
bake: derive git auth host from remote URL #3648

Merged: crazy-max merged 1 commit into docker:master from crazy-max:bake-auth-token-domain, Feb 24, 2026

Conversation

crazy-max (Member) commented Feb 10, 2026:

This PR refactors Bake Git authentication secret handling by introducing a dedicated gitauth helper that centralizes how secrets are built from environment variables. The same helper is now used in both build option creation and remote bake file reads, so the behavior is consistent across those paths while preserving existing support for BUILDX_BAKE_GIT_AUTH_TOKEN and BUILDX_BAKE_GIT_AUTH_HEADER.

It also adds automatic host-based Git auth secret derivation for remote Bake invocations. When a remote URL is in play, Bake now emits both base BuildKit secret IDs and host-scoped IDs (for example GIT_AUTH_TOKEN.<host> / GIT_AUTH_HEADER.<host>) based on the resolved remote URL logic, enabling per-host auth routing automatically without introducing host-suffixed auth env vars.
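As an added example (not buildx's own code), a minimal Go model of the behaviour the description above and the review discussion converge on: derive the host from the bake definition URL, emit only host-scoped GIT_AUTH_TOKEN.<host> / GIT_AUTH_HEADER.<host> secret IDs for the BUILDX_BAKE_GIT_AUTH_* variables that are set, and check that a target context is a remote URL on the same host before it shares those credentials. The Secret type, gitHost, gitAuthSecrets and sameGitHost are names assumed here, and dropping the port from the host is an assumption of this example.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// Secret mirrors the two fields this example needs from a BuildKit secret
// spec: the ID the build sees and the env var the value is read from.
type Secret struct{ ID, Env string }
var remoteSchemes = map[string]bool{"http": true, "https": true, "ssh": true, "git": true}
// scpLike matches "user@host:path" remotes, which net/url cannot parse.
var scpLike = regexp.MustCompile(`^[^@/:]+@([^:/]+):`)

// gitHost returns the lower-cased host of a remote Git URL (port dropped, an assumption
// of this example) and false for non-remote inputs such as ".", "cwd://." or "target:app".
func gitHost(remote string) (string, bool) {
	if m := scpLike.FindStringSubmatch(remote); m != nil {
		return strings.ToLower(m[1]), true
	}
	u, err := url.Parse(remote)
	if err != nil || !remoteSchemes[u.Scheme] || u.Hostname() == "" {
		return "", false
	}
	return strings.ToLower(u.Hostname()), true
}

// gitAuthSecrets emits only host-scoped IDs for the bake definition URL, and
// only for the BUILDX_BAKE_GIT_AUTH_* variables that are actually set.
func gitAuthSecrets(definitionURL string, getenv func(string) string) []Secret {
	host, ok := gitHost(definitionURL)
	if !ok {
		return nil
	}
	var out []Secret
	for _, p := range [][2]string{{"GIT_AUTH_TOKEN", "BUILDX_BAKE_GIT_AUTH_TOKEN"}, {"GIT_AUTH_HEADER", "BUILDX_BAKE_GIT_AUTH_HEADER"}} {
		if getenv(p[1]) != "" {
			out = append(out, Secret{ID: p[0] + "." + host, Env: p[1]})
		}
	}
	return out
}

// sameGitHost is the check asked for in review: both must be remote URLs on one host.
func sameGitHost(definitionURL, contextPath string) bool {
	a, okA := gitHost(definitionURL)
	b, okB := gitHost(contextPath)
	return okA && okB && a == b
}
```

Pass a closure over os.Getenv as getenv in real use; the tests below use a constructed map so nothing depends on the environment.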

crazy-max force-pushed the bake-auth-token-domain branch from ac8f506 to 8573243, February 10, 2026 15:12
crazy-max added this to the v0.32.0 milestone, Feb 10, 2026
crazy-max force-pushed the bake-auth-token-domain branch from 8573243 to 22217e5, February 10, 2026 15:26
crazy-max requested a review from tonistiigi, February 10, 2026 15:38
crazy-max marked this pull request as ready for review, February 10, 2026 15:38
tonistiigi (Member) left a comment:

I don't think users should need to set the host in the env variable. We can just get the host from the remote URL and connect these automatically.

crazy-max force-pushed the bake-auth-token-domain branch from 22217e5 to eebe1e5, February 17, 2026 15:28
crazy-max changed the title from "bake: support host-suffixed git auth env vars" to "bake: derive git auth host from remote URL", Feb 17, 2026
crazy-max force-pushed the bake-auth-token-domain branch from eebe1e5 to ac54d55, February 18, 2026 14:02
crazy-max requested a review from tonistiigi, February 18, 2026 14:08
bake/bake.go Outdated
}

func isRemoteContext(t build.Inputs, inp *Input) bool {
func remoteContextURL(t build.Inputs, inp *Input) string {
tonistiigi (Member) comment:

nit: bit cleaner to return string, bool from such functions.

bake/gitauth.go Outdated
return nil
}
secrets := make(buildflags.Secrets, 0, len(hosts)+1)
secrets = append(secrets, &buildflags.Secret{
tonistiigi (Member) comment:

I still don't get it.

(assuming this isn't breaking existing users badly), this should be only set if the Bake command is using remote input, not based on if the target is using remote URL or not, which seems to happen atm.

Additionally, there is no point in adding the main secret key and host key with the same value. Only host key should be set, and only for the host that was "bake remote URL", not any host that happened to be remote URL for a bake target.

crazy-max (Member, Author) comment:

> there is no point in adding the main secret key and host key with the same value.

Ah right, this should only emit host-scoped git auth secrets (no generic main key).

> (assuming this isn't breaking existing users badly), this should be only set if the Bake command is using remote input, not based on if the target is using remote URL or not what seems to happen atm.

I kept target remote-context handling for backward compatibility for now. I'm a bit hesitant to switch to strict remote input only immediately, because the current behavior follows context resolution in

buildx/bake/bake.go, lines 1294 to 1331 in 268f1c7:

```go
func updateContext(t *build.Inputs, inp *Input) {
	if inp == nil || inp.State == nil {
		return
	}
	for k, v := range t.NamedContexts {
		if v.Path == "." {
			t.NamedContexts[k] = build.NamedContext{Path: inp.URL}
		}
		if strings.HasPrefix(v.Path, "cwd://") || strings.HasPrefix(v.Path, "target:") || strings.HasPrefix(v.Path, "docker-image:") {
			continue
		}
		if urlutil.IsRemoteURL(v.Path) {
			continue
		}
		st := llb.Scratch().File(llb.Copy(*inp.State, v.Path, "/"), llb.WithCustomNamef("set context %s to %s", k, v.Path))
		t.NamedContexts[k] = build.NamedContext{State: &st, Path: inp.URL}
	}
	if t.ContextPath == "." {
		t.ContextPath = inp.URL
		return
	}
	if strings.HasPrefix(t.ContextPath, "cwd://") {
		return
	}
	if urlutil.IsRemoteURL(t.ContextPath) {
		return
	}
	st := llb.Scratch().File(
		llb.Copy(*inp.State, t.ContextPath, "/", &llb.CopyInfo{
			CopyDirContentsOnly: true,
		}),
		llb.WithCustomNamef("set context to %s", t.ContextPath),
	)
	t.ContextState = &st
	t.ContextPath = inp.URL
}
```

And changing that could break existing flows. If you prefer, I can still change it to strict remote input only behavior.

crazy-max force-pushed the bake-auth-token-domain branch from ac54d55 to f43adf9, February 23, 2026 09:08
bake/bake.go Outdated
Env: "BUILDX_BAKE_GIT_AUTH_HEADER",
})
}
if remoteURL, ok := remoteContextURL(bi, inp); ok {
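Review bot: on the `if remoteURL, ok := remoteContextURL(bi, inp); ok {` line the host for the derived secret IDs comes from the target's resolved context rather than from the remote bake definition (inp.URL), while BUILDX_BAKE_GIT_AUTH_TOKEN / BUILDX_BAKE_GIT_AUTH_HEADER were supplied for that definition; a target whose context is a remote URL on a different host would then get the same credential attached under that host's GIT_AUTH_TOKEN.<host> / GIT_AUTH_HEADER.<host> ID. Suggest deriving the host from inp.URL only, and adding a test with a definition URL and a target context on two different hosts to pin that down.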
tonistiigi (Member) comment:

The change in remote.go seems right, but this one still seems to use target.ContextPath as the remote URL, which may not be correct. A target context URL and the bake remote definition URL may not be the same and these env secrets should be based on the remote definition URL only iiuc.

crazy-max (Member, Author) comment:

> but this one still seems to use target.ContextPath as ther remote URL, what may not be correct

Ok I was following the context resolution in buildx/bake/bake.go, lines 1294 to 1331 in 268f1c7,

where ContextPath is set to inp.URL but not needed. I'm changing this.

crazy-max force-pushed the bake-auth-token-domain branch from f43adf9 to a5b81ef, February 24, 2026 16:31
crazy-max requested a review from tonistiigi, February 24, 2026 16:32
bake/bake.go Outdated
Env: "BUILDX_BAKE_GIT_AUTH_HEADER",
})
}
if inp != nil && urlutil.IsRemoteURL(inp.URL) && !strings.HasPrefix(bi.ContextPath, "cwd://") {
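Review bot: `!strings.HasPrefix(bi.ContextPath, "cwd://")` is a negative check, so any context that is not cwd://, including a remote URL on a different host than inp.URL, takes this branch and receives secrets derived from inp.URL's host. Suggest a positive check instead: parse both inp.URL and bi.ContextPath, require both to be remote URLs, and compare their hosts case-insensitively, with a unit test covering the mismatched-host case.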
tonistiigi (Member) comment:

This should do some kind of 1) both are URLs, 2) both URLs use the same host check, instead of just !cwd://

crazy-max force-pushed the bake-auth-token-domain branch from a5b81ef to 26c7ae6, February 24, 2026 17:09
crazy-max requested a review from tonistiigi, February 24, 2026 17:10
crazy-max merged commit 989bab0 into docker:master, Feb 24, 2026
159 checks passed
crazy-max deleted the bake-auth-token-domain branch, February 24, 2026 17:35