@aspruyt/xfg 3.9.14 → 3.10.1

package/dist/config/index.d.ts

@@ -1,4 +1,4 @@
-export type { MergeMode, MergeStrategy, PRMergeOptions, RulesetTarget, RulesetEnforcement, BypassActorType, BypassMode, PatternOperator, MergeMethod, AlertsThreshold, SecurityAlertsThreshold, BypassActor, RefNameCondition, RulesetConditions, StatusCheckConfig, RequiredReviewer, CodeScanningTool, WorkflowConfig, PullRequestRuleParameters, RequiredStatusChecksParameters, UpdateRuleParameters, RequiredDeploymentsParameters, CodeScanningParameters, CodeQualityParameters, WorkflowsParameters, PatternRuleParameters, FilePathRestrictionParameters, FileExtensionRestrictionParameters, MaxFilePathLengthParameters, MaxFileSizeParameters, PullRequestRule, RequiredStatusChecksRule, RequiredSignaturesRule, RequiredLinearHistoryRule, NonFastForwardRule, CreationRule, UpdateRule, DeletionRule, RequiredDeploymentsRule, CodeScanningRule, CodeQualityRule, WorkflowsRule, CommitAuthorEmailPatternRule, CommitMessagePatternRule, CommitterEmailPatternRule, BranchNamePatternRule, TagNamePatternRule, FilePathRestrictionRule, FileExtensionRestrictionRule, MaxFilePathLengthRule, MaxFileSizeRule, RulesetRule, Ruleset, SquashMergeCommitTitle, SquashMergeCommitMessage, MergeCommitTitle, MergeCommitMessage, RepoVisibility, GitHubRepoSettings, Label, RepoSettings, ContentValue, RawFileConfig, RawRepoFileOverride, RawRepoSettings, RawRepoConfig, RawConfig, FileContent, RepoConfig, Config, } from "./types.js";
+export type { MergeMode, MergeStrategy, PRMergeOptions, RulesetTarget, RulesetEnforcement, BypassActorType, BypassMode, PatternOperator, MergeMethod, AlertsThreshold, SecurityAlertsThreshold, BypassActor, RefNameCondition, RulesetConditions, StatusCheckConfig, RequiredReviewer, CodeScanningTool, WorkflowConfig, PullRequestRuleParameters, RequiredStatusChecksParameters, UpdateRuleParameters, RequiredDeploymentsParameters, CodeScanningParameters, CodeQualityParameters, WorkflowsParameters, PatternRuleParameters, FilePathRestrictionParameters, FileExtensionRestrictionParameters, MaxFilePathLengthParameters, MaxFileSizeParameters, PullRequestRule, RequiredStatusChecksRule, RequiredSignaturesRule, RequiredLinearHistoryRule, NonFastForwardRule, CreationRule, UpdateRule, DeletionRule, RequiredDeploymentsRule, CodeScanningRule, CodeQualityRule, WorkflowsRule, CommitAuthorEmailPatternRule, CommitMessagePatternRule, CommitterEmailPatternRule, BranchNamePatternRule, TagNamePatternRule, FilePathRestrictionRule, FileExtensionRestrictionRule, MaxFilePathLengthRule, MaxFileSizeRule, RulesetRule, Ruleset, SquashMergeCommitTitle, SquashMergeCommitMessage, MergeCommitTitle, MergeCommitMessage, RepoVisibility, GitHubRepoSettings, Label, RepoSettings, ContentValue, RawFileConfig, RawRepoFileOverride, RawRootSettings, RawRepoSettings, RawRepoConfig, RawConfig, FileContent, RepoConfig, Config, } from "./types.js";
 export { RULESET_FIELD_MAP, RULESET_COMPARABLE_FIELDS } from "./types.js";
 export { loadRawConfig, loadConfig, normalizeConfig } from "./loader.js";
 export { convertContentToString, detectOutputFormat, type OutputFormat, type ConvertOptions, } from "./formatter.js";

package/dist/config/normalizer.d.ts

@@ -1,5 +1,5 @@
-import type { RawConfig, Config, RepoSettings, RawRepoSettings } from "./types.js";
-export declare function mergeSettings(root: RawRepoSettings | undefined, perRepo: RawRepoSettings | undefined): RepoSettings | undefined;
+import type { RawConfig, Config, RepoSettings, RawRootSettings, RawRepoSettings } from "./types.js";
+export declare function mergeSettings(root: RawRootSettings | undefined, perRepo: RawRepoSettings | undefined): RepoSettings | undefined;
 /**
  * Normalizes raw config into expanded, merged config.
  * Pipeline: expand git arrays -> merge content -> interpolate env vars

package/dist/config/normalizer.js

@@ -26,6 +26,7 @@ function mergePROptions(global, perRepo) {
     const mergeStrategy = perRepo.mergeStrategy ?? global.mergeStrategy;
     const deleteBranch = perRepo.deleteBranch ?? global.deleteBranch;
     const bypassReason = perRepo.bypassReason ?? global.bypassReason;
+    const labels = perRepo.labels ?? global.labels;
     if (merge !== undefined)
         result.merge = merge;
     if (mergeStrategy !== undefined)
@@ -34,6 +35,8 @@ function mergePROptions(global, perRepo) {
         result.deleteBranch = deleteBranch;
     if (bypassReason !== undefined)
         result.bypassReason = bypassReason;
+    if (labels !== undefined)
+        result.labels = labels;
     return Object.keys(result).length > 0 ? result : undefined;
 }
 /**

package/dist/config/types.d.ts

@@ -6,6 +6,7 @@ export interface PRMergeOptions {
     mergeStrategy?: MergeStrategy;
     deleteBranch?: boolean;
     bypassReason?: string;
+    labels?: string[];
 }
 /** Ruleset target type */
 export type RulesetTarget = "branch" | "tag";
@@ -304,6 +305,12 @@ export interface RawRepoFileOverride {
     vars?: Record<string, string>;
     deleteOrphaned?: boolean;
 }
+export interface RawRootSettings {
+    rulesets?: Record<string, Ruleset | false>;
+    repo?: GitHubRepoSettings | false;
+    labels?: Record<string, Label | false>;
+    deleteOrphaned?: boolean;
+}
 export interface RawRepoSettings {
     rulesets?: Record<string, Ruleset | false> & {
         inherit?: boolean;
@@ -334,7 +341,7 @@ export interface RawConfig {
     prTemplate?: string;
     githubHosts?: string[];
     deleteOrphaned?: boolean;
-    settings?: RawRepoSettings;
+    settings?: RawRootSettings;
 }
 export interface FileContent {
     fileName: string;

package/dist/config/validator.d.ts

@@ -1,4 +1,4 @@
-import type { RawConfig, RawRepoSettings } from "./types.js";
+import type { RawConfig, RawRepoSettings, RawRootSettings } from "./types.js";
 /**
  * Validates settings object containing rulesets, labels, and repo settings.
  */
@@ -16,7 +16,7 @@ export declare function validateForSync(config: RawConfig): void;
 /**
  * Checks if settings contain actionable configuration.
  */
-export declare function hasActionableSettings(settings: RawRepoSettings | undefined): boolean;
+export declare function hasActionableSettings(settings: RawRootSettings | RawRepoSettings | undefined): boolean;
 /**
  * Validates that config is suitable for the settings command.
  * @throws Error if no settings are defined or no actionable settings exist

package/dist/config/validator.js

@@ -274,6 +274,17 @@ export function validateRawConfig(config) {
             }
         }
     }
+    // Validate prOptions.labels if present
+    if (config.prOptions?.labels !== undefined) {
+        if (!Array.isArray(config.prOptions.labels)) {
+            throw new Error("prOptions.labels must be an array of strings");
+        }
+        for (const label of config.prOptions.labels) {
+            if (typeof label !== "string" || label.length === 0) {
+                throw new Error("prOptions.labels entries must be non-empty strings");
+            }
+        }
+    }
     // Validate each repo
     for (let i = 0; i < config.repos.length; i++) {
         const repo = config.repos[i];

package/dist/lifecycle/github-lifecycle-provider.js

@@ -1,6 +1,6 @@
 import { escapeShellArg } from "../shared/shell-utils.js";
 import { defaultExecutor, } from "../shared/command-executor.js";
-import { withRetry } from "../shared/retry-utils.js";
+import { withRetry, DEFAULT_PERMANENT_ERROR_PATTERNS, } from "../shared/retry-utils.js";
 import { isGitHubRepo, } from "../shared/repo-detector.js";
 import { logger } from "../shared/logger.js";
 /**
@@ -304,11 +304,20 @@ export class GitHubLifecycleProvider {
         const hostnameFlag = getHostnameFlag(repoInfo);
         const hostnamePart = hostnameFlag ? `${hostnameFlag} ` : "";
         const apiPath = `repos/${escapeShellArg(repoInfo.owner)}/${escapeShellArg(repoInfo.repo)}`;
+        // After repo creation, GitHub may return 404 due to eventual consistency.
+        // Exclude 404/not-found from permanent errors so withRetry retries them.
+        const postCreatePermanentPatterns = DEFAULT_PERMANENT_ERROR_PATTERNS.filter((p) => !p.test("404 Not Found"));
         // Get the SHA of the README.md created by --add-readme
-        const fileInfo = await withRetry(() => this.executor.exec(`${tokenPrefix}gh api ${hostnamePart}${apiPath}/contents/README.md --jq '.sha'`, this.cwd), { retries: this.retries });
+        const fileInfo = await withRetry(() => this.executor.exec(`${tokenPrefix}gh api ${hostnamePart}${apiPath}/contents/README.md --jq '.sha'`, this.cwd), {
+            retries: this.retries,
+            permanentErrorPatterns: postCreatePermanentPatterns,
+        });
         const sha = fileInfo.trim();
         // Delete the README.md to leave the repo clean
         await withRetry(() => this.executor.exec(`${tokenPrefix}gh api ${hostnamePart}${apiPath}/contents/README.md ` +
-            `--method DELETE -f message='Remove initialization file' -f sha=${escapeShellArg(sha)}`, this.cwd), { retries: this.retries });
+            `--method DELETE -f message='Remove initialization file' -f sha=${escapeShellArg(sha)}`, this.cwd), {
+            retries: this.retries,
+            permanentErrorPatterns: postCreatePermanentPatterns,
+        });
     }
 }

package/dist/shared/logger.d.ts

@@ -1,6 +1,7 @@
 import { FileStatus } from "../sync/diff-utils.js";
 export interface ILogger {
     info(message: string): void;
+    warn(message: string): void;
     debug(message: string): void;
     fileDiff(fileName: string, status: FileStatus, diffLines: string[]): void;
     diffSummary(newCount: number, modifiedCount: number, unchangedCount: number, deletedCount?: number): void;
@@ -21,6 +22,7 @@ export declare class Logger implements ILogger {
     setTotal(total: number): void;
     progress(current: number, repoName: string, message: string): void;
     info(message: string): void;
+    warn(message: string): void;
     debug(message: string): void;
     success(current: number, repoName: string, message: string): void;
     skip(current: number, repoName: string, reason: string): void;

package/dist/shared/logger.js

@@ -17,6 +17,9 @@ export class Logger {
     info(message) {
         console.log(chalk.gray(`    ${message}`));
     }
+    warn(message) {
+        console.log(chalk.yellow(`    ⚠ ${message}`));
+    }
     debug(message) {
         if (process.env.DEBUG || process.env.XFG_DEBUG) {
             console.log(chalk.dim(`    [debug] ${message}`));

package/dist/shared/retry-utils.js

@@ -8,6 +8,7 @@ import { sanitizeCredentials } from "./sanitize-utils.js";
  */
 export const DEFAULT_PERMANENT_ERROR_PATTERNS = [
     /permission\s*denied/i,
+    /not\s*accessible\s*by\s*integration/i,
     /authentication\s*failed/i,
     /bad\s*credentials/i,
     /invalid\s*(token|credentials)/i,

package/dist/sync/file-writer.js

@@ -3,6 +3,7 @@ import { join } from "node:path";
 import { convertContentToString } from "../config/formatter.js";
 import { interpolateXfgContent } from "./xfg-template.js";
 import { getFileStatus, generateDiff, createDiffStats, incrementDiffStats, } from "./diff-utils.js";
+import { hasGitHubAppCredentials } from "../vcs/commit-strategy-selector.js";
 /**
  * Determines if a file should be marked as executable.
  * .sh files are auto-executable unless explicit executable: false is set.
@@ -92,6 +93,11 @@ export class FileWriter {
                 continue;
             }
             if (shouldBeExecutable(file)) {
+                if (tracked?.action === "create" && hasGitHubAppCredentials()) {
+                    log.warn(`${file.fileName}: GitHub App commits cannot set executable mode on new files. ` +
+                        `The file will be created as non-executable (100644). ` +
+                        `See: https://anthony-spruyt.github.io/xfg/examples/executable-files/`);
+                }
                 log.info(`Setting executable: ${file.fileName}`);
                 await gitOps.setExecutable(file.fileName);
             }

package/dist/sync/pr-merge-handler.js

@@ -17,6 +17,7 @@ export class PRMergeHandler {
             prTemplate: options.prTemplate,
             executor: options.executor,
             token: options.token,
+            labels: repoConfig.prOptions?.labels,
         });
         const mergeMode = repoConfig.prOptions?.merge ?? "auto";
         let mergeResult;

package/dist/vcs/github-pr-strategy.js

@@ -114,7 +114,7 @@ export class GitHubPRStrategy extends BasePRStrategy {
         }
     }
     async create(options) {
-        const { repoInfo, title, body, branchName, baseBranch, workDir, retries = 3, token, } = options;
+        const { repoInfo, title, body, branchName, baseBranch, workDir, retries = 3, token, labels, } = options;
         if (!isGitHubRepo(repoInfo)) {
             throw new Error("Expected GitHub repository");
         }
@@ -123,7 +123,13 @@ export class GitHubPRStrategy extends BasePRStrategy {
         writeFileSync(bodyFile, body, "utf-8");
         // Token is passed via env var to avoid shell injection
         const tokenEnv = buildTokenEnv(token);
-        const command = `gh pr create --title ${escapeShellArg(title)} --body-file ${escapeShellArg(bodyFile)} --base ${escapeShellArg(baseBranch)} --head ${escapeShellArg(branchName)}`;
+        let command = `gh pr create --title ${escapeShellArg(title)} --body-file ${escapeShellArg(bodyFile)} --base ${escapeShellArg(baseBranch)} --head ${escapeShellArg(branchName)}`;
+        // Append label flags
+        if (labels && labels.length > 0) {
+            for (const label of labels) {
+                command += ` --label ${escapeShellArg(label)}`;
+            }
+        }
         try {
             const result = await withRetry(() => this.executor.exec(command, workDir, { env: tokenEnv }), { retries });
             // Extract URL from output - use strict regex for valid PR URLs only

package/dist/vcs/graphql-commit-strategy.d.ts

@@ -30,6 +30,13 @@ export declare function validateBranchName(branchName: string): void;
  * This strategy is GitHub-only and requires the `gh` CLI to be authenticated.
  */
 export declare class GraphQLCommitStrategy implements ICommitStrategy {
+    /**
+     * GraphQL permanent error patterns for ref operations.
+     * Differs from DEFAULT_PERMANENT_ERROR_PATTERNS which has
+     * git-CLI-specific patterns (/remote\s*rejected/i) that don't
+     * apply to GraphQL responses.
+     */
+    private static readonly GRAPHQL_PERMANENT_ERROR_PATTERNS;
     private executor;
     constructor(executor?: ICommandExecutor);
     /**
@@ -48,6 +55,9 @@ export declare class GraphQLCommitStrategy implements ICommitStrategy {
      * Ensure the branch exists on the remote and matches local HEAD.
      * createCommitOnBranch requires the branch to already exist.
      *
+     * Uses GraphQL ref mutations instead of git push to support repos
+     * with required_signatures on all branches.
+     *
      * For PR branches (force=true): delete existing remote branch and recreate
      * from local HEAD to ensure a fresh start from main.
      *
@@ -66,4 +76,23 @@ export declare class GraphQLCommitStrategy implements ICommitStrategy {
      * This happens when the branch was updated between getting HEAD and making the commit.
      */
     private isHeadOidMismatchError;
+    /**
+     * Execute a GraphQL query or mutation for ref operations.
+     * Handles command construction, retry, error sanitization, and response parsing.
+     * Uses gh CLI's --input flag to pass GraphQL via stdin (same pattern as executeGraphQLMutation).
+     */
+    private executeGraphQLRefOp;
+    /**
+     * Query the remote for a repository's Node ID and a ref's Node ID.
+     * Returns repositoryId (always) and refId (null if branch doesn't exist).
+     */
+    private queryRemoteRef;
+    /**
+     * Create a branch ref on the remote via GraphQL createRef mutation.
+     */
+    private createRemoteRef;
+    /**
+     * Delete a branch ref on the remote via GraphQL deleteRef mutation.
+     */
+    private deleteRemoteRef;
 }

package/dist/vcs/graphql-commit-strategy.js

@@ -48,6 +48,24 @@ const OID_MISMATCH_PATTERNS = [
  * This strategy is GitHub-only and requires the `gh` CLI to be authenticated.
  */
 export class GraphQLCommitStrategy {
+    /**
+     * GraphQL permanent error patterns for ref operations.
+     * Differs from DEFAULT_PERMANENT_ERROR_PATTERNS which has
+     * git-CLI-specific patterns (/remote\s*rejected/i) that don't
+     * apply to GraphQL responses.
+     */
+    static GRAPHQL_PERMANENT_ERROR_PATTERNS = [
+        /not\s*found/i,
+        /unauthorized/i,
+        /permission\s*denied/i,
+        /not\s*accessible\s*by\s*integration/i,
+        /bad\s*credentials/i,
+        /invalid\s*(token|credentials)/i,
+        /401\b/,
+        /403\b/,
+        /does\s*not\s*exist/i,
+        /could\s*not\s*resolve/i,
+    ];
     executor;
     constructor(executor) {
         this.executor = executor ?? defaultExecutor;
@@ -85,7 +103,7 @@ export class GraphQLCommitStrategy {
         // Ensure the branch exists on remote and is up-to-date with local HEAD
         // createCommitOnBranch requires the branch to already exist
         // For PR branches (force=true), we force-update to ensure fresh start from main
-        await this.ensureBranchExistsOnRemote(branchName, workDir, options.force, gitOps);
+        await this.ensureBranchExistsOnRemote(branchName, workDir, options.force, githubInfo, token);
         // Retry loop for expectedHeadOid mismatch
         let lastError = null;
         for (let attempt = 0; attempt <= retries; attempt++) {
@@ -204,47 +222,31 @@ export class GraphQLCommitStrategy {
      * Ensure the branch exists on the remote and matches local HEAD.
      * createCommitOnBranch requires the branch to already exist.
      *
+     * Uses GraphQL ref mutations instead of git push to support repos
+     * with required_signatures on all branches.
+     *
      * For PR branches (force=true): delete existing remote branch and recreate
      * from local HEAD to ensure a fresh start from main.
      *
      * For direct mode (force=false): just ensure branch exists.
      */
-    async ensureBranchExistsOnRemote(branchName, workDir, force, gitOps) {
-        // Branch name was validated in commit(), safe for shell use
-        try {
-            // Check if the branch exists on remote
-            // Use skipRetry because failure is expected for new branches
-            if (gitOps) {
-                await gitOps.lsRemote(branchName, { skipRetry: true });
-            }
-            else {
-                await this.executor.exec(`git ls-remote --exit-code --heads origin ${escapeShellArg(branchName)}`, workDir);
-            }
-            // Branch exists - for PR branches, delete and recreate to ensure fresh from main
-            if (force) {
-                if (gitOps) {
-                    await gitOps.pushRefspec(branchName, { delete: true });
-                    // Now push fresh branch from local HEAD
-                    await gitOps.pushRefspec(`HEAD:${branchName}`);
-                }
-                else {
-                    await this.executor.exec(`git push origin --delete ${escapeShellArg(branchName)}`, workDir);
-                    // Now push fresh branch from local HEAD
-                    await this.executor.exec(`git push -u origin HEAD:${escapeShellArg(branchName)}`, workDir);
-                }
-            }
-            // For direct mode (force=false), leave existing branch as-is
+    async ensureBranchExistsOnRemote(branchName, workDir, force, repoInfo, token) {
+        if (!repoInfo) {
+            throw new Error("repoInfo is required for GraphQL ref operations");
         }
-        catch {
-            // Branch doesn't exist on remote, push it
-            // This pushes the current local branch to create it on remote
-            if (gitOps) {
-                await gitOps.pushRefspec(`HEAD:${branchName}`);
-            }
-            else {
-                await this.executor.exec(`git push -u origin HEAD:${escapeShellArg(branchName)}`, workDir);
-            }
+        const { repositoryId, refId } = await this.queryRemoteRef(repoInfo, branchName, workDir, token);
+        if (refId && force) {
+            // Branch exists + force: delete then recreate from local HEAD
+            await this.deleteRemoteRef(refId, workDir, repoInfo, token);
+            const sha = (await this.executor.exec("git rev-parse HEAD", workDir)).trim();
+            await this.createRemoteRef(repositoryId, branchName, sha, workDir, repoInfo, token);
+        }
+        else if (!refId) {
+            // Branch doesn't exist: create from local HEAD
+            const sha = (await this.executor.exec("git rev-parse HEAD", workDir)).trim();
+            await this.createRemoteRef(repositoryId, branchName, sha, workDir, repoInfo, token);
         }
+        // refId exists + !force: no-op (branch already exists)
     }
     /**
      * Sanitize command execution errors to remove the GraphQL payload.
@@ -284,4 +286,59 @@ export class GraphQLCommitStrategy {
             // GitHub may return this generic error for OID mismatches
             message.includes("was provided invalid value"));
     }
+    /**
+     * Execute a GraphQL query or mutation for ref operations.
+     * Handles command construction, retry, error sanitization, and response parsing.
+     * Uses gh CLI's --input flag to pass GraphQL via stdin (same pattern as executeGraphQLMutation).
+     */
+    async executeGraphQLRefOp(queryOrMutation, repoInfo, workDir, token) {
+        const requestBody = JSON.stringify({ query: queryOrMutation });
+        const hostnameArg = repoInfo.host !== "github.com"
+            ? `--hostname ${escapeShellArg(repoInfo.host)}`
+            : "";
+        const tokenPrefix = token ? `GH_TOKEN=${token} ` : "";
+        const command = `echo ${escapeShellArg(requestBody)} | ${tokenPrefix}gh api graphql ${hostnameArg} --input -`;
+        let response;
+        try {
+            response = await withRetry(() => this.executor.exec(command, workDir), {
+                permanentErrorPatterns: GraphQLCommitStrategy.GRAPHQL_PERMANENT_ERROR_PATTERNS,
+            });
+        }
+        catch (error) {
+            throw this.sanitizeCommandError(error, `${repoInfo.owner}/${repoInfo.repo}`);
+        }
+        const parsed = JSON.parse(response);
+        if (parsed.errors) {
+            throw new Error(`GraphQL error: ${parsed.errors.map((e) => e.message).join(", ")}`);
+        }
+        return parsed;
+    }
+    /**
+     * Query the remote for a repository's Node ID and a ref's Node ID.
+     * Returns repositoryId (always) and refId (null if branch doesn't exist).
+     */
+    async queryRemoteRef(repoInfo, branchName, workDir, token) {
+        const query = `{ repository(owner: ${JSON.stringify(repoInfo.owner)}, name: ${JSON.stringify(repoInfo.repo)}) { id ref(qualifiedName: ${JSON.stringify(`refs/heads/${branchName}`)}) { id } } }`;
+        const parsed = await this.executeGraphQLRefOp(query, repoInfo, workDir, token);
+        const repo = parsed.data?.repository;
+        const repositoryId = repo?.id;
+        if (!repositoryId) {
+            throw new Error(`GraphQL response missing repository ID for ${repoInfo.owner}/${repoInfo.repo}`);
+        }
+        return { repositoryId, refId: repo?.ref?.id ?? null };
+    }
+    /**
+     * Create a branch ref on the remote via GraphQL createRef mutation.
+     */
+    async createRemoteRef(repositoryId, branchName, oid, workDir, repoInfo, token) {
+        const mutation = `mutation { createRef(input: { repositoryId: ${JSON.stringify(repositoryId)}, name: ${JSON.stringify(`refs/heads/${branchName}`)}, oid: ${JSON.stringify(oid)} }) { clientMutationId } }`;
+        await this.executeGraphQLRefOp(mutation, repoInfo, workDir, token);
+    }
+    /**
+     * Delete a branch ref on the remote via GraphQL deleteRef mutation.
+     */
+    async deleteRemoteRef(refId, workDir, repoInfo, token) {
+        const mutation = `mutation { deleteRef(input: { refId: ${JSON.stringify(refId)} }) { clientMutationId } }`;
+        await this.executeGraphQLRefOp(mutation, repoInfo, workDir, token);
+    }
 }

package/dist/vcs/pr-creator.d.ts

@@ -21,6 +21,8 @@ export interface PROptions {
     executor?: ICommandExecutor;
     /** GitHub App installation token for authentication */
     token?: string;
+    /** Labels to apply to the created PR */
+    labels?: string[];
 }
 export interface PRResult {
     url?: string;

package/dist/vcs/pr-creator.js

@@ -97,7 +97,7 @@ export function formatPRTitle(files) {
     return `chore: sync ${changedFiles.length} config files`;
 }
 export async function createPR(options) {
-    const { repoInfo, branchName, baseBranch, files, workDir, dryRun, retries, prTemplate, executor, token, } = options;
+    const { repoInfo, branchName, baseBranch, files, workDir, dryRun, retries, prTemplate, executor, token, labels, } = options;
     const title = formatPRTitle(files);
     const body = formatPRBody(files, repoInfo, prTemplate);
     if (dryRun) {
@@ -117,6 +117,7 @@ export async function createPR(options) {
         workDir,
         retries,
         token,
+        labels,
     });
 }
 export async function mergePR(options) {

package/dist/vcs/types.d.ts

@@ -25,6 +25,8 @@ export interface PRStrategyOptions {
     retries?: number;
     /** GitHub App installation token for authentication */
     token?: string;
+    /** Labels to apply to the created PR */
+    labels?: string[];
 }
 export interface MergeOptions {
     prUrl: string;
@@ -94,7 +96,7 @@ export interface CommitOptions {
     force?: boolean;
     /** GitHub App installation token for authentication (used by GraphQLCommitStrategy) */
     token?: string;
-    /** Authenticated git operations wrapper (used by GraphQLCommitStrategy for network ops) */
+    /** Authenticated git operations wrapper (used by GraphQLCommitStrategy for fetchBranch() during OID mismatch retries) */
     gitOps?: IAuthenticatedGitOps;
 }
 export interface CommitResult {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aspruyt/xfg",
-  "version": "3.9.14",
+  "version": "3.10.1",
   "description": "Manage files, settings, and repositories across GitHub, Azure DevOps, and GitLab — declaratively, from a single YAML config",
   "type": "module",
   "main": "dist/index.js",