Pass pkg pins from meta package to installable package

[mbrancato]

This fixes a problem introduced after v0.22.1 installing local packages. The local package index is now a pin (specified using the @ syntax). When a meta-package is specified with a pin, the resolved package that provides the meta-package does not specify the pin. This leads to apko only checking non-local indexes when the providing packages are also in the local index.

This PR passes the pin specified on the meta-package to the providing package to be installed.

Fixes #1541

[xnox]

we also have a different regression fix for which was merged just now. Would want to get that out first, before investigating this.

[sanmai-NL]

@xnox Which PR/merged commit is that, please?

[mbrancato]

@xnox I tried the latest commit in main and still get the same error. I also tried my unit test in main and it also failed.

For reference, I simply tried a clone of the py3-requests.yaml file from wolfi-os with the following patch applied:

--- py3-requests.yaml   2025-07-07 17:57:33
+++ py3-requests-foo.yaml       2025-07-07 17:58:04
@@ -1,6 +1,6 @@
 # Generated from https://pypi.org/project/requests/
 package:
-  name: py3-requests
+  name: py3-requests-foo
   version: "2.32.4"
   epoch: 0
   description: Python HTTP for Humans.
@@ -21,7 +21,7 @@
       - py3-supported-wheel
 
 vars:
-  pypi-package: requests
+  pypi-package: requests-foo
 
 data:
   - name: py-versions

mkdir -p key
mkdir -p packages/build
melange keygen key/mykey.rsa

PKG_OUT_DIR=packages/build
SIGNING_KEY_PRIV=key/mykey.rsa
SIGNING_KEY_PUB=key/mykey.rsa.pub
PKG_FILE="py3-requests-foo.yaml"
ARCH=arm64

docker run --privileged -v "$PWD":"$PWD" -w "$PWD"
"ghcr.io/wolfi-dev/sdk:latest" -c "melange build --arch $ARCH
--out-dir '$PKG_OUT_DIR'
--pipeline-dir 'pipelines'
--signing-key '$SIGNING_KEY_PRIV'
--repository-append 'https://packages.wolfi.dev/os'
--keyring-append 'https://packages.wolfi.dev/os/wolfi-signing.rsa.pub'
'$PKG_FILE'"

Then with this test image file, I tried to build:

contents:
  repositories:
    - https://packages.wolfi.dev/os
    - "@local packages/build/"
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
    - key/mykey.rsa.pub

  packages:
    - py3-requests-foo@local
archs:
  - arm64

Resulting in the same failure.

% go install chainguard.dev/apko@ec7cd6819940c4069cc5f56edb416db9c1450fa9
% apko version                                                           
     _      ____    _  __   ___
    / \    |  _ \  | |/ /  / _ \
   / _ \   | |_) | | ' /  | | | |
  / ___ \  |  __/  | . \  | |_| |
 /_/   \_\ |_|     |_|\_\  \___/
apko

GitVersion:    v0.29.2
GitCommit:     unknown
GitTreeState:  unknown
BuildDate:     unknown
GoVersion:     go1.24.3
Compiler:      gc
Platform:      darwin/arm64

% apko build test.yaml image test.tar                                    
Error: building "arm64" layer: installing apk packages: error getting package dependencies: solving "py3.13-requests-foo=2.32.4-r0" constraint: not in indexes
2025/07/07 18:36:09 INFO error during command execution: building "arm64" layer: installing apk packages: error getting package dependencies: solving "py3.13-requests-foo=2.32.4-r0" constraint: not in indexes

[mbrancato]

I also noticed that prior to 0.22.1, if a package a was a dependency of a package that was marked @local, then the dependency too could be resolved from the local packages without specifying them. While my patch handles the provides directive, it doesn't allow dependencies to also support local packages.

That's a bigger behavior change, and I might need some feedback on if it should resolve dependencies when the local pin is specified. Its also more complex to track dependencies that way.