From 7a31c2ccb0e08684adfde7e1ef82b26fa3a0d767 Mon Sep 17 00:00:00 2001
From: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
Date: Wed, 3 Jun 2026 14:54:37 +0200
Subject: [PATCH 1/2] ci: fall back to local buildx builder for fork PRs
Fork pull requests don't receive repository secrets, so the docker/login-action step failed with "Password required" and the Docker Build Cloud builder (driver: cloud, endpoint: docker/secrets-engine) was unreachable. This failed every lint/build/proto/vuln job and the Linux keychain tests for external contributions. Gate the Hub login on trusted events and switch the buildx driver to a local docker-container builder for fork PRs, keeping cloud builds for pushes, tags, and same-repo PRs.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/gomodguard.yml | 10 ++++++++--
 .github/workflows/govulncheck.yml | 10 ++++++++--
 .github/workflows/keychain.yml | 10 ++++++++--
 .github/workflows/lint.yml | 10 ++++++++--
 .github/workflows/proto-check.yml | 11 +++++++++--
 .github/workflows/proto-lint.yml | 11 +++++++++--
 6 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/gomodguard.yml b/.github/workflows/gomodguard.yml
index 2e2e6f75..02b3e80a 100644
--- a/.github/workflows/gomodguard.yml
+++ b/.github/workflows/gomodguard.yml
@@ -12,10 +12,16 @@ jobs:
 id-token: write
 pull-requests: write
 contents: write
+ env:
+ # Docker Hub credentials and the Docker Build Cloud builder are only
+ # available to same-repo events. Fork PRs run without secrets, so they
+ # fall back to a local buildx builder (slower, no shared cache).
+ IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 steps:
 - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Hub login
+ if: env.IS_TRUSTED == 'true'
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: dockerpublicbot
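Review bot: The `IS_TRUSTED` expression added in this hunk treats every event other than `pull_request` as trusted, so a `pull_request_target` run, which does receive repository secrets for a fork-originated PR, would pass the gate and log in to Hub and use the cloud builder for an untrusted contribution; the `on:` triggers are outside the hunk, so this is a latent rather than demonstrated problem, but the gate should name both PR events explicitly: `IS_TRUSTED: ${{ !contains(fromJSON('["pull_request","pull_request_target"]'), github.event_name) || github.event.pull_request.head.repo.full_name == github.repository }}`. The identical expression is repeated in govulncheck.yml, keychain.yml, lint.yml, proto-check.yml and proto-lint.yml, so the same change applies to all six files, and hoisting it into one reusable workflow or composite action would keep them from drifting. Same-repo `pull_request` events opened by Dependabot also run without repository secrets, so if Dependabot is enabled here those runs would still fail on "Password required"; appending `&& github.actor != 'dependabot[bot]'` to the trusted branch would cover that case. The fallback `endpoint: ''` for the `docker-container` driver is harmless but a short comment such as `# endpoint is only meaningful for the cloud driver` on the buildx step would save the next reader a lookup.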
@@ -25,8 +31,8 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
- driver: cloud
- endpoint: "docker/secrets-engine"
+ driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+ endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
 install: true
 - name: Lint
diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml
index fca2bb5f..2137b985 100644
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -12,10 +12,16 @@ jobs:
 id-token: write
 pull-requests: write
 contents: write
+ env:
+ # Docker Hub credentials and the Docker Build Cloud builder are only
+ # available to same-repo events. Fork PRs run without secrets, so they
+ # fall back to a local buildx builder (slower, no shared cache).
+ IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 steps:
 - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Hub login
+ if: env.IS_TRUSTED == 'true'
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: dockerpublicbot
@@ -25,8 +31,8 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
- driver: cloud
- endpoint: "docker/secrets-engine"
+ driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+ endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
 install: true
 - name: govulncheck
diff --git a/.github/workflows/keychain.yml b/.github/workflows/keychain.yml
index 8abb6825..bb8bd0c1 100644
--- a/.github/workflows/keychain.yml
+++ b/.github/workflows/keychain.yml
@@ -25,10 +25,16 @@ jobs:
 # headless environment... need to still fix this
 # - fedora-43-kdewallet
 # - ubuntu-24-kdewallet
+ env:
+ # Docker Hub credentials and the Docker Build Cloud builder are only
+ # available to same-repo events. Fork PRs run without secrets, so they
+ # fall back to a local buildx builder (slower, no shared cache).
+ IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 steps:
 - name: Checkout
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Hub login
+ if: env.IS_TRUSTED == 'true'
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: dockerpublicbot
@@ -37,8 +43,8 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
- driver: cloud
- endpoint: "docker/secrets-engine"
+ driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+ endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
 install: true
 - name: Test
 run: DOCKER_TARGET=${{ matrix.subtest }} make keychain-linux-ci-unit-tests
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index f1839e58..9e3d6761 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -20,6 +20,11 @@ jobs:
 id-token: write
 pull-requests: write
 contents: write
+ env:
+ # Docker Hub credentials and the Docker Build Cloud builder are only
+ # available to same-repo events. Fork PRs run without secrets, so they
+ # fall back to a local buildx builder (slower, no shared cache).
+ IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 steps:
 - name: Checkout
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -28,6 +33,7 @@ jobs:
 with:
 go-version-file: go.work
 - name: Hub login
+ if: env.IS_TRUSTED == 'true'
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: dockerpublicbot
@@ -36,8 +42,8 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
- driver: cloud
- endpoint: "docker/secrets-engine"
+ driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+ endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
 install: true
 - name: Lint
 run: make BUILDER=${{ steps.buildx.outputs.name }} ${{ matrix.target }}
diff --git a/.github/workflows/proto-check.yml b/.github/workflows/proto-check.yml
index c122e17c..12e29e37 100644
--- a/.github/workflows/proto-check.yml
+++ b/.github/workflows/proto-check.yml
@@ -15,11 +15,18 @@ jobs:
 pull-requests: write
 contents: write
+ env:
+ # Docker Hub credentials and the Docker Build Cloud builder are only
+ # available to same-repo events. Fork PRs run without secrets, so they
+ # fall back to a local buildx builder (slower, no shared cache).
+ IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+
 steps:
 - name: Checkout code
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Hub login
+ if: env.IS_TRUSTED == 'true'
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: dockerpublicbot
@@ -29,8 +36,8 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
- driver: cloud
- endpoint: "docker/secrets-engine"
+ driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+ endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
 install: true
 - name: Check if protobuf generate is clean
diff --git a/.github/workflows/proto-lint.yml b/.github/workflows/proto-lint.yml
index 403a8b86..032f38d7 100644
--- a/.github/workflows/proto-lint.yml
+++ b/.github/workflows/proto-lint.yml
@@ -15,11 +15,18 @@ jobs:
 pull-requests: write
 contents: write
+ env:
+ # Docker Hub credentials and the Docker Build Cloud builder are only
+ # available to same-repo events. Fork PRs run without secrets, so they
+ # fall back to a local buildx builder (slower, no shared cache).
+ IS_TRUSTED: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
+
 steps:
 - name: Checkout code
 uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Hub login
+ if: env.IS_TRUSTED == 'true'
 uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: dockerpublicbot
@@ -29,8 +36,8 @@ jobs:
 id: buildx
 uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 with:
- driver: cloud
- endpoint: "docker/secrets-engine"
+ driver: ${{ env.IS_TRUSTED == 'true' && 'cloud' || 'docker-container' }}
+ endpoint: ${{ env.IS_TRUSTED == 'true' && 'docker/secrets-engine' || '' }}
 install: true
 - name: Lint
From 77bc744a41df22e725352a8de1c5911cfcd73d0b Mon Sep 17 00:00:00 2001
From: Alano Terblanche <18033717+Benehiko@users.noreply.github.com>
Date: Wed, 3 Jun 2026 15:02:25 +0200
Subject: [PATCH 2/2] fix: bump Go to 1.25.11 to resolve stdlib vulnerabilities
govulncheck flagged two standard-library vulnerabilities reachable from our code across the plugin, credentialhelper, pass, and x modules:
- GO-2026-5039: unescaped arbitrary input in net/textproto errors
- GO-2026-5037: inefficient candidate hostname parsing in crypto/x509
Both are fixed in go1.25.11. Bump the go directive in go.work and every module's go.mod (the Docker build derives GO_VERSION from go.work), and refresh vendor/modules.txt via `go work vendor`. govulncheck now reports zero affected vulnerabilities across all modules.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 client/go.mod | 2 +-
 go.work | 2 +-
 plugin/go.mod | 2 +-
 plugins/credentialhelper/go.mod | 2 +-
 plugins/pass/go.mod | 2 +-
 store/go.mod | 2 +-
 vendor/modules.txt | 8 ++++----
 x/go.mod | 2 +-
 8 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/client/go.mod b/client/go.mod
index 1548471e..aa1a529a 100644
--- a/client/go.mod
+++ b/client/go.mod
@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/client
-go 1.25.10
+go 1.25.11
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is
diff --git a/go.work b/go.work
index 6bd24cde..b356c01a 100644
--- a/go.work
+++ b/go.work
@@ -1,4 +1,4 @@
-go 1.25.10
+go 1.25.11
 use (
 ./client
diff --git a/plugin/go.mod b/plugin/go.mod
index 8342a44e..62e66793 100644
--- a/plugin/go.mod
+++ b/plugin/go.mod
@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/plugin
-go 1.25.10
+go 1.25.11
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is
diff --git a/plugins/credentialhelper/go.mod b/plugins/credentialhelper/go.mod
index 2f0a8c99..6fd22468 100644
--- a/plugins/credentialhelper/go.mod
+++ b/plugins/credentialhelper/go.mod
@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/plugins/credentialhelper
-go 1.25.10
+go 1.25.11
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is
diff --git a/plugins/pass/go.mod b/plugins/pass/go.mod
index 43a77609..a1e44cad 100644
--- a/plugins/pass/go.mod
+++ b/plugins/pass/go.mod
@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/plugins/pass
-go 1.25.10
+go 1.25.11
 replace github.com/docker/secrets-engine/client => ./../../client
diff --git a/store/go.mod b/store/go.mod
index e6c9fce6..25fd4e29 100644
--- a/store/go.mod
+++ b/store/go.mod
@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/store
-go 1.25.10
+go 1.25.11
 // This `replace` is only for CI to function.
 // The correct version will get resolved from below when this module is
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 05376f15..88ca6519 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -40,13 +40,13 @@ github.com/davecgh/go-spew/spew
 github.com/docker/docker-credential-helpers/client
 github.com/docker/docker-credential-helpers/credentials
 # github.com/docker/secrets-engine/client v0.0.9 => ./client
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/docker/secrets-engine/plugin v0.0.22 => ./plugin
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/docker/secrets-engine/store v0.0.27 => ./store
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/docker/secrets-engine/x v0.0.32-do.not.use => ./x
-## explicit; go 1.25.10
+## explicit; go 1.25.11
 # github.com/go-logr/logr v1.4.3
 ## explicit; go 1.18
 github.com/go-logr/logr
diff --git a/x/go.mod b/x/go.mod
index 45d604d5..7da4bba0 100644
--- a/x/go.mod
+++ b/x/go.mod
@@ -1,6 +1,6 @@
 module github.com/docker/secrets-engine/x
-go 1.25.10
+go 1.25.11
 require (
 connectrpc.com/connect v1.19.1