From ecace2712a43f1c0562ea0bf9cc7d40476eac2bf Mon Sep 17 00:00:00 2001
From: Sadique Azmi <sadiquemobaraka5@gmail.com>
Date: Sun, 26 Oct 2025 04:48:26 +0530
Subject: [PATCH] fix: don't symlink buildkit-cni documentation files to bin/

The nerdctl-full tarball was incorrectly creating symlinks for all
files in libexec/cni/, including documentation files like README.md
and LICENSE. This resulted in non-executable files appearing in bin/
as buildkit-cni-README.md and buildkit-cni-LICENSE.

Add executable and regular file checks to the symlink creation loop
to filter out non-executable files. The fix uses [ -x "$f" ] to check
for execute permission and [ -f "$f" ] to ensure it's a regular file,
so only actual CNI plugin binaries are symlinked.

Tested: bin/ file count reduced from 46 to 44 files (removed 2 doc
symlinks). All 18 CNI plugin executables still correctly symlinked.

Fixes #4553

Signed-off-by: Sadique Azmi <sadiquemobaraka5@gmail.com>
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 15868503c24..2a4a8337cd2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -167,7 +167,7 @@ RUN BUILDKIT_VERSION=${BUILDKIT_VERSION%%@*}; \
   grep "${fname}" "/SHA256SUMS.d/buildkit-${BUILDKIT_VERSION}" | sha256sum -c && \
   tar xzf "${fname}" -C /out && \
   rm -f "${fname}" /out/bin/buildkit-qemu-* /out/bin/buildkit-cni-* /out/bin/buildkit-runc && \
-  for f in /out/libexec/cni/*; do ln -s ../libexec/cni/$(basename $f) /out/bin/buildkit-cni-$(basename $f); done && \
+  for f in /out/libexec/cni/*; do [ -x "$f" ] && [ -f "$f" ] && ln -s ../libexec/cni/$(basename $f) /out/bin/buildkit-cni-$(basename $f); done && \
   echo "- BuildKit: ${BUILDKIT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 # NOTE: github.com/moby/buildkit/examples/systemd is not included in BuildKit v0.8.x, will be included in v0.9.x
 RUN cd /out/lib/systemd/system && \