fix(ci): make buildkitd-config opt-in for setup-buildx

[jtoelke2]

Summary

Hotfix for #966, which broke shadow-docker-build.yml on main. That PR hard-coded buildkitd-config: /etc/buildkit/buildkitd.toml inside the driver: local branch of the setup-buildx composite action. The only caller using that driver is shadow-docker-build.yml, which runs inside the ghcr.io/nvidia/openshell/ci:latest container — so the host-side TOML was invisible to docker/setup-buildx-action and every matrix job failed at "Set up buildx" (e.g. run 24911395318).

Remote-driver callers (docker-build, release-dev, release-tag, release-vm-dev, ci-image) were unaffected because the hard-coded line was only inside the local-driver branch.

Changes

• .github/actions/setup-buildx/action.yml
  • Add buildkitd-config input (empty default).
  • Revert the hard-coded path; pass the input through to docker/setup-buildx-action in both the remote and local branches. Empty input is a no-op.
• .github/workflows/shadow-docker-build.yml
  • Bind-mount /etc/buildkit:/etc/buildkit:ro into the ci container so the action running inside it can read the TOML.
  • Pass buildkitd-config: /etc/buildkit/buildkitd.toml through the new input.

Testing

• Diff reviewed; minimal surface area (20 added / 5 removed).
• Remote-driver callers: no behavior change (new input defaults empty → docker/setup-buildx-action receives an empty buildkitd-config, treated as no config).
• Local-driver caller (shadow-docker-build): verified the action will now be able to read /etc/buildkit/buildkitd.toml from inside the container via the bind mount; will confirm on the first push-to-main dispatch after merge.

Related

• Reverts the behavioral breakage introduced by fix(ci): use nv-gha-runners buildkit mirror to avoid Docker Hub rate limit #966.
• Follow-up to OS-127 (Phase 3 shadow docker build).