diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 87b52bce531c..1acfc105b98a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -56,6 +56,7 @@ jobs:
 
       - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
         with:
+          # Sandbox is disabled on MacOS by default.
           extra_nix_config: sandbox = true
 
       - uses: cachix/cachix-action@0fc020193b5a1fa3ac4575aa3a7d3aa6a35435ad # v16
diff --git a/.github/workflows/eval.yml b/.github/workflows/eval.yml
index aa0b2a304e2a..57e456fbfd37 100644
--- a/.github/workflows/eval.yml
+++ b/.github/workflows/eval.yml
@@ -52,8 +52,6 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-        with:
-          extra_nix_config: sandbox = true
 
       - name: Evaluate the ${{ matrix.system }} output paths for all derivation attributes
         env:
@@ -173,8 +171,6 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-        with:
-          extra_nix_config: sandbox = true
 
       - name: Combine all output paths and eval stats
         run: |
@@ -251,8 +247,6 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-        with:
-          extra_nix_config: sandbox = true
 
       - name: Ensure flake outputs on all systems still evaluate
         run: nix flake check --all-systems --no-build ./untrusted
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index feb7c2e196b4..62ff9832f3fb 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -31,8 +31,6 @@ jobs:
           merged-as-untrusted: true
 
       - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-        with:
-          extra_nix_config: sandbox = true
 
       - name: Check that files are formatted
         run: |
@@ -64,8 +62,6 @@ jobs:
           merged-as-untrusted: true
 
       - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-        with:
-          extra_nix_config: sandbox = true
 
       - name: Parse all nix files
         run: |
@@ -88,8 +84,6 @@ jobs:
           target-as-trusted: true
 
       - uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-        with:
-          extra_nix_config: sandbox = true
 
       - name: Running nixpkgs-vet
         env:
diff --git a/.github/workflows/reviewers.yml b/.github/workflows/reviewers.yml
index 43c009cdf3de..2cddb17a1018 100644
--- a/.github/workflows/reviewers.yml
+++ b/.github/workflows/reviewers.yml
@@ -37,8 +37,6 @@ jobs:
 
       - name: Install Nix
         uses: cachix/install-nix-action@fc6e360bedc9ee72d75e701397f0bb30dce77568 # v31
-        with:
-          extra_nix_config: sandbox = true
 
       - name: Build the requestReviews derivation
         run: nix-build trusted/ci -A requestReviews