vendor: github.com/docker/buildx v0.20.1

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

_vendor/github.com/docker/buildx/docs/bake-reference.md

@@ -221,8 +221,10 @@ The following table shows the complete list of attributes that you can assign to
 | [`attest`](#targetattest)                       | List    | Build attestations                                                   |
 | [`cache-from`](#targetcache-from)               | List    | External cache sources                                               |
 | [`cache-to`](#targetcache-to)                   | List    | External cache destinations                                          |
+| [`call`](#targetcall)                           | String  | Specify the frontend method to call for the target.                  |
 | [`context`](#targetcontext)                     | String  | Set of files located in the specified path or URL                    |
 | [`contexts`](#targetcontexts)                   | Map     | Additional build contexts                                            |
+| [`description`](#targetdescription)             | String  | Description of a target                                              |
 | [`dockerfile-inline`](#targetdockerfile-inline) | String  | Inline Dockerfile string                                             |
 | [`dockerfile`](#targetdockerfile)               | String  | Dockerfile location                                                  |
 | [`inherits`](#targetinherits)                   | List    | Inherit attributes from other targets                                |
@@ -371,6 +373,13 @@ target "app" {
 }
 ```
 
+Supported values are:
+
+- `build` builds the target (default)
+- `check`: evaluates [build checks](https://docs.docker.com/build/checks/) for the target
+- `outline`: displays the target's build arguments and their default values if available
+- `targets`: lists all Bake targets in the loaded definition, along with its [description](#targetdescription).
+
 For more information about frontend methods, refer to the CLI reference for
 [`docker buildx build --call`](https://docs.docker.com/reference/cli/docker/buildx/build/#call).
 
@@ -481,6 +490,25 @@ FROM baseapp
 RUN echo "Hello world"
 ```
 
+### `target.description`
+
+Defines a human-readable description for the target, clarifying its purpose or
+functionality.
+
+```hcl
+target "lint" {
+    description = "Runs golangci-lint to detect style errors"
+    args = {
+        GOLANGCI_LINT_VERSION = null
+    }
+    dockerfile = "lint.Dockerfile"
+}
+```
+
+This attribute is useful when combined with the `docker buildx bake --list=targets`
+option, providing a more informative output when listing the available build
+targets in a Bake file.
+
 ### `target.dockerfile-inline`
 
 Uses the string value as an inline Dockerfile for the build target.

_vendor/modules.txt

@@ -1,6 +1,6 @@
 # github.com/moby/moby v27.5.0+incompatible
 # github.com/moby/buildkit v0.19.0
-# github.com/docker/buildx v0.20.0
+# github.com/docker/buildx v0.20.1
 # github.com/docker/cli v27.5.0+incompatible
 # github.com/docker/compose/v2 v2.32.4
 # github.com/docker/scout-cli v1.15.0

data/buildx/docker_buildx_bake.yaml

@@ -20,6 +20,7 @@ options:
       value_type: stringArray
       default_value: '[]'
       description: Allow build to access specified resources
+      details_url: '#allow'
       deprecated: false
       hidden: false
       experimental: false
@@ -218,6 +219,80 @@ inherited_options:
       kubernetes: false
       swarm: false
 examples: |-
+    ### Allow extra privileged entitlement (--allow) {#allow}
+
+    ```text
+    --allow=ENTITLEMENT[=VALUE]
+    ```
+
+    Entitlements are designed to provide controlled access to privileged
+    operations. By default, Buildx and BuildKit operates with restricted
+    permissions to protect users and their systems from unintended side effects or
+    security risks. The `--allow` flag explicitly grants access to additional
+    entitlements, making it clear when a build or bake operation requires elevated
+    privileges.
+
+    In addition to BuildKit's `network.host` and `security.insecure` entitlements
+    (see [`docker buildx build --allow`](/reference/cli/docker/buildx/build/#allow),
+    Bake supports file system entitlements that grant granular control over file
+    system access. These are particularly useful when working with builds that need
+    access to files outside the default working directory.
+
+    Bake supports the following filesystem entitlements:
+
+    - `--allow fs=<path|*>` - Grant read and write access to files outside of the
+      working directory.
+    - `--allow fs.read=<path|*>` - Grant read access to files outside of the
+      working directory.
+    - `--allow fs.write=<path|*>` - Grant write access to files outside of the
+      working directory.
+
+    The `fs` entitlements take a path value (relative or absolute) to a directory
+    on the filesystem. Alternatively, you can pass a wildcard (`*`) to allow Bake
+    to access the entire filesystem.
+
+    ### Example: fs.read
+
+    Given the following Bake configuration, Bake would need to access the parent
+    directory, relative to the Bake file.
+
+    ```hcl
+    target "app" {
+      context = "../src"
+    }
+    ```
+
+    Assuming `docker buildx bake app` is executed in the same directory as the
+    `docker-bake.hcl` file, you would need to explicitly allow Bake to read from
+    the `../src` directory. In this case, the following invocations all work:
+
+    ```console
+    $ docker buildx bake --allow fs.read=* app
+    $ docker buildx bake --allow fs.read=../src app
+    $ docker buildx bake --allow fs=* app
+    ```
+
+    ### Example: fs.write
+
+    The following `docker-bake.hcl` file requires write access to the `/tmp`
+    directory.
+
+    ```hcl
+    target "app" {
+      output = "/tmp"
+    }
+    ```
+
+    Assuming `docker buildx bake app` is executed outside of the `/tmp` directory,
+    you would need to allow the `fs.write` entitlement, either by specifying the
+    path or using a wildcard:
+
+    ```console
+    $ docker buildx bake --allow fs=/tmp app
+    $ docker buildx bake --allow fs.write=/tmp app
+    $ docker buildx bake --allow fs.write=* app
+    ```
+
     ### Override the configured builder instance (--builder) {#builder}
 
     Same as [`buildx --builder`](/reference/cli/docker/buildx/#builder).

go.mod

@@ -3,7 +3,7 @@ module github.com/docker/docs
 go 1.23.1
 
 require (
-	github.com/docker/buildx v0.20.0 // indirect
+	github.com/docker/buildx v0.20.1 // indirect
 	github.com/docker/cli v27.5.0+incompatible // indirect
 	github.com/docker/compose/v2 v2.32.4 // indirect
 	github.com/docker/scout-cli v1.15.0 // indirect
@@ -12,7 +12,7 @@ require (
 )
 
 replace (
-	github.com/docker/buildx => github.com/docker/buildx v0.20.0
+	github.com/docker/buildx => github.com/docker/buildx v0.20.1
 	github.com/docker/cli => github.com/docker/cli v27.5.0+incompatible
 	github.com/docker/compose/v2 => github.com/docker/compose/v2 v2.32.4
 	github.com/docker/scout-cli => github.com/docker/scout-cli v1.15.0

go.sum

@@ -90,6 +90,8 @@ github.com/docker/buildx v0.19.2 h1:2zXzgP2liQKgQ5BiOqMc+wz7hfWgAIMWw5MR6QDG++I=
 github.com/docker/buildx v0.19.2/go.mod h1:k4WP+XmGRYL0a7l4RZAI2TqpwhuAuSQ5U/rosRgFmAA=
 github.com/docker/buildx v0.20.0 h1:XM2EvwEfohbxLPAheVm03biNHpspB/dA6U9F0c6yJsI=
 github.com/docker/buildx v0.20.0/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic=
+github.com/docker/buildx v0.20.1 h1:q88EfoYwrWEKVqNb9stOFq8fUlFp/OPlDcFE+QUYZBM=
+github.com/docker/buildx v0.20.1/go.mod h1:VVi4Nvo4jd/IkRvwyExbIyW7u82fivK61MRx5I0oKic=
 github.com/docker/cli v24.0.2+incompatible h1:QdqR7znue1mtkXIJ+ruQMGQhpw2JzMJLRXp6zpzF6tM=
 github.com/docker/cli v24.0.2+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v24.0.4+incompatible h1:Y3bYF9ekNTm2VFz5U/0BlMdJy73D+Y1iAAZ8l63Ydzw=