Merge branch 'docker:master' into 6203-add-healthcheck-format

Author: Mohammed-Thaha

.github/workflows/build.yml

@@ -66,7 +66,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Build
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           targets: ${{ matrix.target }}
           set: |
@@ -88,7 +88,7 @@ jobs:
           fi
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: ${{ env.ARTIFACT_NAME }}
           path: /tmp/out/*
@@ -101,7 +101,7 @@ jobs:
       -
         name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           username: ${{ secrets.DOCKERHUB_CLIBIN_USERNAME }}
           password: ${{ secrets.DOCKERHUB_CLIBIN_TOKEN }}
@@ -125,7 +125,7 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
       -
         name: Build and push image
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           files: |
             ./docker-bake.hcl
@@ -168,7 +168,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Build
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           targets: plugins-cross
           set: |

.github/workflows/codeql.yml

@@ -63,18 +63,18 @@ jobs:
         name: Update Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: "1.26.1"
+          go-version: "1.26.3"
           cache: false
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           languages: go
       -
         name: Autobuild
-        uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
         with:
           category: "/language:go"

.github/workflows/test.yml

@@ -33,7 +33,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
       -
         name: Test
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           targets: test-coverage
       -
@@ -67,7 +67,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: "1.26.1"
+          go-version: "1.26.3"
           cache: false
       -
         name: Test

.github/workflows/validate-milestone.yml

@@ -0,0 +1,35 @@
+name: validate-milestone
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    types: [opened, synchronize, milestoned, demilestoned, edited]
+
+jobs:
+  validate-milestone:
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          sparse-checkout: VERSION
+
+      - name: Validate milestone matches VERSION
+        run: |
+          expected=$(cat VERSION)
+          milestone="${{ github.event.pull_request.milestone.title }}"
+
+          if [[ -z "$milestone" ]]; then
+            echo "::error::PR must have a milestone set (expected: $expected)"
+            exit 1
+          fi
+
+          if [[ "$milestone" != "$expected" ]]; then
+            echo "::error::Milestone '$milestone' does not match VERSION '$expected'"
+            exit 1
+          fi
+
+          echo "Milestone: $milestone ✓"

.github/workflows/validate.yml

@@ -38,7 +38,7 @@ jobs:
     steps:
       -
         name: Run
-        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7
+        uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0
         with:
           targets: ${{ matrix.target }}
 
@@ -96,7 +96,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: "1.26.1"
+          go-version: "1.26.3"
           cache: false
       -
         name: Run gocompat check

.golangci.yml

@@ -5,7 +5,7 @@ run:
   # which causes it to fallback to go1.17 semantics.
   #
   # TODO(thaJeztah): update "usetesting" settings to enable go1.24 features once our minimum version is go1.24
-  go: "1.26.1"
+  go: "1.26.3"
 
   timeout: 5m
 
@@ -110,8 +110,15 @@ linters:
       excludes:
         - G104 # G104: Errors unhandled; (TODO: reduce unhandled errors, or explicitly ignore)
         - G115 # G115: integer overflow conversion; (TODO: verify these: https://github.com/docker/cli/issues/5584)
+        - G117 # G117: Exported struct field matches secret pattern (false positives for legitimate field names)
+        - G118 # G118: Goroutine uses context.Background/TODO while request-scoped context is available (TODO: evaluate these)
+        - G122 # G122: Filesystem operation in filepath.Walk/WalkDir callback uses race-prone path (TODO: evaluate these)
         - G306 # G306: Expect WriteFile permissions to be 0600 or less (too restrictive; also flags "0o644" permissions)
         - G307 # G307: Deferring unsafe method "*os.File" on type "Close" (also EXC0008); (TODO: evaluate these and fix where needed: G307: Deferring unsafe method "*os.File" on type "Close")
+        - G702 # G702: Command injection via taint analysis (TODO: evaluate these)
+        - G703 # G703: Path traversal via taint analysis (TODO: evaluate these)
+        - G704 # G704: SSRF via taint analysis (TODO: evaluate these)
+        - G705 # G705: XSS via taint analysis (TODO: evaluate these)
 
     govet:
       enable:

Dockerfile

@@ -8,7 +8,7 @@ ARG BASE_VARIANT=alpine
 ARG ALPINE_VERSION=3.23
 ARG BASE_DEBIAN_DISTRO=bookworm
 
-ARG GO_VERSION=1.26.1
+ARG GO_VERSION=1.26.3
 
 # XX_VERSION specifies the version of the xx utility to use.
 # It must be a valid tag in the docker.io/tonistiigi/xx image repository.
@@ -25,12 +25,12 @@ ARG GOTESTSUM_VERSION=v1.13.0
 # BUILDX_VERSION sets the version of buildx to use for the e2e tests.
 # It must be a tag in the docker.io/docker/buildx-bin image repository
 # on Docker Hub.
-ARG BUILDX_VERSION=0.31.1
+ARG BUILDX_VERSION=0.33.0
 
 # COMPOSE_VERSION is the version of compose to install in the dev container.
 # It must be a tag in the docker.io/docker/compose-bin image repository
 # on Docker Hub.
-ARG COMPOSE_VERSION=v5.1.0
+ARG COMPOSE_VERSION=v5.1.3
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 

VERSION

@@ -1 +1 @@
-29.4.0-dev
+29.5.0

cli-plugins/hooks/template.go

@@ -13,6 +13,8 @@ import (
 	"github.com/spf13/cobra"
 )
 
+const maxMessages = 10
+
 func ParseTemplate(hookTemplate string, cmd *cobra.Command) ([]string, error) {
 	out := hookTemplate
 	if strings.Contains(hookTemplate, "{{") {
@@ -38,7 +40,10 @@ func ParseTemplate(hookTemplate string, cmd *cobra.Command) ([]string, error) {
 		}
 		out = b.String()
 	}
-	return strings.Split(out, "\n"), nil
+	if n := strings.Count(out, "\n"); n > maxMessages {
+		return nil, fmt.Errorf("hook template contains too many messages (%d): maximum is %d", n, maxMessages)
+	}
+	return strings.SplitN(out, "\n", maxMessages), nil
 }
 
 var ErrHookTemplateParse = errors.New("failed to parse hook template")

cli-plugins/manager/manager_test.go

@@ -177,9 +177,8 @@ func TestGetPluginDirs(t *testing.T) {
 	pluginDirs := getPluginDirs(cli.ConfigFile())
 	assert.Equal(t, strings.Join(expected, ":"), strings.Join(pluginDirs, ":"))
 
-	extras := []string{
-		"foo", "bar", "baz",
-	}
+	extras := make([]string, 0, 3+len(expected))
+	extras = append(extras, "foo", "bar", "baz")
 	expected = append(extras, expected...)
 	cli.SetConfigFile(&configfile.ConfigFile{
 		CLIPluginsExtraDirs: extras,