ci: checkout playbooks and iac_modules from public repos

- Stop checking out the old private mono-repo `ai-workspace-infra`.
- Checkout the split public repositories `ai-workspace-infra/playbooks` and `ai-workspace-infra/iac_modules` separately.
- Remove `CODEX_GITHUB_PERSONAL_ACCESS_TOKEN` (`INFRA_REPO_TOKEN`) dependency from vault as it's no longer needed for public repos.

.github/workflows/deploy-ai-workspace-iac.yaml

@@ -20,7 +20,6 @@ name: Deploy AI Workspace (IaC + Ansible + Cloudflare)
 #   - KV 路径:      kv/data/CICD（共享 CICD 机密） + kv/data/openclaw（LLM keys）
 #   - 用到的键（详见 docs/operations/vault-github-actions.md）：
 #       [kv/CICD] VULTR_API_KEY                      → TF_VAR_vultr_api_key
-#       [kv/CICD] CODEX_GITHUB_PERSONAL_ACCESS_TOKEN → checkout ai-workspace-infra
 #       [kv/CICD] SSH_PRIVATE_DEPLOY_KEY[_B64]       → 连主机 SSH 私钥（B64 优先）
 #       [kv/CICD] CLOUDFLARE_DNS_API_TOKEN           → Cloudflare DNS 编辑
 #       [kv/openclaw] DEEPSEEK_API_KEY / NVIDIA_API_KEY / OLLAMA_API_KEY → LLM provider keys
@@ -73,7 +72,6 @@ env:
   VAULT_KV: kv/data/CICD
   # LLM provider keys 放在 openclaw 路径
   VAULT_KV_OPENCLAW: kv/data/openclaw
-  INFRA_REPO: ${{ github.repository_owner }}/ai-workspace-infra
   # vultr-vps 根（共享 scripts/ templates/ config/）；ENV_DIR 为 terraform 运行目录(workdir)
   VPS_ROOT: infra/iac_modules/terraform-hcl-standard/vultr-vps
   ENV_DIR: infra/iac_modules/terraform-hcl-standard/vultr-vps/envs/ai-workspace
@@ -99,7 +97,6 @@ jobs:
           ignoreNotFound: true
           secrets: |
             ${{ env.VAULT_KV }} VULTR_API_KEY | VULTR_API_KEY ;
-            ${{ env.VAULT_KV }} CODEX_GITHUB_PERSONAL_ACCESS_TOKEN | INFRA_REPO_TOKEN ;
             ${{ env.VAULT_KV }} TF_STATE_ENDPOINT | TF_STATE_ENDPOINT ;
             ${{ env.VAULT_KV }} TF_STATE_BUCKET | TF_STATE_BUCKET ;
             ${{ env.VAULT_KV }} TF_STATE_ACCESS_KEY | TF_STATE_ACCESS_KEY ;
@@ -120,13 +117,19 @@ jobs:
           fi
           [ "$missing" -eq 0 ] || { echo "::error::必需机密缺失，终止 provision"; exit 1; }
 
-      - name: Checkout infra (iac_modules + playbooks)
+      - name: Checkout iac_modules
         uses: actions/checkout@v4
         with:
-          repository: ${{ env.INFRA_REPO }}
+          repository: ai-workspace-infra/iac_modules
           ref: ${{ github.event.inputs.infra_ref || 'main' }}
-          token: ${{ steps.vault.outputs.INFRA_REPO_TOKEN || github.token }}
-          path: infra
+          path: infra/iac_modules
+
+      - name: Checkout playbooks
+        uses: actions/checkout@v4
+        with:
+          repository: ai-workspace-infra/playbooks
+          ref: ${{ github.event.inputs.infra_ref || 'main' }}
+          path: infra/playbooks
 
       - uses: hashicorp/setup-terraform@v3
         with:
@@ -357,7 +360,6 @@ jobs:
           jwtGithubAudience: vault
           ignoreNotFound: true
           secrets: |
-            ${{ env.VAULT_KV }} CODEX_GITHUB_PERSONAL_ACCESS_TOKEN | INFRA_REPO_TOKEN ;
             ${{ env.VAULT_KV }} CLOUDFLARE_DNS_API_TOKEN | CLOUDFLARE_DNS_API_TOKEN
 
       - name: Validate required secrets
@@ -373,13 +375,12 @@ jobs:
           fi
           [ "$missing" -eq 0 ] || { echo "::error::必需机密缺失，终止 dns"; exit 1; }
 
-      - name: Checkout infra (playbooks)
+      - name: Checkout playbooks
         uses: actions/checkout@v4
         with:
-          repository: ${{ env.INFRA_REPO }}
+          repository: ai-workspace-infra/playbooks
           ref: ${{ github.event.inputs.infra_ref || 'main' }}
-          token: ${{ steps.vault.outputs.INFRA_REPO_TOKEN || github.token }}
-          path: infra
+          path: infra/playbooks
 
       - name: Download CMDB + inventory
         uses: actions/download-artifact@v4

docs/operations/vault-github-actions.md

@@ -55,7 +55,6 @@ vault write auth/jwt/role/github-actions-xworkspace-console \
 | Vault 路径 | 键 | 映射到输出 | 用途 |
 | --- | --- | --- | --- |
 | `kv/data/CICD` | `VULTR_API_KEY` | `VULTR_API_KEY` | provision：`TF_VAR_vultr_api_key` |
-| `kv/data/CICD` | `CODEX_GITHUB_PERSONAL_ACCESS_TOKEN` | `INFRA_REPO_TOKEN` | checkout 私有 `ai-workspace-infra` |
 | `kv/data/CICD` | `CLOUDFLARE_DNS_API_TOKEN` | `CLOUDFLARE_DNS_API_TOKEN` | dns：Cloudflare DNS 编辑 |
 | `kv/data/CICD` | `SSH_PRIVATE_DEPLOY_KEY_B64` | `ANSIBLE_SSH_KEY_B64` | 连主机 SSH 私钥（**优先**，单行 base64） |
 | `kv/data/CICD` | `SSH_PRIVATE_DEPLOY_KEY` | `ANSIBLE_SSH_KEY` | 同上原始多行（回退） |