Add three deliverables to make unregistered Gitea runners impossible to miss:
1. scripts/provision-runner.sh
- Downloads and installs act_runner binary at a pinned version
- Registers the runner with Gitea (fails non-zero if registration fails)
- Creates and enables act_runner systemd service
- Installs runner-health-probe timer as part of the same provisioning pass
- Prints a poka-yoke checklist summary at the end
2. scripts/runner-health-probe.sh
- Queries Gitea admin API for active runner count every run
- Reports count to systemd journal (visible via journalctl)
- On zero runners: writes P1 alert marker to /var/lib/act_runner/alerts/,
attempts to restart act_runner service, re-queries to verify recovery,
logs recovery or continued failure with actionable next steps
- Cooldown (10 min) prevents restart storm
3. scripts/systemd/runner-health-probe.{service,timer}
- Systemd oneshot service wrapping the probe script
- Timer fires 2 min after boot then every 5 min (OnUnitActiveSec=5min)
- Persistent=true so missed runs fire on recovery from downtime
Fixes#1097
