Cardano Updates

gh api --paginate returns multiple JSON objects (one per page).
The old jq heredoc processed each page separately, producing
multiple arrays (some empty []) which GitHub Actions rejected
as invalid output format. Use jq --slurp to merge all pages
into a single array before filtering.

Also fix the validate step: the devx wrapper sources $1 as a
file path, it doesn't support bash-style -c. Write smoke test
commands to a temp file instead.

The old code piped `nix-store --export` (binary NAR output containing
null bytes) through `tee store-paths.txt`, then used `tail -n 1` on
that binary file inside $() — bash on Ubuntu 24.04 errors out with
"command substitution: ignored null byte in input".

Fix: capture the text path list from `nix-store -qR` in a variable
first, then use grep to verify the -env.sh script is in the closure.

Source each -env.sh script in a sandbox and verify that ghc, cabal,
and pkg-config are functional. Optionally checks HLS for non-minimal,
non-JS, non-Windows shells with compiler < 9.11. Catches PATH
construction errors, missing packages, and broken shellHooks that
would produce unusable containers. Not yet in `required` aggregate.

The windows package set uses lib.makeScope which creates an internal
fixed-point. Using `prev.windows // { ... }` only replaces top-level
attributes but internal scope consumers (GCC bootstrap, haskell.nix)
still resolve to the original broken derivations via the scope's
internal newScope/callPackage mechanism.

Switch to prev.windows.overrideScope which properly threads changes
through the fixed-point, ensuring ALL references to mcfgthreads and
mingw_w64_pthreads within the windows scope resolve to our fixed
versions.

This explains why eval 429 had TWO mcfgthread derivations: the
overlayed one (SUCCESS) and the original scope one (FAILURE, referenced
by 32 builds).

tzdata: stdenv's unpackPhase runs `chmod -R u+w "$sourceRoot"` BEFORE
postUnpack, so the previous fix (creating tzdata-src in postUnpack)
failed because chmod ran on a nonexistent directory. Fix: set
dontMakeSourcesWritable=true and run chmod manually in postUnpack.

ngtcp2: examples include POSIX-only headers (sys/socket.h, sys/un.h)
that don't exist on Windows (same class of issue as nghttp3). Disable
examples with ENABLE_EXAMPLES=OFF.

The single-output postgresql (685d555) broke the eval because
downstream packages (haskell.nix libpq) depend on postgresql.lib
and postgresql.dev outputs which don't exist with outputs=["out"].

Revert to the standard 5-output postgresql with all the existing
fixes (jitSupport=false, perlSupport=false, fno-lto, etc) and add
a cache breaker v3 to force new derivation hashes. This ensures
the queue runner won't hit stale FailedPaths entries from previous
postgresql-musl orphaned store path failures.

Using isLinux also changed aarch64-linux gcc14, which cascades through
the entire IFD chain (gcc14 → stdenv → glibc → linux-headers → GHC →
nix-tools → plan-nix). This forces linux-headers to be rebuilt, but
linux-headers fails on darwin builders' case-insensitive APFS (netfilter
headers like xt_TCPMSS.h vs xt_tcpmss.h collide). The fixincludes issue
only affects x86_64-linux GCC builds on the Determinate Nix Linux VM.

GCC 14's fixincludes step bakes /usr/include into the Makefile via
@BUILD_SYSTEM_HEADER_DIR@ configure-time substitution. On NixOS-based
builders (Determinate Nix Linux VM), /usr/include doesn't exist,
failing all x86_64-linux GCC builds and cascading to 32 Windows
cross-builds. --disable-fixincludes is safe for Nix (store-managed
headers) and already used by nixpkgs' standalone libgcc build.

Also bumps postgresql musl cache breaker to v2 to force new drv hashes
after deploying sync-before-registering to darwin builders.