jetstack / version-checker

Kubernetes utility for exposing image versions in use, compared to latest available upstream, as metrics.
https://jetstack.io
Apache License 2.0

ghcr.io: List packages based on whether owner is an org or a user #180

Closed ribbybibby closed 1 month ago

ribbybibby commented 2 months ago

We were previously using releases to figure out tags for a GitHub package. I think this was wrong. Not all release tags will be pushed as package versions, and vice versa. Someone may choose to use GHCR without taking advantage of releases at all.

I've modified it so that the client will check if the owner is a user or an org and then make the appropriate PackageGetAllVersions function call to retrieve the tags.

I've also fixed a few other things I ran into while testing this:

  1. Create the GitHub client in New so that rate limiting and other goodness is reused across calls.
  2. Fix RepoImageFromPath, so it will split the repository path into the 'owner' and 'repo' segments that Tags expects. Previously we would have got errors for subrepositories.
  3. Update TestRepoImage to ensure it doesn't panic on unexpected inputs.
  4. We don't need to use regex to match ghcr.io to ghcr.io.
  5. If we're excluding .att tags then we should probably exclude .sig and .sbom too.

Fixes #179, #175
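Items 2 and 5 of the list above, sketched as an added Go example (not code from this PR or from version-checker): the hypothetical helpers `splitOwnerPackage` and `imageTags` assume the owner is the first path segment and the package name is everything after it, and the sample paths and tags are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// splitOwnerPackage (hypothetical name) splits a ghcr.io repository path such as
// "owner/repo/sub-image" into the owner and the remaining package path.
// Malformed input yields ok=false rather than a panic or an index error.
func splitOwnerPackage(path string) (owner, pkg string, ok bool) {
	if strings.Contains(path, "//") {
		return "", "", false
	}
	parts := strings.SplitN(strings.Trim(path, "/"), "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", false
	}
	return parts[0], parts[1], true
}

// Suffixes named in item 5: these tags point at attestations, signatures and
// SBOMs stored next to the image, not at image versions.
var artifactSuffixes = []string{".att", ".sig", ".sbom"}

// imageTags (hypothetical name) drops artifact tags so they are never
// compared against the running image version.
func imageTags(tags []string) []string {
	out := make([]string, 0, len(tags))
next:
	for _, t := range tags {
		for _, s := range artifactSuffixes {
			if strings.HasSuffix(t, s) {
				continue next
			}
		}
		out = append(out, t)
	}
	return out
}

func main() {
	// Constructed sample inputs.
	for _, p := range []string{"jetstack/version-checker", "acme/platform/api", "acme", ""} {
		owner, pkg, ok := splitOwnerPackage(p)
		fmt.Printf("%q -> owner=%q package=%q ok=%v\n", p, owner, pkg, ok)
	}
	tags := []string{"v0.2.1", "sha256-0000aaaa.sig", "sha256-0000aaaa.att", "sha256-0000aaaa.sbom", "latest"}
	fmt.Println(imageTags(tags))
}
```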

hawksight commented 1 month ago

Appreciate the contextual description at the top of the PR @ribbybibby. I've added issue / thoughts on the existing comments. I think it'd be good to merge and fix for users of ghcr.io.

@davidcollom I'll defer to you for approval. My Go isn't good enough to properly review. But from a "this is what the PR tackles" perspective I give it 👍