fix(build): skip remote URL contexts from bake fs.read allowlist

When a service's build context is a remote git/HTTP URL, the path was unconditionally added to bake's --allow fs.read= entitlements. On Windows, bake then tries to evaluate the URL as a local filesystem path and fails because `https:` is invalid path syntax (colon is reserved for drive letters). Apply the same gitutil.ParseGitRef + "://" check already used for additional_contexts so that remote contexts are skipped from the fs.read allowlist. Fixes #13815 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Signed-off-by: Nicolas De loof <nicolas.deloof@gmail.com>
2026-06-28 12:13:24 +00:00 · 2026-06-01 08:39:58 +02:00 · 2026-06-01 08:39:58 +02:00 · 9834762bd7
commit 9834762bd7
parent d9d9e87882
1 changed files with 3 additions and 1 deletions
--- a/pkg/compose/build_bake.go
+++ b/pkg/compose/build_bake.go
@ -197,7 +197,9 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 			}
 		}

-		read = append(read, buildConfig.Context)
+		if _, _, err := gitutil.ParseGitRef(buildConfig.Context); !strings.Contains(buildConfig.Context, "://") && err != nil {
+			read = append(read, buildConfig.Context)
+		}
 		for _, path := range buildConfig.AdditionalContexts {
 			_, _, err := gitutil.ParseGitRef(path)
 			if !strings.Contains(path, "://") && err != nil {