diff --git a/.gitea/workflows/deploy-to-phoenix.yml b/.gitea/workflows/deploy-to-phoenix.yml
index f058145f..74aea6f7 100644
--- a/.gitea/workflows/deploy-to-phoenix.yml
+++ b/.gitea/workflows/deploy-to-phoenix.yml
@@ -12,20 +12,19 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      # The cw* mesh matrix and deployment-status validators read
+      # cross-chain-pmm-lps/config/*.json. That repo is private and
+      # .gitmodules mixes Gitea HTTPS with git@github.com: SSH URLs,
+      # so `submodules: recursive` on the parent checkout isn't safe.
+      # Pull only the pmm-lps repo into a sibling path using the
+      # built-in Actions token (scoped to the same org).
       - name: Materialize cross-chain-pmm-lps (config only)
-        run: |
-          set -euo pipefail
-          # The cw* mesh matrix and deployment-status validators read
-          # cross-chain-pmm-lps/config/*.json. That submodule uses mixed
-          # SSH/HTTPS remotes, so instead of recursing submodules (which
-          # would fail on git@github.com: URLs without a deploy key),
-          # we shallow-clone the Gitea mirror for config reads only.
-          if [ ! -f cross-chain-pmm-lps/config/deployment-status.json ]; then
-            rm -rf cross-chain-pmm-lps
-            git clone --depth=1 \
-              https://gitea.d-bis.org/d-bis/cross-chain-pmm-lps.git \
-              cross-chain-pmm-lps
-          fi
+        uses: actions/checkout@v4
+        with:
+          repository: d-bis/cross-chain-pmm-lps
+          path: cross-chain-pmm-lps
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 1
 
       - name: Run repo validation gate
         run: |
diff --git a/.gitea/workflows/validate-on-pr.yml b/.gitea/workflows/validate-on-pr.yml
index cc5ba463..03791c45 100644
--- a/.gitea/workflows/validate-on-pr.yml
+++ b/.gitea/workflows/validate-on-pr.yml
@@ -13,13 +13,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Materialize cross-chain-pmm-lps (config only)
-        run: |
-          set -euo pipefail
-          if [ ! -f cross-chain-pmm-lps/config/deployment-status.json ]; then
-            rm -rf cross-chain-pmm-lps
-            git clone --depth=1 \
-              https://gitea.d-bis.org/d-bis/cross-chain-pmm-lps.git \
-              cross-chain-pmm-lps
-          fi
+        uses: actions/checkout@v4
+        with:
+          repository: d-bis/cross-chain-pmm-lps
+          path: cross-chain-pmm-lps
+          token: ${{ secrets.GITHUB_TOKEN }}
+          fetch-depth: 1
       - name: run-all-validation (no LAN, no genesis)
         run: bash scripts/verify/run-all-validation.sh --skip-genesis