ci: authenticate GitHub API call for latest release lookup

The unauthenticated curl was being rate-limited on shared runner IPs,
causing jq to parse the error response and emit "null" as the tag. Use
the existing app token and fail loudly if the tag can't be resolved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: brendan-kellam

.github/workflows/update-sourcebot-version.yaml

@@ -37,8 +37,20 @@ jobs:
 
       - name: Get latest Sourcebot release
         id: latest-version
+        env:
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
         run: |
-          LATEST_VERSION=$(curl -s https://api.github.com/repos/sourcebot-dev/sourcebot/releases/latest | jq -r '.tag_name')
+          LATEST_VERSION=$(curl -sSf \
+            -H "Authorization: Bearer $GH_TOKEN" \
+            -H "Accept: application/vnd.github+json" \
+            https://api.github.com/repos/sourcebot-dev/sourcebot/releases/latest \
+            | jq -r '.tag_name')
+
+          if [ -z "$LATEST_VERSION" ] || [ "$LATEST_VERSION" = "null" ]; then
+            echo "Failed to fetch latest release tag" >&2
+            exit 1
+          fi
+
           echo "latest=$LATEST_VERSION" >> $GITHUB_OUTPUT
           echo "Latest Sourcebot version: $LATEST_VERSION"