.github/workflows: build NixOS/Nixpkgs manuals with PR ref, restrict-eval and sandbox

.github/workflows/manual-nixos.yml

@@ -0,0 +1,28 @@
+name: "Build NixOS manual"
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - 'nixos/**'
+
+jobs:
+  nixos:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@v12
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - uses: cachix/cachix-action@v8
+        with:
+          # This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+      - name: Building NixOS manual
+        run: nix-build --option restrict-eval true nixos/release.nix -A manual.x86_64-linux

.github/workflows/manual-nixpkgs.yml

@@ -0,0 +1,28 @@
+name: "Build Nixpkgs manual"
+
+on:
+  pull_request_target:
+    branches:
+      - master
+    paths:
+      - 'doc/**'
+
+jobs:
+  nixpkgs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          # pull_request_target checks out the base branch by default
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+      - uses: cachix/install-nix-action@v12
+        with:
+          # explicitly enable sandbox
+          extra_nix_config: sandbox = true
+      - uses: cachix/cachix-action@v8
+        with:
+          # This cache is for the nixos/nixpkgs manual builds and should not be trusted or used elsewhere.
+          name: nixpkgs-ci
+          signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+      - name: Building Nixpkgs manual
+        run: nix-build --option restrict-eval true pkgs/top-level/release.nix -A manual