build(deps): bump the go-dependencies group with 6 updates (#2424 )

Bumps the go-dependencies group with 6 updates: | Package | From | To | | --- | --- | --- | | [github.com/docker/go-connections](https://github.com/docker/go-connections) | `0.5.0` | `0.6.0` | | [golang.org/x/crypto](https://github.com/golang/crypto) | `0.40.0` | `0.41.0` | | [golang.org/x/mod](https://github.com/golang/mod) | `0.26.0` | `0.27.0` | | [golang.org/x/sys](https://github.com/golang/sys) | `0.34.0` | `0.35.0` | | [golang.org/x/term](https://github.com/golang/term) | `0.33.0` | `0.34.0` | | [golang.org/x/text](https://github.com/golang/text) | `0.27.0` | `0.28.0` | Updates `github.com/docker/go-connections` from 0.5.0 to 0.6.0 - [Commits](https://github.com/docker/go-connections/compare/v0.5.0...v0.6.0) Updates `golang.org/x/crypto` from 0.40.0 to 0.41.0 - [Commits](https://github.com/golang/crypto/compare/v0.40.0...v0.41.0) Updates `golang.org/x/mod` from 0.26.0 to 0.27.0 - [Commits](https://github.com/golang/mod/compare/v0.26.0...v0.27.0) Updates `golang.org/x/sys` from 0.34.0 to 0.35.0 - [Commits](https://github.com/golang/sys/compare/v0.34.0...v0.35.0) Updates `golang.org/x/term` from 0.33.0 to 0.34.0 - [Commits](https://github.com/golang/term/compare/v0.33.0...v0.34.0) Updates `golang.org/x/text` from 0.27.0 to 0.28.0 - [Release notes](https://github.com/golang/text/releases) - [Commits](https://github.com/golang/text/compare/v0.27.0...v0.28.0) --- updated-dependencies: - dependency-name: github.com/docker/go-connections dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/crypto dependency-version: 0.41.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/mod dependency-version: 0.27.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/sys dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/term dependency-version: 0.34.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies - dependency-name: golang.org/x/text dependency-version: 0.28.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: go-dependencies ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Update imgutil to improve containerd storage driver performance (#2427 )
2025-08-25 08:36:25 -05:00 · 2025-08-18 10:32:33 -05:00 · 2025-08-07 06:45:16 -05:00 · 2025-07-15 21:53:10 -05:00 · 2025-07-07 11:43:32 -05:00 · 2025-07-02 12:37:55 -05:00
150 changed files with 4124 additions and 1284 deletions
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@ -17,7 +17,9 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.22"
+          go-version: 1.24
+          check-latest: true
+          go-version-file: 'go.mod'
      - name: Set up go env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -20,7 +20,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        config: [macos, linux, windows-lcow, windows-wcow]
+        config: [macos, linux, windows-lcow]
        include:
          - config: macos
            # since macos-14 the latest runner is arm64
@ -38,11 +38,6 @@ jobs:
            runner: [self-hosted, windows, lcow]
            no_docker: "false"
            pack_bin: pack.exe
-          - config: windows-wcow
-            os: windows
-            runner: [windows-2019]
-            no_docker: "false"
-            pack_bin: pack.exe
    runs-on: ${{ matrix.runner }}
    env:
      PACK_BIN: ${{ matrix.pack_bin }}
@ -75,8 +70,8 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.22"
          check-latest: true
+          go-version-file: 'go.mod'
      - name: Set up go env for Unix
        if: runner.os != 'Windows'
        run: |
@ -91,36 +86,6 @@ jobs:
        shell: powershell
      - name: Verify
        run: make verify
-      - name: Register runner IP
-        if: matrix.config == 'windows-wcow'
-        shell: powershell
-        run: |
-          # Get IP from default gateway interface
-          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
-
-          # Allow container-to-host registry traffic (from public interface, to the same interface)
-          New-NetfirewallRule -DisplayName test-registry -LocalAddress $IPAddress -RemoteAddress $IPAddress
-
-          # create or update daemon config to allow host as insecure-registry
-          $config=@{}
-          if (Test-Path C:\ProgramData\docker\config\daemon.json) {
-            $config=(Get-Content C:\ProgramData\docker\config\daemon.json | ConvertFrom-json)
-          }
-          $config | Add-Member -Force -Name "insecure-registries" -value @("$IPAddress/32") -MemberType NoteProperty
-          ConvertTo-json $config | Out-File -Encoding ASCII C:\ProgramData\docker\config\daemon.json
-
-          Restart-Service docker
-
-          # dump docker info for auditing
-          docker version
-          docker info
-
-          # Modify etc\hosts to include runner IP
-          $IPAddress=(Get-NetIPAddress -InterfaceAlias ((Get-NetRoute "0.0.0.0/0").InterfaceAlias) -AddressFamily IPv4)[0].IPAddress
-          "# Modified by CNB: https://github.com/buildpacks/ci/tree/main/gh-runners/windows
-          ${IPAddress} host.docker.internal
-          ${IPAddress} gateway.docker.internal
-          " | Out-File -Filepath C:\Windows\System32\drivers\etc\hosts -Encoding utf8
      - name: Test
        env:
          TEST_COVERAGE: 1
@ -158,7 +123,6 @@ jobs:
          PACK_BUILD: ${{ github.run_number }}
        shell: powershell
      - uses: actions/upload-artifact@v4
-        if: matrix.config != 'windows-lcow'
        with:
          name: pack-${{ matrix.os }}
          path: out/${{ env.PACK_BIN }}
@ -188,8 +152,8 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.22"
          check-latest: true
+          go-version-file: 'go.mod'
      - name: Build
        run: |
          [[ $GITHUB_REF =~ ^refs\/heads\/release/(.*)$ ]] && version=${BASH_REMATCH[1]} || version=0.0.0
@ -289,7 +253,7 @@ jobs:
          milestone: ${{ env.PACK_MILESTONE }}
      - name: Create Pre-Release
        if: ${{ env.PACK_VERSION != env.PACK_MILESTONE }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@ -370,7 +334,7 @@ jobs:

      - name: Create Beta Release
        if: ${{ env.PACK_VERSION == env.PACK_MILESTONE }}
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
--- a/.github/workflows/check-latest-release.yml
+++ b/.github/workflows/check-latest-release.yml
@ -70,9 +70,9 @@ jobs:
          fi
      - name: Scan latest release image
        id: scan-image
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v6
        with:
-          image: buildpacksio/pack:${{ steps.read-go.outputs.latest-release-version }}
+          image: docker.io/buildpacksio/pack:${{ steps.read-go.outputs.latest-release-version }}
      - name: Create issue if needed
        if: failure() && steps.scan-image.outcome == 'failure'
        env:
@ -91,7 +91,7 @@ jobs:
            search_output=$(gh issue list --search "$title" --label "$label")

            GITHUB_WORKFLOW_URL=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
-            body="Latest buildpacksio/pack v${{ steps.read-go.outputs.latest-release-version }} triggered CVE(s) from Grype. For further details, see: $GITHUB_WORKFLOW_URL"
+            body="Latest docker.io/buildpacksio/pack v${{ steps.read-go.outputs.latest-release-version }} triggered CVE(s) from Grype. For further details, see: $GITHUB_WORKFLOW_URL"

            if [ -z "${search_output// }" ]
            then
--- a/.github/workflows/compatibility.yml
+++ b/.github/workflows/compatibility.yml
@ -46,8 +46,8 @@ jobs:
      - name: Set up go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.22"
          check-latest: true
+          go-version-file: 'go.mod'
      - name: Set up go env
        run: |
          echo "GOPATH=$(go env GOPATH)" >> $GITHUB_ENV
@ -59,3 +59,4 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          make acceptance
+          docker network prune
--- a/.github/workflows/delivery-docker.yml
+++ b/.github/workflows/delivery-docker.yml
@ -16,7 +16,7 @@ on:
        default: false

 env:
-  REGISTRY_NAME: 'index.docker.io'
+  REGISTRY_NAME: 'docker.io'
  USER_NAME: 'buildpacksio'
  IMG_NAME: 'pack'

@ -61,7 +61,7 @@ jobs:
          password: ${{ secrets.DOCKER_PASSWORD }}
      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3
-      - uses: buildpacks/github-actions/setup-tools@v5.5.4
+      - uses: buildpacks/github-actions/setup-tools@v5.9.2
      - name: Buildx Build/Publish
        run: |
          docker buildx build . \
--- a/.github/workflows/delivery-homebrew.yml
+++ b/.github/workflows/delivery-homebrew.yml
@ -50,6 +50,11 @@ jobs:
                core.setOutput("linux_url", asset.browser_download_url);
              }

+              if (asset.name.endsWith("linux-arm64.tgz")) {
+                core.setOutput("linux_arm64_name", asset.name);
+                core.setOutput("linux_arm64_url", asset.browser_download_url);
+              }
+
              if (asset.name.endsWith("macos.tgz")) {
                core.setOutput("macos_name", asset.name);
                core.setOutput("macos_url", asset.browser_download_url);
@ -67,6 +72,10 @@ jobs:
          linux_sha256=$(sha256sum ${{ steps.assets.outputs.linux_name }} | cut -d ' ' -f1)
          echo "linux_sha256=$linux_sha256" >> $GITHUB_OUTPUT

+          curl -sSL ${{ steps.assets.outputs.linux_arm64_url }} -o ${{ steps.assets.outputs.linux_arm64_name }}
+          linux_arm64_sha256=$(sha256sum ${{ steps.assets.outputs.linux_arm64_name }} | cut -d ' ' -f1)
+          echo "linux_arm64_sha256=$linux_arm64_sha256" >> $GITHUB_OUTPUT
+
          curl -sSL ${{ steps.assets.outputs.macos_url }} -o ${{ steps.assets.outputs.macos_name }}
          macos_sha256=$(sha256sum ${{ steps.assets.outputs.macos_name }} | cut -d ' ' -f1)
          echo "macos_sha256=$macos_sha256" >> $GITHUB_OUTPUT
@ -83,6 +92,8 @@ jobs:
        env:
          LINUX_URL: ${{ steps.assets.outputs.linux_url }}
          LINUX_SHA: ${{ steps.checksums.outputs.linux_sha256 }}
+          LINUX_ARM64_URL: ${{ steps.assets.outputs.linux_arm64_url }}
+          LINUX_ARM64_SHA: ${{ steps.checksums.outputs.linux_arm64_sha256 }}
          MACOS_URL: ${{ steps.assets.outputs.macos_url }}
          MACOS_SHA: ${{ steps.checksums.outputs.macos_sha256 }}
          MACOS_ARM64_URL: ${{ steps.assets.outputs.macos_arm64_url }}
--- a/.github/workflows/delivery-ubuntu.yml
+++ b/.github/workflows/delivery-ubuntu.yml
@ -20,8 +20,8 @@ jobs:
      strategy:
        fail-fast: false
        matrix:
-          target: [bionic, focal, jammy, noble]
-      runs-on: ubuntu-20.04
+          target: [bionic, focal, jammy, noble, oracular, plucky]
+      runs-on: ubuntu-22.04
      steps:
          - name: Checkout code
            uses: actions/checkout@v4
@ -114,3 +114,27 @@ jobs:
              GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
              GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
              PACKAGE_VERSION: ${{ steps.version.outputs.result }}
+
+          - name: Deliver oracular
+            if: matrix.target == 'oracular'
+            uses: docker://ubuntu:oracular
+            with:
+              entrypoint: .github/workflows/delivery/ubuntu/deliver.sh
+            env:
+              DEBIAN_FRONTEND: "noninteractive"
+              GO_DEP_PACKAGE_NAME: golang
+              GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+              GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
+              PACKAGE_VERSION: ${{ steps.version.outputs.result }}
+
+          - name: Deliver plucky
+            if: matrix.target == 'plucky'
+            uses: docker://ubuntu:plucky
+            with:
+              entrypoint: .github/workflows/delivery/ubuntu/deliver.sh
+            env:
+              DEBIAN_FRONTEND: "noninteractive"
+              GO_DEP_PACKAGE_NAME: golang
+              GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+              GPG_PUBLIC_KEY: ${{ secrets.GPG_PUBLIC_KEY }}
+              PACKAGE_VERSION: ${{ steps.version.outputs.result }}
--- a/.github/workflows/delivery/homebrew/pack.rb
+++ b/.github/workflows/delivery/homebrew/pack.rb
@ -14,7 +14,10 @@ class Pack < Formula
  elsif OS.mac?
    url "{{MACOS_URL}}"
    sha256 "{{MACOS_SHA}}"
-  else 
+  elsif OS.linux? && Hardware::CPU.arm?
+    url "{{LINUX_ARM64_URL}}"
+    sha256 "{{LINUX_ARM64_SHA}}"
+  else
    url "{{LINUX_URL}}"
    sha256 "{{LINUX_SHA}}"
  end
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@ -127,15 +127,15 @@ make prepare-for-pr
 ### Acceptance Tests
 Some options users can provide to our acceptance tests are:

-| ENV_VAR      | Description                                                            | Default |
-|--------------|------------------------------------------------------------------------|---------|
-| ACCEPTANCE_SUITE_CONFIG        | A set of configurations for how to run the acceptance tests, describing the version of `pack` used for testing, the version of `pack` used to create the builders used in the test, and the version of `lifecycle` binaries used to test with Github |  `[{"pack": "current", "pack_create_builder": "current", "lifecycle": "default"}]'`     |
-| COMPILE_PACK_WITH_VERSION     | Tell `pack` what version to consider itself    | `dev`    |
-| GITHUB_TOKEN | A Github Token, used when downloading `pack` and `lifecycle` releases from Github during the test setup | "" |
-| LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows    | buildpacksio/lifecycle:<lifecycle version>  |
-| LIFECYCLE_PATH        | Path to a `.tgz` file filled with a set of `lifecycle` binaries    | The Github release for the default version of lifecycle in `pack`  |
-| PACK_PATH        | Path to a `pack` executable.  | A compiled version of the current branch      |
-| PREVIOUS_LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | buildpacksio/lifecycle:<PREVIOUS_LIFECYCLE_PATH lifecycle version>, buildpacksio/lifecycle:<n-1 lifecycle version>  |
-| PREVIOUS_LIFECYCLE_PATH     |  Path to a `.tgz` file filled with a set of `lifecycle` binaries, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | The Github release for n-1 release of `lifecycle`     |
-| PREVIOUS_PACK_FIXTURES_PATH | Path to a set of fixtures, used to override the most up-to-date fixtures, in case of changed functionality  | `acceptance/testdata/pack_previous_fixtures_overrides`   |
-| PREVIOUS_PACK_PATH     | Path to a `pack` executable, used to test compatibility with n-1 version of `pack`          | The most recent release from `pack`'s Github release    |
+| ENV_VAR      | Description                                                            | Default                                                                                                                      |
+|--------------|------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
+| ACCEPTANCE_SUITE_CONFIG        | A set of configurations for how to run the acceptance tests, describing the version of `pack` used for testing, the version of `pack` used to create the builders used in the test, and the version of `lifecycle` binaries used to test with Github | `[{"pack": "current", "pack_create_builder": "current", "lifecycle": "default"}]'`                                           |
+| COMPILE_PACK_WITH_VERSION     | Tell `pack` what version to consider itself    | `dev`                                                                                                                        |
+| GITHUB_TOKEN | A Github Token, used when downloading `pack` and `lifecycle` releases from Github during the test setup | ""                                                                                                                           |
+| LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows    | docker.io/buildpacksio/lifecycle:<lifecycle version>                                                                         |
+| LIFECYCLE_PATH        | Path to a `.tgz` file filled with a set of `lifecycle` binaries    | The Github release for the default version of lifecycle in `pack`                                                            |
+| PACK_PATH        | Path to a `pack` executable.  | A compiled version of the current branch                                                                                     |
+| PREVIOUS_LIFECYCLE_IMAGE        | Image reference to be used in untrusted builder workflows, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | docker.io/buildpacksio/lifecycle:<PREVIOUS_LIFECYCLE_PATH lifecycle version>, buildpacksio/lifecycle:<n-1 lifecycle version> |
+| PREVIOUS_LIFECYCLE_PATH     |  Path to a `.tgz` file filled with a set of `lifecycle` binaries, used to test compatibility of `pack` with the n-1 version of the `lifecycle`    | The Github release for n-1 release of `lifecycle`                                                                            |
+| PREVIOUS_PACK_FIXTURES_PATH | Path to a set of fixtures, used to override the most up-to-date fixtures, in case of changed functionality  | `acceptance/testdata/pack_previous_fixtures_overrides`                                                                       |
+| PREVIOUS_PACK_PATH     | Path to a `pack` executable, used to test compatibility with n-1 version of `pack`          | The most recent release from `pack`'s Github release                                                                         |
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 ARG base_image=gcr.io/distroless/static

-FROM golang:1.22 as builder
+FROM golang:1.24 as builder
 ARG pack_version
 ENV PACK_VERSION=$pack_version
 WORKDIR /app
--- a/8
+++ b/8
@ -58,7 +58,7 @@ BINDIR:=/usr/bin/
 ## build: Build the program
 build: out
 	@echo "=====> Building..."
-	$(GOCMD) build -ldflags "-s -w -X 'github.com/buildpacks/pack.Version=${PACK_VERSION}' -extldflags '${LDFLAGS}'" -trimpath -o ./out/$(PACK_BIN) -a ./cmd/pack
+	$(GOCMD) build -ldflags "-s -w -X 'github.com/buildpacks/pack/pkg/client.Version=${PACK_VERSION}' -extldflags '${LDFLAGS}'" -trimpath -o ./out/$(PACK_BIN) -a

 ## all: Run clean, verify, test, and build operations
 all: clean verify test build
@ -160,12 +160,12 @@ install-goimports:
 ## install-golangci-lint: Install golangci-lint dependency
 install-golangci-lint:
 	@echo "=====> Installing golangci-lint..."
-	cd tools && $(GOCMD) install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.51.1
+	cd tools && $(GOCMD) install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.0.2

 ## mod-tidy: Tidy Go modules
 mod-tidy:
-	$(GOCMD) mod tidy  -compat=1.22
-	cd tools && $(GOCMD) mod tidy -compat=1.22
+	$(GOCMD) mod tidy  -compat=1.24
+	cd tools && $(GOCMD) mod tidy -compat=1.24

 ## tidy: Tidy modules and format the code
 tidy: mod-tidy format
--- a/acceptance/acceptance_test.go
+++ b/acceptance/acceptance_test.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package acceptance

@ -48,7 +47,7 @@ const (
 )

 var (
-	dockerCli      client.CommonAPIClient
+	dockerCli      client.APIClient
 	registryConfig *h.TestRegistryConfig
 	suiteManager   *SuiteManager
 	imageManager   managers.ImageManager
@ -337,6 +336,7 @@ func testWithoutSpecificBuilderRequirement(
 									"--path", path,
 									"--publish",
 									"--target", "linux/amd64",
+									"--target", "linux/arm64",
 									"--target", "windows/amd64",
 								)

@ -347,7 +347,7 @@ func testWithoutSpecificBuilderRequirement(
 								assertImage.CanBePulledFromRegistry(packageName)

 								assertions.NewOutputAssertionManager(t, output).ReportsSuccessfulIndexPushed(packageName)
-								h.AssertRemoteImageIndex(t, packageName, types.OCIImageIndex, 2)
+								h.AssertRemoteImageIndex(t, packageName, types.OCIImageIndex, 3)
 							})
 						})

@ -374,6 +374,7 @@ func testWithoutSpecificBuilderRequirement(
 										"--config", packageTomlPath,
 										"--publish",
 										"--target", "linux/amd64",
+										"--target", "linux/arm64",
 										"--target", "windows/amd64",
 										"--verbose",
 									)
@ -402,6 +403,7 @@ func testWithoutSpecificBuilderRequirement(
 										"--path", depPath,
 										"--publish",
 										"--target", "linux/amd64",
+										"--target", "linux/arm64",
 										"--target", "windows/amd64",
 									)
 									assertions.NewOutputAssertionManager(t, output).ReportsPackagePublished(depPackageName)
@ -423,6 +425,7 @@ func testWithoutSpecificBuilderRequirement(
 										"--config", packageTomlPath,
 										"--publish",
 										"--target", "linux/amd64",
+										"--target", "linux/arm64",
 										"--target", "windows/amd64",
 									)

@ -433,7 +436,7 @@ func testWithoutSpecificBuilderRequirement(
 									assertImage.CanBePulledFromRegistry(packageName)

 									assertions.NewOutputAssertionManager(t, output).ReportsSuccessfulIndexPushed(packageName)
-									h.AssertRemoteImageIndex(t, packageName, types.OCIImageIndex, 2)
+									h.AssertRemoteImageIndex(t, packageName, types.OCIImageIndex, 3)
 								})
 							})
 						})
@ -472,7 +475,7 @@ func testWithoutSpecificBuilderRequirement(
 								assertImage.CanBePulledFromRegistry(packageName)

 								assertions.NewOutputAssertionManager(t, output).ReportsSuccessfulIndexPushed(packageName)
-								h.AssertRemoteImageIndex(t, packageName, types.OCIImageIndex, 2)
+								h.AssertRemoteImageIndex(t, packageName, types.OCIImageIndex, 3)
 							})
 						})
 					})
@ -1270,6 +1273,225 @@ func testAcceptance(
 				})
 			})

+			when("system buildpacks", func() {
+				var (
+					builderWithSystemBP                string
+					builderWithFailingSystemBP         string
+					builderWithOptionalFailingSystemBP string
+					regularBuilder                     string
+				)
+
+				it.Before(func() {
+					// Create builder with system buildpacks
+					builderWithSystemBP = fmt.Sprintf("pack.local/builder-with-system-bps/%s", h.RandString(10))
+					h.SkipIf(t, !createBuilderPack.Supports("builder create"), "pack builder create not supported")
+
+					createBuilderPack.JustRunSuccessfully(
+						"builder", "create", builderWithSystemBP,
+						"--config", createBuilderPack.FixtureManager().FixtureLocation("builder_with_system_buildpacks.toml"),
+					)
+
+					// Create builder with failing system buildpack
+					builderWithFailingSystemBP = fmt.Sprintf("pack.local/builder-fail-system/%s", h.RandString(10))
+					createBuilderPack.JustRunSuccessfully(
+						"builder", "create", builderWithFailingSystemBP,
+						"--config", createBuilderPack.FixtureManager().FixtureLocation("builder_with_failing_system_buildpack.toml"),
+					)
+
+					// Create builder with optional failing system buildpack
+					builderWithOptionalFailingSystemBP = fmt.Sprintf("pack.local/builder-optional-fail/%s", h.RandString(10))
+					createBuilderPack.JustRunSuccessfully(
+						"builder", "create", builderWithOptionalFailingSystemBP,
+						"--config", createBuilderPack.FixtureManager().FixtureLocation("builder_with_optional_failing_system_buildpack.toml"),
+					)
+
+					// Create regular builder for comparison
+					regularBuilder = fmt.Sprintf("pack.local/regular-builder/%s", h.RandString(10))
+					createBuilderPack.JustRunSuccessfully(
+						"builder", "create", regularBuilder,
+						"--config", createBuilderPack.FixtureManager().FixtureLocation("builder.toml"),
+					)
+				})
+
+				it.After(func() {
+					imageManager.CleanupImages(builderWithSystemBP)
+					imageManager.CleanupImages(builderWithFailingSystemBP)
+					imageManager.CleanupImages(builderWithOptionalFailingSystemBP)
+					imageManager.CleanupImages(regularBuilder)
+				})
+
+				when("inspecting builder with system buildpacks", func() {
+					it("shows system buildpacks in builder info", func() {
+						output := createBuilderPack.RunSuccessfully("builder", "inspect", builderWithSystemBP)
+
+						// Verify system buildpacks are shown in the output
+						h.AssertContains(t, output, "system/pre")
+						h.AssertContains(t, output, "system/post")
+					})
+				})
+
+				when("building with system buildpacks", func() {
+					var (
+						appImage string
+						appPath  string
+					)
+
+					it.Before(func() {
+						appPath = filepath.Join("testdata", "mock_app")
+						appImage = fmt.Sprintf("pack.local/app/%s", h.RandString(10))
+					})
+
+					it.After(func() {
+						imageManager.CleanupImages(appImage)
+					})
+
+					when("system buildpacks are enabled (default)", func() {
+						it("runs pre-system buildpacks before regular buildpacks", func() {
+							output := pack.RunSuccessfully(
+								"build", appImage,
+								"--path", appPath,
+								"--builder", builderWithSystemBP,
+								"--no-color",
+							)
+
+							// Verify pre-system buildpack ran before the main buildpack
+							h.AssertContains(t, output, "DETECT: System Pre buildpack")
+							h.AssertContains(t, output, "BUILD: System Pre buildpack")
+							h.AssertContains(t, output, "Simple Layers Buildpack")
+
+							// Verify order: system pre should come before main buildpack
+							systemPreIndex := strings.Index(output, "BUILD: System Pre buildpack")
+							mainBuildpackIndex := strings.Index(output, "Simple Layers Buildpack")
+							if systemPreIndex == -1 || mainBuildpackIndex == -1 || systemPreIndex >= mainBuildpackIndex {
+								t.Fatalf("Expected system pre buildpack to run before main buildpack")
+							}
+						})
+
+						it("runs post-system buildpacks after regular buildpacks", func() {
+							output := pack.RunSuccessfully(
+								"build", appImage,
+								"--path", appPath,
+								"--builder", builderWithSystemBP,
+								"--no-color",
+							)
+
+							// Verify post-system buildpack ran after the main buildpack
+							h.AssertContains(t, output, "BUILD: System Post buildpack")
+
+							// Verify order: system post should come after main buildpack
+							mainBuildpackIndex := strings.Index(output, "Simple Layers Buildpack")
+							systemPostIndex := strings.Index(output, "BUILD: System Post buildpack")
+							if mainBuildpackIndex == -1 || systemPostIndex == -1 || mainBuildpackIndex >= systemPostIndex {
+								t.Fatalf("Expected system post buildpack to run after main buildpack")
+							}
+						})
+
+						it("builds successfully with system buildpacks", func() {
+							output := pack.RunSuccessfully(
+								"build", appImage,
+								"--path", appPath,
+								"--builder", builderWithSystemBP,
+								"--verbose",
+							)
+
+							// Verify system buildpack contributed during build
+							h.AssertContains(t, output, "BUILD: System Pre buildpack")
+							h.AssertContains(t, output, "BUILD: System Post buildpack")
+
+							// Verify the image was successfully built
+							h.AssertContains(t, output, "Successfully built image")
+							assertImage.ExistsLocally(appImage)
+						})
+					})
+
+					when("--disable-system-buildpacks flag is used", func() {
+						it("does not run system buildpacks", func() {
+							output := pack.RunSuccessfully(
+								"build", appImage,
+								"--path", appPath,
+								"--builder", builderWithSystemBP,
+								"--disable-system-buildpacks",
+								"--no-color",
+							)
+
+							// Verify system buildpacks did not run
+							h.AssertNotContains(t, output, "DETECT: System Pre buildpack")
+							h.AssertNotContains(t, output, "BUILD: System Pre buildpack")
+							h.AssertNotContains(t, output, "BUILD: System Post buildpack")
+
+							// Verify main buildpack still runs
+							h.AssertContains(t, output, "Simple Layers Buildpack")
+
+							// Verify the image was successfully built
+							h.AssertContains(t, output, "Successfully built image")
+							assertImage.ExistsLocally(appImage)
+						})
+					})
+
+					when("builder has no system buildpacks", func() {
+						it("builds normally without system buildpacks", func() {
+							output := pack.RunSuccessfully(
+								"build", appImage,
+								"--path", appPath,
+								"--builder", regularBuilder,
+								"--no-color",
+							)
+
+							// Verify no system buildpacks ran
+							h.AssertNotContains(t, output, "System Pre buildpack")
+							h.AssertNotContains(t, output, "System Post buildpack")
+
+							// Verify main buildpack runs
+							h.AssertContains(t, output, "Simple Layers Buildpack")
+
+							// Verify the image was successfully built
+							h.AssertContains(t, output, "Successfully built image")
+							assertImage.ExistsLocally(appImage)
+						})
+					})
+
+					when("required system buildpack fails detection", func() {
+						it("fails the build", func() {
+							output, err := pack.Run(
+								"build", appImage,
+								"--path", appPath,
+								"--builder", builderWithFailingSystemBP,
+								"--no-color",
+							)
+
+							// Build should fail
+							h.AssertNotNil(t, err)
+							h.AssertContains(t, output, "DETECT: System Fail Detect buildpack (will fail)")
+							h.AssertContains(t, output, "No buildpack groups passed detection")
+						})
+					})
+
+					when("optional system buildpack fails detection", func() {
+						it("continues with the build", func() {
+							output := pack.RunSuccessfully(
+								"build", appImage,
+								"--path", appPath,
+								"--builder", builderWithOptionalFailingSystemBP,
+								"--no-color",
+							)
+
+							// Build should succeed despite optional system buildpack failing
+							h.AssertContains(t, output, "DETECT: System Fail Detect buildpack (will fail)")
+							h.AssertContains(t, output, "DETECT: System Pre buildpack")
+							h.AssertContains(t, output, "BUILD: System Pre buildpack")
+							h.AssertContains(t, output, "Simple Layers Buildpack")
+
+							// Verify the failed optional buildpack didn't run build
+							h.AssertNotContains(t, output, "BUILD: System Fail Detect buildpack")
+
+							// Verify the image was successfully built
+							h.AssertContains(t, output, "Successfully built image")
+							assertImage.ExistsLocally(appImage)
+						})
+					})
+				})
+			})
+
 			when("build", func() {
 				var repo, repoName string

@ -2181,20 +2403,45 @@ func testAcceptance(
 								imageManager.CleanupImages(runImageName)
 							})

-							it("fails with a message", func() {
-								output, err := pack.Run(
-									"build", repoName,
-									"-p", filepath.Join("testdata", "mock_app"),
-									"--run-image", runImageName,
-								)
-								assert.NotNil(err)
+							when("should validate stack", func() {
+								it.Before(func() {
+									h.SkipIf(t, pack.SupportsFeature(invoke.StackWarning), "stack is validated in prior versions")
+								})
+								it("fails with a message", func() {

-								assertOutput := assertions.NewOutputAssertionManager(t, output)
-								assertOutput.ReportsRunImageStackNotMatchingBuilder(
-									"other.stack.id",
-									"pack.test.stack",
-								)
+									output, err := pack.Run(
+										"build", repoName,
+										"-p", filepath.Join("testdata", "mock_app"),
+										"--run-image", runImageName,
+									)
+									assert.NotNil(err)
+
+									assertOutput := assertions.NewOutputAssertionManager(t, output)
+									assertOutput.ReportsRunImageStackNotMatchingBuilder(
+										"other.stack.id",
+										"pack.test.stack",
+									)
+								})
 							})
+
+							when("should not validate stack", func() {
+								it.Before(func() {
+									h.SkipIf(t, !pack.SupportsFeature(invoke.StackWarning), "stack is no longer validated")
+								})
+								it("succeeds with a warning", func() {
+
+									output, err := pack.Run(
+										"build", repoName,
+										"-p", filepath.Join("testdata", "mock_app"),
+										"--run-image", runImageName,
+									)
+									assert.Nil(err)
+
+									assertOutput := assertions.NewOutputAssertionManager(t, output)
+									assertOutput.ReportsDeprecatedUseOfStack()
+								})
+							})
+
 						})
 					})

@ -3348,11 +3595,12 @@ include = [ "*.jar", "media/mountain.jpg", "/media/person.png", ]
 						"--path", path,
 						"--publish",
 						"--target", "linux/amd64",
+						"--target", "linux/arm64",
 						"--target", "windows/amd64",
 					)
 					assertions.NewOutputAssertionManager(t, output).ReportsPackagePublished(multiArchBuildpackPackage)
 					assertions.NewOutputAssertionManager(t, output).ReportsSuccessfulIndexPushed(multiArchBuildpackPackage)
-					h.AssertRemoteImageIndex(t, multiArchBuildpackPackage, types.OCIImageIndex, 2)
+					h.AssertRemoteImageIndex(t, multiArchBuildpackPackage, types.OCIImageIndex, 3)

 					// runImage and buildImage are saved in the daemon, for this test we want them to be available in a registry
 					remoteRunImage = registryConfig.RepoName(runImage + h.RandString(8))
@ -3404,6 +3652,7 @@ include = [ "*.jar", "media/mountain.jpg", "/media/person.png", ]
 								"--config", builderTomlPath,
 								"--publish",
 								"--target", "linux/amd64",
+								"--target", "linux/arm64",
 								"--target", "windows/amd64",
 							)

@ -3413,7 +3662,7 @@ include = [ "*.jar", "media/mountain.jpg", "/media/person.png", ]
 							assertImage.CanBePulledFromRegistry(builderName)

 							assertions.NewOutputAssertionManager(t, output).ReportsSuccessfulIndexPushed(builderName)
-							h.AssertRemoteImageIndex(t, builderName, types.OCIImageIndex, 2)
+							h.AssertRemoteImageIndex(t, builderName, types.OCIImageIndex, 3)
 						})
 					})

@ -3898,7 +4147,7 @@ func generatePackageTomlWithOS(
 	return packageTomlFile.Name()
 }

-func createStack(t *testing.T, dockerCli client.CommonAPIClient, runImageMirror string) error {
+func createStack(t *testing.T, dockerCli client.APIClient, runImageMirror string) error {
 	t.Helper()
 	t.Log("creating stack images...")

@ -3919,7 +4168,7 @@ func createStack(t *testing.T, dockerCli client.CommonAPIClient, runImageMirror
 	return nil
 }

-func createStackImage(dockerCli client.CommonAPIClient, repoName string, dir string) error {
+func createStackImage(dockerCli client.APIClient, repoName string, dir string) error {
 	defaultFilterFunc := func(file string) bool { return true }

 	ctx := context.Background()
--- a/acceptance/assertions/image.go
+++ b/acceptance/assertions/image.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package assertions

--- a/acceptance/assertions/lifecycle_output.go
+++ b/acceptance/assertions/lifecycle_output.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package assertions

--- a/acceptance/assertions/output.go
+++ b/acceptance/assertions/output.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package assertions

@ -118,6 +117,12 @@ func (o OutputAssertionManager) ReportsRunImageStackNotMatchingBuilder(runImageS
 	)
 }

+func (o OutputAssertionManager) ReportsDeprecatedUseOfStack() {
+	o.testObject.Helper()
+
+	o.assert.Contains(o.output, "Warning: deprecated usage of stack")
+}
+
 func (o OutputAssertionManager) WithoutColors() {
 	o.testObject.Helper()
 	o.testObject.Log("has no color")
--- a/acceptance/assertions/test_buildpack_output.go
+++ b/acceptance/assertions/test_buildpack_output.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package assertions

--- a/acceptance/buildpacks/archive_buildpack.go
+++ b/acceptance/buildpacks/archive_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/buildpacks/folder_buildpack.go
+++ b/acceptance/buildpacks/folder_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/buildpacks/manager.go
+++ b/acceptance/buildpacks/manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/buildpacks/package_file_buildpack.go
+++ b/acceptance/buildpacks/package_file_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/buildpacks/package_image_buildpack.go
+++ b/acceptance/buildpacks/package_image_buildpack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package buildpacks

--- a/acceptance/config/asset_manager.go
+++ b/acceptance/config/asset_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

@ -354,9 +353,9 @@ func (b assetManagerBuilder) buildPack(compileVersion string) string {
 	b.assert.Nil(err)

 	cmd := exec.Command("go", "build",
+		// XXX the version setter is wrong here, there is no cmd.Version
 		"-ldflags", fmt.Sprintf("-X 'github.com/buildpacks/pack/cmd.Version=%s'", compileVersion),
 		"-o", packPath,
-		"./cmd/pack",
 	)
 	if filepath.Base(cwd) == "acceptance" {
 		cmd.Dir = filepath.Dir(cwd)
--- a/acceptance/config/github_asset_fetcher.go
+++ b/acceptance/config/github_asset_fetcher.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/input_configuration_manager.go
+++ b/acceptance/config/input_configuration_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/lifecycle_asset.go
+++ b/acceptance/config/lifecycle_asset.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/pack_assets.go
+++ b/acceptance/config/pack_assets.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/config/run_combination.go
+++ b/acceptance/config/run_combination.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package config

--- a/acceptance/invoke/pack.go
+++ b/acceptance/invoke/pack.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package invoke

@ -241,6 +240,7 @@ const (
 	ManifestCommands
 	PlatformOption
 	MultiPlatformBuildersAndBuildPackages
+	StackWarning
 )

 var featureTests = map[Feature]func(i *PackInvoker) bool{
@ -286,6 +286,9 @@ var featureTests = map[Feature]func(i *PackInvoker) bool{
 	MultiPlatformBuildersAndBuildPackages: func(i *PackInvoker) bool {
 		return i.atLeast("v0.34.0")
 	},
+	StackWarning: func(i *PackInvoker) bool {
+		return i.atLeast("v0.37.0")
+	},
 }

 func (i *PackInvoker) SupportsFeature(f Feature) bool {
--- a/acceptance/invoke/pack_fixtures.go
+++ b/acceptance/invoke/pack_fixtures.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package invoke

--- a/acceptance/managers/image_manager.go
+++ b/acceptance/managers/image_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package managers

@ -23,10 +22,10 @@ var DefaultDuration = 10 * time.Second
 type ImageManager struct {
 	testObject *testing.T
 	assert     h.AssertionManager
-	dockerCli  client.CommonAPIClient
+	dockerCli  client.APIClient
 }

-func NewImageManager(t *testing.T, dockerCli client.CommonAPIClient) ImageManager {
+func NewImageManager(t *testing.T, dockerCli client.APIClient) ImageManager {
 	return ImageManager{
 		testObject: t,
 		assert:     h.NewAssertionManager(t),
@ -44,7 +43,7 @@ func (im ImageManager) CleanupImages(imageNames ...string) {

 func (im ImageManager) InspectLocal(image string) (dockertypes.ImageInspect, error) {
 	im.testObject.Helper()
-	inspect, _, err := im.dockerCli.ImageInspectWithRaw(context.Background(), image)
+	inspect, err := im.dockerCli.ImageInspect(context.Background(), image)
 	return inspect, err
 }

@ -120,7 +119,7 @@ func (im ImageManager) CreateContainer(name string) TestContainer {

 type TestContainer struct {
 	testObject *testing.T
-	dockerCli  client.CommonAPIClient
+	dockerCli  client.APIClient
 	assert     h.AssertionManager
 	name       string
 	id         string
--- a/acceptance/os/variables.go
+++ b/acceptance/os/variables.go
@ -1,5 +1,4 @@
 //go:build acceptance && !windows
-// +build acceptance,!windows

 package os

--- a/acceptance/os/variables_darwin.go
+++ b/acceptance/os/variables_darwin.go
@ -1,5 +1,4 @@
 //go:build acceptance && darwin && amd64
-// +build acceptance,darwin,amd64

 package os

--- a/acceptance/os/variables_darwin_arm64.go
+++ b/acceptance/os/variables_darwin_arm64.go
@ -1,5 +1,4 @@
 //go:build acceptance && darwin && arm64
-// +build acceptance,darwin,arm64

 package os

--- a/acceptance/os/variables_linux.go
+++ b/acceptance/os/variables_linux.go
@ -1,5 +1,4 @@
 //go:build acceptance && linux
-// +build acceptance,linux

 package os

--- a/acceptance/os/variables_windows.go
+++ b/acceptance/os/variables_windows.go
@ -1,5 +1,4 @@
 //go:build acceptance && windows
-// +build acceptance,windows

 package os

--- a/acceptance/suite_manager.go
+++ b/acceptance/suite_manager.go
@ -1,5 +1,4 @@
 //go:build acceptance
-// +build acceptance

 package acceptance

--- a/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/multi-platform-buildpack/buildpack.toml
@ -9,6 +9,10 @@ api = "0.10"
 os = "linux"
 arch = "amd64"

+[[targets]]
+os = "linux"
+arch = "arm64"
+
 [[targets]]
 os = "windows"
 arch = "amd64"
--- a/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/build
+++ b/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/build
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> BUILD: System Fail Detect buildpack (should never run)"
+
+# This should never be reached
+exit 1
--- a/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/detect
+++ b/acceptance/testdata/mock_buildpacks/system-fail-detect/bin/detect
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> DETECT: System Fail Detect buildpack (will fail)"
+
+# Always fail detection
+exit 1
--- a/acceptance/testdata/mock_buildpacks/system-fail-detect/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/system-fail-detect/buildpack.toml
@ -0,0 +1,9 @@
+api = "0.7"
+
+[buildpack]
+  id = "system/fail-detect"
+  version = "system-fail-detect-version"
+  name = "System Fail Detect Buildpack"
+
+[[stacks]]
+  id = "pack.test.stack"
--- a/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/build
+++ b/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/build
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+echo "---> BUILD: System Post buildpack"
+
+set -o errexit
+set -o pipefail
+
+layers_dir=$1
+platform_dir=$2
+
+# Create a layer to verify it ran
+mkdir -p "${layers_dir}/system-post"
+cat > "${layers_dir}/system-post.toml" <<EOF
+launch = true
+cache = true
+EOF
+
+echo "System Post Buildpack was here" > "${layers_dir}/system-post/marker"
+
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/detect
+++ b/acceptance/testdata/mock_buildpacks/system-post-buildpack/bin/detect
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> DETECT: System Post buildpack"
+
+# Always pass detection for testing
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-post-buildpack/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/system-post-buildpack/buildpack.toml
@ -0,0 +1,9 @@
+api = "0.7"
+
+[buildpack]
+  id = "system/post"
+  version = "system-post-version"
+  name = "System Post Buildpack"
+
+[[stacks]]
+  id = "pack.test.stack"
--- a/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/build
+++ b/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/build
@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+
+echo "---> BUILD: System Pre buildpack"
+
+set -o errexit
+set -o pipefail
+
+layers_dir=$1
+platform_dir=$2
+
+# Create a layer to verify it ran
+mkdir -p "${layers_dir}/system-pre"
+cat > "${layers_dir}/system-pre.toml" <<EOF
+launch = true
+cache = true
+EOF
+
+echo "System Pre Buildpack was here" > "${layers_dir}/system-pre/marker"
+
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/detect
+++ b/acceptance/testdata/mock_buildpacks/system-pre-buildpack/bin/detect
@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+echo "---> DETECT: System Pre buildpack"
+
+# Always pass detection for testing
+exit 0
--- a/acceptance/testdata/mock_buildpacks/system-pre-buildpack/buildpack.toml
+++ b/acceptance/testdata/mock_buildpacks/system-pre-buildpack/buildpack.toml
@ -0,0 +1,9 @@
+api = "0.7"
+
+[buildpack]
+  id = "system/pre"
+  version = "system-pre-version"
+  name = "System Pre Buildpack"
+
+[[stacks]]
+  id = "pack.test.stack"
--- a/acceptance/testdata/pack_fixtures/builder_with_failing_system_buildpack.toml
+++ b/acceptance/testdata/pack_fixtures/builder_with_failing_system_buildpack.toml
@ -0,0 +1,33 @@
+[[buildpacks]]
+  id = "simple-layers-buildpack"
+  uri = "file://{{.Fixtures}}/simple-layers-buildpack"
+
+[[buildpacks]]
+  id = "system/fail-detect"
+  uri = "file://{{.Fixtures}}/system-fail-detect"
+
+[[buildpacks]]
+  id = "system/post"
+  uri = "file://{{.Fixtures}}/system-post-buildpack"
+
+# System buildpacks configuration
+[system]
+[system.pre]
+buildpacks = [
+  { id = "system/fail-detect", version = "system-fail-detect-version", optional = false }
+]
+
+[system.post]
+buildpacks = [
+  { id = "system/post", version = "system-post-version", optional = true }
+]
+
+[[order]]
+[[order.group]]
+  id = "simple-layers-buildpack"
+  version = "simple-layers-buildpack-version"
+
+[stack]
+  id = "pack.test.stack"
+  build-image = "pack-test/build"
+  run-image = "pack-test/run"
--- a/acceptance/testdata/pack_fixtures/builder_with_optional_failing_system_buildpack.toml
+++ b/acceptance/testdata/pack_fixtures/builder_with_optional_failing_system_buildpack.toml
@ -0,0 +1,29 @@
+[[buildpacks]]
+  id = "simple-layers-buildpack"
+  uri = "file://{{.Fixtures}}/simple-layers-buildpack"
+
+[[buildpacks]]
+  id = "system/fail-detect"
+  uri = "file://{{.Fixtures}}/system-fail-detect"
+
+[[buildpacks]]
+  id = "system/pre"
+  uri = "file://{{.Fixtures}}/system-pre-buildpack"
+
+# System buildpacks configuration
+[system]
+[system.pre]
+buildpacks = [
+  { id = "system/fail-detect", version = "system-fail-detect-version", optional = true },
+  { id = "system/pre", version = "system-pre-version", optional = false }
+]
+
+[[order]]
+[[order.group]]
+  id = "simple-layers-buildpack"
+  version = "simple-layers-buildpack-version"
+
+[stack]
+  id = "pack.test.stack"
+  build-image = "pack-test/build"
+  run-image = "pack-test/run"
--- a/acceptance/testdata/pack_fixtures/builder_with_system_buildpacks.toml
+++ b/acceptance/testdata/pack_fixtures/builder_with_system_buildpacks.toml
@ -0,0 +1,33 @@
+[[buildpacks]]
+  id = "simple-layers-buildpack"
+  uri = "file://{{.Fixtures}}/simple-layers-buildpack"
+
+[[buildpacks]]
+  id = "system/pre"
+  uri = "file://{{.Fixtures}}/system-pre-buildpack"
+
+[[buildpacks]]
+  id = "system/post"
+  uri = "file://{{.Fixtures}}/system-post-buildpack"
+
+# System buildpacks configuration
+[system]
+[system.pre]
+buildpacks = [
+  { id = "system/pre", version = "system-pre-version", optional = false }
+]
+
+[system.post]
+buildpacks = [
+  { id = "system/post", version = "system-post-version", optional = true }
+]
+
+[[order]]
+[[order.group]]
+  id = "simple-layers-buildpack"
+  version = "simple-layers-buildpack-version"
+
+[stack]
+  id = "pack.test.stack"
+  build-image = "pack-test/build"
+  run-image = "pack-test/run"
--- a/acceptance/testdata/pack_fixtures/report_output.txt
+++ b/acceptance/testdata/pack_fixtures/report_output.txt
@ -2,7 +2,7 @@ Pack:
  Version:  {{ .Version }}
  OS/Arch:  {{ .OS }}/{{ .Arch }}

-Default Lifecycle Version:  0.20.0
+Default Lifecycle Version:  0.20.11

 Supported Platform APIs:  0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 0.11, 0.12, 0.13

--- a/benchmarks/build_test.go
+++ b/benchmarks/build_test.go
@ -1,5 +1,4 @@
 //go:build benchmarks
-// +build benchmarks

 package benchmarks

--- a/builder/config_reader.go
+++ b/builder/config_reader.go
@ -26,6 +26,7 @@ type Config struct {
 	Run             RunConfig        `toml:"run"`
 	Build           BuildConfig      `toml:"build"`
 	Targets         []dist.Target    `toml:"targets"`
+	System          dist.System      `toml:"system"`
 }

 // ModuleCollection is a list of ModuleConfigs
@ -38,8 +39,8 @@ type ModuleConfig struct {
 }

 func (c *ModuleConfig) DisplayString() string {
-	if c.ModuleInfo.FullName() != "" {
-		return c.ModuleInfo.FullName()
+	if c.FullName() != "" {
+		return c.FullName()
 	}

 	return c.ImageOrURI.DisplayString()
--- a/builder/config_reader_test.go
+++ b/builder/config_reader_test.go
@ -157,6 +157,39 @@ uri = "noop-buildpack.tgz"
 				})
 			})
 		})
+
+		when("system buildpack is defined", func() {
+			it.Before(func() {
+				h.AssertNil(t, os.WriteFile(builderConfigPath, []byte(`
+[[system.pre.buildpacks]]
+  id = "id-1"
+  version = "1.0"
+  optional = false
+
+[[system.post.buildpacks]]
+  id = "id-2"
+  version = "2.0"
+  optional = true
+`), 0666))
+			})
+
+			it("returns a builder config", func() {
+				builderConfig, _, err := builder.ReadConfig(builderConfigPath)
+				h.AssertNil(t, err)
+				h.AssertEq(t, len(builderConfig.System.Pre.Buildpacks), 1)
+				h.AssertEq(t, len(builderConfig.System.Post.Buildpacks), 1)
+
+				// Verify system.pre.buildpacks
+				h.AssertEq(t, builderConfig.System.Pre.Buildpacks[0].ID, "id-1")
+				h.AssertEq(t, builderConfig.System.Pre.Buildpacks[0].Version, "1.0")
+				h.AssertEq(t, builderConfig.System.Pre.Buildpacks[0].Optional, false)
+
+				// Verify system.post.buildpacks
+				h.AssertEq(t, builderConfig.System.Post.Buildpacks[0].ID, "id-2")
+				h.AssertEq(t, builderConfig.System.Post.Buildpacks[0].Version, "2.0")
+				h.AssertEq(t, builderConfig.System.Post.Buildpacks[0].Optional, true)
+			})
+		})
 	})

 	when("#ValidateConfig()", func() {
--- a/cmd/docker_init.go
+++ b/cmd/docker_init.go
@ -20,7 +20,7 @@ import (
 	"github.com/buildpacks/pack/pkg/client"
 )

-func tryInitSSHDockerClient() (dockerClient.CommonAPIClient, error) {
+func tryInitSSHDockerClient() (dockerClient.APIClient, error) {
 	dockerHost := os.Getenv("DOCKER_HOST")
 	_url, err := url.Parse(dockerHost)
 	isSSH := err == nil && _url.Scheme == "ssh"
@ -70,7 +70,7 @@ func readSecret(prompt string) (pw []byte, err error) {
 		fmt.Fprint(os.Stderr, prompt)
 		pw, err = term.ReadPassword(fd)
 		fmt.Fprintln(os.Stderr)
-		return
+		return pw, err
 	}

 	var b [1]byte
--- a/go.mod
+++ b/go.mod
@ -1,146 +1,154 @@
 module github.com/buildpacks/pack

 require (
-	github.com/BurntSushi/toml v1.3.2
-	github.com/GoogleContainerTools/kaniko v1.22.0
+	github.com/BurntSushi/toml v1.5.0
+	github.com/GoogleContainerTools/kaniko v1.24.0
 	github.com/Masterminds/semver v1.5.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/apex/log v1.9.0
-	github.com/buildpacks/imgutil v0.0.0-20240605145725-186f89b2d168
-	github.com/buildpacks/lifecycle v0.19.6
-	github.com/docker/cli v26.1.4+incompatible
-	github.com/docker/docker v26.1.4+incompatible
-	github.com/docker/go-connections v0.5.0
+	github.com/buildpacks/imgutil v0.0.0-20250814164739-4b1c8875ba7e
+	github.com/buildpacks/lifecycle v0.20.11
+	github.com/containerd/errdefs v1.0.0
+	github.com/docker/cli v28.3.3+incompatible
+	github.com/docker/docker v28.3.3+incompatible
+	github.com/docker/go-connections v0.6.0
 	github.com/dustin/go-humanize v1.0.1
-	github.com/gdamore/tcell/v2 v2.7.4
-	github.com/go-git/go-git/v5 v5.12.0
+	github.com/gdamore/tcell/v2 v2.8.1
+	github.com/go-git/go-git/v5 v5.16.2
 	github.com/golang/mock v1.6.0
-	github.com/google/go-cmp v0.6.0
-	github.com/google/go-containerregistry v0.20.0
+	github.com/google/go-cmp v0.7.0
+	github.com/google/go-containerregistry v0.20.6
 	github.com/google/go-github/v30 v30.1.0
 	github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95
 	github.com/heroku/color v0.0.6
 	github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e
-	github.com/onsi/gomega v1.33.1
+	github.com/moby/go-archive v0.1.0
+	github.com/onsi/gomega v1.38.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.1.0
+	github.com/opencontainers/image-spec v1.1.1
 	github.com/pelletier/go-toml v1.9.5
 	github.com/pkg/errors v0.9.1
 	github.com/rivo/tview v0.0.0-20220307222120-9994674d60a8
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06
 	github.com/sclevine/spec v1.4.0
-	github.com/spf13/cobra v1.8.1
-	golang.org/x/crypto v0.25.0
-	golang.org/x/mod v0.19.0
-	golang.org/x/oauth2 v0.21.0
-	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.22.0
-	golang.org/x/term v0.22.0
-	golang.org/x/text v0.16.0
+	github.com/spf13/cobra v1.9.1
+	golang.org/x/crypto v0.41.0
+	golang.org/x/mod v0.27.0
+	golang.org/x/oauth2 v0.30.0
+	golang.org/x/sync v0.16.0
+	golang.org/x/sys v0.35.0
+	golang.org/x/term v0.34.0
+	golang.org/x/text v0.28.0
 	gopkg.in/yaml.v3 v3.0.1
 )

 require (
-	dario.cat/mergo v1.0.0 // indirect
+	dario.cat/mergo v1.0.2 // indirect
 	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
-	github.com/Azure/go-autorest/autorest/adal v0.9.23 // indirect
-	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
-	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
-	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
-	github.com/Azure/go-autorest/logger v0.2.1 // indirect
-	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/ProtonMail/go-crypto v1.0.0 // indirect
+	github.com/Azure/go-autorest/autorest v0.11.30 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.7 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.1 // indirect
+	github.com/Azure/go-autorest/logger v0.2.2 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.1 // indirect
+	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.26.0 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.27.7 // indirect
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.7 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.3 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.4 // indirect
-	github.com/aws/smithy-go v1.20.1 // indirect
-	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.29.14 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.67 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 // indirect
+	github.com/aws/smithy-go v1.22.3 // indirect
+	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
-	github.com/cloudflare/circl v1.3.7 // indirect
-	github.com/containerd/containerd v1.7.16 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
-	github.com/containerd/typeurl/v2 v2.1.1 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.0 // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/gdamore/encoding v1.0.0 // indirect
+	github.com/gdamore/encoding v1.0.1 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/gorilla/mux v1.8.0 // indirect
+	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.17.4 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/buildkit v0.13.2 // indirect
+	github.com/moby/buildkit v0.22.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/sys/sequential v0.5.0 // indirect
-	github.com/moby/sys/user v0.1.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
+	github.com/moby/sys/sequential v0.6.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
+	github.com/moby/sys/userns v0.1.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
-	github.com/opencontainers/selinux v1.11.0 // indirect
-	github.com/pjbgf/sha1cd v0.3.0 // indirect
-	github.com/prometheus/client_golang v1.19.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.48.0 // indirect
-	github.com/prometheus/procfs v0.12.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/opencontainers/selinux v1.12.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.64.0 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/rivo/uniseg v0.4.3 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
-	github.com/skeema/knownhosts v1.2.2 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect
-	go.opentelemetry.io/otel v1.25.0 // indirect
-	go.opentelemetry.io/otel/metric v1.25.0 // indirect
-	go.opentelemetry.io/otel/trace v1.25.0 // indirect
-	golang.org/x/net v0.24.0 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
+	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel/metric v1.36.0 // indirect
+	go.opentelemetry.io/otel/trace v1.36.0 // indirect
+	golang.org/x/net v0.42.0 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

-go 1.22
+replace github.com/BurntSushi/toml => github.com/BurntSushi/toml v1.3.2
+
+go 1.24.4
--- a/go.sum
+++ b/go.sum
@ -1,47 +1,48 @@
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
+dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
+dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
 github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
-github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc=
-github.com/Azure/go-autorest/autorest v0.11.29 h1:I4+HL/JDvErx2LjyzaVxllw2lRDB5/BT2Bm4g20iqYw=
-github.com/Azure/go-autorest/autorest v0.11.29/go.mod h1:ZtEzC4Jy2JDrZLxvWs8LrBWEBycl1hbT1eknI8MtfAs=
+github.com/Azure/go-autorest/autorest v0.11.28/go.mod h1:MrkzG3Y3AH668QyF9KRk5neJnGgmhQ6krbhR8Q5eMvA=
+github.com/Azure/go-autorest/autorest v0.11.30 h1:iaZ1RGz/ALZtN5eq4Nr1SOFSlf2E4pDI3Tcsl+dZPVE=
+github.com/Azure/go-autorest/autorest v0.11.30/go.mod h1:t1kpPIOpIVX7annvothKvb0stsrXa37i7b+xpmBW8Fs=
 github.com/Azure/go-autorest/autorest/adal v0.9.18/go.mod h1:XVVeme+LZwABT8K5Lc3hA4nAe8LDBVle26gTrguhhPQ=
 github.com/Azure/go-autorest/autorest/adal v0.9.22/go.mod h1:XuAbAEUv2Tta//+voMI038TrJBqjKam0me7qR+L8Cmk=
-github.com/Azure/go-autorest/autorest/adal v0.9.23 h1:Yepx8CvFxwNKpH6ja7RZ+sKX+DWYNldbLiALMC3BTz8=
-github.com/Azure/go-autorest/autorest/adal v0.9.23/go.mod h1:5pcMqFkdPhviJdlEy3kC/v1ZLnQl0MH6XA5YCcMhy4c=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 h1:wkAZRgT/pn8HhFyzfe9UnqOjJYqlembgCTi72Bm/xKk=
-github.com/Azure/go-autorest/autorest/azure/auth v0.5.12/go.mod h1:84w/uV8E37feW2NCJ08uT9VBfjfUHpgLVnG2InYD6cg=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.5/go.mod h1:ADQAXrkgm7acgWVUNamOgh8YNrv4p27l3Wc55oVfpzg=
-github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 h1:w77/uPk80ZET2F+AfQExZyEWtn+0Rk/uw17m9fv5Ajc=
+github.com/Azure/go-autorest/autorest/adal v0.9.24 h1:BHZfgGsGwdkHDyZdtQRQk1WeUdW0m2WPAwuHZwUi5i4=
+github.com/Azure/go-autorest/autorest/adal v0.9.24/go.mod h1:7T1+g0PYFmACYW5LlG2fcoPiPlFHjClyRGL7dRlP5c8=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.13 h1:Ov8avRZi2vmrE2JcXw+tu5K/yB41r7xK9GZDiBF7NdM=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.13/go.mod h1:5BAVfWLWXihP47vYrPuBKKf4cS0bXI+KM9Qx6ETDJYo=
 github.com/Azure/go-autorest/autorest/azure/cli v0.4.6/go.mod h1:piCfgPho7BiIDdEQ1+g4VmKyD5y+p/XtSNqE6Hc4QD0=
-github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.7 h1:Q9R3utmFg9K1B4OYtAZ7ZUUvIUdzQt7G2MN5Hi/d670=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.7/go.mod h1:bVrAueELJ0CKLBpUHDIvD516TwmHmzqwCpvONWRsw3s=
 github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/date v0.3.1 h1:o9Z8Jyt+VJJTCZ/UORishuHOusBwolhjokt9s5k8I4w=
+github.com/Azure/go-autorest/autorest/date v0.3.1/go.mod h1:Dz/RDmXlfiFFS/eW+b/xMUSFs1tboPVy6UjgADToWDM=
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
-github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
-github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
+github.com/Azure/go-autorest/logger v0.2.2 h1:hYqBsEBywrrOSW24kkOCXRcKfKhK76OzLTfF+MYDE2o=
+github.com/Azure/go-autorest/logger v0.2.2/go.mod h1:I5fg9K52o+iuydlWfa9T5K6WFos9XYr9dYTFzpqgibw=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
+github.com/Azure/go-autorest/tracing v0.6.1 h1:YUMSrC/CeD1ZnnXcNYU4a/fzsO35u2Fsful9L/2nyR0=
+github.com/Azure/go-autorest/tracing v0.6.1/go.mod h1:/3EgjbsjraOqiicERAeu3m7/z0x1TzjQGAwDrJrXGkc=
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/GoogleContainerTools/kaniko v1.22.0 h1:WIL8Wuc+lQW8sv1R+zOZsCy4lQtTzrVJ76K2VMkB++0=
-github.com/GoogleContainerTools/kaniko v1.22.0/go.mod h1:Kki7uX+HlskobmD7PRrGZvL0S9Aejf8kzfzoQUv68pQ=
+github.com/GoogleContainerTools/kaniko v1.24.0 h1:PgzzuOwaraxC7UMw0F0YoxNHi+a6YeiAbDgc2GHrk+M=
+github.com/GoogleContainerTools/kaniko v1.24.0/go.mod h1:hO9q9uGMwrItm4wGcX7E0cMJIw84NM6gPETIt6vkwAk=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.11.4 h1:68vKo2VN8DE9AdN4tnkWnmdhqdbpUFM8OF3Airm7fz8=
-github.com/Microsoft/hcsshim v0.11.4/go.mod h1:smjE4dvqPX9Zldna+t5FG3rnoHhaB7QYxPRqGcpAD9w=
-github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
-github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
+github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@ -56,70 +57,70 @@ github.com/aphistic/sweet v0.2.0/go.mod h1:fWDlIh/isSE9n6EPsRmC0det+whmX6dJid3st
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/aws/aws-sdk-go v1.20.6/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
-github.com/aws/aws-sdk-go-v2 v1.26.0 h1:/Ce4OCiM3EkpW7Y+xUnfAFpchU78K7/Ug01sZni9PgA=
-github.com/aws/aws-sdk-go-v2 v1.26.0/go.mod h1:35hUlJVYd+M++iLI3ALmVwMOyRYMmRqUXpTtRGW+K9I=
-github.com/aws/aws-sdk-go-v2/config v1.27.7 h1:JSfb5nOQF01iOgxFI5OIKWwDiEXWTyTgg1Mm1mHi0A4=
-github.com/aws/aws-sdk-go-v2/config v1.27.7/go.mod h1:PH0/cNpoMO+B04qET699o5W92Ca79fVtbUnvMIZro4I=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.7 h1:WJd+ubWKoBeRh7A5iNMnxEOs982SyVKOJD+K8HIezu4=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.7/go.mod h1:UQi7LMR0Vhvs+44w5ec8Q+VS+cd10cjwgHwiVkE0YGU=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.3 h1:p+y7FvkK2dxS+FEwRIDHDe//ZX+jDhP8HHE50ppj4iI=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.15.3/go.mod h1:/fYB+FZbDlwlAiynK9KDXlzZl3ANI9JkD0Uhz5FjNT4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.3 h1:ifbIbHZyGl1alsAhPIYsHOg5MuApgqOvVeI8wIugXfs=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.3/go.mod h1:oQZXg3c6SNeY6OZrDY+xHcF4VGIEoNotX2B4PrDeoJI=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.3 h1:Qvodo9gHG9F3E8SfYOspPeBt0bjSbsevK8WhRAUHcoY=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.3/go.mod h1:vCKrdLXtybdf/uQd/YfVR2r5pcbNuEYKzMQpcxmeSJw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/service/ecr v1.24.5 h1:wLPDAUFT50NEXGXpywRU3AA74pg35RJjWol/68ruvQQ=
-github.com/aws/aws-sdk-go-v2/service/ecr v1.24.5/go.mod h1:AOHmGMoPtSY9Zm2zBuwUJQBisIvYAZeA1n7b6f4e880=
-github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.5 h1:PQp21GBlGNaQ+AVJAB8w2KTmLx0DkFS2fDET2Iy3+f0=
-github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.21.5/go.mod h1:WMntdAol8KgeYsa5sDZPsRTXs4jVZIMYu0eQVVIQxnc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.5 h1:K/NXvIftOlX+oGgWGIa3jDyYLDNsdVhsjHmsBH2GLAQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.5/go.mod h1:cl9HGLV66EnCmMNzq4sYOti+/xo8w34CsgzVtm2GgsY=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.2 h1:XOPfar83RIRPEzfihnp+U6udOveKZJvPQ76SKWrLRHc=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.2/go.mod h1:Vv9Xyk1KMHXrR3vNQe8W5LMFdTjSeWk0gBZBzvf3Qa0=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.2 h1:pi0Skl6mNl2w8qWZXcdOyg197Zsf4G97U7Sso9JXGZE=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.2/go.mod h1:JYzLoEVeLXk+L4tn1+rrkfhkxl6mLDEVaDSvGq9og90=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.4 h1:Ppup1nVNAOWbBOrcoOxaxPeEnSFB2RnnQdguhXpmeQk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.4/go.mod h1:+K1rNPVyGxkRuv9NNiaZ4YhBFuyw2MMA9SlIJ1Zlpz8=
-github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
-github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
-github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6 h1:PlJRmqKlSlEUlwem1c3zdPaEMtJc/ktnV7naD5Qvsx4=
-github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231213181459-b0fcec718dc6/go.mod h1:08sPJIlDHu4HwQ1xScPgsBWezvM6U10ghGKBJu0mowA=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.14 h1:f+eEi/2cKCg9pqKBoAIwRGzVb70MRKqWX4dg1BDcSJM=
+github.com/aws/aws-sdk-go-v2/config v1.29.14/go.mod h1:wVPHWcIFv3WO89w0rE10gzf17ZYy+UVS1Geq8Iei34g=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67 h1:9KxtdcIA/5xPNQyZRgUSpYOE6j9Bc4+D7nZua0KGYOM=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.67/go.mod h1:p3C44m+cfnbv763s52gCqrjaqyPikj9Sg47kUVaNZQQ=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0 h1:E+UTVTDH6XTSjqxHWRuY8nB6s+05UllneWxnycplHFk=
+github.com/aws/aws-sdk-go-v2/service/ecr v1.44.0/go.mod h1:iQ1skgw1XRK+6Lgkb0I9ODatAP72WoTILh0zXQ5DtbU=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0 h1:wA2O6pZ2r5smqJunFP4hp7qptMW4EQxs8O6RVHPulOE=
+github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.33.0/go.mod h1:RZL7ov7c72wSmoM8bIiVxRHgcVdzhNkVW2J36C8RF4s=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3 h1:1Gw+9ajCV1jogloEv1RRnvfRFia2cL6c9cuKV2Ps+G8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.3/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1 h1:hXmVKytPfTy5axZ+fYbR5d0cFmC3JvwLm5kM83luako=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.30.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19 h1:1XuUZ8mYJw9B6lzAkXhqHlJd/XvaX32evhproijJEZY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.19/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.3 h1:Z//5NuZCSW6R4PhQ93hShNbyBbn8BWCmCVCt+Q8Io5k=
+github.com/aws/smithy-go v1.22.3/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI=
+github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1 h1:50sS0RWhGpW/yZx2KcDNEb1u1MANv5BMEkJgcieEDTA=
+github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.9.1/go.mod h1:ErZOtbzuHabipRTDTor0inoRlYwbsV1ovwSxjGs/uJo=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/buildpacks/imgutil v0.0.0-20240605145725-186f89b2d168 h1:yVYVi1V7x1bXklOx9lpbTfteyzQKGZC/wkl+IlaVRlU=
-github.com/buildpacks/imgutil v0.0.0-20240605145725-186f89b2d168/go.mod h1:n2R6VRuWsAX3cyHCp/u0Z4WJcixny0gYg075J39owrk=
-github.com/buildpacks/lifecycle v0.19.6 h1:/bmfMs35aSkxyzYDF+iHl9VnYmUBBbHBmnvo8XNEINk=
-github.com/buildpacks/lifecycle v0.19.6/go.mod h1:sWrBJzf/7dWrcHrWiV/P2+3jS8G8Ki5tczq8jO3XVRQ=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
-github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
-github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
-github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/buildpacks/imgutil v0.0.0-20250814164739-4b1c8875ba7e h1:a+vpYYeK7E7+3uGqseiRutzKA7yNNjAOPON9+VOADiw=
+github.com/buildpacks/imgutil v0.0.0-20250814164739-4b1c8875ba7e/go.mod h1:UH4th60x/wM1DdH7+eSgzbp0kgsJMhVgngWzXoF21cs=
+github.com/buildpacks/lifecycle v0.20.11 h1:lr8smVyW59HvkdJj7H3rYbfiNT7ndkV4cV2lQiOnCuo=
+github.com/buildpacks/lifecycle v0.20.11/go.mod h1:+YlGlTCwJcyJSp5QvZKxH8k2JOpYzjTE9NYB6CA5CuE=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 h1:krfRl01rzPzxSxyLyrChD+U+MzsBXbm0OwYYB67uF+4=
 github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589/go.mod h1:OuDyvmLnMCwa2ep4Jkm6nyA0ocJuZlGyk2gGseVzERM=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
-github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
-github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/containerd/containerd v1.7.16 h1:7Zsfe8Fkj4Wi2My6DXGQ87hiqIrmOXolm72ZEkFU5Mg=
-github.com/containerd/containerd v1.7.16/go.mod h1:NL49g7A/Fui7ccmxV6zkBWwqMgmMxFWzujYCc+JLt7k=
+github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
+github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
-github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
-github.com/containerd/typeurl/v2 v2.1.1 h1:3Q4Pt7i8nYwy2KmQWIw2+1hTvwTE/6w9FqcttATPO/4=
-github.com/containerd/typeurl/v2 v2.1.1/go.mod h1:IDp2JFvbwZ31H8dQbEIY7sDl2L3o3HZj1hsSQlywkQ0=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
+github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
+github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
+github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -127,16 +128,16 @@ github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi
 github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v26.1.4+incompatible h1:I8PHdc0MtxEADqYJZvhBrW9bo8gawKwwenxRM7/rLu8=
-github.com/docker/cli v26.1.4+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v28.3.3+incompatible h1:fp9ZHAr1WWPGdIWBM1b3zLtgCF+83gRdVMTJsUeiyAo=
+github.com/docker/cli v28.3.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
-github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker-credential-helpers v0.8.0 h1:YQFtbBQb4VrpoPxhFuzEBPQ9E16qz5SpHLS+uswaCp8=
-github.com/docker/docker-credential-helpers v0.8.0/go.mod h1:UGFXcuoQ5TxPiB54nHOZ32AWRqQdECoh/Mg0AlEYb40=
-github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
-github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
+github.com/docker/docker v28.3.3+incompatible h1:Dypm25kh4rmk49v1eiVbsAtpAsYURjYkaKubwuBdxEI=
+github.com/docker/docker v28.3.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
+github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
+github.com/docker/go-connections v0.6.0 h1:LlMG9azAe1TqfR7sO+NJttz1gy6KO7VJBh+pMmjSD94=
+github.com/docker/go-connections v0.6.0/go.mod h1:AahvXYshr6JgfUJGdDCs2b5EZG/vmaMAntpSFH5BFKE=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@ -145,81 +146,82 @@ github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
+github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/gdamore/encoding v1.0.0 h1:+7OoQ1Bc6eTm5niUzBa0Ctsh6JbMW6Ra+YNuAtDBdko=
 github.com/gdamore/encoding v1.0.0/go.mod h1:alR0ol34c49FCSBLjhosxzcPHQbf2trDkoo5dl+VrEg=
+github.com/gdamore/encoding v1.0.1 h1:YzKZckdBL6jVt2Gc+5p82qhrGiqMdG/eNs6Wy0u3Uhw=
+github.com/gdamore/encoding v1.0.1/go.mod h1:0Z0cMFinngz9kS1QfMjCP8TY7em3bZYeeklsSDPivEo=
 github.com/gdamore/tcell/v2 v2.4.1-0.20210905002822-f057f0a857a1/go.mod h1:Az6Jt+M5idSED2YPGtwnfJV0kXohgdCBPmHGSYc1r04=
-github.com/gdamore/tcell/v2 v2.7.4 h1:sg6/UnTM9jGpZU+oFYAsDahfchWAFW8Xx2yFinNSAYU=
-github.com/gdamore/tcell/v2 v2.7.4/go.mod h1:dSXtXTSK0VsW1biw65DZLZ2NKr7j0qP/0J7ONmsraWg=
-github.com/gliderlabs/ssh v0.3.7 h1:iV3Bqi942d9huXnzEF2Mt+CY9gLu8DNM4Obd+8bODRE=
-github.com/gliderlabs/ssh v0.3.7/go.mod h1:zpHEXBstFnQYtGnB8k8kQLol82umzn/2/snG7alWVD8=
+github.com/gdamore/tcell/v2 v2.8.1 h1:KPNxyqclpWpWQlPLx6Xui1pMk8S+7+R37h3g07997NU=
+github.com/gdamore/tcell/v2 v2.8.1/go.mod h1:bj8ori1BG3OYMjmb3IklZVWfZUJ1UBQt9JXrOCOhGWw=
+github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
+github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
+github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
-github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
+github.com/go-git/go-git/v5 v5.16.2 h1:fT6ZIOjE5iEnkzKyxTHK1W4HGAsPhqEqiSAssSO77hM=
+github.com/go-git/go-git/v5 v5.16.2/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
+github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
+github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-containerregistry v0.20.0 h1:wRqHpOeVh3DnenOrPy9xDOLdnLatiGuuNRVelR2gSbg=
-github.com/google/go-containerregistry v0.20.0/go.mod h1:YCMFNQeeXeLF+dnhhWkqDItx/JSkH01j1Kis4PsjzFI=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-containerregistry v0.20.6 h1:cvWX87UxxLgaH76b4hIvya6Dzz9qHB31qAwjAohdSTU=
+github.com/google/go-containerregistry v0.20.6/go.mod h1:T0x8MuoAoKX/873bkeSfLD2FAkwCDf9/HZgsFJ02E2Y=
 github.com/google/go-github/v30 v30.1.0 h1:VLDx+UolQICEOKu2m4uAoMti1SxuEBAl7RSEG16L+Oo=
 github.com/google/go-github/v30 v30.1.0/go.mod h1:n8jBpHl45a/rlBUtRJMOG4GhNADUQFEufcolZ95JfU8=
 github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
 github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 h1:YBftPWNWd4WwGqtY2yeZL2ef8rHAxPBD8KFhJpmcqms=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0/go.mod h1:YN5jB8ie0yfIUg6VvR9Kz84aCaG7AsGZnLjhHbUqwPg=
+github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
+github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 h1:asbCHRVmodnJTuQ3qamDwqVOIjwqUPTYmYuemVOx+Ys=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0/go.mod h1:ggCgvZ2r7uOoQjOyu2Y1NhHmEPPzzuhWgcza5M1Ji1I=
 github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95 h1:S4qyfL2sEm5Budr4KVMyEniCy+PbS55651I/a+Kn/NQ=
 github.com/hectane/go-acl v0.0.0-20190604041725-da78bae5fc95/go.mod h1:QiyDdbZLaJ/mZP4Zwc9g2QsfaEA4o7XvvgZegSci5/E=
 github.com/heroku/color v0.0.6 h1:UTFFMrmMLFcL3OweqP1lAdp8i1y/9oHqkeHjQ/b/Ny0=
@ -230,10 +232,6 @@ github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLf
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jpillora/backoff v0.0.0-20180909062703-3050d21c67d7/go.mod h1:2iMrUgbbvHEiQClaW2NsSzMyGHqN+rDFqY705q49KG0=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@ -242,8 +240,8 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.4 h1:Ej5ixsIri7BrIjBkRZLTo6ghwrEtHFk7ijlczPW4fZ4=
-github.com/klauspost/compress v1.17.4/go.mod h1:/dCuZOvVtNoHsyb+cuJD3itjs3NbnF6KH9zAO4BDxPM=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
@ -254,6 +252,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
@ -266,84 +266,92 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e h1:Qa6dnn8DlasdXRnacluu8HzPts0S1I9zvvUPDbBnXFI=
 github.com/mitchellh/ioprogress v0.0.0-20180201004757-6a23b12fa88e/go.mod h1:waEya8ee1Ro/lgxpVhkJI4BVASzkm3UZqkx/cFJiYHM=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/moby/buildkit v0.13.2 h1:nXNszM4qD9E7QtG7bFWPnDI1teUQFQglBzon/IU3SzI=
-github.com/moby/buildkit v0.13.2/go.mod h1:2cyVOv9NoHM7arphK9ZfHIWKn9YVZRFd1wXB8kKmEzY=
+github.com/moby/buildkit v0.22.0 h1:aWN06w1YGSVN1XfeZbj2ZbgY+zi5xDAjEFI8Cy9fTjA=
+github.com/moby/buildkit v0.22.0/go.mod h1:j4pP5hxiTWcz7xuTK2cyxQislHl/N2WWHzOy43DlLJw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
+github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
-github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
-github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
+github.com/moby/sys/sequential v0.6.0 h1:qrx7XFUd/5DxtqcoH1h438hF5TmOvzC/lspjy7zgvCU=
+github.com/moby/sys/sequential v0.6.0/go.mod h1:uyv8EUTrca5PnDsdMGXhZe6CCe8U/UiTWd+lL+7b/Ko=
+github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
+github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
+github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/onsi/ginkgo v1.6.0 h1:Ix8l273rp3QzYgXSR+c8d1fTG7UPgYkOSELPhiY/YGw=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
-github.com/onsi/ginkgo/v2 v2.17.2 h1:7eMhcy3GimbsA3hEnVKdw/PQM9XN9krpKVXsZdph0/g=
-github.com/onsi/ginkgo/v2 v2.17.2/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc=
+github.com/onsi/ginkgo/v2 v2.23.4 h1:ktYTpKJAVZnDT4VjxSbiBenUjmlL/5QkBEocaWXiQus=
+github.com/onsi/ginkgo/v2 v2.23.4/go.mod h1:Bt66ApGPBFzHyR+JO10Zbt0Gsp4uWxu5mIOTusL46e8=
 github.com/onsi/gomega v1.5.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
-github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
-github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
+github.com/onsi/gomega v1.38.0 h1:c/WX+w8SLAinvuKKQFh77WEucCnPk4j2OTUr7lt7BeY=
+github.com/onsi/gomega v1.38.0/go.mod h1:OcXcwId0b9QsE7Y49u+BTrL4IdKOBOKnD6VQNTJEB6o=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
+github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
-github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
+github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
+github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.19.0 h1:ygXvpU1AoN1MhdzckN+PyD9QJOSD4x7kmXYlnfbA6JU=
-github.com/prometheus/client_golang v1.19.0/go.mod h1:ZRM9uEAypZakd+q/x7+gmsvXdURP+DABIEIjnmDdp+k=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
-github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
+github.com/prometheus/common v0.64.0 h1:pdZeA+g617P7oGv1CzdTzyeShxAGrTBsolKNOLQPGO4=
+github.com/prometheus/common v0.64.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
-github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
-github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/rivo/tview v0.0.0-20220307222120-9994674d60a8 h1:xe+mmCnDN82KhC010l3NfYlA8ZbOuzbXAzSYBa6wbMc=
 github.com/rivo/tview v0.0.0-20220307222120-9994674d60a8/go.mod h1:WIfMkQNY+oq/mWwtsjOYHIZBuwthioY2srOmljJkTnk=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.3 h1:utMvzDsuh3suAEnhH0RdHmoPbU648o6CvXxTx4SBMOw=
 github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v1.1.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
 github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
@ -356,15 +364,15 @@ github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPx
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.2.2 h1:Iug2P4fLmDw9f41PB6thxUkNUkJzB5i+1/exaj40L3A=
-github.com/skeema/knownhosts v1.2.2/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
+github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/smartystreets/assertions v1.0.0/go.mod h1:kHHU4qYBaI3q23Pp3VPrmWhuIUrLW/7eUrw0BU5VaoM=
 github.com/smartystreets/go-aws-auth v0.0.0-20180515143844-0c1422d1fdb9/go.mod h1:SnhjPscd9TpLiy1LpzGSKh3bXCfxxXuqd9xmQJy3slM=
 github.com/smartystreets/gunit v1.0.0/go.mod h1:qwPWnhz6pn0NnRBP++URONOVyNkPyr4SauJk4cUOwJs=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@ -377,8 +385,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tj/assert v0.0.0-20171129193455-018094318fb0/go.mod h1:mZ9/Rh9oLWpLLDRpvE+3b7gP/C2YyLFYxNmcLnPTMe0=
 github.com/tj/assert v0.0.3 h1:Df/BlaZ20mq6kuai7f5z2TvPFiwC3xaWJSDQNiIS3Rk=
 github.com/tj/assert v0.0.3/go.mod h1:Ne6X72Q+TB1AteidzQncjw9PabbMp4PBMZ1k+vd1Pvk=
@ -386,8 +394,10 @@ github.com/tj/go-buffer v1.1.0/go.mod h1:iyiJpfFcR2B9sXu7KvjbT9fpM4mOelRSDTbntVj
 github.com/tj/go-elastic v0.0.0-20171221160941-36157cbbebc2/go.mod h1:WjeM0Oo1eNAjXGDx2yma7uG2XoyRZTq1uv3M/o7imD0=
 github.com/tj/go-kinesis v0.0.0-20171128231115-08b17f58cb1b/go.mod h1:/yhzCV0xPfx6jb1bBgRFjl5lytqVqZXEaeqWP8lTEao=
 github.com/tj/go-spin v1.1.0/go.mod h1:Mg1mzmePZm4dva8Qz60H2lHwmJ2loum4VIrLgVnKwh4=
-github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
-github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0 h1:2f304B10LaZdB8kkVEaoXvAMVan2tl9AiK4G0odjQtE=
+github.com/tonistiigi/go-csvvalue v0.0.0-20240814133006-030d3b2625d0/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
+github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
+github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
@ -400,43 +410,52 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8=
-go.opentelemetry.io/otel v1.25.0 h1:gldB5FfhRl7OJQbUHt/8s0a7cE8fbsPAtdpRaApKy4k=
-go.opentelemetry.io/otel v1.25.0/go.mod h1:Wa2ds5NOXEMkCmUou1WA7ZBfLTHWIsp034OVD7AO+Vg=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0 h1:Mbi5PKN7u322woPa85d7ebZ+SOvEoPvoiBu+ryHWgfA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0/go.mod h1:e7ciERRhZaOZXVjx5MiL8TK5+Xv7G5Gv5PA2ZDEJdL8=
-go.opentelemetry.io/otel/metric v1.25.0 h1:LUKbS7ArpFL/I2jJHdJcqMGxkRdxpPHE0VU/D4NuEwA=
-go.opentelemetry.io/otel/metric v1.25.0/go.mod h1:rkDLUSd2lC5lq2dFNrX9LGAbINP5B7WBkC78RXCpH5s=
-go.opentelemetry.io/otel/sdk v1.25.0 h1:PDryEJPC8YJZQSyLY5eqLeafHtG+X7FWnf3aXMtxbqo=
-go.opentelemetry.io/otel/sdk v1.25.0/go.mod h1:oFgzCM2zdsxKzz6zwpTZYLLQsFwc+K0daArPdIhuxkw=
-go.opentelemetry.io/otel/trace v1.25.0 h1:tqukZGLwQYRIFtSQM2u2+yfMVTgGVeqRLPUYx1Dq6RM=
-go.opentelemetry.io/otel/trace v1.25.0/go.mod h1:hCCs70XM/ljO+BeQkyFnbK28SBIJ/Emuha+ccrCRT7I=
-go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
-go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
+go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
+go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0 h1:wpMfgF8E1rkrT1Z6meFh1NDtownE9Ii3n3X2GJYjsaU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.33.0/go.mod h1:wAy0T/dUbs468uOlkT31xjvqQgEVXv58BRFWEgn5v/0=
+go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
+go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
+go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
+go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
+go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190426145343-a29dc8fdc734/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
-golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
-golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -449,14 +468,16 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.24.0 h1:1PcaxkF854Fu3+lvBIx5SYn9wRlBzzcnHZSiaFFAb0w=
-golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.21.0 h1:tsimM75w1tF/uws5rbeHzIWxEqElMehnc+iW793zsZs=
-golang.org/x/oauth2 v0.21.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -466,8 +487,12 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@ -490,36 +515,45 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
-golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
-golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
-golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
@ -527,24 +561,24 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
-google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 h1:9+tzLLstTlPTRyJTh+ah5wIMsBW5c4tQwGTN3thOW9Y=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2 h1:rIo7ocm2roD9DcFIX67Ym8icoGCKSARAiPljFhh5suQ=
-google.golang.org/genproto/googleapis/api v0.0.0-20240311132316-a219d84964c2/go.mod h1:O1cOfN1Cy6QEYr7VxtjOyP5AdAuR0aJ/MYZaaof623Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c h1:lfpJ/2rWPa/kJgxyyXM8PrNnfCzcmxJ265mADgwmvLI=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c/go.mod h1:WtryC6hu0hhx87FDGxWCDptyssuo68sk10vYjF+T9fY=
-google.golang.org/grpc v1.62.1 h1:B4n+nfKzOICUXMgyrNd19h/I9oH0L1pizfk1d4zSgTk=
-google.golang.org/grpc v1.62.1/go.mod h1:IWTG0VlJLCh1SkC58F7np9ka9mx/WNkjl4PGJaiq+QE=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
-google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/genproto v0.0.0-20250519155744-55703ea1f237 h1:2zGWyk04EwQ3mmV4dd4M4U7P/igHi5p7CBJEg1rI6A8=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 h1:Kog3KlB4xevJlAcbbbzPfRG0+X9fdoGM+UBRKVz6Wr0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237/go.mod h1:ezi0AVyMKDWy5xAncvjLWH7UcLBB5n7y2fQ8MzjJcto=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@ -556,12 +590,10 @@ gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200605160147-a5ece683394c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
--- a/golangci.yaml
+++ b/golangci.yaml
@ -1,15 +1,10 @@
-run:
-  timeout: 6m
-
+version: "2"
 linters:
-  disable-all: true
+  default: none
  enable:
    - bodyclose
-    - exportloopref
    - dogsled
    - gocritic
-    - goimports
-    - gosimple
    - govet
    - ineffassign
    - misspell
@ -17,16 +12,40 @@ linters:
    - revive
    - rowserrcheck
    - staticcheck
-    - stylecheck
-    - typecheck
    - unconvert
    - unused
    - whitespace
-
-linters-settings:
-  goimports:
-    local-prefixes: github.com/buildpacks/pack
-  revive:
-    rules:
-      - name: error-strings
-        disabled: true
+  settings:
+    revive:
+      rules:
+        - name: error-strings
+          disabled: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+formatters:
+  enable:
+    - goimports
+  settings:
+    goimports:
+      local-prefixes:
+        - github.com/buildpacks/pack
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+issues:
+  default: info
+  rules:
+    - linters:
+      - staticcheck: info
--- a/internal/build/container_ops.go
+++ b/internal/build/container_ops.go
@ -10,12 +10,13 @@ import (

 	"github.com/BurntSushi/toml"
 	"github.com/buildpacks/lifecycle/platform/files"
-	"github.com/docker/docker/api/types"
 	dcontainer "github.com/docker/docker/api/types/container"
-	"github.com/docker/docker/errdefs"
-	darchive "github.com/docker/docker/pkg/archive"
+
+	darchive "github.com/moby/go-archive"
 	"github.com/pkg/errors"

+	cerrdefs "github.com/containerd/errdefs"
+
 	"github.com/buildpacks/pack/internal/builder"
 	"github.com/buildpacks/pack/internal/container"
 	"github.com/buildpacks/pack/internal/paths"
@ -51,7 +52,7 @@ func CopyOutMaybe(handler func(closer io.ReadCloser) error, srcs ...string) Cont
 		for _, src := range srcs {
 			reader, _, err := ctrClient.CopyFromContainer(ctx, containerID, src)
 			if err != nil {
-				if errdefs.IsNotFound(err) {
+				if cerrdefs.IsNotFound(err) {
 					continue
 				}
 				return err
@ -119,7 +120,7 @@ func copyDir(ctx context.Context, ctrClient DockerClient, containerID string, ap
 	doneChan := make(chan interface{})
 	pr, pw := io.Pipe()
 	go func() {
-		clientErr = ctrClient.CopyToContainer(ctx, containerID, "/", pr, types.CopyToContainerOptions{})
+		clientErr = ctrClient.CopyToContainer(ctx, containerID, "/", pr, dcontainer.CopyToContainerOptions{})
 		close(doneChan)
 	}()
 	func() {
@ -182,7 +183,7 @@ func copyDirWindows(ctx context.Context, ctrClient DockerClient, containerID str
 	}
 	defer ctrClient.ContainerRemove(context.Background(), ctr.ID, dcontainer.RemoveOptions{Force: true})

-	err = ctrClient.CopyToContainer(ctx, ctr.ID, "/windows", reader, types.CopyToContainerOptions{})
+	err = ctrClient.CopyToContainer(ctx, ctr.ID, "/windows", reader, dcontainer.CopyToContainerOptions{})
 	if err != nil {
 		return errors.Wrap(err, "copy app to container")
 	}
@ -198,13 +199,13 @@ func copyDirWindows(ctx context.Context, ctrClient DockerClient, containerID str
 	)
 }

-func findMount(info types.ContainerJSON, dst string) (types.MountPoint, error) {
+func findMount(info dcontainer.InspectResponse, dst string) (dcontainer.MountPoint, error) {
 	for _, m := range info.Mounts {
 		if m.Destination == dst {
 			return m, nil
 		}
 	}
-	return types.MountPoint{}, fmt.Errorf("no matching mount found for %s", dst)
+	return dcontainer.MountPoint{}, fmt.Errorf("no matching mount found for %s", dst)
 }

 func writeToml(ctrClient DockerClient, ctx context.Context, data interface{}, dstPath string, containerID string, os string, stdout, stderr io.Writer) error {
@ -230,7 +231,7 @@ func writeToml(ctrClient DockerClient, ctx context.Context, data interface{}, ds
 		return copyDirWindows(ctx, ctrClient, containerID, reader, dirName, stdout, stderr)
 	}

-	return ctrClient.CopyToContainer(ctx, containerID, "/", reader, types.CopyToContainerOptions{})
+	return ctrClient.CopyToContainer(ctx, containerID, "/", reader, dcontainer.CopyToContainerOptions{})
 }

 // WriteProjectMetadata writes a `project-metadata.toml` based on the ProjectMetadata provided to the destination path.
--- a/internal/build/docker.go
+++ b/internal/build/docker.go
@ -19,12 +19,12 @@ type DockerClient interface {
 	ContainerAttach(ctx context.Context, container string, options containertypes.AttachOptions) (types.HijackedResponse, error)
 	ContainerStart(ctx context.Context, container string, options containertypes.StartOptions) error
 	ContainerCreate(ctx context.Context, config *containertypes.Config, hostConfig *containertypes.HostConfig, networkingConfig *networktypes.NetworkingConfig, platform *specs.Platform, containerName string) (containertypes.CreateResponse, error)
-	CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, types.ContainerPathStat, error)
-	ContainerInspect(ctx context.Context, container string) (types.ContainerJSON, error)
+	CopyFromContainer(ctx context.Context, container, srcPath string) (io.ReadCloser, containertypes.PathStat, error)
+	ContainerInspect(ctx context.Context, container string) (containertypes.InspectResponse, error)
 	ContainerRemove(ctx context.Context, container string, options containertypes.RemoveOptions) error
-	CopyToContainer(ctx context.Context, container, path string, content io.Reader, options types.CopyToContainerOptions) error
-	NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error)
+	CopyToContainer(ctx context.Context, container, path string, content io.Reader, options containertypes.CopyToContainerOptions) error
+	NetworkCreate(ctx context.Context, name string, options networktypes.CreateOptions) (networktypes.CreateResponse, error)
 	NetworkRemove(ctx context.Context, network string) error
 }

-var _ DockerClient = dockerClient.CommonAPIClient(nil)
+var _ DockerClient = dockerClient.APIClient(nil)
--- a/internal/build/fakes/fake_builder.go
+++ b/internal/build/fakes/fake_builder.go
@ -117,8 +117,17 @@ func (b *FakeBuilder) RunImages() []builder.RunImageMetadata {
 	return b.ReturnForRunImages
 }

+func (b *FakeBuilder) System() dist.System { return dist.System{} }
+
 func WithBuilder(builder *FakeBuilder) func(*build.LifecycleOptions) {
 	return func(opts *build.LifecycleOptions) {
 		opts.Builder = builder
 	}
 }
+
+// WithEnableUsernsHost creates a LifecycleOptions option that enables userns=host
+func WithEnableUsernsHost() func(*build.LifecycleOptions) {
+	return func(opts *build.LifecycleOptions) {
+		opts.EnableUsernsHost = true
+	}
+}
--- a/internal/build/lifecycle_execution.go
+++ b/internal/build/lifecycle_execution.go
@ -13,7 +13,7 @@ import (
 	"github.com/buildpacks/lifecycle/api"
 	"github.com/buildpacks/lifecycle/auth"
 	"github.com/buildpacks/lifecycle/platform/files"
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/pkg/errors"
 	"golang.org/x/sync/errgroup"
@ -215,7 +215,7 @@ func (l *LifecycleExecution) Run(ctx context.Context, phaseFactoryCreator PhaseF
 			driver = "nat"
 		}
 		networkName := fmt.Sprintf("pack.local-network-%x", randString(10))
-		resp, err := l.docker.NetworkCreate(ctx, networkName, types.NetworkCreate{
+		resp, err := l.docker.NetworkCreate(ctx, networkName, network.CreateOptions{
 			Driver: driver,
 		})
 		if err != nil {
@ -382,6 +382,12 @@ func (l *LifecycleExecution) Create(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@ -539,6 +545,12 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	// for kaniko
 	kanikoCacheBindOp := NullOp()
 	if (l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild()) ||
@ -646,6 +658,12 @@ func (l *LifecycleExecution) Analyze(ctx context.Context, buildCache, launchCach
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	if l.opts.PreviousImage != "" {
 		if l.opts.Image == nil {
 			return errors.New("image can't be nil")
@ -855,6 +873,12 @@ func (l *LifecycleExecution) Export(ctx context.Context, buildCache, launchCache
 		flags = append(flags, "-uid", strconv.Itoa(l.opts.UID))
 	}

+	if l.platformAPI.AtLeast("0.13") {
+		for _, reg := range l.opts.InsecureRegistries {
+			flags = append(flags, "-insecure-registry", reg)
+		}
+	}
+
 	cacheBindOp := NullOp()
 	switch buildCache.Type() {
 	case cache.Image:
--- a/internal/build/lifecycle_execution_test.go
+++ b/internal/build/lifecycle_execution_test.go
@ -16,8 +16,8 @@ import (
 	ifakes "github.com/buildpacks/imgutil/fakes"
 	"github.com/buildpacks/lifecycle/api"
 	"github.com/buildpacks/lifecycle/platform/files"
-	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/client"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/name"
@ -784,7 +784,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 		when("network is not provided", func() {
 			it("creates an ephemeral bridge network", func() {
 				beforeNetworks := func() int {
-					networks, err := docker.NetworkList(context.Background(), types.NetworkListOptions{})
+					networks, err := docker.NetworkList(context.Background(), network.CreateOptions{})
 					h.AssertNil(t, err)
 					return len(networks)
 				}()
@ -813,7 +813,7 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 				}

 				afterNetworks := func() int {
-					networks, err := docker.NetworkList(context.Background(), types.NetworkListOptions{})
+					networks, err := docker.NetworkList(context.Background(), network.CreateOptions{})
 					h.AssertNil(t, err)
 					return len(networks)
 				}()
@ -2703,14 +2703,14 @@ type fakeDockerClient struct {
 	build.DockerClient
 }

-func (f *fakeDockerClient) NetworkList(ctx context.Context, opts types.NetworkListOptions) ([]types.NetworkResource, error) {
-	ret := make([]types.NetworkResource, f.nNetworks)
+func (f *fakeDockerClient) NetworkList(ctx context.Context, opts network.CreateOptions) ([]network.Inspect, error) {
+	ret := make([]network.Inspect, f.nNetworks)
 	return ret, nil
 }

-func (f *fakeDockerClient) NetworkCreate(ctx context.Context, name string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
+func (f *fakeDockerClient) NetworkCreate(ctx context.Context, name string, options network.CreateOptions) (network.CreateResponse, error) {
 	f.nNetworks++
-	return types.NetworkCreateResponse{}, nil
+	return network.CreateResponse{}, nil
 }

 func (f *fakeDockerClient) NetworkRemove(ctx context.Context, network string) error {
--- a/internal/build/lifecycle_executor.go
+++ b/internal/build/lifecycle_executor.go
@ -45,6 +45,7 @@ type Builder interface {
 	RunImages() []builder.RunImageMetadata
 	Image() imgutil.Image
 	OrderExtensions() dist.Order
+	System() dist.System
 }

 type LifecycleExecutor struct {
@ -93,6 +94,7 @@ type LifecycleOptions struct {
 	Network                         string
 	AdditionalTags                  []string
 	Volumes                         []string
+	InsecureRegistries              []string
 	DefaultProcessType              string
 	FileFilter                      func(string) bool
 	Workspace                       string
@ -103,6 +105,7 @@ type LifecycleOptions struct {
 	SBOMDestinationDir              string
 	CreationTime                    *time.Time
 	Keychain                        authn.Keychain
+	EnableUsernsHost                bool
 }

 func NewLifecycleExecutor(logger logging.Logger, docker DockerClient) *LifecycleExecutor {
--- a/internal/build/phase_config_provider.go
+++ b/internal/build/phase_config_provider.go
@ -35,7 +35,9 @@ type PhaseConfigProvider struct {

 func NewPhaseConfigProvider(name string, lifecycleExec *LifecycleExecution, ops ...PhaseConfigProviderOperation) *PhaseConfigProvider {
 	hostConf := new(container.HostConfig)
-	hostConf.UsernsMode = "host"
+	if lifecycleExec.opts.EnableUsernsHost {
+		hostConf.UsernsMode = "host"
+	}
 	if lifecycleExec.os != "windows" {
 		hostConf.SecurityOpt = []string{"no-new-privileges=true"}
 	}
--- a/internal/build/phase_config_provider_test.go
+++ b/internal/build/phase_config_provider_test.go
@ -59,10 +59,24 @@ func testPhaseConfigProvider(t *testing.T, when spec.G, it spec.S) {
 			h.AssertSliceContainsMatch(t, phaseConfigProvider.HostConfig().Binds, "pack-app-.*:/workspace")

 			h.AssertEq(t, phaseConfigProvider.HostConfig().Isolation, container.IsolationEmpty)
-			h.AssertEq(t, phaseConfigProvider.HostConfig().UsernsMode, container.UsernsMode("host"))
+			h.AssertEq(t, phaseConfigProvider.HostConfig().UsernsMode, container.UsernsMode(""))
 			h.AssertSliceContains(t, phaseConfigProvider.HostConfig().SecurityOpt, "no-new-privileges=true")
 		})

+		when("userns-host is enabled", func() {
+			it("sets user namespace mode to host", func() {
+				expectedBuilderImage := ifakes.NewImage("some-builder-name", "", nil)
+				fakeBuilder, err := fakes.NewFakeBuilder(fakes.WithImage(expectedBuilderImage))
+				h.AssertNil(t, err)
+				lifecycle := newTestLifecycleExec(t, false, "some-temp-dir", fakes.WithBuilder(fakeBuilder), fakes.WithEnableUsernsHost())
+				expectedPhaseName := "some-name"
+
+				phaseConfigProvider := build.NewPhaseConfigProvider(expectedPhaseName, lifecycle)
+
+				h.AssertEq(t, phaseConfigProvider.HostConfig().UsernsMode, container.UsernsMode("host"))
+			})
+		})
+
 		when("building for Windows", func() {
 			it("sets process isolation", func() {
 				fakeBuilderImage := ifakes.NewImage("fake-builder", "", nil)
--- a/internal/build/phase_test.go
+++ b/internal/build/phase_test.go
@ -38,7 +38,7 @@ const phaseName = "phase"

 var (
 	repoName  string
-	ctrClient client.CommonAPIClient
+	ctrClient client.APIClient
 )

 // TestPhase is a integration test suite to ensure that the phase options are propagated to the container.
@ -70,7 +70,7 @@ func testPhase(t *testing.T, when spec.G, it spec.S) {
 		lifecycleExec  *build.LifecycleExecution
 		phaseFactory   build.PhaseFactory
 		outBuf, errBuf bytes.Buffer
-		docker         client.CommonAPIClient
+		docker         client.APIClient
 		logger         logging.Logger
 		osType         string
 	)
@ -508,7 +508,7 @@ func assertRunSucceeds(t *testing.T, phase build.RunnerCleaner, outBuf *bytes.Bu
 	h.AssertNilE(t, phase.Cleanup())
 }

-func CreateFakeLifecycleExecution(logger logging.Logger, docker client.CommonAPIClient, appDir string, repoName string, handler ...container.Handler) (*build.LifecycleExecution, error) {
+func CreateFakeLifecycleExecution(logger logging.Logger, docker client.APIClient, appDir string, repoName string, handler ...container.Handler) (*build.LifecycleExecution, error) {
 	builderImage, err := local.NewImage(repoName, docker, local.FromBaseImage(repoName))
 	if err != nil {
 		return nil, err
--- a/internal/builder/builder.go
+++ b/internal/builder/builder.go
@ -42,6 +42,7 @@ const (

 	orderPath          = "/cnb/order.toml"
 	stackPath          = "/cnb/stack.toml"
+	systemPath         = "/cnb/system.toml"
 	runPath            = "/cnb/run.toml"
 	platformDir        = "/platform"
 	lifecycleDir       = "/cnb/lifecycle"
@ -84,6 +85,7 @@ type Builder struct {
 	replaceOrder         bool
 	order                dist.Order
 	orderExtensions      dist.Order
+	system               dist.System
 	validateMixins       bool
 	saveProhibited       bool
 }
@ -93,6 +95,10 @@ type orderTOML struct {
 	OrderExt dist.Order `toml:"order-extensions,omitempty"`
 }

+type systemTOML struct {
+	System dist.System `toml:"system"`
+}
+
 // moduleWithDiffID is a Build Module which content was written on disk in a tar file and the content hash was calculated
 type moduleWithDiffID struct {
 	tarPath string
@ -141,6 +147,11 @@ func constructBuilder(img imgutil.Image, newName string, errOnMissingLabel bool,
 		return nil, fmt.Errorf("builder %s missing label %s -- try recreating builder", style.Symbol(img.Name()), style.Symbol(metadataLabel))
 	}

+	system := dist.System{}
+	if _, err := dist.GetLabel(img, SystemLabel, &system); err != nil {
+		return nil, errors.Wrapf(err, "getting label %s", SystemLabel)
+	}
+
 	opts := &options{}
 	for _, op := range ops {
 		if err := op(opts); err != nil {
@ -182,6 +193,7 @@ func constructBuilder(img imgutil.Image, newName string, errOnMissingLabel bool,
 		additionalBuildpacks: buildpack.NewManagedCollectionV2(opts.toFlatten),
 		additionalExtensions: buildpack.NewManagedCollectionV2(opts.toFlatten),
 		saveProhibited:       opts.saveProhibited,
+		system:               system,
 	}

 	if err := addImgLabelsToBuildr(bldr); err != nil {
@ -303,6 +315,9 @@ func (b *Builder) Stack() StackMetadata {
 	return b.metadata.Stack
 }

+// System returns the system buildpacks configuration
+func (b *Builder) System() dist.System { return b.system }
+
 // RunImages returns all run image metadata
 func (b *Builder) RunImages() []RunImageMetadata {
 	return append(b.metadata.RunImages, b.Stack().RunImage)
@ -425,6 +440,11 @@ func (b *Builder) SetStack(stackConfig builder.StackConfig) {
 	}
 }

+// SetSystem sets the system buildpacks of the builder
+func (b *Builder) SetSystem(system dist.System) {
+	b.system = system
+}
+
 // SetRunImage sets the run image of the builder
 func (b *Builder) SetRunImage(runConfig builder.RunConfig) {
 	var runImages []RunImageMetadata
@ -443,7 +463,7 @@ func (b *Builder) SetValidateMixins(to bool) {
 }

 // Save saves the builder
-func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata) error {
+func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata, additionalTags ...string) error {
 	if b.saveProhibited {
 		return fmt.Errorf("failed to save builder %s as saving is not allowed", b.Name())
 	}
@ -555,6 +575,24 @@ func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata) e
 		}
 	}

+	if len(b.system.Pre.Buildpacks) > 0 || len(b.system.Post.Buildpacks) > 0 {
+		resolvedSystemBp, err := processSystem(b.metadata.Buildpacks, b.system, buildpack.KindBuildpack)
+		if err != nil {
+			return errors.Wrap(err, "processing system buildpacks")
+		}
+
+		systemTar, err := b.systemLayer(resolvedSystemBp, tmpDir)
+		if err != nil {
+			return err
+		}
+		if err := b.image.AddLayer(systemTar); err != nil {
+			return errors.Wrap(err, "adding system.tar layer")
+		}
+		if err := dist.SetLabel(b.image, SystemLabel, b.system); err != nil {
+			return err
+		}
+	}
+
 	stackTar, err := b.stackLayer(tmpDir)
 	if err != nil {
 		return err
@ -614,7 +652,10 @@ func (b *Builder) Save(logger logging.Logger, creatorMetadata CreatorMetadata) e
 		return errors.Wrap(err, "failed to set working dir")
 	}

-	return b.image.Save()
+	logger.Debugf("Builder creation completed, starting image save")
+	err = b.image.Save(additionalTags...)
+	logger.Debugf("Image save completed")
+	return err
 }

 // Helpers
@ -766,6 +807,36 @@ func processOrder(modulesOnBuilder []dist.ModuleInfo, order dist.Order, kind str
 	return resolved, nil
 }

+func processSystem(modulesOnBuilder []dist.ModuleInfo, system dist.System, kind string) (dist.System, error) {
+	resolved := dist.System{}
+
+	// Pre buildpacks
+	for _, bp := range system.Pre.Buildpacks {
+		var (
+			ref dist.ModuleRef
+			err error
+		)
+		if ref, err = resolveRef(modulesOnBuilder, bp, kind); err != nil {
+			return dist.System{}, err
+		}
+		resolved.Pre.Buildpacks = append(resolved.Pre.Buildpacks, ref)
+	}
+
+	// Post buildpacks
+	for _, bp := range system.Post.Buildpacks {
+		var (
+			ref dist.ModuleRef
+			err error
+		)
+		if ref, err = resolveRef(modulesOnBuilder, bp, kind); err != nil {
+			return dist.System{}, err
+		}
+		resolved.Post.Buildpacks = append(resolved.Post.Buildpacks, ref)
+	}
+
+	return resolved, nil
+}
+
 func resolveRef(moduleList []dist.ModuleInfo, ref dist.ModuleRef, kind string) (dist.ModuleRef, error) {
 	var matching []dist.ModuleInfo
 	for _, bp := range moduleList {
@ -1093,6 +1164,29 @@ func orderFileContents(order dist.Order, orderExt dist.Order) (string, error) {
 	return buf.String(), nil
 }

+func (b *Builder) systemLayer(system dist.System, dest string) (string, error) {
+	contents, err := systemFileContents(system)
+	if err != nil {
+		return "", err
+	}
+	layerTar := filepath.Join(dest, "system.tar")
+	err = layer.CreateSingleFileTar(layerTar, systemPath, contents, b.layerWriterFactory)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to create system.toml layer tar")
+	}
+
+	return layerTar, nil
+}
+
+func systemFileContents(system dist.System) (string, error) {
+	buf := &bytes.Buffer{}
+	tomlData := systemTOML{System: system}
+	if err := toml.NewEncoder(buf).Encode(tomlData); err != nil {
+		return "", errors.Wrapf(err, "failed to marshal system.toml")
+	}
+	return buf.String(), nil
+}
+
 func (b *Builder) stackLayer(dest string) (string, error) {
 	buf := &bytes.Buffer{}
 	var err error
--- a/internal/builder/builder_test.go
+++ b/internal/builder/builder_test.go
@ -10,6 +10,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strings"
 	"testing"

@ -460,6 +461,18 @@ func testBuilder(t *testing.T, when spec.G, it spec.S) {
 				h.AssertOnTarEntry(t, layerTar, "/cnb/order.toml", h.ContentEquals("some content"))
 			})

+			it("adds additional tags as requested", func() {
+				h.AssertNil(t, subject.Save(logger, builder.CreatorMetadata{}, "additional-tag-one", "additional-tag-two"))
+				h.AssertEq(t, baseImage.IsSaved(), true)
+				h.AssertEq(t, baseImage.Name(), "some/builder")
+				savedNames := baseImage.SavedNames()
+				slices.Sort(savedNames)
+				h.AssertEq(t, 3, len(savedNames))
+				h.AssertEq(t, "additional-tag-one", savedNames[0])
+				h.AssertEq(t, "additional-tag-two", savedNames[1])
+				h.AssertEq(t, "some/builder", savedNames[2])
+			})
+
 			when("validating order", func() {
 				it.Before(func() {
 					subject.SetLifecycle(mockLifecycle)
@ -920,8 +933,35 @@ func testBuilder(t *testing.T, when spec.G, it spec.S) {
 					h.AssertTrue(t, strings.Contains(layers[2], h.LayerFileName(ext2v1)))
 				})
 			})
-		})

+			when("system buildpacks", func() {
+				it.Before(func() {
+					subject.SetLifecycle(mockLifecycle)
+					subject.AddBuildpack(bp1v1)
+					subject.SetSystem(dist.System{
+						Pre: dist.SystemBuildpacks{
+							Buildpacks: []dist.ModuleRef{
+								{ModuleInfo: dist.ModuleInfo{ID: bp1v1.Descriptor().Info().ID}}},
+						},
+					})
+				})
+
+				it("should write system buildpacks to system.toml)", func() {
+					err := subject.Save(logger, builder.CreatorMetadata{})
+					h.AssertNil(t, err)
+
+					layerTar, err := baseImage.FindLayerWithPath("/cnb/system.toml")
+					h.AssertNil(t, err)
+					h.AssertOnTarEntry(t, layerTar, "/cnb/system.toml", h.ContentEquals(`[system]
+  [system.pre]
+
+    [[system.pre.buildpacks]]
+      id = "buildpack-1-id"
+      version = "buildpack-1-version-1"
+`))
+				})
+			})
+		})
 		when("#SetLifecycle", func() {
 			it.Before(func() {
 				h.AssertNil(t, subject.Save(logger, builder.CreatorMetadata{}))
--- a/internal/builder/lifecycle.go
+++ b/internal/builder/lifecycle.go
@ -12,10 +12,9 @@ import (
 	"github.com/buildpacks/pack/pkg/archive"
 )

-// A snapshot of the latest tested lifecycle version values
+// DefaultLifecycleVersion A snapshot of the latest tested lifecycle version values
 const (
-	DefaultLifecycleVersion    = "0.20.0"
-	DefaultBuildpackAPIVersion = "0.2"
+	DefaultLifecycleVersion = "0.20.11"
 )

 // Blob is an interface to wrap opening blobs
--- a/internal/builder/metadata.go
+++ b/internal/builder/metadata.go
@ -5,6 +5,7 @@ import "github.com/buildpacks/pack/pkg/dist"
 const (
 	OrderLabel           = "io.buildpacks.buildpack.order"
 	OrderExtensionsLabel = "io.buildpacks.buildpack.order-extensions"
+	SystemLabel          = "io.buildpacks.buildpack.system"
 )

 type Metadata struct {
--- a/internal/builder/trusted_builder.go
+++ b/internal/builder/trusted_builder.go
@ -1,5 +1,11 @@
 package builder

+import (
+	"github.com/google/go-containerregistry/pkg/name"
+
+	"github.com/buildpacks/pack/internal/config"
+)
+
 type KnownBuilder struct {
 	Vendor             string
 	Image              string
@ -65,13 +71,43 @@ var KnownBuilders = []KnownBuilder{
 		Suggested:          true,
 		Trusted:            true,
 	},
+	{
+		Vendor:             "Paketo Buildpacks",
+		Image:              "paketobuildpacks/builder-ubi8-base",
+		DefaultDescription: "Universal Base Image (RHEL8) with buildpacks to build Node.js or Java runtimes. Support also the new extension feature (aka apply Dockerfile)",
+		Suggested:          true,
+		Trusted:            true,
+	},
 }

-var IsKnownTrustedBuilder = func(b string) bool {
+func IsKnownTrustedBuilder(builderName string) bool {
 	for _, knownBuilder := range KnownBuilders {
-		if b == knownBuilder.Image && knownBuilder.Trusted {
+		if builderName == knownBuilder.Image && knownBuilder.Trusted {
 			return true
 		}
 	}
 	return false
 }
+
+func IsTrustedBuilder(cfg config.Config, builderName string) (bool, error) {
+	builderReference, err := name.ParseReference(builderName, name.WithDefaultTag(""))
+	if err != nil {
+		return false, err
+	}
+	for _, trustedBuilder := range cfg.TrustedBuilders {
+		trustedBuilderReference, err := name.ParseReference(trustedBuilder.Name, name.WithDefaultTag(""))
+		if err != nil {
+			return false, err
+		}
+		if trustedBuilderReference.Identifier() != "" {
+			if builderReference.Name() == trustedBuilderReference.Name() {
+				return true, nil
+			}
+		} else {
+			if builderReference.Context().RepositoryStr() == trustedBuilderReference.Context().RepositoryStr() {
+				return true, nil
+			}
+		}
+	}
+	return false, nil
+}
--- a/internal/builder/trusted_builder_test.go
+++ b/internal/builder/trusted_builder_test.go
@ -0,0 +1,102 @@
+package builder_test
+
+import (
+	"testing"
+
+	"github.com/heroku/color"
+	"github.com/sclevine/spec"
+	"github.com/sclevine/spec/report"
+
+	bldr "github.com/buildpacks/pack/internal/builder"
+	"github.com/buildpacks/pack/internal/config"
+
+	h "github.com/buildpacks/pack/testhelpers"
+)
+
+func TestTrustedBuilder(t *testing.T) {
+	color.Disable(true)
+	defer color.Disable(false)
+	spec.Run(t, "Trusted Builder", trustedBuilder, spec.Parallel(), spec.Report(report.Terminal{}))
+}
+
+func trustedBuilder(t *testing.T, when spec.G, it spec.S) {
+	when("IsKnownTrustedBuilder", func() {
+		it("matches exactly", func() {
+			h.AssertTrue(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base"))
+			h.AssertFalse(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base:latest"))
+			h.AssertFalse(t, bldr.IsKnownTrustedBuilder("paketobuildpacks/builder-jammy-base:1.2.3"))
+			h.AssertFalse(t, bldr.IsKnownTrustedBuilder("my/private/builder"))
+		})
+	})
+
+	when("IsTrustedBuilder", func() {
+		it("trust image without tag", func() {
+			cfg := config.Config{
+				TrustedBuilders: []config.TrustedBuilder{
+					{
+						Name: "my/trusted/builder-jammy",
+					},
+				},
+			}
+
+			trustedBuilders := []string{
+				"my/trusted/builder-jammy",
+				"my/trusted/builder-jammy:latest",
+				"my/trusted/builder-jammy:1.2.3",
+			}
+
+			untrustedBuilders := []string{
+				"my/private/builder",            // random builder
+				"my/trusted/builder-jammy-base", // shared prefix
+			}
+
+			for _, builder := range trustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertTrue(t, isTrusted)
+			}
+
+			for _, builder := range untrustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertFalse(t, isTrusted)
+			}
+		})
+		it("trust image with tag", func() {
+			cfg := config.Config{
+				TrustedBuilders: []config.TrustedBuilder{
+					{
+						Name: "my/trusted/builder-jammy:1.2.3",
+					},
+					{
+						Name: "my/trusted/builder-jammy:latest",
+					},
+				},
+			}
+
+			trustedBuilders := []string{
+				"my/trusted/builder-jammy:1.2.3",
+				"my/trusted/builder-jammy:latest",
+			}
+
+			untrustedBuilders := []string{
+				"my/private/builder",
+				"my/trusted/builder-jammy",
+				"my/trusted/builder-jammy:2.0.0",
+				"my/trusted/builder-jammy-base",
+			}
+
+			for _, builder := range trustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertTrue(t, isTrusted)
+			}
+
+			for _, builder := range untrustedBuilders {
+				isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+				h.AssertNil(t, err)
+				h.AssertFalse(t, isTrusted)
+			}
+		})
+	})
+}
--- a/internal/builder/version.go
+++ b/internal/builder/version.go
@ -31,7 +31,7 @@ func (v *Version) Equal(other *Version) bool {

 // MarshalText makes Version satisfy the encoding.TextMarshaler interface.
 func (v *Version) MarshalText() ([]byte, error) {
-	return []byte(v.Version.Original()), nil
+	return []byte(v.Original()), nil
 }

 // UnmarshalText makes Version satisfy the encoding.TextUnmarshaler interface.
--- a/internal/commands/build.go
+++ b/internal/commands/build.go
@ -8,14 +8,15 @@ import (
 	"strings"
 	"time"

-	"github.com/buildpacks/pack/pkg/cache"
-
 	"github.com/google/go-containerregistry/pkg/name"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"

+	bldr "github.com/buildpacks/pack/internal/builder"
+
 	"github.com/buildpacks/pack/internal/config"
 	"github.com/buildpacks/pack/internal/style"
+	"github.com/buildpacks/pack/pkg/cache"
 	"github.com/buildpacks/pack/pkg/client"
 	"github.com/buildpacks/pack/pkg/image"
 	"github.com/buildpacks/pack/pkg/logging"
@ -24,40 +25,43 @@ import (
 )

 type BuildFlags struct {
-	Publish              bool
-	ClearCache           bool
-	TrustBuilder         bool
-	TrustExtraBuildpacks bool
-	Interactive          bool
-	Sparse               bool
-	DockerHost           string
-	CacheImage           string
-	Cache                cache.CacheOpts
-	AppPath              string
-	Builder              string
-	Registry             string
-	RunImage             string
-	Platform             string
-	Policy               string
-	Network              string
-	DescriptorPath       string
-	DefaultProcessType   string
-	LifecycleImage       string
-	Env                  []string
-	EnvFiles             []string
-	Buildpacks           []string
-	Extensions           []string
-	Volumes              []string
-	AdditionalTags       []string
-	Workspace            string
-	GID                  int
-	UID                  int
-	PreviousImage        string
-	SBOMDestinationDir   string
-	ReportDestinationDir string
-	DateTime             string
-	PreBuildpacks        []string
-	PostBuildpacks       []string
+	Publish                bool
+	ClearCache             bool
+	DisableSystemBuilpacks bool
+	TrustBuilder           bool
+	TrustExtraBuildpacks   bool
+	Interactive            bool
+	Sparse                 bool
+	EnableUsernsHost       bool
+	DockerHost             string
+	CacheImage             string
+	Cache                  cache.CacheOpts
+	AppPath                string
+	Builder                string
+	Registry               string
+	RunImage               string
+	Platform               string
+	Policy                 string
+	Network                string
+	DescriptorPath         string
+	DefaultProcessType     string
+	LifecycleImage         string
+	Env                    []string
+	EnvFiles               []string
+	Buildpacks             []string
+	Extensions             []string
+	Volumes                []string
+	AdditionalTags         []string
+	Workspace              string
+	GID                    int
+	UID                    int
+	PreviousImage          string
+	SBOMDestinationDir     string
+	ReportDestinationDir   string
+	DateTime               string
+	PreBuildpacks          []string
+	PostBuildpacks         []string
+	InsecureRegistries     []string
 }

 // Build an image from source code
@ -111,7 +115,11 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 				return err
 			}

-			trustBuilder := isTrustedBuilder(cfg, builder) || flags.TrustBuilder
+			isTrusted, err := bldr.IsTrustedBuilder(cfg, builder)
+			if err != nil {
+				return err
+			}
+			trustBuilder := isTrusted || bldr.IsKnownTrustedBuilder(builder) || flags.TrustBuilder
 			if trustBuilder {
 				logger.Debugf("Builder %s is trusted", style.Symbol(builder))
 				if flags.LifecycleImage != "" {
@ -204,12 +212,15 @@ func Build(logger logging.Logger, cfg config.Config, packClient PackClient) *cob
 				CreationTime:             dateTime,
 				PreBuildpacks:            flags.PreBuildpacks,
 				PostBuildpacks:           flags.PostBuildpacks,
+				DisableSystemBuildpacks:  flags.DisableSystemBuilpacks,
+				EnableUsernsHost:         flags.EnableUsernsHost,
 				LayoutConfig: &client.LayoutConfig{
 					Sparse:             flags.Sparse,
 					InputImage:         inputImageName,
 					PreviousInputImage: inputPreviousImage,
 					LayoutRepoDir:      cfg.LayoutRepositoryDir,
 				},
+				InsecureRegistries: flags.InsecureRegistries,
 			}); err != nil {
 				return errors.Wrap(err, "failed to build")
 			}
@ -243,6 +254,7 @@ func buildCommandFlags(cmd *cobra.Command, buildFlags *BuildFlags, cfg config.Co
 	cmd.Flags().StringVarP(&buildFlags.AppPath, "path", "p", "", "Path to app dir or zip-formatted file (defaults to current working directory)")
 	cmd.Flags().StringSliceVarP(&buildFlags.Buildpacks, "buildpack", "b", nil, "Buildpack to use. One of:\n  a buildpack by id and version in the form of '<buildpack>@<version>',\n  path to a buildpack directory (not supported on Windows),\n  path/URL to a buildpack .tar or .tgz file, or\n  a packaged buildpack image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("buildpack"))
 	cmd.Flags().StringSliceVarP(&buildFlags.Extensions, "extension", "", nil, "Extension to use. One of:\n  an extension by id and version in the form of '<extension>@<version>',\n  path to an extension directory (not supported on Windows),\n  path/URL to an extension .tar or .tgz file, or\n  a packaged extension image name in the form of '<hostname>/<repo>[:<tag>]'"+stringSliceHelp("extension"))
+	cmd.Flags().StringArrayVar(&buildFlags.InsecureRegistries, "insecure-registry", []string{}, "List of insecure registries (only available for API >= 0.13)")
 	cmd.Flags().StringVarP(&buildFlags.Builder, "builder", "B", cfg.DefaultBuilder, "Builder image")
 	cmd.Flags().Var(&buildFlags.Cache, "cache",
 		`Cache options used to define cache techniques for build process.
@ -256,6 +268,7 @@ func buildCommandFlags(cmd *cobra.Command, buildFlags *BuildFlags, cfg config.Co
 	cmd.Flags().StringVar(&buildFlags.DateTime, "creation-time", "", "Desired create time in the output image config. Accepted values are Unix timestamps (e.g., '1641013200'), or 'now'. Platform API version must be at least 0.9 to use this feature.")
 	cmd.Flags().StringVarP(&buildFlags.DescriptorPath, "descriptor", "d", "", "Path to the project descriptor file")
 	cmd.Flags().StringVarP(&buildFlags.DefaultProcessType, "default-process", "D", "", `Set the default process type. (default "web")`)
+	cmd.Flags().BoolVar(&buildFlags.DisableSystemBuilpacks, "disable-system-buildpacks", false, "Disable System Buildpacks")
 	cmd.Flags().StringArrayVarP(&buildFlags.Env, "env", "e", []string{}, "Build-time environment variable, in the form 'VAR=VALUE' or 'VAR'.\nWhen using latter value-less form, value will be taken from current\n  environment at the time this command is executed.\nThis flag may be specified multiple times and will override\n  individual values defined by --env-file."+stringArrayHelp("env")+"\nNOTE: These are NOT available at image runtime.")
 	cmd.Flags().StringArrayVar(&buildFlags.EnvFiles, "env-file", []string{}, "Build-time environment variables file\nOne variable per line, of the form 'VAR=VALUE' or 'VAR'\nWhen using latter value-less form, value will be taken from current\n  environment at the time this command is executed\nNOTE: These are NOT available at image runtime.\"")
 	cmd.Flags().StringVar(&buildFlags.Network, "network", "", "Connect detect and build containers to network")
@ -285,6 +298,7 @@ This option may set DOCKER_HOST environment variable for the build container if
 	cmd.Flags().StringVar(&buildFlags.ReportDestinationDir, "report-output-dir", "", "Path to export build report.toml.\nOmitting the flag yield no report file.")
 	cmd.Flags().BoolVar(&buildFlags.Interactive, "interactive", false, "Launch a terminal UI to depict the build process")
 	cmd.Flags().BoolVar(&buildFlags.Sparse, "sparse", false, "Use this flag to avoid saving on disk the run-image layers when the application image is exported to OCI layout format")
+	cmd.Flags().BoolVar(&buildFlags.EnableUsernsHost, "userns-host", false, "Enable user namespace isolation for the build containers")
 	if !cfg.Experimental {
 		cmd.Flags().MarkHidden("interactive")
 		cmd.Flags().MarkHidden("sparse")
@ -328,6 +342,11 @@ func validateBuildFlags(flags *BuildFlags, cfg config.Config, inputImageRef clie
 		return client.NewExperimentError("Exporting to OCI layout is currently experimental.")
 	}

+	if _, err := os.Stat(inputImageRef.Name()); err == nil && flags.AppPath == "" {
+		logger.Warnf("You are building an image named '%s'. If you mean it as an app directory path, run 'pack build <args> --path %s'",
+			inputImageRef.Name(), inputImageRef.Name())
+	}
+
 	return nil
 }

@ -432,7 +451,12 @@ func isForbiddenTag(cfg config.Config, input, lifecycle, builder string) error {
 		}
 	}

-	if inputImage.Context().RepositoryStr() == config.DefaultLifecycleImageRepo {
+	defaultLifecycleImageRef, err := name.ParseReference(config.DefaultLifecycleImageRepo)
+	if err != nil {
+		return errors.Wrapf(err, "parsing default lifecycle image %s", config.DefaultLifecycleImageRepo)
+	}
+
+	if inputImage.Context().RepositoryStr() == defaultLifecycleImageRef.Context().RepositoryStr() {
 		return fmt.Errorf("name must not match default lifecycle image name")
 	}

--- a/internal/commands/build_test.go
+++ b/internal/commands/build_test.go
@ -17,11 +17,10 @@ import (
 	"github.com/sclevine/spec/report"
 	"github.com/spf13/cobra"

-	"github.com/buildpacks/pack/internal/paths"
-
 	"github.com/buildpacks/pack/internal/commands"
 	"github.com/buildpacks/pack/internal/commands/testmocks"
 	"github.com/buildpacks/pack/internal/config"
+	"github.com/buildpacks/pack/internal/paths"
 	"github.com/buildpacks/pack/pkg/client"
 	"github.com/buildpacks/pack/pkg/image"
 	"github.com/buildpacks/pack/pkg/logging"
@ -165,6 +164,13 @@ func testBuildCommand(t *testing.T, when spec.G, it spec.S) {
 					h.AssertNotNil(t, command.Execute())
 					h.AssertContains(t, outBuf.String(), "name must not match default lifecycle image name")
 				})
+
+				it("refuses to build when using fully qualified name", func() {
+					logger.WantVerbose(true)
+					command.SetArgs([]string{"docker.io/buildpacksio/lifecycle:test", "--builder", "test", "--trust-builder"})
+					h.AssertNotNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "name must not match default lifecycle image name")
+				})
 			})

 			when("the builder is not trusted", func() {
@ -931,6 +937,43 @@ builder = "my-builder"
 			})
 		})

+		when("path to app dir or zip-formatted file is provided", func() {
+			it("builds with the specified path", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithPath("my-source")).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--path", "my-source"})
+				h.AssertNil(t, command.Execute())
+			})
+		})
+
+		when("a local path with the same string as the specified image name exists", func() {
+			when("an app path is specified", func() {
+				it("doesn't warn that the positional argument will not be treated as the source path", func() {
+					mockClient.EXPECT().
+						Build(gomock.Any(), EqBuildOptionsWithImage("my-builder", "testdata")).
+						Return(nil)
+
+					command.SetArgs([]string{"testdata", "--builder", "my-builder", "--path", "my-source"})
+					h.AssertNil(t, command.Execute())
+					h.AssertNotContainsMatch(t, outBuf.String(), `Warning: You are building an image named '([^']+)'\. If you mean it as an app directory path, run 'pack build <args> --path ([^']+)'`)
+				})
+			})
+
+			when("no app path is specified", func() {
+				it("warns that the positional argument will not be treated as the source path", func() {
+					mockClient.EXPECT().
+						Build(gomock.Any(), EqBuildOptionsWithImage("my-builder", "testdata")).
+						Return(nil)
+
+					command.SetArgs([]string{"testdata", "--builder", "my-builder"})
+					h.AssertNil(t, command.Execute())
+					h.AssertContains(t, outBuf.String(), "Warning: You are building an image named 'testdata'. If you mean it as an app directory path, run 'pack build <args> --path testdata'")
+				})
+			})
+		})
+
 		when("export to OCI layout is expected but experimental isn't set in the config", func() {
 			it("errors with a descriptive message", func() {
 				command.SetArgs([]string{"oci:image", "--builder", "my-builder"})
@ -939,6 +982,31 @@ builder = "my-builder"
 				h.AssertError(t, err, "Exporting to OCI layout is currently experimental.")
 			})
 		})
+
+		when("--insecure-registry is provided", func() {
+			it("sets one insecure registry", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithInsecureRegistries([]string{
+						"foo.bar",
+					})).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--insecure-registry", "foo.bar"})
+				h.AssertNil(t, command.Execute())
+			})
+
+			it("sets more than one insecure registry", func() {
+				mockClient.EXPECT().
+					Build(gomock.Any(), EqBuildOptionsWithInsecureRegistries([]string{
+						"foo.bar",
+						"foo.com",
+					})).
+					Return(nil)
+
+				command.SetArgs([]string{"image", "--builder", "my-builder", "--insecure-registry", "foo.bar", "--insecure-registry", "foo.com"})
+				h.AssertNil(t, command.Execute())
+			})
+		})
 	})

 	when("export to OCI layout is expected", func() {
@ -1175,6 +1243,15 @@ func EqBuildOptionsWithDateTime(t *time.Time) interface{} {
 	}
 }

+func EqBuildOptionsWithPath(path string) interface{} {
+	return buildOptionsMatcher{
+		description: fmt.Sprintf("AppPath=%s", path),
+		equals: func(o client.BuildOptions) bool {
+			return o.AppPath == path
+		},
+	}
+}
+
 func EqBuildOptionsWithLayoutConfig(image, previousImage string, sparse bool, layoutDir string) interface{} {
 	return buildOptionsMatcher{
 		description: fmt.Sprintf("image=%s, previous-image=%s, sparse=%t, layout-dir=%s", image, previousImage, sparse, layoutDir),
@ -1191,6 +1268,18 @@ func EqBuildOptionsWithLayoutConfig(image, previousImage string, sparse bool, la
 	}
 }

+func EqBuildOptionsWithInsecureRegistries(insecureRegistries []string) gomock.Matcher {
+	return buildOptionsMatcher{
+		description: fmt.Sprintf("Insercure Registries=%s", insecureRegistries),
+		equals: func(o client.BuildOptions) bool {
+			if len(o.InsecureRegistries) != len(insecureRegistries) {
+				return false
+			}
+			return reflect.DeepEqual(o.InsecureRegistries, insecureRegistries)
+		},
+	}
+}
+
 type buildOptionsMatcher struct {
 	equals      func(client.BuildOptions) bool
 	description string
--- a/internal/commands/builder_create.go
+++ b/internal/commands/builder_create.go
@ -2,6 +2,7 @@ package commands

 import (
 	"fmt"
+	"os"
 	"path/filepath"

 	"github.com/pkg/errors"
@ -18,13 +19,15 @@ import (

 // BuilderCreateFlags define flags provided to the CreateBuilder command
 type BuilderCreateFlags struct {
-	Publish         bool
-	BuilderTomlPath string
-	Registry        string
-	Policy          string
-	Flatten         []string
-	Targets         []string
-	Label           map[string]string
+	Publish               bool
+	AppendImageNameSuffix bool
+	BuilderTomlPath       string
+	Registry              string
+	Policy                string
+	Flatten               []string
+	Targets               []string
+	Label                 map[string]string
+	AdditionalTags        []string
 }

 // CreateBuilder creates a builder image, based on a builder config
@ -97,18 +100,39 @@ Creating a custom builder allows you to control what buildpacks are used and wha
 				logger.Infof("Pro tip: use --targets flag OR [[targets]] in builder.toml to specify the desired platform")
 			}

+			if !flags.Publish && flags.AppendImageNameSuffix {
+				logger.Warnf("--append-image-name-suffix will be ignored, use combined with --publish")
+			}
+
+			// Create temporary directory for lifecycle downloads when using Docker images
+			var tempDir string
+			if hasDockerLifecycle(builderConfig) {
+				tempDir, err = os.MkdirTemp("", "pack-builder-*")
+				if err != nil {
+					return errors.Wrap(err, "creating temporary directory")
+				}
+				defer func() {
+					if cleanupErr := os.RemoveAll(tempDir); cleanupErr != nil {
+						logger.Debugf("Failed to clean up temporary directory %s: %v", tempDir, cleanupErr)
+					}
+				}()
+			}
+
 			imageName := args[0]
 			if err := pack.CreateBuilder(cmd.Context(), client.CreateBuilderOptions{
-				RelativeBaseDir: relativeBaseDir,
-				BuildConfigEnv:  envMap,
-				BuilderName:     imageName,
-				Config:          builderConfig,
-				Publish:         flags.Publish,
-				Registry:        flags.Registry,
-				PullPolicy:      pullPolicy,
-				Flatten:         toFlatten,
-				Labels:          flags.Label,
-				Targets:         multiArchCfg.Targets(),
+				RelativeBaseDir:       relativeBaseDir,
+				BuildConfigEnv:        envMap,
+				BuilderName:           imageName,
+				Config:                builderConfig,
+				Publish:               flags.Publish,
+				AppendImageNameSuffix: flags.AppendImageNameSuffix && flags.Publish,
+				Registry:              flags.Registry,
+				PullPolicy:            pullPolicy,
+				Flatten:               toFlatten,
+				Labels:                flags.Label,
+				Targets:               multiArchCfg.Targets(),
+				TempDirectory:         tempDir,
+				AdditionalTags:        flags.AdditionalTags,
 			}); err != nil {
 				return err
 			}
@ -124,6 +148,7 @@ Creating a custom builder allows you to control what buildpacks are used and wha
 	}
 	cmd.Flags().StringVarP(&flags.BuilderTomlPath, "config", "c", "", "Path to builder TOML file (required)")
 	cmd.Flags().BoolVar(&flags.Publish, "publish", false, "Publish the builder directly to the container registry specified in <image-name>, instead of the daemon.")
+	cmd.Flags().BoolVar(&flags.AppendImageNameSuffix, "append-image-name-suffix", false, "Append an [os]-[arch] suffix to intermediate image tags when creating a multi-arch image; useful when publishing to a registry that doesn't allow overwriting existing tags")
 	cmd.Flags().StringVar(&flags.Policy, "pull-policy", "", "Pull policy to use. Accepted values are always, never, and if-not-present. The default is always")
 	cmd.Flags().StringArrayVar(&flags.Flatten, "flatten", nil, "List of buildpacks to flatten together into a single layer (format: '<buildpack-id>@<buildpack-version>,<buildpack-id>@<buildpack-version>'")
 	cmd.Flags().StringToStringVarP(&flags.Label, "label", "l", nil, "Labels to add to the builder image, in the form of '<name>=<value>'")
@ -133,6 +158,7 @@ Creating a custom builder allows you to control what buildpacks are used and wha
 - To specify the distribution version: '--target "linux/arm/v6:ubuntu@14.04"'
 - To specify multiple distribution versions: '--target "linux/arm/v6:ubuntu@14.04"  --target "linux/arm/v6:ubuntu@16.04"'
 	`)
+	cmd.Flags().StringSliceVarP(&flags.AdditionalTags, "tag", "", nil, "Additional tags to push the output image to.\nTags should be in the format 'image:tag' or 'repository/image:tag'."+stringSliceHelp("tag"))

 	AddHelpFlag(cmd, "create")
 	return cmd
@ -142,6 +168,10 @@ func hasExtensions(builderConfig builder.Config) bool {
 	return len(builderConfig.Extensions) > 0 || len(builderConfig.OrderExtensions) > 0
 }

+func hasDockerLifecycle(builderConfig builder.Config) bool {
+	return buildpack.HasDockerLocator(builderConfig.Lifecycle.URI)
+}
+
 func validateCreateFlags(flags *BuilderCreateFlags, cfg config.Config) error {
 	if flags.Publish && flags.Policy == image.PullNever.String() {
 		return errors.Errorf("--publish and --pull-policy never cannot be used together. The --publish flag requires the use of remote images.")
--- a/internal/commands/builder_inspect.go
+++ b/internal/commands/builder_inspect.go
@ -8,6 +8,8 @@ import (
 	"github.com/buildpacks/pack/internal/config"
 	"github.com/buildpacks/pack/pkg/client"
 	"github.com/buildpacks/pack/pkg/logging"
+
+	bldr "github.com/buildpacks/pack/internal/builder"
 )

 type BuilderInspector interface {
@ -61,10 +63,15 @@ func inspectBuilder(
 	inspector BuilderInspector,
 	writerFactory writer.BuilderWriterFactory,
 ) error {
+	isTrusted, err := bldr.IsTrustedBuilder(cfg, imageName)
+	if err != nil {
+		return err
+	}
+
 	builderInfo := writer.SharedBuilderInfo{
 		Name:      imageName,
 		IsDefault: imageName == cfg.DefaultBuilder,
-		Trusted:   isTrustedBuilder(cfg, imageName),
+		Trusted:   isTrusted,
 	}

 	localInfo, localErr := inspector.InspectBuilder(imageName, true, client.WithDetectionOrderDepth(flags.Depth))
--- a/internal/commands/buildpack_new.go
+++ b/internal/commands/buildpack_new.go
@ -104,7 +104,7 @@ func BuildpackNew(logger logging.Logger, creator BuildpackCreator) *cobra.Comman
 	cmd.Flags().StringSliceVarP(&flags.Stacks, "stacks", "s", nil, "Stack(s) this buildpack will be compatible with"+stringSliceHelp("stack"))
 	cmd.Flags().MarkDeprecated("stacks", "prefer `--targets` instead: https://github.com/buildpacks/rfcs/blob/main/text/0096-remove-stacks-mixins.md")
 	cmd.Flags().StringSliceVarP(&flags.Targets, "targets", "t", nil,
-		`Targets are the list platforms that one targeting, these are generated as part of scaffolding inside buildpack.toml file. one can provide target platforms in format [os][/arch][/variant]:[distroname@osversion@anotherversion];[distroname@osversion]
+		`Targets are of the form 'os/arch/variant', for example 'linux/amd64' or 'linux/arm64/v9'. The full format for targets follows the form [os][/arch][/variant]:[distroname@osversion@anotherversion];[distroname@osversion]
 	- Base case for two different architectures :  '--targets "linux/amd64" --targets "linux/arm64"'
 	- case for distribution version: '--targets "windows/amd64:windows-nano@10.0.19041.1415"'
 	- case for different architecture with distributed versions : '--targets "linux/arm/v6:ubuntu@14.04"  --targets "linux/arm/v6:ubuntu@16.04"'
--- a/internal/commands/buildpack_package.go
+++ b/internal/commands/buildpack_package.go
@ -20,16 +20,18 @@ import (

 // BuildpackPackageFlags define flags provided to the BuildpackPackage command
 type BuildpackPackageFlags struct {
-	PackageTomlPath   string
-	Format            string
-	Policy            string
-	BuildpackRegistry string
-	Path              string
-	FlattenExclude    []string
-	Targets           []string
-	Label             map[string]string
-	Publish           bool
-	Flatten           bool
+	PackageTomlPath       string
+	Format                string
+	Policy                string
+	BuildpackRegistry     string
+	Path                  string
+	FlattenExclude        []string
+	Targets               []string
+	Label                 map[string]string
+	Publish               bool
+	Flatten               bool
+	AppendImageNameSuffix bool
+	AdditionalTags        []string
 }

 // BuildpackPackager packages buildpacks
@ -117,31 +119,37 @@ func BuildpackPackage(logger logging.Logger, cfg config.Config, packager Buildpa

 			if len(multiArchCfg.Targets()) == 0 {
 				if isCompositeBP {
-					logger.Infof("Pro tip: use --targets flag OR [[targets]] in package.toml to specify the desired platform (os/arch/variant); using os %s", style.Symbol(bpPackageCfg.Platform.OS))
+					logger.Infof("Pro tip: use --target flag OR [[targets]] in package.toml to specify the desired platform (os/arch/variant); using os %s", style.Symbol(bpPackageCfg.Platform.OS))
 				} else {
-					logger.Infof("Pro tip: use --targets flag OR [[targets]] in buildpack.toml to specify the desired platform (os/arch/variant); using os %s", style.Symbol(bpPackageCfg.Platform.OS))
+					logger.Infof("Pro tip: use --target flag OR [[targets]] in buildpack.toml to specify the desired platform (os/arch/variant); using os %s", style.Symbol(bpPackageCfg.Platform.OS))
 				}
 			} else if !isCompositeBP {
 				// FIXME: Check if we can copy the config files during layers creation.
-				filesToClean, err := multiArchCfg.CopyConfigFiles(bpPath)
+				filesToClean, err := multiArchCfg.CopyConfigFiles(bpPath, "buildpack")
 				if err != nil {
 					return err
 				}
 				defer clean(filesToClean)
 			}

+			if !flags.Publish && flags.AppendImageNameSuffix {
+				logger.Warnf("--append-image-name-suffix will be ignored, use combined with --publish")
+			}
+
 			if err := packager.PackageBuildpack(cmd.Context(), client.PackageBuildpackOptions{
-				RelativeBaseDir: relativeBaseDir,
-				Name:            name,
-				Format:          flags.Format,
-				Config:          bpPackageCfg,
-				Publish:         flags.Publish,
-				PullPolicy:      pullPolicy,
-				Registry:        flags.BuildpackRegistry,
-				Flatten:         flags.Flatten,
-				FlattenExclude:  flags.FlattenExclude,
-				Labels:          flags.Label,
-				Targets:         multiArchCfg.Targets(),
+				RelativeBaseDir:       relativeBaseDir,
+				Name:                  name,
+				Format:                flags.Format,
+				Config:                bpPackageCfg,
+				Publish:               flags.Publish,
+				AppendImageNameSuffix: flags.AppendImageNameSuffix && flags.Publish,
+				PullPolicy:            pullPolicy,
+				Registry:              flags.BuildpackRegistry,
+				Flatten:               flags.Flatten,
+				FlattenExclude:        flags.FlattenExclude,
+				Labels:                flags.Label,
+				Targets:               multiArchCfg.Targets(),
+				AdditionalTags:        flags.AdditionalTags,
 			}); err != nil {
 				return err
 			}
@ -163,6 +171,7 @@ func BuildpackPackage(logger logging.Logger, cfg config.Config, packager Buildpa
 	cmd.Flags().StringVarP(&flags.PackageTomlPath, "config", "c", "", "Path to package TOML config")
 	cmd.Flags().StringVarP(&flags.Format, "format", "f", "", `Format to save package as ("image" or "file")`)
 	cmd.Flags().BoolVar(&flags.Publish, "publish", false, `Publish the buildpack directly to the container registry specified in <name>, instead of the daemon (applies to "--format=image" only).`)
+	cmd.Flags().BoolVar(&flags.AppendImageNameSuffix, "append-image-name-suffix", false, "When publishing to a registry that doesn't allow overwrite existing tags use this flag to append a [os]-[arch] suffix to package <name>")
 	cmd.Flags().StringVar(&flags.Policy, "pull-policy", "", "Pull policy to use. Accepted values are always, never, and if-not-present. The default is always")
 	cmd.Flags().StringVarP(&flags.Path, "path", "p", "", "Path to the Buildpack that needs to be packaged")
 	cmd.Flags().StringVarP(&flags.BuildpackRegistry, "buildpack-registry", "r", "", "Buildpack Registry name")
@ -176,6 +185,7 @@ Targets should be in the format '[os][/arch][/variant]:[distroname@osversion@ano
 - To specify the distribution version: '--target "linux/arm/v6:ubuntu@14.04"'
 - To specify multiple distribution versions: '--target "linux/arm/v6:ubuntu@14.04"  --target "linux/arm/v6:ubuntu@16.04"'
 	`)
+	cmd.Flags().StringSliceVarP(&flags.AdditionalTags, "tag", "", nil, "Additional tags to push the output image to.\nTags should be in the format 'image:tag' or 'repository/image:tag'."+stringSliceHelp("tag"))
 	if !cfg.Experimental {
 		cmd.Flags().MarkHidden("flatten")
 		cmd.Flags().MarkHidden("flatten-exclude")
--- a/internal/commands/buildpack_package_test.go
+++ b/internal/commands/buildpack_package_test.go
@ -265,6 +265,25 @@ func testPackageCommand(t *testing.T, when spec.G, it spec.S) {
 					})
 				})
 			})
+
+			when("additional tags are specified", func() {
+				it("forwards additional tags to buildpackPackager", func() {
+					expectedTags := []string{"additional-tag-1", "additional-tag-2"}
+					cmd := packageCommand(
+						withBuildpackPackager(fakeBuildpackPackager),
+					)
+					cmd.SetArgs([]string{
+						"my-specific-image",
+						"--tag", expectedTags[0], "--tag", expectedTags[1],
+					})
+					err := cmd.Execute()
+					h.AssertNil(t, err)
+
+					receivedOptions := fakeBuildpackPackager.CreateCalledWithOptions
+					h.AssertEq(t, receivedOptions.AdditionalTags[0], expectedTags[0])
+					h.AssertEq(t, receivedOptions.AdditionalTags[1], expectedTags[1])
+				})
+			})
 		})

 		when("no config path is specified", func() {
--- a/internal/commands/commands.go
+++ b/internal/commands/commands.go
@ -7,8 +7,6 @@ import (
 	"os/signal"
 	"syscall"

-	"github.com/buildpacks/pack/internal/builder"
-
 	"github.com/google/go-containerregistry/pkg/v1/types"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
@ -107,16 +105,6 @@ func getMirrors(config config.Config) map[string][]string {
 	return mirrors
 }

-func isTrustedBuilder(cfg config.Config, builderName string) bool {
-	for _, trustedBuilder := range cfg.TrustedBuilders {
-		if builderName == trustedBuilder.Name {
-			return true
-		}
-	}
-
-	return builder.IsKnownTrustedBuilder(builderName)
-}
-
 func deprecationWarning(logger logging.Logger, oldCmd, replacementCmd string) {
 	logger.Warnf("Command %s has been deprecated, please use %s instead", style.Symbol("pack "+oldCmd), style.Symbol("pack "+replacementCmd))
 }
--- a/internal/commands/config_trusted_builder.go
+++ b/internal/commands/config_trusted_builder.go
@ -51,7 +51,11 @@ func addTrustedBuilder(args []string, logger logging.Logger, cfg config.Config,
 	imageName := args[0]
 	builderToTrust := config.TrustedBuilder{Name: imageName}

-	if isTrustedBuilder(cfg, imageName) {
+	isTrusted, err := bldr.IsTrustedBuilder(cfg, imageName)
+	if err != nil {
+		return err
+	}
+	if isTrusted || bldr.IsKnownTrustedBuilder(imageName) {
 		logger.Infof("Builder %s is already trusted", style.Symbol(imageName))
 		return nil
 	}
--- a/internal/commands/extension_package.go
+++ b/internal/commands/extension_package.go
@ -2,6 +2,7 @@ package commands

 import (
 	"context"
+	"os"
 	"path/filepath"

 	"github.com/pkg/errors"
@ -11,6 +12,7 @@ import (
 	"github.com/buildpacks/pack/internal/config"
 	"github.com/buildpacks/pack/internal/style"
 	"github.com/buildpacks/pack/pkg/client"
+	"github.com/buildpacks/pack/pkg/dist"
 	"github.com/buildpacks/pack/pkg/image"
 	"github.com/buildpacks/pack/pkg/logging"
 )
@ -19,8 +21,11 @@ import (
 type ExtensionPackageFlags struct {
 	PackageTomlPath string
 	Format          string
+	Targets         []string
 	Publish         bool
 	Policy          string
+	Path            string
+	AdditionalTags  []string
 }

 // ExtensionPackager packages extensions
@ -32,9 +37,15 @@ type ExtensionPackager interface {
 func ExtensionPackage(logger logging.Logger, cfg config.Config, packager ExtensionPackager, packageConfigReader PackageConfigReader) *cobra.Command {
 	var flags ExtensionPackageFlags
 	cmd := &cobra.Command{
-		Use:   "package <name> --config <config-path>",
-		Short: "Package an extension in OCI format",
-		Args:  cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
+		Use:     "package <name> --config <config-path>",
+		Short:   "Package an extension in OCI format",
+		Args:    cobra.MatchAll(cobra.ExactArgs(1), cobra.OnlyValidArgs),
+		Example: "pack extension package /output/file.cnb --path /extracted/from/tgz/folder --format file\npack extension package registry/image-name --path  /extracted/from/tgz/folder --format image --publish",
+		Long: "extension package allows users to package (an) extension(s) into OCI format, which can then to be hosted in " +
+			"image repositories or persisted on disk as a '.cnb' file." +
+			"Packaged extensions can be used as inputs to `pack build` (using the `--extension` flag), " +
+			"and they can be included in the configs used in `pack builder create` and `pack extension package`. For more " +
+			"on how to package an extension, see: https://buildpacks.io/docs/buildpack-author-guide/package-a-buildpack/.",
 		RunE: logError(logger, func(cmd *cobra.Command, args []string) error {
 			if err := validateExtensionPackageFlags(&flags); err != nil {
 				return err
@ -51,6 +62,13 @@ func ExtensionPackage(logger logging.Logger, cfg config.Config, packager Extensi
 			}

 			exPackageCfg := pubbldpkg.DefaultExtensionConfig()
+			var exPath string
+			if flags.Path != "" {
+				if exPath, err = filepath.Abs(flags.Path); err != nil {
+					return errors.Wrap(err, "resolving extension path")
+				}
+				exPackageCfg.Extension.URI = exPath
+			}
 			relativeBaseDir := ""
 			if flags.PackageTomlPath != "" {
 				exPackageCfg, err = packageConfigReader.Read(flags.PackageTomlPath)
@ -74,6 +92,28 @@ func ExtensionPackage(logger logging.Logger, cfg config.Config, packager Extensi
 				}
 			}

+			targets, err := processExtensionPackageTargets(flags.Path, packageConfigReader, exPackageCfg)
+			if err != nil {
+				return err
+			}
+
+			daemon := !flags.Publish && flags.Format == ""
+			multiArchCfg, err := processMultiArchitectureConfig(logger, flags.Targets, targets, daemon)
+			if err != nil {
+				return err
+			}
+
+			if len(multiArchCfg.Targets()) == 0 {
+				logger.Infof("Pro tip: use --target flag OR [[targets]] in buildpack.toml to specify the desired platform (os/arch/variant); using os %s", style.Symbol(exPackageCfg.Platform.OS))
+			} else {
+				// FIXME: Check if we can copy the config files during layers creation.
+				filesToClean, err := multiArchCfg.CopyConfigFiles(exPath, "extension")
+				if err != nil {
+					return err
+				}
+				defer clean(filesToClean)
+			}
+
 			if err := packager.PackageExtension(cmd.Context(), client.PackageBuildpackOptions{
 				RelativeBaseDir: relativeBaseDir,
 				Name:            name,
@ -81,6 +121,8 @@ func ExtensionPackage(logger logging.Logger, cfg config.Config, packager Extensi
 				Config:          exPackageCfg,
 				Publish:         flags.Publish,
 				PullPolicy:      pullPolicy,
+				Targets:         multiArchCfg.Targets(),
+				AdditionalTags:  flags.AdditionalTags,
 			}); err != nil {
 				return err
 			}
@ -104,6 +146,15 @@ func ExtensionPackage(logger logging.Logger, cfg config.Config, packager Extensi
 	cmd.Flags().StringVarP(&flags.Format, "format", "f", "", `Format to save package as ("image" or "file")`)
 	cmd.Flags().BoolVar(&flags.Publish, "publish", false, `Publish the extension directly to the container registry specified in <name>, instead of the daemon (applies to "--format=image" only).`)
 	cmd.Flags().StringVar(&flags.Policy, "pull-policy", "", "Pull policy to use. Accepted values are always, never, and if-not-present. The default is always")
+	cmd.Flags().StringVarP(&flags.Path, "path", "p", "", "Path to the Extension that needs to be packaged")
+	cmd.Flags().StringSliceVarP(&flags.Targets, "target", "t", nil,
+		`Target platforms to build for.
+Targets should be in the format '[os][/arch][/variant]:[distroname@osversion@anotherversion];[distroname@osversion]'.
+- To specify two different architectures: '--target "linux/amd64" --target "linux/arm64"'
+- To specify the distribution version: '--target "linux/arm/v6:ubuntu@14.04"'
+- To specify multiple distribution versions: '--target "linux/arm/v6:ubuntu@14.04"  --target "linux/arm/v6:ubuntu@16.04"'
+	`)
+	cmd.Flags().StringSliceVarP(&flags.AdditionalTags, "tag", "", nil, "Additional tags to push the output image to.\nTags should be in the format 'image:tag' or 'repository/image:tag'."+stringSliceHelp("tag"))
 	AddHelpFlag(cmd, "package")
 	return cmd
 }
@ -114,3 +165,20 @@ func validateExtensionPackageFlags(p *ExtensionPackageFlags) error {
 	}
 	return nil
 }
+
+// processExtensionPackageTargets returns the list of targets defined on the extension.toml
+func processExtensionPackageTargets(path string, packageConfigReader PackageConfigReader, bpPackageCfg pubbldpkg.Config) ([]dist.Target, error) {
+	var targets []dist.Target
+
+	// Read targets from extension.toml
+	pathToExtensionToml := filepath.Join(path, "extension.toml")
+	if _, err := os.Stat(pathToExtensionToml); err == nil {
+		buildpackCfg, err := packageConfigReader.ReadBuildpackDescriptor(pathToExtensionToml)
+		if err != nil {
+			return nil, err
+		}
+		targets = buildpackCfg.Targets()
+	}
+
+	return targets, nil
+}
--- a/internal/commands/extension_package_test.go
+++ b/internal/commands/extension_package_test.go
@ -3,6 +3,7 @@ package commands_test
 import (
 	"bytes"
 	"fmt"
+	"path/filepath"
 	"testing"

 	"github.com/heroku/color"
@ -192,6 +193,58 @@ func testExtensionPackageCommand(t *testing.T, when spec.G, it spec.S) {
 				})
 			})
 		})
+
+		when("a path is specified", func() {
+			when("no multi-platform", func() {
+				it("creates a default config with the appropriate path", func() {
+					cmd := packageExtensionCommand(withExtensionPackager(fakeExtensionPackager))
+					cmd.SetArgs([]string{"some-name", "-p", ".."})
+					h.AssertNil(t, cmd.Execute())
+					bpPath, _ := filepath.Abs("..")
+					receivedOptions := fakeExtensionPackager.CreateCalledWithOptions
+					h.AssertEq(t, receivedOptions.Config.Extension.URI, bpPath)
+				})
+			})
+
+			when("multi-platform", func() {
+				var targets []dist.Target
+
+				when("single extension", func() {
+					it.Before(func() {
+						targets = []dist.Target{
+							{OS: "linux", Arch: "amd64"},
+							{OS: "windows", Arch: "amd64"},
+						}
+					})
+
+					it("creates a multi-platform extension package", func() {
+						cmd := packageExtensionCommand(withExtensionPackager(fakeExtensionPackager))
+						cmd.SetArgs([]string{"some-name", "-p", "some-path", "--target", "linux/amd64", "--target", "windows/amd64", "--format", "image", "--publish"})
+						h.AssertNil(t, cmd.Execute())
+						h.AssertEq(t, fakeExtensionPackager.CreateCalledWithOptions.Targets, targets)
+					})
+				})
+			})
+		})
+
+		when("additional tags are specified", func() {
+			it("forwards additional tags to PackageExtension", func() {
+				expectedTags := []string{"additional-tag-1", "additional-tag-2"}
+				cmd := packageExtensionCommand(
+					withExtensionPackager(fakeExtensionPackager),
+				)
+				cmd.SetArgs([]string{
+					"my-specific-image",
+					"--tag", expectedTags[0], "--tag", expectedTags[1],
+				})
+				err := cmd.Execute()
+				h.AssertNil(t, err)
+
+				receivedOptions := fakeExtensionPackager.CreateCalledWithOptions
+				h.AssertEq(t, receivedOptions.AdditionalTags[0], expectedTags[0])
+				h.AssertEq(t, receivedOptions.AdditionalTags[1], expectedTags[1])
+			})
+		})
 	})

 	when("invalid flags", func() {
@ -249,6 +302,20 @@ func testExtensionPackageCommand(t *testing.T, when spec.G, it spec.S) {
 				h.AssertError(t, cmd.Execute(), "parsing pull policy")
 			})
 		})
+
+		when("--target cannot be parsed", func() {
+			it("errors with a descriptive message", func() {
+				cmd := packageCommand()
+				cmd.SetArgs([]string{
+					"some-image-name", "--config", "/path/to/some/file",
+					"--target", "something/wrong", "--publish",
+				})
+
+				err := cmd.Execute()
+				h.AssertNotNil(t, err)
+				h.AssertError(t, err, "unknown target: 'something/wrong'")
+			})
+		})
 	})
 }

--- a/internal/commands/fakes/fake_package_config_reader.go
+++ b/internal/commands/fakes/fake_package_config_reader.go
@ -12,6 +12,7 @@ type FakePackageConfigReader struct {

 	ReadBuildpackDescriptorCalledWithArg string
 	ReadBuildpackDescriptorReturn        dist.BuildpackDescriptor
+	ReadExtensionDescriptorReturn        dist.ExtensionDescriptor
 	ReadBuildpackDescriptorReturnError   error
 }

--- a/internal/commands/rebase.go
+++ b/internal/commands/rebase.go
@ -52,7 +52,7 @@ func Rebase(logger logging.Logger, cfg config.Config, pack PackClient) *cobra.Co
 	cmd.Flags().StringVar(&opts.PreviousImage, "previous-image", "", "Image to rebase. Set to a particular tag reference, digest reference, or (when performing a daemon build) image ID. Use this flag in combination with <image-name> to avoid replacing the original image.")
 	cmd.Flags().StringVar(&opts.ReportDestinationDir, "report-output-dir", "", "Path to export build report.toml.\nOmitting the flag yield no report file.")
 	cmd.Flags().BoolVar(&opts.Force, "force", false, "Perform rebase operation without target validation (only available for API >= 0.12)")
-
+	cmd.Flags().StringArrayVar(&opts.InsecureRegistries, "insecure-registry", []string{}, "List of insecure registries (only available for API >= 0.13)")
 	AddHelpFlag(cmd, "rebase")
 	return cmd
 }
--- a/internal/commands/rebase_test.go
+++ b/internal/commands/rebase_test.go
@ -50,6 +50,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 	when("#RebaseCommand", func() {
 		when("no image is provided", func() {
 			it("fails to run", func() {
+				command.SetArgs([]string{})
 				err := command.Execute()
 				h.AssertError(t, err, "accepts 1 arg")
 			})
@ -80,6 +81,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					AdditionalMirrors: map[string][]string{
 						runImage: {testMirror1, testMirror2},
 					},
+					InsecureRegistries: []string{},
 				}
 			})

@ -122,6 +124,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					h.AssertError(t, command.Execute(), "parsing pull policy")
 				})
 			})
+
 			when("--pull-policy not set", func() {
 				when("no policy set in config", func() {
 					it("uses the default policy", func() {
@ -158,6 +161,7 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					})
 				})
 			})
+
 			when("image name and previous image are provided", func() {
 				var expectedOpts client.RebaseOptions

@ -182,7 +186,8 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 						AdditionalMirrors: map[string][]string{
 							runImage: {testMirror1, testMirror2},
 						},
-						PreviousImage: previousImage,
+						PreviousImage:      previousImage,
+						InsecureRegistries: []string{},
 					}
 					expectedOpts = opts
 				})
@ -196,6 +201,35 @@ func testRebaseCommand(t *testing.T, when spec.G, it spec.S) {
 					h.AssertNil(t, command.Execute())
 				})
 			})
+
+			when("--insecure-registry is provided", func() {
+				it("sets one insecure registry", func() {
+					opts.PullPolicy = image.PullAlways
+					opts.InsecureRegistries = []string{
+						"foo.bar",
+					}
+					mockClient.EXPECT().
+						Rebase(gomock.Any(), opts).
+						Return(nil)
+
+					command.SetArgs([]string{repoName, "--insecure-registry", "foo.bar"})
+					h.AssertNil(t, command.Execute())
+				})
+
+				it("sets more than one insecure registry", func() {
+					opts.PullPolicy = image.PullAlways
+					opts.InsecureRegistries = []string{
+						"foo.bar",
+						"foo.com",
+					}
+					mockClient.EXPECT().
+						Rebase(gomock.Any(), opts).
+						Return(nil)
+
+					command.SetArgs([]string{repoName, "--insecure-registry", "foo.bar", "--insecure-registry", "foo.com"})
+					h.AssertNil(t, command.Execute())
+				})
+			})
 		})
 	})
 }
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -149,4 +149,4 @@ func GetRegistry(cfg Config, registryName string) (Registry, error) {
 	return Registry{}, errors.Errorf("registry %s is not defined in your config file", style.Symbol(registryName))
 }

-const DefaultLifecycleImageRepo = "buildpacksio/lifecycle"
+const DefaultLifecycleImageRepo = "docker.io/buildpacksio/lifecycle"
--- a/internal/fakes/fake_images.go
+++ b/internal/fakes/fake_images.go
@ -18,7 +18,7 @@ import (

 type FakeImageCreator func(name string, topLayerSha string, identifier imgutil.Identifier) *fakes.Image

-func NewFakeBuilderImage(t *testing.T, tmpDir, name string, stackID, uid, gid string, metadata builder.Metadata, bpLayers dist.ModuleLayers, order dist.Order, exLayers dist.ModuleLayers, orderExtensions dist.Order, creator FakeImageCreator) *fakes.Image {
+func NewFakeBuilderImage(t *testing.T, tmpDir, name string, stackID, uid, gid string, metadata builder.Metadata, bpLayers dist.ModuleLayers, order dist.Order, exLayers dist.ModuleLayers, orderExtensions dist.Order, system dist.System, creator FakeImageCreator) *fakes.Image {
 	fakeBuilderImage := creator(name, "", nil)

 	h.AssertNil(t, fakeBuilderImage.SetLabel("io.buildpacks.stack.id", stackID))
@ -78,6 +78,19 @@ func NewFakeBuilderImage(t *testing.T, tmpDir, name string, stackID, uid, gid st
 	h.AssertNil(t, tarBuilder.WriteToPath(orderTar, archive.DefaultTarWriterFactory()))
 	h.AssertNil(t, fakeBuilderImage.AddLayer(orderTar))

+	if len(system.Pre.Buildpacks) > 0 || len(system.Post.Buildpacks) > 0 {
+		h.AssertNil(t, dist.SetLabel(fakeBuilderImage, "io.buildpacks.buildpack.system", system))
+		systemTarBuilder := archive.TarBuilder{}
+		systemTomlBytes := &bytes.Buffer{}
+		h.AssertNil(t, toml.NewEncoder(systemTomlBytes).Encode(systemTOML{System: system}))
+
+		systemTarBuilder.AddFile("/cnb/system.toml", 0777, archive.NormalizedDateTime, systemTomlBytes.Bytes())
+
+		systemTar := filepath.Join(tmpDir, fmt.Sprintf("system.%s.toml", h.RandString(8)))
+		h.AssertNil(t, systemTarBuilder.WriteToPath(systemTar, archive.DefaultTarWriterFactory()))
+		h.AssertNil(t, fakeBuilderImage.AddLayer(systemTar))
+	}
+
 	return fakeBuilderImage
 }

@ -85,3 +98,7 @@ type orderTOML struct {
 	Order           dist.Order `toml:"order"`
 	OrderExtensions dist.Order `toml:"orderExtensions"`
 }
+
+type systemTOML struct {
+	System dist.System `toml:"system"`
+}
--- a/internal/name/name.go
+++ b/internal/name/name.go
@ -4,6 +4,8 @@ import (
 	"fmt"
 	"strings"

+	"github.com/buildpacks/pack/pkg/dist"
+
 	gname "github.com/google/go-containerregistry/pkg/name"

 	"github.com/buildpacks/pack/internal/style"
@ -49,6 +51,24 @@ func TranslateRegistry(name string, registryMirrors map[string]string, logger Lo
 	return refName, nil
 }

+func AppendSuffix(name string, target dist.Target) (string, error) {
+	reference, err := gname.ParseReference(name, gname.WeakValidation)
+	if err != nil {
+		return "", err
+	}
+
+	suffixPlatformTag := targetToTag(target)
+	if suffixPlatformTag != "" {
+		if reference.Identifier() == "latest" {
+			return fmt.Sprintf("%s:%s", reference.Context(), suffixPlatformTag), nil
+		}
+		if !strings.Contains(reference.Identifier(), ":") {
+			return fmt.Sprintf("%s:%s-%s", reference.Context(), reference.Identifier(), suffixPlatformTag), nil
+		}
+	}
+	return name, nil
+}
+
 func getMirror(repo gname.Repository, registryMirrors map[string]string) (string, bool) {
 	mirror, ok := registryMirrors["*"]
 	if ok {
@ -58,3 +78,7 @@ func getMirror(repo gname.Repository, registryMirrors map[string]string) (string
 	mirror, ok = registryMirrors[repo.RegistryStr()]
 	return mirror, ok
 }
+
+func targetToTag(target dist.Target) string {
+	return strings.Join(target.ValuesAsSlice(), "-")
+}
--- a/internal/name/name_test.go
+++ b/internal/name/name_test.go
@ -4,6 +4,8 @@ import (
 	"io"
 	"testing"

+	"github.com/buildpacks/pack/pkg/dist"
+
 	"github.com/sclevine/spec"
 	"github.com/sclevine/spec/report"

@ -79,4 +81,111 @@ func testTranslateRegistry(t *testing.T, when spec.G, it spec.S) {
 			assert.Equal(output, expected)
 		})
 	})
+
+	when("#AppendSuffix", func() {
+		when("[os] is provided", func() {
+			when("[arch]] is provided", func() {
+				when("[arch-variant] is provided", func() {
+					when("tag is provided", func() {
+						it("append [os]-[arch]-[arch-variant] to the given tag", func() {
+							input := "my.registry.com/my-repo/my-image:some-tag"
+							target := dist.Target{
+								OS:          "linux",
+								Arch:        "amd64",
+								ArchVariant: "v6",
+							}
+
+							result, err := name.AppendSuffix(input, target)
+							assert.Nil(err)
+							assert.Equal(result, "my.registry.com/my-repo/my-image:some-tag-linux-amd64-v6")
+						})
+					})
+					when("tag is not provided", func() {
+						it("add tag: [os]-[arch]-[arch-variant] to the given <image>", func() {
+							input := "my.registry.com/my-repo/my-image"
+							target := dist.Target{
+								OS:          "linux",
+								Arch:        "amd64",
+								ArchVariant: "v6",
+							}
+
+							result, err := name.AppendSuffix(input, target)
+							assert.Nil(err)
+							assert.Equal(result, "my.registry.com/my-repo/my-image:linux-amd64-v6")
+						})
+					})
+				})
+				when("[arch-variant] is not provided", func() {
+					when("tag is provided", func() {
+						// my.registry.com/my-repo/my-image:some-tag
+						it("append [os]-[arch] to the given tag", func() {
+							input := "my.registry.com/my-repo/my-image:some-tag"
+							target := dist.Target{
+								OS:   "linux",
+								Arch: "amd64",
+							}
+
+							result, err := name.AppendSuffix(input, target)
+							assert.Nil(err)
+							assert.Equal(result, "my.registry.com/my-repo/my-image:some-tag-linux-amd64")
+						})
+					})
+					when("tag is NOT provided", func() {
+						// my.registry.com/my-repo/my-image
+						it("add tag: [os]-[arch] to the given <image>", func() {
+							input := "my.registry.com/my-repo/my-image"
+							target := dist.Target{
+								OS:   "linux",
+								Arch: "amd64",
+							}
+
+							result, err := name.AppendSuffix(input, target)
+							assert.Nil(err)
+							assert.Equal(result, "my.registry.com/my-repo/my-image:linux-amd64")
+						})
+					})
+				})
+			})
+
+			when("[arch] is not provided", func() {
+				when("tag is provided", func() {
+					// my.registry.com/my-repo/my-image:some-tag
+					it("append [os] to the given tag", func() {
+						input := "my.registry.com/my-repo/my-image:some-tag"
+						target := dist.Target{
+							OS: "linux",
+						}
+
+						result, err := name.AppendSuffix(input, target)
+						assert.Nil(err)
+						assert.Equal(result, "my.registry.com/my-repo/my-image:some-tag-linux")
+					})
+				})
+				when("tag is not provided", func() {
+					// my.registry.com/my-repo/my-image
+					it("add tag: [os] to the given <image>", func() {
+						input := "my.registry.com/my-repo/my-image"
+						target := dist.Target{
+							OS: "linux",
+						}
+
+						result, err := name.AppendSuffix(input, target)
+						assert.Nil(err)
+						assert.Equal(result, "my.registry.com/my-repo/my-image:linux")
+					})
+				})
+			})
+		})
+
+		when("[os] is not provided", func() {
+			it("doesn't append anything and return the same <image> name", func() {
+				input := "my.registry.com/my-repo/my-image"
+				target := dist.Target{}
+
+				result, err := name.AppendSuffix(input, target)
+				assert.Nil(err)
+				assert.Equal(result, input)
+			})
+		})
+	})
 }
--- a/internal/paths/defaults_unix.go
+++ b/internal/paths/defaults_unix.go
@ -1,5 +1,4 @@
-//go:build linux || darwin
-// +build linux darwin
+//go:build unix

 package paths

--- a/internal/registry/registry_cache_test.go
+++ b/internal/registry/registry_cache_test.go
@ -177,6 +177,7 @@ func testRegistryCache(t *testing.T, when spec.G, it spec.S) {
 						Email: "john@doe.org",
 						When:  time.Now(),
 					},
+					AllowEmptyCommits: true,
 				})
 				h.AssertNil(t, err)

--- a/internal/sshdialer/posix_test.go
+++ b/internal/sshdialer/posix_test.go
@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows

 package sshdialer_test

--- a/internal/sshdialer/server_test.go
+++ b/internal/sshdialer/server_test.go
@ -103,7 +103,7 @@ func prepareSSHServer(t *testing.T) (sshServer *SSHServer, stopSSH func(), err e

 	sshTCPListener, err := net.Listen("tcp4", "localhost:0")
 	if err != nil {
-		return
+		return sshServer, stopSSH, err
 	}

 	hasIPv6 := true
@ -115,11 +115,11 @@ func prepareSSHServer(t *testing.T) (sshServer *SSHServer, stopSSH func(), err e

 	host, p, err := net.SplitHostPort(sshTCPListener.Addr().String())
 	if err != nil {
-		return
+		return sshServer, stopSSH, err
 	}
 	port, err := strconv.ParseInt(p, 10, 32)
 	if err != nil {
-		return
+		return sshServer, stopSSH, err
 	}
 	sshServer.hostIPv4 = host
 	sshServer.portIPv4 = int(port)
@ -127,11 +127,11 @@ func prepareSSHServer(t *testing.T) (sshServer *SSHServer, stopSSH func(), err e
 	if hasIPv6 {
 		host, p, err = net.SplitHostPort(sshTCP6Listener.Addr().String())
 		if err != nil {
-			return
+			return sshServer, stopSSH, err
 		}
 		port, err = strconv.ParseInt(p, 10, 32)
 		if err != nil {
-			return
+			return sshServer, stopSSH, err
 		}
 		sshServer.hostIPv6 = host
 		sshServer.portIPv6 = int(port)
@ -231,12 +231,12 @@ func setupServerAuth(conf *ssh.ServerConfig) (err error) {
 		var bs []byte
 		bs, err = os.ReadFile(keyFileName)
 		if err != nil {
-			return
+			return err
 		}
 		var pk ssh.PublicKey
 		pk, _, _, _, err = ssh.ParseAuthorizedKey(bs)
 		if err != nil {
-			return
+			return err
 		}

 		bs = pk.Marshal()
@ -266,12 +266,12 @@ func setupServerAuth(conf *ssh.ServerConfig) (err error) {
 		var b []byte
 		b, err = os.ReadFile(keyFileName)
 		if err != nil {
-			return
+			return err
 		}
 		var signer ssh.Signer
 		signer, err = ssh.ParsePrivateKey(b)
 		if err != nil {
-			return
+			return err
 		}
 		conf.AddHostKey(signer)
 	}
--- a/internal/sshdialer/ssh_agent_unix.go
+++ b/internal/sshdialer/ssh_agent_unix.go
@ -1,5 +1,4 @@
-//go:build aix || darwin || dragonfly || freebsd || linux || netbsd || openbsd || solaris
-// +build aix darwin dragonfly freebsd linux netbsd openbsd solaris
+//go:build unix

 package sshdialer

--- a/internal/sshdialer/ssh_dialer.go
+++ b/internal/sshdialer/ssh_dialer.go
@ -138,19 +138,19 @@ func isWindowsMachine(sshClient *ssh.Client) (bool, error) {
 func networkAndAddressFromRemoteDockerHost(sshClient *ssh.Client) (network string, addr string, err error) {
 	session, err := sshClient.NewSession()
 	if err != nil {
-		return
+		return network, addr, err
 	}
 	defer session.Close()

 	out, err := session.CombinedOutput("set")
 	if err != nil {
-		return
+		return network, addr, err
 	}

 	remoteDockerHost := "unix:///var/run/docker.sock"
 	isWin, err := isWindowsMachine(sshClient)
 	if err != nil {
-		return
+		return network, addr, err
 	}

 	if isWin {
@ -168,7 +168,7 @@ func networkAndAddressFromRemoteDockerHost(sshClient *ssh.Client) (network strin

 	remoteDockerHostURL, err := urlPkg.Parse(remoteDockerHost)
 	if err != nil {
-		return
+		return network, addr, err
 	}
 	switch remoteDockerHostURL.Scheme {
 	case "unix":
@ -272,7 +272,6 @@ func NewSSHClientConfig(url *urlPkg.URL, config Config) (*ssh.ClientConfig, erro
 			ssh.KeyAlgoRSASHA512,
 			ssh.KeyAlgoRSASHA256,
 			ssh.KeyAlgoRSA,
-			ssh.KeyAlgoDSA,
 		},
 		Timeout: sshTimeout * time.Second,
 	}
--- a/internal/sshdialer/windows_test.go
+++ b/internal/sshdialer/windows_test.go
@ -1,5 +1,4 @@
 //go:build windows
-// +build windows

 package sshdialer_test

--- a/cmd/pack/main.go
+++ b/cmd/pack/main.go
--- a/pkg/archive/archive.go
+++ b/pkg/archive/archive.go
@ -369,11 +369,11 @@ func NormalizeHeader(header *tar.Header, normalizeModTime bool) {
 func IsZip(path string) (bool, error) {
 	r, err := zip.OpenReader(path)

-	switch {
-	case err == nil:
+	switch err {
+	case nil:
 		r.Close()
 		return true, nil
-	case err == zip.ErrFormat:
+	case zip.ErrFormat:
 		return false, nil
 	default:
 		return false, err
--- a/Show More
+++ b/Show More