[stable-2.19] Fix direct S3 link in integration tests (#86464) (#86466)

Also add a sanity test to prevent similar issues in the future.

(cherry picked from commit b1bc1e2513)

test/integration/targets/win_app_control/setup.yml

@@ -82,7 +82,7 @@
 - name: install OpenAuthenticode
   shell: |
     if (-not (Get-Module -Name OpenAuthenticode -ListAvailable | Where-Object Version -ge '0.5.0')) {
-        $url = 'https://ansible-ci-files.s3.us-east-1.amazonaws.com/test/integration/targets/win_app_control/openauthenticode.0.6.1.nupkg'
+        $url = 'https://ci-files.testing.ansible.com/test/integration/targets/win_app_control/openauthenticode.0.6.1.nupkg'
         Invoke-WebRequest -Uri $url -OutFile '{{ local_tmp_dir }}/openauthenticode.0.6.1.nupkg'
 
         Register-PSResourceRepository -Name AnsibleTemp -Trusted -Uri '{{ local_tmp_dir }}'

test/sanity/code-smell/no-s3.json

@@ -0,0 +1,4 @@
+{
+    "text": true,
+    "output": "path-line-column-message"
+}

test/sanity/code-smell/no-s3.py

@@ -0,0 +1,27 @@
+"""
+Disallow direct linking to S3 buckets.
+S3 buckets should be accessed through a CloudFront distribution.
+"""
+
+from __future__ import annotations
+
+import re
+import sys
+
+
+def main():
+    """Main entry point."""
+    for path in sys.argv[1:] or sys.stdin.read().splitlines():
+        with open(path, 'rb') as path_fd:
+            for line, b_text in enumerate(path_fd.readlines()):
+                try:
+                    text = b_text.decode()
+                except UnicodeDecodeError:
+                    continue
+
+                if match := re.search(r'(http.*?s3\..*?amazonaws\.com)', text):
+                    print(f'{path}:{line + 1}:{match.start(1) + 1}: use a CloudFront distribution instead of an S3 bucket: {match.group(1)}')
+
+
+if __name__ == '__main__':
+    main()