
Allow cross-region EC2 reads in the role policy

`test_zones` iterates over every AWS region and calls
`describe_availability_zones` against each region's endpoint
(via cloudbridge.providers.aws.resources.AWSRegion.zones, which spins
up a per-region EC2 client). For all calls outside us-east-1,
`aws:RequestedRegion` is the target region, so the existing
`aws:RequestedRegion == us-east-1` condition rejected them with
`UnauthorizedOperation` even though `ec2:*` covered the action.

Add a separate `EC2ReadAnyRegion` statement allowing `ec2:Describe*`,
`ec2:Get*`, `ec2:List*` without a region condition. Mutations
(`RunInstances`, `CreateVpc`, etc.) remain pinned to us-east-1 via
the existing `EC2FullAccessUsEast1` statement, so the safety
boundary against accidentally provisioning in other regions is
preserved.

The deployed inline policy is updated by re-running
.github/aws/setup.sh; this commit only refreshes the source-of-truth.
Nuwan Goonasekera 1 day ago
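The reasoning in the commit message (Describe calls fail outside us-east-1 under the old policy, succeed under the new one, mutations stay pinned) can be checked offline before re-running setup.sh. The following is an added example, not code from the cloudbridge repository: a deliberately minimal evaluator that handles only the constructs these two statements use (Allow effect, `*` wildcards in Action, a StringEquals condition on `aws:RequestedRegion`). The `EC2FullAccessUsEast1` statement is reconstructed as an assumption from the commit message, since the diff above shows only its Sid and Effect; the request list at the bottom is constructed input.

```python
"""Offline check of the policy change described in the commit message.

Added example (not from the cloudbridge repo). Real IAM evaluation
(explicit Deny, resource ARNs, SCPs, permission boundaries, other
condition operators) is out of scope; unknown operators fail closed.
"""
import fnmatch
import json

# ASSUMPTION: the diff only shows Sid and Effect of EC2FullAccessUsEast1;
# "ec2:*" plus the aws:RequestedRegion condition are taken from the message.
OLD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2FullAccessUsEast1",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
    }
  ]
}""")

# The statement added by this commit, copied from the hunk above.
READ_ANY_REGION = {
    "Sid": "EC2ReadAnyRegion",
    "Effect": "Allow",
    "Action": ["ec2:Describe*", "ec2:Get*", "ec2:List*"],
    "Resource": "*",
}

NEW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [READ_ANY_REGION] + OLD_POLICY["Statement"],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Condition values."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition: dict, context: dict) -> bool:
    """Only StringEquals is implemented; anything else is treated as unmet."""
    for operator, checks in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in checks.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy: dict, action: str, region: str) -> bool:
    """True if some Allow statement matches the action and its condition is met."""
    context = {"aws:RequestedRegion": region}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return True
    return False


def compare(action: str, region: str) -> tuple:
    """(allowed under old policy, allowed under new policy) for one request."""
    return is_allowed(OLD_POLICY, action, region), is_allowed(NEW_POLICY, action, region)


if __name__ == "__main__":
    # Constructed requests: the failing test call, two mutations, and one
    # Get* call to show how far the new statement reaches.
    for action, region in [
        ("ec2:DescribeAvailabilityZones", "us-east-1"),
        ("ec2:DescribeAvailabilityZones", "eu-west-1"),
        ("ec2:RunInstances", "us-east-1"),
        ("ec2:RunInstances", "eu-west-1"),
        ("ec2:GetPasswordData", "eu-west-1"),
    ]:
        old, new = compare(action, region)
        print(f"{action:32} {region:10} old={old!s:5} new={new!s:5}")
```

Running it shows `DescribeAvailabilityZones` in eu-west-1 flipping from denied to allowed while `RunInstances` and `CreateVpc` outside us-east-1 stay denied; the last row also shows that `ec2:Get*` admits more than Describe-style lookups.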
Parent commit 6143ebd218
1 file changed with 10 additions and 0 deletions
  .github/aws/permissions-policy.json

+ 10 - 0
.github/aws/permissions-policy.json

@@ -1,6 +1,16 @@
 {
   "Version": "2012-10-17",
   "Statement": [
+    {
+      "Sid": "EC2ReadAnyRegion",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:Describe*",
+        "ec2:Get*",
+        "ec2:List*"
+      ],
+      "Resource": "*"
+    },
     {
       "Sid": "EC2FullAccessUsEast1",
       "Effect": "Allow",
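Review bot: `ec2:Get*` in the new EC2ReadAnyRegion statement reaches further than the read-only intent described for it. Besides Describe-style lookups it matches `ec2:GetPasswordData` (Windows instance administrator password), `ec2:GetConsoleOutput` and `ec2:GetConsoleScreenshot`, and the statement has no region condition, so these are now granted in every region rather than only us-east-1. The commit message names only `describe_availability_zones` as the call that failed, so `ec2:Describe*` on its own (or just `ec2:DescribeAvailabilityZones` and `ec2:DescribeRegions`) would cover the test; if `ec2:Get*` and `ec2:List*` are kept, the message should say which calls need them. `"Resource": "*"` is appropriate here, since EC2 Describe actions do not support resource-level restrictions.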