
Add a feature flag to disable resolving of TLS chain

Stan Hu requested to merge sh-ff-disable-resolve-tls-chain into main

In the past, the runner needed to resolve a full TLS certificate chain, including the self-signed root, in order for Git clones to work over HTTPS. Go 1.9 changed the behavior to present a partial certificate chain if a trusted intermediate certificate were placed in the system certificate directory (https://github.com/golang/go/issues/24685). !1581 (merged) worked around that change by restoring the Go 1.8 behavior of presenting the full chain in CI_SERVER_TLS_CA_FILE.

libcurl v7.68 has since fixed the behavior to trust a certificate authority that is not self-signed (https://github.com/curl/curl/commit/94f1f771586913addf5c68f9219e176036c50115). As a result, resolving the full chain is no longer necessary. As long as there is a trusted certificate authority in the chain, the TLS connection can proceed.

Go 1.18 modified Certificate.Verify to use the macOS and Windows-specific platform APIs. As a result, a root certificate signed with a SHA-1 certificate will be rejected, which prevents the runner from generating CI_SERVER_TLS_CA_FILE. This may cause Git clones to fail.

This commit adds a feature flag, FF_RESOLVE_FULL_TLS_CHAIN, that is enabled by default. This flag makes it possible to disable this resolving of the full certificate chain. On most platforms, this can be disabled safely, assuming Git and other clients are compiled with an updated libcurl version.
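The following is an added, self-contained Go illustration of the two behaviours the flag selects between; it is not code from gitlab-runner itself, and `resolveChain`, `makeCert`, `demoChain` and `pemBundle` are hypothetical names chosen for this example. It constructs a root CA, an intermediate and a leaf certificate in memory, then shows that with full-chain resolution enabled the bundle written for CI_SERVER_TLS_CA_FILE walks up to the self-signed root via `x509.Certificate.Verify`, while with it disabled only the certificates presented by the server (leaf plus intermediate, which an updated libcurl already accepts) are kept. Note that passing an explicit `Roots` pool keeps verification inside Go's own verifier, so the Go 1.18 platform-verifier behaviour described above is not exercised here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate for cn, signed by parent.
// When parent is nil the certificate is self-signed (a root CA).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// demoChain builds a constructed root -> intermediate -> leaf hierarchy.
func demoChain() (root, inter, leaf *x509.Certificate, err error) {
	root, rootKey, err := makeCert("Constructed Root CA", true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	inter, interKey, err := makeCert("Constructed Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	leaf, _, err = makeCert("gitlab.example.invalid", false, inter, interKey)
	if err != nil {
		return nil, nil, nil, err
	}
	return root, inter, leaf, nil
}

// resolveChain is a simplified stand-in (an assumption, not the runner's code)
// for building CI_SERVER_TLS_CA_FILE. presented is the chain the server sent,
// leaf first, as already accepted by the TLS handshake. With resolveFullChain
// set, the chain is walked up to a trusted self-signed root via Verify;
// otherwise the presented certificates are used as-is.
func resolveChain(presented []*x509.Certificate, roots *x509.CertPool, resolveFullChain bool) ([]*x509.Certificate, error) {
	if len(presented) == 0 {
		return nil, fmt.Errorf("empty certificate chain")
	}
	if !resolveFullChain {
		return presented, nil
	}
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	if err != nil {
		return nil, err
	}
	return chains[0], nil // leaf, intermediates..., root
}

// pemBundle renders a chain in the PEM form a CA file would contain.
func pemBundle(chain []*x509.Certificate) string {
	var out []byte
	for _, c := range chain {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return string(out)
}

func main() {
	root, inter, leaf, err := demoChain()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	for _, full := range []bool{true, false} {
		chain, err := resolveChain([]*x509.Certificate{leaf, inter}, roots, full)
		if err != nil {
			panic(err)
		}
		fmt.Printf("FF_RESOLVE_FULL_TLS_CHAIN=%v -> %d certificates, %d PEM bytes\n", full, len(chain), len(pemBundle(chain)))
	}
}
```

With the flag enabled the bundle ends in the self-signed root; with it disabled the bundle ends at the intermediate, which is sufficient for a libcurl v7.68 or newer Git client because that intermediate is already trusted. The failing case (no trusted root in the pool) is where full-chain resolution aborts, which is the situation the description attributes to SHA-1-signed roots under Go 1.18's platform verifiers.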

Relates to #29373 (closed)

Edited by Stan Hu
