fix: ensure /home/runner/.copilot directory has correct ownership before Copilot CLI install

[Mossaka]

Problem

When running smoke tests (e.g., smoke-chroot.lock.yml), the "Install GitHub Copilot CLI" step intermittently fails with:

Error creating package directory: /home/runner/.copilot/pkg/linux-x64/0.0.402
Failed to extract bundled package: Error: EACCES: permission denied, mkdir '/home/runner/.copilot/pkg'

This happens because a previous AWF run on the same runner used sudo -E awf --enable-chroot ..., which may have created /home/runner/.copilot with root ownership. A subsequent job on the same runner then fails when the Copilot CLI (running as the runner user) tries to create subdirectories.

Evidence

• PR: fix: mount /etc/hosts in chroot mode and handle missing resolv.conf gh-aw-firewall#522
• Failed job (first push): https://github.com/github/gh-aw-firewall/actions/runs/21725304228/job/62665698175
• Failed job (second push): https://github.com/github/gh-aw-firewall/actions/runs/21725387805/job/62665989429
• Frequency: ~1 out of 12 parallel agent jobs per push (non-deterministic, depends on runner reuse)

Proposed Fix

Add a directory ownership fix before the install_copilot_cli.sh step in the Copilot engine compiler output:

mkdir -p /home/runner/.copilot && chown -R runner:runner /home/runner/.copilot

This should be added to install_copilot_cli.sh or emitted by the Copilot engine in the compiled workflow, before the Copilot CLI installation step.

Context

This was discovered while working on github/gh-aw-firewall#522 (mounting /etc/hosts in chroot mode). The failure is in the runner-level Copilot CLI installation, not inside the AWF container.