Merge pull request #19829 from docker-tools-robot/dispatch/buildx-ref-v0.14.0

Update buildx reference to v0.14.0

_vendor/modules.txt

@@ -1,6 +1,6 @@
 # github.com/moby/moby v26.0.0+incompatible
 # github.com/moby/buildkit v0.13.1
-# github.com/docker/buildx v0.13.1
-# github.com/docker/cli v26.0.0+incompatible
+# github.com/docker/buildx v0.14.0
+# github.com/docker/cli v26.0.1-0.20240410153731-b6c552212837+incompatible
 # github.com/docker/compose/v2 v2.0.0-00010101000000-000000000000
 # github.com/docker/scout-cli v1.7.0

data/buildx/docker_buildx_bake.yaml

@@ -41,7 +41,8 @@ options:
       swarm: false
     - option: metadata-file
       value_type: string
-      description: Write build result metadata to the file
+      description: Write build result metadata to a file
+      details_url: '#metadata-file'
       deprecated: false
       hidden: false
       experimental: false
@@ -189,6 +190,77 @@ examples: |-
     See the [Bake file reference](/build/bake/reference/)
     for more details.
 
+    ### Write build results metadata to a file (--metadata-file) {#metadata-file}
+
+    Similar to [`buildx build --metadata-file`](/reference/cli/docker/buildx/build/#metadata-file) but
+    writes a map of results for each target such as:
+
+    ```hcl
+    # docker-bake.hcl
+    group "default" {
+      targets = ["db", "webapp-dev"]
+    }
+
+    target "db" {
+      dockerfile = "Dockerfile.db"
+      tags = ["docker.io/username/db"]
+    }
+
+    target "webapp-dev" {
+      dockerfile = "Dockerfile.webapp"
+      tags = ["docker.io/username/webapp"]
+    }
+    ```
+
+    ```console
+    $ docker buildx bake --load --metadata-file metadata.json .
+    $ cat metadata.json
+    ```
+
+    ```json
+    {
+      "db": {
+        "buildx.build.provenance": {},
+        "buildx.build.ref": "mybuilder/mybuilder0/0fjb6ubs52xx3vygf6fgdl611",
+        "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+        "containerimage.descriptor": {
+          "annotations": {
+            "config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
+            "org.opencontainers.image.created": "2022-02-08T21:28:03Z"
+          },
+          "digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3",
+          "mediaType": "application/vnd.oci.image.manifest.v1+json",
+          "size": 506
+        },
+        "containerimage.digest": "sha256:19ffeab6f8bc9293ac2c3fdf94ebe28396254c993aea0b5a542cfb02e0883fa3"
+      },
+      "webapp-dev": {
+        "buildx.build.provenance": {},
+        "buildx.build.ref": "mybuilder/mybuilder0/kamngmcgyzebqxwu98b4lfv3n",
+        "containerimage.config.digest": "sha256:9651cc2b3c508f697c9c43b67b64c8359c2865c019e680aac1c11f4b875b67e0",
+        "containerimage.descriptor": {
+          "annotations": {
+            "config.digest": "sha256:9651cc2b3c508f697c9c43b67b64c8359c2865c019e680aac1c11f4b875b67e0",
+            "org.opencontainers.image.created": "2022-02-08T21:28:15Z"
+          },
+          "digest": "sha256:6d9ac9237a84afe1516540f40a0fafdc86859b2141954b4d643af7066d598b74",
+          "mediaType": "application/vnd.oci.image.manifest.v1+json",
+          "size": 506
+        },
+        "containerimage.digest": "sha256:6d9ac9237a84afe1516540f40a0fafdc86859b2141954b4d643af7066d598b74"
+      }
+    }
+    ```
+
+    > **Note**
+    >
+    > Build record [provenance](/build/attestations/slsa-provenance/#provenance-attestation-example)
+    > (`buildx.build.provenance`) includes minimal provenance by default. Set the
+    > `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
+    > * `min` sets minimal provenance (default).
+    > * `max` sets full provenance.
+    > * `disabled`, `false` or `0` does not set any provenance.
+
     ### Don't use cache when building the image (--no-cache) {#no-cache}
 
     Same as `build --no-cache`. Don't use cache when building the image.
@@ -261,6 +333,7 @@ examples: |-
     * `context`
     * `dockerfile`
     * `labels`
+    * `load`
     * `no-cache`
     * `no-cache-filter`
     * `output`

data/buildx/docker_buildx_build.yaml

@@ -205,7 +205,7 @@ options:
       swarm: false
     - option: iidfile
       value_type: string
-      description: Write the image ID to the file
+      description: Write the image ID to a file
       deprecated: false
       hidden: false
       experimental: false
@@ -264,7 +264,7 @@ options:
       swarm: false
     - option: metadata-file
       value_type: string
-      description: Write build result metadata to the file
+      description: Write build result metadata to a file
       details_url: '#metadata-file'
       deprecated: false
       hidden: false
@@ -773,7 +773,7 @@ examples: |-
     Shorthand for [`--output=type=docker`](#docker). Will automatically load the
     single-platform build result to `docker images`.
 
-    ### Write build result metadata to the file (--metadata-file) {#metadata-file}
+    ### Write build result metadata to a file (--metadata-file) {#metadata-file}
 
     To output build metadata such as the image digest, pass the `--metadata-file` flag.
     The metadata will be written as a JSON object to the specified file. The
@@ -786,6 +786,7 @@ examples: |-
 
     ```json
     {
+      "buildx.build.provenance": {},
       "buildx.build.ref": "mybuilder/mybuilder0/0fjb6ubs52xx3vygf6fgdl611",
       "containerimage.config.digest": "sha256:2937f66a9722f7f4a2df583de2f8cb97fc9196059a410e7f00072fc918930e66",
       "containerimage.descriptor": {
@@ -801,6 +802,15 @@ examples: |-
     }
     ```
 
+    > **Note**
+    >
+    > Build record [provenance](/build/attestations/slsa-provenance/#provenance-attestation-example)
+    > (`buildx.build.provenance`) includes minimal provenance by default. Set the
+    > `BUILDX_METADATA_PROVENANCE` environment variable to customize this behavior:
+    > * `min` sets minimal provenance (default).
+    > * `max` sets full provenance.
+    > * `disabled`, `false` or `0` does not set any provenance.
+
     ### Ignore build cache for specific stages (--no-cache-filter) {#no-cache-filter}
 
     The `--no-cache-filter` lets you specify one or more stages of a multi-stage
@@ -877,7 +887,7 @@ examples: |-
     ```console
     $ docker buildx build -o . .
     $ docker buildx build -o outdir .
-    $ docker buildx build -o - - > out.tar
+    $ docker buildx build -o - . > out.tar
     $ docker buildx build -o type=docker .
     $ docker buildx build -o type=docker,dest=- . > myimage.tar
     $ docker buildx build -t tonistiigi/foo -o type=registry
@@ -1074,10 +1084,18 @@ examples: |-
     --secret=[type=TYPE[,KEY=VALUE]
     ```
 
-    Exposes secret to the build. The secret can be used by the build using
-    [`RUN --mount=type=secret` mount](/reference/dockerfile/#run---mounttypesecret).
+    Exposes secrets (authentication credentials, tokens) to the build.
+    A secret can be mounted into the build using a `RUN --mount=type=secret` mount in the
+    [Dockerfile](/reference/dockerfile/#run---mounttypesecret).
+    For more information about how to use build secrets, see
+    [Build secrets](/build/building/secrets/).
 
-    If `type` is unset it will be detected. Supported types are:
+    Supported types are:
+
+    - [`file`](#file)
+    - [`env`](#env)
+
+    Buildx attempts to detect the `type` automatically if unset.
 
     #### `file`
 

data/buildx/docker_buildx_debug_build.yaml

@@ -192,7 +192,7 @@ options:
       swarm: false
     - option: iidfile
       value_type: string
-      description: Write the image ID to the file
+      description: Write the image ID to a file
       deprecated: false
       hidden: false
       experimental: false
@@ -250,7 +250,7 @@ options:
       swarm: false
     - option: metadata-file
       value_type: string
-      description: Write build result metadata to the file
+      description: Write build result metadata to a file
       deprecated: false
       hidden: false
       experimental: false

go.mod

@@ -5,8 +5,8 @@ go 1.21
 toolchain go1.21.1
 
 require (
-	github.com/docker/buildx v0.13.1 // indirect
-	github.com/docker/cli v26.0.0+incompatible // indirect
+	github.com/docker/buildx v0.14.0 // indirect
+	github.com/docker/cli v26.0.1-0.20240410153731-b6c552212837+incompatible // indirect
 	github.com/docker/compose/v2 v2.0.0-00010101000000-000000000000 // indirect
 	github.com/docker/scout-cli v1.7.0 // indirect
 	github.com/moby/buildkit v0.13.1 // indirect
@@ -14,7 +14,7 @@ require (
 )
 
 replace (
-	github.com/docker/buildx => github.com/docker/buildx v0.13.1
+	github.com/docker/buildx => github.com/docker/buildx v0.14.0
 	github.com/docker/cli => github.com/docker/cli v26.0.0+incompatible
 	github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.26.1
 	github.com/docker/scout-cli => github.com/docker/scout-cli v1.7.0

go.sum

@@ -66,6 +66,8 @@ github.com/docker/buildx v0.13.1-0.20240307093612-37b7ad1465d2 h1:kuFvsZyZCYqxWB
 github.com/docker/buildx v0.13.1-0.20240307093612-37b7ad1465d2/go.mod h1:f2n6vggoX4sNNZ0XoRZ0Wtv6J1/rbDTabgdHtpW9NNM=
 github.com/docker/buildx v0.13.1 h1:uZjBcb477zh02tnHk0rqNV/DZOxbf/OiHw6Mc8OhDYU=
 github.com/docker/buildx v0.13.1/go.mod h1:f2n6vggoX4sNNZ0XoRZ0Wtv6J1/rbDTabgdHtpW9NNM=
+github.com/docker/buildx v0.14.0 h1:FxqcfE7xgeEC4oQlKLpuvfobRDVDXrHE3jByM+mdyqk=
+github.com/docker/buildx v0.14.0/go.mod h1:Vy/2lC9QsJvo33+7KKkN/GDE5WxnVqW0/dpcN7ZqPJY=
 github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM=
 github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v24.0.4+incompatible h1:Y3bYF9ekNTm2VFz5U/0BlMdJy73D+Y1iAAZ8l63Ydzw=