ci(deploy): use REPO_ACCESS_TOKEN for sibling-repo checkouts

The first auto-deploy run on 2026-05-15T06:28Z failed because
GITHUB_TOKEN is auto-scoped to the current repo only — fetching
the private sibling repos (common, proto) returned 404 from the
GH API. Swap both Checkout steps to use REPO_ACCESS_TOKEN, a
fine-grained PAT with read access to those siblings.

Operator action that made this work: `gh secret set
REPO_ACCESS_TOKEN --repo InstaNode-dev/<this-repo>`.

The ghcr.io docker login step still uses GITHUB_TOKEN — packages:write
is implicit on the current repo's token, no PAT needed there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mastermanas805

.github/workflows/deploy.yml

@@ -56,14 +56,18 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: ${{ vars.COMMON_REPO || format('{0}/common', github.repository_owner) }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          # 2026-05-15: GITHUB_TOKEN is scoped to THIS repo only and 404s
+          # on private sibling repos in the same org. REPO_ACCESS_TOKEN
+          # is a fine-grained PAT with read access to
+          # InstaNode-dev/{common,proto}.
+          token: ${{ secrets.REPO_ACCESS_TOKEN }}
           path: common
 
       - name: Checkout proto sibling into ./proto
         uses: actions/checkout@v4
         with:
           repository: ${{ vars.PROTO_REPO || format('{0}/proto', github.repository_owner) }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.REPO_ACCESS_TOKEN }}
           path: proto
 
       - name: Compute build metadata