Archiver: preserve symlinks and explicit build-context entries

[mazdak]

Type of Change

• Bug fix

Motivation and Context

While building out a Docker Compose-style plugin and validating it against our own real development stack, we ran into two classes of problems in the build-context path:

• Correctness issues in archive generation, especially around symlinks
• Very high client-side overhead while preparing and streaming build contexts.

This PR fixes build-context archiving in container so symlinks are preserved correctly, digest calculation reflects symlink target changes, and fssync archives the exact selected file set in the already-computed order.

Before this change, build-context archiving could mis-handle symlinks, archive a broader tree walk than necessary, and produce a digest that did not change when symlink targets changed.

Part of the fix was also more generally related to the Containerization framework. This PR intentionally stays independently mergeable against the current released containerization dependency, so it keeps the local archiver implementation needed for these fixes today. The Containerization PR is: apple/containerization#652

Validation

This is an example of the problem the PR actually fixes.

Build context:

ctx="$(mktemp -d /private/tmp/container-retest-rel.XXXXXX)/ctx"
mkdir -p "$ctx"
printf 'hello\n' > "$ctx/target.txt"
ln -s target.txt "$ctx/link.txt"

cat > "$ctx/Dockerfile" <<'EOF'
FROM alpine:3.20
COPY . /ctx
RUN echo "link target: $(readlink /ctx/link.txt)" && \
      test "$(readlink /ctx/link.txt)" = "target.txt" && \
      test "$(cat /ctx/link.txt)" = "hello"
EOF

Build command:

  container build -t rel-patch-retest -f Dockerfile .

Observed results:

• main branch: failed
  • link target: came back empty
  • exit code 1
• patched branch: passed
  • link target: target.txt
  • Successfully built rel-patch-retest:latest
  • exit code 0
• Before this fix, container build could lose symlink metadata in the archived build context.
• A relative symlink like link.txt -> target.txt arrived broken inside the build.
• After this fix, the same build context preserves the symlink correctly and the build succeeds.

Testing

• Tested locally
• Added/updated tests

[jglogan]

I removed this in #1372 because it's insecure and should not be used. See ArchiveReader.extractContents() in containerization in this commit: apple/containerization@3e93416

[mazdak]

Fixed

[jglogan]

Can you provide a simple container build command, Dockerfile and build context that fails and is addressed by the fix(es) you propose? Thanks!

[mazdak]

Can you provide a simple container build command, Dockerfile and build context that fails and is addressed by the fix(es) you propose? Thanks!

Please see PR description