workflows/eval: run trusted code in process step

We don't really need to run the combine and comparison steps from the
untrusted merge commit. By switching to the trusted target commit, we
can avoid adding another worktree - and lay the foundation to later do
those steps in the tag job, which has access to secrets.

.github/workflows/eval.yml

@@ -98,11 +98,11 @@ jobs:
           path: merged
           merge-multiple: true
 
-      - name: Check out the PR at the test merge commit
+      - name: Check out the PR at the target commit
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          ref: ${{ needs.prepare.outputs.mergedSha }}
-          path: untrusted
+          ref: ${{ needs.prepare.outputs.targetSha }}
+          path: trusted
 
       - name: Install Nix
         uses: cachix/install-nix-action@526118121621777ccd86f79b04685a9319637641 # v31
@@ -111,7 +111,7 @@ jobs:
 
       - name: Combine all output paths and eval stats
         run: |
-          nix-build untrusted/ci -A eval.combine \
+          nix-build trusted/ci -A eval.combine \
             --arg evalDir ./merged \
             --out-link combined
 
@@ -168,9 +168,8 @@ jobs:
         env:
           AUTHOR_ID: ${{ github.event.pull_request.user.id }}
         run: |
-          git -C untrusted fetch --depth 1 origin ${{ needs.prepare.outputs.targetSha }}
-          git -C untrusted worktree add ../trusted ${{ needs.prepare.outputs.targetSha }}
-          git -C untrusted diff --name-only ${{ needs.prepare.outputs.targetSha }} \
+          git -C trusted fetch --depth 1 origin ${{ needs.prepare.outputs.mergedSha }}
+          git -C trusted diff --name-only ${{ needs.prepare.outputs.mergedSha }} \
             | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
 
           # Use the target branch to get accurate maintainer info