@varlock/bumpy 0.0.1 → 1.0.0

package/dist/ci-setup-qz4Y3v7T.mjs

@@ -0,0 +1,211 @@
+import { n as log, o as __toESM, r as require_picocolors } from "./logger-C2dEe5Su.mjs";
+import { t as detectPackageManager } from "./package-manager-VCe10bjc.mjs";
+import { o as tryRunArgs } from "./shell-Dj7JRD_q.mjs";
+import { a as fe, c as ot, i as _t, n as O, o as gt, r as Ot, s as mt, t as unwrap, u as wt } from "./clack-CDRCHrC-.mjs";
+//#region src/commands/ci-setup.ts
+var import_picocolors = /* @__PURE__ */ __toESM(require_picocolors(), 1);
+const PAT_PERMISSIONS = [
+	"contents: read & write",
+	"pull requests: read & write",
+	"metadata: read (selected automatically)"
+];
+async function ciSetupCommand(rootDir) {
+	mt(import_picocolors.default.bgCyan(import_picocolors.default.black(" bumpy ci setup ")));
+	const repo = detectRepo(rootDir);
+	if (!repo) {
+		log.error("Could not detect a GitHub repository.\n  This command currently only supports GitHub-hosted repos.\n  Make sure you have a GitHub remote (git remote -v).");
+		process.exit(1);
+	}
+	const pm = await detectPackageManager(rootDir);
+	O.info(`Detected repository: ${import_picocolors.default.cyan(repo)}`);
+	O.info("");
+	O.info("To trigger CI checks on the version PR, bumpy needs a token\nthat bypasses GitHub's default anti-recursion guard.\nYou can use a fine-grained PAT or a GitHub App installation token.");
+	if (unwrap(await _t({
+		message: "How would you like to authenticate?",
+		options: [{
+			label: "Fine-grained Personal Access Token (PAT)",
+			value: "pat",
+			hint: "recommended — quick and simple"
+		}, {
+			label: "GitHub App installation token",
+			value: "app",
+			hint: "advanced — not tied to a personal account"
+		}]
+	})) === "pat") await setupPat(rootDir, repo, pm);
+	else await setupApp(rootDir, repo, pm);
+}
+async function setupPat(rootDir, repo, pm) {
+	const patUrl = "https://github.com/settings/personal-access-tokens/new";
+	O.info("");
+	wt([
+		`1. Open: ${import_picocolors.default.cyan(patUrl)}`,
+		"",
+		`2. Set a name, e.g. ${import_picocolors.default.dim("\"bumpy-ci\"")}`,
+		"",
+		`3. Under ${import_picocolors.default.bold("Resource owner")}, select the org or account that owns ${import_picocolors.default.cyan(repo)}`,
+		"",
+		`4. Set ${import_picocolors.default.bold("Expiration")} — choose a longer duration to avoid frequent rotation`,
+		`   (you'll need to regenerate and update the secret when it expires)`,
+		"",
+		`5. Under ${import_picocolors.default.bold("Repository access")}, select ${import_picocolors.default.bold("\"Only select repositories\"")}`,
+		`   and choose ${import_picocolors.default.cyan(repo)}`,
+		"",
+		`6. Under ${import_picocolors.default.bold("Permissions → Repository permissions")}, grant:`,
+		...PAT_PERMISSIONS.map((perm) => `   • ${import_picocolors.default.bold(perm)}`),
+		"",
+		"7. Click \"Generate token\" and copy the value",
+		"",
+		import_picocolors.default.dim("Note: if the resource owner is an org, an admin may need to approve"),
+		import_picocolors.default.dim("the token request before it can be used."),
+		"",
+		import_picocolors.default.dim("Tip: enable branch protection rules on your main branch to prevent"),
+		import_picocolors.default.dim("direct pushes — the PAT will only be used to push the version branch.")
+	].join("\n"), "Create a fine-grained PAT");
+	if (unwrap(await ot({ message: "Open the token creation page in your browser?" }))) openBrowser(patUrl);
+	await storeSecret(rootDir, repo, unwrap(await Ot({
+		message: "Paste your token:",
+		placeholder: "github_pat_...",
+		validate: (value) => {
+			if (!value?.trim()) return "Token is required";
+			if (!value?.startsWith("github_pat_")) return "Expected a fine-grained PAT (starts with github_pat_)";
+		}
+	})), pm);
+}
+async function setupApp(rootDir, repo, pm) {
+	const owner = repo.split("/")[0];
+	const appUrl = `https://github.com/organizations/${owner}/settings/apps/new`;
+	const createUrl = unwrap(await ot({
+		message: `Is ${import_picocolors.default.cyan(owner)} a GitHub organization?`,
+		initialValue: true
+	})) ? appUrl : `https://github.com/settings/apps/new`;
+	O.info("");
+	wt([
+		"If you already have a GitHub App, skip to step 2.",
+		"",
+		import_picocolors.default.bold("Step 1: Create a GitHub App"),
+		"",
+		`1. Open: ${import_picocolors.default.cyan(createUrl)}`,
+		`2. Set the name, e.g. ${import_picocolors.default.dim(`"${owner}-bumpy-ci"`)}`,
+		"3. Uncheck \"Active\" under Webhooks (not needed)",
+		"4. Under Permissions → Repository permissions, grant:",
+		...PAT_PERMISSIONS.map((perm) => `   • ${import_picocolors.default.bold(perm)}`),
+		"5. Under \"Where can this app be installed?\" select \"Only on this account\"",
+		"6. Click \"Create GitHub App\"",
+		"7. Note the App ID shown on the settings page",
+		"8. Generate a private key and download the .pem file",
+		"",
+		import_picocolors.default.bold("Step 2: Install the App"),
+		"",
+		`Install the app on ${import_picocolors.default.cyan(repo)} from the app's "Install App" tab.`,
+		"",
+		import_picocolors.default.bold("Step 3: Add secrets"),
+		"",
+		"You'll need to add two repository secrets:",
+		`  • ${import_picocolors.default.bold("BUMPY_APP_ID")} — the App ID`,
+		`  • ${import_picocolors.default.bold("BUMPY_APP_PRIVATE_KEY")} — contents of the .pem file`
+	].join("\n"), "GitHub App setup");
+	if (unwrap(await ot({ message: "Open the app creation page in your browser?" }))) openBrowser(createUrl);
+	if (unwrap(await ot({ message: "Have you added the BUMPY_APP_ID and BUMPY_APP_PRIVATE_KEY secrets?" }))) printAppWorkflowSnippet(pm);
+	else {
+		O.info("You can add them later. Once ready, update your release workflow:");
+		printAppWorkflowSnippet(pm);
+	}
+	gt(import_picocolors.default.green("GitHub App setup complete!"));
+}
+async function storeSecret(rootDir, repo, token, pm) {
+	if (!tryRunArgs(["gh", "--version"])) {
+		O.warn("`gh` CLI not found — you'll need to add the secret manually.");
+		wt(`Go to: https://github.com/${repo}/settings/secrets/actions/new\nName: ${import_picocolors.default.bold("BUMPY_GH_TOKEN")}\nValue: (the token you just created)`, "Add repository secret manually");
+		printPatWorkflowSnippet(pm);
+		gt(import_picocolors.default.green("Setup complete!"));
+		return;
+	}
+	const isReplacing = tryRunArgs([
+		"gh",
+		"secret",
+		"list",
+		"--repo",
+		repo
+	], { cwd: rootDir })?.includes("BUMPY_GH_TOKEN") ?? false;
+	const spin = fe();
+	spin.start(isReplacing ? "Replacing BUMPY_GH_TOKEN repository secret..." : "Storing BUMPY_GH_TOKEN as a repository secret...");
+	try {
+		tryRunArgs([
+			"gh",
+			"secret",
+			"set",
+			"BUMPY_GH_TOKEN",
+			"--repo",
+			repo
+		], {
+			cwd: rootDir,
+			input: token
+		});
+		spin.stop(isReplacing ? "Secret replaced!" : "Secret stored!");
+	} catch {
+		spin.stop("Failed to store secret");
+		O.warn("Could not store the secret automatically.");
+		wt(`Go to: https://github.com/${repo}/settings/secrets/actions/new\nName: ${import_picocolors.default.bold("BUMPY_GH_TOKEN")}\nValue: (the token you just created)`, "Add repository secret manually");
+	}
+	printPatWorkflowSnippet(pm);
+	gt(import_picocolors.default.green("Setup complete!"));
+}
+function printPatWorkflowSnippet(pm) {
+	const runCmd = pmxCommand(pm);
+	wt([
+		"In your release workflow, pass the token to bumpy:",
+		"",
+		import_picocolors.default.dim("# .github/workflows/release.yaml"),
+		import_picocolors.default.dim(`- run: ${runCmd} ci release`),
+		import_picocolors.default.dim("  env:"),
+		import_picocolors.default.dim("    GH_TOKEN: ${{ github.token }}"),
+		import_picocolors.default.green("    BUMPY_GH_TOKEN: ${{ secrets.BUMPY_GH_TOKEN }}")
+	].join("\n"), "Update your workflow");
+}
+function printAppWorkflowSnippet(pm) {
+	const runCmd = pmxCommand(pm);
+	wt([
+		"In your release workflow, generate a token and pass it to bumpy:",
+		"",
+		import_picocolors.default.dim("# .github/workflows/release.yaml"),
+		import_picocolors.default.green("- uses: actions/create-github-app-token@v2"),
+		import_picocolors.default.green("  id: app-token"),
+		import_picocolors.default.green("  with:"),
+		import_picocolors.default.green("    app-id: ${{ secrets.BUMPY_APP_ID }}"),
+		import_picocolors.default.green("    private-key: ${{ secrets.BUMPY_APP_PRIVATE_KEY }}"),
+		"",
+		import_picocolors.default.dim(`- run: ${runCmd} ci release`),
+		import_picocolors.default.dim("  env:"),
+		import_picocolors.default.dim("    GH_TOKEN: ${{ github.token }}"),
+		import_picocolors.default.green("    BUMPY_GH_TOKEN: ${{ steps.app-token.outputs.token }}")
+	].join("\n"), "Update your workflow");
+}
+/** Package-manager-appropriate command for running bumpy in CI workflows */
+function pmxCommand(pm) {
+	if (pm === "bun") return "bunx @varlock/bumpy";
+	if (pm === "pnpm") return "pnpm exec bumpy";
+	if (pm === "yarn") return "yarn bumpy";
+	return "npx @varlock/bumpy";
+}
+function detectRepo(rootDir) {
+	if (process.env.GITHUB_REPOSITORY) return process.env.GITHUB_REPOSITORY;
+	const remote = tryRunArgs([
+		"git",
+		"remote",
+		"get-url",
+		"origin"
+	], { cwd: rootDir });
+	if (!remote) return null;
+	const sshMatch = remote.match(/github\.com[:/](.+?)(?:\.git)?$/);
+	if (sshMatch) return sshMatch[1];
+	const httpsMatch = remote.match(/github\.com\/(.+?)(?:\.git)?$/);
+	if (httpsMatch) return httpsMatch[1];
+	return null;
+}
+function openBrowser(url) {
+	try {
+		tryRunArgs([process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open", url]);
+	} catch {}
+}
+//#endregion
+export { ciSetupCommand };