fix(aws): demote prior releases' public AMIs before publishing to stay under quota#53

Merged: passcod merged 1 commit into main from demote-public-amis on Jun 28, 2026
@passcod (Member) commented Jun 28, 2026

🤖 AWS caps public images at 5 per region. Each release publishes 4 public AMIs per region (arch × suite for `register-ami` in `ap-southeast-2`, and arch × suite per satellite region for `copy-amis`). The previous release's 4 stay public, so the next release's publish trips `ResourceLimitExceeded` on `ModifyImageAttribute`.

This makes prior releases' public AMIs private right before publishing the new ones, in both the home region and every mirror region.

New helper `scripts/demote-public-amis.sh <region> <keep-version>` revokes `Group=all` launch permission (and the backing snapshot's create-volume permission) from every self-owned public AMI in the region whose `Version` tag isn't the release being published. `register-ami-for-release.sh` and `copy-ami-to-region.sh` both call it immediately before their publish step.

Notes:

  • Safe under the parallel matrix: every leg of a release shares one version and only demotes AMIs from other versions, so no leg demotes an AMI a sibling is about to publish. Revokes are idempotent.
  • Untagged public AMIs are treated as stale and demoted too — this is the dedicated publishing account, so anything public that isn't the current release should come down.
  • The sweep loops revoke-then-recheck (bounded) to ride out `describe-images` eventual consistency rather than hard-failing on the first read.
  • No new IAM permissions: the upload role already uses `ModifyImageAttribute`, `ModifySnapshotAttribute`, and `DescribeImages`.

Spec-first: documents the public/mirror lifecycle (previously unspecified) and the per-region cap requirement as `r[image.output.aws-ami-public]`.

🤖 Generated with Claude Code

@passcod passcod enabled auto-merge June 28, 2026 22:34
@passcod passcod disabled auto-merge June 28, 2026 22:34
@passcod passcod merged commit a1cd7b6 into main Jun 28, 2026
18 checks passed
@passcod passcod deleted the demote-public-amis branch June 28, 2026 22:34
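
The selection rule and the bounded revoke-then-recheck loop from the PR description, modelled in Python as an added example; it is not the project's `demote-public-amis.sh`, whose contents are not shown on this page. `FakeEC2` and its two methods are hypothetical stand-ins for DescribeImages and ModifyImageAttribute/ModifySnapshotAttribute, and the sample AMIs are constructed.

```python
# Added example; FakeEC2, describe_self_owned and revoke_public are hypothetical names.
def stale_public_images(images, keep_version):
    """Public AMIs (DescribeImages "Images" shape) not tagged Version=keep_version."""
    stale = []
    for img in images:
        tags = {t["Key"]: t["Value"] for t in img.get("Tags", [])}
        # An untagged AMI yields None here, so it counts as stale too.
        if not img.get("Public") or tags.get("Version") == keep_version:
            continue
        snaps = [m["Ebs"]["SnapshotId"] for m in img.get("BlockDeviceMappings", [])
                 if "SnapshotId" in m.get("Ebs", {})]
        stale.append((img["ImageId"], snaps))
    return stale

def sweep(ec2, keep_version, max_rounds=5):
    """Revoke, then re-read, until a read shows nothing stale or rounds run out."""
    demoted = {}  # image id -> backing snapshot ids that were revoked with it
    for _ in range(max_rounds):
        stale = stale_public_images(ec2.describe_self_owned(), keep_version)
        if not stale:
            return demoted
        for image_id, snaps in stale:
            ec2.revoke_public(image_id, snaps)  # repeating a revoke is harmless
            demoted[image_id] = snaps
    raise RuntimeError(f"stale public AMIs still listed after {max_rounds} rounds")

class FakeEC2:
    """Constructed in-memory region whose reads lag `lag` calls behind a revoke."""
    def __init__(self, images, lag=1):
        self.images, self.lag, self.pending = images, lag, {}
    def describe_self_owned(self):
        view = []
        for img in self.images:
            left = self.pending.get(img["ImageId"], 0)
            self.pending[img["ImageId"]] = max(left - 1, 0)
            view.append({**img, "Public": img["Public"] or left > 0})
        return view

    def revoke_public(self, image_id, snapshot_ids):
        for img in self.images:
            if img["ImageId"] == image_id and img["Public"]:
                img["Public"], self.pending[image_id] = False, self.lag

def constructed_images():  # sample data invented for this example
    def ami(i, public, version=None):
        return {"ImageId": f"ami-{i}", "Public": public,
                "Tags": [{"Key": "Version", "Value": version}] if version else [],
                "BlockDeviceMappings": [{"Ebs": {"SnapshotId": f"snap-{i}"}}]}
    return [ami("old", True, "1.0"), ami("new", True, "2.0"),
            ami("untagged", True), ami("private", False, "1.0")]
```

With `lag=1` the second read still lists the two demoted AMIs as public, and the loop only returns on the third read; a lag longer than `max_rounds` surfaces as an error instead of a silent pass.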