fix: replace actions/checkout with git clone in container jobs

actions/checkout@v4 requires node, which isn't available in
alpine or gitleaks images. Use plain git clone instead for
containerized jobs; keep actions/checkout for the host build job.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/ci.yml

@@ -5,6 +5,9 @@ on:
   pull_request:
     branches: [master]
 
+env:
+  REPO_URL: ${{ github.server_url }}/${{ github.repository }}
+
 jobs:
   gitleaks:
     runs-on: linux
@@ -12,9 +15,11 @@ jobs:
       image: ghcr.io/gitleaks/gitleaks:latest
       options: --entrypoint ""
     steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth=0 "$REPO_URL" .
+          git checkout "${{ github.sha }}"
       - name: Scan for secrets
         run: gitleaks detect --source . --verbose
 
@@ -23,7 +28,11 @@ jobs:
     container:
       image: python:3.13-alpine
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth=1 "$REPO_URL" .
+          git checkout "${{ github.sha }}"
       - name: Install deps
         run: pip install -q -r requirements-dev.txt
       - name: Lint
@@ -38,7 +47,11 @@ jobs:
     container:
       image: python:${{ matrix.python-version }}-alpine
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        run: |
+          apk add --no-cache git
+          git clone --depth=1 "$REPO_URL" .
+          git checkout "${{ github.sha }}"
       - name: Install system deps
         run: apk add --no-cache opus-dev
       - name: Install Python deps