feat(ci): build and push cameleer-runtime-loader image

Move the init-container loader image build from cameleer-server CI into
this repo so all sidecar/infra image builds (runtime-base, postgres,
clickhouse, traefik, logto, and now runtime-loader) live in one place.

The loader is consumed by cameleer-server's DockerRuntimeOrchestrator as
a per-replica init container that fetches the tenant JAR from a signed
URL into a named volume before the main container starts. Source +
Dockerfile copied verbatim from cameleer-server@c2efb7fb (the image with
the volume-permission fix). The published tag path is unchanged
(gitea.siegeln.net/cameleer/cameleer-runtime-loader:latest), so running
tenant servers continue pulling the same image.

Build step matches the runtime-base/postgres/clickhouse/traefik pattern
(unconditional rebuild on every push, sha + branch tags, --provenance=false
for Gitea). cameleer-server will follow up with a commit removing its
loader-build step and switching its LoaderHardeningIT to pull the
published image instead of building from a local Dockerfile.

docker/runtime-loader/Dockerfile

@@ -0,0 +1,17 @@
+# Tiny init-container image. No app code, no shell-injection surface — script
+# only sees env vars set by the orchestrator.
+FROM busybox:1.37-musl
+
+# Run as non-root (UID 1000 inside the container; with userns_mode this is
+# remapped to host UID ~101000 — fully unprivileged on the host).
+# Pre-create /app/jars owned by `loader` so the orchestrator's named-volume
+# mount inherits that ownership at first init — without it the empty named
+# volume comes up as root:root 0755 and wget can't write app.jar.
+RUN adduser -D -u 1000 loader && mkdir -p /app/jars && chown -R loader:loader /app
+
+COPY entrypoint.sh /usr/local/bin/loader
+RUN chmod +x /usr/local/bin/loader
+
+USER loader
+WORKDIR /app
+ENTRYPOINT ["/usr/local/bin/loader"]