Mutlicell rolling replace

[breardon2011]

Multi-cell worker-image rollout

Today a new worker image only reaches one cell: the gallery version replicates
to the build region only, and the build writes worker-image-id to a single
KV. Other cells never see the new image, so they never roll.

This makes one build roll every cell.

Changes

• packer (worker-ami.pkr.hcl): new replication_regions var; the gallery
  version now replicates to [build region] + replication_regions, so each cell
  region gets a local replica (a cell can't boot an image not replicated to its
  region).
• build workflow: passes the region list, and publishes
  worker-image-id / worker-image-version / golden-version to Infisical
  /shared instead of a single Azure KV. Infisical is push-authoritative and
  fans /shared out to every cell KV → every cell's scaler rolls.

No Go/code changes — build + infra only.

Required config (set before merging / next build)

Repo variables

Name	Value
AZURE_REPLICATION_REGIONS	JSON list of cell regions, e.g. ["westus2","westus3"]
INFISICAL_PROJECT_ID	the Infisical project id
INFISICAL_ENV	env slug (e.g. prod)

Repo secrets

Name	Value
INFISICAL_UA_CLIENT_ID	universal-auth machine identity (write to /shared)
INFISICAL_UA_CLIENT_SECRET	its secret

Infisical /shared must hold worker-image-id, worker-image-version,
golden-version (seed once from current opencomputer-prod-kv), and any
per-cell copies of these keys under /cells/* should be removed so they don't
shadow /shared.

Note

Full cutover to Infisical — no direct-KV fallback. Relies on the Infisical→KV
sync being live.