Bazel: allow LFS rules to use cached downloads without internet

[redsun82]

If the cache is prefilled, LFS rules were still trying to query for LFS urls.

Now the strategy is to first try to fetch the files from the repository cache (which is possible by providing an empty url list and allow_fail to repository_ctx.download), and only run the LFS protocol if that fails. Technically this is made possible by enhancing git_lfs_probe.py with a --hash-only flag.

This is also an optimization where no uneeded internet access is done (including the slightly slow SSH call) if the repository cache is warm.

Additionally, -oStrictHostKeyChecking=accept-new is now passed to the SSH call for LFS authentication. This makes a difference in the case the build is executed within a container on an already checked-out repository.