Thanks for the suggestion @grouville, I gave it a try under https://github.com/dagger/dagger/pull/12922/changes/0fb4d41a03569731d1eab65ca11241a86940d56f and it seems to be working.

But that seems safer than accidentally reusing a checkout when kept .git state / tags actually changed the result.

erring on the side of safety feels good, especially since this rebase is rather large. Maybe we could come back to it later if we really want to.

PS the above link is to a temporary PR i've been testing with, once I get everything passing I'll try to merge or squash it into the existing lockfile PR.

Summary

Fixes #13046 by making the module implementation-scoped cache identity include the AsModuleVariantDigest computed by moduleSource.asModule. Toolchain constructor customization defaults are part of that variant digest, so changing a default from alpha to beta now gives omitted-argument calls a distinct function cache key.

The change also persists AsModuleVariantDigest in the module payload so imported persisted modules keep the same variant-sensitive identity.

Testin...

cached-execs and use-cached-exec-service also needed an update but the corresponding tests were passing because their failure was silenced when they were marked as flaky in 6fdf164c7f.

This commit removes the mark and updates the golden tests.

Problem

Workspace.path should return the path of the detected workspace. Today, in some cases, it returns the path where workspace detection started.

Repro:

cd PATH/TO/WORKSPACE/subdir
dagger core current-workspace path
# actual: subdir
# expected: . or the detected workspace path

This is inconsistent with:

dagger core current-workspace directory --path=.

which loads the detected workspace, not subdir.

Likely cause: core/workspace/detect.go sets Path from...

Fixes #13051.

Summary

Workspace.path now always reports the detected workspace path. The directory where detection started is stored separately and exposed through Workspace.cwd.

This adds WorkspaceCwd.path, WorkspaceCwd.directory, and WorkspaceCwd.file. Relative paths on those fields resolve from the current working directory within the workspace; absolute paths still resolve from the workspace boundary.

The change also keeps nested uninitialized workspace flows coherent: `w...

Refs #13051.

Summary

Workspace.file and Workspace.directory now resolve relative paths from the workspace directory, not from the nested cwd where workspace detection started.

This is intentionally narrower than fixing Workspace.path on main. The public Workspace.path behavior is left unchanged for now, while Workspace carries an internal filesystem path base for the file and directory APIs.

For remote rootfs-backed workspaces, the internal filesystem path includes the dete...

Let container commands inherit a workspace

Problem

When a command runs inside a Dagger container and opens its own Dagger connection, the inner client detects its workspace from the container filesystem.

That is often the wrong workspace.

Here, "workspace" means the Workspace object selected by the outer caller: its source, config, lock state, and module layout.

For example, ../dagger_e2e-helm/e2e/helm/helm_test.go runs as a Go test suite, and the tests use the Dagger SDK:

Enforcing policies with hooks/middleware in Dagger pipelines is an important enterprise feature — you want guardrails that apply consistently across all pipelines without requiring each pipeline author to implement them.

The use cases:

• Security: no container images from untrusted registries
• Compliance: all builds must produce a SBOM, all containers must be signed
• Cost: pipelines above a certain complexity require manager approval
• Quality: no deployments to production without pass...

Dagger Attributes as a concept makes sense — it's the missing metadata layer that lets functions declare capabilities and constraints without baking them into the type system.

A few use cases where attributes would shine:

1. Cache invalidation hints:

// @cache: content-addressable (invalidate only when inputs change)
// @cache: none (always re-run, e.g. for fetching external state)
// @cache: time-based (invalidate after N hours)
func (m *Module) BuildImage(src *Directory) *Contai...

Hi there!

We're currently using Dagger extensively in our company's pipelines. On some of our monolithic repositories that hold our modules, we've committed codegen and also have additional checks to verify that the codegen is in sync for a given PR.

A recent change in Dagger has seemingly made it such that dagger develop will introduce changes to go.mod and go.sum if there are upstream dependency updates. For us, this doesn't feel quite ideal as it can lead to polluting PRs with ...

we've committed codegen and also have additional checks to verify that the codegen is in sync for a given PR

We are working toward this goal, as natively supported: push to have codegen files committed (and used at runtime), migrating from dagger develop to dagger generate and generate functions will automatically come with built-in check. That to say what your doing will be the default way to deal with modules.

With that, maybe we can simply not run the go mod tidy in more ...

We are working toward this goal, as natively supported: push to have codegen files committed (and used at runtime), migrating from dagger develop to dagger generate and generate functions will automatically come with built-in check. That to say what your doing will be the default way to deal with modules.

I'm happy to see that our ideas around codegen make sense for others too 🚀

With that, maybe we can simply not run the go mod tidy in more cases. Right now, during a develop the ex...

What is the issue?

Dagger v0.20.4+ fails to load any Go-based Dagger module whose go.mod has a private transitive Go dependency (github.com/org/private/libs).

The failure happens during SDK codegen

Might have been introduced in #11826

Works on v0.20.3

Dagger version

v0.20.4

Steps to reproduce

Create a dagger module using go with a dependency on a private go library

{
"name": "test-module",
"engineVersion": "v0.20.4",
"sdk": {
"source": "go",
"config": {
...

fix test breakage introduced in 13048

Summary

Adds a statically generated __dagger.entrypoint.ts for the TypeScript SDK,
mirroring Go's dagger.gen.go. The file is emitted at the module root by
dagger develop and imports the user's classes directly — replacing the
runtime AST + reflection dispatch path with a flat switch(parentName) → switch(fnName) that the engine can jump straight into.

Design doc: design/typescript-module-entrypoint.md.

What changes

• New emitter `sdk/typescript/src/module/i...

Summary

dagger toolchain uninstall fails if the registered toolchain points at a local source path that no longer exists. In that state, uninstall should still be able to remove the toolchain registration instead of trying to resolve/load the missing source first.

Reproduction

From a Dagger repo with a local helm toolchain registered at ./toolchains/helm-dev:

1. Remove the local source directory:

   rm -rf ./toolchains/helm-dev
   

2. Try to uninstall the toolch...

Short version

This used to work on v0.20.6. On current main, it does not: a service with a PRIVATE cache mount can resolve to different hostnames through Service.Endpoint and WithServiceBinding.

Theseus made this visible: some checks start a local/dev engine or an SDK runtime, then connect a client to it.

The concrete bug is this: a lazy service graph with a CacheSharingModePrivate cache volume can get a fresh dagql privateNonce on each evaluation. Since service runtime id...

Fixes #13060

Why

PRIVATE cache mounts are supposed to isolate cache contents. They should not make the same lazy graph resolve to different service identities each time it is evaluated.

After the dagql cache migration, service hostnames are derived from the resolved graph. That made the old privateNonce behavior visible: every evaluation of a PRIVATE cache volume injected fresh identity into the graph.

So a service like this could split:

srv := dag.Containe...

Thanks both! Just wanted to also point out that my initial speculation for go mod tidy causing dependencies to be upgraded was incorrect, it's actually a go get -u that runs within the Dagger develop that is causing those. Is there any intention in keeping this behaviour when running develop?

That to say what your doing will be the default way to deal with modules.

Glad to hear that this will become a natively supported pattern though! It will simplify a lot of our existing ...

Summary

• remove Changie .changes/.next from version computation

• compute dev versions from latest stable v* git tag with a patch bump

• split release target-version regeneration into individual @generate functions

• update release checklist to run plain dagger generate

Verification

• dagger --progress=plain generate -l
• dagger --progress=plain call -m version next-patch-version
• dagger --progress=plain call -m version version
• go test . in version, toolchains/cli-dev, toolchains...

Bumps the engine group with 29 updates in the / directory:

Problem

Workspace-aware modules often need local git facts about the workspace they are operating on: HEAD, commit metadata, semver tags, and whether the worktree has uncommitted changes. Today there is no small workspace-scoped API for that.

The available option is GitRepository, which is a broad, remote-oriented git API. Using it for local workspace state leaks more model than callers need and can bring along extra behavior and perf risk. Some callers work around this by passing sepa...

[!WARNING]

To be merged only when this change will land as the CI engine. Before that we might lose the generated check.

this was only used to check generated files, but it's now built-in

What are you trying to do?

Run multiple Dagger engines in parallel in Kubernetes using StatefulSet, such as multiple across nodes

https://github.com/dagger/dagger/blob/82a4227c793d25566029a27676e8fa7abff80e68/helm/dagger/templates/engine-statefulset.yaml#L11-L14

Want to have some setting in the Helm chart to override this. For example:

engine:
  statefulSet:
    replicas: 1

Why is this important to you?

Parallelizing execution by selecting a different statefulset pod...

Summary

Moves the docs-dev reference generation breakout proposals onto a clean branch based on latest main.

This PR contains planning docs for:

• CLI reference generation via an importable Cobra command tree and a reusable Cobra docs generator
• GraphQL reference generation via live engine service introspection and a reusable SpectaQL module
• JSON schema reference generation via source-adjacent go:generate declarations

Notes

This is documentation only. It does not change gene...

Currently argument default values for arguments that are enums do not have the default value loaded in the schema, and therefore also not show in the --help text.

The dagql cache migration exposed a bad interaction between PRIVATE cache mounts and lazy service identity. PRIVATE currently injects a fresh dagql cache key input, so a service can resolve one hostname through Endpoint and another through WithServiceBinding.

This change does not remove or redesign PRIVATE. It is a small internal unblocker for the dev runtime paths that hit the issue today.

I verified this in a temporary worktree by building the engine with ./hack/dev and ru...

Noticed a handful of low-hanging cleanup fruit while catching back up. I'm sure there's more than this but sending out this batch of what I've noticed so far today.

All low-risk, mostly deleting functionally dead code. See each commit for details.

Been working on better support for tests in the Cloud UI - this PR adds the TUI equivalent, pulling logic down into dagui where it'll be shared between them.

TODO:

• [ ] Automatically enter tests UI when tests are detected?
• [ ] Integrate with dagger check - what happens when multiple checks produce tests?

Along the way:

• Prevent zeroing out ChildCount; fixes incremental loading for traces with >100k spans. With this zeroing out you could get a trace that only had the top...

Summary

• add Workspace.git and the new WorkspaceGit object for workspace-local git state
• add GitRef.committedAt
• expose head, uncommitted, latestSemverTag, and currentSemverTag
• explicitly reject git worktrees for the first pass instead of expanding the workspace boundary
• regenerate GraphQL docs and SDK bindings

Fixes #13064.

Tests

• git diff --check
• GOCACHE=/tmp/go-build go test ./core/workspace
• `GOOS=linux GOARCH=amd64 GOCACHE=/tmp/go-build go test -c ...

The change in #13071 removed a comment line, changing the line numbers in go-based dagger runtimes prompting a regeneration.

Nested Dagger commands can run with their own process-level presentation settings even when they inherit OpenTelemetry baggage from a parent command. In particular, TestDaggerUp starts an inner dagger CLI with NO_COLOR=true and DAGGER_PROGRESS=logs so it can parse the tunnel log line that contains the random host port.

telemetry.Init extracts trace context and baggage from the environment. When inherited baggage is present, OpenTelemetry baggage extraction replaces the baggage already on t...

The Vault secret provider helper starts hashicorp/vault:1.18 as a Dagger service and then talks to it on port 8200. That image has OCI EXPOSE metadata for 8200/tcp, but Dagger does not currently promote image EXPOSE metadata into Container.Ports for service healthchecks or service port introspection.

This matches the existing note in core/integration/container_test.go around line 4831: after Import or container.From, ports can show up under image config, but do not actually get set up as D...

We have been investigating rare CI hangs where engine work appeared to stall behind container execution. The strongest captured evidence was not a dagql cache or Directory.Entries deadlock: the goroutine dump showed Dagger blocked inside go-runc's monitor wait for a runc run, while ps output showed the corresponding runc process still alive and its .init child stuck as a zombie.

That zombie process was the key breadcrumb. It pointed the investigation away from Dagger dependency trave...

Bumps the sdk-java group in /sdk/java with 4 updates: com.fasterxml.jackson:jackson-bom, io.smallrye:smallrye-graphql-client-api, io.smallrye:smallrye-graphql-client-implementation-vertx and com.palantir.javapoet:javapoet.

Updates com.fasterxml.jackson:jackson-bom from 2.21.2 to 2.21.3

Commits

374fbd0 [maven-release-plugin] prepare release jackson-bom-2.21.3
7059df7 Prep for 2.21.3 release
2fd60bd Merge b...

Bumps the sdk-typescript group in /sdk/typescript with 9 updates:

Bumps the engine group with 28 updates in the / directory:

I don't have the data right now, but i've been monitoring dagger engine v0.20.6 last week and it was OOMing despite having 64GB of RAM.

Need to identify what's leaking and see if a fix can be backported to 0.20.

This simplifies our CI by removing a special case. Specifically, 'go generate' works as expected, its output can always be checked in git, and CI can check for an empty diff when calling it post-push.

The price to pay is that we track 4 small binary objects in git. This pattern is officially recommended by upstream ebpf tooling: per https://ebpf-go.dev/guides/portable-ebpf/ :

We recommend building eBPF C code from within a container with a stable LLVM toolchain, as well as checking all ge...

Problem

The core Git API currently models branches, tags, HEAD, and commit IDs through GitRef. That works well for ref lookup and tree checkout, because a commit ID can be used as a ref-like revision.

But commit metadata does not belong directly on GitRef. A ref is a pointer or name that resolves to a commit; the commit itself is the immutable object that has author, committer, message, parent, and tree metadata.

Today this leaves no clean place to expose commit details such as comm...

Summary

This PR fixes the missing shared result failure mode that could show up after an earlier failed module SDK/type-def generation attempt. The root cause was that execution metadata persisted encoded dagql object/call IDs such as module IDs, function calls, and other loadable graph handles. If the first attempt failed at the wrong point, a later retry could read stale execution metadata from cache and try to reload graph state that was no longer valid, producing errors like `failed...

Summary

• add a new GitCommit core type with commit metadata fields and tree checkout support
• add GitRef.asCommit and make GitRepository.commit(id:) return GitCommit for v0.21.0+ while preserving the legacy GitRef return for older schema views
• regenerate the Go SDK and add focused parser/integration coverage

Fixes #13086

Verification

• GOOS=linux GOARCH=amd64 go test -c ./core -o /tmp/core.test
• GOOS=linux GOARCH=amd64 go test -c ./core/schema -o /tmp/schema.test
• GOOS=linux GOA...

What is the issue?

Description

Since Dagger v0.20.7, @function-decorated methods inherited from parent classes are no longer visible in dagger functions output or dagger call --help. They were working correctly in v0.20.6.

Root Cause

PR #11803 ("feat(sdk/python): AST based analysis to introspect"), backported into v0.20.7, replaced the runtime-based introspection with a static AST parser.
Before (v0.20.6): The SDK used inspect.getmembers(cls) which traverses the Python ...

Summary

• Fixes #13089. Inherited @function methods stopped showing up in dagger functions / dagger call --help when the Python SDK switched from runtime introspection to a static AST analyzer in v0.20.7 (#11803). The new analyzer iterated only over a class's own node.body and never walked base classes for @function methods, while inspect.getmembers() previously discovered them via Python's MRO.
• The fix mirrors the existing _find_inherited_constructor pattern: a new `_find...

Summary

The AST analyzer used by dagger develop for the Python SDK didn't handle relative imports correctly:

• from . import x raised ValueError because importlib.import_module was called with an empty module name.
• from .x import y (and other dotted relative forms) fell through to importlib, where they either errored or silently resolved to the wrong top-level module.

This meant a Dagger module split across multiple files using ordinary Python relative imports could fail t...

This PR allows us to switch off the new Python module AST analyzer (introduced at commit d3a8152) using an environment variable "DAGGER_PYTHON_SDK_LEGACY". This is a temporary solution to prevent widespread breakage.

Summary

The AST analyzer used by dagger develop for the Python SDK silently mishandled module-level type aliases such as:

Source = Annotated[dagger.Directory, dagger.DefaultPath(".")]

@dagger.object_type
class Foo:
    @dagger.function
    def build(self, src: Source) -> dagger.Container: ...

Two things went wrong:

• Type resolution: Source was never registered in the analyzer's namespace, so _resolve_name fell through to its catch-all path and warn-assumed `So...

Running dagger lock update, when the file doesn't exist, should create an empty file rather than return an error.

Why

The Python SDK's static AST analyzer (introduced in #11803) replaced the
runtime typing.get_type_hints() introspection that used to back
dagger develop / dagger functions. The runtime path quietly handled
a lot of Python's surface area — aliases, MRO walks, type-alias
re-exports, optional wrappings, cross-file imports — because Python
itself does that work for you. The AST analyzer does it from scratch
against the parse tree, so each Python idiom that the analyzer doesn't
expl...

This reverts commit bcb2193d97ae78e6f404979fe6b278d19d739be7.

Despite the welcome speed gains, it is not ready for general availability due to gaps in feature coverage.

What happened

In v0.20.7 (#11803) we changed how the Python SDK reads your module to register it with the engine. The old way ran your code; the new way reads it as text only. Reading text instead of running code is the right long-term move — it unlocks a feature called "self calls" — but the new reader doesn't yet recognise everything Python can express.

That means modules that worked fine in v0.20.6 may now register the wrong types or skip parts of the schema in v0.20.7 and later.

...

Summary

• cancel withExec calls when a bound service exits so the service failure is surfaced
• propagate bound-service exits through container-backed services
• suppress service-exit propagation for interactive terminals so the user's shell stays open

Tests

• dagger call --progress=dots engine-dev test --run 'TestServices/TestServiceDependencyExitShortCircuits' --pkg ./core/integration/
• `dagger call --progress=dots engine-dev test --run 'TestModule/TestDaggerTerminal/bound ser...

Bumps the engine group with 30 updates in the / directory:

The Dagger example linked also linked to OpenMeter, now it points to the correct repo.

Also removed OpenMeter from the list of examples as they no longer use Dagger, could alternatively link to an older revision of OpenMeter.

What are you trying to do?

Coming from the Go SDK, I'm really used to the With function on types, because it allows using the builder pattern without breaking it up into different parts.

For example:

container.
    WithEnvVar("FOO", "BAR").
    With(cacheMounts)

I think this should already be possible to implement using blocks?

Why is this important to you?

Nicer code :)

How are you currently working around this?

I don't :(

Follow-up to #13098 which only partially addressed parallel initialization races.

Bumps the engine group with 30 updates in the / directory:

Fix nested client session resolution

Main goal here is to fix a regression introduced by fix: builtin dang dependency module loading (#13007).

• It resulted in occasional errors like Error: failed to load module source dependencies: loading workspace: workspace detection: failed to stat path: failed to get requester session: session for "v51anobcgxoitkmvey93jzs6z" not found

The first commit is the direct fix: it separates exact clie...

Hit a failed run in CI due to race detector going off during test: https://dagger.cloud/dagger/checks/github.com/dagger/dagger@a1fb6be1af1460b4470021e69ba126463cd0fcb6?check=test-split:test-base&span=59440d44c1f434db&viewMode=trace

TestUserDefaults/TestSimple runs table cases under the integration suite's parallel middleware. The test built one shared base container in the outer function scope and then one table case reassigned that shared variable from inside its parallel subtest when app...

Summary

Replaces the Go SDK's packages.Load-based source analysis with a pure AST scan and folds type discovery into the same generate-module codegen call that produces the bindings. The standalone generate-typedefs codegen path and the Go SDK's moduleTypes engine entrypoint are both removed.

What changes

• New cmd/codegen/generator/go/astscan package — go/parser + go/ast walker that extracts a module's declared types and resolves references against the introspection sc...

What does this look like in practice?

What is the issue?

We're seeing some layer-cache misses where we'd expect hits since the buildkit removal. Two parallel checks resolving to an identical withExec() chain each run the the underlying exec. Pre PR-#11856, the same chain was deduped and only ran one exec.

Dagger version

dagger v0.20.6 (but running hack/dev from main)

Steps to reproduce

# src/dedupe/main.py
import dagger
from dagger import dag, check, function, object_type

CACHE_KEY = "dedupe_probe"
...

This was causing log telemetry to be dropped when running Dagger's Vitest integration in dagger check, while working fine in dagger run.

Not sure if there was a good reason for this check - it's valid to not have a schema URL. Maybe it mattered at an earlier revision?

In https://github.com/dagger/dagger/pull/13049#pullrequestreview-4248120719 we realized that new files needed to be added.

That prompts the question: when upgrading dagger versions, but keeping an old version specified in dagger.json, the generated bindings should honor the version in the dagger.json.

Closes #13066.

Tiny fix, but useful imo: StatefulSet.spec.replicas was hardcoded to 1, so the chart could not scale StatefulSet engines even when users passed a replicas value.

Repro before this patch:

helm template repro helm/dagger \
  --set engine.kind=StatefulSet \
  --set engine.statefulSet.replicas=3

Expected spec.replicas: 3, got spec.replicas: 1 because the template had the value baked in.

This adds engine.statefulSet.replicas with the same default of 1, so ...

Use the session ID as the default DagQL concurrency key so equivalent in-flight calls can be single-flighted across clients in the same session.

Add same-session fallback for secret and socket session resources when the original client attachable is no longer available. This intentionally does not cover host services or mid-stream SSH forwarding retry.

Fix for https://github.com/dagger/dagger/issues/13112, but requires some more validation; deduping inflight requests is good but ...

Background

Module type generation currently has SDKs construct a container that writes a module ID to a file, then the server reads that ID back. That path is being reworked separately, but the current implementation is flaky: the written ID can be handle-based, and if that handle goes stale before the dependency wiring catches up, module type generation can fail intermittently.

This change is a narrower fix for that race while the larger module types rework is still in progress.

Cha...

Summary

• Re-enable TestConnectOption in the Go SDK test suite
• Replace io.Pipe log capture with a thread-safe buffer because io.Pipe was hanging at Connect
• Update the assertions to match the current connection and log output more reliably

What I changed

This updates sdk/go/client_test.go to make TestConnectOption work again.

The previous version of the test was skipped because it was broken and producing empty output. In practice, the io.Pipe approach was hanging at ...

Summary

• Disable Git auto-maintenance and auto-gc for ephemeral changeset merge repositories.
• Add context to temporary .git cleanup errors in the changeset merge paths.
• Rename engine snapshotter temp mount directories from buildkit-mount to dagger-mount.

Why

CI has seen flaky unlinkat failures while removing the temporary .git directory used during generated changeset checks. This is still a hypothesis rather than a proven root cause, but the current evidence points at...

Summary

dagger check dagger-dev:generated spends a lot of time in go:generate-dagger-runtimes, but the Go runtime generation work was being forced serially across modules.

This changes GenerateDaggerRuntimes to generate per-module runtime layers in parallel, using the existing Go toolchain limit setting. The default limit is bumped to 10, and generated layers are applied back in module order so the final changeset remains deterministic.

The generated Go bindings were updated for...

Summary

• Replace eager per-operation containerd lease creation with a lazy operation lease scope.
• Ensure the lazy lease at snapshot/content boundaries that actually need containerd lease membership, with existing explicit fallback leases still available outside DAGQL operation scopes.
• Add focused coverage for lazy lease behavior, DAGQL lease acquisition, and snapshot manager create boundaries.

Root Cause

The e-graph-era operation lease provider eagerly called leaseutil.WithLease b...

Summary

• Flatten lazy Directory.withDirectory chains so evaluating the final directory only materializes the base and each source once, then applies the chain in a single pass.
• Reuse that directory chain replay for Container.withDirectory chains, including mounted directory targets, while conservatively falling back for named owner resolution that requires parent filesystem lookup.
• Add integration coverage for layered chained directory/container semantics, mounted container direc...

Bumps the sdk-java group with 7 updates in the /sdk/java directory:

Bumps the sdk-typescript group with 13 updates in the /sdk/typescript directory:

Bumps the sdk-elixir group in /sdk/elixir with 2 updates: ex_doc and jason.

Updates ex_doc from 0.40.1 to 0.40.2

Changelog
Sourced from ex_doc's changelog.

v0.40.2 (2026-05-08)

Bug fixes

Add rel="nofollow" to external links in HTML output
Use blockquote in llms.txt description
Void elements in epub, such wbr, must be terminated by the matching end-tag
Fix content container scrolling in older ve...

Bumps the engine group with 31 updates in the / directory:

Summary

• Adds dagger module-checks @ — an experimental Cloud-discovery subcommand that fetches the recorded checks for a given commit and renders a colored progress bar + grouped per-check table.
• Two flags for non-interactive consumers:
  • --json emits a stable JSON document (matched commit, refs, summary counts, per-check status/duration/traceId/traceUrl).
  • --watch refetches and redraws every 5 seconds until interrupted; works for both human and JSON output.
• Factors a reus...

Thanks both! Just wanted to also point out that my initial speculation for go mod tidy causing dependencies to be upgraded was incorrect, it's actually a go get -u that runs within the Dagger develop that is causing those. Is there any intention in keeping this behaviour when running develop?

We might be able to get the dagger package without dynamically add it to the module's code if we don't codegen at runtime because we would assume the go.mod of that module is right.
We could just a...

test

What changed

This fixes the Helm e2e package under the filtered golang:check workspace.

• Include e2e/helm/dagger.json in the Helm test workspace inputs so the runtime module config matches the generated Go client.
• Harden version.New so it only stores a Git repository when the provided .git directory can actually resolve HEAD; otherwise it uses the existing fallback version path.

Why

TestInstallK3S mounts dag.DaggerCli().Binary() into the Helm/kubectl container. The ...

This PR adds first-class Incus runtime support to Dagger and hardens the image loading/extraction path so it correctly handles modern Linux rootfs layouts.

The user-facing runtime name is now consistently Incus, not LXC. The implementation aligns with the incus CLI/daemon and image+incus://... engine config format, which matches how users actually install and operate the runtime.

This PR also improves the Incus image conversion path to be safer and more compatible with real-worl...

Recently the bitbucket public repo seems to have been cleaned up by Atlassian. We believe this is due to inactivity, as reported by other Reddit members.

No warning emails seem to have been sent on their end. Instead of re-enabling until they wipe it out again, let's commit and re-enable in the future if needed

Problem

Runtime modules are still handled like normal module sources. That makes engine-bundled SDK runtimes harder to expose, list, and cache as first-class sources.

Solution

Add a built-in module catalog and a BUILTIN_SOURCE module kind. Add GraphQL fields to resolve one built-in source or list the catalog. Load bundled runtimes from their embedded rootfs when a manifest digest is available. Keep git-backed fallbacks for other runtimes. Regenerate SDKs and API docs.

Problem

SDK runtime modules need stable names. Today, callers must know where each runtime module lives. That makes module references harder to use and harder to move.

Solution

Add built-in module sources backed by an engine catalog. Dagger can now resolve names like python-runtime and typescript-runtime through the GraphQL API. The change also exposes catalog listing, persists built-in source metadata, resolves built-in dependencies, and regenerates SDK and API references.

NixOS and Nix-built distroless images expose the system CA bundle as a symlink into a read-only /nix/store target, so commonInstaller's append path can't write through it. Add a nixosLike installer that detects NixOS via /etc/NIXOS or ID=nixos/ID_LIKE=nixos, locates the bundle via $SSL_CERT_FILE (falling back to /etc/ssl/certs/ca-certificates.crt), materializes the symlink as a writable regular file for the duration of the exec, and restores the symlink on uninstall.

Also adds a small Cont...

Problem

@tiborvass reported a false-positive cache hit around inline module dependencies and contextual directory defaults. The important shape is: module A calls module B, B loads a host directory through an annotated/defaultPath argument, A returns a value derived from B, and a later session can reuse the cached result for A after the contextual directory used by B changed.

Reproduction

This adds TestCrossSessionInlineDependencyContextualDirChange, a focused Go-only cross-session...

Summary

When Directory.asModuleSource is called from inside a Dagger module, resolving a local module dependency can fail while loading user defaults.

It looks like DIR_SOURCE user-default loading calls Host.findUp(".env") with the module client context instead of the original caller/workspace context, so host cwd/session lookup times out.

Repro

type DirModsourceRepro {
  pub direct(ws: Workspace!): ModuleSource! {
    ws
      .directory("/", include: ["main/**", "dep...

test was broken, should have been using dagger install rather than dagger module install, which was previously changed in 338692fbd54b358b86417fcdd3ca8133b22ac67a

Summary

• Add an integration repro for a remote git tree failing after explicit local cache prune.
• Remove the separate git-snapshot metadata fast path from core RemoteGitRef.Tree.
• Rely on the persistable dagql GitRef.tree result as the persistent cache authority for remote git trees.

Details

@vito found and reported a failure where a remote git tree could be fetched successfully, pruned, and then fail on the next fetch with a raw snapshot key not found error.

The repro s...

Summary

• Fixes #13059.
• Allow local toolchains to be uninstalled after their source path is deleted.
• Preserve other toolchain resolution errors.
• Add integration coverage for toolchain uninstall behavior.

Testing

• dagger call engine-dev tests
• Specific test added for this fix: dagger call -m ./toolchains/engine-dev test --pkg=./core/integration --run='TestToolchain/TestToolchainUninstall' --test-verbose -d
• dag checks 'go:lint'

Summary

• route ordinary execs with the default dagger hostname through the existing CNI namespace pool
• keep explicit hostnames and insecure execs on the fresh namespace path
• fix --oci-cni-config-path so it reads the correct flag value
• remove the stale inherited BuildKit bridge-provider mode, including networkMode=bridge, BUILDKIT_NETWORK_BRIDGE_AUTO, and the unused bridge config fields

Details

Dagger already configures a CNI namespace pool, but normal execs were not us...

Problem

When running Dagger on a headless Linux machine, such as a VPS over SSH, `dagger` may try to open a Dagger Cloud trace URL with `xdg-open`.

If no browser is available, this currently warns with output like:

```text
04:59:45 WRN failed to open URL url=https://dagger.cloud/paulvinueza30/traces/40467b9c069ba80a7977f6c45ae36c73#58fe4c21d79fc856 err="exit status 3" output="/usr/bin/xdg-open: line 881: www-browser: command not found\n/usr/bin/xdg-open: line 881: links2: command...

Change our CI to run Go linting through github.com/dagger/go.

This shifts our own Dagger usage toward the practices we advocate: reusable modules, faster checks, and less project-specific code and configuration.

This does not change Dagger runtime behavior.

What is the issue?

Reported by @danielgafni here: #typesafe message

According to him, this did not happen in v0.20.7.

Dagger version

v0.20.8

Steps to reproduce

@function
async def test_secret_override(self) -> str:
    """Reproduce with_secret_variable override regression in Dagger 0.20.8."""
    short = dag.set_secret("short", "AA")
    long = dag.set_secret("long", "BBBBBBBBB")
 ...

This reverts commit 25be7a162ff2ff8541869ab0645b39b238701582.

_expand_alias only walked bare ast.Name nodes via a while loop, so compound annotations like Name | None passed through with the alias unexpanded. The resolver then saw "Name" as an unknown type and assumed it was an object, which the engine rejected with "find mod type for function … arg … type: "Name"".

After the top-level name-expansion loop, recurse into ast.BinOp BitOr nodes and expand aliases in both operands. An identity check ensures a new node is only allocated when something ...

for https://github.com/vito/dang/pull/48

What

Make the Java codegen Maven plugin preserve and report failures from dagger query -s -M instead of suppressing stderr and handing empty stdout to schema parsing.

Why

The current Java SDK CI failure is a NullPointerException that masks the real nested Dagger query error. This diagnostic change should let CI show the underlying query stderr/stdout and exit status.

Validation

• dagger -m toolchains/java-sdk-dev call lint --progress=plain
• `dagger -m toolchains/java-sdk-...

Summary

ModuleSource.withDependencies fails when the target module source is created with Directory.asModuleSource.

This is not specific to module execution. It reproduces from a normal Dagger client. A nested helper does not avoid the bug if it constructs module sources with Directory.asModuleSource, because the resulting source kind is DIR_SOURCE.

Repro

Requirements: Go and the Dagger CLI.

tmp="$(mktemp -d)"
cd "$tmp"

mkdir -p app lib

cat > app/dagger.json < app/m...

Problem

dagger trace replayed recorded progress through the frontend, but it constructed fresh frontend options instead of using the global CLI options. That meant replay ignored verbosity and debug flags such as -v, -vvvv, and --debug.

Fix

Copy the global frontend options for trace replay and override only NoExit, preserving the existing behavior of keeping the trace UI open.

Test

• `dagger --progress=plain call engine-dev test --pkg ./cmd/dagger --run TestTraceUsesGl...

What is the issue?

As discussed with @marcosnils, I am opening this issue. Here's my original message in #help on the Discord:

Is there native Dagger support for checking out repos using Git LFS with dag.git() and having it do the full pull operation? I noticed one of my builds was failing, and when I peeked inside the container, it appears that some of the files stored in Git LFS had Git metadata in place of the actual file contents. I see some hits on this Discord about how to po...

Add an experimental CLI selection path for testing Dagger builds from a github.com/dagger/dagger git ref.

Users can pass either --x-release= or DAGGER_X_RELEASE= to run a specific unreleased CLI build. Flags take precedence over the environment when both are present. If the ref is not already a full commit SHA, the CLI resolves it through GitHub, prints the resolved SHA, and tells the user how to pin that exact build for repeatable testing.

The selected CLI is downloaded and re-exec...

Problem

A module can receive a Workspace, but it cannot load another Dagger module from that workspace.

For example, a module should be able to say: "load the module at ./foo in this workspace" and get back a ModuleSource.

Today there is no direct core API for that. The only option is to implement a module-side shim for Workspace.moduleSource().

That shim is difficult and unreliable for several reasons:

1. Low-level module loading logic must be reimplemented: walking dependenc...

Problem

When the engine pulls a container image, the TUI shows a stream of raw HTTP GET log lines. From a user on Discord:

This is still very confusing. Is it pulling an image? Is Docker having issues? Even a simple progress bar to tell me that it's trying to pull an image would be helpful.

Solution

Replace the raw log output with a proper progress display. From @vito on Discord:

We used to have a slick 2-dimensional progress bar in the TUI (X axis = layers, Y axis = per-laye...

Fixes #13147

avoids double expanding envfile values when using a Namespace.

fixes #12855
closes #12014

Remove the private cache nonce so PRIVATE cache volumes keep a stable cache key. As a stop-gap, serialize writes for PRIVATE caches the same way as LOCKED caches so behavior remains correct while avoiding the performance regression from always-unique cache volumes.

Stopgap for #13060

Summary

This PR tightens the Python SDK module analyzer around type annotations, especially type aliases, quoted annotations, and Annotated[...] metadata.

The analyzer runs during the Python SDK module-types registration path. When the engine asks the SDK runtime for a module's type definitions, the runtime discovers the module's Python source files and analyzes them without importing the user module. The analyzer produces internal ModuleMetadata, which the SDK converts into Dag...

Summary

• derive provider-secret handles for zero-length plaintext instead of treating them as missing
• add an integration repro for an empty env-backed Secret used through constructor user defaults

Root Cause

Provider-backed secrets without an explicit cache key derive their session resource handle from plaintext. Empty plaintext previously returned an empty handle, so user defaults like password=env://PASSWORD failed during object decoding when PASSWORD was set to an empty str...

I am trying to optimize my local development workflow and ensure that running a dagger call for the second time hits the cache completely (no code changes have occurred).

However, I am currently experiencing unexpected cache-misses on the second run, and certain steps are executing all over again.

I want to inspect exactly why Dagger/BuildKit is invalidating the cache for these specific steps.

• How can I see which input data, arguments, environment variables, or directory snapsh...

cache invalidation could happen because of several things like actual invalidatoins because of inputs changing, garbage collection, non-deterministic steps and of course Dagger bugs.

Is there any chance you can provide here a snippet that reproduces consistently what you're seeing? This would be the fastest way for us to provide feedback.

On top of that, if you have a https://dagger.cloud (free for single users) trace we could take a look at, that's also super useful.

Overview

This PR introduces a new --fail-on-cache-miss flag for the dagger command that allows users to enforce cache-only execution mode.

Motivation for the --fail-on-cache-miss Argument

The --fail-on-cache-miss flag serves several important purposes:

1. Cache Validation and Testing: During development and CI/CD pipelines, developers need to verify that their builds are being properly cached and served from cache. This flag enables strict cache validation by failing the ex...

I am not in a hurry. First I want to solve the issue in general before I dive into solving the particular cache-miss.

With the help of some smart tool, I create a PR which adds a new flag: --fail-on-cache-miss. My goal is to execute dagger call always twice. The second time with --fail-on-cache-miss. For my use case the overhead of the second call is fine, as long as it terminates immediatly when the second call terminate on cache-miss.

PR:

[feat: add --fail-on-cache-miss fla...

Thx for taking the time to send a PR for this. Getting something like this merged is a bit more complex than just looking at the call spans from the telemetry. Dagger has different caching layers and sometimes even when a specific step is cached, it might not appear as so in the telemetry because of different reasons

We're constantly improving this so caching is more robust and observability more consistent. As mentioned above, my advise to proceed here would be to share some traces from...

Thx for taking the time to send a PR for this. Getting something like this merged is a bit more complex than just looking at the call spans from the telemetry. Dagger has different caching layers and sometimes even when a specific step is cached, it might not appear as so in the telemetry because of different reasons

We're constantly improving this so caching is more robust and observability more consistent. As mentioned above, my advise to proceed here would be to share some traces ...

Closes #13040

Summary

Bumps the four replace directives (and matching require lines) in both go.mod and sdk/go/go.mod for the OpenTelemetry log packages from v0.16.0/v0.17.0 to v0.19.0:

• go.opentelemetry.io/otel/log
• go.opentelemetry.io/otel/sdk/log
• go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp
• go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc

Why

1. CVE-2026-39882 ([GHSA-w8rr-5gcm-pp58](https://github.com/advisories/GHSA-w8rr-5gcm...

FAQ: How do RTC bounty payments work?
#723
@Scottcjn
Scottcjn
on Mar 7 · 14 comments
Return to top

Scottcjn
on Mar 7
Maintainer
Common questions about the RustChain bounty payment process:

Q: How ...

Hey everyone! I just created a high-speed asynchronous compute core in C++ and Python. Check it out, running tests now! The GitHub view counter is live: https://github.com/nlozkina19-crypto/vector-zero-compute

Thx for taking the time to send a PR for this. Getting something like this merged is a bit more complex than just looking at the call spans from the telemetry. Dagger has different caching layers and sometimes even when a specific step is cached, it might not appear as so in the telemetry because of different reasons

Is that an issue of Dagger or buildKit LLB, that --fail-on-cache-miss can't be easily implemented?

Bumps the sdk-java group with 9 updates in the /sdk/java directory:

Bumps the sdk-typescript group in /sdk/typescript with 10 updates:

What is the issue?

When a consumer container has any WithServiceBinding(alias, svc) and is then evaluated with WithExec(...).Stdout(ctx) (or .Sync(ctx)), the exec fails immediately at host-alias setup time with:

lookup  for hosts file: lookup  on 10.87.0.1:53: no such host
lookup ..dagger.local on 10.87.0.1:53: no such host

This happens before the consumer's command runs at all — the consumer's command can be a harmless echo, never referencing the bound alias, and i...

Disclaimer: SORRY THIS IS AI SLOPPED. I however think, the analysis makes sense and the suggested fix is reasonable.

Summary

In the TypeScript SDK, marking a primitive boolean argument or class field as optional (either with ? or with a default value) breaks module introspection. The introspector tries to resolve "boolean | undefined" as a type reference and fails:

IntrospectionError: could not resolve type reference for boolean | undefined.
    at DaggerModule.resolveReferenc...

I wouldn't say it's an issue. It's just that the executor solver and the caching layer has been changed a lot recently and it wasn't so straightforward to implement a way to perform this. Now that Dagger doesn't rely on buildkit anymore, it shouldn't be as complicated.

What this fixes

The Python SDK's static module analyzer derives a module's API from its source code, without importing it. When a module is split across files, it only followed relative imports (from .params import Foo) to find names defined in sibling files.

Modules that import their own siblings absolutely (from my_pkg.params import Foo) — a common style — left those names unresolved. A type alias imported that way collapsed to an unresolved custom type instead of its real ...

Summary

Lock the TypeScript SDK Yarn cache volume so concurrent lint checks do not mutate Yarn v1 global cache at the same time.

Root Cause

ci:bootstrap can run typescript-sdk:lint-typescript and typescript-sdk:lint-docs-snippets concurrently. Both construct the same Node dev container and run yarn --cwd sdk/typescript install against the same Yarn cache volume. With the default SHARED cache mode, those installs can overlap and leave partial Yarn v1 cache entries, producing...

Testing only

This draft PR intentionally makes a tiny docs-only change so we can trigger CI and reproduce/cache-capture an intermittent Namespace outer-engine shutdown issue.

We are specifically investigating errors while the Namespace-backed outer engine writes the dagql cache persistence snapshot to disk during engine shutdown. The expected signal is in the outer engine logs near shutdown, around dagql cache close / persistence / clean-shutdown metadata handling.

This is not intended ...

The Java SDK runtime's moduleRuntime function runs mvn versions:set against the SDK parent POM. This command only modifies version strings in the POM XML, but Maven still resolves the full dependency tree (including BOM imports like jackson-bom and junit-bom and others from Maven Central).

The problem is that Maven Central started rate limiting (HTTP 429) and as a result, module loading has become flaky, sometimes completely failing. This seems to have been more common (complete failures o...

Bumps protobufjs from 7.5.4 to 7.6.0.

Release notes
Sourced from protobufjs's releases.

protobufjs: v7.6.0
7.6.0 (2026-05-18)
Features

Support BigInt conversions (7.x) (#2258) (f769242)

protobufjs: v7.5.9
7.5.9 (2026-05-17)
Bug Fixes

Backport bundler-safe optional module lookups (#2254) (0853a62)

protobufjs: v7.5.8
7.5.8 (2026-05-12)
Bug Fixes

Backport parser hardening to 7.x (#2245) (54b593f)

protobufjs: v7.5.7
7.5.7 (2026-05-09)
Bug Fixes...

If a toolchain function is called from a module function, it should forward any applicable toolchain customizations.

Treat schemeless .env values for Secret user defaults as plaintext secrets instead of address-style secret provider URIs.

This routes those values through setSecret so they resolve as Dagger Secrets without exposing the raw value in the user default console output. URI-style values such as env:// and op:// keep the existing provider behavior.

Adds regression coverage for a plaintext Secret default to ensure the displayed default is scrubbed while the secret still resolves correctly.

What changed

This fixes persisted container lazy hit reloads for Container.withNewFile.

withNewFile builds a File and stores the container using the same ContainerWithFileLazy persisted payload shape as withFile, but the persisted lazy decoder only accepted the withFile GraphQL field. After an engine restart, loading an unevaluated persisted withNewFile hit failed with unsupported field "withNewFile".

The decoder now accepts both withFile and withNewFile for that pay...

Summary

Remove stale wording from the cache-expert skill that claimed the reference docs were very old / unavailable. Keep the existing pointer to references/debugging.md for test-running and debugging workflow.

Validation

• git diff --check upstream/main...HEAD
• confirmed stale wording is absent from skills/cache-expert/SKILL.md

Summary

This PR adds a focused integration repro for a persisted source-backed cache volume mount failure, then fixes the persisted cache volume decode path.

After a persisted engine restart, CacheVolume reopened its mutable snapshot by snapshot ID without restoring the exec.cachemount record type that fresh cache-volume initialization sets. That record type is required for mutable cache mounts to use the existing shareable mount wrapper. Without it, concurrent execs mounting the sam...

Summary

Draft PR for CI-only testing. The diff is intentionally inert; it exists only to trigger CI so we can investigate intermittent disk-full failures on Namespace-backed outer engines.

The suspected failure mode is not caused by this README marker. We are trying to observe jobs where the outer engine restarts from previously used disk state, then collect failing traces, Namespace instance details, outer-engine logs, pruning logs, and engine metrics around disk usage.

Validation

...

Great, can you give me some hints how to implement a way how to debug cache misses automatically?

Current idea: run dagger twice. The second call should fail if there is a cache miss. But if you have better ideas how to implement it, then please tell me!

Allow to install Wolfi packages in the playground

$ dagger call engine-dev playground --extra-packages openssh

What is the issue?

We're seeing secrets print to the TUI console (withMountedSecret step) since 0.20.8 on main. This seems to be related to dagql caching introduced in PR #11856.

Eg,

9   : ReproCacheIssueDagger.test: String!
10  : ┆ Container.from(address: "alpine:latest"): Container!
10  : ┆ Container.from DONE [0.1s]
11  : ┆ Container.withMountedSecret(
11  : ┆ ┆ path: "/123"
11  : ┆ ┆ source: setSecret(name: "toast", plaintext: "<>"): Secret!
11  : ┆ ): Container!
11  : ┆ Contain...

Summary

• use Dang binding origins to distinguish local types from imported Dagger core types
• avoid exporting imported bindings as Dang module definitions
• add integration coverage for local Container/Directory shadowing and explicit Dagger.Container
• bump Dang to the version containing the language-side shadowing fixes

Tests

• dagger call --progress=dots engine-dev test --pkg ./core/sdk/
• `dagger call --progress=dots engine-dev test --run 'TestDang/TestCoreTypeShadowing...

ResultCall.callPB / resultCallArgPB encodes the call protobuf used for the
DagCall telemetry span attribute (core/telemetry.go). It emitted arg values
verbatim and ignored ResultCallArg.IsSensitive, so sensitive arguments such
as setSecret(plaintext:) were sent to telemetry and rendered unredacted in
the CLI --progress output (e.g. as the embedded source: of withMountedSecret).

This regressed in #11856 ("migrate all caching to dagql"): the old call.ID
path redacts sensitive args via r...

Rewrite the fail-multi viztest helper so the two failing child spans are created, executed, and ended sequentially instead of through nested function arguments passed to errors.Join.

The test is meant to verify how multiple failed child spans are rendered, not to depend on evaluation or span-end ordering. Making the two failing effects explicitly ordered keeps the golden output stable while preserving the same joined-error behavior.

Summary

• harden TestEnvFile/TestSecretFile output parsing so combined stderr diagnostics cannot be decoded as scalar output
• add a stdout-only host Dagger helper and use it for socket ID scalar output passed between calls

Details

The flaky env-file test captured combined CLI output and decoded the last raw line as base64. The CLI can still emit user-default diagnostics to stderr despite -s, and combined stdout/stderr can leave those diagnostics after a trailing newline or interle...

Summary

• pin TestSecretProvider/TestVaultTTL to hashicorp/vault:1.18
• reuse that pinned image for the Vault service, copied CLI binary, and nested module Vault clients

Details

TestSecretProvider/TestVaultTTL was pulling the untagged hashicorp/vault image in several places. That tag now resolves to Vault 2.0.1, created on 2026-05-19. In this environment, the new image fails before any Dagger-specific secret-provider behavior is exercised:

sh: vault: Operation not perm...

We've been seeing issues with yarl 1.24.1:
https://dagger.cloud/dagger/traces/033d4d3ec42819ba3e721733671f69d8?listen=aeec109729c3c6ad&listen=ff30275ebbf1b697&test=TestPython/TestVersion/.python-version_takes_precedence&viewMode=tests#aeec109729c3c6ad:L131

This commit is a stopgap

Summary

• The generator scale-out path returned a Changeset whose Directory fields reference objects that only exist on the remote engine, so the local engine cannot materialize the generated files — it could never work in practice.
• Drop tryRunGeneratorScaleOut and the scale-out branch in RunGenerator; dagger generate always runs locally.
• Scale-out is preserved for dagger check and the generate-as-check flow, where only a boolean/error result crosses engines.

Test plan...

This draft PR exists to reproduce the intermittent unknown command failure in TestModule/TestFunctionCacheControl under CI.

It intentionally contains no tree changes; the branch has an empty signed-off commit so the normal CI checks run against the current code.

Plan:

• Watch test-split:test-modules for this PR.
• Rerun that Dagger Cloud check up to 30 times.
• Stop if a failure contains the unexpected unknown command signature.

Summary

This is a no-diff draft PR for validating reused cache mounts in CI.

The branch contains only an empty commit so it can produce PR CI runs. After creation, this PR number can be shared so the CI info feature can be selectively enabled for this PR, letting us observe and debug whether cache mounts on CI runners are reused across runs.

Testing

Not run locally; this PR is intended to exercise CI.

Summary

• treat SDK-only dagger.json as legacy compat state for install mutation tests
• document compat detection expectations for SDK-only root and child configs
• extend migration coverage so SDK-only config is migrated before install mutates workspace config

Tests

• go test ./core/integration -run '^$'
• `dagger --progress=logs call engine-dev test --pkg=./core/integration --run='^TestWorkspaceModules/TestWorkspaceModuleInstall/install_initializes_empty_workspace$|^TestWorkspac...

The Python SDK property-based differential test generated a module where a Dagger field was named bool:

    @dagger.object_type
    class Foo:
        bool: str = dagger.field(default="")

        @dagger.function
        def a(self) -> bool:
            ...

That source is legal Python syntax, but it is outside the supported Dagger schema grammar.

That source is outside the supported Dagger grammar: generated Dagger members should not shadow the finite set of ...

Summary

• add versions plugin flags to skip dependency and plugin processing when updating the Java SDK parent POM version
• relies on the existing mavenCommand wrapper for --no-transfer-progress

Fixes #13174

Test

• go test ./... (in sdk/java/runtime)

Summary

• fix workspace docs terminology around module settings and Cloud Checks
• expand migration, first-run recovery, CI install, security, configuration, and module author guidance
• pin script install examples and remove stale workspace-era command references

Validation

• dagger check -l
• dagger check markdown-lint:lint docs:references python-sdk:lint-docs-snippets typescript-sdk:lint-docs-snippets

The selected docs checks exited 0. Trace: https://dagger.cloud/dagger/traces/...

Summary

• Persist SearchResult, SearchSubmatch, and DiffStat values so cache-persisted list results round-trip after engine restart.
• Reject object-like values without explicit persisted-object encoding instead of silently storing them as scalar_json.
• Add dagql codec tests and disk-persistence integration coverage for Directory.search, search submatches, and Changeset.diffStats.

Validation

• `dagger --progress=plain call go test --pkgs ./dagql --run 'TestPersistedSelfC...

:robot:

The deferred EndWithCause for the lazy-evaluation resume span fired only when the goroutine returned, which was after close(waitCh). Callers awaiting Evaluate could observe completion, flush, and read exported spans before the span was ended, racing the deferred End. Wrap the eval body in an inner function so the defer fires on its return, before close(waitCh). This also ensures the resume span is ended on the operation-lease error path, where it was previously created but never en...

Summary

Restarted engines can import persisted dagql object results lazily because object payload decode needs a dagql server context. Before this change, those lazy imported results retained snapshot-owner links and leases, but local-cache usage accounting ignored them until a later cache hit materialized the object value.

This makes lazy imported snapshot-owner links participate in local-cache usage and max-used prune before payload decode. The snapshot manager now exposes direct snaps...

Summary

• update generated Go module files for golang.org/x/sys v0.45.0
• refresh generated go.mod/go.sum files across module, SDK runtime, testdata, and toolchain fixtures

Tests

• dagger --progress=plain call generated
• git diff --check

• https://github.com/vito/dang/pull/58
• contains some internal refactors

I think it would be good to assume that the go.mod is correct as is, seems like didn't cause many issues (that I'm aware of) in previous Dagger versions, but I could be wrong :)

Summary

This is a test-only change for TestLocalCachePruneReclaimsStoppedServiceSnapshots.

The underlying engine behavior is fine: stopped service snapshots are being pruned. The previous assertion measured global filesystem free space with df, which is inherently noisy under parallel integration tests and could hide the local cache reclaim signal.

This updates the test to run against an isolated nested dev engine and assert via Engine().LocalCache().EntrySet().DiskSpaceBytes(ctx)...

Summary

This PR collects a few related cache pruning and disk-pressure improvements for the engine and the engine-heavy integration checks.

Commits

• core: use available disk space for min-free pruning
  • Fixes the min-free-space pruning decision to use filesystem available bytes instead of raw free bytes, so reserved blocks do not make the engine overestimate space users can actually consume.
  • Updates the cache and server GC plumbing/tests to carry available space through the ...

What are you trying to do?

A user building a Python Dagger module creates a non-root user in a container, for example python with uid/gid 1234, and wants every directory mounted into that container to be owned by that user. Today each call has to pass the owner explicitly:

container.with_directory(path, source, owner="1234:1234")

When this logic is shared across modules, callers either need to plumb uid/gid through their own APIs, which adds boilerplate, or resolve ui...

Bumps the engine group with 31 updates in the / directory:

Draft for discussion. Stacked on the workspace branch.

What this does

Reworks the Go SDK codegen path so that:

1. A module can opt out of codegen at runtime. With
   codegen.legacyCodegenAtRuntime=false in dagger.json, the Go SDK trusts
   the committed dagger.gen.go + internal/dagger files and skips the
   in-container codegen pass at runtime (it errors with an actionable message
   if the committed files are missing).
2. **generate-module runs once for Go modules, in...

Summary

• add API-backed Dagger Cloud git source inspection/configuration commands
• add repo-first commands for info, link, unlink, transfer, and autocheck status
• project linked repos from enabled git sources, with autocheck as a read-only repo setting
• add dagger integration add github, dagger repo enable autocheck, and a post-login setup hint when a local GitHub repo needs Cloud setup

Verification

• go test ./internal/cloud ./cmd/dagger -run '^$'
• `go build -o /tmp/dagge...

Fixes a few migration issues found while dogfooding module repos.

• remove dagger workspace init and the matching schema field
• seed migrated workspace configs without verbose starter comments
• map the dang runtime to github.com/dagger/dang-sdk
• report skipped SDK installs in migrated configs and migration reports

Tests:

• go test ./cmd/dagger -run 'TestRemovedWorkspaceCommands|TestWorkspaceInitCommandRemoved|TestRootHelpShowsWorkspaceCommandGroup|TestWorkspaceFlagPolicy'\n- `go ...

Summary

• make dagger migrate include planned .dagger/lock writes in the returned changeset instead of staging lock entries during planning
• merge refreshed migrated lock data into the correct per-plan workspace lock, so nested migrations write nested .dagger/lock files
• add regression coverage for preview/discard not writing lockfiles and nested pinned refs staying out of the root lock
• update the workspace upgrade docs from config to settings terminology

Tests

• `go test...

Bumps the sdk-elixir group with 3 updates in the /sdk/elixir directory: ex_doc, jason and req.

Updates ex_doc from 0.40.1 to 0.40.3

Changelog
Sourced from ex_doc's changelog.

v0.40.3 (2026-05-21)

Enhancements

Add autolinking for Erlang/OTP 29 native records

v0.40.2 (2026-05-08)

Bug fixes

Add rel="nofollow" to external links in HTML output
Use blockquote...

What are you trying to do?

Check if a file exists in ${HOME}/foo

Why is this important to you?

No response

How are you currently working around this?

container.envVariable("HOME")

Summary

• add Query.workspace(directory:) for Directory-backed synthetic workspaces
• support file, directory, and findUp on rootfs-backed workspaces without host client metadata
• return explicit errors for unsupported synthetic workspace features and gitignore: true
• add Go SDK dag.Workspace(dir) plus synthetic workspace coverage

Tests

• go test ./core/schema
• go test ./core/integration -run '^$'\n- (cd sdk/go && go test . -run TestWithWorkspace)\n- `go build -o /...

Bumps the sdk-java group with 10 updates in the /sdk/java directory:

Bumps the sdk-typescript group in /sdk/typescript with 7 updates:

Bumps the docs group with 12 updates in the /docs directory:

Now that we have dagger query, we don’t need to print the contents of the config every time we re-up it.

Fixes #240

• split integration tests into small manageable files
• add SUITE=llb make integration support (suite can be compute, llb, stdlib, cli, examples)
• fixed test for examples/react

Currently in main dagger creates an actual directory called ’$HOME’ instead of expanding the value of $HOME.

Also changing the location of the default store to follow the xdg spec. This will cause all deployment to be “forgotten”, better do it now before anyone is using it seriously.

Just got the issue using input dir:

$ dagger input dir source ../../

This is what we store:

  "inputs": [
    {
      "key": "source",
      "value": {
        "type": "dir",
        "dir": {
          "path": "../../"
        }
      }
    }
  ]

It's not limited to input dir -- dagger plan dir has the same issue, and I suspect dagger new --plan-dir too.

To fix this once for all, I suggest we resolve the absolute path directly inside `dagger....

Bumps golang from 1.16.2-alpine to 1.16.3-alpine.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also tri...

The API was a bit confusing with code mixing the usage of Deployment and
DeploymentState.

This change marks a clear separation:

• Client is the only piece of code manipulating *Deployment
• CLI commands can manipulate DeploymentState objects and pass them to
  Client

// Apply a Kubernetes configuration
#Apply: {
	// Kubernetes config to deploy
	source: string | dagger.#Artifact
         
      ...
		if (source & string) != _|_ {
                  ...
		},

			if (source & dagger.#Artifact) != _|_ {
                           ...
			}
}

The ifs are not working anymore

/cc @samalba @TomChv

In preparation of support dagger down.

Also matches the dagger up command.

Previously dagger eval always returned the cue output. This makes sense for cue debugging, but not to get quick information about the current state.

The previous behavior is still available with dagger query -f cue. All cue flags have been preserved.

Running dagger up produces output values, but they are not stored in the deployment state by the client. As a result, dagger query will not include outputs.

• Add support for multiple deployments per path in the Store
• Add a bunch of tests
• Change the Lookup deployment API
• Add disambiguation in the CLI commands

Fixes #231

Signed-off-by: Andrea Luzzardi

Implemented tests for:

• plan dir / git
• input dir / git
• new --plan-git

Restored JSON output for up

Fixed absolute path for dir path

Signed-off-by: Frederick F. Kautz IV

Fixes a build break in test.

--- FAIL: TestInputDir (0.00s)
    input_test.go:20: 
        	Error Trace:	input_test.go:20
        	Error:      	"map[/Users/fkautz/dagger/dagger:/Users/fkautz/dagger/dagger /tmp/source:/tmp/source]" does not contain "."
        	Test:       	TestInputDir

currently, integration tests run first then unit tests.

This patch should swap the order.

Bumps github.com/stretchr/testify from 1.5.1 to 1.7.0.

Release notes
Sourced from github.com/stretchr/testify's releases.

Minor improvements and bug fixes
Minor feature improvements and bug fixes
Fixes breaking change with HTTPBodyContains
A breaking change was accidentally released in v1.6.0 which breaks the API for the HTTPBodyContains and HTTPBodyNotContains, this release reverts that change.
v1.6.0
Latest release of testify. This includes many fixe...

It appears multiple deployments can have the same name, which is confusing.

$ dagger up
7:50PM FTL system | multiple deployments match the current directory, select one with `--deployment`    deploymentPath=/home/shykes/dagger deployments=[
    "dagger",
    "dagger-dev",
    "dagger-dev"
]

$ ls ~/.dagger/store/
dagger      dagger-dev  react

Sometimes one wants to embed a Dagger deployment plan directly in an application repository, in the same way one might embed a Dockerfile or docker-compose.yaml.

This is currently possible but not seamless. It requires several redundant steps:

1. The deployment plan declares an input of type artifact. For example source: dagger.#Artifact
2. Each new deployment must explicitly load the current directory into that input: dagger input dir source .

With embedding, that second step w...

When running make integration, I saw a message error sops: command not found, but it did not interrupt test execution. It was not clear if it should be treated as an error or a warning.

A deployment with multiple times the same path would appear repeated in
LookupDeploymentByPath.

This change indexes paths as a map rather than a list, thus avoiding the
issue altogether.

Fixes #276