chore(ci): make isolated package builds optional

[poroh]

Move isolated package build checks out of required CI/pre-build checks and document them as an optional maintenance workflow.

Related issues

Closes #2984

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[coderabbitai]

Walkthrough

check-isolated-package-builds is removed from the pre-commit-verify-workspace dependency list in Makefile.toml and from the lint-police CI job in .github/workflows/ci.yaml. It is re-exposed as an optional core/check-isolated-package-builds Make target in the root Makefile, with AGENTS.md updated to reflect its voluntary, non-gating status.

Changes

Demote isolated-package-builds check to optional

Layer / File(s)	Summary
Remove from required pre-commit and CI gates Makefile.toml, .github/workflows/ci.yaml	check-isolated-package-builds is dropped from the pre-commit-verify-workspace dependencies and from the lint-police job step sequence.
Expose as optional Make target Makefile	Header comment broadened from rest-api-only; help output extended with a Core (Rust) section; new .PHONY target core/check-isolated-package-builds delegates to cargo make --no-workspace check-isolated-package-builds.
Update AGENTS.md documentation AGENTS.md	Documents the check as an optional maintenance command, rewrites the Top-level Makefile entrypoints section, and removes the outdated note that Core tasks are absent from the root Makefile.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

• NVIDIA/infra-controller#2971: Modifies .github/workflows/ci.yaml around the same lint-police job, specifically adjusting which downstream jobs depend on it.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly matches the main change: moving isolated package build checks out of required CI.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The description accurately matches the changes: isolated build checks move out of required CI and are documented as optional maintenance.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
boot-artifacts-aarch64	3	0	0	3	0	0
boot-artifacts-x86_64	3	0	0	3	0	0
forge-admin-cli-x86_64	288	6	26	105	7	144
machine-validation-runner	751	30	190	274	36	221
machine_validation	751	30	190	274	36	221
machine_validation-aarch64	751	30	190	274	36	221
nvmetal-carbide	751	30	190	274	36	221
TOTAL	3298	126	786	1207	151	1028

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.