Checking out when Actions are restricted to org

If the actions are restricted to in-org only; you can’t use the checkout action.
So how do you pull a private repository within a workflow without the action  (urls etc fall foul of issues around host name and ssh key etc / I’m hoping theres an “obvious” way to do this that doesnt involve heredoc’ing in deploy keys from secrets