diff --git a/.github/workflows/publish-workspace-server-image.yml b/.github/workflows/publish-workspace-server-image.yml
index b76681c4..5f7d6bd4 100644
--- a/.github/workflows/publish-workspace-server-image.yml
+++ b/.github/workflows/publish-workspace-server-image.yml
@@ -29,6 +29,25 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Checkout sibling plugin repo
+        # workspace-server/Dockerfile expects
+        # ./molecule-ai-plugin-github-app-auth at build-context root because
+        # the Go module has a `replace` directive pointing at /plugin inside
+        # the image. Pre-repo-split the plugin lived in the monorepo; the
+        # 2026-04-18 restructure moved it out but didn't add this clone step
+        # — which is why publish has been failing since then.
+        #
+        # Uses a fine-grained PAT (PLUGIN_REPO_PAT) because the plugin repo
+        # is private and the default GITHUB_TOKEN is scoped to THIS repo.
+        # The PAT needs Contents:Read on Molecule-AI/molecule-ai-plugin-
+        # github-app-auth. Falls back to the default token for the (rare)
+        # case where an operator made the plugin repo public.
+        uses: actions/checkout@v4
+        with:
+          repository: Molecule-AI/molecule-ai-plugin-github-app-auth
+          path: molecule-ai-plugin-github-app-auth
+          token: ${{ secrets.PLUGIN_REPO_PAT || secrets.GITHUB_TOKEN }}
+
       - name: Configure GHCR auth
         shell: bash
         env:
diff --git a/.gitignore b/.gitignore
index 0230afcd..bb612ab1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -120,3 +120,6 @@ backups/
 /org-templates/
 /plugins/
 /workspace-configs-templates/
+# Cloned by publish-workspace-server-image.yml so the Dockerfile's
+# replace-directive path resolves. Lives in its own repo.
+/molecule-ai-plugin-github-app-auth/