Commit graph

5830 commits

Author SHA1 Message Date
dependabot[bot]
f32009d4a2 build(deps): bump actions/checkout from 6.0.2 to 7.0.0
Some checks failed
ci / validate (lint) (push) Has been cancelled
ci / validate (validate-docs) (push) Has been cancelled
ci / validate (validate-go-mod) (push) Has been cancelled
ci / validate (validate-headers) (push) Has been cancelled
ci / binary (push) Has been cancelled
ci / bin-image-test (push) Has been cancelled
ci / test (push) Has been cancelled
ci / e2e (plugin, oldstable) (push) Has been cancelled
ci / e2e (standalone, oldstable) (push) Has been cancelled
ci / e2e (plugin, stable) (push) Has been cancelled
ci / e2e (standalone, stable) (push) Has been cancelled
docs-upstream / docs-yaml (push) Has been cancelled
merge / bin-image-prepare (push) Has been cancelled
merge / module-image (push) Has been cancelled
Scorecards supply-chain security / Scorecards analysis (push) Has been cancelled
zizmor / zizmor (push) Has been cancelled
ci / binary-finalize (push) Has been cancelled
ci / coverage (push) Has been cancelled
ci / release (push) Has been cancelled
docs-upstream / validate (push) Has been cancelled
merge / bin-image (push) Has been cancelled
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 7.0.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](de0fac2e45...9c091bb21b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:49:14 +02:00
dependabot[bot]
f4bc599fdb build(deps): bump github/codeql-action/upload-sarif
Bumps [github/codeql-action/upload-sarif](https://github.com/github/codeql-action) from 3.36.3 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](411c4c9a36...8aad20d150)

---
updated-dependencies:
- dependency-name: github/codeql-action/upload-sarif
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:45:50 +02:00
dependabot[bot]
2ed5bf2b61 build(deps): bump codecov/codecov-action from 5.5.3 to 7.0.0
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.3 to 7.0.0.
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](1af58845a9...fb8b3582c8)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:45:10 +02:00
dependabot[bot]
d32d8c3c76 build(deps): bump mxschmitt/action-tmate from 3.23 to 3.24
Bumps [mxschmitt/action-tmate](https://github.com/mxschmitt/action-tmate) from 3.23 to 3.24.
- [Release notes](https://github.com/mxschmitt/action-tmate/releases)
- [Changelog](https://github.com/mxschmitt/action-tmate/blob/master/RELEASE.md)
- [Commits](c0afd6f790...35b54afac2)

---
updated-dependencies:
- dependency-name: mxschmitt/action-tmate
  dependency-version: '3.24'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:38:15 +02:00
dependabot[bot]
774d04dcef build(deps): bump test-summary/action from 2.4 to 2.6
Bumps [test-summary/action](https://github.com/test-summary/action) from 2.4 to 2.6.
- [Release notes](https://github.com/test-summary/action/releases)
- [Commits](31493c76ec...37b508cfee)

---
updated-dependencies:
- dependency-name: test-summary/action
  dependency-version: '2.6'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:37:45 +02:00
dependabot[bot]
2c87234df8 build(deps): bump actions/setup-go from 6.3.0 to 6.5.0
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 6.3.0 to 6.5.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](4b73464bb3...924ae3a1cd)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:36:51 +02:00
dependabot[bot]
d00abb6f94 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/v7...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:36:16 +02:00
dependabot[bot]
6b2e8d20c3 build(deps): bump the docker-actions group with 3 updates
Bumps the docker-actions group with 3 updates: [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action), [docker/github-builder/.github/workflows/bake.yml](https://github.com/docker/github-builder) and [docker/bake-action](https://github.com/docker/bake-action).


Updates `docker/setup-buildx-action` from 4.0.0 to 4.1.0
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](4d04d5d948...d7f5e7f509)

Updates `docker/github-builder/.github/workflows/bake.yml` from 1.4.0 to 1.12.0
- [Release notes](https://github.com/docker/github-builder/releases)
- [Commits](70313223e2...5f637c833a)

Updates `docker/bake-action` from 7.0.0 to 7.2.0
- [Release notes](https://github.com/docker/bake-action/releases)
- [Commits](82490499d2...6614cfa25e)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker-actions
- dependency-name: docker/github-builder/.github/workflows/bake.yml
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker-actions
- dependency-name: docker/bake-action
  dependency-version: 7.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:34:25 +02:00
dependabot[bot]
43dc875f65 build(deps): bump actions/stale from 10.2.0 to 10.3.0
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](b5d41d4e1d...eb5cf3af3a)

---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-07 11:10:54 +02:00
Sebastiaan van Stijn
0e20fb76c6 gha: dependabot: group docker/* actions updates
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-07-07 11:09:54 +02:00
Guillaume Lours
69ba683e15 ci: address review feedback on release job
Some checks are pending
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
zizmor / zizmor (push) Waiting to run
- Replace ncipollo/release-action with softprops/action-gh-release
  (v3.0.1, SHA-pinned), the action used across Docker repositories;
  input mapping is one-to-one.
- Duplicate the artifact listing/type checks into binary-finalize:
  one copy inspects the artifact as assembled, on every push/PR (lost
  when the tag guard moved to job level); the release-job copy still
  inspects what was downloaded and gets attached to the release.
- Set overwrite_files: false so a job re-run never replaces assets
  already uploaded to an existing release: unlike ncipollo, softprops
  updates an existing release instead of failing. A re-run may still
  refresh the release name/notes.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-07-07 10:56:13 +02:00
Guillaume Lours
336f21f846 ci: harden GitHub Actions workflows
The pinned codeql-action/upload-sarif v2 (v2.28.1) falls in the
vulnerable range of CVE-2025-24362 and the v2 line has no patched
release, so bump to v3.36.3. Scope the release job to tag refs so its
contents:write token is only minted when a release is actually
created. In merge.yml, drop a dead conditional (workflow only triggers
on push) and pass DOCKERDESKTOP_REPO to github-script via env rather
than inline interpolation, as recommended against script injection.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-07-07 10:56:13 +02:00
Sebastiaan van Stijn
b9d8a1a3e2 CODEOWNERS: add compose-reviewers
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-07-07 10:39:47 +02:00
CrazyMax
a666b63a3c ci: fix docs-upstream workflow
Some checks are pending
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
docs-upstream / docs-yaml (push) Waiting to run
docs-upstream / validate (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
zizmor / zizmor (push) Waiting to run
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-07-06 17:29:12 +02:00
CrazyMax
be7b72e0ef fix zizmor findings
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-07-06 17:11:24 +02:00
CrazyMax
50bd8945a1 chore: setup dependabot for github actions
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-07-06 17:11:24 +02:00
CrazyMax
1c9aa35c21 ci: zizmor workflow
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-07-06 17:11:24 +02:00
Sebastiaan van Stijn
26550b0d1f ci: remove unused desktop-edge-test workflow
It's not currently used, and we can probably trigger this from the
desktop repository itself.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-07-06 11:18:38 +02:00
dependabot[bot]
dc8e27bea2 build(deps): bump github.com/docker/cli
Bumps [github.com/docker/cli](https://github.com/docker/cli) from 29.6.0+incompatible to 29.6.1+incompatible.
- [Commits](https://github.com/docker/cli/compare/v29.6.0...v29.6.1)

---
updated-dependencies:
- dependency-name: github.com/docker/cli
  dependency-version: 29.6.1+incompatible
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 10:45:35 +02:00
blackflytech
ff711700cd Fix grammar in Attestations field comment
Signed-off-by: blackflytech <blackflytech@outlook.com>
2026-07-06 10:36:46 +02:00
dependabot[bot]
077d09592f build(deps): bump go.yaml.in/yaml/v4 from 4.0.0-rc.4 to 4.0.0-rc.6
Bumps [go.yaml.in/yaml/v4](https://github.com/yaml/go-yaml) from 4.0.0-rc.4 to 4.0.0-rc.6.
- [Commits](https://github.com/yaml/go-yaml/compare/v4.0.0-rc.4...v4.0.0-rc.6)

---
updated-dependencies:
- dependency-name: go.yaml.in/yaml/v4
  dependency-version: 4.0.0-rc.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 10:30:27 +02:00
Derek Misler
81e420139a ci: add concurrency group to pr-review-trigger to prevent duplicate reviews
Signed-off-by: Derek Misler <derek.misler@docker.com>
2026-07-06 10:25:22 +02:00
Sebastiaan van Stijn
133914bc46 build(deps): bump github.com/moby/sys/user to v0.4.1
Some checks are pending
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
merge / desktop-edge-test (push) Blocked by required conditions
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
- user: prevent possible DoS via unbounded parsing of user and group
  database files in GHSA-mjcv-p78q-w5fw. This fixes a similar issue
  as CVE-2026-47262 in containerd.
- user: prevent falling back to looking up numeric usernames
  Improve handling of numeric user/group to prevent looking up numeric
  values as usernames. This fixes a similar issue as [CVE-2026-46680] in
  containerd.
- user: update minimum go version to go1.18
- assorted testing and linting fixes.

[CVE-2026-46680]: https://github.com/advisories/GHSA-fqw6-gf59-qr4w

full diff: https://github.com/moby/sys/compare/user/v0.4.0...user/v0.4.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-07-06 10:12:18 +02:00
dependabot[bot]
bab62f4d6f build(deps): bump github.com/moby/buildkit from 0.31.0 to 0.31.1
Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.31.0 to 0.31.1.
- [Release notes](https://github.com/moby/buildkit/releases)
- [Commits](https://github.com/moby/buildkit/compare/v0.31.0...v0.31.1)

---
updated-dependencies:
- dependency-name: github.com/moby/buildkit
  dependency-version: 0.31.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-06 10:04:43 +02:00
Guillaume Lours
9d444a667a pre_start: support pre_start lifecycle hooks
Some checks failed
ci / validate (lint) (push) Has been cancelled
ci / validate (validate-docs) (push) Has been cancelled
ci / validate (validate-go-mod) (push) Has been cancelled
ci / validate (validate-headers) (push) Has been cancelled
ci / binary (push) Has been cancelled
ci / bin-image-test (push) Has been cancelled
ci / test (push) Has been cancelled
ci / e2e (plugin, oldstable) (push) Has been cancelled
ci / e2e (standalone, oldstable) (push) Has been cancelled
ci / e2e (plugin, stable) (push) Has been cancelled
ci / e2e (standalone, stable) (push) Has been cancelled
merge / bin-image-prepare (push) Has been cancelled
merge / module-image (push) Has been cancelled
Scorecards supply-chain security / Scorecards analysis (push) Has been cancelled
ci / binary-finalize (push) Has been cancelled
ci / coverage (push) Has been cancelled
ci / release (push) Has been cancelled
merge / bin-image (push) Has been cancelled
merge / desktop-edge-test (push) Has been cancelled
runPreStart executes a service's pre_start hooks sequentially as
ephemeral containers that share the first non-running replica's
volumes via VolumesFrom and attach to the same networks. A non-zero
hook exit gates service start.

per_replica: false is the only currently supported mode; per_replica:
true is rejected up front. The donor replica is the lowest-numbered
one so the choice is deterministic. ContainerWait uses
WaitConditionNextExit, and the wait loop deterministically handles
the daemon's clean-close (nil on Error + exit code on Result) and
transport-error races to avoid spurious hook failures.

The log stream is opened before ContainerStart to avoid racing
AutoRemove on fast-exiting hooks, and runs under a derived context
so a daemon that keeps the connection open cannot deadlock the call.
Hook containers carry project/service/version labels; the two
cleanup paths force-remove the never-started container explicitly
and warn when removal fails.

pre_start runs once per service when no replica is already running
(initial up, force-recreate or spec change), and is skipped on
scale-up so additional replicas don't re-trigger the hooks.

Coverage: 11 unit tests (including scheduler-race stress) with
goroutine-leak verification via goleak, plus 10 E2E tests (success
path, hook failure gating start, build-image inheritance, idempotent
re-up, spec change, force-recreate, mid-sequence failure, ordering,
scale-up, scaled service).

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-30 10:49:04 +02:00
Nick Janetakis
943f8c929c Generate docs with make docs
Some checks failed
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
merge / desktop-edge-test (push) Blocked by required conditions
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
docs-upstream / docs-yaml (push) Has been cancelled
docs-upstream / validate (push) Has been cancelled
Signed-off-by: Nick Janetakis <nick.janetakis@gmail.com>
2026-06-29 20:56:31 +02:00
Nick Janetakis
2a6a4e5179 Normalize --no-TTY flag to --no-tty
Signed-off-by: Nick Janetakis <nick.janetakis@gmail.com>
2026-06-29 20:56:31 +02:00
vmphase
0a56eeba3c fix(compose/port): show private port in portNotFoundError message
Signed-off-by: vmphase <vmphasee@gmail.com>
2026-06-29 18:51:14 +02:00
Guillaume Lours
55c61ceef9 fix(reconcile): hash resolved service refs to match executor
The reconciler hashed the raw service config while the executor
hashed the form with network_mode/ipc/pid/volumes_from references
resolved to container IDs. Persisted hash and recomputed hash
never matched, so dependents were recreated on every `up`.

Resolve references against observed containers before hashing,
and cascade recreation to namespace-sharing dependents when a
parent is replaced — otherwise the dependent would keep a stale
"container:<old_id>" reference. Also dedup stops in
planStopDependents via stoppedByPlan: with the cascade restored,
the dependent would otherwise receive two Stop nodes.

Fixes #13878.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-29 17:50:27 +02:00
Guillaume Lours
a2fb49dc68 bump compose-go to version v2.13.0
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-29 17:30:09 +02:00
Guillaume Lours
ab0d7898de fix(run): scope Running events to project.Services
emitRunningEvents iterated the full ObservedState.Containers map,
which is intentionally broader than the operation scope (it covers
DisabledServices for orphan classification). compose run --no-deps
SERVICE leaves project.Services empty and moves every other service
to DisabledServices, so their running containers were reported as
Running even though this command must not manage them.

Filter the iteration by project.Services, matching the reconciler
scope, and document the contract on the function.

Fixes #13882

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-29 15:10:14 +02:00
Guillaume Lours
e87f7b79df fix(oci): route authorizer token fetches through provided transport
Some checks failed
ci / validate (lint) (push) Has been cancelled
ci / validate (validate-docs) (push) Has been cancelled
ci / validate (validate-go-mod) (push) Has been cancelled
ci / validate (validate-headers) (push) Has been cancelled
ci / binary (push) Has been cancelled
ci / bin-image-test (push) Has been cancelled
ci / test (push) Has been cancelled
ci / e2e (plugin, oldstable) (push) Has been cancelled
ci / e2e (standalone, oldstable) (push) Has been cancelled
ci / e2e (plugin, stable) (push) Has been cancelled
ci / e2e (standalone, stable) (push) Has been cancelled
merge / bin-image-prepare (push) Has been cancelled
merge / module-image (push) Has been cancelled
Scorecards supply-chain security / Scorecards analysis (push) Has been cancelled
ci / binary-finalize (push) Has been cancelled
ci / coverage (push) Has been cancelled
ci / release (push) Has been cancelled
merge / bin-image (push) Has been cancelled
merge / desktop-edge-test (push) Has been cancelled
The transport passed to NewResolver was applied only via
docker.WithClient. Pass it via docker.WithAuthClient too so the
authorizer's OAuth token fetches use it instead of http.DefaultClient.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-25 15:38:37 +02:00
Docker Agent
a3c1c0dc2e chore: migrate to docker-agent-action v2.0.1
Some checks are pending
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
merge / desktop-edge-test (push) Blocked by required conditions
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
- Bump docker-agent-action to v2.0.1 (e96a4bb)
- Add review_requested to pr-review-trigger.yml pull_request types

Signed-off-by: Docker Agent <svc-github-docker-agent@docker.com>
2026-06-24 14:51:31 +02:00
Docker Agent
899e88475a chore: migrate cagent-action to docker-agent-action (v2.0.0)
Some checks are pending
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
merge / desktop-edge-test (push) Blocked by required conditions
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
Signed-off-by: Derek Misler <derek.misler@docker.com>
2026-06-23 22:42:46 +02:00
Guillaume Lours
3d0dd57fbd docs: ps --format json outputs JSON Lines, not a JSON array
Some checks failed
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
merge / desktop-edge-test (push) Blocked by required conditions
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
docs-upstream / docs-yaml (push) Has been cancelled
docs-upstream / validate (push) Has been cancelled
Output was aligned with `docker ps --format json` in v2.21.0 (#10918)
but the docs were never updated.

Fixes #13850

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-23 16:18:12 +02:00
Ijtihed Kilani
9cd844243f fix(publish): honor env_file required: false for missing files
Signed-off-by: Ijtihed Kilani <ijtihedk@gmail.com>
2026-06-23 15:11:58 +02:00
Yohta Kimura
43922d55b0 Fix rawsetenv nil-pointer guard for inherit-from-shell env vars
When a service declares an env var without a value (e.g. `- KEY` or
`KEY:`), MappingWithEquals stores it as a nil *string. The previous
condition `existing != nil && ...` skipped the warning for this case,
allowing silent overwrites. Change to `existing == nil || ...` so the
warning fires for both nil (shell-inherit) and value-mismatch cases.

Add e2e tests for both list-style (`- KEY`) and map-style (`KEY:`)
YAML forms to lock in the behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Yohta Kimura <38206553+rajyan@users.noreply.github.com>
2026-06-23 15:01:33 +02:00
Yohta Kimura
cdaeeac6ed Document rawsetenv in stop section and sequence diagram
The stop section only mentioned setenv being ignored; rawsetenv
is handled identically by the code but was missing from the docs.
The mermaid sequence diagram also lacked a rawsetenv step.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Yohta Kimura <38206553+rajyan@users.noreply.github.com>
2026-06-23 15:01:33 +02:00
Yohta Kimura
5c9d611b5f Handle rawsetenv collisions with overwrite and warning
rawsetenv injects provider variables without the service-name prefix, so
a key can collide with a value already set on the dependent service,
whether declared by the user in environment or emitted by another
provider. Log a warning and overwrite on collision, document the
precedence and the non-deterministic ordering between concurrent
providers, and cover the user-environment override with an e2e test.

Signed-off-by: Yohta Kimura <38206553+rajyan@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-23 15:01:33 +02:00
Yohta Kimura
332e0add14 Add rawsetenv message type for provider plugins
Providers can now send rawsetenv messages to inject environment
variables into dependent services without the automatic service name
prefix. This enables use cases where applications require exact
variable names that cannot be altered.

Closes #13727

Signed-off-by: Yohta Kimura <38206553+rajyan@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-06-23 15:01:33 +02:00
Guillaume Lours
46b806eafb pkg/e2e: drop unused run param from getEnv
The run parameter was always passed as false at the single call site
and the run==true branch was dead code. Remove it so unparam stops
flagging callers added by PR #13742.

Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-23 10:44:11 +02:00
Guillaume Lours
913b500140 bump compose-go to version v2.12.1
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
2026-06-23 10:35:10 +02:00
Sebastiaan van Stijn
9b55a6e9c1 chore(deps): github.com/docker/buildx v0.35.0, buildkit v0.31.0
Some checks are pending
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
merge / desktop-edge-test (push) Blocked by required conditions
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-22 09:00:18 +02:00
Sebastiaan van Stijn
81867eafa5 chore(deps): github.com/docker/cli v29.6.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-22 09:00:18 +02:00
Sebastiaan van Stijn
fcd38aa0f6 chore(deps): go.opentelemetry.io/otel v1.44.0, go.opentelemetry.io/contrib v0.69.0
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-22 09:00:18 +02:00
Sebastiaan van Stijn
5d0f6e2ff3 chore(deps): bump github.com/golang-jwt/jwt/v5 to v5.3.1
Some checks failed
ci / validate (lint) (push) Has been cancelled
ci / validate (validate-docs) (push) Has been cancelled
ci / validate (validate-go-mod) (push) Has been cancelled
ci / validate (validate-headers) (push) Has been cancelled
ci / binary (push) Has been cancelled
ci / bin-image-test (push) Has been cancelled
ci / test (push) Has been cancelled
ci / e2e (plugin, oldstable) (push) Has been cancelled
ci / e2e (standalone, oldstable) (push) Has been cancelled
ci / e2e (plugin, stable) (push) Has been cancelled
ci / e2e (standalone, stable) (push) Has been cancelled
merge / bin-image-prepare (push) Has been cancelled
merge / module-image (push) Has been cancelled
Scorecards supply-chain security / Scorecards analysis (push) Has been cancelled
ci / binary-finalize (push) Has been cancelled
ci / coverage (push) Has been cancelled
ci / release (push) Has been cancelled
merge / bin-image (push) Has been cancelled
merge / desktop-edge-test (push) Has been cancelled
full diff: https://github.com/golang-jwt/jwt/compare/v5.3.0...v5.3.1

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-19 17:06:10 +02:00
Sebastiaan van Stijn
f0744b1df2 pkg/e2e: fix malformed JWT in fixtures
This fixture was not a valid JWT; the first 2 elements decode, but the last
one is malformed;

    echo 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9' | base64 -d
    {"alg":"HS256","typ":"JWT"}⏎

    echo 'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ' | base64 -d
    {"sub":"1234567890","name":"John Doe","iat":1516239022⏎

    echo 'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw' | base64 -d
    I�J�IHNJ(]�O��lj~�:N�%_�u
                            ,⏎

This causes problems if the JWT parser is strict and rejecting invalid
JWT's.

It was added in 55b5f233c2, and probably copied
from an example, like https://github.com/knottx/JWTCodable#example-jwt-token,
but the last 2 bytes were truncated.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-19 16:07:02 +02:00
Sebastiaan van Stijn
6042df78f0 chore(deps): bump github.com/containerd/containerd/v2 to v2.2.5
Some checks are pending
ci / validate (lint) (push) Waiting to run
ci / validate (validate-docs) (push) Waiting to run
ci / validate (validate-go-mod) (push) Waiting to run
ci / validate (validate-headers) (push) Waiting to run
ci / binary (push) Waiting to run
ci / binary-finalize (push) Blocked by required conditions
ci / bin-image-test (push) Waiting to run
ci / test (push) Waiting to run
ci / e2e (plugin, oldstable) (push) Waiting to run
ci / e2e (standalone, oldstable) (push) Waiting to run
ci / e2e (plugin, stable) (push) Waiting to run
ci / e2e (standalone, stable) (push) Waiting to run
ci / coverage (push) Blocked by required conditions
ci / release (push) Blocked by required conditions
merge / bin-image-prepare (push) Waiting to run
merge / bin-image (push) Blocked by required conditions
merge / module-image (push) Waiting to run
merge / desktop-edge-test (push) Blocked by required conditions
Scorecards supply-chain security / Scorecards analysis (push) Waiting to run
- full diff: https://github.com/containerd/containerd/compare/v2.2.4...v2.2.5
- release notes: https://github.com/containerd/containerd/releases/tag/v2.2.5

The fifth patch release for containerd 2.2 contains various fixes
and updates including security patches.

-  CVE-2026-50195 / [GHSA-cvxm-645q-p574] CRI: checkpoint import allows local image tag poisoning
-  CVE-2026-53488 / [GHSA-xhf5-7wjv-pqxp] CRI: image-config LABEL flows to host-root command execution from an image pull
-  CVE-2026-53492 / [GHSA-33vj-92qq-66hc] CRI: CDI annotation smuggling during CRI checkpoint restore
-  CVE-2026-53489 / [GHSA-rgh6-rfwx-v388] CRI: Arbitrary host file read via symlink following in CRI checkpoint restore
-  CVE-2026-47262 / [GHSA-jpcc-p29g-p8mq] containerd image-triggered runtime DoS via unbounded group parsing

[GHSA-cvxm-645q-p574]: https://github.com/containerd/containerd/security/advisories/GHSA-cvxm-645q-p574
[GHSA-xhf5-7wjv-pqxp]: https://github.com/containerd/containerd/security/advisories/GHSA-xhf5-7wjv-pqxp
[GHSA-33vj-92qq-66hc]: https://github.com/containerd/containerd/security/advisories/GHSA-33vj-92qq-66hc
[GHSA-rgh6-rfwx-v388]: https://github.com/containerd/containerd/security/advisories/GHSA-rgh6-rfwx-v388
[GHSA-jpcc-p29g-p8mq]: https://github.com/containerd/containerd/security/advisories/GHSA-jpcc-p29g-p8mq

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2026-06-19 11:24:37 +02:00
Nicolas De Loof
82a0ad9c44 watch: do not rebuild depends_on services on file change
`compose up --build` populates BuildOptions.Deps=true so the initial
startup also builds images for depends_on services. The watch rebuild
path reused the same BuildOptions pointer, only resetting Build.Services
to the watched service. Build.Deps stayed true, so s.build() switched
back to IncludeDependencies and rebuilt the upstream dependency too.

Fix it by working on a local copy of BuildOptions in rebuild() and
explicitly setting Deps=false. Using a local copy also removes the data
race on the shared pointer when concurrent file events fire.

Also fix a related leak in doBuildBake: the loop populating bake
configuration iterates over every service in the project (needed so
additional_contexts: service:xxx references can resolve), but it was
emitting the "Image X Building" progress event and tracking expected
images for services that were not part of serviceToBeBuild. Filter
those side-effects to the actual build set so the watch rebuild log
shows only the watched service.

Adds an e2e test reproducing the bug.

Fixes #13853

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Nicolas De Loof <nicolas.deloof@gmail.com>
2026-06-19 11:23:50 +02:00
Domantas Petrauskas
0afb4c8c4c fix(publish): bypass Docker Desktop proxy for loopback registries
Some checks failed
ci / validate (lint) (push) Has been cancelled
ci / validate (validate-docs) (push) Has been cancelled
ci / validate (validate-go-mod) (push) Has been cancelled
ci / validate (validate-headers) (push) Has been cancelled
ci / binary (push) Has been cancelled
ci / bin-image-test (push) Has been cancelled
ci / test (push) Has been cancelled
ci / e2e (plugin, oldstable) (push) Has been cancelled
ci / e2e (standalone, oldstable) (push) Has been cancelled
ci / e2e (plugin, stable) (push) Has been cancelled
ci / e2e (standalone, stable) (push) Has been cancelled
merge / bin-image-prepare (push) Has been cancelled
merge / module-image (push) Has been cancelled
Scorecards supply-chain security / Scorecards analysis (push) Has been cancelled
ci / binary-finalize (push) Has been cancelled
ci / coverage (push) Has been cancelled
ci / release (push) Has been cancelled
merge / bin-image (push) Has been cancelled
merge / desktop-edge-test (push) Has been cancelled
`docker compose publish` routed all registry traffic through Docker
Desktop's HTTP proxy. Publishing to a registry on localhost therefore
failed on Windows with:

    proxyconnect tcp: open ./pipe/dockerHttpProxy: The system cannot
    find the path specified.

even though `docker push`/`docker pull` worked against the same registry.

Two bugs in internal/desktop/proxy.go:

1. No loopback bypass. ProxyTransport forced every request through the
   Docker Desktop proxy and its DialContext always dialed the proxy
   socket, so loopback targets could never connect directly. Proxy
   selection now bypasses the proxy only for loopback targets
   (localhost, 127.0.0.0/8, ::1); all other registry traffic stays
   routed through Docker Desktop's PAC-aware proxy so Desktop keeps
   ownership of proxy decisions (e.g. enterprise-managed proxies). The
   local process NO_PROXY/no_proxy is deliberately not honored, so a
   broad value such as * or .corp cannot bypass centrally managed
   proxy policy.

2. Malformed Windows pipe path. The proxy named-pipe endpoint was
   hardcoded as npipe://./pipe/..., yielding the relative path
   ./pipe/dockerHttpProxy. It is now derived from the engine endpoint,
   preserving its namespace. Docker Desktop reports the backslash form
   npipe://\\.\pipe\docker_cli, so the derivation uses LastIndexAny to
   handle both backslash and forward-slash forms.

Publishing to localhost now connects directly like `docker push`, while
every non-loopback registry still goes through the Docker Desktop proxy.

Fixes #13824

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Domantas Petrauskas <dom.petrauskas@gmail.com>
2026-06-15 21:18:19 +02:00