chore(deps): bump the moby group with 2 updates

[dependabot]

Bumps the moby group with 2 updates: github.com/docker/cli and github.com/moby/buildkit.

Updates github.com/docker/cli from 29.4.3+incompatible to 29.5.0+incompatible

Commits

• 98f1464 Merge pull request #6988 from thaJeztah/make_shell
• 50712c9 README: simplify instructions for using dev container
• 653dc8f Merge pull request #6485 from paulchen5/6484-update-pull-request-template
• 1394582 Merge pull request #6987 from thaJeztah/contributing_links
• f99747b docs: fix stale links in CONTRIBUTING.md
• ddac061 PR template: remove outdated contributing guide link
• bd55370 Merge pull request #6984 from thaJeztah/cleanup_experimental
• f907b27 Merge pull request #6985 from thaJeztah/rm_builder_stub
• 5201f58 Merge pull request #6971 from matte1782/docs-authz-64kib-buffer-2026-05
• 5d48774 Merge pull request #6986 from thaJeztah/cleanup_docs_readme
• Additional commits viewable in compare view

Updates github.com/moby/buildkit from 0.29.0 to 0.30.0

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.30.0

Welcome to the v0.30.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• CrazyMax
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Natnael Gebremariam
• Akihiro Suda
• Dawei Wei
• Dmitrii Kostyrev
• Jiří Moravčík
• Vladimir Kuznichenkov

Notable Changes

• Builtin Dockerfile frontend has been updated to v1.24.0 changelog
• BuildKit now supports the concept of "compatibility version" for improved reproducible builds support across different BuildKit versions. This allows users to specify a version for which the build should be compatible with, and BuildKit will attempt to maintain compatibility with that version when possible. Compatibility version will be stored in the provenance attestation of the build and can be used to independently verify the artifacts of the build on other BuildKit versions. The current compatibility version and backward compatibility with old versions are defined in Build reproducibility docs #6681
• Git sources now support fetch-by-commit option where commit is fetched by the SHA and then associated with the reference. This is useful when checking out mutable references refs/NR/merge where the commit SHA may change during invocation and cause checksum mismatch error #6708
• The LLB API now supports Git bundle format. Git bundles can be loaded from registry or OCI layout blobs and Git sources can be checked out into bundle format for snapshotting #6711
• Provenance attestations for multi-pass or chained builds now include request details for root requests and individual input requests, allowing full reconstruction of such complex builds #6739
• The version of the built-in Dockerfile frontend that was used is now included in the provenance metadata and reported via worker info APIs. #6705
• Improve error reporting for registry errors on cache export #6762
• S3 cache now supports additional options retry_mode and retry_max_attempts to configure retry behavior of S3 client #6657
• S3 cache now supports disable_accept_encoding option for GCS interoperability #6642
• Reduce potential lock contention in gateway forwarder for improved performance on parallel builds #6741
• A new log level option has been added to the buildkitd TOML configuration; previous "debug" and "trace" options have been deprecated #6732
• Allow gateway frontend requests to forward to the built-in Dockerfile frontend the same way as to external frontends #6643
• Session connection health checks have been improved to better detect loss of connectivity and avoid stuck builds #6649
• Fix issue with Git subdirectory value not being included in ConfigSource section of SLSA provenance for builds from Git sources #6724
• Avoid potential deadlock if the credential helper in the client is misbehaving and never returns credentials #6709
• Fix possible data race in provenance computation on parallel builds #6758
• Fix possible provenance capture race in concurrent no-cache builds that could leave source pins empty and fail with an invalid checksum digest error #6764
• Fix possible data race in progress writer #6679
• Fix data race in S3 cache reader #6675
• Fix possible Git config lookup errors on Windows #6639
• Fix build cancellation not working properly when blocked on credential callback #6641

Dependency Changes

• github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0 -> v1.21.0
• github.com/Microsoft/hcsshim v0.14.0-rc.1 -> v0.14.1
• github.com/aws/aws-sdk-go-v2 v1.41.4 -> v1.41.7

... (truncated)

Commits

• dd2170e Merge pull request #6770 from crazy-max/v0.30-picks-0.30.0
• e4b9769 test: gate merge diff tests through worker capabilities
• d5956a1 skip pin race test on workers without merge diff support
• 505ab37 solver: fix race in walkProvenance
• f2e48d2 Merge pull request #6762 from jsternberg/add-error-details
• f7a40a0 Merge pull request #6758 from tonistiigi/fix-provenance-data-race
• 80e934d remotecache: propagate details field from registry when included
• a7c8749 Merge pull request #6761 from moby/dependabot/github_actions/github/codeql-ac...
• df37b67 build(deps): bump github/codeql-action from 4.35.3 to 4.35.4
• c7ba941 Merge pull request #6759 from moby/dependabot/github_actions/docker/github-bu...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions