Bump oras.land/oras-go/v2 from 2.3.0 to 2.4.0

[dependabot]

Bumps oras.land/oras-go/v2 from 2.3.0 to 2.4.0.

Release notes

Sourced from oras.land/oras-go/v2's releases.

v2.4.0

Breaking Changes

• Upgrade to image-spec v1.1.0-rc6 and distribution-spec v1.1.0-rc4
  • Validate the Content-type header of the response when accessing the Referrers API
  • When pushing manifests with a subject field, if the OCI-Subject header is not set in the response, the registry is considered as not supporting the Referrers API

[!WARNING] There are no API changes in oras-go. However, when pushing and deleting manifests with a subject field, as well as querying the Referrers API, registries that implement older versions of distribution-spec may be considered as not supporting the Referrers API. In such cases, the Referrers tag schema will be used instead.

Known compatible registries:

• Zot v2.0.0-rc5 and later versions
• Harbor v2.10.0 and later versions

New Features

• Move package credentials from github.com/oras-project/oras-credentials-go to oras.land/oras-go/v2/registry/remote/credentials, which supports reading, saving, and removing credentials from Docker configuration files and external credential stores that follow the Docker credential helper protocol
• Support deletion and garbage collection in oci package
• Add registry.Referrers for listing referrers on any ReadOnlyGraphStorage
• Introduce SkipNode for CopyGraphOptions.PreCopy to signal oras.CopyGraph to stop copying a node
• Introduce SkipUnpack option on file.Store to skip unpacking compressed directories

Performance Improvements

• Improve authorization token caching
  • Support per-host scope hints, fixing #581
  • Introduce auth.NewSingleContextCache that creates a host-based cache for optimizing the auth flow for non-compliant registries
• Optimize Copy efficiency
  • Add MountFrom and OnMounted to oras.CopyGraphOptions to support mounting on copy

Bug Fixes

• Fix #692: index or manifest list without the OPTIONAL field platform cause panic (#695)

Other Changes

• Improve error messages and examples
• Include changes in v2.3.1

Detailed Commits

• feat: merge package credentials back from oras-credentials-go by @​Wwwsylvia in oras-project/oras-go#589
• feat: Add 'MemoryStore' by @​Uanid in oras-project/oras-go#602
• refactor: make credentials.NewMemoryStore return an interface by @​Wwwsylvia in oras-project/oras-go#605
• feat: support per-host scope hints by @​Wwwsylvia in oras-project/oras-go#604
• feat: support deletion for memory resolver by @​wangxiaoxuan273 in oras-project/oras-go#607
• feat: support deletion for OCI storage by @​wangxiaoxuan273 in oras-project/oras-go#608
• fix: package credentials to support legacy auth keys in docker config by @​Wwwsylvia in oras-project/oras-go#617
• feat: support deletion for memory graph by @​wangxiaoxuan273 in oras-project/oras-go#606

... (truncated)

Commits

• 850a247 refactor: remove AutoRemoveReferrers flag (#683)
• fa548ab fix: fix the potential panic error if there is no platform in the index or ma...
• 66ea3df refactor: upgrade to distribution-spec v1.1.0-rc4 (#690)
• 64fedf4 feat: mark untagged manifests as garbage during GC and delete (#680)
• 82cc505 feat: allow skip unpack on push to file store (#679)
• acd6276 build(deps): use image-spec v1.1.0-rc6 instead of rc.6 (#687)
• baba4db build(deps): bump github.com/opencontainers/image-spec from 1.1.0-rc5 to 1.1....
• d8783fe feat: error type for not finding basic auth creds and export config path (#674)
• 3b1dd0e feat: Public GC function of oci.Store (#656)
• c34d275 docs: add example to parse reference with digest (#675)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.