ci: Validate lockfile

[robin-nitrokey]

This patch adds a step to the build-firmware CI job that ensures that the lockfile is up-to-date. See also: Nitrokey/nethsm-pkcs11#221

[nitrokey-ci]

No significant changes.

Insignifcant changes

metric	value		change
binary-size-nk3am	1,439,716	⚪	+0 (+0.00%)
binary-size-nk3am-test	2,047,493	⚪	+0 (+0.00%)
binary-size-nk3xn	516,404	⚪	+0 (+0.00%)
binary-size-nk3xn-test	590,424	⚪	+0 (+0.00%)
binary-size-nkpk	746,350	⚪	+0 (+0.00%)

[sosthene-nitrokey]

In nethsm-pkcs11 I also made the lints run with --frozen. That way the lints cannot be triggered for things that are not the result of the PR being checked.

Not sure when a lint could be triggered by a cargo update, but we never know.

[sosthene-nitrokey]

The release builds should probably use --frozen no?

[robin-nitrokey]

I omitted that to keep the Makefile simple (we would only want to set it in CI, not for development) while still catching the most common issues. In what cases would cargo fetch --locked succeed and cargo build --frozen fail?

[sosthene-nitrokey]

It's not to check for failure, but to ensure sure that the lockfile is the correct description of the version used for releases. (reproducible builds etc...). To be frank I don't have intuition for exactly when Cargo can fetch crates. So this idea was just based on the Rust packaging guidlines for Arch, which use cargo fetch --locked and then cargo build --release --frozen.