
feat(setup-pack): add pack-version-file input and verify download checksum#428

Draft
somaz94 wants to merge 1 commit into
buildpacks:mainfrom
somaz94:feat/setup-pack-version-file-checksum

Conversation


@somaz94 somaz94 commented Jun 19, 2026


The setup-pack action only accepted an explicit pack-version, and it piped the downloaded archive straight into tar with no integrity check. This adds two things:

  1. A pack-version-file input that reads the version from a .tool-versions file (the pack entry) or a plain version file like .pack-version. When set it takes precedence over pack-version. The existing pack-version default line is left untouched so the update-pack-version automation keeps working.
  2. Default-on SHA256 verification. Each pack release publishes a sibling <asset>.sha256, so the action now downloads the archive to a temp file, verifies it against that checksum, and only then extracts. If the checksum cannot be fetched it warns and proceeds, so mirror / air-gapped setups are not broken.

Both changes are backward compatible: with neither input changed, behavior is identical except the download is now checksum verified.

Validation

Done locally (the repo has no composite-action test harness, only the Go unit tests):

  • Version resolution covered: default (no file), .tool-versions with a pack entry (including tab separated + trailing comment), plain version file (including a leading v and comment lines), missing-file error, and .tool-versions without a pack entry error.
  • Checksum path verified end to end against the real v0.40.6 linux asset: a matching sum passes, a corrupted archive is rejected, and tar member extraction still yields the pack binary.
  • shellcheck clean on both inline scripts.

…cksum

Signed-off-by: somaz <genius5711@gmail.com>
somaz94 added a commit to somaz94/somaz94 that referenced this pull request Jun 19, 2026
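As an added example (not the setup-pack action's own inline scripts), the two behaviours the description above lays out, written as standalone bash functions: version resolution from a .tool-versions pack entry or a plain version file (tab separated, trailing comment, leading v, comment lines, missing-file and missing-entry errors), the precedence rule exactly as the description states it (a set pack-version-file wins over pack-version, which is the point dmikusa questions below), and verify-before-extract against a sibling checksum file, with the warn-and-proceed path when that file is absent. The function names are mine, the inputs in the demo are constructed, and it is an assumption here that the sibling .sha256 asset is in sha256sum format ("<hex>  <name>"); the code only reads the first field, so it also tolerates a bare digest.

```shell
#!/usr/bin/env bash
# Added example, not the action's code. Assumes the .sha256 asset is in
# sha256sum format ("<hex>  <name>"); only the first field is read.
set -euo pipefail

# resolve_pack_version FILE
# .tool-versions: second field of the "pack" line (tabs or spaces; a
# trailing "# comment" is ignored). Any other file: first non-blank,
# non-comment line. A leading "v" is stripped. Fails on a missing file
# or on a .tool-versions file with no pack entry.
resolve_pack_version() {
  local file="$1" raw
  if [ ! -f "$file" ]; then
    echo "pack-version-file not found: $file" >&2
    return 1
  fi
  case "$(basename "$file")" in
    .tool-versions)
      raw=$(awk '$1 == "pack" { print $2; exit }' "$file")
      [ -n "$raw" ] || { echo "no pack entry in $file" >&2; return 1; }
      ;;
    *)
      raw=$(awk '/^[[:space:]]*#/ { next } NF { print $1; exit }' "$file")
      [ -n "$raw" ] || { echo "no version in $file" >&2; return 1; }
      ;;
  esac
  printf '%s\n' "${raw#v}"
}

# select_pack_version EXPLICIT [FILE]
# Precedence as the PR description states it: a set pack-version-file
# wins over pack-version. (setup-go does the opposite; see the thread.)
select_pack_version() {
  local explicit="$1" file="${2:-}"
  if [ -n "$file" ]; then
    resolve_pack_version "$file"
  else
    printf '%s\n' "${explicit#v}"
  fi
}

# sha256_of FILE -> lowercase hex digest (sha256sum on Linux, shasum on macOS)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# verify_checksum ARCHIVE SUMFILE
# Compares the archive digest with the first field of SUMFILE. Returns 1
# on mismatch or when the checksum file is empty or unparseable.
verify_checksum() {
  local archive="$1" sumfile="$2" expected actual
  expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
  actual=$(sha256_of "$archive")
  if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
    echo "checksum mismatch for $archive (expected ${expected:-<none>}, got $actual)" >&2
    return 1
  fi
}

# verify_then_extract ARCHIVE SUMFILE DEST
# The flow the PR describes: checksum unavailable (here: file missing)
# -> warn and proceed; present but mismatching -> refuse to extract;
# matching -> extract only the "pack" member into DEST.
verify_then_extract() {
  local archive="$1" sumfile="$2" dest="$3"
  if [ ! -f "$sumfile" ]; then
    echo "::warning::no checksum available for $archive, skipping verification" >&2
  elif ! verify_checksum "$archive" "$sumfile"; then
    return 1
  fi
  mkdir -p "$dest"
  tar -xf "$archive" -C "$dest" pack
}

# Demo on constructed inputs (the archive is a plain tar, not a real
# pack release): run as "bash this.sh --demo".
demo() {
  local tmp; tmp=$(mktemp -d)
  printf 'golang 1.22.0\npack\t0.40.6 # pinned\n' > "$tmp/.tool-versions"
  printf '# pack version\n\nv0.40.6\n' > "$tmp/.pack-version"
  echo "from .tool-versions: $(resolve_pack_version "$tmp/.tool-versions")"
  echo "from .pack-version:  $(resolve_pack_version "$tmp/.pack-version")"
  printf 'fake pack binary\n' > "$tmp/pack"
  tar -cf "$tmp/pack.tar" -C "$tmp" pack
  printf '%s  pack.tar\n' "$(sha256_of "$tmp/pack.tar")" > "$tmp/pack.tar.sha256"
  verify_then_extract "$tmp/pack.tar" "$tmp/pack.tar.sha256" "$tmp/out" && echo "extracted OK"
  printf 'corrupt' >> "$tmp/pack.tar"
  verify_then_extract "$tmp/pack.tar" "$tmp/pack.tar.sha256" "$tmp/out2" || echo "corrupted archive rejected"
  rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

One design note: reading only the first field of the checksum file, rather than running `sha256sum -c`, avoids a filename-matching failure when the archive was saved under a temp name, which is exactly the case in a download-to-temp-then-verify flow.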

dmikusa commented Jun 19, 2026

Contributor

This sounds great! A couple of notes/questions:

  1. Question about precedence of the operators:

When set it takes precedence over pack-version.

This sounds backwards to me. As I read this, my understanding is that pack-version-file would take precedence over pack-version. Typically, the inline version takes precedence, so pack-version would override pack-version-file. As an example, see the setup-go action docs:

If both the go-version and the go-version-file inputs are provided then the go-version input is used.

https://github.com/actions/setup-go/blob/main/docs/advanced-usage.md#using-the-go-version-file-input

  2. Question about sha256 checksum validation. I gather that you've added this for the pack-version-file case, did you also add sha256 validation for the pack-version path? As a user, I'd expect both paths to work the same way.


2 participants