Avoid pull_request_target in Nix workflow, always use upstream Nix (#4167)

.github/workflows/nix.yml

@@ -33,7 +33,7 @@ on:
 
       # Workflows
       - ".github/workflows/nix.yml"
-  pull_request_target:
+  pull_request:
     paths:
       # File types
       - "**.cpp"
@@ -67,7 +67,6 @@ permissions:
 
 env:
   DEBUG: ${{ github.ref_type != 'tag' }}
-  USE_DETERMINATE: ${{ github.event_name == 'pull_request' }}
 
 jobs:
   build:
@@ -91,33 +90,20 @@ jobs:
 
     runs-on: ${{ matrix.os }}
 
-    permissions:
-      id-token: write
-
     steps:
-      - name: Get merge commit
-        if: ${{ github.event_name == 'pull_request_target' }}
-        id: merge-commit
-        uses: PrismLauncher/PrismLauncher/.github/actions/get-merge-commit@develop
-        with:
-          pull-request-id: ${{ github.event.number }}
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Checkout repository
         uses: actions/checkout@v5
-        with:
-          ref: ${{ steps.merge-commit.outputs.merge-commit-sha || github.sha }}
 
       - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@v19
-        with:
-          determinate: ${{ env.USE_DETERMINATE }}
+        uses: cachix/install-nix-action@v31
 
         # For PRs
       - name: Setup Nix Magic Cache
-        if: ${{ env.USE_DETERMINATE == 'true' }}
-        uses: DeterminateSystems/flakehub-cache-action@v2
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: DeterminateSystems/magic-nix-cache-action@v13
+        with:
+          diagnostic-endpoint: ""
+          use-flakehub: false
 
         # For in-tree builds
       - name: Setup Cachix