ci: pin QEMU binfmt image to stabilize arm64 docker builds

The multi-platform `docker-build (websocket)` job on master has been
flaking ~13% with `exit code: 132` (SIGILL) during `npm ci && npm run build`
on the `linux/arm64` leg. The `linux/amd64` leg always succeeds on the
same host, so the trigger is QEMU's user-mode x86_64→aarch64 translator
mis-executing one of the instructions a newer Node native module
postinstall emits.

`docker/setup-qemu-action@v3.6.0` is itself pinned, but it pulls
`tonistiigi/binfmt:latest` by default — a moving target. Pin the binfmt
image to `tonistiigi/binfmt:qemu-v8.1.5` (a recent, broadly-used QEMU
release) so the emulator binaries stop drifting under us.

This is a CI-only change. Output image bytes are unchanged: cross-built
amd64/arm64 artifacts are identical regardless of which QEMU version
emulates the build. Affects all four workflows that consume
`./.github/actions/setup-docker` (docker.yml, tag-release.yml,
showtime-trigger.yml, ephemeral-env.yml) — same emulator gets registered
for all of them; for amd64-only workflows the registration is a no-op.

.github/actions/setup-docker/action.yml

@@ -27,6 +27,15 @@ runs:
     - name: Set up QEMU
       if: ${{ inputs.build == 'true' }}
       uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+      with:
+        # Pin the binfmt image to a specific QEMU release. The default
+        # (`tonistiigi/binfmt:latest`) is a moving target, and drift across
+        # QEMU's x86_64→aarch64 translator has been the proximate cause of
+        # intermittent `exit code: 132` (SIGILL) failures during the arm64
+        # leg of the multi-platform docker build — newer Node native modules
+        # emit instructions QEMU's user-mode emulation occasionally drops on
+        # the floor. Pinning a known-good release stabilises that path.
+        image: tonistiigi/binfmt:qemu-v8.1.5
 
     - name: Set up Docker Buildx
       if: ${{ inputs.build == 'true' }}