diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ef3c71ca4fbe..60aed67cea03 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -61,9 +61,10 @@ jobs:
 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
 with:
- # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
- name: nixpkgs-ci
- authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
+ # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+ extraPullNames: nixpkgs-ci
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 - run: nix-env --install -f pinned -A nix-build-uncached
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index c06729fa7f5d..d58358e23aa7 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -112,9 +112,10 @@ jobs:
 - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
 with:
- # This cache is for the nixpkgs repo checks and should not be trusted or used elsewhere.
- name: nixpkgs-ci
- authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+ # The nixpkgs-ci cache should not be trusted or used outside of Nixpkgs and its forks' CI.
+ name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}
+ extraPullNames: nixpkgs-ci
+ authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 - name: Build codeowners validator
 run: nix-build trusted/ci --arg nixpkgs ./pinned -A codeownersValidator
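Review bot: The rewritten comment above `name:` in the build.yml hunk still warns only about `nixpkgs-ci`, although with `name: ${{ vars.CACHIX_NAME || 'nixpkgs-ci' }}` the cache this step pushes to can now be a fork's own, and that cache also substitutes from `nixpkgs-ci` through `extraPullNames`. A fork's cache is therefore filled by the same CI builds and presumably deserves the same warning; I would word the comment as `# Neither nixpkgs-ci nor the cache named by vars.CACHIX_NAME should be trusted or used outside of CI.` The identical hunk in `.github/workflows/check.yml` needs the same wording. When the variable is unset, `name` and `extraPullNames` both resolve to `nixpkgs-ci`, which is probably harmless but worth confirming against the action. Both steps sit in jobs that begin outside the hunks, so the triggers and which checkout gets built are not visible here.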