fix: resolve latest tag and use versioned tarball for v2.99.0+

From v2.99.0, the CLI release publishes only version-prefixed tarballs
(supabase_<version>_<platform>_<arch>.tar.gz); the unversioned aliases
this action used to hit at releases/latest/download/ are gone, so all
'latest' (and lockfile-less) installs were 404-ing.

Resolve 'latest' to a concrete version by following the
github.com/supabase/cli/releases/latest redirect, then pick the
versioned or unversioned filename based on the resolved version.

Fixes supabase/cli#5257.

.github/workflows/ci.yml

@@ -52,7 +52,6 @@ jobs:
       - uses: ./
         with:
           version: ${{ matrix.version }}
-          github-token: ${{ github.token }}
       - run: supabase -h
 
   ci:

README.md

@@ -47,7 +47,6 @@ steps:
   - uses: supabase/setup-cli@v2
     with:
       version: latest
-      github-token: ${{ github.token }}
   - run: supabase init
   - run: supabase db start
 ```
@@ -59,10 +58,9 @@ on Windows and macOS runners.
 
 The action supports the following inputs:
 
-| Name           | Type   | Description                                                                | Default                           | Required |
-| -------------- | ------ | -------------------------------------------------------------------------- | --------------------------------- | -------- |
-| `version`      | String | Supabase CLI version (or `latest`)                                         | Root lockfile version or `latest` | false    |
-| `github-token` | String | GitHub token used to resolve `latest` without unauthenticated API limiting |                                   | false    |
+| Name      | Type   | Description                        | Default                           | Required |
+| --------- | ------ | ---------------------------------- | --------------------------------- | -------- |
+| `version` | String | Supabase CLI version (or `latest`) | Root lockfile version or `latest` | false    |
 
 ## Advanced Usage
 
@@ -164,7 +162,6 @@ steps:
   - uses: ./
     with:
       version: latest
-      github-token: ${{ github.token }}
 ```
 
 The CI workflow provides fast smoke coverage across GitHub-hosted runners, and

action.yml

@@ -5,9 +5,6 @@ inputs:
   version:
     description: Version of Supabase CLI to install. If omitted, detect from the root lockfile and otherwise use latest.
     required: false
-  github-token:
-    description: GitHub token used to resolve the latest Supabase CLI release without hitting unauthenticated API limits.
-    required: false
 outputs:
   version:
     description: Version of installed Supabase CLI
@@ -15,57 +12,20 @@ outputs:
 runs:
   using: composite
   steps:
-    - id: bun-download
-      name: Resolve Bun Download URL
-      shell: sh
-      working-directory: ${{ github.action_path }}
-      run: |
-        set -eu
-
-        if [ "${RUNNER_OS}" != "Linux" ]; then
-          exit 0
-        fi
-
-        # setup-bun does not detect Linux musl yet, so Alpine-like containers need the musl asset explicitly.
-        is_musl=false
-        if [ -f /etc/alpine-release ]; then
-          is_musl=true
-        elif command -v ldd >/dev/null 2>&1 && ldd --version 2>&1 | grep -qi musl; then
-          is_musl=true
-        fi
-
-        if [ "${is_musl}" != "true" ]; then
-          exit 0
-        fi
-
-        version="$(cat .bun-version)"
-        case "$(uname -m)" in
-          x86_64) arch="x64" ;;
-          aarch64|arm64) arch="aarch64" ;;
-          *)
-            echo "Unsupported Linux musl architecture: $(uname -m)" >&2
-            exit 1
-            ;;
-        esac
-
-        echo "url=https://github.com/oven-sh/bun/releases/download/bun-v${version}/bun-linux-${arch}-musl.zip" >> "$GITHUB_OUTPUT"
-
     - name: Setup Bun
       uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
       with:
         bun-version-file: ${{ github.action_path }}/.bun-version
-        bun-download-url: ${{ steps.bun-download.outputs.url }}
 
     - name: Install Action Dependencies
-      shell: sh
+      shell: bash
       working-directory: ${{ github.action_path }}
       run: bun install --frozen-lockfile --production
 
     - id: setup-cli
       name: Setup Supabase CLI
-      shell: sh
+      shell: bash
       working-directory: ${{ github.action_path }}
       env:
         INPUT_VERSION: ${{ inputs.version }}
-        SUPABASE_CLI_GITHUB_TOKEN: ${{ inputs.github-token }}
       run: bun src/main.ts

src/main.test.ts

@@ -10,21 +10,13 @@ import * as tc from "@actions/tool-cache";
 const repo = path.dirname(path.dirname(fileURLToPath(import.meta.url)));
 const defaultEntrypoint = fileURLToPath(new URL("./main.ts", import.meta.url));
 const CLI_CONFIG_REGISTRY = "SUPABASE_INTERNAL_IMAGE_REGISTRY";
-const GITHUB_RELEASES_API = "https://api.github.com/repos/supabase/cli/releases/latest";
-const GITHUB_TOKEN_ENV = "SUPABASE_CLI_GITHUB_TOKEN";
 const originalWorkspace = process.env.GITHUB_WORKSPACE;
-const originalGithubToken = process.env[GITHUB_TOKEN_ENV];
 const tempDirs = new Set<string>();
 let mainModule: typeof import("./main.ts") | null = null;
 
 afterEach(() => {
   mock.restore();
   process.env.GITHUB_WORKSPACE = originalWorkspace;
-  if (originalGithubToken === undefined) {
-    delete process.env[GITHUB_TOKEN_ENV];
-  } else {
-    process.env[GITHUB_TOKEN_ENV] = originalGithubToken;
-  }
 
   for (const dir of tempDirs) {
     rmSync(dir, { force: true, recursive: true });
@@ -164,16 +156,16 @@ function createActionSpies(inputVersion: string, cliDir: string, expectedUrlFrag
       return path.join(os.tmpdir(), "supabase-cli.tar.gz");
     }),
     extractTar: spyOn(tc, "extractTar").mockImplementation(async () => cliDir),
-    extractZip: spyOn(tc, "extractZip").mockImplementation(async () => cliDir),
   };
 }
 
-function mockLatestRelease(version = "v2.99.0") {
-  return spyOn(globalThis, "fetch").mockResolvedValue(
-    new Response(JSON.stringify({ tag_name: version }), {
-      status: 200,
-      statusText: "OK",
-    }),
+function mockLatestRelease(version: string) {
+  const response = new Response(null, {
+    status: 302,
+    headers: { location: `https://github.com/supabase/cli/releases/tag/v${version}` },
+  });
+  return spyOn(globalThis, "fetch").mockImplementation(
+    (async () => response) as unknown as typeof fetch,
   );
 }
 
@@ -185,101 +177,10 @@ async function getMainModule(): Promise<typeof import("./main.ts")> {
   return mainModule;
 }
 
-test("uses versioned tar archives for Supabase CLI v2.99.0 and later", async () => {
-  const { getDownloadArchive } = await getMainModule();
-
-  const archive = await getDownloadArchive("2.99.0", "linux", "x64");
-
-  expect(archive).toEqual({
-    url: "https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_linux_amd64.tar.gz",
-    format: "tar",
-  });
-});
-
-test("uses apk archives for Supabase CLI v2.99.0 and later on Linux musl", async () => {
-  const { getDownloadArchive } = await getMainModule();
-
-  const archive = await getDownloadArchive("2.100.1", "linux", "x64", true);
-
-  expect(archive).toEqual({
-    url: "https://github.com/supabase/cli/releases/download/v2.100.1/supabase_2.100.1_linux_amd64.apk",
-    format: "apk",
-  });
-});
-
-test("keeps tar archives before Supabase CLI v2.99.0 on Linux musl", async () => {
-  const { getDownloadArchive } = await getMainModule();
-
-  const archive = await getDownloadArchive("2.98.2", "linux", "x64", true);
-
-  expect(archive).toEqual({
-    url: "https://github.com/supabase/cli/releases/download/v2.98.2/supabase_linux_amd64.tar.gz",
-    format: "tar",
-  });
-});
-
-test("uses usr/bin as the CLI path for apk archives", async () => {
-  const { getCliPath } = await getMainModule();
-
-  expect(getCliPath("/tmp/extracted", "apk")).toBe(path.join("/tmp/extracted", "usr", "bin"));
-  expect(getCliPath("/tmp/extracted", "tar")).toBe("/tmp/extracted");
-  expect(getCliPath("/tmp/extracted", "zip")).toBe("/tmp/extracted");
-});
-
-test("keeps the unversioned tar archive layout before Supabase CLI v2.99.0", async () => {
-  const { getDownloadArchive } = await getMainModule();
-
-  const archive = await getDownloadArchive("2.98.2", "linux", "x64");
-
-  expect(archive).toEqual({
-    url: "https://github.com/supabase/cli/releases/download/v2.98.2/supabase_linux_amd64.tar.gz",
-    format: "tar",
-  });
-});
-
-test("uses versioned zip archives for Windows Supabase CLI v2.99.0 and later", async () => {
-  const { getDownloadArchive } = await getMainModule();
-
-  const archive = await getDownloadArchive("2.99.0", "win32", "x64");
-
-  expect(archive).toEqual({
-    url: "https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_windows_amd64.zip",
-    format: "zip",
-  });
-});
-
-test("resolves latest before choosing a versioned Supabase CLI archive", async () => {
-  mockLatestRelease("v2.99.0");
-  const { getDownloadArchive } = await getMainModule();
-
-  const archive = await getDownloadArchive("latest", "darwin", "arm64");
-
-  expect(archive).toEqual({
-    url: "https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_darwin_arm64.tar.gz",
-    format: "tar",
-  });
-});
-
-test("authenticates latest release lookup when a GitHub token is provided", async () => {
-  process.env[GITHUB_TOKEN_ENV] = "ghs_test-token";
-  const fetch = mockLatestRelease("v2.99.0");
-  const { getDownloadArchive } = await getMainModule();
-
-  await getDownloadArchive("latest", "darwin", "arm64");
-
-  expect(fetch).toHaveBeenCalledWith(GITHUB_RELEASES_API, {
-    headers: expect.objectContaining({
-      Accept: "application/vnd.github+json",
-      Authorization: "Bearer ghs_test-token",
-      "X-GitHub-Api-Version": "2022-11-28",
-    }),
-  });
-});
-
 test("awaits the action entrypoint with omitted version and latest fallback", async () => {
   process.env.GITHUB_WORKSPACE = repo;
-  mockLatestRelease();
   const cliDir = createFakeCli("supabase 2.84.2");
+  mockLatestRelease("2.84.2");
   let startDownload!: () => void;
   let finishDownload!: () => void;
   const downloadStarted = new Promise<void>((resolve) => {
@@ -295,12 +196,11 @@ test("awaits the action entrypoint with omitted version and latest fallback", as
     exportVariable: spyOn(core, "exportVariable").mockImplementation(() => {}),
     setFailed: spyOn(core, "setFailed").mockImplementation(() => {}),
     downloadTool: spyOn(tc, "downloadTool").mockImplementation(async (url: string) => {
-      expect(url).toContain("/download/v2.99.0/supabase_2.99.0_");
+      expect(url).toContain("/download/v2.84.2/supabase_");
       startDownload();
       return downloadFinished;
     }),
     extractTar: spyOn(tc, "extractTar").mockImplementation(async () => cliDir),
-    extractZip: spyOn(tc, "extractZip").mockImplementation(async () => cliDir),
   };
   const originalArgv1 = process.argv[1];
   process.argv[1] = defaultEntrypoint;
@@ -394,9 +294,9 @@ test("falls back to latest when version is omitted and no supported root lockfil
   process.env.GITHUB_WORKSPACE = createWorkspace({
     "README.md": "# app\n",
   });
-  mockLatestRelease();
   const cliDir = createFakeCli("supabase 2.84.2");
-  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
+  mockLatestRelease("2.84.2");
+  const spies = createActionSpies("", cliDir, "/download/v2.84.2/supabase_");
   const { run } = await getMainModule();
 
   await run();
@@ -408,9 +308,9 @@ test("falls back to latest when version is omitted and no supported root lockfil
 
 test("falls back to latest when version is omitted and no workspace is available", async () => {
   delete process.env.GITHUB_WORKSPACE;
-  mockLatestRelease();
   const cliDir = createFakeCli("supabase 2.84.2");
-  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
+  mockLatestRelease("2.84.2");
+  const spies = createActionSpies("", cliDir, "/download/v2.84.2/supabase_");
   const { run } = await getMainModule();
 
   await run();
@@ -473,9 +373,9 @@ test("falls through unreadable bun.lock paths and malformed package-lock files t
   });
   mkdirSync(path.join(workspace, "bun.lock"), { recursive: true });
   process.env.GITHUB_WORKSPACE = workspace;
-  mockLatestRelease();
   const cliDir = createFakeCli("supabase 2.84.2");
-  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
+  mockLatestRelease("2.84.2");
+  const spies = createActionSpies("", cliDir, "/download/v2.84.2/supabase_");
   const { run } = await getMainModule();
 
   await run();
@@ -489,9 +389,9 @@ test("falls back to latest when a pnpm dependency entry has no concrete version"
   process.env.GITHUB_WORKSPACE = createWorkspace({
     "pnpm-lock.yaml": createPnpmLock("2.49.0", { includeVersion: false }),
   });
-  mockLatestRelease();
   const cliDir = createFakeCli("supabase 2.84.2");
-  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
+  mockLatestRelease("2.84.2");
+  const spies = createActionSpies("", cliDir, "/download/v2.84.2/supabase_");
   const { run } = await getMainModule();
 
   await run();
@@ -516,6 +416,52 @@ test("explicit version overrides detected root lockfiles", async () => {
   expect(spies.setFailed).not.toHaveBeenCalled();
 });
 
+test("downloads the version-prefixed tarball for releases >= 2.99.0", async () => {
+  // Regression for supabase/cli#5257: from v2.99.0 onward the CLI only
+  // publishes supabase_<version>_<platform>_<arch>.tar.gz; the unversioned
+  // alias is gone.
+  delete process.env.GITHUB_WORKSPACE;
+  const cliDir = createFakeCli("supabase 2.99.0");
+  mockLatestRelease("2.99.0");
+  const spies = createActionSpies("", cliDir, "/download/v2.99.0/supabase_2.99.0_");
+  const { run } = await getMainModule();
+
+  await run();
+
+  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.99.0");
+  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+  expect(spies.setFailed).not.toHaveBeenCalled();
+});
+
+test("downloads the version-prefixed tarball when explicit version >= 2.99.0 is requested", async () => {
+  delete process.env.GITHUB_WORKSPACE;
+  const cliDir = createFakeCli("supabase 2.99.0");
+  const fetchSpy = spyOn(globalThis, "fetch");
+  const spies = createActionSpies("2.99.0", cliDir, "/download/v2.99.0/supabase_2.99.0_");
+  const { run } = await getMainModule();
+
+  await run();
+
+  expect(fetchSpy).not.toHaveBeenCalled();
+  expect(spies.setOutput).toHaveBeenCalledWith("version", "supabase 2.99.0");
+  expect(spies.exportVariable).toHaveBeenCalledWith(CLI_CONFIG_REGISTRY, "ghcr.io");
+  expect(spies.setFailed).not.toHaveBeenCalled();
+});
+
+test("fails when the latest release redirect does not include a version tag", async () => {
+  delete process.env.GITHUB_WORKSPACE;
+  const cliDir = createFakeCli("supabase 2.99.0");
+  const response = new Response(null, { status: 302, headers: { location: "/releases" } });
+  spyOn(globalThis, "fetch").mockImplementation((async () => response) as unknown as typeof fetch);
+  const spies = createActionSpies("", cliDir, "/download/");
+  const { run } = await getMainModule();
+
+  await run();
+
+  expect(spies.downloadTool).not.toHaveBeenCalled();
+  expect(spies.setFailed).toHaveBeenCalled();
+});
+
 test("fails when the installed CLI does not report a version", async () => {
   process.env.GITHUB_WORKSPACE = createWorkspace({
     "package-lock.json": createPackageLock("2.46.0"),

src/main.ts

@@ -7,17 +7,12 @@ import { fileURLToPath } from "node:url";
 
 export const CLI_CONFIG_REGISTRY = "SUPABASE_INTERNAL_IMAGE_REGISTRY";
 const REGISTRY_VERSION = "1.28.0";
+// Starting with this release, the CLI publishes only version-prefixed tarballs
+// (e.g. supabase_2.99.0_linux_amd64.tar.gz); the unversioned aliases that used
+// to live alongside them are no longer uploaded. See supabase/cli#5257.
 const VERSIONED_ARCHIVE_VERSION = "2.99.0";
 const DEFAULT_VERSION = "latest";
-const GITHUB_RELEASES_API = "https://api.github.com/repos/supabase/cli/releases/latest";
-const GITHUB_TOKEN_ENV = "SUPABASE_CLI_GITHUB_TOKEN";
-
-type ArchiveFormat = "apk" | "tar" | "zip";
-
-type DownloadArchive = {
-  url: string;
-  format: ArchiveFormat;
-};
+const LATEST_RELEASE_URL = "https://github.com/supabase/cli/releases/latest";
 
 type BunLock = {
   workspaces?: {
@@ -66,10 +61,6 @@ function extractConcreteVersion(raw: string | undefined): string | null {
   return match?.[0] ?? null;
 }
 
-function normalizeVersion(version: string): string {
-  return version.replace(/^v/i, "");
-}
-
 function readWorkspaceLockfile(workspaceRoot: string, filename: string): string | null {
   const filePath = path.join(workspaceRoot, filename);
 
@@ -175,138 +166,40 @@ function resolveVersion(inputVersion: string): string {
   );
 }
 
-async function resolveLatestVersion(): Promise<string> {
-  const headers: Record<string, string> = {
-    Accept: "application/vnd.github+json",
-    "X-GitHub-Api-Version": "2022-11-28",
-  };
-  const githubToken = process.env[GITHUB_TOKEN_ENV]?.trim();
+export async function resolveLatestVersion(): Promise<string> {
+  const response = await fetch(LATEST_RELEASE_URL, { method: "HEAD", redirect: "manual" });
+  const location = response.headers.get("location");
+  const version = extractConcreteVersion(location ?? undefined);
 
-  if (githubToken) {
-    headers.Authorization = `Bearer ${githubToken}`;
+  if (!version) {
+    throw new Error(
+      `Could not resolve latest Supabase CLI version (status ${response.status}, location ${location ?? "<none>"})`,
+    );
   }
 
-  const response = await fetch(GITHUB_RELEASES_API, { headers });
-  if (!response.ok) {
-    throw new Error(`Failed to resolve latest Supabase CLI release: ${response.statusText}`);
-  }
-
-  const release = (await response.json()) as { tag_name?: unknown };
-  if (typeof release.tag_name !== "string") {
-    throw new Error("Failed to resolve latest Supabase CLI release: missing tag name");
-  }
-
-  return normalizeVersion(release.tag_name);
+  return version;
 }
 
-function getArchiveFormat(
-  version: string,
-  platform: NodeJS.Platform,
-  isMuslLinux: boolean,
-): ArchiveFormat {
+export function getDownloadUrl(version: string): string {
+  const platform = getArchivePlatform(process.platform);
+  const arch = getArchiveArch(process.arch);
+  const versionedFilename = `supabase_${version}_${platform}_${arch}.tar.gz`;
+  const unversionedFilename = `supabase_${platform}_${arch}.tar.gz`;
+
+  // v2.99.0+ and the earliest releases (pre-v1.28.0) only publish version-prefixed
+  // tarballs; the intermediate releases publish unversioned aliases.
   if (
-    platform === "linux" &&
-    isMuslLinux &&
+    semver.order(version, REGISTRY_VERSION) === -1 ||
     semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0
   ) {
-    return "apk";
+    return `https://github.com/supabase/cli/releases/download/v${version}/${versionedFilename}`;
   }
 
-  if (platform === "win32" && semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0) {
-    return "zip";
-  }
-
-  return "tar";
-}
-
-function getArchiveFilename(
-  version: string,
-  platform: NodeJS.Platform,
-  arch: NodeJS.Architecture,
-  archiveFormat: ArchiveFormat,
-): string {
-  const archivePlatform = getArchivePlatform(platform);
-  const archiveArch = getArchiveArch(arch);
-
-  if (semver.order(version, REGISTRY_VERSION) === -1) {
-    return `supabase_${version}_${archivePlatform}_${archiveArch}.tar.gz`;
-  }
-
-  if (platform === "linux" && archiveFormat === "apk") {
-    return `supabase_${version}_${archivePlatform}_${archiveArch}.apk`;
-  }
-
-  if (semver.order(version, VERSIONED_ARCHIVE_VERSION) >= 0) {
-    const extension = platform === "win32" ? "zip" : "tar.gz";
-    return `supabase_${version}_${archivePlatform}_${archiveArch}.${extension}`;
-  }
-
-  return `supabase_${archivePlatform}_${archiveArch}.tar.gz`;
-}
-
-export async function getDownloadArchive(
-  version: string,
-  platform = process.platform,
-  arch = process.arch,
-  isMuslLinux?: boolean,
-): Promise<DownloadArchive> {
-  const resolvedVersion =
-    version.toLowerCase() === "latest" ? await resolveLatestVersion() : normalizeVersion(version);
-  const format = getArchiveFormat(
-    resolvedVersion,
-    platform,
-    isMuslLinux ?? (await detectMuslLinux(platform)),
-  );
-  const filename = getArchiveFilename(resolvedVersion, platform, arch, format);
-
-  return {
-    url: `https://github.com/supabase/cli/releases/download/v${resolvedVersion}/${filename}`,
-    format,
-  };
-}
-
-async function detectMuslLinux(platform = process.platform): Promise<boolean> {
-  if (platform !== "linux") {
-    return false;
-  }
-
-  if (existsSync("/etc/alpine-release")) {
-    return true;
-  }
-
-  try {
-    const output = await $`ldd --version`.quiet().text();
-    return output.toLowerCase().includes("musl");
-  } catch (error) {
-    const output = error instanceof Error ? error.message : String(error);
-    return output.toLowerCase().includes("musl");
-  }
-}
-
-export function getCliPath(extractedPath: string, archiveFormat: ArchiveFormat): string {
-  return archiveFormat === "apk" ? path.join(extractedPath, "usr", "bin") : extractedPath;
-}
-
-function getCliExecutablePath(cliPath: string): string {
-  if (process.platform !== "win32") {
-    return path.join(cliPath, "supabase");
-  }
-
-  const exePath = path.join(cliPath, "supabase.exe");
-  if (existsSync(exePath)) {
-    return exePath;
-  }
-
-  const cmdPath = path.join(cliPath, "supabase.cmd");
-  if (existsSync(cmdPath)) {
-    return cmdPath;
-  }
-
-  return path.join(cliPath, "supabase");
+  return `https://github.com/supabase/cli/releases/download/v${version}/${unversionedFilename}`;
 }
 
 export async function determineInstalledVersion(cliPath: string): Promise<string> {
-  const version = (await $`${getCliExecutablePath(cliPath)} --version`.text()).trim();
+  const version = (await $`${path.join(cliPath, "supabase")} --version`.text()).trim();
   if (!version) {
     throw new Error("Could not determine installed Supabase CLI version");
   }
@@ -316,19 +209,16 @@ export async function determineInstalledVersion(cliPath: string): Promise<string
 
 export async function run(): Promise<void> {
   try {
-    const version = resolveVersion(core.getInput("version"));
-    const archive = await getDownloadArchive(version);
-    const archivePath = await tc.downloadTool(archive.url);
-    const extractedPath =
-      archive.format === "zip"
-        ? await tc.extractZip(archivePath)
-        : await tc.extractTar(archivePath);
-    const cliPath = getCliPath(extractedPath, archive.format);
+    const requestedVersion = resolveVersion(core.getInput("version"));
+    const version =
+      requestedVersion.toLowerCase() === "latest" ? await resolveLatestVersion() : requestedVersion;
+    const tarball = await tc.downloadTool(getDownloadUrl(version));
+    const cliPath = await tc.extractTar(tarball);
     const installedVersion = await determineInstalledVersion(cliPath);
     core.setOutput("version", installedVersion);
     core.addPath(cliPath);
 
-    if (version.toLowerCase() === "latest" || semver.order(version, REGISTRY_VERSION) >= 0) {
+    if (semver.order(version, REGISTRY_VERSION) >= 0) {
       core.exportVariable(CLI_CONFIG_REGISTRY, "ghcr.io");
     }
   } catch (error) {