FIX enforce immutability in CI

[hannahwestra25]

Problem

The enforce_alembic_revision_immutability pre-commit hook is meant to keep versions append-only, but it silently passes in two CI scenarios:

• Merge-queue / push-to-main — merge-base origin/main HEAD == HEAD, so the diff is empty.
• Shallow CI checkouts — git merge-base returns nothing and the hook falls through to "no violations" (fails open).

Changes

enforce_alembic_revision_immutability.py:

• Added a HEAD~1..HEAD check so violations introduced by merge commits on main are caught.
• Fail closed in CI (CI / GITHUB_ACTIONS) when merge-base or HEAD~1 is unavailable; stay permissive locally.
• Print the offending git diff --name-status lines instead of just a generic message.
  build_and_test.yml:
• Set fetch-depth: 0 on actions/checkout so the hook has the history it needs.

[behnam-o]

looks good to me, but I think we can just replace the whole git process (fetch, merge-base, diff locally) with a direct comparison? left it in a comment, if you were able to test that, that might be cleaner, otherwise this looks great. Thank you!