Fix race condition in concurrent artifact additions

This fixes a race condition where concurrent 'podman artifact add'
commands for different artifacts would result in only one artifact
being created, without any error messages.

The root cause was in the artifact store's Add() method, which
would:
1. Acquire lock
2. Read OCI layout index
3. Create ImageDestination (which snapshots the index)
4. RELEASE lock (optimization for blob copying)
5. Copy blobs (while unlocked)
6. Reacquire lock
7. Commit changes (write new index)

When two concurrent additions happened:
- Process A: Lock → Read index → Create dest A → Unlock → Copy blobs
- Process B: Lock → Read index (no artifact A!) → Create dest B → Unlock
- Process A: Lock → Commit (write index with A)
- Process B: Lock → Commit (write index with B, OVERWRITING A)

The fix keeps the lock held for the entire operation. While this
reduces concurrency for blob copying, it prevents the index file
corruption that caused artifacts to be lost.

Changes:
- Remove lock release/reacquire around blob copying in store.Add()
- Simplify lock management (no more conditional unlock)

Fixes: containers/podman#27569

Generated-with: Cursor AI
Signed-off-by: Daniel J Walsh <[email protected]>

Author: rhatdan

common/pkg/libartifact/store/store.go

@@ -225,13 +225,8 @@ func (as ArtifactStore) Add(ctx context.Context, dest string, artifactBlobs []li
 		return nil, fmt.Errorf("cannot override filename with %s annotation", specV1.AnnotationTitle)
 	}
 
-	locked := true
 	as.lock.Lock()
-	defer func() {
-		if locked {
-			as.lock.Unlock()
-		}
-	}()
+	defer as.lock.Unlock()
 
 	// Check if artifact already exists
 	artifacts, err := as.getArtifacts(ctx, nil)
@@ -304,10 +299,11 @@ func (as ArtifactStore) Add(ctx context.Context, dest string, artifactBlobs []li
 	}
 	defer imageDest.Close()
 
-	// Unlock around the actual pull of the blobs.
-	// This is ugly as hell, but should be safe.
-	locked = false
-	as.lock.Unlock()
+	// Keep the lock held during blob copying to prevent concurrent artifact adds
+	// from racing on the OCI layout index file. The lock was previously released
+	// here as an optimization, but this created a race condition where concurrent
+	// artifact additions could overwrite each other's index entries.
+	// See: https://github.com/containers/podman/issues/27569
 
 	// ImageDestination, in general, requires the caller to write a full image; here we may write only the added layers.
 	// This works for the oci/layout transport we hard-code.
@@ -353,8 +349,7 @@ func (as ArtifactStore) Add(ctx context.Context, dest string, artifactBlobs []li
 		artifactManifest.Layers = append(artifactManifest.Layers, newLayer)
 	}
 
-	as.lock.Lock()
-	locked = true
+	// Lock is still held from the beginning of the function
 
 	rawData, err := json.Marshal(artifactManifest)
 	if err != nil {