fix: use GITEA_TOKEN for git clone authentication in workflows

- Add GITEA_TOKEN secret support for HTTPS git clone
- Fallback to public access if token not available
- Fixes checkout failures when runner has no git credentials
- Required for native workflows without actions/checkout

.gitea/workflows/security-scan.yml

@@ -24,15 +24,21 @@ jobs:
             REF_NAME="main"
           fi
           
-          git clone --depth 1 --branch "$REF_NAME" \
-            "https://git.michaelschiemer.de/${REPO}.git" \
-            /workspace/repo || \
-          git clone --depth 1 --branch "$REF_NAME" \
-            "git@git.michaelschiemer.de:${REPO}.git" \
-            /workspace/repo || \
-          git clone --depth 1 \
-            "https://git.michaelschiemer.de/${REPO}.git" \
-            /workspace/repo
+          # Use Gitea token if available, otherwise try public access
+          if [ -n "${{ secrets.GITEA_TOKEN }}" ]; then
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://${{ secrets.GITEA_TOKEN }}@git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          else
+            # Try public HTTPS (works if repository is public)
+            git clone --depth 1 --branch "$REF_NAME" \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo || \
+            # Fallback: Try to use Gitea's internal runner access
+            git clone --depth 1 \
+              "https://git.michaelschiemer.de/${REPO}.git" \
+              /workspace/repo
+          fi
           
           cd /workspace/repo