Merge pull request #5755 from crazy-max/0.20_backport_rc3

[v0.20] cherry-picks 0.20.0-rc3
moby · Feb 18, 2025 · 6cad2f9 · 6cad2f9
2 parents c45cd57 + b0f75aa
commit 6cad2f9
Show file tree

Hide file tree

Showing 31 changed files with 628 additions and 136 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile-upstream:master
 
-ARG RUNC_VERSION=v1.2.4
+ARG RUNC_VERSION=v1.2.5
 ARG CONTAINERD_VERSION=v2.0.2
 # CONTAINERD_ALT_VERSION_... defines fallback containerd version for integration tests
 ARG CONTAINERD_ALT_VERSION_17=v1.7.25

diff --git a/README.md b/README.md
@@ -516,7 +516,8 @@ GitHub Actions cache saves both cache metadata and layers to GitHub's Cache serv
 Similarly to using [actions/cache](https://github.com/actions/cache), caches are [scoped by branch](https://docs.github.com/en/actions/advanced-guides/caching-dependencies-to-speed-up-workflows#restrictions-for-accessing-a-cache), with the default and target branches being available to every branch.
 
 Following attributes are required to authenticate against the [GitHub Actions Cache service API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md#authentication):
-* `url`: Cache server URL (default `$ACTIONS_CACHE_URL`)
+* `url`: Cache server URL (default `$ACTIONS_CACHE_URL` or fallback to `$ACTIONS_RESULTS_URL`)
+* `url_v2`: Cache v2 server URL if `$ACTIONS_CACHE_SERVICE_V2` set on the runner (default `$ACTIONS_RESULTS_URL`)
 * `token`: Access token (default `$ACTIONS_RUNTIME_TOKEN`)
 
 :information_source: This type of cache can be used with [Docker Build Push Action](https://github.com/docker/build-push-action)

diff --git a/cache/remotecache/gha/gha.go b/cache/remotecache/gha/gha.go
@@ -63,10 +63,6 @@ func getConfig(attrs map[string]string) (*Config, error) {
 	if !ok {
 		scope = "buildkit"
 	}
-	url, ok := attrs[attrURL]
-	if !ok {
-		return nil, errors.Errorf("url not set for github actions cache")
-	}
 	token, ok := attrs[attrToken]
 	if !ok {
 		return nil, errors.Errorf("token not set for github actions cache")
@@ -80,12 +76,19 @@ func getConfig(attrs map[string]string) (*Config, error) {
 		}
 		apiVersionInt = int(i)
 	}
+	var url string
 	if apiVersionInt != 1 {
 		if v, ok := attrs[attrURLV2]; ok {
 			url = v
 			apiVersionInt = 2
 		}
 	}
+	if v, ok := attrs[attrURL]; ok && url == "" {
+		url = v
+	}
+	if url == "" {
+		return nil, errors.Errorf("url not set for github actions cache")
+	}
 	// best effort on old clients
 	if apiVersionInt == 0 {
 		if strings.Contains(url, "results-receiver.actions.githubusercontent.com") {

diff --git a/cache/remotecache/gha/gha_test.go b/cache/remotecache/gha/gha_test.go
@@ -1,8 +1,10 @@
 package gha
 
 import (
+	"maps"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -57,10 +59,25 @@ func testBasicGhaCacheImportExportExtraTimeout(t *testing.T, sb integration.Sand
 
 	destDir := t.TempDir()
 
-	runtimeToken := os.Getenv("ACTIONS_RUNTIME_TOKEN")
-	cacheURL := os.Getenv("ACTIONS_CACHE_URL")
-	if runtimeToken == "" || cacheURL == "" {
-		t.Skip("ACTIONS_RUNTIME_TOKEN and ACTIONS_CACHE_URL must be set")
+	var cacheVersion string
+	if v, ok := os.LookupEnv("ACTIONS_CACHE_SERVICE_V2"); ok {
+		if b, err := strconv.ParseBool(v); err == nil && b {
+			cacheVersion = "2"
+		}
+	}
+
+	cacheAttrs := map[string]string{}
+	if cacheVersion == "2" {
+		cacheAttrs["url_v2"] = os.Getenv("ACTIONS_RESULTS_URL")
+	}
+	cacheAttrs["url"] = os.Getenv("ACTIONS_CACHE_URL")
+	if cacheAttrs["url"] == "" {
+		cacheAttrs["url"] = os.Getenv("ACTIONS_RESULTS_URL")
+	}
+	cacheAttrs["token"] = os.Getenv("ACTIONS_RUNTIME_TOKEN")
+
+	if cacheAttrs["token"] == "" || (cacheAttrs["url"] == "" && cacheAttrs["url_v2"] == "") {
+		t.Skip("actions runtime token and cache url must be set")
 	}
 
 	scope := "buildkit-" + t.Name()
@@ -74,6 +91,12 @@ func testBasicGhaCacheImportExportExtraTimeout(t *testing.T, sb integration.Sand
 		}
 	}
 
+	cacheExportAttrs := map[string]string{
+		"scope": scope,
+		"mode":  "max",
+	}
+	maps.Copy(cacheExportAttrs, cacheAttrs)
+
 	_, err = c.Solve(sb.Context(), def, client.SolveOpt{
 		Exports: []client.ExportEntry{
 			{
@@ -82,13 +105,8 @@ func testBasicGhaCacheImportExportExtraTimeout(t *testing.T, sb integration.Sand
 			},
 		},
 		CacheExports: []client.CacheOptionsEntry{{
-			Type: "gha",
-			Attrs: map[string]string{
-				"url":   cacheURL,
-				"token": runtimeToken,
-				"scope": scope,
-				"mode":  "max",
-			},
+			Type:  "gha",
+			Attrs: cacheExportAttrs,
 		}},
 	}, nil)
 	require.NoError(t, err)
@@ -104,6 +122,11 @@ func testBasicGhaCacheImportExportExtraTimeout(t *testing.T, sb integration.Sand
 
 	destDir = t.TempDir()
 
+	cacheImportAttrs := map[string]string{
+		"scope": scope,
+	}
+	maps.Copy(cacheImportAttrs, cacheAttrs)
+
 	_, err = c.Solve(sb.Context(), def, client.SolveOpt{
 		Exports: []client.ExportEntry{
 			{
@@ -112,12 +135,8 @@ func testBasicGhaCacheImportExportExtraTimeout(t *testing.T, sb integration.Sand
 			},
 		},
 		CacheImports: []client.CacheOptionsEntry{{
-			Type: "gha",
-			Attrs: map[string]string{
-				"url":   cacheURL,
-				"token": runtimeToken,
-				"scope": scope,
-			},
+			Type:  "gha",
+			Attrs: cacheImportAttrs,
 		}},
 	}, nil)
 	require.NoError(t, err)

diff --git a/client/build_test.go b/client/build_test.go
@@ -1838,7 +1838,7 @@ func testClientGatewayContainerSecurityMode(t *testing.T, sb integration.Sandbox
 
 	command := []string{"sh", "-c", `cat /proc/self/status | grep CapEff | cut -f 2`}
 	mode := llb.SecurityModeSandbox
-	var allowedEntitlements []entitlements.Entitlement
+	var allowedEntitlements []string
 	var assertCaps func(caps uint64)
 	secMode := sb.Value("secmode")
 	if secMode == securitySandbox {
@@ -1850,7 +1850,7 @@ func testClientGatewayContainerSecurityMode(t *testing.T, sb integration.Sandbox
 			*/
 			require.Equal(t, uint64(0xa80425fb), caps)
 		}
-		allowedEntitlements = []entitlements.Entitlement{}
+		allowedEntitlements = []string{}
 		if expectFail {
 			return
 		}
@@ -1869,9 +1869,9 @@ func testClientGatewayContainerSecurityMode(t *testing.T, sb integration.Sandbox
 			require.Equal(t, uint64(0x3fffffffff), caps&0x3fffffffff)
 		}
 		mode = llb.SecurityModeInsecure
-		allowedEntitlements = []entitlements.Entitlement{entitlements.EntitlementSecurityInsecure}
+		allowedEntitlements = []string{entitlements.EntitlementSecurityInsecure.String()}
 		if expectFail {
-			allowedEntitlements = []entitlements.Entitlement{}
+			allowedEntitlements = []string{}
 		}
 	}
 
@@ -2046,13 +2046,13 @@ func testClientGatewayContainerHostNetworking(t *testing.T, sb integration.Sandb
 	ctx := sb.Context()
 	product := "buildkit_test"
 
-	var allowedEntitlements []entitlements.Entitlement
+	var allowedEntitlements []string
 	netMode := pb.NetMode_UNSET
 	if sb.Value("netmode") == hostNetwork {
 		netMode = pb.NetMode_HOST
-		allowedEntitlements = []entitlements.Entitlement{entitlements.EntitlementNetworkHost}
+		allowedEntitlements = []string{entitlements.EntitlementNetworkHost.String()}
 		if expectFail {
-			allowedEntitlements = []entitlements.Entitlement{}
+			allowedEntitlements = []string{}
 		}
 	}
 	c, err := New(sb.Context(), sb.Address())