feat(workspace): add /configs/.github-token static-token fallback

When platform /github-installation-token returns 500 (GitHub App unconfigured
or token expired), operators can place a PAT in /configs/.github-token
to keep git/ gh ops running. This is a pure additive step-4 fallback —
cache is NEVER written for static tokens so recovery always reads fresh.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

workspace/scripts/molecule-git-token-helper.sh

@@ -46,8 +46,10 @@
 # 2. Fetch fresh token from platform API.
 # 3. If platform is unreachable, fall back to GITHUB_TOKEN / GH_TOKEN
 #    env var (set at container start, valid for up to 60 min).
-# 4. If all fail, exit 1 so git falls through to the next credential
-#    helper in the chain (if any).
+# 4. If all fail, fall back to a static PAT written by the infra operator
+#    at ${CONFIGS_DIR}/.github-token (helps when platform
+#    /github-installation-token returns 500 due to GitHub App misconfiguration).
+#    Cache is NEVER written for static tokens — recovery is always fresh.
 #
 # # gh CLI integration
 #
@@ -222,6 +224,17 @@ _fetch_token() {
         return 0
     fi
 
+    # 4. Fall back to static token file (written by infra operator).
+    static_token_file="${CONFIGS_DIR:-/configs}/.github-token"
+    if [ -f "${static_token_file}" ]; then
+        static_token=$(cat "${static_token_file}" | tr -d '[:space:]')
+        if [ -n "${static_token}" ]; then
+            echo "[molecule-git-token-helper] API unreachable, falling back to static token file" >&2
+            echo "${static_token}"
+            return 0
+        fi
+    fi
+
     echo "[molecule-git-token-helper] all token sources exhausted" >&2
     return 1
 }