[checks_downloader] use CloudFront entrypoint for v2 wheels repo (DataDog#24084)

Switch the default V2_REPOSITORY_URL from the direct S3 REST endpoint to
the CloudFront entrypoint that fronts the agent-integration-wheels-prod
public bucket:

    https://agent-integration-wheels-prod.s3.amazonaws.com
  ->
    https://agent-integration-wheels-prod.datadoghq.com

The CloudFront distribution is defined in DataDog/cloud-inventory at
datacenters/us1.prod.dog/agent-integration-wheels/. It is a pass-through
in front of the same bucket, anonymous reads only, so the bucket's
existing public-access policy (scoped to wheels/*, attestations/*,
targets/*, metadata/*) is still the sole authorization boundary.

Behavior is unchanged from the caller's perspective:
- '--repository' continues to accept any HTTPS base URL, so users can
  still target the direct S3 endpoint or any other mirror.
- Pointer files keep their informational 'repository' field; the
  downloader always fetches wheels relative to the URL passed at
  construction time (covered by
  test_repository_flag_overrides_pointer_repository).

Updates the unit tests to use the corresponding CloudFront URLs so the
fixtures match the production defaults.

Deployment note: the CloudFront infra must be deployed and validated
from the cloud-inventory change before this default flip rolls out to
agents.

[checks_downloader] point at single agent-integration-wheels CDN URL

Update V2_REPOSITORY_URL to the single stable public hostname now
exposed by the cloud-inventory CloudFront distribution:

    https://agent-integration-wheels.datadoghq.com

This is the only public CDN entrypoint we maintain for the wheel
publishing pipeline. The staging bucket is no longer fronted by its
own CDN; if the prod bucket ever needs to be failed over (corruption,
rollback, etc.), the cloud-inventory operators can repoint this same
hostname at the staging bucket without requiring a downloader release.

The override regression test now uses the direct S3 endpoint as the
"different repository in the pointer" so it more obviously represents
a realistic break-glass override.

Trim redundant comments from downloader v2 URL change

Add changelog fragment for the v2 repository URL change

Co-authored-by: bits <bits@datadoghq.com>

Author: dkirov-dd

datadog_checks_downloader/changelog.d/24084.fixed

@@ -0,0 +1 @@
+Use ``https://agent-integration-wheels.datadoghq.com`` (CloudFront) as the default v2 repository URL, replacing the direct S3 URL. The ``--repository`` flag still accepts any HTTPS base URL.

datadog_checks_downloader/datadog_checks/downloader/download_v2.py

@@ -30,7 +30,7 @@
 
 logger = logging.getLogger(__name__)
 
-V2_REPOSITORY_URL = "https://agent-integration-wheels-prod.s3.amazonaws.com"
+V2_REPOSITORY_URL = "https://agent-integration-wheels.datadoghq.com"
 
 # tuf.ngclient sets its own fetcher timeout; this applies only to the raw wheel urlopen().
 WHEEL_FETCH_TIMEOUT_SECONDS = 60

datadog_checks_downloader/tests/test_v2_downloader.py

@@ -39,7 +39,7 @@
 WHEEL_CONTENT = b'fake wheel bytes for testing'
 WHEEL_DIGEST = hashlib.sha256(WHEEL_CONTENT).hexdigest()
 WHEEL_LENGTH = len(WHEEL_CONTENT)
-REPO_URL = 'https://agent-integration-wheels-staging.s3.amazonaws.com'
+REPO_URL = 'https://agent-integration-wheels.datadoghq.com'
 
 POINTER = {
     'digest': WHEEL_DIGEST,