From 9834762bd79ce88ab079f6ceca7c1dfeb39fa123 Mon Sep 17 00:00:00 2001
From: Nicolas De loof <nicolas.deloof@gmail.com>
Date: Mon, 1 Jun 2026 08:39:58 +0200
Subject: [PATCH] fix(build): skip remote URL contexts from bake fs.read
 allowlist

When a service's build context is a remote git/HTTP URL, the path was
unconditionally added to bake's --allow fs.read= entitlements. On Windows,
bake then tries to evaluate the URL as a local filesystem path and fails
because `https:` is invalid path syntax (colon is reserved for drive
letters).

Apply the same gitutil.ParseGitRef + "://" check already used for
additional_contexts so that remote contexts are skipped from the fs.read
allowlist.

Fixes #13815

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Nicolas De loof <nicolas.deloof@gmail.com>
---
 pkg/compose/build_bake.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkg/compose/build_bake.go b/pkg/compose/build_bake.go
index dc691cca9..df77c9c97 100644
--- a/pkg/compose/build_bake.go
+++ b/pkg/compose/build_bake.go
@@ -197,7 +197,9 @@ func (s *composeService) doBuildBake(ctx context.Context, project *types.Project
 			}
 		}
 
-		read = append(read, buildConfig.Context)
+		if _, _, err := gitutil.ParseGitRef(buildConfig.Context); !strings.Contains(buildConfig.Context, "://") && err != nil {
+			read = append(read, buildConfig.Context)
+		}
 		for _, path := range buildConfig.AdditionalContexts {
 			_, _, err := gitutil.ParseGitRef(path)
 			if !strings.Contains(path, "://") && err != nil {