bake fails to resolve inter-target dependencies when definitions are split across files #3343
Description
Contributing guidelines
- I've read the contributing guidelines and wholeheartedly agree
I've found a bug and checked that ...
- ... the documentation does not mention anything about my problem
- ... there are no open or closed issues that are related to my problem
Description
The docker buildx bake --check command fails to validate a build when target dependencies are split across multiple HCL files. While the actual build command (docker buildx bake <target>) works correctly, the validation logic incorrectly reports an unsupported context source target error.
Expected behaviour
The docker buildx bake --check command should successfully validate the dependency graph across all provided HCL files without errors, behaving consistently with the actual build process which correctly resolves the same dependencies.
Actual behaviour
The docker buildx bake --check command fails with an unsupported context source target error. This indicates the validation logic cannot resolve a dependency specified with contexts = { my_context = "target:my_target" } when the referenced target's definition is in another HCL file loaded via the -f flag. The regular build command without --check succeeds.
Buildx version
github.com/docker/buildx v0.26.1 1a8287f
Docker info
Client: Docker Engine - Community
Version: 28.3.3
Context: default
Debug Mode: false
Plugins:
buildx: Docker Buildx (Docker Inc.)
Version: v0.26.1
Path: /usr/libexec/docker/cli-plugins/docker-buildx
compose: Docker Compose (Docker Inc.)
Version: v2.39.1
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 4
Running: 4
Paused: 0
Stopped: 0
Images: 6
Server Version: 28.3.3
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
CDI spec directories:
/etc/cdi
/var/run/cdi
Swarm: inactive
Runtimes: io.containerd.runc.v2 runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 05044ec0a9a75232cad458027ca83437aae3f4da
runc version: v1.2.5-0-g59923ef
init version: de40ad0
Security Options:
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.6.87.1-microsoft-standard-WSL2
Operating System: Ubuntu 24.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.62GiB
Name: volt-lpt
ID: 9dcce5e7-a038-4a29-b3a1-d2f38b7e795d
Docker Root Dir: /var/lib/docker
Debug Mode: false
Experimental: false
Insecure Registries:
::1/128
127.0.0.0/8
Registry Mirrors:
https://mirror.gcr.io/
Live Restore Enabled: false
Builders list
NAME/NODE DRIVER/ENDPOINT STATUS BUILDKIT PLATFORMS
default* docker
\_ default \_ default running v0.23.2 linux/amd64 (+3), linux/386
Configuration
Here is a minimal setup to reproduce the issue.
- File structure
├── build.hcl
├── providers.hcl
└── dockerfiles/
├── app/
│ └── Dockerfile
├── base/
│ └── Dockerfile
└── builder/
└── Dockerfile
- File content:
- providers.hcl
# Defines the builder and a base application layer that depends on it.
target "builder" {
dockerfile = "dockerfiles/builder/Dockerfile"
tags = ["my-builder:latest"]
}
target "base" {
dockerfile = "dockerfiles/base/Dockerfile"
contexts = {
# This "target:" reference causes the error
builder = "target:builder"
}
tags = ["my-base:latest"]
}- build.hcl
# Defines the final application, which depends on the base layer.
target "app" {
dockerfile = "dockerfiles/app/Dockerfile"
contexts = {
# This "target:" reference also causes the error
base = "target:base"
}
tags = ["myapp:latest"]
}- Dockerfiles
dockerfiles/builder/Dockerfile:
# syntax=docker/dockerfile:1
# check=error=true
FROM alpine:latest AS builder
RUN echo "This is the builder" > /builder.txtdockerfiles/base/Dockerfile:
# syntax=docker/dockerfile:1
# check=error=true
FROM builder AS base
RUN echo "This is the base image" > /base.txt
COPY --from=builder /builder.txt /dockerfiles/app/Dockerfile:
# syntax=docker/dockerfile:1
# check=error=true
FROM base AS app
RUN echo "This is the final application" > /app.txt
COPY --from=base /base.txt /- Invoked Command that Fails:
docker buildx bake -f providers.hcl -f build.hcl app --check
Build logs
[+] Building 5.7s (8/8) FINISHED docker:default
=> [internal] load local bake definitions 0.0s
=> => reading providers.hcl 367B / 367B 0.0s
=> => reading build.hcl 250B / 250B 0.0s
=> [builder internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 161B 0.0s
=> [app] resolve image config for docker-image://docker.io/docker/dockerfile:1 0.2s
=> CACHED [app] docker-image://docker.io/docker/dockerfile:1@sha256:9857836c9ee4268391bb5b09f9f157f3c91bb15821bb77969642813b0d00518d 0.0s
=> [builder internal] load metadata for docker.io/library/alpine:latest 4.5s
=> [builder internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [base internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 188B 0.0s
=> [app internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 184B 0.0s
app
error: unsupported context source target for base
dockerfiles/app/Dockerfile:5
--------------------
3 | FROM base AS app
4 | RUN echo "This is the final application" > /app.txt
5 | >>> COPY --from=base /base.txt /
--------------------
base
error: unsupported context source target for builder
dockerfiles/base/Dockerfile:5
--------------------
3 | FROM builder AS base
4 | RUN echo "This is the base image" > /base.txt
5 | >>> COPY --from=builder /builder.txt /
--------------------
builder
Check complete, no warnings found.
Additional info
The bug is specific to the --check flag. Running the same command without it executes the build successfully, proving that the core dependency resolution logic is working as intended. The issue lies only within the pre-flight validation check.