invoke key update, closes #2278

[FloSch62]

Closes #2278

I have not found a better solution to keep the gpg keys updated/rotated automatically.
The gpg keys from the current release are valid until 2026, but with PR it ensures older Docker images of the clab-devcontainer can still function correctly even if the GPG key for the GitHub CLI repository has expired. The goal is to make the container update the GPG key as needed without requiring users to rebuild the image or manually intervene, allowing apt update to succeed seamlessly.

By configuring apt to run /usr/local/bin/update-github-cli-key.sh before any update operation, its ensure that the GPG key is refreshed every time apt update is invoked. This happens automatically and does not require any manual intervention from the user.
If the key installed in the image is expired, the script will fetch the latest key from the GitHub servers, updating the keyring so that apt can verify the repository signatures correctly.

[hellt]

@FloSch62 I am actually thinking "screw this gpg thingy". All the bad things come from security :D
Let's instead curl the latest binary from the releases instead and forget all that nonsense

something like

RUN bash -c 'VERSION=$(curl -s https://api.github.com/repos/cli/cli/releases/latest | grep -o "\"tag_name\": \".*\"" | sed -E "s/.*: \"(.*)\"/\1/") && \
    CLEAN_VERSION=${VERSION#v} && \
    DOWNLOAD_URL="https://github.com/cli/cli/releases/download/${VERSION}/gh_${CLEAN_VERSION}_linux_amd64.tar.gz" && \
    curl -L "$DOWNLOAD_URL" | tar xz -C /tmp && \
    mv /tmp/gh_${CLEAN_VERSION}_linux_amd64/bin/gh /usr/local/bin/ && \
    chmod +x /usr/local/bin/gh && \
    rm -rf /tmp/gh_${CLEAN_VERSION}_linux_amd64'

[FloSch62]

@hellt I think you are right, I applied your proposal and tested it.

[hellt]

thanks @FloSch62