From 0d2757302c75375dffe4dfec347d014559f7fcff Mon Sep 17 00:00:00 2001
From: Ryan Mulligan <ryan@ryantm.com>
Date: Thu, 27 May 2021 06:49:11 -0700
Subject: [PATCH] .github/workflows/nixos-manual.yml: add permisssions so
 action runs don't require approval

---
 .github/workflows/nixos-manual.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/nixos-manual.yml b/.github/workflows/nixos-manual.yml
index 80ffc9c12be..2a1c1c29738 100644
--- a/.github/workflows/nixos-manual.yml
+++ b/.github/workflows/nixos-manual.yml
@@ -1,7 +1,9 @@
 name: NixOS manual checks
 
+permissions: read-all
+
 on:
-  pull_request:
+  pull_request_target:
     branches-ignore:
       - 'release-**'
     paths:
@@ -14,6 +16,9 @@ jobs:
     if: github.repository_owner == 'NixOS'
     steps:
     - uses: actions/checkout@v2
+      with:
+        # pull_request_target checks out the base branch by default
+        ref: refs/pull/${{ github.event.pull_request.number }}/merge
     - uses: cachix/install-nix-action@v12
     - name: Check DocBook files generated from Markdown are consistent
       run: |