From 826d2be5a42421e77246117a38fb588b1c0d421d Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio <ozz@stacklok.com>
Date: Tue, 25 Nov 2025 20:56:48 -0600
Subject: [PATCH] Add build environment configuration and validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add configuration model and validation for build-time environment
variables that will be injected into protocol build Dockerfiles.

Changes:
- Add BuildEnv map[string]string field to Config struct
- Add validation functions for env var keys (uppercase, no reserved keys)
- Add validation functions for env var values (no shell metacharacters)
- Extend Provider interface with SetBuildEnv, GetBuildEnv, GetAllBuildEnv,
  UnsetBuildEnv, and UnsetAllBuildEnv methods
- Implement for DefaultProvider, PathProvider, and KubernetesProvider
- Add comprehensive tests for validation and provider operations

This is the foundation for THV-2732 custom package registry support.
The CLI commands and template integration will follow in a separate PR.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 pkg/config/buildenv.go            | 138 ++++++++++++++++++++++++++
 pkg/config/buildenv_test.go       | 154 ++++++++++++++++++++++++++++++
 pkg/config/config.go              |   1 +
 pkg/config/interface.go           |  82 ++++++++++++++++
 pkg/config/interface_test.go      | 116 ++++++++++++++++++++++
 pkg/config/mocks/mock_provider.go |  71 ++++++++++++++
 6 files changed, 562 insertions(+)
 create mode 100644 pkg/config/buildenv.go
 create mode 100644 pkg/config/buildenv_test.go

diff --git a/pkg/config/buildenv.go b/pkg/config/buildenv.go
new file mode 100644
index 000000000..0e89f875a
--- /dev/null
+++ b/pkg/config/buildenv.go
@@ -0,0 +1,138 @@
+package config
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// Build environment validation constants
+const (
+	errInvalidEnvKeyFormat  = "invalid environment variable name: %s (must match pattern %s)"
+	errReservedEnvKey       = "environment variable name %s is reserved and cannot be overridden"
+	errInvalidEnvValueChars = "environment variable value contains potentially dangerous characters"
+)
+
+// envKeyPattern matches valid environment variable names.
+// Must start with uppercase letter, followed by uppercase letters, numbers, or underscores.
+var envKeyPattern = regexp.MustCompile(`^[A-Z][A-Z0-9_]*$`)
+
+// reservedEnvKeys lists environment variables that cannot be overridden for security reasons.
+var reservedEnvKeys = map[string]bool{
+	"PATH":            true,
+	"HOME":            true,
+	"USER":            true,
+	"SHELL":           true,
+	"PWD":             true,
+	"HOSTNAME":        true,
+	"TERM":            true,
+	"LANG":            true,
+	"LC_ALL":          true,
+	"LD_PRELOAD":      true,
+	"LD_LIBRARY_PATH": true,
+}
+
+// ValidateBuildEnvKey validates that an environment variable key follows the required pattern
+// and is not a reserved variable.
+func ValidateBuildEnvKey(key string) error {
+	if !envKeyPattern.MatchString(key) {
+		return fmt.Errorf(errInvalidEnvKeyFormat, key, "^[A-Z][A-Z0-9_]*$")
+	}
+
+	if reservedEnvKeys[key] {
+		return fmt.Errorf(errReservedEnvKey, key)
+	}
+
+	return nil
+}
+
+// ValidateBuildEnvValue validates that an environment variable value does not contain
+// potentially dangerous characters that could enable shell injection in Dockerfiles.
+func ValidateBuildEnvValue(value string) error {
+	// Check for shell metacharacters that could enable injection
+	dangerousPatterns := []string{
+		"`",  // Command substitution
+		"$(", // Command substitution
+		"${", // Variable expansion (could be used for injection)
+		"\\", // Escape sequences
+		"\n", // Newlines could break Dockerfile syntax
+		"\r", // Carriage returns
+		"\"", // Double quotes could break ENV syntax
+		";",  // Command separator
+		"&&", // Command chaining
+		"||", // Command chaining
+		"|",  // Pipe
+		">",  // Redirection
+		"<",  // Redirection
+	}
+
+	for _, pattern := range dangerousPatterns {
+		if strings.Contains(value, pattern) {
+			return fmt.Errorf("%s: contains '%s'", errInvalidEnvValueChars, pattern)
+		}
+	}
+
+	return nil
+}
+
+// ValidateBuildEnvEntry validates both the key and value of a build environment variable.
+func ValidateBuildEnvEntry(key, value string) error {
+	if err := ValidateBuildEnvKey(key); err != nil {
+		return err
+	}
+	return ValidateBuildEnvValue(value)
+}
+
+// setBuildEnv is a helper function that validates and sets a build environment variable.
+func setBuildEnv(p Provider, key, value string) error {
+	if err := ValidateBuildEnvEntry(key, value); err != nil {
+		return err
+	}
+
+	return p.UpdateConfig(func(c *Config) {
+		if c.BuildEnv == nil {
+			c.BuildEnv = make(map[string]string)
+		}
+		c.BuildEnv[key] = value
+	})
+}
+
+// getBuildEnv is a helper function that retrieves a build environment variable.
+func getBuildEnv(p Provider, key string) (value string, exists bool) {
+	config := p.GetConfig()
+	if config.BuildEnv == nil {
+		return "", false
+	}
+	value, exists = config.BuildEnv[key]
+	return value, exists
+}
+
+// getAllBuildEnv is a helper function that retrieves all build environment variables.
+func getAllBuildEnv(p Provider) map[string]string {
+	config := p.GetConfig()
+	if config.BuildEnv == nil {
+		return make(map[string]string)
+	}
+	// Return a copy to prevent external modifications
+	result := make(map[string]string, len(config.BuildEnv))
+	for k, v := range config.BuildEnv {
+		result[k] = v
+	}
+	return result
+}
+
+// unsetBuildEnv is a helper function that removes a specific build environment variable.
+func unsetBuildEnv(p Provider, key string) error {
+	return p.UpdateConfig(func(c *Config) {
+		if c.BuildEnv != nil {
+			delete(c.BuildEnv, key)
+		}
+	})
+}
+
+// unsetAllBuildEnv is a helper function that removes all build environment variables.
+func unsetAllBuildEnv(p Provider) error {
+	return p.UpdateConfig(func(c *Config) {
+		c.BuildEnv = nil
+	})
+}
diff --git a/pkg/config/buildenv_test.go b/pkg/config/buildenv_test.go
new file mode 100644
index 000000000..76a774c68
--- /dev/null
+++ b/pkg/config/buildenv_test.go
@@ -0,0 +1,154 @@
+package config
+
+import (
+	"testing"
+)
+
+func TestValidateBuildEnvKey(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		key     string
+		wantErr bool
+	}{
+		// Valid keys
+		{name: "simple uppercase", key: "NPM_CONFIG_REGISTRY", wantErr: false},
+		{name: "with numbers", key: "GO111MODULE", wantErr: false},
+		{name: "single letter", key: "A", wantErr: false},
+		{name: "all caps with underscore", key: "PIP_INDEX_URL", wantErr: false},
+		{name: "uv default index", key: "UV_DEFAULT_INDEX", wantErr: false},
+		{name: "goproxy", key: "GOPROXY", wantErr: false},
+		{name: "goprivate", key: "GOPRIVATE", wantErr: false},
+		{name: "node options", key: "NODE_OPTIONS", wantErr: false},
+
+		// Invalid keys - pattern mismatch
+		{name: "lowercase", key: "npm_config_registry", wantErr: true},
+		{name: "starts with number", key: "1VAR", wantErr: true},
+		{name: "starts with underscore", key: "_VAR", wantErr: true},
+		{name: "contains lowercase", key: "NPM_config_REGISTRY", wantErr: true},
+		{name: "contains hyphen", key: "NPM-CONFIG", wantErr: true},
+		{name: "contains space", key: "NPM CONFIG", wantErr: true},
+		{name: "empty string", key: "", wantErr: true},
+		{name: "contains dot", key: "NPM.CONFIG", wantErr: true},
+
+		// Reserved keys
+		{name: "reserved PATH", key: "PATH", wantErr: true},
+		{name: "reserved HOME", key: "HOME", wantErr: true},
+		{name: "reserved USER", key: "USER", wantErr: true},
+		{name: "reserved SHELL", key: "SHELL", wantErr: true},
+		{name: "reserved LD_PRELOAD", key: "LD_PRELOAD", wantErr: true},
+		{name: "reserved LD_LIBRARY_PATH", key: "LD_LIBRARY_PATH", wantErr: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := ValidateBuildEnvKey(tt.key)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateBuildEnvKey(%q) error = %v, wantErr %v", tt.key, err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestValidateBuildEnvValue(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		value   string
+		wantErr bool
+	}{
+		// Valid values
+		{name: "simple URL", value: "https://npm.corp.example.com", wantErr: false},
+		{name: "URL with path", value: "https://artifactory.corp.example.com/api/npm/npm-remote/", wantErr: false},
+		{name: "URL with port", value: "https://registry.example.com:8443", wantErr: false},
+		{name: "simple string", value: "latest", wantErr: false},
+		{name: "comma-separated", value: "github.com/myorg/*,gitlab.mycompany.com/*", wantErr: false},
+		{name: "memory limit", value: "--max-old-space-size=4096", wantErr: false},
+		{name: "empty string", value: "", wantErr: false},
+		{name: "with equals sign", value: "key=value", wantErr: false},
+		{name: "with single quotes", value: "it's fine", wantErr: false},
+
+		// Invalid values - dangerous characters
+		{name: "backtick command substitution", value: "`whoami`", wantErr: true},
+		{name: "dollar paren command substitution", value: "$(whoami)", wantErr: true},
+		{name: "variable expansion", value: "${HOME}", wantErr: true},
+		{name: "backslash escape", value: "test\\nvalue", wantErr: true},
+		{name: "newline", value: "test\nvalue", wantErr: true},
+		{name: "carriage return", value: "test\rvalue", wantErr: true},
+		{name: "double quote", value: "test\"value", wantErr: true},
+		{name: "semicolon", value: "test;whoami", wantErr: true},
+		{name: "and chain", value: "test&&whoami", wantErr: true},
+		{name: "or chain", value: "test||whoami", wantErr: true},
+		{name: "pipe", value: "test|whoami", wantErr: true},
+		{name: "output redirect", value: "test>file", wantErr: true},
+		{name: "input redirect", value: "test<file", wantErr: true},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := ValidateBuildEnvValue(tt.value)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateBuildEnvValue(%q) error = %v, wantErr %v", tt.value, err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestValidateBuildEnvEntry(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		key     string
+		value   string
+		wantErr bool
+	}{
+		{
+			name:    "valid entry",
+			key:     "NPM_CONFIG_REGISTRY",
+			value:   "https://npm.corp.example.com",
+			wantErr: false,
+		},
+		{
+			name:    "invalid key",
+			key:     "npm_config_registry",
+			value:   "https://npm.corp.example.com",
+			wantErr: true,
+		},
+		{
+			name:    "invalid value",
+			key:     "NPM_CONFIG_REGISTRY",
+			value:   "$(whoami)",
+			wantErr: true,
+		},
+		{
+			name:    "reserved key",
+			key:     "PATH",
+			value:   "/usr/local/bin",
+			wantErr: true,
+		},
+		{
+			name:    "both invalid",
+			key:     "path",
+			value:   "$(whoami)",
+			wantErr: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			err := ValidateBuildEnvEntry(tt.key, tt.value)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ValidateBuildEnvEntry(%q, %q) error = %v, wantErr %v", tt.key, tt.value, err, tt.wantErr)
+			}
+		})
+	}
+}
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 4eebcd23f..fe1fb645c 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -34,6 +34,7 @@ type Config struct {
 	OTEL                   OpenTelemetryConfig `yaml:"otel,omitempty"`
 	DefaultGroupMigration  bool                `yaml:"default_group_migration,omitempty"`
 	DisableUsageMetrics    bool                `yaml:"disable_usage_metrics,omitempty"`
+	BuildEnv               map[string]string   `yaml:"build_env,omitempty"`
 }
 
 // Secrets contains the settings for secrets management.
diff --git a/pkg/config/interface.go b/pkg/config/interface.go
index 39afd332a..d6d9da30b 100644
--- a/pkg/config/interface.go
+++ b/pkg/config/interface.go
@@ -23,6 +23,13 @@ type Provider interface {
 	SetCACert(certPath string) error
 	GetCACert() (certPath string, exists bool, accessible bool)
 	UnsetCACert() error
+
+	// Build environment operations
+	SetBuildEnv(key, value string) error
+	GetBuildEnv(key string) (value string, exists bool)
+	GetAllBuildEnv() map[string]string
+	UnsetBuildEnv(key string) error
+	UnsetAllBuildEnv() error
 }
 
 // DefaultProvider implements Provider using the default XDG config path
@@ -88,6 +95,31 @@ func (d *DefaultProvider) UnsetCACert() error {
 	return unsetCACert(d)
 }
 
+// SetBuildEnv validates and sets a build environment variable
+func (d *DefaultProvider) SetBuildEnv(key, value string) error {
+	return setBuildEnv(d, key, value)
+}
+
+// GetBuildEnv returns a specific build environment variable
+func (d *DefaultProvider) GetBuildEnv(key string) (value string, exists bool) {
+	return getBuildEnv(d, key)
+}
+
+// GetAllBuildEnv returns all build environment variables
+func (d *DefaultProvider) GetAllBuildEnv() map[string]string {
+	return getAllBuildEnv(d)
+}
+
+// UnsetBuildEnv removes a specific build environment variable
+func (d *DefaultProvider) UnsetBuildEnv(key string) error {
+	return unsetBuildEnv(d, key)
+}
+
+// UnsetAllBuildEnv removes all build environment variables
+func (d *DefaultProvider) UnsetAllBuildEnv() error {
+	return unsetAllBuildEnv(d)
+}
+
 // PathProvider implements Provider using a specific config path
 type PathProvider struct {
 	configPath string
@@ -159,6 +191,31 @@ func (p *PathProvider) UnsetCACert() error {
 	return unsetCACert(p)
 }
 
+// SetBuildEnv validates and sets a build environment variable
+func (p *PathProvider) SetBuildEnv(key, value string) error {
+	return setBuildEnv(p, key, value)
+}
+
+// GetBuildEnv returns a specific build environment variable
+func (p *PathProvider) GetBuildEnv(key string) (value string, exists bool) {
+	return getBuildEnv(p, key)
+}
+
+// GetAllBuildEnv returns all build environment variables
+func (p *PathProvider) GetAllBuildEnv() map[string]string {
+	return getAllBuildEnv(p)
+}
+
+// UnsetBuildEnv removes a specific build environment variable
+func (p *PathProvider) UnsetBuildEnv(key string) error {
+	return unsetBuildEnv(p, key)
+}
+
+// UnsetAllBuildEnv removes all build environment variables
+func (p *PathProvider) UnsetAllBuildEnv() error {
+	return unsetAllBuildEnv(p)
+}
+
 // KubernetesProvider is a no-op implementation of Provider for Kubernetes environments.
 // In Kubernetes, configuration is managed by the cluster, not by local files.
 type KubernetesProvider struct{}
@@ -225,6 +282,31 @@ func (*KubernetesProvider) UnsetCACert() error {
 	return nil
 }
 
+// SetBuildEnv is a no-op for Kubernetes environments
+func (*KubernetesProvider) SetBuildEnv(_, _ string) error {
+	return nil
+}
+
+// GetBuildEnv returns empty for Kubernetes environments
+func (*KubernetesProvider) GetBuildEnv(_ string) (value string, exists bool) {
+	return "", false
+}
+
+// GetAllBuildEnv returns empty map for Kubernetes environments
+func (*KubernetesProvider) GetAllBuildEnv() map[string]string {
+	return make(map[string]string)
+}
+
+// UnsetBuildEnv is a no-op for Kubernetes environments
+func (*KubernetesProvider) UnsetBuildEnv(_ string) error {
+	return nil
+}
+
+// UnsetAllBuildEnv is a no-op for Kubernetes environments
+func (*KubernetesProvider) UnsetAllBuildEnv() error {
+	return nil
+}
+
 // NewProvider creates the appropriate config provider based on the runtime environment
 func NewProvider() Provider {
 	if runtime.IsKubernetesRuntime() {
diff --git a/pkg/config/interface_test.go b/pkg/config/interface_test.go
index 71a5822ed..43813ca20 100644
--- a/pkg/config/interface_test.go
+++ b/pkg/config/interface_test.go
@@ -346,3 +346,119 @@ func TestProviderRegistryOperations(t *testing.T) {
 		assert.NoError(t, err)
 	})
 }
+
+func TestProviderBuildEnvOperations(t *testing.T) {
+	t.Parallel()
+	logger.Initialize()
+
+	t.Run("PathProvider_BuildEnvOperations", func(t *testing.T) {
+		t.Parallel()
+		tempDir := t.TempDir()
+		configPath := filepath.Join(tempDir, "buildenv_config.yaml")
+		provider := NewPathProvider(configPath)
+
+		// Create initial config
+		_, err := provider.LoadOrCreateConfig()
+		require.NoError(t, err)
+
+		// Test GetAllBuildEnv when empty
+		envVars := provider.GetAllBuildEnv()
+		assert.Empty(t, envVars)
+
+		// Test GetBuildEnv when not set
+		value, exists := provider.GetBuildEnv("NPM_CONFIG_REGISTRY")
+		assert.False(t, exists)
+		assert.Equal(t, "", value)
+
+		// Test SetBuildEnv
+		err = provider.SetBuildEnv("NPM_CONFIG_REGISTRY", "https://npm.corp.example.com")
+		assert.NoError(t, err)
+
+		// Test GetBuildEnv after setting
+		value, exists = provider.GetBuildEnv("NPM_CONFIG_REGISTRY")
+		assert.True(t, exists)
+		assert.Equal(t, "https://npm.corp.example.com", value)
+
+		// Test SetBuildEnv with multiple variables
+		err = provider.SetBuildEnv("GOPROXY", "https://goproxy.corp.example.com")
+		assert.NoError(t, err)
+
+		// Test GetAllBuildEnv with multiple variables
+		envVars = provider.GetAllBuildEnv()
+		assert.Len(t, envVars, 2)
+		assert.Equal(t, "https://npm.corp.example.com", envVars["NPM_CONFIG_REGISTRY"])
+		assert.Equal(t, "https://goproxy.corp.example.com", envVars["GOPROXY"])
+
+		// Test UnsetBuildEnv
+		err = provider.UnsetBuildEnv("NPM_CONFIG_REGISTRY")
+		assert.NoError(t, err)
+
+		value, exists = provider.GetBuildEnv("NPM_CONFIG_REGISTRY")
+		assert.False(t, exists)
+		assert.Equal(t, "", value)
+
+		// Verify GOPROXY still exists
+		value, exists = provider.GetBuildEnv("GOPROXY")
+		assert.True(t, exists)
+		assert.Equal(t, "https://goproxy.corp.example.com", value)
+
+		// Test UnsetAllBuildEnv
+		err = provider.UnsetAllBuildEnv()
+		assert.NoError(t, err)
+
+		envVars = provider.GetAllBuildEnv()
+		assert.Empty(t, envVars)
+	})
+
+	t.Run("PathProvider_BuildEnvValidation", func(t *testing.T) {
+		t.Parallel()
+		tempDir := t.TempDir()
+		configPath := filepath.Join(tempDir, "buildenv_validation_config.yaml")
+		provider := NewPathProvider(configPath)
+
+		// Create initial config
+		_, err := provider.LoadOrCreateConfig()
+		require.NoError(t, err)
+
+		// Test invalid key format
+		err = provider.SetBuildEnv("invalid_key", "value")
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "invalid environment variable name")
+
+		// Test reserved key
+		err = provider.SetBuildEnv("PATH", "/usr/local/bin")
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "reserved")
+
+		// Test invalid value with shell metacharacters
+		err = provider.SetBuildEnv("TEST_VAR", "$(whoami)")
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "dangerous characters")
+	})
+
+	t.Run("KubernetesProvider_BuildEnvOperations", func(t *testing.T) {
+		t.Parallel()
+		provider := NewKubernetesProvider()
+
+		// Test SetBuildEnv (should be no-op)
+		err := provider.SetBuildEnv("NPM_CONFIG_REGISTRY", "https://npm.corp.example.com")
+		assert.NoError(t, err)
+
+		// Test GetBuildEnv (should return empty)
+		value, exists := provider.GetBuildEnv("NPM_CONFIG_REGISTRY")
+		assert.False(t, exists)
+		assert.Equal(t, "", value)
+
+		// Test GetAllBuildEnv (should return empty map)
+		envVars := provider.GetAllBuildEnv()
+		assert.Empty(t, envVars)
+
+		// Test UnsetBuildEnv (should be no-op)
+		err = provider.UnsetBuildEnv("NPM_CONFIG_REGISTRY")
+		assert.NoError(t, err)
+
+		// Test UnsetAllBuildEnv (should be no-op)
+		err = provider.UnsetAllBuildEnv()
+		assert.NoError(t, err)
+	})
+}
diff --git a/pkg/config/mocks/mock_provider.go b/pkg/config/mocks/mock_provider.go
index 040507b29..f59811998 100644
--- a/pkg/config/mocks/mock_provider.go
+++ b/pkg/config/mocks/mock_provider.go
@@ -40,6 +40,35 @@ func (m *MockProvider) EXPECT() *MockProviderMockRecorder {
 	return m.recorder
 }
 
+// GetAllBuildEnv mocks base method.
+func (m *MockProvider) GetAllBuildEnv() map[string]string {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetAllBuildEnv")
+	ret0, _ := ret[0].(map[string]string)
+	return ret0
+}
+
+// GetAllBuildEnv indicates an expected call of GetAllBuildEnv.
+func (mr *MockProviderMockRecorder) GetAllBuildEnv() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetAllBuildEnv", reflect.TypeOf((*MockProvider)(nil).GetAllBuildEnv))
+}
+
+// GetBuildEnv mocks base method.
+func (m *MockProvider) GetBuildEnv(key string) (string, bool) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "GetBuildEnv", key)
+	ret0, _ := ret[0].(string)
+	ret1, _ := ret[1].(bool)
+	return ret0, ret1
+}
+
+// GetBuildEnv indicates an expected call of GetBuildEnv.
+func (mr *MockProviderMockRecorder) GetBuildEnv(key any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "GetBuildEnv", reflect.TypeOf((*MockProvider)(nil).GetBuildEnv), key)
+}
+
 // GetCACert mocks base method.
 func (m *MockProvider) GetCACert() (string, bool, bool) {
 	m.ctrl.T.Helper()
@@ -102,6 +131,20 @@ func (mr *MockProviderMockRecorder) LoadOrCreateConfig() *gomock.Call {
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "LoadOrCreateConfig", reflect.TypeOf((*MockProvider)(nil).LoadOrCreateConfig))
 }
 
+// SetBuildEnv mocks base method.
+func (m *MockProvider) SetBuildEnv(key, value string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "SetBuildEnv", key, value)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// SetBuildEnv indicates an expected call of SetBuildEnv.
+func (mr *MockProviderMockRecorder) SetBuildEnv(key, value any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetBuildEnv", reflect.TypeOf((*MockProvider)(nil).SetBuildEnv), key, value)
+}
+
 // SetCACert mocks base method.
 func (m *MockProvider) SetCACert(certPath string) error {
 	m.ctrl.T.Helper()
@@ -158,6 +201,34 @@ func (mr *MockProviderMockRecorder) SetRegistryURL(registryURL, allowPrivateRegi
 	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "SetRegistryURL", reflect.TypeOf((*MockProvider)(nil).SetRegistryURL), registryURL, allowPrivateRegistryIp)
 }
 
+// UnsetAllBuildEnv mocks base method.
+func (m *MockProvider) UnsetAllBuildEnv() error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UnsetAllBuildEnv")
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UnsetAllBuildEnv indicates an expected call of UnsetAllBuildEnv.
+func (mr *MockProviderMockRecorder) UnsetAllBuildEnv() *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UnsetAllBuildEnv", reflect.TypeOf((*MockProvider)(nil).UnsetAllBuildEnv))
+}
+
+// UnsetBuildEnv mocks base method.
+func (m *MockProvider) UnsetBuildEnv(key string) error {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "UnsetBuildEnv", key)
+	ret0, _ := ret[0].(error)
+	return ret0
+}
+
+// UnsetBuildEnv indicates an expected call of UnsetBuildEnv.
+func (mr *MockProviderMockRecorder) UnsetBuildEnv(key any) *gomock.Call {
+	mr.mock.ctrl.T.Helper()
+	return mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "UnsetBuildEnv", reflect.TypeOf((*MockProvider)(nil).UnsetBuildEnv), key)
+}
+
 // UnsetCACert mocks base method.
 func (m *MockProvider) UnsetCACert() error {
 	m.ctrl.T.Helper()