entrypoint: skip chown -R on /actions-runner/{bin,externals}

The Dockerfile (and the actions-runner tarball it extracts) ships
/actions-runner/ fully runner-owned, including ~50 MB of bin/ and
~330 MB of externals/ that contain node / .NET runtime libs used by
actions like setup-node and setup-python. Verify on a pristine image:

    docker run --rm --entrypoint sh myoung34/github-runner:ubuntu-noble \
        -c 'find /actions-runner -not -user runner'
    # => prints nothing

Yet `chown -R runner "${_RUNNER_WORKDIR}" /actions-runner` in
entrypoint.sh walks 9100+ files on every start. On overlayfs each chown
triggers copy-up regardless of whether ownership actually changes, so
the walk costs real disk I/O to flip exactly nothing. Under parallel
starts (e.g. 12 containers on one host) the resulting storage-driver
contention dominates time-to-healthy.

The files that do need flipping are the ones config.sh writes as root
earlier in this same entrypoint (.runner, .credentials,
.credentials_rsaparams, .env, .path, svc.sh, and eventually _diag/).
Enumerating them is fragile if config.sh ever adds an output, so instead
blacklist the two known-heavy dirs and chown everything else under
/actions-runner at depth 1:

- chown runner /actions-runner "${_RUNNER_WORKDIR}"  (non-recursive)
- find /actions-runner -mindepth 1 -maxdepth 1 \
      ! -name bin ! -name externals -exec chown -R runner {} +

This catches every top-level config-written file/dir (plus anything new
that may appear), skips the two bulk runtime dirs, and leaves -R on the
small subtrees that may legitimately need it (e.g. _diag/).

Unchanged:
- _CONFIGURED_ACTIONS_RUNNER_FILES_DIR chown on the preceding line
- toolcache flat-chown on the following line
- the RUN_AS_ROOT=true and non-root branches

Observed impact on a host running 12 parallel runners (ZFS-backed LXC
on Proxmox): time-to-all-healthy dropped from ~5 minutes to ~25 seconds;
per-container `docker compose up -d` returns in ~1 s instead of racing
11 peers for overlay copy-up I/O.

Author: bitranox

entrypoint.sh

@@ -290,7 +290,14 @@ if [[ ${_RUN_AS_ROOT} == "true" ]]; then
 else
   if [[ $(id -u) -eq 0 ]]; then
     [[ -n "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}" ]] && chown -R runner "${_CONFIGURED_ACTIONS_RUNNER_FILES_DIR}"
-    chown -R runner "${_RUNNER_WORKDIR}" /actions-runner
+    # /actions-runner/{bin,externals} ship runner-owned from the image
+    # (~380 MB / 9k+ files). Recursing over them triggers overlay copy-up
+    # per file even when ownership already matches, which dominates startup
+    # under parallel runners. Only config.sh (run as root earlier) may have
+    # written new root-owned files at the top level — chown those plus
+    # /actions-runner itself and ${_RUNNER_WORKDIR}, but not the big dirs.
+    chown runner /actions-runner "${_RUNNER_WORKDIR}"
+    find /actions-runner -mindepth 1 -maxdepth 1 ! -name bin ! -name externals -exec chown -R runner {} + 2>/dev/null || true
     # The toolcache is not recursively chowned to avoid recursing over prepulated tooling in derived docker images
     chown runner /opt/hostedtoolcache/
     if [[ ${_DEBUG_ONLY} == "true" ]] || [[ ${_DEBUG_OUTPUT} == "true" ]] ; then