docs: note latest release rate limit

.github/workflows/licensed.yml

@@ -71,7 +71,7 @@ jobs:
       - name: Setup Ruby
         id: setup-ruby
         if: steps.license-inputs.outputs.changed == 'true'
-        uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0
+        uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
         with:
           ruby-version: ruby
 
@@ -116,7 +116,7 @@ jobs:
 
       - name: Setup Ruby
         id: setup-ruby
-        uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1.314.0
+        uses: ruby/setup-ruby@97ecb7b512899eb71ab1bf2310a624c6f1589ac6 # v1.308.0
         with:
           ruby-version: ruby
 

README.md

@@ -31,6 +31,11 @@ If `version` is omitted, the action checks the repository root for `bun.lock`,
 `pnpm-lock.yaml`, or `package-lock.json` and uses the declared `supabase`
 version. If no supported lockfile is present, it falls back to `latest`.
 
+When the action resolves `latest`, it queries the GitHub releases API. In CI,
+pass `github-token: ${{ github.token }}` to avoid unauthenticated API rate
+limits. Pinning `version` to a specific Supabase CLI release avoids that lookup
+entirely.
+
 A specific version of the `supabase` CLI can be installed:
 
 ```yaml