Normalize semaphore branch handling

We already had some protection for duplicate semaphore definitions:
we would simply ignore all but the first.

Normalize this to the recently changed behavior for secrets and nodes:
ignore duplicate definitions on different branches of the same project,
but otherwise, do not allow them.

This is more agressive configuration validation in some cases -- folks
with existing duplicate semaphore definitions will now encounter errors.

We also perform more validation of semaphores for proposed config updates.
We still don't use the new values, however, we do verify that the change
won't cause any config parse errors or duplicate errors.

Change-Id: I61b43fa1d1e67c35ab5653f35a7667138ed25aa2
diff --git a/tests/fixtures/config/semaphore-branches/main.yaml b/tests/fixtures/config/semaphore-branches/main.yaml
new file mode 100644
index 0000000..950b117
--- /dev/null
+++ b/tests/fixtures/config/semaphore-branches/main.yaml
@@ -0,0 +1,9 @@
+- tenant:
+    name: tenant-one
+    source:
+      gerrit:
+        config-projects:
+          - common-config
+        untrusted-projects:
+          - org/project1
+          - org/project2