rewrite build-guide with real build experience

Previous guide documented a QEMU command that does not actually
work on q35 + OVMF + Win11 25H2. Replace it with the exact command
from the working CI workflow plus a 'Quirks worth knowing upfront'
section explaining the four non-obvious pitfalls I hit during the
GCP test build:

1. -cdrom shorthand puts the ISO where OVMF BdsDxe reports
   Not Found; must use explicit -drive id=cdN + -device ide-cd
   bus=ide.N on separate SATA ports
2. q35 has no working floppy for Windows PE, so autounattend.xml
   has to be delivered as a third CD-ROM via genisoimage
3. Win11 25H2 Setup aborts with 'The PC must support Secure Boot'
   if you use non-secboot OVMF; must use OVMF_CODE_4M.secboot.fd
   + smm=on + the cfi.pflash01 secure flag
4. Windows bootmgfw.efi always shows 'Press any key to boot from
   CD' on first boot -- it is not a firmware prompt, it's baked
   into the Windows Boot Manager. In headless mode this means
   bootmgr times out, OVMF marks Boot0001 failed, and the install
   never starts. Fix: -monitor tcp:127.0.0.1:4444 + spray
   'sendkey ret' via nc during the 5s window

Also add:
- Manual build steps that match the CI flow exactly (same QEMU
  args, same verify/remediate loop)
- CI build section covering the ubuntu-latest runner, disk
  cleanup, and ORAS push to GHCR
- OCI artifact layout (1.9 GiB parts + SHA256SUMS, pulled via
  'oras pull' and reassembled with 'cat ... > qcow2')
- Updated autounattend.xml explanation: locale is InputLocale
  only (image default wins), EMS-SAC wrapped in Start-Job
  timeout, verify.ps1 covers the EMS-SAC capability row

Author: CMGS