Improve docs or behavior of Docker auth_soft_fail

[schmichael]

The existing behavior is to hard fail if Docker auth helpers are used but auth fails or the image isn't found. Users may set auth_soft_fail to fallback to the public Docker Hub on a per-job basis.

This creates a confusing scenario where users mixing public and private images have to set auth_soft_fail=true for every job using a public image iff Docker auth helpers are used.

Original comment: #2744 (comment)

this doesnt seem to be a global config option. setting this in every job configuration is fine but very confusing. A user would still have no idea what to do if an image simply doesn't download from dockerhub, and has no way to figure out that its from a global auth plugin. the docs don't say anything like "if you want to use public images in the same way as docker swarm or kubernetes, set auth_soft_fail".
maybe the config option should be "allow_dockerhub"

[github-actions]

I'm going to lock this issue because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.