Merge pull request #4518 from thaJeztah/23.0_backport_docker-cli-slows-bash-init

[23.0 backport] Stop slowing bash init by caching plugins path slowly

.github/workflows/build.yml

@@ -58,7 +58,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       -
         name: Build
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v3
         with:
           targets: ${{ matrix.target }}
           set: |
@@ -121,7 +121,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       -
         name: Build
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v3
         with:
           targets: plugins-cross
           set: |

.github/workflows/test.yml

@@ -26,7 +26,7 @@ jobs:
         uses: docker/setup-buildx-action@v2
       -
         name: Test
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v3
         with:
           targets: test-coverage
       -
@@ -63,7 +63,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v3
         with:
-          go-version: 1.19.8
+          go-version: 1.20.7
       -
         name: Test
         run: |

.github/workflows/validate.yml

@@ -29,14 +29,33 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
       -
         name: Run
-        uses: docker/bake-action@v2
+        uses: docker/bake-action@v3
         with:
           targets: ${{ matrix.target }}
 
+  # check that the generated Markdown and the checked-in files match
+  validate-md:
+    runs-on: ubuntu-20.04
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      -
+        name: Generate
+        shell: 'script --return --quiet --command "bash {0}"'
+        run: |
+          make -f docker.Makefile mddocs
+      -
+        name: Validate
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo 'fail: generated files do not match checked-in files'
+            git --no-pager diff
+            exit 1
+          fi
+
   validate-make:
     runs-on: ubuntu-20.04
     strategy:
@@ -49,8 +68,6 @@ jobs:
       -
         name: Checkout
         uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
       -
         name: Run
         shell: 'script --return --quiet --command "bash {0}"'

.golangci.yml

@@ -117,7 +117,10 @@ issues:
     - text: "package-comments: should have a package comment"
       linters:
         - revive
-
+    # FIXME temporarily suppress these (see https://github.com/gotestyourself/gotest.tools/issues/272)
+    - text: "SA1019: (assert|cmp|is)\\.ErrorType is deprecated"
+      linters:
+        - staticcheck
     # Exclude some linters from running on tests files.
     - path: _test\.go
       linters:

Dockerfile

@@ -1,12 +1,12 @@
 # syntax=docker/dockerfile:1
 
 ARG BASE_VARIANT=alpine
-ARG GO_VERSION=1.19.8
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.20.7
+ARG ALPINE_VERSION=3.17
 ARG XX_VERSION=1.1.1
 ARG GOVERSIONINFO_VERSION=v1.3.0
-ARG GOTESTSUM_VERSION=v1.8.2
-ARG BUILDX_VERSION=0.10.4
+ARG GOTESTSUM_VERSION=v1.10.0
+ARG BUILDX_VERSION=0.11.2
 
 FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
 

cli-plugins/manager/metadata.go

@@ -23,6 +23,7 @@ type Metadata struct {
 	// URL is a pointer to the plugin's homepage.
 	URL string `json:",omitempty"`
 	// Experimental specifies whether the plugin is experimental.
+	//
 	// Deprecated: experimental features are now always enabled in the CLI
 	Experimental bool `json:",omitempty"`
 }

cli/command/checkpoint/client_test.go

@@ -14,21 +14,21 @@ type fakeClient struct {
 	checkpointListFunc   func(container string, options types.CheckpointListOptions) ([]types.Checkpoint, error)
 }
 
-func (cli *fakeClient) CheckpointCreate(ctx context.Context, container string, options types.CheckpointCreateOptions) error {
+func (cli *fakeClient) CheckpointCreate(_ context.Context, container string, options types.CheckpointCreateOptions) error {
 	if cli.checkpointCreateFunc != nil {
 		return cli.checkpointCreateFunc(container, options)
 	}
 	return nil
 }
 
-func (cli *fakeClient) CheckpointDelete(ctx context.Context, container string, options types.CheckpointDeleteOptions) error {
+func (cli *fakeClient) CheckpointDelete(_ context.Context, container string, options types.CheckpointDeleteOptions) error {
 	if cli.checkpointDeleteFunc != nil {
 		return cli.checkpointDeleteFunc(container, options)
 	}
 	return nil
 }
 
-func (cli *fakeClient) CheckpointList(ctx context.Context, container string, options types.CheckpointListOptions) ([]types.Checkpoint, error) {
+func (cli *fakeClient) CheckpointList(_ context.Context, container string, options types.CheckpointListOptions) ([]types.Checkpoint, error) {
 	if cli.checkpointListFunc != nil {
 		return cli.checkpointListFunc(container, options)
 	}

cli/command/cli.go

@@ -164,8 +164,8 @@ func (cli *DockerCli) ContentTrustEnabled() bool {
 
 // BuildKitEnabled returns buildkit is enabled or not.
 func (cli *DockerCli) BuildKitEnabled() (bool, error) {
-	// use DOCKER_BUILDKIT env var value if set
-	if v, ok := os.LookupEnv("DOCKER_BUILDKIT"); ok {
+	// use DOCKER_BUILDKIT env var value if set and not empty
+	if v := os.Getenv("DOCKER_BUILDKIT"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return false, errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")

cli/command/completion/functions.go

@@ -94,6 +94,6 @@ func NetworkNames(dockerCli command.Cli) ValidArgsFn {
 }
 
 // NoComplete is used for commands where there's no relevant completion
-func NoComplete(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+func NoComplete(*cobra.Command, []string, string) ([]string, cobra.ShellCompDirective) {
 	return nil, cobra.ShellCompDirectiveNoFileComp
 }

cli/command/config/client_test.go

@@ -10,34 +10,34 @@ import (
 
 type fakeClient struct {
 	client.Client
-	configCreateFunc  func(swarm.ConfigSpec) (types.ConfigCreateResponse, error)
-	configInspectFunc func(string) (swarm.Config, []byte, error)
-	configListFunc    func(types.ConfigListOptions) ([]swarm.Config, error)
+	configCreateFunc  func(context.Context, swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+	configInspectFunc func(context.Context, string) (swarm.Config, []byte, error)
+	configListFunc    func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
 	configRemoveFunc  func(string) error
 }
 
 func (c *fakeClient) ConfigCreate(ctx context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 	if c.configCreateFunc != nil {
-		return c.configCreateFunc(spec)
+		return c.configCreateFunc(ctx, spec)
 	}
 	return types.ConfigCreateResponse{}, nil
 }
 
 func (c *fakeClient) ConfigInspectWithRaw(ctx context.Context, id string) (swarm.Config, []byte, error) {
 	if c.configInspectFunc != nil {
-		return c.configInspectFunc(id)
+		return c.configInspectFunc(ctx, id)
 	}
 	return swarm.Config{}, nil, nil
 }
 
 func (c *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 	if c.configListFunc != nil {
-		return c.configListFunc(options)
+		return c.configListFunc(ctx, options)
 	}
 	return []swarm.Config{}, nil
 }
 
-func (c *fakeClient) ConfigRemove(ctx context.Context, name string) error {
+func (c *fakeClient) ConfigRemove(_ context.Context, name string) error {
 	if c.configRemoveFunc != nil {
 		return c.configRemoveFunc(name)
 	}

cli/command/config/create_test.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"context"
 	"io"
 	"os"
 	"path/filepath"
@@ -22,7 +23,7 @@ const configDataFile = "config-create-with-name.golden"
 func TestConfigCreateErrors(t *testing.T) {
 	testCases := []struct {
 		args             []string
-		configCreateFunc func(swarm.ConfigSpec) (types.ConfigCreateResponse, error)
+		configCreateFunc func(context.Context, swarm.ConfigSpec) (types.ConfigCreateResponse, error)
 		expectedError    string
 	}{
 		{
@@ -35,7 +36,7 @@ func TestConfigCreateErrors(t *testing.T) {
 		},
 		{
 			args: []string{"name", filepath.Join("testdata", configDataFile)},
-			configCreateFunc: func(configSpec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+			configCreateFunc: func(_ context.Context, configSpec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 				return types.ConfigCreateResponse{}, errors.Errorf("error creating config")
 			},
 			expectedError: "error creating config",
@@ -57,7 +58,7 @@ func TestConfigCreateWithName(t *testing.T) {
 	name := "foo"
 	var actual []byte
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 			if spec.Name != name {
 				return types.ConfigCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
 			}
@@ -96,7 +97,7 @@ func TestConfigCreateWithLabels(t *testing.T) {
 	}
 
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 			if !reflect.DeepEqual(spec, expected) {
 				return types.ConfigCreateResponse{}, errors.Errorf("expected %+v, got %+v", expected, spec)
 			}
@@ -122,7 +123,7 @@ func TestConfigCreateWithTemplatingDriver(t *testing.T) {
 	name := "foo"
 
 	cli := test.NewFakeCli(&fakeClient{
-		configCreateFunc: func(spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
+		configCreateFunc: func(_ context.Context, spec swarm.ConfigSpec) (types.ConfigCreateResponse, error) {
 			if spec.Name != name {
 				return types.ConfigCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
 			}

cli/command/config/inspect_test.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"testing"
@@ -18,7 +19,7 @@ func TestConfigInspectErrors(t *testing.T) {
 	testCases := []struct {
 		args              []string
 		flags             map[string]string
-		configInspectFunc func(configID string) (swarm.Config, []byte, error)
+		configInspectFunc func(_ context.Context, configID string) (swarm.Config, []byte, error)
 		expectedError     string
 	}{
 		{
@@ -26,7 +27,7 @@ func TestConfigInspectErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo"},
-			configInspectFunc: func(configID string) (swarm.Config, []byte, error) {
+			configInspectFunc: func(_ context.Context, configID string) (swarm.Config, []byte, error) {
 				return swarm.Config{}, nil, errors.Errorf("error while inspecting the config")
 			},
 			expectedError: "error while inspecting the config",
@@ -40,7 +41,7 @@ func TestConfigInspectErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo", "bar"},
-			configInspectFunc: func(configID string) (swarm.Config, []byte, error) {
+			configInspectFunc: func(_ context.Context, configID string) (swarm.Config, []byte, error) {
 				if configID == "foo" {
 					return *Config(ConfigName("foo")), nil, nil
 				}
@@ -68,12 +69,12 @@ func TestConfigInspectWithoutFormat(t *testing.T) {
 	testCases := []struct {
 		name              string
 		args              []string
-		configInspectFunc func(configID string) (swarm.Config, []byte, error)
+		configInspectFunc func(_ context.Context, configID string) (swarm.Config, []byte, error)
 	}{
 		{
 			name: "single-config",
 			args: []string{"foo"},
-			configInspectFunc: func(name string) (swarm.Config, []byte, error) {
+			configInspectFunc: func(_ context.Context, name string) (swarm.Config, []byte, error) {
 				if name != "foo" {
 					return swarm.Config{}, nil, errors.Errorf("Invalid name, expected %s, got %s", "foo", name)
 				}
@@ -83,7 +84,7 @@ func TestConfigInspectWithoutFormat(t *testing.T) {
 		{
 			name: "multiple-configs-with-labels",
 			args: []string{"foo", "bar"},
-			configInspectFunc: func(name string) (swarm.Config, []byte, error) {
+			configInspectFunc: func(_ context.Context, name string) (swarm.Config, []byte, error) {
 				return *Config(ConfigID("ID-"+name), ConfigName(name), ConfigLabels(map[string]string{
 					"label1": "label-foo",
 				})), nil, nil
@@ -100,7 +101,7 @@ func TestConfigInspectWithoutFormat(t *testing.T) {
 }
 
 func TestConfigInspectWithFormat(t *testing.T) {
-	configInspectFunc := func(name string) (swarm.Config, []byte, error) {
+	configInspectFunc := func(_ context.Context, name string) (swarm.Config, []byte, error) {
 		return *Config(ConfigName("foo"), ConfigLabels(map[string]string{
 			"label1": "label-foo",
 		})), nil, nil
@@ -109,7 +110,7 @@ func TestConfigInspectWithFormat(t *testing.T) {
 		name              string
 		format            string
 		args              []string
-		configInspectFunc func(name string) (swarm.Config, []byte, error)
+		configInspectFunc func(_ context.Context, name string) (swarm.Config, []byte, error)
 	}{
 		{
 			name:              "simple-template",
@@ -139,11 +140,11 @@ func TestConfigInspectWithFormat(t *testing.T) {
 func TestConfigInspectPretty(t *testing.T) {
 	testCases := []struct {
 		name              string
-		configInspectFunc func(string) (swarm.Config, []byte, error)
+		configInspectFunc func(context.Context, string) (swarm.Config, []byte, error)
 	}{
 		{
 			name: "simple",
-			configInspectFunc: func(id string) (swarm.Config, []byte, error) {
+			configInspectFunc: func(_ context.Context, id string) (swarm.Config, []byte, error) {
 				return *Config(
 					ConfigLabels(map[string]string{
 						"lbl1": "value1",

cli/command/config/ls_test.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"context"
 	"io"
 	"testing"
 	"time"
@@ -19,7 +20,7 @@ import (
 func TestConfigListErrors(t *testing.T) {
 	testCases := []struct {
 		args           []string
-		configListFunc func(types.ConfigListOptions) ([]swarm.Config, error)
+		configListFunc func(context.Context, types.ConfigListOptions) ([]swarm.Config, error)
 		expectedError  string
 	}{
 		{
@@ -27,7 +28,7 @@ func TestConfigListErrors(t *testing.T) {
 			expectedError: "accepts no argument",
 		},
 		{
-			configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+			configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 				return []swarm.Config{}, errors.Errorf("error listing configs")
 			},
 			expectedError: "error listing configs",
@@ -47,7 +48,7 @@ func TestConfigListErrors(t *testing.T) {
 
 func TestConfigList(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*Config(ConfigID("ID-1-foo"),
 					ConfigName("1-foo"),
@@ -77,7 +78,7 @@ func TestConfigList(t *testing.T) {
 
 func TestConfigListWithQuietOption(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*Config(ConfigID("ID-foo"), ConfigName("foo")),
 				*Config(ConfigID("ID-bar"), ConfigName("bar"), ConfigLabels(map[string]string{
@@ -94,7 +95,7 @@ func TestConfigListWithQuietOption(t *testing.T) {
 
 func TestConfigListWithConfigFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*Config(ConfigID("ID-foo"), ConfigName("foo")),
 				*Config(ConfigID("ID-bar"), ConfigName("bar"), ConfigLabels(map[string]string{
@@ -113,7 +114,7 @@ func TestConfigListWithConfigFormat(t *testing.T) {
 
 func TestConfigListWithFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 			return []swarm.Config{
 				*Config(ConfigID("ID-foo"), ConfigName("foo")),
 				*Config(ConfigID("ID-bar"), ConfigName("bar"), ConfigLabels(map[string]string{
@@ -130,7 +131,7 @@ func TestConfigListWithFormat(t *testing.T) {
 
 func TestConfigListWithFilter(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		configListFunc: func(options types.ConfigListOptions) ([]swarm.Config, error) {
+		configListFunc: func(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 			assert.Check(t, is.Equal("foo", options.Filters.Get("name")[0]))
 			assert.Check(t, is.Equal("lbl1=Label-bar", options.Filters.Get("label")[0]))
 			return []swarm.Config{

cli/command/container/client_test.go

@@ -64,7 +64,7 @@ func (f *fakeClient) ContainerExecInspect(_ context.Context, execID string) (typ
 	return types.ContainerExecInspect{}, nil
 }
 
-func (f *fakeClient) ContainerExecStart(ctx context.Context, execID string, config types.ExecStartCheck) error {
+func (f *fakeClient) ContainerExecStart(context.Context, string, types.ExecStartCheck) error {
 	return nil
 }
 
@@ -89,7 +89,7 @@ func (f *fakeClient) ContainerRemove(ctx context.Context, container string, opti
 	return nil
 }
 
-func (f *fakeClient) ImageCreate(ctx context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
+func (f *fakeClient) ImageCreate(_ context.Context, parentReference string, options types.ImageCreateOptions) (io.ReadCloser, error) {
 	if f.imageCreateFunc != nil {
 		return f.imageCreateFunc(parentReference, options)
 	}

cli/command/container/prune.go

@@ -75,6 +75,6 @@ func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint6
 
 // RunPrune calls the Container Prune API
 // This returns the amount of space reclaimed and a detailed output string
-func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
+func RunPrune(dockerCli command.Cli, _ bool, filter opts.FilterOpt) (uint64, string, error) {
 	return runPrune(dockerCli, pruneOptions{force: true, filter: filter})
 }

cli/command/container/run.go

@@ -173,11 +173,11 @@ func runContainer(dockerCli command.Cli, opts *runOptions, copts *containerOptio
 			dockerCli.ConfigFile().DetachKeys = opts.detachKeys
 		}
 
-		close, err := attachContainer(ctx, dockerCli, &errCh, config, createResponse.ID)
+		closeFn, err := attachContainer(ctx, dockerCli, &errCh, config, createResponse.ID)
 		if err != nil {
 			return err
 		}
-		defer close()
+		defer closeFn()
 	}
 
 	statusChan := waitExitOrRemoved(ctx, dockerCli, createResponse.ID, copts.autoRemove)

cli/command/context/create.go

@@ -118,10 +118,7 @@ func createNewContext(o *CreateOptions, cli command.Cli, s store.Writer) error {
 	if err := s.CreateOrUpdate(contextMetadata); err != nil {
 		return err
 	}
-	if err := s.ResetTLSMaterial(o.Name, &contextTLSData); err != nil {
-		return err
-	}
-	return nil
+	return s.ResetTLSMaterial(o.Name, &contextTLSData)
 }
 
 func checkContextNameForCreation(s store.Reader, name string) error {

cli/command/formatter/formatter.go

@@ -19,7 +19,7 @@ const (
 	JSONFormatKey   = "json"
 
 	DefaultQuietFormat = "{{.ID}}"
-	jsonFormat         = "{{json .}}"
+	JSONFormat         = "{{json .}}"
 )
 
 // Format is the format string rendered using the Context
@@ -62,7 +62,7 @@ func (c *Context) preFormat() {
 	case c.Format.IsTable():
 		c.finalFormat = c.finalFormat[len(TableFormatKey):]
 	case c.Format.IsJSON():
-		c.finalFormat = jsonFormat
+		c.finalFormat = JSONFormat
 	}
 
 	c.finalFormat = strings.Trim(c.finalFormat, " ")

cli/command/idresolver/client_test.go

@@ -14,14 +14,14 @@ type fakeClient struct {
 	serviceInspectFunc func(string) (swarm.Service, []byte, error)
 }
 
-func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, nodeID string) (swarm.Node, []byte, error) {
+func (cli *fakeClient) NodeInspectWithRaw(_ context.Context, nodeID string) (swarm.Node, []byte, error) {
 	if cli.nodeInspectFunc != nil {
 		return cli.nodeInspectFunc(nodeID)
 	}
 	return swarm.Node{}, []byte{}, nil
 }
 
-func (cli *fakeClient) ServiceInspectWithRaw(ctx context.Context, serviceID string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+func (cli *fakeClient) ServiceInspectWithRaw(_ context.Context, serviceID string, _ types.ServiceInspectOptions) (swarm.Service, []byte, error) {
 	if cli.serviceInspectFunc != nil {
 		return cli.serviceInspectFunc(serviceID)
 	}

cli/command/image/build/context_test.go

@@ -18,7 +18,7 @@ import (
 
 const dockerfileContents = "FROM busybox"
 
-func prepareEmpty(t *testing.T) string {
+func prepareEmpty(_ *testing.T) string {
 	return ""
 }
 

cli/command/image/client_test.go

@@ -87,7 +87,7 @@ func (cli *fakeClient) ImageLoad(_ context.Context, input io.Reader, quiet bool)
 	return types.ImageLoadResponse{}, nil
 }
 
-func (cli *fakeClient) ImageList(ctx context.Context, options types.ImageListOptions) ([]types.ImageSummary, error) {
+func (cli *fakeClient) ImageList(_ context.Context, options types.ImageListOptions) ([]types.ImageSummary, error) {
 	if cli.imageListFunc != nil {
 		return cli.imageListFunc(options)
 	}

cli/command/network/client_test.go

@@ -52,6 +52,6 @@ func (c *fakeClient) NetworkRemove(ctx context.Context, networkID string) error
 	return nil
 }
 
-func (c *fakeClient) NetworkInspectWithRaw(ctx context.Context, network string, options types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
+func (c *fakeClient) NetworkInspectWithRaw(context.Context, string, types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
 	return types.NetworkResource{}, nil, nil
 }

cli/command/network/prune.go

@@ -70,7 +70,7 @@ func runPrune(dockerCli command.Cli, options pruneOptions) (output string, err e
 
 // RunPrune calls the Network Prune API
 // This returns the amount of space reclaimed and a detailed output string
-func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
+func RunPrune(dockerCli command.Cli, _ bool, filter opts.FilterOpt) (uint64, string, error) {
 	output, err := runPrune(dockerCli, pruneOptions{force: true, filter: filter})
 	return 0, output, err
 }

cli/command/node/client_test.go

@@ -20,49 +20,49 @@ type fakeClient struct {
 	serviceInspectFunc func(ctx context.Context, serviceID string, opts types.ServiceInspectOptions) (swarm.Service, []byte, error)
 }
 
-func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+func (cli *fakeClient) NodeInspectWithRaw(context.Context, string) (swarm.Node, []byte, error) {
 	if cli.nodeInspectFunc != nil {
 		return cli.nodeInspectFunc()
 	}
 	return swarm.Node{}, []byte{}, nil
 }
 
-func (cli *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+func (cli *fakeClient) NodeList(context.Context, types.NodeListOptions) ([]swarm.Node, error) {
 	if cli.nodeListFunc != nil {
 		return cli.nodeListFunc()
 	}
 	return []swarm.Node{}, nil
 }
 
-func (cli *fakeClient) NodeRemove(ctx context.Context, nodeID string, options types.NodeRemoveOptions) error {
+func (cli *fakeClient) NodeRemove(context.Context, string, types.NodeRemoveOptions) error {
 	if cli.nodeRemoveFunc != nil {
 		return cli.nodeRemoveFunc()
 	}
 	return nil
 }
 
-func (cli *fakeClient) NodeUpdate(ctx context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error {
+func (cli *fakeClient) NodeUpdate(_ context.Context, nodeID string, version swarm.Version, node swarm.NodeSpec) error {
 	if cli.nodeUpdateFunc != nil {
 		return cli.nodeUpdateFunc(nodeID, version, node)
 	}
 	return nil
 }
 
-func (cli *fakeClient) Info(ctx context.Context) (types.Info, error) {
+func (cli *fakeClient) Info(context.Context) (types.Info, error) {
 	if cli.infoFunc != nil {
 		return cli.infoFunc()
 	}
 	return types.Info{}, nil
 }
 
-func (cli *fakeClient) TaskInspectWithRaw(ctx context.Context, taskID string) (swarm.Task, []byte, error) {
+func (cli *fakeClient) TaskInspectWithRaw(_ context.Context, taskID string) (swarm.Task, []byte, error) {
 	if cli.taskInspectFunc != nil {
 		return cli.taskInspectFunc(taskID)
 	}
 	return swarm.Task{}, []byte{}, nil
 }
 
-func (cli *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+func (cli *fakeClient) TaskList(_ context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
 	if cli.taskListFunc != nil {
 		return cli.taskListFunc(options)
 	}

cli/command/plugin/client_test.go

@@ -20,42 +20,42 @@ type fakeClient struct {
 	pluginInspectFunc func(name string) (*types.Plugin, []byte, error)
 }
 
-func (c *fakeClient) PluginCreate(ctx context.Context, createContext io.Reader, createOptions types.PluginCreateOptions) error {
+func (c *fakeClient) PluginCreate(_ context.Context, createContext io.Reader, createOptions types.PluginCreateOptions) error {
 	if c.pluginCreateFunc != nil {
 		return c.pluginCreateFunc(createContext, createOptions)
 	}
 	return nil
 }
 
-func (c *fakeClient) PluginEnable(ctx context.Context, name string, enableOptions types.PluginEnableOptions) error {
+func (c *fakeClient) PluginEnable(_ context.Context, name string, enableOptions types.PluginEnableOptions) error {
 	if c.pluginEnableFunc != nil {
 		return c.pluginEnableFunc(name, enableOptions)
 	}
 	return nil
 }
 
-func (c *fakeClient) PluginDisable(context context.Context, name string, disableOptions types.PluginDisableOptions) error {
+func (c *fakeClient) PluginDisable(_ context.Context, name string, disableOptions types.PluginDisableOptions) error {
 	if c.pluginDisableFunc != nil {
 		return c.pluginDisableFunc(name, disableOptions)
 	}
 	return nil
 }
 
-func (c *fakeClient) PluginRemove(context context.Context, name string, removeOptions types.PluginRemoveOptions) error {
+func (c *fakeClient) PluginRemove(_ context.Context, name string, removeOptions types.PluginRemoveOptions) error {
 	if c.pluginRemoveFunc != nil {
 		return c.pluginRemoveFunc(name, removeOptions)
 	}
 	return nil
 }
 
-func (c *fakeClient) PluginInstall(context context.Context, name string, installOptions types.PluginInstallOptions) (io.ReadCloser, error) {
+func (c *fakeClient) PluginInstall(_ context.Context, name string, installOptions types.PluginInstallOptions) (io.ReadCloser, error) {
 	if c.pluginInstallFunc != nil {
 		return c.pluginInstallFunc(name, installOptions)
 	}
 	return nil, nil
 }
 
-func (c *fakeClient) PluginList(context context.Context, filter filters.Args) (types.PluginsListResponse, error) {
+func (c *fakeClient) PluginList(_ context.Context, filter filters.Args) (types.PluginsListResponse, error) {
 	if c.pluginListFunc != nil {
 		return c.pluginListFunc(filter)
 	}
@@ -63,7 +63,7 @@ func (c *fakeClient) PluginList(context context.Context, filter filters.Args) (t
 	return types.PluginsListResponse{}, nil
 }
 
-func (c *fakeClient) PluginInspectWithRaw(ctx context.Context, name string) (*types.Plugin, []byte, error) {
+func (c *fakeClient) PluginInspectWithRaw(_ context.Context, name string) (*types.Plugin, []byte, error) {
 	if c.pluginInspectFunc != nil {
 		return c.pluginInspectFunc(name)
 	}
@@ -71,6 +71,6 @@ func (c *fakeClient) PluginInspectWithRaw(ctx context.Context, name string) (*ty
 	return nil, nil, nil
 }
 
-func (c *fakeClient) Info(ctx context.Context) (types.Info, error) {
+func (c *fakeClient) Info(context.Context) (types.Info, error) {
 	return types.Info{}, nil
 }

cli/command/registry/login_test.go

@@ -34,11 +34,11 @@ type fakeClient struct {
 	client.Client
 }
 
-func (c fakeClient) Info(ctx context.Context) (types.Info, error) {
+func (c fakeClient) Info(context.Context) (types.Info, error) {
 	return types.Info{}, nil
 }
 
-func (c fakeClient) RegistryLogin(ctx context.Context, auth types.AuthConfig) (registrytypes.AuthenticateOKBody, error) {
+func (c fakeClient) RegistryLogin(_ context.Context, auth types.AuthConfig) (registrytypes.AuthenticateOKBody, error) {
 	if auth.Password == expiredPassword {
 		return registrytypes.AuthenticateOKBody{}, fmt.Errorf("Invalid Username or Password")
 	}

cli/command/secret/client_test.go

@@ -10,36 +10,36 @@ import (
 
 type fakeClient struct {
 	client.Client
-	secretCreateFunc  func(swarm.SecretSpec) (types.SecretCreateResponse, error)
-	secretInspectFunc func(string) (swarm.Secret, []byte, error)
-	secretListFunc    func(types.SecretListOptions) ([]swarm.Secret, error)
-	secretRemoveFunc  func(string) error
+	secretCreateFunc  func(context.Context, swarm.SecretSpec) (types.SecretCreateResponse, error)
+	secretInspectFunc func(context.Context, string) (swarm.Secret, []byte, error)
+	secretListFunc    func(context.Context, types.SecretListOptions) ([]swarm.Secret, error)
+	secretRemoveFunc  func(context.Context, string) error
 }
 
 func (c *fakeClient) SecretCreate(ctx context.Context, spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
 	if c.secretCreateFunc != nil {
-		return c.secretCreateFunc(spec)
+		return c.secretCreateFunc(ctx, spec)
 	}
 	return types.SecretCreateResponse{}, nil
 }
 
 func (c *fakeClient) SecretInspectWithRaw(ctx context.Context, id string) (swarm.Secret, []byte, error) {
 	if c.secretInspectFunc != nil {
-		return c.secretInspectFunc(id)
+		return c.secretInspectFunc(ctx, id)
 	}
 	return swarm.Secret{}, nil, nil
 }
 
 func (c *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 	if c.secretListFunc != nil {
-		return c.secretListFunc(options)
+		return c.secretListFunc(ctx, options)
 	}
 	return []swarm.Secret{}, nil
 }
 
 func (c *fakeClient) SecretRemove(ctx context.Context, name string) error {
 	if c.secretRemoveFunc != nil {
-		return c.secretRemoveFunc(name)
+		return c.secretRemoveFunc(ctx, name)
 	}
 	return nil
 }

cli/command/secret/create_test.go

@@ -1,6 +1,7 @@
 package secret
 
 import (
+	"context"
 	"io"
 	"os"
 	"path/filepath"
@@ -21,7 +22,7 @@ const secretDataFile = "secret-create-with-name.golden"
 func TestSecretCreateErrors(t *testing.T) {
 	testCases := []struct {
 		args             []string
-		secretCreateFunc func(swarm.SecretSpec) (types.SecretCreateResponse, error)
+		secretCreateFunc func(context.Context, swarm.SecretSpec) (types.SecretCreateResponse, error)
 		expectedError    string
 	}{
 		{
@@ -34,7 +35,7 @@ func TestSecretCreateErrors(t *testing.T) {
 		},
 		{
 			args: []string{"name", filepath.Join("testdata", secretDataFile)},
-			secretCreateFunc: func(secretSpec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+			secretCreateFunc: func(_ context.Context, secretSpec swarm.SecretSpec) (types.SecretCreateResponse, error) {
 				return types.SecretCreateResponse{}, errors.Errorf("error creating secret")
 			},
 			expectedError: "error creating secret",
@@ -66,7 +67,7 @@ func TestSecretCreateWithName(t *testing.T) {
 	}
 
 	cli := test.NewFakeCli(&fakeClient{
-		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+		secretCreateFunc: func(_ context.Context, spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
 			if !reflect.DeepEqual(spec, expected) {
 				return types.SecretCreateResponse{}, errors.Errorf("expected %+v, got %+v", expected, spec)
 			}
@@ -89,7 +90,7 @@ func TestSecretCreateWithDriver(t *testing.T) {
 	name := "foo"
 
 	cli := test.NewFakeCli(&fakeClient{
-		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+		secretCreateFunc: func(_ context.Context, spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
 			if spec.Name != name {
 				return types.SecretCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
 			}
@@ -118,7 +119,7 @@ func TestSecretCreateWithTemplatingDriver(t *testing.T) {
 	name := "foo"
 
 	cli := test.NewFakeCli(&fakeClient{
-		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+		secretCreateFunc: func(_ context.Context, spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
 			if spec.Name != name {
 				return types.SecretCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
 			}
@@ -148,7 +149,7 @@ func TestSecretCreateWithLabels(t *testing.T) {
 	name := "foo"
 
 	cli := test.NewFakeCli(&fakeClient{
-		secretCreateFunc: func(spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
+		secretCreateFunc: func(_ context.Context, spec swarm.SecretSpec) (types.SecretCreateResponse, error) {
 			if spec.Name != name {
 				return types.SecretCreateResponse{}, errors.Errorf("expected name %q, got %q", name, spec.Name)
 			}

cli/command/secret/inspect_test.go

@@ -1,6 +1,7 @@
 package secret
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"testing"
@@ -18,7 +19,7 @@ func TestSecretInspectErrors(t *testing.T) {
 	testCases := []struct {
 		args              []string
 		flags             map[string]string
-		secretInspectFunc func(secretID string) (swarm.Secret, []byte, error)
+		secretInspectFunc func(ctx context.Context, secretID string) (swarm.Secret, []byte, error)
 		expectedError     string
 	}{
 		{
@@ -26,7 +27,7 @@ func TestSecretInspectErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo"},
-			secretInspectFunc: func(secretID string) (swarm.Secret, []byte, error) {
+			secretInspectFunc: func(_ context.Context, secretID string) (swarm.Secret, []byte, error) {
 				return swarm.Secret{}, nil, errors.Errorf("error while inspecting the secret")
 			},
 			expectedError: "error while inspecting the secret",
@@ -40,7 +41,7 @@ func TestSecretInspectErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo", "bar"},
-			secretInspectFunc: func(secretID string) (swarm.Secret, []byte, error) {
+			secretInspectFunc: func(_ context.Context, secretID string) (swarm.Secret, []byte, error) {
 				if secretID == "foo" {
 					return *Secret(SecretName("foo")), nil, nil
 				}
@@ -68,12 +69,12 @@ func TestSecretInspectWithoutFormat(t *testing.T) {
 	testCases := []struct {
 		name              string
 		args              []string
-		secretInspectFunc func(secretID string) (swarm.Secret, []byte, error)
+		secretInspectFunc func(ctx context.Context, secretID string) (swarm.Secret, []byte, error)
 	}{
 		{
 			name: "single-secret",
 			args: []string{"foo"},
-			secretInspectFunc: func(name string) (swarm.Secret, []byte, error) {
+			secretInspectFunc: func(_ context.Context, name string) (swarm.Secret, []byte, error) {
 				if name != "foo" {
 					return swarm.Secret{}, nil, errors.Errorf("Invalid name, expected %s, got %s", "foo", name)
 				}
@@ -83,7 +84,7 @@ func TestSecretInspectWithoutFormat(t *testing.T) {
 		{
 			name: "multiple-secrets-with-labels",
 			args: []string{"foo", "bar"},
-			secretInspectFunc: func(name string) (swarm.Secret, []byte, error) {
+			secretInspectFunc: func(_ context.Context, name string) (swarm.Secret, []byte, error) {
 				return *Secret(SecretID("ID-"+name), SecretName(name), SecretLabels(map[string]string{
 					"label1": "label-foo",
 				})), nil, nil
@@ -102,7 +103,7 @@ func TestSecretInspectWithoutFormat(t *testing.T) {
 }
 
 func TestSecretInspectWithFormat(t *testing.T) {
-	secretInspectFunc := func(name string) (swarm.Secret, []byte, error) {
+	secretInspectFunc := func(_ context.Context, name string) (swarm.Secret, []byte, error) {
 		return *Secret(SecretName("foo"), SecretLabels(map[string]string{
 			"label1": "label-foo",
 		})), nil, nil
@@ -111,7 +112,7 @@ func TestSecretInspectWithFormat(t *testing.T) {
 		name              string
 		format            string
 		args              []string
-		secretInspectFunc func(name string) (swarm.Secret, []byte, error)
+		secretInspectFunc func(_ context.Context, name string) (swarm.Secret, []byte, error)
 	}{
 		{
 			name:              "simple-template",
@@ -141,11 +142,11 @@ func TestSecretInspectWithFormat(t *testing.T) {
 func TestSecretInspectPretty(t *testing.T) {
 	testCases := []struct {
 		name              string
-		secretInspectFunc func(string) (swarm.Secret, []byte, error)
+		secretInspectFunc func(context.Context, string) (swarm.Secret, []byte, error)
 	}{
 		{
 			name: "simple",
-			secretInspectFunc: func(id string) (swarm.Secret, []byte, error) {
+			secretInspectFunc: func(_ context.Context, id string) (swarm.Secret, []byte, error) {
 				return *Secret(
 					SecretLabels(map[string]string{
 						"lbl1": "value1",

cli/command/secret/ls_test.go

@@ -1,6 +1,7 @@
 package secret
 
 import (
+	"context"
 	"io"
 	"testing"
 	"time"
@@ -19,7 +20,7 @@ import (
 func TestSecretListErrors(t *testing.T) {
 	testCases := []struct {
 		args           []string
-		secretListFunc func(types.SecretListOptions) ([]swarm.Secret, error)
+		secretListFunc func(context.Context, types.SecretListOptions) ([]swarm.Secret, error)
 		expectedError  string
 	}{
 		{
@@ -27,7 +28,7 @@ func TestSecretListErrors(t *testing.T) {
 			expectedError: "accepts no argument",
 		},
 		{
-			secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+			secretListFunc: func(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 				return []swarm.Secret{}, errors.Errorf("error listing secrets")
 			},
 			expectedError: "error listing secrets",
@@ -47,7 +48,7 @@ func TestSecretListErrors(t *testing.T) {
 
 func TestSecretList(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+		secretListFunc: func(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 			return []swarm.Secret{
 				*Secret(SecretID("ID-1-foo"),
 					SecretName("1-foo"),
@@ -79,7 +80,7 @@ func TestSecretList(t *testing.T) {
 
 func TestSecretListWithQuietOption(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+		secretListFunc: func(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 			return []swarm.Secret{
 				*Secret(SecretID("ID-foo"), SecretName("foo")),
 				*Secret(SecretID("ID-bar"), SecretName("bar"), SecretLabels(map[string]string{
@@ -96,7 +97,7 @@ func TestSecretListWithQuietOption(t *testing.T) {
 
 func TestSecretListWithConfigFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+		secretListFunc: func(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 			return []swarm.Secret{
 				*Secret(SecretID("ID-foo"), SecretName("foo")),
 				*Secret(SecretID("ID-bar"), SecretName("bar"), SecretLabels(map[string]string{
@@ -115,7 +116,7 @@ func TestSecretListWithConfigFormat(t *testing.T) {
 
 func TestSecretListWithFormat(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+		secretListFunc: func(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 			return []swarm.Secret{
 				*Secret(SecretID("ID-foo"), SecretName("foo")),
 				*Secret(SecretID("ID-bar"), SecretName("bar"), SecretLabels(map[string]string{
@@ -132,7 +133,7 @@ func TestSecretListWithFormat(t *testing.T) {
 
 func TestSecretListWithFilter(t *testing.T) {
 	cli := test.NewFakeCli(&fakeClient{
-		secretListFunc: func(options types.SecretListOptions) ([]swarm.Secret, error) {
+		secretListFunc: func(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 			assert.Check(t, is.Equal("foo", options.Filters.Get("name")[0]), "foo")
 			assert.Check(t, is.Equal("lbl1=Label-bar", options.Filters.Get("label")[0]))
 			return []swarm.Secret{

cli/command/secret/remove_test.go

@@ -1,6 +1,7 @@
 package secret
 
 import (
+	"context"
 	"io"
 	"strings"
 	"testing"
@@ -14,7 +15,7 @@ import (
 func TestSecretRemoveErrors(t *testing.T) {
 	testCases := []struct {
 		args             []string
-		secretRemoveFunc func(string) error
+		secretRemoveFunc func(context.Context, string) error
 		expectedError    string
 	}{
 		{
@@ -23,7 +24,7 @@ func TestSecretRemoveErrors(t *testing.T) {
 		},
 		{
 			args: []string{"foo"},
-			secretRemoveFunc: func(name string) error {
+			secretRemoveFunc: func(_ context.Context, name string) error {
 				return errors.Errorf("error removing secret")
 			},
 			expectedError: "error removing secret",
@@ -45,7 +46,7 @@ func TestSecretRemoveWithName(t *testing.T) {
 	names := []string{"foo", "bar"}
 	var removedSecrets []string
 	cli := test.NewFakeCli(&fakeClient{
-		secretRemoveFunc: func(name string) error {
+		secretRemoveFunc: func(_ context.Context, name string) error {
 			removedSecrets = append(removedSecrets, name)
 			return nil
 		},
@@ -62,7 +63,7 @@ func TestSecretRemoveContinueAfterError(t *testing.T) {
 	var removedSecrets []string
 
 	cli := test.NewFakeCli(&fakeClient{
-		secretRemoveFunc: func(name string) error {
+		secretRemoveFunc: func(_ context.Context, name string) error {
 			removedSecrets = append(removedSecrets, name)
 			if name == "foo" {
 				return errors.Errorf("error removing secret: %s", name)

cli/command/service/progress/progress.go

@@ -414,7 +414,7 @@ type globalProgressUpdater struct {
 	done        bool
 }
 
-func (u *globalProgressUpdater) update(service swarm.Service, tasks []swarm.Task, activeNodes map[string]struct{}, rollback bool) (bool, error) {
+func (u *globalProgressUpdater) update(_ swarm.Service, tasks []swarm.Task, activeNodes map[string]struct{}, rollback bool) (bool, error) {
 	tasksByNode := u.tasksByNode(tasks)
 
 	// We don't have perfect knowledge of how many nodes meet the

cli/command/service/update_test.go

@@ -504,23 +504,23 @@ type secretAPIClientMock struct {
 	listResult []swarm.Secret
 }
 
-func (s secretAPIClientMock) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+func (s secretAPIClientMock) SecretList(context.Context, types.SecretListOptions) ([]swarm.Secret, error) {
 	return s.listResult, nil
 }
 
-func (s secretAPIClientMock) SecretCreate(ctx context.Context, secret swarm.SecretSpec) (types.SecretCreateResponse, error) {
+func (s secretAPIClientMock) SecretCreate(context.Context, swarm.SecretSpec) (types.SecretCreateResponse, error) {
 	return types.SecretCreateResponse{}, nil
 }
 
-func (s secretAPIClientMock) SecretRemove(ctx context.Context, id string) error {
+func (s secretAPIClientMock) SecretRemove(context.Context, string) error {
 	return nil
 }
 
-func (s secretAPIClientMock) SecretInspectWithRaw(ctx context.Context, name string) (swarm.Secret, []byte, error) {
+func (s secretAPIClientMock) SecretInspectWithRaw(context.Context, string) (swarm.Secret, []byte, error) {
 	return swarm.Secret{}, []byte{}, nil
 }
 
-func (s secretAPIClientMock) SecretUpdate(ctx context.Context, id string, version swarm.Version, secret swarm.SecretSpec) error {
+func (s secretAPIClientMock) SecretUpdate(context.Context, string, swarm.Version, swarm.SecretSpec) error {
 	return nil
 }
 

cli/command/stack/client_test.go

@@ -43,7 +43,7 @@ type fakeClient struct {
 	configRemoveFunc  func(configID string) error
 }
 
-func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
+func (cli *fakeClient) ServerVersion(context.Context) (types.Version, error) {
 	return types.Version{
 		Version:    "docker-dev",
 		APIVersion: api.DefaultVersion,
@@ -54,7 +54,7 @@ func (cli *fakeClient) ClientVersion() string {
 	return cli.version
 }
 
-func (cli *fakeClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+func (cli *fakeClient) ServiceList(_ context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
 	if cli.serviceListFunc != nil {
 		return cli.serviceListFunc(options)
 	}
@@ -69,7 +69,7 @@ func (cli *fakeClient) ServiceList(ctx context.Context, options types.ServiceLis
 	return servicesList, nil
 }
 
-func (cli *fakeClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+func (cli *fakeClient) NetworkList(_ context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
 	if cli.networkListFunc != nil {
 		return cli.networkListFunc(options)
 	}
@@ -84,7 +84,7 @@ func (cli *fakeClient) NetworkList(ctx context.Context, options types.NetworkLis
 	return networksList, nil
 }
 
-func (cli *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+func (cli *fakeClient) SecretList(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 	if cli.secretListFunc != nil {
 		return cli.secretListFunc(options)
 	}
@@ -99,7 +99,7 @@ func (cli *fakeClient) SecretList(ctx context.Context, options types.SecretListO
 	return secretsList, nil
 }
 
-func (cli *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+func (cli *fakeClient) ConfigList(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 	if cli.configListFunc != nil {
 		return cli.configListFunc(options)
 	}
@@ -114,28 +114,28 @@ func (cli *fakeClient) ConfigList(ctx context.Context, options types.ConfigListO
 	return configsList, nil
 }
 
-func (cli *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+func (cli *fakeClient) TaskList(_ context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
 	if cli.taskListFunc != nil {
 		return cli.taskListFunc(options)
 	}
 	return []swarm.Task{}, nil
 }
 
-func (cli *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+func (cli *fakeClient) NodeList(_ context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
 	if cli.nodeListFunc != nil {
 		return cli.nodeListFunc(options)
 	}
 	return []swarm.Node{}, nil
 }
 
-func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+func (cli *fakeClient) NodeInspectWithRaw(_ context.Context, ref string) (swarm.Node, []byte, error) {
 	if cli.nodeInspectWithRaw != nil {
 		return cli.nodeInspectWithRaw(ref)
 	}
 	return swarm.Node{}, nil, nil
 }
 
-func (cli *fakeClient) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+func (cli *fakeClient) ServiceUpdate(_ context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
 	if cli.serviceUpdateFunc != nil {
 		return cli.serviceUpdateFunc(serviceID, version, service, options)
 	}
@@ -143,7 +143,7 @@ func (cli *fakeClient) ServiceUpdate(ctx context.Context, serviceID string, vers
 	return types.ServiceUpdateResponse{}, nil
 }
 
-func (cli *fakeClient) ServiceRemove(ctx context.Context, serviceID string) error {
+func (cli *fakeClient) ServiceRemove(_ context.Context, serviceID string) error {
 	if cli.serviceRemoveFunc != nil {
 		return cli.serviceRemoveFunc(serviceID)
 	}
@@ -152,7 +152,7 @@ func (cli *fakeClient) ServiceRemove(ctx context.Context, serviceID string) erro
 	return nil
 }
 
-func (cli *fakeClient) NetworkRemove(ctx context.Context, networkID string) error {
+func (cli *fakeClient) NetworkRemove(_ context.Context, networkID string) error {
 	if cli.networkRemoveFunc != nil {
 		return cli.networkRemoveFunc(networkID)
 	}
@@ -161,7 +161,7 @@ func (cli *fakeClient) NetworkRemove(ctx context.Context, networkID string) erro
 	return nil
 }
 
-func (cli *fakeClient) SecretRemove(ctx context.Context, secretID string) error {
+func (cli *fakeClient) SecretRemove(_ context.Context, secretID string) error {
 	if cli.secretRemoveFunc != nil {
 		return cli.secretRemoveFunc(secretID)
 	}
@@ -170,7 +170,7 @@ func (cli *fakeClient) SecretRemove(ctx context.Context, secretID string) error
 	return nil
 }
 
-func (cli *fakeClient) ConfigRemove(ctx context.Context, configID string) error {
+func (cli *fakeClient) ConfigRemove(_ context.Context, configID string) error {
 	if cli.configRemoveFunc != nil {
 		return cli.configRemoveFunc(configID)
 	}
@@ -179,7 +179,7 @@ func (cli *fakeClient) ConfigRemove(ctx context.Context, configID string) error
 	return nil
 }
 
-func (cli *fakeClient) ServiceInspectWithRaw(ctx context.Context, serviceID string, opts types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+func (cli *fakeClient) ServiceInspectWithRaw(_ context.Context, serviceID string, _ types.ServiceInspectOptions) (swarm.Service, []byte, error) {
 	return swarm.Service{
 		ID: serviceID,
 		Spec: swarm.ServiceSpec{

cli/command/stack/deploy.go

@@ -28,7 +28,7 @@ func newDeployCommand(dockerCli command.Cli) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			return RunDeploy(dockerCli, cmd.Flags(), config, opts)
+			return swarm.RunDeploy(dockerCli, opts, config)
 		},
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			return completeNames(dockerCli)(cmd, args, toComplete)
@@ -47,7 +47,9 @@ func newDeployCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-// RunDeploy performs a stack deploy against the specified swarm cluster
-func RunDeploy(dockerCli command.Cli, flags *pflag.FlagSet, config *composetypes.Config, opts options.Deploy) error {
+// RunDeploy performs a stack deploy against the specified swarm cluster.
+//
+// Deprecated: use [swarm.RunDeploy] instead.
+func RunDeploy(dockerCli command.Cli, _ *pflag.FlagSet, config *composetypes.Config, opts options.Deploy) error {
 	return swarm.RunDeploy(dockerCli, opts, config)
 }

cli/command/stack/list.go

@@ -23,7 +23,7 @@ func newListCommand(dockerCli command.Cli) *cobra.Command {
 		Short:   "List stacks",
 		Args:    cli.NoArgs,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			return RunList(cmd, dockerCli, opts)
+			return RunList(dockerCli, opts)
 		},
 		ValidArgsFunction: completion.NoComplete,
 	}
@@ -34,24 +34,24 @@ func newListCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunList performs a stack list against the specified swarm cluster
-func RunList(cmd *cobra.Command, dockerCli command.Cli, opts options.List) error {
-	stacks := []*formatter.Stack{}
+func RunList(dockerCli command.Cli, opts options.List) error {
 	ss, err := swarm.GetStacks(dockerCli)
 	if err != nil {
 		return err
 	}
+	stacks := make([]*formatter.Stack, 0, len(ss))
 	stacks = append(stacks, ss...)
 	return format(dockerCli, opts, stacks)
 }
 
 func format(dockerCli command.Cli, opts options.List, stacks []*formatter.Stack) error {
-	format := formatter.Format(opts.Format)
-	if format == "" || format == formatter.TableFormatKey {
-		format = formatter.SwarmStackTableFormat
+	fmt := formatter.Format(opts.Format)
+	if fmt == "" || fmt == formatter.TableFormatKey {
+		fmt = formatter.SwarmStackTableFormat
 	}
 	stackCtx := formatter.Context{
 		Output: dockerCli.Out(),
-		Format: format,
+		Format: fmt,
 	}
 	sort.Slice(stacks, func(i, j int) bool {
 		return sortorder.NaturalLess(stacks[i].Name, stacks[j].Name) ||

cli/command/stack/ps.go

@@ -23,7 +23,7 @@ func newPsCommand(dockerCli command.Cli) *cobra.Command {
 			if err := validateStackName(opts.Namespace); err != nil {
 				return err
 			}
-			return RunPs(dockerCli, cmd.Flags(), opts)
+			return swarm.RunPS(dockerCli, opts)
 		},
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			return completeNames(dockerCli)(cmd, args, toComplete)
@@ -38,7 +38,9 @@ func newPsCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-// RunPs performs a stack ps against the specified swarm cluster
-func RunPs(dockerCli command.Cli, flags *pflag.FlagSet, opts options.PS) error {
+// RunPs performs a stack ps against the specified swarm cluster.
+//
+// Deprecated: use [swarm.RunPS] instead.
+func RunPs(dockerCli command.Cli, _ *pflag.FlagSet, opts options.PS) error {
 	return swarm.RunPS(dockerCli, opts)
 }

cli/command/stack/remove.go

@@ -22,7 +22,7 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 			if err := validateStackNames(opts.Namespaces); err != nil {
 				return err
 			}
-			return RunRemove(dockerCli, cmd.Flags(), opts)
+			return swarm.RunRemove(dockerCli, opts)
 		},
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			return completeNames(dockerCli)(cmd, args, toComplete)
@@ -31,7 +31,9 @@ func newRemoveCommand(dockerCli command.Cli) *cobra.Command {
 	return cmd
 }
 
-// RunRemove performs a stack remove against the specified swarm cluster
-func RunRemove(dockerCli command.Cli, flags *pflag.FlagSet, opts options.Remove) error {
+// RunRemove performs a stack remove against the specified swarm cluster.
+//
+// Deprecated: use [swarm.RunRemove] instead.
+func RunRemove(dockerCli command.Cli, _ *pflag.FlagSet, opts options.Remove) error {
 	return swarm.RunRemove(dockerCli, opts)
 }

cli/command/stack/services.go

@@ -30,7 +30,7 @@ func newServicesCommand(dockerCli command.Cli) *cobra.Command {
 			if err := validateStackName(opts.Namespace); err != nil {
 				return err
 			}
-			return RunServices(dockerCli, cmd.Flags(), opts)
+			return RunServices(dockerCli, opts)
 		},
 		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 			return completeNames(dockerCli)(cmd, args, toComplete)
@@ -44,16 +44,18 @@ func newServicesCommand(dockerCli command.Cli) *cobra.Command {
 }
 
 // RunServices performs a stack services against the specified swarm cluster
-func RunServices(dockerCli command.Cli, flags *pflag.FlagSet, opts options.Services) error {
-	services, err := GetServices(dockerCli, flags, opts)
+func RunServices(dockerCli command.Cli, opts options.Services) error {
+	services, err := swarm.GetServices(dockerCli, opts)
 	if err != nil {
 		return err
 	}
 	return formatWrite(dockerCli, services, opts)
 }
 
-// GetServices returns the services for the specified swarm cluster
-func GetServices(dockerCli command.Cli, flags *pflag.FlagSet, opts options.Services) ([]swarmtypes.Service, error) {
+// GetServices returns the services for the specified swarm cluster.
+//
+// Deprecated: use [swarm.GetServices] instead.
+func GetServices(dockerCli command.Cli, _ *pflag.FlagSet, opts options.Services) ([]swarmtypes.Service, error) {
 	return swarm.GetServices(dockerCli, opts)
 }
 

cli/command/stack/swarm/client_test.go

@@ -43,7 +43,7 @@ type fakeClient struct {
 	configRemoveFunc  func(configID string) error
 }
 
-func (cli *fakeClient) ServerVersion(ctx context.Context) (types.Version, error) {
+func (cli *fakeClient) ServerVersion(context.Context) (types.Version, error) {
 	return types.Version{
 		Version:    "docker-dev",
 		APIVersion: api.DefaultVersion,
@@ -54,7 +54,7 @@ func (cli *fakeClient) ClientVersion() string {
 	return cli.version
 }
 
-func (cli *fakeClient) ServiceList(ctx context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
+func (cli *fakeClient) ServiceList(_ context.Context, options types.ServiceListOptions) ([]swarm.Service, error) {
 	if cli.serviceListFunc != nil {
 		return cli.serviceListFunc(options)
 	}
@@ -69,7 +69,7 @@ func (cli *fakeClient) ServiceList(ctx context.Context, options types.ServiceLis
 	return servicesList, nil
 }
 
-func (cli *fakeClient) NetworkList(ctx context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
+func (cli *fakeClient) NetworkList(_ context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
 	if cli.networkListFunc != nil {
 		return cli.networkListFunc(options)
 	}
@@ -84,7 +84,7 @@ func (cli *fakeClient) NetworkList(ctx context.Context, options types.NetworkLis
 	return networksList, nil
 }
 
-func (cli *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+func (cli *fakeClient) SecretList(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 	if cli.secretListFunc != nil {
 		return cli.secretListFunc(options)
 	}
@@ -99,7 +99,7 @@ func (cli *fakeClient) SecretList(ctx context.Context, options types.SecretListO
 	return secretsList, nil
 }
 
-func (cli *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+func (cli *fakeClient) ConfigList(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 	if cli.configListFunc != nil {
 		return cli.configListFunc(options)
 	}
@@ -114,28 +114,28 @@ func (cli *fakeClient) ConfigList(ctx context.Context, options types.ConfigListO
 	return configsList, nil
 }
 
-func (cli *fakeClient) TaskList(ctx context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
+func (cli *fakeClient) TaskList(_ context.Context, options types.TaskListOptions) ([]swarm.Task, error) {
 	if cli.taskListFunc != nil {
 		return cli.taskListFunc(options)
 	}
 	return []swarm.Task{}, nil
 }
 
-func (cli *fakeClient) NodeList(ctx context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
+func (cli *fakeClient) NodeList(_ context.Context, options types.NodeListOptions) ([]swarm.Node, error) {
 	if cli.nodeListFunc != nil {
 		return cli.nodeListFunc(options)
 	}
 	return []swarm.Node{}, nil
 }
 
-func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+func (cli *fakeClient) NodeInspectWithRaw(_ context.Context, ref string) (swarm.Node, []byte, error) {
 	if cli.nodeInspectWithRaw != nil {
 		return cli.nodeInspectWithRaw(ref)
 	}
 	return swarm.Node{}, nil, nil
 }
 
-func (cli *fakeClient) ServiceUpdate(ctx context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
+func (cli *fakeClient) ServiceUpdate(_ context.Context, serviceID string, version swarm.Version, service swarm.ServiceSpec, options types.ServiceUpdateOptions) (types.ServiceUpdateResponse, error) {
 	if cli.serviceUpdateFunc != nil {
 		return cli.serviceUpdateFunc(serviceID, version, service, options)
 	}
@@ -143,7 +143,7 @@ func (cli *fakeClient) ServiceUpdate(ctx context.Context, serviceID string, vers
 	return types.ServiceUpdateResponse{}, nil
 }
 
-func (cli *fakeClient) ServiceRemove(ctx context.Context, serviceID string) error {
+func (cli *fakeClient) ServiceRemove(_ context.Context, serviceID string) error {
 	if cli.serviceRemoveFunc != nil {
 		return cli.serviceRemoveFunc(serviceID)
 	}
@@ -152,7 +152,7 @@ func (cli *fakeClient) ServiceRemove(ctx context.Context, serviceID string) erro
 	return nil
 }
 
-func (cli *fakeClient) NetworkRemove(ctx context.Context, networkID string) error {
+func (cli *fakeClient) NetworkRemove(_ context.Context, networkID string) error {
 	if cli.networkRemoveFunc != nil {
 		return cli.networkRemoveFunc(networkID)
 	}
@@ -161,7 +161,7 @@ func (cli *fakeClient) NetworkRemove(ctx context.Context, networkID string) erro
 	return nil
 }
 
-func (cli *fakeClient) SecretRemove(ctx context.Context, secretID string) error {
+func (cli *fakeClient) SecretRemove(_ context.Context, secretID string) error {
 	if cli.secretRemoveFunc != nil {
 		return cli.secretRemoveFunc(secretID)
 	}
@@ -170,7 +170,7 @@ func (cli *fakeClient) SecretRemove(ctx context.Context, secretID string) error
 	return nil
 }
 
-func (cli *fakeClient) ConfigRemove(ctx context.Context, configID string) error {
+func (cli *fakeClient) ConfigRemove(_ context.Context, configID string) error {
 	if cli.configRemoveFunc != nil {
 		return cli.configRemoveFunc(configID)
 	}

cli/command/swarm/client_test.go

@@ -21,63 +21,63 @@ type fakeClient struct {
 	swarmUnlockFunc       func(req swarm.UnlockRequest) error
 }
 
-func (cli *fakeClient) Info(ctx context.Context) (types.Info, error) {
+func (cli *fakeClient) Info(context.Context) (types.Info, error) {
 	if cli.infoFunc != nil {
 		return cli.infoFunc()
 	}
 	return types.Info{}, nil
 }
 
-func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+func (cli *fakeClient) NodeInspectWithRaw(context.Context, string) (swarm.Node, []byte, error) {
 	if cli.nodeInspectFunc != nil {
 		return cli.nodeInspectFunc()
 	}
 	return swarm.Node{}, []byte{}, nil
 }
 
-func (cli *fakeClient) SwarmInit(ctx context.Context, req swarm.InitRequest) (string, error) {
+func (cli *fakeClient) SwarmInit(context.Context, swarm.InitRequest) (string, error) {
 	if cli.swarmInitFunc != nil {
 		return cli.swarmInitFunc()
 	}
 	return "", nil
 }
 
-func (cli *fakeClient) SwarmInspect(ctx context.Context) (swarm.Swarm, error) {
+func (cli *fakeClient) SwarmInspect(context.Context) (swarm.Swarm, error) {
 	if cli.swarmInspectFunc != nil {
 		return cli.swarmInspectFunc()
 	}
 	return swarm.Swarm{}, nil
 }
 
-func (cli *fakeClient) SwarmGetUnlockKey(ctx context.Context) (types.SwarmUnlockKeyResponse, error) {
+func (cli *fakeClient) SwarmGetUnlockKey(context.Context) (types.SwarmUnlockKeyResponse, error) {
 	if cli.swarmGetUnlockKeyFunc != nil {
 		return cli.swarmGetUnlockKeyFunc()
 	}
 	return types.SwarmUnlockKeyResponse{}, nil
 }
 
-func (cli *fakeClient) SwarmJoin(ctx context.Context, req swarm.JoinRequest) error {
+func (cli *fakeClient) SwarmJoin(context.Context, swarm.JoinRequest) error {
 	if cli.swarmJoinFunc != nil {
 		return cli.swarmJoinFunc()
 	}
 	return nil
 }
 
-func (cli *fakeClient) SwarmLeave(ctx context.Context, force bool) error {
+func (cli *fakeClient) SwarmLeave(context.Context, bool) error {
 	if cli.swarmLeaveFunc != nil {
 		return cli.swarmLeaveFunc()
 	}
 	return nil
 }
 
-func (cli *fakeClient) SwarmUpdate(ctx context.Context, version swarm.Version, swarm swarm.Spec, flags swarm.UpdateFlags) error {
+func (cli *fakeClient) SwarmUpdate(_ context.Context, _ swarm.Version, swarm swarm.Spec, flags swarm.UpdateFlags) error {
 	if cli.swarmUpdateFunc != nil {
 		return cli.swarmUpdateFunc(swarm, flags)
 	}
 	return nil
 }
 
-func (cli *fakeClient) SwarmUnlock(ctx context.Context, req swarm.UnlockRequest) error {
+func (cli *fakeClient) SwarmUnlock(_ context.Context, req swarm.UnlockRequest) error {
 	if cli.swarmUnlockFunc != nil {
 		return cli.swarmUnlockFunc(req)
 	}

cli/command/swarm/ipnet_slice_test.go

@@ -10,7 +10,7 @@ import (
 )
 
 // Helper function to set static slices
-func getCIDR(ip net.IP, cidr *net.IPNet, err error) net.IPNet {
+func getCIDR(_ net.IP, cidr *net.IPNet, _ error) net.IPNet {
 	return *cidr
 }
 

cli/command/system/info.go

@@ -12,7 +12,9 @@ import (
 	pluginmanager "github.com/docker/cli/cli-plugins/manager"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/debug"
+	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/templates"
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/swarm"
@@ -62,10 +64,7 @@ func NewInfoCommand(dockerCli command.Cli) *cobra.Command {
 		ValidArgsFunction: completion.NoComplete,
 	}
 
-	flags := cmd.Flags()
-
-	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
-
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", flagsHelper.InspectFormatHelp)
 	return cmd
 }
 
@@ -507,6 +506,10 @@ func printServerWarningsLegacy(dockerCli command.Cli, info types.Info) {
 }
 
 func formatInfo(dockerCli command.Cli, info info, format string) error {
+	if format == formatter.JSONFormatKey {
+		format = formatter.JSONFormat
+	}
+
 	// Ensure slice/array fields render as `[]` not `null`
 	if info.ClientInfo != nil && info.ClientInfo.Plugins == nil {
 		info.ClientInfo.Plugins = make([]pluginmanager.Plugin, 0)

cli/command/system/info_test.go

@@ -396,6 +396,11 @@ func TestPrettyPrintInfo(t *testing.T) {
 				assert.NilError(t, formatInfo(cli, tc.dockerInfo, "{{json .}}"))
 				golden.Assert(t, cli.OutBuffer().String(), tc.jsonGolden+".json.golden")
 				assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+
+				cli = test.NewFakeCli(&fakeClient{})
+				assert.NilError(t, formatInfo(cli, tc.dockerInfo, "json"))
+				golden.Assert(t, cli.OutBuffer().String(), tc.jsonGolden+".json.golden")
+				assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
 			}
 		})
 	}

cli/command/system/testdata/docker-client-version.json.golden

@@ -0,0 +1 @@
+{"Client":{"Platform":{"Name":""},"Version":"18.99.5-ce","ApiVersion":"1.38","DefaultAPIVersion":"1.38","GitCommit":"deadbeef","GoVersion":"go1.10.2","Os":"linux","Arch":"amd64","BuildTime":"Wed May 30 22:21:05 2018","Context":"my-context"},"Server":{"Platform":{"Name":"Docker Enterprise Edition (EE) 2.0"},"Components":[{"Name":"Engine","Version":"17.06.2-ee-15","Details":{"ApiVersion":"1.30","Arch":"amd64","BuildTime":"Mon Jul  9 23:38:38 2018","Experimental":"false","GitCommit":"64ddfa6","GoVersion":"go1.8.7","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"Universal Control Plane","Version":"17.06.2-ee-15","Details":{"ApiVersion":"1.30","Arch":"amd64","BuildTime":"Mon Jul  2 21:24:07 UTC 2018","GitCommit":"4513922","GoVersion":"go1.9.4","MinApiVersion":"1.20","Os":"linux","Version":"3.0.3-tp2"}},{"Name":"Kubernetes","Version":"1.8+","Details":{"buildDate":"2018-04-26T16:51:21Z","compiler":"gc","gitCommit":"8d637aedf46b9c21dde723e29c645b9f27106fa5","gitTreeState":"clean","gitVersion":"v1.8.11-docker-8d637ae","goVersion":"go1.8.3","major":"1","minor":"8+","platform":"linux/amd64"}},{"Name":"Calico","Version":"v3.0.8","Details":{"cni":"v2.0.6","kube-controllers":"v2.0.5","node":"v3.0.8"}}],"Version":"","ApiVersion":"","GitCommit":"","GoVersion":"","Os":"","Arch":""}}

cli/command/system/version.go

@@ -11,7 +11,9 @@ import (
 	"github.com/docker/cli/cli"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
+	"github.com/docker/cli/cli/command/formatter"
 	"github.com/docker/cli/cli/command/formatter/tabwriter"
+	flagsHelper "github.com/docker/cli/cli/flags"
 	"github.com/docker/cli/cli/version"
 	"github.com/docker/cli/templates"
 	"github.com/docker/docker/api/types"
@@ -20,7 +22,7 @@ import (
 	"github.com/tonistiigi/go-rosetta"
 )
 
-var versionTemplate = `{{with .Client -}}
+const defaultVersionTemplate = `{{with .Client -}}
 Client:{{if ne .Platform.Name ""}} {{.Platform.Name}}{{end}}
  Version:	{{.Version}}
  API version:	{{.APIVersion}}{{if ne .APIVersion .DefaultAPIVersion}} (downgraded from {{.DefaultAPIVersion}}){{end}}
@@ -101,9 +103,7 @@ func NewVersionCommand(dockerCli command.Cli) *cobra.Command {
 		ValidArgsFunction: completion.NoComplete,
 	}
 
-	flags := cmd.Flags()
-	flags.StringVarP(&opts.format, "format", "f", "", "Format the output using the given Go template")
-
+	cmd.Flags().StringVarP(&opts.format, "format", "f", "", flagsHelper.InspectFormatHelp)
 	return cmd
 }
 
@@ -194,8 +194,11 @@ func prettyPrintVersion(dockerCli command.Cli, vd versionInfo, tmpl *template.Te
 }
 
 func newVersionTemplate(templateFormat string) (*template.Template, error) {
-	if templateFormat == "" {
-		templateFormat = versionTemplate
+	switch templateFormat {
+	case "":
+		templateFormat = defaultVersionTemplate
+	case formatter.JSONFormatKey:
+		templateFormat = formatter.JSONFormat
 	}
 	tmpl := templates.New("version").Funcs(template.FuncMap{"getDetailsOrder": getDetailsOrder})
 	tmpl, err := tmpl.Parse(templateFormat)

cli/command/system/version_test.go

@@ -6,12 +6,11 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/docker/cli/internal/test"
+	"github.com/docker/docker/api/types"
 	"gotest.tools/v3/assert"
 	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
-
-	"github.com/docker/cli/internal/test"
-	"github.com/docker/docker/api/types"
 )
 
 func TestVersionWithoutServer(t *testing.T) {
@@ -30,7 +29,7 @@ func TestVersionWithoutServer(t *testing.T) {
 	assert.Assert(t, !strings.Contains(out, "Server:"), "actual: %s", out)
 }
 
-func TestVersionAlign(t *testing.T) {
+func TestVersionFormat(t *testing.T) {
 	vi := versionInfo{
 		Client: clientVersion{
 			Version:           "18.99.5-ce",
@@ -104,10 +103,28 @@ func TestVersionAlign(t *testing.T) {
 		},
 	})
 
-	cli := test.NewFakeCli(&fakeClient{})
-	tmpl, err := newVersionTemplate("")
-	assert.NilError(t, err)
-	assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
-	assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.golden"))
-	assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	t.Run("default", func(t *testing.T) {
+		cli := test.NewFakeCli(&fakeClient{})
+		tmpl, err := newVersionTemplate("")
+		assert.NilError(t, err)
+		assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
+		assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.golden"))
+		assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	})
+	t.Run("json", func(t *testing.T) {
+		cli := test.NewFakeCli(&fakeClient{})
+		tmpl, err := newVersionTemplate("json")
+		assert.NilError(t, err)
+		assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
+		assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.json.golden"))
+		assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	})
+	t.Run("json template", func(t *testing.T) {
+		cli := test.NewFakeCli(&fakeClient{})
+		tmpl, err := newVersionTemplate("{{json .}}")
+		assert.NilError(t, err)
+		assert.NilError(t, prettyPrintVersion(cli, vi, tmpl))
+		assert.Check(t, golden.String(cli.OutBuffer().String(), "docker-client-version.json.golden"))
+		assert.Check(t, is.Equal("", cli.ErrBuffer().String()))
+	})
 }

cli/command/task/client_test.go

@@ -14,14 +14,14 @@ type fakeClient struct {
 	serviceInspectWithRaw func(ref string, options types.ServiceInspectOptions) (swarm.Service, []byte, error)
 }
 
-func (cli *fakeClient) NodeInspectWithRaw(ctx context.Context, ref string) (swarm.Node, []byte, error) {
+func (cli *fakeClient) NodeInspectWithRaw(_ context.Context, ref string) (swarm.Node, []byte, error) {
 	if cli.nodeInspectWithRaw != nil {
 		return cli.nodeInspectWithRaw(ref)
 	}
 	return swarm.Node{}, nil, nil
 }
 
-func (cli *fakeClient) ServiceInspectWithRaw(ctx context.Context, ref string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
+func (cli *fakeClient) ServiceInspectWithRaw(_ context.Context, ref string, options types.ServiceInspectOptions) (swarm.Service, []byte, error) {
 	if cli.serviceInspectWithRaw != nil {
 		return cli.serviceInspectWithRaw(ref, options)
 	}

cli/command/trust/inspect_pretty_test.go

@@ -27,15 +27,15 @@ type fakeClient struct {
 	apiclient.Client
 }
 
-func (c *fakeClient) Info(ctx context.Context) (types.Info, error) {
+func (c *fakeClient) Info(context.Context) (types.Info, error) {
 	return types.Info{}, nil
 }
 
-func (c *fakeClient) ImageInspectWithRaw(ctx context.Context, imageID string) (types.ImageInspect, []byte, error) {
+func (c *fakeClient) ImageInspectWithRaw(context.Context, string) (types.ImageInspect, []byte, error) {
 	return types.ImageInspect{}, []byte{}, nil
 }
 
-func (c *fakeClient) ImagePush(ctx context.Context, image string, options types.ImagePushOptions) (io.ReadCloser, error) {
+func (c *fakeClient) ImagePush(context.Context, string, types.ImagePushOptions) (io.ReadCloser, error) {
 	return &utils.NoopCloser{Reader: bytes.NewBuffer([]byte{})}, nil
 }
 

cli/command/volume/create_test.go

@@ -50,6 +50,7 @@ func TestVolumeCreateErrors(t *testing.T) {
 			cmd.Flags().Set(key, value)
 		}
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }

cli/command/volume/inspect_test.go

@@ -62,6 +62,7 @@ func TestVolumeInspectErrors(t *testing.T) {
 			cmd.Flags().Set(key, value)
 		}
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }

cli/command/volume/list_test.go

@@ -43,6 +43,7 @@ func TestVolumeListErrors(t *testing.T) {
 			cmd.Flags().Set(key, value)
 		}
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }

cli/command/volume/prune.go

@@ -8,11 +8,15 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/command/completion"
 	"github.com/docker/cli/opts"
+	"github.com/docker/docker/api/types/versions"
+	"github.com/docker/docker/errdefs"
 	units "github.com/docker/go-units"
+	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 )
 
 type pruneOptions struct {
+	all    bool
 	force  bool
 	filter opts.FilterOpt
 }
@@ -41,18 +45,37 @@ func NewPruneCommand(dockerCli command.Cli) *cobra.Command {
 	}
 
 	flags := cmd.Flags()
+	flags.BoolVarP(&options.all, "all", "a", false, "Remove all unused volumes, not just anonymous ones")
+	flags.SetAnnotation("all", "version", []string{"1.42"})
 	flags.BoolVarP(&options.force, "force", "f", false, "Do not prompt for confirmation")
 	flags.Var(&options.filter, "filter", `Provide filter values (e.g. "label=<label>")`)
 
 	return cmd
 }
 
-const warning = `WARNING! This will remove all local volumes not used by at least one container.
+const (
+	unusedVolumesWarning = `WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue?`
+	allVolumesWarning = `WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue?`
+)
 
 func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint64, output string, err error) {
 	pruneFilters := command.PruneFilters(dockerCli, options.filter.Value())
 
+	warning := unusedVolumesWarning
+	if versions.GreaterThanOrEqualTo(dockerCli.CurrentVersion(), "1.42") {
+		if options.all {
+			if pruneFilters.Contains("all") {
+				return 0, "", errdefs.InvalidParameter(errors.New("conflicting options: cannot specify both --all and --filter all=1"))
+			}
+			pruneFilters.Add("all", "true")
+			warning = allVolumesWarning
+		}
+	} else {
+		// API < v1.42 removes all volumes (anonymous and named) by default.
+		warning = allVolumesWarning
+	}
 	if !options.force && !command.PromptForConfirmation(dockerCli.In(), dockerCli.Out(), warning) {
 		return 0, "", nil
 	}
@@ -75,6 +98,6 @@ func runPrune(dockerCli command.Cli, options pruneOptions) (spaceReclaimed uint6
 
 // RunPrune calls the Volume Prune API
 // This returns the amount of space reclaimed and a detailed output string
-func RunPrune(dockerCli command.Cli, all bool, filter opts.FilterOpt) (uint64, string, error) {
+func RunPrune(dockerCli command.Cli, _ bool, filter opts.FilterOpt) (uint64, string, error) {
 	return runPrune(dockerCli, pruneOptions{force: true, filter: filter})
 }

cli/command/volume/prune_test.go

@@ -13,22 +13,26 @@ import (
 	"github.com/docker/docker/api/types/filters"
 	"github.com/pkg/errors"
 	"gotest.tools/v3/assert"
+	is "gotest.tools/v3/assert/cmp"
 	"gotest.tools/v3/golden"
 	"gotest.tools/v3/skip"
 )
 
 func TestVolumePruneErrors(t *testing.T) {
 	testCases := []struct {
+		name            string
 		args            []string
 		flags           map[string]string
 		volumePruneFunc func(args filters.Args) (types.VolumesPruneReport, error)
 		expectedError   string
 	}{
 		{
+			name:          "accepts no arguments",
 			args:          []string{"foo"},
 			expectedError: "accepts no argument",
 		},
 		{
+			name: "forced but other error",
 			flags: map[string]string{
 				"force": "true",
 			},
@@ -37,19 +41,75 @@ func TestVolumePruneErrors(t *testing.T) {
 			},
 			expectedError: "error pruning volumes",
 		},
+		{
+			name: "conflicting options",
+			flags: map[string]string{
+				"all":    "true",
+				"filter": "all=1",
+			},
+			expectedError: "conflicting options: cannot specify both --all and --filter all=1",
+		},
 	}
 	for _, tc := range testCases {
-		cmd := NewPruneCommand(
-			test.NewFakeCli(&fakeClient{
-				volumePruneFunc: tc.volumePruneFunc,
-			}),
-		)
-		cmd.SetArgs(tc.args)
-		for key, value := range tc.flags {
-			cmd.Flags().Set(key, value)
-		}
-		cmd.SetOut(io.Discard)
-		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			cmd := NewPruneCommand(
+				test.NewFakeCli(&fakeClient{
+					volumePruneFunc: tc.volumePruneFunc,
+				}),
+			)
+			cmd.SetArgs(tc.args)
+			for key, value := range tc.flags {
+				cmd.Flags().Set(key, value)
+			}
+			cmd.SetOut(io.Discard)
+			cmd.SetErr(io.Discard)
+			assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
+		})
+	}
+}
+
+func TestVolumePruneSuccess(t *testing.T) {
+	testCases := []struct {
+		name            string
+		args            []string
+		volumePruneFunc func(args filters.Args) (types.VolumesPruneReport, error)
+	}{
+		{
+			name: "all",
+			args: []string{"--all"},
+			volumePruneFunc: func(pruneFilter filters.Args) (types.VolumesPruneReport, error) {
+				assert.Check(t, is.Equal([]string{"true"}, pruneFilter.Get("all")))
+				return types.VolumesPruneReport{}, nil
+			},
+		},
+		{
+			name: "all-forced",
+			args: []string{"--all", "--force"},
+			volumePruneFunc: func(pruneFilter filters.Args) (types.VolumesPruneReport, error) {
+				return types.VolumesPruneReport{}, nil
+			},
+		},
+		{
+			name: "label-filter",
+			args: []string{"--filter", "label=foobar"},
+			volumePruneFunc: func(pruneFilter filters.Args) (types.VolumesPruneReport, error) {
+				assert.Check(t, is.Equal([]string{"foobar"}, pruneFilter.Get("label")))
+				return types.VolumesPruneReport{}, nil
+			},
+		},
+	}
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			cli := test.NewFakeCli(&fakeClient{volumePruneFunc: tc.volumePruneFunc})
+			cmd := NewPruneCommand(cli)
+			cmd.SetOut(io.Discard)
+			cmd.SetArgs(tc.args)
+			err := cmd.Execute()
+			assert.NilError(t, err)
+			golden.Assert(t, cli.OutBuffer().String(), fmt.Sprintf("volume-prune-success.%s.golden", tc.name))
+		})
 	}
 }
 
@@ -109,7 +169,7 @@ func TestVolumePrunePromptNo(t *testing.T) {
 	}
 }
 
-func simplePruneFunc(args filters.Args) (types.VolumesPruneReport, error) {
+func simplePruneFunc(filters.Args) (types.VolumesPruneReport, error) {
 	return types.VolumesPruneReport{
 		VolumesDeleted: []string{
 			"foo", "bar", "baz",

cli/command/volume/remove_test.go

@@ -33,6 +33,7 @@ func TestVolumeRemoveErrors(t *testing.T) {
 			}))
 		cmd.SetArgs(tc.args)
 		cmd.SetOut(io.Discard)
+		cmd.SetErr(io.Discard)
 		assert.ErrorContains(t, cmd.Execute(), tc.expectedError)
 	}
 }

cli/command/volume/testdata/volume-prune-no.golden

@@ -1,2 +1,2 @@
-WARNING! This will remove all local volumes not used by at least one container.
+WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue? [y/N] Total reclaimed space: 0B

cli/command/volume/testdata/volume-prune-success.all-forced.golden

@@ -0,0 +1 @@
+Total reclaimed space: 0B

cli/command/volume/testdata/volume-prune-success.all.golden

@@ -0,0 +1,2 @@
+WARNING! This will remove all local volumes not used by at least one container.
+Are you sure you want to continue? [y/N] Total reclaimed space: 0B

cli/command/volume/testdata/volume-prune-success.label-filter.golden

@@ -0,0 +1,2 @@
+WARNING! This will remove anonymous local volumes not used by at least one container.
+Are you sure you want to continue? [y/N] Total reclaimed space: 0B

cli/command/volume/testdata/volume-prune-yes.golden

@@ -1,4 +1,4 @@
-WARNING! This will remove all local volumes not used by at least one container.
+WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue? [y/N] Deleted Volumes:
 foo
 bar

cli/compose/convert/service_test.go

@@ -596,14 +596,14 @@ type fakeClient struct {
 	configListFunc func(types.ConfigListOptions) ([]swarm.Config, error)
 }
 
-func (c *fakeClient) SecretList(ctx context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
+func (c *fakeClient) SecretList(_ context.Context, options types.SecretListOptions) ([]swarm.Secret, error) {
 	if c.secretListFunc != nil {
 		return c.secretListFunc(options)
 	}
 	return []swarm.Secret{}, nil
 }
 
-func (c *fakeClient) ConfigList(ctx context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
+func (c *fakeClient) ConfigList(_ context.Context, options types.ConfigListOptions) ([]swarm.Config, error) {
 	if c.configListFunc != nil {
 		return c.configListFunc(options)
 	}

cli/compose/schema/schema.go

@@ -17,7 +17,7 @@ const (
 
 type portsFormatChecker struct{}
 
-func (checker portsFormatChecker) IsFormat(input interface{}) bool {
+func (checker portsFormatChecker) IsFormat(_ interface{}) bool {
 	// TODO: implement this
 	return true
 }

cli/config/configfile/file.go

@@ -95,6 +95,9 @@ func (configFile *ConfigFile) ContainsAuth() bool {
 
 // GetAuthConfigs returns the mapping of repo to auth configuration
 func (configFile *ConfigFile) GetAuthConfigs() map[string]types.AuthConfig {
+	if configFile.AuthConfigs == nil {
+		configFile.AuthConfigs = make(map[string]types.AuthConfig)
+	}
 	return configFile.AuthConfigs
 }
 

cli/config/configfile/file_test.go

@@ -186,7 +186,7 @@ func (c *mockNativeStore) GetAll() (map[string]types.AuthConfig, error) {
 	return c.authConfigs, nil
 }
 
-func (c *mockNativeStore) Store(authConfig types.AuthConfig) error {
+func (c *mockNativeStore) Store(_ types.AuthConfig) error {
 	return nil
 }
 

cli/config/credentials/file_store.go

@@ -52,7 +52,8 @@ func (c *fileStore) GetAll() (map[string]types.AuthConfig, error) {
 
 // Store saves the given credentials in the file store.
 func (c *fileStore) Store(authConfig types.AuthConfig) error {
-	c.file.GetAuthConfigs()[authConfig.ServerAddress] = authConfig
+	authConfigs := c.file.GetAuthConfigs()
+	authConfigs[authConfig.ServerAddress] = authConfig
 	return c.file.Save()
 }
 

cli/connhelper/commandconn/commandconn.go

@@ -32,7 +32,7 @@ import (
 )
 
 // New returns net.Conn
-func New(ctx context.Context, cmd string, args ...string) (net.Conn, error) {
+func New(_ context.Context, cmd string, args ...string) (net.Conn, error) {
 	var (
 		c   commandConn
 		err error

cli/flags/options.go

@@ -83,7 +83,7 @@ func (o *ClientOptions) InstallFlags(flags *pflag.FlagSet) {
 
 	// opts.ValidateHost is not used here, so as to allow connection helpers
 	hostOpt := opts.NewNamedListOptsRef("hosts", &o.Hosts, nil)
-	flags.VarP(hostOpt, "host", "H", "Daemon socket(s) to connect to")
+	flags.VarP(hostOpt, "host", "H", "Daemon socket to connect to")
 	flags.StringVarP(&o.Context, "context", "c", "",
 		`Name of the context to use to connect to the daemon (overrides `+client.EnvOverrideHost+` env var and default context set with "docker context use")`)
 }

cli/registry/client/client.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	manifesttypes "github.com/docker/cli/cli/manifest/types"
+	"github.com/docker/cli/cli/trust"
 	"github.com/docker/distribution"
 	"github.com/docker/distribution/reference"
 	distributionclient "github.com/docker/distribution/registry/client"
@@ -78,6 +79,7 @@ func (c *client) MountBlob(ctx context.Context, sourceRef reference.Canonical, t
 	if err != nil {
 		return err
 	}
+	repoEndpoint.actions = trust.ActionsPushAndPull
 	repo, err := c.getRepositoryForReference(ctx, targetRef, repoEndpoint)
 	if err != nil {
 		return err
@@ -103,6 +105,7 @@ func (c *client) PutManifest(ctx context.Context, ref reference.Named, manifest
 		return digest.Digest(""), err
 	}
 
+	repoEndpoint.actions = trust.ActionsPushAndPull
 	repo, err := c.getRepositoryForReference(ctx, ref, repoEndpoint)
 	if err != nil {
 		return digest.Digest(""), err
@@ -152,7 +155,9 @@ func (c *client) getHTTPTransportForRepoEndpoint(ctx context.Context, repoEndpoi
 		c.authConfigResolver(ctx, repoEndpoint.info.Index),
 		repoEndpoint.endpoint,
 		repoEndpoint.Name(),
-		c.userAgent)
+		c.userAgent,
+		repoEndpoint.actions,
+	)
 	return httpTransport, errors.Wrap(err, "failed to configure transport")
 }
 

cli/registry/client/endpoint.go

@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"time"
 
+	"github.com/docker/cli/cli/trust"
 	"github.com/docker/distribution/reference"
 	"github.com/docker/distribution/registry/client/auth"
 	"github.com/docker/distribution/registry/client/transport"
@@ -17,6 +18,7 @@ import (
 type repositoryEndpoint struct {
 	info     *registry.RepositoryInfo
 	endpoint registry.APIEndpoint
+	actions  []string
 }
 
 // Name returns the repository name
@@ -74,7 +76,7 @@ func getDefaultEndpointFromRepoInfo(repoInfo *registry.RepositoryInfo) (registry
 }
 
 // getHTTPTransport builds a transport for use in communicating with a registry
-func getHTTPTransport(authConfig authtypes.AuthConfig, endpoint registry.APIEndpoint, repoName string, userAgent string) (http.RoundTripper, error) {
+func getHTTPTransport(authConfig authtypes.AuthConfig, endpoint registry.APIEndpoint, repoName, userAgent string, actions []string) (http.RoundTripper, error) {
 	// get the http transport, this will be used in a client to upload manifest
 	base := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
@@ -98,8 +100,11 @@ func getHTTPTransport(authConfig authtypes.AuthConfig, endpoint registry.APIEndp
 		passThruTokenHandler := &existingTokenHandler{token: authConfig.RegistryToken}
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, passThruTokenHandler))
 	} else {
+		if len(actions) == 0 {
+			actions = trust.ActionsPullOnly
+		}
 		creds := registry.NewStaticCredentialStore(&authConfig)
-		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, "push", "pull")
+		tokenHandler := auth.NewTokenHandler(authTransport, creds, repoName, actions...)
 		basicHandler := auth.NewBasicHandler(creds)
 		modifiers = append(modifiers, auth.NewAuthorizer(challengeManager, tokenHandler, basicHandler))
 	}
@@ -120,7 +125,7 @@ type existingTokenHandler struct {
 	token string
 }
 
-func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, params map[string]string) error {
+func (th *existingTokenHandler) AuthorizeRequest(req *http.Request, _ map[string]string) error {
 	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", th.token))
 	return nil
 }

cli/trust/trust.go

@@ -82,16 +82,15 @@ type simpleCredentialStore struct {
 	auth types.AuthConfig
 }
 
-func (scs simpleCredentialStore) Basic(u *url.URL) (string, string) {
+func (scs simpleCredentialStore) Basic(*url.URL) (string, string) {
 	return scs.auth.Username, scs.auth.Password
 }
 
-func (scs simpleCredentialStore) RefreshToken(u *url.URL, service string) string {
+func (scs simpleCredentialStore) RefreshToken(*url.URL, string) string {
 	return scs.auth.IdentityToken
 }
 
-func (scs simpleCredentialStore) SetRefreshToken(*url.URL, string, string) {
-}
+func (scs simpleCredentialStore) SetRefreshToken(*url.URL, string, string) {}
 
 // GetNotaryRepository returns a NotaryRepository which stores all the
 // information needed to operate on a notary repository.

cmd/docker/builder.go

@@ -44,9 +44,9 @@ func processBuilder(dockerCli command.Cli, cmd *cobra.Command, args, osargs []st
 	var buildKitDisabled, useBuilder, useAlias bool
 	var envs []string
 
-	// check DOCKER_BUILDKIT env var is present and
-	// if not assume we want to use the builder component
-	if v, ok := os.LookupEnv("DOCKER_BUILDKIT"); ok {
+	// check DOCKER_BUILDKIT env var is not empty
+	// if it is assume we want to use the builder component
+	if v := os.Getenv("DOCKER_BUILDKIT"); v != "" {
 		enabled, err := strconv.ParseBool(v)
 		if err != nil {
 			return args, osargs, nil, errors.Wrap(err, "DOCKER_BUILDKIT environment variable expects boolean value")

cmd/docker/docker.go

@@ -402,14 +402,22 @@ func areFlagsSupported(cmd *cobra.Command, details versionDetails) error {
 	errs := []string{}
 
 	cmd.Flags().VisitAll(func(f *pflag.Flag) {
-		if !f.Changed {
+		if !f.Changed || len(f.Annotations) == 0 {
 			return
 		}
-		if !isVersionSupported(f, details.CurrentVersion()) {
+		// Important: in the code below, calls to "details.CurrentVersion()" and
+		// "details.ServerInfo()" are deliberately executed inline to make them
+		// be executed "lazily". This is to prevent making a connection with the
+		// daemon to perform a "ping" (even for flags that do not require a
+		// daemon connection).
+		//
+		// See commit b39739123b845f872549e91be184cc583f5b387c for details.
+
+		if _, ok := f.Annotations["version"]; ok && !isVersionSupported(f, details.CurrentVersion()) {
 			errs = append(errs, fmt.Sprintf(`"--%s" requires API version %s, but the Docker daemon API version is %s`, f.Name, getFlagAnnotation(f, "version"), details.CurrentVersion()))
 			return
 		}
-		if !isOSTypeSupported(f, details.ServerInfo().OSType) {
+		if _, ok := f.Annotations["ostype"]; ok && !isOSTypeSupported(f, details.ServerInfo().OSType) {
 			errs = append(errs, fmt.Sprintf(
 				`"--%s" is only supported on a Docker daemon running on %s, but the Docker daemon is running on %s`,
 				f.Name,

contrib/completion/bash/docker

@@ -1142,7 +1142,10 @@ __docker_complete_user_group() {
 	fi
 }
 
-DOCKER_PLUGINS_PATH=$(docker info --format '{{range .ClientInfo.Plugins}}{{.Path}}:{{end}}')
+__docker_plugins_path() {
+	local docker_plugins_path=$(docker info --format '{{range .ClientInfo.Plugins}}{{.Path}}:{{end}}')
+	echo "${docker_plugins_path//:/ }"
+}
 
 __docker_complete_plugin() {
 	local path=$1
@@ -5383,7 +5386,7 @@ _docker_volume_prune() {
 
 	case "$cur" in
 		-*)
-			COMPREPLY=( $( compgen -W "--filter --force -f --help" -- "$cur" ) )
+			COMPREPLY=( $( compgen -W "--all -a --filter --force -f --help" -- "$cur" ) )
 			;;
 	esac
 }
@@ -5503,7 +5506,7 @@ _docker() {
 	# Create completion functions for all registered plugins
 	local known_plugin_commands=()
 	local plugin_name=""
-	for plugin_path in ${DOCKER_PLUGINS_PATH//:/ }; do
+	for plugin_path in $(__docker_plugins_path); do
 		plugin_name=$(basename "$plugin_path" | sed 's/ *$//')
 		plugin_name=${plugin_name#docker-}
 		plugin_name=${plugin_name%%.*}

contrib/completion/zsh/_docker

@@ -2527,6 +2527,8 @@ __docker_volume_subcommand() {
         (prune)
             _arguments $(__docker_arguments) \
                 $opts_help \
+                "($help -a --all)"{-a,--all}"[Remove all unused local volumes, not just anonymous ones]" \
+                "($help)*--filter=[Filter values]:filter:__docker_complete_prune_filters" \
                 "($help -f --force)"{-f,--force}"[Do not prompt for confirmation]" && ret=0
             ;;
         (rm)

docker-bake.hcl

@@ -1,5 +1,5 @@
 variable "GO_VERSION" {
-    default = "1.19.8"
+    default = "1.20.7"
 }
 variable "VERSION" {
     default = ""

dockerfiles/Dockerfile.authors

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG ALPINE_VERSION=3.16
+ARG ALPINE_VERSION=3.17
 
 FROM alpine:${ALPINE_VERSION} AS gen
 RUN apk add --no-cache bash git

dockerfiles/Dockerfile.dev

@@ -1,9 +1,9 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.8
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.20.7
+ARG ALPINE_VERSION=3.17
 
-ARG BUILDX_VERSION=0.10.4
+ARG BUILDX_VERSION=0.11.2
 FROM docker/buildx-bin:${BUILDX_VERSION} AS buildx
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS golang
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
     && gofumpt --version
 
 FROM golang AS gotestsum
-ARG GOTESTSUM_VERSION=v1.8.2
+ARG GOTESTSUM_VERSION=v1.10.0
 RUN --mount=type=cache,target=/root/.cache/go-build \
     --mount=type=cache,target=/go/pkg/mod \
     --mount=type=tmpfs,target=/go/src/ \

dockerfiles/Dockerfile.lint

@@ -1,8 +1,8 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.8
-ARG ALPINE_VERSION=3.16
-ARG GOLANGCI_LINT_VERSION=v1.49.0
+ARG GO_VERSION=1.20.7
+ARG ALPINE_VERSION=3.17
+ARG GOLANGCI_LINT_VERSION=v1.52.2
 
 FROM golangci/golangci-lint:${GOLANGCI_LINT_VERSION}-alpine AS golangci-lint
 

dockerfiles/Dockerfile.vendor

@@ -1,7 +1,7 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.8
-ARG ALPINE_VERSION=3.16
+ARG GO_VERSION=1.20.7
+ARG ALPINE_VERSION=3.17
 ARG MODOUTDATED_VERSION=v0.8.0
 
 FROM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
@@ -9,7 +9,7 @@ RUN apk add --no-cache bash git rsync
 WORKDIR /src
 
 FROM base AS vendored
-ENV GOPROXY=direct
+ENV GOPROXY=https://proxy.golang.org|direct
 RUN --mount=target=/context \
     --mount=target=.,type=tmpfs  \
     --mount=target=/go/pkg/mod,type=cache <<EOT

docs/reference/commandline/cli.md

@@ -92,18 +92,18 @@ The base command for the Docker CLI.
 
 ### Options
 
-| Name                | Type     | Default                  | Description                                                                                                                           |
-|:--------------------|:---------|:-------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|
-| `--config`          | `string` | `/root/.docker`          | Location of client config files                                                                                                       |
-| `-c`, `--context`   | `string` |                          | Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with `docker context use`) |
-| `-D`, `--debug`     |          |                          | Enable debug mode                                                                                                                     |
-| `-H`, `--host`      | `list`   |                          | Daemon socket(s) to connect to                                                                                                        |
-| `-l`, `--log-level` | `string` | `info`                   | Set the logging level (`debug`, `info`, `warn`, `error`, `fatal`)                                                                     |
-| `--tls`             |          |                          | Use TLS; implied by --tlsverify                                                                                                       |
-| `--tlscacert`       | `string` | `/root/.docker/ca.pem`   | Trust certs signed only by this CA                                                                                                    |
-| `--tlscert`         | `string` | `/root/.docker/cert.pem` | Path to TLS certificate file                                                                                                          |
-| `--tlskey`          | `string` | `/root/.docker/key.pem`  | Path to TLS key file                                                                                                                  |
-| `--tlsverify`       |          |                          | Use TLS and verify the remote                                                                                                         |
+| Name                             | Type     | Default                  | Description                                                                                                                           |
+|:---------------------------------|:---------|:-------------------------|:--------------------------------------------------------------------------------------------------------------------------------------|
+| `--config`                       | `string` | `/root/.docker`          | Location of client config files                                                                                                       |
+| `-c`, `--context`                | `string` |                          | Name of the context to use to connect to the daemon (overrides DOCKER_HOST env var and default context set with `docker context use`) |
+| `-D`, `--debug`                  |          |                          | Enable debug mode                                                                                                                     |
+| [`-H`](#host), [`--host`](#host) | `list`   |                          | Daemon socket to connect to                                                                                                           |
+| `-l`, `--log-level`              | `string` | `info`                   | Set the logging level (`debug`, `info`, `warn`, `error`, `fatal`)                                                                     |
+| `--tls`                          |          |                          | Use TLS; implied by --tlsverify                                                                                                       |
+| `--tlscacert`                    | `string` | `/root/.docker/ca.pem`   | Trust certs signed only by this CA                                                                                                    |
+| `--tlscert`                      | `string` | `/root/.docker/cert.pem` | Path to TLS certificate file                                                                                                          |
+| `--tlskey`                       | `string` | `/root/.docker/key.pem`  | Path to TLS key file                                                                                                                  |
+| `--tlsverify`                    |          |                          | Use TLS and verify the remote                                                                                                         |
 
 
 <!---MARKER_GEN_END-->
@@ -378,6 +378,56 @@ list of root Certificate Authorities.
 
 ## Examples
 
+### <a name="host"></a> Specify daemon host (-H, --host)
+
+You can use the `-H`, `--host` flag to specify a socket to use when you invoke
+a `docker` command. You can use the following protocols:
+
+| Scheme                                 | Description               | Example                          |
+|----------------------------------------|---------------------------|----------------------------------|
+| `unix://[<path>]`                      | Unix socket (Linux only)  | `unix:///var/run/docker.sock`    |
+| `tcp://[<IP or host>[:port]]`          | TCP connection            | `tcp://174.17.0.1:2376`          |
+| `ssh://[username@]<IP or host>[:port]` | SSH connection            | `ssh://user@192.168.64.5`        |
+| `npipe://[<name>]`                     | Named pipe (Windows only) | `npipe:////./pipe/docker_engine` |
+
+If you don't specify the `-H` flag, and you're not using a custom
+[context](https://docs.docker.com/engine/context/working-with-contexts),
+commands use the following default sockets:
+
+- `unix:///var/run/docker.sock` on macOS and Linux
+- `npipe:////./pipe/docker_engine` on Windows
+
+To achieve a similar effect without having to specify the `-H` flag for every
+command, you could also [create a context](context_create.md),
+or alternatively, use the
+[`DOCKER_HOST` environment variable](#environment-variables).
+
+For more information about the `-H` flag, see
+[Daemon socket option](dockerd.md#daemon-socket-option).
+
+#### Using TCP sockets
+
+The following example shows how to invoke `docker ps` over TCP, to a remote
+daemon with IP address `174.17.0.1`, listening on port `2376`:
+
+```console
+$ docker -H tcp://174.17.0.1:2376 ps
+```
+
+> **Note**
+>
+> By convention, the Docker daemon uses port `2376` for secure TLS connections,
+> and port `2375` for insecure, non-TLS connections.
+
+#### Using SSH sockets
+
+When you use SSH invoke a command on a remote daemon, the request gets forwarded
+to the `/var/run/docker.sock` Unix socket on the SSH host.
+
+```console
+$ docker -H ssh://user@192.168.64.5 ps
+```
+
 ### Display help text
 
 To list the help on any command just execute the command, followed by the

docs/reference/commandline/dockerd.md

@@ -1251,9 +1251,11 @@ This is a full example of the allowed configuration options on Linux:
   "fixed-cidr-v6": "",
   "group": "",
   "hosts": [],
-  "http-proxy": "http://proxy.example.com:80",
-  "https-proxy": "https://proxy.example.com:443",
-  "no-proxy": "*.test.example.com,.example.org",
+  "proxies": {
+    "http-proxy": "http://proxy.example.com:80",
+    "https-proxy": "https://proxy.example.com:443",
+    "no-proxy": "*.test.example.com,.example.org",
+  },
   "icc": false,
   "init": false,
   "init-path": "/usr/libexec/docker-init",

docs/reference/commandline/info.md

@@ -9,9 +9,9 @@ Display system-wide information
 
 ### Options
 
-| Name                                   | Type     | Default | Description                                   |
-|:---------------------------------------|:---------|:--------|:----------------------------------------------|
-| [`-f`](#format), [`--format`](#format) | `string` |         | Format the output using the given Go template |
+| Name                                   | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:---------------------------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`-f`](#format), [`--format`](#format) | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
 
 
 <!---MARKER_GEN_END-->

docs/reference/commandline/run.md

@@ -91,7 +91,7 @@ Create and run a new container from an image
 | `-P`, `--publish-all`                         |               |           | Publish all exposed ports to random ports                                                                                                                                                                                                                                                                        |
 | [`--pull`](#pull)                             | `string`      | `missing` | Pull image before running (`always`, `missing`, `never`)                                                                                                                                                                                                                                                         |
 | `-q`, `--quiet`                               |               |           | Suppress the pull output                                                                                                                                                                                                                                                                                         |
-| `--read-only`                                 |               |           | Mount the container's root filesystem as read only                                                                                                                                                                                                                                                               |
+| [`--read-only`](#read-only)                   |               |           | Mount the container's root filesystem as read only                                                                                                                                                                                                                                                               |
 | [`--restart`](#restart)                       | `string`      | `no`      | Restart policy to apply when a container exits                                                                                                                                                                                                                                                                   |
 | `--rm`                                        |               |           | Automatically remove the container when it exits                                                                                                                                                                                                                                                                 |
 | `--runtime`                                   | `string`      |           | Runtime to use for this container                                                                                                                                                                                                                                                                                |
@@ -118,14 +118,11 @@ Create and run a new container from an image
 
 ## Description
 
-The `docker run` command first `creates` a writeable container layer over the
-specified image, and then `starts` it using the specified command. That is,
-`docker run` is equivalent to the API `/containers/create` then
-`/containers/(id)/start`. A stopped container can be restarted with all its
-previous changes intact using `docker start`. See `docker ps -a` to view a list
-of all containers.
+The `docker run` command runs a command in a new container, pulling the image if needed and starting the container.
+
+You can restart a stopped container with all its previous changes intact using `docker start`.
+Use `docker ps -a` to view a list of all containers, including those that are stopped.
 
-For information on connecting a container to a network, see the ["*Docker network overview*"](https://docs.docker.com/network/).
 
 ## Examples
 
@@ -144,9 +141,9 @@ d6c0fe130dba        debian:7            "/bin/bash"         26 seconds ago
 This example runs a container named `test` using the `debian:latest`
 image. The `-it` instructs Docker to allocate a pseudo-TTY connected to
 the container's stdin; creating an interactive `bash` shell in the container.
-In the example, the `bash` shell is quit by entering
-`exit 13`. This exit code is passed on to the caller of
-`docker run`, and is recorded in the `test` container's metadata.
+The example quits the `bash` shell by entering
+`exit 13`, passing the exit code on to the caller of
+`docker run`, and recording it in the `test` container's metadata.
 
 ### <a name="cidfile"></a> Capture container ID (--cidfile)
 
@@ -154,9 +151,9 @@ In the example, the `bash` shell is quit by entering
 $ docker run --cidfile /tmp/docker_test.cid ubuntu echo "test"
 ```
 
-This will create a container and print `test` to the console. The `cidfile`
+This creates a container and prints `test` to the console. The `cidfile`
 flag makes Docker attempt to create a new file and write the container ID to it.
-If the file exists already, Docker will return an error. Docker will close this
+If the file exists already, Docker returns an error. Docker closes this
 file when `docker run` exits.
 
 ### <a name="privileged"></a> Full container capabilities (--privileged)
@@ -167,9 +164,9 @@ root@bc338942ef20:/# mount -t tmpfs none /mnt
 mount: permission denied
 ```
 
-This will *not* work, because by default, most potentially dangerous kernel
-capabilities are dropped; including `cap_sys_admin` (which is required to mount
-filesystems). However, the `--privileged` flag will allow it to run:
+This *doesn't* work, because by default, Docker drops most potentially dangerous kernel
+capabilities, including `CAP_SYS_ADMIN ` (which is required to mount
+filesystems). However, the `--privileged` flag allows it to run:
 
 ```console
 $ docker run -t -i --privileged ubuntu bash
@@ -190,8 +187,8 @@ flag exists to allow special use-cases, like running Docker within Docker.
 $ docker  run -w /path/to/dir/ -i -t  ubuntu pwd
 ```
 
-The `-w` lets the command being executed inside directory given, here
-`/path/to/dir/`. If the path does not exist it is created inside the container.
+The `-w` option runs the command executed inside the directory specified, in this example,
+`/path/to/dir/`. If the path does not exist, Docker creates it inside the container.
 
 ### <a name="storage-opt"></a> Set storage driver options per container (--storage-opt)
 
@@ -199,14 +196,17 @@ The `-w` lets the command being executed inside directory given, here
 $ docker run -it --storage-opt size=120G fedora /bin/bash
 ```
 
-This (size) will allow to set the container filesystem size to 120G at creation time.
+This (size) constraints the container filesystem size to 120G at creation time.
 This option is only available for the `devicemapper`, `btrfs`, `overlay2`,
-`windowsfilter` and `zfs` graph drivers.
-For the `devicemapper`, `btrfs`, `windowsfilter` and `zfs` graph drivers,
-user cannot pass a size less than the Default BaseFS Size.
+`windowsfilter` and `zfs` storage drivers.
+
 For the `overlay2` storage driver, the size option is only available if the
 backing filesystem is `xfs` and mounted with the `pquota` mount option.
-Under these conditions, user can pass any size less than the backing filesystem size.
+Under these conditions, you can pass any size less than the backing filesystem size.
+
+For the `windowsfilter`, `devicemapper`, `btrfs`, and `zfs` storage drivers,
+you cannot pass a size less than the Default BaseFS Size.
+
 
 ### <a name="tmpfs"></a> Mount tmpfs (--tmpfs)
 
@@ -217,32 +217,41 @@ $ docker run -d --tmpfs /run:rw,noexec,nosuid,size=65536k my_image
 The `--tmpfs` flag mounts an empty tmpfs into the container with the `rw`,
 `noexec`, `nosuid`, `size=65536k` options.
 
-### <a name="volume"></a> Mount volume (-v, --read-only)
+### <a name="volume"></a> Mount volume (-v)
 
 ```console
-$ docker  run  -v `pwd`:`pwd` -w `pwd` -i -t  ubuntu pwd
+$ docker  run  -v $(pwd):$(pwd) -w $(pwd) -i -t  ubuntu pwd
 ```
 
-The `-v` flag mounts the current working directory into the container. The `-w`
-lets the command being executed inside the current working directory, by
-changing into the directory to the value returned by `pwd`. So this
-combination executes the command using the container, but inside the
-current working directory.
+The example above mounts the current directory into the container at the same path
+using the `-v` flag, sets it as the working directory, and then runs the `pwd` command inside the container.
+
+As of Docker Engine version 23, you can use relative paths on the host.
+
+```console
+$ docker  run  -v ./content:/content -w /content -i -t  ubuntu pwd
+```
+
+The example above mounts the `content` directory in the current directory into the container at the
+`/content` path using the `-v` flag, sets it as the working directory, and then
+runs the `pwd` command inside the container.
 
 ```console
 $ docker run -v /doesnt/exist:/foo -w /foo -i -t ubuntu bash
 ```
 
 When the host directory of a bind-mounted volume doesn't exist, Docker
-will automatically create this directory on the host for you. In the
-example above, Docker will create the `/doesnt/exist`
+automatically creates this directory on the host for you. In the
+example above, Docker creates the `/doesnt/exist`
 folder before starting your container.
 
+### <a name="read-only"></a> Mount volume read-only (--read-only)
+
 ```console
 $ docker run --read-only -v /icanwrite busybox touch /icanwrite/here
 ```
 
-Volumes can be used in combination with `--read-only` to control where
+You can use volumes in combination with the `--read-only` flag to control where
 a container writes files. The `--read-only` flag mounts the container's root
 filesystem as read only prohibiting writes to locations other than the
 specified volumes for the container.
@@ -256,7 +265,7 @@ binary (refer to [get the Linux binary](https://docs.docker.com/engine/install/b
 you give the container the full access to create and manipulate the host's
 Docker daemon.
 
-On Windows, the paths must be specified using Windows-style semantics.
+On Windows, you must specify the paths using Windows-style path semantics.
 
 ```powershell
 PS C:\> docker run -v c:\foo:c:\dest microsoft/nanoserver cmd /s /c type c:\dest\somefile.txt
@@ -266,9 +275,9 @@ PS C:\> docker run -v c:\foo:d: microsoft/nanoserver cmd /s /c type d:\somefile.
 Contents of file
 ```
 
-The following examples will fail when using Windows-based containers, as the
+The following examples fails when using Windows-based containers, as the
 destination of a volume or bind mount inside the container must be one of:
-a non-existing or empty directory; or a drive other than C:. Further, the source
+a non-existing or empty directory; or a drive other than `C:`. Further, the source
 of a bind mount must be a local directory, not a file.
 
 ```powershell
@@ -282,13 +291,12 @@ docker run -v c:\foo:c:\existing-directory-with-contents ...
 
 For in-depth information about volumes, refer to [manage data in containers](https://docs.docker.com/storage/volumes/)
 
-
 ### <a name="mount"></a> Add bind mounts or volumes using the --mount flag
 
-The `--mount` flag allows you to mount volumes, host-directories and `tmpfs`
+The `--mount` flag allows you to mount volumes, host-directories, and `tmpfs`
 mounts in a container.
 
-The `--mount` flag supports most options that are supported by the `-v` or the
+The `--mount` flag supports most options supported by the `-v` or the
 `--volume` flag, but uses a different syntax. For in-depth information on the
 `--mount` flag, and a comparison between `--volume` and `--mount`, refer to
 [Bind mounts](https://docs.docker.com/storage/bind-mounts/).
@@ -314,10 +322,10 @@ $ docker run -p 127.0.0.1:80:8080/tcp ubuntu bash
 This binds port `8080` of the container to TCP port `80` on `127.0.0.1` of the host
 machine. You can also specify `udp` and `sctp` ports.
 The [Docker User Guide](https://docs.docker.com/network/links/)
-explains in detail how to manipulate ports in Docker.
+explains in detail how to use ports in Docker.
 
 Note that ports which are not bound to the host (i.e., `-p 80:80` instead of
-`-p 127.0.0.1:80:80`) will be accessible from the outside. This also applies if
+`-p 127.0.0.1:80:80`) are externally accessible. This also applies if
 you configured UFW to block this specific port, as Docker manages its
 own iptables rules. [Read more](https://docs.docker.com/network/iptables/)
 
@@ -345,7 +353,7 @@ When creating (and running) a container from an image, the daemon checks if the
 image exists in the local image cache. If the image is missing, an error is
 returned to the CLI, allowing it to initiate a pull.
 
-The default (`missing`) is to only pull the image if it is not present in the
+The default (`missing`) is to only pull the image if it's not present in the
 daemon's image cache. This default allows you to run images that only exist
 locally (for example, images you built from a Dockerfile, but that have not
 been pushed to a registry), and reduces networking.
@@ -378,7 +386,7 @@ $ docker run -e MYVAR1 --env MYVAR2=foo --env-file ./env.list ubuntu bash
 
 Use the `-e`, `--env`, and `--env-file` flags to set simple (non-array)
 environment variables in the container you're running, or overwrite variables
-that are defined in the Dockerfile of the image you're running.
+defined in the Dockerfile of the image you're running.
 
 You can define the variable and its value when running the container:
 
@@ -388,7 +396,7 @@ VAR1=value1
 VAR2=value2
 ```
 
-You can also use variables that you've exported to your local environment:
+You can also use variables exported to your local environment:
 
 ```console
 export VAR1=value1
@@ -402,7 +410,7 @@ VAR2=value2
 When running the command, the Docker CLI client checks the value the variable
 has in your local environment and passes it to the container.
 If no `=` is provided and that variable is not exported in your local
-environment, the variable won't be set in the container.
+environment, the variable isn't set in the container.
 
 You can also load the environment variables from a file. This file should use
 the syntax `<variable>=value` (which sets the variable to the given value) or
@@ -446,7 +454,7 @@ $ docker run --label-file ./labels ubuntu bash
 
 The label-file format is similar to the format for loading environment
 variables. (Unlike environment variables, labels are not visible to processes
-running inside a container.) The following example illustrates a label-file
+running inside a container.) The following example shows a label-file
 format:
 
 ```console
@@ -465,8 +473,9 @@ the Docker User Guide.
 
 ### <a name="network"></a> Connect a container to a network (--network)
 
-When you start a container use the `--network` flag to connect it to a network.
-The following commands create a network named `my-net`, and adds a `busybox` container
+To start a container and connect it to a network, use the `--network` option.
+
+The following commands create a network named `my-net` and adds a `busybox` container
 to the `my-net` network.
 
 ```console
@@ -484,7 +493,7 @@ $ docker run -itd --network=my-net --ip=10.10.9.75 busybox
 If you want to add a running container to a network use the `docker network connect` subcommand.
 
 You can connect multiple containers to the same network. Once connected, the
-containers can communicate easily using only another container's IP address
+containers can communicate using only another container's IP address
 or name. For `overlay` networks or custom plugins that support multi-host
 connectivity, containers connected to the same multi-host network but launched
 from different Engines can also communicate in this way.
@@ -498,6 +507,8 @@ from different Engines can also communicate in this way.
 You can disconnect a container from a network using the `docker network
 disconnect` command.
 
+For more information on connecting a container to a network when using the `run` command, see the ["*Docker network overview*"](https://docs.docker.com/network/).
+
 ### <a name="volumes-from"></a> Mount volumes from container (--volumes-from)
 
 ```console
@@ -505,13 +516,13 @@ $ docker run --volumes-from 777f7dc92da7 --volumes-from ba8c0c54f0f2:ro -i -t ub
 ```
 
 The `--volumes-from` flag mounts all the defined volumes from the referenced
-containers. Containers can be specified by repetitions of the `--volumes-from`
+containers. You can specify more than one container by repetitions of the `--volumes-from`
 argument. The container ID may be optionally suffixed with `:ro` or `:rw` to
 mount the volumes in read-only or read-write mode, respectively. By default,
-the volumes are mounted in the same mode (read write or read only) as
+Docker mounts the volumes in the same mode (read write or read only) as
 the reference container.
 
-Labeling systems like SELinux require that proper labels are placed on volume
+Labeling systems like SELinux require placing proper labels on volume
 content mounted into a container. Without a label, the security system might
 prevent the processes running inside the container from using the content. By
 default, Docker does not change the labels set by the OS.
@@ -541,17 +552,17 @@ only to the container's `STDIN`.
 $ docker run -a stderr ubuntu echo test
 ```
 
-This isn't going to print anything unless there's an error because we've
-only attached to the `STDERR` of the container. The container's logs
-still store what's been written to `STDERR` and `STDOUT`.
+This isn't going to print anything to the console unless there's an error because output
+is only attached to the `STDERR` of the container. The container's logs
+still store what's written to `STDERR` and `STDOUT`.
 
 ```console
 $ cat somefile | docker run -i -a stdin mybuilder dobuild
 ```
 
-This is a way of using `--attach` to pipe a build file into a container.
-The container's ID will be printed after the build is done and the build
-logs could be retrieved using `docker logs`. This is
+This example shows a way of using `--attach` to pipe a file into a container.
+The command prints the container's ID after the build completes and you can retrieve
+the build logs using `docker logs`. This is
 useful if you need to pipe a file or something else into a container and
 retrieve the container's ID once the container has finished running.
 
@@ -571,15 +582,15 @@ brw-rw---- 1 root disk 8, 3 Feb  9 16:05 /dev/sdd
 crw-rw-rw- 1 root root 1, 5 Feb  9 16:05 /dev/foobar
 ```
 
-It is often necessary to directly expose devices to a container. The `--device`
-option enables that. For example, a specific block storage device or loop
-device or audio device can be added to an otherwise unprivileged container
+It's often necessary to directly expose devices to a container. The `--device`
+option enables that. For example, adding a specific block storage device or loop
+device or audio device to an otherwise unprivileged container
 (without the `--privileged` flag) and have the application directly access it.
 
-By default, the container will be able to `read`, `write` and `mknod` these devices.
+By default, the container is able to `read`, `write` and `mknod` these devices.
 This can be overridden using a third `:rwm` set of options to each `--device`
-flag. If the container is running in privileged mode, then the permissions specified
-will be ignored.
+flag. If the container is running in privileged mode, then Docker ignores the
+specified permissions.
 
 ```console
 $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk  /dev/xvdc
@@ -600,8 +611,8 @@ fdisk: unable to open /dev/xvdc: Operation not permitted
 
 > **Note**
 >
-> The `--device` option cannot be safely used with ephemeral devices. Block devices
-> that may be removed should not be added to untrusted containers with `--device`.
+> The `--device` option cannot be safely used with ephemeral devices. You shouldn't 
+> add block devices that may be removed to untrusted containers with `--device`.
 
 For Windows, the format of the string passed to the `--device` option is in
 the form of `--device=<IdType>/<Id>`. Beginning with Windows Server 2019
@@ -612,8 +623,8 @@ Refer to the table defined in the [Windows container
 docs](https://docs.microsoft.com/en-us/virtualization/windowscontainers/deploy-containers/hardware-devices-in-containers)
 for a list of container-supported device interface class GUIDs.
 
-If this option is specified for a process-isolated Windows container, _all_
-devices that implement the requested device interface class GUID are made
+If you specify this option for a process-isolated Windows container, Docker makes
+_all_ devices that implement the requested device interface class GUID
 available in the container. For example, the command below makes all COM
 ports on the host visible in the container.
 
@@ -628,16 +639,16 @@ PS C:\> docker run --device=class/86E0D1E0-8089-11D0-9CE4-08003E301F73 mcr.micro
 
 ### <a name="device-cgroup-rule"></a> Using dynamically created devices (--device-cgroup-rule)
 
-Devices available to a container are assigned at creation time. The
-assigned devices will both be added to the cgroup.allow file and
-created into the container once it is run. This poses a problem when
-a new device needs to be added to running container.
+Docker assigns devices available to a container at creation time. The
+assigned devices are added to the cgroup.allow file and
+created into the container when it runs. This poses a problem when
+you need to add a new device to running container.
 
-One of the solutions is to add a more permissive rule to a container
+One solution is to add a more permissive rule to a container
 allowing it access to a wider range of devices. For example, supposing
-our container needs access to a character device with major `42` and
-any number of minor number (added as new devices appear), the
-following rule would be added:
+the container needs access to a character device with major `42` and
+any number of minor numbers (added as new devices appear), add the
+following rule:
 
 ```console
 $ docker run -d --device-cgroup-rule='c 42:* rmw' -name my-container my-image
@@ -646,18 +657,19 @@ $ docker run -d --device-cgroup-rule='c 42:* rmw' -name my-container my-image
 Then, a user could ask `udev` to execute a script that would `docker exec my-container mknod newDevX c 42 <minor>`
 the required device when it is added.
 
-> **Note**: initially present devices still need to be explicitly added to the
+> **Note**: You still need to explicitly add initially present devices to the
 > `docker run` / `docker create` command.
 
 ### <a name="gpus"></a> Access an NVIDIA GPU
 
 The `--gpus` flag allows you to access NVIDIA GPU resources. First you need to
-install [nvidia-container-runtime](https://nvidia.github.io/nvidia-container-runtime/).
-Visit [Specify a container's resources](https://docs.docker.com/config/containers/resource_constraints/)
+install the [nvidia-container-runtime](https://nvidia.github.io/nvidia-container-runtime/).
+
+Read [Specify a container's resources](https://docs.docker.com/config/containers/resource_constraints/)
 for more information.
 
-To use `--gpus`, specify which GPUs (or all) to use. If no value is provided, all
-available GPUs are used. The example below exposes all available GPUs.
+To use `--gpus`, specify which GPUs (or all) to use. If you provide no value, Docker uses all
+available GPUs. The example below exposes all available GPUs.
 
 ```console
 $ docker run -it --rm --gpus all ubuntu nvidia-smi
@@ -678,7 +690,7 @@ $ docker run -it --rm --gpus '"device=0,2"' nvidia-smi
 
 ### <a name="restart"></a> Restart policies (--restart)
 
-Use Docker's `--restart` to specify a container's *restart policy*. A restart
+Use the `--restart` flag to specify a container's *restart policy*. A restart
 policy controls whether the Docker daemon restarts a container after exit.
 Docker supports the following restart policies:
 
@@ -686,17 +698,17 @@ Docker supports the following restart policies:
 |:---------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
 | `no`                       | Do not automatically restart the container when it exits. This is the default.                                                                                                                                                                                   |
 | `on-failure[:max-retries]` | Restart only if the container exits with a non-zero exit status. Optionally, limit the number of restart retries the Docker daemon attempts.                                                                                                                     |
-| `unless-stopped`           | Restart the container unless it is explicitly stopped or Docker itself is stopped or restarted.                                                                                                                                                                  |
-| `always`                   | Always restart the container regardless of the exit status. When you specify always, the Docker daemon will try to restart the container indefinitely. The container will also always start on daemon startup, regardless of the current state of the container. |
+| `unless-stopped`           | Restart the container unless it's explicitly stopped or Docker itself is stopped or restarted.                                                                                                                                                                  |
+| `always`                   | Always restart the container regardless of the exit status. When you specify always, the Docker daemon tries to restart the container indefinitely. The container always starts on daemon startup, regardless of the current state of the container. |
 
 ```console
 $ docker run --restart=always redis
 ```
 
 This will run the `redis` container with a restart policy of **always**
-so that if the container exits, Docker will restart it.
+so that if the container exits, Docker restarts it.
 
-More detailed information on restart policies can be found in the
+You can find more detailed information on restart policies in the
 [Restart Policies (--restart)](../run.md#restart-policies---restart)
 section of the Docker run reference page.
 
@@ -742,8 +754,8 @@ for the bridge device).
 
 Since setting `ulimit` settings in a container requires extra privileges not
 available in the default container, you can set these using the `--ulimit` flag.
-`--ulimit` is specified with a soft and hard limit as such:
-`<type>=<soft limit>[:<hard limit>]`, for example:
+Specify `--ulimit` with a soft and hard limit in the format
+`<type>=<soft limit>[:<hard limit>]`. For example:
 
 ```console
 $ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n"
@@ -752,21 +764,25 @@ $ docker run --ulimit nofile=1024:1024 --rm debian sh -c "ulimit -n"
 
 > **Note**
 >
-> If you do not provide a `hard limit`, the `soft limit` is used
-> for both values. If no `ulimits` are set, they are inherited from
-> the default `ulimits` set on the daemon. The `as` option is disabled now.
+> If you don't provide a hard limit value, Docker uses the soft limit value
+> for both values. If you don't provide any values, they are inherited from
+> the default `ulimits` set on the daemon.
+
+> **Note**
+>
+> The `as` option is deprecated.
 > In other words, the following script is not supported:
 >
 > ```console
 > $ docker run -it --ulimit as=1024 fedora /bin/bash
 > ```
 
-The values are sent to the appropriate `syscall` as they are set.
-Docker doesn't perform any byte conversion. Take this into account when setting the values.
+Docker sends the values to the appropriate OS `syscall` and doesn't perform any byte conversion.
+Take this into account when setting the values.
 
 #### For `nproc` usage
 
-Be careful setting `nproc` with the `ulimit` flag as `nproc` is designed by Linux to set the
+Be careful setting `nproc` with the `ulimit` flag as Linux uses `nproc` to set the
 maximum number of processes available to a user, not to a container. For example, start four
 containers with `daemon` user:
 
@@ -780,36 +796,36 @@ $ docker run -d -u daemon --ulimit nproc=3 busybox top
 $ docker run -d -u daemon --ulimit nproc=3 busybox top
 ```
 
-The 4th container fails and reports "[8] System error: resource temporarily unavailable" error.
+The 4th container fails and reports a "[8] System error: resource temporarily unavailable" error.
 This fails because the caller set `nproc=3` resulting in the first three containers using up
 the three processes quota set for the `daemon` user.
 
 ### <a name="stop-signal"></a> Stop container with signal (--stop-signal)
 
-The `--stop-signal` flag sets the system call signal that will be sent to the
+The `--stop-signal` flag sends the system call signal to the
 container to exit. This signal can be a signal name in the format `SIG<NAME>`,
 for instance `SIGKILL`, or an unsigned number that matches a position in the
 kernel's syscall table, for instance `9`.
 
-The default is defined by [`STOPSIGNAL`](https://docs.docker.com/engine/reference/builder/#stopsignal)
+The default value is defined by [`STOPSIGNAL`](https://docs.docker.com/engine/reference/builder/#stopsignal)
 in the image, or `SIGTERM` if the image has no `STOPSIGNAL` defined.
 
 ### <a name="security-opt"></a> Optional security options (--security-opt)
 
-On Windows, this flag can be used to specify the `credentialspec` option.
+On Windows, you can use this flag to specify the `credentialspec` option.
 The `credentialspec` must be in the format `file://spec.txt` or `registry://keyname`.
 
 ### <a name="stop-timeout"></a> Stop container with timeout (--stop-timeout)
 
 The `--stop-timeout` flag sets the number of seconds to wait for the container
 to stop after sending the pre-defined (see `--stop-signal`) system call signal.
-If the container does not exit after the timeout elapses, it is forcibly killed
+If the container does not exit after the timeout elapses, it's forcibly killed
 with a `SIGKILL` signal.
 
-If `--stop-timeout` is set to `-1`, no timeout is applied, and the daemon will
-wait indefinitely for the container to exit.
+If you set `--stop-timeout` to `-1`, no timeout is applied, and the daemon
+waits indefinitely for the container to exit.
 
-The default is determined by the daemon, and is 10 seconds for Linux containers,
+The Daemon determines the default, and is 10 seconds for Linux containers,
 and 30 seconds for Windows containers.
 
 ### <a name="isolation"></a> Specify isolation technology for container (--isolation)
@@ -857,12 +873,12 @@ PS C:\> docker run -d --isolation hyperv microsoft/nanoserver powershell echo hy
 
 ### <a name="memory"></a> Specify hard limits on memory available to containers (-m, --memory)
 
-These parameters always set an upper limit on the memory available to the container. On Linux, this
-is set on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`.
+These parameters always set an upper limit on the memory available to the container. Linux sets this
+on the cgroup and applications in a container can query it at `/sys/fs/cgroup/memory/memory.limit_in_bytes`.
 
-On Windows, this will affect containers differently depending on what type of isolation is used.
+On Windows, this affects containers differently depending on what type of isolation you use.
 
-- With `process` isolation, Windows will report the full memory of the host system, not the limit to applications running inside the container
+- With `process` isolation, Windows reports the full memory of the host system, not the limit to applications running inside the container
 
     ```powershell
     PS C:\> docker run -it -m 2GB --isolation=process microsoft/nanoserver powershell Get-ComputerInfo *memory*
@@ -877,7 +893,7 @@ On Windows, this will affect containers differently depending on what type of is
     OsMaxProcessMemorySize     : 137438953344
     ```
 
-- With `hyperv` isolation, Windows will create a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."
+- With `hyperv` isolation, Windows creates a utility VM that is big enough to hold the memory limit, plus the minimal OS needed to host the container. That size is reported as "Total Physical Memory."
 
     ```powershell
     PS C:\> docker run -it -m 2GB --isolation=hyperv microsoft/nanoserver powershell Get-ComputerInfo *memory*
@@ -892,7 +908,6 @@ On Windows, this will affect containers differently depending on what type of is
     OsMaxProcessMemorySize     : 137438953344
     ```
 
-
 ### <a name="sysctl"></a> Configure namespaced kernel parameters (sysctls) at runtime (--sysctl)
 
 The `--sysctl` sets namespaced kernel parameters (sysctls) in the
@@ -909,6 +924,7 @@ $ docker run --sysctl net.ipv4.ip_forward=1 someimage
 > inside of a container that also modify the host system. As the kernel
 > evolves we expect to see more sysctls become namespaced.
 
+
 #### Currently supported sysctls
 
 IPC Namespace:
@@ -922,3 +938,13 @@ Network Namespace:
 
 - Sysctls beginning with `net.*`
 - If you use the `--network=host` option using these sysctls are not allowed.
+
+## Command internals
+
+The `docker run` command is equivalent to the following API calls:
+
+- `/<API version>/containers/create`
+  - If that call returns a 404 (image not found), and depending on the `--pull` option ("always", "missing", "never") the call can trigger a `docker pull <image>`.
+- `/containers/create` again after pulling the image.
+- `/containers/(id)/start` to start the container.
+- `/containers/(id)/attach` to attach to the container when starting with the `-it` flags for interactive containers.

docs/reference/commandline/system_info.md

@@ -9,9 +9,9 @@ Display system-wide information
 
 ### Options
 
-| Name             | Type     | Default | Description                                   |
-|:-----------------|:---------|:--------|:----------------------------------------------|
-| `-f`, `--format` | `string` |         | Format the output using the given Go template |
+| Name             | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:-----------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `-f`, `--format` | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
 
 
 <!---MARKER_GEN_END-->

docs/reference/commandline/tag.md

@@ -12,27 +12,45 @@ Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
 
 ## Description
 
-An image name is made up of slash-separated name components, optionally prefixed
-by a registry hostname. The hostname must comply with standard DNS rules, but
-may not contain underscores. If a hostname is present, it may optionally be
-followed by a port number in the format `:8080`. If not present, the command
-uses Docker's public registry located at `registry-1.docker.io` by default. Name
-components may contain lowercase letters, digits and separators. A separator
-is defined as a period, one or two underscores, or one or more hyphens. A name
-component may not start or end with a separator.
+A full image name has the following format and components:
 
-A tag name must be valid ASCII and may contain lowercase and uppercase letters,
-digits, underscores, periods and hyphens. A tag name may not start with a
-period or a hyphen and may contain a maximum of 128 characters.
+`[HOST[:PORT_NUMBER]/]PATH`
 
-You can group your images together using names and tags, and then upload them
-to [*Share images on Docker Hub*](https://docs.docker.com/get-started/part3/).
+- `HOST`: The optional registry hostname specifies where the image is located.
+The hostname must comply with standard DNS rules, but may not contain
+underscores. If the hostname is not specified, the command uses Docker's public
+registry at `registry-1.docker.io` by default. Note that `docker.io` is the
+canonical reference for Docker's public registry.
+- `PORT_NUMBER`: If a hostname is present, it may optionally be followed by a
+registry port number in the format `:8080`.
+- `PATH`: The path consists consists of slash-separated components. Each
+component may contain lowercase letters, digits and separators. A separator is
+defined as a period, one or two underscores, or one or more hyphens. A component
+may not start or end with a separator. While the
+[OCI Distribution Specification](https://github.com/opencontainers/distribution-spec)
+supports more than two slash-separated components, most registries only support
+two slash-separated components. For Docker's public registry, the path format is
+as follows:
+  - `[NAMESPACE/]REPOSITORY`: The first, optional component is typically a
+user's or an organization's namespace. The second, mandatory component is the
+repository name. When the namespace is not present, Docker uses `library`
+as the default namespace.
+
+After the image name, the optional `TAG` is a custom, human-readable manifest
+identifier that is typically a specific version or variant of an image. The tag
+must be valid ASCII and can contain lowercase and uppercase letters, digits,
+underscores, periods, and hyphens. It cannot start with a period or hyphen and
+must be no longer than 128 characters. If the tag is not specified, the command uses `latest` by default.
+
+You can group your images together using names and tags, and then
+[push](https://docs.docker.com/engine/reference/commandline/push) them to a
+registry.
 
 ## Examples
 
 ### Tag an image referenced by ID
 
-To tag a local image with ID "0e5574283393" into the "fedora" repository with
+To tag a local image with ID "0e5574283393" as "fedora/httpd" with the tag
 "version1.0":
 
 ```console
@@ -41,8 +59,7 @@ $ docker tag 0e5574283393 fedora/httpd:version1.0
 
 ### Tag an image referenced by Name
 
-To tag a local image with name "httpd" into the "fedora" repository with
-"version1.0":
+To tag a local image "httpd" as "fedora/httpd" with the tag "version1.0":
 
 ```console
 $ docker tag httpd fedora/httpd:version1.0
@@ -53,18 +70,18 @@ existing local version `httpd:latest`.
 
 ### Tag an image referenced by Name and Tag
 
-To tag a local image with name "httpd" and tag "test" into the "fedora"
-repository with "version1.0.test":
+To tag a local image with the name "httpd" and the tag "test" as "fedora/httpd"
+with the tag "version1.0.test":
 
 ```console
 $ docker tag httpd:test fedora/httpd:version1.0.test
 ```
 
-### Tag an image for a private repository
+### Tag an image for a private registry
 
-To push an image to a private registry and not the central Docker
-registry you must tag it with the registry hostname and port (if needed).
+To push an image to a private registry and not the public Docker registry you
+must include the registry hostname and port (if needed).
 
 ```console
 $ docker tag 0e5574283393 myregistryhost:5000/fedora/httpd:version1.0
-```
+```

docs/reference/commandline/version.md

@@ -5,9 +5,9 @@ Show the Docker version information
 
 ### Options
 
-| Name                                   | Type     | Default | Description                                   |
-|:---------------------------------------|:---------|:--------|:----------------------------------------------|
-| [`-f`](#format), [`--format`](#format) | `string` |         | Format the output using the given Go template |
+| Name                                   | Type     | Default | Description                                                                                                                                                                                                                                                        |
+|:---------------------------------------|:---------|:--------|:-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [`-f`](#format), [`--format`](#format) | `string` |         | Format output using a custom template:<br>'json':             Print in JSON format<br>'TEMPLATE':         Print output using the given Go template.<br>Refer to https://docs.docker.com/go/formatting/ for more information about formatting output with templates |
 
 
 <!---MARKER_GEN_END-->

docs/reference/commandline/volume_prune.md

@@ -5,24 +5,26 @@ Remove all unused local volumes
 
 ### Options
 
-| Name                  | Type     | Default | Description                                  |
-|:----------------------|:---------|:--------|:---------------------------------------------|
-| [`--filter`](#filter) | `filter` |         | Provide filter values (e.g. `label=<label>`) |
-| `-f`, `--force`       |          |         | Do not prompt for confirmation               |
+| Name                          | Type     | Default | Description                                        |
+|:------------------------------|:---------|:--------|:---------------------------------------------------|
+| [`-a`](#all), [`--all`](#all) |          |         | Remove all unused volumes, not just anonymous ones |
+| [`--filter`](#filter)         | `filter` |         | Provide filter values (e.g. `label=<label>`)       |
+| `-f`, `--force`               |          |         | Do not prompt for confirmation                     |
 
 
 <!---MARKER_GEN_END-->
 
 ## Description
 
-Remove all unused local volumes. Unused local volumes are those which are not referenced by any containers
+Remove all unused local volumes. Unused local volumes are those which are not
+referenced by any containers. By default, it only removes anonymous volumes.
 
 ## Examples
 
 ```console
 $ docker volume prune
 
-WARNING! This will remove all local volumes not used by at least one container.
+WARNING! This will remove anonymous local volumes not used by at least one container.
 Are you sure you want to continue? [y/N] y
 Deleted Volumes:
 07c7bdf3e34ab76d921894c2b834f073721fccfbbcba792aa7648e3a7a664c2e
@@ -31,6 +33,10 @@ my-named-vol
 Total reclaimed space: 36 B
 ```
 
+### <a name="all"></a> Filtering (--all, -a)
+
+Use the `--all` flag to prune both unused anonymous and named volumes.
+
 ### <a name="filter"></a> Filtering (--filter)
 
 The filtering flag (`--filter`) format is of "key=value". If there is more

e2e/testdata/Dockerfile.gencerts

@@ -1,6 +1,6 @@
 # syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.19.8
+ARG GO_VERSION=1.20.7
 
 FROM golang:${GO_VERSION}-alpine AS generated
 RUN go install github.com/dmcgowan/quicktls@master

internal/test/cli.go

@@ -181,7 +181,7 @@ func (c *FakeCli) ManifestStore() manifeststore.Store {
 }
 
 // RegistryClient returns a fake client for testing
-func (c *FakeCli) RegistryClient(insecure bool) registryclient.RegistryClient {
+func (c *FakeCli) RegistryClient(bool) registryclient.RegistryClient {
 	return c.registryClient
 }
 

internal/test/network/client.go

@@ -4,30 +4,15 @@ import (
 	"context"
 
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/filters"
-	"github.com/docker/docker/api/types/network"
+	"github.com/docker/docker/client"
 )
 
 // FakeClient is a fake NetworkAPIClient
 type FakeClient struct {
+	client.NetworkAPIClient
 	NetworkInspectFunc func(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error)
 }
 
-// NetworkConnect fakes connecting to a network
-func (c *FakeClient) NetworkConnect(ctx context.Context, networkID, container string, config *network.EndpointSettings) error {
-	return nil
-}
-
-// NetworkCreate fakes creating a network
-func (c *FakeClient) NetworkCreate(_ context.Context, _ string, options types.NetworkCreate) (types.NetworkCreateResponse, error) {
-	return types.NetworkCreateResponse{}, nil
-}
-
-// NetworkDisconnect fakes disconnecting from a network
-func (c *FakeClient) NetworkDisconnect(ctx context.Context, networkID, container string, force bool) error {
-	return nil
-}
-
 // NetworkInspect fakes inspecting a network
 func (c *FakeClient) NetworkInspect(ctx context.Context, networkID string, options types.NetworkInspectOptions) (types.NetworkResource, error) {
 	if c.NetworkInspectFunc != nil {
@@ -35,23 +20,3 @@ func (c *FakeClient) NetworkInspect(ctx context.Context, networkID string, optio
 	}
 	return types.NetworkResource{}, nil
 }
-
-// NetworkInspectWithRaw fakes inspecting a network with a raw response
-func (c *FakeClient) NetworkInspectWithRaw(_ context.Context, _ string, _ types.NetworkInspectOptions) (types.NetworkResource, []byte, error) {
-	return types.NetworkResource{}, nil, nil
-}
-
-// NetworkList fakes listing networks
-func (c *FakeClient) NetworkList(_ context.Context, options types.NetworkListOptions) ([]types.NetworkResource, error) {
-	return nil, nil
-}
-
-// NetworkRemove fakes removing networks
-func (c *FakeClient) NetworkRemove(ctx context.Context, networkID string) error {
-	return nil
-}
-
-// NetworksPrune fakes pruning networks
-func (c *FakeClient) NetworksPrune(_ context.Context, pruneFilter filters.Args) (types.NetworksPruneReport, error) {
-	return types.NetworksPruneReport{}, nil
-}

internal/test/notary/client.go

@@ -13,7 +13,7 @@ import (
 )
 
 // GetOfflineNotaryRepository returns a OfflineNotaryRepository
-func GetOfflineNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+func GetOfflineNotaryRepository(trust.ImageRefAndAuth, []string) (client.Repository, error) {
 	return OfflineNotaryRepository{}, nil
 }
 
@@ -22,12 +22,12 @@ type OfflineNotaryRepository struct{}
 
 // Initialize creates a new repository by using rootKey as the root Key for the
 // TUF repository.
-func (o OfflineNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
+func (o OfflineNotaryRepository) Initialize([]string, ...data.RoleName) error {
 	return storage.ErrOffline{}
 }
 
 // InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
-func (o OfflineNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
+func (o OfflineNotaryRepository) InitializeWithCertificate([]string, []data.PublicKey, ...data.RoleName) error {
 	return storage.ErrOffline{}
 }
 
@@ -39,30 +39,30 @@ func (o OfflineNotaryRepository) Publish() error {
 
 // AddTarget creates new changelist entries to add a target to the given roles
 // in the repository when the changelist gets applied at publish time.
-func (o OfflineNotaryRepository) AddTarget(target *client.Target, roles ...data.RoleName) error {
+func (o OfflineNotaryRepository) AddTarget(*client.Target, ...data.RoleName) error {
 	return nil
 }
 
 // RemoveTarget creates new changelist entries to remove a target from the given
 // roles in the repository when the changelist gets applied at publish time.
-func (o OfflineNotaryRepository) RemoveTarget(targetName string, roles ...data.RoleName) error {
+func (o OfflineNotaryRepository) RemoveTarget(string, ...data.RoleName) error {
 	return nil
 }
 
 // ListTargets lists all targets for the current repository. The list of
 // roles should be passed in order from highest to lowest priority.
-func (o OfflineNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+func (o OfflineNotaryRepository) ListTargets(...data.RoleName) ([]*client.TargetWithRole, error) {
 	return nil, storage.ErrOffline{}
 }
 
 // GetTargetByName returns a target by the given name.
-func (o OfflineNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+func (o OfflineNotaryRepository) GetTargetByName(string, ...data.RoleName) (*client.TargetWithRole, error) {
 	return nil, storage.ErrOffline{}
 }
 
 // GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
 // roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
-func (o OfflineNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
+func (o OfflineNotaryRepository) GetAllTargetMetadataByName(string) ([]client.TargetSignedStruct, error) {
 	return nil, storage.ErrOffline{}
 }
 
@@ -82,53 +82,53 @@ func (o OfflineNotaryRepository) GetDelegationRoles() ([]data.Role, error) {
 }
 
 // AddDelegation creates changelist entries to add provided delegation public keys and paths.
-func (o OfflineNotaryRepository) AddDelegation(name data.RoleName, delegationKeys []data.PublicKey, paths []string) error {
+func (o OfflineNotaryRepository) AddDelegation(data.RoleName, []data.PublicKey, []string) error {
 	return nil
 }
 
 // AddDelegationRoleAndKeys creates a changelist entry to add provided delegation public keys.
-func (o OfflineNotaryRepository) AddDelegationRoleAndKeys(name data.RoleName, delegationKeys []data.PublicKey) error {
+func (o OfflineNotaryRepository) AddDelegationRoleAndKeys(data.RoleName, []data.PublicKey) error {
 	return nil
 }
 
 // AddDelegationPaths creates a changelist entry to add provided paths to an existing delegation.
-func (o OfflineNotaryRepository) AddDelegationPaths(name data.RoleName, paths []string) error {
+func (o OfflineNotaryRepository) AddDelegationPaths(data.RoleName, []string) error {
 	return nil
 }
 
 // RemoveDelegationKeysAndPaths creates changelist entries to remove provided delegation key IDs and paths.
-func (o OfflineNotaryRepository) RemoveDelegationKeysAndPaths(name data.RoleName, keyIDs, paths []string) error {
+func (o OfflineNotaryRepository) RemoveDelegationKeysAndPaths(data.RoleName, []string, []string) error {
 	return nil
 }
 
 // RemoveDelegationRole creates a changelist to remove all paths and keys from a role, and delete the role in its entirety.
-func (o OfflineNotaryRepository) RemoveDelegationRole(name data.RoleName) error {
+func (o OfflineNotaryRepository) RemoveDelegationRole(data.RoleName) error {
 	return nil
 }
 
 // RemoveDelegationPaths creates a changelist entry to remove provided paths from an existing delegation.
-func (o OfflineNotaryRepository) RemoveDelegationPaths(name data.RoleName, paths []string) error {
+func (o OfflineNotaryRepository) RemoveDelegationPaths(data.RoleName, []string) error {
 	return nil
 }
 
 // RemoveDelegationKeys creates a changelist entry to remove provided keys from an existing delegation.
-func (o OfflineNotaryRepository) RemoveDelegationKeys(name data.RoleName, keyIDs []string) error {
+func (o OfflineNotaryRepository) RemoveDelegationKeys(data.RoleName, []string) error {
 	return nil
 }
 
 // ClearDelegationPaths creates a changelist entry to remove all paths from an existing delegation.
-func (o OfflineNotaryRepository) ClearDelegationPaths(name data.RoleName) error {
+func (o OfflineNotaryRepository) ClearDelegationPaths(data.RoleName) error {
 	return nil
 }
 
 // Witness creates change objects to witness (i.e. re-sign) the given
 // roles on the next publish. One change is created per role
-func (o OfflineNotaryRepository) Witness(roles ...data.RoleName) ([]data.RoleName, error) {
+func (o OfflineNotaryRepository) Witness(...data.RoleName) ([]data.RoleName, error) {
 	return nil, nil
 }
 
 // RotateKey rotates a private key and returns the public component from the remote server
-func (o OfflineNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
+func (o OfflineNotaryRepository) RotateKey(data.RoleName, bool, []string) error {
 	return storage.ErrOffline{}
 }
 
@@ -139,7 +139,7 @@ func (o OfflineNotaryRepository) GetCryptoService() signed.CryptoService {
 
 // SetLegacyVersions allows the number of legacy versions of the root
 // to be inspected for old signing keys to be configured.
-func (o OfflineNotaryRepository) SetLegacyVersions(version int) {}
+func (o OfflineNotaryRepository) SetLegacyVersions(int) {}
 
 // GetGUN is a getter for the GUN object from a Repository
 func (o OfflineNotaryRepository) GetGUN() data.GUN {
@@ -147,7 +147,7 @@ func (o OfflineNotaryRepository) GetGUN() data.GUN {
 }
 
 // GetUninitializedNotaryRepository returns an UninitializedNotaryRepository
-func GetUninitializedNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+func GetUninitializedNotaryRepository(trust.ImageRefAndAuth, []string) (client.Repository, error) {
 	return UninitializedNotaryRepository{}, nil
 }
 
@@ -160,12 +160,12 @@ type UninitializedNotaryRepository struct {
 
 // Initialize creates a new repository by using rootKey as the root Key for the
 // TUF repository.
-func (u UninitializedNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
+func (u UninitializedNotaryRepository) Initialize([]string, ...data.RoleName) error {
 	return client.ErrRepositoryNotExist{}
 }
 
 // InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
-func (u UninitializedNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
+func (u UninitializedNotaryRepository) InitializeWithCertificate([]string, []data.PublicKey, ...data.RoleName) error {
 	return client.ErrRepositoryNotExist{}
 }
 
@@ -177,18 +177,18 @@ func (u UninitializedNotaryRepository) Publish() error {
 
 // ListTargets lists all targets for the current repository. The list of
 // roles should be passed in order from highest to lowest priority.
-func (u UninitializedNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+func (u UninitializedNotaryRepository) ListTargets(...data.RoleName) ([]*client.TargetWithRole, error) {
 	return nil, client.ErrRepositoryNotExist{}
 }
 
 // GetTargetByName returns a target by the given name.
-func (u UninitializedNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+func (u UninitializedNotaryRepository) GetTargetByName(string, ...data.RoleName) (*client.TargetWithRole, error) {
 	return nil, client.ErrRepositoryNotExist{}
 }
 
 // GetAllTargetMetadataByName searches the entire delegation role tree to find the specified target by name for all
 // roles, and returns a list of TargetSignedStructs for each time it finds the specified target.
-func (u UninitializedNotaryRepository) GetAllTargetMetadataByName(name string) ([]client.TargetSignedStruct, error) {
+func (u UninitializedNotaryRepository) GetAllTargetMetadataByName(string) ([]client.TargetSignedStruct, error) {
 	return nil, client.ErrRepositoryNotExist{}
 }
 
@@ -203,12 +203,12 @@ func (u UninitializedNotaryRepository) GetDelegationRoles() ([]data.Role, error)
 }
 
 // RotateKey rotates a private key and returns the public component from the remote server
-func (u UninitializedNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
+func (u UninitializedNotaryRepository) RotateKey(data.RoleName, bool, []string) error {
 	return client.ErrRepositoryNotExist{}
 }
 
 // GetEmptyTargetsNotaryRepository returns an EmptyTargetsNotaryRepository
-func GetEmptyTargetsNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+func GetEmptyTargetsNotaryRepository(trust.ImageRefAndAuth, []string) (client.Repository, error) {
 	return EmptyTargetsNotaryRepository{}, nil
 }
 
@@ -220,12 +220,12 @@ type EmptyTargetsNotaryRepository struct {
 
 // Initialize creates a new repository by using rootKey as the root Key for the
 // TUF repository.
-func (e EmptyTargetsNotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
+func (e EmptyTargetsNotaryRepository) Initialize([]string, ...data.RoleName) error {
 	return nil
 }
 
 // InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
-func (e EmptyTargetsNotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
+func (e EmptyTargetsNotaryRepository) InitializeWithCertificate([]string, []data.PublicKey, ...data.RoleName) error {
 	return nil
 }
 
@@ -237,12 +237,12 @@ func (e EmptyTargetsNotaryRepository) Publish() error {
 
 // ListTargets lists all targets for the current repository. The list of
 // roles should be passed in order from highest to lowest priority.
-func (e EmptyTargetsNotaryRepository) ListTargets(roles ...data.RoleName) ([]*client.TargetWithRole, error) {
+func (e EmptyTargetsNotaryRepository) ListTargets(...data.RoleName) ([]*client.TargetWithRole, error) {
 	return []*client.TargetWithRole{}, nil
 }
 
 // GetTargetByName returns a target by the given name.
-func (e EmptyTargetsNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+func (e EmptyTargetsNotaryRepository) GetTargetByName(name string, _ ...data.RoleName) (*client.TargetWithRole, error) {
 	return nil, client.ErrNoSuchTarget(name)
 }
 
@@ -281,12 +281,12 @@ func (e EmptyTargetsNotaryRepository) GetDelegationRoles() ([]data.Role, error)
 }
 
 // RotateKey rotates a private key and returns the public component from the remote server
-func (e EmptyTargetsNotaryRepository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
+func (e EmptyTargetsNotaryRepository) RotateKey(data.RoleName, bool, []string) error {
 	return nil
 }
 
 // GetLoadedNotaryRepository returns a LoadedNotaryRepository
-func GetLoadedNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+func GetLoadedNotaryRepository(trust.ImageRefAndAuth, []string) (client.Repository, error) {
 	return LoadedNotaryRepository{}, nil
 }
 
@@ -506,7 +506,7 @@ func (l LoadedNotaryRepository) GetCryptoService() signed.CryptoService {
 }
 
 // GetLoadedWithNoSignersNotaryRepository returns a LoadedWithNoSignersNotaryRepository
-func GetLoadedWithNoSignersNotaryRepository(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client.Repository, error) {
+func GetLoadedWithNoSignersNotaryRepository(trust.ImageRefAndAuth, []string) (client.Repository, error) {
 	return LoadedWithNoSignersNotaryRepository{}, nil
 }
 
@@ -529,7 +529,7 @@ func (l LoadedWithNoSignersNotaryRepository) ListTargets(roles ...data.RoleName)
 }
 
 // GetTargetByName returns a target by the given name.
-func (l LoadedWithNoSignersNotaryRepository) GetTargetByName(name string, roles ...data.RoleName) (*client.TargetWithRole, error) {
+func (l LoadedWithNoSignersNotaryRepository) GetTargetByName(name string, _ ...data.RoleName) (*client.TargetWithRole, error) {
 	if name == "" || name == loadedGreenTarget.Name {
 		return &client.TargetWithRole{Target: loadedGreenTarget, Role: data.CanonicalTargetsRole}, nil
 	}

opts/capabilities.go

@@ -21,15 +21,15 @@ const (
 // This function only handles rudimentary formatting; no validation is performed,
 // as the list of available capabilities can be updated over time, thus should be
 // handled by the daemon.
-func NormalizeCapability(cap string) string {
-	cap = strings.ToUpper(strings.TrimSpace(cap))
-	if cap == AllCapabilities || cap == ResetCapabilities {
-		return cap
+func NormalizeCapability(capability string) string {
+	capability = strings.ToUpper(strings.TrimSpace(capability))
+	if capability == AllCapabilities || capability == ResetCapabilities {
+		return capability
 	}
-	if !strings.HasPrefix(cap, "CAP_") {
-		cap = "CAP_" + cap
+	if !strings.HasPrefix(capability, "CAP_") {
+		capability = "CAP_" + capability
 	}
-	return cap
+	return capability
 }
 
 // CapabilitiesMap normalizes the given capabilities and converts them to a map.

vendor.mod

@@ -7,10 +7,10 @@ module github.com/docker/cli
 go 1.18
 
 require (
-	github.com/containerd/containerd v1.6.19
+	github.com/containerd/containerd v1.6.21
 	github.com/creack/pty v1.1.11
-	github.com/docker/distribution v2.8.1+incompatible
-	github.com/docker/docker v23.0.3+incompatible
+	github.com/docker/distribution v2.8.2+incompatible
+	github.com/docker/docker v23.0.7-0.20230715134620-0420d2b33c42+incompatible // v23.0.7-dev
 	github.com/docker/docker-credential-helpers v0.7.0
 	github.com/docker/go-connections v0.4.0
 	github.com/docker/go-units v0.5.0
@@ -23,13 +23,13 @@ require (
 	github.com/mitchellh/mapstructure v1.3.2
 	github.com/moby/buildkit v0.10.6
 	github.com/moby/patternmatcher v0.5.0
-	github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3
+	github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83
 	github.com/moby/sys/sequential v0.5.0
 	github.com/moby/sys/signal v0.7.0
 	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f
 	github.com/morikuni/aec v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1
+	github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spf13/cobra v1.6.1
@@ -38,11 +38,11 @@ require (
 	github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d
 	github.com/xeipuuv/gojsonschema v1.2.0
 	golang.org/x/sync v0.1.0
-	golang.org/x/sys v0.5.0
-	golang.org/x/term v0.5.0
-	golang.org/x/text v0.7.0
+	golang.org/x/sys v0.6.0
+	golang.org/x/term v0.6.0
+	golang.org/x/text v0.8.0
 	gopkg.in/yaml.v2 v2.4.0
-	gotest.tools/v3 v3.4.0
+	gotest.tools/v3 v3.5.0
 )
 
 require (
@@ -61,7 +61,7 @@ require (
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/moby/sys/symlink v0.2.0 // indirect
-	github.com/opencontainers/runc v1.1.3 // indirect
+	github.com/opencontainers/runc v1.1.7 // indirect
 	github.com/prometheus/client_golang v1.14.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/common v0.37.0 // indirect
@@ -71,7 +71,7 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	go.etcd.io/etcd/raft/v3 v3.5.6 // indirect
 	golang.org/x/crypto v0.2.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	google.golang.org/genproto v0.0.0-20220706185917-7780775163c4 // indirect
 	google.golang.org/grpc v1.48.0 // indirect

vendor.sum

@@ -38,7 +38,7 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
-github.com/Microsoft/hcsshim v0.9.7 h1:mKNHW/Xvv1aFH87Jb6ERDzXTJTLPlmzfZ28VBFD/bfg=
+github.com/Microsoft/hcsshim v0.9.8 h1:lf7xxK2+Ikbj9sVf2QZsouGjRjEp2STj1yDHgoVtU5k=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d h1:hi6J4K6DKrR4/ljxn6SF6nURyu785wKMuQcjt7H3VCQ=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
@@ -66,11 +66,9 @@ github.com/certifi/gocertifi v0.0.0-20200922220541-2c3bb06c6054/go.mod h1:sGbDF6
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
 github.com/cloudflare/cfssl v0.0.0-20180323000720-5d63dbd981b5 h1:PqZ3bA4yzwywivzk7PBQWngJp2/PAS0bWRZerKteicY=
@@ -83,26 +81,23 @@ github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWH
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
 github.com/cockroachdb/logtags v0.0.0-20190617123548-eb05cc24525f/go.mod h1:i/u985jwjWRlyHXQbwatDASoW0RMlZ/3i9yJHE2xLkI=
-github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
-github.com/containerd/containerd v1.6.19 h1:F0qgQPrG0P2JPgwpxWxYavrVeXAG0ezUIB9Z/4FTUAU=
-github.com/containerd/containerd v1.6.19/go.mod h1:HZCDMn4v/Xl2579/MvtOC2M206i+JJ6VxFWU/NetrGY=
+github.com/containerd/containerd v1.6.21 h1:eSTAmnvDKRPWan+MpSSfNyrtleXd86ogK9X8fMWpe/Q=
+github.com/containerd/containerd v1.6.21/go.mod h1:apei1/i5Ux2FzrK6+DM/suEsGuK/MeVOfy8tR2q7Wnw=
 github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11 h1:07n33Z8lZxZ2qwegKbObQohDhXDQxiMMz1NOUGYlesw=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
-github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v23.0.3+incompatible h1:9GhVsShNWz1hO//9BNg/dpMnZW25KydO4wtVxWAIbho=
-github.com/docker/docker v23.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
+github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/docker v23.0.7-0.20230715134620-0420d2b33c42+incompatible h1:2YPQGRAPTR51dHn0mNq0gPFbvLOKthzXuAvFBM2Ox5o=
+github.com/docker/docker v23.0.7-0.20230715134620-0420d2b33c42+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
@@ -114,7 +109,6 @@ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6Uezg
 github.com/docker/go-metrics v0.0.0-20180209012529-399ea8c73916/go.mod h1:/u0gXw0Gay3ceNrsHubL3BtdOL2fHf93USgMTe0W5dI=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
-github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
 github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 h1:UhxFibDNY/bfvqU5CAUmr9zpesgbU6SWc8/B4mflAE4=
@@ -127,7 +121,6 @@ github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.m
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
-github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fvbommel/sortorder v1.0.2 h1:mV4o8B2hKboCdkJm+a7uX/SIpZob4JzUpc5GGnM45eo=
 github.com/fvbommel/sortorder v1.0.2/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
@@ -150,7 +143,6 @@ github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfC
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
@@ -257,9 +249,8 @@ github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrD
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
-github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI=
-github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
@@ -283,9 +274,8 @@ github.com/moby/buildkit v0.10.6 h1:DJlEuLIgnu34HQKF4n9Eg6q2YqQVC0eOpMb4p2eRS2w=
 github.com/moby/buildkit v0.10.6/go.mod h1:tQuuyTWtOb9D+RE425cwOCUkX0/oZ+5iBZ+uWpWQ9bU=
 github.com/moby/patternmatcher v0.5.0 h1:YCZgJOeULcxLw1Q+sVR636pmS7sPEn1Qo2iAN6M7DBo=
 github.com/moby/patternmatcher v0.5.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3 h1:05e6sB9az9OINsgqSy1PiSC9i0ffkpfQd0oJGAigo6k=
-github.com/moby/swarmkit/v2 v2.0.0-20230309194213-a745a8755ce3/go.mod h1:GvjR7mC8YuUd9Mq44lrrIZPaXyKPAGEUMBpAQzaj3dI=
-github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
+github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83 h1:jUbNDiRMDXd2rYoa4bcI+g3nIb4A1R8HNCe9wdCdh8I=
+github.com/moby/swarmkit/v2 v2.0.0-20230315203717-e28e8ba9bc83/go.mod h1:GvjR7mC8YuUd9Mq44lrrIZPaXyKPAGEUMBpAQzaj3dI=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
 github.com/moby/sys/signal v0.7.0 h1:25RW3d5TnQEoKvRbEKUGay6DCQ46IxAVTT9CUMgmsSI=
@@ -301,7 +291,6 @@ github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3Rllmb
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
-github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
@@ -313,12 +302,10 @@ github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1 h1:9iFHD5Kt9hkOfeawBNiEeEaV7bmC4/Z5wJp8E9BptMs=
-github.com/opencontainers/image-spec v1.0.3-0.20220303224323-02efb9a75ee1/go.mod h1:K/JAU0m27RFhDRX4PcFdIKntROP6y5Ed6O91aZYDQfs=
-github.com/opencontainers/runc v1.1.3 h1:vIXrkId+0/J2Ymu2m7VjGvbSlAId9XNRPhn2p4b+d8w=
-github.com/opencontainers/runc v1.1.3/go.mod h1:1J5XiS+vdZ3wCyZybsuxXZWGrgSr8fFJHLXuG2PsnNg=
-github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b h1:YWuSjZCQAPM8UUBLkYUk1e+rZcvWHJmFb6i6rM44Xs8=
+github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b/go.mod h1:3OVijpioIKYWTqjiG0zfF6wvoJ4fAXGbjdZuI2NgsRQ=
+github.com/opencontainers/runc v1.1.7 h1:y2EZDS8sNng4Ksf0GUYNhKbTShZJPJg1FiXJNH/uoCk=
+github.com/opencontainers/runc v1.1.7/go.mod h1:CbUumNnWCuTGFukNXahoo/RFBZvDAgRh/smNYNOhA50=
 github.com/opentracing/opentracing-go v1.1.0 h1:pWlfV3Bxv7k65HYwkikxat0+s3pV4bsqf19k25Ur8rU=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -364,11 +351,7 @@ github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20220502022130-f33da4d89646/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
@@ -398,14 +381,10 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
-github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
 github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a h1:tlJ7tGUHvcvL1v3yR6NcCc9nOqh2L+CG6HWrYQtwzQ0=
 github.com/theupdateframework/notary v0.7.1-0.20210315103452-bf96a202a09a/go.mod h1:Y94A6rPp2OwNfP/7vmf8O2xx2IykP8pPXQ1DLouGnEw=
 github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d h1:wvQZpqy8p0D/FUia6ipKDhXrzPzBVJE4PZyPc5+5Ay0=
 github.com/tonistiigi/go-rosetta v0.0.0-20200727161949-f79598599c5d/go.mod h1:xKQhd7snlzKFuUi1taTGWjpRE8iFTA06DeacYi3CVFQ=
-github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/vishvananda/netlink v1.1.0/go.mod h1:cTgwzPIzzgDAYoQrMm0EdrjRUBkTqKYppBueQtXaqoE=
-github.com/vishvananda/netns v0.0.0-20191106174202-0a2b9b5464df/go.mod h1:JP3t17pCcGlemwknint6hfoeCVQrEMVwxRLRjXpq+BU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb h1:zGWFAtiMcyryUHoUjUJX0/lt1H2+i2Ka2n+D3DImSNo=
 github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -500,13 +479,12 @@ golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81R
 golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -537,13 +515,11 @@ golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190606203320-7fc4e5ec1444/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190801041406-cbf593c0f2f3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20191115151921-52ab43148777/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -574,19 +550,17 @@ golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -595,8 +569,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -645,7 +619,6 @@ golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -766,8 +739,8 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
-gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
+gotest.tools/v3 v3.5.0 h1:Ljk6PdHdOhAb5aDMWXjDLMMhph+BpztA4v1QdqEW2eY=
+gotest.tools/v3 v3.5.0/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

vendor/github.com/docker/distribution/.dockerignore

@@ -0,0 +1 @@
+bin/

vendor/github.com/docker/distribution/.golangci.yml

@@ -18,3 +18,10 @@ run:
   deadline: 2m
   skip-dirs:
     - vendor
+
+issues:
+  exclude-rules:
+    # io/ioutil is deprecated, but won't be removed until Go v2. It's safe to ignore for the release/2.8 branch.
+    - text: "SA1019: \"io/ioutil\" has been deprecated since Go 1.16"
+      linters:
+        - staticcheck

vendor/github.com/docker/distribution/.mailmap

@@ -44,6 +44,8 @@ Thomas Berger <loki@lokis-chaos.de> Thomas Berger <tbe@users.noreply.github.com>
 Samuel Karp <skarp@amazon.com> Samuel Karp <samuelkarp@users.noreply.github.com>
 Justin Cormack <justin.cormack@docker.com>
 sayboras <sayboras@yahoo.com>
-CrazyMax <github@crazymax.dev>
 CrazyMax <github@crazymax.dev> <1951866+crazy-max@users.noreply.github.com>
-CrazyMax <github@crazymax.dev> <crazy-max@users.noreply.github.com>
+Hayley Swimelar <hswimelar@gmail.com>
+Jose D. Gomez R <jose.gomez@suse.com>
+Shengjing Zhu <zhsj@debian.org>
+Silvin Lubecki <31478878+silvin-lubecki@users.noreply.github.com>

vendor/github.com/docker/distribution/Dockerfile

@@ -1,49 +1,59 @@
-# syntax=docker/dockerfile:1.3
+# syntax=docker/dockerfile:1
 
-ARG GO_VERSION=1.16.15
-ARG GORELEASER_XX_VERSION=1.2.5
+ARG GO_VERSION=1.19.9
+ARG ALPINE_VERSION=3.16
+ARG XX_VERSION=1.2.1
 
-FROM --platform=$BUILDPLATFORM crazymax/goreleaser-xx:${GORELEASER_XX_VERSION} AS goreleaser-xx
-FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS base
-COPY --from=goreleaser-xx / /
-RUN apk add --no-cache file git
-WORKDIR /go/src/github.com/docker/distribution
-
-FROM base AS build
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine${ALPINE_VERSION} AS base
+COPY --from=xx / /
+RUN apk add --no-cache bash coreutils file git
 ENV GO111MODULE=auto
 ENV CGO_ENABLED=0
-# GIT_REF is used by goreleaser-xx to handle the proper git ref when available.
-# It will fallback to the working tree info if empty and use "git tag --points-at"
-# or "git describe" to define the version info.
-ARG GIT_REF
-ARG TARGETPLATFORM
-ARG PKG="github.com/distribution/distribution"
-ARG BUILDTAGS="include_oss include_gcs"
-RUN --mount=type=bind,rw \
-  --mount=type=cache,target=/root/.cache/go-build \
-  --mount=target=/go/pkg/mod,type=cache \
-  goreleaser-xx --debug \
-    --name="registry" \
-    --dist="/out" \
-    --main="./cmd/registry" \
-    --flags="-v" \
-    --ldflags="-s -w -X '$PKG/version.Version={{.Version}}' -X '$PKG/version.Revision={{.Commit}}' -X '$PKG/version.Package=$PKG'" \
-    --tags="$BUILDTAGS" \
-    --files="LICENSE" \
-    --files="README.md"
+WORKDIR /go/src/github.com/docker/distribution
 
-FROM scratch AS artifact
-COPY --from=build /out/*.tar.gz /
-COPY --from=build /out/*.zip /
-COPY --from=build /out/*.sha256 /
+FROM base AS version
+ARG PKG="github.com/docker/distribution"
+RUN --mount=target=. \
+  VERSION=$(git describe --match 'v[0-9]*' --dirty='.m' --always --tags) REVISION=$(git rev-parse HEAD)$(if ! git diff --no-ext-diff --quiet --exit-code; then echo .m; fi); \
+  echo "-X ${PKG}/version.Version=${VERSION#v} -X ${PKG}/version.Revision=${REVISION} -X ${PKG}/version.Package=${PKG}" | tee /tmp/.ldflags; \
+  echo -n "${VERSION}" | tee /tmp/.version;
+
+FROM base AS build
+ARG TARGETPLATFORM
+ARG LDFLAGS="-s -w"
+ARG BUILDTAGS="include_oss include_gcs"
+RUN --mount=type=bind,target=/go/src/github.com/docker/distribution,rw \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=target=/go/pkg/mod,type=cache \
+    --mount=type=bind,source=/tmp/.ldflags,target=/tmp/.ldflags,from=version \
+      set -x ; xx-go build -trimpath -ldflags "$(cat /tmp/.ldflags) ${LDFLAGS}" -o /usr/bin/registry ./cmd/registry \
+      && xx-verify --static /usr/bin/registry
 
 FROM scratch AS binary
-COPY --from=build /usr/local/bin/registry* /
+COPY --from=build /usr/bin/registry /
 
-FROM alpine:3.14
+FROM base AS releaser
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+WORKDIR /work
+RUN --mount=from=binary,target=/build \
+    --mount=type=bind,target=/src \
+    --mount=type=bind,source=/tmp/.version,target=/tmp/.version,from=version \
+      VERSION=$(cat /tmp/.version) \
+      && mkdir -p /out \
+      && cp /build/registry /src/README.md /src/LICENSE . \
+      && tar -czvf "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz" * \
+      && sha256sum -z "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz" | awk '{ print $1 }' > "/out/registry_${VERSION#v}_${TARGETOS}_${TARGETARCH}${TARGETVARIANT}.tar.gz.sha256"
+
+FROM scratch AS artifact
+COPY --from=releaser /out /
+
+FROM alpine:${ALPINE_VERSION}
 RUN apk add --no-cache ca-certificates
 COPY cmd/registry/config-dev.yml /etc/docker/registry/config.yml
-COPY --from=build /usr/local/bin/registry /bin/registry
+COPY --from=binary /registry /bin/registry
 VOLUME ["/var/lib/registry"]
 EXPOSE 5000
 ENTRYPOINT ["registry"]

vendor/github.com/docker/distribution/Makefile

@@ -50,7 +50,7 @@ version/version.go:
 
 check: ## run all linters (TODO: enable "unused", "varcheck", "ineffassign", "unconvert", "staticheck", "goimports", "structcheck")
 	@echo "$(WHALE) $@"
-	golangci-lint run
+	@GO111MODULE=off golangci-lint run
 
 test: ## run tests, except integration test with test.short
 	@echo "$(WHALE) $@"

vendor/github.com/docker/distribution/docker-bake.hcl

@@ -1,15 +1,3 @@
-// GITHUB_REF is the actual ref that triggers the workflow
-// https://docs.github.com/en/actions/learn-github-actions/environment-variables#default-environment-variables
-variable "GITHUB_REF" {
-  default = ""
-}
-
-target "_common" {
-  args = {
-    GIT_REF = GITHUB_REF
-  }
-}
-
 group "default" {
   targets = ["image-local"]
 }
@@ -20,13 +8,11 @@ target "docker-metadata-action" {
 }
 
 target "binary" {
-  inherits = ["_common"]
   target = "binary"
   output = ["./bin"]
 }
 
 target "artifact" {
-  inherits = ["_common"]
   target = "artifact"
   output = ["./bin"]
 }
@@ -43,8 +29,13 @@ target "artifact-all" {
   ]
 }
 
+// Special target: https://github.com/docker/metadata-action#bake-definition
+target "docker-metadata-action" {
+  tags = ["registry:local"]
+}
+
 target "image" {
-  inherits = ["_common", "docker-metadata-action"]
+  inherits = ["docker-metadata-action"]
 }
 
 target "image-local" {