@sentry/craft 2.22.0 → 2.23.0

package/dist/craft

@@ -125785,24 +125785,37 @@ var init_workspaces = __esm({
 });
 
 // src/targets/npm.ts
+function isOidcEnvironment() {
+  return !!(process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN || process.env.NPM_ID_TOKEN);
+}
 async function getLatestVersion(packageName, npmConfig, otp) {
   const args = ["info", packageName, "version"];
   const bin = NPM_BIN;
   try {
-    const response = await withTempFile((filePath) => {
+    let response;
+    if (npmConfig.token) {
+      response = await withTempFile((filePath) => {
+        const spawnOptions = {};
+        spawnOptions.env = { ...process.env };
+        if (otp) {
+          spawnOptions.env.NPM_CONFIG_OTP = otp;
+        }
+        spawnOptions.env[NPM_TOKEN_ENV_VAR] = npmConfig.token;
+        spawnOptions.env.npm_config_userconfig = filePath;
+        (0, import_fs14.writeFileSync)(
+          filePath,
+          `//registry.npmjs.org/:_authToken=\${${NPM_TOKEN_ENV_VAR}}`
+        );
+        return spawnProcess(bin, args, spawnOptions);
+      });
+    } else {
       const spawnOptions = {};
       spawnOptions.env = { ...process.env };
       if (otp) {
         spawnOptions.env.NPM_CONFIG_OTP = otp;
       }
-      spawnOptions.env[NPM_TOKEN_ENV_VAR] = npmConfig.token;
-      spawnOptions.env.npm_config_userconfig = filePath;
-      (0, import_fs14.writeFileSync)(
-        filePath,
-        `//registry.npmjs.org/:_authToken=\${${NPM_TOKEN_ENV_VAR}}`
-      );
-      return spawnProcess(bin, args, spawnOptions);
-    });
+      response = await spawnProcess(bin, args, spawnOptions);
+    }
     if (!response) {
       return void 0;
     }
@@ -125842,7 +125855,7 @@ async function getPublishTag(version2, checkPackageName, npmConfig, logger3, otp
   }
   return void 0;
 }
-var import_child_process3, import_fs13, import_path12, import_prompts2, import_fs14, NPM_CONFIG, YARN_CONFIG, NPM_BIN, YARN_BIN, NPM_MIN_MAJOR, NPM_MIN_MINOR, NPM_TOKEN_ENV_VAR, DEFAULT_PACKAGE_REGEX, NpmPackageAccess, NpmTarget;
+var import_child_process3, import_fs13, import_path12, import_prompts2, import_fs14, NPM_CONFIG, YARN_CONFIG, NPM_BIN, YARN_BIN, NPM_MIN_MAJOR, NPM_MIN_MINOR, NPM_OIDC_MIN_VERSION, NPM_TOKEN_ENV_VAR, DEFAULT_PACKAGE_REGEX, NpmPackageAccess, NpmTarget;
 var init_npm = __esm({
   "src/targets/npm.ts"() {
     "use strict";
@@ -125867,6 +125880,7 @@ var init_npm = __esm({
     YARN_BIN = process.env.YARN_BIN || "yarn";
     NPM_MIN_MAJOR = 5;
     NPM_MIN_MINOR = 6;
+    NPM_OIDC_MIN_VERSION = { major: 11, minor: 5, patch: 1 };
     NPM_TOKEN_ENV_VAR = "NPM_TOKEN";
     DEFAULT_PACKAGE_REGEX = /^.*\d\.\d.*\.tgz$/;
     NpmPackageAccess = /* @__PURE__ */ ((NpmPackageAccess2) => {
@@ -125879,6 +125893,8 @@ var init_npm = __esm({
       name = "npm";
       /** Target options */
       npmConfig;
+      /** Parsed npm version, set during checkRequirements() */
+      npmVersion = null;
       /**
        * Expand an npm target config into multiple targets if workspaces is enabled.
        * This static method is called during config loading to expand workspace targets.
@@ -125968,6 +125984,9 @@ var init_npm = __esm({
           if (config3.checkPackageName) {
             expandedTarget.checkPackageName = config3.checkPackageName;
           }
+          if (config3.oidc) {
+            expandedTarget.oidc = config3.oidc;
+          }
           return expandedTarget;
         });
       }
@@ -126061,26 +126080,34 @@ var init_npm = __esm({
         this.npmConfig = this.getNpmConfig();
       }
       /**
-       * Check that NPM executable exists and is not too old
+       * Check that NPM executable exists and is not too old.
+       * Stores the parsed npm version for later OIDC version validation in getNpmConfig().
        */
       checkRequirements() {
+        const config3 = this.config;
         if (hasExecutable(NPM_BIN)) {
           this.logger.debug("Checking that NPM has recent version...");
-          const npmVersion = (0, import_child_process3.spawnSync)(NPM_BIN, ["--version"]).stdout.toString().trim();
-          const parsedVersion = parseVersion(npmVersion);
+          const npmVersionStr = (0, import_child_process3.spawnSync)(NPM_BIN, ["--version"]).stdout.toString().trim();
+          const parsedVersion = parseVersion(npmVersionStr);
           if (!parsedVersion) {
-            reportError(`Cannot parse NPM version: "${npmVersion}"`);
+            reportError(`Cannot parse NPM version: "${npmVersionStr}"`);
           }
-          const { major: major2, minor } = parsedVersion || { major: 0, minor: 0 };
+          const { major: major2 = 0, minor = 0 } = parsedVersion ?? {};
           if (major2 < NPM_MIN_MAJOR || major2 === NPM_MIN_MAJOR && minor < NPM_MIN_MINOR) {
             reportError(
-              `NPM version is too old: ${npmVersion}. Please update your NodeJS`
+              `NPM version is too old: ${npmVersionStr}. Please update your NodeJS`
             );
           }
-          this.logger.debug(`Found NPM version ${npmVersion}`);
+          this.npmVersion = parsedVersion;
+          this.logger.debug(`Found NPM version ${npmVersionStr}`);
         } else if (hasExecutable(YARN_BIN)) {
           const yarnVersion = (0, import_child_process3.spawnSync)(YARN_BIN, ["--version"]).stdout.toString().trim();
           this.logger.debug(`Found Yarn version ${yarnVersion}`);
+          if (config3.oidc) {
+            throw new ConfigurationError(
+              "npm target: OIDC trusted publishing requires npm, but only yarn was found. Install npm >= 11.5.1 to use OIDC."
+            );
+          }
         } else {
           reportError('No "npm" or "yarn" found!');
         }
@@ -126098,17 +126125,69 @@ var init_npm = __esm({
         return otp;
       }
       /**
-       * Extracts NPM target options from the raw configuration
+       * Extracts NPM target options from the raw configuration.
+       *
+       * Auth strategy decision table:
+       *
+       * | oidc config | NPM_TOKEN set | OIDC env detected | Result              |
+       * |-------------|---------------|-------------------|---------------------|
+       * | true        | any           | any               | Force OIDC          |
+       * | unset/false | yes           | any               | Token auth          |
+       * | unset/false | no            | yes               | Auto-detect OIDC    |
+       * | unset/false | no            | no                | Error (no auth)     |
        */
       getNpmConfig() {
+        const config3 = this.config;
         const token = process.env.NPM_TOKEN;
-        if (!token) {
-          throw new Error("NPM target: NPM_TOKEN not found in the environment");
+        const oidcEnv = isOidcEnvironment();
+        let useOidc = false;
+        if (config3.oidc) {
+          if (!this.npmVersion) {
+            throw new ConfigurationError(
+              "npm target: OIDC trusted publishing requires npm, but only yarn was found. Install npm >= 11.5.1 to use OIDC."
+            );
+          }
+          const { major: major2, minor, patch } = this.npmVersion;
+          if (!versionGreaterOrEqualThan(this.npmVersion, NPM_OIDC_MIN_VERSION)) {
+            const {
+              major: minMaj,
+              minor: minMin,
+              patch: minPat
+            } = NPM_OIDC_MIN_VERSION;
+            throw new ConfigurationError(
+              `npm target: OIDC trusted publishing requires npm >= ${minMaj}.${minMin}.${minPat}, but found ${major2}.${minor}.${patch}. Update npm (or Node.js) to use OIDC.`
+            );
+          }
+          useOidc = true;
+        } else if (!token) {
+          if (oidcEnv) {
+            if (this.npmVersion) {
+              if (versionGreaterOrEqualThan(this.npmVersion, NPM_OIDC_MIN_VERSION)) {
+                this.logger.info(
+                  "NPM_TOKEN not set but OIDC environment detected \u2014 using trusted publishing."
+                );
+                useOidc = true;
+              } else {
+                const { major: major2, minor, patch } = this.npmVersion;
+                const {
+                  major: minMaj,
+                  minor: minMin,
+                  patch: minPat
+                } = NPM_OIDC_MIN_VERSION;
+                this.logger.warn(
+                  `OIDC environment detected but npm ${major2}.${minor}.${patch} is too old for trusted publishing (requires >= ${minMaj}.${minMin}.${minPat}). Falling through to token-based auth.`
+                );
+              }
+            }
+          }
+          if (!useOidc) {
+            throw new Error("NPM target: NPM_TOKEN not found in the environment");
+          }
         }
-        const config3 = this.config;
         const npmConfig = {
-          useYarn: !!process.env.USE_YARN || !hasExecutable(NPM_BIN),
-          token
+          useYarn: !useOidc && (!!process.env.USE_YARN || !hasExecutable(NPM_BIN)),
+          token: token || void 0,
+          useOidc
         };
         if (config3.access) {
           if (Object.values(NpmPackageAccess).includes(config3.access)) {
@@ -126147,6 +126226,15 @@ var init_npm = __esm({
         if (options.tag) {
           args.push(`--tag=${options.tag}`);
         }
+        args.push(path26);
+        if (this.npmConfig.useOidc) {
+          const spawnOptions = {};
+          spawnOptions.env = { ...process.env };
+          if (options.otp) {
+            spawnOptions.env.NPM_CONFIG_OTP = options.otp;
+          }
+          return spawnProcess(bin, args, spawnOptions, { showStdout: true });
+        }
         return withTempFile((filePath) => {
           const spawnOptions = {};
           spawnOptions.env = { ...process.env };
@@ -126159,7 +126247,6 @@ var init_npm = __esm({
             filePath,
             `//registry.npmjs.org/:_authToken=\${${NPM_TOKEN_ENV_VAR}}`
           );
-          args.push(path26);
           return spawnProcess(bin, args, spawnOptions, {
             showStdout: true
           });
@@ -160085,7 +160172,7 @@ var require_package6 = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "@sentry/craft",
-      version: "2.22.0",
+      version: "2.23.0",
       description: "The universal sentry workflow CLI",
       main: "dist/craft",
       repository: "https://github.com/getsentry/craft",
@@ -160252,7 +160339,7 @@ function getPackage() {
 }
 function getPackageVersion() {
   const { version: version2 } = getPackage();
-  const buildInfo = "1db39410d293a253e6affbe98c8c6f29db6e218d";
+  const buildInfo = "ce288193e2ac7976b0ffd1d5733527605e6fd63b";
   return buildInfo ? `${version2} (${buildInfo})` : version2;
 }
 function semVerToString(s4) {
@@ -160662,7 +160749,7 @@ var require_semver2 = __commonJS({
     var { safeRe: re3, t: t4 } = require_re();
     var parseOptions = require_parse_options();
     var { compareIdentifiers } = require_identifiers();
-    var SemVer3 = class _SemVer {
+    var SemVer4 = class _SemVer {
       constructor(version2, options) {
         options = parseOptions(options);
         if (version2 instanceof _SemVer) {
@@ -160928,7 +161015,7 @@ var require_semver2 = __commonJS({
         return this;
       }
     };
-    module2.exports = SemVer3;
+    module2.exports = SemVer4;
   }
 });
 
@@ -160937,13 +161024,13 @@ var require_parse2 = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/parse.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var parse8 = (version2, options, throwErrors = false) => {
-      if (version2 instanceof SemVer3) {
+      if (version2 instanceof SemVer4) {
         return version2;
       }
       try {
-        return new SemVer3(version2, options);
+        return new SemVer4(version2, options);
       } catch (er) {
         if (!throwErrors) {
           return null;
@@ -160988,7 +161075,7 @@ var require_inc = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/inc.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var inc2 = (version2, release3, options, identifier, identifierBase) => {
       if (typeof options === "string") {
         identifierBase = identifier;
@@ -160996,8 +161083,8 @@ var require_inc = __commonJS({
         options = void 0;
       }
       try {
-        return new SemVer3(
-          version2 instanceof SemVer3 ? version2.version : version2,
+        return new SemVer4(
+          version2 instanceof SemVer4 ? version2.version : version2,
           options
         ).inc(release3, identifier, identifierBase).version;
       } catch (er) {
@@ -161058,8 +161145,8 @@ var require_major = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/major.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
-    var major2 = (a4, loose) => new SemVer3(a4, loose).major;
+    var SemVer4 = require_semver2();
+    var major2 = (a4, loose) => new SemVer4(a4, loose).major;
     module2.exports = major2;
   }
 });
@@ -161069,8 +161156,8 @@ var require_minor = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/minor.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
-    var minor = (a4, loose) => new SemVer3(a4, loose).minor;
+    var SemVer4 = require_semver2();
+    var minor = (a4, loose) => new SemVer4(a4, loose).minor;
     module2.exports = minor;
   }
 });
@@ -161080,8 +161167,8 @@ var require_patch = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/patch.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
-    var patch = (a4, loose) => new SemVer3(a4, loose).patch;
+    var SemVer4 = require_semver2();
+    var patch = (a4, loose) => new SemVer4(a4, loose).patch;
     module2.exports = patch;
   }
 });
@@ -161105,8 +161192,8 @@ var require_compare = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/compare.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
-    var compare = (a4, b5, loose) => new SemVer3(a4, loose).compare(new SemVer3(b5, loose));
+    var SemVer4 = require_semver2();
+    var compare = (a4, b5, loose) => new SemVer4(a4, loose).compare(new SemVer4(b5, loose));
     module2.exports = compare;
   }
 });
@@ -161138,10 +161225,10 @@ var require_compare_build = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/compare-build.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var compareBuild = (a4, b5, loose) => {
-      const versionA = new SemVer3(a4, loose);
-      const versionB = new SemVer3(b5, loose);
+      const versionA = new SemVer4(a4, loose);
+      const versionB = new SemVer4(b5, loose);
       return versionA.compare(versionB) || versionA.compareBuild(versionB);
     };
     module2.exports = compareBuild;
@@ -161292,11 +161379,11 @@ var require_coerce = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/functions/coerce.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var parse8 = require_parse2();
     var { safeRe: re3, t: t4 } = require_re();
     var coerce2 = (version2, options) => {
-      if (version2 instanceof SemVer3) {
+      if (version2 instanceof SemVer4) {
         return version2;
       }
       if (typeof version2 === "number") {
@@ -161504,7 +161591,7 @@ var require_range = __commonJS({
         }
         if (typeof version2 === "string") {
           try {
-            version2 = new SemVer3(version2, this.options);
+            version2 = new SemVer4(version2, this.options);
           } catch (er) {
             return false;
           }
@@ -161523,7 +161610,7 @@ var require_range = __commonJS({
     var parseOptions = require_parse_options();
     var Comparator = require_comparator();
     var debug3 = require_debug();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var {
       safeRe: re3,
       t: t4,
@@ -161795,7 +161882,7 @@ var require_comparator = __commonJS({
         if (!m5[2]) {
           this.semver = ANY;
         } else {
-          this.semver = new SemVer3(m5[2], this.options.loose);
+          this.semver = new SemVer4(m5[2], this.options.loose);
         }
       }
       toString() {
@@ -161808,7 +161895,7 @@ var require_comparator = __commonJS({
         }
         if (typeof version2 === "string") {
           try {
-            version2 = new SemVer3(version2, this.options);
+            version2 = new SemVer4(version2, this.options);
           } catch (er) {
             return false;
           }
@@ -161860,7 +161947,7 @@ var require_comparator = __commonJS({
     var { safeRe: re3, t: t4 } = require_re();
     var cmp = require_cmp();
     var debug3 = require_debug();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var Range = require_range();
   }
 });
@@ -161899,7 +161986,7 @@ var require_max_satisfying = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/ranges/max-satisfying.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var Range = require_range();
     var maxSatisfying = (versions, range3, options) => {
       let max = null;
@@ -161914,7 +162001,7 @@ var require_max_satisfying = __commonJS({
         if (rangeObj.test(v8)) {
           if (!max || maxSV.compare(v8) === -1) {
             max = v8;
-            maxSV = new SemVer3(max, options);
+            maxSV = new SemVer4(max, options);
           }
         }
       });
@@ -161929,7 +162016,7 @@ var require_min_satisfying = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/ranges/min-satisfying.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var Range = require_range();
     var minSatisfying = (versions, range3, options) => {
       let min = null;
@@ -161944,7 +162031,7 @@ var require_min_satisfying = __commonJS({
         if (rangeObj.test(v8)) {
           if (!min || minSV.compare(v8) === 1) {
             min = v8;
-            minSV = new SemVer3(min, options);
+            minSV = new SemVer4(min, options);
           }
         }
       });
@@ -161959,16 +162046,16 @@ var require_min_version = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/ranges/min-version.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var Range = require_range();
     var gt = require_gt();
     var minVersion = (range3, loose) => {
       range3 = new Range(range3, loose);
-      let minver = new SemVer3("0.0.0");
+      let minver = new SemVer4("0.0.0");
       if (range3.test(minver)) {
         return minver;
       }
-      minver = new SemVer3("0.0.0-0");
+      minver = new SemVer4("0.0.0-0");
       if (range3.test(minver)) {
         return minver;
       }
@@ -161977,7 +162064,7 @@ var require_min_version = __commonJS({
         const comparators = range3.set[i4];
         let setMin = null;
         comparators.forEach((comparator) => {
-          const compver = new SemVer3(comparator.semver.version);
+          const compver = new SemVer4(comparator.semver.version);
           switch (comparator.operator) {
             case ">":
               if (compver.prerelease.length === 0) {
@@ -162036,7 +162123,7 @@ var require_outside = __commonJS({
   "node_modules/.pnpm/semver@7.7.3/node_modules/semver/ranges/outside.js"(exports2, module2) {
     "use strict";
     init_import_meta_url();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var Comparator = require_comparator();
     var { ANY } = Comparator;
     var Range = require_range();
@@ -162046,7 +162133,7 @@ var require_outside = __commonJS({
     var lte2 = require_lte();
     var gte2 = require_gte();
     var outside = (version2, range3, hilo, options) => {
-      version2 = new SemVer3(version2, options);
+      version2 = new SemVer4(version2, options);
       range3 = new Range(range3, options);
       let gtfn, ltefn, ltfn, comp, ecomp;
       switch (hilo) {
@@ -162359,7 +162446,7 @@ var require_semver3 = __commonJS({
     init_import_meta_url();
     var internalRe = require_re();
     var constants4 = require_constants2();
-    var SemVer3 = require_semver2();
+    var SemVer4 = require_semver2();
     var identifiers = require_identifiers();
     var parse8 = require_parse2();
     var valid = require_valid();
@@ -162436,7 +162523,7 @@ var require_semver3 = __commonJS({
       intersects,
       simplifyRange,
       subset,
-      SemVer: SemVer3,
+      SemVer: SemVer4,
       re: internalRe.re,
       src: internalRe.src,
       tokens: internalRe.t,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@sentry/craft",
-  "version": "2.22.0",
+  "version": "2.23.0",
   "description": "The universal sentry workflow CLI",
   "main": "dist/craft",
   "repository": "https://github.com/getsentry/craft",