fix(linux/build): re-pin BUILDER_IMAGE to amd64 registry digest

Two corrections to f9e606d:

1. Registry hostname: docker-registry:5000 isn't DNS-resolvable on the
   SLAB docker host (verified). The fleet-wide convention is the canonical
   docker-registry.silverlabs.uk URL, registered as an insecure-registry
   in /etc/docker/daemon.json on every docker host.

2. Architecture: the original push from WSL2-on-aarch64 produced an arm64
   image that won't run on the amd64 runner. Rebuilt natively on the docker
   host. New manifest digest (amd64-only):
     sha256:9e7161f9f180483f434074d7f32c27c907955232bd0c44efe6dc0ee1d9e56ae0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

linux/build/scripts/build.sh

@@ -28,11 +28,11 @@ cd "${REPO_ROOT}"
 # Bumped together with linux/build/docker/Dockerfile.builder. The digest form
 # is required; refusing the tag-only form is what stops a silent host drift.
 #
-# Default points at the internal registry hostname used by CI runners. The
-# external endpoint (docker-registry.silverlabs.uk) serves the same registry
-# and the same content-addressed digest, so external dev can override with:
-#   BUILDER_IMAGE=docker-registry.silverlabs.uk/silvermetal-builder@sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85
-BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry:5000/silvermetal-builder@sha256:cedef039425e0b0f5901c1023eda820c7aa38ab4b81c2bb1e12d64cadb3d6c85}"
+# docker-registry.silverlabs.uk is the canonical hostname both inside and
+# outside the LAN — it's the entry that fleet-wide /etc/docker/daemon.json
+# registers as an insecure-registry. The host-style "docker-registry:5000"
+# is *not* DNS-resolvable; do not use it.
+BUILDER_IMAGE="${BUILDER_IMAGE:-docker-registry.silverlabs.uk/silvermetal-builder@sha256:9e7161f9f180483f434074d7f32c27c907955232bd0c44efe6dc0ee1d9e56ae0}"
 
 if [[ "${BUILDER_IMAGE}" != *"@sha256:"* ]]; then
     echo "build.sh: BUILDER_IMAGE must be pinned by digest, got: ${BUILDER_IMAGE}" >&2