Use chef image clone to ghcr to workaround docker hub limits #714

Merged
merged 1 commit into from
Dec 5, 2024

Conversation

Firefishy
Member

I created https://github.com/Firefishy/chef-docker-image which uses github actions to clone the official Chef docker image and push it to GHCR.

This is to avoid the extremely low docker hub download limits which are breaking our tests.

@Firefishy
Member Author

There is an upstream bug asking Chef to push an image to GHCR: chef/chef#13907

@Firefishy Firefishy force-pushed the use-ghcr.io-chef-image branch from cd92c2e to 23e0dff Compare December 2, 2024 21:48
@Firefishy
Member Author

Firefishy commented Dec 2, 2024

Also added a fix for the chef ruby HTTPClient certificate chain of trust issue. Pushed HTTPClient fix to master.

@Firefishy Firefishy force-pushed the use-ghcr.io-chef-image branch from 23e0dff to 03c461f Compare December 2, 2024 21:52
@Firefishy Firefishy requested a review from tomhughes December 3, 2024 16:42
Member

@tomhughes tomhughes left a comment

I mean I don't really have the knowledge to review the docker side of this.

Looking at the other repo it looks like you're actually rebuilding the image from scratch rather than just copying it? If the result is supposed to be the same, why does it apparently have a different root CA bundle that necessitates patching our cookbooks?

The only other obvious thing is that this changes all users to use the ghcr version not just the actions.

@Firefishy
Member Author

Firefishy commented Dec 3, 2024

I use a Dockerfile with only a single `FROM docker.io/chef/chef:latest` to enable me to use docker build-push-action GHA caching instead of fully pulling, re-tagging, and pushing to GHCR on each scheduled run. The images do have different IDs (due to a different label), but contain exactly the same filesystem layers.

The CA bundle issue is due to chef's bundled ruby seemingly using an old CA cert bundle. It is unrelated to Docker.

```
grant@faffy:~$ /opt/chef/bin/irb
irb(main):001:0> require "httpclient"
=> true
irb(main):002:0> http_client = ::HTTPClient.new
=>
#<HTTPClient:0x00007fdefb295018
...
irb(main):003:0> http_client.get_content("https://api.wordpress.org/core/version-check/1.7")
/opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:103:in `connect': SSL_connect returned=1 errno=0 peeraddr=198.143.164.251:443 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:103:in `ssl_connect'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:41:in `initialize'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:26:in `new'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/ssl_socket.rb:26:in `create_socket'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:752:in `block in connect'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/timeout-0.3.2/lib/timeout.rb:189:in `block in timeout'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/timeout-0.3.2/lib/timeout.rb:196:in `timeout'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:748:in `connect'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:511:in `query'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient/session.rb:177:in `query'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient.rb:1242:in `do_get_block'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient.rb:1019:in `block in do_request'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient.rb:1133:in `protect_keep_alive_disconnected'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient.rb:1014:in `do_request'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient.rb:1104:in `follow_redirect'
	from /opt/chef/embedded/lib/ruby/gems/3.1.0/gems/httpclient-2.8.3/lib/httpclient.rb:655:in `get_content'
	... 4 levels...
irb(main):004:0> http_client.ssl_config.set_trust_ca("/etc/ssl/certs/ca-certificates.crt")
=> nil
irb(main):005:0> http_client.get_content("https://api.wordpress.org/core/version-check/1.7")
=> "{\"offer...
```
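
The failure and the fix in the irb session above can be reproduced offline. This is an added example, not code from the pull request or the cookbooks: it uses Ruby's standard `openssl` library instead of the httpclient gem, and every certificate, name and bundle in it is constructed for illustration. A leaf issued by a root that is missing from a stale bundle fails with the same "unable to get local issuer certificate" error, and verifies once the store holds the current root, without disabling verification.

```ruby
require "openssl"

# Build a constructed certificate; without an issuer it is a self-signed root.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify `leaf` against a trust store that holds only `anchors`.
# Returns [verified?, OpenSSL error code, error string].
def verify_against(anchors, leaf)
  store = OpenSSL::X509::Store.new
  anchors.each { |anchor| store.add_cert(anchor) }
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# Constructed PKI: the server's certificate chains to the newer root only.
OLD_KEY  = OpenSSL::PKey::RSA.new(2048)
NEW_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
OLD_ROOT = make_cert("Constructed Old Root", OLD_KEY, ca: true, serial: 1)
NEW_ROOT = make_cert("Constructed New Root", NEW_KEY, ca: true, serial: 2)
LEAF     = make_cert("server.example", LEAF_KEY,
                     issuer: NEW_ROOT, issuer_key: NEW_KEY, serial: 3)

STALE_BUNDLE   = [OLD_ROOT].freeze           # stands in for an outdated bundled CA file
CURRENT_BUNDLE = [OLD_ROOT, NEW_ROOT].freeze # stands in for an up-to-date system bundle

if __FILE__ == $PROGRAM_NAME
  puts "stale bundle:   #{verify_against(STALE_BUNDLE, LEAF).inspect}"
  puts "current bundle: #{verify_against(CURRENT_BUNDLE, LEAF).inspect}"
end
```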

@Firefishy Firefishy merged commit 8273ef2 into openstreetmap:master Dec 5, 2024
101 checks passed
@Firefishy Firefishy deleted the use-ghcr.io-chef-image branch December 5, 2024 19:41