ci: Nix flake and devShell

[dougch]

Issues:

none

Description of changes:

Adds a Nix package flake and a development shell with the tooling needed to build and test aws-lc.

The flake allows other projects, such as s2n-tls, to directly pull aws-lc into a nix Ci environment. The devshell is a self-contained development shell, setup and managed by nix, focused on reproducible builds, and can be helpful for bootstrapping new folks.

Example devshell usage:

% nix develop                                                                                                                                                                                                                       
Entering a devShell...              
[awslc nix] dougch@devdesktop22:~/gitrepos/aws-lc$ clean;configure;build;unit                                                

Testing:

How is this change tested (unit tests, fuzz tests, etc.)? locally, new action on my fork
Sample output of the GitHub Action: https://github.com/dougch/aws-lc/actions/runs/13296817224/job/37130549429

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 79.06%. Comparing base (913af96) to head (89a9fca).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2189      +/-   ##
==========================================
+ Coverage   79.04%   79.06%   +0.02%     
==========================================
  Files         612      612              
  Lines      106510   106510              
  Branches    15053    15052       -1     
==========================================
+ Hits        84192    84217      +25     
+ Misses      21664    21639      -25     
  Partials      654      654              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[andrewhop]

Can you add a CI check that ensures this flake works as expected?

[andrewhop]

Will we have to keep this up to date? Is there an option for latest?

[dougch]

Latest is essentially a development branch and comes with the risk of breakage. There are only 2 releases a year (similar to Canonical's cadence), so the version bumps can be infrequent.

[hanno-becker]

This would also ease the integration of CBMC once mlkem-native is merged (#2176), as there's a flake specifying the CBMC tooling (https://github.com/pq-code-package/mlkem-native/tree/main/nix/cbmc).