npm - @oorabona/release-it-preset - Versions diffs - 1.3.0 → 1.4.1 - Mend

@oorabona/release-it-preset 1.3.0 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +8 -0
package/dist/scripts/annotate-changelog.js +47 -11
package/dist/scripts/check-pr-status.js +5 -2
package/dist/types/annotate-changelog.d.ts +4 -1
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -7,6 +7,7 @@ Shareable [release-it](https://github.com/release-it/release-it) configuration a
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 [![Node](https://img.shields.io/node/v/@oorabona/release-it-preset.svg)](https://nodejs.org/)
 [![OIDC trusted publishing](https://img.shields.io/badge/npm-OIDC%20trusted%20publishing-green.svg)](https://docs.npmjs.com/trusted-publishers)
+[![SLSA Level 3](https://slsa.dev/images/gh-badge-level3.svg)](docs/VERIFY.md)
 [![CI](https://github.com/oorabona/release-it-preset/actions/workflows/ci.yml/badge.svg)](https://github.com/oorabona/release-it-preset/actions/workflows/ci.yml)
 [![Audit](https://github.com/oorabona/release-it-preset/actions/workflows/audit.yml/badge.svg)](https://github.com/oorabona/release-it-preset/actions/workflows/audit.yml)
 [![codecov](https://codecov.io/github/oorabona/release-it-preset/graph/badge.svg?token=6RMN34Z7TX)](https://codecov.io/github/oorabona/release-it-preset)
@@ -37,6 +38,13 @@ pnpm release:minor                 # bump + commit + tag + push (CI publishes)
 → Full reference: [docs/USAGE.md](docs/USAGE.md) · [Migration v0→v1](docs/MIGRATION.md) · [Public API](docs/PUBLIC_API.md)
+## Supply chain verification
+Releases use npm OIDC provenance and, starting with v1.4.0, attach the npm
+registry tarball, SLSA L3 provenance, and a cosign keyless bundle to the GitHub
+release. See [docs/VERIFY.md](docs/VERIFY.md) for copy-paste verification
+commands.
 ## Why this preset?
 Most release workflows fall into one of three traps: too much manual work (plain release-it, you assemble everything), too much ceremony (changesets, great for 5+ maintainers, heavy for one), or too much automation with too little control (semantic-release, hands-off by design and format).

package/dist/scripts/annotate-changelog.js CHANGED Viewed

@@ -357,20 +357,55 @@ function normalizeBlockText(value) {
         .replace(/[ \t]+/g, ' ')
         .trim();
 }
+// Replaces fenced code regions (``` / ~~~) with spaces of identical length so
+// marker scanning never sees them while every index still maps back to the
+// original text. Grammar examples in PR bodies stay inert this way.
+function maskFencedRegions(value) {
+    let openFence = null;
+    return value
+        .split('\n')
+        .map(line => {
+        // Any indentation is accepted on purpose: fences nested under list
+        // items are indented beyond CommonMark's top-level 3-space cap, and a
+        // safety mask must over-mask rather than import a fenced example.
+        const delimiter = line.match(/^\s*(`{3,}|~{3,})/);
+        if (openFence === null) {
+            if (delimiter) {
+                openFence = { char: delimiter[1][0], length: delimiter[1].length };
+                return ' '.repeat(line.length);
+            }
+            return line;
+        }
+        // CommonMark: the closing fence must use the same character and be at
+        // least as long as the opener — a ```` fence is NOT closed by an inner
+        // ``` example, which is precisely how docs show fenced code.
+        if (delimiter &&
+            delimiter[1][0] === openFence.char &&
+            delimiter[1].length >= openFence.length &&
+            /^\s*(`{3,}|~{3,})\s*$/.test(line)) {
+            openFence = null;
+        }
+        return ' '.repeat(line.length);
+    })
+        .join('\n');
+}
 export function extractStructuredChangelogNotes(body, options = {}) {
     if (!body) {
         return [];
     }
     const notes = [];
     const normalizedBody = body.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+    // Markers are matched against the masked text (fenced regions blanked, all
+    // indices preserved); the block TEXT is sliced from the real body.
+    const scanBody = maskFencedRegions(normalizedBody);
     const openMarker = /<!--\s*changelog\s*:\s*([a-z]+)\s*-->/gi;
     const closeMarker = /<!--\s*\/changelog\s*-->/i;
     const prNumber = options.prNumber ?? 0;
-    for (const match of normalizedBody.matchAll(openMarker)) {
+    for (const match of scanBody.matchAll(openMarker)) {
         const type = match[1].toLowerCase();
         const contentStart = match.index + match[0].length;
-        const rest = normalizedBody.slice(contentStart);
-        const closeMatch = closeMarker.exec(rest);
+        const scanRest = scanBody.slice(contentStart);
+        const closeMatch = closeMarker.exec(scanRest);
         if (!closeMatch) {
             warnForPr(prNumber, options, 'unclosed marker');
             continue;
@@ -380,12 +415,13 @@ export function extractStructuredChangelogNotes(body, options = {}) {
             warnForPr(prNumber, options, `unknown changelog type "${type}"`);
             continue;
         }
-        const rawContent = rest.slice(0, closeMatch.index);
+        const rawContent = normalizedBody.slice(contentStart, contentStart + closeMatch.index);
         // A second open marker before the close means overlapping blocks: the
         // outer region is malformed and must never leak a raw marker (or
         // duplicated text) into the changelog. The inner block, if well-formed,
-        // is still picked up by its own matchAll iteration.
-        if (/<!--\s*changelog\s*:/i.test(rawContent)) {
+        // is still picked up by its own matchAll iteration. (Checked on the
+        // masked region too, so fenced examples inside a block stay inert.)
+        if (/<!--\s*changelog\s*:/i.test(scanRest.slice(0, closeMatch.index))) {
             warnForPr(prNumber, options, `nested changelog marker inside ${type} block`);
             continue;
         }
@@ -497,7 +533,7 @@ export function renderAnnotatedBody(parsed, resolvedGroups, repoUrl, deps) {
     for (const heading of orderedPending) {
         emitSection(heading, [], additionsBySection.get(heading) ?? []);
     }
-    return `\n${lines.join('\n').trim()}\n\n`;
+    return { body: `\n${lines.join('\n').trim()}\n\n`, appliedPrCount: annotatedGroups };
 }
 function readChangelog(changelogPath, deps) {
     try {
@@ -524,13 +560,13 @@ export function annotateChangelog(deps) {
     }
     const { repoUrl, ownerRepo } = getRequiredGitHubContext(deps);
     const resolved = resolvePullRequestGroups(groups, ownerRepo, deps);
-    const nextBody = renderAnnotatedBody(parsed, resolved.resolved, repoUrl, deps);
-    if (nextBody === null) {
+    const rendered = renderAnnotatedBody(parsed, resolved.resolved, repoUrl, deps);
+    if (rendered === null) {
         deps.log('No changelog blocks found in the resolved pull requests — nothing to annotate');
         return;
     }
-    deps.writeFileSync(changelogPath, `${block.prefix}${nextBody}${block.suffix}`);
-    deps.log(`Annotated ${resolved.resolved.length} pull request(s)`);
+    deps.writeFileSync(changelogPath, `${block.prefix}${rendered.body}${block.suffix}`);
+    deps.log(`Annotated ${rendered.appliedPrCount} pull request(s)`);
 }
 /* c8 ignore start */
 if (import.meta.url === `file://${process.argv[1]}`) {

package/dist/scripts/check-pr-status.js CHANGED Viewed

@@ -12,10 +12,10 @@
  */
 import { execSync } from 'node:child_process';
 import { appendFileSync, readFileSync } from 'node:fs';
+import { extractStructuredChangelogNotes } from './annotate-changelog.js';
 import { STRICT_CONVENTIONAL_COMMIT_REGEX } from './lib/commit-parser.js';
 import { runScript } from './lib/run-script.js';
 const SKIP_CHANGELOG_REGEX = /\[skip-changelog]/i;
-const CHANGELOG_BLOCK_REGEX = /<!--\s*changelog\s*:\s*(added|changed|deprecated|removed|fixed|security)\s*-->[\s\S]*?<!--\s*\/changelog\s*-->/i;
 export function safeExec(command, deps) {
     try {
         return deps.execSync(command, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'pipe'] }).trim();
@@ -96,7 +96,10 @@ export function evaluateChangelogBlockStatus(deps) {
         if (typeof body !== 'string') {
             return 'unknown';
         }
-        return CHANGELOG_BLOCK_REGEX.test(body) ? 'present' : 'absent';
+        // Same parser as annotate (typed markers, fence masking): a fenced
+        // documentation example must not count as present here while annotate
+        // would ignore it.
+        return extractStructuredChangelogNotes(body).length > 0 ? 'present' : 'absent';
     }
     catch {
         return 'unknown';

package/dist/types/annotate-changelog.d.ts CHANGED Viewed

@@ -81,6 +81,9 @@ export declare function extractStructuredChangelogNotes(body: string | null | un
     prNumber?: number;
     warn?: (message: string) => void;
 }): ChangelogNote[];
-export declare function renderAnnotatedBody(parsed: ParsedUnreleased, resolvedGroups: ResolvedGroup[], repoUrl: string, deps: AnnotateChangelogDeps): string | null;
+export declare function renderAnnotatedBody(parsed: ParsedUnreleased, resolvedGroups: ResolvedGroup[], repoUrl: string, deps: AnnotateChangelogDeps): {
+    body: string;
+    appliedPrCount: number;
+} | null;
 export declare function annotateChangelog(deps: AnnotateChangelogDeps): void;
 export {};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@oorabona/release-it-preset",
-  "version": "1.3.0",
+  "version": "1.4.1",
   "description": "Release tooling for solo and small-team JS maintainers: human-curated changelogs, OIDC zero-config publishing, recovery presets, monorepo support, pre-release diagnostics.",
   "type": "module",
   "keywords": [