Merge pull request #1027 from docker/dependabot/npm_and_yarn/sigstore/sign-4.1.1

build(deps): bump @sigstore/sign from 4.1.0 to 4.1.1
2026-03-19 10:04:24 +01:00 · 2026-03-19 09:01:22 +00:00 · 2026-03-19 09:59:27 +01:00 · 2026-03-19 09:58:55 +01:00 · 2026-03-18 22:53:43 +00:00 · 2026-03-18 22:04:45 +01:00
6 changed files with 164 additions and 45 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -53,7 +53,7 @@ jobs:
          npm publish --provenance --access public
      -
        name: Create Release
-        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe  # v2.6.1
        with:
          draft: true
          generate_release_notes: true
--- a/tests/buildx/build.test.ts
+++ b/tests/buildx/build.test.ts
@@ -60,7 +60,11 @@ describe('gitContext', () => {
  type GitContextTestCase = {
    ref: string;
    checksum?: string;
    subdir?: string;
    attrs?: Record<string, string>;
    format: GitContextFormat | undefined;
    prHeadRef: boolean;
    sendGitQueryAsInput: boolean;
    buildxQuerySupport: boolean;
@@ -79,28 +83,57 @@ describe('gitContext', () => {
    [{ref: 'refs/pull/15/merge', format: undefined, prHeadRef: false, sendGitQueryAsInput: true, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/merge&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/pull/15/merge', format: undefined, prHeadRef: true, sendGitQueryAsInput: true, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/head&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: true, buildxQuerySupport: false}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {}}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/heads/master', checksum: undefined, format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {checksum: 'cafebabe'}}, 'https://github.com/docker/actions-toolkit.git#cafebabe'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {subdir: 'subdir'}}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37:subdir'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {ref: 'refs/tags/v1.0.0'}}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {'keep-git-dir': 'true'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&keep-git-dir=true'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: false, attrs: {'keep-git-dir': 'true'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&keep-git-dir=true'],
    [{ref: 'refs/heads/master', checksum: undefined, format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {checksum: 'cafebabe', 'keep-git-dir': 'true'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=cafebabe&keep-git-dir=true'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {submodules: 'false'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&submodules=false'],
    [{ref: 'refs/heads/master', format: undefined, prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: false, attrs: {submodules: 'false'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&submodules=false'],
    // query format
    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/pull/15/merge', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/merge&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/tags/v1.0.0', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/tags/v1.0.0&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/pull/15/merge', format: 'query', prHeadRef: true, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git?ref=refs/pull/15/head&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, subdir: 'subdir'}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&subdir=subdir'],
    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, subdir: '.'}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/heads/master', checksum: undefined, format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {ref: 'refs/tags/v1.0.0', checksum: 'cafebabe', subdir: 'subdir', submodules: 'false'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=cafebabe&subdir=subdir&submodules=false'],
    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, subdir: 'subdir', attrs: {'keep-git-dir': 'true'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&subdir=subdir&keep-git-dir=true'],
    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {submodules: 'true'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&submodules=true'],
    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {submodules: 'false'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&submodules=false'],
    [{ref: 'refs/heads/master', format: 'query', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {'keep-git-dir': 'true', submodules: 'false'}}, 'https://github.com/docker/actions-toolkit.git?ref=refs/heads/master&checksum=860c1904a1ce19322e91ac35af1ab07466440c37&keep-git-dir=true&submodules=false'],
    // fragment format
    [{ref: 'refs/heads/master', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'master', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/pull/15/merge', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#refs/pull/15/merge'],
    [{ref: 'refs/tags/v1.0.0', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/pull/15/merge', format: 'fragment', prHeadRef: true, sendGitQueryAsInput: false, buildxQuerySupport: true}, 'https://github.com/docker/actions-toolkit.git#refs/pull/15/head'],
    [{ref: 'refs/heads/master', checksum: undefined, format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {checksum: 'cafebabe', subdir: 'subdir', ref: 'refs/tags/v1.0.0'}}, 'https://github.com/docker/actions-toolkit.git#cafebabe:subdir'],
    [{ref: 'refs/heads/master', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, attrs: {'keep-git-dir': 'true'}}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/heads/master', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, subdir: 'subdir'}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37:subdir'],
    [{ref: 'refs/heads/master', format: 'fragment', prHeadRef: false, sendGitQueryAsInput: false, buildxQuerySupport: true, subdir: '.'}, 'https://github.com/docker/actions-toolkit.git#860c1904a1ce19322e91ac35af1ab07466440c37'],
    [{ref: 'refs/pull/15/merge', format: 'fragment', prHeadRef: true, sendGitQueryAsInput: false, buildxQuerySupport: true, subdir: 'subdir'}, 'https://github.com/docker/actions-toolkit.git#refs/pull/15/head:subdir'],
  ];
  test.each(gitContextCases)('given %o should return %o', async (input: GitContextTestCase, expected: string) => {
-    const {ref, format, prHeadRef, sendGitQueryAsInput, buildxQuerySupport} = input;
+    const {ref, checksum, format, prHeadRef, sendGitQueryAsInput, buildxQuerySupport, subdir, attrs} = input;
    process.env.DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF = prHeadRef ? 'true' : '';
    process.env.BUILDX_SEND_GIT_QUERY_AS_INPUT = sendGitQueryAsInput ? 'true' : '';
    const buildx = new Buildx();
    vi.spyOn(buildx, 'versionSatisfies').mockResolvedValue(buildxQuerySupport);
    const build = new Build({buildx});
-    expect(await build.gitContext(ref, '860c1904a1ce19322e91ac35af1ab07466440c37', format)).toEqual(expected);
+    expect(
      await build.gitContext({
        ref,
        ...('checksum' in input ? {checksum} : {checksum: '860c1904a1ce19322e91ac35af1ab07466440c37'}),
        format,
        subdir,
        attrs
      })
    ).toEqual(expected);
  });
 });
--- a/package.json
+++ b/package.json
@@ -51,11 +51,11 @@
    "@actions/io": "^3.0.2",
    "@actions/tool-cache": "^4.0.0",
    "@sigstore/bundle": "^4.0.0",
-    "@sigstore/sign": "^4.1.0",
+    "@sigstore/sign": "^4.1.1",
-    "@sigstore/tuf": "^4.0.1",
+    "@sigstore/tuf": "^4.0.2",
    "@sigstore/verify": "^3.1.0",
    "async-retry": "^1.3.3",
-    "csv-parse": "^6.1.0",
+    "csv-parse": "^6.2.0",
    "gunzip-maybe": "^1.4.2",
    "handlebars": "^4.7.8",
    "he": "^1.2.0",
--- a/src/buildx/bake.ts
+++ b/src/buildx/bake.ts
@@ -44,6 +44,7 @@ export interface BakeCmdOpts {
  sbom?: string;
  source?: string;
  targets?: Array<string>;
  vars?: Array<string>;
  githubToken?: string; // for auth with remote definitions on private repos
 }
@@ -138,6 +139,11 @@ export class Bake {
        args.push('--set', override);
      }
    }
    if (cmdOpts.vars) {
      for (const v of cmdOpts.vars) {
        args.push('--var', v);
      }
    }
    if (cmdOpts.allow) {
      for (const allow of cmdOpts.allow) {
        args.push('--allow', allow);
--- a/src/buildx/build.ts
+++ b/src/buildx/build.ts
@@ -38,6 +38,14 @@ export interface ResolveSecretsOpts {
  redact?: boolean;
 }
 export interface GitContextOpts {
  ref?: string;
  checksum?: string;
  subdir?: string;
  attrs?: Record<string, string>;
  format?: GitContextFormat;
 }
 export class Build {
  private readonly buildx: Buildx;
  private readonly iidFilename: string;
@@ -49,31 +57,52 @@ export class Build {
    this.metadataFilename = `build-metadata-${Util.generateRandomString()}.json`;
  }
-  public async gitContext(ref?: string, sha?: string, format?: GitContextFormat): Promise<string> {
+  public async gitContext(opts?: GitContextOpts): Promise<string> {
    const gitContextCommonAttrs = new Set(['ref', 'checksum', 'subdir']);
    const setPullRequestHeadRef = Util.parseBoolOrDefault(process.env.DOCKER_DEFAULT_GIT_CONTEXT_PR_HEAD_REF);
-    ref = ref || github.context.ref;
+    const commonAttrs = {
-    sha = sha || github.context.sha;
+      ref: opts?.attrs?.ref,
      checksum: opts?.attrs?.checksum,
      subdir: opts?.attrs?.subdir
    };
    const gitChecksum = opts?.checksum || commonAttrs.checksum || github.context.sha;
    let ref = opts?.ref || commonAttrs.ref || github.context.ref;
    const subdir = opts?.subdir || commonAttrs.subdir;
    const attrs = Object.entries(opts?.attrs || {}).filter(([name]) => !gitContextCommonAttrs.has(name));
    if (!ref.startsWith('refs/')) {
      ref = `refs/heads/${ref}`;
    } else if (ref.startsWith(`refs/pull/`) && setPullRequestHeadRef) {
      ref = ref.replace(/\/merge$/g, '/head');
    }
    const baseURL = `${GitHub.serverURL}/${github.context.repo.owner}/${github.context.repo.repo}.git`;
    let format = opts?.format;
    if (!format) {
      const sendGitQueryAsInput = Util.parseBoolOrDefault(process.env.BUILDX_SEND_GIT_QUERY_AS_INPUT);
-      if (sendGitQueryAsInput && (await this.buildx.versionSatisfies('>=0.29.0'))) {
+      if (attrs.length > 0) {
        format = 'query';
      } else if (sendGitQueryAsInput && (await this.buildx.versionSatisfies('>=0.29.0'))) {
        format = 'query';
      } else {
        format = 'fragment';
      }
    }
    if (format === 'query') {
-      return `${baseURL}?ref=${ref}${sha ? `&checksum=${sha}` : ''}`;
+      const query = [`ref=${ref}`];
      if (gitChecksum) {
        query.push(`checksum=${gitChecksum}`);
      }
      if (subdir && subdir !== '.') {
        query.push(`subdir=${subdir}`);
      }
      for (const [name, value] of attrs) {
        query.push(`${name}=${value}`);
      }
      return `${baseURL}?${query.join('&')}`;
    }
-    if (sha && !ref.startsWith(`refs/pull/`)) {
+    const fragmentRef = gitChecksum && !ref.startsWith(`refs/pull/`) ? gitChecksum : ref;
-      return `${baseURL}#${sha}`;
+    return `${baseURL}#${fragmentRef}${subdir && subdir !== '.' ? `:${subdir}` : ''}`;
    }
    return `${baseURL}#${ref}`;
  }
  public getImageIDFilePath(): string {
--- a/yarn.lock
+++ b/yarn.lock
@@ -380,8 +380,8 @@ __metadata:
    "@actions/tool-cache": "npm:^4.0.0"
    "@eslint/js": "npm:^9.39.3"
    "@sigstore/bundle": "npm:^4.0.0"
-    "@sigstore/sign": "npm:^4.1.0"
+    "@sigstore/sign": "npm:^4.1.1"
-    "@sigstore/tuf": "npm:^4.0.1"
+    "@sigstore/tuf": "npm:^4.0.2"
    "@sigstore/verify": "npm:^3.1.0"
    "@types/gunzip-maybe": "npm:^1.4.3"
    "@types/he": "npm:^1.2.3"
@@ -395,7 +395,7 @@ __metadata:
    "@vitest/coverage-v8": "npm:^4.0.18"
    "@vitest/eslint-plugin": "npm:^1.6.9"
    async-retry: "npm:^1.3.3"
-    csv-parse: "npm:^6.1.0"
+    csv-parse: "npm:^6.2.0"
    eslint: "npm:^9.39.3"
    eslint-config-prettier: "npm:^10.1.8"
    eslint-plugin-prettier: "npm:^5.5.5"
@@ -696,6 +696,13 @@ __metadata:
  languageName: node
  linkType: hard
 "@gar/promise-retry@npm:^1.0.0, @gar/promise-retry@npm:^1.0.2":
  version: 1.0.3
  resolution: "@gar/promise-retry@npm:1.0.3"
  checksum: 10/0d13ea3bb1025755e055648f6e290d2a7e0c87affaf552218f09f66b3fcd9ea9d5c9cc5fe2aa6e285e1530437768e40f9448fe9a86f4f3417b216dcf488d3d1a
  languageName: node
  linkType: hard
 "@gar/promisify@npm:^1.1.3":
  version: 1.1.3
  resolution: "@gar/promisify@npm:1.1.3"
@@ -837,6 +844,13 @@ __metadata:
  languageName: node
  linkType: hard
 "@npmcli/redact@npm:^4.0.0":
  version: 4.0.0
  resolution: "@npmcli/redact@npm:4.0.0"
  checksum: 10/5d52df2b5267f4369c97a2b2f7c427e3d7aa4b6a83e7a1b522e196f6e9d50024c620bd0cb2052067c74d1aaa0c330d9bc04e1d335bfb46180e705bb33423e74c
  languageName: node
  linkType: hard
 "@octokit/auth-token@npm:^6.0.0":
  version: 6.0.0
  resolution: "@octokit/auth-token@npm:6.0.0"
@@ -1234,6 +1248,13 @@ __metadata:
  languageName: node
  linkType: hard
 "@sigstore/core@npm:^3.2.0":
  version: 3.2.0
  resolution: "@sigstore/core@npm:3.2.0"
  checksum: 10/2425d20297d57a5f5a62f0e6c2f4280818015ea00b3defebdac63f13c7d01db988602c316c16e374ba091c3649dd9a22ae8c9ba3ac165f736b0503164c5da5f5
  languageName: node
  linkType: hard
 "@sigstore/protobuf-specs@npm:^0.5.0":
  version: 0.5.0
  resolution: "@sigstore/protobuf-specs@npm:0.5.0"
@@ -1241,27 +1262,27 @@ __metadata:
  languageName: node
  linkType: hard
-"@sigstore/sign@npm:^4.1.0":
+"@sigstore/sign@npm:^4.1.1":
-  version: 4.1.0
+  version: 4.1.1
-  resolution: "@sigstore/sign@npm:4.1.0"
+  resolution: "@sigstore/sign@npm:4.1.1"
  dependencies:
    "@gar/promise-retry": "npm:^1.0.2"
    "@sigstore/bundle": "npm:^4.0.0"
-    "@sigstore/core": "npm:^3.1.0"
+    "@sigstore/core": "npm:^3.2.0"
    "@sigstore/protobuf-specs": "npm:^0.5.0"
-    make-fetch-happen: "npm:^15.0.3"
+    make-fetch-happen: "npm:^15.0.4"
    proc-log: "npm:^6.1.0"
-    promise-retry: "npm:^2.0.1"
+  checksum: 10/c9424813ed83ae26111dd3a190dbfd776901cfc245ebb9aa68e133a7ffcbf8fc053f01d999a451e44805a291921ba4d2dfe80e3fd41b20cd5becd26aae5f5e7c
  checksum: 10/e5441d4cacf0f203f329e96bb7a3ca77682cfdf90d6448ad368344056fd8d55c01742e2b636545d55364490a87988f767f2b23168b2d9cc52ef3d8fe9e9496aa
  languageName: node
  linkType: hard
-"@sigstore/tuf@npm:^4.0.1":
+"@sigstore/tuf@npm:^4.0.2":
-  version: 4.0.1
+  version: 4.0.2
-  resolution: "@sigstore/tuf@npm:4.0.1"
+  resolution: "@sigstore/tuf@npm:4.0.2"
  dependencies:
    "@sigstore/protobuf-specs": "npm:^0.5.0"
    tuf-js: "npm:^4.1.0"
-  checksum: 10/1a9725aa95eba55badf24442fe8a71c6d68f8b7d17a6b2a5e4b5590117f0181881b3485cfa57ea375b7c3a38421dbffdfcbe86e6623d903e17e3a8359837e268
+  checksum: 10/14882b8e71be4185ec417744b97a47392a50da00aafd4207a46bb74b40aa019ebf22d928052fd2d31a8da0da1efe7ebebac5a70898b31a74239a1ada997be754
  languageName: node
  linkType: hard
@@ -2178,10 +2199,10 @@ __metadata:
  languageName: node
  linkType: hard
-"csv-parse@npm:^6.1.0":
+"csv-parse@npm:^6.2.0":
-  version: 6.1.0
+  version: 6.2.0
-  resolution: "csv-parse@npm:6.1.0"
+  resolution: "csv-parse@npm:6.2.0"
-  checksum: 10/607d92611435fdfb7631242644a2582bfb218fad8c6c6d6416db31647c2e63a3110f16c9837de6baaa3edf318212765cfc6e72d672d99690fd7f565d6c93d6f4
+  checksum: 10/45d0659e11bf2126a2e9b63c2b4206ebaef6ffcaad9b0b98bf4863ad1d94656ad6e00c4cf87c6b0767b5edc1d1dd133d906f7181e689e62fd84b3a9947643eff
  languageName: node
  linkType: hard
@@ -2655,22 +2676,25 @@ __metadata:
  languageName: node
  linkType: hard
-"fast-xml-builder@npm:^1.0.0":
+"fast-xml-builder@npm:^1.1.4":
-  version: 1.0.0
+  version: 1.1.4
-  resolution: "fast-xml-builder@npm:1.0.0"
+  resolution: "fast-xml-builder@npm:1.1.4"
-  checksum: 10/06c04d80545e5c9f4d1d6cca00567b5cc09953a92c6328fa48cfb4d7f42630313b8c2bb62e9cb81accee7bb5e1c5312fcae06c3d20dbe52d969a5938233316da
+  dependencies:
    path-expression-matcher: "npm:^1.1.3"
  checksum: 10/32937866aaf5a90e69d1f4ee6e15e875248d5b5d2afd70277e9e8323074de4980cef24575a591b8e43c29f405d5f12377b3bad3842dc412b0c5c17a3eaee4b6b
  languageName: node
  linkType: hard
 "fast-xml-parser@npm:^5.0.7":
-  version: 5.4.1
+  version: 5.5.6
-  resolution: "fast-xml-parser@npm:5.4.1"
+  resolution: "fast-xml-parser@npm:5.5.6"
  dependencies:
-    fast-xml-builder: "npm:^1.0.0"
+    fast-xml-builder: "npm:^1.1.4"
    path-expression-matcher: "npm:^1.1.3"
    strnum: "npm:^2.1.2"
  bin:
    fxparser: src/cli/cli.js
-  checksum: 10/2b40067c3ad3542ca197d1353bcb0416cd5db20d5c66d74ac176b99af6ff9bd55a6182d36856a2fd477c95b8fc1f07405475f1662a31185480130ba7076c702a
+  checksum: 10/91a42a0cf99c83b0e721ceef9c189509e96c91c1875901c6ce6017f78ad25284f646a77a541e96ee45a15c2f13b7780d090c906c3ec3f262db03e7feb1e62315
  languageName: node
  linkType: hard
@@ -3457,7 +3481,7 @@ __metadata:
  languageName: node
  linkType: hard
-"make-fetch-happen@npm:^15.0.1, make-fetch-happen@npm:^15.0.3":
+"make-fetch-happen@npm:^15.0.1":
  version: 15.0.3
  resolution: "make-fetch-happen@npm:15.0.3"
  dependencies:
@@ -3476,6 +3500,26 @@ __metadata:
  languageName: node
  linkType: hard
 "make-fetch-happen@npm:^15.0.4":
  version: 15.0.5
  resolution: "make-fetch-happen@npm:15.0.5"
  dependencies:
    "@gar/promise-retry": "npm:^1.0.0"
    "@npmcli/agent": "npm:^4.0.0"
    "@npmcli/redact": "npm:^4.0.0"
    cacache: "npm:^20.0.1"
    http-cache-semantics: "npm:^4.1.1"
    minipass: "npm:^7.0.2"
    minipass-fetch: "npm:^5.0.0"
    minipass-flush: "npm:^1.0.5"
    minipass-pipeline: "npm:^1.2.4"
    negotiator: "npm:^1.0.0"
    proc-log: "npm:^6.0.0"
    ssri: "npm:^13.0.0"
  checksum: 10/d2649effb06c00cb2b266057cb1c8c1e99cfc8d1378e7d9c26cc8f00be41bc63d59b77a5576ed28f8105acc57fb16220b64217f8d3a6a066a594c004aa163afa
  languageName: node
  linkType: hard
 "minimatch@npm:^10.0.3":
  version: 10.0.3
  resolution: "minimatch@npm:10.0.3"
@@ -3897,6 +3941,13 @@ __metadata:
  languageName: node
  linkType: hard
 "path-expression-matcher@npm:^1.1.3":
  version: 1.1.3
  resolution: "path-expression-matcher@npm:1.1.3"
  checksum: 10/9a607d0bf9807cf86b0a29fb4263f0c00285c13bedafb6ad3efc8bc87ae878da2faf657a9138ac918726cb19f147235a0ca695aec3e4ea1ee04641b6520e6c9e
  languageName: node
  linkType: hard
 "path-is-absolute@npm:^1.0.0":
  version: 1.0.1
  resolution: "path-is-absolute@npm:1.0.1"
@@ -4789,9 +4840,9 @@ __metadata:
  linkType: hard
 "undici@npm:^6.23.0":
-  version: 6.23.0
+  version: 6.24.1
-  resolution: "undici@npm:6.23.0"
+  resolution: "undici@npm:6.24.1"
-  checksum: 10/56950995e7b628e62c996430445d17995ca9b70f6f2afe760a63da54205660d968bd08f0741b6f4fb008f40aa35c69cce979cd96ced399585d8c897a76a4f1d1
+  checksum: 10/4f84e6045520eef9ba8eabb96360b50c759f59905c1703b12187c2dbcc6d1584c5d7ecddeb45b0ed6cac84ca2d132b21bfd8a38f77fa30378b1ac5d2ae390fd9
  languageName: node
  linkType: hard
Author	SHA1	Message	Date
CrazyMax	9505deb078	Merge pull request #1027 from docker/dependabot/npm_and_yarn/sigstore/sign-4.1.1 Some checks failed publish / publish (push) Has been cancelled Details build(deps): bump @sigstore/sign from 4.1.0 to 4.1.1	2026-03-19 10:04:24 +01:00
dependabot[bot]	af784a2022	build(deps): bump @sigstore/sign from 4.1.0 to 4.1.1 Bumps [@sigstore/sign](https://github.com/sigstore/sigstore-js) from 4.1.0 to 4.1.1. - [Release notes](https://github.com/sigstore/sigstore-js/releases) - [Commits](https://github.com/sigstore/sigstore-js/compare/sigstore@4.1.0...@sigstore/sign@4.1.1) --- updated-dependencies: - dependency-name: "@sigstore/sign" dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-19 09:01:22 +00:00
CrazyMax	afcc1c08a8	Merge pull request #1026 from docker/dependabot/npm_and_yarn/sigstore/tuf-4.0.2 build(deps): bump @sigstore/tuf from 4.0.1 to 4.0.2	2026-03-19 09:59:27 +01:00
CrazyMax	af0890ba7a	Merge pull request #1025 from crazy-max/git-context-attrs buildx(build): support extensible git context attrs	2026-03-19 09:58:55 +01:00
dependabot[bot]	c4109c3fc2	build(deps): bump @sigstore/tuf from 4.0.1 to 4.0.2 Bumps [@sigstore/tuf](https://github.com/sigstore/sigstore-js) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/sigstore/sigstore-js/releases) - [Commits](https://github.com/sigstore/sigstore-js/compare/@sigstore/sign@4.0.1...@sigstore/tuf@4.0.2) --- updated-dependencies: - dependency-name: "@sigstore/tuf" dependency-version: 4.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-18 22:53:43 +00:00
CrazyMax	e314ca9bb5	buildx(build): support extensible git context attrs Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-18 22:04:45 +01:00
CrazyMax	29efe4d6a8	Merge pull request #1024 from crazy-max/subdir-dot Some checks failed publish / publish (push) Has been cancelled Details buildx(build): ignore dot git context subdir	2026-03-18 09:59:13 +01:00
CrazyMax	aacbc67b8d	buildx(build): ignore dot git context subdir Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-18 09:53:58 +01:00
CrazyMax	d71b84aad5	Merge pull request #1020 from crazy-max/build-git-context-opts Some checks failed publish / publish (push) Has been cancelled Details buildx(build): support git context subdir and other query options	2026-03-18 09:24:44 +01:00
CrazyMax	ea05649ce1	Merge pull request #1023 from crazy-max/bake-vars bake: var cmd opt support	2026-03-18 09:24:22 +01:00
CrazyMax	012ae0603d	bake: var cmd opt support Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-18 09:15:22 +01:00
CrazyMax	6194cf96c1	Merge pull request #1022 from docker/dependabot/npm_and_yarn/fast-xml-parser-5.5.6 build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6	2026-03-18 09:00:41 +01:00
CrazyMax	e804b694a2	Merge pull request #1021 from docker/dependabot/npm_and_yarn/csv-parse-6.2.0 build(deps): bump csv-parse from 6.1.0 to 6.2.0	2026-03-18 09:00:07 +01:00
dependabot[bot]	d2a882884d	build(deps): bump fast-xml-parser from 5.4.1 to 5.5.6 Bumps [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) from 5.4.1 to 5.5.6. - [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases) - [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md) - [Commits](https://github.com/NaturalIntelligence/fast-xml-parser/compare/v5.4.1...v5.5.6) --- updated-dependencies: - dependency-name: fast-xml-parser dependency-version: 5.5.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-18 01:53:33 +00:00
dependabot[bot]	d820ad4123	build(deps): bump csv-parse from 6.1.0 to 6.2.0 Bumps [csv-parse](https://github.com/adaltas/node-csv/tree/HEAD/packages/csv-parse) from 6.1.0 to 6.2.0. - [Changelog](https://github.com/adaltas/node-csv/blob/master/packages/csv-parse/CHANGELOG.md) - [Commits](https://github.com/adaltas/node-csv/commits/csv-parse@6.2.0/packages/csv-parse) --- updated-dependencies: - dependency-name: csv-parse dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-17 22:53:46 +00:00
CrazyMax	a5d905690f	Merge pull request #1019 from docker/dependabot/github_actions/softprops/action-gh-release-2.6.1 build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1	2026-03-17 15:42:31 +01:00
CrazyMax	6233293ae6	buildx(build): support git context subdir and other query options Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>	2026-03-17 13:09:33 +01:00
dependabot[bot]	9d10fe0e06	build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 2.5.0 to 2.6.1. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](`a06a81a03e...153bb8e044`) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-version: 2.6.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-16 22:53:05 +00:00
CrazyMax	a8dc8088d4	Merge pull request #1018 from docker/dependabot/npm_and_yarn/undici-6.24.1 build(deps): bump undici from 6.23.0 to 6.24.1	2026-03-14 12:51:58 +01:00
dependabot[bot]	4bc2c14908	build(deps): bump undici from 6.23.0 to 6.24.1 Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](https://github.com/nodejs/undici/compare/v6.23.0...v6.24.1) --- updated-dependencies: - dependency-name: undici dependency-version: 6.24.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>	2026-03-14 09:18:22 +00:00