fix: authenticate latest release lookup

[Rul1an]

Summary

• pass the workflow token into the Assay CLI version resolver
• send an Authorization header for the GitHub releases/latest API call when a token is available

Why

After moving the floating v2/v3 tags to #30, the published-tag canary proved v3 and v2 Linux are fixed, but v2 macOS hit a GitHub API 403 while resolving latest. The resolver should use the available GitHub token instead of relying on anonymous API quota/edge behavior.

Verification

• git diff --check
• actionlint .github/workflows/published-tag-canary.yml
• Ruby YAML parse for action.yml and the canary workflow
• local tokenless latest-resolution smoke returns v3.26.0

Summary by CodeRabbit

• Improvements
  • Enhanced reliability of version resolution by adding GitHub token authentication to API requests, improving rate limit handling and request success rates.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: f9a50db6-7d0b-40aa-9913-fd229c69cda6

📥 Commits

Reviewing files that changed from the base of the PR and between 2e49812 and e20fb1e.

📒 Files selected for processing (1)

• action.yml

---

📝 Walkthrough

Walkthrough

The Resolve Assay CLI version step in action.yml is refactored to build curl arguments via a CURL_ARGS array with retry and header flags, conditionally appending an Authorization: Bearer header when GITHUB_TOKEN is present. The step's env block now injects GITHUB_TOKEN: ${{ github.token }}.

Changes

Authenticated curl for CLI version resolution

Layer / File(s)	Summary
CURL_ARGS array with conditional auth header action.yml	Replaces inline curl invocation with a CURL_ARGS array containing retry and header flags; appends Authorization: Bearer $GITHUB_TOKEN when the env var is non-empty; the latest-release tag lookup uses curl "${CURL_ARGS[@]}". The step's env block adds GITHUB_TOKEN: ${{ github.token }}.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Possibly related PRs

• Rul1an/assay-action#30: Modifies the same Resolve Assay CLI version step in action.yml, adding early "latest" resolution logic that this PR then refactors by replacing the inline curl call with the array-based invocation.

Poem

🐇 A token tucked in, a header appears,
The curl array grows, dispelling API fears.
Bearer auth hops in when the env var's set,
The latest release tag — no rate-limit threat!
This rabbit curls safely, with retries to spare~ 🌟

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: authenticate latest release lookup' directly and clearly identifies the main change: adding authentication to the release lookup process.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/auth-latest-release-api

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}