chore(deps): bump the docker group across 1 directory with 3 updates

[dependabot]

Bumps the docker group with 3 updates in the / directory: github.com/docker/cli, github.com/docker/docker and github.com/moby/buildkit.

Updates github.com/docker/cli from 27.5.0+incompatible to 28.0.1+incompatible

Commits

• 068a01e Merge pull request #5870 from thaJeztah/carry_5855
• d75f8d8 Add detailed descriptions for --ulimit options in docker run documentation
• ffdfc5f Merge pull request #5742 from mertssmnoglu/fix-dockerfile-exec-form
• 6bd9908 Merge pull request #5867 from thaJeztah/bump_go_jose
• 7559583 vendor: github.com/go-jose/go-jose/v4 v4.0.5
• 41277f5 Merge pull request #5865 from robmry/doc_default_bridge
• 4e7497e Update dockerd command line ref, default bridge opts
• be66909 Update dockerd command line ref, changes in 28.0
• 111468c Merge pull request #5864 from thaJeztah/gha_bump_docker
• 427c136 gha: add docker 28 to test matrix
• Additional commits viewable in compare view

Updates github.com/docker/docker from 27.5.0+incompatible to 28.0.1+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.0.1

28.0.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.1 milestone
• moby/moby, 28.0.1 milestone

Networking

• Remove dependency on kernel modules ip_set, ip_set_hash_net and netfilter_xt_set.
  • The dependency was introduced in release 28.0.0 but proved too disruptive. The iptables rules using these modules have been replaced. moby/moby#49530
• Allow daemon startup on a host with IPv6 disabled without requiring --ip6tables=false. moby/moby#49525
• Fix a bug that was causing containers with --restart=always and a published port already in use to restart in a tight loop. moby/moby#49507
• Fix an issue with Swarm ingress, caused by incorrect ordering of iptables rules. moby/moby#49538
• Fix creation of a swarm-scoped network from a --config-only network. moby/moby#49521
• Fix docker network inspect reporting an IPv6 gateway with CIDR suffix for a newly created network with no specific IPAM config, until a daemon restart. moby/moby#49520
• Improve the error reported when kernel modules ip_set, ip_set_hash_net and netilter_xt_set are not available. moby/moby#49524
• Move most of Docker's iptables rules out of the filter-FORWARD chain, so that other applications are free to append rules that must follow Docker's rules. moby/moby#49518
• Update --help output and man page lo state which options only apply to the default bridge network. moby/moby#49522

Bug fixes and enhancements

• Fix docker context create always returning an error when using the "skip-tls-verify" option. docker/cli#5850
• Fix shell completion suggesting IDs instead of names for services and nodes. docker/cli#5848
• Fix unintentionally printing exit status to standard error output when docker exec/run returns a non-zero status. docker/cli#5854
• Fix regression protocol "tcp" is not supported by the RootlessKit port driver "slirp4netns". moby/moby#49514
• containerd image store: Fix docker inspect not being able to show multi-platform images with missing layers for all platforms. moby/moby#49533
• containerd image store: Fix docker images --tree reporting wrong content size. moby/moby#49535
• Fix compilation on i386 moby/moby#49526

Packaging updates

• Update github.com/go-jose/go-jose/v4 to v4.0.5 to address. GHSA-c6gw-w398-hv78 / CVE-2025-27144 docker/cli#5867
• Update Buildx to v0.21.1. docker/docker-ce-packaging#1167
• Update Compose to v2.33.1. docker/docker-ce-packaging#1168

API

• containerd image store: Fix GET /images/json?manifests=1 not filling Manifests for index-only images. moby/moby#49533
• containerd image store: Fix GET /images/json and /images/<name>/json Size.Content field including the size of content that's not available locally. moby/moby#49535

v28.0.0

28.0.0

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.0.0 milestone

... (truncated)

Commits

• bbd0a17 Merge pull request #49538 from robmry/docker_ingress
• 8ae4858 Merge pull request #49545 from robmry/revert_check-config_ipset
• 1814363 Revert "contrib/check-config: add ipset related flags"
• 558da63 Jump to DOCKER-INGRESS from DOCKER-FORWARD
• f92fdfe Merge pull request #49530 from robmry/disable_ip_set
• 88bc9a3 Merge pull request #49535 from vvoland/c8d-fixcontentsize
• 76417bf Don't use ipset
• c35159e c8d/manifests: Fix Content size including missing content
• 0510499 Merge pull request #49533 from vvoland/c8d-inspectlist-indeximg
• 0274c63 Merge pull request #49518 from robmry/docker_forward_chain
• Additional commits viewable in compare view

Updates github.com/moby/buildkit from 0.18.2 to 0.20.1

Release notes

Sourced from github.com/moby/buildkit's releases.

v0.20.1

Welcome to the v0.20.1 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• Tõnis Tiigi
• Akihiro Suda
• CrazyMax

Notable Changes

• Fix panic during CDI manager initialization. #5769 cncf-tags/container-device-interface#254
• Fix gRPC message size when writing SBOMs. #5798 containerd/containerd#11457
• Update azblob client retries for GitHub Actions cache backend. #5797 tonistiigi/go-actions-cache#33
• Embedded binfmt emulators in the release image have been updated to QEMU v9.2.2. #5808
• Update documentation and examples for rootless mode. #5765

Dependency Changes

• github.com/containerd/containerd/v2 v2.0.2 -> v2.0.3
• github.com/tonistiigi/go-actions-cache 1a5174abd055 -> 3e9a6642607f
• tags.cncf.io/container-device-interface v0.8.0 -> v0.8.1

Previous release can be found at v0.20.0

v0.20.0

Welcome to the v0.20.0 release of buildkit!

Please try out the release binaries and report any issues at https://github.com/moby/buildkit/issues.

Contributors

• CrazyMax
• Tõnis Tiigi
• Sebastiaan van Stijn
• Jonathan A. Sternberg
• Akihiro Suda
• Anthony Nandaa
• Shaun Thompson
• Austin Vazquez
• Bertrand Paquet
• Brian Goff

... (truncated)

Commits

• de56a3c Merge pull request #5803 from crazy-max/0.20_picks_0.20.1
• cc210c8 vendor: update containerd to v2.0.3
• 2c40436 dockerfile: normalize platform in image config
• bfe3c17 rootless: update docs and examples
• b1b594e update binfmt to v9.2.2
• b15731b vendor: update action-cache with longer azure retries
• 547d083 vendor: update cdi to v0.8.1 for panic fix
• 121ecd5 Merge pull request #5761 from jsternberg/v0.20.0-picks
• c7153d1 cache(gha): fix missing user-agent for importer
• c016cda cache(gha): set user-agent for github cache service requests
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.