ensure OCI artifacts are handled strictly by digest

[errordeveloper]

Currently artifact revision (i.e. digest) is obtain here:

https://github.com/fluxcd/source-controller/blob/53ee3a3db056b4c024d30a735607b3bccbcde54b/internal/controller/ocirepository_controller.go#L392-L393

It is also observed as a condition here:

https://github.com/fluxcd/source-controller/blob/53ee3a3db056b4c024d30a735607b3bccbcde54b/internal/controller/ocirepository_controller.go#L408-L417

However, verification and fetching is only done by URL, and it's possible there is an update in registry in between all of these calls:

https://github.com/fluxcd/source-controller/blob/53ee3a3db056b4c024d30a735607b3bccbcde54b/internal/controller/ocirepository_controller.go#L431

https://github.com/fluxcd/source-controller/blob/53ee3a3db056b4c024d30a735607b3bccbcde54b/internal/controller/ocirepository_controller.go#L455-L456

There maybe other race coditions. It will be easy enough to address this and reinfoce use of the same digest for all of the registry API calls.

[stefanprodan]

We could make getRevision return also the digestURL and pass that to all sequential functions.

[errordeveloper]

https://github.com/fluxcd/source-controller/pull/1244 will changed some of the underlying code, but this flow remains intact.

[errordeveloper]

We could make getRevision return also the digestURL and pass that to all sequential functions.

Exactly! I would also want to check how artifacts are stored as well, as I'm not familiar with that part yet.

[stefanprodan]

Flux has an internal artifact format common to all source types which is a gzip tarball with stripped file header info. The digest of a Flux artifact is advertised in .status.artifact.digest and all consumers (kustomize-controller, helm-controller, tf-controller, etc) verify the integrity of the artifact before the contents is extracted. The internal artifacts acquisition and verification is handled by https://github.com/fluxcd/pkg/blob/main/http/fetch/archive_fetcher.go.