From e59cb326fde61ba4acc208e5a070220e4f5030d1 Mon Sep 17 00:00:00 2001
From: leodido <120051+leodido@users.noreply.github.com>
Date: Mon, 24 Nov 2025 18:15:26 +0000
Subject: [PATCH] fix: correct build summary counts for packages built after verification failure
Packages that failed SLSA verification and were rebuilt locally were incorrectly counted as 'downloaded' instead of 'built_locally' in the build summary.
Root cause: In rare edge cases, packages built locally after verification failure are not tracked in newlyBuiltMap, causing them to fall through to the wrong category in the else-if chain.
Fix: Add defensive check before the PackageDownloaded check to catch packages that were supposed to be downloaded but weren't, yet are now in cache. These must have been built locally.
Additionally, add comprehensive debug logging to help diagnose the root cause and any future edge cases:
- Log all packages in newlyBuiltMap with their versions
- Log categorization decision for each package (inNewlyBuilt, inPkgsToDownload, status)
- Log when defensive fix is applied
This defensive fix handles the edge case gracefully while the logging will help identify the underlying cause in production.
Evidence: https://github.com/gitpod-io/gitpod-next/actions/runs/19638569673/job/56247504536
Co-authored-by: Ona
---
 pkg/leeway/build.go | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/pkg/leeway/build.go b/pkg/leeway/build.go
index 3ec28b6..a287ac9 100644
--- a/pkg/leeway/build.go
+++ b/pkg/leeway/build.go
@@ -780,6 +780,10 @@ func printBuildSummary(ctx *buildContext, targetPkg *Package, allpkg []*Package,
 newlyBuiltMap := make(map[string]bool)
 for _, p := range newlyBuilt {
 newlyBuiltMap[p.FullName()] = true
+ log.WithFields(log.Fields{
+ "package": p.FullName(),
+ "version": p.versionCache,
+ }).Debug("Package in newlyBuiltMap")
 }
 // Track packages that were supposed to be downloaded but weren't
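Review bot: The added log call reads the unexported field `p.versionCache` for its `version` entry, and nothing in the hunk shows that the cache has been filled for every package in `newlyBuilt`. If it can still be empty here, the debug output would show a blank version that looks like a real anomaly while someone is chasing the tracking bug. A one-line comment above the call, for example `// versionCache may be empty if the version was never computed for p`, would make that explicit. The loop belongs to printBuildSummary, whose body starts and ends outside this hunk.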
@@ -802,19 +806,40 @@ func printBuildSummary(ctx *buildContext, targetPkg *Package, allpkg []*Package,
 total++
 // Determine what happened to this package
- if newlyBuiltMap[p.FullName()] {
+ inNewlyBuilt := newlyBuiltMap[p.FullName()]
+ inPkgsToDownload := pkgsToDownloadMap[p.FullName()]
+ status := statusAfterDownload[p]
+
+ log.WithFields(log.Fields{
+ "package": p.FullName(),
+ "inNewlyBuilt": inNewlyBuilt,
+ "inPkgsToDownload": inPkgsToDownload,
+ "status": status,
+ }).Debug("Categorizing package for build summary")
+
+ if inNewlyBuilt {
 // Package was built during this build
 builtLocally++
 // Check if this was supposed to be downloaded but wasn't
 // This indicates verification or download failure
- if pkgsToDownloadMap[p.FullName()] && statusAfterDownload[p] != PackageDownloaded {
+ if inPkgsToDownload && status != PackageDownloaded {
 failedDownloads = append(failedDownloads, p)
 }
- } else if statusAfterDownload[p] == PackageDownloaded {
+ } else if inPkgsToDownload && status != PackageDownloaded {
+ // Package was supposed to be downloaded but wasn't, yet it's now in cache
+ // This means it was built locally after download/verification failure
+ // but wasn't tracked in newlyBuiltMap (edge case - defensive fix applied)
+ log.WithFields(log.Fields{
+ "package": p.FullName(),
+ "status": status,
+ }).Debug("Package built locally after download/verification failure (defensive fix applied)")
+ builtLocally++
+ failedDownloads = append(failedDownloads, p)
+ } else if status == PackageDownloaded {
 // Package was downloaded
 downloaded++
- } else if statusAfterDownload[p] == PackageBuilt {
+ } else if status == PackageBuilt {
 // Package was already cached
 alreadyCached++
 } else {
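Review bot: The new `else if inPkgsToDownload && status != PackageDownloaded` branch decides "built locally after verification failure" by elimination only. Its comment says the package is "now in cache", but no line in the hunk checks that, so any package that was queued for download and ended in another status is counted as built and never reaches the final `else`. This path stands in for a SLSA verification or download failure whose cause is still unknown, so I would log it with `}).Warn(` rather than `}).Debug(`; otherwise it only shows up when debug logging is enabled. If one of the status values identifies an artifact that is present locally, consider requiring it in the condition and naming it in the comment. printBuildSummary starts and ends outside this hunk, so the final `else` body is not visible here.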