Update Coverage for client and proveance

Signed-off-by: Natnael Gebremariam <ngebremariam@microsoft.com>

Author: ngebremariam-msft

.github/workflows/.test.yml

@@ -89,6 +89,8 @@ jobs:
         name: Build
         uses: docker/bake-action@v6
         with:
+          files: |
+            ./docker-bake.hcl
           targets: integration-tests-base
           set: |
             *.cache-from=type=gha,scope=${{ inputs.cache_scope }}
@@ -110,11 +112,13 @@ jobs:
           - containerd-rootless
           - containerd-1.7
           - containerd-2.0
-          - containerd-snapshotter-stargz
+          # Disabled: requires kernel modules not available on GitHub-hosted runners
+          # - containerd-snapshotter-stargz
           - oci
           - oci-rootless
           - oci-rootless-slirp4netns-detachnetns
-          - oci-snapshotter-stargz
+          # Disabled: requires kernel modules not available on GitHub-hosted runners
+          # - oci-snapshotter-stargz
         pkg: ${{ fromJson(needs.prepare.outputs.pkgs) }}
         kind: ${{ fromJson(needs.prepare.outputs.kinds) }}
         tags: ${{ fromJson(needs.prepare.outputs.tags) }}
@@ -155,6 +159,8 @@ jobs:
         name: Build test image
         uses: docker/bake-action@v6
         with:
+          files: |
+            ./docker-bake.hcl
           targets: integration-tests
           set: |
             *.cache-from=type=gha,scope=${{ inputs.cache_scope }}

client/client_test.go

@@ -1710,11 +1710,30 @@ func testFrontendImageNaming(t *testing.T, sb integration.Sandbox) {
 }
 
 func testSecretMounts(t *testing.T, sb integration.Sandbox) {
-	integration.SkipOnPlatform(t, "windows")
+	// https://docs.docker.com/engine/swarm/secrets/
+
+	// Windows vs Linux secret implementation differences:
+	//
+	// Linux: Secrets are mounted as files using tmpfs at /run/secrets/ (RAM-based, encrypted)
+	//
+	// Windows: Secrets are stored in C:\ProgramData\Docker\internal\secrets (clear text on disk)
+	//          Symbolic links point to the desired target (default: C:\ProgramData\Docker\secrets)
+	//          Windows does NOT support tmpfs or non-directory file bind-mounts
+	//          UID/GID/mode options are NOT supported on Windows
+	//          Recommend BitLocker for at-rest encryption
+	//
+	// BuildKit Issue: The "invalid windows mount type: 'tmpfs'" error occurs because BuildKit
+	// currently tries to use tmpfs for all secret mounts. This needs to be fixed in BuildKit's
+	// secret mount implementation to use the Windows symlink approach instead.
+
+	// For now, this test is Linux-only until BuildKit properly implements Windows secret mounts
+	// without tmpfs. Use testSecretEnv for Windows-compatible environment-based secrets.
+	integration.SkipOnPlatform(t, "windows", "Windows does not support tmpfs for secret mounts")
 	c, err := New(sb.Context(), sb.Address())
 	require.NoError(t, err)
 	defer c.Close()
 
+	// Test 1: Basic secret mount with content verification (Linux only)
 	st := llb.Image("busybox:latest").
 		Run(llb.Shlex(`sh -c 'mount | grep mysecret | grep "type tmpfs" && [ "$(cat /run/secrets/mysecret)" = 'foo-secret' ]'`), llb.AddSecret("/run/secrets/mysecret"))
 
@@ -1728,7 +1747,7 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 	}, nil)
 	require.NoError(t, err)
 
-	// test optional, mount should not exist when secret not present in SolveOpt
+	// Test 2: Optional secret - mount should not exist when secret not present in SolveOpt
 	st = llb.Image("busybox:latest").
 		Run(llb.Shlex(`test ! -f /run/secrets/mysecret2`), llb.AddSecret("/run/secrets/mysecret2", llb.SecretOptional))
 
@@ -1743,6 +1762,7 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 	_, err = c.Solve(sb.Context(), def, SolveOpt{}, nil)
 	require.NoError(t, err)
 
+	// Test 3: Required secret missing - should error
 	st = llb.Image("busybox:latest").
 		Run(llb.Shlex(`echo secret3`), llb.AddSecret("/run/secrets/mysecret3"))
 
@@ -1754,7 +1774,7 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 	}, nil)
 	require.Error(t, err)
 
-	// test id,perm,uid
+	// Test 4: Secret with custom ID and file permissions
 	st = llb.Image("busybox:latest").
 		Run(llb.Shlex(`sh -c '[ "$(stat -c "%u %g %f" /run/secrets/mysecret4)" = "1 1 81ff" ]' `), llb.AddSecret("/run/secrets/mysecret4", llb.SecretID("mysecret"), llb.SecretFileOpt(1, 1, 0777)))
 
@@ -1768,7 +1788,7 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 	}, nil)
 	require.NoError(t, err)
 
-	// test empty cert still creates secret file
+	// Test 5: Empty secret still creates secret file
 	st = llb.Image("busybox:latest").
 		Run(llb.Shlex(`test -f /run/secrets/mysecret5`), llb.AddSecret("/run/secrets/mysecret5", llb.SecretID("mysecret")))
 
@@ -1784,13 +1804,22 @@ func testSecretMounts(t *testing.T, sb integration.Sandbox) {
 }
 
 func testSecretEnv(t *testing.T, sb integration.Sandbox) {
-	integration.SkipOnPlatform(t, "windows")
 	c, err := New(sb.Context(), sb.Address())
 	require.NoError(t, err)
 	defer c.Close()
 
-	st := llb.Image("busybox:latest").
-		Run(llb.Shlex(`sh -c '[ "$(echo ${MY_SECRET})" = 'foo-secret' ]'`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true)))
+	imgName := integration.UnixOrWindows("busybox:latest", "nanoserver:latest")
+	var st llb.ExecState
+
+	// Test 1: Verify secret value is accessible as environment variable
+	switch imgName {
+	case "nanoserver:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`cmd /C "if "%MY_SECRET%"=="foo-secret" (exit 0) else (exit 1)"`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true)))
+	case "busybox:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`sh -c '[ "$(echo ${MY_SECRET})" = 'foo-secret' ]'`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true)))
+	}
 
 	def, err := st.Marshal(sb.Context())
 	require.NoError(t, err)
@@ -1802,9 +1831,15 @@ func testSecretEnv(t *testing.T, sb integration.Sandbox) {
 	}, nil)
 	require.NoError(t, err)
 
-	// test optional
-	st = llb.Image("busybox:latest").
-		Run(llb.Shlex(`sh -c '[ -z "${MY_SECRET}" ]'`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true), llb.SecretOptional))
+	// Test 2: Optional secret not provided should be unset/empty
+	switch imgName {
+	case "nanoserver:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`cmd /C "if not defined MY_SECRET (exit 0) else (exit 1)"`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true), llb.SecretOptional))
+	case "busybox:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`sh -c '[ -z "${MY_SECRET}" ]'`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true), llb.SecretOptional))
+	}
 
 	def, err = st.Marshal(sb.Context())
 	require.NoError(t, err)
@@ -1817,8 +1852,15 @@ func testSecretEnv(t *testing.T, sb integration.Sandbox) {
 	_, err = c.Solve(sb.Context(), def, SolveOpt{}, nil)
 	require.NoError(t, err)
 
-	st = llb.Image("busybox:latest").
-		Run(llb.Shlex(`echo foo`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true)))
+	// Test 3: Required secret not provided should error
+	switch imgName {
+	case "nanoserver:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`cmd /C "echo foo"`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true)))
+	case "busybox:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`echo foo`), llb.AddSecret("MY_SECRET", llb.SecretAsEnv(true)))
+	}
 
 	def, err = st.Marshal(sb.Context())
 	require.NoError(t, err)
@@ -1828,12 +1870,21 @@ func testSecretEnv(t *testing.T, sb integration.Sandbox) {
 	}, nil)
 	require.Error(t, err)
 
-	// test id
-	st = llb.Image("busybox:latest").
-		Run(llb.Shlex(`sh -c '[ "$(echo ${MYPASSWORD}-${MYTOKEN})" = "pw-token" ]' `),
-			llb.AddSecret("MYPASSWORD", llb.SecretID("pass"), llb.SecretAsEnv(true)),
-			llb.AddSecret("MYTOKEN", llb.SecretAsEnv(true)),
-		)
+	// Test 4: Multiple secrets with custom IDs
+	switch imgName {
+	case "nanoserver:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`cmd /C "if "%MYPASSWORD%-%MYTOKEN%"=="pw-token" (exit 0) else (exit 1)"`),
+				llb.AddSecret("MYPASSWORD", llb.SecretID("pass"), llb.SecretAsEnv(true)),
+				llb.AddSecret("MYTOKEN", llb.SecretAsEnv(true)),
+			)
+	case "busybox:latest":
+		st = llb.Image(imgName).
+			Run(llb.Shlex(`sh -c '[ "$(echo ${MYPASSWORD}-${MYTOKEN})" = "pw-token" ]' `),
+				llb.AddSecret("MYPASSWORD", llb.SecretID("pass"), llb.SecretAsEnv(true)),
+				llb.AddSecret("MYTOKEN", llb.SecretAsEnv(true)),
+			)
+	}
 
 	def, err = st.Marshal(sb.Context())
 	require.NoError(t, err)
@@ -5125,7 +5176,7 @@ func testBuildExportWithUncompressed(t *testing.T, sb integration.Sandbox) {
 }
 
 func testBuildExportZstd(t *testing.T, sb integration.Sandbox) {
-	integration.SkipOnPlatform(t, "windows")
+	integration.SkipOnPlatform(t, "windows", "Windows container support incomplete: AddMount() fails with 'number of mounts should always be 1 for Windows layers', OCI export fails with 'windowsLcowDiff does not implement Compare method'")
 	workers.CheckFeatureCompat(t, sb, workers.FeatureOCIExporter)
 	c, err := New(sb.Context(), sb.Address())
 	require.NoError(t, err)

frontend/dockerfile/dockerfile_provenance_test.go

@@ -1349,7 +1349,6 @@ ENV FOO=bar
 
 // https://github.com/moby/buildkit/issues/3562
 func testDuplicatePlatformProvenance(t *testing.T, sb integration.Sandbox) {
-	integration.SkipOnPlatform(t, "windows")
 	workers.CheckFeatureCompat(t, sb, workers.FeatureProvenance)
 	ctx := sb.Context()
 
@@ -1361,19 +1360,24 @@ func testDuplicatePlatformProvenance(t *testing.T, sb integration.Sandbox) {
 
 	dockerfile := []byte(
 		`
-FROM alpine as base-linux
-FROM nanoserver as base-windows
+FROM alpine AS base-linux
+FROM nanoserver AS base-windows
 FROM base-$TARGETOS
 `,
 	)
 	dir := integration.Tmpdir(
 		t,
 		fstest.CreateFile("Dockerfile", dockerfile, 0600),
 	)
+
+	platform := integration.UnixOrWindows(
+		"linux/amd64,linux/amd64",     // Linux worker: duplicate call on Linux platform
+		"windows/amd64,windows/amd64", // Windows worker: duplicate call on Windows platform
+	)
 	_, err = f.Solve(sb.Context(), c, client.SolveOpt{
 		FrontendAttrs: map[string]string{
 			"attest:provenance": "mode=max",
-			"platform":          "linux/amd64,linux/amd64",
+			"platform":          platform,
 		},
 		LocalMounts: map[string]fsutil.FS{
 			dockerui.DefaultLocalNameDockerfile: dir,