Fix Ubuntu 24.04 NO_PUBKEY: per-repo GPG keyring provisioning

[Copilot]

On Ubuntu 24.04 (noble), all APT repositories were pointing signed-by= at a single shared keyring containing only one key, but each repository (tools, release, etc.) is signed with a distinct GPG key — causing NO_PUBKEY failures for every repo whose key wasn't in that file.

Changes

osfamily_map.yaml

• repo_keyfile for Ubuntu ≥24 changed from the static zoomdata-archive-keyring.gpg to a per-repo template: /usr/share/keyrings/zoomdata-%(repo)s-keyring.gpg

repo.sls

• Removed the single pre-loop zoomdata-gpg-key-download / zoomdata-gpg-key states (Ubuntu 24.04+ path); the legacy file.managed state for pre-24.04 Debian is unchanged
• Per-repo zoomdata-gpg-key-download-{{ repo }} + zoomdata-gpg-key-{{ repo }} states are now emitted inside the loop — each repo downloads, dearmors, and owns its own keyring file
• Key URL resolved as (gpgkeys|default({}, true)).get(repo, gpgkey) — per-repo override if set, global key as fallback

defaults.yaml

• Added gpgkeys: {} with a doc comment explaining per-repo key overrides, fallback behaviour, and the requirement to quote numeric-looking repo names in YAML

pillar.example

• Documented gpgkeys with example syntax for repos that use different signing keys

Usage (for repos with distinct per-repo signing keys)

zoomdata:
  base_url: 'http://dev-repo.zoomdata.com'
  gpgkey:  'http://dev-repo.zoomdata.com/GPG-KEY.pub'   # release repo key (fallback)
  gpgkeys:
    tools: 'http://dev-repo.zoomdata.com/tools-GPG-KEY.pub'
    '26.1': 'http://dev-repo.zoomdata.com/26.1-GPG-KEY.pub'

Repos not listed in gpgkeys automatically fall back to the global gpgkey, so setups where all repos share a single signing key require no pillar changes.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.