Update buildkit (#48)

* Remove duplicate "not found" from some error messages I noticed this when building a Dockerfile that failed because a file didn't exist, so went through error messages that looked like they had a duplicate "not found" in the output; [+] Building 0.9s (6/9) => [internal] load build definition from Dockerfile 0.2s => => transferring dockerfile: 306B 0.0s => [internal] load .dockerignore 0.1s => => transferring context: 2B 0.0s => [internal] load metadata for docker.io/library/alpine:latest 0.0s => CACHED [1/5] FROM docker.io/library/alpine 0.0s => [internal] load build context 0.6s => => transferring context: 701B 0.5s => ERROR [2/5] ADD no-such-file.txt / 0.0s ------ > [2/5] ADD no-such-file.txt /: ------ failed to compute cache key: "/no-such-file.txt" not found: not found Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * git: support subdir component Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Update SSH agent socket handling to support Windows OpenSSH using named pipes. Signed-off-by: Siebe Schaap <siebe@digibites.nl> * Update Windows named pipe handling for SSH forwarding to use x/sys/windows rather than syscall. Signed-off-by: Siebe Schaap <siebe@digibites.nl> * Rename SSH agent forwarding helper parsePlatformSocketPath() to getWindowsPipeDialer(). Signed-off-by: Siebe Schaap <siebe@digibites.nl> * Fix regular expression to test for Windows named pipe in SSH agent path; allowed backslashes in host. Signed-off-by: Siebe Schaap <siebe@digibites.nl> * update to go 1.16 This updates all occurrences of Go 1.13 to Go 1.16; also updated the code that's used to redact credentials in URLs to use the Go implementation. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * go.mod: update docker and docker cli to v20.10.7 - pkg/signal: ignore SIGURG on all platforms - pkg/archive: use v2 capabilities in layer archives - update ishidawataru/sctp to fix possible socket leak when bind fails docker/cli: - config: print deprecation warning when falling back to ~/.dockercfg Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * hack: update proto generators for arm64 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * test: fix mirror cache handling Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * cache: fix possible nil dereferences Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * move RegistryConfig to resolver package This allows using the resolver package without having to import the buildkit daemon configuration. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * vendor: fix broken gosum Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * add hack/shell helper for dev shell environment Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * session: make sure all token request keep correct context Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * filesync: ensure sendclose is always called Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Enable stargz snapshotter to use session for snapshot auth Signed-off-by: ktock <ktokunaga.mail@gmail.com> * Implement low-level parser primitives for heredocs This provides the basic functionality for the parser to recognize and parse provided heredocs in supported commands. Signed-off-by: Justin Chadwell <me@jedevc.com> * Add support for parsing heredocs in ADD/COPY and RUN Signed-off-by: Justin Chadwell <me@jedevc.com> * Integrate heredoc support into ADD/COPY and RUN This modifies the command structures to support inline files, as well as provides the logic to compile them down into appropriate LLB definitions. Signed-off-by: Justin Chadwell <me@jedevc.com> * Add integration tests for dockerfile heredocs Signed-off-by: Justin Chadwell <me@jedevc.com> * Update docker/docker to master / v21.xx-dev (post libnetwork integration) full diff: https://github.com/docker/docker/compare/v20.10.7..0ad2293d0e5b This applies the same / similar local changes to buildkit as were made in the branch that moby is currently vendoring: moby/buildkit@244e8cd...cpuguy83:update_libnetwork_import Unfortunately, this (again) requires a "replace" rule (probably until we tagged a release with this change). Go mod refuses to pick a version from master, and (without the replace rule), does weird, reverting docker to a very old version, predating the sirupsen rename: > [vendored 4/4] RUN --mount=target=/src,rw --mount=target=/go/pkg/mod,type=cache go mod tidy && go mod vendor && mkdir /out && cp -r go.mod go.sum vendor /out: #10 0.500 go: finding github.com/docker/docker 8dbd90ec00daa26dc45d7da2431c965dec99e8b4 #10 0.599 warning: ignoring symlink /src/examples/kube-consistent-hash #10 1.027 go: github.com/moby/buildkit/util/testutil/integration imports #10 1.027 github.com/docker/docker/testutil/daemon imports #10 1.027 github.com/docker/docker/opts imports #10 1.027 github.com/docker/libnetwork/ipamutils imports #10 1.027 github.com/docker/libnetwork/osl imports #10 1.027 github.com/Sirupsen/logrus: github.com/Sirupsen/logrus@v1.8.1: parsing go.mod: #10 1.027 module declares its path as: github.com/sirupsen/logrus #10 1.027 but was required as: github.com/Sirupsen/logrus ------ error: failed to solve: rpc error: code = Unknown desc = executor failed running [/bin/sh -c go mod tidy && go mod vendor && mkdir /out && cp -r go.mod go.sum vendor /out]: exit code: 1 make: *** [vendor] Error 1 Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * Fix doc about Stargz Snapshotter and registry authentication Signed-off-by: ktock <ktokunaga.mail@gmail.com> * dockerfile: add documentation for here-docs Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * add differ support for local source Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * llb: don't allow content diff for now Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Fix file modes with remote ADD commands Signed-off-by: Justin Chadwell <me@jedevc.com> * cache: avoid concurrent maps write on prune remove() needs to be called while holding the manager lock Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * metadata: hold lock on storageitem update The locks usage is mixed up because two locks separate locks are actually needed. With a specific lock, calls to SetValue can be protected. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Dockerfile: install fuse-overlayfs from apk fuse-overlayfs is available as an apk since Alpine 3.14. Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> * vendor: update vt100 to fork and remove replace rule Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * add support for opentelemetry Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * replace opentracing with opentelemetry tracers Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * hack: avoid updating generated proto version This can be done as a separate change when needed. Also should analyze if this would affect the gogo incompatibility issues with newer proto. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * session: avoid tracing health checkpoint Upstream fixes needed for cleaner solution Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * disable otel error logging Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * correctly validate span from context Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * dockerfile: ensure config resolve errors keep source location Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * remove go fork for building windows/arm64 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Dockerfile: remove nsswitch as default in go1.16 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * retryhandler: use net.ErrClosed for error check Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * replace uses of deprecated containerd/sys.RunningInUserNS() This utility was moved to a separate package, which has no dependencies. Signed-off-by: Sebastiaan van Stijn <github@gone.nl> * integration: add common context base to all integration tests Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * vendor: update opentelemetry to 1.0.0-rc Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * add current tracing context detection and exec propagation Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> (cherry picked from commit bc9a83144c83e9fd78007b7bfe92e8082c59d40e) * add transform package to convert from otlp Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * tracing: add delegated exporter Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * otlgrpc: provide a way to get otlp client from grpc conn Hopefully this can be removed with a future upstream change that could make this configurable. The package also needs internal dependency that is copied in. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * enable collecting traces via control api Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * support collecting traces from llb.Exec Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * client: pass delegated exporter as parameter Avoid client package having dependency on global detect package. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * update runc binary to v1.0.0 GA Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> * handle unconfigured spans without errors Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * llb: add constraints to vertex and validate Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * llb: add constraints to async llb Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * llb: ensure meta resolver uses platform form constraints Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * flightcontrol: reduce contention between goroutines Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Avoid nil pointer dereference when copying from image with no layers Fix this panic when copying from an image with no layers: ``` panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x50 pc=0xdd8c17] goroutine 326 [running]: github.com/moby/buildkit/cache/contenthash.(*cacheManager).Checksum(0xc0005ec030, 0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, ...) /src/cache/contenthash/checksum.go:95 +0x37 github.com/moby/buildkit/cache/contenthash.Checksum(0x1682c00, 0xc000842140, 0x0, 0x0, 0xc0005d4023, 0x1, 0x0, 0x0, 0x0, 0x0, ...) /src/cache/contenthash/checksum.go:59 +0xd5 github.com/moby/buildkit/solver/llbsolver.NewContentHashFunc.func1.1(0x0, 0x4425d6) /src/solver/llbsolver/result.go:59 +0x20a golang.org/x/sync/errgroup.(*Group).Go.func1(0xc00056a360, 0xc000594510) /src/vendor/golang.org/x/sync/errgroup/errgroup.go:57 +0x59 created by golang.org/x/sync/errgroup.(*Group).Go /src/vendor/golang.org/x/sync/errgroup/errgroup.go:54 +0x66 ``` When the path is "/", we allow it because it's a noop. Based on moby#2185 Signed-off-by: Aaron Lehmann <alehmann@netflix.com> * Add test for copying from scratch Signed-off-by: Aaron Lehmann <alehmann@netflix.com> * Check that scratch is mounted as empty dir Signed-off-by: Aaron Lehmann <alehmann@netflix.com> * Make error message consistent when layer is empty Signed-off-by: Aaron Lehmann <alehmann@netflix.com> * Test with tonistiigi/test:nolayers as well Signed-off-by: Aaron Lehmann <alehmann@netflix.com> * ensure containerd io is complete and closed before returning Signed-off-by: Cory Bennett <cbennett@netflix.com> * [moby#2112] progress.Controller should own the progress.Writer to prevent leaks Signed-off-by: Cory Bennett <cbennett@netflix.com> * [moby#2112] progress.FromContext returns a writer factory this allows progress.Controller to manage the writer lifecycle Signed-off-by: Cory Bennett <cbennett@netflix.com> * contenthash: use SeekLowerBound to seek radix tree Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * dockerfile: fix git version detection Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Add support for heredocs with ONBUILD Signed-off-by: Justin Chadwell <me@jedevc.com> * dockerfile: use none differ for dockerfile/dockerignore This avoids wrong metadata matches on small files Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * progressui: print logs for failed step as summary in plain mode Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * grpcerrors: avoid rpc error wrapping in error messages Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * exec: improve error message on exec errors Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Improve heredoc parsing to allow more generic words Previously, heredoc names were restricted to simple alphanumeric strings. However, heredocs should support much more complex use-cases, including quoting anywhere, as well as allowing special symbols like `.` for easily expressing file extensions. This patch adds support for these more complex cases, by using the shell lexer to parse each heredoc name. Additionally, we include improvements to the lexer to optionally preserve escape tokens to avoid problems when lexing words that have already been lexed before. Signed-off-by: Justin Chadwell <me@jedevc.com> * Improve progress and history messages for heredoc-related commands Signed-off-by: Justin Chadwell <me@jedevc.com> * Remove unneeded Finalize method from ImmutableRef. Finalize was only used outside the cache package in one place, which called it with the commit arg set to false. The code path followed when commit==false turned out to essentially be a no-op because it set "retain cache" to true if it was already set to true. It was thus safe to remove the only external call to it and remove it from the interface. This should be helpful for future efforts to simplify the equal{Mutable,Immutable} fields in cacheRecord, which exist due to the "lazy commit" feature that Finalize is tied into. Signed-off-by: Erik Sipsma <erik@sipsma.dev> * Fix ref leak if fileop ref fails to mount. Signed-off-by: Erik Sipsma <erik@sipsma.dev> * add error suggest pkg Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * dockerfile: suggest mistyped flag names Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * dockerfile: provide suggestions for mount options Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * dockerfile: add tests for error suggestions Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * dockerfile: remove unnecessary error wrappings Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * enable riscv64 build Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Update QEMU emulators Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> * dockerfile: move run network to stable channel Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Automatically detect default git branch Instead of just assuming that the default branch is master, use ls-remote to find out. Also removed tests that didn't specifiy a branch but required authentication, because those will fail now that the repo is actually checked. Signed-off-by: Levi Harrison <levisamuelharrison@gmail.com> * Moved getDefaultBranch function to gitsource It is my suspecion that the tests were failing on previous commits because of the lack of authentication and other stuff like that available in gitidentifier as compared to gitsource Signed-off-by: Levi Harrison <levisamuelharrison@gmail.com> * Fix tests Unfortunately, further test cases will have to be removed because gitindentifier will now leave the branch blank instead of filling it in Signed-off-by: Levi Harrison <levisamuelharrison@gmail.com> * git: fix default branch detection Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Enable to forcefully specify compression type Signed-off-by: ktock <ktokunaga.mail@gmail.com> * Add full timestamp to logs Signed-off-by: Yamazaki Masashi <masi19bw@gmail.com> * Remove meaningless encode Signed-off-by: Yamazaki Masashi <masi19bw@gmail.com> * Ignore missing providers for blobs w/ same chainid. GetByBlob checks to see if there are any other blobs with the same (uncompressed) ChainID and, if so, reuses their unpacked snapshot if it exists. The problem is if this code finds a match, it was trying to get the matching record, but couldn't do so when the match is lazy because the caller doesn't necessarily have descriptor handlers setup for it. This commit changes the behavior to just ignore any match with the same ChainID that's also lazy as they just aren't usable for the snapshot-reuse optimization. Signed-off-by: Erik Sipsma <erik@sipsma.dev> * authprovider: handle eaccess on storing token seeds Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * log with traceID and spanID Signed-off-by: Morlay <morlay.null@gmail.com> * github: update CI buildkit to v0.9.0-rc1 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * initial version of github cache Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * vendor: add goactionscache Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * caps: add cap for gha cache backend Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * remove tracetransform package Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * resolver: increase default idle conns reuse The current default were even lower than stdlib defaults. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * refactor to use util/bklog instead of using logurs directly Signed-off-by: Morlay <morlay.null@gmail.com> * GitHub Actions cache docs Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> * Skips getting UID/GUID if passwd/group file is not found When running a WORKDIR instruction, buildkit will create that folder and chown it to the currently set user. For this, it will try to read the /etc/passwd file to get the proper UID, and if that user is not found in the file, the root user will be considered as the owner. However, Windows image do not have that file, which will result in an error while building the image. We can consider not finding the /etc/passwd file as the same as not finding the user in the file, which would solve this issue. Signed-off-by: Claudiu Belu <cbelu@cloudbasesolutions.com> * add per domain semaphore to limit concurrent connections This is a safer alternative until we figure out why http.Transport based limiting fails. Some connections like cache export/import do not have a domain key atm and these connections use global pool. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * update to github.com/containerd/containerd v1.5.3 Signed-off-by: coryb <cbennett@netflix.com> * vendor: update go-actions-cache with custom client support Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * tracing: update to otelhttp roundtripper Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Enhance test matrix Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> * fix dropped pull progress output due to canceled context fixes moby#2248 Signed-off-by: coryb <cbennett@netflix.com> * Add span for layer export This can be a significant amount of time that isn't currently accounted for in traces. Signed-off-by: Aaron Lehmann <alehmann@netflix.com> * new implementation for limiting tcp connections The previous implementation had many issues. Eg. on fetch, even if the data already existed and no remote connections were needed the request would still be waiting in the queue. Or if two fetches of same blob happened together they would take up two places in queue although there was only one remote request. Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * limited: allow extra high-priority connection for json requests Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * ensure wrappers support seeking to continue partial downloads Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * contentutil: change offset to int64 to simplify Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Exporter config digest typo Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> * daemonless: wait for daemon to finish before exit Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * github: update CI buildkit to v0.9.0 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * add docs for new config options Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * add ktock and crazy-max to maintainers Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Update Dockerfile references to use 1.3 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * docs: update images-readme to v0.9 Signed-off-by: Tonis Tiigi <tonistiigi@gmail.com> * Bump to codecov/codecov-action v2 Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com> * wip Co-authored-by: Sebastiaan van Stijn <github@gone.nl> Co-authored-by: Tonis Tiigi <tonistiigi@gmail.com> Co-authored-by: Siebe Schaap <siebe@digibites.nl> Co-authored-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp> Co-authored-by: Sebastiaan van Stijn <thaJeztah@users.noreply.github.com> Co-authored-by: ktock <ktokunaga.mail@gmail.com> Co-authored-by: Justin Chadwell <me@jedevc.com> Co-authored-by: Akihiro Suda <suda.kyoto@gmail.com> Co-authored-by: Aaron Lehmann <alehmann@netflix.com> Co-authored-by: Cory Bennett <cbennett@netflix.com> Co-authored-by: Erik Sipsma <erik@sipsma.dev> Co-authored-by: CrazyMax <crazy-max@users.noreply.github.com> Co-authored-by: Levi Harrison <levisamuelharrison@gmail.com> Co-authored-by: masibw <masi19bw@gmail.com> Co-authored-by: Morlay <morlay.null@gmail.com> Co-authored-by: CrazyMax <1951866+crazy-max@users.noreply.github.com> Co-authored-by: Claudiu Belu <cbelu@cloudbasesolutions.com>
earthly · Jul 28, 2021 · 199ad6a · 199ad6a
1 parent 467c8f2
commit 199ad6a
Show file tree

Hide file tree

Showing 346 changed files with 14,279 additions and 1,055 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -83,29 +83,26 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        pkg:
+          - ./client ./cmd/buildctl ./worker/containerd ./solver ./frontend
+          - ./frontend/dockerfile
+        worker:
+          - containerd
+          - containerd-1.4
+          - containerd-snapshotter-stargz
+          - oci
+          - oci-rootless
+          - oci-snapshotter-stargz
+        typ:
+          - integration
+          - dockerfile
+        exclude:
+          - pkg: ./client ./cmd/buildctl ./worker/containerd ./solver ./frontend
+            typ: dockerfile
         include:
-          -
-            pkg: ./client
-            typ: integration
-          -
-            pkg: ./cmd/buildctl ./worker/containerd
-            typ: integration
-          -
-            pkg: ./solver
-            typ: integration
-          -
-            pkg: ''
+          - pkg: ./...
             skip-integration-tests: 1
             typ: integration gateway
-          -
-            pkg: ./frontend
-            typ: ''
-          -
-            pkg: ./frontend/dockerfile
-            typ: ''
-          -
-            pkg: ./frontend/dockerfile
-            typ: dockerfile
     steps:
       -
         name: Checkout
@@ -135,14 +132,17 @@ jobs:
         with:
           driver-opts: image=${{ env.REPO_SLUG_ORIGIN }}
       -
-        name: Test ${{ matrix.pkg }} ${{ matrix.typ }}
+        name: Test pkg=${{ matrix.pkg }} ; typ=${{ matrix.typ }} ; skipit=${{ matrix.skip-integration-tests }} ; worker=${{ matrix.worker }}
         run: |
+          export TESTFLAGS="-v --parallel=6 --timeout=20m"
+          if [ -n "${{ matrix.worker }}" ]; then
+            export TESTFLAGS="${TESTFLAGS} --run=//worker=${{ matrix.worker }}$"
+          fi
           ./hack/test ${{ matrix.typ }}
-          mv ./coverage/coverage.txt ./coverage/coverage-${{ github.job }}-$(echo "${{ matrix.coverage-pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.typ }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]').txt
+          mv ./coverage/coverage.txt ./coverage/coverage-${{ github.job }}-$(echo "${{ matrix.pkg }}-${{ matrix.skip-integration-tests }}-${{ matrix.typ }}-${{ matrix.worker }}" | tr -dc '[:alnum:]-\n\r' | tr '[:upper:]' '[:lower:]').txt
         env:
           TEST_COVERAGE: 1
           TESTPKGS: ${{ matrix.pkg }}
-          TESTFLAGS: -v --parallel=6 --timeout=20m
           SKIP_INTEGRATION_TESTS: ${{ matrix.skip-integration-tests }}
           CACHEDIR_FROM: /tmp/.buildkit-cache/${{ env.CACHEKEY_INTEGRATION_TESTS }} /tmp/.buildkit-cache/${{ env.CACHEKEY_BINARIES }}
       -
@@ -224,7 +224,7 @@ jobs:
               .join(',');
       -
         name: Send to Codecov
-        uses: codecov/codecov-action@v1
+        uses: codecov/codecov-action@v2
         with:
           files: ${{ steps.files.outputs.result }}
 

diff --git a/.golangci.yml b/.golangci.yml
@@ -7,7 +7,6 @@ run:
 
   build-tags:
     - dfrunsecurity
-    - dfrunnetwork
     - dfheredoc
 
 linters:

diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,7 @@
-# syntax = docker/dockerfile:1.2
+# syntax = docker/dockerfile:1.3
 
 ARG RUNC_VERSION=v1.0.0
-ARG CONTAINERD_VERSION=v1.5.2
+ARG CONTAINERD_VERSION=v1.5.3
 # containerd v1.4 for integration tests
 ARG CONTAINERD_ALT_VERSION=v1.4.6
 # available targets: buildkitd, buildkitd.oci_only, buildkitd.containerd_only

diff --git a/MAINTAINERS b/MAINTAINERS
@@ -152,8 +152,10 @@ made through a pull request.
 		people = [
 			"akihirosuda",
 			"coryb",
+			"crazy-max",
 			"hinshun",
 			"ijc",
+			"ktock",
 			"sipsma",
 			"tiborvass",
 			"tonistiigi",
@@ -191,16 +193,26 @@ made through a pull request.
 	Email = "github@corybennett.org"
 	GitHub = "coryb"
 
+	[people.crazy-max]
+	Name = "Kevin Alvarez"
+	Email = "contact@crazymax.dev"
+	GitHub = "crazy-max"
+
 	[people.hinshun]
 	Name = "Edgar Lee"
 	Email = "edgarhinshunlee@gmail.com"
 	GitHub = "hinshun"
 
-	[People.ijc]
+	[people.ijc]
 	Name = "Ian Campbell"
 	Email = "ian.campbell@docker.com"
 	GitHub = "ijc"
 
+	[people.ktock]
+	Name = "Kohei Tokunaga"
+	Email = "ktokunaga.mail@gmail.com"
+	GitHub = "ktock"
+
 	[people.sipsma]
 	Name = "Erik Sipsma"
 	Email = "erik@sipsma.dev"

diff --git a/README.md b/README.md
@@ -57,6 +57,7 @@ You don't need to read this document unless you want to use the full-featured st
     - [Inline (push image and cache together)](#inline-push-image-and-cache-together)
     - [Registry (push image and cache separately)](#registry-push-image-and-cache-separately)
     - [Local directory](#local-directory-1)
+    - [GitHub Actions cache (experimental)](#github-actions-cache-experimental)
     - [`--export-cache` options](#--export-cache-options)
     - [`--import-cache` options](#--import-cache-options)
   - [Consistent hashing](#consistent-hashing)
@@ -231,8 +232,8 @@ Keys supported by image output:
 * `unpack=true`: unpack image after creation (for use with containerd)
 * `dangling-name-prefix=[value]`: name image with `prefix@<digest>` , used for anonymous images
 * `name-canonical=true`: add additional canonical name `name@<digest>`
-* `compression=[uncompressed,gzip]`: choose compression type for layer, gzip is default value
-
+* `compression=[uncompressed,gzip]`: choose compression type for layers newly created and cached, gzip is default value
+* `force-compression=true`: forcefully apply `compression` option to all layers (including already existing layers).
 
 If credentials are required, `buildctl` will attempt to read Docker configuration file `$DOCKER_CONFIG/config.json`.
 `$DOCKER_CONFIG` defaults to `~/.docker`.
@@ -314,6 +315,7 @@ BuildKit supports the following cache exporters:
 * `inline`: embed the cache into the image, and push them to the registry together
 * `registry`: push the image and the cache separately
 * `local`: export to a local directory
+* `gha`: export to GitHub Actions cache
 
 In most case you want to use the `inline` cache exporter.
 However, note that the `inline` cache exporter only supports `min` cache mode. 
@@ -340,7 +342,7 @@ However, the standalone `buildctl` does NOT require `--opt build-arg:BUILDKIT_IN
 buildctl build ... \
   --output type=image,name=localhost:5000/myrepo:image,push=true \
   --export-cache type=registry,ref=localhost:5000/myrepo:buildcache \
-  --import-cache type=registry,ref=localhost:5000/myrepo:buildcache \
+  --import-cache type=registry,ref=localhost:5000/myrepo:buildcache
 ```
 
 #### Local directory
@@ -352,18 +354,37 @@ buildctl build ... --import-cache type=local,src=path/to/input-dir
 
 The directory layout conforms to OCI Image Spec v1.0.
 
+#### GitHub Actions cache (experimental)
+
+```bash
+buildctl build ... \
+  --output type=image,name=docker.io/username/image,push=true \
+  --export-cache type=gha \
+  --import-cache type=gha
+```
+
+Following attributes are required to authenticate against the [Github Actions Cache service API](https://github.com/tonistiigi/go-actions-cache/blob/master/api.md#authentication):
+* `url`: Cache server URL (default `$ACTIONS_CACHE_URL`)
+* `token`: Access token (default `$ACTIONS_RUNTIME_TOKEN`)
+
+:information_source: This type of cache can be used with [Docker Build Push Action](https://github.com/docker/build-push-action)
+where `url` and `token` will be automatically set. To use this backend in a inline `run` step, you have to include [crazy-max/ghaction-github-runtime](https://github.com/crazy-max/ghaction-github-runtime)
+in your workflow to expose the runtime.
+
 #### `--export-cache` options
--   `type`: `inline`, `registry`, or `local`
+-   `type`: `inline`, `registry`, `local` or `gha`
 -   `mode=min` (default): only export layers for the resulting image
--   `mode=max`: export all the layers of all intermediate steps. Not supported for `inline` cache exporter.
+-   `mode=max`: export all the layers of all intermediate steps. Not supported for `inline` and `gha` cache exporter.
 -   `ref=docker.io/user/image:tag`: reference for `registry` cache exporter
 -   `dest=path/to/output-dir`: directory for `local` cache exporter
+-   `scope=buildkit`: scope for `gha` cache exporter (default `buildkit`)
 -   `oci-mediatypes=true|false`: whether to use OCI mediatypes in exported manifests for `local` and `registry` exporter. Since BuildKit `v0.8` defaults to true.
 
 #### `--import-cache` options
--   `type`: `registry` or `local`. Use `registry` to import `inline` cache.
+-   `type`: `registry`, `local` or `gha`. Use `registry` to import `inline` cache.
 -   `ref=docker.io/user/image:tag`: reference for `registry` cache importer
 -   `src=path/to/input-dir`: directory for `local` cache importer
+-   `scope=buildkit`: scope for `gha` cache importer (default `buildkit`)
 -   `digest=sha256:deadbeef`: digest of the manifest list to import for `local` cache importer.
 -   `tag=customtag`: custom tag of image for `local` cache importer.
     Defaults to the digest of "latest" tag in `index.json` is for digest, not for tag

diff --git a/cache/blobs.go b/cache/blobs.go
@@ -26,7 +26,8 @@ var ErrNoBlobs = errors.Errorf("no blobs for snapshot")
 // computeBlobChain ensures every ref in a parent chain has an associated blob in the content store. If
 // a blob is missing and createIfNeeded is true, then the blob will be created, otherwise ErrNoBlobs will
 // be returned. Caller must hold a lease when calling this function.
-func (sr *immutableRef) computeBlobChain(ctx context.Context, createIfNeeded bool, compressionType compression.Type, s session.Group) error {
+// If forceCompression is specified but the blob of compressionType doesn't exist, this function creates it.
+func (sr *immutableRef) computeBlobChain(ctx context.Context, createIfNeeded bool, compressionType compression.Type, forceCompression bool, s session.Group) error {
 	if _, ok := leases.FromContext(ctx); !ok {
 		return errors.Errorf("missing lease requirement for computeBlobChain")
 	}
@@ -39,22 +40,31 @@ func (sr *immutableRef) computeBlobChain(ctx context.Context, createIfNeeded boo
 		ctx = winlayers.UseWindowsLayerMode(ctx)
 	}
 
-	return computeBlobChain(ctx, sr, createIfNeeded, compressionType, s)
+	return computeBlobChain(ctx, sr, createIfNeeded, compressionType, forceCompression, s)
 }
 
-func computeBlobChain(ctx context.Context, sr *immutableRef, createIfNeeded bool, compressionType compression.Type, s session.Group) error {
+func computeBlobChain(ctx context.Context, sr *immutableRef, createIfNeeded bool, compressionType compression.Type, forceCompression bool, s session.Group) error {
 	baseCtx := ctx
 	eg, ctx := errgroup.WithContext(ctx)
 	var currentDescr ocispec.Descriptor
 	if sr.parent != nil {
 		eg.Go(func() error {
-			return computeBlobChain(ctx, sr.parent, createIfNeeded, compressionType, s)
+			return computeBlobChain(ctx, sr.parent, createIfNeeded, compressionType, forceCompression, s)
 		})
 	}
 	eg.Go(func() error {
 		dp, err := g.Do(ctx, sr.ID(), func(ctx context.Context) (interface{}, error) {
 			refInfo := sr.Info()
 			if refInfo.Blob != "" {
+				if forceCompression {
+					desc, err := sr.ociDesc()
+					if err != nil {
+						return nil, err
+					}
+					if err := ensureCompression(ctx, sr, desc, compressionType, s); err != nil {
+						return nil, err
+					}
+				}
 				return nil, nil
 			} else if !createIfNeeded {
 				return nil, errors.WithStack(ErrNoBlobs)
@@ -127,6 +137,12 @@ func computeBlobChain(ctx context.Context, sr *immutableRef, createIfNeeded bool
 				return nil, errors.Errorf("unknown layer compression type")
 			}
 
+			if forceCompression {
+				if err := ensureCompression(ctx, sr, descr, compressionType, s); err != nil {
+					return nil, err
+				}
+			}
+
 			return descr, nil
 
 		})
@@ -224,3 +240,39 @@ func isTypeWindows(sr *immutableRef) bool {
 	}
 	return false
 }
+
+// ensureCompression ensures the specified ref has the blob of the specified compression Type.
+func ensureCompression(ctx context.Context, ref *immutableRef, desc ocispec.Descriptor, compressionType compression.Type, s session.Group) error {
+	// Resolve converters
+	layerConvertFunc, _, err := getConverters(desc, compressionType)
+	if err != nil {
+		return err
+	} else if layerConvertFunc == nil {
+		return nil // no need to convert
+	}
+
+	// First, lookup local content store
+	if _, err := ref.getCompressionBlob(ctx, compressionType); err == nil {
+		return nil // found the compression variant. no need to convert.
+	}
+
+	// Convert layer compression type
+	if err := (lazyRefProvider{
+		ref:     ref,
+		desc:    desc,
+		dh:      ref.descHandlers[desc.Digest],
+		session: s,
+	}).Unlazy(ctx); err != nil {
+		return err
+	}
+	newDesc, err := layerConvertFunc(ctx, ref.cm.ContentStore, desc)
+	if err != nil {
+		return err
+	}
+
+	// Start to track converted layer
+	if err := ref.addCompressionBlob(ctx, newDesc.Digest, compressionType); err != nil {
+		return err
+	}
+	return nil
+}