Add policy checks job to GitHub Actions workflow

Integrates OPA policy enforcement into the CI/CD pipeline:

- Adds policy-checks job that runs in parallel with fmt and execute jobs
- Uses overmindtech/policy-signals-action@v1 for automated policy enforcement
- Generates Terraform plan JSON specifically for policy evaluation
- Runs on all pull request events (opened, synchronize, reopened)
- Posts policy violation results as PR comments

The policy checks will now automatically validate:
- Security group configurations (SSH/RDP exposure)
- S3 security settings (encryption, tags, public access)
- Cost control measures (expensive instances, required tags)

Policy violations will be reported as failures in the GitHub Actions run
and detailed results will be posted as pull request comments.

Author: jameslaneovermind

.github/workflows/automatic.yml

@@ -16,6 +16,34 @@ jobs:
         id: fmt
         run: terraform fmt -check -diff
 
+  # NEW: Policy checks job running in parallel
+  policy-checks:
+    runs-on: ubuntu-latest
+    if: github.event.action != 'closed'
+    permissions:
+      contents: read
+      id-token: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Terraform Init (for policies)
+        uses: ./.github/actions/terraform_init/
+        with:
+          terraform_deploy_role: ${{ vars.TERRAFORM_DEPLOY_ROLE }}
+
+      - name: Generate Plan for Policies
+        id: policy-plan
+        run: |
+          terraform plan -no-color -input=false -out tfplan.policies
+          terraform show -json tfplan.policies > tfplan.json
+
+      - uses: overmindtech/policy-signals-action@v1
+        with:
+          policies-path: './policies'
+          overmind-api-key: ${{ secrets.OVM_API_KEY }}
+          terraform-plan-json: './tfplan.json'
+
   execute:
     runs-on: ubuntu-latest
     permissions: