cmd-build: only copy allowed files into final build dir

[jlebon]

Over time we seem to have accumulated all sorts of crud in the build dir that were never meant to be uploaded:

$ aws s3 ls s3://.../$buildid/x86_64/
...
2024-10-26 10:49:16       1027 cmd.sh
2024-10-26 10:49:15        540 image.json
2024-10-26 10:49:15       8436 manifest.json
2024-10-26 10:49:15       2267 platforms.json
2024-10-26 10:49:15       2621 platforms.json.all
2024-10-26 10:49:16          2 rc
2024-10-26 10:49:16      97896 runvm-console.txt

There are no secrets in there, but still we should be more conscious of what we upload and keep artifacts in public build dirs to strictly what we intend.

Historically, $tmp_builddir was meant to be the staging area for the final contents of the build dir we would move into place and $TMPDIR was the truly temporary directory for that build. Over time, that distinction has been lost a bit and things that shouldn't have been placed there were.

In the end, I think it's cleaner to instead operate on an allowlist of files we know belong in the build dir, so let's do that.

[dustymabe]

I'm guessing builds/.build-commit never became useful?

[jlebon]

I'm guessing builds/.build-commit never became useful?

Yeah, exactly. We never did anything more with it so I just nuked it.