chore: prepare for v2.0.0 (#405)

## Summary

This PR prepares `supabase/setup-cli` for `v2.0.0`.

The main goal of this release is to simplify the action and modernize
the repo/tooling around a Bun-based implementation, while tightening
workflows, tests, and documentation.

## What Changed

### Action runtime
- switched the action from a Node/compiled `dist` runtime to a Bun-based
composite action
- removed the checked-in `dist/` output entirely
- simplified the action source down to a single runtime file in
`src/main.ts`
- kept the public action interface the same:
  - `with.version`
  - `outputs.version`

### Tooling
- switched package management and local tooling from npm to Bun
- removed Rollup and the build step
- replaced Jest with Bun’s native test runner
- replaced Prettier with `oxfmt`
- replaced ESLint with `oxlint`
- enabled type-aware/type-check linting with `oxlint-tsgolint`
- simplified TypeScript config to a single `tsconfig.json` extending
`@tsconfig/bun`

### Tests
- moved tests next to the runtime source
- rewrote tests to focus on meaningful user-facing action behavior
- added coverage for:
  - default entrypoint execution
  - latest version installs
  - legacy version installs
  - modern pinned version installs
  - failure when the installed CLI cannot report a version
- action code coverage is now `100%`

### Workflows
- renamed workflow files for clarity:
  - `test.yml` -> `ci.yml`
  - `start.yml` -> `e2e.yml`
- updated workflow/job naming so required checks are clean and stable:
  - `CI`
  - `E2E`
  - `CodeQL`
  - `Licensed`
- added aggregate PR-facing checks so branch protection does not need
matrix legs
- made CI and E2E skip heavy jobs on draft PRs
- made E2E run automatically on ready PRs and new commits
- simplified CodeQL config by removing the separate config file
- updated action pins to current releases using commit SHAs
- refined Dependabot for Bun-era updates and non-major auto-merge

### Docs
- refreshed `README.md` and `docs/index.md` for the new v2 behavior
- updated examples to use `@v2`
- added a practical example for exporting local Supabase env vars after
`supabase start`
- removed stale references to old local/dev flows

## Breaking / Notable Changes

- the action now runs as a Bun-based composite action instead of a
prebuilt JavaScript action
- no checked-in `dist/` artifacts anymore
- self-hosted runners now need the prerequisites expected by the
composite action path:
  - `bash`
- network access to install Bun/dependencies and download the Supabase
CLI

## Validation

Verified locally with:
- `bun run format:check`
- `bun run lint`
- `bun test`
- `bun run ci`

Also updated workflows and branch-protection-friendly check names so PR
validation is cleaner going forward.

## Follow-up

After merge, branch protection should require only:
- `CI`
- `E2E`
- `CodeQL`
- `Licensed`

---------

Co-authored-by: licensed-ci <licensed-ci@users.noreply.github.com>

src/main.ts

@@ -1,39 +1,208 @@
-import * as core from '@actions/core'
-import * as tc from '@actions/tool-cache'
-import { gte } from 'semver'
-import { getDownloadUrl, determineInstalledVersion } from './utils.js'
+import { $, semver } from "bun";
+import * as core from "@actions/core";
+import * as tc from "@actions/tool-cache";
+import { existsSync, readFileSync } from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
 
-export const CLI_CONFIG_REGISTRY = 'SUPABASE_INTERNAL_IMAGE_REGISTRY'
+export const CLI_CONFIG_REGISTRY = "SUPABASE_INTERNAL_IMAGE_REGISTRY";
+const REGISTRY_VERSION = "1.28.0";
+const DEFAULT_VERSION = "latest";
+
+type BunLock = {
+  workspaces?: {
+    "": {
+      dependencies?: Record<string, string>;
+      devDependencies?: Record<string, string>;
+    };
+  };
+  packages?: Record<string, unknown>;
+};
+
+type PnpmDependency =
+  | string
+  | {
+      version?: string;
+    };
+
+type PnpmLock = {
+  importers?: {
+    ".": {
+      dependencies?: Record<string, PnpmDependency>;
+      devDependencies?: Record<string, PnpmDependency>;
+    };
+  };
+};
+
+type PackageLock = {
+  packages?: Record<string, { version?: string }>;
+  dependencies?: Record<string, { version?: string }>;
+};
+
+function getArchivePlatform(platform: NodeJS.Platform): string {
+  return platform === "win32" ? "windows" : platform;
+}
+
+function getArchiveArch(arch: NodeJS.Architecture): string {
+  return arch === "x64" ? "amd64" : arch;
+}
+
+function extractConcreteVersion(raw: string | undefined): string | null {
+  if (!raw) {
+    return null;
+  }
+
+  const match = raw.match(/\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?/);
+  return match?.[0] ?? null;
+}
+
+function readWorkspaceLockfile(workspaceRoot: string, filename: string): string | null {
+  const filePath = path.join(workspaceRoot, filename);
+
+  if (!existsSync(filePath)) {
+    return null;
+  }
 
-/**
- * The main function for the action.
- *
- * @returns Resolves when the action is complete.
- */
-export async function run(): Promise<void> {
   try {
-    // Get version of tool to be installed
-    const version = core.getInput('version')
-
-    // Download the specific version of the tool, e.g. as a tarball/zipball
-    const download = await getDownloadUrl(version)
-    const pathToTarball = await tc.downloadTool(download)
-
-    // Extract the tarball/zipball onto host runner
-    const pathToCLI = await tc.extractTar(pathToTarball)
-
-    // Expose the tool by adding it to the PATH
-    core.addPath(pathToCLI)
-
-    // Expose installed tool version
-    const determinedVersion = await determineInstalledVersion()
-    core.setOutput('version', determinedVersion)
-
-    // Use GHCR mirror by default
-    if (version.toLowerCase() === 'latest' || gte(version, '1.28.0')) {
-      core.exportVariable(CLI_CONFIG_REGISTRY, 'ghcr.io')
-    }
-  } catch (error) {
-    if (error instanceof Error) core.setFailed(error.message)
+    return readFileSync(filePath, "utf8");
+  } catch {
+    return null;
   }
 }
+
+function detectVersionFromBunLock(workspaceRoot: string): string | null {
+  const text = readWorkspaceLockfile(workspaceRoot, "bun.lock");
+
+  if (!text) {
+    return null;
+  }
+
+  try {
+    const lockfile = JSON.parse(text.replace(/,\s*([}\]])/g, "$1")) as BunLock;
+    const rootWorkspace = lockfile.workspaces?.[""];
+    const declaredVersion =
+      rootWorkspace?.dependencies?.supabase ?? rootWorkspace?.devDependencies?.supabase;
+
+    if (!declaredVersion) {
+      return null;
+    }
+
+    const resolvedPackage = lockfile.packages?.supabase;
+    if (Array.isArray(resolvedPackage) && typeof resolvedPackage[0] === "string") {
+      return extractConcreteVersion(resolvedPackage[0]);
+    }
+
+    return extractConcreteVersion(declaredVersion);
+  } catch {
+    return null;
+  }
+}
+
+function detectVersionFromPnpmLock(workspaceRoot: string): string | null {
+  const text = readWorkspaceLockfile(workspaceRoot, "pnpm-lock.yaml");
+
+  if (!text) {
+    return null;
+  }
+
+  try {
+    const lockfile = Bun.YAML.parse(text) as PnpmLock;
+    const rootImporter = lockfile.importers?.["."];
+    const dependency =
+      rootImporter?.dependencies?.supabase ?? rootImporter?.devDependencies?.supabase;
+
+    if (typeof dependency === "string") {
+      return extractConcreteVersion(dependency);
+    }
+
+    return extractConcreteVersion(dependency?.version);
+  } catch {
+    return null;
+  }
+}
+
+function detectVersionFromPackageLock(workspaceRoot: string): string | null {
+  const text = readWorkspaceLockfile(workspaceRoot, "package-lock.json");
+
+  if (!text) {
+    return null;
+  }
+
+  try {
+    const lockfile = JSON.parse(text) as PackageLock;
+
+    return (
+      extractConcreteVersion(lockfile.packages?.["node_modules/supabase"]?.version) ??
+      extractConcreteVersion(lockfile.dependencies?.supabase?.version)
+    );
+  } catch {
+    return null;
+  }
+}
+
+function resolveVersion(inputVersion: string): string {
+  const requestedVersion = inputVersion.trim();
+
+  if (requestedVersion) {
+    return requestedVersion;
+  }
+
+  const workspaceRoot = process.env.GITHUB_WORKSPACE?.trim();
+
+  if (!workspaceRoot) {
+    return DEFAULT_VERSION;
+  }
+
+  return (
+    detectVersionFromBunLock(workspaceRoot) ??
+    detectVersionFromPnpmLock(workspaceRoot) ??
+    detectVersionFromPackageLock(workspaceRoot) ??
+    DEFAULT_VERSION
+  );
+}
+
+export function getDownloadUrl(version: string): string {
+  const platform = getArchivePlatform(process.platform);
+  const arch = getArchiveArch(process.arch);
+  const filename = `supabase_${platform}_${arch}.tar.gz`;
+
+  if (version.toLowerCase() === "latest") {
+    return `https://github.com/supabase/cli/releases/latest/download/${filename}`;
+  }
+
+  if (semver.order(version, REGISTRY_VERSION) === -1) {
+    return `https://github.com/supabase/cli/releases/download/v${version}/supabase_${version}_${platform}_${arch}.tar.gz`;
+  }
+
+  return `https://github.com/supabase/cli/releases/download/v${version}/${filename}`;
+}
+
+export async function determineInstalledVersion(cliPath: string): Promise<string> {
+  const version = (await $`${path.join(cliPath, "supabase")} --version`.text()).trim();
+  if (!version) {
+    throw new Error("Could not determine installed Supabase CLI version");
+  }
+
+  return version;
+}
+
+export async function run(): Promise<void> {
+  try {
+    const version = resolveVersion(core.getInput("version"));
+    const tarball = await tc.downloadTool(getDownloadUrl(version));
+    const cliPath = await tc.extractTar(tarball);
+    const installedVersion = await determineInstalledVersion(cliPath);
+    core.setOutput("version", installedVersion);
+    core.addPath(cliPath);
+
+    if (version.toLowerCase() === "latest" || semver.order(version, REGISTRY_VERSION) >= 0) {
+      core.exportVariable(CLI_CONFIG_REGISTRY, "ghcr.io");
+    }
+  } catch (error) {
+    core.setFailed(error instanceof Error ? error.message : String(error));
+  }
+}
+
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  void run();
+}