fix(ci): pass GITHUB_TOKEN to Build CLI step to bypass anonymous quota

scripts/download-assets.mts (via packages/build-infra/lib/github-releases.mts)
queries the GitHub releases API for binject / node-smol / iocraft
during the cli build. The script reads GH_TOKEN / GITHUB_TOKEN to
authenticate, but the Build CLI step in both unit-tests and e2e jobs
never set either, so calls went out anonymously, hit the 60-req/hr
public quota, and returned 403 ("Failed to fetch releases: 403").

Expose secrets.GITHUB_TOKEN to both Build CLI steps. Authenticated
calls share a 1000-req/hr per-job bucket. permissions: contents: read
is already declared on both jobs, which is what the asset reads need.

Author: jdalton

.github/workflows/ci.yml

@@ -242,6 +242,13 @@ jobs:
       - name: Build CLI
         working-directory: packages/cli
         shell: bash
+        env:
+          # download-assets.mts hits the GitHub releases API for
+          # binject / node-smol / iocraft. Anonymous calls share the
+          # 60-req/hr public quota and get 403 once exhausted; the
+          # auto-provided GITHUB_TOKEN gives this job its own 1000/hr
+          # bucket.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           pnpm run build
 
@@ -318,6 +325,13 @@ jobs:
       - name: Build CLI
         working-directory: packages/cli
         shell: bash
+        env:
+          # download-assets.mts hits the GitHub releases API for
+          # binject / node-smol / iocraft. Anonymous calls share the
+          # 60-req/hr public quota and get 403 once exhausted; the
+          # auto-provided GITHUB_TOKEN gives this job its own 1000/hr
+          # bucket.
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           pnpm run build