pass token to actions/checkout for private submodules

Currently, if a plugin has a submodule that is a private repository, the generated github action will fail when trying to checkout the repository. This is due to the action trying to init/update submodules without a valid token.

This could be fixed by supplying a `token:` parameter to `actions/checkout` like so:

```
token: ${{ secrets.TESTS_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}
```