@releasekit/publish 0.2.0-next.9 → 0.2.1

package/dist/{chunk-Y7Y6GQ6R.js → chunk-PJUNQA6B.js}

@@ -1,5 +1,456 @@
-// src/config.ts
-import { loadPublishConfig } from "@releasekit/config";
+// ../core/dist/index.js
+import chalk from "chalk";
+var LOG_LEVELS = {
+  error: 0,
+  warn: 1,
+  info: 2,
+  debug: 3,
+  trace: 4
+};
+var PREFIXES = {
+  error: "[ERROR]",
+  warn: "[WARN]",
+  info: "[INFO]",
+  debug: "[DEBUG]",
+  trace: "[TRACE]"
+};
+var COLORS = {
+  error: chalk.red,
+  warn: chalk.yellow,
+  info: chalk.blue,
+  debug: chalk.gray,
+  trace: chalk.dim
+};
+var currentLevel = "info";
+var quietMode = false;
+function setLogLevel(level) {
+  currentLevel = level;
+}
+function setJsonMode(_json) {
+}
+function shouldLog(level) {
+  if (quietMode && level !== "error") return false;
+  return LOG_LEVELS[level] <= LOG_LEVELS[currentLevel];
+}
+function log(message, level = "info") {
+  if (!shouldLog(level)) return;
+  const formatted = COLORS[level](`${PREFIXES[level]} ${message}`);
+  console.error(formatted);
+}
+function warn(message) {
+  log(message, "warn");
+}
+function info(message) {
+  log(message, "info");
+}
+function success(message) {
+  if (!shouldLog("info")) return;
+  console.error(chalk.green(`[SUCCESS] ${message}`));
+}
+function debug(message) {
+  log(message, "debug");
+}
+var ReleaseKitError = class _ReleaseKitError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = this.constructor.name;
+  }
+  logError() {
+    log(this.message, "error");
+    if (this.suggestions.length > 0) {
+      log("\nSuggested solutions:", "info");
+      for (const [i, suggestion] of this.suggestions.entries()) {
+        log(`${i + 1}. ${suggestion}`, "info");
+      }
+    }
+  }
+  static isReleaseKitError(error2) {
+    return error2 instanceof _ReleaseKitError;
+  }
+};
+var EXIT_CODES = {
+  SUCCESS: 0,
+  GENERAL_ERROR: 1,
+  CONFIG_ERROR: 2,
+  INPUT_ERROR: 3,
+  TEMPLATE_ERROR: 4,
+  LLM_ERROR: 5,
+  GITHUB_ERROR: 6,
+  GIT_ERROR: 7,
+  VERSION_ERROR: 8,
+  PUBLISH_ERROR: 9
+};
+
+// ../config/dist/index.js
+import * as fs from "fs";
+import * as path from "path";
+import * as TOML from "smol-toml";
+import * as fs3 from "fs";
+import * as path3 from "path";
+import { z as z2 } from "zod";
+import { z } from "zod";
+import * as fs2 from "fs";
+import * as os from "os";
+import * as path2 from "path";
+function parseCargoToml(cargoPath) {
+  const content = fs.readFileSync(cargoPath, "utf-8");
+  return TOML.parse(content);
+}
+var ConfigError = class extends ReleaseKitError {
+  code = "CONFIG_ERROR";
+  suggestions;
+  constructor(message, suggestions) {
+    super(message);
+    this.suggestions = suggestions ?? [
+      "Check that releasekit.config.json exists and is valid JSON",
+      "Run with --verbose for more details"
+    ];
+  }
+};
+function mergeGitConfig(topLevel, packageLevel) {
+  if (!topLevel && !packageLevel) return void 0;
+  const base = topLevel ?? {
+    remote: "origin",
+    branch: "main",
+    pushMethod: "auto"
+  };
+  if (!packageLevel) return base;
+  return {
+    remote: packageLevel.remote ?? base.remote,
+    branch: packageLevel.branch ?? base.branch,
+    pushMethod: packageLevel.pushMethod ?? base.pushMethod,
+    httpsTokenEnv: packageLevel.httpsTokenEnv ?? base.httpsTokenEnv,
+    push: packageLevel.push,
+    skipHooks: packageLevel.skipHooks ?? base.skipHooks
+  };
+}
+var MAX_JSONC_LENGTH = 1e5;
+function parseJsonc(content) {
+  if (content.length > MAX_JSONC_LENGTH) {
+    throw new Error(`JSONC content too long: ${content.length} characters (max ${MAX_JSONC_LENGTH})`);
+  }
+  try {
+    return JSON.parse(content);
+  } catch {
+    const cleaned = content.replace(/\/\/[^\r\n]{0,10000}$/gm, "").replace(/\/\*[\s\S]{0,50000}?\*\//g, "").trim();
+    return JSON.parse(cleaned);
+  }
+}
+var GitConfigSchema = z.object({
+  remote: z.string().default("origin"),
+  branch: z.string().default("main"),
+  pushMethod: z.enum(["auto", "ssh", "https"]).default("auto"),
+  /**
+   * Optional env var name containing a GitHub token for HTTPS pushes.
+   * When set, publish steps can use this token without mutating git remotes.
+   */
+  httpsTokenEnv: z.string().optional(),
+  push: z.boolean().optional(),
+  skipHooks: z.boolean().optional()
+});
+var MonorepoConfigSchema = z.object({
+  mode: z.enum(["root", "packages", "both"]).optional(),
+  rootPath: z.string().optional(),
+  packagesPath: z.string().optional(),
+  mainPackage: z.string().optional()
+});
+var BranchPatternSchema = z.object({
+  pattern: z.string(),
+  releaseType: z.enum(["major", "minor", "patch", "prerelease"])
+});
+var VersionCargoConfigSchema = z.object({
+  enabled: z.boolean().default(true),
+  paths: z.array(z.string()).optional()
+});
+var VersionConfigSchema = z.object({
+  tagTemplate: z.string().default("v{version}"),
+  packageSpecificTags: z.boolean().default(false),
+  preset: z.string().default("conventional"),
+  sync: z.boolean().default(true),
+  packages: z.array(z.string()).default([]),
+  mainPackage: z.string().optional(),
+  updateInternalDependencies: z.enum(["major", "minor", "patch", "no-internal-update"]).default("minor"),
+  skip: z.array(z.string()).optional(),
+  commitMessage: z.string().optional(),
+  versionStrategy: z.enum(["branchPattern", "commitMessage"]).default("commitMessage"),
+  branchPatterns: z.array(BranchPatternSchema).optional(),
+  defaultReleaseType: z.enum(["major", "minor", "patch", "prerelease"]).optional(),
+  mismatchStrategy: z.enum(["error", "warn", "ignore", "prefer-package", "prefer-git"]).default("warn"),
+  versionPrefix: z.string().default(""),
+  prereleaseIdentifier: z.string().optional(),
+  strictReachable: z.boolean().default(false),
+  cargo: VersionCargoConfigSchema.optional()
+});
+var NpmConfigSchema = z.object({
+  enabled: z.boolean().default(true),
+  auth: z.enum(["auto", "oidc", "token"]).default("auto"),
+  provenance: z.boolean().default(true),
+  access: z.enum(["public", "restricted"]).default("public"),
+  registry: z.string().default("https://registry.npmjs.org"),
+  copyFiles: z.array(z.string()).default(["LICENSE"]),
+  tag: z.string().default("latest")
+});
+var CargoPublishConfigSchema = z.object({
+  enabled: z.boolean().default(false),
+  noVerify: z.boolean().default(false),
+  publishOrder: z.array(z.string()).default([]),
+  clean: z.boolean().default(false)
+});
+var PublishGitConfigSchema = z.object({
+  push: z.boolean().default(true),
+  pushMethod: z.enum(["auto", "ssh", "https"]).optional(),
+  remote: z.string().optional(),
+  branch: z.string().optional(),
+  httpsTokenEnv: z.string().optional(),
+  skipHooks: z.boolean().optional()
+});
+var GitHubReleaseConfigSchema = z.object({
+  enabled: z.boolean().default(true),
+  draft: z.boolean().default(true),
+  perPackage: z.boolean().default(true),
+  prerelease: z.union([z.literal("auto"), z.boolean()]).default("auto"),
+  /**
+   * Controls how release notes are sourced for GitHub releases.
+   * - 'auto': Use RELEASE_NOTES.md if it exists, then per-package changelog
+   *   data from the version output, then GitHub's auto-generated notes.
+   * - 'github': Always use GitHub's auto-generated notes.
+   * - 'none': No notes body.
+   * - Any other string: Treated as a file path to read notes from.
+   */
+  releaseNotes: z.union([z.literal("auto"), z.literal("github"), z.literal("none"), z.string()]).default("auto")
+});
+var VerifyRegistryConfigSchema = z.object({
+  enabled: z.boolean().default(true),
+  maxAttempts: z.number().int().positive().default(5),
+  initialDelay: z.number().int().positive().default(15e3),
+  backoffMultiplier: z.number().positive().default(2)
+});
+var VerifyConfigSchema = z.object({
+  npm: VerifyRegistryConfigSchema.default({
+    enabled: true,
+    maxAttempts: 5,
+    initialDelay: 15e3,
+    backoffMultiplier: 2
+  }),
+  cargo: VerifyRegistryConfigSchema.default({
+    enabled: true,
+    maxAttempts: 10,
+    initialDelay: 3e4,
+    backoffMultiplier: 2
+  })
+});
+var PublishConfigSchema = z.object({
+  git: PublishGitConfigSchema.optional(),
+  npm: NpmConfigSchema.default({
+    enabled: true,
+    auth: "auto",
+    provenance: true,
+    access: "public",
+    registry: "https://registry.npmjs.org",
+    copyFiles: ["LICENSE"],
+    tag: "latest"
+  }),
+  cargo: CargoPublishConfigSchema.default({
+    enabled: false,
+    noVerify: false,
+    publishOrder: [],
+    clean: false
+  }),
+  githubRelease: GitHubReleaseConfigSchema.default({
+    enabled: true,
+    draft: true,
+    perPackage: true,
+    prerelease: "auto",
+    releaseNotes: "auto"
+  }),
+  verify: VerifyConfigSchema.default({
+    npm: {
+      enabled: true,
+      maxAttempts: 5,
+      initialDelay: 15e3,
+      backoffMultiplier: 2
+    },
+    cargo: {
+      enabled: true,
+      maxAttempts: 10,
+      initialDelay: 3e4,
+      backoffMultiplier: 2
+    }
+  })
+});
+var TemplateConfigSchema = z.object({
+  path: z.string().optional(),
+  engine: z.enum(["handlebars", "liquid", "ejs"]).optional()
+});
+var OutputConfigSchema = z.object({
+  format: z.enum(["markdown", "github-release", "json"]),
+  file: z.string().optional(),
+  options: z.record(z.string(), z.unknown()).optional(),
+  templates: TemplateConfigSchema.optional()
+});
+var LLMOptionsSchema = z.object({
+  timeout: z.number().optional(),
+  maxTokens: z.number().optional(),
+  temperature: z.number().optional()
+});
+var LLMRetryConfigSchema = z.object({
+  maxAttempts: z.number().int().positive().optional(),
+  initialDelay: z.number().nonnegative().optional(),
+  maxDelay: z.number().positive().optional(),
+  backoffFactor: z.number().positive().optional()
+});
+var LLMTasksConfigSchema = z.object({
+  summarize: z.boolean().optional(),
+  enhance: z.boolean().optional(),
+  categorize: z.boolean().optional(),
+  releaseNotes: z.boolean().optional()
+});
+var LLMCategorySchema = z.object({
+  name: z.string(),
+  description: z.string(),
+  scopes: z.array(z.string()).optional()
+});
+var ScopeRulesSchema = z.object({
+  allowed: z.array(z.string()).optional(),
+  caseSensitive: z.boolean().default(false),
+  invalidScopeAction: z.enum(["remove", "keep", "fallback"]).default("remove"),
+  fallbackScope: z.string().optional()
+});
+var ScopeConfigSchema = z.object({
+  mode: z.enum(["restricted", "packages", "none", "unrestricted"]).default("unrestricted"),
+  rules: ScopeRulesSchema.optional()
+});
+var LLMPromptOverridesSchema = z.object({
+  enhance: z.string().optional(),
+  categorize: z.string().optional(),
+  enhanceAndCategorize: z.string().optional(),
+  summarize: z.string().optional(),
+  releaseNotes: z.string().optional()
+});
+var LLMPromptsConfigSchema = z.object({
+  instructions: LLMPromptOverridesSchema.optional(),
+  templates: LLMPromptOverridesSchema.optional()
+});
+var LLMConfigSchema = z.object({
+  provider: z.string(),
+  model: z.string(),
+  baseURL: z.string().optional(),
+  apiKey: z.string().optional(),
+  options: LLMOptionsSchema.optional(),
+  concurrency: z.number().int().positive().optional(),
+  retry: LLMRetryConfigSchema.optional(),
+  tasks: LLMTasksConfigSchema.optional(),
+  categories: z.array(LLMCategorySchema).optional(),
+  style: z.string().optional(),
+  scopes: ScopeConfigSchema.optional(),
+  prompts: LLMPromptsConfigSchema.optional()
+});
+var NotesInputConfigSchema = z.object({
+  source: z.string().optional(),
+  file: z.string().optional()
+});
+var NotesConfigSchema = z.object({
+  input: NotesInputConfigSchema.optional(),
+  output: z.array(OutputConfigSchema).default([{ format: "markdown", file: "CHANGELOG.md" }]),
+  monorepo: MonorepoConfigSchema.optional(),
+  templates: TemplateConfigSchema.optional(),
+  llm: LLMConfigSchema.optional(),
+  updateStrategy: z.enum(["prepend", "regenerate"]).default("prepend")
+});
+var ReleaseKitConfigSchema = z.object({
+  git: GitConfigSchema.optional(),
+  monorepo: MonorepoConfigSchema.optional(),
+  version: VersionConfigSchema.optional(),
+  publish: PublishConfigSchema.optional(),
+  notes: NotesConfigSchema.optional()
+});
+var MAX_INPUT_LENGTH = 1e4;
+function substituteVariables(value) {
+  if (value.length > MAX_INPUT_LENGTH) {
+    throw new Error(`Input too long: ${value.length} characters (max ${MAX_INPUT_LENGTH})`);
+  }
+  const envPattern = /\{env:([^}]{1,1000})\}/g;
+  const filePattern = /\{file:([^}]{1,1000})\}/g;
+  let result = value;
+  result = result.replace(envPattern, (_, varName) => {
+    return process.env[varName] ?? "";
+  });
+  result = result.replace(filePattern, (_, filePath) => {
+    const expandedPath = filePath.startsWith("~") ? path2.join(os.homedir(), filePath.slice(1)) : filePath;
+    try {
+      return fs2.readFileSync(expandedPath, "utf-8").trim();
+    } catch {
+      return "";
+    }
+  });
+  return result;
+}
+var SOLE_REFERENCE_PATTERN = /^\{(?:env|file):[^}]+\}$/;
+function substituteInObject(obj) {
+  if (typeof obj === "string") {
+    const result = substituteVariables(obj);
+    if (result === "" && SOLE_REFERENCE_PATTERN.test(obj)) {
+      return void 0;
+    }
+    return result;
+  }
+  if (Array.isArray(obj)) {
+    return obj.map((item) => substituteInObject(item));
+  }
+  if (obj && typeof obj === "object") {
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+      result[key] = substituteInObject(value);
+    }
+    return result;
+  }
+  return obj;
+}
+var AUTH_DIR = path2.join(os.homedir(), ".config", "releasekit");
+var AUTH_FILE = path2.join(AUTH_DIR, "auth.json");
+var CONFIG_FILE = "releasekit.config.json";
+function loadConfigFile(configPath) {
+  if (!fs3.existsSync(configPath)) {
+    return {};
+  }
+  try {
+    const content = fs3.readFileSync(configPath, "utf-8");
+    const parsed = parseJsonc(content);
+    const substituted = substituteInObject(parsed);
+    return ReleaseKitConfigSchema.parse(substituted);
+  } catch (error) {
+    if (error instanceof z2.ZodError) {
+      const issues = error.issues.map((i) => `  ${i.path.join(".")}: ${i.message}`).join("\n");
+      throw new ConfigError(`Config validation errors:
+${issues}`);
+    }
+    if (error instanceof SyntaxError) {
+      throw new ConfigError(`Invalid JSON in config file: ${error.message}`);
+    }
+    throw error;
+  }
+}
+function loadConfig(options) {
+  const cwd = options?.cwd ?? process.cwd();
+  const configPath = options?.configPath ?? path3.join(cwd, CONFIG_FILE);
+  return loadConfigFile(configPath);
+}
+function loadPublishConfig(options) {
+  const config = loadConfig(options);
+  if (!config.publish) return void 0;
+  const mergedGit = mergeGitConfig(config.git, config.publish.git);
+  return {
+    ...config.publish,
+    git: mergedGit ? {
+      push: mergedGit.push ?? true,
+      pushMethod: mergedGit.pushMethod,
+      remote: mergedGit.remote,
+      branch: mergedGit.branch,
+      httpsTokenEnv: mergedGit.httpsTokenEnv,
+      skipHooks: mergedGit.skipHooks
+    } : void 0
+  };
+}
 
 // src/types.ts
 function getDefaultConfig() {
@@ -23,14 +474,16 @@ function getDefaultConfig() {
       push: true,
       pushMethod: "auto",
       remote: "origin",
-      branch: "main"
+      branch: "main",
+      httpsTokenEnv: void 0,
+      skipHooks: false
     },
     githubRelease: {
       enabled: true,
       draft: true,
-      generateNotes: true,
-      perPackage: false,
-      prerelease: "auto"
+      perPackage: true,
+      prerelease: "auto",
+      releaseNotes: "auto"
     },
     verify: {
       npm: {
@@ -71,15 +524,16 @@ function toPublishConfig(config) {
       push: config.git.push ?? defaults.git.push,
       pushMethod: config.git.pushMethod ?? defaults.git.pushMethod,
       remote: config.git.remote ?? defaults.git.remote,
-      branch: config.git.branch ?? defaults.git.branch
+      branch: config.git.branch ?? defaults.git.branch,
+      httpsTokenEnv: config.git.httpsTokenEnv ?? defaults.git.httpsTokenEnv,
+      skipHooks: config.git.skipHooks ?? defaults.git.skipHooks
     } : defaults.git,
     githubRelease: {
       enabled: config.githubRelease?.enabled ?? defaults.githubRelease.enabled,
       draft: config.githubRelease?.draft ?? defaults.githubRelease.draft,
-      generateNotes: config.githubRelease?.generateNotes ?? defaults.githubRelease.generateNotes,
       perPackage: config.githubRelease?.perPackage ?? defaults.githubRelease.perPackage,
       prerelease: config.githubRelease?.prerelease ?? defaults.githubRelease.prerelease,
-      notesFile: config.githubRelease?.notesFile
+      releaseNotes: config.githubRelease?.releaseNotes ?? defaults.githubRelease.releaseNotes
     },
     verify: {
       npm: {
@@ -99,7 +553,7 @@ function toPublishConfig(config) {
 }
 
 // src/config.ts
-function loadConfig(options) {
+function loadConfig2(options) {
   const baseConfig = loadPublishConfig(options);
   return toPublishConfig(baseConfig);
 }
@@ -108,7 +562,6 @@ function getDefaultConfig2() {
 }
 
 // src/errors/index.ts
-import { ReleaseKitError } from "@releasekit/core";
 var BasePublishError = class _BasePublishError extends ReleaseKitError {
   code;
   suggestions;
@@ -247,9 +700,20 @@ function createPublishError(code, details) {
 
 // src/utils/exec.ts
 import { execFile } from "child_process";
-import { debug, info } from "@releasekit/core";
+function redactArg(arg) {
+  try {
+    const url = new URL(arg);
+    if (url.username || url.password) {
+      url.username = url.username ? "***" : "";
+      url.password = url.password ? "***" : "";
+      return url.toString();
+    }
+  } catch {
+  }
+  return arg;
+}
 async function execCommand(file, args, options = {}) {
-  const displayCommand = options.label ?? [file, ...args].join(" ");
+  const displayCommand = options.label ?? [file, ...args.map(redactArg)].join(" ");
   if (options.dryRun) {
     info(`[DRY RUN] Would execute: ${displayCommand}`);
     return { stdout: "", stderr: "", exitCode: 0 };
@@ -305,7 +769,7 @@ function detectNpmAuth() {
   if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) {
     return "oidc";
   }
-  if (process.env.NPM_TOKEN) {
+  if (process.env.NPM_TOKEN || process.env.NODE_AUTH_TOKEN) {
     return "token";
   }
   return null;
@@ -323,15 +787,14 @@ async function detectGitPushMethod(remote, cwd) {
 }
 
 // src/utils/cargo.ts
-import * as fs from "fs";
-import { parseCargoToml } from "@releasekit/config";
-import * as TOML from "smol-toml";
+import * as fs4 from "fs";
+import * as TOML2 from "smol-toml";
 function updateCargoVersion(cargoPath, newVersion) {
   try {
     const cargo = parseCargoToml(cargoPath);
     if (cargo.package) {
       cargo.package.version = newVersion;
-      fs.writeFileSync(cargoPath, TOML.stringify(cargo));
+      fs4.writeFileSync(cargoPath, TOML2.stringify(cargo));
     }
   } catch (error) {
     throw createPublishError(
@@ -368,11 +831,11 @@ function getDistTag(version, defaultTag = "latest") {
 }
 
 // src/utils/package-manager.ts
-import * as fs2 from "fs";
-import * as path from "path";
+import * as fs5 from "fs";
+import * as path4 from "path";
 function detectPackageManager(cwd) {
-  if (fs2.existsSync(path.join(cwd, "pnpm-lock.yaml"))) return "pnpm";
-  if (fs2.existsSync(path.join(cwd, "yarn.lock"))) return "yarn";
+  if (fs5.existsSync(path4.join(cwd, "pnpm-lock.yaml"))) return "pnpm";
+  if (fs5.existsSync(path4.join(cwd, "yarn.lock"))) return "yarn";
   return "npm";
 }
 function buildPublishCommand(pm, packageName, _packageDir, options) {
@@ -397,25 +860,24 @@ function buildViewCommand(pm, packageName, version) {
 }
 
 // src/stages/cargo-publish.ts
-import * as fs3 from "fs";
-import * as path2 from "path";
-import { debug as debug2, success, warn } from "@releasekit/core";
+import * as fs6 from "fs";
+import * as path5 from "path";
 async function runCargoPublishStage(ctx) {
   const { input, config, cliOptions, cwd } = ctx;
   const dryRun = cliOptions.dryRun;
   if (!config.cargo.enabled) {
-    debug2("Cargo publishing disabled in config");
+    debug("Cargo publishing disabled in config");
     return;
   }
   if (!hasCargoAuth() && !dryRun) {
     throw createPublishError("CARGO_AUTH_ERROR" /* CARGO_AUTH_ERROR */, "CARGO_REGISTRY_TOKEN not set");
   }
   const crates = findCrates(
-    input.updates.map((u) => ({ dir: path2.dirname(path2.resolve(cwd, u.filePath)), ...u })),
+    input.updates.map((u) => ({ dir: path5.dirname(path5.resolve(cwd, u.filePath)), ...u })),
     cwd
   );
   if (crates.length === 0) {
-    debug2("No Cargo crates found to publish");
+    debug("No Cargo crates found to publish");
     return;
   }
   const ordered = orderCrates(crates, config.cargo.publishOrder);
@@ -464,8 +926,8 @@ async function runCargoPublishStage(ctx) {
 function findCrates(updates, _cwd) {
   const crates = [];
   for (const update of updates) {
-    const cargoPath = path2.join(update.dir, "Cargo.toml");
-    if (!fs3.existsSync(cargoPath)) {
+    const cargoPath = path5.join(update.dir, "Cargo.toml");
+    if (!fs6.existsSync(cargoPath)) {
       continue;
     }
     try {
@@ -513,9 +975,9 @@ function topologicalSort(crates) {
   }
   for (const crate of crates) {
     for (const depPath of crate.pathDeps) {
-      const resolvedDir = path2.resolve(crate.dir, depPath);
+      const resolvedDir = path5.resolve(crate.dir, depPath);
       for (const other of crates) {
-        if (path2.resolve(other.dir) === resolvedDir && nameSet.has(other.name)) {
+        if (path5.resolve(other.dir) === resolvedDir && nameSet.has(other.name)) {
           graph.get(crate.name)?.push(other.name);
         }
       }
@@ -557,18 +1019,21 @@ function topologicalSort(crates) {
 }
 
 // src/stages/git-commit.ts
-import * as path3 from "path";
-import { info as info2, success as success2 } from "@releasekit/core";
+import * as path6 from "path";
 async function runGitCommitStage(ctx) {
-  const { input, cliOptions, cwd } = ctx;
+  const { input, config, cliOptions, cwd } = ctx;
   const dryRun = cliOptions.dryRun;
+  const skipHooks = config.git.skipHooks ?? false;
   if (!input.commitMessage) {
-    info2("No commit message provided, skipping git commit");
+    info("No commit message provided, skipping git commit");
     return;
   }
-  const filePaths = input.updates.map((u) => path3.resolve(cwd, u.filePath));
+  const filePaths = input.updates.map((u) => path6.resolve(cwd, u.filePath));
+  if (ctx.additionalFiles) {
+    filePaths.push(...ctx.additionalFiles.map((f) => path6.resolve(cwd, f)));
+  }
   if (filePaths.length === 0) {
-    info2("No files to commit");
+    info("No files to commit");
     return;
   }
   try {
@@ -583,15 +1048,20 @@ async function runGitCommitStage(ctx) {
       `git add failed: ${error instanceof Error ? error.message : String(error)}`
     );
   }
+  const commitArgs = ["commit"];
+  if (skipHooks) {
+    commitArgs.push("--no-verify");
+  }
+  commitArgs.push("-m", input.commitMessage);
   try {
-    await execCommand("git", ["commit", "-m", input.commitMessage], {
+    await execCommand("git", commitArgs, {
       cwd,
       dryRun,
       label: `git commit -m "${input.commitMessage}"`
     });
     ctx.output.git.committed = true;
     if (!dryRun) {
-      success2("Created git commit");
+      success("Created git commit");
     }
   } catch (error) {
     throw createPublishError(
@@ -609,7 +1079,7 @@ async function runGitCommitStage(ctx) {
       });
       ctx.output.git.tags.push(tag);
       if (!dryRun) {
-        success2(`Created tag: ${tag}`);
+        success(`Created tag: ${tag}`);
       }
     } catch (error) {
       throw createPublishError(
@@ -621,16 +1091,27 @@ async function runGitCommitStage(ctx) {
 }
 
 // src/stages/git-push.ts
-import { info as info3, success as success3 } from "@releasekit/core";
+function toGithubAuthedUrl(remoteUrl, token) {
+  try {
+    const url = new URL(remoteUrl);
+    if (url.protocol !== "https:") return void 0;
+    if (url.host !== "github.com") return void 0;
+    url.username = "x-access-token";
+    url.password = token;
+    return url.toString();
+  } catch {
+    return void 0;
+  }
+}
 async function runGitPushStage(ctx) {
   const { config, cliOptions, cwd, output } = ctx;
   const dryRun = cliOptions.dryRun;
   if (!config.git.push) {
-    info3("Git push disabled in config, skipping");
+    info("Git push disabled in config, skipping");
     return;
   }
   if (!output.git.committed && output.git.tags.length === 0) {
-    info3("Nothing to push (no commits or tags created)");
+    info("Nothing to push (no commits or tags created)");
     return;
   }
   const { remote, branch } = config.git;
@@ -642,16 +1123,26 @@ async function runGitPushStage(ctx) {
       pushMethod = "https";
     }
   }
+  const httpsTokenEnv = config.git.httpsTokenEnv;
+  const httpsToken = httpsTokenEnv ? process.env[httpsTokenEnv] : void 0;
   try {
+    let pushRemote = remote;
+    if (pushMethod === "https" && httpsToken) {
+      const remoteUrlResult = await execCommand("git", ["remote", "get-url", remote], { cwd, dryRun: false });
+      const authed = toGithubAuthedUrl(remoteUrlResult.stdout.trim(), httpsToken);
+      if (authed) {
+        pushRemote = authed;
+      }
+    }
     if (output.git.committed) {
-      await execCommand("git", ["push", remote, branch], {
+      await execCommand("git", ["push", pushRemote, branch], {
         cwd,
         dryRun,
         label: `git push ${remote} ${branch}`
       });
     }
     if (output.git.tags.length > 0) {
-      await execCommand("git", ["push", remote, "--tags"], {
+      await execCommand("git", ["push", pushRemote, "--tags"], {
         cwd,
         dryRun,
         label: `git push ${remote} --tags`
@@ -659,7 +1150,7 @@ async function runGitPushStage(ctx) {
     }
     ctx.output.git.pushed = true;
     if (!dryRun) {
-      success3(`Pushed to ${remote}/${branch}`);
+      success(`Pushed to ${remote}/${branch}`);
     }
   } catch (error) {
     throw createPublishError(
@@ -670,33 +1161,82 @@ async function runGitPushStage(ctx) {
 }
 
 // src/stages/github-release.ts
-import * as fs4 from "fs";
-import { debug as debug3, info as info4, success as success4, warn as warn2 } from "@releasekit/core";
+import * as fs7 from "fs";
+function resolveNotes(notesSetting, tag, changelogs, pipelineNotes) {
+  if (notesSetting === "none") {
+    return { useGithubNotes: false };
+  }
+  if (notesSetting === "github") {
+    return { useGithubNotes: true };
+  }
+  if (notesSetting !== "auto") {
+    const body = readFileIfExists(notesSetting);
+    if (body) return { body, useGithubNotes: false };
+    debug(`Notes file not found: ${notesSetting}, falling back to GitHub auto-notes`);
+    return { useGithubNotes: true };
+  }
+  if (pipelineNotes) {
+    const body = findNotesForTag(tag, pipelineNotes);
+    if (body) return { body, useGithubNotes: false };
+  }
+  const packageBody = formatChangelogForTag(tag, changelogs);
+  if (packageBody) {
+    return { body: packageBody, useGithubNotes: false };
+  }
+  return { useGithubNotes: true };
+}
+function isVersionOnlyTag(tag) {
+  return /^v?\d+\.\d+\.\d+/.test(tag);
+}
+function findNotesForTag(tag, notes) {
+  for (const [packageName, body] of Object.entries(notes)) {
+    if (tag.startsWith(`${packageName}@`) && body.trim()) {
+      return body;
+    }
+  }
+  const entries = Object.values(notes).filter((b) => b.trim());
+  if (entries.length === 1 && isVersionOnlyTag(tag)) return entries[0];
+  return void 0;
+}
+function readFileIfExists(filePath) {
+  try {
+    const content = fs7.readFileSync(filePath, "utf-8").trim();
+    return content || void 0;
+  } catch {
+    return void 0;
+  }
+}
+function formatChangelogForTag(tag, changelogs) {
+  if (changelogs.length === 0) return void 0;
+  const changelog = changelogs.find((c) => tag.startsWith(`${c.packageName}@`));
+  const target = changelog ?? (changelogs.length === 1 && isVersionOnlyTag(tag) ? changelogs[0] : void 0);
+  if (!target || target.entries.length === 0) return void 0;
+  const lines = [];
+  for (const entry of target.entries) {
+    const scope = entry.scope ? `**${entry.scope}:** ` : "";
+    lines.push(`- ${scope}${entry.description}`);
+  }
+  return lines.join("\n");
+}
 async function runGithubReleaseStage(ctx) {
   const { config, cliOptions, output } = ctx;
   const dryRun = cliOptions.dryRun;
   if (!config.githubRelease.enabled) {
-    debug3("GitHub releases disabled in config");
+    debug("GitHub releases disabled in config");
     return;
   }
   const tags = output.git.tags.length > 0 ? output.git.tags : ctx.input.tags;
   if (tags.length === 0) {
-    info4("No tags available for GitHub release");
+    info("No tags available for GitHub release");
     return;
   }
-  let notesBody;
-  if (config.githubRelease.notesFile) {
-    try {
-      notesBody = fs4.readFileSync(config.githubRelease.notesFile, "utf-8");
-    } catch {
-      debug3(`Could not read notes file: ${config.githubRelease.notesFile}`);
-    }
-  }
   const firstTag = tags[0];
   if (!firstTag) return;
   const tagsToRelease = config.githubRelease.perPackage ? tags : [firstTag];
   for (const tag of tagsToRelease) {
-    const versionMatch = tag.match(/(\d+\.\d+\.\d+.*)$/);
+    const MAX_TAG_LENGTH = 1e3;
+    const truncatedTag = tag.length > MAX_TAG_LENGTH ? tag.slice(0, MAX_TAG_LENGTH) : tag;
+    const versionMatch = truncatedTag.match(/(\d{1,20}\.\d{1,20}\.\d{1,20}(?:[-+.]?[a-zA-Z0-9.-]{0,100})?)$/);
     const version = versionMatch?.[1] ?? "";
     const isPreRel = config.githubRelease.prerelease === "auto" ? version ? isPrerelease(version) : false : config.githubRelease.prerelease;
     const result = {
@@ -712,9 +1252,15 @@ async function runGithubReleaseStage(ctx) {
     if (isPreRel) {
       ghArgs.push("--prerelease");
     }
-    if (notesBody) {
-      ghArgs.push("--notes", notesBody);
-    } else if (config.githubRelease.generateNotes) {
+    const { body, useGithubNotes } = resolveNotes(
+      config.githubRelease.releaseNotes,
+      tag,
+      ctx.input.changelogs,
+      ctx.releaseNotes
+    );
+    if (body) {
+      ghArgs.push("--notes", body);
+    } else if (useGithubNotes) {
       ghArgs.push("--generate-notes");
     }
     try {
@@ -727,25 +1273,91 @@ async function runGithubReleaseStage(ctx) {
         result.url = execResult.stdout.trim();
       }
       if (!dryRun) {
-        success4(`Created GitHub release for ${tag}`);
+        success(`Created GitHub release for ${tag}`);
       }
     } catch (error) {
       result.reason = error instanceof Error ? error.message : String(error);
-      warn2(`Failed to create GitHub release for ${tag}: ${result.reason}`);
+      warn(`Failed to create GitHub release for ${tag}: ${result.reason}`);
     }
     ctx.output.githubReleases.push(result);
   }
 }
 
 // src/stages/npm-publish.ts
-import * as fs5 from "fs";
-import * as path4 from "path";
-import { debug as debug4, info as info5, success as success5, warn as warn3 } from "@releasekit/core";
+import * as fs9 from "fs";
+import * as path8 from "path";
+
+// src/utils/npm-env.ts
+import * as fs8 from "fs";
+import * as os2 from "os";
+import * as path7 from "path";
+function writeTempNpmrc(contents) {
+  const dir = fs8.mkdtempSync(path7.join(os2.tmpdir(), "releasekit-npmrc-"));
+  const npmrcPath = path7.join(dir, ".npmrc");
+  fs8.writeFileSync(npmrcPath, contents, "utf-8");
+  return {
+    npmrcPath,
+    cleanup: () => {
+      try {
+        fs8.rmSync(dir, { recursive: true, force: true });
+      } catch {
+      }
+    }
+  };
+}
+function createNpmSubprocessIsolation(options) {
+  const { authMethod, registryUrl } = options;
+  const baseEnv = {};
+  if (!authMethod) return { env: baseEnv, cleanup: () => {
+  } };
+  const token = process.env.NPM_TOKEN ?? process.env.NODE_AUTH_TOKEN;
+  const registryHost = (() => {
+    try {
+      return new URL(registryUrl).host;
+    } catch {
+      return "registry.npmjs.org";
+    }
+  })();
+  const lines = [`registry=${registryUrl}`];
+  if (authMethod === "oidc") {
+    lines.push("always-auth=false");
+  }
+  if (authMethod === "token" && token) {
+    lines.push(`//${registryHost}/:_authToken=${token}`);
+  }
+  lines.push("");
+  const { npmrcPath, cleanup } = writeTempNpmrc(lines.join("\n"));
+  debug(`Using isolated npm userconfig: ${npmrcPath}`);
+  const isOidc = authMethod === "oidc";
+  return {
+    env: {
+      ...baseEnv,
+      // Ensure npm and tools that read npm_config_* pick up our temp file
+      NPM_CONFIG_USERCONFIG: npmrcPath,
+      npm_config_userconfig: npmrcPath,
+      // Auth-specific hardening
+      ...isOidc ? {
+        // Prevent setup-node's always-auth from forcing token lookups
+        NPM_CONFIG_ALWAYS_AUTH: "false",
+        npm_config_always_auth: "false",
+        // Explicitly prevent token-based publishing from being selected implicitly
+        NODE_AUTH_TOKEN: void 0,
+        NPM_TOKEN: void 0
+      } : {
+        // Ensure CLIs that expect NODE_AUTH_TOKEN can still work
+        NODE_AUTH_TOKEN: token
+      }
+    },
+    cleanup
+  };
+}
+
+// src/stages/npm-publish.ts
 async function runNpmPublishStage(ctx) {
   const { input, config, cliOptions, cwd } = ctx;
   const dryRun = cliOptions.dryRun;
   if (!config.npm.enabled) {
-    info5("NPM publishing disabled in config");
+    info("NPM publishing disabled in config");
     return;
   }
   const authMethod = config.npm.auth === "auto" ? detectNpmAuth() : config.npm.auth;
@@ -753,107 +1365,116 @@ async function runNpmPublishStage(ctx) {
     throw createPublishError("NPM_AUTH_ERROR" /* NPM_AUTH_ERROR */, "No NPM authentication method detected");
   }
   const useProvenance = config.npm.provenance && authMethod === "oidc";
-  for (const update of input.updates) {
-    const result = {
-      packageName: update.packageName,
-      version: update.newVersion,
-      registry: "npm",
-      success: false,
-      skipped: false
-    };
-    const pkgJsonPath = path4.resolve(cwd, update.filePath);
-    try {
-      const pkgContent = fs5.readFileSync(pkgJsonPath, "utf-8");
-      const pkgJson = JSON.parse(pkgContent);
-      if (pkgJson.private) {
-        result.skipped = true;
-        result.success = true;
-        result.reason = "Package is private";
-        ctx.output.npm.push(result);
-        debug4(`Skipping private package: ${update.packageName}`);
-        continue;
+  const npmIsolation = createNpmSubprocessIsolation({
+    authMethod,
+    registryUrl: config.npm.registry
+  });
+  try {
+    for (const update of input.updates) {
+      const result = {
+        packageName: update.packageName,
+        version: update.newVersion,
+        registry: "npm",
+        success: false,
+        skipped: false
+      };
+      const pkgJsonPath = path8.resolve(cwd, update.filePath);
+      try {
+        const pkgContent = fs9.readFileSync(pkgJsonPath, "utf-8");
+        const pkgJson = JSON.parse(pkgContent);
+        if (pkgJson.private) {
+          result.skipped = true;
+          result.success = true;
+          result.reason = "Package is private";
+          ctx.output.npm.push(result);
+          debug(`Skipping private package: ${update.packageName}`);
+          continue;
+        }
+      } catch {
+        if (update.filePath.endsWith("Cargo.toml")) {
+          result.skipped = true;
+          result.success = true;
+          result.reason = "Not an npm package";
+          ctx.output.npm.push(result);
+          continue;
+        }
       }
-    } catch {
-      if (update.filePath.endsWith("Cargo.toml")) {
+      const { file: viewFile, args: viewArgs } = buildViewCommand(
+        ctx.packageManager,
+        update.packageName,
+        update.newVersion
+      );
+      const viewResult = await execCommandSafe(viewFile, viewArgs, {
+        cwd,
+        dryRun: false,
+        // Always check, even in dry-run
+        env: npmIsolation.env
+      });
+      if (viewResult.exitCode === 0 && viewResult.stdout.trim()) {
+        result.alreadyPublished = true;
         result.skipped = true;
         result.success = true;
-        result.reason = "Not an npm package";
+        result.reason = "Already published";
         ctx.output.npm.push(result);
+        warn(`${update.packageName}@${update.newVersion} is already published, skipping`);
         continue;
       }
-    }
-    const { file: viewFile, args: viewArgs } = buildViewCommand(
-      ctx.packageManager,
-      update.packageName,
-      update.newVersion
-    );
-    const viewResult = await execCommandSafe(viewFile, viewArgs, {
-      cwd,
-      dryRun: false
-      // Always check, even in dry-run
-    });
-    if (viewResult.exitCode === 0 && viewResult.stdout.trim()) {
-      result.alreadyPublished = true;
-      result.skipped = true;
-      result.success = true;
-      result.reason = "Already published";
-      ctx.output.npm.push(result);
-      warn3(`${update.packageName}@${update.newVersion} is already published, skipping`);
-      continue;
-    }
-    const distTag = getDistTag(update.newVersion, config.npm.tag);
-    const pkgDir = path4.dirname(path4.resolve(cwd, update.filePath));
-    const { file: pubFile, args: pubArgs } = buildPublishCommand(ctx.packageManager, update.packageName, pkgDir, {
-      access: config.npm.access,
-      tag: distTag,
-      provenance: useProvenance,
-      noGitChecks: true
-    });
-    try {
-      await execCommand(pubFile, pubArgs, {
-        cwd,
-        dryRun,
-        label: `npm publish ${update.packageName}@${update.newVersion}`
+      const distTag = getDistTag(update.newVersion, config.npm.tag);
+      const pkgDir = path8.dirname(path8.resolve(cwd, update.filePath));
+      const { file: pubFile, args: pubArgs } = buildPublishCommand(ctx.packageManager, update.packageName, pkgDir, {
+        access: config.npm.access,
+        tag: distTag,
+        provenance: useProvenance,
+        noGitChecks: true
       });
-      result.success = true;
-      if (!dryRun) {
-        success5(`Published ${update.packageName}@${update.newVersion} to npm`);
+      try {
+        await execCommand(pubFile, pubArgs, {
+          cwd,
+          dryRun,
+          label: `npm publish ${update.packageName}@${update.newVersion}`,
+          env: npmIsolation.env
+        });
+        result.success = true;
+        if (!dryRun) {
+          success(`Published ${update.packageName}@${update.newVersion} to npm`);
+        }
+      } catch (error) {
+        result.reason = error instanceof Error ? error.message : String(error);
+        warn(`Failed to publish ${update.packageName}: ${result.reason}`);
       }
-    } catch (error) {
-      result.reason = error instanceof Error ? error.message : String(error);
-      warn3(`Failed to publish ${update.packageName}: ${result.reason}`);
+      ctx.output.npm.push(result);
     }
-    ctx.output.npm.push(result);
+  } finally {
+    npmIsolation.cleanup();
   }
 }
 
 // src/stages/prepare.ts
-import * as fs6 from "fs";
-import * as path5 from "path";
-import { debug as debug5, info as info6 } from "@releasekit/core";
+import * as fs10 from "fs";
+import * as path9 from "path";
 async function runPrepareStage(ctx) {
   const { input, config, cliOptions, cwd } = ctx;
   if (config.npm.enabled && config.npm.copyFiles.length > 0) {
     for (const update of input.updates) {
-      const pkgDir = path5.dirname(path5.resolve(cwd, update.filePath));
+      const pkgDir = path9.dirname(path9.resolve(cwd, update.filePath));
       for (const file of config.npm.copyFiles) {
-        const src = path5.resolve(cwd, file);
-        const dest = path5.join(pkgDir, file);
-        if (!fs6.existsSync(src)) {
-          debug5(`Source file not found, skipping copy: ${src}`);
+        const src = path9.resolve(cwd, file);
+        const dest = path9.join(pkgDir, file);
+        if (!fs10.existsSync(src)) {
+          debug(`Source file not found, skipping copy: ${src}`);
           continue;
         }
-        if (path5.resolve(path5.dirname(src)) === path5.resolve(pkgDir)) {
-          debug5(`Skipping copy of ${file} - same directory as source`);
+        if (path9.resolve(path9.dirname(src)) === path9.resolve(pkgDir)) {
+          debug(`Skipping copy of ${file} - same directory as source`);
           continue;
         }
         if (cliOptions.dryRun) {
-          info6(`[DRY RUN] Would copy ${src} \u2192 ${dest}`);
+          info(`[DRY RUN] Would copy ${src} \u2192 ${dest}`);
           continue;
         }
         try {
-          fs6.copyFileSync(src, dest);
-          debug5(`Copied ${file} \u2192 ${pkgDir}`);
+          fs10.copyFileSync(src, dest);
+          debug(`Copied ${file} \u2192 ${pkgDir}`);
         } catch (error) {
           throw createPublishError(
             "FILE_COPY_ERROR" /* FILE_COPY_ERROR */,
@@ -865,26 +1486,22 @@ async function runPrepareStage(ctx) {
   }
   if (config.cargo.enabled) {
     for (const update of input.updates) {
-      const pkgDir = path5.dirname(path5.resolve(cwd, update.filePath));
-      const cargoPath = path5.join(pkgDir, "Cargo.toml");
-      if (!fs6.existsSync(cargoPath)) {
+      const pkgDir = path9.dirname(path9.resolve(cwd, update.filePath));
+      const cargoPath = path9.join(pkgDir, "Cargo.toml");
+      if (!fs10.existsSync(cargoPath)) {
         continue;
       }
       if (cliOptions.dryRun) {
-        info6(`[DRY RUN] Would update ${cargoPath} to version ${update.newVersion}`);
+        info(`[DRY RUN] Would update ${cargoPath} to version ${update.newVersion}`);
         continue;
       }
       updateCargoVersion(cargoPath, update.newVersion);
-      debug5(`Updated ${cargoPath} to version ${update.newVersion}`);
+      debug(`Updated ${cargoPath} to version ${update.newVersion}`);
     }
   }
 }
 
-// src/stages/verify.ts
-import { debug as debug7, info as info7, success as success6, warn as warn4 } from "@releasekit/core";
-
 // src/utils/retry.ts
-import { debug as debug6 } from "@releasekit/core";
 async function withRetry(fn, options, shouldRetry) {
   let lastError;
   let delay = options.initialDelay;
@@ -897,7 +1514,7 @@ async function withRetry(fn, options, shouldRetry) {
         throw error;
       }
       if (attempt < options.maxAttempts) {
-        debug6(`Attempt ${attempt}/${options.maxAttempts} failed, retrying in ${delay}ms...`);
+        debug(`Attempt ${attempt}/${options.maxAttempts} failed, retrying in ${delay}ms...`);
         await sleep(delay);
         delay = Math.floor(delay * options.backoffMultiplier);
       }
@@ -923,7 +1540,7 @@ async function runVerifyStage(ctx) {
         attempts: 0
       };
       if (cliOptions.dryRun) {
-        info7(`[DRY RUN] Would verify ${pkg.packageName}@${pkg.version} on npm`);
+        info(`[DRY RUN] Would verify ${pkg.packageName}@${pkg.version} on npm`);
         result.verified = true;
         ctx.output.verification.push(result);
         continue;
@@ -939,12 +1556,12 @@ async function runVerifyStage(ctx) {
           if (viewResult.exitCode !== 0 || !viewResult.stdout.trim()) {
             throw new Error(`${pkg.packageName}@${pkg.version} not yet available on npm`);
           }
-          debug7(`Verified ${pkg.packageName}@${pkg.version} on npm`);
+          debug(`Verified ${pkg.packageName}@${pkg.version} on npm`);
         }, config.verify.npm);
         result.verified = true;
-        success6(`Verified ${pkg.packageName}@${pkg.version} on npm`);
+        success(`Verified ${pkg.packageName}@${pkg.version} on npm`);
       } catch {
-        warn4(`Failed to verify ${pkg.packageName}@${pkg.version} on npm after ${result.attempts} attempts`);
+        warn(`Failed to verify ${pkg.packageName}@${pkg.version} on npm after ${result.attempts} attempts`);
       }
       ctx.output.verification.push(result);
     }
@@ -960,7 +1577,7 @@ async function runVerifyStage(ctx) {
         attempts: 0
       };
       if (cliOptions.dryRun) {
-        info7(`[DRY RUN] Would verify ${crate.packageName}@${crate.version} on crates.io`);
+        info(`[DRY RUN] Would verify ${crate.packageName}@${crate.version} on crates.io`);
         result.verified = true;
         ctx.output.verification.push(result);
         continue;
@@ -972,12 +1589,12 @@ async function runVerifyStage(ctx) {
           if (!response.ok) {
             throw new Error(`${crate.packageName}@${crate.version} not yet available on crates.io`);
           }
-          debug7(`Verified ${crate.packageName}@${crate.version} on crates.io`);
+          debug(`Verified ${crate.packageName}@${crate.version} on crates.io`);
         }, config.verify.cargo);
         result.verified = true;
-        success6(`Verified ${crate.packageName}@${crate.version} on crates.io`);
+        success(`Verified ${crate.packageName}@${crate.version} on crates.io`);
       } catch {
-        warn4(`Failed to verify ${crate.packageName}@${crate.version} on crates.io after ${result.attempts} attempts`);
+        warn(`Failed to verify ${crate.packageName}@${crate.version} on crates.io after ${result.attempts} attempts`);
       }
       ctx.output.verification.push(result);
     }
@@ -1012,6 +1629,8 @@ async function runPipeline(input, config, options) {
     cliOptions: options,
     packageManager: detectPackageManager(cwd),
     cwd,
+    releaseNotes: options.releaseNotes,
+    additionalFiles: options.additionalFiles,
     output: {
       dryRun: options.dryRun,
       git: { committed: false, tags: [], pushed: false },
@@ -1023,7 +1642,10 @@ async function runPipeline(input, config, options) {
   };
   try {
     await runPrepareStage(ctx);
-    if (!options.skipGit) {
+    if (options.skipGitCommit && !options.skipGit) {
+      ctx.output.git.committed = !!input.commitMessage;
+      ctx.output.git.tags = [...input.tags];
+    } else if (!options.skipGit) {
       await runGitCommitStage(ctx);
     }
     if (!options.skipPublish) {
@@ -1052,41 +1674,40 @@ async function runPipeline(input, config, options) {
 }
 
 // src/stages/input.ts
-import * as fs7 from "fs";
-import { info as info8 } from "@releasekit/core";
-import { z } from "zod";
-var VersionChangelogEntrySchema = z.object({
-  type: z.string(),
-  description: z.string(),
-  issueIds: z.array(z.string()).optional(),
-  scope: z.string().optional(),
-  originalType: z.string().optional()
+import * as fs11 from "fs";
+import { z as z3 } from "zod";
+var VersionChangelogEntrySchema = z3.object({
+  type: z3.string(),
+  description: z3.string(),
+  issueIds: z3.array(z3.string()).optional(),
+  scope: z3.string().optional(),
+  originalType: z3.string().optional()
 });
-var VersionPackageChangelogSchema = z.object({
-  packageName: z.string(),
-  version: z.string(),
-  previousVersion: z.string().nullable(),
-  revisionRange: z.string(),
-  repoUrl: z.string().nullable(),
-  entries: z.array(VersionChangelogEntrySchema)
+var VersionPackageChangelogSchema = z3.object({
+  packageName: z3.string(),
+  version: z3.string(),
+  previousVersion: z3.string().nullable(),
+  revisionRange: z3.string(),
+  repoUrl: z3.string().nullable(),
+  entries: z3.array(VersionChangelogEntrySchema)
 });
-var VersionPackageUpdateSchema = z.object({
-  packageName: z.string(),
-  newVersion: z.string(),
-  filePath: z.string()
+var VersionPackageUpdateSchema = z3.object({
+  packageName: z3.string(),
+  newVersion: z3.string(),
+  filePath: z3.string()
 });
-var VersionOutputSchema = z.object({
-  dryRun: z.boolean(),
-  updates: z.array(VersionPackageUpdateSchema),
-  changelogs: z.array(VersionPackageChangelogSchema),
-  commitMessage: z.string().optional(),
-  tags: z.array(z.string())
+var VersionOutputSchema = z3.object({
+  dryRun: z3.boolean(),
+  updates: z3.array(VersionPackageUpdateSchema),
+  changelogs: z3.array(VersionPackageChangelogSchema),
+  commitMessage: z3.string().optional(),
+  tags: z3.array(z3.string())
 });
 async function parseInput(inputPath) {
   let raw;
   if (inputPath) {
     try {
-      raw = fs7.readFileSync(inputPath, "utf-8");
+      raw = fs11.readFileSync(inputPath, "utf-8");
     } catch {
       throw createPublishError("INPUT_PARSE_ERROR" /* INPUT_PARSE_ERROR */, `Could not read file: ${inputPath}`);
     }
@@ -1106,7 +1727,7 @@ async function parseInput(inputPath) {
 ${issues}`);
   }
   if (result.data.updates.length === 0) {
-    info8("No package updates in version output \u2014 pipeline will be a no-op");
+    info("No package updates in version output \u2014 pipeline will be a no-op");
   }
   return result.data;
 }
@@ -1119,7 +1740,11 @@ async function readStdin() {
 }
 
 export {
-  loadConfig,
+  setLogLevel,
+  setJsonMode,
+  EXIT_CODES,
+  parseCargoToml,
+  loadConfig2 as loadConfig,
   getDefaultConfig2 as getDefaultConfig,
   BasePublishError,
   PublishError,
@@ -1128,7 +1753,6 @@ export {
   createPublishError,
   detectNpmAuth,
   hasCargoAuth,
-  parseCargoToml,
   updateCargoVersion,
   extractPathDeps,
   isPrerelease,