Install Supabase CLI from npm

2026-06-28 18:06:59 +00:00 · 2026-06-26 19:06:40 +02:00
10 changed files with 625 additions and 672 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -46,13 +46,12 @@ jobs:
      fail-fast: false
      matrix:
        os: [macos-latest, windows-latest, ubuntu-latest]
-        version: [1.0.0, latest]
+        version: [1.178.2, latest, beta]
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: ./
        with:
          version: ${{ matrix.version }}
          github-token: ${{ github.token }}
      - run: supabase -h
  ci:
--- a/.licenses/npm/@actions/tool-cache.dep.yml
+++ b/.licenses/npm/@actions/tool-cache.dep.yml
@@ -1,20 +0,0 @@
 ---
 name: "@actions/tool-cache"
 version: 4.0.0
 type: npm
 summary: Actions tool-cache lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/tool-cache
 license: mit
 licenses:
  - sources: LICENSE.md
    text: |-
      The MIT License (MIT)
      Copyright 2019 GitHub
      Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
      The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
      THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 notices: []
--- a/.licenses/npm/semver.dep.yml
+++ b/.licenses/npm/semver.dep.yml
@@ -1,26 +0,0 @@
 ---
 name: semver
 version: 7.7.4
 type: npm
 summary: The semantic version parser used by npm.
 homepage:
 license: isc
 licenses:
  - sources: LICENSE
    text: |
      The ISC License
      Copyright (c) Isaac Z. Schlueter and Contributors
      Permission to use, copy, modify, and/or distribute this software for any
      purpose with or without fee is hereby granted, provided that the above
      copyright notice and this permission notice appear in all copies.
      THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
      WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
      MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
      ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
      WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
      ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
      IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 notices: []
--- a/README.md
+++ b/README.md
@@ -24,41 +24,43 @@ Setup the `supabase` CLI:
 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
 ```
 If `version` is omitted, the action checks the repository root for `bun.lock`,
-`pnpm-lock.yaml`, or `package-lock.json` and uses the declared `supabase`
+`pnpm-lock.yaml`, or `package-lock.json` and installs the declared `supabase`
-version. If no supported lockfile is present, it falls back to `latest`.
+package version through npm. If the lockfile includes package integrity
 metadata, the action verifies it against the npm registry before installing. If
 no supported lockfile is present, it falls back to `latest`.
-A specific version of the `supabase` CLI can be installed:
+The action provisions Node.js and npm internally, so runners do not need npm
 preinstalled. Runners must be able to reach the npm registry to install the CLI
 package.
 A fixed npm-published version, `latest`, or `beta` of the `supabase` CLI can be
 installed:
 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
    with:
      version: 2.84.2
 ```
 To always track the latest beta prerelease, set `version` to `beta`. This is
 useful for surfacing (and fixing) breakages early:
 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
    with:
      version: beta
      github-token: ${{ github.token }}
 ```
 Run `supabase db start` to execute all migrations on a fresh database:
 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
    with:
      version: latest
      github-token: ${{ github.token }}
  - run: supabase init
  - run: supabase db start
 ```
@@ -70,10 +72,9 @@ on Windows and macOS runners.
 The action supports the following inputs:
-| Name           | Type   | Description                                                                       | Default                           | Required |
+| Name      | Type   | Description                                                      | Default                           | Required |
-| -------------- | ------ | --------------------------------------------------------------------------------- | --------------------------------- | -------- |
+| --------- | ------ | ---------------------------------------------------------------- | --------------------------------- | -------- |
-| `version`      | String | Supabase CLI version (or `latest`, or `beta` for the latest beta release)         | Root lockfile version or `latest` | false    |
+| `version` | String | Supabase CLI `latest`, `beta`, or fixed version published to npm | Root lockfile version or `latest` | false    |
 | `github-token` | String | GitHub token used to resolve `latest`/`beta` without unauthenticated API limiting |                                   | false    |
 ## Advanced Usage
@@ -81,7 +82,7 @@ Check generated TypeScript types are up-to-date with Postgres schema:
 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
  - run: supabase init
  - run: supabase db start
  - name: Verify generated types match Postgres schema
@@ -104,7 +105,7 @@ env:
  PROJECT_ID: <project-id>
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
  - run: supabase link --project-ref $PROJECT_ID
  - run: supabase db push
 ```
@@ -113,7 +114,7 @@ Export local Supabase env vars for app tests:
 ```yaml
 steps:
-  - uses: supabase/setup-cli@v2
+  - uses: supabase/setup-cli@v3
  - run: supabase init
  - run: supabase start
  - name: Export local Supabase env vars
@@ -158,7 +159,7 @@ need to perform a few setup steps before you can work on the action.
 ## Publish
 1. Create a new GitHub release
-2. Rebase `v2` branch on `main`
+2. Rebase `v3` branch on `main`
 Your action is now published! :rocket:
@@ -175,7 +176,6 @@ steps:
  - uses: ./
    with:
      version: latest
      github-token: ${{ github.token }}
 ```
 The CI workflow provides fast smoke coverage across GitHub-hosted runners, and
--- a/action.yml
+++ b/action.yml
@@ -3,10 +3,7 @@ description: Setup Supabase CLI, supabase, on GitHub Actions runners
 author: Supabase
 inputs:
  version:
-    description: Version of Supabase CLI to install. Accepts a specific version, "latest", or "beta" (latest beta prerelease). If omitted, detect from the root lockfile and otherwise use latest.
+    description: Supabase CLI version to install. Supports latest, beta, or a fixed version published to npm. If omitted, detect from the root lockfile and otherwise use latest.
    required: false
  github-token:
    description: GitHub token used to resolve the latest Supabase CLI release without hitting unauthenticated API limits.
    required: false
 outputs:
  version:
@@ -95,6 +92,11 @@ runs:
        echo "::error::Linux musl containers need libstdc++ and libgcc to run Supabase CLI. Install them before supabase/setup-cli."
        exit 1
    - name: Setup Node
      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      with:
        node-version: 24
    - name: Setup Bun
      uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
      with:
@@ -112,5 +114,4 @@ runs:
      working-directory: ${{ github.action_path }}
      env:
        INPUT_VERSION: ${{ inputs.version }}
        SUPABASE_CLI_GITHUB_TOKEN: ${{ inputs.github-token }}
      run: bun src/main.ts
--- a/bun.lock
+++ b/bun.lock
@@ -6,7 +6,6 @@
      "name": "setup-cli",
      "dependencies": {
        "@actions/core": "^3.0.1",
        "@actions/tool-cache": "^4.0.0",
      },
      "devDependencies": {
        "@tsconfig/bun": "^1.0.10",
@@ -27,8 +26,6 @@
    "@actions/io": ["@actions/io@3.0.2", "", {}, "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw=="],
    "@actions/tool-cache": ["@actions/tool-cache@4.0.0", "", { "dependencies": { "@actions/core": "^3.0.0", "@actions/exec": "^3.0.0", "@actions/http-client": "^4.0.0", "@actions/io": "^3.0.0", "semver": "^7.7.3" } }, "sha512-L8P9HbXvpvqjZDveb/fdsa55IVC0trfPgQ4ZwGo6r5af6YDVdM9vMGPZ7rgY2fAT9gGj4PSYd6bYlg3p3jD78A=="],
    "@oxfmt/binding-android-arm-eabi": ["@oxfmt/binding-android-arm-eabi@0.49.0", "", { "os": "android", "cpu": "arm" }, "sha512-HbifJ84prIh9+55CTPAU35JdRQrwg47y16cGerCC+iejSKOuHXYo2WDql6l7cQlzrYVtc3f4UWY+dBj2lRmOeA=="],
    "@oxfmt/binding-android-arm64": ["@oxfmt/binding-android-arm64@0.49.0", "", { "os": "android", "cpu": "arm64" }, "sha512-Ef7SKJqAaH2d7E6eXZZa2OffIShbhFMxnGK0zd93p4qiyTJr75B0qf7lrPD+qQOwcf04BrjYJ0JUxq8d5+yZwg=="],
@@ -147,8 +144,6 @@
    "oxlint-tsgolint": ["oxlint-tsgolint@0.22.1", "", { "optionalDependencies": { "@oxlint-tsgolint/darwin-arm64": "0.22.1", "@oxlint-tsgolint/darwin-x64": "0.22.1", "@oxlint-tsgolint/linux-arm64": "0.22.1", "@oxlint-tsgolint/linux-x64": "0.22.1", "@oxlint-tsgolint/win32-arm64": "0.22.1", "@oxlint-tsgolint/win32-x64": "0.22.1" }, "bin": { "tsgolint": "bin/tsgolint.js" } }, "sha512-YUSGSLUnoolsu8gxISEDio3q1rtsCozwfOzASUn3DT2mR2EeQ93uEEnen7s+6LpF+lyTQFln1pQfqwBh/fsVEg=="],
    "semver": ["semver@7.7.4", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA=="],
    "tinypool": ["tinypool@2.1.0", "", {}, "sha512-Pugqs6M0m7Lv1I7FtxN4aoyToKg1C4tu+/381vH35y8oENM/Ai7f7C4StcoK4/+BSw9ebcS8jRiVrORFKCALLw=="],
    "tunnel": ["tunnel@0.0.6", "", {}, "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg=="],
@@ -156,7 +151,5 @@
    "undici": ["undici@6.24.1", "", {}, "sha512-sC+b0tB1whOCzbtlx20fx3WgCXwkW627p4EA9uM+/tNNPkSS+eSEld6pAs9nDv7WbY1UUljBMYPtu9BCOrCWKA=="],
    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
    "@actions/tool-cache/@actions/core": ["@actions/core@3.0.0", "", { "dependencies": { "@actions/exec": "^3.0.0", "@actions/http-client": "^4.0.0" } }, "sha512-zYt6cz+ivnTmiT/ksRVriMBOiuoUpDCJJlZ5KPl2/FRdvwU3f7MPh9qftvbkXJThragzUZieit2nyHUyw53Seg=="],
  }
 }
--- a/docs/index.md
+++ b/docs/index.md
@@ -7,7 +7,11 @@ The action supports `ubuntu-latest`, `windows-latest`, and `macos-latest`, and
 adds the requested `supabase` version to `PATH` for the rest of the job.
 If `version` is omitted, the action checks the repository root for `bun.lock`,
-`pnpm-lock.yaml`, or `package-lock.json` and otherwise falls back to `latest`.
+`pnpm-lock.yaml`, or `package-lock.json` and otherwise falls back to npm
 `latest`.
 The action provisions Node.js and npm internally; runners only need network
 access to the npm registry.
 ## Quick Start
@@ -24,19 +28,27 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
-      - uses: supabase/setup-cli@v2
+      - uses: supabase/setup-cli@v3
      - run: supabase init
      - run: supabase db start
 ```
-To pin a specific CLI version:
+To pin a fixed npm-published CLI version:
 ```yaml
- uses: supabase/setup-cli@v2
+- uses: supabase/setup-cli@v3
  with:
    version: 2.84.2
 ```
 To test the current beta release:
 ```yaml
 - uses: supabase/setup-cli@v3
  with:
    version: beta
 ```
 ## Resources
 - **Source Code**: <https://github.com/supabase/setup-cli>
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "setup-cli",
-  "version": "2.0.0",
+  "version": "3.0.0",
  "private": true,
  "description": "Supabase CLI GitHub Action",
  "keywords": [
@@ -24,8 +24,7 @@
    "typecheck": "bun x tsgo -p tsconfig.json --noEmit"
  },
  "dependencies": {
-    "@actions/core": "^3.0.1",
+    "@actions/core": "^3.0.1"
    "@actions/tool-cache": "^4.0.0"
  },
  "devDependencies": {
    "@tsconfig/bun": "^1.0.10",
--- a/src/main.test.ts
+++ b/src/main.test.ts
@@ -1,31 +1,29 @@
-import { mkdirSync, mkdtempSync, rmSync, writeFileSync } from "node:fs";
+import { mkdirSync, mkdtempSync, readFileSync, rmSync, writeFileSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import process from "node:process";
 import { fileURLToPath } from "node:url";
 import { afterEach, expect, mock, spyOn, test } from "bun:test";
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
 const repo = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
 const defaultEntrypoint = fileURLToPath(new URL("./main.ts", import.meta.url));
 const CLI_CONFIG_REGISTRY = "SUPABASE_INTERNAL_IMAGE_REGISTRY";
-const GITHUB_RELEASES_API = "https://api.github.com/repos/supabase/cli/releases/latest";
+const originalPath = process.env.PATH;
-const GITHUB_RELEASES_LIST_API = "https://api.github.com/repos/supabase/cli/releases";
+const originalRunnerTemp = process.env.RUNNER_TEMP;
 const GITHUB_TOKEN_ENV = "SUPABASE_CLI_GITHUB_TOKEN";
 const originalWorkspace = process.env.GITHUB_WORKSPACE;
 const originalGithubToken = process.env[GITHUB_TOKEN_ENV];
 const tempDirs = new Set<string>();
 let mainModule: typeof import("./main.ts") | null = null;
 afterEach(() => {
  mock.restore();
  process.env.PATH = originalPath;
  process.env.RUNNER_TEMP = originalRunnerTemp;
  process.env.GITHUB_WORKSPACE = originalWorkspace;
-  if (originalGithubToken === undefined) {
+  delete process.env.FAKE_CLI_VERSION;
-    delete process.env[GITHUB_TOKEN_ENV];
+  delete process.env.FAKE_NPM_BIN;
-  } else {
+  delete process.env.FAKE_NPM_INTEGRITY;
-    process.env[GITHUB_TOKEN_ENV] = originalGithubToken;
+  delete process.env.FAKE_NPM_LOG;
-  }
+  delete process.env.FAKE_NPM_PACKAGE_VERSION;
  delete process.env.FAKE_NPM_POSTINSTALL;
  delete process.env.SUPABASE_SETUP_CLI_NPM;
  for (const dir of tempDirs) {
    rmSync(dir, { force: true, recursive: true });
@@ -33,32 +31,14 @@ afterEach(() => {
  tempDirs.clear();
 });
-function createFakeCli(versionOutput: string): string {
+function createTempDir(prefix: string): string {
-  const dir = mkdtempSync(path.join(os.tmpdir(), "setup-cli-"));
+  const dir = mkdtempSync(path.join(os.tmpdir(), prefix));
  tempDirs.add(dir);
  if (process.platform === "win32") {
    writeFileSync(
      path.join(dir, "supabase.cmd"),
      versionOutput ? `@echo off\r\necho ${versionOutput}\r\n` : "@echo off\r\n",
    );
    return dir;
  }
  const escapedOutput = versionOutput.replaceAll("'", "'\"'\"'");
  writeFileSync(
    path.join(dir, "supabase"),
    versionOutput
      ? `#!/usr/bin/env bash\nprintf '%s\\n' '${escapedOutput}'\n`
      : "#!/usr/bin/env bash\n",
  );
  Bun.spawnSync(["chmod", "+x", path.join(dir, "supabase")]);
  return dir;
 }
 function createWorkspace(files: Record<string, string>): string {
-  const dir = mkdtempSync(path.join(os.tmpdir(), "setup-cli-workspace-"));
+  const dir = createTempDir("setup-cli-workspace-");
  tempDirs.add(dir);
  for (const [relativePath, content] of Object.entries(files)) {
    const filePath = path.join(dir, relativePath);
@@ -74,6 +54,7 @@ function createBunLock(
  options: {
    includeDependency?: boolean;
    includePackageEntry?: boolean;
    integrity?: string;
    useDevDependency?: boolean;
  } = {},
 ): string {
@@ -99,7 +80,7 @@ ${
      "supabase@${version}",
      "",
      {},
-      "sha512-test"
+      "${options.integrity ?? "sha512-bun"}"
    ]`
    : ""
 }
@@ -110,7 +91,12 @@ ${
 function createPnpmLock(
  version: string,
-  options: { asString?: boolean; includeVersion?: boolean; useDevDependency?: boolean } = {},
+  options: {
    asString?: boolean;
    includeVersion?: boolean;
    integrity?: string;
    useDevDependency?: boolean;
  } = {},
 ): string {
  const dependencyKey = options.useDevDependency ? "devDependencies" : "dependencies";
@@ -128,11 +114,11 @@ ${options.includeVersion === false ? "" : `        version: ${version}`}`
 packages:
  supabase@${version}:
    resolution:
-      integrity: sha512-test
+      integrity: ${options.integrity ?? "sha512-pnpm"}
 `;
 }
-function createPackageLock(version: string): string {
+function createPackageLock(version: string, integrity = "sha512-package-lock"): string {
  return JSON.stringify(
    {
      name: "app",
@@ -144,6 +130,7 @@ function createPackageLock(version: string): string {
          },
        },
        "node_modules/supabase": {
          integrity,
          version,
        },
      },
@@ -153,46 +140,142 @@ function createPackageLock(version: string): string {
  );
 }
-function createActionSpies(inputVersion: string, cliDir: string, expectedUrlFragment: string) {
+function createFakeNpm(): string {
  const root = createTempDir("setup-cli-fake-npm-");
  const binDir = path.join(root, "bin");
  const scriptPath = path.join(root, "fake-npm.js");
  mkdirSync(binDir, { recursive: true });
  writeFileSync(
    scriptPath,
    `import { appendFileSync, mkdirSync, writeFileSync } from "node:fs";
 import path from "node:path";
 const args = process.argv.slice(2);
 appendFileSync(process.env.FAKE_NPM_LOG, JSON.stringify(args) + "\\n");
 if (args[0] === "view") {
  const bin =
    process.env.FAKE_NPM_BIN === "missing"
      ? undefined
      : { supabase: process.env.FAKE_NPM_BIN ?? "dist/supabase.js" };
  const scripts = process.env.FAKE_NPM_POSTINSTALL
    ? { postinstall: process.env.FAKE_NPM_POSTINSTALL }
    : {};
  console.log(
    JSON.stringify({
      version: process.env.FAKE_NPM_PACKAGE_VERSION ?? "2.101.0",
      bin,
      scripts,
      "dist.integrity": process.env.FAKE_NPM_INTEGRITY ?? "sha512-test",
    }),
  );
  process.exit(0);
 }
 if (args[0] !== "install") {
  console.error("Unexpected npm command: " + args.join(" "));
  process.exit(1);
 }
 const prefixIndex = args.indexOf("--prefix");
 const prefix = prefixIndex === -1 ? undefined : args[prefixIndex + 1];
 if (!prefix) {
  console.error("Missing --prefix");
  process.exit(1);
 }
 const binDir = path.join(prefix, "node_modules", ".bin");
 mkdirSync(binDir, { recursive: true });
 if (process.platform === "win32") {
  writeFileSync(
    path.join(binDir, "supabase.cmd"),
    process.env.FAKE_CLI_VERSION ? "@echo off\\r\\necho " + process.env.FAKE_CLI_VERSION + "\\r\\n" : "@echo off\\r\\n",
  );
 } else {
  writeFileSync(
    path.join(binDir, "supabase"),
    process.env.FAKE_CLI_VERSION
      ? "#!/usr/bin/env bash\\nprintf '%s\\\\n' '" + process.env.FAKE_CLI_VERSION.replaceAll("'", "'\\\\''") + "'\\n"
      : "#!/usr/bin/env bash\\n",
    { mode: 0o755 },
  );
 }
 `,
  );
  if (process.platform === "win32") {
    writeFileSync(
      path.join(binDir, "npm.cmd"),
      `@echo off\r\n"${process.execPath}" "${scriptPath}" %*\r\n`,
    );
  } else {
    writeFileSync(
      path.join(binDir, "npm"),
      `#!/usr/bin/env bash\nexec "${process.execPath}" "${scriptPath}" "$@"\n`,
      { mode: 0o755 },
    );
  }
  return binDir;
 }
 function installFakeNpm(
  versionOutput = "supabase 2.101.0",
  options: {
    bin?: string;
    integrity?: string;
    packageVersion?: string;
    postinstall?: string;
  } = {},
 ): string {
  const binDir = createFakeNpm();
  const logPath = path.join(createTempDir("setup-cli-fake-npm-log-"), "npm.log");
  writeFileSync(logPath, "");
  process.env.FAKE_CLI_VERSION = versionOutput;
  process.env.FAKE_NPM_BIN = options.bin ?? "dist/supabase.js";
  process.env.FAKE_NPM_INTEGRITY = options.integrity ?? "sha512-test";
  process.env.FAKE_NPM_LOG = logPath;
  process.env.FAKE_NPM_PACKAGE_VERSION =
    options.packageVersion ??
    versionOutput.match(/\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?/)?.[0] ??
    "2.101.0";
  if (options.postinstall) {
    process.env.FAKE_NPM_POSTINSTALL = options.postinstall;
  }
  process.env.PATH = `${binDir}${path.delimiter}${originalPath ?? ""}`;
  process.env.RUNNER_TEMP = createTempDir("setup-cli-runner-temp-");
  process.env.SUPABASE_SETUP_CLI_NPM = path.join(
    binDir,
    process.platform === "win32" ? "npm.cmd" : "npm",
  );
  return logPath;
 }
 function readNpmCalls(logPath: string): string[][] {
  return readFileSync(logPath, "utf8")
    .trim()
    .split("\n")
    .filter(Boolean)
    .map((line) => JSON.parse(line) as string[]);
 }
 function viewMetadataCall(spec: string): string[] {
  return ["view", spec, "version", "bin", "scripts", "dist.integrity", "--json"];
 }
 function createActionSpies(inputVersion: string) {
  return {
    getInput: spyOn(core, "getInput").mockReturnValue(inputVersion),
    setOutput: spyOn(core, "setOutput").mockImplementation(() => {}),
    addPath: spyOn(core, "addPath").mockImplementation(() => {}),
    exportVariable: spyOn(core, "exportVariable").mockImplementation(() => {}),
    getInput: spyOn(core, "getInput").mockReturnValue(inputVersion),
    setFailed: spyOn(core, "setFailed").mockImplementation(() => {}),
-    downloadTool: spyOn(tc, "downloadTool").mockImplementation(async (url: string) => {
+    setOutput: spyOn(core, "setOutput").mockImplementation(() => {}),
      expect(url).toContain(expectedUrlFragment);
      return path.join(os.tmpdir(), "supabase-cli.tar.gz");
    }),
    extractTar: spyOn(tc, "extractTar").mockImplementation(async () => cliDir),
    extractZip: spyOn(tc, "extractZip").mockImplementation(async () => cliDir),
  };
 }
 function mockLatestRelease(version = "v2.99.0") {
  return spyOn(globalThis, "fetch").mockResolvedValue(
    new Response(JSON.stringify({ tag_name: version }), {
      status: 200,
      statusText: "OK",
    }),
  );
 }
 function mockBetaReleases(
  releases: Array<{ tag_name: string; prerelease: boolean }> = [
    { tag_name: "v2.100.0-beta.2", prerelease: true },
    { tag_name: "v2.100.0-beta.1", prerelease: true },
    { tag_name: "v2.99.0", prerelease: false },
  ],
 ) {
  return spyOn(globalThis, "fetch").mockResolvedValue(
    new Response(JSON.stringify(releases), {
      status: 200,
      statusText: "OK",
    }),
  );
 }
 async function getMainModule(): Promise<typeof import("./main.ts")> {
  if (!mainModule) {
    mainModule = await import("./main.ts");
@@ -201,253 +284,69 @@ async function getMainModule(): Promise<typeof import("./main.ts")> {
  return mainModule;
 }
-test("uses versioned tar archives for Supabase CLI v2.99.0 and later", async () => {
+test("uses an explicit npm package version when provided", async () => {
-  const { getDownloadArchive } = await getMainModule();
+  const { resolvePackage } = await getMainModule();
-  const archive = await getDownloadArchive("2.99.0", "linux", "x64");
+  expect(resolvePackage("v2.101.0")).toEqual({
-
+    spec: "supabase@2.101.0",
-  expect(archive).toEqual({
+    version: "2.101.0",
    url: "https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_linux_amd64.tar.gz",
    format: "tar",
  });
 });
-test("uses apk archives for Supabase CLI v2.99.0 and later on Linux musl", async () => {
+test("uses an explicit npm dist-tag when provided", async () => {
-  const { getDownloadArchive } = await getMainModule();
+  const { resolvePackage } = await getMainModule();
-  const archive = await getDownloadArchive("2.100.1", "linux", "x64", true);
+  expect(resolvePackage("beta")).toEqual({
-
+    spec: "supabase@beta",
-  expect(archive).toEqual({
+    version: "beta",
    url: "https://github.com/supabase/cli/releases/download/v2.100.1/supabase_2.100.1_linux_amd64.apk",
    format: "apk",
  });
 });
-test("keeps tar archives before Supabase CLI v2.99.0 on Linux musl", async () => {
+test("rejects unsupported npm package selectors", async () => {
-  const { getDownloadArchive } = await getMainModule();
+  const { resolvePackage } = await getMainModule();
-  const archive = await getDownloadArchive("2.98.2", "linux", "x64", true);
+  expect(() => resolvePackage("hotfix")).toThrow(
-
+    'Unsupported Supabase CLI version "hotfix". Use latest, beta, or a fixed npm package version like 2.101.0.',
  expect(archive).toEqual({
    url: "https://github.com/supabase/cli/releases/download/v2.98.2/supabase_linux_amd64.tar.gz",
    format: "tar",
  });
 });
 test("uses usr/bin as the CLI path for apk archives", async () => {
  const { getCliPath } = await getMainModule();
  expect(getCliPath("/tmp/extracted", "apk")).toBe(path.join("/tmp/extracted", "usr", "bin"));
  expect(getCliPath("/tmp/extracted", "tar")).toBe("/tmp/extracted");
  expect(getCliPath("/tmp/extracted", "zip")).toBe("/tmp/extracted");
 });
 test("keeps the unversioned tar archive layout before Supabase CLI v2.99.0", async () => {
  const { getDownloadArchive } = await getMainModule();
  const archive = await getDownloadArchive("2.98.2", "linux", "x64");
  expect(archive).toEqual({
    url: "https://github.com/supabase/cli/releases/download/v2.98.2/supabase_linux_amd64.tar.gz",
    format: "tar",
  });
 });
 test("uses versioned zip archives for Windows Supabase CLI v2.99.0 and later", async () => {
  const { getDownloadArchive } = await getMainModule();
  const archive = await getDownloadArchive("2.99.0", "win32", "x64");
  expect(archive).toEqual({
    url: "https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_windows_amd64.zip",
    format: "zip",
  });
 });
 test("resolves latest before choosing a versioned Supabase CLI archive", async () => {
  mockLatestRelease("v2.99.0");
  const { getDownloadArchive } = await getMainModule();
  const archive = await getDownloadArchive("latest", "darwin", "arm64");
  expect(archive).toEqual({
    url: "https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_darwin_arm64.tar.gz",
    format: "tar",
  });
 });
 test("authenticates latest release lookup when a GitHub token is provided", async () => {
  process.env[GITHUB_TOKEN_ENV] = "ghs_test-token";
  const fetch = mockLatestRelease("v2.99.0");
  const { getDownloadArchive } = await getMainModule();
  await getDownloadArchive("latest", "darwin", "arm64");
  expect(fetch).toHaveBeenCalledWith(GITHUB_RELEASES_API, {
    headers: expect.objectContaining({
      Accept: "application/vnd.github+json",
      Authorization: "Bearer ghs_test-token",
      "X-GitHub-Api-Version": "2022-11-28",
    }),
  });
 });
 test("resolves the latest beta prerelease for the beta channel", async () => {
  mockBetaReleases();
  const { getDownloadArchive } = await getMainModule();
  const archive = await getDownloadArchive("beta", "darwin", "arm64");
  expect(archive).toEqual({
    url: "https://github.com/supabase/cli/releases/download/v2.100.0-beta.2/supabase_2.100.0-beta.2_darwin_arm64.tar.gz",
    format: "tar",
  });
 });
 test("treats the beta channel case-insensitively and skips stable releases", async () => {
  mockBetaReleases([
    { tag_name: "v2.99.0", prerelease: false },
    { tag_name: "v2.100.0-beta.5", prerelease: true },
  ]);
  const { getDownloadArchive } = await getMainModule();
  const archive = await getDownloadArchive("BETA", "linux", "x64");
  expect(archive.url).toContain("/download/v2.100.0-beta.5/supabase_2.100.0-beta.5_linux_amd64");
 });
 test("fails when no beta prerelease is available", async () => {
  mockBetaReleases([{ tag_name: "v2.99.0", prerelease: false }]);
  const { getDownloadArchive } = await getMainModule();
  expect(getDownloadArchive("beta", "linux", "x64")).rejects.toThrow(
    "Failed to resolve latest Supabase CLI beta release: no beta release found",
  );
 });
-test("queries the releases list when resolving the beta channel", async () => {
+test("uses the root bun.lock resolution when version is omitted", async () => {
  const fetch = mockBetaReleases();
  const { getDownloadArchive } = await getMainModule();
  await getDownloadArchive("beta", "darwin", "arm64");
  expect(fetch).toHaveBeenCalledWith(GITHUB_RELEASES_LIST_API, {
    headers: expect.objectContaining({
      Accept: "application/vnd.github+json",
      "X-GitHub-Api-Version": "2022-11-28",
    }),
  });
 });
 test("exports the internal registry when installing the beta channel", async () => {
  mockBetaReleases();
  const cliDir = createFakeCli("supabase 2.100.0-beta.2");
  const spies = createActionSpies("beta", cliDir, "/download/v2.100.0-beta.2/supabase_");
  const { run } = await getMainModule();
  await run();
  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.100.0-beta.2");
  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("awaits the action entrypoint with omitted version and latest fallback", async () => {
  process.env.GITHUB_WORKSPACE = repo;
  mockLatestRelease();
  const cliDir = createFakeCli("supabase 2.84.2");
  let startDownload!: () => void;
  let finishDownload!: () => void;
  const downloadStarted = new Promise<void>((resolve) => {
    startDownload = resolve;
  });
  const downloadFinished = new Promise<string>((resolve) => {
    finishDownload = () => resolve(path.join(os.tmpdir(), "supabase-cli.tar.gz"));
  });
  const spies = {
    getInput: spyOn(core, "getInput").mockReturnValue(""),
    setOutput: spyOn(core, "setOutput").mockImplementation(() => {}),
    addPath: spyOn(core, "addPath").mockImplementation(() => {}),
    exportVariable: spyOn(core, "exportVariable").mockImplementation(() => {}),
    setFailed: spyOn(core, "setFailed").mockImplementation(() => {}),
    downloadTool: spyOn(tc, "downloadTool").mockImplementation(async (url: string) => {
      expect(url).toContain("/download/v2.99.0/supabase_2.99.0_");
      startDownload();
      return downloadFinished;
    }),
    extractTar: spyOn(tc, "extractTar").mockImplementation(async () => cliDir),
    extractZip: spyOn(tc, "extractZip").mockImplementation(async () => cliDir),
  };
  const originalArgv1 = process.argv[1];
  process.argv[1] = defaultEntrypoint;
  try {
    let importSettled = false;
    const entrypoint = import(`./main.ts?entrypoint=${Date.now()}`).finally(() => {
      importSettled = true;
    });
    await downloadStarted;
    await Bun.sleep(0);
    expect(importSettled).toBe(false);
    finishDownload();
    await entrypoint;
  } finally {
    process.argv[1] = originalArgv1 ?? "";
  }
  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.84.2");
  expect(spies.addPath).toHaveBeenCalledWith(cliDir);
  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("uses the root bun.lock version when version is omitted", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
-    "bun.lock": createBunLock("2.41.0"),
+    "bun.lock": createBunLock("2.41.0", { integrity: "sha512-bun-lock" }),
  });
-  const cliDir = createFakeCli("supabase 2.41.0");
+  const { resolvePackage } = await getMainModule();
  const spies = createActionSpies("", cliDir, "/download/v2.41.0/supabase_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    integrity: "sha512-bun-lock",
-  expect(spies.downloadTool).not.toHaveBeenCalledWith(expect.stringContaining("/latest/download/"));
+    spec: "supabase@2.41.0",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.41.0");
+    version: "2.41.0",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+  });
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
-test("uses the root pnpm-lock.yaml version when version is omitted", async () => {
+test("uses the root pnpm-lock.yaml resolution when version is omitted", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
-    "pnpm-lock.yaml": createPnpmLock("2.42.0"),
+    "pnpm-lock.yaml": createPnpmLock("2.42.0", { integrity: "sha512-pnpm-lock" }),
  });
-  const cliDir = createFakeCli("supabase 2.42.0");
+  const { resolvePackage } = await getMainModule();
  const spies = createActionSpies("", cliDir, "/download/v2.42.0/supabase_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    integrity: "sha512-pnpm-lock",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.42.0");
+    spec: "supabase@2.42.0",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+    version: "2.42.0",
-  expect(spies.setFailed).not.toHaveBeenCalled();
+  });
 });
-test("uses the root package-lock.json version when version is omitted", async () => {
+test("uses the root package-lock.json resolution when version is omitted", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
-    "package-lock.json": createPackageLock("2.43.0"),
+    "package-lock.json": createPackageLock("2.43.0", "sha512-package-lock"),
  });
-  const cliDir = createFakeCli("supabase 2.43.0");
+  const { resolvePackage } = await getMainModule();
  const spies = createActionSpies("", cliDir, "/download/v2.43.0/supabase_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    integrity: "sha512-package-lock",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.43.0");
+    spec: "supabase@2.43.0",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+    version: "2.43.0",
-  expect(spies.setFailed).not.toHaveBeenCalled();
+  });
 });
 test("falls through malformed lockfiles and uses the next supported root lockfile", async () => {
@@ -455,60 +354,47 @@ test("falls through malformed lockfiles and uses the next supported root lockfil
    "bun.lock": "{ not valid",
    "package-lock.json": createPackageLock("2.44.0"),
  });
-  const cliDir = createFakeCli("supabase 2.44.0");
+  const { resolvePackage } = await getMainModule();
  const spies = createActionSpies("", cliDir, "/download/v2.44.0/supabase_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    integrity: "sha512-package-lock",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.44.0");
+    spec: "supabase@2.44.0",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+    version: "2.44.0",
-  expect(spies.setFailed).not.toHaveBeenCalled();
+  });
 });
 test("falls back to latest when version is omitted and no supported root lockfile is present", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "README.md": "# app\n",
  });
-  mockLatestRelease();
+  const { resolvePackage } = await getMainModule();
  const cliDir = createFakeCli("supabase 2.84.2");
  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    spec: "supabase@latest",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.84.2");
+    version: "latest",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+  });
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("falls back to latest when version is omitted and no workspace is available", async () => {
  delete process.env.GITHUB_WORKSPACE;
-  mockLatestRelease();
+  const { resolvePackage } = await getMainModule();
  const cliDir = createFakeCli("supabase 2.84.2");
  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    spec: "supabase@latest",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.84.2");
+    version: "latest",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+  });
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("uses the declared bun.lock version when the resolved package entry is missing", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "bun.lock": createBunLock("2.44.1", { includePackageEntry: false, useDevDependency: true }),
  });
-  const cliDir = createFakeCli("supabase 2.44.1");
+  const { resolvePackage } = await getMainModule();
  const spies = createActionSpies("", cliDir, "/download/v2.44.1/supabase_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    spec: "supabase@2.44.1",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.44.1");
+    version: "2.44.1",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+  });
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("falls through bun.lock without supabase and uses a pnpm string dependency version", async () => {
@@ -516,88 +402,183 @@ test("falls through bun.lock without supabase and uses a pnpm string dependency
    "bun.lock": createBunLock("2.47.0", { includeDependency: false }),
    "pnpm-lock.yaml": createPnpmLock("2.47.0", { asString: true }),
  });
-  const cliDir = createFakeCli("supabase 2.47.0");
+  const { resolvePackage } = await getMainModule();
  const spies = createActionSpies("", cliDir, "/download/v2.47.0/supabase_");
  const { run } = await getMainModule();
-  await run();
+  expect(resolvePackage("")).toEqual({
-
+    integrity: "sha512-pnpm",
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.47.0");
+    spec: "supabase@2.47.0",
-  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+    version: "2.47.0",
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("falls through malformed pnpm lockfiles and uses the next supported root lockfile", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "pnpm-lock.yaml": "not: [valid",
    "package-lock.json": createPackageLock("2.48.0"),
  });
  const cliDir = createFakeCli("supabase 2.48.0");
  const spies = createActionSpies("", cliDir, "/download/v2.48.0/supabase_");
  const { run } = await getMainModule();
  await run();
  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.48.0");
  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("falls through unreadable bun.lock paths and malformed package-lock files to latest", async () => {
  const workspace = createWorkspace({
    "package-lock.json": "{ invalid",
  });
  mkdirSync(path.join(workspace, "bun.lock"), { recursive: true });
  process.env.GITHUB_WORKSPACE = workspace;
  mockLatestRelease();
  const cliDir = createFakeCli("supabase 2.84.2");
  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
  const { run } = await getMainModule();
  await run();
  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.84.2");
  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("falls back to latest when a pnpm dependency entry has no concrete version", async () => {
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "pnpm-lock.yaml": createPnpmLock("2.49.0", { includeVersion: false }),
  });
-  mockLatestRelease();
+  const { resolvePackage } = await getMainModule();
-  const cliDir = createFakeCli("supabase 2.84.2");
+
-  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
+  expect(resolvePackage("")).toEqual({
    spec: "supabase@latest",
    version: "latest",
  });
 });
 test("installs the CLI with npm into an isolated prefix", async () => {
  const logPath = installFakeNpm();
  const { installCli } = await getMainModule();
  const cliPath = await installCli({
    spec: "supabase@2.101.0",
    version: "2.101.0",
  });
  expect(cliPath).toContain(`${path.sep}node_modules${path.sep}.bin`);
  expect(readNpmCalls(logPath)).toEqual([
    viewMetadataCall("supabase@2.101.0"),
    [
      "install",
      "--prefix",
      expect.any(String),
      "--omit=dev",
      "--include=optional",
      "--no-audit",
      "--no-fund",
      "--no-package-lock",
      "--ignore-scripts=true",
      "supabase@2.101.0",
    ],
  ]);
 });
 test("allows install scripts for legacy npm packages that declare a postinstall", async () => {
  const logPath = installFakeNpm("supabase 1.178.2", {
    bin: "bin/supabase",
    postinstall: "node scripts/postinstall.js",
  });
  const { installCli } = await getMainModule();
  await installCli({
    spec: "supabase@1.178.2",
    version: "1.178.2",
  });
  expect(readNpmCalls(logPath)).toEqual([
    viewMetadataCall("supabase@1.178.2"),
    [
      "install",
      "--prefix",
      expect.any(String),
      "--omit=dev",
      "--include=optional",
      "--no-audit",
      "--no-fund",
      "--no-package-lock",
      "--ignore-scripts=false",
      "supabase@1.178.2",
    ],
  ]);
 });
 test("verifies lockfile integrity before installing", async () => {
  const logPath = installFakeNpm("supabase 2.101.0", { integrity: "sha512-lock" });
  const { installCli } = await getMainModule();
  await installCli({
    integrity: "sha512-lock",
    spec: "supabase@2.101.0",
    version: "2.101.0",
  });
  expect(readNpmCalls(logPath)).toEqual([
    viewMetadataCall("supabase@2.101.0"),
    [
      "install",
      "--prefix",
      expect.any(String),
      "--omit=dev",
      "--include=optional",
      "--no-audit",
      "--no-fund",
      "--no-package-lock",
      "--ignore-scripts=true",
      "supabase@2.101.0",
    ],
  ]);
 });
 test("fails when lockfile integrity does not match the registry", async () => {
  installFakeNpm("supabase 2.101.0", { integrity: "sha512-registry" });
  const { installCli } = await getMainModule();
  try {
    await installCli({
      integrity: "sha512-lock",
      spec: "supabase@2.101.0",
      version: "2.101.0",
    });
    throw new Error("Expected installCli to reject");
  } catch (error) {
    expect(error).toEqual(
      new Error("Lockfile integrity for supabase@2.101.0 does not match the npm registry"),
    );
  }
 });
 test("fails when the npm package does not expose a Supabase CLI executable", async () => {
  installFakeNpm("supabase 2.101.0", { bin: "missing" });
  const { installCli } = await getMainModule();
  try {
    await installCli({
      spec: "supabase@2.101.0",
      version: "2.101.0",
    });
    throw new Error("Expected installCli to reject");
  } catch (error) {
    expect(error).toEqual(
      new Error("The npm package supabase@2.101.0 does not expose a supabase executable"),
    );
  }
 });
 test("runs the action with a package-lock resolution", async () => {
  const logPath = installFakeNpm("supabase 2.43.0", { integrity: "sha512-package-lock" });
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "package-lock.json": createPackageLock("2.43.0", "sha512-package-lock"),
  });
  const spies = createActionSpies("");
  const { run } = await getMainModule();
  await run();
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.84.2");
+  expect(readNpmCalls(logPath)[0]).toEqual(viewMetadataCall("supabase@2.43.0"));
  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.43.0");
  expect(spies.addPath).toHaveBeenCalledWith(expect.stringContaining("node_modules"));
  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("explicit version overrides detected root lockfiles", async () => {
  installFakeNpm("supabase 1.1.6");
  process.env.GITHUB_WORKSPACE = createWorkspace({
    "bun.lock": createBunLock("2.45.0"),
  });
-  const cliDir = createFakeCli("supabase 1.0.0");
+  const spies = createActionSpies("1.1.6");
  const spies = createActionSpies("1.0.0", cliDir, "/download/v1.0.0/supabase_1.0.0_");
  const { run } = await getMainModule();
  await run();
-  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 1.0.0");
+  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 1.1.6");
  expect(spies.exportVariable).not.toHaveBeenCalled();
  expect(spies.setFailed).not.toHaveBeenCalled();
 });
 test("fails when the installed CLI does not report a version", async () => {
  installFakeNpm("");
  process.env.GITHUB_WORKSPACE = createWorkspace({
-    "package-lock.json": createPackageLock("2.46.0"),
+    "package-lock.json": createPackageLock("2.46.0", "sha512-test"),
  });
-  const cliDir = createFakeCli("");
+  const spies = createActionSpies("");
  const spies = createActionSpies("", cliDir, "/download/v2.46.0/supabase_");
  const { run } = await getMainModule();
  await run();
--- a/src/main.ts
+++ b/src/main.ts
@@ -1,25 +1,30 @@
-import { $, semver } from "bun";
+import { semver } from "bun";
 import * as core from "@actions/core";
-import * as tc from "@actions/tool-cache";
+import { existsSync, mkdtempSync, readFileSync } from "node:fs";
-import { existsSync, readFileSync } from "node:fs";
+import os from "node:os";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 export const CLI_CONFIG_REGISTRY = "SUPABASE_INTERNAL_IMAGE_REGISTRY";
 const REGISTRY_VERSION = "1.28.0";
 const VERSIONED_ARCHIVE_VERSION = "2.99.0";
 const DEFAULT_VERSION = "latest";
-const LATEST_VERSION = "latest";
+const NPM_PACKAGE = "supabase";
-const BETA_VERSION = "beta";
+const NPM_EXECUTABLE_ENV = "SUPABASE_SETUP_CLI_NPM";
-const GITHUB_RELEASES_API = "https://api.github.com/repos/supabase/cli/releases/latest";
+const SUPPORTED_DIST_TAGS = new Set([DEFAULT_VERSION, "beta"]);
-const GITHUB_RELEASES_LIST_API = "https://api.github.com/repos/supabase/cli/releases";
+const CONCRETE_VERSION_PATTERN = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
-const GITHUB_TOKEN_ENV = "SUPABASE_CLI_GITHUB_TOKEN";
+const CONCRETE_VERSION_EXTRACT_PATTERN = /\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?/;
-type ArchiveFormat = "apk" | "tar" | "zip";
+type PackageResolution = {
  spec: string;
  version: string;
  integrity?: string;
 };
-type DownloadArchive = {
+type PackageMetadata = {
-  url: string;
+  version?: unknown;
-  format: ArchiveFormat;
+  bin?: unknown;
  scripts?: unknown;
  "dist.integrity"?: unknown;
 };
 type BunLock = {
@@ -38,6 +43,12 @@ type PnpmDependency =
      version?: string;
    };
 type PnpmPackage = {
  resolution?: {
    integrity?: string;
  };
 };
 type PnpmLock = {
  importers?: {
    ".": {
@@ -45,19 +56,16 @@ type PnpmLock = {
      devDependencies?: Record<string, PnpmDependency>;
    };
  };
  packages?: Record<string, PnpmPackage>;
 };
 type PackageLock = {
-  packages?: Record<string, { version?: string }>;
+  packages?: Record<string, { integrity?: string; version?: string }>;
-  dependencies?: Record<string, { version?: string }>;
+  dependencies?: Record<string, { integrity?: string; version?: string }>;
 };
-function getArchivePlatform(platform: NodeJS.Platform): string {
+function isRecord(value: unknown): value is Record<string, unknown> {
-  return platform === "win32" ? "windows" : platform;
+  return typeof value === "object" && value !== null;
 }
 function getArchiveArch(arch: NodeJS.Architecture): string {
  return arch === "x64" ? "amd64" : arch;
 }
 function extractConcreteVersion(raw: string | undefined): string | null {
@@ -65,7 +73,7 @@ function extractConcreteVersion(raw: string | undefined): string | null {
    return null;
  }
-  const match = raw.match(/\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?/);
+  const match = raw.match(CONCRETE_VERSION_EXTRACT_PATTERN);
  return match?.[0] ?? null;
 }
@@ -73,6 +81,33 @@ function normalizeVersion(version: string): string {
  return version.replace(/^v/i, "");
 }
 function normalizeSupportedVersion(version: string): string {
  const normalizedVersion = normalizeVersion(version.trim());
  const distTag = normalizedVersion.toLowerCase();
  if (SUPPORTED_DIST_TAGS.has(distTag)) {
    return distTag;
  }
  if (CONCRETE_VERSION_PATTERN.test(normalizedVersion)) {
    return normalizedVersion;
  }
  throw new Error(
    `Unsupported Supabase CLI version "${version}". Use latest, beta, or a fixed npm package version like 2.101.0.`,
  );
 }
 function toPackageResolution(version: string, integrity?: string): PackageResolution {
  const normalizedVersion = normalizeSupportedVersion(version);
  return {
    spec: `${NPM_PACKAGE}@${normalizedVersion}`,
    version: normalizedVersion,
    integrity,
  };
 }
 function readWorkspaceLockfile(workspaceRoot: string, filename: string): string | null {
  const filePath = path.join(workspaceRoot, filename);
@@ -87,7 +122,7 @@ function readWorkspaceLockfile(workspaceRoot: string, filename: string): string
  }
 }
-function detectVersionFromBunLock(workspaceRoot: string): string | null {
+function detectResolutionFromBunLock(workspaceRoot: string): PackageResolution | null {
  const text = readWorkspaceLockfile(workspaceRoot, "bun.lock");
  if (!text) {
@@ -98,24 +133,28 @@ function detectVersionFromBunLock(workspaceRoot: string): string | null {
    const lockfile = JSON.parse(text.replace(/,\s*([}\]])/g, "$1")) as BunLock;
    const rootWorkspace = lockfile.workspaces?.[""];
    const declaredVersion =
-      rootWorkspace?.dependencies?.supabase ?? rootWorkspace?.devDependencies?.supabase;
+      rootWorkspace?.dependencies?.[NPM_PACKAGE] ?? rootWorkspace?.devDependencies?.[NPM_PACKAGE];
    if (!declaredVersion) {
      return null;
    }
-    const resolvedPackage = lockfile.packages?.supabase;
+    const resolvedPackage = lockfile.packages?.[NPM_PACKAGE];
    if (Array.isArray(resolvedPackage) && typeof resolvedPackage[0] === "string") {
-      return extractConcreteVersion(resolvedPackage[0]);
+      const version = extractConcreteVersion(resolvedPackage[0]);
      const integrity = typeof resolvedPackage[3] === "string" ? resolvedPackage[3] : undefined;
      return version ? toPackageResolution(version, integrity) : null;
    }
-    return extractConcreteVersion(declaredVersion);
+    const version = extractConcreteVersion(declaredVersion);
    return version ? toPackageResolution(version) : null;
  } catch {
    return null;
  }
 }
-function detectVersionFromPnpmLock(workspaceRoot: string): string | null {
+function detectResolutionFromPnpmLock(workspaceRoot: string): PackageResolution | null {
  const text = readWorkspaceLockfile(workspaceRoot, "pnpm-lock.yaml");
  if (!text) {
@@ -126,19 +165,29 @@ function detectVersionFromPnpmLock(workspaceRoot: string): string | null {
    const lockfile = Bun.YAML.parse(text) as PnpmLock;
    const rootImporter = lockfile.importers?.["."];
    const dependency =
-      rootImporter?.dependencies?.supabase ?? rootImporter?.devDependencies?.supabase;
+      rootImporter?.dependencies?.[NPM_PACKAGE] ?? rootImporter?.devDependencies?.[NPM_PACKAGE];
    const version =
      typeof dependency === "string"
        ? extractConcreteVersion(dependency)
        : extractConcreteVersion(dependency?.version);
-    if (typeof dependency === "string") {
+    if (!version) {
-      return extractConcreteVersion(dependency);
+      return null;
    }
-    return extractConcreteVersion(dependency?.version);
+    const integrity = Object.entries(lockfile.packages ?? {}).find(
      ([packageKey]) =>
        packageKey === `${NPM_PACKAGE}@${version}` ||
        packageKey.startsWith(`/${NPM_PACKAGE}@${version}`),
    )?.[1].resolution?.integrity;
    return toPackageResolution(version, integrity);
  } catch {
    return null;
  }
 }
-function detectVersionFromPackageLock(workspaceRoot: string): string | null {
+function detectResolutionFromPackageLock(workspaceRoot: string): PackageResolution | null {
  const text = readWorkspaceLockfile(workspaceRoot, "package-lock.json");
  if (!text) {
@@ -147,183 +196,135 @@ function detectVersionFromPackageLock(workspaceRoot: string): string | null {
  try {
    const lockfile = JSON.parse(text) as PackageLock;
    const packageEntry = lockfile.packages?.[`node_modules/${NPM_PACKAGE}`];
    const dependencyEntry = lockfile.dependencies?.[NPM_PACKAGE];
    const version =
      extractConcreteVersion(packageEntry?.version) ??
      extractConcreteVersion(dependencyEntry?.version);
-    return (
+    return version
-      extractConcreteVersion(lockfile.packages?.["node_modules/supabase"]?.version) ??
+      ? toPackageResolution(version, packageEntry?.integrity ?? dependencyEntry?.integrity)
-      extractConcreteVersion(lockfile.dependencies?.supabase?.version)
+      : null;
    );
  } catch {
    return null;
  }
 }
-function resolveVersion(inputVersion: string): string {
+export function resolvePackage(inputVersion: string): PackageResolution {
  const requestedVersion = inputVersion.trim();
  if (requestedVersion) {
-    return requestedVersion;
+    return toPackageResolution(requestedVersion);
  }
  const workspaceRoot = process.env.GITHUB_WORKSPACE?.trim();
  if (!workspaceRoot) {
-    return DEFAULT_VERSION;
+    return toPackageResolution(DEFAULT_VERSION);
  }
  return (
-    detectVersionFromBunLock(workspaceRoot) ??
+    detectResolutionFromBunLock(workspaceRoot) ??
-    detectVersionFromPnpmLock(workspaceRoot) ??
+    detectResolutionFromPnpmLock(workspaceRoot) ??
-    detectVersionFromPackageLock(workspaceRoot) ??
+    detectResolutionFromPackageLock(workspaceRoot) ??
-    DEFAULT_VERSION
+    toPackageResolution(DEFAULT_VERSION)
  );
 }
-function buildGithubHeaders(): Record<string, string> {
+function verifyPackageIntegrity(resolution: PackageResolution, metadata: PackageMetadata): void {
-  const headers: Record<string, string> = {
+  if (!resolution.integrity) {
-    Accept: "application/vnd.github+json",
+    return;
    "X-GitHub-Api-Version": "2022-11-28",
  };
  const githubToken = process.env[GITHUB_TOKEN_ENV]?.trim();
  if (githubToken) {
    headers.Authorization = `Bearer ${githubToken}`;
  }
-  return headers;
+  const registryIntegrity = metadata["dist.integrity"];
-}
+  if (registryIntegrity !== resolution.integrity) {
-
+    throw new Error(`Lockfile integrity for ${resolution.spec} does not match the npm registry`);
 async function resolveLatestVersion(): Promise<string> {
  const response = await fetch(GITHUB_RELEASES_API, { headers: buildGithubHeaders() });
  if (!response.ok) {
    throw new Error(`Failed to resolve latest Supabase CLI release: ${response.statusText}`);
  }
  const release = (await response.json()) as { tag_name?: unknown };
  if (typeof release.tag_name !== "string") {
    throw new Error("Failed to resolve latest Supabase CLI release: missing tag name");
  }
  return normalizeVersion(release.tag_name);
 }
 async function resolveLatestBetaVersion(): Promise<string> {
  // The /releases/latest endpoint never returns prereleases, so list all
  // releases (sorted newest-first) and pick the most recent beta prerelease.
  const response = await fetch(GITHUB_RELEASES_LIST_API, { headers: buildGithubHeaders() });
  if (!response.ok) {
    throw new Error(`Failed to resolve latest Supabase CLI beta release: ${response.statusText}`);
  }
  const releases = (await response.json()) as Array<{ tag_name?: unknown; prerelease?: unknown }>;
  const beta = Array.isArray(releases)
    ? releases.find(
        (release) =>
          release.prerelease === true &&
          typeof release.tag_name === "string" &&
          /-beta/i.test(release.tag_name),
      )
    : undefined;
  if (!beta || typeof beta.tag_name !== "string") {
    throw new Error("Failed to resolve latest Supabase CLI beta release: no beta release found");
  }
  return normalizeVersion(beta.tag_name);
 }
 function getArchiveFormat(
  version: string,
  platform: NodeJS.Platform,
  isMuslLinux: boolean,
 ): ArchiveFormat {
  if (
    platform === "linux" &&
    isMuslLinux &&
    semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0
  ) {
    return "apk";
  }
  if (platform === "win32" && semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0) {
    return "zip";
  }
  return "tar";
 }
 function getArchiveFilename(
  version: string,
  platform: NodeJS.Platform,
  arch: NodeJS.Architecture,
  archiveFormat: ArchiveFormat,
 ): string {
  const archivePlatform = getArchivePlatform(platform);
  const archiveArch = getArchiveArch(arch);
  if (semver.order(version, REGISTRY_VERSION) === -1) {
    return `supabase_${version}_${archivePlatform}_${archiveArch}.tar.gz`;
  }
  if (platform === "linux" && archiveFormat === "apk") {
    return `supabase_${version}_${archivePlatform}_${archiveArch}.apk`;
  }
  if (semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0) {
    const extension = platform === "win32" ? "zip" : "tar.gz";
    return `supabase_${version}_${archivePlatform}_${archiveArch}.${extension}`;
  }
  return `supabase_${archivePlatform}_${archiveArch}.tar.gz`;
 }
 export async function getDownloadArchive(
  version: string,
  platform = process.platform,
  arch = process.arch,
  isMuslLinux?: boolean,
 ): Promise<DownloadArchive> {
  const channel = version.toLowerCase();
  let resolvedVersion: string;
  if (channel === LATEST_VERSION) {
    resolvedVersion = await resolveLatestVersion();
  } else if (channel === BETA_VERSION) {
    resolvedVersion = await resolveLatestBetaVersion();
  } else {
    resolvedVersion = normalizeVersion(version);
  }
  const format = getArchiveFormat(
    resolvedVersion,
    platform,
    isMuslLinux ?? (await detectMuslLinux(platform)),
  );
  const filename = getArchiveFilename(resolvedVersion, platform, arch, format);
  return {
    url: `https://github.com/supabase/cli/releases/download/v${resolvedVersion}/${filename}`,
    format,
  };
 }
 async function detectMuslLinux(platform = process.platform): Promise<boolean> {
  if (platform !== "linux") {
    return false;
  }
  if (existsSync("/etc/alpine-release")) {
    return true;
  }
  try {
    const output = await $`ldd --version`.quiet().text();
    return output.toLowerCase().includes("musl");
  } catch (error) {
    const output = error instanceof Error ? error.message : String(error);
    return output.toLowerCase().includes("musl");
  }
 }
-export function getCliPath(extractedPath: string, archiveFormat: ArchiveFormat): string {
+async function getPackageMetadata(resolution: PackageResolution): Promise<PackageMetadata> {
-  return archiveFormat === "apk" ? path.join(extractedPath, "usr", "bin") : extractedPath;
+  const output = await runNpm([
    "view",
    resolution.spec,
    "version",
    "bin",
    "scripts",
    "dist.integrity",
    "--json",
  ]);
  const metadata = JSON.parse(output) as unknown;
  if (!isRecord(metadata)) {
    throw new Error(`Could not read npm metadata for ${resolution.spec}`);
  }
  return metadata;
 }
 function verifyPackageMetadata(resolution: PackageResolution, metadata: PackageMetadata): void {
  if (typeof metadata.version !== "string" || !CONCRETE_VERSION_PATTERN.test(metadata.version)) {
    throw new Error(`Could not resolve a fixed npm version for ${resolution.spec}`);
  }
  const bin = metadata.bin;
  const hasSupabaseBin =
    typeof bin === "string" || (isRecord(bin) && typeof bin[NPM_PACKAGE] === "string");
  if (!hasSupabaseBin) {
    throw new Error(`The npm package ${resolution.spec} does not expose a supabase executable`);
  }
 }
 function shouldIgnoreInstallScripts(metadata: PackageMetadata): boolean {
  return !(isRecord(metadata.scripts) && typeof metadata.scripts.postinstall === "string");
 }
 function createInstallRoot(): string {
  const tempRoot = process.env.RUNNER_TEMP?.trim() || os.tmpdir();
  return mkdtempSync(path.join(tempRoot, "setup-cli-"));
 }
 async function runNpm(args: string[]): Promise<string> {
  const executable = process.env[NPM_EXECUTABLE_ENV]?.trim() || "npm";
  const proc = Bun.spawn([executable, ...args], {
    env: process.env,
    stderr: "pipe",
    stdout: "pipe",
  });
  const [stdout, stderr, exitCode] = await Promise.all([
    new Response(proc.stdout).text(),
    new Response(proc.stderr).text(),
    proc.exited,
  ]);
  if (exitCode !== 0) {
    throw new Error(stderr.trim() || `npm ${args.join(" ")} failed`);
  }
  return stdout;
 }
 export async function installCli(resolution: PackageResolution): Promise<string> {
  const metadata = await getPackageMetadata(resolution);
  verifyPackageMetadata(resolution, metadata);
  verifyPackageIntegrity(resolution, metadata);
  const installRoot = createInstallRoot();
  await runNpm([
    "install",
    "--prefix",
    installRoot,
    "--omit=dev",
    "--include=optional",
    "--no-audit",
    "--no-fund",
    "--no-package-lock",
    `--ignore-scripts=${shouldIgnoreInstallScripts(metadata)}`,
    resolution.spec,
  ]);
  return path.join(installRoot, "node_modules", ".bin");
 }
 function getCliExecutablePath(cliPath: string): string {
@@ -331,21 +332,36 @@ function getCliExecutablePath(cliPath: string): string {
    return path.join(cliPath, "supabase");
  }
  const exePath = path.join(cliPath, "supabase.exe");
  if (existsSync(exePath)) {
    return exePath;
  }
  const cmdPath = path.join(cliPath, "supabase.cmd");
  if (existsSync(cmdPath)) {
    return cmdPath;
  }
  const exePath = path.join(cliPath, "supabase.exe");
  if (existsSync(exePath)) {
    return exePath;
  }
  return path.join(cliPath, "supabase");
 }
 export async function determineInstalledVersion(cliPath: string): Promise<string> {
-  const version = (await $`${getCliExecutablePath(cliPath)} --version`.text()).trim();
+  const executable = getCliExecutablePath(cliPath);
  const proc = Bun.spawn([executable, "--version"], {
    stderr: "pipe",
    stdout: "pipe",
  });
  const [stdout, stderr, exitCode] = await Promise.all([
    new Response(proc.stdout).text(),
    new Response(proc.stderr).text(),
    proc.exited,
  ]);
  if (exitCode !== 0) {
    throw new Error(stderr.trim() || "Could not determine installed Supabase CLI version");
  }
  const version = stdout.trim();
  if (!version) {
    throw new Error("Could not determine installed Supabase CLI version");
  }
@@ -353,26 +369,24 @@ export async function determineInstalledVersion(cliPath: string): Promise<string
  return version;
 }
 function shouldUseGhcrRegistry(requestedVersion: string, installedVersion: string): boolean {
  if (requestedVersion.toLowerCase() === DEFAULT_VERSION) {
    return true;
  }
  const concreteVersion = extractConcreteVersion(installedVersion);
  return concreteVersion !== null && semver.order(concreteVersion, REGISTRY_VERSION) >= 0;
 }
 export async function run(): Promise<void> {
  try {
-    const version = resolveVersion(core.getInput("version"));
+    const resolution = resolvePackage(core.getInput("version"));
-    const archive = await getDownloadArchive(version);
+    const cliPath = await installCli(resolution);
    const archivePath = await tc.downloadTool(archive.url);
    const extractedPath =
      archive.format === "zip"
        ? await tc.extractZip(archivePath)
        : await tc.extractTar(archivePath);
    const cliPath = getCliPath(extractedPath, archive.format);
    const installedVersion = await determineInstalledVersion(cliPath);
    core.setOutput("version", installedVersion);
    core.addPath(cliPath);
-    const channel = version.toLowerCase();
+    if (shouldUseGhcrRegistry(resolution.version, installedVersion)) {
    if (
      channel === LATEST_VERSION ||
      channel === BETA_VERSION ||
      semver.order(version, REGISTRY_VERSION) >= 0
    ) {
      core.exportVariable(CLI_CONFIG_REGISTRY, "ghcr.io");
    }
  } catch (error) {