workflows/check: run codeowners validator from trusted checkout (#457527)

.github/workflows/README.md

@@ -64,7 +64,7 @@ This results in a key with the following semantics:
 
 ## Required Status Checks
 
-The "Required Status Checks" branch ruleset is implemented in two top-level workflows: `pr.yml` and `merge-group.yml`.
+The "Required Status Checks" branch ruleset is implemented in two top-level workflows: `pull-request-target.yml` and `merge-group.yml`.
 
 The PR workflow defines all checks that need to succeed to add a Pull Request to the Merge Queue.
 If no Merge Queue is set up for a branch, the PR workflow defines the checks required to merge into the target branch.

.github/workflows/check.yml

@@ -80,6 +80,7 @@ jobs:
         uses: ./.github/actions/checkout
         with:
           merged-as-untrusted-at: ${{ inputs.mergedSha }}
+          target-as-trusted-at: ${{ inputs.targetSha }}
 
       - uses: cachix/install-nix-action@fd24c48048070c1be9acd18c9d369a83f0fe94d7 # v31
 
@@ -92,7 +93,7 @@ jobs:
           pushFilter: -source$
 
       - name: Build codeowners validator
-        run: nix-build nixpkgs/untrusted/ci --arg nixpkgs ./nixpkgs/untrusted-pinned -A codeownersValidator
+        run: nix-build nixpkgs/trusted/ci --arg nixpkgs ./nixpkgs/trusted-pinned -A codeownersValidator
 
       - name: Validate codeowners
         env:

.github/workflows/reviewers.yml

@@ -102,7 +102,7 @@ jobs:
             const run_id = (await github.rest.actions.listWorkflowRuns({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              workflow_id: context.eventName === 'pull_request' ? 'test.yml' : 'pr.yml',
+              workflow_id: context.eventName === 'pull_request' ? 'test.yml' : 'pull-request-target.yml',
               event: context.eventName,
               head_sha: context.payload.pull_request.head.sha
             })).data.workflow_runs[0].id

.github/workflows/test.yml

@@ -63,7 +63,7 @@ jobs:
               '.github/workflows/eval.yml',
               '.github/workflows/labels.yml',
               '.github/workflows/lint.yml',
-              '.github/workflows/pr.yml',
+              '.github/workflows/pull-request-target.yml',
               '.github/workflows/reviewers.yml',
               '.github/workflows/test.yml',
             ].includes(file))) core.setOutput('pr', true)
@@ -87,7 +87,7 @@ jobs:
     if: needs.prepare.outputs.pr
     name: PR
     needs: [prepare]
-    uses: ./.github/workflows/pr.yml
+    uses: ./.github/workflows/pull-request-target.yml
     # Those are actually only used on the pull_request_target event, but will throw an error if not set.
     permissions:
       issues: write

ci/github-script/labels.js

@@ -199,12 +199,24 @@ module.exports = async ({ github, context, core, dry }) => {
       (
         await github.rest.actions.listWorkflowRuns({
           ...context.repo,
+          workflow_id: 'pull-request-target.yml',
+          event: 'pull_request_target',
+          exclude_pull_requests: true,
+          head_sha: pull_request.head.sha,
+        })
+      ).data.workflow_runs[0] ??
+      // TODO: Remove this after 2026-02-01, at which point all pr.yml artifacts will have expired.
+      (
+        await github.rest.actions.listWorkflowRuns({
+          ...context.repo,
+          // In older PRs, we need pr.yml instead of pull-request-target.yml.
           workflow_id: 'pr.yml',
           event: 'pull_request_target',
           exclude_pull_requests: true,
           head_sha: pull_request.head.sha,
         })
-      ).data.workflow_runs[0] ?? {}
+      ).data.workflow_runs[0] ??
+      {}
 
     // Newer PRs might not have run Eval to completion, yet.
     // Older PRs might not have an eval.yml workflow, yet.