
releases: fallback to github api if github cdn fails

Open crazy-max opened this issue 7 months ago • 1 comments

  • follow-up #819

relates to https://github.com/docker/actions-toolkit/actions/runs/15138332709/job/42555459875?pr=696#step:3:3646

#29 106.3 Summary of all failing tests
#29 106.3 FAIL __tests__/compose/install.test.ts (39.558 s)
#29 106.3   ● getRelease › returns v2.27.1-desktop.1 cloud GitHub release
#29 106.3 
#29 106.3     Failed to get Compose releases from https://raw.githubusercontent.com/docker/actions-toolkit/main/.github/compose-lab-releases.json with status code 429:
#29 106.3 
#29 106.3       211 |     const statusCode = resp.message.statusCode || 500;
#29 106.3       212 |     if (statusCode >= 400) {
#29 106.3     > 213 |       throw new Error(`Failed to get Compose releases from ${version.releasesURL} with status code ${statusCode}: ${body}`);
#29 106.3           |             ^
#29 106.3       214 |     }
#29 106.3       215 |     const releases = <Record<string, GitHubRelease>>JSON.parse(body);
#29 106.3       216 |     if (!releases[version.version]) {
#29 106.3 
#29 106.3       at Function.<anonymous> (src/compose/install.ts:213:13)
#29 106.3       at fulfilled (src/compose/install.ts:4468:24)

Seems related to recent changes in GitHub infra: https://github.blog/changelog/2025-05-08-updated-rate-limits-for-unauthenticated-requests/

and downloading files from raw.githubusercontent.com.

Didn't find any documentation for the rate limit of GitHub CDNs like raw.githubusercontent.com but I recall it was 5000 requests per hour per IP. Also nothing documented about authentication against their CDNs to avoid the rate limit. I tried with a bearer token but no dice.

So to avoid being rate-limited when fetching the releases JSON payload we fall back to the GitHub API https://docs.github.com/en/rest/repos/contents?apiVersion=2022-11-28#get-repository-content if the CDN fails.

crazy-max, May 20 '25 11:05
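
One way to implement the fallback described in the issue above, as an added example that is not actions-toolkit's own code. `HeaderMap`, `HttpGet`, `toContentsRequest`, `getReleasesJSON` and `stubGet` are hypothetical names, the transport is injected so the stub responses are constructed, and the ref in the raw URL is assumed to be a single path segment.

```typescript
// Added example, not actions-toolkit code. All names here are hypothetical.
type HeaderMap = Record<string, string>;
type HttpGet = (url: string, headers: HeaderMap) => Promise<{status: number; body: string}>;

// Pin scheme and host so a token can never be derived for a look-alike domain.
const RAW_RE = /^https:\/\/raw\.githubusercontent\.com\/([^/]+)\/([^/]+)\/([^/]+)\/(.+)$/;

// Map https://raw.githubusercontent.com/{owner}/{repo}/{ref}/{path} to the
// "get repository content" REST request for the same file.
// Assumption: {ref} is a single path segment (a branch such as "main").
function toContentsRequest(rawURL: string, token?: string): {url: string; headers: HeaderMap} {
  const m = RAW_RE.exec(rawURL);
  if (!m) {
    throw new Error(`not a raw.githubusercontent.com file URL: ${rawURL}`);
  }
  const [, owner, repo, ref, path] = m;
  const headers: HeaderMap = {
    Accept: 'application/vnd.github.raw+json', // file body instead of the base64 envelope
    'X-GitHub-Api-Version': '2022-11-28'
  };
  if (token) {
    headers['Authorization'] = `Bearer ${token}`; // only ever attached to api.github.com
  }
  const url = `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${encodeURIComponent(ref)}`;
  return {url, headers};
}

// Try the CDN first; on any HTTP error (e.g. 429) retry through the REST API.
async function getReleasesJSON(rawURL: string, get: HttpGet, token?: string): Promise<Record<string, unknown>> {
  const cdn = await get(rawURL, {}); // unauthenticated: the issue reports a token did not help here
  if (cdn.status < 400) {
    return JSON.parse(cdn.body);
  }
  const req = toContentsRequest(rawURL, token);
  const api = await get(req.url, req.headers);
  if (api.status >= 400) {
    // Report both status codes; never echo request headers, which hold the token.
    throw new Error(`Failed to get releases: CDN status ${cdn.status}, API status ${api.status}`);
  }
  return JSON.parse(api.body);
}

// Constructed stand-in for the network: the CDN is rate-limited, the API answers.
const stubGet: HttpGet = async (url, headers) =>
  url.startsWith('https://raw.githubusercontent.com/')
    ? {status: 429, body: ''}
    : {status: headers['Authorization'] ? 200 : 403, body: '{"v2.27.1-desktop.1": {"id": 1}}'};
```

In real use, `get` would wrap the HTTP client already in place and `token` would be the workflow's GitHub token.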

Why aren't we just including the token in the headers to the request to https://raw.githubusercontent.com ?

tonistiigi, Sep 22 '25 16:09