@varlock/bumpy 0.0.0 → 0.0.1

package/dist/publish-pipeline-1M5GmbdP.mjs

@@ -0,0 +1,291 @@
+import { n as log, t as colorize } from "./logger-ZqggsyGZ.mjs";
+import { a as readJson, c as writeJson } from "./fs-DbNNEyzq.mjs";
+import { i as resolveCatalogDep } from "./workspace-mVjawG8g.mjs";
+import { r as stripProtocol } from "./semver-DWO6NFKN.mjs";
+import { i as tryRun, n as runAsync, t as run } from "./shell-DPlltpzb.mjs";
+import { resolve } from "node:path";
+import { unlink } from "node:fs/promises";
+import { appendFileSync, existsSync, readFileSync, writeFileSync } from "node:fs";
+//#region src/core/git.ts
+/** Create a git tag */
+function createTag(tag, opts) {
+	run(`git tag ${tag}`, opts);
+}
+/** Push commits and tags to remote */
+function pushWithTags(opts) {
+	run("git push --follow-tags", opts);
+}
+/** Check if there are uncommitted changes */
+function hasUncommittedChanges(opts) {
+	const result = tryRun("git status --porcelain", opts);
+	return result !== null && result.length > 0;
+}
+/** Check if a tag already exists */
+function tagExists(tag, opts) {
+	return tryRun(`git tag -l "${tag}"`, opts) === tag;
+}
+//#endregion
+//#region src/core/publish-pipeline.ts
+/**
+* Detect which CI OIDC provider is available for npm trusted publishing.
+* Returns the provider name or null if none detected.
+*
+* Supported providers:
+* - GitHub Actions: `ACTIONS_ID_TOKEN_REQUEST_URL` (set when `id-token: write` permission is granted)
+* - GitLab CI: `GITLAB_CI` + `NPM_ID_TOKEN`
+* - CircleCI: `CIRCLECI` + `NPM_ID_TOKEN`
+*/
+function detectOidcProvider() {
+	if (process.env.ACTIONS_ID_TOKEN_REQUEST_URL) return "github-actions";
+	if (process.env.GITLAB_CI && process.env.NPM_ID_TOKEN) return "gitlab";
+	if (process.env.CIRCLECI && process.env.NPM_ID_TOKEN) return "circleci";
+	return null;
+}
+const OIDC_NPM_UPGRADE_HINTS = {
+	"github-actions": "Add `actions/setup-node@v4` with `node-version: lts/*` to your workflow",
+	gitlab: "Use a Node.js image with npm >= 11.5.1 or run `npm install -g npm@latest`",
+	circleci: "Use a Node.js image with npm >= 11.5.1 or run `sudo npm install -g npm@latest`"
+};
+/**
+* Set up npm authentication for publishing.
+*
+* Handles three scenarios:
+* 1. **Trusted publishing (OIDC)** — GitHub Actions, GitLab CI, or CircleCI with OIDC configured.
+*    npm >= 11.5.1 authenticates automatically via OIDC token exchange.
+*    No secret needed, but we check the npm version and warn if too old.
+* 2. **Token-based auth** — `NPM_TOKEN` or `NODE_AUTH_TOKEN` env var.
+*    Writes a project-level `.npmrc` so npm can authenticate.
+* 3. **Pre-configured** — user already has `.npmrc` with auth (e.g. via `actions/setup-node`).
+*/
+function setupNpmAuth(rootDir, publishManager) {
+	if (publishManager !== "npm") return;
+	const npmrcPath = resolve(rootDir, ".npmrc");
+	const existingNpmrc = existsSync(npmrcPath) ? readFileSync(npmrcPath, "utf-8") : "";
+	if (existingNpmrc.includes(":_authToken=")) {
+		log.dim("  Using existing .npmrc auth configuration");
+		return;
+	}
+	const oidcProvider = detectOidcProvider();
+	if (oidcProvider) {
+		const npmVersion = tryRun("npm --version");
+		if (npmVersion) {
+			const [major, minor, patch] = npmVersion.split(".").map(Number);
+			if (!(major > 11 || major === 11 && (minor > 5 || minor === 5 && patch >= 1))) {
+				log.warn(`  npm ${npmVersion} detected — trusted publishing (OIDC) requires npm >= 11.5.1`);
+				log.warn(`  ${OIDC_NPM_UPGRADE_HINTS[oidcProvider]}`);
+			} else log.dim(`  OIDC detected (${oidcProvider}) — npm ${npmVersion} will authenticate via trusted publishing`);
+		}
+		return;
+	}
+	const token = process.env.NODE_AUTH_TOKEN || process.env.NPM_TOKEN;
+	if (token) {
+		if (process.env.NPM_TOKEN && !process.env.NODE_AUTH_TOKEN) process.env.NODE_AUTH_TOKEN = token;
+		const authLine = "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}";
+		if (existingNpmrc) appendFileSync(npmrcPath, `\n${authLine}\n`);
+		else writeFileSync(npmrcPath, `${authLine}\n`);
+		log.dim("  Configured .npmrc with auth token");
+		return;
+	}
+	if (process.env.CI) {
+		log.warn("  No npm authentication detected. Publishing will likely fail.");
+		log.warn("  Options:");
+		log.warn("    • Trusted publishing (OIDC): add `id-token: write` permission + npm >= 11.5.1");
+		log.warn("    • Token auth: set NPM_TOKEN or NODE_AUTH_TOKEN environment variable");
+		log.warn("    • Manual: add `actions/setup-node` with `registry-url` to your workflow");
+	}
+}
+/**
+* Publish all packages in the release plan.
+* Order: topological (dependencies published before dependents).
+*/
+async function publishPackages(releasePlan, packages, depGraph, config, rootDir, opts = {}, catalogs = /* @__PURE__ */ new Map(), detectedPm = "npm") {
+	const result = {
+		published: [],
+		skipped: [],
+		failed: []
+	};
+	const publishConfig = config.publish;
+	setupNpmAuth(rootDir, publishConfig.publishManager);
+	const packManager = publishConfig.packManager === "auto" ? detectedPm : publishConfig.packManager;
+	const topoOrder = depGraph.topologicalSort(packages);
+	const releaseMap = new Map(releasePlan.releases.map((r) => [r.name, r]));
+	const ordered = [];
+	for (const name of topoOrder) {
+		const release = releaseMap.get(name);
+		if (release) ordered.push(release);
+	}
+	for (const release of ordered) {
+		const pkg = packages.get(release.name);
+		const pkgConfig = pkg.bumpy || {};
+		if (pkg.private && !pkgConfig.publishCommand) {
+			if (config.privatePackages.tag) createGitTag(release, rootDir, opts);
+			result.skipped.push({
+				name: release.name,
+				reason: "private"
+			});
+			continue;
+		}
+		log.step(`Publishing ${colorize(release.name, "cyan")}@${release.newVersion}`);
+		try {
+			if (pkgConfig.buildCommand) {
+				log.dim(`  Building...`);
+				if (!opts.dryRun) await runAsync(pkgConfig.buildCommand, { cwd: pkg.dir });
+			}
+			if (pkgConfig.publishCommand || publishConfig.protocolResolution === "in-place") await resolveProtocolsInPlace(pkg, packages, releasePlan, catalogs);
+			if (pkgConfig.publishCommand) {
+				const commands = Array.isArray(pkgConfig.publishCommand) ? pkgConfig.publishCommand : [pkgConfig.publishCommand];
+				for (const cmd of commands) {
+					const expanded = cmd.replace(/\{\{version\}\}/g, release.newVersion).replace(/\{\{name\}\}/g, release.name);
+					log.dim(`  Running: ${expanded}`);
+					if (!opts.dryRun) await runAsync(expanded, { cwd: pkg.dir });
+				}
+			} else if (!pkgConfig.skipNpmPublish) if (publishConfig.protocolResolution === "pack") await packThenPublish(pkg, pkgConfig, config, packManager, opts);
+			else await npmPublishDirect(pkg, pkgConfig, config, opts);
+			else {
+				result.skipped.push({
+					name: release.name,
+					reason: "skipNpmPublish"
+				});
+				createGitTag(release, rootDir, opts);
+				continue;
+			}
+			createGitTag(release, rootDir, opts);
+			result.published.push({
+				name: release.name,
+				version: release.newVersion
+			});
+			log.success(`  Published ${release.name}@${release.newVersion}`);
+		} catch (err) {
+			const errMsg = err instanceof Error ? err.message : String(err);
+			log.error(`  Failed to publish ${release.name}: ${errMsg}`);
+			result.failed.push({
+				name: release.name,
+				error: errMsg
+			});
+		}
+	}
+	return result;
+}
+/**
+* Pack with the PM (which resolves workspace:/catalog: protocols into the tarball),
+* then publish the tarball with npm (which supports OIDC/provenance).
+*/
+async function packThenPublish(pkg, pkgConfig, config, packManager, opts) {
+	const packCmd = getPackCommand(packManager);
+	log.dim(`  Packing with: ${packCmd}`);
+	if (opts.dryRun) {
+		const publishCmd = buildPublishCommand(pkg, pkgConfig, config, opts, "<tarball>");
+		log.dim(`  Would publish with: ${publishCmd}`);
+		return;
+	}
+	const tarball = parseTarballPath(await runAsync(packCmd, { cwd: pkg.dir }), pkg.dir);
+	try {
+		const publishCmd = buildPublishCommand(pkg, pkgConfig, config, opts, tarball);
+		log.dim(`  Publishing: ${publishCmd}`);
+		await runAsync(publishCmd, { cwd: pkg.dir });
+	} finally {
+		try {
+			await unlink(tarball);
+		} catch {}
+	}
+}
+/** Publish directly from the package directory (no tarball) */
+async function npmPublishDirect(pkg, pkgConfig, config, opts) {
+	const cmd = buildPublishCommand(pkg, pkgConfig, config, opts);
+	log.dim(`  Running: ${cmd}`);
+	if (!opts.dryRun) await runAsync(cmd, { cwd: pkg.dir });
+}
+function getPackCommand(pm) {
+	switch (pm) {
+		case "pnpm": return "pnpm pack";
+		case "bun": return "bun pm pack";
+		case "yarn": return "yarn pack";
+		default: return "npm pack";
+	}
+}
+function buildPublishCommand(pkg, pkgConfig, config, opts, tarball) {
+	const publishManager = config.publish.publishManager;
+	const parts = [];
+	if (publishManager === "yarn") parts.push("yarn npm publish");
+	else parts.push(`${publishManager} publish`);
+	if (tarball) parts.push(tarball);
+	const access = pkgConfig?.access || config.access;
+	parts.push(`--access ${access}`);
+	if (pkgConfig?.registry) parts.push(`--registry ${pkgConfig.registry}`);
+	if (opts.tag) parts.push(`--tag ${opts.tag}`);
+	if (config.publish.publishArgs.length > 0) parts.push(...config.publish.publishArgs);
+	return parts.join(" ");
+}
+/**
+* Parse the tarball path from pack command output.
+* Each PM has different output formats:
+*   npm/pnpm: tarball filename on the last line
+*   bun:      tarball filename mid-output, summary lines after
+*   yarn:     'success Wrote tarball to "/path/to/foo.tgz".'
+*/
+function parseTarballPath(output, cwd) {
+	const tgzMatch = output.match(/(?:^|["'\s])([^\s"']*\.tgz)/m);
+	if (tgzMatch) {
+		const tarball = tgzMatch[1];
+		return tarball.startsWith("/") ? tarball : resolve(cwd, tarball);
+	}
+	const lines = output.trim().split("\n").filter(Boolean);
+	const lastLine = lines[lines.length - 1]?.trim() || "";
+	return lastLine.startsWith("/") ? lastLine : resolve(cwd, lastLine);
+}
+function createGitTag(release, rootDir, opts) {
+	const tag = `${release.name}@${release.newVersion}`;
+	if (opts.dryRun) {
+		log.dim(`  Would create tag: ${tag}`);
+		return;
+	}
+	if (tagExists(tag, { cwd: rootDir })) {
+		log.dim(`  Tag ${tag} already exists, skipping`);
+		return;
+	}
+	createTag(tag, { cwd: rootDir });
+	log.dim(`  Tagged: ${tag}`);
+}
+/**
+* Resolve workspace:/catalog: protocols by rewriting package.json in-place.
+* Used for custom publish commands and "in-place" protocolResolution mode.
+*/
+async function resolveProtocolsInPlace(pkg, packages, releasePlan, catalogs) {
+	const pkgJsonPath = resolve(pkg.dir, "package.json");
+	const pkgJson = await readJson(pkgJsonPath);
+	let modified = false;
+	const releaseMap = new Map(releasePlan.releases.map((r) => [r.name, r]));
+	for (const depField of [
+		"dependencies",
+		"devDependencies",
+		"peerDependencies",
+		"optionalDependencies"
+	]) {
+		const deps = pkgJson[depField];
+		if (!deps) continue;
+		for (const [depName, range] of Object.entries(deps)) {
+			let resolved = null;
+			if (range.startsWith("catalog:")) {
+				resolved = resolveCatalogDep(depName, range, catalogs);
+				if (!resolved) {
+					log.warn(`  Could not resolve ${depName}: "${range}" — catalog entry not found`);
+					continue;
+				}
+			} else if (range.startsWith("workspace:")) {
+				const cleanRange = stripProtocol(range);
+				if (cleanRange === "*" || cleanRange === "^" || cleanRange === "~") {
+					const depPkg = packages.get(depName);
+					const version = releaseMap.get(depName)?.newVersion || depPkg?.version || "0.0.0";
+					resolved = `${cleanRange === "*" ? "^" : cleanRange}${version}`;
+				} else resolved = cleanRange;
+			}
+			if (resolved) {
+				deps[depName] = resolved;
+				modified = true;
+			}
+		}
+	}
+	if (modified) await writeJson(pkgJsonPath, pkgJson);
+}
+//#endregion
+export { hasUncommittedChanges as n, pushWithTags as r, publishPackages as t };

package/dist/release-plan-CFnutSHD.mjs

@@ -0,0 +1,173 @@
+import { g as parseIsolatedBump, h as maxBump, l as DEFAULT_BUMP_RULES, m as hasCascade, p as bumpLevel, s as matchGlob } from "./config-CJ2orhTL.mjs";
+import { n as satisfies, r as stripProtocol, t as bumpVersion } from "./semver-DWO6NFKN.mjs";
+//#region src/core/release-plan.ts
+/**
+* Build a release plan from pending changesets, the dependency graph, and config.
+* This is the core algorithm of bumpy.
+*/
+function assembleReleasePlan(changesets, packages, depGraph, config) {
+	if (changesets.length === 0) return {
+		changesets: [],
+		releases: []
+	};
+	const planned = /* @__PURE__ */ new Map();
+	const cascadeOverrides = /* @__PURE__ */ new Map();
+	for (const cs of changesets) for (const release of cs.releases) {
+		if (!packages.has(release.name)) continue;
+		const { bump, isolated } = parseIsolatedBump(release.type);
+		const existing = planned.get(release.name);
+		if (existing) {
+			existing.type = maxBump(existing.type, bump);
+			if (!isolated) existing.isolated = false;
+			existing.changesets.add(cs.id);
+		} else planned.set(release.name, {
+			type: bump,
+			isolated,
+			isDependencyBump: false,
+			isCascadeBump: false,
+			changesets: new Set([cs.id])
+		});
+		if (hasCascade(release)) {
+			if (!cascadeOverrides.has(release.name)) cascadeOverrides.set(release.name, /* @__PURE__ */ new Map());
+			const overrides = cascadeOverrides.get(release.name);
+			for (const [pattern, bumpType] of Object.entries(release.cascade)) {
+				const existing = overrides.get(pattern);
+				overrides.set(pattern, maxBump(existing, bumpType));
+			}
+		}
+	}
+	for (const group of config.fixed) {
+		let groupBump;
+		let groupIsolated = true;
+		for (const nameOrGlob of group) for (const [name, bump] of planned) if (matchGlob(name, nameOrGlob)) {
+			groupBump = maxBump(groupBump, bump.type);
+			if (!bump.isolated) groupIsolated = false;
+		}
+		if (!groupBump) continue;
+		for (const nameOrGlob of group) for (const [name] of packages) {
+			if (!matchGlob(name, nameOrGlob)) continue;
+			const existing = planned.get(name);
+			if (existing) {
+				existing.type = groupBump;
+				existing.isolated = groupIsolated;
+			} else planned.set(name, {
+				type: groupBump,
+				isolated: groupIsolated,
+				isDependencyBump: false,
+				isCascadeBump: false,
+				changesets: /* @__PURE__ */ new Set()
+			});
+		}
+	}
+	for (const group of config.linked) {
+		let groupBump;
+		for (const nameOrGlob of group) for (const [name, bump] of planned) if (matchGlob(name, nameOrGlob)) groupBump = maxBump(groupBump, bump.type);
+		if (!groupBump) continue;
+		for (const nameOrGlob of group) for (const [name] of packages) {
+			if (!matchGlob(name, nameOrGlob)) continue;
+			const existing = planned.get(name);
+			if (existing) existing.type = groupBump;
+		}
+	}
+	let changed = true;
+	let iterations = 0;
+	const MAX_ITERATIONS = 100;
+	while (changed && iterations < MAX_ITERATIONS) {
+		changed = false;
+		iterations++;
+		for (const [pkgName, bump] of planned) {
+			if (bump.isolated) continue;
+			const csOverrides = cascadeOverrides.get(pkgName);
+			if (csOverrides) for (const [pattern, cascadeBumpType] of csOverrides) for (const [targetName] of packages) {
+				if (!matchGlob(targetName, pattern)) continue;
+				if (applyBump(planned, targetName, cascadeBumpType, false, true, bump.changesets)) changed = true;
+			}
+			const cascadeTo = packages.get(pkgName)?.bumpy?.cascadeTo;
+			if (cascadeTo) for (const [pattern, rule] of Object.entries(cascadeTo)) {
+				if (!shouldTrigger(bump.type, rule.trigger)) continue;
+				const cascadeBump = rule.bumpAs === "match" ? bump.type : rule.bumpAs;
+				for (const [targetName] of packages) {
+					if (!matchGlob(targetName, pattern)) continue;
+					if (applyBump(planned, targetName, cascadeBump, false, true, bump.changesets)) changed = true;
+				}
+			}
+			const dependents = depGraph.getDependents(pkgName);
+			for (const dep of dependents) {
+				const rule = resolveRule(dep.name, pkgName, dep.depType, packages, config);
+				if (!shouldTrigger(bump.type, rule.trigger)) continue;
+				if (config.updateInternalDependencies === "out-of-range") {
+					if (satisfies(bumpVersion(packages.get(pkgName).version, bump.type), stripProtocol(dep.versionRange))) continue;
+				}
+				if (config.updateInternalDependencies === "none") continue;
+				if (config.updateInternalDependencies === "minor" && bumpLevel(bump.type) < bumpLevel("minor")) continue;
+				const depBump = rule.bumpAs === "match" ? bump.type : rule.bumpAs;
+				if (applyBump(planned, dep.name, depBump, true, false, bump.changesets)) changed = true;
+			}
+		}
+	}
+	const releases = [];
+	for (const [name, bump] of planned) {
+		const pkg = packages.get(name);
+		if (!pkg) continue;
+		const newVersion = bumpVersion(pkg.version, bump.type);
+		releases.push({
+			name,
+			type: bump.type,
+			oldVersion: pkg.version,
+			newVersion,
+			changesets: [...bump.changesets],
+			isDependencyBump: bump.isDependencyBump,
+			isCascadeBump: bump.isCascadeBump
+		});
+	}
+	releases.sort((a, b) => a.name.localeCompare(b.name));
+	return {
+		changesets,
+		releases
+	};
+}
+/** Apply a bump to a package, upgrading if already planned. Returns true if anything changed. */
+function applyBump(planned, name, type, isDependencyBump, isCascadeBump, sourceChangesets) {
+	const existing = planned.get(name);
+	if (existing) {
+		const newType = maxBump(existing.type, type);
+		if (newType === existing.type) return false;
+		existing.type = newType;
+		if (isDependencyBump) existing.isDependencyBump = true;
+		if (isCascadeBump) existing.isCascadeBump = true;
+		for (const cs of sourceChangesets) existing.changesets.add(cs);
+		return true;
+	}
+	planned.set(name, {
+		type,
+		isolated: false,
+		isDependencyBump,
+		isCascadeBump,
+		changesets: new Set(sourceChangesets)
+	});
+	return true;
+}
+/** Check if a bump level meets the trigger threshold */
+function shouldTrigger(bumpType, trigger) {
+	if (trigger === "none") return false;
+	return bumpLevel(bumpType) >= bumpLevel(trigger);
+}
+/**
+* Resolve the dependency bump rule for a specific dependent/dependency pair.
+* Priority: specificDependencyRules > per-package depType rules > global depType rules > defaults
+*/
+function resolveRule(dependentName, dependencyName, depType, packages, config) {
+	const dependent = packages.get(dependentName);
+	if (dependent?.bumpy?.specificDependencyRules?.[dependencyName]) return dependent.bumpy.specificDependencyRules[dependencyName];
+	if (dependent?.bumpy?.specificDependencyRules) {
+		for (const [pattern, rule] of Object.entries(dependent.bumpy.specificDependencyRules)) if (matchGlob(dependencyName, pattern)) return rule;
+	}
+	if (dependent?.bumpy?.dependencyBumpRules?.[depType]) return dependent.bumpy.dependencyBumpRules[depType];
+	if (config.dependencyBumpRules[depType]) return config.dependencyBumpRules[depType];
+	return DEFAULT_BUMP_RULES[depType] || {
+		trigger: "patch",
+		bumpAs: "patch"
+	};
+}
+//#endregion
+export { assembleReleasePlan as t };