@npmcli/template-oss 3.7.1 → 3.8.0

package/bin/release-please.js

@@ -0,0 +1,31 @@
+#!/usr/bin/env node
+
+const core = require('@actions/core')
+const main = require('../lib/release-please/index.js')
+
+const dryRun = !process.env.CI
+const [branch] = process.argv.slice(2)
+
+const setOutput = (key, val) => {
+  if (val && (!Array.isArray(val) || val.length)) {
+    if (dryRun) {
+      console.log(key, JSON.stringify(val, null, 2))
+    } else {
+      core.setOutput(key, JSON.stringify(val))
+    }
+  }
+}
+
+main({
+  token: process.env.GITHUB_TOKEN,
+  repo: process.env.GITHUB_REPOSITORY,
+  dryRun,
+  branch,
+}).then(({ pr, releases, release }) => {
+  setOutput('pr', pr)
+  setOutput('releases', releases)
+  setOutput('release', release)
+  return null
+}).catch(err => {
+  core.setFailed(`failed: ${err}`)
+})

package/lib/config.js

@@ -101,6 +101,12 @@ const getConfig = async ({
   const derived = {
     isRoot,
     isWorkspace: !isRoot,
+    // Some files are written to the base of a repo but will
+    // include configuration for all packages within a monorepo
+    // For these cases it is helpful to know if we are in a
+    // monorepo since template-oss might be used only for
+    // workspaces and not the root or vice versa.
+    isMono: (isRoot && workspaces.length > 0) || !isRoot,
     // repo
     repoDir: root,
     repoFiles,

package/lib/content/audit.yml

@@ -12,5 +12,5 @@ jobs:
     steps:
       {{> setupGit}}
       {{> setupNode}}
-      - run: npm i --ignore-scripts --no-audit --no-fund --package-lock
+      {{> setupDeps flags="--package-lock"}}
       - run: npm audit

package/lib/content/ci.yml

@@ -28,7 +28,7 @@ jobs:
     steps:
       {{> setupGit}}
       {{> setupNode}}
-      - run: npm i --ignore-scripts --no-audit --no-fund
+      {{> setupDeps}}
       - run: npm run lint {{~#if isWorkspace}} -w {{pkgName}}{{/if}}
 
   test:
@@ -55,7 +55,7 @@ jobs:
     steps:
       {{> setupGit}}
       {{> setupNode useMatrix=true}}
+      {{> setupDeps}}
       - name: add tap problem matcher
         run: echo "::add-matcher::.github/matchers/tap.json"
-      - run: npm i --ignore-scripts --no-audit --no-fund
       - run: npm test --ignore-scripts {{~#if isWorkspace}} -w {{pkgName}}{{/if}}

package/lib/content/index.js

@@ -5,6 +5,10 @@ const releasePlease = () => ({
     file: 'release-please.yml',
     filter: (o) => !o.pkg.private,
   },
+  '.github/workflows/release-test.yml': {
+    file: 'release-test.yml',
+    filter: (o) => !o.pkg.private && o.config.releaseTest === 'release-test.yml',
+  },
   '.release-please-manifest.json': {
     file: 'release-please-manifest.json',
     filter: (o) => !o.pkg.private,
@@ -92,6 +96,11 @@ module.exports = {
   workspaceModule,
   windowsCI: true,
   branches: ['main', 'latest'],
+  defaultBranch: 'main',
+  // Escape hatch since we write a release test file but the
+  // CLI has a very custom one we dont want to overwrite. This
+  // setting allows us to call a workflow by any name during release
+  releaseTest: 'release-test.yml',
   distPaths: ['bin/', 'lib/'],
   ciVersions: ['12.13.0', '12.x', '14.15.0', '14.x', '16.0.0', '16.x'],
   lockfile: false,

package/lib/content/post-dependabot.yml

@@ -12,22 +12,20 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor == 'dependabot[bot]'
     steps:
-      {{> setupGit}}
+      {{> setupGit with=(obj ref="${{ github.event.pull_request.head_ref }}")}}
       {{> setupNode}}
+      {{> setupDeps}}
       - name: Dependabot metadata
         id: metadata
         uses: dependabot/fetch-metadata@v1.1.1
         with:
           github-token: "$\{{ secrets.GITHUB_TOKEN }}"
-      - name: npm install and commit
+      - name: Apply {{__NAME__}} changes and lint
         if: contains(steps.metadata.outputs.dependency-names, '{{__NAME__}}')
         env:
           GITHUB_TOKEN: $\{{ secrets.GITHUB_TOKEN }}
         run: |
-          gh pr checkout $\{{ github.event.pull_request.number }}
-          npm install --ignore-scripts --no-audit --no-fund
           npm run template-oss-apply
-          git add .
           git commit -am "chore: postinstall for dependabot template-oss PR"
           git push
           npm run lint

package/lib/content/pull-request.yml

@@ -15,11 +15,10 @@ jobs:
     steps:
       {{> setupGit with=(obj fetch-depth=0)}}
       {{> setupNode}}
-      - name: Install deps
-        run: npm i -D @commitlint/cli @commitlint/config-conventional
-      - name: Check commits OR PR title
+      {{> setupDeps}}
+      - name: Check commits or PR title
         env:
           PR_TITLE: $\{{ github.event.pull_request.title }}
         run: |
-          npx --offline commitlint -V --from origin/main --to $\{{ github.event.pull_request.head.sha }} \
+          npx --offline commitlint -V --from origin/{{defaultBranch}} --to $\{{ github.event.pull_request.head.sha }} \
             || echo $PR_TITLE | npx --offline commitlint -V

package/lib/content/release-please-config.json

@@ -1,12 +1,10 @@
 {
-  "separate-pull-requests": true,
-  "changelog-sections":             [
-    {"type":"feat","section":"Features","hidden":false},
-    {"type":"fix","section":"Bug Fixes","hidden":false},
-    {"type":"docs","section":"Documentation","hidden":false},
-    {"type":"deps","section":"Dependencies","hidden":false},
-    {"type":"chore","hidden":true}
-  ],
+  "separate-pull-requests": {{{del}}},
+  "plugins": {{#if isMono}}["node-workspace", "workspace-deps"]{{else}}{{{del}}}{{/if}},
+  "exclude-packages-from-root": true,
+  "group-pull-request-title-pattern": "chore: release ${version}",
+  "pull-request-title-pattern": "chore: release${component} ${version}",
+  "changelog-sections": {{{json changelogTypes}}},
   "packages": {
     "{{#unless pkgRelPath}}.{{/unless}}{{pkgRelPath}}": {
       {{#unless pkgRelPath}}"package-name": ""{{/unless}}

package/lib/content/release-please.yml

@@ -15,32 +15,56 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     outputs:
-      prs: $\{{ steps.release.outputs.prs }}
+      pr: $\{{ steps.release.outputs.pr }}
+      release: $\{{ steps.release.outputs.release }}
     steps:
-      - uses: google-github-actions/release-please-action@v3
+      {{> setupGit}}
+      {{> setupNode}}
+      {{> setupDeps}}
+      - name: Release Please
         id: release
-        with:
-          command: manifest
+        run: npx --offline template-oss-release-please
+        env:
+          GITHUB_TOKEN: $\{{ secrets.GITHUB_TOKEN }}
 
-  update-prs:
+  post-pr:
     needs: release-please
-    if: needs.release-please.outputs.prs
+    if: needs.release-please.outputs.pr
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        pr: $\{{ fromJSON(needs.release-please.outputs.prs) }}
+    outputs:
+      ref: $\{{ steps.ref.outputs.branch }}
     steps:
-      {{> setupGit}}
+      - name: Output ref
+        id: ref
+        run: echo "::set-output name=branch::$\{{ fromJSON(needs.release-please.outputs.pr).headBranchName }}"
+      {{> setupGit with=(obj ref="${{ steps.ref.outputs.branch }}")}}
       {{> setupNode}}
-      - name: Update PR $\{{ matrix.pr.number }} dependencies and commit
+      {{> setupDeps}}
+      - name: Post pull request actions
         env:
           GITHUB_TOKEN: $\{{ secrets.GITHUB_TOKEN }}
         run: |
-          gh pr checkout $\{{ matrix.pr.number }}
-          npm run resetdeps
-          title="$\{{ matrix.pr.title }}"
-          # get the dependency spec from the pr title
-          # get everything after ': release ' + replace space with @
-          dep_spec=$(echo "${title##*: release }" | tr ' ' @)
-          git commit -am "deps: $dep_spec"
+          npm run rp-pull-request --ignore-scripts --if-present -ws -iwr
+          git commit -am "chore: post pull request" || true
           git push
+  
+  release-test:
+    needs: post-pr
+    if: needs.post-pr.outputs.ref
+    uses: ./.github/workflows/{{releaseTest}}
+    with:
+      ref: $\{{ needs.post-pr.outputs.ref }}
+
+  post-release:
+    needs: release-please
+    if: needs.release-please.outputs.release
+    runs-on: ubuntu-latest
+    steps:
+      {{> setupGit}}
+      {{> setupNode}}
+      {{> setupDeps}}
+      - name: Post release actions
+        env:
+          GITHUB_TOKEN: $\{{ secrets.GITHUB_TOKEN }}
+        run: |
+          npm run rp-release --ignore-scripts --if-present -ws -iwr

package/lib/content/release-test.yml

@@ -0,0 +1,46 @@
+name: Release
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        required: true
+        type: string
+
+jobs:
+  lint-all:
+    runs-on: ubuntu-latest
+    steps:
+      {{> setupGit with=(obj ref="${{ inputs.ref }}")}}
+      {{> setupNode}}
+      {{> setupDeps}}
+      - run: npm run lint --if-present --workspaces --include-workspace-root
+
+  test-all:
+    strategy:
+      fail-fast: false
+      matrix:
+        node-version:
+          {{#each ciVersions}}
+          - {{.}}
+          {{/each}}
+        platform:
+          - os: ubuntu-latest
+            shell: bash
+          - os: macos-latest
+            shell: bash
+          {{#if windowsCI}}
+          - os: windows-latest
+            shell: cmd
+          {{/if}}
+    runs-on: $\{{ matrix.platform.os }}
+    defaults:
+      run:
+        shell: $\{{ matrix.platform.shell }}
+    steps:
+      {{> setupGit with=(obj ref="${{ inputs.ref }}")}}
+      {{> setupNode useMatrix=true}}
+      {{> setupDeps}}
+      - name: add tap problem matcher
+        run: echo "::add-matcher::.github/matchers/tap.json"
+      - run: npm run test --if-present --workspaces --include-workspace-root

package/lib/content/setup-deps.yml

@@ -0,0 +1 @@
+- run: npm i --ignore-scripts --no-audit --no-fund {{~#if flags}} {{flags}}{{/if}}

package/lib/release-please/changelog.js

@@ -0,0 +1,225 @@
+const RP = require('release-please/build/src/changelog-notes/default')
+
+module.exports = class DefaultChangelogNotes extends RP.DefaultChangelogNotes {
+  constructor (options) {
+    super(options)
+    this.github = options.github
+  }
+
+  async buildDefaultNotes (commits, options) {
+    // The default generator has a title with the version and date
+    // and a link to the diff between the last two versions
+    const notes = await super.buildNotes(commits, options)
+    const lines = notes.split('\n')
+
+    let foundBreakingHeader = false
+    let foundNextHeader = false
+    const breaking = lines.reduce((acc, line) => {
+      if (line.match(/^### .* BREAKING CHANGES$/)) {
+        foundBreakingHeader = true
+      } else if (!foundNextHeader && foundBreakingHeader && line.match(/^### /)) {
+        foundNextHeader = true
+      }
+      if (foundBreakingHeader && !foundNextHeader) {
+        acc.push(line)
+      }
+      return acc
+    }, []).join('\n')
+
+    return {
+      title: lines[0],
+      breaking: breaking.trim(),
+    }
+  }
+
+  async buildNotes (commits, options) {
+    const { title, breaking } = await this.buildDefaultNotes(commits, options)
+    const body = await generateChangelogBody(commits, { github: this.github, ...options })
+    return [title, breaking, body].filter(Boolean).join('\n\n')
+  }
+}
+
+// a naive implementation of console.log/group for indenting console
+// output but keeping it in a buffer to be output to a file or console
+const logger = (init) => {
+  let indent = 0
+  const step = 2
+  const buffer = [init]
+  return {
+    toString () {
+      return buffer.join('\n').trim()
+    },
+    group (s) {
+      this.log(s)
+      indent += step
+    },
+    groupEnd () {
+      indent -= step
+    },
+    log (s) {
+      if (!s) {
+        buffer.push('')
+      } else {
+        buffer.push(s.split('\n').map((l) => ' '.repeat(indent) + l).join('\n'))
+      }
+    },
+  }
+}
+
+const generateChangelogBody = async (_commits, { github, changelogSections }) => {
+  const changelogMap = new Map(
+    changelogSections.filter(c => !c.hidden).map((c) => [c.type, c.section])
+  )
+
+  const { repository } = await github.graphql(
+    `fragment commitCredit on GitObject {
+      ... on Commit {
+        message
+        url
+        abbreviatedOid
+        authors (first:10) {
+          nodes {
+            user {
+              login
+              url
+            }
+            email
+            name
+          }
+        }
+        associatedPullRequests (first:10) {
+          nodes {
+            number
+            url
+            merged
+          }
+        }
+      }
+    }
+
+    query {
+      repository (owner:"${github.repository.owner}", name:"${github.repository.repo}") {
+        ${_commits.map(({ sha: s }) => `_${s}: object (expression: "${s}") { ...commitCredit }`)}
+      }
+    }`
+  )
+
+  // collect commits by valid changelog type
+  const commits = [...changelogMap.values()].reduce((acc, type) => {
+    acc[type] = []
+    return acc
+  }, {})
+
+  const allCommits = Object.values(repository)
+
+  for (const commit of allCommits) {
+    // get changelog type of commit or bail if there is not a valid one
+    const [, type] = /(^\w+)[\s(:]?/.exec(commit.message) || []
+    const changelogType = changelogMap.get(type)
+    if (!changelogType) {
+      continue
+    }
+
+    const message = commit.message
+      .trim() // remove leading/trailing spaces
+      .replace(/(\r?\n)+/gm, '\n') // replace multiple newlines with one
+      .replace(/([^\s]+@\d+\.\d+\.\d+.*)/gm, '`$1`') // wrap package@version in backticks
+
+    // the title is the first line of the commit, 'let' because we change it later
+    let [title, ...body] = message.split('\n')
+
+    const prs = commit.associatedPullRequests.nodes.filter((pull) => pull.merged)
+
+    // external squashed PRs dont get the associated pr node set
+    // so we try to grab it from the end of the commit title
+    // since thats where it goes by default
+    const [, titleNumber] = title.match(/\s+\(#(\d+)\)$/) || []
+    if (titleNumber && !prs.find((pr) => pr.number === +titleNumber)) {
+      try {
+        // it could also reference an issue so we do one extra check
+        // to make sure it is really a pr that has been merged
+        const { data: realPr } = await github.octokit.pulls.get({
+          owner: github.repository.owner,
+          repo: github.repository.repo,
+          pull_number: titleNumber,
+        })
+        if (realPr.state === 'MERGED') {
+          prs.push(realPr)
+        }
+      } catch {
+        // maybe an issue or something else went wrong
+        // not super important so keep going
+      }
+    }
+
+    for (const pr of prs) {
+      title = title.replace(new RegExp(`\\s*\\(#${pr.number}\\)`, 'g'), '')
+    }
+
+    body = body
+      .map((line) => line.trim()) // remove artificial line breaks
+      .filter(Boolean) // remove blank lines
+      .join('\n') // rejoin on new lines
+      .split(/^[*-]/gm) // split on lines starting with bullets
+      .map((line) => line.trim()) // remove spaces around bullets
+      .filter((line) => !title.includes(line)) // rm lines that exist in the title
+      // replace new lines for this bullet with spaces and re-bullet it
+      .map((line) => `* ${line.trim().replace(/\n/gm, ' ')}`)
+      .join('\n') // re-join with new lines
+
+    commits[changelogType].push({
+      hash: commit.abbreviatedOid,
+      url: commit.url,
+      title,
+      type: changelogType,
+      body,
+      prs,
+      credit: commit.authors.nodes.map((author) => {
+        if (author.user && author.user.login) {
+          return {
+            name: `@${author.user.login}`,
+            url: author.user.url,
+          }
+        }
+        // if the commit used an email that's not associated with a github account
+        // then the user field will be empty, so we fall back to using the committer's
+        // name and email as specified by git
+        return {
+          name: author.name,
+          url: `mailto:${author.email}`,
+        }
+      }),
+    })
+  }
+
+  const output = logger()
+
+  for (const key of Object.keys(commits)) {
+    if (commits[key].length > 0) {
+      output.group(`### ${key}\n`)
+
+      for (const commit of commits[key]) {
+        let groupCommit = `* [\`${commit.hash}\`](${commit.url})`
+
+        for (const pr of commit.prs) {
+          groupCommit += ` [#${pr.number}](${pr.url})`
+        }
+
+        groupCommit += ` ${commit.title}`
+        if (key !== 'Dependencies') {
+          for (const user of commit.credit) {
+            groupCommit += ` (${user.name})`
+          }
+        }
+
+        output.group(groupCommit)
+        output.groupEnd()
+      }
+
+      output.log()
+      output.groupEnd()
+    }
+  }
+
+  return output.toString()
+}

package/lib/release-please/index.js

@@ -0,0 +1,39 @@
+const RP = require('release-please')
+const logger = require('./logger.js')
+const ChangelogNotes = require('./changelog.js')
+const Version = require('./version.js')
+const WorkspaceDeps = require('./workspace-deps.js')
+
+RP.setLogger(logger)
+RP.registerChangelogNotes('default', (options) => new ChangelogNotes(options))
+RP.registerVersioningStrategy('default', (options) => new Version(options))
+RP.registerPlugin('workspace-deps', (options) => new WorkspaceDeps(options))
+
+const main = async ({ repo: fullRepo, token, dryRun, branch }) => {
+  if (!token) {
+    throw new Error('Token is required')
+  }
+
+  if (!fullRepo) {
+    throw new Error('Repo is required')
+  }
+
+  const [owner, repo] = fullRepo.split('/')
+  const github = await RP.GitHub.create({ owner, repo, token })
+  const manifest = await RP.Manifest.fromManifest(
+    github,
+    branch ?? github.repository.defaultBranch
+  )
+
+  const pullRequests = await (dryRun ? manifest.buildPullRequests() : manifest.createPullRequests())
+  const releases = await (dryRun ? manifest.buildReleases() : manifest.createReleases())
+
+  return {
+    // We only ever get a single pull request with our current release-please settings
+    pr: pullRequests.filter(Boolean)[0],
+    releases: releases.filter(Boolean),
+    release: releases.find(r => r.path === '.'),
+  }
+}
+
+module.exports = main

package/lib/release-please/logger.js

@@ -0,0 +1,3 @@
+const { CheckpointLogger } = require('release-please/build/src/util/logger')
+
+module.exports = new CheckpointLogger(true, true)

package/lib/release-please/version.js

@@ -0,0 +1,76 @@
+const semver = require('semver')
+const RP = require('release-please/build/src/version.js')
+
+// A way to compare the "level" of a release since we ignore some things during prereleases
+const LEVELS = new Map([['prerelease', 4], ['major', 3], ['minor', 2], ['patch', 1]]
+  .flatMap((kv) => [kv, kv.slice().reverse()]))
+
+const parseVersion = (v) => {
+  const { prerelease, minor, patch, version } = semver.parse(v)
+  const hasPre = prerelease.length > 0
+  const preId = prerelease.filter(p => typeof p === 'string').join('.')
+  const release = !patch ? (minor ? LEVELS.get('minor') : LEVELS.get('major')) : LEVELS.get('patch')
+  return { version, release, prerelease: hasPre, preId }
+}
+
+const parseCommits = (commits, prerelease) => {
+  let release = LEVELS.get('patch')
+  for (const commit of commits) {
+    if (commit.breaking) {
+      release = LEVELS.get('major')
+      break
+    } else if (['feat', 'feature'].includes(commit.type)) {
+      release = LEVELS.get('minor')
+    }
+  }
+  return { release, prerelease: !!prerelease }
+}
+
+const preInc = ({ version, prerelease, preId }, release) => {
+  if (!release.startsWith('pre')) {
+    release = `pre${release}`
+  }
+  // `pre` is the default prerelease identifier when creating a new
+  // prerelease version
+  return semver.inc(version, release, prerelease ? preId : 'pre')
+}
+
+const releasePleaseVersion = (v) => {
+  const { major, minor, patch, prerelease } = semver.parse(v)
+  return new RP.Version(major, minor, patch, prerelease.join('.'))
+}
+
+// This does not account for pre v1 semantics since we don't publish those
+// Always 1.0.0 your initial versions!
+module.exports = class DefaultVersioningStrategy {
+  constructor (options) {
+    this.prerelease = options.prerelease
+  }
+
+  bump (currentVersion, commits) {
+    const next = parseCommits(commits, this.prerelease)
+    // Release please passes in a version class with a toString() method
+    const current = parseVersion(currentVersion.toString())
+
+    // This is a special case where semver doesn't align exactly with what we want.
+    // We are currently at a prerelease and our next is also a prerelease.
+    // In this case we want to ignore the release type we got from our conventional
+    // commits if the "level" of the next release is <= the level of the current one.
+    //
+    // This has the effect of only bumping the prerelease identifier and nothing else
+    // when we are actively working (and breaking) a prerelease. For example:
+    //
+    // `9.0.0-pre.4` + breaking changes = `9.0.0-pre.5`
+    // `8.5.0-pre.4` + breaking changes = `9.0.0-pre.0`
+    // `8.5.0-pre.4` + feature or patch changes = `8.5.0-pre.5`
+    if (current.prerelease && next.prerelease && next.release <= current.release) {
+      next.release = LEVELS.get('prerelease')
+    }
+
+    const release = LEVELS.get(next.release)
+    const releaseVersion = next.prerelease
+      ? preInc(current, release)
+      : semver.inc(current.version, release)
+    return releasePleaseVersion(releaseVersion)
+  }
+}

package/lib/release-please/workspace-deps.js

@@ -0,0 +1,72 @@
+const { ManifestPlugin } = require('release-please/build/src/plugin')
+
+const matchLine = (line, re) => {
+  const trimmed = line.trim().replace(/^[*\s]+/, '')
+  if (typeof re === 'string') {
+    return trimmed === re
+  }
+  return trimmed.match(re)
+}
+
+module.exports = class WorkspaceDeps extends ManifestPlugin {
+  run (pullRequests) {
+    for (const { pullRequest } of pullRequests) {
+      const depLinks = pullRequest.body.releaseData.reduce((acc, release) => {
+        if (release.component) {
+          const url = matchLine(release.notes.split('\n')[0], /\[[^\]]+\]\((.*?)\)/)
+          if (url) {
+            acc[release.component] = url[1]
+          }
+        }
+        return acc
+      }, {})
+
+      for (const release of pullRequest.body.releaseData) {
+        const lines = release.notes.split('\n')
+        const newLines = []
+
+        let inWorkspaceDeps = false
+        let collectWorkspaceDeps = false
+
+        for (const line of lines) {
+          if (matchLine(line, 'The following workspace dependencies were updated')) {
+            // We are in the section with our workspace deps
+            // Set the flag and discard this line since we dont want it in the final output
+            inWorkspaceDeps = true
+          } else if (inWorkspaceDeps) {
+            if (collectWorkspaceDeps) {
+              const depMatch = matchLine(line, /^(\S+) bumped from \S+ to (\S+)$/)
+              if (depMatch) {
+                // If we have a line that is a workspace dep update, then reformat
+                // it and save it to the new lines
+                const [, depName, newVersion] = depMatch
+                const depSpec = `\`${depName}@${newVersion}\``
+                const url = depLinks[depName]
+                newLines.push(`  * ${url ? `[${depSpec}](${url})` : depSpec}`)
+              } else {
+                // Anything else means we are done with dependencies so ignore
+                // this line and dont look for any more
+                collectWorkspaceDeps = false
+              }
+            } else if (matchLine(line, 'dependencies')) {
+              // Only collect dependencies discard dev deps and everything else
+              collectWorkspaceDeps = true
+            } else if (matchLine(line, '') || matchLine(line, /^#/)) {
+              inWorkspaceDeps = false
+              newLines.push(line)
+            }
+          } else {
+            newLines.push(line)
+          }
+        }
+
+        const newNotes = newLines.join('\n').trim()
+        const emptyDeps = newNotes.match(/### Dependencies[\n]+(### .*)/m)
+
+        release.notes = emptyDeps ? newNotes.replace(emptyDeps[0], emptyDeps[1]) : newNotes
+      }
+    }
+
+    return pullRequests
+  }
+}

package/lib/util/has-package.js

@@ -2,6 +2,7 @@ const semver = require('semver')
 const npa = require('npm-package-arg')
 const { has } = require('lodash')
 const { join } = require('path')
+const { name: NAME } = require('../../package.json')
 
 const installLocations = [
   'dependencies',
@@ -30,6 +31,10 @@ const getSpecVersion = (spec, where) => {
       const pkg = require(join(arg.fetchSpec, 'package.json'))
       return new semver.SemVer(pkg.version)
     }
+    case 'git': {
+      // allow installing only this project from git to test in other projects
+      return arg.name === NAME
+    }
   }
   return null
 }
@@ -58,6 +63,9 @@ const hasPackage = (
     .filter(Boolean)
 
   return existingByLocation.some((existing) => {
+    if (existing === true) {
+      return true
+    }
     switch ([existing, requested].map((t) => isVersion(t) ? 'VER' : 'RNG').join('-')) {
       case `VER-VER`:
         // two versions, use semver.eq to check equality

package/package.json

@@ -1,11 +1,12 @@
 {
   "name": "@npmcli/template-oss",
-  "version": "3.7.1",
+  "version": "3.8.0",
   "description": "templated files used in npm CLI team oss projects",
   "main": "lib/content/index.js",
   "bin": {
     "template-oss-apply": "bin/apply.js",
-    "template-oss-check": "bin/check.js"
+    "template-oss-check": "bin/check.js",
+    "template-oss-release-please": "bin/release-please.js"
   },
   "scripts": {
     "lint": "eslint \"**/*.js\"",
@@ -31,6 +32,9 @@
   "author": "GitHub Inc.",
   "license": "ISC",
   "dependencies": {
+    "@actions/core": "^1.9.1",
+    "@commitlint/cli": "^17.1.1",
+    "@commitlint/config-conventional": "^17.1.0",
     "@npmcli/fs": "^2.0.1",
     "@npmcli/git": "^3.0.0",
     "@npmcli/map-workspaces": "^2.0.2",
@@ -44,6 +48,7 @@
     "lodash": "^4.17.21",
     "npm-package-arg": "^9.0.1",
     "proc-log": "^2.0.0",
+    "release-please": "npm:@npmcli/release-please@^14.2.4",
     "semver": "^7.3.5",
     "yaml": "2.0.0-11"
   },
@@ -56,6 +61,9 @@
     "@npmcli/template-oss": "file:./",
     "tap": "^16.0.0"
   },
+  "tap": {
+    "timeout": 600
+  },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten."
   },