toil(pkg managers:pip): refactor and unify sdist & wheel handling

[ben-alkov]

Refactor and unify pip sdist & wheel handling (STONEBLD-1705), to wit:

• wheels are enumerated, saved, and downloaded all at once asynchronously; sdists are downloaded one by one
• wheels are ignored if they already exist; sdists are re-downloaded
• wheels respect the hashes reported by PyPI; sdists do not
• sdists are recorded in the SBOM; wheels are not

Eliminate the differences as much as possible

Maintainers will complete the following section

• [ ] Commit messages are descriptive enough
• [x] Code coverage from testing does not decrease and new code is covered
• [ ] Docs updated (if applicable)
• [n/a] Docs links in the code are still valid (if docs were updated)

Note: if the contribution is external (not from an organization member), the CI pipeline will not run automatically. After verifying that the CI is safe to run:

• approve GitHub Actions workflows by clicking a button
• approve the Red Hat Trusted App Pipeline container build by commenting /ok-to-test (as is the standard for Pipelines as Code)

[ben-alkov]

Note that tests haven't been touched yet (also the reason for the mypy fail).

IDK what CodeQL's issue is...

[ben-alkov]

~I've identified an issue where existing artifacts (i.e. things which have already been downloaded) are not being hashed (if required). I haven't resolved this yet.~

Fixed

[ben-alkov]

you can fix one failing test by: mock_distributions.side_effect = [[pypi_package1], [pypi_package2]]

I've got that locally, but then my comment in Slack becomes the problem:

test_download_from_requirement_files is failing in async_download_files() with 'cachi2.core.errors.FetchError: exception_name: InvalidURL, details: ""' It was failing in '.pip.download_binary_file' (same error), so I changed the mock to '.general.async_download_files'... there isn't anything "lower level" than that to mock

[eskultety]

Uhm, what's wrong with that bit of code CodeQL complains about it? I don't see a problem, it's proper instantiation, can we dismiss the error as false positive?