Update buildkit to v0.28.1 #3219

Open
Elijah-Destigni wants to merge 6 commits into conforma:main from Elijah-Destigni:eli/dep-bump
coderabbitai bot commented Apr 2, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0de2372d-1c97-4094-8b69-4d1d2c1c1641

📥 Commits

Reviewing files that changed from the base of the PR and between 2ca630d and b11865b.

⛔ Files ignored due to path filters (2)
  • go.sum is excluded by !**/*.sum
  • tools/go.sum is excluded by !**/*.sum
📒 Files selected for processing (4)
  • acceptance/go.mod
  • benchmark/simple/simple.go
  • go.mod
  • tools/go.mod
✅ Files skipped from review due to trivial changes (4)
  • acceptance/go.mod
  • benchmark/simple/simple.go
  • go.mod
  • tools/go.mod

Walkthrough

Updated Go toolchain from 1.25.3 to 1.25.5 across modules, refreshed numerous dependency versions in module files, updated Docker build-stage base images, and added //go:build benchmark constraints to multiple benchmark files; no exported APIs or functional source logic were changed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Root module: go.mod | Updated go directive to 1.25.5; bumped many direct/indirect dependencies (AWS SDK v2 modules, containerd, moby/Docker libs, github.com/spdx/tools-golang, golang.org/x/*, theupdateframework/go-tuf/v2, etc.). |
| Tools module (large transitive refresh): tools/go.mod | Updated go directive to 1.25.5; broad transitive dependency refresh with many version bumps, additions, and removals across cloud SDKs, sigstore, go-openapi, compression/hashing libs, kube/auth, and misc tooling. |
| Acceptance & kubectl modules: acceptance/go.mod, tools/kubectl/go.mod | Only updated go directive to 1.25.5; no other dependency changes. |
| Build image config: Dockerfile, Dockerfile.dist | Updated build-stage base images to Go 1.25.5 (docker.io/library/golang:1.25.5 and registry.access.redhat.com/ubi9/go-toolset:1.25.5 with new digest). No other Docker logic changed. |
| Toolchain file: .tool-versions | Pinned Go toolchain updated from golang 1.25.3 to golang 1.25.5. |
| Benchmark files (build tags): benchmark/... (benchmark/internal/registry/registry.go, benchmark/internal/suite/closer.go, benchmark/internal/suite/suite.go, benchmark/internal/untar/untar.go, benchmark/offliner/base_images.go, benchmark/offliner/nab.go, benchmark/offliner/offliner.go, benchmark/offliner/offliner_test.go, benchmark/offliner/referrers.go, benchmark/offliner/refs.go, benchmark/offliner/related.go, benchmark/offliner/scans.go, benchmark/offliner/subjects.go, benchmark/simple/simple.go) | Added //go:build benchmark constraints to these benchmark files. Minor change in offliner.go: removed trailing newline from usage message. In simple.go the embedded publicKey literal was converted from escaped single-line to a multi-line string; no functional changes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title mentions updating buildkit to v0.28.1, but the actual changeset focuses on updating Go toolchain versions (1.25.3 to 1.25.5) and adding build constraints. No buildkit version changes are evident in the provided file summaries. | Update the title to accurately reflect the primary changes: updating Go to 1.25.5 and adding benchmark build constraints. For example: 'Update Go to 1.25.5 and restrict benchmark builds' |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Description check | ❓ Inconclusive | The description is a Jira query URL related to vulnerabilities (SECURESIGN-4078) and does not provide meaningful information about what changes were made or why. | Replace the Jira link with an actual description explaining the changes: Go version bump to 1.25.5, dependency updates, and the addition of build constraints to benchmark files. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.11.4)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/docs/product/migration-guide for migration instructions


@qodo-code-review
Contributor

Review Summary by Qodo

Update buildkit to v0.28.1 and bump Go dependencies

✨ Enhancement

Walkthroughs

Description
• Update Go version from 1.25.3 to 1.25.5
• Upgrade buildkit from v0.26.3 to v0.28.1
• Update multiple indirect dependencies for security and compatibility
• Bump AWS SDK, containerd, Docker, and other core dependencies
Diagram
flowchart LR
  A["Go 1.25.3"] -->|upgrade| B["Go 1.25.5"]
  C["buildkit v0.26.3"] -->|upgrade| D["buildkit v0.28.1"]
  E["Multiple dependencies"] -->|update| F["Latest compatible versions"]
  D --> G["Updated go.mod"]
  F --> G
  G --> H["Updated go.sum"]
File Changes

1. go.mod Dependencies +36/-36

Dependency version updates and buildkit upgrade

• Updated Go version from 1.25.3 to 1.25.5
• Upgraded github.com/moby/buildkit from v0.26.3 to v0.28.1
• Updated github.com/spdx/tools-golang from v0.5.5 to v0.5.7
• Bumped golang.org/x/net from v0.49.0 to v0.51.0
• Updated golang.org/x/text from v0.33.0 to v0.34.0
• Updated multiple AWS SDK v2 packages to latest versions
• Upgraded containerd, Docker, and related dependencies
• Updated golang.org/x/crypto, golang.org/x/mod, golang.org/x/term, golang.org/x/tools

go.mod


2. go.sum Dependencies +72/-76

Checksum updates for all dependency upgrades

• Updated checksums for Go 1.25.5 and buildkit v0.28.1
• Removed old checksum entries for github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9
• Added new checksum for github.com/anchore/go-struct-converter v0.1.0
• Updated checksums for all bumped AWS SDK v2 packages
• Updated checksums for containerd, Docker, and related packages
• Updated checksums for golang.org packages (crypto, mod, net, term, text, tools)
• Removed obsolete checksum entry for sigs.k8s.io/yaml v1.4.0

go.sum



@qodo-code-review
Contributor

Code Review by Qodo

Looking for bugs?

Check back in a few minutes. An AI review agent is analyzing this pull request.


@joejstuart
Contributor

Thanks for the PR!

I'm not sure how important it is, but we usually try and keep the golang version the same across all go.mod files. Would you mind updating the rest to 1.25.5?

./go.mod
./tools/go.mod
./tools/kubectl/go.mod
./acceptance/go.mod

module github.com/conforma/cli

go 1.25.3
go 1.25.5
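
Review bot: The `go` directive on the changed line moves from 1.25.3 to 1.25.5 for the github.com/conforma/cli module only, and nothing in this hunk carries the same version to the other files that pin the Go toolchain. Bump those pins in the same change, or add a CI check that fails when they disagree, so the released binary is not built with a different patch level than the one declared here.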
Member

When we update golang we have to also update the builder base image in two dockerfiles.

Member

Actually I can push a commit on top of this to do that.

Also update go version in all go.mod files so it's consistently
1.25.5.
@github-actions github-actions bot added size: XXL and removed size: L labels Apr 2, 2026
@simonbaird
Member

> Thanks for the PR!
>
> I'm not sure how important it is, but we usually try and keep the golang version the same across all go.mod files. Would you mind updating the rest to 1.25.5?
>
> ./go.mod
> ./tools/go.mod
> ./tools/kubectl/go.mod
> ./acceptance/go.mod

Oh I did this also. 👍
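
The version consistency discussed in the comments above (go.mod files, .tool-versions and the Dockerfile builder images) can be checked mechanically. This Go sketch is an added example, not code from the PR or the conforma/cli repository; `drift`, `pinPatterns` and the sample file contents are assumptions constructed for illustration, and only the first pin in each file is inspected.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

const ver = `(\d+\.\d+(?:\.\d+)?)`

// One pattern per kind of file named in this thread as pinning the Go version:
// go.mod directives, .tool-versions, and Dockerfile builder base images.
var pinPatterns = []*regexp.Regexp{
	regexp.MustCompile(`(?m)^go[ \t]+` + ver + `[ \t]*$`),
	regexp.MustCompile(`(?m)^golang[ \t]+` + ver + `[ \t]*$`),
	regexp.MustCompile(`(?m)^FROM[ \t]+(?:\S*/)?(?:golang|go-toolset):` + ver),
}

// Constructed sample contents (not the repository's files): a bump that
// reached the root go.mod and the Dockerfiles but missed two other pins.
var sampleFiles = map[string]string{
	"go.mod":            "module github.com/conforma/cli\n\ngo 1.25.5\n",
	"acceptance/go.mod": "module example.invalid/acceptance\n\ngo 1.25.3\n",
	".tool-versions":    "golang 1.25.3\n",
	"Dockerfile":        "FROM docker.io/library/golang:1.25.5 AS build\n",
	"Dockerfile.dist":   "FROM registry.access.redhat.com/ubi9/go-toolset:1.25.5 AS build\n",
}

// drift returns, sorted, the files whose pinned Go version is missing or not want.
func drift(files map[string]string, want string) []string {
	var bad []string
	for name, body := range files {
		got := ""
		for _, re := range pinPatterns {
			if m := re.FindStringSubmatch(body); m != nil {
				got = m[1]
				break
			}
		}
		if got != want {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	fmt.Println("pins that differ from 1.25.5:", drift(sampleFiles, "1.25.5"))
}
```

Run against the real files in CI, a non-empty result would be the signal to fail the job.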

@simonbaird
Member

You should be able to reproduce the test failure locally with this:

make test

Something to do with undefined: archive.Compression in one of the docker modules I think.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@benchmark/offliner/offliner.go`:
- Line 1: The build constraint `//go:build benchmark` at the top of
benchmark/offliner/*.go (e.g., offliner.go) causes all package files to be
excluded when `go run .` is invoked without tags; update either the source or
the Makefile: either remove or conditionally guard the `//go:build benchmark`
line from the Go files so they build normally, or modify the Makefile benchmark
target to invoke `go run -tags=benchmark .` (or add `-tags=benchmark` to `go
build`/`go test` invocations) so the files are included; change the approach
consistently across the package (files like offliner.go, base_images.go,
refs.go) to ensure the package is not empty at build time.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 75a805fe-92a8-4cf5-b870-7afdf5a00686

📥 Commits

Reviewing files that changed from the base of the PR and between f267e3c and 2ca630d.

📒 Files selected for processing (14)
  • benchmark/internal/registry/registry.go
  • benchmark/internal/suite/closer.go
  • benchmark/internal/suite/suite.go
  • benchmark/internal/untar/untar.go
  • benchmark/offliner/base_images.go
  • benchmark/offliner/nab.go
  • benchmark/offliner/offliner.go
  • benchmark/offliner/offliner_test.go
  • benchmark/offliner/referrers.go
  • benchmark/offliner/refs.go
  • benchmark/offliner/related.go
  • benchmark/offliner/scans.go
  • benchmark/offliner/subjects.go
  • benchmark/simple/simple.go
✅ Files skipped from review due to trivial changes (11)
  • benchmark/offliner/base_images.go
  • benchmark/internal/suite/closer.go
  • benchmark/offliner/subjects.go
  • benchmark/offliner/scans.go
  • benchmark/internal/suite/suite.go
  • benchmark/offliner/related.go
  • benchmark/offliner/referrers.go
  • benchmark/offliner/nab.go
  • benchmark/internal/registry/registry.go
  • benchmark/offliner/refs.go
  • benchmark/internal/untar/untar.go

@@ -1,3 +1,5 @@
//go:build benchmark
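
Review bot: The `//go:build benchmark` constraint added on line 1 removes this file from every build, vet and test run that does not pass `-tags=benchmark`, so the code can stop compiling without anyone noticing. Make sure whatever invokes this package passes the tag, and compile it with the tag in at least one CI job.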
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm benchmark build tags on offliner sources:"
rg -n '^//go:build benchmark' benchmark/offliner/offliner.go benchmark/offliner/offliner_test.go

echo
echo "2) Confirm benchmark run target does/doesn't pass tags:"
rg -n -C3 'benchmark_%|go run \.|-tags=benchmark' Makefile

Repository: conforma/cli

Length of output: 1772


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Checking for build tags in benchmark/offliner files:"
if fd offliner.go benchmark/offliner/ 2>/dev/null; then
  fd offliner.go benchmark/offliner/ | head -5 | while read -r f; do
    echo "File: $f"
    head -1 "$f"
  done
fi

echo
echo "2) Checking Makefile for benchmark target:"
if [ -f Makefile ]; then
  grep -n -A5 'benchmark_%' Makefile || echo "Pattern not found"
fi

Repository: conforma/cli

Length of output: 457


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Files in benchmark/offliner/:"
ls -la benchmark/offliner/ 2>/dev/null || echo "Directory listing failed"

echo
echo "Checking for other offliner files with build tags:"
find benchmark/offliner/ -name "*.go" -type f -exec head -1 {} + 2>/dev/null | head -20

Repository: conforma/cli

Length of output: 1278


Benchmark target breaks—all Go files are excluded by the build constraint

Line 1 adds //go:build benchmark, but ALL nine Go files in benchmark/offliner/ (base_images.go, nab.go, offliner.go, offliner_test.go, referrers.go, refs.go, related.go, scans.go, subjects.go) have this constraint. The Makefile benchmark target runs go run . without -tags=benchmark (line 170), which excludes every buildable file and causes the build to fail with no source files.

Proposed fix (Makefile)
 .PHONY: benchmark_%
 benchmark_%: benchmark/%/data.tar.gz
 	`@cd` benchmark/$*
-	`@go` run .
+	`@go` run -tags=benchmark .
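
Review bot: In the two changed recipe lines of the benchmark_% target, make's @ prefix and the command are wrapped in backticks, which the shell would read as command substitution if the suggestion were applied verbatim. Write the added line as @go run -tags=benchmark . with no backticks around @go. Separately, the cd and the go run sit on separate recipe lines, so unless the Makefile sets .ONESHELL the go command will not run inside benchmark/$*.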
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@benchmark/offliner/offliner.go` at line 1, The build constraint `//go:build
benchmark` at the top of benchmark/offliner/*.go (e.g., offliner.go) causes all
package files to be excluded when `go run .` is invoked without tags; update
either the source or the Makefile: either remove or conditionally guard the
`//go:build benchmark` line from the Go files so they build normally, or modify
the Makefile benchmark target to invoke `go run -tags=benchmark .` (or add
`-tags=benchmark` to `go build`/`go test` invocations) so the files are
included; change the approach consistently across the package (files like
offliner.go, base_images.go, refs.go) to ensure the package is not empty at
build time.
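
The failure described in this review comment can be reproduced by evaluating the constraint with the standard library's go/build/constraint package. This Go sketch is an added example, not code from the PR or the conforma/cli repository; `buildableFiles` and `samplePkg` are hypothetical names, and the file bodies are constructed.

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"sort"
	"strings"
)

// Constructed input: three of the file names listed above, each starting with
// the constraint this PR adds. The bodies are not the project's real files.
const tagged = "//go:build benchmark\n\npackage main\n"

var samplePkg = map[string]string{"offliner.go": tagged, "base_images.go": tagged, "refs.go": tagged}

// buildableFiles returns, sorted, the files whose go:build constraint is
// satisfied by tags; files without one always build. Simplified: GOOS/GOARCH
// tags and file-name suffixes are not modelled.
func buildableFiles(files map[string]string, tags map[string]bool) ([]string, error) {
	var out []string
	for name, src := range files {
		ok := true
		for _, line := range strings.Split(src, "\n") {
			line = strings.TrimSpace(line)
			if strings.HasPrefix(line, "package ") {
				break // constraints only count before the package clause
			}
			if constraint.IsGoBuild(line) {
				expr, err := constraint.Parse(line)
				if err != nil {
					return nil, fmt.Errorf("%s: %w", name, err)
				}
				ok = expr.Eval(func(tag string) bool { return tags[tag] })
				break
			}
		}
		if ok {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	none, _ := buildableFiles(samplePkg, nil) // plain `go run .`
	with, _ := buildableFiles(samplePkg, map[string]bool{"benchmark": true})
	fmt.Printf("no tags: %d buildable; -tags=benchmark: %v\n", len(none), with)
}
```

An empty result for the untagged case corresponds to the "no source files" build failure the comment reports.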
