- Add aarch64-linux to supportedSystems
- Re-enable macOS and aarch64-linux in CI workflows
- Remove ghc810 from compiler list
- Update lints workflow to use ghc96

The old -env job generation used recursive-nix to run
`nix print-dev-env` inside a derivation, which is not supported
on remote builders. Replace with pure evaluation-time approach:

- Use devShellTools.unstructuredDerivationInputEnv to extract
  environment variables from mkShell derivations
- Construct PATH via lib.makeBinPath from flattened buildInputs
- Filter internal nix variables, keeping only user-defined ones
- Generate self-contained wrapper scripts at eval time
- Update ghcr-upload.sh to match new -env.sh naming

Source each -env.sh script in a sandbox and verify that ghc, cabal,
and pkg-config are functional. Optionally checks HLS for non-minimal,
non-JS, non-Windows shells with compiler < 9.11. Catches PATH
construction errors, missing packages, and broken shellHooks that
would produce unusable containers. Not yet in `required` aggregate.

The devShellTools approach only captured Nix-level derivation attributes,
missing hook-computed variables (NIX_CFLAGS_COMPILE, NIX_LDFLAGS,
PKG_CONFIG_PATH, etc.) that stdenv setup hooks produce at shell init
time. This caused downstream "Missing C library" errors.

Fix: export all drvAttrs (including stdenv, buildInputs, initialPath)
then source $stdenv/setup at runtime, exactly like `nix develop` does.
This runs cc-wrapper, pkg-config-wrapper, and all other setup hooks.

Also fix env-tests to save $out before sourcing (setup.sh resets it),
gate GHCR uploads to main branch (prevents PR pushes from overwriting
production images), gate hello.yml to main, and add pr-validate.yml
for PR closure validation via Hydra cache.

stdenv's setup.sh calls _assignFirst which requires $out to be set
for output variable assignment. Inside a Nix build the builder sets
$out automatically, but when running the devx wrapper directly
(containers, CI validation) $out is unset and setup.sh fails with:

  error: _assignFirst: could not find a non-empty variable whose
  name to assign to outputDev.

Fix in two places:
- mkEnvScript: wrapper sets $out to a temp dir when unset
- pr-validate.yml: set $out before invoking cached wrappers
  that don't yet include the mkEnvScript fix

Hydra posts check-runs at evaluation time before builds complete.
When flake.nix changes cause new derivation hashes, the discover
step would pick up store paths not yet available in any cache,
causing nix-store -r to fail on GH runners.

Filter for conclusion=="success" and valid /nix/store/ paths to
only validate closures that are actually built and cached.

setup.sh runs with set -eu and expects NIX_BUILD_TOP, TMPDIR, out,
and other variables that the Nix builder sets at runtime. The
previous fix only set $out; NIX_BUILD_TOP was the next failure.

Set all required builder runtime variables (NIX_BUILD_TOP, TMPDIR,
TMP, TEMP, TEMPDIR, NIX_STORE, out) in both mkEnvScript and the
CI validate step.

Verified locally on hydra: both static (ghc96-static-env) and
dynamic (ghc98-minimal-env) wrappers work correctly.