fix: correct build summary counts for packages built after verification failure

Packages that failed SLSA verification and were rebuilt locally were
incorrectly counted as 'downloaded' instead of 'built_locally' in the
build summary.

Root cause: In rare edge cases, packages built locally after verification
failure are not tracked in newlyBuiltMap, causing them to fall through to
the wrong category in the else-if chain.

Fix: Add defensive check before the PackageDownloaded check to catch
packages that were supposed to be downloaded but weren't, yet are now in
cache. These must have been built locally.

Additionally, add comprehensive debug logging to help diagnose the root
cause and any future edge cases:
- Log all packages in newlyBuiltMap with their versions
- Log categorization decision for each package (inNewlyBuilt,
  inPkgsToDownload, status)
- Log when defensive fix is applied

This defensive fix handles the edge case gracefully while the logging
will help identify the underlying cause in production.

Evidence: https://github.com/gitpod-io/gitpod-next/actions/runs/19638569673/job/56247504536

Co-authored-by: Ona <no-reply@ona.com>

Author: leodido

pkg/leeway/build.go

@@ -780,6 +780,10 @@ func printBuildSummary(ctx *buildContext, targetPkg *Package, allpkg []*Package,
 	newlyBuiltMap := make(map[string]bool)
 	for _, p := range newlyBuilt {
 		newlyBuiltMap[p.FullName()] = true
+		log.WithFields(log.Fields{
+			"package": p.FullName(),
+			"version": p.versionCache,
+		}).Debug("Package in newlyBuiltMap")
 	}
 
 	// Track packages that were supposed to be downloaded but weren't
@@ -802,19 +806,40 @@ func printBuildSummary(ctx *buildContext, targetPkg *Package, allpkg []*Package,
 		total++
 
 		// Determine what happened to this package
-		if newlyBuiltMap[p.FullName()] {
+		inNewlyBuilt := newlyBuiltMap[p.FullName()]
+		inPkgsToDownload := pkgsToDownloadMap[p.FullName()]
+		status := statusAfterDownload[p]
+		
+		log.WithFields(log.Fields{
+			"package":          p.FullName(),
+			"inNewlyBuilt":     inNewlyBuilt,
+			"inPkgsToDownload": inPkgsToDownload,
+			"status":           status,
+		}).Debug("Categorizing package for build summary")
+		
+		if inNewlyBuilt {
 			// Package was built during this build
 			builtLocally++
 
 			// Check if this was supposed to be downloaded but wasn't
 			// This indicates verification or download failure
-			if pkgsToDownloadMap[p.FullName()] && statusAfterDownload[p] != PackageDownloaded {
+			if inPkgsToDownload && status != PackageDownloaded {
 				failedDownloads = append(failedDownloads, p)
 			}
-		} else if statusAfterDownload[p] == PackageDownloaded {
+		} else if inPkgsToDownload && status != PackageDownloaded {
+			// Package was supposed to be downloaded but wasn't, yet it's now in cache
+			// This means it was built locally after download/verification failure
+			// but wasn't tracked in newlyBuiltMap (edge case - defensive fix applied)
+			log.WithFields(log.Fields{
+				"package": p.FullName(),
+				"status":  status,
+			}).Debug("Package built locally after download/verification failure (defensive fix applied)")
+			builtLocally++
+			failedDownloads = append(failedDownloads, p)
+		} else if status == PackageDownloaded {
 			// Package was downloaded
 			downloaded++
-		} else if statusAfterDownload[p] == PackageBuilt {
+		} else if status == PackageBuilt {
 			// Package was already cached
 			alreadyCached++
 		} else {