
build(deps): bump oras.land/oras-go/v2 from 2.6.0 to 2.6.1 #1192

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/oras.land/oras-go/v2-2.6.1

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 18, 2026
Bumps oras.land/oras-go/v2 from 2.6.0 to 2.6.1.

Release notes

Sourced from oras.land/oras-go/v2's releases.

v2.6.1

This is a security patch release addressing five advisories in the authentication, remote, and content layers, plus accumulated bug fixes and maintenance since v2.6.0.

Security Fixes

  • Drop the Authorization header on cross-origin redirects to prevent origin credentials leaking to a redirect target on a different scheme/port of the same host (GHSA-vh4v-2xq2-g5cg)
  • Validate the bearer realm host before sending credentials to prevent credential exfiltration to an attacker-controlled token service, including TLS downgrades and IP-literal metadata endpoints; adds TrustedRealmHosts (GHSA-28r5-37g7-p6mp, GHSA-xf85-363p-868w)
  • Validate the Location host before blob upload to prevent credentials being forwarded to a cross-host upload endpoint (SSRF / CWE-918) (#1152, GHSA-jxpm-75mh-9fp7)
  • Reject descriptor sizes exceeding 32 MiB in content.ReadAll to prevent a crafted OCI layout from triggering a makeslice panic and crashing the process (#1153, GHSA-f36w-mj3v-6jqv)
  • Resolve symlinks when enforcing the workingDir write boundary in content/file, blocking writes that escape the boundary via a symlinked path component when AllowPathTraversalOnWrite=false

Bug Fixes

  • graph.Memory should use digest as map key (#1095)
  • Fix credentials key for the Docker registry-1 host (#966)
  • Support an empty credentials file (#959)

Other Changes

  • Add GitOps release workflow with goreleaser (#1161)
  • Shift the Go support window to [1.24, 1.25] (#991)
  • Run go modernize (#1005)
  • Sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
  • Remove scripts reference from the Makefile (#960)
  • Bump golang.org/x/sync 0.14.0 → 0.20.0 (#971, #978, #1001, #1037, #1078, #1121)
  • Bump GitHub Actions: actions/checkout 4→5 (#989), actions/setup-go 5→6 (#998), actions/stale 9→10 (#997), github/codeql-action 3→4 (#1016)

Commits

  • 47b7c80 release: v2.6.1 (#1195)
  • 3c2e884 Merge commit from fork
  • cc323e5 Merge commit from fork
  • 7a9f4b0 Merge commit from fork
  • d593d50 feat: add gitops release workflow with goreleaser (#1161)
  • 5fd67f9 fix(content): reject descriptor sizes exceeding 32 MiB in ReadAll (#1153)
  • 4683c46 fix: validate Location host before blob upload to prevent credential leak (#1...
  • 4a3e611 build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#1121)
  • 00de1f0 chore: sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
  • d7b6f8e fix: graph.Memory should use digest as map key (#1095)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [oras.land/oras-go/v2](https://github.com/oras-project/oras-go) from 2.6.0 to 2.6.1.
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v2.6.0...v2.6.1)

---
updated-dependencies:
- dependency-name: oras.land/oras-go/v2
  dependency-version: 2.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
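The advisories listed in the release notes above share one shape: the client acts on a server-supplied value (a redirect target, a bearer realm, a blob-upload Location, a descriptor size) without first checking it, and either leaks the registry credentials or over-allocates. The block below is an added example in plain net/http terms, not oras-go's own code; it does not cover the symlink fix. The function names, the `trusted` list (a stand-in for the TrustedRealmHosts setting named in the notes), the 32 MiB constant and the sample inputs (`registry.example.com`, `auth.example.com`, the cloud-metadata address `169.254.169.254`) are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// portOf returns the effective port so "https://h" and "https://h:443" compare equal.
func portOf(u *url.URL) string {
	if p := u.Port(); p != "" {
		return p
	}
	return map[string]string{"http": "80", "https": "443"}[u.Scheme]
}

// sameOrigin compares scheme, host and port. net/http's own redirect rule only looks
// at the domain, so it keeps Authorization across a port or scheme change on one host.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) &&
		strings.EqualFold(a.Hostname(), b.Hostname()) && portOf(a) == portOf(b)
}

// checkRedirect is an http.Client.CheckRedirect hook that strips Authorization
// whenever the redirect leaves the origin the first request (via[0]) went to.
func checkRedirect(req *http.Request, via []*http.Request) error {
	if len(via) >= 10 {
		return fmt.Errorf("stopped after %d redirects", len(via))
	}
	if !sameOrigin(req.URL, via[0].URL) {
		req.Header.Del("Authorization")
	}
	return nil
}

// validateUploadLocation resolves a blob-upload Location against the registry
// base URL and refuses any target that is not the registry's own origin.
func validateUploadLocation(registry *url.URL, location string) (*url.URL, error) {
	loc, err := url.Parse(location)
	if err != nil {
		return nil, err
	}
	target := registry.ResolveReference(loc)
	if !sameOrigin(target, registry) {
		return nil, fmt.Errorf("upload Location %q is off registry origin %s", location, registry.Host)
	}
	return target, nil
}

// validateRealm checks a bearer-challenge realm before credentials go to it: https only
// (no TLS downgrade), no IP-literal host (cloud metadata endpoints are IP literals), and
// a hostname that is the registry's own or on an explicit trusted list (assumed here).
func validateRealm(realm string, registry *url.URL, trusted []string) (*url.URL, error) {
	u, err := url.Parse(realm)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("realm %q: scheme must be https", realm)
	}
	host := u.Hostname()
	if host == "" || net.ParseIP(host) != nil {
		return nil, fmt.Errorf("realm %q: empty or IP-literal host rejected", realm)
	}
	for _, ok := range append([]string{registry.Hostname()}, trusted...) {
		if strings.EqualFold(host, ok) {
			return u, nil
		}
	}
	return nil, fmt.Errorf("realm %q: host %q is not trusted", realm, host)
}

const maxDescriptorSize = 32 << 20 // the 32 MiB cap named in the release notes

// readAllBounded checks size before allocating, so a crafted descriptor cannot force a huge makeslice.
func readAllBounded(r io.Reader, size int64) ([]byte, error) {
	if size < 0 || size > maxDescriptorSize {
		return nil, fmt.Errorf("descriptor size %d outside [0, %d]", size, maxDescriptorSize)
	}
	buf := make([]byte, size)
	if _, err := io.ReadFull(r, buf); err != nil {
		return nil, fmt.Errorf("short content: %w", err)
	}
	return buf, nil
}

func main() {
	// Constructed inputs: a registry origin and values a hostile registry might return.
	reg := &url.URL{Scheme: "https", Host: "registry.example.com"}
	_, err := validateUploadLocation(reg, "http://registry.example.com/v2/r/blobs/uploads/1")
	fmt.Println("downgraded upload Location ->", err)
	_, err = validateRealm("https://169.254.169.254/token", reg, []string{"auth.example.com"})
	fmt.Println("metadata-endpoint realm ->", err)
	_, err = readAllBounded(strings.NewReader("{}"), 1<<40) // crafted 1 TiB descriptor size
	fmt.Println("oversized descriptor ->", err)
}
```

To apply the redirect rule, install the hook with `&http.Client{CheckRedirect: checkRedirect}`; the client calls it before sending each redirected request, so deleting the header there is what reaches the wire. Setting CheckRedirect also replaces Go's default 10-redirect limit, which is why the hook reinstates it.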
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels on Jun 18, 2026
dependabot[bot] requested review from mumoshu, itscaro, yxxhero and xiaomudk as code owners on June 18, 2026 at 02:53

Labels: dependencies (Pull requests that update a dependency file), go (Pull requests that update Go code)

Projects: None yet

Participants: 0