@varlock/bumpy 1.12.0 → 1.13.1

package/README.md

@@ -88,20 +88,40 @@ _examples use bun, but works with Node.js_
 ### PR check workflow
 
 ```yaml
-# .github/workflows/bumpy-check.yml
+# .github/workflows/bumpy-check.yaml
+#
+# ⚠️ Uses `pull_request_target` so fork PR comments work — runs with write
+# perms and secrets, so it MUST NOT execute PR code (no `bun install`, no
+# PR-defined scripts). Bumpy only reads files; its version is resolved from
+# the base branch's package.json. See docs/github-actions.md for details.
 name: Bumpy Check
-on: pull_request
+on: pull_request_target
+
+permissions:
+  pull-requests: write
+  contents: read
 
 jobs:
   check:
     runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
     steps:
       - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
       - uses: oven-sh/setup-bun@v2
-      - run: bun install
-      - run: bunx @varlock/bumpy ci check
+
+      # Resolve bumpy's version from the base branch (trusted) — not the PR's
+      # package.json (which a fork PR could swap to a malicious version).
+      # Change "main" to your base branch if different.
+      - name: Resolve bumpy version from base
+        run: |
+          git fetch origin main --depth=1
+          VERSION=$(git show "origin/main:package.json" \
+            | jq -r '.devDependencies["@varlock/bumpy"] // .dependencies["@varlock/bumpy"]' \
+            | sed 's/[\^~]//')
+          echo "BUMPY_VERSION=$VERSION" >> "$GITHUB_ENV"
+
+      - run: bunx "@varlock/bumpy@$BUMPY_VERSION" ci check
         env:
           GH_TOKEN: ${{ github.token }}
 ```

package/dist/{add-DQA1TVHA.mjs → add-5how2kia.mjs}

@@ -24,6 +24,10 @@ const LEVELS = [
 * - Changed packages default to "patch", unchanged to "none"
 * - Enter to confirm
 * - Ctrl+C / Escape to cancel
+*
+* Renders a viewport that fits within the terminal so the list scrolls instead of
+* overflowing — otherwise large package counts cause the redraw cursor-up to lose
+* its anchor once content scrolls off-screen.
 */
 async function bumpSelectPrompt(items) {
 	const changedEntries = items.map((item, idx) => ({
@@ -35,7 +39,44 @@ async function bumpSelectPrompt(items) {
 		idx
 	})).filter(({ item }) => !item.changed);
 	const displayOrder = [...changedEntries, ...unchangedEntries];
+	const rows = [];
+	const itemRowIndex = [];
+	{
+		let displayIdx = 0;
+		if (changedEntries.length > 0) {
+			rows.push({
+				kind: "header",
+				text: "Changed"
+			});
+			for (const { idx } of changedEntries) {
+				itemRowIndex.push(rows.length);
+				rows.push({
+					kind: "item",
+					itemIdx: idx,
+					displayIdx
+				});
+				displayIdx++;
+			}
+			if (unchangedEntries.length > 0) rows.push({ kind: "separator" });
+		}
+		if (unchangedEntries.length > 0) {
+			rows.push({
+				kind: "header",
+				text: "Unchanged"
+			});
+			for (const { idx } of unchangedEntries) {
+				itemRowIndex.push(rows.length);
+				rows.push({
+					kind: "item",
+					itemIdx: idx,
+					displayIdx
+				});
+				displayIdx++;
+			}
+		}
+	}
 	let cursor = 0;
+	let scroll = 0;
 	const levels = items.map((item) => item.initialLevel !== void 0 ? item.initialLevel : item.changed ? "patch" : "skip");
 	return new Promise((resolve) => {
 		const { stdin, stdout } = process;
@@ -57,38 +98,77 @@ async function bumpSelectPrompt(items) {
 				if (selected.length === 0) lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("(none selected)")}`);
 				else for (const { item, idx } of selected) lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.cyan(item.name)} ${import_picocolors.default.dim("→")} ${import_picocolors.default.bold(levels[idx])}`);
 				lines.push(import_picocolors.default.dim("│"));
+				const output = lines.join("\n") + "\n";
+				stdout.write(output);
+				renderedLines = lines.length;
+				return;
+			}
+			const headerChrome = [
+				`${import_picocolors.default.cyan("◆")}  Select bump levels`,
+				`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("↑/↓ navigate · ←/→ change level · enter to confirm")}`,
+				`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("0 skip current · x skip all · r reset all to defaults")}`,
+				import_picocolors.default.dim("│")
+			];
+			const selectedCount = levels.filter((l) => l !== "skip").length;
+			const footerChrome = [
+				import_picocolors.default.dim("│"),
+				`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`${selectedCount} package${selectedCount !== 1 ? "s" : ""} selected`)}`,
+				import_picocolors.default.dim("└")
+			];
+			const termRows = stdout.rows || 24;
+			const chromeLines = headerChrome.length + footerChrome.length;
+			const MIN_BODY = 3;
+			const availableBody = Math.max(MIN_BODY, termRows - chromeLines - 1);
+			let visibleRows;
+			let topIndicator = null;
+			let bottomIndicator = null;
+			let stickyHeader = null;
+			if (rows.length <= availableBody) {
+				visibleRows = rows;
+				scroll = 0;
 			} else {
-				lines.push(`${import_picocolors.default.cyan("◆")}  Select bump levels`);
-				lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("↑/↓ navigate · ←/→ change level · enter to confirm")}`);
-				lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("0 skip current · x skip all · r reset all to defaults")}`);
-				lines.push(import_picocolors.default.dim("│"));
-				let displayIdx = 0;
-				if (changedEntries.length > 0) {
-					lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline("Changed")}`);
-					for (const { item, idx } of changedEntries) {
-						lines.push(formatRow(item, levels[idx], cursor === displayIdx));
-						displayIdx++;
-					}
-					if (unchangedEntries.length > 0) lines.push(import_picocolors.default.dim("│"));
+				let windowSize = Math.max(MIN_BODY, availableBody - 2);
+				const focusedRowIdx = itemRowIndex[cursor];
+				const adjustScroll = () => {
+					if (focusedRowIdx < scroll) scroll = focusedRowIdx;
+					else if (focusedRowIdx >= scroll + windowSize) scroll = focusedRowIdx - windowSize + 1;
+					scroll = Math.max(0, Math.min(scroll, rows.length - windowSize));
+				};
+				adjustScroll();
+				const section = getCurrentSection(cursor, changedEntries.length, unchangedEntries.length);
+				if (section !== null && section.headerRowIdx < scroll) {
+					windowSize = Math.max(MIN_BODY, windowSize - 1);
+					adjustScroll();
+					stickyHeader = `${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline(section.name)}`;
 				}
-				if (unchangedEntries.length > 0) {
-					lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline("Unchanged")}`);
-					for (const { item, idx } of unchangedEntries) {
-						lines.push(formatRow(item, levels[idx], cursor === displayIdx));
-						displayIdx++;
-					}
-				}
-				lines.push(import_picocolors.default.dim("│"));
-				const selectedCount = levels.filter((l) => l !== "skip").length;
-				lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`${selectedCount} package${selectedCount !== 1 ? "s" : ""} selected`)}`);
-				lines.push(`${import_picocolors.default.dim("└")}`);
+				visibleRows = rows.slice(scroll, scroll + windowSize);
+				const above = scroll;
+				const below = rows.length - (scroll + windowSize);
+				if (above > 0) topIndicator = `${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`▲ ${above} more`)}`;
+				if (below > 0) bottomIndicator = `${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`▼ ${below} more`)}`;
+			}
+			lines.push(...headerChrome);
+			if (topIndicator !== null) lines.push(topIndicator);
+			if (stickyHeader !== null) lines.push(stickyHeader);
+			for (const row of visibleRows) if (row.kind === "separator") lines.push(import_picocolors.default.dim("│"));
+			else if (row.kind === "header") lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline(row.text)}`);
+			else {
+				const item = items[row.itemIdx];
+				const isFocused = row.displayIdx === cursor;
+				lines.push(formatRow(item, levels[row.itemIdx], isFocused));
 			}
+			if (bottomIndicator !== null) lines.push(bottomIndicator);
+			lines.push(...footerChrome);
 			const output = lines.join("\n") + "\n";
 			stdout.write(output);
 			renderedLines = lines.length;
 		}
+		function onResize() {
+			render();
+		}
 		function cleanup() {
 			stdin.removeListener("keypress", onKeypress);
+			stdout.removeListener("resize", onResize);
 			rl.close();
 			stdout.write("\x1B[?25h");
 			if (stdin.isTTY) stdin.setRawMode(false);
@@ -141,8 +221,24 @@ async function bumpSelectPrompt(items) {
 			render();
 		}
 		stdin.on("keypress", onKeypress);
+		stdout.on("resize", onResize);
 	});
 }
+/** Returns the section the focused item is in, plus the row index of its header. */
+function getCurrentSection(cursor, changedCount, unchangedCount) {
+	if (cursor < changedCount) {
+		if (changedCount === 0) return null;
+		return {
+			headerRowIdx: 0,
+			name: "Changed"
+		};
+	}
+	if (unchangedCount === 0) return null;
+	return {
+		headerRowIdx: changedCount > 0 ? changedCount + 2 : 0,
+		name: "Unchanged"
+	};
+}
 function formatRow(item, level, focused) {
 	return `${import_picocolors.default.dim("│")}  ${focused ? import_picocolors.default.cyan("›") : " "} ${focused ? import_picocolors.default.cyan(item.name) : item.name} ${import_picocolors.default.dim(`(${item.version})`)}  ${formatLevel(level, focused)}`;
 }

package/dist/{ci-DBZW9k4S.mjs → ci-CIamssoq.mjs}

@@ -8,7 +8,7 @@ import { f as withGitToken, i as getChangedFiles } from "./git-DJJ64SW9.mjs";
 import { t as randomName } from "./names-COooXAFg.mjs";
 import { n as findChangedPackages } from "./check-CsF0zh8r.mjs";
 import { t as resolveCommitMessage } from "./commit-message-CSWVKPJ-.mjs";
-import { appendFileSync, mkdirSync, writeFileSync } from "node:fs";
+import { appendFileSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { createHash } from "node:crypto";
 //#region src/commands/ci.ts
 /**
@@ -157,7 +157,7 @@ async function ciPlanCommand(rootDir) {
 		packageNames: plan.releases.map((r) => r.name)
 	};
 	else {
-		const { findUnpublishedPackages } = await import("./publish-BDA1bOZ7.mjs");
+		const { findUnpublishedPackages } = await import("./publish-h6rM58Cq.mjs");
 		const unpublished = await findUnpublishedPackages(packages, config);
 		if (unpublished.length > 0) output = {
 			mode: "publish",
@@ -234,7 +234,7 @@ async function ciReleaseCommand(rootDir, opts) {
 		const msg = bumpFiles.length === 0 ? "No pending bump files — checking for unpublished packages..." : "Bump files found but no packages would be released — checking for unpublished packages...";
 		log.info(msg);
 		const recoveredBumpFiles = recoverDeletedBumpFiles(rootDir);
-		const { publishCommand } = await import("./publish-BDA1bOZ7.mjs");
+		const { publishCommand } = await import("./publish-h6rM58Cq.mjs");
 		await publishCommand(rootDir, {
 			tag: opts.tag,
 			recoveredBumpFiles
@@ -287,7 +287,7 @@ async function autoPublish(rootDir, config, plan, tag) {
 		], { cwd: rootDir });
 	}
 	log.step("Running bumpy publish...");
-	const { publishCommand } = await import("./publish-BDA1bOZ7.mjs");
+	const { publishCommand } = await import("./publish-h6rM58Cq.mjs");
 	await publishCommand(rootDir, { tag });
 }
 /**
@@ -721,6 +721,7 @@ async function postOrUpdatePrComment(prNumber, body, rootDir) {
 		}
 	} catch (err) {
 		log.warn(`  Failed to comment on PR: ${err instanceof Error ? err.message : err}`);
+		if (process.env.GITHUB_EVENT_NAME === "pull_request" && isForkPr()) log.warn("  This PR is from a fork. Fork PRs running on `pull_request` get a read-only token\n  and cannot post comments. Switch the workflow to `pull_request_target` —\n  see https://bumpy.varlock.dev/docs/github-actions");
 	}
 }
 function detectPrBranch(rootDir) {
@@ -736,9 +737,14 @@ function detectPrBranch(rootDir) {
 	], { cwd: rootDir })?.trim() || null;
 }
 function detectPrNumber() {
-	if (process.env.GITHUB_EVENT_NAME === "pull_request") {
-		const match = process.env.GITHUB_REF?.match(/refs\/pull\/(\d+)\//);
-		if (match) return match[1];
+	const eventName = process.env.GITHUB_EVENT_NAME;
+	if (eventName === "pull_request" || eventName === "pull_request_target") {
+		const num = readGitHubEventPayload()?.pull_request?.number;
+		if (typeof num === "number") return String(num);
+		if (eventName === "pull_request") {
+			const match = process.env.GITHUB_REF?.match(/refs\/pull\/(\d+)\//);
+			if (match) return match[1];
+		}
 	}
 	const envPr = process.env.BUMPY_PR_NUMBER || process.env.PR_NUMBER || null;
 	if (envPr && !/^\d+$/.test(envPr)) {
@@ -747,5 +753,21 @@ function detectPrNumber() {
 	}
 	return envPr;
 }
+function readGitHubEventPayload() {
+	const path = process.env.GITHUB_EVENT_PATH;
+	if (!path) return null;
+	try {
+		return JSON.parse(readFileSync(path, "utf-8"));
+	} catch {
+		return null;
+	}
+}
+/** True when running on a PR whose head repo differs from the base repo (i.e. a fork). */
+function isForkPr() {
+	const event = readGitHubEventPayload();
+	const headId = event?.pull_request?.head?.repo?.id;
+	const baseId = event?.pull_request?.base?.repo?.id;
+	return typeof headId === "number" && typeof baseId === "number" && headId !== baseId;
+}
 //#endregion
 export { CI_PLAN_CACHE_PATH, ciCheckCommand, ciPlanCommand, ciReleaseCommand };

package/dist/cli.mjs

@@ -31,7 +31,7 @@ async function main() {
 			}
 			case "add": {
 				const rootDir = await findRoot();
-				const { addCommand } = await import("./add-DQA1TVHA.mjs");
+				const { addCommand } = await import("./add-5how2kia.mjs");
 				await addCommand(rootDir, {
 					packages: flags.packages,
 					message: flags.message,
@@ -89,17 +89,17 @@ async function main() {
 				const subcommand = args[1];
 				const ciFlags = parseFlags(args.slice(2));
 				if (subcommand === "check") {
-					const { ciCheckCommand } = await import("./ci-DBZW9k4S.mjs");
+					const { ciCheckCommand } = await import("./ci-CIamssoq.mjs");
 					await ciCheckCommand(rootDir, {
 						comment: ciFlags.comment !== void 0 ? ciFlags.comment === true : void 0,
 						strict: ciFlags.strict === true,
 						noFail: ciFlags["no-fail"] === true
 					});
 				} else if (subcommand === "plan") {
-					const { ciPlanCommand } = await import("./ci-DBZW9k4S.mjs");
+					const { ciPlanCommand } = await import("./ci-CIamssoq.mjs");
 					await ciPlanCommand(rootDir);
 				} else if (subcommand === "release") {
-					const { ciReleaseCommand } = await import("./ci-DBZW9k4S.mjs");
+					const { ciReleaseCommand } = await import("./ci-CIamssoq.mjs");
 					const expectModeFlag = ciFlags["expect-mode"];
 					const autoPublishFlag = ciFlags["auto-publish"] === true;
 					if (expectModeFlag !== void 0 && expectModeFlag !== "version-pr" && expectModeFlag !== "publish") {
@@ -127,7 +127,7 @@ async function main() {
 			}
 			case "publish": {
 				const rootDir = await findRoot();
-				const { publishCommand } = await import("./publish-BDA1bOZ7.mjs");
+				const { publishCommand } = await import("./publish-h6rM58Cq.mjs");
 				await publishCommand(rootDir, {
 					dryRun: flags["dry-run"] === true,
 					tag: flags.tag,
@@ -151,7 +151,7 @@ async function main() {
 			}
 			case "--version":
 			case "-v":
-				console.log(`bumpy 1.12.0`);
+				console.log(`bumpy 1.13.1`);
 				break;
 			case "help":
 			case "--help":
@@ -171,7 +171,7 @@ async function main() {
 }
 function printHelp() {
 	console.log(`
-  ${colorize(`🐸 bumpy v1.12.0`, "bold")} - Modern monorepo versioning
+  ${colorize(`🐸 bumpy v1.13.1`, "bold")} - Modern monorepo versioning
 
   Usage: bumpy <command> [options]
 

package/dist/{publish-BDA1bOZ7.mjs → publish-h6rM58Cq.mjs}

@@ -7,7 +7,7 @@ import { r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
 import { i as loadFormatter, n as generateChangelogEntry } from "./changelog-CbaET5V6.mjs";
 import { c as hasUncommittedChanges, l as pushWithTags } from "./git-DJJ64SW9.mjs";
 import { t as publishPackages } from "./publish-pipeline-DSj14dW6.mjs";
-import { CI_PLAN_CACHE_PATH } from "./ci-DBZW9k4S.mjs";
+import { CI_PLAN_CACHE_PATH } from "./ci-CIamssoq.mjs";
 //#region src/core/github-release.ts
 /** Get the current HEAD commit SHA */
 function getHeadSha(rootDir) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@varlock/bumpy",
-  "version": "1.12.0",
+  "version": "1.13.1",
   "description": "Modern monorepo versioning and changelog tool",
   "keywords": [
     "bump",