test, tools: init bundle cert chain tests

[tnytown]

Resolves #66.

[tnytown]

69 introduced a flake that we didn't catch because the self-tests ran against the base branch w/ pull_request_target. It should be safe to run PR code now that we've dropped the ambient credential, so I've adjusted our self-test to run against the PR branch with pull_request.