## What changed
Remove the unsupported `cooldown.semver-minor-days` and
`cooldown.semver-patch-days` settings from the `github-actions`
Dependabot ecosystem.
The Bun ecosystem keeps its cooldown settings, and GitHub Actions
updates keep the weekly Tuesday schedule, PR limit, and minor/patch
grouping.
## Why
Dependabot rejects semver-specific cooldown properties for the
`github-actions` ecosystem with:
```
The property `#/updates/0/cooldown/semver-minor-days` is not supported for the package ecosystem `github-actions`.
The property `#/updates/0/cooldown/semver-patch-days` is not supported for the package ecosystem `github-actions`.
```
Removing those keys restores a valid Dependabot config while preserving
the grouped weekly update policy.
## Validation
- Parsed `.github/dependabot.yml` successfully as YAML
## What changed
This updates our Dependabot policy to reduce routine dependency-update
noise while keeping minor and patch updates moving automatically.
- Configure Dependabot to run weekly on Tuesday at 09:00 Europe/Paris
for both `github-actions` and `bun`
- Group all minor and patch updates per ecosystem:
  - one GitHub Actions update PR
  - one Bun dependency update PR
- Keep major updates ungrouped so Dependabot opens individual PRs for
manual review
- Reduce routine open Dependabot PRs to one per ecosystem
- Add cooldown windows so Dependabot avoids immediately chasing fresh
releases:
  - 7 days for minor updates
  - 2 days for patch updates
- Update the Dependabot automerge workflow to generate a GitHub App
token before approving PRs
- Auto-approve and enable automerge only for patch and minor updates,
including `0.x` minors
- Leave major update PRs for human review and merge
## Why
Dependabot was not able to approve/automerge PRs using the default
token. This follows the GitHub App token pattern recommended by
security, while also tuning Dependabot for a better signal-to-noise
ratio.
The resulting behavior is:
- minor/patch updates are batched weekly and can merge after CI passes
- major updates still appear, but individually and without automerge
- security updates remain handled by Dependabot/GitHub outside the
routine grouping policy
Bumps the actions-minor group with 1 update:
[ruby/setup-ruby](https://github.com/ruby/setup-ruby).
Updates `ruby/setup-ruby` from 1.299.0 to 1.300.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ruby/setup-ruby/releases">ruby/setup-ruby's
releases</a>.</em></p>
<blockquote>
<h2>v1.300.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Refactor matrix script by <a
href="https://github.com/ntkme"><code>@ntkme</code></a> in <a
href="https://redirect.github.com/ruby/setup-ruby/pull/897">ruby/setup-ruby#897</a></li>
<li>Add jruby-10.0.5.0 by <a
href="https://github.com/ruby-builder-bot"><code>@ruby-builder-bot</code></a>
in <a
href="https://redirect.github.com/ruby/setup-ruby/pull/900">ruby/setup-ruby#900</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/ruby/setup-ruby/compare/v1.299.0...v1.300.0">https://github.com/ruby/setup-ruby/compare/v1.299.0...v1.300.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e65c17d16e"><code>e65c17d</code></a>
Add jruby-10.0.5.0</li>
<li><a
href="ba696adf55"><code>ba696ad</code></a>
Refactor matrix script</li>
<li><a
href="2327de0bdc"><code>2327de0</code></a>
TruffleRuby 34+ does not support macOS Intel</li>
<li>See full diff in <a
href="3ff19f5e2b...e65c17d16e">compare
view</a></li>
</ul>
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
## Summary
This PR prepares `supabase/setup-cli` for `v2.0.0`.
The main goal of this release is to simplify the action and modernize
the repo/tooling around a Bun-based implementation, while tightening
workflows, tests, and documentation.
## What Changed
### Action runtime
- switched the action from a Node/compiled `dist` runtime to a Bun-based
composite action
- removed the checked-in `dist/` output entirely
- simplified the action source down to a single runtime file in
`src/main.ts`
- kept the public action interface the same:
  - `with.version`
  - `outputs.version`
### Tooling
- switched package management and local tooling from npm to Bun
- removed Rollup and the build step
- replaced Jest with Bun’s native test runner
- replaced Prettier with `oxfmt`
- replaced ESLint with `oxlint`
- enabled type-aware/type-check linting with `oxlint-tsgolint`
- simplified TypeScript config to a single `tsconfig.json` extending
`@tsconfig/bun`
### Tests
- moved tests next to the runtime source
- rewrote tests to focus on meaningful user-facing action behavior
- added coverage for:
  - default entrypoint execution
  - latest version installs
  - legacy version installs
  - modern pinned version installs
  - failure when the installed CLI cannot report a version
- action code coverage is now `100%`
### Workflows
- renamed workflow files for clarity:
  - `test.yml` -> `ci.yml`
  - `start.yml` -> `e2e.yml`
- updated workflow/job naming so required checks are clean and stable:
  - `CI`
  - `E2E`
  - `CodeQL`
  - `Licensed`
- added aggregate PR-facing checks so branch protection does not need
matrix legs
- made CI and E2E skip heavy jobs on draft PRs
- made E2E run automatically on ready PRs and new commits
- simplified CodeQL config by removing the separate config file
- updated action pins to current releases using commit SHAs
- refined Dependabot for Bun-era updates and non-major auto-merge
### Docs
- refreshed `README.md` and `docs/index.md` for the new v2 behavior
- updated examples to use `@v2`
- added a practical example for exporting local Supabase env vars after
`supabase start`
- removed stale references to old local/dev flows
## Breaking / Notable Changes
- the action now runs as a Bun-based composite action instead of a
prebuilt JavaScript action
- no checked-in `dist/` artifacts anymore
- self-hosted runners now need the prerequisites expected by the
composite action path:
  - `bash`
  - network access to install Bun/dependencies and download the Supabase
    CLI
## Validation
Verified locally with:
- `bun run format:check`
- `bun run lint`
- `bun test`
- `bun run ci`
Also updated workflows and branch-protection-friendly check names so PR
validation is cleaner going forward.
## Follow-up
After merge, branch protection should require only:
- `CI`
- `E2E`
- `CodeQL`
- `Licensed`
---------
Co-authored-by: licensed-ci <licensed-ci@users.noreply.github.com>
* fix: only test on latest
Should help with GitHub API rate limiting
* Update .github/workflows/test.yml
* fix: add github token to workflow
* fix: authenticate with github api
* chore: remove token env
* chore: update dist files
* Revert "chore: remove token env"
This reverts commit 913c7a8e6f.
* chore: use gh token env var
* chore: update user agent string
* chore: organize imports
Co-authored-by: Han Qiao <qiao@supabase.io>
The original sample hides the result of `git diff`. So if `git diff` returns an
error (e.g. invalid file name specified), the result will be success.
We can use the `--exit-code` option if we only want to know whether differences
exist without depending on other commands.
Ref: https://git-scm.com/docs/git-diff#Documentation/git-diff.txt---exit-code
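
The failure mode described in the commit message above, as an added example that is not part of the original commit or the repository's workflow. `piped_check` is an assumed stand-in for the original sample, which is not shown here; the function names, the `dist/` path and the throwaway repository are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. piped_check is an assumed stand-in for "the original sample";
# all function names and the dist/ layout are constructed for illustration.

# Build a throwaway repository with one tracked file and print its path.
make_demo_repo() {
  local repo
  repo=$(mktemp -d) || return 1
  git -C "$repo" init -q >/dev/null 2>&1 || return 1
  mkdir "$repo/dist" && echo 'console.log(1)' > "$repo/dist/index.js"
  git -C "$repo" add dist/index.js >/dev/null 2>&1 || return 1
  echo "$repo"
}

# Piped form: the pipeline's status is wc's, so a git failure produces zero
# lines of output and is reported as "clean". stderr is silenced for brevity.
piped_check() {
  if [ "$(git -C "$1" diff "$2" 2>/dev/null | wc -l)" -gt 0 ]; then
    echo dirty
  else
    echo clean
  fi
}

# --exit-code form: 0 = no differences, 1 = differences, anything else means
# git itself failed and the check must not pass.
exit_code_check() {
  local rc=0
  git -C "$1" diff --exit-code "$2" >/dev/null 2>&1 || rc=$?
  case "$rc" in
    0) echo clean ;;
    1) echo dirty ;;
    *) echo error ;;
  esac
}

# Run with "demo" as the first argument to print all three cases.
if [ "${1:-}" = demo ]; then
  repo=$(make_demo_repo) || exit 1
  echo "unchanged: piped=$(piped_check "$repo" dist/) exit-code=$(exit_code_check "$repo" dist/)"
  echo '// edit' >> "$repo/dist/index.js"
  echo "modified:  piped=$(piped_check "$repo" dist/) exit-code=$(exit_code_check "$repo" dist/)"
  echo "bad path:  piped=$(piped_check "$repo" no-such-dir/) exit-code=$(exit_code_check "$repo" no-such-dir/)"
  rm -rf "$repo"
fi
```

In a CI step, the third case is the one that matters: a mistyped path makes the piped check pass silently, while the `--exit-code` form fails the job.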