ci: rotate ec2-github-runner SHA + opt into EBS encryption (Phase 6.b)

[kurok]

Dogfood rotation for namecheap/ec2-github-runner#27 (EBS encryption opt-in). Rotates both pins 0fdd401 → 7c6a9a7 and sets encrypt-ebs: 'true' on the start-runner step.

Risk: if this CI account can't use the default alias/aws/ebs KMS key, or if the shared AMI's snapshot is encrypted under a customer-managed key lacking a cross-account grant, Start EC2 runner will fail with a KMS/IAM error. The action throws early (doesn't time out), so diagnostics are quick via the console-output recipe if needed.

If it fails, the fix is a 1-line revert of the encrypt-ebs input — the SHA rotation itself is orthogonal and stays correct.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.76%. Comparing base (9a21817) to head (f439e99).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #192   +/-   ##
=======================================
  Coverage   87.76%   87.76%           
=======================================
  Files           4        4           
  Lines         711      711           
=======================================
  Hits          624      624           
  Misses         52       52           
  Partials       35       35           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.