Asset integrity testing

[calebhailey]

Fetch and verify every asset URL+SHA512 pair. Fail if any URL is unreachable, or if a SHA512 doesn't match.

[jspaleta]

pretty straight forward... but potentially expensive. Do we want to separate flag to disable this, instead of just the global DISABLE_SANITY_CHECKS flag?

I can see wanting to skip this on merge, but having it on for pull requests, but checking this for every merge is a lot of download churn.

[calebhailey]

Yes, I'd say we'll want somewhat granular toggles for enabling/disabling various tests; and some defaults around which tests are run on PRs vs commits to main, etc.