fix(ci): publish-workspace-server-image — remove mandatory AUTO_SYNC_TOKEN check

The `Pre-clone manifest deps` step exits with error if
AUTO_SYNC_TOKEN is not set. This was a safety belt added during initial
development, but it is wrong: manifest.json explicitly records all listed
repos as public on git.moleculesai.app (OSS surface contract). The token
is only needed for private repos, which are handled at provision-time
via the per-tenant credential resolver.

Removing the hard exit lets the workflow succeed when:
- AUTO_SYNC_TOKEN is absent (anonymous clone works for public repos)
- AUTO_SYNC_TOKEN is set (authenticated clone still works)

No functional change to the clone-manifest.sh call itself.

Part of internal#327 / #561.

.gitea/workflows/publish-workspace-server-image.yml

@@ -92,10 +92,9 @@ jobs:
           MOLECULE_GITEA_TOKEN: ${{ secrets.AUTO_SYNC_TOKEN }}
         run: |
           set -euo pipefail
-          if [ -z "${MOLECULE_GITEA_TOKEN}" ]; then
-            echo "::error::AUTO_SYNC_TOKEN secret is empty"
-            exit 1
-          fi
+          # clone-manifest.sh supports anonymous cloning for public repos (post-
+          # 2026-05-08 migration). The token is only needed for private repos.
+          # Do NOT require it — a missing secret would fail the build unnecessarily.
           mkdir -p .tenant-bundle-deps
           bash scripts/clone-manifest.sh \
             manifest.json \