Fix reproducible image: switch to distroless/cc-debian11, copy libssl from builder

The previous final stage used distroless/cc-debian12 (Bookworm) which carries
no libssl and uses OpenSSL 3, making the Bullseye-built binary non-functional.

- Switch to distroless/cc-debian11:nonroot (pinned by index digest) — same
  Bullseye ABI as the builder, already includes libc and libgcc
- Copy libssl.so.1.1 and libcrypto.so.1.1 from the builder stage into /usr/lib/
  so no package manager is invoked in the final image (stays fully pinned)
- Normalise the arch-specific triplet lib path via a `find` into /libs/ so the
  COPY instructions work identically for both amd64 and arm64 builds

Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
This commit is contained in:
antondlr
2026-04-20 11:25:18 +02:00
parent b647e22861
commit 1c635f57a0


@@ -17,11 +17,21 @@ WORKDIR /app
# Build the project with the reproducible settings
RUN make build-reproducible
# Move the binary to a standard location
# Move the binary and runtime libs to fixed paths for arch-independent copying below.
RUN mv /app/target/${RUST_TARGET}/release/lighthouse /lighthouse
# libssl and libcrypto live under an arch-specific triplet dir; normalise to /libs/.
RUN mkdir /libs \
&& find /usr/lib -maxdepth 2 \( -name "libssl.so.1.1" -o -name "libcrypto.so.1.1" \) \
-exec cp {} /libs/ \;
# Create a minimal final image with just the binary
FROM gcr.io/distroless/cc-debian12:nonroot-6755e21ccd99ddead6edc8106ba03888cbeed41a
# Final image: distroless/cc-debian11 (Bullseye) — matches builder OS for ABI compatibility.
# The cc variant already includes libc + libgcc; we copy libssl/libcrypto from the builder
# so the runtime layer is fully pinned with no package manager invocations.
# gcr.io/distroless/cc-debian11:nonroot
FROM gcr.io/distroless/cc-debian11:nonroot@sha256:f7fa4923556853754e9ff647df410d5711fc4d99a8dafa777ec617cf4a6700f6
COPY --from=builder /libs/libssl.so.1.1 /usr/lib/
COPY --from=builder /libs/libcrypto.so.1.1 /usr/lib/
COPY --from=builder /lighthouse /lighthouse
ENTRYPOINT [ "/lighthouse" ]
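Review bot: the `RUN mkdir /libs && find ... -exec cp {} /libs/ \;` step cannot fail when the libraries are absent, because `find` exits 0 whether or not it matched anything, so a builder image that lacks libssl.so.1.1 or libcrypto.so.1.1 (or ships them under a path deeper than `-maxdepth 2`) only surfaces later as a less informative `COPY --from=builder /libs/libssl.so.1.1` failure in the final stage. Consider making the step self-checking, e.g. appending `&& test -f /libs/libssl.so.1.1 && test -f /libs/libcrypto.so.1.1` to that RUN, so the error is reported where the cause is. Separately, since the two shared objects are copied as loose files into `/usr/lib/` with no package manager involved, the final image carries no dpkg record for them; image scanners that enumerate installed packages will not see this OpenSSL copy, which is worth stating in the comment above the `FROM gcr.io/distroless/cc-debian11:nonroot@sha256:...` line and in whatever SBOM/scan process accompanies the release, so the libs are not silently excluded from vulnerability tracking.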