Improve time-to-fail when a task group doesn't pass CoT

[mitchhentges]

In mobile, we often have a task group workflow of:

decision task -> build (takes a long time) -> sign -> push

If the decision task isn't valid for CoT, we don't realize until the sign task runs. Since the build task takes so long (upwards of an hour, in some cases), this can consume a lot of time. If decision task CoT checking happened sooner, this could improve productivity.

end-to-end CoT verification may help with this?

[escapewindow]

I think having a check in taskgraph that prevents trusted scriptworkers from downloading from non-trusted worker pools may help most or all of the root cause of this issue. Also, once the decision task with unknown validity runs, we can run verify_cot against it, without waiting for the build to finish. If the decision task itself is invalid, we can find that out quickly.

Also,

• worker identity, once implemented, will allow us to remove cot keypairs from worker pools, and
• the artifact metadata rfc, once implemented, will allow us to use platform-supported artifact guarantees, rather than rely on CoT layers on top of the platform.

End-to-end CoT verification would allow us to find out automatically during the decision task and/or build, and is my preferred solution here.

More discussion here. I think these are valid concerns, with plans to address. Since they're being tracked elsewhere, I'm going to close this issue.