ci: migrate Nix cache from sunset magic-nix-cache to FlakeHub Cache

[theangelperalta]

Summary

Migrates the Nix CI workflow off DeterminateSystems/magic-nix-cache-action@v8, which was sunset on 2025-02-01, to its supported successor flakehub-cache-action.

Why

magic-nix-cache-action now rate-limits and returns HTTP 418, and logs FlakeHub cache is not enabled / Shutting down. When its local substituter (127.0.0.1:37515) is disabled mid-build, paths it was serving (the SBCL lisp closure — sbcl-micros, sbcl-queues, sbcl-sha3, …) become unfetchable, producing intermittent error: ... is required, but there is no substituter that can build it failures on the Linux jobs. It's flaky-but-usually-green today (falls back to cache.nixos.org), but it's a deprecated dependency and a recurring source of CI noise.

Change

• Swap the cache step to DeterminateSystems/flakehub-cache-action@main.
• Add permissions: { id-token: write, contents: read } to the build job (FlakeHub Cache authenticates via GitHub OIDC).

⚠️ Maintainer prerequisite

FlakeHub Cache authenticates via OIDC and requires the lem-project org to be enrolled in FlakeHub (free for public/OSS repos) at https://flakehub.com. This PR's own CI run is the test: if the cache step authenticates, we're good; if it errors with "create an organization at FlakeHub.com", the org needs enrolling first (or, as a fallback, we can simply drop the cache step and rely on cache.nixos.org).

Notes / out of scope

• The same workflow also triggers Node 20 deprecation warnings for actions/checkout@v4, nix-installer-action@v16, and the (now-removed) cache action. Bumping those is a separate cleanup.
• Unrelated to the terminal PRs (chore(terminal): remove committed terminal.so binaries, build from source #2204/chore(terminal): bundle static terminal.so into release artifacts #2205/feat(nix): build and bundle terminal.so in the flake #2207); raised on its own because the deprecation surfaced while debugging feat(nix): build and bundle terminal.so in the flake #2207's Linux jobs.