Only automatically include validations when enabled

This is a follow up to #16024.

activemodel/lib/active_model/secure_password.rb

 module ActiveModel
   module SecurePassword
     extend ActiveSupport::Concern
-    include ActiveModel::Validations
 
     # BCrypt hash function can handle maximum 72 characters, and if we pass
     # password of length more than 72 characters it ignores extra characters.
@@ -65,6 +64,8 @@ def has_secure_password(options = {})
         include InstanceMethodsOnActivation
 
         if options.fetch(:validations, true)
+          include ActiveModel::Validations
+
           # This ensures the model has a password by checking whether the password_digest
           # is present, so that this works with both new and existing records. However,
           # when there is an error, the message is added to the password attribute instead

activemodel/test/cases/secure_password_test.rb

@@ -20,20 +20,12 @@ class SecurePasswordTest < ActiveModel::TestCase
     ActiveModel::SecurePassword.min_cost = @original_min_cost
   end
 
-  test "user object should respond to valid?" do
-    assert_respond_to @visitor, :valid?
+  test "automatically include ActiveModel::Validations when validations are enabled" do
     assert_respond_to @user, :valid?
   end
 
-  test "create/update without validations" do
-    assert @visitor.valid?(:create), 'visitor should be valid'
-    assert @visitor.valid?(:update), 'visitor should be valid'
-
-    @visitor.password = '123'
-    @visitor.password_confirmation = '456'
-
-    assert @visitor.valid?(:create), 'visitor should be valid'
-    assert @visitor.valid?(:update), 'visitor should be valid'
+  test "don't include ActiveModel::Validations when validations are disabled" do
+    assert_not_respond_to @visitor, :valid?
   end
 
   test "create a new user with validations and valid password/confirmation" do