fix(github-runner): switch RUNNER_TOKEN -> ACCESS_TOKEN; set RUN_AS_ROOT=false

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

apps/github-runner/github-runner.yaml

@@ -163,12 +163,24 @@ spec:
             # Labels used by workflow files: runs-on: [self-hosted, linux, fc-build-linux]
             - name: LABELS
               value: "self-hosted,linux,fc-build-linux"
-            # Registration token injected from 1Password via OnePasswordItem CRD.
+            # PAT (not pre-minted registration token) — myoung34/github-runner
-            - name: RUNNER_TOKEN
+            # mints registration tokens itself via GitHub API when ACCESS_TOKEN
+            # is set. Switched from RUNNER_TOKEN -> ACCESS_TOKEN on 2026-05-16
+            # because the 1P "GitHub PAT (Runner Registration)" item stores a
+            # fine-grained PAT, not a short-lived registration token.
+            - name: ACCESS_TOKEN
               valueFrom:
                 secretKeyRef:
                   name: github-runner-token
                   key: credential
+            # myoung34/github-runner default entrypoint expects root for some
+            # setup steps. With securityContext.runAsUser=1001 the entrypoint
+            # short-circuits with "RUN_AS_ROOT env var is set to true but the
+            # user has been overridden and is not running as root". Tell the
+            # entrypoint we're explicitly NOT root so it skips the root-only
+            # setup steps (cache prewarm + apt updates — both already baked).
+            - name: RUN_AS_ROOT
+              value: "false"
           resources:
             requests:
               cpu: "500m"