feat(.envrc): only gcroot explicitly specified 3p/sources

Not all dependencies in //third_party/sources are equally important for
evaluation, some are never used (e.g. rustsec-advisory-db is re-fetched
using fetchFromGitHub). It seems to be a good idea to make it
configurable what to gcroot and thus unconditionally download as soon
as .envrc is loaded for the first time.

This frees //third_party/sources to be used more extensively, e.g. for
managing third_party dependencies that aren't used at eval time.

This commit is very conservative and only gcroots:

- nixpkgs, nixpgs-stable (obviously)
- rust-overlay (applied to our nixpkgs instance unconditionally)
- home-manager (used in //third_party/overlays/tvl)

I'm open to re-enabling gcrooting of the following other sources which
are only necessary to evaluate some targets:

- agenix (obvious candidate, widely used in depot)
- naersk (used for many targets)
- napalm (used in //users/Profpatsch and //users/sterni)
- impermanence (only used in //users/tazjin)

Change-Id: I39eef14d08bec6857499655e30ecf47d5fdd1260
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12965
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>

.envrc

@@ -1,10 +1,14 @@
 # Create a gcroot that keeps all third_party.sources alive
-nix-build --out-link .gcroots/sources -E '
+nix-build --show-trace --out-link .gcroots/sources -E '
 with import ./. {};
 third_party.nixpkgs.writeText "depot-3p-sources.txt" (
   toString (
     builtins.map (s: s.outPath or null) (
-      builtins.attrValues third_party.sources
+      # Only gcroot sources that are explicitly marked using
+      # niv modify --attribute gcroot=true <source>
+      builtins.filter (source: source.gcroot or false) (
+        builtins.attrValues third_party.sources
+      )
     )
   )
 )'