diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8fdafa59..a21b6406 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,6 +3,9 @@ name: Build
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   evaluate:
     name: List packages
@@ -19,13 +22,10 @@ jobs:
       - name: Set up cache
         uses: DeterminateSystems/magic-nix-cache-action@main
 
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: List packages
         id: list-packages
         run: |
-          nix flake show . --json | jq -rc 'to_entries | map(.key as $type | select($type == "checks" or $type == "packages") | .value | to_entries | map(.key as $arch | select($arch == "x86_64-linux" or $arch == "x86_64-darwin") | .value | to_entries | map({type: $type, arch: $arch, os: (if $arch == "x86_64-linux" then "ubuntu-latest" else "macos-latest" end), key: .key})) | flatten) | flatten | "packages=\(.)"' >> $GITHUB_OUTPUT
+          nix flake show github:${{ github.repository }}/${{ github.event.pull_request.head.sha || github.sha }} --json | jq -rc 'to_entries | map(.key as $type | select($type == "checks" or $type == "packages") | .value | to_entries | map(.key as $arch | select($arch == "x86_64-linux" or $arch == "x86_64-darwin") | .value | to_entries | map({type: $type, arch: $arch, os: (if $arch == "x86_64-linux" then "ubuntu-latest" else "macos-latest" end), key: .key})) | flatten) | flatten | "packages=\(.)"' >> $GITHUB_OUTPUT
 
     outputs:
       packages: ${{ steps.list-packages.outputs.packages }}
@@ -53,8 +53,5 @@ jobs:
       - name: Set up cache
         uses: DeterminateSystems/magic-nix-cache-action@main
 
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: Build ${{ matrix.build.key }}
-        run: nix -L build .#${{ matrix.build.type }}.${{ matrix.build.arch }}.${{ matrix.build.key }}
+        run: nix -L build github:${{ github.repository }}/${{ github.event.pull_request.head.sha || github.sha }}#${{ matrix.build.type }}.${{ matrix.build.arch }}.${{ matrix.build.key }}
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 0fe811b9..f211050a 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -25,11 +25,8 @@ jobs:
       - name: Set up cache
         uses: DeterminateSystems/magic-nix-cache-action@main
 
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
       - name: Build docs
-        run: nix -L build .#docs
+        run: nix -L build github:${{ github.repository }}/${{ github.sha }}#docs
 
       - name: Prepare docs for upload
         run: cp -r --dereference --no-preserve=mode,ownership result/ public/