ci(actions): bump supabase/setup-cli from 1 to 2

[dependabot]

Bumps supabase/setup-cli from 1 to 2.

Release notes

Sourced from supabase/setup-cli's releases.

v2.0.0

This major release refreshes the action internals, CI coverage, and release pipeline while keeping usage straightforward with uses: supabase/setup-cli@v2.

Highlights

• Switched the action implementation to a composite action flow and modernized runtime/dependency setup.
• Improved CLI version resolution: when version is omitted, the action now detects it from root lockfiles (bun.lock, pnpm-lock.yaml, package-lock.json) and falls back to latest.
• Expanded validation with dedicated CI + E2E workflows and updated docs/examples around @v2.
• Hardened repository automation and supply-chain posture (pinned actions, Dependabot workflow/policy updates, licensed workflow fixes).
• Migrated away from old bundled distribution/test setup to a cleaner Bun-based project structure.

Maintenance updates

• Dependency refreshes across Bun/TypeScript and GitHub Actions tooling.
• Documentation and workflow cleanup for long-term maintainability.

Contributors

Thanks to everyone who contributed to this release:

• @​staaldraad
• @​martindonadieu

Full changelog

36 commits between v1.6.0 and v2.0.0
Compare changes

v1.6.0

What's Changed

• chore: update code owners by @​sweatybridge in supabase/setup-cli#327
• ci: explicit permissions on actions by @​doublethink in supabase/setup-cli#326
• chore(deps-dev): bump prettier from 2.8.8 to 3.6.2 by @​dependabot[bot] in supabase/setup-cli#331
• chore: migrate to esm by @​sweatybridge in supabase/setup-cli#334

New Contributors

• @​doublethink made their first contribution in supabase/setup-cli#326

Full Changelog: supabase/setup-cli@v1.5.0...v1.6.0

v1.5.0

What's Changed

• chore(deps): bump dependabot/fetch-metadata from 2.1.0 to 2.2.0 by @​dependabot in supabase/setup-cli#290
• chore(deps): bump actions/setup-node from 4.0.2 to 4.0.3 by @​dependabot in supabase/setup-cli#291
• chore(deps): bump semver from 7.6.2 to 7.6.3 by @​dependabot in supabase/setup-cli#293
• chore(deps-dev): bump eslint from 8.57.0 to 8.57.1 by @​dependabot in supabase/setup-cli#301
• chore(deps): bump actions/setup-node from 4.0.3 to 4.0.4 by @​dependabot in supabase/setup-cli#302
• chore(deps-dev): bump @​vercel/ncc from 0.38.1 to 0.38.2 by @​dependabot in supabase/setup-cli#303
• chore: update CODEOWNERS by @​soedirgo in supabase/setup-cli#321
• feat: bump default cli version to v2 by @​sweatybridge in supabase/setup-cli#324

... (truncated)

Commits

• df56b21 chore(deps-dev): bump the bun-minor-patch group with 2 updates (#419)
• 6c93bde chore(deps-dev): bump @​types/bun from 1.3.11 to 1.3.12 in the bun-minor-patch...
• 7fcab5b chore(deps-dev): bump @​typescript/native-preview from 7.0.0-dev.20260409.1 to...
• 6081904 [codex] fix dependabot actions cooldown config (#414)
• c099ad8 fix: auto-approval and refine dependabot policy (#412)
• afb0a59 fix: await main function (#411)
• 7fef86c fix: licensed workflow trigger (#413)
• 337fb0d chore(deps-dev): bump @​typescript/native-preview from 7.0.0-dev.20260401.1 to...
• 33d1b57 chore(deps-dev): bump the bun-development group with 3 updates (#408)
• 24d47d8 chore(deps): bump ruby/setup-ruby from 1.299.0 to 1.300.0 in the actions-mino...
• Additional commits viewable in compare view

Summary by CodeRabbit

Release Notes

• Chores
  • Atualização da versão do Supabase CLI nos fluxos de automação de implantação para garantir compatibilidade e melhorias de infraestrutura.

[dependabot]

Labels

The following labels could not be found: automated, ci. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
promo-gifts	Ready	Preview, Comment	May 12, 2026 5:50pm

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bf1af2f3-36a4-420b-965d-daa74d701680

📥 Commits

Reviewing files that changed from the base of the PR and between 0b989ab and 614ec14.

📒 Files selected for processing (2)

• .github/workflows/delete-orphan-edges.yml
• .github/workflows/deploy-edge-functions.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/deploy-edge-functions.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .github/workflows/delete-orphan-edges.yml

---

Walkthrough

O PR atualiza dois workflows do GitHub Actions para usar a versão 2 da action supabase/setup-cli, substituindo a versão 1 nos passos de configuração das funções de edge tanto para exclusão de órfãs quanto para deploy. Sem alterações de lógica ou comportamento.

Changes

Atualização de Ações do Supabase CLI

Layer / File(s)	Resumo
Upgrade de Versão do CLI .github/workflows/delete-orphan-edges.yml, .github/workflows/deploy-edge-functions.yml	Ambos os workflows passam a usar supabase/setup-cli@v2 nos passos de setup, substituindo @v1.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutos

Possibly related PRs

• adm01-debug/Promo_Gifts#133: Introduziu o passo de setup do Supabase CLI em delete-orphan-edges.yml que agora está sendo atualizado neste PR.

Suggested reviewers

• adm01-debug

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	A descrição fornecida é gerada automaticamente pelo Dependabot e desvia significativamente do template obrigatório do repositório em português, omitindo seções críticas como tipo de mudança, checklist de validação e notas para reviewer.	Preencha o template obrigatório com tipo de mudança (refatoração/atualização), checklist de testes (ESLint, TypeScript, testes), e qualquer nota relevante sobre compatibilidade com v2.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	O título descreve com clareza a mudança principal: bump da ação supabase/setup-cli de v1 para v2 em dois workflows de CI.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependabot/github_actions/supabase/setup-cli-2

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/delete-orphan-edges.yml:
- Around line 58-60: Substitua as referências flutuantes supabase/setup-cli@v2 e
o campo version: latest por valores imutáveis: troque supabase/setup-cli@v2 pelo
ref completo usando o commit SHA (40 chars) da tag v2 do repo supabase/setup-cli
e substitua version: latest pelo número de versão CLI desejado (por exemplo
2.98.1) obtido do release; isso garante que a step uses:
supabase/setup-cli@<full-sha> e version: <explicit-version> em vez de refs
flutuantes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b94f03fe-7849-4ca0-964e-56ac72d76018

📥 Commits

Reviewing files that changed from the base of the PR and between dfd0384 and 0b989ab.

📒 Files selected for processing (2)

• .github/workflows/delete-orphan-edges.yml
• .github/workflows/deploy-edge-functions.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== 1) Detectar refs flutuantes nos workflows =="
rg -n 'supabase/setup-cli@v2|version:\s*latest' .github/workflows

echo
echo "== 2) Resolver commit SHA real da tag v2 =="
REF_JSON="$(gh api repos/supabase/setup-cli/git/ref/tags/v2)"
OBJ_TYPE="$(jq -r '.object.type' <<<"$REF_JSON")"
OBJ_SHA="$(jq -r '.object.sha' <<<"$REF_JSON")"

if [[ "$OBJ_TYPE" == "tag" ]]; then
  COMMIT_SHA="$(gh api repos/supabase/setup-cli/git/tags/"$OBJ_SHA" --jq '.object.sha')"
else
  COMMIT_SHA="$OBJ_SHA"
fi

echo "commit_sha_v2=$COMMIT_SHA"

Repository: adm01-debug/Promo_Gifts

Length of output: 512

---

🌐 Web query:

GitHub Actions pinning version SHA security best practices

💡 Result:

Best practice: Pin GitHub Actions to a full-length (40-character) commit SHA in every uses: reference, and (where possible) enforce this via the GitHub “allowed actions” policy so workflows fail if an action isn’t pinned. 1) Why pin to commit SHA (not tags/branches) - GitHub security hardening guidance recommends pinning actions to a full-length commit SHA because it makes the action behave like an immutable release; this helps mitigate the risk of a bad actor adding a backdoor to an action repository by changing what a mutable ref points to. [1] - Pinning a short SHA is explicitly insecure; GitHub warns that short SHAs can collide because users can fork and craft commits, and workflows using shortened SHAs will fail. [2] 2) What GitHub expects your workflow to look like - Example pattern from GitHub action versioning guidance: use the long SHA form rather than @vX.Y.Z or @main. [3] - GitHub policy enforcement checks for a “full commit SHA”; if an action isn’t pinned, the workflow fails. [4] 3) How to operationalize it (enforcement) - GitHub’s “allowed actions” policy can enforce SHA pinning. When enabled, workflows that attempt to use an action that isn’t pinned to a full commit SHA will fail. [4] - At the enterprise level, GitHub also documents an option “Require actions to be pinned to a full-length commit SHA” (including GitHub-authored actions). [5] 4) Managing updates without losing security - GitHub recommends pinning to SHAs to prevent malicious code from being automatically used when branches/tags are updated. [4] - Dependabot can be used to update vulnerable actions and can work with SHA-pinned actions; GitHub notes that Dependabot only creates alerts for vulnerable actions that use semantic versioning and will not create alerts for actions pinned to SHA values. [1] - If you want automated updates for SHA pins specifically, you’ll typically use a dedicated workflow/tool approach (e.g., Dependabot/Renovate with support for SHA-pinned updates, or a “ensure SHA pinned actions” job) rather than relying on Dependabot vulnerability alerts alone. (Policy guidance around updating pinned actions is discussed in community-maintenance PRs and tooling, but the core official security recommendation is still the SHA pin + enforcement pattern.) [6][7] 5) Practical security hardening checklist (pinning is one part) - Alongside SHA pinning, GitHub’s security-hardening guidance also covers other controls (e.g., trusting tags only if you trust the creator; auditing action code; and governance via policies). [1] Example: SHA pinning in a workflow - Use: - uses: OWNER/REPO@<FULL_40_CHAR_SHA> # <optional human-readable version> - Avoid: - uses: OWNER/REPO@v4 (mutable to minor/patch updates) - uses: OWNER/REPO@main / @latest (branches/tags can move) If you tell me which actions you currently use (the uses: lines from your workflows), I can help you convert them to full-SHA pins and suggest an enforcement configuration consistent with your org/repo setup.

Citations:

• 1: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions?learn=getting_started&learnProduct=actions
• 2: https://docs.github.com/enterprise-server@3.0/actions/security-guides/security-hardening-for-github-actions
• 3: https://github.com/actions/toolkit/blob/main/docs/action-versioning.md
• 4: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
• 5: https://docs.github.com/en/enterprise-cloud@latest/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise
• 6: Pin all GitHub Actions to immutable SHA commits for supply chain security github/gh-aw#5691
• 7: https://github.com/step-security/github-actions-ensure-sha-pinned-actions

---

🌐 Web query:

supabase setup-cli latest version stable release

💡 Result:

Latest stable Supabase CLI release (as of 2026-05-11): v2.98.1 (published 2026-05-04). [1] Notes about “setup-cli” (GitHub Action) vs “Supabase CLI version”: - The GitHub Action supabase/setup-cli is a separate project from the Supabase CLI itself; the action accepts a version input and installs that CLI version (or latest if omitted). [2][3] - In the action’s action.yml, if version is omitted it “detect[s] from the root lockfile and otherwise use latest.” [3] How to pin the stable CLI in CI using supabase/setup-cli: - Use the stable CLI version explicitly: - uses: supabase/setup-cli@v2 - with: { version: "2.98.1" } [2][3] - Or let the action install the default latest (not necessarily “stable” if you later switch to a prerelease-aware workflow): - with: { version: "latest" } [2] Sources: [1] https://github.com/supabase/cli/releases [2] https://github.com/supabase/setup-cli/releases [3] https://github.com/supabase/setup-cli/blob/main/action.yml

Citations:

• 1: https://github.com/supabase/setup-cli/releases
• 2: https://github.com/supabase/setup-cli
• 3: https://supabase.com/docs/guides/cli/getting-started

---

🏁 Script executed:

#!/bin/bash
# Verificar contexto do workflow: o que exatamente faz, e se há outros lugares com mesmo padrão
echo "== Contexto do workflow delete-orphan-edges.yml =="
head -n 20 .github/workflows/delete-orphan-edges.yml

echo
echo "== Ocorrências de `@v2` em todo o repo =="
rg '@v2' --type yaml

echo
echo "== Ocorrências de version: latest em workflows =="
rg 'version:\s*latest' --type yaml

Repository: adm01-debug/Promo_Gifts

Length of output: 1085

---

Pin a action e versão explícita da CLI para evitar regressões não-determinísticas no CI.

Em linha 58 e linha 60: @v2 e version: latest são refs flutuantes. Isso causa risco de breaking changes silenciosas quando a tag v2 aponta para um novo commit (sem seu controle) ou quando o binário CLI é atualizado.

O workflow executa com SUPABASE_ACCESS_TOKEN, logo uma regressão aqui pode deletar edge functions inesperadas. Use:

-        uses: supabase/setup-cli@v2
+        uses: supabase/setup-cli@<COMMIT_SHA_COMPLETO_DA_TAG_v2>
         with:
-          version: latest
+          version: 2.98.1

Resolva o SHA completo (40 chars) da tag v2 no repositório supabase/setup-cli via GitHub UI ou CLI (gh api repos/supabase/setup-cli/commits/v2), e substitua 2.98.1 pela versão atual do CLI desejada. Isso garante reprodutibilidade entre execuções e bloqueia supply-chain drift.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/delete-orphan-edges.yml around lines 58 - 60, Substitua as
referências flutuantes supabase/setup-cli@v2 e o campo version: latest por
valores imutáveis: troque supabase/setup-cli@v2 pelo ref completo usando o
commit SHA (40 chars) da tag v2 do repo supabase/setup-cli e substitua version:
latest pelo número de versão CLI desejado (por exemplo 2.98.1) obtido do
release; isso garante que a step uses: supabase/setup-cli@<full-sha> e version:
<explicit-version> em vez de refs flutuantes.

[adm01-debug]

@dependabot rebase

(Edge Functions Deno typecheck falhou na execução anterior por 522 Bad Gateway no esm.sh — falha transitória de CDN externo, não relacionada com o upgrade da CLI. Re-executando.)