CI: break up "CI" workflow

Break the single job into four stages: `nix flake update`, checks,
cachix, push to main.

The benefit is that checks and cachix can use a matrix strategy in the
future (to test / build for different OSes and nixpkgs releases). Also,
the cachix build can run in parallel with checks.

The downside is that we need to push to a temporary branch before we can
run checks. Do that the simplest possible way (just hardcode the branch
name).

.github/workflows/push-flake-update.yml

@@ -0,0 +1,40 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Push flake-update
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  commit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: "write"
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+        with:
+          ref: flake-update
+      - name: Push changes
+        run: git push origin HEAD:main
+        # `git push` only works because branch protection is not enabled.
+        #
+        # Currently branch protection is not effective anyway, since the only
+        # contributor (marienz) has admin permissions, and applying branch
+        # protection to administrators seems to be an "organization" feature.
+        #
+        # The supported path seems to be "create a PR and use the API to merge
+        # it", but that's more work to implement: revisit later if needed.