Add -run flag support for restorer in Platform API 0.14

jjbustamante · claude · jjbustamante · commit 153d0e9eaa75 · 2026-01-23T10:22:47.000-05:00
This implements the missing feature from Platform API 0.14 where the restorer should accept a -run flag to enable read access validation for run images selected by extensions during the restore phase. When extensions switch the run image to one listed in run.toml, the restorer needs to verify accessibility using the platform's authentication context (CNB_REGISTRY_AUTH). This prevents builds from proceeding with images the system cannot actually access. Changes: - Add -run flag to restorer when Platform API >= 0.14 - Write run.toml file via WriteRunToml operation - Add tests verifying flag is present for Platform API >= 0.14 - Add tests verifying flag is absent for Platform API < 0.14 Fixes #2515 References: - Spec PR: buildpacks/spec#408 - Lifecycle PR: buildpacks/lifecycle#1364 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Juan Bustamante <bustamantejj@gmail.com>
diff --git a/internal/build/lifecycle_execution.go b/internal/build/lifecycle_execution.go
@@ -551,6 +551,13 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 		}
 	}
 
+	// for run
+	runOp := NullOp()
+	if l.platformAPI.AtLeast("0.14") {
+		flags = append(flags, "-run", l.mountPaths.runPath())
+		runOp = WithContainerOperations(WriteRunToml(l.mountPaths.runPath(), l.opts.Builder.RunImages(), l.os))
+	}
+
 	// for kaniko
 	kanikoCacheBindOp := NullOp()
 	if (l.platformAPI.AtLeast("0.10") && l.hasExtensionsForBuild()) ||
@@ -607,6 +614,7 @@ func (l *LifecycleExecution) Restore(ctx context.Context, buildCache Cache, kani
 		cacheBindOp,
 		dockerOp,
 		flagsOp,
+		runOp,
 		kanikoCacheBindOp,
 		registryOp,
 		layoutOp,
diff --git a/internal/build/lifecycle_execution_test.go b/internal/build/lifecycle_execution_test.go
@@ -2046,6 +2046,28 @@ func testLifecycleExecution(t *testing.T, when spec.G, it spec.S) {
 			})
 		})
 
+		when("platform >= 0.14", func() {
+			platformAPI = api.MustParse("0.14")
+
+			it("provides -run flag", func() {
+				h.AssertIncludeAllExpectedPatterns(t,
+					configProvider.ContainerConfig().Cmd,
+					[]string{"-run", "/layers/run.toml"},
+				)
+			})
+		})
+
+		when("platform < 0.14", func() {
+			platformAPI = api.MustParse("0.13")
+
+			it("does not provide -run flag", func() {
+				h.AssertSliceNotContains(t,
+					configProvider.ContainerConfig().Cmd,
+					"-run",
+				)
+			})
+		})
+
 		when("layout is true", func() {
 			when("platform >= 0.12", func() {
 				platformAPI = api.MustParse("0.12")
