This change refactors all tooling to use stable nix to build the
project's packages (the git-bug binary and web ui). Support for the
experimental features of nix that were previously in use were removed:
`flakes` and `nix-command`. This requires updating many different parts
of the development toolchain, namely: CI, internal tools, and
documentation.

As a result of this, onboarding has been simplified (as users no longer
need to add support for the experimental features), nix is now
exclusively being used to build in CI, and is the recommended golden
path outside of CI (for correctness guarantees, at least). A
`release-binaries` drv has been added that builds git-bug for a variety
of platforms to support moving away from gox (and add support for
`darwin/arm64`).

When evaluating the treefmt configuration, optimizations were realized:

- zizmor is being used instead of pinact for performing analysis of
  pipelines defined in //.github/workflows. as a result of this, changes
  were made to improve pipeline security
- codespell configuration has been updated to include hidden files by
  default, and to skip over additional generated fileas
- treefmt verbosity was changed so that additional information is shown
  during its execution
- treefmt will no longer emit messages about unmatched files by default
  (but will if debug logging is enabled)

This is one of the rare cases in which I'll submit a change that crosses
multiple logical boundaries and closes several issues at once, but the
nature of this change opened up the possibility to do so fairly neatly.
I hope that this brings about a simpler experience for contributors to
this project, and for downstream consumers (packagers and
source-builders).

Closes: #1491
Closes: #1418
Closes: #1508

Change-Id: I3fb65c84c9c1a98b045548802d5710de9b117b2e