vendor: update go.podman.io/... and buildah to latest

cmd/podman/common/build.go

@@ -608,10 +608,12 @@ func buildFlagsWrapperToOptions(c *cobra.Command, contextDir string, flags *Buil
 		SBOMScanOptions:         sbomScanOptions,
 		SignBy:                  flags.SignBy,
 		SignaturePolicyPath:     flags.SignaturePolicy,
+		SourcePolicyFile:        flags.SourcePolicyFile,
 		Squash:                  flags.Squash,
 		SystemContext:           systemContext,
 		Target:                  flags.Target,
 		TransientMounts:         flags.Volumes,
+		TransientRunMounts:      flags.TransientRunMounts,
 		UnsetEnvs:               flags.UnsetEnvs,
 		UnsetLabels:             flags.UnsetLabels,
 		UnsetAnnotations:        flags.UnsetAnnotations,

docs/source/markdown/options/source-policy-file.md

@@ -0,0 +1,64 @@
+####> This option file is used in:
+####>   podman build, farm build
+####> If file is edited, make sure the changes
+####> are applicable to all of those.
+#### **--source-policy-file**=*pathname*
+
+Specifies the path to a BuildKit-compatible source policy JSON file.  When
+specified, source references (e.g., base images in FROM instructions) are
+evaluated against the policy rules before being used.
+
+Source policies allow controlling which images can be used as base images and
+optionally converting image references (e.g., pinning tags to specific digests)
+without modifying Containerfiles.  This is useful for enforcing organizational
+policies and ensuring build reproducibility.
+
+The policy file is a JSON document containing an array of rules.  Each rule has:
+- **action**: The action to take when the rule matches.  Valid actions are:
+  - **ALLOW**: Explicitly allow the source (no transformation).
+  - **DENY**: Block the source and fail the build.
+  - **CONVERT**: Transform the source to a different reference specified in `updates`.
+- **selector**: Specifies which sources the rule applies to.
+  - **identifier**: The source identifier to match (e.g., `docker-image://docker.io/library/alpine:latest`).
+  - **matchType**: How to match the identifier.  Valid types are `EXACT` and `WILDCARD` (supports `*` and `?` glob patterns).  Defaults to `WILDCARD` if not specified.
+- **updates**: For `CONVERT` actions, specifies the replacement identifier.
+
+Rules are evaluated in order; the first matching rule wins.  If no rule matches,
+the source is allowed by default.
+
+Note: Source policy CONVERT rules are processed after **--build-context** substitutions
+but before any substitutions specified in **containers-registries.conf(5)**.  This provides
+multiple ways to override which base image is used for a particular stage, in order of
+precedence: `--build-context`, then source policy, then registries.conf.
+
+Example policy file that pins alpine:latest to a specific digest:
+```json
+{
+  "rules": [
+    {
+      "action": "CONVERT",
+      "selector": {
+        "identifier": "docker-image://docker.io/library/alpine:latest"
+      },
+      "updates": {
+        "identifier": "docker-image://docker.io/library/alpine@sha256:..."
+      }
+    }
+  ]
+}
+```
+
+Example policy file that denies all ubuntu images:
+```json
+{
+  "rules": [
+    {
+      "action": "DENY",
+      "selector": {
+        "identifier": "docker-image://docker.io/library/ubuntu:*",
+        "matchType": "WILDCARD"
+      }
+    }
+  ]
+}
+```

docs/source/markdown/podman-build.1.md.in

@@ -174,7 +174,6 @@ from the base image's image ID.
 This option is not supported on the remote client, including Mac and Windows
 (excluding WSL2) machines.
 
-
 @@option decryption-key
 
 @@option device
@@ -259,6 +258,20 @@ This option is not supported on the remote client, including Mac and Windows
 
 @@option metadata-file
 
+#### **--mount**=*mount-specification*
+
+Adds this mount to each `RUN` command in a Containerfile before executing.  For example:
+
+`podman build --mount=type=secret,id=mysecret …`
+
+and a Containerfile entry of:
+
+`RUN cat /run/secrets/mysecret`
+
+Has the same effect as:
+
+`RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret`
+
 @@option network.image
 
 @@option no-cache
@@ -445,6 +458,8 @@ Sign the image using a GPG key with the specified FINGERPRINT. (This option is n
 
 @@option source-date-epoch
 
+@@option source-policy-file
+
 @@option squash
 
 @@option squash-all

docs/source/markdown/podman-farm-build.1.md.in

@@ -153,6 +153,20 @@ Build image on local machine as well as on farm nodes.
 
 @@option memory-swap
 
+#### **--mount**=*mount-specification*
+
+Adds this mount to each `RUN` command in a Containerfile before executing.  For example:
+
+`podman build --mount=type=secret,id=mysecret …`
+
+and a Containerfile entry of:
+
+`RUN cat /run/secrets/mysecret`
+
+Has the same effect as:
+
+`RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret`
+
 @@option network.image
 
 @@option no-cache
@@ -217,6 +231,8 @@ Build only on farm nodes that match the given platforms.
 
 @@option source-date-epoch
 
+@@option source-policy-file
+
 @@option squash
 
 @@option squash-all

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/checkpoint-restore/checkpointctl v1.5.0
 	github.com/checkpoint-restore/go-criu/v7 v7.2.0
 	github.com/containernetworking/plugins v1.9.0
-	github.com/containers/buildah v1.42.1-0.20260126144005-964d45f717ce
+	github.com/containers/buildah v1.42.1-0.20260216192603-e473f9d26ec6
 	github.com/containers/gvisor-tap-vsock v0.8.8
 	github.com/containers/libhvee v0.10.1-0.20250829163521-178d10e67860
 	github.com/containers/ocicrypt v1.2.1
@@ -61,11 +61,11 @@ require (
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/pflag v1.0.10
 	github.com/stretchr/testify v1.11.1
-	github.com/vbauerster/mpb/v8 v8.11.3
+	github.com/vbauerster/mpb/v8 v8.12.0
 	github.com/vishvananda/netlink v1.3.1
-	go.podman.io/common v0.66.2-0.20260204175822-4e7127fdc31f
-	go.podman.io/image/v5 v5.38.1-0.20260204175822-4e7127fdc31f
-	go.podman.io/storage v1.61.1-0.20260204175822-4e7127fdc31f
+	go.podman.io/common v0.67.1-0.20260217150212-026c3538f3d1
+	go.podman.io/image/v5 v5.39.2-0.20260217150212-026c3538f3d1
+	go.podman.io/storage v1.62.1-0.20260217150212-026c3538f3d1
 	golang.org/x/crypto v0.48.0
 	golang.org/x/net v0.50.0
 	golang.org/x/sync v0.19.0
@@ -89,8 +89,7 @@ require (
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
-	github.com/clipperhouse/stringish v0.1.1 // indirect
-	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
@@ -129,11 +128,11 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
-	github.com/klauspost/compress v1.18.3 // indirect
+	github.com/klauspost/compress v1.18.4 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
-	github.com/mattn/go-runewidth v0.0.19 // indirect
+	github.com/mattn/go-runewidth v0.0.20 // indirect
 	github.com/mdlayher/socket v0.5.1 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mistifyio/go-zfs/v4 v4.0.0 // indirect
@@ -182,7 +181,7 @@ require (
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/oauth2 v0.35.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect

go.sum

@@ -37,10 +37,8 @@ github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObk
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0 h1:p3BQDXSxOhOG0P9z6/hGnII4LGiEPOYBhs8asl/fC04=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
-github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
-github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
-github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
-github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@@ -57,8 +55,8 @@ github.com/containernetworking/cni v1.3.0 h1:v6EpN8RznAZj9765HhXQrtXgX+ECGebEYEm
 github.com/containernetworking/cni v1.3.0/go.mod h1:Bs8glZjjFfGPHMw6hQu82RUgEPNGEaBb9KS5KtNMnJ4=
 github.com/containernetworking/plugins v1.9.0 h1:Mg3SXBdRGkdXyFC4lcwr6u2ZB2SDeL6LC3U+QrEANuQ=
 github.com/containernetworking/plugins v1.9.0/go.mod h1:JG3BxoJifxxHBhG3hFyxyhid7JgRVBu/wtooGEvWf1c=
-github.com/containers/buildah v1.42.1-0.20260126144005-964d45f717ce h1:JNPN3qlLtAZRzggCPK1ffZ4MWuDogG+NtIvQv2bINOY=
-github.com/containers/buildah v1.42.1-0.20260126144005-964d45f717ce/go.mod h1:F10eTynOMnjfEzsX8pmZRIJEb5/3+mTEzmRHXB/6+hk=
+github.com/containers/buildah v1.42.1-0.20260216192603-e473f9d26ec6 h1:j8qnAjmrLf6x47qChpQZla1JzdMZ2BEmhTFlE0e9EUU=
+github.com/containers/buildah v1.42.1-0.20260216192603-e473f9d26ec6/go.mod h1:rnvz1cLM9/wTR4BYODd62GHIwTrWzQsn5J1+qEbjgJ8=
 github.com/containers/common v0.64.2 h1:1xepE7QwQggUXxmyQ1Dbh6Cn0yd7ktk14sN3McSWf5I=
 github.com/containers/common v0.64.2/go.mod h1:o29GfYy4tefUuShm8mOn2AiL5Mpzdio+viHI7n24KJ4=
 github.com/containers/gvisor-tap-vsock v0.8.8 h1:5FznbOYMIuaCv8B6zQ7M6wjqP63Lasy0A6GpViEnjTg=
@@ -102,8 +100,8 @@ github.com/disiqueira/gotree/v3 v3.0.2 h1:ik5iuLQQoufZBNPY518dXhiO5056hyNBIK9lWh
 github.com/disiqueira/gotree/v3 v3.0.2/go.mod h1:ZuyjE4+mUQZlbpkI24AmruZKhg3VHEgPLDY8Qk+uUu8=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/cli v29.1.5+incompatible h1:GckbANUt3j+lsnQ6eCcQd70mNSOismSHWt8vk2AX8ao=
-github.com/docker/cli v29.1.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.2.1+incompatible h1:n3Jt0QVCN65eiVBoUTZQM9mcQICCJt3akW4pKAbKdJg=
+github.com/docker/cli v29.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
@@ -215,8 +213,8 @@ github.com/kevinburke/ssh_config v1.5.0 h1:3cPZmE54xb5j3G5xQCjSvokqNwU2uW+3ry1+P
 github.com/kevinburke/ssh_config v1.5.0/go.mod h1:q2RIzfka+BXARoNexmF9gkxEX7DmvbW9P4hIVx2Kg4M=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.3 h1:9PJRvfbmTabkOX8moIpXPbMMbYN60bWImDDU7L+/6zw=
-github.com/klauspost/compress v1.18.3/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/compress v1.18.4 h1:RPhnKRAQ4Fh8zU2FY/6ZFDwTVTxgJ/EMydqSTzE9a2c=
+github.com/klauspost/compress v1.18.4/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
@@ -237,8 +235,8 @@ github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHP
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
-github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mattn/go-runewidth v0.0.20 h1:WcT52H91ZUAwy8+HUkdM3THM6gXqXuLJi9O3rjcQQaQ=
+github.com/mattn/go-runewidth v0.0.20/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.14.34 h1:3NtcvcUnFBPsuRcno8pUtupspG/GM+9nZ88zgJcp6Zk=
@@ -395,8 +393,8 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/vbatts/tar-split v0.12.2 h1:w/Y6tjxpeiFMR47yzZPlPj/FcPLpXbTUi/9H7d3CPa4=
 github.com/vbatts/tar-split v0.12.2/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
-github.com/vbauerster/mpb/v8 v8.11.3 h1:iniBmO4ySXCl4gVdmJpgrtormH5uvjpxcx/dMyVU9Jw=
-github.com/vbauerster/mpb/v8 v8.11.3/go.mod h1:n9M7WbP0NFjpgKS5XdEC3tMRgZTNM/xtC8zWGkiMuy0=
+github.com/vbauerster/mpb/v8 v8.12.0 h1:+gneY3ifzc88tKDzOtfG8k8gfngCx615S2ZmFM4liWg=
+github.com/vbauerster/mpb/v8 v8.12.0/go.mod h1:V02YIuMVo301Y1VE9VtZlD8s84OMsk+EKN6mwvf/588=
 github.com/vishvananda/netlink v1.3.1 h1:3AEMt62VKqz90r0tmNhog0r/PpWKmrEShJU0wJW6bV0=
 github.com/vishvananda/netlink v1.3.1/go.mod h1:ARtKouGSTGchR8aMwmkzC0qiNPrrWO5JS/XMVl45+b4=
 github.com/vishvananda/netns v0.0.5 h1:DfiHV+j8bA32MFM7bfEunvT8IAqQ/NzSJHtcmW5zdEY=
@@ -445,12 +443,12 @@ go.opentelemetry.io/otel/trace v1.38.0 h1:Fxk5bKrDZJUH+AMyyIXGcFAPah0oRcT+LuNtJr
 go.opentelemetry.io/otel/trace v1.38.0/go.mod h1:j1P9ivuFsTceSWe1oY+EeW3sc+Pp42sO++GHkg4wwhs=
 go.opentelemetry.io/proto/otlp v1.7.1 h1:gTOMpGDb0WTBOP8JaO72iL3auEZhVmAQg4ipjOVAtj4=
 go.opentelemetry.io/proto/otlp v1.7.1/go.mod h1:b2rVh6rfI/s2pHWNlB7ILJcRALpcNDzKhACevjI+ZnE=
-go.podman.io/common v0.66.2-0.20260204175822-4e7127fdc31f h1:+0VKagql2xFs+5ugEk/v9t5oSdpWtYqNf9xqQGmHO0I=
-go.podman.io/common v0.66.2-0.20260204175822-4e7127fdc31f/go.mod h1:VmtRqeaeFq7DrgWmx9TeUcwGh72jtyyBHWjHEENgZfU=
-go.podman.io/image/v5 v5.38.1-0.20260204175822-4e7127fdc31f h1:+kQbbmMs0MakSrmYK6/XDE+g7c/MKaqqSYa6H722F6c=
-go.podman.io/image/v5 v5.38.1-0.20260204175822-4e7127fdc31f/go.mod h1:d3wkDEdmkuEkXEMP6qqmc85P7fvhlT1BsdMqkfubuTU=
-go.podman.io/storage v1.61.1-0.20260204175822-4e7127fdc31f h1:z/zp+wPHdiQ2EeY3Wr99TeJwc9ZZ4o3zPTBNixSgcR4=
-go.podman.io/storage v1.61.1-0.20260204175822-4e7127fdc31f/go.mod h1:yuLB1ikwsdGrGqSGBWv7fMbOeHupCaMn5iJ1biqxrpI=
+go.podman.io/common v0.67.1-0.20260217150212-026c3538f3d1 h1:MhQdvsUa8hef3qN+hRtu6+O/QsF6Cpsd0XP2gZUW3bU=
+go.podman.io/common v0.67.1-0.20260217150212-026c3538f3d1/go.mod h1:KKYaKM+ZTve0ZW+3yvd05PpWawetNGNzb05dDUw+LG0=
+go.podman.io/image/v5 v5.39.2-0.20260217150212-026c3538f3d1 h1:41n9FLO6l3xQ7yVAE9oxKNwmJgXbFRTeS1BHTAQjt80=
+go.podman.io/image/v5 v5.39.2-0.20260217150212-026c3538f3d1/go.mod h1:ZcbaWguhrYsWLx6kbX+gcVq9yzIrvzu21JF2bgQIlMc=
+go.podman.io/storage v1.62.1-0.20260217150212-026c3538f3d1 h1:JdxkufArDqjwqWWA+45NsqdAZ9zTSqQmonncbuRzQxo=
+go.podman.io/storage v1.62.1-0.20260217150212-026c3538f3d1/go.mod h1:B83Ad8mtO0GZs7rEwb66f0Ed5G57NyKI/iJZHoJrpUE=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
@@ -491,8 +489,8 @@ golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
 golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
+golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

pkg/api/handlers/compat/images_build.go

@@ -116,11 +116,13 @@ type BuildQuery struct {
 	ShmSize                 int                `schema:"shmsize"`
 	SkipUnusedStages        bool               `schema:"skipunusedstages"`
 	SourceDateEpoch         int64              `schema:"sourcedateepoch"`
+	SourcePolicy            string             `schema:"sourcePolicy"`
 	Squash                  bool               `schema:"squash"`
 	TLSVerify               bool               `schema:"tlsVerify"`
 	Tags                    []string           `schema:"t"`
 	Target                  string             `schema:"target"`
 	Timestamp               int64              `schema:"timestamp"`
+	TransientRunMounts      []string           `schema:"transientRunMounts"`
 	Ulimits                 string             `schema:"ulimits"`
 	UnsetEnvs               []string           `schema:"unsetenv"`
 	UnsetLabels             []string           `schema:"unsetlabel"`
@@ -587,8 +589,29 @@ func createBuildOptions(query *BuildQuery, buildCtx *BuildContext, queryValues u
 		return nil, nil, utils.GetGenericBadRequestError(err)
 	}
 
+	var temporaryFiles []string
 	cleanup := func() {
 		auth.RemoveAuthfile(authfile)
+		for _, temporaryFile := range temporaryFiles {
+			os.Remove(temporaryFile)
+		}
+	}
+	makeTemporaryFileWithContent := func(data []byte, pattern string) (string, error) {
+		if pattern == "" {
+			pattern = "podman-build-"
+		}
+		f, err := os.CreateTemp(parse.GetTempDir(), pattern)
+		if err != nil {
+			return "", err
+		}
+		filename := f.Name()
+		temporaryFiles = append(temporaryFiles, filename)
+		_, err = f.Write(data)
+		err = errors.Join(err, f.Close())
+		if err != nil {
+			return "", err
+		}
+		return filename, nil
 	}
 
 	// Process from image
@@ -744,6 +767,7 @@ func createBuildOptions(query *BuildQuery, buildCtx *BuildContext, queryValues u
 		Squash:                         query.Squash,
 		SystemContext:                  systemContext,
 		Target:                         query.Target,
+		TransientRunMounts:             query.TransientRunMounts,
 		UnsetEnvs:                      query.UnsetEnvs,
 		UnsetLabels:                    query.UnsetLabels,
 		UnsetAnnotations:               query.UnsetAnnotations,
@@ -768,6 +792,15 @@ func createBuildOptions(query *BuildQuery, buildCtx *BuildContext, queryValues u
 		})
 	}
 
+	// Process source policy
+	if _, found := queryValues["sourcePolicy"]; found {
+		filename, err := makeTemporaryFileWithContent([]byte(query.SourcePolicy), "podman-source-policy-")
+		if err != nil {
+			return nil, cleanup, utils.GetBadRequestError("sourcePolicy", query.SourcePolicy, err)
+		}
+		buildOptions.SourcePolicyFile = filename
+	}
+
 	// Process timestamps
 	if _, found := queryValues["sourcedateepoch"]; found {
 		ts := time.Unix(query.SourceDateEpoch, 0)