fix(evals): build /run.sh with printf so legacy builder works

[hamza-jeddad]

Summary

pkg/evaluation/Dockerfile.template used a BuildKit heredoc to write /run.sh:

RUN cat <<-'EOF' >/run.sh
#!/usr/bin/env sh
set -euo pipefail
exec "$@"
EOF

Heredocs require BuildKit. When the build runs against the legacy builder, this is parsed as just RUN cat >/run.sh — cat reads from empty stdin and produces a zero-byte /run.sh. The subsequent heredoc body lines are treated as standalone Dockerfile instructions; Docker is lenient and the build "succeeds" with /run.sh empty but executable.

Replaced with a single printf that works on both legacy and BuildKit builders:

RUN printf '#!/usr/bin/env sh\nset -euo pipefail\nexec "$@"\n' > /run.sh && chmod +x /run.sh

Resulting /run.sh is byte-identical to what the heredoc produces under BuildKit.

exec /run.sh: exec format error

[docker-agent]

Assessment: 🟢 APPROVE

This is a clean, well-scoped fix. The heredoc → printf replacement correctly addresses the legacy builder compatibility issue described in the PR. No bugs were found in the changed code.

Summary of changes reviewed:

• pkg/evaluation/Dockerfile.template: Replaces a BuildKit-only heredoc with a POSIX-compatible printf command to write /run.sh, ensuring the file is populated correctly when the legacy builder is used.

The fix is byte-identical in output to the original heredoc under BuildKit, and the added chmod +x is a safe no-op on a file that was already executable under the heredoc approach.