## What changed
Remove the unsupported `cooldown.semver-minor-days` and
`cooldown.semver-patch-days` settings from the `github-actions`
Dependabot ecosystem.
The Bun ecosystem keeps its cooldown settings, and GitHub Actions
updates keep the weekly Tuesday schedule, PR limit, and minor/patch
grouping.
## Why
Dependabot rejects semver-specific cooldown properties for the
`github-actions` ecosystem with:
```
The property `#/updates/0/cooldown/semver-minor-days` is not supported for the package ecosystem `github-actions`.
The property `#/updates/0/cooldown/semver-patch-days` is not supported for the package ecosystem `github-actions`.
```
Removing those keys restores a valid Dependabot config while preserving
the grouped weekly update policy.
## Validation
- Parsed `.github/dependabot.yml` successfully as YAML
## What changed
This updates our Dependabot policy to reduce routine dependency-update
noise while keeping minor and patch updates moving automatically.
- Configure Dependabot to run weekly on Tuesday at 09:00 Europe/Paris
for both `github-actions` and `bun`
- Group all minor and patch updates per ecosystem:
- one GitHub Actions update PR
- one Bun dependency update PR
- Keep major updates ungrouped so Dependabot opens individual PRs for
manual review
- Reduce routine open Dependabot PRs to one per ecosystem
- Add cooldown windows so Dependabot avoids immediately chasing fresh
releases:
- 7 days for minor updates
- 2 days for patch updates
- Update the Dependabot automerge workflow to generate a GitHub App
token before approving PRs
- Auto-approve and enable automerge only for patch and minor updates,
including `0.x` minors
- Leave major update PRs for human review and merge
## Why
Dependabot was not able to approve/automerge PRs using the default
token. This follows the GitHub App token pattern recommended by
security, while also tuning Dependabot for a better signal-to-noise
ratio.
The resulting behavior is:
- minor/patch updates are batched weekly and can merge after CI passes
- major updates still appear, but individually and without automerge
- security updates remain handled by Dependabot/GitHub outside the
routine grouping policy
## Summary
This PR prepares `supabase/setup-cli` for `v2.0.0`.
The main goal of this release is to simplify the action and modernize
the repo/tooling around a Bun-based implementation, while tightening
workflows, tests, and documentation.
## What Changed
### Action runtime
- switched the action from a Node/compiled `dist` runtime to a Bun-based
composite action
- removed the checked-in `dist/` output entirely
- simplified the action source down to a single runtime file in
`src/main.ts`
- kept the public action interface the same:
- `with.version`
- `outputs.version`
### Tooling
- switched package management and local tooling from npm to Bun
- removed Rollup and the build step
- replaced Jest with Bun’s native test runner
- replaced Prettier with `oxfmt`
- replaced ESLint with `oxlint`
- enabled type-aware/type-check linting with `oxlint-tsgolint`
- simplified TypeScript config to a single `tsconfig.json` extending
`@tsconfig/bun`
### Tests
- moved tests next to the runtime source
- rewrote tests to focus on meaningful user-facing action behavior
- added coverage for:
- default entrypoint execution
- latest version installs
- legacy version installs
- modern pinned version installs
- failure when the installed CLI cannot report a version
- action code coverage is now `100%`
### Workflows
- renamed workflow files for clarity:
- `test.yml` -> `ci.yml`
- `start.yml` -> `e2e.yml`
- updated workflow/job naming so required checks are clean and stable:
- `CI`
- `E2E`
- `CodeQL`
- `Licensed`
- added aggregate PR-facing checks so branch protection does not need
matrix legs
- made CI and E2E skip heavy jobs on draft PRs
- made E2E run automatically on ready PRs and new commits
- simplified CodeQL config by removing the separate config file
- updated action pins to current releases using commit SHAs
- refined Dependabot for Bun-era updates and non-major auto-merge
### Docs
- refreshed `README.md` and `docs/index.md` for the new v2 behavior
- updated examples to use `@v2`
- added a practical example for exporting local Supabase env vars after
`supabase start`
- removed stale references to old local/dev flows
## Breaking / Notable Changes
- the action now runs as a Bun-based composite action instead of a
prebuilt JavaScript action
- no checked-in `dist/` artifacts anymore
- self-hosted runners now need the prerequisites expected by the
composite action path:
- `bash`
- network access to install Bun/dependencies and download the Supabase
CLI
## Validation
Verified locally with:
- `bun run format:check`
- `bun run lint`
- `bun test`
- `bun run ci`
Also updated workflows and branch-protection-friendly check names so PR
validation is cleaner going forward.
## Follow-up
After merge, branch protection should require only:
- `CI`
- `E2E`
- `CodeQL`
- `Licensed`
---------
Co-authored-by: licensed-ci <licensed-ci@users.noreply.github.com>
