@kaikybrofc/omnizap-system 2.1.9 → 2.2.0

package/.env.example

@@ -521,6 +521,13 @@ DEPLOY_PACKAGE_SECONDARY_TOKEN_KEYS=
 # ==============================
 # Release (auto commit/push)
 # ==============================
+# Tipo de bump padrão no npm run release (patch/minor/major...)
+RELEASE_TYPE=patch
+# Opcional: força versão exata (ex: 2.2.0), ignorando RELEASE_TYPE
+RELEASE_FORCE_VERSION=
+# Rollover automático de patch: quando patch >= RELEASE_PATCH_ROLLOVER_AT, vira (major).(minor+1).0
+RELEASE_PATCH_ROLLOVER_ENABLED=1
+RELEASE_PATCH_ROLLOVER_AT=10
 # Faz commit automatico de alteracoes pendentes antes do release
 RELEASE_GIT_AUTO_COMMIT=1
 # Faz push automatico dos commits gerados no release
@@ -532,3 +539,27 @@ RELEASE_GIT_BRANCH=
 RELEASE_GIT_PRE_COMMIT_MESSAGE=chore(release): auto-commit before release
 RELEASE_GIT_COMMIT_VERSION=1
 RELEASE_GIT_VERSION_COMMIT_PREFIX=chore(release): v
+
+# Cria/atualiza GitHub Release (aba Releases) automaticamente no npm run release
+RELEASE_GITHUB_RELEASE=1
+# Se 1, falha o release caso GitHub Release esteja desativado
+RELEASE_REQUIRE_GITHUB_RELEASE=1
+RELEASE_GITHUB_REPO=kaikybrofc/omnizap-system
+RELEASE_GITHUB_TOKEN=
+RELEASE_GITHUB_TAG_PREFIX=v
+RELEASE_GITHUB_NAME_PREFIX=v
+RELEASE_GITHUB_GENERATE_NOTES=1
+# Opcional: 1 para prerelease, 0 para release normal, vazio = auto (detecta '-' na versao)
+RELEASE_GITHUB_PRERELEASE=
+RELEASE_GITHUB_DRAFT=0
+# Opcional: commit/tag alvo (vazio usa HEAD atual)
+RELEASE_GITHUB_TARGET=
+
+# Se 1, exige publish em ambos os registries no release (GitHub Packages + npmjs)
+RELEASE_REQUIRE_DUAL_PUBLISH=1
+# Verificação final: local + registries + GitHub Release na mesma versão
+RELEASE_VERIFY_UNIFIED_VERSION=1
+RELEASE_VERIFY_PRIMARY_REGISTRY=https://npm.pkg.github.com
+RELEASE_VERIFY_SECONDARY_REGISTRY=https://registry.npmjs.org
+RELEASE_VERIFY_PRIMARY_TOKEN_KEYS=DEPLOY_PACKAGE_TOKEN,DEPLOY_GITHUB_TOKEN,GITHUB_TOKEN,GH_TOKEN,NPM_TOKEN,NODE_AUTH_TOKEN
+RELEASE_VERIFY_SECONDARY_TOKEN_KEYS=DEPLOY_PACKAGE_SECONDARY_TOKEN,NPM_TOKEN,NODE_AUTH_TOKEN

package/README.md

@@ -132,7 +132,7 @@ Variáveis legadas foram mantidas por compatibilidade (`QUOTE_API_URL`, `WAIFU_A
 - `npm run pm2:prod`: sobe com PM2 usando `ecosystem.prod.config.cjs`.
 - `npm run deploy`: deploy automático de `public/` com cache-bust, backup, validação e reload do Nginx.
 - `npm run deploy:dry-run`: simula o deploy sem publicar/recarregar serviços.
-- `npm run release`: bump de versão `patch` + deploy + publish do package (com auto commit/push git).
+- `npm run release`: release completo com versão unificada (npmjs + GitHub Packages + GitHub Release) e verificação final.
 - `npm run release:minor`: bump `minor` + deploy + publish do package.
 - `npm run release:major`: bump `major` + deploy + publish do package.
 - `npm run test`: executa testes Node (`node --test`).
@@ -224,10 +224,14 @@ Comando único de release (patch + deploy + publish):
 npm run release
 ```
 
-`npm run release` agora executa publish primário + secundário por padrão (você pode desativar com `DEPLOY_PACKAGE_PUBLISH_SECONDARY=0`).
+`npm run release` executa publish primário + secundário por padrão e valida consistência final de versão.
 
 Variáveis do fluxo de release (git):
 
+- `RELEASE_TYPE` (default: `patch`)
+- `RELEASE_FORCE_VERSION` (opcional) - força versão exata (ex.: `2.2.0`)
+- `RELEASE_PATCH_ROLLOVER_ENABLED` (default: `1`) - rollover automático de patch
+- `RELEASE_PATCH_ROLLOVER_AT` (default: `10`) - quando patch atingir este valor, próximo release vira `major.(minor+1).0`
 - `RELEASE_GIT_AUTO_COMMIT` (default: `1`) - commit automático se houver alterações pendentes
 - `RELEASE_GIT_AUTO_PUSH` (default: `1`) - push automático dos commits gerados
 - `RELEASE_GIT_REMOTE` (default: `origin`)
@@ -235,6 +239,26 @@ Variáveis do fluxo de release (git):
 - `RELEASE_GIT_PRE_COMMIT_MESSAGE` (default: `chore(release): auto-commit before release`)
 - `RELEASE_GIT_COMMIT_VERSION` (default: `1`) - commita alteração da versão após sucesso
 - `RELEASE_GIT_VERSION_COMMIT_PREFIX` (default: `chore(release): v`)
+- `RELEASE_GITHUB_RELEASE` (default: `1`) - cria/atualiza GitHub Release na aba Releases
+- `RELEASE_REQUIRE_GITHUB_RELEASE` (default: `1`) - falha se GitHub Release estiver desativado
+- `RELEASE_GITHUB_REPO` (opcional; ex.: `kaikybrofc/omnizap-system`)
+- `RELEASE_GITHUB_TOKEN` (opcional; fallback: `DEPLOY_GITHUB_TOKEN`/`GITHUB_TOKEN`/`GH_TOKEN`)
+- `RELEASE_GITHUB_TAG_PREFIX` (default: `v`) - prefixo da tag (`v2.1.9`)
+- `RELEASE_GITHUB_NAME_PREFIX` (default: `v`) - prefixo do nome exibido na release
+- `RELEASE_GITHUB_GENERATE_NOTES` (default: `1`) - usa notas automáticas do GitHub
+- `RELEASE_GITHUB_PRERELEASE` (default: auto) - vazio detecta `-` na versão como prerelease
+- `RELEASE_GITHUB_DRAFT` (default: `0`)
+- `RELEASE_GITHUB_TARGET` (opcional; vazio usa `HEAD`)
+- `RELEASE_REQUIRE_DUAL_PUBLISH` (default: `1`) - exige publish em GitHub Packages e npmjs
+- `RELEASE_VERIFY_UNIFIED_VERSION` (default: `1`) - valida versão final em local + registries + GitHub Release
+- `RELEASE_VERIFY_PRIMARY_REGISTRY` (default: `https://npm.pkg.github.com`)
+- `RELEASE_VERIFY_SECONDARY_REGISTRY` (default: `https://registry.npmjs.org`)
+- `RELEASE_VERIFY_PRIMARY_TOKEN_KEYS` / `RELEASE_VERIFY_SECONDARY_TOKEN_KEYS` - ordem de fallback de tokens para verificação
+
+Exemplo de rollover automático:
+
+- `2.1.9` + `npm run release` -> `2.1.10`
+- `2.1.10` + `npm run release` -> `2.2.0`
 
 ## Execução com PM2
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kaikybrofc/omnizap-system",
-  "version": "2.1.9",
+  "version": "2.2.0",
   "description": "Sistema profissional de automação WhatsApp com tecnologia Baileys",
   "main": "index.js",
   "publishConfig": {

package/scripts/github-release-notify.mjs

@@ -0,0 +1,188 @@
+#!/usr/bin/env node
+
+import { execSync } from 'node:child_process';
+import path from 'node:path';
+import process from 'node:process';
+import { fileURLToPath } from 'node:url';
+import dotenv from 'dotenv';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+const projectRoot = path.resolve(__dirname, '..');
+
+dotenv.config({ path: path.join(projectRoot, '.env') });
+
+const args = process.argv.slice(2);
+const action = String(args[0] || '').trim();
+
+const getArg = (flag, fallback = '') => {
+  const index = args.indexOf(flag);
+  if (index === -1) return fallback;
+  return String(args[index + 1] || fallback).trim();
+};
+
+const env = (...keys) => {
+  for (const key of keys) {
+    const value = process.env[key];
+    if (value && String(value).trim()) return String(value).trim();
+  }
+  return '';
+};
+
+const toBool = (value, fallback = false) => {
+  if (value === undefined || value === null || value === '') return fallback;
+  const normalized = String(value).trim().toLowerCase();
+  return ['1', 'true', 'yes', 'on'].includes(normalized);
+};
+
+const parseRepoFromRemote = () => {
+  try {
+    const remoteUrl = execSync('git config --get remote.origin.url', {
+      cwd: projectRoot,
+      stdio: ['ignore', 'pipe', 'ignore'],
+    })
+      .toString('utf8')
+      .trim();
+    if (!remoteUrl) return '';
+
+    const httpsMatch = remoteUrl.match(/github\.com\/([^/]+\/[^/.]+)(?:\.git)?$/i);
+    if (httpsMatch?.[1]) return httpsMatch[1];
+
+    const sshMatch = remoteUrl.match(/github\.com:([^/]+\/[^/.]+)(?:\.git)?$/i);
+    if (sshMatch?.[1]) return sshMatch[1];
+  } catch {
+    return '';
+  }
+  return '';
+};
+
+const token = env('RELEASE_GITHUB_TOKEN', 'DEPLOY_GITHUB_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN');
+const repository = env('RELEASE_GITHUB_REPO', 'DEPLOY_GITHUB_REPO', 'GITHUB_REPOSITORY') || parseRepoFromRemote();
+
+if (!action || !['upsert', 'get'].includes(action)) {
+  console.error('Uso: node scripts/github-release-notify.mjs <upsert|get> --tag vX.Y.Z [opções]');
+  process.exit(1);
+}
+
+if (!token || !repository) {
+  console.error('GitHub release notify ignorado: token ou repositório não configurado.');
+  process.exit(2);
+}
+
+const [repoOwnerRaw, repoNameRaw] = repository.split('/', 2);
+const repoOwner = String(repoOwnerRaw || '').trim();
+const repoName = String(repoNameRaw || '').trim();
+if (!repoOwner || !repoName) {
+  console.error('GitHub release notify ignorado: formato de repositório inválido (esperado owner/repo).');
+  process.exit(2);
+}
+
+const tag = getArg('--tag');
+const target = getArg('--target');
+const name = getArg('--name', tag);
+const body = getArg('--body', '');
+const generateNotes = toBool(getArg('--generate-notes', 'true'), true);
+const prerelease = toBool(getArg('--prerelease', 'false'), false);
+const draft = toBool(getArg('--draft', 'false'), false);
+
+if (!tag) {
+  console.error('Parâmetro obrigatório ausente: --tag');
+  process.exit(1);
+}
+
+const headers = {
+  Accept: 'application/vnd.github+json',
+  Authorization: `Bearer ${token}`,
+  'X-GitHub-Api-Version': '2022-11-28',
+  'Content-Type': 'application/json',
+  'User-Agent': 'omnizap-release-script',
+};
+
+const request = async (url, method, payload) => {
+  const response = await fetch(url, {
+    method,
+    headers,
+    body: payload ? JSON.stringify(payload) : undefined,
+  });
+
+  const raw = await response.text();
+  let data = null;
+  try {
+    data = raw ? JSON.parse(raw) : null;
+  } catch {
+    data = null;
+  }
+
+  return {
+    ok: response.ok,
+    status: response.status,
+    data,
+    raw,
+  };
+};
+
+const failFromResponse = (response, fallbackPrefix = 'GitHub API') => {
+  const message = response?.data?.message || response?.raw || 'unknown error';
+  throw new Error(`${fallbackPrefix} ${response?.status ?? 'n/a'}: ${message}`);
+};
+
+const run = async () => {
+  const baseUrl = `https://api.github.com/repos/${encodeURIComponent(repoOwner)}/${encodeURIComponent(repoName)}`;
+
+  const byTag = await request(`${baseUrl}/releases/tags/${encodeURIComponent(tag)}`, 'GET');
+  let existingRelease = null;
+  if (byTag.ok) {
+    existingRelease = byTag.data;
+  } else if (byTag.status !== 404) {
+    failFromResponse(byTag, 'GitHub API');
+  }
+
+  if (action === 'get') {
+    if (!existingRelease) {
+      throw new Error(`GitHub release não encontrada para tag ${tag}`);
+    }
+    const url = existingRelease.html_url || '';
+    process.stdout.write(`found id=${existingRelease.id} tag=${tag} url=${url}`);
+    return;
+  }
+
+  const commonPayload = {
+    tag_name: tag,
+    target_commitish: target || undefined,
+    name: name || tag,
+    draft,
+    prerelease,
+  };
+
+  if (body) {
+    commonPayload.body = body;
+  }
+
+  if (existingRelease) {
+    const update = await request(`${baseUrl}/releases/${existingRelease.id}`, 'PATCH', commonPayload);
+    if (!update.ok) {
+      failFromResponse(update, 'GitHub API');
+    }
+    const url = update.data?.html_url || '';
+    process.stdout.write(`updated id=${update.data?.id} tag=${tag} url=${url}`);
+    return;
+  }
+
+  const createPayload = { ...commonPayload };
+  if (generateNotes) {
+    createPayload.generate_release_notes = true;
+  }
+
+  const created = await request(`${baseUrl}/releases`, 'POST', createPayload);
+  if (!created.ok) {
+    failFromResponse(created, 'GitHub API');
+  }
+
+  const url = created.data?.html_url || '';
+  process.stdout.write(`created id=${created.data?.id} tag=${tag} url=${url}`);
+};
+
+run().catch((error) => {
+  console.error(error?.message || error);
+  process.exit(1);
+});

package/scripts/release.sh

@@ -3,6 +3,9 @@ set -euo pipefail
 
 PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 RELEASE_TYPE="${RELEASE_TYPE:-patch}"
+RELEASE_FORCE_VERSION="${RELEASE_FORCE_VERSION:-}"
+RELEASE_PATCH_ROLLOVER_ENABLED="${RELEASE_PATCH_ROLLOVER_ENABLED:-1}"
+RELEASE_PATCH_ROLLOVER_AT="${RELEASE_PATCH_ROLLOVER_AT:-10}"
 RELEASE_GIT_AUTO_COMMIT="${RELEASE_GIT_AUTO_COMMIT:-1}"
 RELEASE_GIT_AUTO_PUSH="${RELEASE_GIT_AUTO_PUSH:-1}"
 RELEASE_GIT_REMOTE="${RELEASE_GIT_REMOTE:-origin}"
@@ -10,6 +13,21 @@ RELEASE_GIT_BRANCH="${RELEASE_GIT_BRANCH:-}"
 RELEASE_GIT_PRE_COMMIT_MESSAGE="${RELEASE_GIT_PRE_COMMIT_MESSAGE:-chore(release): auto-commit before release}"
 RELEASE_GIT_COMMIT_VERSION="${RELEASE_GIT_COMMIT_VERSION:-1}"
 RELEASE_GIT_VERSION_COMMIT_PREFIX="${RELEASE_GIT_VERSION_COMMIT_PREFIX:-chore(release): v}"
+RELEASE_GITHUB_RELEASE="${RELEASE_GITHUB_RELEASE:-1}"
+RELEASE_REQUIRE_GITHUB_RELEASE="${RELEASE_REQUIRE_GITHUB_RELEASE:-1}"
+RELEASE_GITHUB_TAG_PREFIX="${RELEASE_GITHUB_TAG_PREFIX:-v}"
+RELEASE_GITHUB_NAME_PREFIX="${RELEASE_GITHUB_NAME_PREFIX:-v}"
+RELEASE_GITHUB_GENERATE_NOTES="${RELEASE_GITHUB_GENERATE_NOTES:-1}"
+RELEASE_GITHUB_PRERELEASE="${RELEASE_GITHUB_PRERELEASE:-}"
+RELEASE_GITHUB_DRAFT="${RELEASE_GITHUB_DRAFT:-0}"
+RELEASE_GITHUB_TARGET="${RELEASE_GITHUB_TARGET:-}"
+RELEASE_REQUIRE_DUAL_PUBLISH="${RELEASE_REQUIRE_DUAL_PUBLISH:-1}"
+RELEASE_VERIFY_UNIFIED_VERSION="${RELEASE_VERIFY_UNIFIED_VERSION:-1}"
+RELEASE_VERIFY_PRIMARY_REGISTRY="${RELEASE_VERIFY_PRIMARY_REGISTRY:-${DEPLOY_PACKAGE_REGISTRY:-https://npm.pkg.github.com}}"
+RELEASE_VERIFY_SECONDARY_REGISTRY="${RELEASE_VERIFY_SECONDARY_REGISTRY:-${DEPLOY_PACKAGE_SECONDARY_REGISTRY:-https://registry.npmjs.org}}"
+RELEASE_VERIFY_PRIMARY_TOKEN_KEYS="${RELEASE_VERIFY_PRIMARY_TOKEN_KEYS:-DEPLOY_PACKAGE_TOKEN,DEPLOY_GITHUB_TOKEN,GITHUB_TOKEN,GH_TOKEN,NPM_TOKEN,NODE_AUTH_TOKEN}"
+RELEASE_VERIFY_SECONDARY_TOKEN_KEYS="${RELEASE_VERIFY_SECONDARY_TOKEN_KEYS:-DEPLOY_PACKAGE_SECONDARY_TOKEN,NPM_TOKEN,NODE_AUTH_TOKEN}"
+TMP_NPMRC_FILES=()
 
 case "$RELEASE_TYPE" in
   patch|minor|major|prepatch|preminor|premajor|prerelease)
@@ -25,6 +43,15 @@ log() {
   printf '[release] %s\n' "$*"
 }
 
+cleanup_tmp_npmrcs() {
+  for npmrc_tmp in "${TMP_NPMRC_FILES[@]:-}"; do
+    if [ -n "$npmrc_tmp" ] && [ -f "$npmrc_tmp" ]; then
+      rm -f "$npmrc_tmp"
+    fi
+  done
+}
+trap cleanup_tmp_npmrcs EXIT
+
 require_cmd() {
   if ! command -v "$1" >/dev/null 2>&1; then
     printf '[release] comando ausente: %s\n' "$1" >&2
@@ -32,6 +59,23 @@ require_cmd() {
   fi
 }
 
+to_bool() {
+  local value
+  value="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
+  case "$value" in
+    1|true|yes|on)
+      printf 'true'
+      ;;
+    *)
+      printf 'false'
+      ;;
+  esac
+}
+
+sanitize_npm_output() {
+  printf '%s' "$1" | tr -d "\"'[:space:]"
+}
+
 resolve_branch() {
   if [ -n "$RELEASE_GIT_BRANCH" ]; then
     printf '%s' "$RELEASE_GIT_BRANCH"
@@ -49,6 +93,130 @@ resolve_branch() {
   printf '%s' "$branch"
 }
 
+resolve_token_from_dotenv() {
+  local token_keys="$1"
+  if [ -z "$token_keys" ]; then
+    return 0
+  fi
+
+  (
+    cd "$PROJECT_ROOT" && TOKEN_KEYS="$token_keys" node --input-type=module -e "
+      import dotenv from 'dotenv';
+      dotenv.config({ path: '.env' });
+      const keys = String(process.env.TOKEN_KEYS || '')
+        .split(',')
+        .map((item) => item.trim())
+        .filter(Boolean);
+      for (const key of keys) {
+        const value = process.env[key];
+        if (value && String(value).trim()) {
+          process.stdout.write(String(value).trim());
+          process.exit(0);
+        }
+      }
+    " 2>/dev/null || true
+  )
+}
+
+create_npmrc_for_registry() {
+  local registry="$1"
+  local token="$2"
+  local scope_owner="$3"
+  local registry_host=""
+  registry_host="$(printf '%s' "$registry" | sed -E 's#^https?://##; s#/*$##')"
+
+  local npmrc_tmp=""
+  npmrc_tmp="$(mktemp /tmp/omnizap-release-npmrc.XXXXXX)"
+  {
+    printf 'registry=%s\n' "$registry"
+    if [ -n "$scope_owner" ]; then
+      printf '@%s:registry=%s\n' "$scope_owner" "$registry"
+    fi
+    if [ -n "$token" ]; then
+      printf '//%s/:_authToken=%s\n' "$registry_host" "$token"
+      printf '//%s:_authToken=%s\n' "$registry_host" "$token"
+    fi
+  } > "$npmrc_tmp"
+  chmod 600 "$npmrc_tmp"
+  TMP_NPMRC_FILES+=("$npmrc_tmp")
+  printf '%s' "$npmrc_tmp"
+}
+
+verify_registry_version() {
+  local pkg_name="$1"
+  local pkg_version="$2"
+  local registry="$3"
+  local token_keys="$4"
+  local auth_required="$5"
+
+  local token=""
+  token="$(resolve_token_from_dotenv "$token_keys")"
+  if [ "$auth_required" = "1" ] && [ -z "$token" ]; then
+    printf '[release] Verificação em %s requer token (keys: %s).\n' "$registry" "$token_keys" >&2
+    exit 1
+  fi
+
+  local scope_owner=""
+  scope_owner="$(printf '%s' "$pkg_name" | sed -nE 's#^@([^/]+)/.*#\1#p')"
+  local npmrc_tmp=""
+  npmrc_tmp="$(create_npmrc_for_registry "$registry" "$token" "$scope_owner")"
+
+  local version_raw=""
+  if ! version_raw="$(
+    cd "$PROJECT_ROOT" &&
+    npm_config_userconfig="$npmrc_tmp" npm view "${pkg_name}@${pkg_version}" version --registry "$registry" --userconfig "$npmrc_tmp" 2>/dev/null
+  )"; then
+    printf '[release] Falha ao validar versão %s em %s.\n' "$pkg_version" "$registry" >&2
+    exit 1
+  fi
+  local version_value=""
+  version_value="$(sanitize_npm_output "$version_raw")"
+  if [ "$version_value" != "$pkg_version" ]; then
+    printf '[release] Versão divergente em %s: esperado=%s encontrado=%s\n' "$registry" "$pkg_version" "${version_value:-vazio}" >&2
+    exit 1
+  fi
+
+  local latest_raw=""
+  if ! latest_raw="$(
+    cd "$PROJECT_ROOT" &&
+    npm_config_userconfig="$npmrc_tmp" npm view "$pkg_name" dist-tags.latest --registry "$registry" --userconfig "$npmrc_tmp" 2>/dev/null
+  )"; then
+    printf '[release] Falha ao validar dist-tag latest em %s.\n' "$registry" >&2
+    exit 1
+  fi
+  local latest_value=""
+  latest_value="$(sanitize_npm_output "$latest_raw")"
+  if [ "$latest_value" != "$pkg_version" ]; then
+    printf '[release] Dist-tag latest divergente em %s: esperado=%s latest=%s\n' "$registry" "$pkg_version" "${latest_value:-vazio}" >&2
+    exit 1
+  fi
+
+  log "Verificado em $registry: versão=$pkg_version latest=$latest_value"
+}
+
+compute_target_version() {
+  local current="$1"
+
+  if [ -n "$RELEASE_FORCE_VERSION" ]; then
+    printf '%s' "$RELEASE_FORCE_VERSION"
+    return 0
+  fi
+
+  if [ "$RELEASE_TYPE" = "patch" ] && [ "$RELEASE_PATCH_ROLLOVER_ENABLED" = "1" ]; then
+    if [[ "$RELEASE_PATCH_ROLLOVER_AT" =~ ^[0-9]+$ ]] && [[ "$current" =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+      local major="${BASH_REMATCH[1]}"
+      local minor="${BASH_REMATCH[2]}"
+      local patch="${BASH_REMATCH[3]}"
+      if [ "$patch" -ge "$RELEASE_PATCH_ROLLOVER_AT" ]; then
+        printf '%s.%s.0' "$major" "$((minor + 1))"
+        return 0
+      fi
+    fi
+  fi
+
+  printf ''
+}
+
 commit_and_push_if_dirty() {
   local commit_message="$1"
 
@@ -86,30 +254,55 @@ commit_and_push_if_dirty() {
 
 require_cmd git
 require_cmd npm
+require_cmd node
 
 if ! (cd "$PROJECT_ROOT" && git rev-parse --is-inside-work-tree >/dev/null 2>&1); then
   printf '[release] este diretório não é um repositório git válido.\n' >&2
   exit 1
 fi
 
+if [ "$RELEASE_REQUIRE_GITHUB_RELEASE" = "1" ] && [ "$RELEASE_GITHUB_RELEASE" != "1" ]; then
+  printf '[release] RELEASE_REQUIRE_GITHUB_RELEASE=1 exige RELEASE_GITHUB_RELEASE=1.\n' >&2
+  exit 1
+fi
+
 commit_and_push_if_dirty "$RELEASE_GIT_PRE_COMMIT_MESSAGE"
 
 current_version="$(cd "$PROJECT_ROOT" && npm pkg get version | tr -d '"[:space:]')"
 log "Versão atual: $current_version"
-log "Aplicando bump: $RELEASE_TYPE"
+target_version="$(compute_target_version "$current_version")"
 
-(cd "$PROJECT_ROOT" && npm version "$RELEASE_TYPE" --no-git-tag-version >/dev/null)
+if [ -n "$target_version" ]; then
+  if [ "$target_version" = "$current_version" ]; then
+    printf '[release] versão alvo igual à versão atual (%s). Verifique regras de bump.\n' "$current_version" >&2
+    exit 1
+  fi
+  log "Aplicando versão alvo: $target_version"
+  (cd "$PROJECT_ROOT" && npm version "$target_version" --no-git-tag-version >/dev/null)
+else
+  log "Aplicando bump: $RELEASE_TYPE"
+  (cd "$PROJECT_ROOT" && npm version "$RELEASE_TYPE" --no-git-tag-version >/dev/null)
+fi
 
 new_version="$(cd "$PROJECT_ROOT" && npm pkg get version | tr -d '"[:space:]')"
 log "Nova versão: $new_version"
 
 log "Executando deploy com publish de package"
+deploy_publish_primary="${DEPLOY_PACKAGE_PUBLISH:-1}"
+deploy_publish_secondary="${DEPLOY_PACKAGE_PUBLISH_SECONDARY:-1}"
+
+if [ "$RELEASE_REQUIRE_DUAL_PUBLISH" = "1" ]; then
+  if [ "$deploy_publish_primary" != "1" ] || [ "$deploy_publish_secondary" != "1" ]; then
+    printf '[release] RELEASE_REQUIRE_DUAL_PUBLISH=1 exige DEPLOY_PACKAGE_PUBLISH=1 e DEPLOY_PACKAGE_PUBLISH_SECONDARY=1.\n' >&2
+    exit 1
+  fi
+fi
 
 if ! (
   cd "$PROJECT_ROOT"
   DEPLOY_PACKAGE_STEP="${DEPLOY_PACKAGE_STEP:-1}" \
-  DEPLOY_PACKAGE_PUBLISH="${DEPLOY_PACKAGE_PUBLISH:-1}" \
-  DEPLOY_PACKAGE_PUBLISH_SECONDARY="${DEPLOY_PACKAGE_PUBLISH_SECONDARY:-1}" \
+  DEPLOY_PACKAGE_PUBLISH="$deploy_publish_primary" \
+  DEPLOY_PACKAGE_PUBLISH_SECONDARY="$deploy_publish_secondary" \
   DEPLOY_PACKAGE_SECONDARY_REGISTRY="${DEPLOY_PACKAGE_SECONDARY_REGISTRY:-https://registry.npmjs.org}" \
   DEPLOY_PACKAGE_SECONDARY_ACCESS="${DEPLOY_PACKAGE_SECONDARY_ACCESS:-public}" \
   DEPLOY_PACKAGE_INSTALL="${DEPLOY_PACKAGE_INSTALL:-0}" \
@@ -126,4 +319,71 @@ if [ "$RELEASE_GIT_COMMIT_VERSION" = "1" ]; then
   commit_and_push_if_dirty "${RELEASE_GIT_VERSION_COMMIT_PREFIX}${new_version}"
 fi
 
+release_tag="${RELEASE_GITHUB_TAG_PREFIX}${new_version}"
+
+if [ "$RELEASE_GITHUB_RELEASE" = "1" ]; then
+  if [ "$RELEASE_GIT_AUTO_PUSH" != "1" ]; then
+    printf '[release] RELEASE_GITHUB_RELEASE=1 requer RELEASE_GIT_AUTO_PUSH=1 para garantir commit acessível no GitHub.\n' >&2
+    exit 1
+  fi
+
+  local_name="${RELEASE_GITHUB_NAME_PREFIX}${new_version}"
+  local_target="$RELEASE_GITHUB_TARGET"
+  if [ -z "$local_target" ]; then
+    local_target="$(cd "$PROJECT_ROOT" && git rev-parse HEAD)"
+  fi
+
+  local_prerelease="$RELEASE_GITHUB_PRERELEASE"
+  if [ -z "$local_prerelease" ]; then
+    if printf '%s' "$new_version" | grep -q '-'; then
+      local_prerelease="1"
+    else
+      local_prerelease="0"
+    fi
+  fi
+
+  local generate_notes_bool=""
+  generate_notes_bool="$(to_bool "$RELEASE_GITHUB_GENERATE_NOTES")"
+  local prerelease_bool=""
+  prerelease_bool="$(to_bool "$local_prerelease")"
+  local draft_bool=""
+  draft_bool="$(to_bool "$RELEASE_GITHUB_DRAFT")"
+
+  log "Criando/atualizando GitHub Release ($release_tag)"
+  release_output="$(
+    cd "$PROJECT_ROOT" && node ./scripts/github-release-notify.mjs upsert \
+      --tag "$release_tag" \
+      --target "$local_target" \
+      --name "$local_name" \
+      --generate-notes "$generate_notes_bool" \
+      --prerelease "$prerelease_bool" \
+      --draft "$draft_bool"
+  )"
+  log "GitHub Release atualizado: $release_output"
+fi
+
+if [ "$RELEASE_VERIFY_UNIFIED_VERSION" = "1" ]; then
+  pkg_name="$(cd "$PROJECT_ROOT" && npm pkg get name | tr -d '"[:space:]')"
+  if [ -z "$pkg_name" ]; then
+    printf '[release] Falha ao ler nome do pacote para verificação final.\n' >&2
+    exit 1
+  fi
+
+  local_version_now="$(cd "$PROJECT_ROOT" && npm pkg get version | tr -d '"[:space:]')"
+  if [ "$local_version_now" != "$new_version" ]; then
+    printf '[release] Versão local divergente após release: esperado=%s encontrado=%s\n' "$new_version" "$local_version_now" >&2
+    exit 1
+  fi
+  log "Verificado localmente: versão=$local_version_now"
+
+  verify_registry_version "$pkg_name" "$new_version" "$RELEASE_VERIFY_PRIMARY_REGISTRY" "$RELEASE_VERIFY_PRIMARY_TOKEN_KEYS" "1"
+  verify_registry_version "$pkg_name" "$new_version" "$RELEASE_VERIFY_SECONDARY_REGISTRY" "$RELEASE_VERIFY_SECONDARY_TOKEN_KEYS" "0"
+
+  gh_release_check="$(
+    cd "$PROJECT_ROOT" && node ./scripts/github-release-notify.mjs get --tag "$release_tag"
+  )"
+  log "Verificado GitHub Release: $gh_release_check"
+  log "Verificação final concluída: todas as versões estão em $new_version"
+fi
+
 log "Release concluída: $new_version"