Break the single job into four stages: `nix flake update`, checks,
cachix, push to main.
The benefit is that checks and cachix can use a matrix strategy in the
future (to test / build for different OSes and nixpkgs releases). Also,
the cachix build can run in parallel with checks.
The downside is that we need to push to a temporary branch before we can
run checks. Do that the simplest possible way (just hardcode the branch
name).
I want to use a matrix strategy for the check and cachix workflows, so I
need to not just commit but also push the updated flake.lock somewhere
other than `main`, so multiple workers can check out the pending change.
Try the simplest possible thing first, expecting it to fail with
permission issues.
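The four-stage layout described above, as an added GitHub Actions sketch that is not the repository's own workflow; the branch name `flake-update`, the cache name, and the action versions are assumptions, and the `contents: write` permission is what the temporary-branch push needs.

```yaml
# Added illustration, not this project's workflow. "flake-update" is a
# hardcoded temporary branch; EXAMPLE_CACHE is a placeholder cache name.
name: update-flake
on: { workflow_dispatch: }
permissions:
  contents: write   # needed for the temporary-branch push and the final push to main
jobs:
  update:           # stage 1: bump flake.lock and park it on a temporary branch
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cachix/install-nix-action@v27
      - run: nix flake update
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git commit -am "flake.lock: update" || true   # no-op when nothing changed
          git push --force origin HEAD:flake-update      # simplest thing: hardcoded branch
  checks:           # stage 2: matrix over OSes, all workers check out the same pending change
    needs: update
    strategy:
      matrix: { os: [ubuntu-latest, macos-latest] }
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
        with: { ref: flake-update }
      - uses: cachix/install-nix-action@v27
      - run: nix flake check
  cachix:           # stage 3: runs in parallel with checks (both only need "update")
    needs: update
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { ref: flake-update }
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:
          name: EXAMPLE_CACHE
          authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
      - run: nix build
  push:             # stage 4: fast-forward main only after both gates passed
    needs: [checks, cachix]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { ref: flake-update }
      - run: git push origin HEAD:main
```

With the default `GITHUB_TOKEN`, a push to a protected `main` (or one made by the token itself) is the point where the expected permission failure would surface.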