chore(deps): bump github.com/moby/buildkit from 0.30.0 to 0.31.0

[dependabot]

Bumps github.com/moby/buildkit from 0.30.0 to 0.31.0.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.31.0

buildkit 0.31.0

Welcome to the v0.31.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Bjorn Neergaard
• Jonathan A. Sternberg
• Akihiro Suda
• Bryce Gibson
• Ava Barron
• Brian Goff
• Jiří Moravčík
• ZRHann
• Kevin NZUGUEM
• Maya Chen
• Natnael Gebremariam
• Sai Kiran Maggidi
• okhowang(王沛文)

Notable Changes

• Built-in Dockerfile frontend has been updated to v1.25.0 changelog
• Exec steps now support a network proxy feature where all container traffic will be routed through an HTTP proxy server. This allows capturing the network traffic for inspection in build progress and provenance attestation. Source policies can define the requests that build containers are allowed to make and the ones that should be blocked. Network proxy can be enabled for the whole BuildKit daemon or enabled on a per-build basis. #6858 #6816 #6740 #6863
• The local exporter now supports a mode=delete attribute which will replace the destination directory with the contents of the build result instead of merging it. Similar to the --delete flag in rsync. #6561 #6864
• LLB APIs now support per-step resource limits for CPU and memory. #6569
• LLB APIs support a new Passthrough operation that allows defining dependency build graph branches that are required to be built but do not add any outputs to the final result. The state.Requires() client helper can be used to define such dependencies in the build graph. #6829
• All image results now default to using OCI media types. Previously this was applied based on whether annotations or attestations were needed. oci-mediatypes=false can be used for legacy Docker media types. This change raises the compatibility version of BuildKit v0.31.0 to 30. #6824
• Local cache exporter now supports the reset option to clear the unreferenced existing cache. #6612
• The local build result outputs now use a new implementation with better security guarantees in case the destination directory is mutated externally during the transfer. #6561
• New build metrics about build counts and durations have been added to the OTEL provider. #6736
• Parallel request limits for registry connections can now be set via configuration file. #6776
• In special modes where the client does not expose the session connection to transfer credentials, builds can now still fall back to anonymous registry auth instead of erroring. #6760
• Embedded binfmt emulators in the release image have been updated to QEMU v10.2.3. #6846
• Runc container runtime has been updated to v1.3.6
• Created attestations now use in-toto v1 statement format. #6823
• Due to the upgraded CLI library, the internal buildctl completion scripts flag --generate-bash-completion is no longer supported and has been replaced with --generate-shell-completion. #6848
• Fix an issue in default GC policy rules where the first rule for prioritizing releasing cache mounts and local sources did not apply. #6856
• Fix an issue where parent directories could be created with incorrect permissions due to system umask when using BuildKit embedded in Dockerd. #6828
• Fix possible segfault from race condition when HTTP server returned 401 error. #6791
• Fix source policy exact match rules losing the destination value during conversion. #6861

... (truncated)

Commits

• c411f0a Merge pull request #6876 from thaJeztah/bump_runc
• f292e5c Dockerfile: update runc binary to v1.3.6
• d31ba4a Merge pull request #6867 from okhowang/fix/platforms-data-race
• e819928 Merge pull request #6869 from crazy-max/update-policy-helpers
• e4d0dba chore: update generated files
• c13539b vendor: update policy-helpers to d5411a945cfc
• f4f035c Merge pull request #6864 from crazy-max/mode-delete-old-daemon
• e26b5d4 fix: add mutex to protect Worker.Platforms from data race
• 9176018 Merge pull request #6861 from ZRHann/fix-sourcepolicy-exact-convert
• 128c322 Merge pull request #6863 from tonistiigi/exec-proxy-cni-dial-update
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

^{Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.}

[zeabur-review-agent]

Note

Currently processing new changes in this PR, please wait...

📦 Commits (1)

Reviewed via multi-agent panel

📂 Files selected for processing (2)

Details available in the full review

[zeabur-review-agent]

🧙 Aggregated Code Review — PR #526

Bump github.com/moby/buildkit from 0.30.0 to 0.31.0

Panel Consensus: Request Changes

Reviewer	Verdict
Aragorn	✅ Approve
Legolas	🔴 Request Changes
Gimli	🔴 Request Changes
Sam	🔴 Request Changes
Merry	🔴 Request Changes

Result: 4/5 request changes → Request Changes

---

🔴 BLOCKER (unanimous across 4 reviewers)

#	Location	Finding
B1	gomod2nix.toml:136-138	Stale Nix lockfile. gomod2nix.toml still pins github.com/moby/buildkit at v0.30.0 while go.mod now requires v0.31.0. Since flake.nix builds via buildGoApplication consuming this lockfile, nix build will fail. Fix: run gomod2nix to regenerate.

🟠 SUGGESTED CHANGES

#	Location	Finding
F1	go.mod / PR title	PR title scopes this to buildkit only, but the diff also raises the Go directive (1.25.5 → 1.25.9) and bumps transitive deps (aws/smithy-go, golang.org/x/exp). Update the title/description to reflect full scope.

🟢 INFO

#	Location	Finding
I1	pkg/zeaburpack/parser.go:18	The only BuildKit API consumed (frontend/dockerfile/parser.Parse) is unchanged between v0.30.0 and v0.31.0. No source-level breakage.
I2	CI workflows	All 5 CI workflows use go-version-file: go.mod, so the toolchain bump auto-resolves correctly.

---

Required Actions Before Merge

1. Regenerate gomod2nix.toml (gomod2nix in repo root).
2. (Optional) Update PR title/description to reflect full dependency scope.

---

Synthesized by Gandalf from 5/7 reviewer reports.