@niklaskorz

tokio-tar is abandoned and has a high-severity CVE that is addressed by astral-tokio-tar 0.5.6.

astral-tokio-tar can be used as an actively maintained drop-in replacement.

@github-actions
Contributor


Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@niklaskorz
Author

A simple change like this is certainly not subject to copyright protection, so I will not sign the CLA. Feel free to close this and manually migrate to astral-tokio-tar yourselves if this check can't be skipped.

@rubenfiszel
Contributor

Thanks a lot @niklaskorz

I understand not wanting to sign the CLA. I am not a lawyer myself and am not too interested in legalese, but I just need your confirmation that you understand that while you will keep authorship of that change, you're giving up ownership of the change/code in our codebase to Windmill Labs, Inc.

@niklaskorz
Author

I confirm that I'm giving Windmill Labs, Inc. permission to do whatever they want with the changes in this PR, which is the tokio-tar -> astral-tokio-tar dependency change.

@rubenfiszel
Contributor

Thank you!
