fix(shell.nix): let gh own its config.yml so auth login works

home-manager renders ~/.config/gh/config.yml as a read-only /nix/store
symlink whenever programs.gh is enabled (unconditionally, not gated on
settings). gh rewrites that file on 'gh auth login' and 'gh config set',
which then fail with a permission error.

Suppress the managed config.yml via xdg.configFile and drop the
settings.git_protocol declaration that created it; gh now owns the file.
The token lives in hosts.yml, which home-manager never manages. Set the
SSH protocol at runtime with 'gh config set git_protocol ssh'.

lyrathorpe/home/shell.nix

@@ -203,12 +203,15 @@ in
     flake = "$HOME/code/nixfiles";
   };
 
-  # GitHub CLI. Prefer SSH for any git operations it drives, matching the
-  # ssh-based remotes used elsewhere.
-  programs.gh = {
-    enable = true;
-    settings.git_protocol = "ssh";
-  };
+  # GitHub CLI. `programs.gh.settings` is deliberately unset: home-manager renders
+  # ~/.config/gh/config.yml as a read-only /nix/store symlink whenever the module
+  # is enabled, but gh must rewrite that file on `gh auth login` and `gh config
+  # set`, which then fail with a permission error. Suppress the managed config.yml
+  # (below) and let gh own it. The token lives in hosts.yml, which is never
+  # Nix-managed. Set the SSH protocol once at runtime: `gh config set git_protocol
+  # ssh` (it can't be declarative here without recreating the immutable file).
+  programs.gh.enable = true;
+  xdg.configFile."gh/config.yml".enable = lib.mkForce false;
 
   programs.tmux = {
     enable = true;