apko
Apko.lock contains duplicated repositories when combined from multiple files
In https://github.com/chainguard-dev/rules_apko/pull/64/files/78c551af671b24f2b5c80a404005761b90147bbe#diff-9912b6950a30993bc94f913745c42a5d3b00be7b99eb96fe6f4b6342886a5420 we observed lock files to be generated with duplicates like:
```json
{
  "name": "dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64",
  "url": "https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz",
  "architecture": "x86_64"
},
{
  "name": "dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64",
  "url": "https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz",
  "architecture": "x86_64"
},
{
  "name": "dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64",
  "url": "https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz",
  "architecture": "x86_64"
},
```
It would be better if only unique entries were placed (especially if all of (name, url, arch) match).
The code to fix is here: https://github.com/chainguard-dev/apko/blob/95412200ebe139d324ef0de8ee7d56f615ba90d2/pkg/build/types/image_configuration.go#L88
In theory, dups can also be created here (but are less likely to happen); just for the sake of consistency we can call unique here as well:
- https://github.com/chainguard-dev/apko/blob/95412200ebe139d324ef0de8ee7d56f615ba90d2/internal/cli/lock.go#L188C45-L188C57
- https://github.com/chainguard-dev/apko/blob/95412200ebe139d324ef0de8ee7d56f615ba90d2/pkg/build/apk.go#L34
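
An order-preserving de-duplication keyed on the full (name, url, architecture) triple, as requested above. This is an added example, not apko's code: `LockRepo` and `UniqueRepos` are hypothetical names. It goes one step beyond the issue by also reporting a name that maps to more than one URL for the same architecture, which is not a duplicate and should not be silently merged.

```go
package main

import "fmt"

// LockRepo has the three fields of a repository entry shown in the issue.
// Type and function names here are hypothetical, not apko's own.
type LockRepo struct {
	Name, URL, Architecture string
}

// UniqueRepos drops entries whose (name, url, architecture) triple was already
// seen, keeping first-seen order so the output is deterministic. It also
// returns each name+architecture that appears with more than one URL: those
// are not duplicates and are worth reviewing before the lock is committed.
func UniqueRepos(in []LockRepo) (out []LockRepo, conflicts []string) {
	seen := make(map[LockRepo]struct{}, len(in))
	firstURL := make(map[[2]string]string, len(in))
	flagged := make(map[[2]string]bool)
	for _, r := range in {
		if _, dup := seen[r]; dup {
			continue
		}
		seen[r] = struct{}{}
		out = append(out, r)
		k := [2]string{r.Name, r.Architecture}
		prev, ok := firstURL[k]
		switch {
		case !ok:
			firstURL[k] = r.URL
		case prev != r.URL && !flagged[k]:
			flagged[k] = true
			conflicts = append(conflicts, r.Name+" ("+r.Architecture+")")
		}
	}
	return out, conflicts
}

func main() {
	// Constructed input: the entry from the issue, repeated three times.
	e := LockRepo{
		Name:         "dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64",
		URL:          "https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz",
		Architecture: "x86_64",
	}
	out, conflicts := UniqueRepos([]LockRepo{e, e, e})
	fmt.Println(len(out), len(conflicts))
}
```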