github-actions: bump imjasonh/setup-crane from 0.4 to 0.6#575

Merged
bgentry merged 1 commit into
masterfrom
dependabot/github_actions/imjasonh/setup-crane-0.5
Jun 23, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github May 17, 2026

Bumps imjasonh/setup-crane from 0.4 to 0.6.

Release notes

Sourced from imjasonh/setup-crane's releases.

v0.6

What's Changed

New Contributors

Full Changelog: imjasonh/setup-crane@v0.5...v0.6

v0.5

What's Changed

New Contributors

Full Changelog: imjasonh/setup-crane@v0.4...v0.5

Commits
  • 59c71e9 Merge pull request #18 from amouat/harden-action-env
  • 67f282d Update use-action.yaml
  • 9feaf12 Pass action inputs via env to prevent script injection
  • 6da1ae0 Merge pull request #17 from markusthoemmes/reliability
  • a224f66 Skip release lookup and retry download errors
  • 7b22c9e Update README.md
  • See full diff in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot Bot commented on behalf of github May 17, 2026

Labels

The following labels could not be found: github-actions. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 17, 2026
bgentry commented Jun 23, 2026

@dependabot rebase

Bumps [imjasonh/setup-crane](https://github.com/imjasonh/setup-crane) from 0.4 to 0.6.
- [Release notes](https://github.com/imjasonh/setup-crane/releases)
- [Commits](imjasonh/setup-crane@v0.4...v0.6)

---
updated-dependencies:
- dependency-name: imjasonh/setup-crane
  dependency-version: '0.5'
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title github-actions: bump imjasonh/setup-crane from 0.4 to 0.5 github-actions: bump imjasonh/setup-crane from 0.4 to 0.6 Jun 23, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/imjasonh/setup-crane-0.5 branch from 491b2b6 to 0333031 June 23, 2026 12:44

@bgentry bgentry left a comment

🤖 Codex review: Security review looks good to me.

I reviewed this as a dependency-upgrade supply-chain/security pass for the imjasonh/setup-crane update from v0.4 to v0.6 at PR head 0333031c5522183c0e08eebbb65c8a29fbec9b00.

Scope reviewed:

  • Confirmed the rebased PR only updates the two imjasonh/setup-crane references in the pro Docker workflow.
  • Compared upstream action metadata and the v0.4...v0.6 source diff. The action remains a composite bash action.
  • Reviewed the v0.5 behavior change from an authenticated GitHub release API lookup to the GitHub releases/latest/download URL with retry for the crane tarball.
  • Reviewed the v0.6 hardening change that moves inputs.version, runner.os, and github.token into step-level environment variables before shell use, reducing composite-action script-injection exposure while preserving behavior.
  • Checked the expected sensitive behavior: it still downloads the selected go-containerregistry crane release tarball and logs github.token into ghcr.io with crane auth login.

Local validation completed on the rebased head:

  • npm run lint
  • npm run test:once
  • npm run build
  • make lint
  • make test

No blocking findings. Residual risk is that River UI uses the action's default latest-release crane selection, so the downloaded go-containerregistry binary remains a moving runtime dependency; the unused version: tip path still installs from main, but this workflow does not select it.
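The step-level env hardening the review describes, shown here as a constructed composite-action fragment added for illustration (not the setup-crane action's own source). The first step interpolates `${{ }}` expressions straight into the script text; the second binds the same values to env variables so bash only ever receives them as data. The step names, the CRANE_VERSION/RUNNER_OS variable names and the version allow-list check are assumptions, not upstream behaviour.

```yaml
# Constructed example of the composite-action pattern the review describes;
# not the setup-crane action's own code.
runs:
  using: composite
  steps:
    # Weak form: each ${{ }} expression is substituted into the script text
    # by the runner before bash parses it, so an input containing shell
    # metacharacters is parsed as script rather than treated as a value.
    - name: install crane (unhardened pattern, shown for contrast)
      shell: bash
      run: |
        version="${{ inputs.version }}"
        echo "Installing crane ${version} for ${{ runner.os }}"

    # Hardened form: the same expressions are bound to step-level env
    # variables. The script body contains no ${{ }} at all, so the values
    # reach bash only through the environment, never as code.
    - name: install crane (hardened pattern)
      shell: bash
      env:
        CRANE_VERSION: ${{ inputs.version }}
        RUNNER_OS: ${{ runner.os }}
        GITHUB_TOKEN: ${{ github.token }}
      run: |
        set -euo pipefail
        # Defensive allow-list (an assumption, not part of the upstream
        # action): accept "latest", "tip" or a vX.Y.Z tag and nothing else.
        if [[ ! "${CRANE_VERSION}" =~ ^(latest|tip|v[0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
          echo "unexpected crane version input: ${CRANE_VERSION}" >&2
          exit 1
        fi
        echo "Installing crane ${CRANE_VERSION} for ${RUNNER_OS}"
        # The token is read from the environment and passed on stdin, so it
        # appears neither in the script text nor in process arguments.
        # GITHUB_ACTOR is a default variable the runner sets for every step.
        printf '%s' "${GITHUB_TOKEN}" \
          | crane auth login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin
```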

@bgentry bgentry merged commit be8874f into master Jun 23, 2026
16 of 18 checks passed
@bgentry bgentry deleted the dependabot/github_actions/imjasonh/setup-crane-0.5 branch June 23, 2026 12:46