workflows/check: run codeowners validator from trusted checkout

In f7d6d11e8e8e046faaa6fbc55c2c1312e967cf04 I wrongly assumed that
running from the untrusted checkout should be fine for the codeowners
validator, because we removed all the logic for privileged tokens.
However, this job also contains access to the cachix secret, which could
be used to push malicious code to cachix, which would then be pulled by
a more privileged workflow like reviewers.yml later.

0 files changed, 0 insertions, 0 deletions