fix: install Alpine runtime dependencies (#434)

## Summary
- Install `libstdc++` and `libgcc` before verifying CLI versions from
apk archives
- Keep non-apk archive installs unchanged
- Rebuild the v1 bundled action artifact

## Testing
- `npm run package`
- `npm run format:check`
- `npm run lint`
- `npm run test`
- Verified `supabase_2.100.0_linux_arm64.apk` fails on plain Alpine
without `libstdc++`/`libgcc` and reports `2.100.0` after installing them

.github/workflows/codeql-analysis.yml

@@ -1,7 +1,6 @@
 name: CodeQL
 
 on:
-  pull_request:
   push:
     branches:
       - main

.github/workflows/linter.yml

@@ -48,9 +48,11 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           LINTER_RULES_PATH: ${{ github.workspace }}
           VALIDATE_ALL_CODEBASE: true
+          VALIDATE_BIOME_FORMAT: false
           VALIDATE_JAVASCRIPT_ES: false
           VALIDATE_JAVASCRIPT_STANDARD: false
           VALIDATE_JSCPD: false
           VALIDATE_TYPESCRIPT_ES: false
           VALIDATE_JSON: false
+          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_TYPESCRIPT_STANDARD: false

.github/workflows/start.yml

@@ -38,6 +38,7 @@ jobs:
       - uses: ./
         with:
           version: ${{ matrix.version }}
+          github-token: ${{ github.token }}
       - run: supabase init
       - run:
           sed -i -E "s|^(major_version) .*|\1 = ${{ matrix.pg_major }}|"

.github/workflows/test.yml

@@ -56,6 +56,7 @@ jobs:
       - uses: ./
         with:
           version: ${{ matrix.version }}
+          github-token: ${{ github.token }}
       - run: supabase -h
 
   check:

.licenses/npm/@actions/core.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/core"
-version: 1.11.1
+version: 3.0.1
 type: npm
 summary: Actions core lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/core

.licenses/npm/@actions/exec.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/exec"
-version: 1.1.1
+version: 3.0.0
 type: npm
 summary: Actions exec lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/exec

.licenses/npm/@actions/http-client.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/http-client"
-version: 2.2.3
+version: 4.0.1
 type: npm
 summary: Actions Http Client
 homepage: https://github.com/actions/toolkit/tree/main/packages/http-client

.licenses/npm/@actions/io.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/io"
-version: 1.1.3
+version: 3.0.2
 type: npm
 summary: Actions io lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/io

.licenses/npm/@actions/tool-cache.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: "@actions/tool-cache"
-version: 2.0.2
+version: 4.0.0
 type: npm
 summary: Actions tool-cache lib
 homepage: https://github.com/actions/toolkit/tree/main/packages/tool-cache

.licenses/npm/@fastify/busboy.dep.yml

@@ -1,30 +0,0 @@
----
-name: "@fastify/busboy"
-version: 2.1.1
-type: npm
-summary: A streaming parser for HTML form data for node.js
-homepage:
-license: mit
-licenses:
-- sources: LICENSE
-  text: |-
-    Copyright Brian White. All rights reserved.
-
-    Permission is hereby granted, free of charge, to any person obtaining a copy
-    of this software and associated documentation files (the "Software"), to
-    deal in the Software without restriction, including without limitation the
-    rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
-    sell copies of the Software, and to permit persons to whom the Software is
-    furnished to do so, subject to the following conditions:
-
-    The above copyright notice and this permission notice shall be included in
-    all copies or substantial portions of the Software.
-
-    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
-    FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
-    IN THE SOFTWARE.
-notices: []

.licenses/npm/semver-7.7.2.dep.yml

@@ -1,26 +0,0 @@
----
-name: semver
-version: 7.7.2
-type: npm
-summary: The semantic version parser used by npm.
-homepage:
-license: isc
-licenses:
-- sources: LICENSE
-  text: |
-    The ISC License
-
-    Copyright (c) Isaac Z. Schlueter and Contributors
-
-    Permission to use, copy, modify, and/or distribute this software for any
-    purpose with or without fee is hereby granted, provided that the above
-    copyright notice and this permission notice appear in all copies.
-
-    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-    WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-    ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
-    IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-notices: []

.licenses/npm/semver.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: semver
-version: 6.3.1
+version: 7.8.0
 type: npm
 summary: The semantic version parser used by npm.
 homepage:

.licenses/npm/undici.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: undici
-version: 5.29.0
+version: 6.25.0
 type: npm
 summary: An HTTP/1.1 client, written from scratch for Node.js
 homepage: https://undici.nodejs.org

README.md

@@ -44,6 +44,7 @@ steps:
   - uses: supabase/setup-cli@v1
     with:
       version: latest
+      github-token: ${{ github.token }}
   - run: supabase init
   - run: supabase db start
 ```
@@ -55,9 +56,10 @@ on Windows and macOS runners.
 
 The actions supports the following inputs:
 
-| Name      | Type   | Description                        | Default  | Required |
-| --------- | ------ | ---------------------------------- | -------- | -------- |
-| `version` | String | Supabase CLI version (or `latest`) | `2.20.3` | false    |
+| Name           | Type   | Description                                                                | Default  | Required |
+| -------------- | ------ | -------------------------------------------------------------------------- | -------- | -------- |
+| `version`      | String | Supabase CLI version (or `latest`)                                         | `2.20.3` | false    |
+| `github-token` | String | GitHub token used to resolve `latest` without unauthenticated API limiting |          | false    |
 
 ## Advanced Usage
 
@@ -135,8 +137,8 @@ need to perform some initial setup steps before you can develop your action.
 
 ## Publish to a distribution branch
 
-Actions are run from this GitHub repository so we will checkin the packed `dist`
-folder.
+Actions are run from this GitHub repository so we will check in the packed
+`dist` folder.
 
 1. Create a new GitHub release
 2. Rebase `v1` branch on `main`
@@ -155,6 +157,7 @@ repository (see [test.yml](.github/workflows/test.yml))
 uses: ./
 with:
   version: latest
+  github-token: ${{ github.token }}
 ```
 
 See the [actions tab](https://github.com/supabase/setup-cli/actions) for runs of

__tests__/main.test.ts

@@ -1,4 +1,4 @@
-import { getDownloadUrl } from '../src/utils'
+import { getCliPath, getDownloadArchive, getDownloadUrl } from '../src/utils'
 import { CLI_CONFIG_REGISTRY } from '../src/main'
 import * as os from 'os'
 import * as process from 'process'
@@ -7,7 +7,11 @@ import * as path from 'path'
 import * as fs from 'fs'
 import * as yaml from 'js-yaml'
 import * as url from 'url'
-import { expect, test } from '@jest/globals'
+import { afterEach, expect, jest, test } from '@jest/globals'
+
+afterEach(() => {
+  jest.restoreAllMocks()
+})
 
 test('gets download url to binary', async () => {
   const url = await getDownloadUrl('1.28.0')
@@ -31,10 +35,108 @@ test('gets legacy download url to binary', async () => {
 })
 
 test('gets download url to latest version', async () => {
-  const url = await getDownloadUrl('latest')
-  expect(url).toMatch(
-    'https://github.com/supabase/cli/releases/latest/download/'
+  jest.spyOn(globalThis, 'fetch').mockResolvedValue(
+    new Response(JSON.stringify({ tag_name: 'v2.99.0' }), {
+      status: 200,
+      statusText: 'OK'
+    })
   )
+
+  const url = await getDownloadUrl('latest')
+  expect(url).toContain('/download/v2.99.0/supabase_2.99.0_')
+  expect(url).toMatch(/\.tar\.gz$|\.zip$/)
+})
+
+test('authenticates latest version lookup when a GitHub token is provided', async () => {
+  const fetchMock = jest.spyOn(globalThis, 'fetch').mockResolvedValue(
+    new Response(JSON.stringify({ tag_name: 'v2.99.0' }), {
+      status: 200,
+      statusText: 'OK'
+    })
+  )
+
+  await getDownloadUrl('latest', 'github-token')
+
+  expect(fetchMock).toHaveBeenCalledWith(
+    'https://api.github.com/repos/supabase/cli/releases/latest',
+    expect.objectContaining({
+      headers: expect.objectContaining({
+        Accept: 'application/vnd.github+json',
+        Authorization: 'Bearer github-token',
+        'X-GitHub-Api-Version': '2022-11-28'
+      })
+    })
+  )
+})
+
+test('omits authorization from latest version lookup without a GitHub token', async () => {
+  const fetchMock = jest.spyOn(globalThis, 'fetch').mockResolvedValue(
+    new Response(JSON.stringify({ tag_name: 'v2.99.0' }), {
+      status: 200,
+      statusText: 'OK'
+    })
+  )
+
+  await getDownloadUrl('latest')
+
+  expect(fetchMock).toHaveBeenCalledWith(
+    'https://api.github.com/repos/supabase/cli/releases/latest',
+    expect.objectContaining({
+      headers: expect.not.objectContaining({
+        Authorization: expect.any(String)
+      })
+    })
+  )
+})
+
+test('gets versioned archive url to binary from Supabase CLI v2.99.0', async () => {
+  const archive = await getDownloadArchive('2.99.0', 'linux', 'x64')
+
+  expect(archive).toEqual({
+    url: 'https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_linux_amd64.tar.gz',
+    format: 'tar'
+  })
+})
+
+test('gets apk archive url on Linux musl from Supabase CLI v2.99.0', async () => {
+  const archive = await getDownloadArchive('2.99.0', 'linux', 'x64', true)
+
+  expect(archive).toEqual({
+    url: 'https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_linux_amd64.apk',
+    format: 'apk'
+  })
+})
+
+test('keeps tar archives before Supabase CLI v2.99.0 on Linux musl', async () => {
+  const archive = await getDownloadArchive('2.98.2', 'linux', 'x64', true)
+
+  expect(archive).toEqual({
+    url: 'https://github.com/supabase/cli/releases/download/v2.98.2/supabase_linux_amd64.tar.gz',
+    format: 'tar'
+  })
+})
+
+test('uses usr/bin as the CLI path for apk archives', () => {
+  expect(getCliPath('/tmp/extracted', 'apk')).toBe('/tmp/extracted/usr/bin')
+  expect(getCliPath('/tmp/extracted', 'tar')).toBe('/tmp/extracted')
+  expect(getCliPath('/tmp/extracted', 'zip')).toBe('/tmp/extracted')
+})
+
+test('gets versioned zip archive url on Windows from Supabase CLI v2.99.0', async () => {
+  const archive = await getDownloadArchive('2.99.0', 'win32', 'x64')
+
+  expect(archive).toEqual({
+    url: 'https://github.com/supabase/cli/releases/download/v2.99.0/supabase_2.99.0_windows_amd64.zip',
+    format: 'zip'
+  })
+})
+
+test('keeps unversioned archive url to binary before Supabase CLI v2.99.0', async () => {
+  const url = await getDownloadUrl('2.98.2')
+
+  expect(url).toContain('/download/v2.98.2/supabase_')
+  expect(url).not.toContain('supabase_2.98.2_')
+  expect(url).toMatch(/\.tar\.gz$/)
 })
 
 // shows how the runner will run a javascript action with env / stdout protocol

action.yml

@@ -6,6 +6,11 @@ inputs:
     description: Version of Supabase CLI to install
     required: false
     default: 2.20.3
+  github-token:
+    description:
+      GitHub token used to resolve the latest Supabase CLI release without
+      hitting unauthenticated API limits.
+    required: false
 outputs:
   version:
     description: Version of installed Supabase CLI

package-lock.json

@@ -9,8 +9,8 @@
       "version": "1.6.0",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.11.1",
-        "@actions/tool-cache": "^2.0.2",
+        "@actions/core": "^3.0.1",
+        "@actions/tool-cache": "^4.0.0",
         "semver": "^7.7.2"
       },
       "devDependencies": {
@@ -70,6 +70,17 @@
         "unzip-stream": "^0.3.1"
       }
     },
+    "node_modules/@actions/artifact/node_modules/@actions/core": {
+      "version": "1.11.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
+      "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@actions/exec": "^1.1.1",
+        "@actions/http-client": "^2.0.1"
+      }
+    },
     "node_modules/@actions/artifact/node_modules/@actions/github": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/@actions/github/-/github-5.1.1.tgz",
@@ -252,19 +263,54 @@
       "license": "ISC"
     },
     "node_modules/@actions/core": {
-      "version": "1.11.1",
-      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
-      "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-3.0.1.tgz",
+      "integrity": "sha512-a6d/Nwahm9fliVGRhdhofo40HjHQasUPusmc7vBfyky+7Z+P2A1J68zyFVaNcEclc/Se+eO595oAr5nwEIoIUA==",
       "license": "MIT",
       "dependencies": {
-        "@actions/exec": "^1.1.1",
-        "@actions/http-client": "^2.0.1"
+        "@actions/exec": "^3.0.0",
+        "@actions/http-client": "^4.0.0"
+      }
+    },
+    "node_modules/@actions/core/node_modules/@actions/exec": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
+      "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/io": "^3.0.2"
+      }
+    },
+    "node_modules/@actions/core/node_modules/@actions/http-client": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.1.tgz",
+      "integrity": "sha512-+Nvd1ImaOZBSoPbsUtEhv+1z99H12xzncCkz0a3RuehINE81FZSe2QTj3uvAPTcJX/SCzUQHQ0D1GrPMbrPitg==",
+      "license": "MIT",
+      "dependencies": {
+        "tunnel": "^0.0.6",
+        "undici": "^6.23.0"
+      }
+    },
+    "node_modules/@actions/core/node_modules/@actions/io": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
+      "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/core/node_modules/undici": {
+      "version": "6.25.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
+      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.17"
       }
     },
     "node_modules/@actions/exec": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
       "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@actions/io": "^1.0.1"
@@ -431,6 +477,7 @@
       "version": "2.2.3",
       "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-2.2.3.tgz",
       "integrity": "sha512-mx8hyJi/hjFvbPokCg4uRd4ZX78t+YyRPtnKWwIl+RzNaVuFpQHfmlGVfsKEJN8LwTCvL+DfVgAM04XaHkm6bA==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "tunnel": "^0.0.6",
@@ -441,28 +488,54 @@
       "version": "1.1.3",
       "resolved": "https://registry.npmjs.org/@actions/io/-/io-1.1.3.tgz",
       "integrity": "sha512-wi9JjgKLYS7U/z8PPbco+PvTb/nRWjeoFlJ1Qer83k/3C5PHQi28hiVdeE2kHXmIL99mQFawx8qt/JPjZilJ8Q==",
+      "dev": true,
       "license": "MIT"
     },
     "node_modules/@actions/tool-cache": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-2.0.2.tgz",
-      "integrity": "sha512-fBhNNOWxuoLxztQebpOaWu6WeVmuwa77Z+DxIZ1B+OYvGkGQon6kTVg6Z32Cb13WCuw0szqonK+hh03mJV7Z6w==",
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-4.0.0.tgz",
+      "integrity": "sha512-L8P9HbXvpvqjZDveb/fdsa55IVC0trfPgQ4ZwGo6r5af6YDVdM9vMGPZ7rgY2fAT9gGj4PSYd6bYlg3p3jD78A==",
       "license": "MIT",
       "dependencies": {
-        "@actions/core": "^1.11.1",
-        "@actions/exec": "^1.0.0",
-        "@actions/http-client": "^2.0.1",
-        "@actions/io": "^1.1.1",
-        "semver": "^6.1.0"
+        "@actions/core": "^3.0.0",
+        "@actions/exec": "^3.0.0",
+        "@actions/http-client": "^4.0.0",
+        "@actions/io": "^3.0.0",
+        "semver": "^7.7.3"
       }
     },
-    "node_modules/@actions/tool-cache/node_modules/semver": {
-      "version": "6.3.1",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.1.tgz",
-      "integrity": "sha512-BR7VvDCVHO+q2xBEWskxS6DJE1qRnb7DxzUrogb71CWoSficBxYsiAGd+Kl0mmq/MprG9yArRkyrQxTO6XjMzA==",
-      "license": "ISC",
-      "bin": {
-        "semver": "bin/semver.js"
+    "node_modules/@actions/tool-cache/node_modules/@actions/exec": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
+      "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+      "license": "MIT",
+      "dependencies": {
+        "@actions/io": "^3.0.2"
+      }
+    },
+    "node_modules/@actions/tool-cache/node_modules/@actions/http-client": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-4.0.1.tgz",
+      "integrity": "sha512-+Nvd1ImaOZBSoPbsUtEhv+1z99H12xzncCkz0a3RuehINE81FZSe2QTj3uvAPTcJX/SCzUQHQ0D1GrPMbrPitg==",
+      "license": "MIT",
+      "dependencies": {
+        "tunnel": "^0.0.6",
+        "undici": "^6.23.0"
+      }
+    },
+    "node_modules/@actions/tool-cache/node_modules/@actions/io": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
+      "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==",
+      "license": "MIT"
+    },
+    "node_modules/@actions/tool-cache/node_modules/undici": {
+      "version": "6.25.0",
+      "resolved": "https://registry.npmjs.org/undici/-/undici-6.25.0.tgz",
+      "integrity": "sha512-ZgpWDC5gmNiuY9CnLVXEH8rl50xhRCuLNA97fAUnKi8RRuV4E6KG31pDTsLVUKnohJE0I3XDrTeEydAXRw47xg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.17"
       }
     },
     "node_modules/@ampproject/remapping": {
@@ -1903,6 +1976,7 @@
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
       "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
+      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">=14"
@@ -1948,6 +2022,17 @@
         "node": "^20 || ^22"
       }
     },
+    "node_modules/@github/local-action/node_modules/@actions/core": {
+      "version": "1.11.1",
+      "resolved": "https://registry.npmjs.org/@actions/core/-/core-1.11.1.tgz",
+      "integrity": "sha512-hXJCSrkwfA46Vd9Z3q4cpEpHB1rL5NG04+/rbqW9d3+CSvtB1tYe8UTpAlixa1vj0m/ULglfEK2UKxMGxCxv5A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@actions/exec": "^1.1.1",
+        "@actions/http-client": "^2.0.1"
+      }
+    },
     "node_modules/@github/local-action/node_modules/undici": {
       "version": "7.12.0",
       "resolved": "https://registry.npmjs.org/undici/-/undici-7.12.0.tgz",
@@ -11316,9 +11401,9 @@
       }
     },
     "node_modules/semver": {
-      "version": "7.7.2",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
-      "integrity": "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==",
+      "version": "7.8.0",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.8.0.tgz",
+      "integrity": "sha512-AcM7dV/5ul4EekoQ29Agm5vri8JNqRyj39o0qpX6vDF2GZrtutZl5RwgD1XnZjiTAfncsJhMI48QQH3sN87YNA==",
       "license": "ISC",
       "bin": {
         "semver": "bin/semver.js"
@@ -12596,6 +12681,7 @@
       "version": "5.29.0",
       "resolved": "https://registry.npmjs.org/undici/-/undici-5.29.0.tgz",
       "integrity": "sha512-raqeBD6NQK4SkWhQzeYKd1KmIG6dllBOTt55Rmkt4HtI9mwdWtJljnrXjAFUBLTSN67HWrOIZ3EPF4kjUw80Bg==",
+      "dev": true,
       "license": "MIT",
       "dependencies": {
         "@fastify/busboy": "^2.0.0"

package.json

@@ -33,8 +33,8 @@
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/core": "^1.11.1",
-    "@actions/tool-cache": "^2.0.2",
+    "@actions/core": "^3.0.1",
+    "@actions/tool-cache": "^4.0.0",
     "semver": "^7.7.2"
   },
   "devDependencies": {

src/main.ts

@@ -1,7 +1,12 @@
 import * as core from '@actions/core'
 import * as tc from '@actions/tool-cache'
 import { gte } from 'semver'
-import { getDownloadUrl, determineInstalledVersion } from './utils.js'
+import {
+  getDownloadArchive,
+  determineInstalledVersion,
+  getCliPath,
+  installAlpineRuntimeDependencies
+} from './utils.js'
 
 export const CLI_CONFIG_REGISTRY = 'SUPABASE_INTERNAL_IMAGE_REGISTRY'
 
@@ -14,13 +19,26 @@ export async function run(): Promise<void> {
   try {
     // Get version of tool to be installed
     const version = core.getInput('version')
+    const githubToken = core.getInput('github-token')
 
     // Download the specific version of the tool, e.g. as a tarball/zipball
-    const download = await getDownloadUrl(version)
-    const pathToTarball = await tc.downloadTool(download)
+    const download = await getDownloadArchive(
+      version,
+      undefined,
+      undefined,
+      undefined,
+      githubToken
+    )
+    const pathToArchive = await tc.downloadTool(download.url)
 
     // Extract the tarball/zipball onto host runner
-    const pathToCLI = await tc.extractTar(pathToTarball)
+    const extractedPath =
+      download.format === 'zip'
+        ? await tc.extractZip(pathToArchive)
+        : await tc.extractTar(pathToArchive)
+    const pathToCLI = getCliPath(extractedPath, download.format)
+
+    await installAlpineRuntimeDependencies(download.format)
 
     // Expose the tool by adding it to the PATH
     core.addPath(pathToCLI)

src/utils.ts

@@ -1,9 +1,20 @@
 import { exec } from 'child_process'
+import { existsSync } from 'fs'
 import os from 'os'
-import { lt } from 'semver'
+import { gte, lt } from 'semver'
 import { promisify } from 'util'
 
 const doExec = promisify(exec)
+const VERSIONED_ARCHIVE_VERSION = '2.99.0'
+const LATEST_RELEASE_URL =
+  'https://api.github.com/repos/supabase/cli/releases/latest'
+
+export type ArchiveFormat = 'apk' | 'tar' | 'zip'
+
+export type DownloadArchive = {
+  url: string
+  format: ArchiveFormat
+}
 
 // arch in [arm, arm64, x64...] (https://nodejs.org/docs/latest-v16.x/api/os.html#osarch)
 // return value in [amd64, arm64, arm]
@@ -23,17 +34,172 @@ const mapOS = (platform: string): string => {
   return mappings[platform] || platform
 }
 
-export const getDownloadUrl = async (version: string): Promise<string> => {
-  const platform = mapOS(os.platform())
-  const arch = mapArch(os.arch())
-  const filename = `supabase_${platform}_${arch}.tar.gz`
-  if (version.toLowerCase() === 'latest') {
-    return `https://github.com/supabase/cli/releases/latest/download/${filename}`
+const normalizeVersion = (version: string): string => version.replace(/^v/i, '')
+
+const resolveLatestVersion = async (githubToken?: string): Promise<string> => {
+  const headers: Record<string, string> = {
+    Accept: 'application/vnd.github+json',
+    'X-GitHub-Api-Version': '2022-11-28'
   }
+  const token = githubToken?.trim()
+
+  if (token) {
+    headers.Authorization = `Bearer ${token}`
+  }
+
+  const response = await fetch(LATEST_RELEASE_URL, { headers })
+  if (!response.ok) {
+    throw new Error(
+      `Failed to resolve latest Supabase CLI release: ${response.statusText}`
+    )
+  }
+
+  const release = (await response.json()) as { tag_name?: unknown }
+  if (typeof release.tag_name !== 'string') {
+    throw new Error(
+      'Failed to resolve latest Supabase CLI release: missing tag name'
+    )
+  }
+
+  return normalizeVersion(release.tag_name)
+}
+
+const detectMuslLinux = async (platform = os.platform()): Promise<boolean> => {
+  if (platform !== 'linux') {
+    return false
+  }
+
+  if (existsSync('/etc/alpine-release')) {
+    return true
+  }
+
+  try {
+    const { stdout, stderr } = await doExec('ldd --version')
+    return `${stdout}\n${stderr}`.toLowerCase().includes('musl')
+  } catch (error) {
+    const output = error instanceof Error ? error.message : String(error)
+    return output.toLowerCase().includes('musl')
+  }
+}
+
+const getArchiveFormat = (
+  version: string,
+  platform: string,
+  isMuslLinux: boolean
+): ArchiveFormat => {
+  if (
+    platform === 'linux' &&
+    isMuslLinux &&
+    gte(version, VERSIONED_ARCHIVE_VERSION)
+  ) {
+    return 'apk'
+  }
+
+  if (platform === 'win32' && gte(version, VERSIONED_ARCHIVE_VERSION)) {
+    return 'zip'
+  }
+
+  return 'tar'
+}
+
+const getArchiveFilename = (
+  version: string,
+  platform: string,
+  arch: string,
+  format: ArchiveFormat
+): string => {
+  const archivePlatform = mapOS(platform)
+  const archiveArch = mapArch(arch)
   if (lt(version, '1.28.0')) {
-    return `https://github.com/supabase/cli/releases/download/v${version}/supabase_${version}_${platform}_${arch}.tar.gz`
+    return `supabase_${version}_${archivePlatform}_${archiveArch}.tar.gz`
   }
-  return `https://github.com/supabase/cli/releases/download/v${version}/${filename}`
+
+  if (platform === 'linux' && format === 'apk') {
+    return `supabase_${version}_${archivePlatform}_${archiveArch}.apk`
+  }
+
+  if (gte(version, VERSIONED_ARCHIVE_VERSION)) {
+    const extension = platform === 'win32' ? 'zip' : 'tar.gz'
+    return `supabase_${version}_${archivePlatform}_${archiveArch}.${extension}`
+  }
+
+  return `supabase_${archivePlatform}_${archiveArch}.tar.gz`
+}
+
+export const getDownloadArchive = async (
+  version: string,
+  platform = os.platform(),
+  arch = os.arch(),
+  isMuslLinux?: boolean,
+  githubToken?: string
+): Promise<DownloadArchive> => {
+  const resolvedVersion =
+    version.toLowerCase() === 'latest'
+      ? await resolveLatestVersion(githubToken)
+      : normalizeVersion(version)
+  const format = getArchiveFormat(
+    resolvedVersion,
+    platform,
+    isMuslLinux ?? (await detectMuslLinux(platform))
+  )
+  const filename = getArchiveFilename(resolvedVersion, platform, arch, format)
+
+  return {
+    url: `https://github.com/supabase/cli/releases/download/v${resolvedVersion}/${filename}`,
+    format
+  }
+}
+
+export const getCliPath = (
+  extractedPath: string,
+  archiveFormat: ArchiveFormat
+): string => {
+  return archiveFormat === 'apk' ? `${extractedPath}/usr/bin` : extractedPath
+}
+
+export const installAlpineRuntimeDependencies = async (
+  archiveFormat: ArchiveFormat
+): Promise<void> => {
+  if (archiveFormat !== 'apk') {
+    return
+  }
+
+  try {
+    await doExec('command -v apk')
+  } catch {
+    throw new Error(
+      'Linux musl containers need libstdc++ and libgcc to run Supabase CLI. Install them before supabase/setup-cli.'
+    )
+  }
+
+  try {
+    await doExec('apk info -e libstdc++ libgcc')
+    return
+  } catch {
+    const { stdout } = await doExec('id -u')
+    if (stdout.trim() !== '0') {
+      throw new Error(
+        "Alpine/musl containers need libstdc++ and libgcc to run Supabase CLI. Add 'apk add --no-cache libstdc++ libgcc' before supabase/setup-cli, or run this job container as root."
+      )
+    }
+  }
+
+  // The Supabase CLI shim in the apk dynamically links these Alpine runtime libraries.
+  await doExec('apk add --no-cache libstdc++ libgcc')
+}
+
+export const getDownloadUrl = async (
+  version: string,
+  githubToken?: string
+): Promise<string> => {
+  const archive = await getDownloadArchive(
+    version,
+    os.platform(),
+    os.arch(),
+    undefined,
+    githubToken
+  )
+  return archive.url
 }
 
 export const determineInstalledVersion = async (): Promise<string> => {