client: do not modify user-provided HTTP client

[corhere]

- What I did
Fixed constructing two Engine API clients from the same http.Client so that the second behaves the same as the first.

- How I did it
The http.Client passed into client.WithHTTPClient() is modified by the constructor in-place: the value of its Transport field is mutated and wrapped in an OpenTelemetry decorator. This can lead to very surprising behaviour when a second client is constructed reusing the same http.Client value. If the http.Client is configured for TLS, the second client will fail to detect that and will incorrectly dial the Engine API socket as cleartext HTTP. Copy the provided http.Client so our modifications don't leak out to unexpected places.

- How to verify it
New unit test.

- Human readable description for the release notes

- The http.Client value passed to client.WithHTTPClient() is now copied rather than mutated in-place.

- A picture of a cute animal (not mandatory but encouraged)

[thaJeztah]

Heh. Nice find! Looks like it has been like this since .. forever.

Validate is failing; looks like you need to run hack/vendor.sh @corhere

[thaJeztah]

🙈 sigh.. GOSEC linting failure now (sorry!) 🫶

client/client_options_test.go:382:54: G402: TLS InsecureSkipVerify set true. (gosec)
				TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
				                                                 ^
client/client_options_test.go:390:46: G402: TLS MinVersion too low. (gosec)
		cmpopts.IgnoreUnexported(http.Transport{}, tls.Config{}),
		                                           ^

[thaJeztah]

LGTM, thanks!