fix(ci): tolerate upstream DMG rollout in PR Nix checks

[mkaoudis]

Summary

• keep Nix package CI strict for main-branch and non-DMG failures
• allow pull-request CI to skip package-output builds when upstream Codex.dmg metadata or fixed-output hash drift is detected during rollout
• serialize Nix package-output builds and collect garbage between outputs to reduce runner store pressure

Review order

This is the first PR in the small CI-fix stack and is ready for maintainer review from my side. Follow-up #323 depends on this behavior to get its otherwise unrelated Nix check green during the current upstream DMG rollout.

User-visible behavior

No shipped package behavior changes. This only changes GitHub Actions behavior for PR-only upstream DMG rollout windows.

Source of truth

• .github/workflows/ci.yml

Validation

Local validation:

• python3 workflow YAML parse for .github/workflows/*.yml
• bash -n scripts/ci/validate-nix-pins.sh
• git diff --check origin/main...HEAD

GitHub validation on this PR:

• Rust and Smoke Tests: pass
• Build Debian Package: pass
• Build RPM Package: pass
• Build Pacman Package: pass
• Nix Package Builds: pass

Known scope

This intentionally does not refresh committed Nix pins. Main-branch validation still fails on drift so the scheduled hash-refresh workflow remains responsible for updating pins.

[ilysenko]

Reviewed the updated head. CI is green and the rollout skip is now guarded so pin-file PRs stay strict.