ci: add final job to aggregate build-test results (#438)

## Summary
- Add a `final` job to the build-test workflow that depends on all other
jobs
- Fails if any upstream job failed or was skipped
- Provides a single required status check for branch protection

## Test plan
- [ ] `final` job passes when all other jobs pass
- [ ] `final` job fails when any upstream job fails

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk: workflow-only change that adds a single aggregator job and
doesn’t affect production code paths. Main risk is misconfiguring branch
protection expectations if the `final` job logic/conditions are wrong.
> 
> **Overview**
> Adds a `final` GitHub Actions job to the `build-test` workflow that
depends on all other jobs and runs with `if: always()`.
> 
> The `final` job fails the workflow if any upstream job result is
`failure`, `cancelled`, or `skipped`, enabling a single required status
check for branch protection.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
45ecee53a1. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/test.yml

@@ -146,3 +146,19 @@ jobs:
       - run: mise x jq -- jq --version
       - run: which jq
       - run: jq --version
+
+  final:
+    needs:
+      - build
+      - test
+      - specific_version
+      - checksum_failure
+      - custom_cache_key
+      - fetch_from_github
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    if: always()
+    steps:
+      - name: Check CI job results
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
+        run: exit 1