diff --git a/.github/actions/get-merge-commit/action.yml b/.github/actions/get-merge-commit/action.yml index 51f8a00286b5..a16d289cc6e0 100644 --- a/.github/actions/get-merge-commit/action.yml +++ b/.github/actions/get-merge-commit/action.yml @@ -1,19 +1,27 @@ name: Get merge commit -description: 'Checks whether the Pull Request is mergeable and returns two commit hashes: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.' +description: 'Checks whether the Pull Request is mergeable and checks out the repo at up to two commits: The result of a temporary merge of the head branch into the target branch ("merged"), and the parent of that commit on the target branch ("target"). Handles push events and merge conflicts gracefully.' + +inputs: + merged-as-untrusted: + description: "Whether to checkout the merge commit in the ./untrusted folder." + type: boolean + target-as-trusted: + description: "Whether to checkout the target commit in the ./trusted folder." + type: boolean outputs: mergedSha: description: "The merge commit SHA" - value: ${{ steps.merged.outputs.mergedSha }} + value: ${{ steps.commits.outputs.mergedSha }} targetSha: description: "The target commit SHA" - value: ${{ steps.merged.outputs.targetSha }} + value: ${{ steps.commits.outputs.targetSha }} runs: using: composite steps: - - id: merged + - id: commits uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 with: script: | 
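Review bot: `type: boolean` on the two new inputs is, as far as I know, not part of the composite-action metadata syntax (only `description`, `required`, `default` and `deprecationMessage` are defined for `inputs`), and composite inputs always arrive as strings, so a caller passing `false` yields the non-empty string `'false'`, which is truthy in the `if:` expressions of the next hunk (`if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha` and the `target-as-trusted` twin). Drop the `type:` lines and compare explicitly in the next hunk: `if: inputs.merged-as-untrusted == 'true' && steps.commits.outputs.mergedSha` (and likewise `inputs.target-as-trusted == 'true'`). A `default: 'false'` on each input would additionally document that both checkouts are opt-in.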
@@ -63,3 +71,18 @@ runs: return } throw new Error("Not retrying anymore. It's likely that GitHub is having internal issues: check https://www.githubstatus.com.") + + # Would be great to do the checkouts in git worktrees of the existing spare checkout instead, + # but Nix is broken with them: + # https://github.com/NixOS/nix/issues/6073 + - if: inputs.merged-as-untrusted && steps.commits.outputs.mergedSha + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ steps.commits.outputs.mergedSha }} + path: untrusted + + - if: inputs.target-as-trusted && steps.commits.outputs.targetSha + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + ref: ${{ steps.commits.outputs.targetSha }} + path: trusted diff --git a/.github/workflows/check-format.yml b/.github/workflows/check-format.yml index ec83ffcce07c..4216c6bd1c70 100644 --- a/.github/workflows/check-format.yml +++ b/.github/workflows/check-format.yml @@ -16,14 +16,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted + merged-as-untrusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 with: diff --git a/.github/workflows/check-shell.yml b/.github/workflows/check-shell.yml index 39fb722ae87a..014b60a492fa 100644 --- a/.github/workflows/check-shell.yml +++ b/.github/workflows/check-shell.yml 
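Review bot: The checkout step guarded by `inputs.target-as-trusted` carries no explanation of why a separate `trusted` path exists, while the comment that did explain it ("Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself … it's important this is not the PRs code") is deleted from codeowners-v2.yml in this same commit. Add it above that step, e.g. `# trusted/ is the target branch (parent of the merge commit), never the PR's own code: callers build and run it with access to secrets, so this ref must stay targetSha, not mergedSha.` Both new checkouts also keep actions/checkout's default `persist-credentials: true`, so the job token ends up in `untrusted/.git/config` and `trusted/.git/config`; unless a caller pushes from those paths, add `persist-credentials: false` to both `with:` blocks. In the new comment, "spare checkout" presumably means "sparse checkout".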
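Review bot: The `id: get-merge-commit` line is removed from this step, so any later step in check-format.yml that still references `steps.get-merge-commit.outputs.mergedSha` or `.targetSha` (none is visible in this hunk; the job continues past it) would now evaluate to an empty string rather than fail. If a later step needs either SHA, keep `id: get-merge-commit` on the step — the action still exposes both outputs. The same applies to the equivalent hunks in check-shell.yml, codeowners-v2.yml, eval-aliases.yml, lib-tests.yml, manual-nixos-v2.yml, manual-nixpkgs-v2.yml and nix-parse-v2.yml.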
@@ -33,14 +33,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted + merged-as-untrusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 diff --git a/.github/workflows/codeowners-v2.yml b/.github/workflows/codeowners-v2.yml index 085abced061c..e858615c0828 100644 --- a/.github/workflows/codeowners-v2.yml +++ b/.github/workflows/codeowners-v2.yml @@ -46,9 +46,11 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge and target commits uses: ./.github/actions/get-merge-commit - id: get-merge-commit + with: + merged-as-untrusted: true + target-as-trusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 @@ -58,14 +60,6 @@ jobs: name: nixpkgs-ci authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' - # Important: Because we use pull_request_target, this checks out the base branch of the PR, not the PR itself. - # We later build and run code from the base branch with access to secrets, - # so it's important this is not the PRs code. - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ steps.get-merge-commit.outputs.targetSha }} - path: trusted - - name: Build codeowners validator run: nix-build trusted/ci -A codeownersValidator 
@@ -78,11 +72,6 @@ jobs: permission-administration: read permission-members: read - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted - - name: Validate codeowners if: steps.app-token.outputs.token env: diff --git a/.github/workflows/eval-aliases.yml b/.github/workflows/eval-aliases.yml index dc5bad6572fb..892dfe79907b 100644 --- a/.github/workflows/eval-aliases.yml +++ b/.github/workflows/eval-aliases.yml @@ -16,15 +16,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - name: Check out the PR at the test merge commit - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted + merged-as-untrusted: true - name: Install Nix uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 diff --git a/.github/workflows/lib-tests.yml b/.github/workflows/lib-tests.yml index 5e3a7a5cba66..c147d0084123 100644 --- a/.github/workflows/lib-tests.yml +++ b/.github/workflows/lib-tests.yml 
@@ -19,14 +19,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted + merged-as-untrusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 with: diff --git a/.github/workflows/manual-nixos-v2.yml b/.github/workflows/manual-nixos-v2.yml index ce5313c8135f..653a5a92fbfd 100644 --- a/.github/workflows/manual-nixos-v2.yml +++ b/.github/workflows/manual-nixos-v2.yml @@ -35,14 +35,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted + merged-as-untrusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 with: diff --git a/.github/workflows/manual-nixpkgs-v2.yml b/.github/workflows/manual-nixpkgs-v2.yml index 5cb63a2c88bd..13949dd3c36e 100644 --- a/.github/workflows/manual-nixpkgs-v2.yml +++ b/.github/workflows/manual-nixpkgs-v2.yml 
@@ -22,14 +22,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted + merged-as-untrusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 with: diff --git a/.github/workflows/nix-parse-v2.yml b/.github/workflows/nix-parse-v2.yml index ecbb9c843389..f75a46957f5a 100644 --- a/.github/workflows/nix-parse-v2.yml +++ b/.github/workflows/nix-parse-v2.yml @@ -17,14 +17,10 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout the merge commit uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - path: untrusted + merged-as-untrusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31 with: diff --git a/.github/workflows/nixpkgs-vet.yml b/.github/workflows/nixpkgs-vet.yml index dffa9b63dd89..e4fd7aa06c92 100644 --- a/.github/workflows/nixpkgs-vet.yml +++ b/.github/workflows/nixpkgs-vet.yml 
@@ -26,20 +26,11 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: sparse-checkout: .github/actions - - name: Check if the PR can be merged and get the test merge commit + - name: Check if the PR can be merged and checkout merged and target commits uses: ./.github/actions/get-merge-commit - id: get-merge-commit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - ref: ${{ steps.get-merge-commit.outputs.mergedSha }} - # Fetches the merge commit and its parents - fetch-depth: 2 - path: untrusted - - - name: Checking out target branch - run: | - git -C untrusted worktree add ../trusted ${{ steps.get-merge-commit.outputs.targetSha }} + merged-as-untrusted: true + target-as-trusted: true - uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31