Enable off-line builds with auto-discovered keys (#241)

- **automated: Update to new apko release**

- **Update for new key cashing structure**
  
See:
- chainguard-dev/apko#1968
- chainguard-dev/apko#1985

---------

Signed-off-by: octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com>
Co-authored-by: octo-sts[bot] <157150467+octo-sts[bot]@users.noreply.github.com>

Author: xnox

MODULE.bazel

@@ -17,7 +17,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "8.2.0.2", dev_dependency = Tr
 bazel_dep(name = "stardoc", version = "0.8.0", dev_dependency = True, repo_name = "io_bazel_stardoc")
 
 toolchain = use_extension("//apko:extensions.bzl", "apko")
-toolchain.toolchain(apko_version = "v0.30.22")
+toolchain.toolchain(apko_version = "v0.30.32")
 use_repo(toolchain, "apko_toolchains")
 
 register_toolchains("@apko_toolchains//:all")

apko/private/apk.bzl

@@ -189,8 +189,10 @@ def _cachePathFromURL(url):
     Mimicks https://github.com/chainguard-dev/go-apk/blob/7b08e8f3b0fcaa0f0a44757aedf23f6778cd8e4f/pkg/apk/cache.go#L326C6-L326C22
     Is interprets URL as following path: {repo}/{arch}/{file} [but also used for keyring files that don't obey {arch} part].
 
+    For RSA public key files (*.rsa.pub), the file is stored in a directory named after the full filename.
+
     Examples:
-      https://packages.wolfi.dev/os/wolfi-signing.rsa.pub              -> https%3A%2F%2Fpackages.wolfi.dev%2F/os/wolfi-signing.rsa.pub
+      https://packages.wolfi.dev/os/wolfi-signing.rsa.pub              -> https%3A%2F%2Fpackages.wolfi.dev%2F/os/wolfi-signing.rsa.pub/wolfi-signing.rsa.pub
       https://packages.wolfi.dev/os/aarch64/sqlite-libs-3.44.0-r0.apk  -> https%3A%2F%2Fpackages.wolfi.dev%2Fos/arch64/sqlite-libs-3.44.0-r0.apk
     """
     url_split = url.rsplit("/", 2)
@@ -199,7 +201,13 @@ def _cachePathFromURL(url):
         # Seems the Apko adds additional "/" if the URL is short.
         repo += "/"
     repo_escaped = util.url_escape(repo)
-    return "{}/{}/{}".format(repo_escaped, url_split[1], url_split[2])
+    filename = url_split[2]
+
+    # For RSA public key files, store them in a directory named after the full filename
+    if filename.endswith(".rsa.pub"):
+        return "{}/{}/{}/{}".format(repo_escaped, url_split[1], filename, filename)
+
+    return "{}/{}/{}".format(repo_escaped, url_split[1], filename)
 
 def _apk_keyring_impl(rctx):
     public_key = _cachePathFromURL(rctx.attr.url)

apko/private/versions.bzl

@@ -3,11 +3,11 @@
 # Add new versions by running
 # ./scripts/mirror_apko.sh
 APKO_VERSIONS = {
-    "v0.30.22": {
-        "darwin_amd64": "sha256-g7rbw7G/eRKq7N76dUl9Tr+449JQ92b2MCG4W9J6YJA=",
-        "darwin_arm64": "sha256-L2Bgc0rUZzvNmqj0zjsO0EBwJWzuKWYt2LD2w+bj4fw=",
-        "linux_386": "sha256-Nh+P8TXmb0OE5dDhvJBJ7jGgKqas4OSxnFjiE5A+aQE=",
-        "linux_amd64": "sha256-2H2ToTuuOHQSD/hGux3FZ5C6R9swk65aX4+QS8vQK1Q=",
-        "linux_arm64": "sha256-81H7VSHQuqn5WtJWICTHzgDvm/ynxE2gRbu0OHTRqK0=",
+    "v0.30.32": {
+        "darwin_amd64": "sha256-jt1VJHkF9JiExvzjgzLg0xmOVF92SsKLlmuKcUVOV3c=",
+        "darwin_arm64": "sha256-h5cMiTzvwaW+ynwDivmOSQdHq+meSgkJ60AfD9fcg1A=",
+        "linux_386": "sha256-cW1EQNcKCFYrWTd91NSXA6v5VbYzb4VblqROHhBerq8=",
+        "linux_amd64": "sha256-zygC0MGD5zA1iwTLtA9Eh8NS1N38Mnrnn81mSbYGTy4=",
+        "linux_arm64": "sha256-7Z+g+m7vXpnrRP4Uepar2M5iuKykbByE5S3olM0ZxSI=",
     },
 }

apko/tests/versions_test.bzl

@@ -7,7 +7,7 @@ load("//apko/private:versions.bzl", "APKO_VERSIONS")
 
 def _smoke_test_impl(ctx):
     env = unittest.begin(ctx)
-    asserts.equals(env, "v0.30.22", APKO_VERSIONS.keys()[0])
+    asserts.equals(env, "v0.30.32", APKO_VERSIONS.keys()[0])
     return unittest.end(env)
 
 # The unittest library requires that we export the test cases as named test rules,