fix: backport Go 1.24.13 CVE fix and signed pipeline to release/v1.6
Cherry-picked from commit 2fb956fc3 (PR #4289) with adaptations for v1.6:
CVE Fix (Go 1.24.13):
- azure-ipam/Dockerfile: Go 1.23.2 → 1.24.13 (cbl-mariner2.0)
- cni/Dockerfile: Go 1.23 → 1.24.13 (cbl-mariner2.0)
- cns/Dockerfile: Go 1.23 → 1.24.13 (cbl-mariner2.0)
- bpf-prog/ipv6-hp-bpf/linux.Dockerfile: Go 1.23.2 → 1.24.13 (Debian)
- build/images.mk: GO_IMG tag 1.23 → 1.24
Signed Binary Pipeline:
- binary.steps.yaml: Replace GoTool@0 with install-go.sh
- images.jobs.yaml: Add install-crane.sh + install-go.sh tasks
- install-crane.sh: New script to install crane for image extraction
- install-go.sh: New script to extract Go from msft-go container
(Uses cbl-mariner2.0 SHA: b05a9bbf50a8ccfdd0ebe9f673ef29dca7c1d5e209434b35a560a4e8ae5f72b2)
CVE Impact:
- Fixes 5 stdlib CVEs including CRITICAL CVE-2025-68121 (crypto/tls)
Note: v1.6 uses direct Dockerfiles (no template system), so cni/cns
Dockerfiles were updated directly instead of via .tmpl files.