Notable Changes (v0.29.0)
Builtin Dockerfile frontend has been updated to v1.23.0 (changelog)
Git sources can now initialize all files from a Git checkout with commit time in the LLB API for better reproducibility. See Dockerfile changelog for how to enable this in the Dockerfile frontend #6600
Various file access operations in Git and HTTP sources have been hardened for improved security #6613
Frontends can now report updated SOURCE_DATE_EPOCH with result metadata that can be used by exporters #6601
Fix possible panic when listing build history after recent deletions #6614
Fix possible issue where builds from Git repositories could start to fail after submodule rename #6563
Fix possible process lifecycle event ordering issue in interactive container API that could cause deadlocks in the client #6531
Fix regression where build progress skipped the message about layers being pushed to the registry #6587
Fix possible cgroup initialization failure in BuildKit container image entrypoint on some environments #6585
Fix issue with resolving symlinks via file access methods of the Gateway API #6559
Fix possible "parent snapshot does not exist" error when exporting images in parallel #6558
Fix possible panic from zstd compression #6599
Fix issue where cache imports from an uninitialized local cache tag could fail the build #6554
Included CNI plugins have been updated to v1.9.1 #6583
Included QEMU emulator support has been updated to v10.2.1 #6580
Runc container runtime has been updated to v1.3.5 #6625
Notable Changes (v0.28.1)
Fix insufficient validation of Git URL #ref:subdir fragments that could allow access to restricted files outside the checked-out repository root. GHSA-4vrq-3vrq-g6gg
Fix a vulnerability where an untrusted custom frontend could cause files to be written outside the BuildKit state directory. GHSA-4c29-8rgm-jvjj
Fix a panic when processing invalid .dockerignore patterns during COPY. #6610 moby/patternmatcher#9
Notable Changes (v0.28.0)
Builtin Dockerfile frontend has been updated to v1.22.0 (changelog)
The default provenance format has been switched to SLSA v1.0 from the previous v0.2. The old format can still be generated by setting the version attribute. #6526
Provenance attestation for an image can now be directly pulled via Source metadata request. #6516 #6514 #6537
Pushing result images and exporting build cache now happens in parallel, for better performance. #6451
LLB definition now supports two new Source types for accessing raw blobs from image registries and from OCI layouts. New sources use identifier protocols docker-image+blob:// and oci-layout+blob://. #4286
LLB API now supports custom checksum requests for HTTP sources, allowing fetching checksums for different algorithms than the default SHA256 and with optional suffixes. #6527 #6537
LLB API now supports validating HTTP sources with PGP signatures, similarly to previous support for Git sources. #6527
With the update to a newer version of the in-toto library, the provenance attestation key InvocationID has changed to InvocationId to strictly follow the SLSA spec. This change doesn't affect BuildKit/Buildx Golang tooling, but could affect 3rd party tools if they are using case-sensitive JSON parsing. #6533
Embedded Qemu emulator support has been updated to v10.1.3 #6524
Update BuildKit Cgroups implementation to work in (Kubernetes) environments that don't have their own Cgroup namespace. #6368 (@dduvall's change)
Buildctl binary now supports bash completion. #6474
PGP signature verification now supports combined public keys as input for defining the required signer. #6519
Fix possible "failed to read expected number of bytes" error when reading attestation chains #6520
Fix possible error from race condition when creating images in parallel #6477
Notable Changes (v0.27.1)
Fix possible panic when verifying signature of GitHub Actions cache moby/policy-helpers#21
Notable Changes (v0.27.0)
Built-in Dockerfile frontend has been updated to v1.21.0
This is the first version of BuildKit with signed release images and artifacts, built using Docker GitHub Builder
Allow convert decisions from Session Source Policy implementations #6427
GitHub Cache backend now supports an optional signed cache that is cryptographically verified on import #6397
Provide a gateway interface for reading container filesystems during builds #6262
Push registry remote cache blobs in parallel for faster uploads #6455
Cache attestation chain pull-through responses for better performance #6435
Allow custom AuthConfig providers in client #6408
Surface policy deny messages in build errors #6458
Fix Git 2.52 support for matching some error conditions #6452
Expose the build reference in exporter buildinfo #6424
Improve expired keys handling in Git signature verification #6412
Cache gateway forwarder mounts and deduplicate snapshot responses #6387
Remove development gateway frontend options in favor of build-contexts #6350
Prevent status stream from closing too early by using an inactivity timeout #6396
Recover from history.db corruption #6371
Fix xattr copy failures on SELinux systems #6015
Fix error return when requesting attestation from non-index image #6473
Fix possible "digest not found" error when fetching attestation chain due to missing lease #6464
Fix Windows copy operations around protected files #6369
Fix possible race condition in gateway bridge forwarder #6355
Fix concurrency in source policy evaluation to prevent parallel panics #6448
Deployment:
- gitlab-cloud-runners staging
- gitlab-cloud-runners production
- WMCS and Trusted runners