chore: prepare for v2.0.0

[jgoux]

Summary

This PR prepares supabase/setup-cli for v2.0.0.

The main goal of this release is to simplify the action and modernize the repo/tooling around a Bun-based implementation, while tightening workflows, tests, and documentation.

What Changed

Action runtime

• switched the action from a Node/compiled dist runtime to a Bun-based composite action
• removed the checked-in dist/ output entirely
• simplified the action source down to a single runtime file in src/main.ts
• kept the public action interface the same:
  • with.version
  • outputs.version

Tooling

• switched package management and local tooling from npm to Bun
• removed Rollup and the build step
• replaced Jest with Bun’s native test runner
• replaced Prettier with oxfmt
• replaced ESLint with oxlint
• enabled type-aware/type-check linting with oxlint-tsgolint
• simplified TypeScript config to a single tsconfig.json extending @tsconfig/bun

Tests

• moved tests next to the runtime source
• rewrote tests to focus on meaningful user-facing action behavior
• added coverage for:
  • default entrypoint execution
  • latest version installs
  • legacy version installs
  • modern pinned version installs
  • failure when the installed CLI cannot report a version
• action code coverage is now 100%

Workflows

• renamed workflow files for clarity:
  • test.yml -> ci.yml
  • start.yml -> e2e.yml
• updated workflow/job naming so required checks are clean and stable:
  • CI
  • E2E
  • CodeQL
  • Licensed
• added aggregate PR-facing checks so branch protection does not need matrix legs
• made CI and E2E skip heavy jobs on draft PRs
• made E2E run automatically on ready PRs and new commits
• simplified CodeQL config by removing the separate config file
• updated action pins to current releases using commit SHAs
• refined Dependabot for Bun-era updates and non-major auto-merge

Docs

• refreshed README.md and docs/index.md for the new v2 behavior
• updated examples to use @v2
• added a practical example for exporting local Supabase env vars after supabase start
• removed stale references to old local/dev flows

Breaking / Notable Changes

• the action now runs as a Bun-based composite action instead of a prebuilt JavaScript action
• no checked-in dist/ artifacts anymore
• self-hosted runners now need the prerequisites expected by the composite action path:
  • bash
  • network access to install Bun/dependencies and download the Supabase CLI

Validation

Verified locally with:

• bun run format:check
• bun run lint
• bun test
• bun run ci

Also updated workflows and branch-protection-friendly check names so PR validation is cleaner going forward.

Follow-up

After merge, branch protection should require only:

• CI
• E2E
• CodeQL
• Licensed

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[avallete]

LGTM

Only question I have is how the rollout will happen ? We do use the setup-cli in some of our own repos. Could we maybe try it there before a global v2 release tag ?

[jgoux]

Could we maybe try it there before a global v2 release tag ?

Yes we will try it for a week on the last commit before tagging v2. 👍