fix(ci): replace cross-repo actions/checkout with direct git clone

molecule-ci#2 attempted token: '' to force anonymous on the cross-repo
checkout. CI on plugin-molecule-careful-bash@663bf72 (post-merge of #2)
revealed actions/checkout@v4 errors with:

  ::error::Input required and not supplied: token

Even though token's input definition is required:false with a default,
the action's runtime auth-helper calls getInput('token', {required: true})
internally — empty string fails that check.

Fix: replace the cross-repo actions/checkout with a direct git clone
shell step. molecule-ci is public; anonymous git clone has neither the
auth-trips-Gitea-404 problem (#2's target) nor the empty-token-input-
required problem (#2's actual failure shape).

3 files updated, 4 sites total:
  * validate-plugin.yml (1 site)
  * validate-workspace-template.yml (2 sites)
  * validate-org-template.yml (1 site)

Refs: internal#46. Closes the third root cause uncovered by the
verification cycle on plugin-molecule-careful-bash.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/validate-org-template.yml

@@ -15,12 +15,10 @@ jobs:
       # 5 org-template repos as the validator evolved. Single source of
       # truth eliminates that drift class entirely. Mirrors the same
       # pattern already used by validate-workspace-template.yml.
-      - uses: actions/checkout@v4
+      # Direct git-clone — see validate-plugin.yml for the rationale.
-        with:
+      # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
-          repository: molecule-ai/molecule-ci
+      - name: Fetch molecule-ci canonical scripts
-          path: .molecule-ci-canonical
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
-          # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
-          token: ''
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"

.github/workflows/validate-plugin.yml

@@ -15,18 +15,19 @@ jobs:
       # 20+ plugin repos as the validator evolved. Single source of
       # truth eliminates that drift class entirely. Mirrors the same
       # pattern already used by validate-workspace-template.yml.
-      - uses: actions/checkout@v4
+      # Direct git-clone instead of actions/checkout@v4 because:
-        with:
+      # (a) actions/checkout@v4 sends Authorization: basic <github.token> by default,
-          repository: molecule-ai/molecule-ci
+      #     and Gitea 404s the cross-repo authenticated request (different from
-          path: .molecule-ci-canonical
+      #     GitHub which falls back to anon-public-read).
-          # Force anonymous fetch. molecule-ci is a public repo. On Gitea,
+      # (b) Passing token: '' triggers actions/checkout's runtime "Input required
-          # actions/checkout@v4 sends the per-job ${{ github.token }} which
+      #     and not supplied: token" error — the input is documented as
-          # is scoped to the calling repo only — Gitea 404s the cross-repo
+      #     required:false but the action's runtime calls getInput with
-          # request instead of falling back to anon-public-read (different
+      #     required:true on its auth-helper path.
-          # from GitHub's behaviour). Empty token bypasses auth entirely.
+      # Anonymous git clone of public molecule-ci has neither problem.
-          # See molecule-ci#1 commit + the post-public-flip CI run on
+      # See molecule-ci#1 (lowercase fix) + #2 (token:'' attempt) +
-          # plugin-molecule-careful-bash@663bf72 for the exact failure shape.
+      # the post-merge CI run on plugin-molecule-careful-bash@663bf72.
-          token: ''
+      - name: Fetch molecule-ci canonical scripts
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"

.github/workflows/validate-workspace-template.yml

@@ -54,12 +54,10 @@ jobs:
       # template repos as the validator evolved. Single source of truth
       # eliminates that drift class entirely — every template runs the
       # same canonical contract check on every CI run.
-      - uses: actions/checkout@v4
+      # Direct git-clone — see validate-plugin.yml for the rationale.
-        with:
+      # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
-          repository: molecule-ai/molecule-ci
+      - name: Fetch molecule-ci canonical scripts
-          path: .molecule-ci-canonical
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
-          # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
-          token: ''
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
@@ -135,12 +133,10 @@ jobs:
     if: github.event.pull_request.head.repo.fork != true
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/checkout@v4
+      # Direct git-clone — see validate-plugin.yml for the rationale.
-        with:
+      # Anonymous fetch of public molecule-ci, no actions/checkout idiosyncrasies.
-          repository: molecule-ai/molecule-ci
+      - name: Fetch molecule-ci canonical scripts
-          path: .molecule-ci-canonical
+        run: git clone --depth 1 https://git.moleculesai.app/molecule-ai/molecule-ci.git .molecule-ci-canonical
-          # Force anonymous; see validate-plugin.yml note. molecule-ci is public.
-          token: ''
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"