@releasekit/publish 0.2.0-next.8 → 0.2.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Sam Maister
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -82,13 +82,21 @@ releasekit-publish --input version-output.json
 ### In CI (GitHub Actions)
 
 ```yaml
+- name: Configure permissions (OIDC + git pushes)
+  # at job level:
+  # permissions:
+  #   id-token: write
+  #   contents: write
+
 - name: Version
   run: releasekit-version --json > version-output.json
 
 - name: Publish
   run: releasekit-publish --input version-output.json
+  # For OIDC trusted publishing: no npm token needed (recommended).
+  # For token-based publishing: set NPM_TOKEN (or NODE_AUTH_TOKEN).
   env:
-    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
 ## Configuration
@@ -105,6 +113,10 @@ Configure via `releasekit.config.json`:
       "access": "public",
       "copyFiles": ["LICENSE"]
     },
+    "git": {
+      "pushMethod": "auto",
+      "httpsTokenEnv": "GITHUB_TOKEN"
+    },
     "cargo": {
       "enabled": false,
       "noVerify": false

package/dist/{chunk-Y7Y6GQ6R.js → chunk-H7AKSLZP.js}

@@ -23,7 +23,9 @@ function getDefaultConfig() {
       push: true,
       pushMethod: "auto",
       remote: "origin",
-      branch: "main"
+      branch: "main",
+      httpsTokenEnv: void 0,
+      skipHooks: false
     },
     githubRelease: {
       enabled: true,
@@ -71,7 +73,9 @@ function toPublishConfig(config) {
       push: config.git.push ?? defaults.git.push,
       pushMethod: config.git.pushMethod ?? defaults.git.pushMethod,
       remote: config.git.remote ?? defaults.git.remote,
-      branch: config.git.branch ?? defaults.git.branch
+      branch: config.git.branch ?? defaults.git.branch,
+      httpsTokenEnv: config.git.httpsTokenEnv ?? defaults.git.httpsTokenEnv,
+      skipHooks: config.git.skipHooks ?? defaults.git.skipHooks
     } : defaults.git,
     githubRelease: {
       enabled: config.githubRelease?.enabled ?? defaults.githubRelease.enabled,
@@ -248,8 +252,20 @@ function createPublishError(code, details) {
 // src/utils/exec.ts
 import { execFile } from "child_process";
 import { debug, info } from "@releasekit/core";
+function redactArg(arg) {
+  try {
+    const url = new URL(arg);
+    if (url.username || url.password) {
+      url.username = url.username ? "***" : "";
+      url.password = url.password ? "***" : "";
+      return url.toString();
+    }
+  } catch {
+  }
+  return arg;
+}
 async function execCommand(file, args, options = {}) {
-  const displayCommand = options.label ?? [file, ...args].join(" ");
+  const displayCommand = options.label ?? [file, ...args.map(redactArg)].join(" ");
   if (options.dryRun) {
     info(`[DRY RUN] Would execute: ${displayCommand}`);
     return { stdout: "", stderr: "", exitCode: 0 };
@@ -305,7 +321,7 @@ function detectNpmAuth() {
   if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
     return "oidc";
   }
-  if (process.env.NPM_TOKEN) {
+  if (process.env.NPM_TOKEN || process.env.NODE_AUTH_TOKEN) {
     return "token";
   }
   return null;
@@ -560,8 +576,9 @@ function topologicalSort(crates) {
 import * as path3 from "path";
 import { info as info2, success as success2 } from "@releasekit/core";
 async function runGitCommitStage(ctx) {
-  const { input, cliOptions, cwd } = ctx;
+  const { input, config, cliOptions, cwd } = ctx;
   const dryRun = cliOptions.dryRun;
+  const skipHooks = config.git.skipHooks ?? false;
   if (!input.commitMessage) {
     info2("No commit message provided, skipping git commit");
     return;
@@ -583,8 +600,13 @@ async function runGitCommitStage(ctx) {
       `git add failed: ${error instanceof Error ? error.message : String(error)}`
     );
   }
+  const commitArgs = ["commit"];
+  if (skipHooks) {
+    commitArgs.push("--no-verify");
+  }
+  commitArgs.push("-m", input.commitMessage);
   try {
-    await execCommand("git", ["commit", "-m", input.commitMessage], {
+    await execCommand("git", commitArgs, {
       cwd,
       dryRun,
       label: `git commit -m "${input.commitMessage}"`
@@ -622,6 +644,18 @@ async function runGitCommitStage(ctx) {
 
 // src/stages/git-push.ts
 import { info as info3, success as success3 } from "@releasekit/core";
+function toGithubAuthedUrl(remoteUrl, token) {
+  try {
+    const url = new URL(remoteUrl);
+    if (url.protocol !== "https:") return void 0;
+    if (url.host !== "github.com") return void 0;
+    url.username = "x-access-token";
+    url.password = token;
+    return url.toString();
+  } catch {
+    return void 0;
+  }
+}
 async function runGitPushStage(ctx) {
   const { config, cliOptions, cwd, output } = ctx;
   const dryRun = cliOptions.dryRun;
@@ -642,16 +676,26 @@ async function runGitPushStage(ctx) {
       pushMethod = "https";
     }
   }
+  const httpsTokenEnv = config.git.httpsTokenEnv;
+  const httpsToken = httpsTokenEnv ? process.env[httpsTokenEnv] : void 0;
   try {
+    let pushRemote = remote;
+    if (pushMethod === "https" && httpsToken) {
+      const remoteUrlResult = await execCommand("git", ["remote", "get-url", remote], { cwd, dryRun: false });
+      const authed = toGithubAuthedUrl(remoteUrlResult.stdout.trim(), httpsToken);
+      if (authed) {
+        pushRemote = authed;
+      }
+    }
     if (output.git.committed) {
-      await execCommand("git", ["push", remote, branch], {
+      await execCommand("git", ["push", pushRemote, branch], {
         cwd,
         dryRun,
         label: `git push ${remote} ${branch}`
       });
     }
     if (output.git.tags.length > 0) {
-      await execCommand("git", ["push", remote, "--tags"], {
+      await execCommand("git", ["push", pushRemote, "--tags"], {
         cwd,
         dryRun,
         label: `git push ${remote} --tags`
@@ -696,7 +740,9 @@ async function runGithubReleaseStage(ctx) {
   if (!firstTag) return;
   const tagsToRelease = config.githubRelease.perPackage ? tags : [firstTag];
   for (const tag of tagsToRelease) {
-    const versionMatch = tag.match(/(\d+\.\d+\.\d+.*)$/);
+    const MAX_TAG_LENGTH = 1e3;
+    const truncatedTag = tag.length > MAX_TAG_LENGTH ? tag.slice(0, MAX_TAG_LENGTH) : tag;
+    const versionMatch = truncatedTag.match(/(\d{1,20}\.\d{1,20}\.\d{1,20}(?:[-+.]?[a-zA-Z0-9.-]{0,100})?)$/);
     const version = versionMatch?.[1] ?? "";
     const isPreRel = config.githubRelease.prerelease === "auto" ? version ? isPrerelease(version) : false : config.githubRelease.prerelease;
     const result = {
@@ -738,9 +784,77 @@ async function runGithubReleaseStage(ctx) {
 }
 
 // src/stages/npm-publish.ts
+import * as fs6 from "fs";
+import * as path5 from "path";
+import { debug as debug5, info as info5, success as success5, warn as warn3 } from "@releasekit/core";
+
+// src/utils/npm-env.ts
 import * as fs5 from "fs";
+import * as os from "os";
 import * as path4 from "path";
-import { debug as debug4, info as info5, success as success5, warn as warn3 } from "@releasekit/core";
+import { debug as debug4 } from "@releasekit/core";
+function writeTempNpmrc(contents) {
+  const dir = fs5.mkdtempSync(path4.join(os.tmpdir(), "releasekit-npmrc-"));
+  const npmrcPath = path4.join(dir, ".npmrc");
+  fs5.writeFileSync(npmrcPath, contents, "utf-8");
+  return {
+    npmrcPath,
+    cleanup: () => {
+      try {
+        fs5.rmSync(dir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+  };
+}
+function createNpmSubprocessIsolation(options) {
+  const { authMethod, registryUrl } = options;
+  const baseEnv = {};
+  if (!authMethod) return { env: baseEnv, cleanup: () => {
+  } };
+  const token = process.env.NPM_TOKEN ?? process.env.NODE_AUTH_TOKEN;
+  const registryHost = (() => {
+    try {
+      return new URL(registryUrl).host;
+    } catch {
+      return "registry.npmjs.org";
+    }
+  })();
+  const lines = [`registry=${registryUrl}`];
+  if (authMethod === "oidc") {
+    lines.push("always-auth=false");
+  }
+  if (authMethod === "token" && token) {
+    lines.push(`//${registryHost}/:_authToken=${token}`);
+  }
+  lines.push("");
+  const { npmrcPath, cleanup } = writeTempNpmrc(lines.join("\n"));
+  debug4(`Using isolated npm userconfig: ${npmrcPath}`);
+  const isOidc = authMethod === "oidc";
+  return {
+    env: {
+      ...baseEnv,
+      // Ensure npm and tools that read npm_config_* pick up our temp file
+      NPM_CONFIG_USERCONFIG: npmrcPath,
+      npm_config_userconfig: npmrcPath,
+      // Auth-specific hardening
+      ...isOidc ? {
+        // Prevent setup-node's always-auth from forcing token lookups
+        NPM_CONFIG_ALWAYS_AUTH: "false",
+        npm_config_always_auth: "false",
+        // Explicitly prevent token-based publishing from being selected implicitly
+        NODE_AUTH_TOKEN: void 0,
+        NPM_TOKEN: void 0
+      } : {
+        // Ensure CLIs that expect NODE_AUTH_TOKEN can still work
+        NODE_AUTH_TOKEN: token
+      }
+    },
+    cleanup
+  };
+}
+
+// src/stages/npm-publish.ts
 async function runNpmPublishStage(ctx) {
   const { input, config, cliOptions, cwd } = ctx;
   const dryRun = cliOptions.dryRun;
@@ -753,98 +867,108 @@ async function runNpmPublishStage(ctx) {
     throw createPublishError("NPM_AUTH_ERROR" /* NPM_AUTH_ERROR */, "No NPM authentication method detected");
   }
   const useProvenance = config.npm.provenance && authMethod === "oidc";
-  for (const update of input.updates) {
-    const result = {
-      packageName: update.packageName,
-      version: update.newVersion,
-      registry: "npm",
-      success: false,
-      skipped: false
-    };
-    const pkgJsonPath = path4.resolve(cwd, update.filePath);
-    try {
-      const pkgContent = fs5.readFileSync(pkgJsonPath, "utf-8");
-      const pkgJson = JSON.parse(pkgContent);
-      if (pkgJson.private) {
-        result.skipped = true;
-        result.success = true;
-        result.reason = "Package is private";
-        ctx.output.npm.push(result);
-        debug4(`Skipping private package: ${update.packageName}`);
-        continue;
+  const npmIsolation = createNpmSubprocessIsolation({
+    authMethod,
+    registryUrl: config.npm.registry
+  });
+  try {
+    for (const update of input.updates) {
+      const result = {
+        packageName: update.packageName,
+        version: update.newVersion,
+        registry: "npm",
+        success: false,
+        skipped: false
+      };
+      const pkgJsonPath = path5.resolve(cwd, update.filePath);
+      try {
+        const pkgContent = fs6.readFileSync(pkgJsonPath, "utf-8");
+        const pkgJson = JSON.parse(pkgContent);
+        if (pkgJson.private) {
+          result.skipped = true;
+          result.success = true;
+          result.reason = "Package is private";
+          ctx.output.npm.push(result);
+          debug5(`Skipping private package: ${update.packageName}`);
+          continue;
+        }
+      } catch {
+        if (update.filePath.endsWith("Cargo.toml")) {
+          result.skipped = true;
+          result.success = true;
+          result.reason = "Not an npm package";
+          ctx.output.npm.push(result);
+          continue;
+        }
       }
-    } catch {
-      if (update.filePath.endsWith("Cargo.toml")) {
+      const { file: viewFile, args: viewArgs } = buildViewCommand(
+        ctx.packageManager,
+        update.packageName,
+        update.newVersion
+      );
+      const viewResult = await execCommandSafe(viewFile, viewArgs, {
+        cwd,
+        dryRun: false,
+        // Always check, even in dry-run
+        env: npmIsolation.env
+      });
+      if (viewResult.exitCode === 0 && viewResult.stdout.trim()) {
+        result.alreadyPublished = true;
         result.skipped = true;
         result.success = true;
-        result.reason = "Not an npm package";
+        result.reason = "Already published";
         ctx.output.npm.push(result);
+        warn3(`${update.packageName}@${update.newVersion} is already published, skipping`);
         continue;
       }
-    }
-    const { file: viewFile, args: viewArgs } = buildViewCommand(
-      ctx.packageManager,
-      update.packageName,
-      update.newVersion
-    );
-    const viewResult = await execCommandSafe(viewFile, viewArgs, {
-      cwd,
-      dryRun: false
-      // Always check, even in dry-run
-    });
-    if (viewResult.exitCode === 0 && viewResult.stdout.trim()) {
-      result.alreadyPublished = true;
-      result.skipped = true;
-      result.success = true;
-      result.reason = "Already published";
-      ctx.output.npm.push(result);
-      warn3(`${update.packageName}@${update.newVersion} is already published, skipping`);
-      continue;
-    }
-    const distTag = getDistTag(update.newVersion, config.npm.tag);
-    const pkgDir = path4.dirname(path4.resolve(cwd, update.filePath));
-    const { file: pubFile, args: pubArgs } = buildPublishCommand(ctx.packageManager, update.packageName, pkgDir, {
-      access: config.npm.access,
-      tag: distTag,
-      provenance: useProvenance,
-      noGitChecks: true
-    });
-    try {
-      await execCommand(pubFile, pubArgs, {
-        cwd,
-        dryRun,
-        label: `npm publish ${update.packageName}@${update.newVersion}`
+      const distTag = getDistTag(update.newVersion, config.npm.tag);
+      const pkgDir = path5.dirname(path5.resolve(cwd, update.filePath));
+      const { file: pubFile, args: pubArgs } = buildPublishCommand(ctx.packageManager, update.packageName, pkgDir, {
+        access: config.npm.access,
+        tag: distTag,
+        provenance: useProvenance,
+        noGitChecks: true
       });
-      result.success = true;
-      if (!dryRun) {
-        success5(`Published ${update.packageName}@${update.newVersion} to npm`);
+      try {
+        await execCommand(pubFile, pubArgs, {
+          cwd,
+          dryRun,
+          label: `npm publish ${update.packageName}@${update.newVersion}`,
+          env: npmIsolation.env
+        });
+        result.success = true;
+        if (!dryRun) {
+          success5(`Published ${update.packageName}@${update.newVersion} to npm`);
+        }
+      } catch (error) {
+        result.reason = error instanceof Error ? error.message : String(error);
+        warn3(`Failed to publish ${update.packageName}: ${result.reason}`);
       }
-    } catch (error) {
-      result.reason = error instanceof Error ? error.message : String(error);
-      warn3(`Failed to publish ${update.packageName}: ${result.reason}`);
+      ctx.output.npm.push(result);
     }
-    ctx.output.npm.push(result);
+  } finally {
+    npmIsolation.cleanup();
   }
 }
 
 // src/stages/prepare.ts
-import * as fs6 from "fs";
-import * as path5 from "path";
-import { debug as debug5, info as info6 } from "@releasekit/core";
+import * as fs7 from "fs";
+import * as path6 from "path";
+import { debug as debug6, info as info6 } from "@releasekit/core";
 async function runPrepareStage(ctx) {
   const { input, config, cliOptions, cwd } = ctx;
   if (config.npm.enabled && config.npm.copyFiles.length > 0) {
     for (const update of input.updates) {
-      const pkgDir = path5.dirname(path5.resolve(cwd, update.filePath));
+      const pkgDir = path6.dirname(path6.resolve(cwd, update.filePath));
       for (const file of config.npm.copyFiles) {
-        const src = path5.resolve(cwd, file);
-        const dest = path5.join(pkgDir, file);
-        if (!fs6.existsSync(src)) {
-          debug5(`Source file not found, skipping copy: ${src}`);
+        const src = path6.resolve(cwd, file);
+        const dest = path6.join(pkgDir, file);
+        if (!fs7.existsSync(src)) {
+          debug6(`Source file not found, skipping copy: ${src}`);
           continue;
         }
-        if (path5.resolve(path5.dirname(src)) === path5.resolve(pkgDir)) {
-          debug5(`Skipping copy of ${file} - same directory as source`);
+        if (path6.resolve(path6.dirname(src)) === path6.resolve(pkgDir)) {
+          debug6(`Skipping copy of ${file} - same directory as source`);
           continue;
         }
         if (cliOptions.dryRun) {
@@ -852,8 +976,8 @@ async function runPrepareStage(ctx) {
           continue;
         }
         try {
-          fs6.copyFileSync(src, dest);
-          debug5(`Copied ${file} \u2192 ${pkgDir}`);
+          fs7.copyFileSync(src, dest);
+          debug6(`Copied ${file} \u2192 ${pkgDir}`);
         } catch (error) {
           throw createPublishError(
             "FILE_COPY_ERROR" /* FILE_COPY_ERROR */,
@@ -865,9 +989,9 @@ async function runPrepareStage(ctx) {
   }
   if (config.cargo.enabled) {
     for (const update of input.updates) {
-      const pkgDir = path5.dirname(path5.resolve(cwd, update.filePath));
-      const cargoPath = path5.join(pkgDir, "Cargo.toml");
-      if (!fs6.existsSync(cargoPath)) {
+      const pkgDir = path6.dirname(path6.resolve(cwd, update.filePath));
+      const cargoPath = path6.join(pkgDir, "Cargo.toml");
+      if (!fs7.existsSync(cargoPath)) {
         continue;
       }
       if (cliOptions.dryRun) {
@@ -875,16 +999,16 @@ async function runPrepareStage(ctx) {
         continue;
       }
       updateCargoVersion(cargoPath, update.newVersion);
-      debug5(`Updated ${cargoPath} to version ${update.newVersion}`);
+      debug6(`Updated ${cargoPath} to version ${update.newVersion}`);
     }
   }
 }
 
 // src/stages/verify.ts
-import { debug as debug7, info as info7, success as success6, warn as warn4 } from "@releasekit/core";
+import { debug as debug8, info as info7, success as success6, warn as warn4 } from "@releasekit/core";
 
 // src/utils/retry.ts
-import { debug as debug6 } from "@releasekit/core";
+import { debug as debug7 } from "@releasekit/core";
 async function withRetry(fn, options, shouldRetry) {
   let lastError;
   let delay = options.initialDelay;
@@ -897,7 +1021,7 @@ async function withRetry(fn, options, shouldRetry) {
         throw error;
       }
       if (attempt < options.maxAttempts) {
-        debug6(`Attempt ${attempt}/${options.maxAttempts} failed, retrying in ${delay}ms...`);
+        debug7(`Attempt ${attempt}/${options.maxAttempts} failed, retrying in ${delay}ms...`);
         await sleep(delay);
         delay = Math.floor(delay * options.backoffMultiplier);
       }
@@ -939,7 +1063,7 @@ async function runVerifyStage(ctx) {
           if (viewResult.exitCode !== 0 || !viewResult.stdout.trim()) {
             throw new Error(`${pkg.packageName}@${pkg.version} not yet available on npm`);
           }
-          debug7(`Verified ${pkg.packageName}@${pkg.version} on npm`);
+          debug8(`Verified ${pkg.packageName}@${pkg.version} on npm`);
         }, config.verify.npm);
         result.verified = true;
         success6(`Verified ${pkg.packageName}@${pkg.version} on npm`);
@@ -972,7 +1096,7 @@ async function runVerifyStage(ctx) {
           if (!response.ok) {
             throw new Error(`${crate.packageName}@${crate.version} not yet available on crates.io`);
           }
-          debug7(`Verified ${crate.packageName}@${crate.version} on crates.io`);
+          debug8(`Verified ${crate.packageName}@${crate.version} on crates.io`);
         }, config.verify.cargo);
         result.verified = true;
         success6(`Verified ${crate.packageName}@${crate.version} on crates.io`);
@@ -1023,7 +1147,10 @@ async function runPipeline(input, config, options) {
   };
   try {
     await runPrepareStage(ctx);
-    if (!options.skipGit) {
+    if (options.skipGitCommit && !options.skipGit) {
+      ctx.output.git.committed = !!input.commitMessage;
+      ctx.output.git.tags = [...input.tags];
+    } else if (!options.skipGit) {
       await runGitCommitStage(ctx);
     }
     if (!options.skipPublish) {
@@ -1052,7 +1179,7 @@ async function runPipeline(input, config, options) {
 }
 
 // src/stages/input.ts
-import * as fs7 from "fs";
+import * as fs8 from "fs";
 import { info as info8 } from "@releasekit/core";
 import { z } from "zod";
 var VersionChangelogEntrySchema = z.object({
@@ -1086,7 +1213,7 @@ async function parseInput(inputPath) {
   let raw;
   if (inputPath) {
     try {
-      raw = fs7.readFileSync(inputPath, "utf-8");
+      raw = fs8.readFileSync(inputPath, "utf-8");
     } catch {
       throw createPublishError("INPUT_PARSE_ERROR" /* INPUT_PARSE_ERROR */, `Could not read file: ${inputPath}`);
     }