Test them before moving them to the final location.
This makes the download fial of there is some file corruption etc.
This adds a dependency on the zstd exectuable for the fetch-assets
command.
Motivated by https://github.com/msys2/msys2-main-server/issues/42
It now has its own default retry logic that fits the GH API,
so no longer pass our own and assume it handles things better.
The datetimes are now timezone aware, so we no longer have to fix
them.
We currently allow some users to manually upload packages (in case
they take too long for CI, or to bootstrap things).
In case of an account takeover this would allow an attacker to upload/replace
files in staging. To reduce the risk a bit ask for confirmation when downloading
the manually uploaded files.
Also add a "--noconfirm" option so we can avoid the questions in the staging
download script.
Ideally we would require users to sign their files, but this helps a bit at least.
Before uploading the status file we make a cached request for the old status
content and if there is no difference we don't upload anything.
This reduces the amount of write API calls and the amount of useless
packages.msys2.org refreshes a bit.
git fails to delete files we have uploaded, and I'm wondering if
upload_asset() is somehow keeping a handle open. While I can't find
anything suspicious in pygithub let's make the file handling explicit
and open/close ourselves.
This was required to avoid running multiple builds at the same time.
But GHA now has concurrency groups which solves the same problem,
so drop that code
