Describe what should be investigated or refactored
Crane has been an instrumental library to Zarf. It is responsible for one of the most core features of our product, pulling and pushing images. However, we've had several issues while using crane. In particular, not accepting context, concurrent pulls and caching of non container OCI images tend to cause trouble. See:
Alternatives
We should consider alternatives to fix these issues, and open ourselves up to further improvements.
ORAS (OCI registry as storage) is a project that has become popular in the past few years or so. It is a Go library for interacting with OCI registries. We use ORAS already to publish and pull Zarf packages.
https://github.com/containers/image - this is the library that skopeo uses for image pulls. I have not looked deeply into the code, but it is worth looking at how another successful tool with a similar mission does pulls and pushes.
Additional context
Moving off Crane will present challenges. Crane also supports the oci-dir format, which syft uses to scan images locally; this is how SBOMs are created during zarf package create. The Crane CLI is embedded directly into Zarf; removing it entirely will no doubt cause a breaking change in the workflow of some users. The Crane CLI has functionality to pull images from the local Docker daemon; I am not aware of another tool that has this functionality.