From 5cc1b1dda1e735e0d596628f4efcdc0197644320 Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 7 Jan 2025 18:31:26 +0000
Subject: [PATCH 1/2] twoliter: make "FROM" and "AS" cases match

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
 twoliter/embedded/build.Dockerfile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/twoliter/embedded/build.Dockerfile b/twoliter/embedded/build.Dockerfile
index 8f53dd52..80197e73 100644
--- a/twoliter/embedded/build.Dockerfile
+++ b/twoliter/embedded/build.Dockerfile
@@ -16,7 +16,7 @@ ARG SDK
 ARG ARCH
 ARG GOARCH
 
-FROM ${SDK} as sdk
+FROM ${SDK} AS sdk
 
 ############################################################################################
 # Section 1: The following build stages are used to build rpm.spec packages
@@ -194,7 +194,7 @@ COPY --from=kitbuild /tmp/.${NOCACHE} /
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 # Generate the expected RPM macros and bconds.
-FROM sdk as rpm-macros-and-bconds
+FROM sdk AS rpm-macros-and-bconds
 ARG VARIANT
 ARG VARIANT_PLATFORM
 ARG VARIANT_RUNTIME
@@ -314,7 +314,7 @@ RUN --mount=target=/host \
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 # Builds a Bottlerocket image.
-FROM repobuild as imgbuild
+FROM repobuild AS imgbuild
 ARG ARCH
 ARG VERSION_ID
 ARG BUILD_ID
@@ -385,7 +385,7 @@ RUN --mount=target=/host \
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 # Creates an archive of the datastore migrations.
-FROM repobuild as migrationbuild
+FROM repobuild AS migrationbuild
 ARG ARCH
 ARG VERSION_ID
 ARG BUILD_ID
@@ -417,7 +417,7 @@ RUN --mount=target=/host \
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 # Creates an archive of kernel development sources and toolchain.
-FROM repobuild as kmodkitbuild
+FROM repobuild AS kmodkitbuild
 # The list of packages from the variant Cargo.toml package.metadata.build-variant.packages section.
 ARG PACKAGES
 ARG ARCH
@@ -461,7 +461,7 @@ COPY --from=kmodkitbuild /tmp/.${NOCACHE} /output/
 
 # =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^= =^..^=
 # Repack an existing image.
-FROM sdk as imgrepack
+FROM sdk AS imgrepack
 ARG ARCH
 ARG VERSION_ID
 ARG BUILD_ID

From be2328cafa63628a6ce94b8252642d04b22f4c0d Mon Sep 17 00:00:00 2001
From: Ben Cressey <bcressey@amazon.com>
Date: Tue, 7 Jan 2025 19:01:49 +0000
Subject: [PATCH 2/2] buildsys: skip build checks that aren't helpful

Newer versions of Docker warn about the "SDK" and "TOKEN" arguments.
Pass an argument to skip these checks while documenting why it's safe
to do so.

Signed-off-by: Ben Cressey <bcressey@amazon.com>
---
 tools/buildsys/src/builder.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tools/buildsys/src/builder.rs b/tools/buildsys/src/builder.rs
index 3ff18c77..34d439eb 100644
--- a/tools/buildsys/src/builder.rs
+++ b/tools/buildsys/src/builder.rs
@@ -691,6 +691,15 @@ impl DockerBuild {
         args.build_arg("NOCACHE", &self.common_build_args.nocache);
         args.build_arg("TOKEN", &self.common_build_args.token);
         args.build_arg("OUTPUT_SOCKET", &self.common_build_args.output_socket);
+
+        // Skip some build checks:
+        // - InvalidDefaultArgInFrom warns about the SDK argument, which is always set
+        // - SecretsUsedInArgOrEnv warns about the TOKEN argument, which is not a secret
+        args.build_arg(
+            "BUILDKIT_DOCKERFILE_CHECK",
+            "skip=InvalidDefaultArgInFrom,SecretsUsedInArgOrEnv",
+        );
+
         args
     }
 }