
Pass pkg pins from meta package to installable package

Open mbrancato opened this issue 6 months ago • 4 comments

This fixes a problem introduced after v0.22.1 installing local packages. The local package index is now a pin (specified using the @ syntax). When a meta-package is specified with a pin, the resolved package that provides the meta-package does not specify the pin. This leads to apko only checking non-local indexes when the providing packages are also in the local index.

This PR passes the pin specified on the meta-package to the providing package to be installed.

Fixes #1541

mbrancato avatar Jun 27 '25 09:06 mbrancato
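
The pin loss described in the PR text above, as an added example (not apko's code and not part of the original thread): a simplified two-step resolver in which tagged repositories are only searched when a pin names them. The `pkg` type, `lookup`, `resolve`, the `propagatePin` switch and the index contents are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified model, not apko's resolver. provides is the meta-package name.
type pkg struct{ name, provides string }

var errNotInIndexes = errors.New("not in indexes")

// lookup searches the untagged repositories ("") plus the pinned one, if any.
func lookup(ix map[string][]pkg, name, pin string) (pkg, bool) {
	for _, tag := range []string{"", pin} {
		for _, p := range ix[tag] {
			if p.name == name || p.provides == name {
				return p, true
			}
		}
	}
	return pkg{}, false
}

// resolve finds the provider, then solves it; propagatePin=false drops the pin.
func resolve(ix map[string][]pkg, name, pin string, propagatePin bool) (string, error) {
	provider, ok := lookup(ix, name, pin)
	if !ok {
		return "", fmt.Errorf("solving %q constraint: %w", name, errNotInIndexes)
	}
	if !propagatePin {
		pin = ""
	}
	if _, ok := lookup(ix, provider.name, pin); !ok {
		return "", fmt.Errorf("solving %q constraint: %w", provider.name, errNotInIndexes)
	}
	return provider.name, nil
}

// sampleIndex is constructed data: one untagged and one @local repository.
var sampleIndex = map[string][]pkg{
	"":      {{"py3.13-requests", "py3-requests"}},
	"local": {{"py3.13-requests-foo", "py3-requests-foo"}},
}

func main() {
	for _, propagate := range []bool{false, true} {
		fmt.Println(resolve(sampleIndex, "py3-requests-foo", "local", propagate))
	}
}
```

Without propagation the provider is found in the `local` index but then solved against untagged indexes only, so the request fails; with propagation it resolves.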

We also have a different regression fix for which was merged just now. Would want to get that out first, before investigating this.

xnox avatar Jun 30 '25 11:06 xnox

@xnox Which PR/merged commit is that, please?

sanmai-NL avatar Jul 02 '25 11:07 sanmai-NL

@xnox I tried the latest commit in main and still get the same error. I also tried my unit test in main and it also failed.

For reference, I simply tried a clone of the py3-requests.yaml file from wolfi-os with the following patch applied:

--- py3-requests.yaml   2025-07-07 17:57:33
+++ py3-requests-foo.yaml       2025-07-07 17:58:04
@@ -1,6 +1,6 @@
 # Generated from https://pypi.org/project/requests/
 package:
-  name: py3-requests
+  name: py3-requests-foo
   version: "2.32.4"
   epoch: 0
   description: Python HTTP for Humans.
@@ -21,7 +21,7 @@
       - py3-supported-wheel
 
 vars:
-  pypi-package: requests
+  pypi-package: requests-foo
 
 data:
   - name: py-versions
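
Review bot: The second hunk changes `pypi-package` to `requests-foo`, but the visible lines do not show where `vars.pypi-package` is consumed, so it is unclear whether this rename alone determines the `py3.13-requests-foo` name that appears in the error further down. Please state which package names and provides entries the build emits into `packages/build`, so the reproduction shows that the requested `py3-requests-foo@local` is a meta-package provided by the versioned package. The unchanged `# Generated from https://pypi.org/project/requests/` comment in the first hunk is also stale for the clone and could be dropped.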

mkdir -p key
mkdir -p packages/build
melange keygen key/mykey.rsa

PKG_OUT_DIR=packages/build
SIGNING_KEY_PRIV=key/mykey.rsa
SIGNING_KEY_PUB=key/mykey.rsa.pub
PKG_FILE="py3-requests-foo.yaml"
ARCH=arm64

docker run --privileged -v "$PWD":"$PWD" -w "$PWD" \
  "ghcr.io/wolfi-dev/sdk:latest" -c "melange build --arch $ARCH \
  --out-dir '$PKG_OUT_DIR' \
  --pipeline-dir 'pipelines' \
  --signing-key '$SIGNING_KEY_PRIV' \
  --repository-append 'https://packages.wolfi.dev/os' \
  --keyring-append 'https://packages.wolfi.dev/os/wolfi-signing.rsa.pub' \
  '$PKG_FILE'"

Then with this test image file, I tried to build:

contents:
  repositories:
    - https://packages.wolfi.dev/os
    - "@local packages/build/"
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    - key/mykey.rsa.pub

  packages:
    - py3-requests-foo@local
archs:
  - arm64

Resulting in the same failure.

% go install chainguard.dev/apko@ec7cd6819940c4069cc5f56edb416db9c1450fa9
% apko version                                                           
     _      ____    _  __   ___
    / \    |  _ \  | |/ /  / _ \
   / _ \   | |_) | | ' /  | | | |
  / ___ \  |  __/  | . \  | |_| |
 /_/   \_\ |_|     |_|\_\  \___/
apko

GitVersion:    v0.29.2
GitCommit:     unknown
GitTreeState:  unknown
BuildDate:     unknown
GoVersion:     go1.24.3
Compiler:      gc
Platform:      darwin/arm64

% apko build test.yaml image test.tar                                    
Error: building "arm64" layer: installing apk packages: error getting package dependencies: solving "py3.13-requests-foo=2.32.4-r0" constraint: not in indexes
2025/07/07 18:36:09 INFO error during command execution: building "arm64" layer: installing apk packages: error getting package dependencies: solving "py3.13-requests-foo=2.32.4-r0" constraint: not in indexes

mbrancato avatar Jul 07 '25 16:07 mbrancato

I also noticed that prior to 0.22.1, if a package was a dependency of a package that was marked @local, then the dependency too could be resolved from the local packages without specifying them. While my patch handles the provides directive, it doesn't allow dependencies to also support local packages.

That's a bigger behavior change, and I might need some feedback on whether it should resolve dependencies when the local pin is specified. It's also more complex to track dependencies that way.

mbrancato avatar Jul 08 '25 12:07 mbrancato