workflows: use checkout-merge-commit action everywhere

Those were left out of NixOS#364338, probably because they were not failing
so far. It's unclear to me why that is and I don't think it hurts to use
the same action everywhere for consistency.

.github/actions/checkout-merge-commit/action.yml

@@ -8,6 +8,9 @@ inputs:
   path:
     description: Relative path under $GITHUB_WORKSPACE to place the repository.
     default: ''
+  sparse-checkout:
+    description: Do a sparse checkout on given patterns. Each pattern should be separated with new lines.
+    default: ''
 
 outputs:
   done:
@@ -52,3 +55,4 @@ runs:
         ref: ${{ steps.merged.outputs.mergedSha }}
         fetch-depth: ${{ inputs.fetch-depth }}
         path: ${{ inputs.path }}
+        sparse-checkout: ${{ inputs.sparse-checkout }}

.github/workflows/check-maintainers-sorted.yml

@@ -13,19 +13,21 @@ jobs:
     name: maintainer-list-check
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # pull_request_target checks out the base branch by default
+      - uses: ./.github/actions/checkout-merge-commit
+        id: checkout
         with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
           # Only these directories to perform the check
           sparse-checkout: |
             lib
             maintainers
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        if: steps.checkout.outputs.done
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
 
       - name: Check that maintainer-list.nix is sorted
+        if: steps.checkout.outputs.done
         run: nix-instantiate --eval maintainers/scripts/check-maintainers-sorted.nix

.github/workflows/check-nixf-tidy.yml

@@ -13,14 +13,15 @@ jobs:
     runs-on: ubuntu-24.04
     if: "!contains(github.event.pull_request.title, '[skip treewide]')"
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      # pull_request_target checks out the base branch by default
+      - uses: ./.github/actions/checkout-merge-commit
+        id: checkout
         with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
           # Fetches the merge commit and its parents
           fetch-depth: 2
 
       - name: Checking out base branch
+        if: steps.checkout.outputs.done
         run: |
           base=$(mktemp -d)
           baseRev=$(git rev-parse HEAD^1)
@@ -29,6 +30,7 @@ jobs:
           echo "base=$base" >> "$GITHUB_ENV"
 
       - name: Get Nixpkgs revision for nixf
+        if: steps.checkout.outputs.done
         run: |
           # pin to a commit from nixpkgs-unstable to avoid e.g. building nixf
           # from staging
@@ -37,16 +39,19 @@ jobs:
           echo "url=https://github.com/NixOS/nixpkgs/archive/$rev.tar.gz" >> "$GITHUB_ENV"
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        if: steps.checkout.outputs.done
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
           nix_path: nixpkgs=${{ env.url }}
 
       - name: Install nixf and jq
+        if: steps.checkout.outputs.done
         # provided jq is incompatible with our expression
         run: "nix-env -f '<nixpkgs>' -iAP nixf jq"
 
       - name: Check that Nix files pass nixf-tidy
+        if: steps.checkout.outputs.done
         run: |
           # Filtering error messages we don't like
           nixf_wrapper(){

.github/workflows/check-shell.yml

@@ -23,12 +23,13 @@ jobs:
     runs-on: ${{ matrix.runner }}
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      # pull_request_target checks out the base branch by default
+      - uses: ./.github/actions/checkout-merge-commit
+        id: checkout
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        if: steps.checkout.outputs.done
 
       - name: Build shell
+        if: steps.checkout.outputs.done
         run: nix-build shell.nix

.github/workflows/manual-nixos-v2.yml

@@ -15,22 +15,23 @@ jobs:
     name: nixos-manual-build
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      # pull_request_target checks out the base branch by default
+      - uses: ./.github/actions/checkout-merge-commit
+        id: checkout
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        if: steps.checkout.outputs.done
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
 
       - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
-        if: github.repository_owner == 'NixOS'
+        if: steps.checkout.outputs.done && github.repository_owner == 'NixOS'
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
       - name: Building NixOS manual
+        if: steps.checkout.outputs.done
         run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

.github/workflows/manual-nixpkgs-v2.yml

@@ -17,22 +17,23 @@ jobs:
     name: nixpkgs-manual-build
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          # pull_request_target checks out the base branch by default
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      # pull_request_target checks out the base branch by default
+      - uses: ./.github/actions/checkout-merge-commit
+        id: checkout
 
       - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        if: steps.checkout.outputs.done
         with:
           # explicitly enable sandbox
           extra_nix_config: sandbox = true
 
       - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
-        if: github.repository_owner == 'NixOS'
+        if: steps.checkout.outputs.done && github.repository_owner == 'NixOS'
         with:
           # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
           name: nixpkgs-ci
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
 
       - name: Building Nixpkgs manual
+        if: steps.checkout.outputs.done
         run: NIX_PATH=nixpkgs=$(pwd) nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual -A manual.tests