Move credentials after build dependencies, controlled by calibanconfig

[sritchie]

Dependencies are much more expensive to change than credentials. This PR moves the credential injection after dependency fetching.

This is a decent idea, I think, BUT it has a problem. If you have private dependencies in a google Source Cloud Repository, you need the credentials to come before the pip install so that git can use gcloud for authentication.

@ajslone , I'm going to vote that we:

• make this change here, but only after
• we add a setting in .calibanconfig.json that allows you to move this earlier if you need it there.

I am a little worried at configuration options starting to increase. What do you think?

[codecov]

Codecov Report

Attention: Patch coverage is 0% with 6 lines in your changes missing coverage. Please review.

Project coverage is 43.64%. Comparing base (4fbfe5f) to head (dfe6948).
Report is 89 commits behind head on main.

Files with missing lines	Patch %	Lines
caliban/docker.py	0.00%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #10      +/-   ##
==========================================
- Coverage   43.73%   43.64%   -0.10%     
==========================================
  Files          20       20              
  Lines        3114     3114              
==========================================
- Hits         1362     1359       -3     
- Misses       1752     1755       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ajslone]

This seems like the right thing to do, but I hear your concerns over over-configurability and its impact on usability. I'd say that as long as there are rational defaults, and there is some way to keep a persistent configuration then this should be ok.