@varlock/bumpy 1.10.1 → 1.11.0

package/README.md

@@ -171,8 +171,6 @@ jobs:
 
 </details>
 
-You can also use `bumpy ci release --auto-publish` to version + publish directly on merge without the intermediate PR.
-
 ### Token setup
 
 The default `github.token` works for basic functionality, but GitHub's anti-recursion guard means PRs created by the default token won't trigger other workflows - so your regular CI (tests, linting, etc.) won't run automatically on the Version Packages PR. To fix this, provide a `BUMPY_GH_TOKEN` secret using either a **fine-grained PAT** or a **GitHub App token**. See the [full token setup guide](https://github.com/dmno-dev/bumpy/blob/main/docs/github-actions.md#token-setup) for details.

package/config-schema.json

@@ -143,7 +143,7 @@
         "publishArgs": {
           "type": "array",
           "items": { "type": "string" },
-          "description": "Extra args appended to the publish command (e.g., \"--provenance\")",
+          "description": "Extra args appended to the publish command (e.g., \"--tag next\")",
           "default": []
         },
         "protocolResolution": {
@@ -151,6 +151,16 @@
           "enum": ["pack", "in-place", "none"],
           "description": "How to handle workspace:/catalog: protocol resolution. \"pack\" = use PM's pack to build a clean tarball, \"in-place\" = rewrite package.json before publish, \"none\" = don't resolve.",
           "default": "pack"
+        },
+        "provenance": {
+          "type": "boolean",
+          "description": "Attach provenance attestation when publishing via npm. Requires a supported CI environment with OIDC (GitHub Actions, GitLab CI, etc.). Only works with publishManager \"npm\".",
+          "default": false
+        },
+        "npmStaged": {
+          "type": "boolean",
+          "description": "Use npm staged publishing (`npm stage publish`). Stages the publish on npmjs.com, requiring manual 2FA approval before going live. Only works with publishManager \"npm\" and requires npm >= 11.15.0.",
+          "default": false
         }
       },
       "additionalProperties": false

package/dist/{apply-release-plan-CmjqYo0t.mjs → apply-release-plan-DD2R7SL2.mjs}

@@ -1,6 +1,6 @@
 import { a as readJson, c as removeFile, f as writeText, i as listFiles, l as updateJsonFields, n as exists, s as readText, u as updateJsonNestedField } from "./fs-CBXKZhoU.mjs";
 import { r as getBumpyDir } from "./config-D_4GYDJi.mjs";
-import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry } from "./changelog-A-EwWggW.mjs";
+import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry } from "./changelog-CbaET5V6.mjs";
 import { resolve } from "node:path";
 //#region src/core/apply-release-plan.ts
 /** Apply the release plan: bump versions, update changelogs, delete bump files */

package/dist/{changelog-A-EwWggW.mjs → changelog-CbaET5V6.mjs}

@@ -26,26 +26,25 @@ const defaultFormatter = (ctx) => {
 	for (const bf of sorted) {
 		if (!bf.summary) continue;
 		const type = getBumpTypeForPackage(bf, release.name);
-		const tag = type !== release.type ? `*(${type})* ` : "";
 		const summaryLines = bf.summary.split("\n");
-		lines.push(`- ${tag}${summaryLines[0]}`);
+		lines.push(`- *(${type})* ${summaryLines[0]}`);
 		for (let i = 1; i < summaryLines.length; i++) if (summaryLines[i].trim()) lines.push(`  ${summaryLines[i]}`);
 	}
 	const sourceList = release.bumpSources.length > 0 ? release.bumpSources.map((s) => `\`${s.name}\` v${s.newVersion}`).join(", ") : "";
 	if (release.isDependencyBump) {
 		const depBumpType = release.bumpSources.reduce((max, s) => maxBump(max, s.bumpType), void 0);
-		const tag = depBumpType && depBumpType !== release.type ? `*(${depBumpType})* ` : "";
-		lines.push(`- ${tag}Updated dependency ${sourceList || "(internal)"}`);
+		const depBumpTag = depBumpType ? `*(${depBumpType})* ` : "";
+		lines.push(`- ${depBumpTag}Updated dependency ${sourceList || "(internal)"}`);
 	}
-	if (release.isGroupBump) lines.push(sourceList ? `- Version bump from group with ${sourceList}` : "- Version bump from group");
-	if (release.isCascadeBump && !release.isDependencyBump && !release.isGroupBump) lines.push(sourceList ? `- Version bump from ${sourceList}` : "- Version bump via cascade rule");
+	if (release.isGroupBump) lines.push(sourceList ? `- *(${release.type})* Version bump from group with ${sourceList}` : `- *(${release.type})* Version bump from group`);
+	if (release.isCascadeBump && !release.isDependencyBump && !release.isGroupBump) lines.push(sourceList ? `- *(${release.type})* Version bump from ${sourceList}` : `- *(${release.type})* Version bump via cascade rule`);
 	lines.push("");
 	return lines.join("\n");
 };
 const BUILTIN_FORMATTERS = {
 	default: defaultFormatter,
 	github: async () => {
-		const { createGithubFormatter } = await import("./changelog-github-CPVrJHyB.mjs");
+		const { createGithubFormatter } = await import("./changelog-github-DXDnWkrB.mjs");
 		return createGithubFormatter();
 	}
 };
@@ -56,7 +55,7 @@ const BUILTIN_FORMATTERS = {
 async function loadFormatter(changelog, rootDir) {
 	const [name, options] = Array.isArray(changelog) ? changelog : [changelog, {}];
 	if (name === "github") {
-		const { createGithubFormatter } = await import("./changelog-github-CPVrJHyB.mjs");
+		const { createGithubFormatter } = await import("./changelog-github-DXDnWkrB.mjs");
 		return createGithubFormatter(options);
 	}
 	if (typeof name === "string" && BUILTIN_FORMATTERS[name]) {

package/dist/{changelog-github-CPVrJHyB.mjs → changelog-github-DXDnWkrB.mjs}

@@ -1,6 +1,6 @@
 import { c as maxBump } from "./types-Bkh-igOJ.mjs";
 import { s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { o as sortBumpFilesByType, r as getBumpTypeForPackage } from "./changelog-A-EwWggW.mjs";
+import { o as sortBumpFilesByType, r as getBumpTypeForPackage } from "./changelog-CbaET5V6.mjs";
 //#region src/core/changelog-github.ts
 /** Authors filtered from "Thanks" attribution by default (e.g. bots) */
 /** Authors filtered from "Thanks" attribution by default (e.g. AI/automation bots) */
@@ -41,8 +41,7 @@ function createGithubFormatter(options = {}) {
 		const sorted = sortBumpFilesByType(bumpFiles.filter((bf) => release.bumpFiles.includes(bf.id)), release.name);
 		for (const bf of sorted) {
 			if (!bf.summary) continue;
-			const type = getBumpTypeForPackage(bf, release.name);
-			const tag = type !== release.type ? ` *(${type})*` : "";
+			const tag = ` *(${getBumpTypeForPackage(bf, release.name)})*`;
 			const { cleanSummary, overrides } = extractSummaryMeta(bf.summary);
 			const gitInfo = resolveBumpFileInfo(bf.id, repoSlug, serverUrl, overrides);
 			const summaryLines = cleanSummary.split("\n");
@@ -60,11 +59,11 @@ function createGithubFormatter(options = {}) {
 		const sourceList = release.bumpSources.length > 0 ? release.bumpSources.map((s) => `\`${s.name}\` v${s.newVersion}`).join(", ") : "";
 		if (release.isDependencyBump) {
 			const depBumpType = release.bumpSources.reduce((max, s) => maxBump(max, s.bumpType), void 0);
-			const depTag = depBumpType && depBumpType !== release.type ? ` *(${depBumpType})* -` : "";
+			const depTag = depBumpType ? ` *(${depBumpType})*` : "";
 			lines.push(`-${depTag} Updated dependency ${sourceList || "(internal)"}`);
 		}
-		if (release.isGroupBump) lines.push(sourceList ? `- Version bump from group with ${sourceList}` : "- Version bump from group");
-		if (release.isCascadeBump && !release.isDependencyBump && !release.isGroupBump) lines.push(sourceList ? `- Version bump from ${sourceList}` : "- Version bump via cascade rule");
+		if (release.isGroupBump) lines.push(sourceList ? `- *(${release.type})* Version bump from group with ${sourceList}` : `- *(${release.type})* Version bump from group`);
+		if (release.isCascadeBump && !release.isDependencyBump && !release.isGroupBump) lines.push(sourceList ? `- *(${release.type})* Version bump from ${sourceList}` : `- *(${release.type})* Version bump via cascade rule`);
 		lines.push("");
 		return lines.join("\n");
 	};

package/dist/{ci-fXCBOIqu.mjs → ci-D73iWdkg.mjs}

@@ -157,7 +157,7 @@ async function ciPlanCommand(rootDir) {
 		packageNames: plan.releases.map((r) => r.name)
 	};
 	else {
-		const { findUnpublishedPackages } = await import("./publish-BHHWtI1W.mjs");
+		const { findUnpublishedPackages } = await import("./publish-DWs1u5HU.mjs");
 		const unpublished = await findUnpublishedPackages(packages, config);
 		if (unpublished.length > 0) output = {
 			mode: "publish",
@@ -212,8 +212,10 @@ function writeGitHubOutput(key, value) {
 	appendFileSync(outputFile, `${key}<<${delimiter}\n${value}\n${delimiter}\n`);
 }
 /**
-* CI release: either auto-publish or create a version PR.
-* Designed for merge-to-main workflows.
+* CI release: either create a version PR (bump files present) or publish unpublished
+* packages (no bump files — i.e. a version PR was just merged). Pass `autoPublish` to
+* collapse both steps into a single push-to-main, or `assertMode` to refuse running
+* when the detected state doesn't match expectations (used by split-job workflows).
 */
 async function ciReleaseCommand(rootDir, opts) {
 	const config = await loadConfig(rootDir);
@@ -225,33 +227,38 @@ async function ciReleaseCommand(rootDir, opts) {
 		for (const err of releaseParseErrors) log.error(err);
 		throw new Error("Bump file parse errors must be fixed before releasing.");
 	}
-	if (bumpFiles.length === 0) {
-		log.info("No pending bump files — checking for unpublished packages...");
-		const recoveredBumpFiles = recoverDeletedBumpFiles(rootDir);
-		const { publishCommand } = await import("./publish-BHHWtI1W.mjs");
-		await publishCommand(rootDir, {
-			tag: opts.tag,
-			recoveredBumpFiles
-		});
-		return;
-	}
-	const plan = assembleReleasePlan(bumpFiles, packages, depGraph, config);
-	if (plan.releases.length === 0) {
-		log.info("Bump files found but no packages would be released — checking for unpublished packages...");
+	const plan = bumpFiles.length > 0 ? assembleReleasePlan(bumpFiles, packages, depGraph, config) : null;
+	const detectedMode = plan && plan.releases.length > 0 ? "version-pr" : "publish";
+	if (opts.assertMode && opts.assertMode !== detectedMode) throw new Error(`Expected mode "${opts.assertMode}" but detected "${detectedMode}". Either remove --expect-mode, or gate this step on the output of "bumpy ci plan".`);
+	if (detectedMode === "publish") {
+		const msg = bumpFiles.length === 0 ? "No pending bump files — checking for unpublished packages..." : "Bump files found but no packages would be released — checking for unpublished packages...";
+		log.info(msg);
 		const recoveredBumpFiles = recoverDeletedBumpFiles(rootDir);
-		const { publishCommand } = await import("./publish-BHHWtI1W.mjs");
+		const { publishCommand } = await import("./publish-DWs1u5HU.mjs");
 		await publishCommand(rootDir, {
 			tag: opts.tag,
 			recoveredBumpFiles
 		});
 		return;
 	}
-	if (opts.mode === "auto-publish") await autoPublish(rootDir, config, plan, opts.tag);
+	if (opts.autoPublish) await autoPublish(rootDir, config, plan, opts.tag);
 	else await createVersionPr(rootDir, plan, config, new Map([...packages.values()].map((p) => [p.name, p.relativeDir])), opts.branch);
 }
+/**
+* "Auto-publish" mode: skip the Version Packages PR and ship version+publish in one run.
+*
+* The only thing forfeited vs. the default flow is the preview/review gate on version
+* bumps. Credentials are NOT a differentiator — a single-job non-auto-publish workflow
+* also carries both PR-write and publish creds, just split across two runs. The real
+* credential separation comes from the split-job pattern, which is orthogonal to (and
+* incompatible with) this flag, since this collapses both paths into one execution.
+*
+* That incompatibility is also why --auto-publish and --expect-mode are mutually exclusive:
+* --expect-mode is for split-job workflows where each job runs exactly one path.
+*/
 async function autoPublish(rootDir, config, plan, tag) {
 	log.step("Running bumpy version...");
-	const { versionCommand } = await import("./version-88KuPbWa.mjs");
+	const { versionCommand } = await import("./version-Bxin6aQC.mjs");
 	await versionCommand(rootDir);
 	log.step("Committing version changes...");
 	runArgs([
@@ -280,7 +287,7 @@ async function autoPublish(rootDir, config, plan, tag) {
 		], { cwd: rootDir });
 	}
 	log.step("Running bumpy publish...");
-	const { publishCommand } = await import("./publish-BHHWtI1W.mjs");
+	const { publishCommand } = await import("./publish-DWs1u5HU.mjs");
 	await publishCommand(rootDir, { tag });
 }
 /**
@@ -354,7 +361,7 @@ async function createVersionPr(rootDir, plan, config, packageDirs, branchName) {
 		branch
 	], { cwd: rootDir });
 	log.step("Running bumpy version...");
-	const { versionCommand } = await import("./version-88KuPbWa.mjs");
+	const { versionCommand } = await import("./version-Bxin6aQC.mjs");
 	await versionCommand(rootDir);
 	runArgs([
 		"git",

package/dist/cli.mjs

@@ -55,7 +55,7 @@ async function main() {
 			}
 			case "version": {
 				const rootDir = await findRoot();
-				const { versionCommand } = await import("./version-88KuPbWa.mjs");
+				const { versionCommand } = await import("./version-Bxin6aQC.mjs");
 				await versionCommand(rootDir, { commit: flags.commit === true });
 				break;
 			}
@@ -89,19 +89,30 @@ async function main() {
 				const subcommand = args[1];
 				const ciFlags = parseFlags(args.slice(2));
 				if (subcommand === "check") {
-					const { ciCheckCommand } = await import("./ci-fXCBOIqu.mjs");
+					const { ciCheckCommand } = await import("./ci-D73iWdkg.mjs");
 					await ciCheckCommand(rootDir, {
 						comment: ciFlags.comment !== void 0 ? ciFlags.comment === true : void 0,
 						strict: ciFlags.strict === true,
 						noFail: ciFlags["no-fail"] === true
 					});
 				} else if (subcommand === "plan") {
-					const { ciPlanCommand } = await import("./ci-fXCBOIqu.mjs");
+					const { ciPlanCommand } = await import("./ci-D73iWdkg.mjs");
 					await ciPlanCommand(rootDir);
 				} else if (subcommand === "release") {
-					const { ciReleaseCommand } = await import("./ci-fXCBOIqu.mjs");
+					const { ciReleaseCommand } = await import("./ci-D73iWdkg.mjs");
+					const expectModeFlag = ciFlags["expect-mode"];
+					const autoPublishFlag = ciFlags["auto-publish"] === true;
+					if (expectModeFlag !== void 0 && expectModeFlag !== "version-pr" && expectModeFlag !== "publish") {
+						log.error(`Invalid --expect-mode value: "${expectModeFlag}". Must be "version-pr" or "publish".`);
+						process.exit(1);
+					}
+					if (expectModeFlag !== void 0 && autoPublishFlag) {
+						log.error("--expect-mode and --auto-publish cannot be used together.");
+						process.exit(1);
+					}
 					await ciReleaseCommand(rootDir, {
-						mode: ciFlags["auto-publish"] === true ? "auto-publish" : "version-pr",
+						autoPublish: autoPublishFlag,
+						assertMode: expectModeFlag,
 						tag: ciFlags.tag,
 						branch: ciFlags.branch
 					});
@@ -116,7 +127,7 @@ async function main() {
 			}
 			case "publish": {
 				const rootDir = await findRoot();
-				const { publishCommand } = await import("./publish-BHHWtI1W.mjs");
+				const { publishCommand } = await import("./publish-DWs1u5HU.mjs");
 				await publishCommand(rootDir, {
 					dryRun: flags["dry-run"] === true,
 					tag: flags.tag,
@@ -140,7 +151,7 @@ async function main() {
 			}
 			case "--version":
 			case "-v":
-				console.log(`bumpy 1.10.1`);
+				console.log(`bumpy 1.11.0`);
 				break;
 			case "help":
 			case "--help":
@@ -160,7 +171,7 @@ async function main() {
 }
 function printHelp() {
 	console.log(`
-  ${colorize(`🐸 bumpy v1.10.1`, "bold")} - Modern monorepo versioning
+  ${colorize(`🐸 bumpy v1.11.0`, "bold")} - Modern monorepo versioning
 
   Usage: bumpy <command> [options]
 
@@ -213,6 +224,7 @@ function printHelp() {
     --no-fail               Warn only, never exit 1
 
   CI release options:
+    --expect-mode <mode>    Assert detected mode: "version-pr" or "publish" (errors if mismatched)
     --auto-publish          Version + publish directly (default: create version PR)
     --tag <tag>             npm dist-tag for auto-publish
     --branch <name>         Branch name for version PR (default: bumpy/version-packages)

package/dist/index.d.mts

@@ -28,7 +28,7 @@ interface PublishConfig {
   packManager: 'auto' | 'npm' | 'pnpm' | 'bun' | 'yarn';
   /** Command to use for publishing. "npm" uses npm publish (supports OIDC). Default: "npm" */
   publishManager: 'npm' | 'pnpm' | 'bun' | 'yarn';
-  /** Extra args appended to the publish command (e.g., "--provenance") */
+  /** Extra args appended to the publish command (e.g., "--tag next") */
   publishArgs: string[];
   /**
    * How to handle workspace:/catalog: protocol resolution.

package/dist/index.mjs

@@ -2,7 +2,7 @@ import { a as DEP_TYPES, c as maxBump, i as DEFAULT_PUBLISH_CONFIG, l as normali
 import { a as loadConfig, n as findRoot, r as getBumpyDir, s as matchGlob } from "./config-D_4GYDJi.mjs";
 import { a as writeBumpFile, n as parseBumpFile, o as discoverPackages, r as readBumpFiles } from "./bump-file-B9DpXK5X.mjs";
 import { a as DependencyGraph, i as stripProtocol, n as bumpVersion, r as satisfies, t as assembleReleasePlan } from "./release-plan-mK7iGeGq.mjs";
-import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry, t as defaultFormatter } from "./changelog-A-EwWggW.mjs";
-import { t as applyReleasePlan } from "./apply-release-plan-CmjqYo0t.mjs";
+import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry, t as defaultFormatter } from "./changelog-CbaET5V6.mjs";
+import { t as applyReleasePlan } from "./apply-release-plan-DD2R7SL2.mjs";
 import { t as publishPackages } from "./publish-pipeline-BRnqVylg.mjs";
 export { BUMP_LEVELS, DEFAULT_BUMP_RULES, DEFAULT_CONFIG, DEFAULT_PUBLISH_CONFIG, DEP_TYPES, DependencyGraph, applyReleasePlan, assembleReleasePlan, bumpLevel, bumpVersion, defaultFormatter, discoverPackages, findRoot, generateChangelogEntry, getBumpyDir, hasCascade, loadConfig, loadFormatter, matchGlob, maxBump, normalizeCascadeConfig, parseBumpFile, prependToChangelog, publishPackages, readBumpFiles, satisfies, stripProtocol, writeBumpFile };

package/dist/{publish-BHHWtI1W.mjs → publish-DWs1u5HU.mjs}

@@ -4,10 +4,10 @@ import { n as detectWorkspaces } from "./package-manager-BQPwXwu5.mjs";
 import { s as discoverWorkspace } from "./bump-file-B9DpXK5X.mjs";
 import { a as DependencyGraph } from "./release-plan-mK7iGeGq.mjs";
 import { r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { i as loadFormatter, n as generateChangelogEntry } from "./changelog-A-EwWggW.mjs";
+import { i as loadFormatter, n as generateChangelogEntry } from "./changelog-CbaET5V6.mjs";
 import { c as pushWithTags, s as hasUncommittedChanges } from "./git-JGLQtk-M.mjs";
 import { t as publishPackages } from "./publish-pipeline-BRnqVylg.mjs";
-import { CI_PLAN_CACHE_PATH } from "./ci-fXCBOIqu.mjs";
+import { CI_PLAN_CACHE_PATH } from "./ci-D73iWdkg.mjs";
 //#region src/core/github-release.ts
 /** Get the current HEAD commit SHA */
 function getHeadSha(rootDir) {

package/dist/{version-88KuPbWa.mjs → version-Bxin6aQC.mjs}

@@ -4,7 +4,7 @@ import { n as detectWorkspaces } from "./package-manager-BQPwXwu5.mjs";
 import { o as discoverPackages, r as readBumpFiles } from "./bump-file-B9DpXK5X.mjs";
 import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-mK7iGeGq.mjs";
 import { n as runArgs, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { t as applyReleasePlan } from "./apply-release-plan-CmjqYo0t.mjs";
+import { t as applyReleasePlan } from "./apply-release-plan-DD2R7SL2.mjs";
 import { t as resolveCommitMessage } from "./commit-message-CSWVKPJ-.mjs";
 //#region src/commands/version.ts
 async function versionCommand(rootDir, opts = {}) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@varlock/bumpy",
-  "version": "1.10.1",
+  "version": "1.11.0",
   "description": "Modern monorepo versioning and changelog tool",
   "keywords": [
     "bump",