
fix(ci): nix workflow hardening#286

Merged
cachebag merged 1 commit into master from ci on Mar 17, 2026

Conversation

Owner

@cachebag cachebag commented Mar 17, 2026

The following changes were made to try and fix this issue with our nix updating workflow.

Trigger: pull_request_target instead of pull_request + push

  • Runs in the context of the base repo, so GITHUB_TOKEN has write access to the PR branch even for fork PRs
  • Only fires when Cargo.lock, package.nix, or the workflow itself changes; no more wasted runs
  • Removed the push trigger entirely since auto-fixing hashes only makes sense on PRs

Commit via GitHub API instead of git push

  • Uses gh api repos/.../contents/package.nix --method PUT to commit the updated file directly through the API
  • GitHub treats this as a normal commit on the branch; no rebase, no force-push, no "base branch was modified" errors
  • No git commit --amend, no git rebase, no git push --force

Fork PR handling

  • For same-repo PRs: commits the fix directly via the API
  • For fork PRs: the bot can't push to forks, so instead it leaves a PR comment with the correct hash value for the contributor to update themselves

Deprecated action replaced

  • actions-rs/toolchain@v1 swapped for dtolnay/rust-toolchain@stable

Additionally, we now conditionally run our CI based on what folders/files were edited.

I had Opus 4.6 via Cursor complete this entire change for me.
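The workflow shape described above, as an added illustration rather than the repository's own workflow file (which this page does not show). It assumes the hash lives in a cargoHash attribute of package.nix, that the workflow file is .github/workflows/fix-nix-hash.yml, and that a hypothetical scripts/expected-cargo-hash.sh prints the hash nix expects:

```yaml
name: fix-nix-hash
on:
  pull_request_target:
    # Only these paths can change the hash, so nothing else triggers a run.
    paths: [Cargo.lock, package.nix, .github/workflows/fix-nix-hash.yml]
permissions:
  contents: write        # contents PUT on a same-repo branch
  pull-requests: write   # commenting on fork PRs
jobs:
  fix-hash:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ github.token }}
      REPO: ${{ github.repository }}
      PR: ${{ github.event.pull_request.number }}
      HEAD_REF: ${{ github.event.pull_request.head.ref }}
      # 'true' when the head branch lives in a fork the token cannot write to.
      IS_FORK: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # PR-authored content
      - uses: dtolnay/rust-toolchain@stable
      # Hypothetical helper (assumption): prints the cargoHash for this Cargo.lock.
      # Under pull_request_target this step runs PR-authored code with the base
      # repo's write token, so it should do hash computation and nothing else.
      - id: hash
        run: echo "new=$(./scripts/expected-cargo-hash.sh)" >> "$GITHUB_OUTPUT"
      - name: Rewrite package.nix locally
        env: { NEW_HASH: "${{ steps.hash.outputs.new }}" }   # via env, not inlined
        run: sed -i "s|cargoHash = \"[^\"]*\"|cargoHash = \"$NEW_HASH\"|" package.nix
      - name: Commit through the contents API (same-repo PRs)
        if: env.IS_FORK == 'false'
        run: |
          # The PUT needs the blob sha of the current file on the head branch.
          sha=$(gh api "repos/$REPO/contents/package.nix?ref=$HEAD_REF" --jq .sha)
          gh api "repos/$REPO/contents/package.nix" --method PUT \
            -f message="ci: update cargoHash" -f branch="$HEAD_REF" -f sha="$sha" \
            -f content="$(base64 -w0 package.nix)"
      - name: Ask the contributor to update (fork PRs)
        if: env.IS_FORK == 'true'
        env: { NEW_HASH: "${{ steps.hash.outputs.new }}" }
        run: gh pr comment "$PR" --body "package.nix needs cargoHash = \"$NEW_HASH\""
```

Because pull_request_target runs with the base repository's write token, every step after the checkout executes PR-controlled content with that token, so the permissions block should stay this narrow and no other secrets should be exposed to the job.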

@cachebag cachebag self-assigned this Mar 17, 2026
@cachebag cachebag added bug Something isn't working config Changes to NixOS, GHA, dev config, etc. labels Mar 17, 2026
@cachebag cachebag merged commit af03aff into master Mar 17, 2026
6 checks passed
