Restrict CI to require put-if-none-match #669

@Mark-Simulacrum

Description

For the cases where we expect writers to only write once -- probably at least:

  • rust-lang/rust CI uploads
  • mirror bucket (maybe, not sure about this one)
  • crates.io crate uploads (maybe)

We should update the CI code and then update the AWS policies to enforce CI is only creating new objects, not overwriting old ones. See docs here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/conditional-writes-enforce.html

That would deliver part of the security benefit from #355 (comment), where we prevent accidental or intentional overwrites of already created objects -- making it noisy if someone e.g. queues up writes from a try build to a different try build or similar, rather than silently succeeding in both builds (as would happen today). It's not a complete fix since it's time dependent, but for auto merges it's already fully sufficient (those never run concurrently) and for try builds it at least helps somewhat.
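As an added example (not code from the rust-lang infra repositories or from AWS), here is a small offline model of what this enforcement changes. The policy document follows the shape in the AWS conditional-writes docs linked above: a Deny on `s3:PutObject` whenever the `s3:if-none-match` condition key is absent. The in-memory bucket is a constructed simulation of S3's 403/412 responses, assumed for illustration only.

```python
from typing import List, Optional

class PreconditionFailed(Exception):
    """Models S3's 412 PreconditionFailed: If-None-Match: * sent but the key exists."""

class AccessDenied(Exception):
    """Models the 403 returned when the bucket policy's Deny statement matches."""

def enforce_policy(bucket: str) -> dict:
    """Bucket policy denying any PutObject that omits If-None-Match (per AWS docs)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyPutWithoutIfNoneMatch",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Null=true matches requests where the condition key is absent entirely.
            "Condition": {"Null": {"s3:if-none-match": "true"}},
        }],
    }

class FakeBucket:
    """Constructed stand-in for S3: last writer wins unless a condition says otherwise."""

    def __init__(self, name: str, enforce: bool):
        self.name, self.objects, self.enforce = name, {}, enforce

    def put_object(self, key: str, body: bytes, if_none_match: Optional[str] = None) -> None:
        # Policy layer: with enforcement on, a plain (unconditional) put is denied.
        if self.enforce and if_none_match is None:
            raise AccessDenied(f"policy denies PutObject on {key} without If-None-Match")
        # Conditional-write semantics: '*' means create only, never replace.
        if if_none_match == "*" and key in self.objects:
            raise PreconditionFailed(f"{key} already exists")
        self.objects[key] = body

def publish_builds(bucket: FakeBucket, key: str, builds: List[bytes]) -> List[str]:
    """Several builds race to publish the same key; report what happened to each."""
    outcomes = []
    for body in builds:
        try:
            bucket.put_object(key, body, if_none_match="*")
            outcomes.append("created")
        except PreconditionFailed:
            outcomes.append("rejected")  # loud failure instead of a silent overwrite
    return outcomes
```

With a real client the same header is sent as `--if-none-match '*'` on `aws s3api put-object` (or `IfNoneMatch="*"` in boto3's `put_object`); the second writer then gets a 412 to investigate rather than quietly replacing the first build's artifact.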
