fix: setup-cli on Linux musl containers (#431)

## Summary

Fixes setup-cli in Alpine/Linux musl containers after the Supabase CLI
v2.99+ release layout introduced a Bun/TypeScript `supabase` shim
alongside `supabase-go`.

This keeps the v2 action on Bun, but makes the musl paths explicit:

- Detect Linux musl before running `oven-sh/setup-bun` and pass the
matching `bun-linux-*-musl.zip` via `bun-download-url`.
- Use POSIX `sh` for composite shell steps so the action can run in
minimal Alpine containers without `bash`.
- Detect Linux musl in the CLI installer and download the existing
`.apk` release asset for CLI v2.99+.
- Add the extracted APK `usr/bin` directory to PATH.
- Keep existing tar/zip behavior for glibc Linux, macOS, and Windows.

## Root Cause

`oven-sh/setup-bun` does not currently include libc detection in its
automatic release asset selection, so Alpine containers received a glibc
Bun binary. Separately, setup-cli downloaded the generic Linux `.tar.gz`
Supabase CLI asset, whose `supabase` shim is glibc-linked in v2.99+; the
`.apk` asset contains the musl-linked shim.

## Testing

- `bun run ci`
- Manual GitHub workflow in
https://github.com/jgoux/setup-cli-testing/actions/runs/2616196598653

.github/workflows/ci.yml

@@ -52,6 +52,7 @@ jobs:
       - uses: ./
         with:
           version: ${{ matrix.version }}
+          github-token: ${{ github.token }}
       - run: supabase -h
 
   ci:

README.md

@@ -47,6 +47,7 @@ steps:
   - uses: supabase/setup-cli@v2
     with:
       version: latest
+      github-token: ${{ github.token }}
   - run: supabase init
   - run: supabase db start
 ```
@@ -58,9 +59,10 @@ on Windows and macOS runners.
 
 The action supports the following inputs:
 
-| Name      | Type   | Description                        | Default                           | Required |
-| --------- | ------ | ---------------------------------- | --------------------------------- | -------- |
-| `version` | String | Supabase CLI version (or `latest`) | Root lockfile version or `latest` | false    |
+| Name           | Type   | Description                                                                | Default                           | Required |
+| -------------- | ------ | -------------------------------------------------------------------------- | --------------------------------- | -------- |
+| `version`      | String | Supabase CLI version (or `latest`)                                         | Root lockfile version or `latest` | false    |
+| `github-token` | String | GitHub token used to resolve `latest` without unauthenticated API limiting |                                   | false    |
 
 ## Advanced Usage
 
@@ -162,6 +164,7 @@ steps:
   - uses: ./
     with:
       version: latest
+      github-token: ${{ github.token }}
 ```
 
 The CI workflow provides fast smoke coverage across GitHub-hosted runners, and

action.yml

@@ -5,6 +5,9 @@ inputs:
   version:
     description: Version of Supabase CLI to install. If omitted, detect from the root lockfile and otherwise use latest.
     required: false
+  github-token:
+    description: GitHub token used to resolve the latest Supabase CLI release without hitting unauthenticated API limits.
+    required: false
 outputs:
   version:
     description: Version of installed Supabase CLI
@@ -12,20 +15,57 @@ outputs:
 runs:
   using: composite
   steps:
+    - id: bun-download
+      name: Resolve Bun Download URL
+      shell: sh
+      working-directory: ${{ github.action_path }}
+      run: |
+        set -eu
+
+        if [ "${RUNNER_OS}" != "Linux" ]; then
+          exit 0
+        fi
+
+        # setup-bun does not detect Linux musl yet, so Alpine-like containers need the musl asset explicitly.
+        is_musl=false
+        if [ -f /etc/alpine-release ]; then
+          is_musl=true
+        elif command -v ldd >/dev/null 2>&1 && ldd --version 2>&1 | grep -qi musl; then
+          is_musl=true
+        fi
+
+        if [ "${is_musl}" != "true" ]; then
+          exit 0
+        fi
+
+        version="$(cat .bun-version)"
+        case "$(uname -m)" in
+          x86_64) arch="x64" ;;
+          aarch64|arm64) arch="aarch64" ;;
+          *)
+            echo "Unsupported Linux musl architecture: $(uname -m)" >&2
+            exit 1
+            ;;
+        esac
+
+        echo "url=https://github.com/oven-sh/bun/releases/download/bun-v${version}/bun-linux-${arch}-musl.zip" >> "$GITHUB_OUTPUT"
+
     - name: Setup Bun
       uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       with:
         bun-version-file: ${{ github.action_path }}/.bun-version
+        bun-download-url: ${{ steps.bun-download.outputs.url }}
 
     - name: Install Action Dependencies
-      shell: bash
+      shell: sh
       working-directory: ${{ github.action_path }}
       run: bun install --frozen-lockfile --production
 
     - id: setup-cli
       name: Setup Supabase CLI
-      shell: bash
+      shell: sh
       working-directory: ${{ github.action_path }}
       env:
         INPUT_VERSION: ${{ inputs.version }}
+        SUPABASE_CLI_GITHUB_TOKEN: ${{ inputs.github-token }}
       run: bun src/main.ts

src/main.test.ts

@@ -10,13 +10,21 @@ import * as tc from "@actions/tool-cache";
 const repo = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
 const defaultEntrypoint = fileURLToPath(new URL("./main.ts", import.meta.url));
 const CLI_CONFIG_REGISTRY = "SUPABASE_INTERNAL_IMAGE_REGISTRY";
+const GITHUB_RELEASES_API = "https://api.github.com/repos/supabase/cli/releases/latest";
+const GITHUB_TOKEN_ENV = "SUPABASE_CLI_GITHUB_TOKEN";
 const originalWorkspace = process.env.GITHUB_WORKSPACE;
+const originalGithubToken = process.env[GITHUB_TOKEN_ENV];
 const tempDirs = new Set<string>();
 let mainModule: typeof import("./main.ts") | null = null;
 
 afterEach(() => {
   mock.restore();
   process.env.GITHUB_WORKSPACE = originalWorkspace;
+  if (originalGithubToken === undefined) {
+    delete process.env[GITHUB_TOKEN_ENV];
+  } else {
+    process.env[GITHUB_TOKEN_ENV] = originalGithubToken;
+  }
 
   for (const dir of tempDirs) {
     rmSync(dir, { force: true, recursive: true });
@@ -188,6 +196,36 @@ test("uses versioned tar archives for Supabase CLI v2.99.0 and later", async ()
   });
 });
 
+test("uses apk archives for Supabase CLI v2.99.0 and later on Linux musl", async () => {
+  const { getDownloadArchive } = await getMainModule();
+
+  const archive = await getDownloadArchive("2.100.1", "linux", "x64", true);
+
+  expect(archive).toEqual({
+    url: "https://github.com/supabase/cli/releases/download/v2.100.1/supabase_2.100.1_linux_amd64.apk",
+    format: "apk",
+  });
+});
+
+test("keeps tar archives before Supabase CLI v2.99.0 on Linux musl", async () => {
+  const { getDownloadArchive } = await getMainModule();
+
+  const archive = await getDownloadArchive("2.98.2", "linux", "x64", true);
+
+  expect(archive).toEqual({
+    url: "https://github.com/supabase/cli/releases/download/v2.98.2/supabase_linux_amd64.tar.gz",
+    format: "tar",
+  });
+});
+
+test("uses usr/bin as the CLI path for apk archives", async () => {
+  const { getCliPath } = await getMainModule();
+
+  expect(getCliPath("/tmp/extracted", "apk")).toBe(path.join("/tmp/extracted", "usr", "bin"));
+  expect(getCliPath("/tmp/extracted", "tar")).toBe("/tmp/extracted");
+  expect(getCliPath("/tmp/extracted", "zip")).toBe("/tmp/extracted");
+});
+
 test("keeps the unversioned tar archive layout before Supabase CLI v2.99.0", async () => {
   const { getDownloadArchive } = await getMainModule();
 
@@ -222,6 +260,22 @@ test("resolves latest before choosing a versioned Supabase CLI archive", async (
   });
 });
 
+test("authenticates latest release lookup when a GitHub token is provided", async () => {
+  process.env[GITHUB_TOKEN_ENV] = "ghs_test-token";
+  const fetch = mockLatestRelease("v2.99.0");
+  const { getDownloadArchive } = await getMainModule();
+
+  await getDownloadArchive("latest", "darwin", "arm64");
+
+  expect(fetch).toHaveBeenCalledWith(GITHUB_RELEASES_API, {
+    headers: expect.objectContaining({
+      Accept: "application/vnd.github+json",
+      Authorization: "Bearer ghs_test-token",
+      "X-GitHub-Api-Version": "2022-11-28",
+    }),
+  });
+});
+
 test("awaits the action entrypoint with omitted version and latest fallback", async () => {
   process.env.GITHUB_WORKSPACE = repo;
   mockLatestRelease();

src/main.ts

@@ -10,8 +10,9 @@ const REGISTRY_VERSION = "1.28.0";
 const VERSIONED_ARCHIVE_VERSION = "2.99.0";
 const DEFAULT_VERSION = "latest";
 const GITHUB_RELEASES_API = "https://api.github.com/repos/supabase/cli/releases/latest";
+const GITHUB_TOKEN_ENV = "SUPABASE_CLI_GITHUB_TOKEN";
 
-type ArchiveFormat = "tar" | "zip";
+type ArchiveFormat = "apk" | "tar" | "zip";
 
 type DownloadArchive = {
   url: string;
@@ -175,7 +176,17 @@ function resolveVersion(inputVersion: string): string {
 }
 
 async function resolveLatestVersion(): Promise<string> {
-  const response = await fetch(GITHUB_RELEASES_API);
+  const headers: Record<string, string> = {
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28",
+  };
+  const githubToken = process.env[GITHUB_TOKEN_ENV]?.trim();
+
+  if (githubToken) {
+    headers.Authorization = `Bearer ${githubToken}`;
+  }
+
+  const response = await fetch(GITHUB_RELEASES_API, { headers });
   if (!response.ok) {
     throw new Error(`Failed to resolve latest Supabase CLI release: ${response.statusText}`);
   }
@@ -188,7 +199,19 @@ async function resolveLatestVersion(): Promise<string> {
   return normalizeVersion(release.tag_name);
 }
 
-function getArchiveFormat(version: string, platform: NodeJS.Platform): ArchiveFormat {
+function getArchiveFormat(
+  version: string,
+  platform: NodeJS.Platform,
+  isMuslLinux: boolean,
+): ArchiveFormat {
+  if (
+    platform === "linux" &&
+    isMuslLinux &&
+    semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0
+  ) {
+    return "apk";
+  }
+
   if (platform === "win32" && semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0) {
     return "zip";
   }
@@ -200,6 +223,7 @@ function getArchiveFilename(
   version: string,
   platform: NodeJS.Platform,
   arch: NodeJS.Architecture,
+  archiveFormat: ArchiveFormat,
 ): string {
   const archivePlatform = getArchivePlatform(platform);
   const archiveArch = getArchiveArch(arch);
@@ -208,6 +232,10 @@ function getArchiveFilename(
     return `supabase_${version}_${archivePlatform}_${archiveArch}.tar.gz`;
   }
 
+  if (platform === "linux" && archiveFormat === "apk") {
+    return `supabase_${version}_${archivePlatform}_${archiveArch}.apk`;
+  }
+
   if (semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0) {
     const extension = platform === "win32" ? "zip" : "tar.gz";
     return `supabase_${version}_${archivePlatform}_${archiveArch}.${extension}`;
@@ -220,17 +248,45 @@ export async function getDownloadArchive(
   version: string,
   platform = process.platform,
   arch = process.arch,
+  isMuslLinux?: boolean,
 ): Promise<DownloadArchive> {
   const resolvedVersion =
     version.toLowerCase() === "latest" ? await resolveLatestVersion() : normalizeVersion(version);
-  const filename = getArchiveFilename(resolvedVersion, platform, arch);
+  const format = getArchiveFormat(
+    resolvedVersion,
+    platform,
+    isMuslLinux ?? (await detectMuslLinux(platform)),
+  );
+  const filename = getArchiveFilename(resolvedVersion, platform, arch, format);
 
   return {
     url: `https://github.com/supabase/cli/releases/download/v${resolvedVersion}/${filename}`,
-    format: getArchiveFormat(resolvedVersion, platform),
+    format,
   };
 }
 
+async function detectMuslLinux(platform = process.platform): Promise<boolean> {
+  if (platform !== "linux") {
+    return false;
+  }
+
+  if (existsSync("/etc/alpine-release")) {
+    return true;
+  }
+
+  try {
+    const output = await $`ldd --version`.quiet().text();
+    return output.toLowerCase().includes("musl");
+  } catch (error) {
+    const output = error instanceof Error ? error.message : String(error);
+    return output.toLowerCase().includes("musl");
+  }
+}
+
+export function getCliPath(extractedPath: string, archiveFormat: ArchiveFormat): string {
+  return archiveFormat === "apk" ? path.join(extractedPath, "usr", "bin") : extractedPath;
+}
+
 function getCliExecutablePath(cliPath: string): string {
   if (process.platform !== "win32") {
     return path.join(cliPath, "supabase");
@@ -263,10 +319,11 @@ export async function run(): Promise<void> {
     const version = resolveVersion(core.getInput("version"));
     const archive = await getDownloadArchive(version);
     const archivePath = await tc.downloadTool(archive.url);
-    const cliPath =
+    const extractedPath =
       archive.format === "zip"
         ? await tc.extractZip(archivePath)
         : await tc.extractTar(archivePath);
+    const cliPath = getCliPath(extractedPath, archive.format);
     const installedVersion = await determineInstalledVersion(cliPath);
     core.setOutput("version", installedVersion);
     core.addPath(cliPath);