git url: support specifying tag and commit together

e.g., https://github.com/user/repo.git##tag=mytag,commit=cafebab

Fix issue 5871

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Author: AkihiroSuda

client/llb/source.go

@@ -322,6 +322,15 @@ func Git(url, ref string, opts ...GitOption) State {
 		addCap(&gi.Constraints, pb.CapSourceGitMountSSHSock)
 	}
 
+	commitHash := gi.CommitHash
+	if commitHash == "" && remote != nil && remote.Fragment != nil {
+		commitHash = remote.Fragment.CommitHash
+	}
+	if commitHash != "" {
+		attrs[pb.AttrCommitHash] = commitHash
+		addCap(&gi.Constraints, pb.CapSourceGitCommitHash)
+	}
+
 	addCap(&gi.Constraints, pb.CapSourceGit)
 
 	source := NewSource("git://"+id, attrs, gi.Constraints)
@@ -345,6 +354,7 @@ type GitInfo struct {
 	addAuthCap       bool
 	KnownSSHHosts    string
 	MountSSHSock     string
+	CommitHash       string
 }
 
 func KeepGitDir() GitOption {
@@ -373,6 +383,12 @@ func MountSSHSock(sshID string) GitOption {
 	})
 }
 
+func CommitHash(v string) GitOption {
+	return gitOptionFunc(func(gi *GitInfo) {
+		gi.CommitHash = v
+	})
+}
+
 // AuthOption can be used with either HTTP or Git sources.
 type AuthOption interface {
 	GitOption

frontend/dockerfile/dockerfile2llb/convert.go

@@ -1513,7 +1513,7 @@ func dispatchCopy(d *dispatchState, cfg copyConfig) error {
 			if gitRef.SubDir != "" {
 				commit += ":" + gitRef.SubDir
 			}
-			gitOptions := []llb.GitOption{llb.WithCustomName(pgName)}
+			gitOptions := []llb.GitOption{llb.WithCustomName(pgName), llb.CommitHash(gitRef.CommitHash)}
 			if cfg.keepGitDir {
 				gitOptions = append(gitOptions, llb.KeepGitDir())
 			}

frontend/dockerui/context.go

@@ -149,7 +149,7 @@ func DetectGitContext(ref string, keepGit bool) (*llb.State, bool) {
 	if g.SubDir != "" {
 		commit += ":" + g.SubDir
 	}
-	gitOpts := []llb.GitOption{WithInternalName("load git source " + ref)}
+	gitOpts := []llb.GitOption{WithInternalName("load git source " + ref), llb.CommitHash(g.CommitHash)}
 	if keepGit {
 		gitOpts = append(gitOpts, llb.KeepGitDir())
 	}

frontend/gateway/grpcclient/client.go

@@ -272,6 +272,7 @@ func defaultLLBCaps() []*apicaps.PBCap {
 		{ID: string(opspb.CapSourceGit), Enabled: true},
 		{ID: string(opspb.CapSourceGitKeepDir), Enabled: true},
 		{ID: string(opspb.CapSourceGitFullURL), Enabled: true},
+		{ID: string(opspb.CapSourceGitCommitHash), Enabled: true},
 		{ID: string(opspb.CapSourceHTTP), Enabled: true},
 		{ID: string(opspb.CapSourceHTTPChecksum), Enabled: true},
 		{ID: string(opspb.CapSourceHTTPPerm), Enabled: true},

solver/pb/attr.go

@@ -6,6 +6,7 @@ const AttrAuthHeaderSecret = "git.authheadersecret"
 const AttrAuthTokenSecret = "git.authtokensecret"
 const AttrKnownSSHHosts = "git.knownsshhosts"
 const AttrMountSSHSock = "git.mountsshsock"
+const AttrCommitHash = "git.commithash"
 const AttrLocalSessionID = "local.session"
 const AttrLocalUniqueID = "local.unique"
 const AttrIncludePatterns = "local.includepattern"

solver/pb/caps.go

@@ -29,6 +29,7 @@ const (
 	CapSourceGitKnownSSHHosts apicaps.CapID = "source.git.knownsshhosts"
 	CapSourceGitMountSSHSock  apicaps.CapID = "source.git.mountsshsock"
 	CapSourceGitSubdir        apicaps.CapID = "source.git.subdir"
+	CapSourceGitCommitHash    apicaps.CapID = "source.git.commithash"
 
 	CapSourceHTTP         apicaps.CapID = "source.http"
 	CapSourceHTTPAuth     apicaps.CapID = "source.http.auth"
@@ -214,6 +215,12 @@ func init() {
 		Status:  apicaps.CapStatusExperimental,
 	})
 
+	Caps.Init(apicaps.Cap{
+		ID:      CapSourceGitCommitHash,
+		Enabled: true,
+		Status:  apicaps.CapStatusExperimental,
+	})
+
 	Caps.Init(apicaps.Cap{
 		ID:      CapSourceHTTP,
 		Enabled: true,

source/git/identifier.go

@@ -1,6 +1,7 @@
 package git
 
 import (
+	"fmt"
 	"path"
 
 	"github.com/moby/buildkit/solver/llbsolver/provenance"
@@ -13,6 +14,7 @@ import (
 type GitIdentifier struct {
 	Remote           string
 	Ref              string
+	CommitHash       string
 	Subdir           string
 	KeepGitDir       bool
 	AuthTokenSecret  string
@@ -33,6 +35,10 @@ func NewGitIdentifier(remoteURL string) (*GitIdentifier, error) {
 	repo := GitIdentifier{Remote: u.Remote}
 	if u.Fragment != nil {
 		repo.Ref = u.Fragment.Ref
+		repo.CommitHash = u.Fragment.CommitHash
+		if repo.CommitHash != "" && !gitutil.IsCommitSHA(repo.CommitHash) {
+			return nil, fmt.Errorf("invalid commit hash: %q", repo.CommitHash)
+		}
 		repo.Subdir = u.Fragment.Subdir
 	}
 	if sd := path.Clean(repo.Subdir); sd == "/" || sd == "." {

source/git/source.go

@@ -92,6 +92,11 @@ func (gs *gitSource) Identifier(scheme, ref string, attrs map[string]string, pla
 			id.KnownSSHHosts = v
 		case pb.AttrMountSSHSock:
 			id.MountSSHSock = v
+		case pb.AttrCommitHash:
+			if !gitutil.IsCommitSHA(v) {
+				return nil, fmt.Errorf("invalid commit hash %q", v)
+			}
+			id.CommitHash = v
 		}
 	}
 
@@ -349,10 +354,14 @@ func (gs *gitSourceHandler) CacheKey(ctx context.Context, g session.Group, index
 	gs.locker.Lock(remote)
 	defer gs.locker.Unlock(remote)
 
-	if ref := gs.src.Ref; ref != "" && gitutil.IsCommitSHA(ref) {
-		cacheKey := gs.shaToCacheKey(ref, "")
+	refCommitHash := gs.src.CommitHash
+	if refCommitHash == "" && gitutil.IsCommitSHA(gs.src.Ref) {
+		refCommitHash = gs.src.Ref
+	}
+	if refCommitHash != "" {
+		cacheKey := gs.shaToCacheKey(refCommitHash, "")
 		gs.cacheKey = cacheKey
-		return cacheKey, ref, nil, true, nil
+		return cacheKey, refCommitHash, nil, true, nil
 	}
 
 	gs.getAuthToken(ctx, g)
@@ -536,6 +545,7 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 		subdir = "."
 	}
 
+	checkedoutRef := "HEAD"
 	if gs.src.KeepGitDir && subdir == "." {
 		checkoutDirGit := filepath.Join(checkoutDir, ".git")
 		if err := os.MkdirAll(checkoutDir, 0711); err != nil {
@@ -605,6 +615,7 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 		if err != nil {
 			return nil, errors.Wrapf(err, "failed to checkout remote %s", urlutil.RedactCredentials(gs.src.Remote))
 		}
+		checkedoutRef = ref // HEAD may not exist
 		if subdir != "." {
 			d, err := os.Open(filepath.Join(cd, subdir))
 			if err != nil {
@@ -635,6 +646,16 @@ func (gs *gitSourceHandler) Snapshot(ctx context.Context, g session.Group) (out
 	}
 
 	git = git.New(gitutil.WithWorkTree(checkoutDir), gitutil.WithGitDir(gitDir))
+	if gs.src.CommitHash != "" {
+		actualHashBuf, err := git.Run(ctx, "rev-parse", checkedoutRef)
+		if err != nil {
+			return nil, errors.Wrapf(err, "failed to rev-parse %s for %s", checkedoutRef, urlutil.RedactCredentials(gs.src.Remote))
+		}
+		actualHash := strings.TrimSpace(string(actualHashBuf))
+		if actualHash != gs.src.CommitHash {
+			return nil, fmt.Errorf("expected commit hash %s, got %s", gs.src.CommitHash, actualHash)
+		}
+	}
 	_, err = git.Run(ctx, "submodule", "update", "--init", "--recursive", "--depth=1")
 	if err != nil {
 		return nil, errors.Wrapf(err, "failed to update submodules for %s", urlutil.RedactCredentials(gs.src.Remote))

source/git/source_test.go

@@ -304,54 +304,70 @@ func testFetchUnreferencedRefSha(t *testing.T, ref string, keepGitDir bool) {
 }
 
 func TestFetchByTag(t *testing.T) {
-	testFetchByTag(t, "lightweight-tag", "third", false, true, false)
+	testFetchByTag(t, "lightweight-tag", "third", false, true, false, testCommitHashModeNone)
 }
 
 func TestFetchByTagKeepGitDir(t *testing.T) {
-	testFetchByTag(t, "lightweight-tag", "third", false, true, true)
+	testFetchByTag(t, "lightweight-tag", "third", false, true, true, testCommitHashModeNone)
 }
 
 func TestFetchByTagFull(t *testing.T) {
-	testFetchByTag(t, "refs/tags/lightweight-tag", "third", false, true, true)
+	testFetchByTag(t, "refs/tags/lightweight-tag", "third", false, true, true, testCommitHashModeNone)
 }
 
 func TestFetchByAnnotatedTag(t *testing.T) {
-	testFetchByTag(t, "v1.2.3", "second", true, false, false)
+	testFetchByTag(t, "v1.2.3", "second", true, false, false, testCommitHashModeNone)
 }
 
 func TestFetchByAnnotatedTagKeepGitDir(t *testing.T) {
-	testFetchByTag(t, "v1.2.3", "second", true, false, true)
+	testFetchByTag(t, "v1.2.3", "second", true, false, true, testCommitHashModeNone)
 }
 
 func TestFetchByAnnotatedTagFull(t *testing.T) {
-	testFetchByTag(t, "refs/tags/v1.2.3", "second", true, false, true)
+	testFetchByTag(t, "refs/tags/v1.2.3", "second", true, false, true, testCommitHashModeNone)
 }
 
 func TestFetchByBranch(t *testing.T) {
-	testFetchByTag(t, "feature", "withsub", false, true, false)
+	testFetchByTag(t, "feature", "withsub", false, true, false, testCommitHashModeNone)
 }
 
 func TestFetchByBranchKeepGitDir(t *testing.T) {
-	testFetchByTag(t, "feature", "withsub", false, true, true)
+	testFetchByTag(t, "feature", "withsub", false, true, true, testCommitHashModeNone)
 }
 
 func TestFetchByBranchFull(t *testing.T) {
-	testFetchByTag(t, "refs/heads/feature", "withsub", false, true, true)
+	testFetchByTag(t, "refs/heads/feature", "withsub", false, true, true, testCommitHashModeNone)
 }
 
 func TestFetchByRef(t *testing.T) {
-	testFetchByTag(t, "test", "feature", false, true, false)
+	testFetchByTag(t, "test", "feature", false, true, false, testCommitHashModeNone)
 }
 
 func TestFetchByRefKeepGitDir(t *testing.T) {
-	testFetchByTag(t, "test", "feature", false, true, true)
+	testFetchByTag(t, "test", "feature", false, true, true, testCommitHashModeNone)
 }
 
 func TestFetchByRefFull(t *testing.T) {
-	testFetchByTag(t, "refs/test", "feature", false, true, true)
+	testFetchByTag(t, "refs/test", "feature", false, true, true, testCommitHashModeNone)
 }
 
-func testFetchByTag(t *testing.T, tag, expectedCommitSubject string, isAnnotatedTag, hasFoo13File, keepGitDir bool) {
+func TestFetchByTagWithCommitHash(t *testing.T) {
+	testFetchByTag(t, "lightweight-tag", "third", false, true, false, testCommitHashModeValid)
+}
+
+func TestFetchByTagWithCommitHashInvalid(t *testing.T) {
+	testFetchByTag(t, "lightweight-tag", "third", false, true, false, testCommitHashModeInvalid)
+}
+
+type testCommitHashMode int
+
+const (
+	testCommitHashModeNone testCommitHashMode = iota
+	testCommitHashModeValid
+	testCommitHashModeInvalid
+)
+
+func testFetchByTag(t *testing.T, tag, expectedCommitSubject string, isAnnotatedTag, hasFoo13File, keepGitDir bool, commitHashMode testCommitHashMode) {
 	if runtime.GOOS == "windows" {
 		t.Skip("Depends on unimplemented containerd bind-mount support on Windows")
 	}
@@ -366,6 +382,24 @@ func testFetchByTag(t *testing.T, tag, expectedCommitSubject string, isAnnotated
 
 	id := &GitIdentifier{Remote: repo.mainURL, Ref: tag, KeepGitDir: keepGitDir}
 
+	if commitHashMode != testCommitHashModeNone {
+		cmd := exec.Command("git", "rev-parse", tag)
+		cmd.Dir = repo.mainPath
+
+		out, err := cmd.Output()
+		require.NoError(t, err)
+
+		sha := strings.TrimSpace(string(out))
+		require.Equal(t, 40, len(sha))
+
+		id.CommitHash = sha
+
+		if commitHashMode == testCommitHashModeInvalid {
+			// Make the hash value invalid
+			id.CommitHash = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"
+		}
+	}
+
 	g, err := gs.Resolve(ctx, id, nil, nil)
 	require.NoError(t, err)
 
@@ -383,6 +417,10 @@ func testFetchByTag(t *testing.T, tag, expectedCommitSubject string, isAnnotated
 	require.Equal(t, 40, len(pin1))
 
 	ref1, err := g.Snapshot(ctx, nil)
+	if commitHashMode == testCommitHashModeInvalid {
+		require.ErrorContains(t, err, "expected commit hash "+id.CommitHash)
+		return
+	}
 	require.NoError(t, err)
 	defer ref1.Release(context.TODO())
 

util/gitutil/git_ref.go

@@ -25,6 +25,10 @@ type GitRef struct {
 	// Commit is optional.
 	Commit string
 
+	// CommitHash verifies Commit if specified.
+	// CommitHash is optional.
+	CommitHash string
+
 	// SubDir is a directory path inside the repo.
 	// SubDir is optional.
 	SubDir string
@@ -97,7 +101,7 @@ func ParseGitRef(ref string) (*GitRef, error) {
 		_, res.Remote, _ = strings.Cut(res.Remote, "://")
 	}
 	if remote.Fragment != nil {
-		res.Commit, res.SubDir = remote.Fragment.Ref, remote.Fragment.Subdir
+		res.Commit, res.CommitHash, res.SubDir = remote.Fragment.Ref, remote.Fragment.CommitHash, remote.Fragment.Subdir
 	}
 
 	repoSplitBySlash := strings.Split(res.Remote, "/")