feat: pin the Kosli CLI to a major or minor version

[AlexKantor87]

What

setup-cli-action could only install an exact CLI version or latest. This adds a third option: pin the CLI to a major (or minor) line and pick up every update within it, without ever rolling onto the next breaking major.

• version: "2" resolves to the newest stable 2.x release
• version: "2.11" resolves to the newest stable 2.11.z release

- uses: kosli-dev/setup-cli-action@v5
  with:
    version: "2"   # newest stable 2.x, never 3.x

How

• src/download.js: a partial spec lists kosli-dev/cli releases, drops drafts and pre-releases, and picks the highest match numerically (so 2.27.3 beats 2.9.0), never crossing into a higher major.
• latest and exact pins are unchanged. Exact pins stay API-free; a partial pin uses the GitHub API like latest already does, through the existing retry wrapper.
• Purely additive, so it ships as a v5 minor and every @v5 consumer picks it up automatically.

Heads up for users

Quote partial versions in YAML: version: 2.10 unquoted is parsed as the float 2.1. Documented in the README.

Tests

• New ava cases cover major and major.minor resolution, pre-release/draft exclusion, numeric ordering, and the no-match error. Full suite green (33 tests).
• CI matrix now exercises "2" and "2.11" end to end; the pinned-version check fails if an install ever crosses a major.

Tracking: kosli-dev/server#5996

[AlexKantor87]

Ran a detailed multi-agent review over this before merging: seven dimensions (resolution correctness, input edge cases, tests, the CI workflow, packaging/release, docs, and security), with every finding independently re-checked by a second pass to weed out false positives. Short version: the resolution logic holds up really well and it's correctly shipped as a v5 minor. No blocker or major issues, just three small consistency nits, all now fixed.

Fixed in c223b65

• action.yml: the version input description only mentioned latest, so I've documented the "2" and "2.11" partial-pin forms to match the README.
• action.yml: the github-token description still said it was only used for latest. Partial pins hit the API too now, so I've aligned the wording.
• test/download.test.js: the "never cross a major" test only asserted !startsWith("3."), which a regression to a lower wrong major would have slipped past. It now asserts the resolved major is 2, and I've added a higher major (v10.0.0) to the fixture so the property is genuinely exercised rather than coincidentally satisfied.

Considered, deliberately left alone

• The downloaded CLI tarball still isn't checksum or signature verified. That's pre-existing and out of scope here, but worth its own hardening ticket given our supply-chain focus.
• The "Capture kosli version installed" step has some pre-existing cruft (an unused export and an echo "\n" that writes a literal \n). It's harmless because the verify step reads .splitlines()[0], so I've left it for a separate tidy-up rather than widening this diff.
• A few other things came up and were ruled out as non-issues. The partial-pin path lists the full release history rather than making a single call, but that's a handful of requests against a 1000/hr quota and the version is author-controlled, so there's no real rate-limit or abuse concern. The YAML float trap (2.10 parsed as 2.1) is already mitigated by the README warning and the quoted examples, and it can't be fixed in code anyway.

Tests are green locally (33) and CI's re-running on the new head. Happy to merge once it's green.