Update buildkit to v0.28.1

[Elijah-Destigni]

https://redhat.atlassian.net/issues?jql=project%20in%20(%22Trusted%20Artifact%20Signer%22)%0Aand%20issuetype%20%3D%20Vulnerability%0Aand%20status%20not%20in%20(Closed%2C%20%22Release%20Pending%22)%0Aand%20affectedVersion%20%3D%201.3.0%0AORDER%20BY%20due%20DESC&selectedIssue=SECURESIGN-4078

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8d10283b-2ba3-4296-978a-2b3db1caf9f4

📥 Commits

Reviewing files that changed from the base of the PR and between f361ef6 and f267e3c.

📒 Files selected for processing (1)

• .tool-versions

✅ Files skipped from review due to trivial changes (1)

• .tool-versions

---

📝 Walkthrough

Walkthrough

Updated Go toolchain directives from 1.25.3 to 1.25.5 across multiple modules and bumped numerous direct and indirect dependency versions; no source code logic or exported APIs were changed.

Changes

Cohort / File(s)	Summary
Root module go.mod	Bumped go directive to 1.25.5 and updated multiple direct/indirect dependencies (AWS SDK v2 modules, containerd, docker/moby, github.com/spdx/tools-golang, golang.org/x/*, theupdateframework/go-tuf/v2, etc.).
Tools module (large transitive refresh) tools/go.mod	Updated go directive to 1.25.5 and performed a broad refresh of transitive deps: added/removed/updated many toolchain and tooling libraries (cloud SDKs, sigstore, go-openapi, compression/hashing libs, kube/auth, misc). High churn in indirect requirements.
Acceptance module acceptance/go.mod	Only updated go directive from 1.25.3 to 1.25.5; no dependency list changes.
Tools kubectl module tools/kubectl/go.mod	Only updated go directive from 1.25.3 to 1.25.5; no dependency list changes.
Build image config Dockerfile, Dockerfile.dist	Updated build-stage base images to Go 1.25.5 (docker.io/library/golang:1.25.5 and registry.access.redhat.com/ubi9/go-toolset:1.25.5 with new digest). No other Dockerfile logic changed.
Toolchain file .tool-versions	Updated pinned Go toolchain from golang 1.25.3 to golang 1.25.5.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title claims to update buildkit to v0.28.1, but the changeset only updates Go versions (1.25.3 to 1.25.5) and dependencies in go.mod files, with no buildkit version change visible.	Update the title to accurately reflect the main changes, such as 'Update Go version to 1.25.5 and refresh dependencies' or 'Bump Go toolchain to 1.25.5 across modules'.
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to assess whether it relates to the changeset.	Add a pull request description explaining the purpose of the Go version bump and dependency updates to help reviewers understand the rationale and scope.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[qodo-code-review]

Review Summary by Qodo

Update buildkit to v0.28.1 and bump Go dependencies

✨ Enhancement

Walkthroughs

Description

• Update Go version from 1.25.3 to 1.25.5
• Upgrade buildkit from v0.26.3 to v0.28.1
• Update multiple indirect dependencies for security and compatibility
• Bump AWS SDK, containerd, Docker, and other core dependencies

Diagram

flowchart LR
  A["Go 1.25.3"] -->|upgrade| B["Go 1.25.5"]
  C["buildkit v0.26.3"] -->|upgrade| D["buildkit v0.28.1"]
  E["Multiple dependencies"] -->|update| F["Latest compatible versions"]
  D --> G["Updated go.mod"]
  F --> G
  G --> H["Updated go.sum"]

Loading

File Changes

1. go.mod Dependencies +36/-36

Dependency version updates and buildkit upgrade

• Updated Go version from 1.25.3 to 1.25.5
• Upgraded github.com/moby/buildkit from v0.26.3 to v0.28.1
• Updated github.com/spdx/tools-golang from v0.5.5 to v0.5.7
• Bumped golang.org/x/net from v0.49.0 to v0.51.0
• Updated golang.org/x/text from v0.33.0 to v0.34.0
• Updated multiple AWS SDK v2 packages to latest versions
• Upgraded containerd, Docker, and related dependencies
• Updated golang.org/x/crypto, golang.org/x/mod, golang.org/x/term, golang.org/x/tools

go.mod

---

2. go.sum Dependencies +72/-76

Checksum updates for all dependency upgrades

• Updated checksums for Go 1.25.5 and buildkit v0.28.1
• Removed old checksum entries for github.com/anchore/go-struct-converter
 v0.0.0-20230627203149-c72ef8859ca9
• Added new checksum for github.com/anchore/go-struct-converter v0.1.0
• Updated checksums for all bumped AWS SDK v2 packages
• Updated checksums for containerd, Docker, and related packages
• Updated checksums for golang.org packages (crypto, mod, net, term, text, tools)
• Removed obsolete checksum entry for sigs.k8s.io/yaml v1.4.0

go.sum

---

[qodo-code-review]

Code Review by Qodo

Looking for bugs?

Check back in a few minutes. An AI review agent is analyzing this pull request.

[joejstuart]

Thanks for the PR!

I'm not sure how important it is, but we usually try and keep the golang version the same across all go.mod files. Would you mind updating the rest to 1.25.5?

./go.mod
./tools/go.mod
./tools/kubectl/go.mod
./acceptance/go.mod

[simonbaird]

When we update golang we have to also update the builder base image in two dockerfiles.

[simonbaird]

Actually I can push a commit on top of this to do that.

[simonbaird]

Thanks for the PR!

I'm not sure how important it is, but we usually try and keep the golang version the same across all go.mod files. Would you mind updating the rest to 1.25.5?

./go.mod
./tools/go.mod
./tools/kubectl/go.mod
./acceptance/go.mod

Oh I did this also. 👍

[simonbaird]

You should be able to reproduce the test failure locally with this:

make test

Something to do with undefined: archive.Compression in one of the docker modules I think.