build: migrate base-image mirror to anonymous-pull fluidmirror (eastus2) #27496

Merged: ChumpChief merged 2 commits into microsoft:main from ChumpChief:chore/public-mirror-anonymous-pull, Jun 5, 2026

@ChumpChief ChumpChief commented Jun 5, 2026

Description

Switches the server-* base-image mirror from fluidpublicmirror (westus2, AcrPull
service connections) to a new ACR fluidmirror (eastus2, anonymous pull). This:

  • Restores cross-fork PR support for the server-* pipelines. Cross-fork PRs are
    blocked from accessing service-connection secrets, which silently caused the Docker
    build step to fall back to anonymous pull and 401 against the previously-locked-down
    ACR. PR #27445, "chore(server-gitssh): bump base image to alpine 3.23.4" (and any
    future server-* PR from a fork), will pass CI again.
  • Removes per-pipeline 'Fluid Public Mirror Container Registry' service-connection
    wiring from templates/build-docker-service.yml. The push-side service connection
    ($(containerRegistryConnection)) is unchanged.
  • Aligns mirror region with the 1ES build pools (all in eastus2) so legitimate CI
    egress is free same-region transfer instead of westus2-to-eastus2 cross-region. A
    Cost Management budget on the new resource group provides an abuse tripwire.

Operational details (anonymous-pull approval from OpSec, ACR config, Cost Management
budget) are tracked in AB#74558. No Dockerfile changes — base-image digest pins are
preserved byte-for-byte in the new mirror.

The old fluidpublicmirror ACR will be torn down in a follow-up after this soaks on
main.

Reviewer Guidance

The review process is outlined on this wiki page.

End-to-end verification is the server-* pipeline runs on this PR — they exercise
the exact same Docker build step that's been failing under network isolation.
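
Added example (not part of this PR or the FluidFramework repo): with the mirror open to anonymous pull, the digest pins mentioned above are what tie each build to known image content, so a pre-merge check can flag any FROM line that is not pulled from the mirror by sha256 digest. The login server name `fluidmirror.azurecr.io`, the repository paths and the sample Dockerfile are assumptions constructed for illustration.

```python
import re

# Assumption: login server of the new ACR; the PR names only the registry "fluidmirror".
MIRROR_HOST = "fluidmirror.azurecr.io"
DIGEST_PIN = re.compile(r"@sha256:[0-9a-f]{64}$")

def base_images(dockerfile_text):
    """Yield (line_no, image_ref) for every FROM that pulls an external image."""
    stages = set()  # names of earlier build stages; FROM <stage> pulls nothing
    for line_no, raw in enumerate(dockerfile_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0].upper() != "FROM":
            continue
        args = [p for p in parts[1:] if not p.startswith("--")]  # skip --platform=...
        if not args:
            continue
        ref = args[0]
        if ref.lower() not in stages and ref != "scratch":
            yield line_no, ref
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())

def audit(dockerfile_text, mirror_host=MIRROR_HOST):
    """Return (line_no, image_ref, reason) for each base image that is not
    pulled from the mirror by an immutable sha256 digest."""
    findings = []
    for line_no, ref in base_images(dockerfile_text):
        if "$" in ref:
            reason = "build-arg reference, cannot be verified statically"
        elif not ref.startswith(mirror_host + "/"):
            reason = "not pulled from the mirror"
        elif not DIGEST_PIN.search(ref):
            reason = "tag only, no sha256 digest pin"
        else:
            continue
        findings.append((line_no, ref, reason))
    return findings

# Constructed sample Dockerfile (repository paths and digest are made up).
SAMPLE = "\n".join([
    "FROM " + MIRROR_HOST + "/node:20-alpine@sha256:" + "a" * 64 + " AS base",
    "FROM base AS build",
    "FROM --platform=linux/amd64 " + MIRROR_HOST + "/alpine:3.23.4",
    "FROM docker.io/library/nginx:1.27",
    "FROM ${RUNTIME_IMAGE}",
])

if __name__ == "__main__":
    for line_no, ref, reason in audit(SAMPLE):
        print(f"line {line_no}: {ref}: {reason}")
```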

ChumpChief and others added 2 commits June 5, 2026 11:18
… mirror ACR

The public mirror ACR now allows anonymous pull, so the per-pipeline
'Fluid Public Mirror Container Registry' service-connection auth is no
longer needed for base-image pulls. This also restores cross-fork PR
compatibility for the server-* pipelines (cross-fork PRs are blocked
from accessing service-connection secrets, which silently caused the
Docker build step to fall back to anonymous pull and 401 against the
previously-locked-down ACR).

The push-side service connection (`$(containerRegistryConnection)`)
is still required when pushing built images in the internal project.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Migrates the server-* base-image mirror from fluidpublicmirror (westus2,
auth'd pull) to fluidmirror (eastus2, anonymous pull). Co-locating the
ACR with the 1ES build pools (also in eastus2) makes legitimate CI
egress free same-region transfer; a Cost Management budget on the new
RG provides an abuse tripwire.

AB#74558

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions Bot commented Jun 5, 2026

Hi! Thank you for opening this PR. Want me to review it?

Based on the diff (26 lines, 2 files), I've queued these reviewers:

  • Correctness — logic errors, race conditions, lifecycle issues
  • Security — vulnerabilities, secret exposure, injection
  • API Compatibility — breaking changes, release tags, type design
  • Performance — algorithmic regressions, memory leaks
  • Testing — coverage gaps, hollow tests

How this works

  • Adjust the reviewer set by ticking/unticking boxes above. Reviewer toggles alone don't trigger anything.

  • Tick Start review below to dispatch the review fleet.

  • After review finishes, tick Start review again to request another run — it auto-resets after each dispatch.

  • This comment updates as new commits land; your reviewer selections are preserved.

  • Start review

@ChumpChief ChumpChief marked this pull request as ready for review June 5, 2026 18:40
Copilot AI review requested due to automatic review settings June 5, 2026 18:40
Copilot AI left a comment

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

github-actions Bot commented Jun 5, 2026

Fleet Review — Clean

No issues found across the reviewer fleet for this run.

github-actions Bot commented Jun 5, 2026

🔗 No broken links found! ✅

Your attention to detail is admirable.

linkcheck output


> fluid-framework-docs-site@0.0.0 ci:check-links /home/runner/work/FluidFramework/FluidFramework/docs
> start-server-and-test "npm run serve -- --no-open" 3000 check-links

1: starting server using command "npm run serve -- --no-open"
and when url "[ 'http://127.0.0.1:3000' ]" is responding with HTTP status code 200
running tests using command "npm run check-links"


> fluid-framework-docs-site@0.0.0 serve
> docusaurus serve --no-open

[SUCCESS] Serving "build" directory at: http://localhost:3000/

> fluid-framework-docs-site@0.0.0 check-links
> linkcheck http://localhost:3000 --skip-file skipped-urls.txt

Crawling...

Stats:
  290871 links
    1933 destination URLs
    2183 URLs ignored
       0 warnings
       0 errors


@ChumpChief ChumpChief merged commit c018534 into microsoft:main Jun 5, 2026
44 checks passed
@ChumpChief ChumpChief deleted the chore/public-mirror-anonymous-pull branch June 5, 2026 20:22
4 participants