Cross-scope artifact requests fail

We allow workspaces to inherit from public workspaces in different scopes (#978 (closed)). This is useful for using environments and suites from Debian (or other public distributions) within other scopes.

The worker is given artifact IDs, but it has no way of knowing which scope they come from, it makes the request with the work request's scope.

However our artifact API endpoints will not allow requests from a foreign scope.

I went down the road of trying to serve artifacts for both a workspace and the any public workspaces it inherits from, but the artifact API endpoints are not workspace-scoped. So if we pursue this, the artifact endpoints need to serve all artifacts from all public workspaces in all workspaces. And that seems like rather a violation of scope separation.

Other ways I can think of that can solve this:

1. Provide the worker with (scope, artifact ID) for each artifact.
2. Add Workspace-scoped artifact endpoints that can serve inherited artifacts.
3. Add an optional workspace parameter to the artifact endpoints, achieving the same effect as 2.