[ENG-2673] Add Copybara and publishing pipeline for Terraform provider and module (#3958)

## Summary

- Add Copybara workflows, GoReleaser config, GPG signing, and GitHub
Actions release pipelines to publish the Terraform provider and HCL
module to public repos and registries
- Provision per-repo GitHub Actions secrets (`OP_RO_TOKEN`,
`RELEASE_PAT`) via Terraform, following the existing
`homebrew-overmind`/`actions` pattern
- Public repos
([terraform-provider-overmind](https://github.com/overmindtech/terraform-provider-overmind),
[terraform-overmind-aws-source](https://github.com/overmindtech/terraform-overmind-aws-source))
have been created and seeded with workflow files

## Linear Ticket

- **Ticket**:
[ENG-2673](https://linear.app/overmind/issue/ENG-2673/phase-5-copybara-and-publishing-for-terraform-provider-and-module)
— Phase 5: Copybara and Publishing for Terraform Provider & Module
- **Purpose**: Set up the full automated release pipeline from monorepo
tags to Terraform/OpenTofu registries
- **Plan approval**:
[ENG-2674](https://linear.app/overmind/issue/ENG-2674/approve-plan-phase-5-copybara-and-publishing-for-terraform-provider)
assigned to Lionel Wilson

## Changes

### Copybara (`copy.bara.sky`)
Two new workflows: `terraform-provider` (syncs provider + Go libs with
import rewriting) and `terraform-aws-source-module` (syncs HCL module
with directory flattening).

### Monorepo sync workflows (`.github/workflows/`)
- `terraform-provider-sync.yml` — triggers on `terraform-provider/v*`
tags
- `terraform-aws-source-module-sync.yml` — triggers on
`terraform-aws-source-module/v*` tags

### Provider release files (`aws-source/module/provider/`)
- `.goreleaser.yml` — cross-platform builds, zip archives, SHA256
checksums, GPG signing
- `terraform-registry-manifest.json` — protocol version 6.0
- `.github/workflows/release.yml` — loads GPG key from 1Password, runs
GoReleaser
- `.github/workflows/finalize-copybara-sync.yml` — runs `go mod tidy`,
creates PR
- `.github/workflows/tag-on-merge.yml` — creates version tag on merge

### Module release files (`aws-source/module/terraform/`)
- `.github/workflows/finalize-copybara-sync.yml` — creates PR (no `go
mod tidy`)
- `.github/workflows/tag-on-merge.yml` — creates version tag on merge

### Terraform / secrets
- `deploy/1password.tf` — 4 new `github_actions_secret` resources for
both public repos
- `deploy/variables.tf` — new `terraform_provider_release_pat` and
`terraform_module_release_pat` variables
- `deploy/.env.op`, `deploy/.github/env/op.local.secret`,
`.devcontainer/devcontainer.json` — wire new PAT variables through
1Password and devcontainer

### Provider code
- `aws-source/module/provider/main.go` — `const version` changed to `var
version = "dev"` for GoReleaser ldflags injection

## Before first release

The following manual steps remain (documented in the plan):
1. Create 1Password items: `Terraform Provider Release Github Token`,
`Terraform Module Release Github Token`, `Terraform Provider GPG Key`
2. Register GPG public key at registry.terraform.io/settings/gpg-keys
3. After merge, `terraform apply` provisions the repo secrets
4. Push monorepo tags to trigger first automated release
5. Enroll in Terraform Registry and OpenTofu Registry

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Mostly CI/release automation and secret provisioning changes, but
misconfiguration could leak or break release/tagging flows for the
public Terraform repos.
>
> **Overview**
> Adds end-to-end **Copybara-based publishing pipelines** for the
Terraform provider and AWS source Terraform module, driven by new
tag-triggered GitHub Actions workflows (`terraform-provider/v*`,
`terraform-aws-source-module/v*`) that sync code to public repos on
`copybara/vX.Y.Z` branches.
>
> Introduces release automation in the provider/module repos: Copybara
finalization workflows that open PRs from `copybara/v*`, `tag-on-merge`
workflows that create version tags using a `RELEASE_PAT`, and (for the
provider) a GoReleaser-based release with GPG-signed checksums plus a
Terraform registry manifest; provider `main.go` now uses an
ldflags-injected `version` variable.
>
> Updates `copy.bara.sky` with two new workflows (`terraform-provider`,
`terraform-aws-source-module`) and wires new Terraform-managed GitHub
Actions secrets/inputs (including new PAT variables) through `deploy/`
and the devcontainer to support the public repo automation; ADR index is
updated to include newly accepted ADRs.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d3a131760eadca87088922bf8eca86de2c1be730. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 800dbd7acd6e954106b6a2f1125fc7526c0b2634

Author: DavidS-ovm

.github/workflows/finalize-copybara-sync.yml

@@ -0,0 +1,84 @@
+name: Finalize Copybara Sync
+
+on:
+  push:
+    branches:
+      - 'copybara/v*'
+
+concurrency:
+  group: copybara-sync-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  finalize:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Extract version from branch name
+        id: version
+        run: |
+          VERSION=$(echo "$GITHUB_REF" | sed 's|refs/heads/copybara/||')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.ref }}
+          fetch-depth: 0
+
+      - name: Extract original commit author
+        id: author
+        run: |
+          AUTHOR_EMAIL=$(git log -1 --format='%ae' --author='^(?!.*actions@github.com)' --perl-regexp 2>/dev/null || git log -1 --format='%ae')
+          AUTHOR_NAME=$(git log -1 --format='%an' --author='^(?!.*actions@github.com)' --perl-regexp 2>/dev/null || git log -1 --format='%an')
+          echo "email=$AUTHOR_EMAIL" >> $GITHUB_OUTPUT
+          echo "name=$AUTHOR_NAME" >> $GITHUB_OUTPUT
+
+          if [[ "$AUTHOR_EMAIL" =~ ^([^@]+)@users\.noreply\.github\.com$ ]]; then
+            GITHUB_USER=$(echo "${BASH_REMATCH[1]}" | sed 's/^[0-9]*+//')
+            echo "github_user=$GITHUB_USER" >> $GITHUB_OUTPUT
+          else
+            echo "github_user=" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create Pull Request
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.version }}
+          AUTHOR_NAME: ${{ steps.author.outputs.name }}
+          AUTHOR_EMAIL: ${{ steps.author.outputs.email }}
+          GITHUB_USER: ${{ steps.author.outputs.github_user }}
+        run: |
+          PR_BODY="## Copybara Sync - Release ${VERSION}
+
+          This PR was automatically created by Copybara, syncing changes from the [overmindtech/workspace](https://github.com/overmindtech/workspace) monorepo.
+
+          **Original author:** ${AUTHOR_NAME} (${AUTHOR_EMAIL})
+
+          ### What happens when this PR is merged?
+
+          1. The \`tag-on-merge\` workflow will automatically create the \`${VERSION}\` tag on main
+          2. Terraform Registry will detect the tag via webhook and publish the module
+
+          ### Review Checklist
+
+          - [ ] Changes look correct and match the expected monorepo sync
+          "
+
+          PR_URL=$(gh pr create \
+            --base main \
+            --head "${{ github.ref_name }}" \
+            --title "Release ${VERSION}" \
+            --body "$PR_BODY")
+
+          echo "Created PR: $PR_URL"
+
+          if [ -n "$GITHUB_USER" ]; then
+            echo "Requesting review from original author: $GITHUB_USER"
+            gh pr edit "$PR_URL" --add-reviewer "$GITHUB_USER" || true
+          fi
+
+          echo "Requesting review from Engineering team"
+          gh pr edit "$PR_URL" --add-reviewer "overmindtech/Engineering" || true

.github/workflows/tag-on-merge.yml

@@ -0,0 +1,52 @@
+name: Tag Release on Merge
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+
+jobs:
+  tag-release:
+    if: github.event.pull_request.merged == true && startsWith(github.event.pull_request.head.ref, 'copybara/v')
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - name: Extract version from branch name
+        id: version
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          VERSION=$(echo "$BRANCH" | sed 's|copybara/||')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+          echo "Extracted version: $VERSION"
+
+      - uses: actions/checkout@v6
+        with:
+          ref: main
+          fetch-depth: 0
+          token: ${{ secrets.RELEASE_PAT }}
+
+      - name: Configure Git
+        run: |
+          git config user.name "GitHub Actions Bot"
+          git config user.email "actions@github.com"
+
+      - name: Create and push tag
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
+        run: |
+          echo "Creating tag: $VERSION"
+          git tag "$VERSION"
+          git push origin "$VERSION"
+          echo "Successfully pushed tag $VERSION"
+
+      - name: Delete copybara branch
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH="${{ github.event.pull_request.head.ref }}"
+          echo "Deleting branch: $BRANCH"
+          git push origin --delete "$BRANCH" || echo "Branch may have already been deleted"