`shellcheck` complains of two places in `rocketfuel-setup`:

    SC2012 (info): Use find instead of ls to better handle
    non-alphanumeric filenames.

I don't think its proposed solution is best in this case, but it has a
point about the problem: parsing the output of `ls -l` is pretty clunky.
We know exactly what we expect these two symlinks to point to, so test
them directly using `readlink` instead.
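
The check described in the commit message above, as an added example (not code from `rocketfuel-setup`). The link names and targets are constructed, and `link_points_to` and `link_target_via_ls` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: link names and targets below are constructed.

# Succeed only if $1 is a symlink whose stored target is exactly $2.
link_points_to() {
    [ -L "$1" ] && [ "$(readlink -- "$1")" = "$2" ]
}

# The fragile pattern behind SC2012: recover the target from `ls -l` text.
link_target_via_ls() {
    ls -l -- "$1" | sed 's/.* -> //'
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

ln -s /constructed/target "$demo_dir/plain"
# A target containing " -> " is legal, and breaks the text parse.
ln -s '/constructed/a -> b' "$demo_dir/odd"

for name in plain odd; do
    printf '%s: ls parse=[%s] readlink=[%s]\n' "$name" \
        "$(link_target_via_ls "$demo_dir/$name")" \
        "$(readlink -- "$demo_dir/$name")"
done

if link_points_to "$demo_dir/odd" '/constructed/a -> b'; then
    echo "odd: points where expected"
fi
```

`readlink` returns the stored target without following it, so the comparison is against the literal link contents rather than a resolved path.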

`urllib.request` defines an `__all__` list that doesn't include
`parse_http_list` or `parse_keqv_list`, so we get import pedant warnings
once we start importing these directly from `urllib.request` rather than
via `six`. Use the equivalent (and slightly simpler to use)
`requests.utils.parse_dict_header` instead.

Fix git authorization for CI builds in private distributions

CI builds in private distributions fail with `fatal: repository
'https://git.launchpad.net/...' not found`. This is because they
authenticate using the special `+launchpad-services` user and a
macaroon, and in that mode methods of `GitAPI` run with an anonymous
principal and are expected to use `removeSecurityProxy` rather than
doing normal security checks (see the comment near the top of
`run_with_login`).

The lookup infrastructure in `lp.code.model.gitlookup` mostly doesn't do
much in the way of permission checks, normally relying on the returned
repository's security adapter to check access grants. However, there
are some exceptions: if the repository is in a source package or an OCI
project inside a private pillar, then the pillar is security-proxied
during traversal and so it implicitly performs permission checks.

Allow passing `check_permissions=False` to the lookup infrastructure to
suppress these checks, and pass this when performing a lookup as
`+launchpad-services`. This is safe because it's only possible to use
that user in conjunction with a macaroon issued for a specific
repository.