chore: prepare for v2.0.0 (#405)

## Summary

This PR prepares `supabase/setup-cli` for `v2.0.0`.

The main goal of this release is to simplify the action and modernize
the repo/tooling around a Bun-based implementation, while tightening
workflows, tests, and documentation.

## What Changed

### Action runtime
- switched the action from a Node/compiled `dist` runtime to a Bun-based
composite action
- removed the checked-in `dist/` output entirely
- simplified the action source down to a single runtime file in
`src/main.ts`
- kept the public action interface the same:
  - `with.version`
  - `outputs.version`

### Tooling
- switched package management and local tooling from npm to Bun
- removed Rollup and the build step
- replaced Jest with Bun’s native test runner
- replaced Prettier with `oxfmt`
- replaced ESLint with `oxlint`
- enabled type-aware/type-check linting with `oxlint-tsgolint`
- simplified TypeScript config to a single `tsconfig.json` extending
`@tsconfig/bun`

### Tests
- moved tests next to the runtime source
- rewrote tests to focus on meaningful user-facing action behavior
- added coverage for:
  - default entrypoint execution
  - latest version installs
  - legacy version installs
  - modern pinned version installs
  - failure when the installed CLI cannot report a version
- action code coverage is now `100%`

### Workflows
- renamed workflow files for clarity:
  - `test.yml` -> `ci.yml`
  - `start.yml` -> `e2e.yml`
- updated workflow/job naming so required checks are clean and stable:
  - `CI`
  - `E2E`
  - `CodeQL`
  - `Licensed`
- added aggregate PR-facing checks so branch protection does not need
matrix legs
- made CI and E2E skip heavy jobs on draft PRs
- made E2E run automatically on ready PRs and new commits
- simplified CodeQL config by removing the separate config file
- updated action pins to current releases using commit SHAs
- refined Dependabot for Bun-era updates and non-major auto-merge

### Docs
- refreshed `README.md` and `docs/index.md` for the new v2 behavior
- updated examples to use `@v2`
- added a practical example for exporting local Supabase env vars after
`supabase start`
- removed stale references to old local/dev flows

## Breaking / Notable Changes

- the action now runs as a Bun-based composite action instead of a
prebuilt JavaScript action
- no checked-in `dist/` artifacts anymore
- self-hosted runners now need the prerequisites expected by the
composite action path:
  - `bash`
- network access to install Bun/dependencies and download the Supabase
CLI

## Validation

Verified locally with:
- `bun run format:check`
- `bun run lint`
- `bun test`
- `bun run ci`

Also updated workflows and branch-protection-friendly check names so PR
validation is cleaner going forward.

## Follow-up

After merge, branch protection should require only:
- `CI`
- `E2E`
- `CodeQL`
- `Licensed`

---------

Co-authored-by: licensed-ci <licensed-ci@users.noreply.github.com>

.licenses/npm/semver.dep.yml

@@ -0,0 +1,26 @@
+---
+name: semver
+version: 7.7.4
+type: npm
+summary: The semantic version parser used by npm.
+homepage:
+license: isc
+licenses:
+  - sources: LICENSE
+    text: |
+      The ISC License
+
+      Copyright (c) Isaac Z. Schlueter and Contributors
+
+      Permission to use, copy, modify, and/or distribute this software for any
+      purpose with or without fee is hereby granted, provided that the above
+      copyright notice and this permission notice appear in all copies.
+
+      THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+      WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+      MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+      ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+      WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+      ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+      IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+notices: []