ci: rotate ec2-github-runner SHA to Phase 4 retry tip (non-root + --ephemeral)

[kurok]

Dogfood rotation for namecheap/ec2-github-runner#26. Pins both refs to 0fdd401 — Phase 4 retry with the .sha256 404 bug fixed via a hardcoded checksum table.

High-stakes rotation — Phase 4 failed twice before on the provider (see #182, #183 in the closed list). This time:

1. The actual failing line (curl .sha256 | awk under set -e) is gone; replaced with a table lookup in-JS + shell sha256sum -c against a baked-in expected hash.
2. The checksum table is cross-checked against upstream's release body on every PR to ec2-github-runner via an overhauled verify-runner-url job.
3. If something new breaks, I have the aws ec2 get-console-output --latest diagnostic recipe ready.

Everything else from the original Phase 4 ships here: non-root runner user (no more RUNNER_ALLOW_RUNASROOT=1), --ephemeral / --unattended / --disableupdate on config.sh, new optional runner-version input, set -euo pipefail.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.76%. Comparing base (0d8dde5) to head (4a5a654).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #188   +/-   ##
=======================================
  Coverage   87.76%   87.76%           
=======================================
  Files           4        4           
  Lines         711      711           
=======================================
  Hits          624      624           
  Misses         52       52           
  Partials       35       35           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.