ci: upgrade base images to latest versions with digest pins

[levleontiev]

PR #62 (supply chain hardening) was based on the pre-dependabot state and overwrote two upgrades that had already been merged:

• PR ci: bump openresty/openresty from 1.25.3.2-jammy to 1.29.2.1-jammy in /docker #60: openresty 1.25.3.2-jammy → 1.29.2.1-jammy
• PR ci: bump ubuntu from 22.04 to 24.04 in /docker #59: ubuntu 22.04 → 24.04

This issue tracks restoring both upgrades with correct digest pins.

Changes needed

• docker/Dockerfile — openresty 1.29.2.1-jammy@sha256:01ae8007b5a26967ad8158554591c889345be3ffe51424fe475beb38ed923692
• docker/Dockerfile.cli — same
• docker/Dockerfile.test — ubuntu 24.04@sha256:67efaecc0031a612cf7bb3c863407018dbbef0a971f62032b77aa542ac8ac0d2
• spec/unit/supply_chain_pins_spec.lua — update expected openresty digest