## Summary
Fixes setup-cli in Alpine/Linux musl containers after the Supabase CLI
v2.99+ release layout introduced a Bun/TypeScript `supabase` shim
alongside `supabase-go`.
This keeps the v2 action on Bun, but makes the musl paths explicit:
- Detect Linux musl before running `oven-sh/setup-bun` and pass the
matching `bun-linux-*-musl.zip` via `bun-download-url`.
- Use POSIX `sh` for composite shell steps so the action can run in
minimal Alpine containers without `bash`.
- Detect Linux musl in the CLI installer and download the existing
`.apk` release asset for CLI v2.99+.
- Add the extracted APK `usr/bin` directory to PATH.
- Keep existing tar/zip behavior for glibc Linux, macOS, and Windows.
## Root Cause
`oven-sh/setup-bun` does not currently include libc detection in its
automatic release asset selection, so Alpine containers received a glibc
Bun binary. Separately, setup-cli downloaded the generic Linux `.tar.gz`
Supabase CLI asset, whose `supabase` shim is glibc-linked in v2.99+; the
`.apk` asset contains the musl-linked shim.
## Testing
- `bun run ci`
- Manual GitHub workflow in
https://github.com/jgoux/setup-cli-testing/actions/runs/2616196598653
## Summary
- Add an optional `github-token` input to authenticate the GitHub
release lookup used by `version: latest`.
- Pass the token through the composite action as
`SUPABASE_CLI_GITHUB_TOKEN` and use it as a bearer token for the
`/repos/supabase/cli/releases/latest` request.
- Update this repository's CI smoke test and README examples to pass
`${{ github.token }}` when testing or using `latest`.
## Root Cause
CI failed in `test (macos-latest, latest)` because the action resolved
`latest` through an unauthenticated GitHub REST API request and hit the
low unauthenticated rate limit. The dependency bump in #429 was not the
cause; the validate job passed and the failure happened inside the
release lookup path.
## Impact
Pinned versions continue to work without a token. For `version: latest`,
callers can now pass `${{ github.token }}` to avoid unauthenticated API
rate limiting while keeping the input optional for backward
compatibility.
## Validation
- `bun run ci`
## Summary
Supabase CLI v2.99.0 changed the release archive layout. The `latest`
release no longer exposes assets like `supabase_linux_amd64.tar.gz`; the
downloadable tarballs are now versioned, for example
`supabase_2.99.0_linux_amd64.tar.gz`. Windows archives also switched to
`.zip` for v2.99.0+.
This updates the setup action to:
- Resolve `latest` to the actual Supabase CLI release tag before
building the download URL.
- Keep the existing unversioned archive path for CLI versions before
v2.99.0.
- Use the new versioned archive path for v2.99.0 and later.
- Extract Windows v2.99.0+ archives with `extractZip`; keep tar
extraction for Linux and macOS.
- Continue executing the main `supabase` binary even though the archive
now also contains `supabase-go`.
This should fix the `latest` download failure reported in
supabase/cli#5257.
## Testing
- `bun test`
- `bun run ci`
- Local smoke test with `INPUT_VERSION=latest bun src/main.ts`, which
downloaded and executed `supabase_2.99.0_darwin_arm64.tar.gz`
successfully.
## Summary
This PR prepares `supabase/setup-cli` for `v2.0.0`.
The main goal of this release is to simplify the action and modernize
the repo/tooling around a Bun-based implementation, while tightening
workflows, tests, and documentation.
## What Changed
### Action runtime
- switched the action from a Node/compiled `dist` runtime to a Bun-based
composite action
- removed the checked-in `dist/` output entirely
- simplified the action source down to a single runtime file in
`src/main.ts`
- kept the public action interface the same:
- `with.version`
- `outputs.version`
### Tooling
- switched package management and local tooling from npm to Bun
- removed Rollup and the build step
- replaced Jest with Bun’s native test runner
- replaced Prettier with `oxfmt`
- replaced ESLint with `oxlint`
- enabled type-aware/type-check linting with `oxlint-tsgolint`
- simplified TypeScript config to a single `tsconfig.json` extending
`@tsconfig/bun`
### Tests
- moved tests next to the runtime source
- rewrote tests to focus on meaningful user-facing action behavior
- added coverage for:
- default entrypoint execution
- latest version installs
- legacy version installs
- modern pinned version installs
- failure when the installed CLI cannot report a version
- action code coverage is now `100%`
### Workflows
- renamed workflow files for clarity:
- `test.yml` -> `ci.yml`
- `start.yml` -> `e2e.yml`
- updated workflow/job naming so required checks are clean and stable:
- `CI`
- `E2E`
- `CodeQL`
- `Licensed`
- added aggregate PR-facing checks so branch protection does not need
matrix legs
- made CI and E2E skip heavy jobs on draft PRs
- made E2E run automatically on ready PRs and new commits
- simplified CodeQL config by removing the separate config file
- updated action pins to current releases using commit SHAs
- refined Dependabot for Bun-era updates and non-major auto-merge
### Docs
- refreshed `README.md` and `docs/index.md` for the new v2 behavior
- updated examples to use `@v2`
- added a practical example for exporting local Supabase env vars after
`supabase start`
- removed stale references to old local/dev flows
## Breaking / Notable Changes
- the action now runs as a Bun-based composite action instead of a
prebuilt JavaScript action
- no checked-in `dist/` artifacts anymore
- self-hosted runners now need the prerequisites expected by the
composite action path:
- `bash`
- network access to install Bun/dependencies and download the Supabase
CLI
## Validation
Verified locally with:
- `bun run format:check`
- `bun run lint`
- `bun test`
- `bun run ci`
Also updated workflows and branch-protection-friendly check names so PR
validation is cleaner going forward.
## Follow-up
After merge, branch protection should require only:
- `CI`
- `E2E`
- `CodeQL`
- `Licensed`
---------
Co-authored-by: licensed-ci <licensed-ci@users.noreply.github.com>
