quadlet: support tarball extraction for install command #28136

Open
Veector40 wants to merge 1 commit into containers:main from Veector40:feature-quadlet-tarball

@Veector40
Contributor

Currently, podman quadlet install only supports individual files or directories. This PR implements support for installing Quadlet applications packaged as tar archives, satisfying a recent feature request.

Changes:

  • Archive Detection: Automatically detects .tar, .tar.gz, and .tgz files for both local paths and remote HTTP/HTTPS URLs.
  • Secure Extraction: Implements a dedicated extraction utility with path-traversal protection (Zip Slip prevention) to ensure files are only written within a controlled temporary directory.
  • Application Grouping: Extracted tarballs are treated as a Quadlet "App," meaning all units inside the archive are tracked together via a .app asset file for easy management and removal.
  • BATS Integration: Added a comprehensive system test in 253-podman-quadlet.bats that verifies both standard and compressed tarball installation, listing, and clean removal.

Fixes: #28117

Checklist

  • Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all commits.
  • Referenced issues using Fixes: #28117 in commit message.
  • Tests have been added/updated.
  • Documentation has been updated (feature matches existing description of URL support).
  • All commits pass make validatepr (format/lint checks).
  • [Release note] entered in the section below.

Does this PR introduce a user-facing change?

The `podman quadlet install` command now supports installing Quadlet files packaged inside `.tar`, `.tar.gz`, and `.tgz` archives from local paths or remote URLs.

Member

@Honny1 Honny1 left a comment

Thanks for the contribution! I have a few suggestions for improvement. We might want to consider avoiding staging everything in a temporary directory. Instead, we could stream entries from the tarball directly to a reader based variant of installQuadlet. This is a bit outside the scope of the original issue, but it's worth considering during this refactor.

Comment thread pkg/domain/infra/abi/quadlet.go Outdated
Comment thread pkg/domain/infra/abi/quadlet.go Outdated
Comment thread pkg/domain/infra/abi/quadlet.go
Comment thread test/system/253-podman-quadlet.bats
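
The path-traversal check named in the PR description, combined with the entry-streaming approach suggested in the review above, as an added Go example that is not code from this PR or from Podman. `streamTar`, `buildTar` and the `install` callback signature are hypothetical, and the sample archive is constructed in memory.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
)

// streamTar validates each entry and hands regular files to install, a hypothetical reader-based installer.
func streamTar(r io.Reader, install func(name string, unit io.Reader) error) error {
	for tr := tar.NewReader(r); ; {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		switch {
		case !filepath.IsLocal(hdr.Name): // absolute name or ".." escape (Zip Slip)
			return fmt.Errorf("entry %q escapes the install root", hdr.Name)
		case hdr.Typeflag == tar.TypeDir:
			continue // directories carry no unit content
		case hdr.Typeflag != tar.TypeReg: // symlinks, hard links, devices
			return fmt.Errorf("entry %q: unsupported type %q", hdr.Name, hdr.Typeflag)
		}
		if err := install(filepath.Clean(hdr.Name), tr); err != nil {
			return err
		}
	}
}

// buildTar returns a constructed in-memory archive of empty entries, all of one type.
func buildTar(typeflag byte, names ...string) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	for _, n := range names {
		tw.WriteHeader(&tar.Header{Name: n, Typeflag: typeflag, Mode: 0644})
	}
	tw.Close()
	return buf
}

func main() {
	bad := buildTar(tar.TypeReg, "web.container", "../../etc/x.container") // constructed sample
	err := streamTar(bad, func(n string, _ io.Reader) error { fmt.Println("install", n); return nil })
	fmt.Println("error:", err)
}
```

Because validation happens per entry, an archive whose second entry is rejected has already had its first entry passed to `install`. A streaming installer therefore needs its own rollback, which staging in a temporary directory otherwise provides.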
@Veector40 Veector40 force-pushed the feature-quadlet-tarball branch from 23213d6 to 3922957 Compare February 25, 2026 16:15
@Veector40
Contributor Author

Thanks for the great feedback, @Honny1! I've updated the PR to address your suggestions:

  • Refactored extraction: I dropped the manual extractTarball function and switched to using go.podman.io/storage/pkg/archive for robust archive manipulation as you rightfully suggested.

  • Code deduplication: I unified the logic for URL and local path handling to reduce redundancy. The extraction and installation flow is now wrapped in an anonymous function to ensure defer cleanups happen reliably per loop iteration.

  • Simplified tests: I trimmed down the BATS test to a single standard .tar test, since the archive package natively handles compression detection and we don't need to reinvent the wheel by testing .tar.gz and .tgz separately at this layer.

Let me know if you'd like anything else to be amended.

@Honny1
Member

Honny1 commented Feb 26, 2026

Before I do a second round of review, please ensure the CI passes.

@Veector40 Veector40 force-pushed the feature-quadlet-tarball branch from 3922957 to cdb8754 Compare February 26, 2026 09:57
Currently, podman quadlet install only supports individual files or directories. This implements support for installing Quadlet applications packaged as tar archives.

Changes:
- Detects .tar, .tar.gz, and .tgz files.
- Uses go.podman.io/storage/pkg/archive for robust extraction.
- Unifies URL and local path handling.
- Groups extracted units under a single .app asset for easy tracking/removal.

Fixes: containers#28117
Signed-off-by: Victor Koycheff <victorkoycheff@gmail.com>
@Veector40 Veector40 force-pushed the feature-quadlet-tarball branch from cdb8754 to b0f9839 Compare February 26, 2026 10:03
@axel7083
Contributor

axel7083 commented Mar 6, 2026

Hey @Veector40 I'm the author of the issue you are trying to solve (#28117).

It has been a week, and I was wondering if you are still planning to work on this issue? Otherwise I'm interested in taking over the issue 👍

@victorrobotxt

Ofc, it's all yours. In case you need a review or anything, let me know

@github-actions

github-actions bot commented Apr 6, 2026

A friendly reminder that this PR had no activity for 30 days.

Successfully merging this pull request may close these issues.

podman quadlet install <file/url> should support tarball