Use aws:RequestedRegion to scope the EC2 policy

The previous condition keyed off `ec2:Region`, which AWS only populates
in the request context for actions that operate on a region-scoped
resource. Service-level `Describe*` calls (e.g.
`DescribeAvailabilityZones`) don't have it set, and despite the
`StringEqualsIfExists` semantics, IAM evaluated the condition as a
non-match — denying the call even though `ec2:*` covered the action.

Switch to `aws:RequestedRegion`, which IAM itself populates on every
authenticated API call from the endpoint region. Always present, no
need for the `IfExists` qualifier. This is AWS's recommended pattern
for region-scoping inline policies and works uniformly across services.

The role's actual deployed policy is updated by re-running
.github/aws/setup.sh against the account; this commit only refreshes
the source-of-truth file.
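
A lint for the pattern this commit replaces, as an added example that is not part of the commit or the repository: it flags policy statements that region-scope with `ec2:Region` instead of `aws:RequestedRegion`, and `IfExists` operators left on `aws:RequestedRegion`. The two policy documents, the `Sid`, the region value and the function name are constructed for illustration.

```python
# Service-specific region key the commit moves away from, and its replacement.
SERVICE_REGION_KEYS = {"ec2:region"}
GLOBAL_REGION_KEY = "aws:requestedregion"


def audit_region_conditions(policy):
    """Return (sid, operator, key, advice) for each fragile region condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{idx}]")
        for operator, keys in stmt.get("Condition", {}).items():
            for key in keys:
                name = key.lower()  # condition key names are case-insensitive
                if name in SERVICE_REGION_KEYS:
                    findings.append((sid, operator, key, "use aws:RequestedRegion"))
                elif name == GLOBAL_REGION_KEY and operator.lower().endswith("ifexists"):
                    findings.append((sid, operator, key, "IfExists not needed"))
    return findings


# Constructed policies shaped like the before/after of this change.
BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Ec2InOneRegion",
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {"StringEqualsIfExists": {"ec2:Region": "us-east-1"}},
    }],
}
AFTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Ec2InOneRegion",
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_region_conditions(doc))
```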