Quote remote release-tool command arguments

[e-q]

Summary

• Quote environment values and remote paths before building release upload command strings.
• Preserve intended glob expansion for staged release artifact copies.
• Quote URL-derived Windows upload paths before passing them to SSH/SCP helpers.
• Add mocked regression tests for the generated SSH and upload command strings.

Closes #397 (release tooling remote command arguments)
Closes #401 (Windows upload URL-derived remote paths)

Testing

• Focused tox regression tests for generated remote command quoting: passed.
• tox -q -e mypy: passed.
• Ruff lint and whitespace checks on touched files: passed.

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[sethmlarson]

@e-q Overall comment: Instead of introducing shlex.quote() everywhere is there value instead in changing functions to accept a list of parameters instead of a str and calling shlex.join before sending the command? Then we don't have to rely on remembering to call shlex.quote() everywhere.

[e-q]

Gotcha, I refactored this so the SSH helpers now accept command argument lists and call shlex.join() at the execution boundary instead of requiring each call site to remember shlex.quote().

For the two places that intentionally need remote shell glob expansion, the updated version uses static sh -c snippets and passes the dynamic paths as positional arguments. That keeps the wildcard behavior explicit while still joining the dynamic values centrally.

[hugovk]

This now has a conflict after the merge of #406.

[e-q]

Rebased onto current main and resolved the conflict from #406 by preserving its -maxdepth 1 / current-user permission narrowing in the list-based command form.
Local tests, mypy, and lint pass.

[sethmlarson]

Only had one small comment, otherwise LGTM.

[e-q]

CI failures not related to this PR, addressed in #411

[hugovk]

@e-q Overall comment: Instead of introducing shlex.quote() everywhere is there value instead in changing functions to accept a list of parameters instead of a str and calling shlex.join before sending the command? Then we don't have to rely on remembering to call shlex.quote() everywhere.

Hmm, sometimes when needing to debug stuff, it's easier to have a command as a string like "chgrp -R docs {destination}" that can be copied and pasted with less modification, than something like ["chgrp", "-R", "docs", destination].

Is it possible to safely have them as strings as a starting point?

[e-q]

@hugovk What do you think of a static shell template + quoted substitutions helper:

  from string import Template
  from typing import LiteralString

  def join_remote_template(template: LiteralString, **values: object) -> str:
      quoted = {name: shlex.quote(str(value)) for name, value in values.items()}
      return Template(template).substitute(quoted)

Then call sites can stay copy/pasteable:

  execute_command("chgrp -R docs $destination", destination=destination)
  execute_command("chmod -R 775 $destination", destination=destination)
  execute_command(
      "find $destination -type f -exec chmod 664 {} \\;",
      destination=destination,
  )
  execute_command("cp $source/* $destination", source=source, destination=destination)

This way you can copy-paste shell-looking strings, while dynamic values are still quoted centrally. I’d use string.Template rather than .format() because these commands contain literal {} for find -exec.

[hugovk]

@e-q Looks good.

@sethmlarson ok for you?