fix: authenticate latest release lookup (#430)

## Summary

- Add an optional `github-token` input to authenticate the GitHub
release lookup used by `version: latest`.
- Pass the token through the composite action as
`SUPABASE_CLI_GITHUB_TOKEN` and use it as a bearer token for the
`/repos/supabase/cli/releases/latest` request.
- Update this repository's CI smoke test and README examples to pass
`${{ github.token }}` when testing or using `latest`.

## Root Cause

CI failed in `test (macos-latest, latest)` because the action resolved
`latest` through an unauthenticated GitHub REST API request and hit the
low unauthenticated rate limit. The dependency bump in #429 was not the
cause; the validate job passed and the failure happened inside the
release lookup path.

## Impact

Pinned versions continue to work without a token. For `version: latest`,
callers can now pass `${{ github.token }}` to avoid unauthenticated API
rate limiting while keeping the input optional for backward
compatibility.

## Validation

- `bun run ci`
Julien Goux
2026-05-20 15:06:17 +02:00
committed by GitHub
parent a4d563a017
commit 3095b000b6
5 changed files with 47 additions and 4 deletions

@@ -5,6 +5,9 @@ inputs:
version:
description: Version of Supabase CLI to install. If omitted, detect from the root lockfile and otherwise use latest.
required: false
github-token:
description: GitHub token used to resolve the latest Supabase CLI release without hitting unauthenticated API limits.
required: false
outputs:
version:
description: Version of installed Supabase CLI
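Review bot: The `github-token` description does not say when the token is used or how little access it needs. The commit message states it only matters for `version: latest` and that the lookup previously worked unauthenticated, so a read-only token is enough. Suggest saying both in the description, for example "Only used when resolving `latest`; a read-only token such as `${{ github.token }}` is sufficient", so callers do not pass a broader PAT than necessary.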
@@ -28,4 +31,5 @@ runs:
working-directory: ${{ github.action_path }}
env:
INPUT_VERSION: ${{ inputs.version }}
SUPABASE_CLI_GITHUB_TOKEN: ${{ inputs.github-token }}
run: bun src/main.ts
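Review bot: On `SUPABASE_CLI_GITHUB_TOKEN: ${{ inputs.github-token }}`, an omitted input expands to an empty string, so the variable is always set, just sometimes empty. Please confirm that `src/main.ts` treats an empty value as "no token" and skips the Authorization header instead of sending an empty bearer value. Because the token sits in the environment of the whole `bun src/main.ts` step, also check that it is not forwarded to any child process that step spawns, and that it is never written to logs or outputs.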