fix: deterministic package repo tie-break

[epipav]

Note

Low Risk
Narrow query-ordering change; may shift which repo is shown when ties exist, but does not alter auth, writes, or broader business logic.

Overview
When a package maps to multiple repos with the same confidence, which repo wins was undefined, so scorecard-driven health, filters, and detail views could flip between runs.

Postgres (osspckgs/api.ts): Every lateral that picks one package_repos row for scorecard (status counts, package list, scatter) now sorts by confidence DESC then repo_id DESC. Package detail keeps its existing declared preference and adds repo_id DESC after that.

Tinybird (ossPackages_enriched.pipe): The per-package argMax(repoId, …) tie-break tuple now includes repoId after confidence and verifiedAt, matching the same deterministic rule for enriched health scores.

^{Reviewed by Cursor Bugbot for commit ecab2d3. Bugbot is set up for automated code reviews on this repo. Configure here.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[github-actions]

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

• feat: add user authentication (CM-123)
• feat: add user authentication (IN-123)

Projects:

• CM: Community Data Platform
• IN: Insights

Please add a Jira issue key to your PR title.

[Copilot]

Pull request overview

This PR aims to make “winner repo” selection deterministic when a package maps to multiple repositories with tied confidence, so Postgres-derived API responses and Tinybird-enriched health/scorecard data don’t fluctuate run-to-run.

Changes:

• Postgres: adds repo_id DESC as a deterministic tie-breaker to several LIMIT 1 repo-selection laterals in services/libs/data-access-layer/src/osspckgs/api.ts.
• Tinybird: adds repoId as a final component in the argMax tuple for per-package repo selection in ossPackages_enriched.pipe.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
services/libs/data-access-layer/src/osspckgs/api.ts	Adds deterministic ordering for selecting a single repo per package in multiple Postgres queries.
services/libs/tinybird/pipes/ossPackages_enriched.pipe	Adds a final tie-break key to Tinybird argMax selection to make repo choice deterministic under ties.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.