ci: add installer ISO build + release workflows #34
Open
phorcys420 wants to merge 16 commits into
Add two GitHub Actions workflows:
- build.yml: builds make installer/iso for x86_64-linux and aarch64-linux on native runners (push/PR/manual), uploading each ISO as a short-lived artifact.
- release.yml: same per-arch build matrix, triggered by a v* tag or manual dispatch, then publishes both ISOs (plus sha256 checksums) as assets on a GitHub Release.

- Build each arch natively (bare `make installer/iso` resolves to the runner's currentSystem) inside the nixos/nix container.
- Bring in gnumake + git through nix-shell.
- Correct ISO path to out/installer-iso/iso/coder-box-installer-<arch>-linux.iso.
The nixos/nix image has no standard glibc loader, so GitHub's bundled Node fails (exec /__e/node24/bin/node: no such file or directory) when the whole job uses container:. Instead run checkout/upload on the host runner and execute only `make installer/iso` inside the nixos/nix container via docker run, copying the ISO out of the ephemeral container store into the mounted workspace before upload.
- Build both installer/iso and appliance/iso per arch (matrix target).
- Bump checkout/upload/download actions to v5 (Node 24; clears the Node 20 deprecation warning).
- Rename workflows: 'Build ISO' and 'Build and release ISO'.
- PR builds only on ready-for-review (opened/reopened/ready_for_review, no synchronize) + draft guard; still manually dispatchable for an arbitrary ref/commit.
- Upload ISOs from a host mktemp dir bind-mounted into the container instead of a tracked dist/ folder.
- build.yml artifact retention dropped to 1 day.
…ommit/PR Runs on every push and pull_request (cheap, unlike the gated full image builds). Evaluates the flake and instantiates the installer ISO derivation for both arches via 'nix eval ... .drvPath' (writes the .drv, no realisation), catching Nix typos/type errors in seconds without building the multi-GB ISO. Both arches instantiate on one x86_64 runner since evaluation needs no native builder; eval runs in the nixos/nix container via docker run, checkout stays on the host.
Bare pull_request already defaults to opened/synchronize/reopened; list the types explicitly so per-commit re-eval intent is clear.
Add a box_instantiate helper (box_build's sibling) that evaluates the image derivation's .drvPath — fully evaluating the Nix and writing the .drv to the store without realising the multi-GB image. Expose it as installer/drv and appliance/drv (bare + arch-suffixed). Eval Nix workflow now just calls these make targets for both arches instead of an inline nix eval expression.
box_build and box_instantiate duplicated the entire 'let f = builtins.getFlake ... config.system.build' expression. Extract it into a box_cfg $(call) function so the two can't drift; box_build appends the build attr, box_instantiate appends .drvPath. Verified the expanded recipes are byte-identical to before via make --dry-run.
Eval Nix now does two no-build checks: nix flake check --no-build --all-systems (evaluates every flake output for all declared systems) followed by the */drv ISO derivation instantiation. Reworded a comment to drop an apostrophe that would break the single-quoted docker-run shell block.
Replace the explicit two-arg 'cp /out/coder-box-<kind>-<arch>.iso' with a /dist volume (host mktemp dir) bind-mounted into the container; the build dereferences its store symlink into /dist via 'cp -L $outlink/*.iso /dist/'. This drops the hardcoded filename (and the now-unused kind/SYSTEM shell vars + env), and uploads from /dist. Release computes per-file sha256 over /dist/*.iso.
Add a box_iso helper that runs box_build then writes out/<name>.iso.sha256 (bare basename, so 'sha256sum -c' verifies against the ISO beside it). installer/iso and appliance/iso now use it. Both workflows drop their inline sha256sum and just copy the make-produced sidecar from out/ into the /dist volume.
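The two mechanisms described in the last few commits (host mktemp dir bind-mounted as /dist, ISO and sidecar copied out of the container, and a sha256 sidecar that names only the bare basename so `sha256sum -c` verifies it next to the ISO) can be exercised outside Actions. The following is an added example, not code from this PR or the coder-box repository; the function names, the /src mount point, the `nix-shell -p gnumake git` wrapper and the constructed ISO payload are assumptions, while the nixos/nix image, `make <kind>/iso`, `cp -L ... /dist/` and the `out/<name>.iso.sha256` sidecar follow the commit messages.

```shell
#!/usr/bin/env bash
# Added example, not code from the coder-box repo or this PR. It composes
# (without running) the host-side `docker run` that bind-mounts a mktemp dir
# as /dist, writes the bare-basename sha256 sidecar box_iso is described as
# producing, copies both out the way the container does, and verifies them.
# Function names, the /src mount point and the sample ISO bytes are assumptions.
set -eu

# Print the docker invocation for one image kind. Only the nixos/nix image,
# `make <kind>/iso` and the `cp -L ... /dist/` copy come from the commits.
build_cmd() {
  local workspace="$1" dist="$2" kind="$3"
  printf '%s\n' \
    "docker run --rm -v $workspace:/src -v $dist:/dist -w /src nixos/nix" \
    "  nix-shell -p gnumake git --run 'make $kind/iso && cp -L out/$kind-iso/iso/*.iso out/*.iso.sha256 /dist/'"
}

# Write <outdir>/<iso basename>.sha256 containing "HASH  <bare basename>".
# Hashing from inside the ISO's own directory keeps any path out of the
# sidecar, so `sha256sum -c` works wherever the two files end up side by side.
write_sidecar() {
  local iso="$1" outdir="$2"
  ( cd "$(dirname "$iso")" && sha256sum "$(basename "$iso")" ) \
    > "$outdir/$(basename "$iso").sha256"
}

# Verify every sidecar in a dist directory against the ISO beside it.
verify_dist() {
  ( cd "$1" && for s in *.iso.sha256; do sha256sum -c --status "$s" || exit 1; done )
}

# End-to-end dry run with a constructed 64 KiB stand-in for the ISO.
# Returns 0 when the copied-out pair verifies and a tampered copy does not.
demo() {
  local work dist iso
  work=$(mktemp -d); dist=$(mktemp -d)
  mkdir -p "$work/out/installer-iso/iso"
  iso="$work/out/installer-iso/iso/coder-box-installer-x86_64-linux.iso"
  head -c 65536 /dev/urandom > "$iso"                # constructed sample payload
  write_sidecar "$iso" "$work/out"                   # what box_iso does after box_build
  cp -L "$iso" "$work/out"/*.iso.sha256 "$dist/"     # what the container does into /dist
  verify_dist "$dist" || return 1
  printf 'x' >> "$dist/$(basename "$iso")"           # simulate a corrupted upload
  if verify_dist "$dist"; then return 1; fi          # verification must now fail
  rm -rf "$work" "$dist"
  return 0
}
```

`demo` is the part worth keeping around: if the sidecar were written as `sha256sum out/installer-iso/iso/foo.iso` from the repo root, the path would be baked into it and `sha256sum -c` would fail in /dist or on a user's download directory, which is exactly the failure the bare-basename sidecar avoids.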
- Rename Build ISO matrix jobs to 'Installer (<arch>)' / 'Appliance (<arch>)' (check shows as 'Build ISO / Installer (...)'); same for the release build jobs. Restructured the matrix to explicit include entries carrying kind/target/label.
- On PRs the full ISO for a kind builds only when its label is applied (test-installer-iso / test-appliance-iso); otherwise the job just instantiates the .drv (no image, no artifact). Added the 'labeled' PR trigger so applying a label starts the build. push/main and manual dispatch still always build the full ISO.
- Use bare make <kind>/iso (native arch per runner) so the out-link path stays out/<kind>-iso/iso.
Replace the runtime 'plan' shell step + single combined build with a job-level FULL env (label check) and two if:-gated steps: 'Build full ISO' (if env.FULL == true) and 'Instantiate ISO derivation' (if env.FULL != true). Upload also keys off env.FULL.
ada2539 to f007c36
- Drop '(in nixos/nix container)' from step names.
- In Build ISO, run the drv instantiation step before the full ISO build step.
- Upload the ISO and its .sha256 as two separate artifacts (was a single *.iso* artifact that zipped both together) in both workflows.
Restructure Build ISO from a kind×arch matrix into one job per arch that builds BOTH kinds in the SAME container (installer first, appliance later). Each kind is full-built or drv-instantiated independently based on its label. The job title reflects which kinds get a full build: 'Installer + Appliance', 'Installer', 'Appliance', or 'Derivations'. Per-kind ISO + sha256 artifacts uploaded only for full-built kinds.
New commits on a labelled PR were only producing derivations: Build ISO omitted 'synchronize', so pushes never re-triggered it (only eval.yml, which builds drv only, ran). Add synchronize so each commit re-runs the build and re-evaluates labels, rebuilding the full ISO for labelled kinds.
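The gating rules spread across the label, FULL-env and restructuring commits above (push/main and manual dispatch always build the full ISO; a PR builds a kind's ISO only when its test-<kind>-iso label is applied and otherwise only instantiates the .drv; draft PRs are skipped; the job title reflects which kinds get a full build) are small enough to model as plain shell so they can be tested outside Actions. This is an added example and not the PR's workflow YAML; the function names and the comma-separated LABELS input are assumptions, while the event names are GitHub's and the label names, make targets and titles are those in the commit messages.

```shell
#!/usr/bin/env bash
# Added example, not the PR's workflow YAML. Models the per-kind decision the
# commit messages describe (full ISO build vs. .drv instantiation, the draft
# guard, the job title) as shell functions. Function names and the
# comma-separated LABELS input are assumptions; event names are GitHub's,
# label names and titles come from the commits.
set -eu

# skip_job EVENT DRAFT -> 0 when the whole job should not run (draft PR guard).
skip_job() {
  case "$1:$2" in
    pull_request:true) return 0 ;;
    *)                 return 1 ;;
  esac
}

# build_mode KIND EVENT LABELS -> prints "full" or "drv".
#   KIND   installer | appliance
#   EVENT  push | workflow_dispatch | pull_request
#   LABELS comma-separated PR label names, "" when none
# push and manual dispatch always build the full ISO; a PR builds it only
# when the kind's test-<kind>-iso label is applied, else just the derivation.
build_mode() {
  local kind="$1" event="$2" labels="$3"
  case "$event" in
    push|workflow_dispatch) echo full ;;
    pull_request)
      case ",$labels," in
        *",test-$kind-iso,"*) echo full ;;
        *)                    echo drv ;;
      esac ;;
    *) echo drv ;;
  esac
}

# job_title EVENT LABELS -> which kinds get a full build in this run.
job_title() {
  local i a
  i=$(build_mode installer "$1" "$2")
  a=$(build_mode appliance "$1" "$2")
  if   [ "$i" = full ] && [ "$a" = full ]; then echo "Installer + Appliance"
  elif [ "$i" = full ];                    then echo "Installer"
  elif [ "$a" = full ];                    then echo "Appliance"
  else                                          echo "Derivations"
  fi
}

# run_job EVENT DRAFT LABELS -> walk the job the way the restructured Build
# ISO does: both kinds in one container, installer first, each independently
# full or drv, artifacts only for full-built kinds.
run_job() {
  local event="$1" draft="$2" labels="$3" kind
  if skip_job "$event" "$draft"; then echo "skipped (draft)"; return 0; fi
  echo "title: $(job_title "$event" "$labels")"
  for kind in installer appliance; do
    case "$(build_mode "$kind" "$event" "$labels")" in
      full) echo "$kind: make $kind/iso; upload $kind ISO + sha256" ;;
      drv)  echo "$kind: make $kind/drv; no artifact" ;;
    esac
  done
}
```

In workflow syntax the label test `build_mode` performs is `contains(github.event.pull_request.labels.*.name, 'test-installer-iso')`. The preceding commit's point applies regardless of where the check lives: the `labeled` event fires only when a label is applied, so without `synchronize` in the trigger types a later push to a labelled PR never re-runs the check and only the derivation gets built.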
What
Adds two GitHub Actions workflows for the installer ISO.
build.yml — verification CI
- … `main`, all PRs, and manual dispatch.
- `make installer/iso/<arch>` for both supported arches on native runners (`ubuntu-24.04` for `x86_64-linux`, `ubuntu-24.04-arm` for `aarch64-linux`) — avoids slow QEMU emulation for full ISO builds.
- … `nix-command`, needed by the Makefile's `nix build --impure`), caches the store, then resolves and uploads each `coder-box-installer-<arch>.iso` as a 7-day artifact.
- `concurrency` cancels superseded runs; `fail-fast: false` so one arch failing doesn't kill the other.

release.yml — release
- Trigger: `v*` tag, or manual dispatch with a `tag` input (and optional `prerelease` flag).
- `release` job downloads both ISOs + `.sha256` checksums and publishes them as assets on a GitHub Release (auto-generated notes, `contents: write`).

Notes
- … `x86_64-linux`, `aarch64-linux`) and the ISO output path (`out/installer-iso-<arch>/iso/coder-box-installer-<arch>.iso`) derived from `flake.nix`, the `Makefile`, and `nixos/_images/installer/iso.nix`.
- `ubuntu-24.04-arm` runners are free for public repos; private repos consume ARM runner minutes or need a self-hosted ARM runner.

Validation