chore: Bump github.com/moby/buildkit from 0.13.2 to 0.25.0

[dependabot]

Bumps github.com/moby/buildkit from 0.13.2 to 0.25.0.

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.25.0

buildkit 0.25.0

Welcome to the v0.25.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Jonathan A. Sternberg
• Akihiro Suda
• Brian Goff
• greggu
• Sebastiaan van Stijn
• Søren Hansen
• Vigilans
• Sam Oluwalana
• Shivam
• Tianon Gravi
• nikelborm

Notable Changes

• Git sources now support working with SHA-256 based code repositories. #6194
• New Checksum has been added to llb.Image to specify verification digest of the image. Unlike the existing digest in the image reference, where digest overrides the tag if both are set, in this mode, the image is resolved by the tag and only verified by checksum. #6234
• The remote cache exporter (also used in provenance creation) has been completely rewritten to solve various concurrency and loop issues. There should be no user-visible changes in the cache format itself. #6129
• BuildKit daemon now supports a way to add custom fields to the provenance attestation to specify the environment BuildKit is running in. Additional field are picked up from config files in /etc/buildkitd/provenance.d directory. #6210
• Containerd executor on Windows now supports HyperVIsolation option. #6224
• Included runc container runtime has been updated to v1.3.1 #6236
• CNI plugins have been updated to v1.8.0 #6185
• Qemu emulation binaries have been updated to v10.0.4. #6215
• Fix possible infinite loop when exporting cache #6186
• Fix issue where some errors could lose their source or stack information when wrapped with errors.Join. #6226
• Multiple fixes to how the builds from Git context are recorded in provenance. #6213
• Fix issue where build arguments could be missing in the history record's provenance attestation. #6221
• Fix issue where materials=false could be incorrectly set in provenance attestation for a build that used frontend inputs. #6203
• Fix not setting the platform in the subject descriptor of the OCI artifact-style attestation manifest. This confused some registries. #6191
• Fix some improper formatting in error messages. #6192
• Fix issue with checking out annotated tags by full reference. #6244

Dependency Changes

• github.com/docker/cli v28.3.3 -> v28.4.0
• google.golang.org/protobuf v1.36.6 -> v1.36.9

... (truncated)

Commits

• 14d1ccb Merge pull request #6255 from jsternberg/v0.25-picks-0.25.0
• 9558f8a git: fix issue with checking out annotated tags by full ref
• f2a7ec9 Fix grpcerrors.AsGRPCStatus to ignore OK and Unknown status codes for
• 8b248a9 alpine: fix issue with openssh pkg in 3.22
• d369dc1 dockerfile: skip customenv tests in dockerd worker
• c8fad61 Merge pull request #6237 from jsternberg/hack-compose
• 2777c1b Merge pull request #6236 from tonistiigi/runc-v1.3.1
• 916074c hack: update hack/compose with newer otel collector
• eb49527 Merge pull request #6234 from tonistiigi/llb-image-checksum
• b7176d5 update runc to v1.3.1
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

🍕 Here are the new binary sizes!

Name	New size (kiB)	size (kiB)	Delta (%)
macOS (amd)	52712	52064	🥺 +1.24
macOS (arm)	51716	51728	❤️ -0.02
linux (amd)	51128	50496	🥺 +1.25
linux (arm)	49800	49864	❤️ -0.13
windows (amd)	48140	47456	🥺 +1.44

[dependabot]

Superseded by #6085.