)
+			})
+		})
+
 		when("Error cases", func() {
 			when("passed invalid", func() {
 				it("fails for cache-image", func() {
@ -2024,8 +2100,10 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 	})

 	when("#ExtendBuild", func() {
+		var experimental bool
 		it.Before(func() {
-			err := lifecycle.ExtendBuild(context.Background(), fakeKanikoCache, fakePhaseFactory)
+			experimental = true
+			err := lifecycle.ExtendBuild(context.Background(), fakeKanikoCache, fakePhaseFactory, experimental)
 			h.AssertNil(t, err)

 			lastCallIndex := len(fakePhaseFactory.NewCalledWithProvider) - 1
@ -2063,11 +2141,31 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 		it("configures the phase with root", func() {
 			h.AssertEq(t, configProvider.ContainerConfig().User, "root")
 		})
+
+		when("experimental is false", func() {
+			it.Before(func() {
+				experimental = false
+				err := lifecycle.ExtendBuild(context.Background(), fakeKanikoCache, fakePhaseFactory, experimental)
+				h.AssertNil(t, err)
+
+				lastCallIndex := len(fakePhaseFactory.NewCalledWithProvider) - 1
+				h.AssertNotEq(t, lastCallIndex, -1)
+
+				configProvider = fakePhaseFactory.NewCalledWithProvider[lastCallIndex]
+				h.AssertEq(t, configProvider.Name(), "extender")
+			})
+
+			it("CNB_EXPERIMENTAL_MODE=warn is not enable in the environment", func() {
+				h.AssertSliceNotContains(t, configProvider.ContainerConfig().Env, "CNB_EXPERIMENTAL_MODE=warn")
+			})
+		})
 	})

 	when("#ExtendRun", func() {
+		var experimental bool
 		it.Before(func() {
-			err := lifecycle.ExtendRun(context.Background(), fakeKanikoCache, fakePhaseFactory, "some-run-image")
+			experimental = true
+			err := lifecycle.ExtendRun(context.Background(), fakeKanikoCache, fakePhaseFactory, "some-run-image", experimental)
 			h.AssertNil(t, err)

 			lastCallIndex := len(fakePhaseFactory.NewCalledWithProvider) - 1
@ -2111,6 +2209,24 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 		it("configures the phase with root", func() {
 			h.AssertEq(t, configProvider.ContainerConfig().User, "root")
 		})
+
+		when("experimental is false", func() {
+			it.Before(func() {
+				experimental = false
+				err := lifecycle.ExtendRun(context.Background(), fakeKanikoCache, fakePhaseFactory, "some-run-image", experimental)
+				h.AssertNil(t, err)
+
+				lastCallIndex := len(fakePhaseFactory.NewCalledWithProvider) - 1
+				h.AssertNotEq(t, lastCallIndex, -1)
+
+				configProvider = fakePhaseFactory.NewCalledWithProvider[lastCallIndex]
+				h.AssertEq(t, configProvider.Name(), "extender")
+			})
+
+			it("CNB_EXPERIMENTAL_MODE=warn is not enable in the environment", func() {
+				h.AssertSliceNotContains(t, configProvider.ContainerConfig().Env, "CNB_EXPERIMENTAL_MODE=warn")
+			})
+		})
 	})

 	when("#Export", func() {
@ -2582,6 +2698,26 @@ func (f *fakeImageFetcher) fetchRunImage(name string) error {
 	return nil
 }

+type fakeDockerClient struct {
+	nNetworks int
+	build.DockerClient
+}
+
+func (f *fakeDockerClient) NetworkList(ctx context.Context, opts network.CreateOptions) ([]network.Inspect, error) {
+	ret := make([]network.Inspect, f.nNetworks)
+	return ret, nil
+}
+
+func (f *fakeDockerClient) NetworkCreate(ctx context.Context, name string, options network.CreateOptions) (network.CreateResponse, error) {
+	f.nNetworks++
+	return network.CreateResponse{}, nil
+}
+
+func (f *fakeDockerClient) NetworkRemove(ctx context.Context, network string) error {
+	f.nNetworks--
+	return nil
+}
+
 func newTestLifecycleExecErr(t *testing.T, logVerbose bool, tmpDir string, ops ...func(*build.LifecycleOptions)) (*build.LifecycleExecution, error) {
 	docker, err := client.NewClientWithOpts(client.FromEnv, client.WithVersion("1.38"))
 	h.AssertNil(t, err)
--- a/internal/build/lifecycle_executor.go
+++ b/internal/build/lifecycle_executor.go
@ -32,6 +32,7 @@ var (
 		api.MustParse("0.10"),
 		api.MustParse("0.11"),
 		api.MustParse("0.12"),
+		api.MustParse("0.13"),
 	}
 )

@ -44,6 +45,7 @@ type Builder interface {
 	RunImages() []builder.RunImageMetadata
 	Image() imgutil.Image
 	OrderExtensions() dist.Order
+	System() dist.System
 }

 type LifecycleExecutor struct {
@ -71,7 +73,7 @@ type LifecycleOptions struct {
 	Builder                         Builder
 	BuilderImage                    string // differs from Builder.Name() and Builder.Image().Name() in that it includes the registry context
 	LifecycleImage                  string
-	LifecycleApis                   []string // optional - populated only if custom lifecycle image is downloaded, from that lifecycle's container's Labels.
+	LifecycleApis                   []string // optional - populated only if custom lifecycle image is downloaded, from that lifecycle image's labels.
 	RunImage                        string
 	FetchRunImageWithLifecycleLayer func(name string) (string, error)
 	ProjectMetadata                 files.ProjectMetadata
@ -92,6 +94,7 @@ type LifecycleOptions struct {
 	Network                         string
 	AdditionalTags                  []string
 	Volumes                         []string
+	InsecureRegistries              []string
 	DefaultProcessType              string
 	FileFilter                      func(string) bool
 	Workspace                       string
@ -102,6 +105,7 @@ type LifecycleOptions struct {
 	SBOMDestinationDir              string
 	CreationTime                    *time.Time
 	Keychain                        authn.Keychain
+	EnableUsernsHost                bool
 }

 func NewLifecycleExecutor(logger logging.Logger, docker DockerClient) *LifecycleExecutor {
--- a/internal/build/phase.go
+++ b/internal/build/phase.go
@ -4,7 +4,6 @@ import (
 	"context"
 	"io"

-	"github.com/docker/docker/api/types"
 	dcontainer "github.com/docker/docker/api/types/container"
 	"github.com/pkg/errors"

@ -64,5 +63,5 @@ func (p *Phase) Run(ctx context.Context) error {
 }

 func (p *Phase) Cleanup() error {
-	return p.docker.ContainerRemove(context.Background(), p.ctr.ID, types.ContainerRemoveOptions{Force: true})
+	return p.docker.ContainerRemove(context.Background(), p.ctr.ID, dcontainer.RemoveOptions{Force: true})
 }
--- a/internal/build/phase_config_provider.go
+++ b/internal/build/phase_config_provider.go
@ -34,9 +34,16 @@ type PhaseConfigProvider struct {
 }

 func NewPhaseConfigProvider(name string, lifecycleExec *LifecycleExecution, ops ...PhaseConfigProviderOperation) *PhaseConfigProvider {
+	hostConf := new(container.HostConfig)
+	if lifecycleExec.opts.EnableUsernsHost {
+		hostConf.UsernsMode = "host"
+	}
+	if lifecycleExec.os != "windows" {
+		hostConf.SecurityOpt = []string{"no-new-privileges=true"}
+	}
 	provider := &PhaseConfigProvider{
 		ctrConf:     new(container.Config),
-		hostConf:    new(container.HostConfig),
+		hostConf:    hostConf,
 		name:        name,
 		os:          lifecycleExec.os,
 		infoWriter:  logging.GetWriterForLevel(lifecycleExec.logger, logging.InfoLevel),
--- a/internal/build/phase_config_provider_test.go
+++ b/internal/build/phase_config_provider_test.go
@ -59,6 +59,22 @@ func testPhaseConfigProvider(t *testing.T, when spec.G, it spec.S) {
 			h.AssertSliceContainsMatch(t, phaseConfigProvider.HostConfig().Binds, "pack-app-.*:/workspace")

 			h.AssertEq(t, phaseConfigProvider.HostConfig().Isolation, container.IsolationEmpty)
+			h.AssertEq(t, phaseConfigProvider.HostConfig().UsernsMode, container.UsernsMode(""))
+			h.AssertSliceContains(t, phaseConfigProvider.HostConfig().SecurityOpt, "no-new-privileges=true")
+		})
+
+		when("userns-host is enabled", func() {
+			it("sets user namespace mode to host", func() {
+				expectedBuilderImage := ifakes.NewImage("some-builder-name", "", nil)
+				fakeBuilder, err := fakes.NewFakeBuilder(fakes.WithImage(expectedBuilderImage))
+				h.AssertNil(t, err)
+				lifecycle := newTestLifecycleExec(t, false, "some-temp-dir", fakes.WithBuilder(fakeBuilder), fakes.WithEnableUsernsHost())
+				expectedPhaseName := "some-name"
+
+				phaseConfigProvider := build.NewPhaseConfigProvider(expectedPhaseName, lifecycle)
+
+				h.AssertEq(t, phaseConfigProvider.HostConfig().UsernsMode, container.UsernsMode("host"))
+			})
 		})

 		when("building for Windows", func() {
@ -72,6 +88,7 @@ func testPhaseConfigProvider(t *testing.T, when spec.G, it spec.S) {
 				phaseConfigProvider := build.NewPhaseConfigProvider("some-name", lifecycle)

 				h.AssertEq(t, phaseConfigProvider.HostConfig().Isolation, container.IsolationProcess)
+				h.AssertSliceNotContains(t, phaseConfigProvider.HostConfig().SecurityOpt, "no-new-privileges=true")
 			})
 		})

--- a/internal/build/phase_test.go
+++ b/internal/build/phase_test.go
@ -38,7 +38,7 @@ const phaseName = "phase"

 var (
 	repoName  string
-	ctrClient client.CommonAPIClient
+	ctrClient client.APIClient
 )

 // TestPhase is a integration test suite to ensure that the phase options are propagated to the container.
@ -70,7 +70,7 @@ func testPhase(t *testing.T, when spec.G, it spec.S) {
 		lifecycleExec  *build.LifecycleExecution
 		phaseFactory   build.PhaseFactory
 		outBuf, errBuf bytes.Buffer
-		docker         client.CommonAPIClient
+		docker         client.APIClient
 		logger         logging.Logger
 		osType         string
 	)
@ -508,7 +508,7 @@ func assertRunSucceeds(t *testing.T, phase build.RunnerCleaner, outBuf *bytes.Bu
 	h.AssertNilE(t, phase.Cleanup())
 }

-func CreateFakeLifecycleExecution(logger logging.Logger, docker client.CommonAPIClient, appDir string, repoName string, handler ...container.Handler) (*build.LifecycleExecution, error) {
+func CreateFakeLifecycleExecution(logger logging.Logger, docker client.APIClient, appDir string, repoName string, handler ...container.Handler) (*build.LifecycleExecution, error) {
 	builderImage, err := local.NewImage(repoName, docker, local.FromBaseImage(repoName))
 	if err != nil {
 		return nil, err
--- a/internal/builder/builder.go
+++ b/internal/builder/builder.go
@ -42,6 +42,7 @@ const (

 	orderPath          = "/cnb/order.toml"
 	stackPath          = "/cnb/stack.toml"
+	systemPath         = "/cnb/system.toml"
 	runPath            = "/cnb/run.toml"
 	platformDir        = "/platform"
 	lifecycleDir       = "/cnb/lifecycle"
@ -84,7 +85,9 @@ type Builder struct {
 	replaceOrder         bool
 	order                dist.Order
 	orderExtensions      dist.Order
+	system               dist.System
 	validateMixins       bool
+	saveProhibited       bool
 }

 type orderTOML struct {
@ -92,6 +95,10 @@ type orderTOML struct {
 	OrderExt dist.Order `toml:"order-extensions,omitempty"`
 }

+type systemTOML struct {
+	System dist.System `toml:"system"`
+}
+
 // moduleWithDiffID is a Build Module which content was written on disk in a tar file and the content hash was calculated
 type moduleWithDiffID struct {
 	tarPath string
@ -102,8 +109,24 @@ type moduleWithDiffID struct {
 type BuilderOption func(*options) error

 type options struct {
-	toFlatten buildpack.FlattenModuleInfos
-	labels    map[string]string
+	toFlatten      buildpack.FlattenModuleInfos
+	labels         map[string]string
+	runImage       string
+	saveProhibited bool
+}
+
+func WithRunImage(name string) BuilderOption {
+	return func(o *options) error {
+		o.runImage = name
+		return nil
+	}
+}
+
+func WithoutSave() BuilderOption {
+	return func(o *options) error {
+		o.saveProhibited = true
+		return nil
+	}
 }

 // FromImage constructs a builder from a builder image
@ -124,6 +147,11 @@ func constructBuilder(img imgutil.Image, newName string, errOnMissingLabel bool,
 		return nil, fmt.Errorf("builder %s missing label %s -- try recreating builder", style.Symbol(img.Name()), style.Symbol(metadataLabel))
 	}

+	system := dist.System{}
+	if _, err := dist.GetLabel(img, SystemLabel, &system); err != nil {
+		return nil, errors.Wrapf(err, "getting label %s", SystemLabel)
+	}
+
 	opts := &options{}
 	for _, op := range ops {
 		if err := op(opts); err != nil {
@ -140,6 +168,12 @@ func constructBuilder(img imgutil.Image, newName string, errOnMissingLabel bool,
 		return nil, err
 	}

+	if opts.runImage != "" {
+		// FIXME: for now the mirrors are gone if you override the run-image (open an issue if preserving the mirrors is desired)
+		metadata.RunImages = []RunImageMetadata{{Image: opts.runImage}}
+		metadata.Stack.RunImage = RunImageMetadata{Image: opts.runImage}
+	}
+
 	for labelKey, labelValue := range opts.labels {
 		err = img.SetLabel(labelKey, labelValue)
 		if err != nil {
@ -158,6 +192,8 @@ func constructBuilder(img imgutil.Image, newName string, errOnMissingLabel bool,
 		validateMixins:       true,
 		additionalBuildpacks: buildpack.NewManagedCollectionV2(opts.toFlatten),
 		additionalExtensions: buildpack.NewManagedCollectionV2(opts.toFlatten),
+		saveProhibited:       opts.saveProhibited,
+		system:               system,
 	}

 	if err := addImgLabelsToBuildr(bldr); err != nil {
@ -279,6 +315,9 @@ func (b *Builder) Stack() StackMetadata {
 	return b.metadata.Stack
 }

+// System returns the system buildpacks configuration
+func (b *Builder) System() dist.System { return b.system }
+
 // RunImages returns all run image metadata
 func (b *Builder) RunImages() []RunImageMetadata {
 	return append(b.metadata.RunImages, b.Stack().RunImage)
@ -401,6 +440,11 @@ func (b *Builder) SetStack(stackConfig builder.StackConfig) {
 	}
 }

+// SetSystem sets the system buildpacks of the builder
+func (b *Builder) SetSystem(system dist.System) {
+	b.system = system
+}
+
 // SetRunImage sets the run image of the builder
 func (b *Builder) SetRunImage(runConfig builder.RunConfig) {
 	var runImages []RunImageMetadata
@ -419,7 +463,11 @@ func (b *Builder) SetValidateMixins(to bool) {
 }

 // Save saves the builder
-func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata) error {
+func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata, additionalTags ...string) error {
+	if b.saveProhibited {
+		return fmt.Errorf("failed to save builder %s as saving is not allowed", b.Name())
+	}
+
 	logger.Debugf("Creating builder with the following buildpacks:")
 	for _, bpInfo := range b.metadata.Buildpacks {
 		logger.Debugf("-> %s", style.Symbol(bpInfo.FullName()))
@ -527,6 +575,24 @@ func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata) e
 		}
 	}

+	if len(b.system.Pre.Buildpacks) > 0 || len(b.system.Post.Buildpacks) > 0 {
+		resolvedSystemBp, err := processSystem(b.metadata.Buildpacks, b.system, buildpack.KindBuildpack)
+		if err != nil {
+			return errors.Wrap(err, "processing system buildpacks")
+		}
+
+		systemTar, err := b.systemLayer(resolvedSystemBp, tmpDir)
+		if err != nil {
+			return err
+		}
+		if err := b.image.AddLayer(systemTar); err != nil {
+			return errors.Wrap(err, "adding system.tar layer")
+		}
+		if err := dist.SetLabel(b.image, SystemLabel, b.system); err != nil {
+			return err
+		}
+	}
+
 	stackTar, err := b.stackLayer(tmpDir)
 	if err != nil {
 		return err
@ -586,7 +652,10 @@ func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata) e
 		return errors.Wrap(err, "failed to set working dir")
 	}

-	return b.image.Save()
+	logger.Debugf("Builder creation completed, starting image save")
+	err = b.image.Save(additionalTags...)
+	logger.Debugf("Image save completed")
+	return err
 }

 // Helpers
@ -738,6 +807,36 @@ func processOrder(modulesOnBuilder []dist.ModuleInfo, order dist.Order, kind str
 	return resolved, nil
 }

+func processSystem(modulesOnBuilder []dist.ModuleInfo, system dist.System, kind string) (dist.System, error) {
+	resolved := dist.System{}
+
+	// Pre buildpacks
+	for _, bp := range system.Pre.Buildpacks {
+		var (
+			ref dist.ModuleRef
+			err error
+		)
+		if ref, err = resolveRef(modulesOnBuilder, bp, kind); err != nil {
+			return dist.System{}, err
+		}
+		resolved.Pre.Buildpacks = append(resolved.Pre.Buildpacks, ref)
+	}
+
+	// Post buildpacks
+	for _, bp := range system.Post.Buildpacks {
+		var (
+			ref dist.ModuleRef
+			err error
+		)
+		if ref, err = resolveRef(modulesOnBuilder, bp, kind); err != nil {
+			return dist.System{}, err
+		}
+		resolved.Post.Buildpacks = append(resolved.Post.Buildpacks, ref)
+	}
+
+	return resolved, nil
+}
+
 func resolveRef(moduleList []dist.ModuleInfo, ref dist.ModuleRef, kind string) (dist.ModuleRef, error) {
 	var matching []dist.ModuleInfo
 	for _, bp := range moduleList {
@ -1065,6 +1164,29 @@ func orderFileContents(order dist.Order, orderExt dist.Order) (string, error) {
 	return buf.String(), nil
 }

+func (b *Builder) systemLayer(system dist.System, dest string) (string, error) {
+	contents, err := systemFileContents(system)
+	if err != nil {
+		return "", err
+	}
+	layerTar := filepath.Join(dest, "system.tar")
+	err = layer.CreateSingleFileTar(layerTar, systemPath, contents, b.layerWriterFactory)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to create system.toml layer tar")
+	}
+
+	return layerTar, nil
+}
+
+func systemFileContents(system dist.System) (string, error) {
+	buf := &bytes.Buffer{}
+	tomlData := systemTOML{System: system}
+	if err := toml.NewEncoder(buf).Encode(tomlData); err != nil {
+		return "", errors.Wrapf(err, "failed to marshal system.toml")
+	}
+	return buf.String(), nil
+}
+
 func (b *Builder) stackLayer(dest string) (string, error) {
 	buf := &bytes.Buffer{}
 	var err error
--- a/internal/builder/builder_test.go
+++ b/internal/builder/builder_test.go
@ -10,6 +10,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strings"
 	"testing"

@ -460,6 +461,18 @@ func testBuilder(t *testing.T, when spec.G, it spec.S) {
 				h.AssertOnTarEntry(t, layerTar, "/cnb/order.toml", h.ContentEquals("some content"))
 			})

+			it("adds additional tags as requested", func() {
+				h.AssertNil(t, subject.Save(logger, builder.CreatorMetadata{}, "additional-tag-one", "additional-tag-two"))
+				h.AssertEq(t, baseImage.IsSaved(), true)
+				h.AssertEq(t, baseImage.Name(), "some/builder")
+				savedNames := baseImage.SavedNames()
+				slices.Sort(savedNames)
+				h.AssertEq(t, 3, len(savedNames))
+				h.AssertEq(t, "additional-tag-one", savedNames[0])
+				h.AssertEq(t, "additional-tag-two", savedNames[1])
+				h.AssertEq(t, "some/builder", savedNames[2])
+			})
+
 			when("validating order", func() {
 				it.Before(func() {
 					subject.SetLifecycle(mockLifecycle)
@ -920,8 +933,35 @@ func testBuilder(t *testing.T, when spec.G, it spec.S) {
 					h.AssertTrue(t, strings.Contains(layers[2], h.LayerFileName(ext2v1)))
 				})
 			})
-		})

+			when("system buildpacks", func() {
+				it.Before(func() {
+					subject.SetLifecycle(mockLifecycle)
+					subject.AddBuildpack(bp1v1)
+					subject.SetSystem(dist.System{
+						Pre: dist.SystemBuildpacks{
+							Buildpacks: []dist.ModuleRef{
+								{ModuleInfo: dist.ModuleInfo{ID: bp1v1.Descriptor().Info().ID}}},
+						},
+					})
+				})
+
+				it("should write system buildpacks to system.toml)", func() {
+					err := subject.Save(logger, builder.CreatorMetadata{})
+					h.AssertNil(t, err)
+
+					layerTar, err := baseImage.FindLayerWithPath("/cnb/system.toml")
+					h.AssertNil(t, err)
+					h.AssertOnTarEntry(t, layerTar, "/cnb/system.toml", h.ContentEquals(`[system]
+  [system.pre]
+
+    [[system.pre.buildpacks]]
+      id = "buildpack-1-id"
+      version = "buildpack-1-version-1"
+`))
+				})
+			})
+		})
 		when("#SetLifecycle", func() {
 			it.Before(func() {
 				h.AssertNil(t, subject.Save(logger, builder.CreatorMetadata{}))
@ -1846,6 +1886,32 @@ func testBuilder(t *testing.T, when spec.G, it spec.S) {
 				})
 			})
 		})
+
+		when("#New", func() {
+			when("#WithRunImage", func() {
+				// Current runImage information in builder image:
+				// "stack": {"runImage": {"image": "prev/run", "mirrors": ["prev/mirror"]}}
+				var newBuilder *builder.Builder
+				newRunImage := "another/run"
+
+				it.Before(func() {
+					var err error
+					newBuilder, err = builder.New(builderImage, "newBuilder/image", builder.WithRunImage(newRunImage))
+					h.AssertNil(t, err)
+				})
+
+				it("overrides the run image metadata (which becomes run.toml)", func() {
+					// RunImages() returns Stacks + RunImages metadata.
+					metadata := newBuilder.RunImages()
+					h.AssertTrue(t, len(metadata) == 2)
+					for _, m := range metadata {
+						// Both images must be equal to the expected run-image
+						h.AssertEq(t, m.Image, newRunImage)
+						h.AssertEq(t, len(m.Mirrors), 0)
+					}
+				})
+			})
+		})
 	})

 	when("flatten", func() {
--- a/internal/builder/image_fetcher_wrapper.go
+++ b/internal/builder/image_fetcher_wrapper.go
@ -13,6 +13,14 @@ type ImageFetcher interface {
 	// If daemon is true, it will look return a `local.Image`. Pull, applicable only when daemon is true, will
 	// attempt to pull a remote image first.
 	Fetch(ctx context.Context, name string, options image.FetchOptions) (imgutil.Image, error)
+
+	// CheckReadAccess verifies if an image is accessible with read permissions
+	// When FetchOptions.Daemon is true and the image doesn't exist in the daemon,
+	// the behavior is dictated by the pull policy, which can have the following behavior
+	//   - PullNever: returns false
+	//   - PullAlways Or PullIfNotPresent: it will check read access for the remote image.
+	// When FetchOptions.Daemon is false it will check read access for the remote image.
+	CheckReadAccess(repo string, options image.FetchOptions) bool
 }

 type ImageFetcherWrapper struct {
@ -32,3 +40,7 @@ func (w *ImageFetcherWrapper) Fetch(
 ) (Inspectable, error) {
 	return w.fetcher.Fetch(ctx, name, options)
 }
+
+func (w *ImageFetcherWrapper) CheckReadAccessValidator(repo string, options image.FetchOptions) bool {
+	return w.fetcher.CheckReadAccess(repo, options)
+}
--- a/internal/builder/lifecycle.go
+++ b/internal/builder/lifecycle.go
@ -12,10 +12,9 @@ import (
 	"github.com/buildpacks/pack/pkg/archive"
 )

-// A snapshot of the latest tested lifecycle version values
+// DefaultLifecycleVersion A snapshot of the latest tested lifecycle version values
 const (
-	DefaultLifecycleVersion    = "0.18.4"
-	DefaultBuildpackAPIVersion = "0.2"
+	DefaultLifecycleVersion = "0.20.11"
 )

 // Blob is an interface to wrap opening blobs
@ -120,3 +119,8 @@ func (l *lifecycle) binaries() []string {
 	}
 	return binaries
 }
+
+// SupportedLinuxArchitecture returns true for each binary architecture available at https://github.com/buildpacks/lifecycle/releases/
+func SupportedLinuxArchitecture(arch string) bool {
+	return arch == "arm64" || arch == "ppc64le" || arch == "s390x"
+}
--- a/internal/builder/metadata.go
+++ b/internal/builder/metadata.go
@ -5,6 +5,7 @@ import "github.com/buildpacks/pack/pkg/dist"
 const (
 	OrderLabel           = "io.buildpacks.buildpack.order"
 	OrderExtensionsLabel = "io.buildpacks.buildpack.order-extensions"
+	SystemLabel          = "io.buildpacks.buildpack.system"
 )

 type Metadata struct {
--- a/internal/builder/suggested_builder.go
+++ b/internal/builder/suggested_builder.go
@ -1,45 +0,0 @@
-package builder
-
-type SuggestedBuilder struct {
-	Vendor             string
-	Image              string
-	DefaultDescription string
-}
-
-var SuggestedBuilders = []SuggestedBuilder{
-	{
-		Vendor:             "Google",
-		Image:              "gcr.io/buildpacks/builder:v1",
-		DefaultDescription: "GCP Builder for all runtimes",
-	},
-	{
-		Vendor:             "Heroku",
-		Image:              "heroku/builder:22",
-		DefaultDescription: "Heroku-22 (Ubuntu 22.04) base image with buildpacks for Go, Java, Node.js, PHP, Python, Ruby & Scala",
-	},
-	{
-		Vendor:             "Heroku",
-		Image:              "heroku/builder:20",
-		DefaultDescription: "Heroku-20 (Ubuntu 20.04) base image with buildpacks for Go, Java, Node.js, PHP, Python, Ruby & Scala",
-	},
-	{
-		Vendor:             "Paketo Buildpacks",
-		Image:              "paketobuildpacks/builder-jammy-base",
-		DefaultDescription: "Small base image with buildpacks for Java, Node.js, Golang, .NET Core, Python & Ruby",
-	},
-	{
-		Vendor:             "Paketo Buildpacks",
-		Image:              "paketobuildpacks/builder-jammy-full",
-		DefaultDescription: "Larger base image with buildpacks for Java, Node.js, Golang, .NET Core, Python, Ruby, & PHP",
-	},
-	{
-		Vendor:             "Paketo Buildpacks",
-		Image:              "paketobuildpacks/builder-jammy-tiny",
-		DefaultDescription: "Tiny base image (jammy build image, distroless run image) with buildpacks for Golang & Java",
-	},
-	{
-		Vendor:             "Paketo Buildpacks",
-		Image:              "paketobuildpacks/builder-jammy-buildpackless-static",
-		DefaultDescription: "Static base image (jammy build image, distroless run image) suitable for static binaries like Go or Rust",
-	},
-}
--- a/internal/builder/trusted_builder.go
+++ b/internal/builder/trusted_builder.go
@ -0,0 +1,113 @@
+package builder
+
+import (
+	"github.com/google/go-containerregistry/pkg/name"
+
+	"github.com/buildpacks/pack/internal/config"
+)
+
+type KnownBuilder struct {
+	Vendor             string
+	Image              string
+	DefaultDescription string
+	Suggested          bool
+	Trusted            bool
+}
+
+var KnownBuilders = []KnownBuilder{
+	{
+		Vendor:             "Google",
+		Image:              "gcr.io/buildpacks/builder:google-22",
+		DefaultDescription: "Ubuntu 22.04 base image with buildpacks for .NET, Dart, Go, Java, Node.js, PHP, Python, and Ruby",
+		Suggested:          true,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Heroku",
+		Image:              "heroku/builder:24",
+		DefaultDescription: "Ubuntu 24.04 AMD64+ARM64 base image with buildpacks for Go, Java, Node.js, PHP, Python, Ruby & Scala.",
+		Suggested:          true,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Heroku",
+		Image:              "heroku/builder:22",
+		DefaultDescription: "Ubuntu 22.04 AMD64 base image with buildpacks for Go, Java, Node.js, PHP, Python, Ruby & Scala.",
+		Suggested:          false,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Heroku",
+		Image:              "heroku/builder:20",
+		DefaultDescription: "Ubuntu 20.04 AMD64 base image with buildpacks for Go, Java, Node.js, PHP, Python, Ruby & Scala.",
+		Suggested:          false,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Paketo Buildpacks",
+		Image:              "paketobuildpacks/builder-jammy-base",
+		DefaultDescription: "Small base image with buildpacks for Java, Node.js, Golang, .NET Core, Python & Ruby",
+		Suggested:          true,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Paketo Buildpacks",
+		Image:              "paketobuildpacks/builder-jammy-full",
+		DefaultDescription: "Larger base image with buildpacks for Java, Node.js, Golang, .NET Core, Python, Ruby, & PHP",
+		Suggested:          true,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Paketo Buildpacks",
+		Image:              "paketobuildpacks/builder-jammy-tiny",
+		DefaultDescription: "Tiny base image (jammy build image, distroless run image) with buildpacks for Golang & Java",
+		Suggested:          true,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Paketo Buildpacks",
+		Image:              "paketobuildpacks/builder-jammy-buildpackless-static",
+		DefaultDescription: "Static base image (jammy build image, distroless run image) suitable for static binaries like Go or Rust",
+		Suggested:          true,
+		Trusted:            true,
+	},
+	{
+		Vendor:             "Paketo Buildpacks",
+		Image:              "paketobuildpacks/builder-ubi8-base",
+		DefaultDescription: "Universal Base Image (RHEL8) with buildpacks to build Node.js or Java runtimes. Support also the new extension feature (aka apply Dockerfile)",
+		Suggested:          true,
+		Trusted:            true,
+	},
+}
+
+func IsKnownTrustedBuilder(builderName string) bool {
+	for _, knownBuilder := range KnownBuilders {
+		if builderName == knownBuilder.Image && knownBuilder.Trusted {
+			return true
+		}
+	}
+	return false
+}
+
+func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) {
+	builderReference, err := name.ParseReference(builderName, name.WithDefaultTag(""))
+	if err != nil {
+		return false, err
+	}
+	for _, trustedBuilder := range cfg.TrustedBuilders {
+		trustedBuilderReference, err := name.ParseReference(trustedBuilder.Name, name.WithDefaultTag(""))
+		if err != nil {
+			return false, err
+		}
+		if trustedBuilderReference.Identifier() != "" {
+			if builderReference.Name() == trustedBuilderReference.Name() {
+				return true, nil
+			}
+		} else {
+			if builderReference.Context().RepositoryStr() == trustedBuilderReference.Context().RepositoryStr() {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
--- a/internal/builder/trusted_builder_test.go
+++ b/internal/builder/trusted_builder_test.go
@ -0,0 +1,102 @@
+package builder_test
+
+import (
+	"testing"
+
+	"github.com/heroku/color"
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	bldr "github.com/buildpacks/pack/internal/builder"
+	"github.com/buildpacks/pack/internal/config"
+
+	h "github.com/buildpacks/pack/testhelpers"
+)
+
+func TestTrustedBuilder(t *testing.T) {
+	color.Disable(true)
+	defer color.Disable(false)
+	spec.Run(t, "Trusted Builder", trustedBuilder, spec.Parallel(), spec.Report(report.Terminal{}))
+}
+
+func trustedBuilder(t *testing.T, when spec.G, it spec.S) {
+	when("IsKnownTrustedBuilder", func() {
+		it("matches exactly", func() {
+			h.AssertTrue(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base"))
+			h.AssertFalse(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base:latest"))
+			h.AssertFalse(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base:1.2.3"))
+			h.AssertFalse(t, bldr.IsKnownTrustedBuilder("my/private/builder"))
+		})
+	})
+
+	when("IsTrustedBuilder", func() {
+		it("trust image without tag", func() {
+			cfg := config.Config{
+				TrustedBuilders: []config.TrustedBuilder{
+					{
+						Name: "my/trusted/builder-jammy",
+					},
+				},
+			}
+
+			trustedBuilders := []string{
+				"my/trusted/builder-jammy",
+				"my/trusted/builder-jammy:latest",
+				"my/trusted/builder-jammy:1.2.3",
+			}
+
+			untrustedBuilders := []string{
+				"my/private/builder",            // random builder
+				"my/trusted/builder-jammy-base", // shared prefix
+			}
+
+			for _, builder := range trustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertTrue(t, isTrusted)
+			}
+
+			for _, builder := range untrustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertFalse(t, isTrusted)
+			}
+		})
+		it("trust image with tag", func() {
+			cfg := config.Config{
+				TrustedBuilders: []config.TrustedBuilder{
+					{
+						Name: "my/trusted/builder-jammy:1.2.3",
+					},
+					{
+						Name: "my/trusted/builder-jammy:latest",
+					},
+				},
+			}
+
+			trustedBuilders := []string{
+				"my/trusted/builder-jammy:1.2.3",
+				"my/trusted/builder-jammy:latest",
+			}
+
+			untrustedBuilders := []string{
+				"my/private/builder",
+				"my/trusted/builder-jammy",
+				"my/trusted/builder-jammy:2.0.0",
+				"my/trusted/builder-jammy-base",
+			}
+
+			for _, builder := range trustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertTrue(t, isTrusted)
+			}
+
+			for _, builder := range untrustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertFalse(t, isTrusted)
+			}
+		})
+	})
+}
--- a/internal/builder/version.go
+++ b/internal/builder/version.go
@ -31,7 +31,7 @@ func (v *Version) Equal(other *Version) bool {

 // MarshalText makes Version satisfy the encoding.TextMarshaler interface.
 func (v *Version) MarshalText() ([]byte, error) {
-	return []byte(v.Version.Original()), nil
+	return []byte(v.Original()), nil
 }

 // UnmarshalText makes Version satisfy the encoding.TextUnmarshaler interface.
--- a/internal/commands/build.go
+++ b/internal/commands/build.go
@ -1,20 +1,22 @@
 package commands

 import (
+	"fmt"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"time"

-	"github.com/buildpacks/pack/pkg/cache"
-
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"

+	bldr "github.com/buildpacks/pack/internal/builder"
+
 	"github.com/buildpacks/pack/internal/config"
 	"github.com/buildpacks/pack/internal/style"
+	"github.com/buildpacks/pack/pkg/cache"
 	"github.com/buildpacks/pack/pkg/client"
 	"github.com/buildpacks/pack/pkg/image"
 	"github.com/buildpacks/pack/pkg/logging"
@ -23,38 +25,43 @@ import (
 )

 type BuildFlags struct {
-	Publish              bool
-	ClearCache           bool
-	TrustBuilder         bool
-	Interactive          bool
-	Sparse               bool
-	DockerHost           string
-	CacheImage           string
-	Cache                cache.CacheOpts
-	AppPath              string
-	Builder              string
-	Registry             string
-	RunImage             string
-	Policy               string
-	Network              string
-	DescriptorPath       string
-	DefaultProcessType   string
-	LifecycleImage       string
-	Env                  []string
-	EnvFiles             []string
-	Buildpacks           []string
-	Extensions           []string
-	Volumes              []string
-	AdditionalTags       []string
-	Workspace            string
-	GID                  int
-	UID                  int
-	PreviousImage        string
-	SBOMDestinationDir   string
-	ReportDestinationDir string
-	DateTime             string
-	PreBuildpacks        []string
-	PostBuildpacks       []string
+	Publish                bool
+	ClearCache             bool
+	DisableSystemBuilpacks bool
+	TrustBuilder           bool
+	TrustExtraBuildpacks   bool
+	Interactive            bool
+	Sparse                 bool
+	EnableUsernsHost       bool
+	DockerHost             string
+	CacheImage             string
+	Cache                  cache.CacheOpts
+	AppPath                string
+	Builder                string
+	Registry               string
+	RunImage               string
+	Platform               string
+	Policy                 string
+	Network                string
+	DescriptorPath         string
+	DefaultProcessType     string
+	LifecycleImage         string
+	Env                    []string
+	EnvFiles               []string
+	Buildpacks             []string
+	Extensions             []string
+	Volumes                []string
+	AdditionalTags         []string
+	Workspace              string
+	GID                    int
+	UID                    int
+	PreviousImage          string
+	SBOMDestinationDir     string
+	ReportDestinationDir   string
+	DateTime               string
+	PreBuildpacks          []string
+	PostBuildpacks         []string
+	InsecureRegistries     []string
 }

 // Build an image from source code
@ -79,7 +86,7 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob

 			inputPreviousImage := client.ParseInputImageReference(flags.PreviousImage)

-			descriptor, actualDescriptorPath, err := parseProjectToml(flags.AppPath, flags.DescriptorPath)
+			descriptor, actualDescriptorPath, err := parseProjectToml(flags.AppPath, flags.DescriptorPath, logger)
 			if err != nil {
 				return err
 			}
@ -108,7 +115,11 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 				return err
 			}

-			trustBuilder := isTrustedBuilder(cfg, builder) || flags.TrustBuilder
+			isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+			if err != nil {
+				return err
+			}
+			trustBuilder := isTrusted || bldr.IsKnownTrustedBuilder(builder) || flags.TrustBuilder
 			if trustBuilder {
 				logger.Debugf("Builder %s is trusted", style.Symbol(builder))
 				if flags.LifecycleImage != "" {
@ -132,6 +143,7 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 			if err != nil {
 				return errors.Wrapf(err, "parsing pull policy %s", flags.Policy)
 			}
+
 			var lifecycleImage string
 			if flags.LifecycleImage != "" {
 				ref, err := name.ParseReference(flags.LifecycleImage)
@ -140,6 +152,12 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 				}
 				lifecycleImage = ref.Name()
 			}
+
+			err = isForbiddenTag(cfg, inputImageName.Name(), lifecycleImage, builder)
+			if err != nil {
+				return errors.Wrapf(err, "forbidden image name")
+			}
+
 			var gid = -1
 			if cmd.Flags().Changed("gid") {
 				gid = flags.GID
@ -165,13 +183,15 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 				Image:             inputImageName.Name(),
 				Publish:           flags.Publish,
 				DockerHost:        flags.DockerHost,
+				Platform:          flags.Platform,
 				PullPolicy:        pullPolicy,
 				ClearCache:        flags.ClearCache,
 				TrustBuilder: func(string) bool {
 					return trustBuilder
 				},
-				Buildpacks: buildpacks,
-				Extensions: extensions,
+				TrustExtraBuildpacks: flags.TrustExtraBuildpacks,
+				Buildpacks:           buildpacks,
+				Extensions:           extensions,
 				ContainerConfig: client.ContainerConfig{
 					Network: flags.Network,
 					Volumes: flags.Volumes,
@ -192,12 +212,15 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 				CreationTime:             dateTime,
 				PreBuildpacks:            flags.PreBuildpacks,
 				PostBuildpacks:           flags.PostBuildpacks,
+				DisableSystemBuildpacks:  flags.DisableSystemBuilpacks,
+				EnableUsernsHost:         flags.EnableUsernsHost,
 				LayoutConfig: &client.LayoutConfig{
 					Sparse:             flags.Sparse,
 					InputImage:         inputImageName,
 					PreviousInputImage: inputPreviousImage,
 					LayoutRepoDir:      cfg.LayoutRepositoryDir,
 				},
+				InsecureRegistries: flags.InsecureRegistries,
 			}); err != nil {
 				return errors.Wrap(err, "failed to build")
 			}
@ -231,6 +254,7 @@ func buildCommandFlags(cmd *cobra.Command, buildFlags *BuildFlags, cfg config.Co
 	cmd.Flags().StringVarP(&buildFlags.AppPath, "path", "p", "", "Path to app dir or zip-formatted file (defaults to current working directory)")
 	cmd.Flags().StringSliceVarP(&buildFlags.Buildpacks, "buildpack", "b", nil, "Buildpack to use. One of:\n  a buildpack by id and version in the form of '<buildpack>@<version>',\n  path to a buildpack directory (not supported on Windows),\n  path/URL to a buildpack .tar or .tgz file, or\n  a packaged buildpack image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("buildpack"))
 	cmd.Flags().StringSliceVarP(&buildFlags.Extensions, "extension", "", nil, "Extension to use. One of:\n  an extension by id and version in the form of '<extension>@<version>',\n  path to an extension directory (not supported on Windows),\n  path/URL to an extension .tar or .tgz file, or\n  a packaged extension image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("extension"))
+	cmd.Flags().StringArrayVar(&buildFlags.InsecureRegistries, "insecure-registry", []string{}, "List of insecure registries (only available for API >= 0.13)")
 	cmd.Flags().StringVarP(&buildFlags.Builder, "builder", "B", cfg.DefaultBuilder, "Builder image")
 	cmd.Flags().Var(&buildFlags.Cache, "cache",
 		`Cache options used to define cache techniques for build process.
@ -244,6 +268,7 @@ func buildCommandFlags(cmd *cobra.Command, buildFlags *BuildFlags, cfg config.Co
 	cmd.Flags().StringVar(&buildFlags.DateTime, "creation-time", "", "Desired create time in the output image config. Accepted values are Unix timestamps (e.g., '1641013200'), or 'now'. Platform API version must be at least 0.9 to use this feature.")
 	cmd.Flags().StringVarP(&buildFlags.DescriptorPath, "descriptor", "d", "", "Path to the project descriptor file")
 	cmd.Flags().StringVarP(&buildFlags.DefaultProcessType, "default-process", "D", "", `Set the default process type. (default "web")`)
+	cmd.Flags().BoolVar(&buildFlags.DisableSystemBuilpacks, "disable-system-buildpacks", false, "Disable System Buildpacks")
 	cmd.Flags().StringArrayVarP(&buildFlags.Env, "env", "e", []string{}, "Build-time environment variable, in the form 'VAR=VALUE' or 'VAR'.\nWhen using latter value-less form, value will be taken from current\n  environment at the time this command is executed.\nThis flag may be specified multiple times and will override\n  individual values defined by --env-file."+stringArrayHelp("env")+"\nNOTE: These are NOT available at image runtime.")
 	cmd.Flags().StringArrayVar(&buildFlags.EnvFiles, "env-file", []string{}, "Build-time environment variables file\nOne variable per line, of the form 'VAR=VALUE' or 'VAR'\nWhen using latter value-less form, value will be taken from current\n  environment at the time this command is executed\nNOTE: These are NOT available at image runtime.\"")
 	cmd.Flags().StringVar(&buildFlags.Network, "network", "", "Connect detect and build containers to network")
@ -257,11 +282,13 @@ Special value 'inherit' may be used in which case DOCKER_HOST environment variab
 This option may set DOCKER_HOST environment variable for the build container if needed.
 `)
 	cmd.Flags().StringVar(&buildFlags.LifecycleImage, "lifecycle-image", cfg.LifecycleImage, `Custom lifecycle image to use for analysis, restore, and export when builder is untrusted.`)
+	cmd.Flags().StringVar(&buildFlags.Platform, "platform", "", `Platform to build on (e.g., "linux/amd64").`)
 	cmd.Flags().StringVar(&buildFlags.Policy, "pull-policy", "", `Pull policy to use. Accepted values are always, never, and if-not-present. (default "always")`)
 	cmd.Flags().StringVarP(&buildFlags.Registry, "buildpack-registry", "r", cfg.DefaultRegistryName, "Buildpack Registry by name")
 	cmd.Flags().StringVar(&buildFlags.RunImage, "run-image", "", "Run image (defaults to default stack's run image)")
 	cmd.Flags().StringSliceVarP(&buildFlags.AdditionalTags, "tag", "t", nil, "Additional tags to push the output image to.\nTags should be in the format 'image:tag' or 'repository/image:tag'."+stringSliceHelp("tag"))
 	cmd.Flags().BoolVar(&buildFlags.TrustBuilder, "trust-builder", false, "Trust the provided builder.\nAll lifecycle phases will be run in a single container.\nFor more on trusted builders, and when to trust or untrust a builder, check out our docs here: https://buildpacks.io/docs/tools/pack/concepts/trusted_builders")
+	cmd.Flags().BoolVar(&buildFlags.TrustExtraBuildpacks, "trust-extra-buildpacks", false, "Trust buildpacks that are provided in addition to the buildpacks on the builder")
 	cmd.Flags().StringArrayVar(&buildFlags.Volumes, "volume", nil, "Mount host volume into the build container, in the form '<host path>:<target path>[:<options>]'.\n- 'host path': Name of the volume or absolute directory path to mount.\n- 'target path': The path where the file or directory is available in the container.\n- 'options' (default \"ro\"): An optional comma separated list of mount options.\n    - \"ro\", volume contents are read-only.\n    - \"rw\", volume contents are readable and writeable.\n    - \"volume-opt=<key>=<value>\", can be specified more than once, takes a key-value pair consisting of the option name and its value."+stringArrayHelp("volume"))
 	cmd.Flags().StringVar(&buildFlags.Workspace, "workspace", "", "Location at which to mount the app dir in the build image")
 	cmd.Flags().IntVar(&buildFlags.GID, "gid", 0, `Override GID of user's group in the stack's build and run images. The provided value must be a positive number`)
@ -271,6 +298,7 @@ This option may set DOCKER_HOST environment variable for the build container if
 	cmd.Flags().StringVar(&buildFlags.ReportDestinationDir, "report-output-dir", "", "Path to export build report.toml.\nOmitting the flag yield no report file.")
 	cmd.Flags().BoolVar(&buildFlags.Interactive, "interactive", false, "Launch a terminal UI to depict the build process")
 	cmd.Flags().BoolVar(&buildFlags.Sparse, "sparse", false, "Use this flag to avoid saving on disk the run-image layers when the application image is exported to OCI layout format")
+	cmd.Flags().BoolVar(&buildFlags.EnableUsernsHost, "userns-host", false, "Enable user namespace isolation for the build containers")
 	if !cfg.Experimental {
 		cmd.Flags().MarkHidden("interactive")
 		cmd.Flags().MarkHidden("sparse")
@ -314,6 +342,11 @@ func validateBuildFlags(flags *BuildFlags, cfg config.Config, inputImageRef clie
 		return client.NewExperimentError("Exporting to OCI layout is currently experimental.")
 	}

+	if _, err := os.Stat(inputImageRef.Name()); err == nil && flags.AppPath == "" {
+		logger.Warnf("You are building an image named '%s'. If you mean it as an app directory path, run 'pack build <args> --path %s'",
+			inputImageRef.Name(), inputImageRef.Name())
+	}
+
 	return nil
 }

@ -362,7 +395,7 @@ func addEnvVar(env map[string]string, item string) map[string]string {
 	return env
 }

-func parseProjectToml(appPath, descriptorPath string) (projectTypes.Descriptor, string, error) {
+func parseProjectToml(appPath, descriptorPath string, logger logging.Logger) (projectTypes.Descriptor, string, error) {
 	actualPath := descriptorPath
 	computePath := descriptorPath == ""

@ -377,6 +410,65 @@ func parseProjectToml(appPath, descriptorPath string) (projectTypes.Descriptor,
 		return projectTypes.Descriptor{}, "", errors.Wrap(err, "stat project descriptor")
 	}

-	descriptor, err := project.ReadProjectDescriptor(actualPath)
+	descriptor, err := project.ReadProjectDescriptor(actualPath, logger)
 	return descriptor, actualPath, err
 }
+
+func isForbiddenTag(cfg config.Config, input, lifecycle, builder string) error {
+	inputImage, err := name.ParseReference(input)
+	if err != nil {
+		return errors.Wrapf(err, "invalid image name %s", input)
+	}
+
+	if builder != "" {
+		builderImage, err := name.ParseReference(builder)
+		if err != nil {
+			return errors.Wrapf(err, "parsing builder image %s", builder)
+		}
+		if inputImage.Context().RepositoryStr() == builderImage.Context().RepositoryStr() {
+			return fmt.Errorf("name must not match builder image name")
+		}
+	}
+
+	if lifecycle != "" {
+		lifecycleImage, err := name.ParseReference(lifecycle)
+		if err != nil {
+			return errors.Wrapf(err, "parsing lifecycle image %s", lifecycle)
+		}
+		if inputImage.Context().RepositoryStr() == lifecycleImage.Context().RepositoryStr() {
+			return fmt.Errorf("name must not match lifecycle image name")
+		}
+	}
+
+	trustedBuilders := getTrustedBuilders(cfg)
+	for _, trustedBuilder := range trustedBuilders {
+		builder, err := name.ParseReference(trustedBuilder)
+		if err != nil {
+			return err
+		}
+		if inputImage.Context().RepositoryStr() == builder.Context().RepositoryStr() {
+			return fmt.Errorf("name must not match trusted builder name")
+		}
+	}
+
+	defaultLifecycleImageRef, err := name.ParseReference(config.DefaultLifecycleImageRepo)
+	if err != nil {
+		return errors.Wrapf(err, "parsing default lifecycle image %s", config.DefaultLifecycleImageRepo)
+	}
+
+	if inputImage.Context().RepositoryStr() == defaultLifecycleImageRef.Context().RepositoryStr() {
+		return fmt.Errorf("name must not match default lifecycle image name")
+	}
+
+	if cfg.DefaultBuilder != "" {
+		defaultBuilderImage, err := name.ParseReference(cfg.DefaultBuilder)
+		if err != nil {
+			return errors.Wrapf(err, "parsing default builder %s", cfg.DefaultBuilder)
+		}
+		if inputImage.Context().RepositoryStr() == defaultBuilderImage.Context().RegistryStr() {
+			return fmt.Errorf("name must not match default builder image name")
+		}
+	}
+
+	return nil
+}
--- a/internal/commands/build_test.go
+++ b/internal/commands/build_test.go
@ -17,11 +17,10 @@ import (
 	"github.com/sclevine/spec/report"
 	"github.com/spf13/cobra"

-	"github.com/buildpacks/pack/internal/paths"
-
 	"github.com/buildpacks/pack/internal/commands"
 	"github.com/buildpacks/pack/internal/commands/testmocks"
 	"github.com/buildpacks/pack/internal/config"
+	"github.com/buildpacks/pack/internal/paths"
 	"github.com/buildpacks/pack/pkg/client"
 	"github.com/buildpacks/pack/pkg/image"
 	"github.com/buildpacks/pack/pkg/logging"
@ -114,7 +113,20 @@ func testBuildCommand(t *testing.T, when spec.G, it spec.S) {
 				})
 			})

-			when("the builder is suggested", func() {
+			when("the builder is known to be trusted and suggested", func() {
+				it("sets the trust builder option", func() {
+					mockClient.EXPECT().
+						Build(gomock.Any(), EqBuildOptionsWithTrustedBuilder(true)).
+						Return(nil)
+
+					logger.WantVerbose(true)
+					command.SetArgs([]string{"image", "--builder", "heroku/builder:24"})
+					h.AssertNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "Builder 'heroku/builder:24' is trusted")
+				})
+			})
+
+			when("the builder is known to be trusted but not suggested", func() {
 				it("sets the trust builder option", func() {
 					mockClient.EXPECT().
 						Build(gomock.Any(), EqBuildOptionsWithTrustedBuilder(true)).
@ -126,6 +138,53 @@ func testBuildCommand(t *testing.T, when spec.G, it spec.S) {
 					h.AssertContains(t, outBuf.String(), "Builder 'heroku/builder:22' is trusted")
 				})
 			})
+
+			when("the image name matches a builder name", func() {
+				it("refuses to build", func() {
+					logger.WantVerbose(true)
+					command.SetArgs([]string{"heroku/builder:test", "--builder", "heroku/builder:24"})
+					h.AssertNotNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "name must not match builder image name")
+				})
+			})
+
+			when("the image name matches a trusted-builder name", func() {
+				it("refuses to build", func() {
+					logger.WantVerbose(true)
+					command.SetArgs([]string{"heroku/builder:test", "--builder", "test", "--trust-builder"})
+					h.AssertNotNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "name must not match trusted builder name")
+				})
+			})
+
+			when("the image name matches a lifecycle image name", func() {
+				it("refuses to build", func() {
+					logger.WantVerbose(true)
+					command.SetArgs([]string{"buildpacksio/lifecycle:test", "--builder", "test", "--trust-builder"})
+					h.AssertNotNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "name must not match default lifecycle image name")
+				})
+
+				it("refuses to build when using fully qualified name", func() {
+					logger.WantVerbose(true)
+					command.SetArgs([]string{"docker.io/buildpacksio/lifecycle:test", "--builder", "test", "--trust-builder"})
+					h.AssertNotNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "name must not match default lifecycle image name")
+				})
+			})
+
+			when("the builder is not trusted", func() {
+				it("warns the user that the builder is untrusted", func() {
+					mockClient.EXPECT().
+						Build(gomock.Any(), EqBuildOptionsWithTrustedBuilder(false)).
+						Return(nil)
+
+					logger.WantVerbose(true)
+					command.SetArgs([]string{"image", "--builder", "org/builder:unknown"})
+					h.AssertNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "Builder 'org/builder:unknown' is untrusted")
+				})
+			})
 		})

 		when("--buildpack-registry flag is specified but experimental isn't set in the config", func() {
@ -148,6 +207,17 @@ func testBuildCommand(t *testing.T, when spec.G, it spec.S) {
 			})
 		})

+		when("--platform", func() {
+			it("sets platform", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithPlatform("linux/amd64")).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--platform", "linux/amd64"})
+				h.AssertNil(t, command.Execute())
+			})
+		})
+
 		when("--pull-policy", func() {
 			it("sets pull-policy=never", func() {
 				mockClient.EXPECT().
@ -766,13 +836,9 @@ builder = "my-builder"
 		when("previous-image flag is provided", func() {
 			when("image is invalid", func() {
 				it("error must be thrown", func() {
-					mockClient.EXPECT().
-						Build(gomock.Any(), EqBuildOptionsWithPreviousImage("previous-image")).
-						Return(errors.New(""))
-
 					command.SetArgs([]string{"--builder", "my-builder", "/x@/y/?!z", "--previous-image", "previous-image"})
 					err := command.Execute()
-					h.AssertError(t, err, "failed to build")
+					h.AssertError(t, err, "forbidden image name")
 				})
 			})

@ -871,6 +937,43 @@ builder = "my-builder"
 			})
 		})

+		when("path to app dir or zip-formatted file is provided", func() {
+			it("builds with the specified path", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithPath("my-source")).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--path", "my-source"})
+				h.AssertNil(t, command.Execute())
+			})
+		})
+
+		when("a local path with the same string as the specified image name exists", func() {
+			when("an app path is specified", func() {
+				it("doesn't warn that the positional argument will not be treated as the source path", func() {
+					mockClient.EXPECT().
+						Build(gomock.Any(), EqBuildOptionsWithImage("my-builder", "testdata")).
+						Return(nil)
+
+					command.SetArgs([]string{"testdata", "--builder", "my-builder", "--path", "my-source"})
+					h.AssertNil(t, command.Execute())
+					h.AssertNotContainsMatch(t, outBuf.String(), `Warning: You are building an image named '([^']+)'\. If you mean it as an app directory path, run 'pack build <args> --path ([^']+)'`)
+				})
+			})
+
+			when("no app path is specified", func() {
+				it("warns that the positional argument will not be treated as the source path", func() {
+					mockClient.EXPECT().
+						Build(gomock.Any(), EqBuildOptionsWithImage("my-builder", "testdata")).
+						Return(nil)
+
+					command.SetArgs([]string{"testdata", "--builder", "my-builder"})
+					h.AssertNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "Warning: You are building an image named 'testdata'. If you mean it as an app directory path, run 'pack build <args> --path testdata'")
+				})
+			})
+		})
+
 		when("export to OCI layout is expected but experimental isn't set in the config", func() {
 			it("errors with a descriptive message", func() {
 				command.SetArgs([]string{"oci:image", "--builder", "my-builder"})
@ -879,6 +982,31 @@ builder = "my-builder"
 				h.AssertError(t, err, "Exporting to OCI layout is currently experimental.")
 			})
 		})
+
+		when("--insecure-registry is provided", func() {
+			it("sets one insecure registry", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithInsecureRegistries([]string{
+						"foo.bar",
+					})).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--insecure-registry", "foo.bar"})
+				h.AssertNil(t, command.Execute())
+			})
+
+			it("sets more than one insecure registry", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithInsecureRegistries([]string{
+						"foo.bar",
+						"foo.com",
+					})).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--insecure-registry", "foo.bar", "--insecure-registry", "foo.com"})
+				h.AssertNil(t, command.Execute())
+			})
+		})
 	})

 	when("export to OCI layout is expected", func() {
@ -958,6 +1086,15 @@ func EqBuildOptionsDefaultProcess(defaultProc string) gomock.Matcher {
 	}
 }

+func EqBuildOptionsWithPlatform(platform string) gomock.Matcher {
+	return buildOptionsMatcher{
+		description: fmt.Sprintf("Platform=%s", platform),
+		equals: func(o client.BuildOptions) bool {
+			return o.Platform == platform
+		},
+	}
+}
+
 func EqBuildOptionsWithPullPolicy(policy image.PullPolicy) gomock.Matcher {
 	return buildOptionsMatcher{
 		description: fmt.Sprintf("PullPolicy=%s", policy),
@ -1016,7 +1153,7 @@ func EqBuildOptionsWithTrustedBuilder(trustBuilder bool) gomock.Matcher {
 	return buildOptionsMatcher{
 		description: fmt.Sprintf("Trust Builder=%t", trustBuilder),
 		equals: func(o client.BuildOptions) bool {
-			return o.TrustBuilder(o.Builder)
+			return o.TrustBuilder(o.Builder) == trustBuilder
 		},
 	}
 }
@ -1106,6 +1243,15 @@ func EqBuildOptionsWithDateTime(t *time.Time) interface{} {
 	}
 }

+func EqBuildOptionsWithPath(path string) interface{} {
+	return buildOptionsMatcher{
+		description: fmt.Sprintf("AppPath=%s", path),
+		equals: func(o client.BuildOptions) bool {
+			return o.AppPath == path
+		},
+	}
+}
+
 func EqBuildOptionsWithLayoutConfig(image, previousImage string, sparse bool, layoutDir string) interface{} {
 	return buildOptionsMatcher{
 		description: fmt.Sprintf("image=%s, previous-image=%s, sparse=%t, layout-dir=%s", image, previousImage, sparse, layoutDir),
@ -1122,6 +1268,18 @@ func EqBuildOptionsWithLayoutConfig(image, previousImage string, sparse bool, la
 	}
 }

+func EqBuildOptionsWithInsecureRegistries(insecureRegistries []string) gomock.Matcher {
+	return buildOptionsMatcher{
+		description: fmt.Sprintf("Insercure Registries=%s", insecureRegistries),
+		equals: func(o client.BuildOptions) bool {
+			if len(o.InsecureRegistries) != len(insecureRegistries) {
+				return false
+			}
+			return reflect.DeepEqual(o.InsecureRegistries, insecureRegistries)
+		},
+	}
+}
+
 type buildOptionsMatcher struct {
 	equals      func(client.BuildOptions) bool
 	description string
--- a/internal/commands/builder_create.go
+++ b/internal/commands/builder_create.go
@ -2,6 +2,7 @@ package commands

 import (
 	"fmt"
+	"os"
 	"path/filepath"

 	"github.com/pkg/errors"
@ -18,12 +19,15 @@ import (

 // BuilderCreateFlags define flags provided to the CreateBuilder command
 type BuilderCreateFlags struct {
-	Publish         bool
-	BuilderTomlPath string
-	Registry        string
-	Policy          string
-	Flatten         []string
-	Label           map[string]string
+	Publish               bool
+	AppendImageNameSuffix bool
+	BuilderTomlPath       string
+	Registry              string
+	Policy                string
+	Flatten               []string
+	Targets               []string
+	Label                 map[string]string
+	AdditionalTags        []string
 }

 // CreateBuilder creates a builder image, based on a builder config
@ -87,17 +91,48 @@ Creating a custom builder allows you to control what buildpacks are used and wha
 				return err
 			}

+			multiArchCfg, err := processMultiArchitectureConfig(logger, flags.Targets, builderConfig.Targets, !flags.Publish)
+			if err != nil {
+				return err
+			}
+
+			if len(multiArchCfg.Targets()) == 0 {
+				logger.Infof("Pro tip: use --targets flag OR [[targets]] in builder.toml to specify the desired platform")
+			}
+
+			if !flags.Publish && flags.AppendImageNameSuffix {
+				logger.Warnf("--append-image-name-suffix will be ignored, use combined with --publish")
+			}
+
+			// Create temporary directory for lifecycle downloads when using Docker images
+			var tempDir string
+			if hasDockerLifecycle(builderConfig) {
+				tempDir, err = os.MkdirTemp("", "pack-builder-*")
+				if err != nil {
+					return errors.Wrap(err, "creating temporary directory")
+				}
+				defer func() {
+					if cleanupErr := os.RemoveAll(tempDir); cleanupErr != nil {
+						logger.Debugf("Failed to clean up temporary directory %s: %v", tempDir, cleanupErr)
+					}
+				}()
+			}
+
 			imageName := args[0]
 			if err := pack.CreateBuilder(cmd.Context(), client.CreateBuilderOptions{
-				RelativeBaseDir: relativeBaseDir,
-				BuildConfigEnv:  envMap,
-				BuilderName:     imageName,
-				Config:          builderConfig,
-				Publish:         flags.Publish,
-				Registry:        flags.Registry,
-				PullPolicy:      pullPolicy,
-				Flatten:         toFlatten,
-				Labels:          flags.Label,
+				RelativeBaseDir:       relativeBaseDir,
+				BuildConfigEnv:        envMap,
+				BuilderName:           imageName,
+				Config:                builderConfig,
+				Publish:               flags.Publish,
+				AppendImageNameSuffix: flags.AppendImageNameSuffix && flags.Publish,
+				Registry:              flags.Registry,
+				PullPolicy:            pullPolicy,
+				Flatten:               toFlatten,
+				Labels:                flags.Label,
+				Targets:               multiArchCfg.Targets(),
+				TempDirectory:         tempDir,
+				AdditionalTags:        flags.AdditionalTags,
 			}); err != nil {
 				return err
 			}
@ -113,9 +148,17 @@ Creating a custom builder allows you to control what buildpacks are used and wha
 	}
 	cmd.Flags().StringVarP(&flags.BuilderTomlPath, "config", "c", "", "Path to builder TOML file (required)")
 	cmd.Flags().BoolVar(&flags.Publish, "publish", false, "Publish the builder directly to the container registry specified in <image-name>, instead of the daemon.")
+	cmd.Flags().BoolVar(&flags.AppendImageNameSuffix, "append-image-name-suffix", false, "Append an [os]-[arch] suffix to intermediate image tags when creating a multi-arch image; useful when publishing to a registry that doesn't allow overwriting existing tags")
 	cmd.Flags().StringVar(&flags.Policy, "pull-policy", "", "Pull policy to use. Accepted values are always, never, and if-not-present. The default is always")
 	cmd.Flags().StringArrayVar(&flags.Flatten, "flatten", nil, "List of buildpacks to flatten together into a single layer (format: '<buildpack-id>@<buildpack-version>,<buildpack-id>@<buildpack-version>'")
 	cmd.Flags().StringToStringVarP(&flags.Label, "label", "l", nil, "Labels to add to the builder image, in the form of '<name>=<value>'")
+	cmd.Flags().StringSliceVarP(&flags.Targets, "target", "t", nil,
+		`Target platforms to build for.\nTargets should be in the format '[os][/arch][/variant]:[distroname@osversion@anotherversion];[distroname@osversion]'.
+- To specify two different architectures:  '--target "linux/amd64" --target "linux/arm64"'
+- To specify the distribution version: '--target "linux/arm/v6:ubuntu@14.04"'
+- To specify multiple distribution versions: '--target "linux/arm/v6:ubuntu@14.04"  --target "linux/arm/v6:ubuntu@16.04"'
+	`)
+	cmd.Flags().StringSliceVarP(&flags.AdditionalTags, "tag", "", nil, "Additional tags to push the output image to.\nTags should be in the format 'image:tag' or 'repository/image:tag'."+stringSliceHelp("tag"))

 	AddHelpFlag(cmd, "create")
 	return cmd
@ -125,6 +168,10 @@ func hasExtensions(builderConfig builder.Config) bool {
 	return len(builderConfig.Extensions) > 0 || len(builderConfig.OrderExtensions) > 0
 }

+func hasDockerLifecycle(builderConfig builder.Config) bool {
+	return buildpack.HasDockerLocator(builderConfig.Lifecycle.URI)
+}
+
 func validateCreateFlags(flags *BuilderCreateFlags, cfg config.Config) error {
 	if flags.Publish && flags.Policy == image.PullNever.String() {
 		return errors.Errorf("--publish and --pull-policy never cannot be used together. The --publish flag requires the use of remote images.")
--- a/internal/commands/builder_create_test.go
+++ b/internal/commands/builder_create_test.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"reflect"
 	"testing"

 	"github.com/golang/mock/gomock"
@ -17,6 +18,8 @@ import (
 	"github.com/buildpacks/pack/internal/commands"
 	"github.com/buildpacks/pack/internal/commands/testmocks"
 	"github.com/buildpacks/pack/internal/config"
+	"github.com/buildpacks/pack/pkg/client"
+	"github.com/buildpacks/pack/pkg/dist"
 	"github.com/buildpacks/pack/pkg/logging"
 	h "github.com/buildpacks/pack/testhelpers"
 )
@ -31,6 +34,23 @@ const validConfig = `

 `

+const validConfigWithTargets = `
+[[buildpacks]]
+id = "some.buildpack"
+
+[[order]]
+[[order.group]]
+id = "some.buildpack"
+
+[[targets]]
+os = "linux"
+arch = "amd64"
+
+[[targets]]
+os = "linux"
+arch = "arm64"
+`
+
 const validConfigWithExtensions = `
 [[buildpacks]]
  id = "some.buildpack"
@ -441,5 +461,127 @@ func testCreateCommand(t *testing.T, when spec.G, it spec.S) {
 				})
 			})
 		})
+
+		when("multi-platform builder is expected to be created", func() {
+			when("builder config has no targets defined", func() {
+				it.Before(func() {
+					h.AssertNil(t, os.WriteFile(builderConfigPath, []byte(validConfig), 0666))
+				})
+				when("daemon", func() {
+					it("errors when exporting to daemon", func() {
+						command.SetArgs([]string{
+							"some/builder",
+							"--config", builderConfigPath,
+							"--target", "linux/amd64",
+							"--target", "windows/amd64",
+						})
+						err := command.Execute()
+						h.AssertNotNil(t, err)
+						h.AssertError(t, err, "when exporting to daemon only one target is allowed")
+					})
+				})
+
+				when("--publish", func() {
+					it.Before(func() {
+						mockClient.EXPECT().CreateBuilder(gomock.Any(), EqCreateBuilderOptionsTargets([]dist.Target{
+							{OS: "linux", Arch: "amd64"},
+							{OS: "windows", Arch: "amd64"},
+						})).Return(nil)
+					})
+
+					it("creates a builder with the given targets", func() {
+						command.SetArgs([]string{
+							"some/builder",
+							"--config", builderConfigPath,
+							"--target", "linux/amd64",
+							"--target", "windows/amd64",
+							"--publish",
+						})
+						h.AssertNil(t, command.Execute())
+					})
+				})
+			})
+
+			when("builder config has targets defined", func() {
+				it.Before(func() {
+					h.AssertNil(t, os.WriteFile(builderConfigPath, []byte(validConfigWithTargets), 0666))
+				})
+
+				when("--publish", func() {
+					it.Before(func() {
+						mockClient.EXPECT().CreateBuilder(gomock.Any(), EqCreateBuilderOptionsTargets([]dist.Target{
+							{OS: "linux", Arch: "amd64"},
+							{OS: "linux", Arch: "arm64"},
+						})).Return(nil)
+					})
+
+					it("creates a builder with the given targets", func() {
+						command.SetArgs([]string{
+							"some/builder",
+							"--config", builderConfigPath,
+							"--publish",
+						})
+						h.AssertNil(t, command.Execute())
+					})
+				})
+
+				when("invalid target flag is used", func() {
+					it("errors with a message when invalid target flag is used", func() {
+						command.SetArgs([]string{
+							"some/builder",
+							"--config", builderConfigPath,
+							"--target", "something/wrong",
+							"--publish",
+						})
+						h.AssertNotNil(t, command.Execute())
+					})
+				})
+
+				when("--targets", func() {
+					it.Before(func() {
+						mockClient.EXPECT().CreateBuilder(gomock.Any(), EqCreateBuilderOptionsTargets([]dist.Target{
+							{OS: "linux", Arch: "amd64"},
+						})).Return(nil)
+					})
+
+					it("creates a builder with the given targets", func() {
+						command.SetArgs([]string{
+							"some/builder",
+							"--target", "linux/amd64",
+							"--config", builderConfigPath,
+						})
+						h.AssertNil(t, command.Execute())
+					})
+				})
+			})
+		})
 	})
 }
+
+func EqCreateBuilderOptionsTargets(targets []dist.Target) gomock.Matcher {
+	return createbuilderOptionsMatcher{
+		description: fmt.Sprintf("Target=%v", targets),
+		equals: func(o client.CreateBuilderOptions) bool {
+			if len(o.Targets) != len(targets) {
+				return false
+			}
+			return reflect.DeepEqual(o.Targets, targets)
+		},
+	}
+}
+
+type createbuilderOptionsMatcher struct {
+	equals      func(options client.CreateBuilderOptions) bool
+	description string
+}
+
+func (m createbuilderOptionsMatcher) Matches(x interface{}) bool {
+	if b, ok := x.(client.CreateBuilderOptions); ok {
+		return m.equals(b)
+	}
+	return false
+}
+
+func (m createbuilderOptionsMatcher) String() string {
+	return "is a CreateBuilderOption with " + m.description
+}
--- a/internal/commands/builder_inspect.go
+++ b/internal/commands/builder_inspect.go
@ -8,6 +8,8 @@ import (
 	"github.com/buildpacks/pack/internal/config"
 	"github.com/buildpacks/pack/pkg/client"
 	"github.com/buildpacks/pack/pkg/logging"
+
+	bldr "github.com/buildpacks/pack/internal/builder"
 )

 type BuilderInspector interface {
@ -61,10 +63,15 @@ func inspectBuilder(
 	inspector BuilderInspector,
 	writerFactory writer.BuilderWriterFactory,
 ) error {
+	isTrusted, err := bldr.IsTrustedBuilder(cfg, imageName)
+	if err != nil {
+		return err
+	}
+
 	builderInfo := writer.SharedBuilderInfo{
 		Name:      imageName,
 		IsDefault: imageName == cfg.DefaultBuilder,
-		Trusted:   isTrustedBuilder(cfg, imageName),
+		Trusted:   isTrusted,
 	}

 	localInfo, localErr := inspector.InspectBuilder(imageName, true, client.WithDetectionOrderDepth(flags.Depth))
--- a/internal/commands/builder_inspect_test.go
+++ b/internal/commands/builder_inspect_test.go
@ -254,8 +254,7 @@ func testBuilderInspectCommand(t *testing.T, when spec.G, it spec.S) {

 				assert.Matches(outBuf.String(), regexp.MustCompile(`Paketo Buildpacks:\s+'paketobuildpacks/builder-jammy-base'`))
 				assert.Matches(outBuf.String(), regexp.MustCompile(`Paketo Buildpacks:\s+'paketobuildpacks/builder-jammy-full'`))
-				assert.Matches(outBuf.String(), regexp.MustCompile(`Heroku:\s+'heroku/builder:20'`))
-				assert.Matches(outBuf.String(), regexp.MustCompile(`Heroku:\s+'heroku/builder:22'`))
+				assert.Matches(outBuf.String(), regexp.MustCompile(`Heroku:\s+'heroku/builder:24'`))
 			})
 		})

--- a/internal/commands/builder_suggest_test.go
+++ b/internal/commands/builder_suggest_test.go
@ -47,7 +47,7 @@ func testSuggestCommand(t *testing.T, when spec.G, it spec.S) {
 			})

 			it("displays descriptions from metadata", func() {
-				commands.WriteSuggestedBuilder(logger, mockClient, []bldr.SuggestedBuilder{{
+				commands.WriteSuggestedBuilder(logger, mockClient, []bldr.KnownBuilder{{
 					Vendor:             "Builder",
 					Image:              "gcr.io/some/builder:latest",
 					DefaultDescription: "Default description",
@ -65,7 +65,7 @@ func testSuggestCommand(t *testing.T, when spec.G, it spec.S) {
 			})

 			it("displays default descriptions", func() {
-				commands.WriteSuggestedBuilder(logger, mockClient, []bldr.SuggestedBuilder{{
+				commands.WriteSuggestedBuilder(logger, mockClient, []bldr.KnownBuilder{{
 					Vendor:             "Builder",
 					Image:              "gcr.io/some/builder:latest",
 					DefaultDescription: "Default description",
@ -81,7 +81,7 @@ func testSuggestCommand(t *testing.T, when spec.G, it spec.S) {
 			})

 			it("displays default descriptions", func() {
-				commands.WriteSuggestedBuilder(logger, mockClient, []bldr.SuggestedBuilder{{
+				commands.WriteSuggestedBuilder(logger, mockClient, []bldr.KnownBuilder{{
 					Vendor:             "Builder",
 					Image:              "gcr.io/some/builder:latest",
 					DefaultDescription: "Default description",
--- a/internal/commands/buildpack_inspect.go
+++ b/internal/commands/buildpack_inspect.go
@ -42,7 +42,7 @@ func BuildpackInspect(logger logging.Logger, cfg config.Config, client PackClien
 	return cmd
 }

-func buildpackInspect(logger logging.Logger, buildpackName, registryName string, flags BuildpackInspectFlags, cfg config.Config, pack PackClient) error {
+func buildpackInspect(logger logging.Logger, buildpackName, registryName string, flags BuildpackInspectFlags, _ config.Config, pack PackClient) error {
 	logger.Infof("Inspecting buildpack: %s\n", style.Symbol(buildpackName))

 	inspectedBuildpacksOutput, err := inspectAllBuildpacks(
--- a/Show More
+++ b/Show More