ci: prevent github api rate limits using docker buildkit secrets

[Andrurachi]

closes #41

Context

The CI pipeline frequently fails due to GitHub API rate limits when downloading dependencies and SDKs during unauthenticated Docker builds.

Solution

This PR passes the repository's ${{ secrets.GITHUB_TOKEN }} into the Docker builds to allow authenticated fetching, increasing the rate limit.

Security Implementation

To prevent the token from leaking into the docker history or image metadata, this implementation avoids --build-arg. Instead, it uses Docker BuildKit secrets to mount the token as a temporary file during the build process, which leaves no trace in the final image.

Changes:

• Workflows: Enabled DOCKER_BUILDKIT=1 and passed the GITHUB_TOKEN secret to the build steps.
• Build Scripts: Updated build-image.sh topass --secret id=github_token if the environment variable is present.
• Dockerfiles: Updated all Dockerfile.base (and Zisk cluster) files to use RUN --mount=type=secret,id=github_token.
• SDK Installers: Updated the install_*_sdk.sh scripts to read the temporary secret mount. Implemented git config url...insteadOf for source-compiled SDKs, and injected HTTP Authorization headers for SDKs that curl precompiled binaries (SP1/Risc0).

[Andrurachi]

Hey @han0110 ,

It looks like the token fix successfully bypassed the rate limit, but it caused ziskup to fetch the latest unpinned version of ZisK (v0.16.1).

It looks like v0.16.1 broke the Docker builds for two reasons:

• ziskup now triggers an interactive prompt asking to select CPU vs GPU, which crashes the CI runner (/dev/tty: No such device or address).
• The binary structure seems to have changed, breaking the mv cargo-zisk-gpu command in the install script.

I see you just opened #351 to update ZisK to v0.17.0 (which I assume handles these changes). Once your PR is merged, I can rebase this branch on top of it. Let me know if you'd prefer me to handle this differently in the meantime :)