fix(build): skip remote URL contexts from bake fs.read allowlist #13816
ndeloof wants to merge 1 commit into
When a service's build context is a remote git/HTTP URL, the path was unconditionally added to bake's --allow fs.read= entitlements. On Windows, bake then tries to evaluate the URL as a local filesystem path and fails because `https:` is invalid path syntax (colon is reserved for drive letters).

Apply the same gitutil.ParseGitRef + "://" check already used for additional_contexts so that remote contexts are skipped from the fs.read allowlist.

Fixes #13815

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Signed-off-by: Nicolas De loof <nicolas.deloof@gmail.com>
aeec62e to 165676e
Assessment: 🟢 APPROVE
The fix correctly applies the same gitutil.ParseGitRef + "://" URL filter that was already guarding AdditionalContexts to the main buildConfig.Context field, preventing remote URLs from being passed as --allow fs.read=<url> to bake. The new guard is logically sound and mirrors the existing pattern exactly.
No high or medium severity issues were found.
Pull request overview
Fixes docker compose build failing on Windows when a service’s build.context is a remote git/HTTP URL by ensuring such remote contexts are not passed to buildx bake as --allow fs.read=<url> (which bake interprets as a local filesystem path on Windows).
Changes:
- Skip adding `build.context` to the bake `fs.read` allowlist when it looks like a remote URL (`://`) or a git ref (per `gitutil.ParseGitRef`), matching the existing filtering already used for `additional_contexts`.
This lines up with the split from #13815: local build contexts worked on the same Windows setup, while the remote Git URL context failed when bake treated the URL like an The guard here matches the existing
```yaml
services:
  api:
    build: https://github.com/example/repo.git#main
```
and asserting the bake path does not include that URL in
Summary
- `docker compose build` failing on Windows when a service's `build:` context is a remote git/HTTP URL
- `gitutil.ParseGitRef` + `://` filter to the main `Context` that was already applied to `additional_contexts`, so remote URLs are not passed to bake as `--allow fs.read=<url>`

Why
On Windows, bake interprets `fs.read` entries as local filesystem paths. When the value is a URL like `https://github.com/.../repo.git#main`, evaluation fails with:
because `https:` is invalid Windows path syntax (colon is reserved for drive letters). The `fs.read` entitlement is only meaningful for local paths anyway.

Fixes #13815

Test plan
- `docker compose build` does not build from remote files. #13815 (uses remote git URLs as build contexts)
- `docker compose build` completes successfully on the same project, building both services from their remote git sources

🤖 Generated with Claude Code
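An added illustration of the filtering this PR describes, not code from the PR or from Docker Compose: only local contexts receive an `fs.read` entitlement, and remote ones are skipped. `isRemoteContext` and `fsReadAllowlist` are hypothetical names, and the remote check is a simplified stand-in for `gitutil.ParseGitRef` plus the `://` test; the sample contexts are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// scpStyle matches user@host:path remotes such as git@github.com:org/repo.git.
var scpStyle = regexp.MustCompile(`^[\w.-]+@[\w.-]+:`)

// isRemoteContext is a simplified, hypothetical stand-in for the
// gitutil.ParseGitRef + "://" check named in the PR; the real parser
// recognises more forms than this sketch does.
func isRemoteContext(ctx string) bool {
	return strings.Contains(ctx, "://") ||
		scpStyle.MatchString(ctx) ||
		strings.HasPrefix(ctx, "github.com/")
}

// fsReadAllowlist returns one "fs.read=<path>" entitlement per distinct
// local context, in input order. Remote contexts are never granted.
func fsReadAllowlist(contexts []string) []string {
	seen := map[string]bool{}
	var allow []string
	for _, ctx := range contexts {
		if ctx == "" || isRemoteContext(ctx) || seen[ctx] {
			continue
		}
		seen[ctx] = true
		allow = append(allow, "fs.read="+ctx)
	}
	return allow
}

func main() {
	// Constructed sample contexts; only the https URL appears on the page.
	contexts := []string{
		"https://github.com/example/repo.git#main",
		"git@github.com:example/repo.git",
		".",
		`C:\src\api`, // drive-letter colon, but no "://": stays local
		".",
	}
	for _, e := range fsReadAllowlist(contexts) {
		fmt.Println("--allow", e)
	}
}
```

The Windows drive-letter path is kept because a single colon does not match the `://` test, which is the distinction the failure on Windows turns on.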