#18765: ci: avoid Bun setup GitHub tag API rate-limit failures

## Summary - Identified the Bun resolution paths triggering GitHub API tag lookups in CI: - `.github/actions/setup-node-env/action.yml` (composite action used by multiple CI jobs) - `.github/workflows/ci.yml` (Windows checks job direct Bun setup) - Replaced `bun-version: latest` with pinned `1.3.9` so setup-bun does not need to resolve latest via `GET /repos/oven-sh/bun/git/refs/tags` on every run. - Passed `token: ${{ github.token }}` explicitly to `oven-sh/setup-bun@v2` to keep API calls authenticated when version resolution is needed. ## Failure mode addressed CI intermittently fails with 403 while resolving Bun tags from the GitHub API (`/repos/oven-sh/bun/git/refs/tags`). Using `latest` forces tag-resolution requests per job, which can hit API limits under CI concurrency. ## Why this fix - Smallest safe diff, scoped only to Bun setup in CI. - Pinned Bun version avoids tag API lookups entirely in normal runs. - Explicit token keeps fallback/resolution requests authenticated. ## Validation - YAML parse check passed for changed files: - `.github/actions/setup-node-env/action.yml` - `.github/workflows/ci.yml`