Remove activity page links for third-party open groups

Activity pages are currently only supported for open groups belonging to
the h service's first party authority.

The team has agreed that the best way to resolve this would be to only
include the "activity page" link in the `/api/groups` response for
groups where that is supported. However to give us more time to hammer
out the API details, we are committing a small change to the client in
the interim.

Specify npm package version to publish to S3

Sometimes the "Publish" step has ended up publishing version N-1 to the
CDN when building the tag for version N. I believe this happens due to
npm's package publishing API not guaranteeing immediate visiblity of the
latest version when it returns. If the publish task runs before the
update has propagated inside their network, then the publish step
re-uploads the previous version to the CDN.

This commit attempts to resolve the issue by specifying a package
version explicitly. We might find that this is not enough and that the
publish step either has to wait until the update has propagated or we
have to use a locally-built tarball.

Fixes #602

Pass "authority" query param when fetching groups list

Without this argument, the "h" service does not know which authority's
groups should be returned if the user is not logged in.

Show a list of groups for logged out users.

At the moment we only show one group i.e Public for logged out users.
we should also show those groups to logged out users.
See https://github.com/hypothesis/product-backlog/issues/417

Only wait for document URI before fetching groups in sidebar

Fixes a regression after 36c46608 where the stream and single
annotation page views failed to load.

36c46608 made the groups service wait for the host page's document URI
to be determined before making a call to the `/api/groups` endpoint
passing that URI as a parameter. In the stream (`/stream`) and single
annotation page routes, there is no host page and so
the promise returned by `getDocumentUriForGroupSearch` never resolved.
Avoid waiting for this URI in that case and avoid passing the
`document_uri` parameter to the `/api/groups` endpoint.

This commit introduces a new `isSidebar` test rather than using
`annotationUI.isSidebar` because that piece of app state is not yet
initialized at the point when `groups.load()` is called in the route's
`resolve` function in src/sidebar/index.js.

Get the list of groups from the new endpoint and update it where applicable

Fetch the list of groups from the new `/api/groups` endpoint instead of
using the groups list returned in the `/api/profile` result. This
supports providing the current document URI as a parameter, which
enables the server to change the list of open groups returned depending
on the current URL.

In order to update the groups list correctly, taking into account the
current document URI, when the user joins or leaves a group, the
`streamer` service now handles "session change" notifications by
triggering a re-fetch of groups from the `/api/groups` endpoint instead
of updating the groups directly from the payload of the WebSocket
message.
Co-authored-by: Robert Knight <robertknight@gmail.com>

Update to Angular 1.6.9

Fix spinner animation

Fix a test failure due to a subtle issue with the interaction between
the `$q` service, `AnnotationController#delete` and `$timeout.flush` in
tests.

Instantiating the rejected promise _before_ calling `$timeout.flush`
resulted in Angular's unhandled promise checking code being triggered
in the test.

Fix occurrences of a "multilink" [1] error during test for the
annotation save button.

Replace calls to the link function with direct assignments to controller
properties.

[1] https://code.angularjs.org/1.6.9/docs/error/$compile/multilink

The main change that affects us is that component inputs/bindings are no
longer available as controller properties in the constructor by default.
Instead this logic should go in a controller's `$onInit` method.

In this commit use the `$compileProvider.preAssignBindingsEnabled`
compatibility helper which preserves the Angular <= 1.5 behavior. This
is being removed in Angular 1.7.

`@keyframes($name)` is not legal syntax. I'm unsure if this ever worked
in the past in older browsers or if it was previously converted by a
post-processor to valid syntax.

Refactor export of bound selectors from Redux store

Group the selectors in each Redux module together in a `selectors`
object so they can be re-exported as methods on the Redux store without
having to list each of them manually.

This also just makes it easier to visually see which exported functions
from a Redux module are selectors.

Hide the direct-link CTA for third party accounts

The CTA message shown when an anonymous user visits a direct link
contains links to the Hypothesis site and makes other assumptions, such
as the user being able to create accounts and those accounts being free,
which may not be applicable on sites that use third party accounts.

For now, just hide this CTA if the page uses third party accounts.

Fixes #656
Fixes #657

Add script to initiate a client release