When support for Pip 23.3.1 was added in #2276 a latent bug in artifact
URL recording was exposed in cases where the index being used issued
re-directs. Fix up artifact URL recording to grab the primary index URL
and not subsequent re-directs.
Implementing the fix above led to a test failure that revealed another
bug whereby lock file artifact downloads were not respecting the locked
resolve target when it was a foreign platform, which is now fixed.
Finally, fixing the un-patched foreign platform target issue in lock
file artifact downloads revealed that artifact URLs with hashes were not
being taken advantage of in all cases. Now, when there is a version of
an artifact URL seen that contains hashes - the best of those is always
used to prevent needless post-processing to download and hash the
artifact at lock creation time.
When support for Pip 23.3.1 was added in #2276 a latent bug in artifact URL recording was exposed in cases where the index being used issued re-directs. Fix up artifact URL recording to grab the primary index URL and not subsequent re-directs.
Implementing the fix above led to a test failure that revealed another bug whereby lock file artifact downloads were not respecting the locked resolve target when it was a foreign platform, which is now fixed.
Finally, fixing the un-patched foreign platform target issue in lock file artifact downloads revealed that artifact URLs with hashes were not being taken advantage of in all cases. Now, when there is a version of an artifact URL seen that contains hashes - the best of those is always used to prevent needless post-processing to download and hash the artifact at lock creation time.
Fixes #2414