Commit 482a64b
Dockerfile: recursive chown /actions-runner after tarball extract

Harden the invariant that entrypoint.sh #583 now relies on: every file
under /actions-runner is runner-owned in the image.

Previously this was true only because GitHub's actions-runner release
tarball happens to encode UIDs that coincide with this image's runner
user (UID 1001). The non-recursive chown in this RUN step only touched
the three top-level directories; ownership of the ~9 000 files extracted
from the tarball was inherited verbatim from the archive metadata.

Making the chown recursive establishes the invariant in this repo
instead of inheriting it by coincidence:

- entrypoint.sh #583 skips chown -R over bin/ and externals/ on every
  container start; that optimisation now has a locally-enforced
  precondition rather than one that depends on upstream tarball
  packaging conventions.
- Derived images (FROM myoung34/github-runner:...) no longer depend on
  the tarball's happen-to-be-runner-owned ownership either.
- Forks that rebuild the base image with a different runner UID get
  correct ownership without having to remember to re-chown.

Cost is paid once at image build time, inside the same RUN that
extracts the tarball, so it does not add a new layer or inflate image
size beyond the chown metadata in the existing layer.

1 parent 9c1fd73 commit 482a64b
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
17 | 17 | | |
18 | 18 | | |
19 | 19 | | |
20 | | - | |
| 20 | + | |
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
| |||
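
An added example, not code from this commit or repository: a Python check for the ownership invariant the commit message describes, applied both to the owner recorded in a tarball's metadata and to an extracted tree. The function names and the sample archive members are constructed for illustration; UID 1001 is taken from the commit message, and extraction is assumed to run as root.

```python
import io
import os
import tarfile

RUNNER_UID = 1001  # runner user's UID, as stated in the commit message


def tar_owner_mismatches(fileobj, expected_uid=RUNNER_UID):
    """Return (name, uid) for archive members whose recorded UID differs.

    tar records an owner for every member; when extraction runs as root,
    GNU tar restores that owner by default, so it becomes the on-disk owner.
    """
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        return [(m.name, m.uid) for m in tar if m.uid != expected_uid]


def tree_owner_mismatches(root, expected_uid=RUNNER_UID):
    """Return sorted paths under root (root included) not owned by expected_uid."""
    bad = [root] if os.lstat(root).st_uid != expected_uid else []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # lstat judges a symlink itself, not whatever it points to.
            if os.lstat(path).st_uid != expected_uid:
                bad.append(path)
    return sorted(bad)


def build_sample_tarball():
    """Constructed archive: two members owned by UID 1001, one by UID 0."""
    members = [("bin/listener", 1001), ("externals/tool", 1001), ("run.sh", 0)]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, uid in members:
            info = tarfile.TarInfo(name)
            info.uid = info.gid = uid
            tar.addfile(info)  # zero-length member, only the metadata matters
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # The archive check shows what a non-recursive chown would leave behind.
    print("archive:", tar_owner_mismatches(build_sample_tarball()))
    if os.path.isdir("/actions-runner"):
        # Inside the built image this list should be empty.
        print("tree:", tree_owner_mismatches("/actions-runner"))
```

Run inside the built image, an empty tree result confirms the precondition that the skipped chown -R in the entrypoint depends on.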