@oorabona/release-it-preset 1.0.0 → 1.2.0

package/README.md

@@ -575,6 +575,12 @@ pnpm release-it-preset init
 
 # Non-interactive mode (skip prompts, use defaults)
 pnpm release-it-preset init --yes
+
+# Also scaffold a GitHub Actions publish workflow
+pnpm release-it-preset init --yes --with-workflows
+
+# Use a custom workflow filename (default: release.yml)
+pnpm release-it-preset init --yes --with-workflows --workflow-name=publish.yml
 ```
 
 **What it does:**
@@ -654,7 +660,7 @@ pnpm release-it-preset doctor --json
 |----------|--------|
 | Environment | Known env vars, source (env / default / unset), publish-mode consistency |
 | Repository | Git repo presence, branch vs `GIT_REQUIRE_BRANCH`, latest tag, commit count, dirty WD, upstream tracking, remote URL |
-| Configuration | `CHANGELOG.md` exists + Keep a Changelog format + `[Unreleased]` content, `.release-it.json` parseable + `extends` field, `package.json` valid semver version |
+| Configuration | `CHANGELOG.md` exists + Keep a Changelog format + `[Unreleased]` content, `.release-it.json` parseable + `extends` field, `package.json` valid semver version, `release-it` peer range satisfied, `release-it` major version advisor |
 | Readiness Summary | `PASS`/`WARN`/`FAIL` counts, score `N/M checks passing`, status (`READY`/`WARNINGS`/`BLOCKED`), actionable recommendations |
 
 **Exit codes:**
@@ -896,7 +902,7 @@ pnpm release-it-preset default
 - The `extends` field loads the preset
 - release-it merges your overrides on top via c12
 - **Your values take precedence** over preset defaults
-- CLI validates that `extends` matches the command
+- CLI validates that `extends` is present; mismatched preset name warns and uses the invoked preset's config for that run
 
 **Pros:**
 - ✅ **Recommended for customization**
@@ -951,7 +957,7 @@ pnpm release-it-preset default
 
 **Why `extends` is required:** Without it, release-it only loads your config file and uses release-it's own defaults. The preset is never loaded, so you lose important defaults like `npm.publish: false`.
 
-#### Error 2: Preset mismatch
+#### Note: Preset mismatch (warning, not error)
 
 ```bash
 # .release-it.json extends "default":
@@ -962,15 +968,14 @@ pnpm release-it-preset default
 # But you run:
 pnpm release-it-preset hotfix
 
-# ❌ Configuration mismatch error!
-#    CLI preset:               hotfix
-#    .release-it.json extends: default
-#
-#    Either:
-#      1. Run: release-it-preset default
-#      2. Update .release-it.json extends to: "@oorabona/release-it-preset/config/hotfix"
+# ⚠️  Note: your .release-it.json extends "default"
+#    but you invoked the "hotfix" preset.
+#    Using "hotfix" config directly; .release-it.json customizations are ignored for this run.
+#    To use your customizations, run: release-it-preset default
 ```
 
+> **Note**: invoking a preset different from your `.release-it.json` extends value now warns and uses the invoked preset's config (was: hard error). Use the matching name to keep your customizations.
+
 ---
 
 ### Which Mode Should I Use?

package/bin/cli.js

@@ -160,21 +160,19 @@ function handleReleaseCommand(configName, args) {
       const extendsPreset = extendsMatch?.[1];
 
       if (extendsPreset && extendsPreset !== configName) {
-        console.error(`\n❌ Configuration mismatch error!`);
-        console.error(`   CLI preset:               ${configName}`);
-        console.error(`   .release-it.json extends: ${extendsPreset}`);
-        console.error(``);
-        console.error(`Either:`);
-        console.error(`  1. Run: release-it-preset ${extendsPreset}`);
-        console.error(`     → Use the preset specified in your config file`);
-        console.error(``);
-        console.error(`  2. Update .release-it.json extends to: "${expectedExtends}"`);
-        console.error(`     → Match your config file to the CLI command\n`);
-        process.exit(1);
+        console.warn(`⚠️  Note: your .release-it.json extends "${extendsPreset}"`);
+        console.warn(`   but you invoked the "${configName}" preset.`);
+        console.warn(`   Using "${configName}" config directly; .release-it.json customizations are ignored for this run.`);
+        console.warn(`   To use your customizations, run: release-it-preset ${extendsPreset}`);
+        console.warn(``);
+        // Force --config flag to use OUR preset, ignore user's .release-it.json
+        fullArgs = ['--config', configPath, ...args];
+      } else {
+        console.log(`✅ Config validated: preset "${configName}"`);
+        console.log(`📝 Using: ${userConfigPath}\n`);
+        // Let release-it discover .release-it.json and merge via extends
+        fullArgs = [...args];
       }
-
-      console.log(`✅ Config validated: preset "${configName}"`);
-      console.log(`📝 Using: ${userConfigPath}\n`);
     } catch (error) {
       if (error instanceof SyntaxError) {
         console.error(`❌ Failed to parse .release-it.json: ${error.message}`);
@@ -183,9 +181,6 @@ function handleReleaseCommand(configName, args) {
       }
       process.exit(1);
     }
-
-    // Let release-it discover .release-it.json and merge via extends
-    fullArgs = [...args];
   } else {
     // No user config - use preset directly
     console.log(`📝 Using preset config directly: ${configPath}`);

package/bin/validators.js

@@ -117,6 +117,40 @@ export function sanitizeArgs(args) {
  * @throws {Error} If validation fails (invalid extension, too deep, missing file, etc.)
  * @returns {string} Absolute path to validated config file
  */
+
+/**
+ * Validates a workflow filename for use with `init --workflow-name`.
+ *
+ * Allowed: simple filenames matching ^[A-Za-z0-9._-]+\.ya?ml$
+ * Rejected: path components (subdir/), traversal (../), wrong extension.
+ *
+ * @param {string} name - The workflow filename to validate
+ * @throws {Error} If the name contains path separators, traversal, or wrong extension
+ * @returns {string} The validated filename
+ */
+export function validateWorkflowName(name) {
+  if (!name || name.length === 0) {
+    throw new Error(
+      `Workflow name cannot be empty.\n` +
+      `Expected a simple filename like "release.yml" or "publish.yml".`
+    );
+  }
+
+  // Reject any path separators or traversal — name must be a single filename component
+  const WORKFLOW_NAME_RE = /^[A-Za-z0-9._-]+\.ya?ml$/;
+  if (!WORKFLOW_NAME_RE.test(name)) {
+    throw new Error(
+      `Invalid workflow name: "${name}"\n` +
+      `Workflow name must be a simple filename matching ^[A-Za-z0-9._-]+\\.ya?ml$\n` +
+      `Examples: release.yml, publish.yml, release_it.yml\n` +
+      `Path components (subdir/foo.yml) and traversal (../etc.yml) are not allowed.`
+    );
+  }
+
+  return name;
+}
+
+
 export function validateConfigPath(configPath) {
   // 1. Whitelist config file extensions (defense in depth)
   const allowedExtensions = ['.json', '.js', '.cjs', '.mjs', '.yaml', '.yml', '.toml'];

package/dist/scripts/doctor.js

@@ -396,11 +396,149 @@ export function validateConfiguration(deps) {
         }
     }
     checks.push(detectWorkspaceIntegration(deps));
+    for (const result of validateReleaseItPeer(deps)) {
+        checks.push(result);
+    }
     return { checks, status: worstStatus(checks.map((c) => c.status)) };
 }
 // ---------------------------------------------------------------------------
 // 4. Summary
 // ---------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// 3b. Release-it peer-dependency checks
+// ---------------------------------------------------------------------------
+/**
+ * Reads the preset's declared peerDependencies.release-it range.
+ * Looks in node_modules/@oorabona/release-it-preset/package.json first
+ * (installed package context), then ./package.json (source repo / dev),
+ * then falls back to a hardcoded constant.
+ */
+function readPresetPeerRange(deps) {
+    const FALLBACK = '^19.0.0 || ^20.0.0';
+    const candidates = [
+        'node_modules/@oorabona/release-it-preset/package.json',
+        'package.json',
+    ];
+    for (const candidate of candidates) {
+        try {
+            if (!deps.existsSync(candidate))
+                continue;
+            const raw = deps.readFileSync(candidate, 'utf8');
+            const pkg = JSON.parse(raw);
+            const peers = pkg.peerDependencies;
+            if (peers?.['release-it']) {
+                return peers['release-it'];
+            }
+        }
+        catch {
+            // continue to next candidate
+        }
+    }
+    return FALLBACK;
+}
+/**
+ * Extracts the highest major version number from a semver range string.
+ * Handles OR-joined ranges like "^19.0.0 || ^20.0.0" → 20.
+ */
+function highestMajorFromRange(range) {
+    const matches = range.match(/(\d+)\.\d+\.\d+/g) ?? [];
+    let max = 0;
+    for (const m of matches) {
+        const major = parseInt(m.split('.')[0], 10);
+        if (major > max)
+            max = major;
+    }
+    return max;
+}
+/**
+ * Checks whether an installed version satisfies a simplified peer range.
+ * Supports "^X.Y.Z || ^A.B.C" — checks that the installed major matches
+ * any major present in the range.
+ */
+function satisfiesPeerRange(version, range) {
+    const installedMajor = parseInt(version.replace(/^v/, '').split('.')[0], 10);
+    const allowedMajors = Array.from(range.matchAll(/[~^]?(\d+)\.\d+\.\d+/g), (m) => parseInt(m[1], 10));
+    return allowedMajors.includes(installedMajor);
+}
+/**
+ * Runs Check A (peer range satisfaction) and Check B (major version advisor).
+ * Returns an array of CheckResult to be appended into validateConfiguration.
+ * Check B is silently skipped when the npm registry is unreachable.
+ */
+export function validateReleaseItPeer(deps) {
+    const results = [];
+    const peerRange = readPresetPeerRange(deps);
+    // --- Check A: release-it in supported peer range ---
+    const lsOutput = safeExec('npm ls release-it --depth=0 --json', deps);
+    if (!lsOutput) {
+        results.push({
+            name: 'release-it peer dependency',
+            status: 'FAIL',
+            value: 'not found',
+            detail: 'release-it is not installed. Run: pnpm add -D release-it@^20',
+        });
+    }
+    else {
+        let installedVersion;
+        try {
+            const parsed = JSON.parse(lsOutput);
+            installedVersion = parsed.dependencies?.['release-it']?.version;
+        }
+        catch {
+            // parse failure treated as not found
+        }
+        if (!installedVersion) {
+            results.push({
+                name: 'release-it peer dependency',
+                status: 'FAIL',
+                value: 'not found',
+                detail: 'release-it is not installed. Run: pnpm add -D release-it@^20',
+            });
+        }
+        else if (!satisfiesPeerRange(installedVersion, peerRange)) {
+            results.push({
+                name: 'release-it peer dependency',
+                status: 'FAIL',
+                value: installedVersion,
+                detail: `Installed release-it ${installedVersion} is outside the supported range (${peerRange}). Run: pnpm add -D release-it@^20`,
+            });
+        }
+        else {
+            results.push({
+                name: 'release-it peer dependency',
+                status: 'PASS',
+                value: installedVersion,
+            });
+        }
+    }
+    // --- Check B: release-it major version advisor ---
+    // On network failure (null), skip the check entirely — no FAIL on outage.
+    const latestOutput = safeExec('npm view release-it version', deps);
+    if (latestOutput) {
+        const latestVersion = latestOutput.trim();
+        const latestMajor = parseInt(latestVersion.replace(/^v/, '').split('.')[0], 10);
+        const supportedMaxMajor = highestMajorFromRange(peerRange);
+        if (!Number.isNaN(latestMajor) && !Number.isNaN(supportedMaxMajor)) {
+            if (latestMajor > supportedMaxMajor) {
+                results.push({
+                    name: 'release-it major version',
+                    status: 'WARN',
+                    value: latestVersion,
+                    detail: `release-it ${latestMajor}.x available; preset's peer range max is ${supportedMaxMajor}.x. Coordinate with the preset maintainer before upgrading.`,
+                });
+            }
+            else {
+                results.push({
+                    name: 'release-it major version',
+                    status: 'PASS',
+                    value: latestVersion,
+                });
+            }
+        }
+    }
+    // If latestOutput is null (network failure), push nothing for Check B.
+    return results;
+}
 export function summarize(report) {
     const allChecks = [
         ...report.environment.checks,

package/dist/scripts/init-project.js

@@ -13,9 +13,27 @@
  * Options:
  *   --yes    Skip prompts and use defaults
  */
-import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { createInterface } from 'node:readline';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { runScript } from './lib/run-script.js';
+import { parsePnpmWorkspaceYaml, parseWorkspacesFromPackageJson, resolvePackagePaths, } from './lib/workspace-detect.js';
+import { ValidationError } from './lib/errors.js';
+// Single source of truth for workflow name validation within this file.
+// NOTE: bin/validators.js cannot be imported here — TypeScript compiles scripts/ to
+// dist/scripts/ so a relative '../bin/' import resolves to 'dist/bin/' at runtime
+// (wrong). The canonical regex lives in bin/validators.js:validateWorkflowName and
+// is kept in sync here manually (same pattern: ^[A-Za-z0-9._-]+\.ya?ml$).
+const WORKFLOW_NAME_REGEX = /^[A-Za-z0-9._-]+\.ya?ml$/;
+function assertValidWorkflowName(name) {
+    if (!WORKFLOW_NAME_REGEX.test(name)) {
+        throw new ValidationError(`Invalid workflow name: "${name}"\n` +
+            `Workflow name must match [A-Za-z0-9._-]+\\.ya?ml (no path components, no traversal).\n` +
+            `Examples: release.yml, publish.yml\n` +
+            `Path components and traversal (../etc.yml) are not allowed.`);
+    }
+}
 const CHANGELOG_TEMPLATE = `# Changelog
 
 All notable changes to this project will be documented in this file.
@@ -34,6 +52,9 @@ const RELEASE_IT_CONFIG = `{
 `;
 const SUGGESTED_SCRIPTS = {
     'release': 'release-it-preset default',
+    'release:patch': 'release-it-preset default patch',
+    'release:minor': 'release-it-preset default minor',
+    'release:major': 'release-it-preset default major',
     'release:hotfix': 'release-it-preset hotfix',
     'release:dry': 'release-it-preset default --dry-run',
     'changelog:update': 'release-it-preset update',
@@ -41,8 +62,13 @@ const SUGGESTED_SCRIPTS = {
 export function parseArgs(args) {
     /* c8 ignore next */
     const argv = args || process.argv.slice(2);
+    // Extract --workflow-name=<value>
+    const workflowNameArg = argv.find(a => a.startsWith('--workflow-name='));
+    const workflowName = workflowNameArg ? workflowNameArg.slice('--workflow-name='.length) : 'release.yml';
     return {
         yes: argv.includes('--yes') || argv.includes('-y'),
+        withWorkflows: argv.includes('--with-workflows'),
+        workflowName,
     };
 }
 export async function createChangelog(options, deps) {
@@ -132,27 +158,144 @@ export async function updatePackageJson(options, deps) {
         return false;
     }
 }
+/**
+ * Write the GitHub Actions workflow file to .github/workflows/<name>.
+ * Skips silently if the file already exists (existing skip-on-conflict policy).
+ */
+export async function writeWorkflow(options, deps) {
+    // Defense-in-depth: validate workflow name before any path computation.
+    // The CLI entry point also validates, but programmatic callers (tests, library use) bypass it.
+    assertValidWorkflowName(options.workflowName);
+    const workflowDir = join('.github', 'workflows');
+    const workflowPath = join(workflowDir, options.workflowName);
+    if (deps.existsSync(workflowPath)) {
+        deps.log(`ℹ️  ${workflowPath} already exists — skipping.`);
+        deps.log(`   To integrate manually, review the template and merge into your existing workflow.`);
+        return false;
+    }
+    // Resolve template path: try compiled position first, fall back to source position.
+    //   compiled: dist/scripts/init-project.js → ../../scripts/templates/... (2 hops up)
+    //   source:   scripts/init-project.ts     → ./templates/...             (sibling dir)
+    const __filename = fileURLToPath(import.meta.url);
+    const __dirname = dirname(__filename);
+    const compiledPath = join(__dirname, '..', '..', 'scripts', 'templates', 'workflows', 'release.yml.template');
+    const sourcePath = join(__dirname, 'templates', 'workflows', 'release.yml.template');
+    const templatePath = deps.existsSync(compiledPath) ? compiledPath : sourcePath;
+    let templateContent;
+    try {
+        templateContent = deps.readFileSync(templatePath, 'utf8');
+    }
+    catch (error) {
+        throw new ValidationError(`Failed to read workflow template at "${templatePath}".\n` +
+            `The template ships in scripts/templates/ — if it is missing, reinstall the package.\n` +
+            `Original error: ${error}`);
+    }
+    // Ensure .github/workflows/ exists
+    if (!deps.existsSync(workflowDir)) {
+        deps.mkdirSync(workflowDir, { recursive: true });
+    }
+    deps.writeFileSync(workflowPath, templateContent);
+    deps.log(`✅ Created ${workflowPath}`);
+    return true;
+}
+/**
+ * Detect workspaces from pnpm-workspace.yaml or package.json#workspaces.
+ * Returns resolved absolute package directory paths.
+ * Returns empty array if no workspace config found.
+ * Throws ValidationError if workspace patterns escape the project root.
+ */
+export function detectWorkspaces(projectRoot, deps) {
+    const pnpmWorkspaceFile = join(projectRoot, 'pnpm-workspace.yaml');
+    const packageJsonFile = join(projectRoot, 'package.json');
+    let patterns = [];
+    let workspaceConfigExists = false;
+    if (deps.existsSync(pnpmWorkspaceFile)) {
+        workspaceConfigExists = true;
+        const content = deps.readFileSync(pnpmWorkspaceFile, 'utf8');
+        patterns = parsePnpmWorkspaceYaml(content);
+    }
+    else if (deps.existsSync(packageJsonFile)) {
+        const content = deps.readFileSync(packageJsonFile, 'utf8');
+        patterns = parseWorkspacesFromPackageJson(content);
+        if (patterns.length > 0) {
+            workspaceConfigExists = true;
+        }
+    }
+    if (patterns.length === 0) {
+        if (workspaceConfigExists) {
+            deps.warn(`ℹ️  Workspace config file found but no packages declared/resolved — ` +
+                `treating as single-package init.`);
+        }
+        return [];
+    }
+    return resolvePackagePaths(patterns, projectRoot, deps);
+}
+/**
+ * Scaffold per-package .release-it.json for each detected workspace package.
+ * Skips packages that already have .release-it.json (skip-on-conflict policy).
+ * Does NOT write a root .release-it.json (would conflict with per-package configs).
+ */
+export async function scaffoldWorkspacePackages(packageDirs, deps) {
+    let created = 0;
+    for (const pkgDir of packageDirs) {
+        const configPath = join(pkgDir, '.release-it.json');
+        if (deps.existsSync(configPath)) {
+            deps.log(`ℹ️  ${configPath} already exists — skipping`);
+            continue;
+        }
+        deps.writeFileSync(configPath, RELEASE_IT_CONFIG);
+        deps.log(`✅ Created ${configPath}`);
+        created++;
+    }
+    return created;
+}
 export async function initProject(options, deps) {
     deps.log('🚀 Initializing project with release-it-preset\n');
     if (options.yes) {
         deps.log('ℹ️  Running in --yes mode (non-interactive)\n');
     }
+    // Detect monorepo workspaces before deciding what to scaffold
+    const projectRoot = process.cwd();
+    const workspaceDirs = detectWorkspaces(projectRoot, deps);
+    const isMonorepo = workspaceDirs.length > 0;
     const results = {
         changelog: await createChangelog(options, deps),
-        releaseIt: await createReleaseItConfig(options, deps),
-        packageJson: await updatePackageJson(options, deps),
+        // In monorepo mode: per-package configs, NO root .release-it.json
+        releaseIt: isMonorepo ? false : await createReleaseItConfig(options, deps),
+        packageJson: isMonorepo ? false : await updatePackageJson(options, deps),
+        workflow: options.withWorkflows ? await writeWorkflow(options, deps) : false,
+        monorepoPackages: isMonorepo ? await scaffoldWorkspacePackages(workspaceDirs, deps) : 0,
     };
     deps.log('\n📊 Summary:');
     deps.log(`   CHANGELOG.md: ${results.changelog ? '✅ Created' : '⏭️  Skipped'}`);
-    deps.log(`   .release-it.json: ${results.releaseIt ? '✅ Created' : '⏭️  Skipped'}`);
-    deps.log(`   package.json: ${results.packageJson ? '✅ Updated' : '⏭️  Skipped'}`);
-    const anyCreated = Object.values(results).some((v) => v);
+    if (isMonorepo) {
+        deps.log(`   workspace packages: ${results.monorepoPackages} .release-it.json created`);
+    }
+    else {
+        deps.log(`   .release-it.json: ${results.releaseIt ? '✅ Created' : '⏭️  Skipped'}`);
+        deps.log(`   package.json: ${results.packageJson ? '✅ Updated' : '⏭️  Skipped'}`);
+    }
+    if (options.withWorkflows) {
+        deps.log(`   workflow: ${results.workflow ? '✅ Created' : '⏭️  Skipped'}`);
+    }
+    const anyCreated = results.changelog ||
+        results.releaseIt ||
+        results.packageJson ||
+        results.workflow ||
+        results.monorepoPackages > 0;
     if (anyCreated) {
         deps.log('\n🎉 Initialization complete!');
         deps.log('\nNext steps:');
         deps.log('   1. Review the generated files');
         deps.log('   2. Update CHANGELOG.md [Unreleased] section');
-        deps.log('   3. Run: pnpm release-it-preset default --dry-run');
+        if (isMonorepo) {
+            deps.log('   3. Release a package: pnpm -F <package-name> exec release-it-preset default --dry-run');
+            deps.log('      (use `pnpm -F <package-name> exec release-it-preset default` to release)');
+            deps.log('   Note: per-package CHANGELOG.md is not auto-created — set CHANGELOG_FILE=../CHANGELOG.md per package, or run `release-it-preset update` from the root and copy entries manually.');
+        }
+        else {
+            deps.log('   3. Run: pnpm release-it-preset default --dry-run');
+        }
     }
     else {
         deps.log('\n✨ All files already exist, nothing to do!');
@@ -178,10 +321,18 @@ if (import.meta.url === `file://${process.argv[1]}`) {
             });
         }
         const options = parseArgs();
+        // Validate workflow name whenever explicitly provided (even without --with-workflows).
+        const argv = process.argv.slice(2);
+        const workflowNameExplicit = argv.some(a => a.startsWith('--workflow-name='));
+        if (workflowNameExplicit || options.withWorkflows) {
+            assertValidWorkflowName(options.workflowName);
+        }
         await initProject(options, {
             existsSync,
             readFileSync,
             writeFileSync,
+            mkdirSync,
+            readdirSync,
             prompt: realPrompt,
             log: console.log,
             warn: console.warn,

package/dist/scripts/lib/workspace-detect.js

@@ -0,0 +1,173 @@
+/**
+ * Workspace detection utilities for pnpm-workspace.yaml and package.json#workspaces.
+ *
+ * Scope: block-list `packages:` in pnpm-workspace.yaml only.
+ * Flow-style arrays ( packages: [...] ) are rejected with a clear error.
+ * Block-list of strings supported. Flow-style arrays AND alias references (`*alias`) are
+ * rejected with `ValidationError`. Anchors (`&name`) on entries are silently treated as
+ * opaque pattern strings.
+ *
+ * All functions are pure (no direct FS access) — dependencies are injected for testability.
+ */
+import { isAbsolute, join, relative, resolve, sep } from 'node:path';
+import { ValidationError } from './errors.js';
+/**
+ * Parse the `packages:` block-list section of a pnpm-workspace.yaml file.
+ *
+ * Only block-sequence form is supported:
+ *   packages:
+ *     - 'packages/*'
+ *     - 'apps/*'
+ *
+ * Flow-style arrays ( packages: ['a', 'b'] ) are rejected with a ValidationError
+ * pointing users toward the block-list form.
+ *
+ * @param content - Raw YAML file content
+ * @returns Array of glob patterns from the packages: block-list, or empty array if no packages: key found
+ * @throws ValidationError if flow-style array syntax is detected
+ */
+export function parsePnpmWorkspaceYaml(content) {
+    const lines = content.split('\n');
+    // Find the `packages:` key
+    const packagesLineIdx = lines.findIndex(l => /^packages\s*:/.test(l));
+    if (packagesLineIdx === -1) {
+        return [];
+    }
+    // Check for unsupported syntax on the same line
+    const packagesLine = lines[packagesLineIdx];
+    // Flow-style arrays: packages: ['a', 'b'] or packages: [a, b]
+    if (/^packages\s*:\s*\[/.test(packagesLine)) {
+        throw new ValidationError(`pnpm-workspace.yaml uses flow-style array for "packages:" which is not supported.\n` +
+            `Please convert to block-list form:\n` +
+            `  packages:\n` +
+            `    - 'packages/*'\n` +
+            `    - 'apps/*'\n` +
+            `If you need flow-style support, open an issue at https://github.com/oorabona/release-it-preset/issues`);
+    }
+    // YAML alias reference: packages: *anchorName
+    if (/^packages\s*:\s*\*\S+/.test(packagesLine)) {
+        throw new ValidationError(`pnpm-workspace.yaml uses a YAML alias reference for "packages:" which is not supported.\n` +
+            `Please convert to block-list form:\n` +
+            `  packages:\n` +
+            `    - 'packages/*'\n` +
+            `    - 'apps/*'\n` +
+            `Anchor/alias support is not planned; if you need it, open an issue at https://github.com/oorabona/release-it-preset/issues`);
+    }
+    // Collect subsequent indented list items (- '...' or - "..." or - bare)
+    const patterns = [];
+    for (let i = packagesLineIdx + 1; i < lines.length; i++) {
+        const line = lines[i];
+        // Stop if we hit a non-indented, non-empty line (new top-level key)
+        if (line.length > 0 && !/^\s/.test(line)) {
+            break;
+        }
+        // Match a block-sequence item
+        const match = line.match(/^\s+-\s+['"]?([^'"#\n]+?)['"]?\s*(?:#.*)?$/);
+        if (match) {
+            patterns.push(match[1].trim());
+        }
+    }
+    return patterns;
+}
+/**
+ * Parse the `workspaces` field from a package.json content string.
+ *
+ * Supports:
+ *   "workspaces": ["packages/*"]           — array form
+ *   "workspaces": {"packages": [...]}      — object form (Yarn-style)
+ *
+ * @param content - Raw package.json content
+ * @returns Array of glob patterns, or empty array if workspaces not present
+ */
+export function parseWorkspacesFromPackageJson(content) {
+    let pkg;
+    try {
+        pkg = JSON.parse(content);
+    }
+    catch {
+        return [];
+    }
+    if (typeof pkg !== 'object' || pkg === null || !('workspaces' in pkg)) {
+        return [];
+    }
+    const ws = pkg.workspaces;
+    if (Array.isArray(ws)) {
+        return ws.filter((v) => typeof v === 'string');
+    }
+    if (typeof ws === 'object' && ws !== null && 'packages' in ws) {
+        const pkgs = ws.packages;
+        if (Array.isArray(pkgs)) {
+            return pkgs.filter((v) => typeof v === 'string');
+        }
+    }
+    return [];
+}
+/**
+ * Expand glob patterns to resolved package directories that contain a package.json.
+ *
+ * Only supports single-level glob expansion: `packages/*` expands to immediate
+ * children of `packages/`. Nested globs (`packages/*\/src`) are not supported
+ * and are returned as-is only if the literal path has a package.json.
+ *
+ * Each resolved path is validated to be contained within projectRoot using
+ * path.resolve + path.relative containment check. Paths escaping the root
+ * (e.g. `../etc`) throw a ValidationError.
+ *
+ * @param patterns - Glob patterns from workspace config
+ * @param projectRoot - Absolute path to the project root
+ * @param deps - Injected FS dependencies
+ * @returns Array of absolute paths to valid package directories
+ */
+export function resolvePackagePaths(patterns, projectRoot, deps) {
+    const result = [];
+    for (const pattern of patterns) {
+        const resolved = resolve(projectRoot, pattern);
+        // Containment check: relative path must NOT start with '..' or be absolute
+        // (isAbsolute guard handles Windows cross-drive paths where relative() returns
+        //  an absolute path that doesn't start with '..', bypassing the startsWith check)
+        const rel = relative(projectRoot, resolved);
+        if (isAbsolute(rel) || rel === '..' || rel.startsWith(`..${sep}`)) {
+            throw new ValidationError(`Workspace pattern "${pattern}" resolves outside the project root.\n` +
+                `Resolved: ${resolved}\n` +
+                `Project root: ${projectRoot}\n` +
+                `Each workspace package must live under the project root.`);
+        }
+        // Single-level glob expansion: path ends with /*
+        if (pattern.endsWith('/*')) {
+            const parentDir = resolve(projectRoot, pattern.slice(0, -2));
+            // Containment check on the parent dir too (same isAbsolute guard)
+            const parentRel = relative(projectRoot, parentDir);
+            if (isAbsolute(parentRel) || parentRel === '..' || parentRel.startsWith(`..${sep}`)) {
+                throw new ValidationError(`Workspace pattern "${pattern}" resolves outside the project root.\n` +
+                    `Resolved parent: ${parentDir}\n` +
+                    `Project root: ${projectRoot}\n` +
+                    `Each workspace package must live under the project root.`);
+            }
+            if (!deps.existsSync(parentDir)) {
+                continue;
+            }
+            let entries;
+            try {
+                entries = deps.readdirSync(parentDir);
+            }
+            catch {
+                continue;
+            }
+            for (const entry of entries) {
+                const pkgDir = join(parentDir, entry);
+                const pkgJson = join(pkgDir, 'package.json');
+                if (deps.existsSync(pkgJson)) {
+                    result.push(pkgDir);
+                }
+            }
+        }
+        else {
+            // Non-glob: treat as literal directory path
+            const pkgJson = join(resolved, 'package.json');
+            if (deps.existsSync(pkgJson)) {
+                result.push(resolved);
+            }
+        }
+    }
+    return result;
+}

package/dist/types/doctor.d.ts

@@ -65,6 +65,12 @@ export declare function safeExec(command: string, deps: DoctorDeps): string | nu
 export declare function collectEnvironment(deps: DoctorDeps): EnvironmentSection;
 export declare function inspectRepository(deps: DoctorDeps): RepositorySection;
 export declare function validateConfiguration(deps: DoctorDeps): ConfigurationSection;
+/**
+ * Runs Check A (peer range satisfaction) and Check B (major version advisor).
+ * Returns an array of CheckResult to be appended into validateConfiguration.
+ * Check B is silently skipped when the npm registry is unreachable.
+ */
+export declare function validateReleaseItPeer(deps: DoctorDeps): CheckResult[];
 export declare function summarize(report: Omit<DoctorReport, 'summary'>): DoctorSummary;
 export declare function runDoctor(deps: DoctorDeps): DoctorReport;
 export declare function formatHuman(report: DoctorReport): string;

package/dist/types/init-project.d.ts

@@ -13,14 +13,18 @@
  * Options:
  *   --yes    Skip prompts and use defaults
  */
-import { existsSync, readFileSync, writeFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readdirSync, readFileSync, writeFileSync } from 'node:fs';
 interface Options {
     yes: boolean;
+    withWorkflows: boolean;
+    workflowName: string;
 }
 export interface InitProjectDeps {
     existsSync: typeof existsSync;
     readFileSync: typeof readFileSync;
     writeFileSync: typeof writeFileSync;
+    mkdirSync: typeof mkdirSync;
+    readdirSync: typeof readdirSync;
     prompt: (question: string) => Promise<boolean>;
     log: (message: string) => void;
     warn: (message: string) => void;
@@ -29,9 +33,29 @@ export declare function parseArgs(args?: string[]): Options;
 export declare function createChangelog(options: Options, deps: InitProjectDeps): Promise<boolean>;
 export declare function createReleaseItConfig(options: Options, deps: InitProjectDeps): Promise<boolean>;
 export declare function updatePackageJson(options: Options, deps: InitProjectDeps): Promise<boolean>;
+/**
+ * Write the GitHub Actions workflow file to .github/workflows/<name>.
+ * Skips silently if the file already exists (existing skip-on-conflict policy).
+ */
+export declare function writeWorkflow(options: Options, deps: InitProjectDeps): Promise<boolean>;
+/**
+ * Detect workspaces from pnpm-workspace.yaml or package.json#workspaces.
+ * Returns resolved absolute package directory paths.
+ * Returns empty array if no workspace config found.
+ * Throws ValidationError if workspace patterns escape the project root.
+ */
+export declare function detectWorkspaces(projectRoot: string, deps: InitProjectDeps): string[];
+/**
+ * Scaffold per-package .release-it.json for each detected workspace package.
+ * Skips packages that already have .release-it.json (skip-on-conflict policy).
+ * Does NOT write a root .release-it.json (would conflict with per-package configs).
+ */
+export declare function scaffoldWorkspacePackages(packageDirs: string[], deps: InitProjectDeps): Promise<number>;
 export declare function initProject(options: Options, deps: InitProjectDeps): Promise<{
     changelog: boolean;
     releaseIt: boolean;
     packageJson: boolean;
+    workflow: boolean;
+    monorepoPackages: number;
 }>;
 export {};

package/dist/types/lib/workspace-detect.d.ts

@@ -0,0 +1,59 @@
+/**
+ * Workspace detection utilities for pnpm-workspace.yaml and package.json#workspaces.
+ *
+ * Scope: block-list `packages:` in pnpm-workspace.yaml only.
+ * Flow-style arrays ( packages: [...] ) are rejected with a clear error.
+ * Block-list of strings supported. Flow-style arrays AND alias references (`*alias`) are
+ * rejected with `ValidationError`. Anchors (`&name`) on entries are silently treated as
+ * opaque pattern strings.
+ *
+ * All functions are pure (no direct FS access) — dependencies are injected for testability.
+ */
+export interface WorkspaceDetectDeps {
+    existsSync: (path: string) => boolean;
+    readdirSync: (path: string) => string[];
+}
+/**
+ * Parse the `packages:` block-list section of a pnpm-workspace.yaml file.
+ *
+ * Only block-sequence form is supported:
+ *   packages:
+ *     - 'packages/*'
+ *     - 'apps/*'
+ *
+ * Flow-style arrays ( packages: ['a', 'b'] ) are rejected with a ValidationError
+ * pointing users toward the block-list form.
+ *
+ * @param content - Raw YAML file content
+ * @returns Array of glob patterns from the packages: block-list, or empty array if no packages: key found
+ * @throws ValidationError if flow-style array syntax is detected
+ */
+export declare function parsePnpmWorkspaceYaml(content: string): string[];
+/**
+ * Parse the `workspaces` field from a package.json content string.
+ *
+ * Supports:
+ *   "workspaces": ["packages/*"]           — array form
+ *   "workspaces": {"packages": [...]}      — object form (Yarn-style)
+ *
+ * @param content - Raw package.json content
+ * @returns Array of glob patterns, or empty array if workspaces not present
+ */
+export declare function parseWorkspacesFromPackageJson(content: string): string[];
+/**
+ * Expand glob patterns to resolved package directories that contain a package.json.
+ *
+ * Only supports single-level glob expansion: `packages/*` expands to immediate
+ * children of `packages/`. Nested globs (`packages/*\/src`) are not supported
+ * and are returned as-is only if the literal path has a package.json.
+ *
+ * Each resolved path is validated to be contained within projectRoot using
+ * path.resolve + path.relative containment check. Paths escaping the root
+ * (e.g. `../etc`) throw a ValidationError.
+ *
+ * @param patterns - Glob patterns from workspace config
+ * @param projectRoot - Absolute path to the project root
+ * @param deps - Injected FS dependencies
+ * @returns Array of absolute paths to valid package directories
+ */
+export declare function resolvePackagePaths(patterns: string[], projectRoot: string, deps: WorkspaceDetectDeps): string[];

package/package.json

@@ -1,12 +1,11 @@
 {
   "name": "@oorabona/release-it-preset",
-  "version": "1.0.0",
-  "description": "Shared release-it preset with OIDC trusted publishing, smart npm dist-tag selection, and monorepo per-package changelog support",
+  "version": "1.2.0",
+  "description": "Release tooling for solo and small-team JS maintainers: human-curated changelogs, OIDC zero-config publishing, recovery presets, monorepo support, pre-release diagnostics.",
   "type": "module",
   "keywords": [
     "release-it",
     "release",
-    "version",
     "changelog",
     "conventional-commits",
     "keep-a-changelog",
@@ -16,9 +15,12 @@
     "oidc",
     "trusted-publishing",
     "github-actions",
-    "automation",
     "typescript",
-    "semver"
+    "semver",
+    "cli",
+    "developer-tools",
+    "pnpm",
+    "slsa"
   ],
   "author": "Olivier Orabona",
   "license": "MIT",
@@ -51,6 +53,7 @@
     "config",
     "dist/scripts",
     "dist/types",
+    "scripts/templates",
     "README.md",
     "LICENSE"
   ],
@@ -59,13 +62,13 @@
     "release": "pnpm run release:default",
     "release:default": "node ./bin/cli.js default",
     "release:default:dry-run": "node ./bin/cli.js default --dry-run",
-    "release:no-changelog": "node ./bin/cli.js no-changelog",
-    "release:changelog-only": "node ./bin/cli.js changelog-only",
-    "release:manual-changelog": "node ./bin/cli.js manual-changelog",
+    "release:dev:no-changelog": "node ./bin/cli.js no-changelog",
+    "release:dev:changelog-only": "node ./bin/cli.js changelog-only",
+    "release:dev:manual-changelog": "node ./bin/cli.js manual-changelog",
     "release:hotfix": "node ./bin/cli.js hotfix",
-    "release:republish": "node ./bin/cli.js republish",
-    "release:retry-preflight": "node ./bin/cli.js retry-publish-preflight",
-    "release:retry-publish": "node ./bin/cli.js retry-publish",
+    "release:dev:republish": "node ./bin/cli.js republish",
+    "release:dev:retry-preflight": "node ./bin/cli.js retry-publish-preflight",
+    "release:dev:retry-publish": "node ./bin/cli.js retry-publish",
     "release:update": "node ./bin/cli.js update",
     "release:validate": "node ./bin/cli.js validate",
     "release:validate:allow-dirty": "node ./bin/cli.js validate --allow-dirty",
@@ -82,7 +85,12 @@
     "test:watch": "vitest",
     "test:coverage": "vitest run --coverage",
     "test:ui": "vitest --ui",
-    "prepublishOnly": "pnpm build && echo 'Running prepublish checks...' && test -f README.md && test -f LICENSE"
+    "prepublishOnly": "pnpm build && echo 'Running prepublish checks...' && test -f README.md && test -f LICENSE",
+    "release:patch": "node ./bin/cli.js default patch",
+    "release:minor": "node ./bin/cli.js default minor",
+    "release:major": "node ./bin/cli.js default major",
+    "release:dry": "node ./bin/cli.js default --dry-run",
+    "changelog:update": "node ./bin/cli.js update"
   },
   "peerDependencies": {
     "release-it": "^19.0.0 || ^20.0.0"

package/scripts/templates/workflows/release.yml.template

@@ -0,0 +1,63 @@
+# GitHub Actions workflow for npm + GitHub release publishing.
+# Generated by: release-it-preset init --with-workflows
+#
+# PREREQUISITE: Configure OIDC trusted publishing for this workflow file at
+# https://www.npmjs.com/settings/<your-org>/packages — select "GitHub Actions"
+# and set the workflow path to match this file's location in the repository.
+# Without OIDC enrollment the publish step will fail with a 401 on first tag push.
+# Troubleshooting: https://docs.npmjs.com/trusted-publishers
+
+name: Publish Package
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to publish (e.g. v1.2.3). Required when triggered from a branch.'
+        type: string
+        required: false
+
+permissions:
+  contents: write
+  id-token: write  # Required for npm OIDC trusted publishing
+
+env:
+  NODE_VERSION: '24'  # npm >= 11.5.1 ships with Node 24, required for OIDC trusted publishing
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          ref: ${{ inputs.tag || github.ref }}
+          fetch-tags: true
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'pnpm'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Run pre-flight checks
+        run: pnpm exec release-it-preset retry-publish-preflight
+
+      - name: Publish (npm + GitHub release)
+        env:
+          NPM_PUBLISH: 'true'
+          GITHUB_RELEASE: 'true'
+          NPM_SKIP_CHECKS: 'true'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: pnpm exec release-it-preset retry-publish --ci