@varlock/bumpy 1.13.0 → 1.13.2

package/README.md

@@ -15,22 +15,21 @@
 
 # @varlock/bumpy 🐸
 
-A modern package versioning, release, and changelog generation tool. Built for monorepos, but works great in simpler projects too.
+A modern package versioning, release, and changelog generation tool. Built for monorepos, but works great in simple projects too.
 
 ## How It Works
 
-Bumpy uses **bump files** (you may know them as "changesets" if coming from [that tool 🦋](https://github.com/changesets/changesets)) - small markdown files that declare an intent to release packages with a bump level (patch/minor/major), and a description that ends up in changelogs. Developers create these files as part of their PRs, and these files are then used to consolidate changes, generate changelogs, and trigger publishing. Specifically:
+Bumpy uses **bump files** (you may know them as "changesets" if coming from [that tool 🦋](https://github.com/changesets/changesets)) - small markdown files that declare an _intent to release packages_ with a bump level (patch/minor/major), and a description that ends up in changelogs. Developers create these files as part of their PRs, and these files are then used to consolidate changes, generate changelogs, and trigger publishing.
 
 - Devs/agents create bump files as part of their PRs (using `bumpy add` or manually)
 - A git hook (pre-commit or pre-push) can enforce bump files exist for changed packages
 - In CI, a workflow checks PRs for bump files, leaves a comment on the PR detailing changed packages
 - As PRs merge to the base branch, a "release PR" is kept up to date
-  - Shows what packages will be released and their changelogs
-    - Including packages bumped automatically due to dependency relationships
+  - Shows what packages will be released and their changelogs (incl. those bumped via dep relationships)
 - When release PR is merged, publishing is triggered
-  - Pending bump files are deleted and packages are published with updated versions and changelogs
+  - Pending bump files are deleted and packages are published with updated versions and changelogs, github tags+releases created
 
-All of this is automated via two simple GitHub Actions workflows (see [CI setup](#ci--github-actions) below). You can also run everything locally with `bumpy status`, `bumpy version`, and `bumpy publish`.
+All of this is automated via two simple GitHub Actions workflows (see [actions guide](https://github.com/dmno-dev/bumpy/blob/main/docs/github-actions.md)). Or can be triggered locally.
 
 ### Example bump file
 
@@ -42,21 +41,23 @@ All of this is automated via two simple GitHub Actions workflows (see [CI setup]
 '@myorg/utils': patch
 ---
 
-Added user language preference to the core config.
+Added user lang prefs to core config.
 Fixed locale fallback logic in utils.
 ```
 
 ## Features
 
-- **All package managers** - npm, pnpm, yarn, and bun workspaces
+- **All package managers** - npm, pnpm, yarn, and bun workspaces. With full `workspace:` and `catalog:` support
 - **Smart dependency propagation** - configurable rules for how version bumps cascade through your dependency graph (see [version propagation docs](https://github.com/dmno-dev/bumpy/blob/main/docs/version-propagation.md))
-- **Pack-then-publish** - by default, publishes to npm (resolving `workspace:` and `catalog:` protocols, with OIDC/provenance support). Supports [npm staged publishing](https://docs.npmjs.com/staged-publishing) for 2FA-gated releases. Per-package custom publish commands let you target anything - VSCode extensions, Docker images, JSR, private registries, etc.
+- **OIDC + staged publishing** - supports OIDC, provenance, [npm staged publishing](https://docs.npmjs.com/staged-publishing)
+- **Custom release targets** - Per-package custom publish commands let you target anything - VSCode extensions, Docker images, JSR, private registries, etc.
 - **Flexible package management** - include/exclude any package individually via per-package config, glob patterns, or `privatePackages` setting
 - **Non-interactive CLI** - `bumpy add` works fully non-interactively for CI/CD and AI-assisted development
 - **Aggregated GitHub releases** - optionally create a single consolidated release instead of one per package
 - **Auto-generate from commits** - `bumpy generate` creates bump files from branch commits - works with any commit style, with enhanced detection for conventional commits
 - **Pluggable changelog formatters** - built-in `"default"` and `"github"` formatters, or write your own
 - **Zero runtime dependencies** - dependencies are minimal and bundled at release time
+- **No additional action/app needed** - no external github action or app to audit and trust
 
 ## Getting Started
 
@@ -67,6 +68,9 @@ bun add -d @varlock/bumpy  # or npm/pnpm/yarn
 # Initialize (creates .bumpy/ directory and config, migrates from changesets if applicable)
 bunx bumpy init
 
+# Interactive guidance setting up CI
+bunx bumpy ci setup
+
 # Create a bump file
 bunx bumpy add
 
@@ -78,138 +82,15 @@ Then set up CI to automate versioning and publishing (see below).
 
 ## CI / GitHub Actions
 
-No GitHub App to install, no separate action to rely on - just call `bumpy ci` directly in your workflows. Two commands handle the entire release lifecycle:
-
-- **`bumpy ci check`** - runs on every PR. Computes the release plan from pending bump files and posts/updates a comment on the PR showing what versions would be released. Warns if any changed packages are missing bump files.
-- **`bumpy ci release`** - runs on push to main. If pending bump files exist, it opens (or updates) a "Version Packages" PR that applies all version bumps and changelog updates. If the current push _is_ the Version Packages PR being merged, it publishes the new versions, creates git tags, and creates GitHub releases.
-
-_examples use bun, but works with Node.js_
-
-### PR check workflow
-
-```yaml
-# .github/workflows/bumpy-check.yaml
-#
-# ⚠️ Uses `pull_request_target` so fork PR comments work — runs with write
-# perms and secrets, so it MUST NOT execute PR code (no `bun install`, no
-# PR-defined scripts). Bumpy only reads files; its version is resolved from
-# the base branch's package.json. See docs/github-actions.md for details.
-name: Bumpy Check
-on: pull_request_target
-
-permissions:
-  pull-requests: write
-  contents: read
-
-jobs:
-  check:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-      - uses: oven-sh/setup-bun@v2
-
-      # Resolve bumpy's version from the base branch (trusted) — not the PR's
-      # package.json (which a fork PR could swap to a malicious version).
-      # Change "main" to your base branch if different.
-      - name: Resolve bumpy version from base
-        run: |
-          git fetch origin main --depth=1
-          VERSION=$(git show "origin/main:package.json" \
-            | jq -r '.devDependencies["@varlock/bumpy"] // .dependencies["@varlock/bumpy"]' \
-            | sed 's/[\^~]//')
-          echo "BUMPY_VERSION=$VERSION" >> "$GITHUB_ENV"
-
-      - run: bunx "@varlock/bumpy@$BUMPY_VERSION" ci check
-        env:
-          GH_TOKEN: ${{ github.token }}
-```
-
-### Release workflow
-
-```yaml
-# .github/workflows/bumpy-release.yml - trusted publishing (OIDC, no secret needed)
-name: Bumpy Release
-on:
-  push:
-    branches: [main]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      id-token: write # required for npm trusted publishing (OIDC) and provenance
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - uses: oven-sh/setup-bun@v2
-      - uses: actions/setup-node@v6
-        with:
-          node-version: latest
-      - run: npm install -g npm@latest # ensure npm >= 11.15.0 for OIDC/staged publishing
-      - run: bun install
-      - run: bunx @varlock/bumpy ci release
-        env:
-          GH_TOKEN: ${{ github.token }}
-          BUMPY_GH_TOKEN: ${{ secrets.BUMPY_GH_TOKEN }} # PAT so that version PR triggers CI
-```
-
-> **Trusted publishing setup:** Configure each package on [npmjs.com](https://docs.npmjs.com/trusted-publishers/) → Package Settings → Trusted Publishers → GitHub Actions. Specify your org/user, repo, and the workflow filename (`bumpy-release.yml`). No `NPM_TOKEN` secret needed. Enable `provenance` and `npmStaged` in your [publish config](https://github.com/dmno-dev/bumpy/blob/main/docs/configuration.md#staged-publishing) for maximum security.
-
-<details>
-<summary>Alternative: token-based auth (NPM_TOKEN secret)</summary>
-
-```yaml
-# .github/workflows/bumpy-release.yml - token-based auth
-name: Bumpy Release
-on:
-  push:
-    branches: [main]
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - uses: oven-sh/setup-bun@v2
-      - run: bun install
-      - run: bunx @varlock/bumpy ci release
-        env:
-          GH_TOKEN: ${{ github.token }}
-          BUMPY_GH_TOKEN: ${{ secrets.BUMPY_GH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-```
-
-</details>
-
-### Token setup
-
-The default `github.token` works for basic functionality, but GitHub's anti-recursion guard means PRs created by the default token won't trigger other workflows - so your regular CI (tests, linting, etc.) won't run automatically on the Version Packages PR. To fix this, provide a `BUMPY_GH_TOKEN` secret using either a **fine-grained PAT** or a **GitHub App token**. See the [full token setup guide](https://github.com/dmno-dev/bumpy/blob/main/docs/github-actions.md#token-setup) for details.
+No GitHub App to install, no separate action to rely on — just call `bumpy ci` directly in your workflows. Three commands across two workflows handle the entire release lifecycle:
 
-Run `bumpy ci setup` for interactive guidance, or set it up manually:
+- **`bumpy ci check`** — on every PR, posts/updates a comment showing the release plan and warns if changed packages are missing bump files.
+- **`bumpy ci plan`** — on push to main, detects what should happen next (`version-pr`, `publish`, or nothing) without needing write permissions or publish credentials. Used to gate downstream jobs in split-job workflows.
+- **`bumpy ci release`** — opens/updates the "Version Packages" PR, or publishes new versions and creates git tags + GitHub releases when that PR is merged.
 
-1. Create a [fine-grained personal access token](https://github.com/settings/personal-access-tokens) with:
-   - **Repository access:** your repo only
-   - **Permissions:** Contents (read & write), Pull requests (read & write)
-2. Add it as a repository secret named `BUMPY_GH_TOKEN`
-3. Add it to your release workflow:
-   ```yaml
-   - run: bunx @varlock/bumpy ci release
-     env:
-       GH_TOKEN: ${{ github.token }}
-       BUMPY_GH_TOKEN: ${{ secrets.BUMPY_GH_TOKEN }}
-   ```
+Run `bumpy ci setup` for interactive guidance, and see the [GitHub Actions setup guide](https://github.com/dmno-dev/bumpy/blob/main/docs/github-actions.md) for ready-to-copy workflows, token setup, and trusted publishing.
 
-### Local versioning and publishing
+## Local versioning and publishing
 
 If you prefer to version and publish locally instead of via CI:
 
@@ -270,7 +151,7 @@ bunx bumpy --help  # invoke built cli
 - Better support for versioning non-JS packages and usage without package.json files
 - Plugin system for different publish targets, and support multiple targets per package
 - Tracking workspace-level / non-publishable changes
-- More frogs 🐸
+- More frogs 🐸🐸🐸
 
 ---
 

package/dist/{add-DQA1TVHA.mjs → add-Dt1hddMt.mjs}

@@ -2,10 +2,10 @@ import { n as log, r as require_picocolors, s as __toESM } from "./logger-BgksGF
 import { n as exists, t as ensureDir } from "./fs-CBXKZhoU.mjs";
 import { a as loadConfig, r as getBumpyDir } from "./config-D_4GYDJi.mjs";
 import { a as writeBumpFile, r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-B7hmXZlB.mjs";
-import { i as getChangedFiles } from "./git-DJJ64SW9.mjs";
+import { a as getChangedFiles } from "./git-BWPimLgc.mjs";
 import { l as pt, o as gt, r as Ot, s as mt, t as unwrap, u as wt } from "./clack-W95rXis0.mjs";
 import { n as slugify, t as randomName } from "./names-COooXAFg.mjs";
-import { n as findChangedPackages } from "./check-CsF0zh8r.mjs";
+import { n as findChangedPackages } from "./check-Dvi0DIqC.mjs";
 import { resolve } from "node:path";
 import * as readline from "node:readline";
 //#region src/prompts/bump-select.ts
@@ -24,6 +24,10 @@ const LEVELS = [
 * - Changed packages default to "patch", unchanged to "none"
 * - Enter to confirm
 * - Ctrl+C / Escape to cancel
+*
+* Renders a viewport that fits within the terminal so the list scrolls instead of
+* overflowing — otherwise large package counts cause the redraw cursor-up to lose
+* its anchor once content scrolls off-screen.
 */
 async function bumpSelectPrompt(items) {
 	const changedEntries = items.map((item, idx) => ({
@@ -35,7 +39,44 @@ async function bumpSelectPrompt(items) {
 		idx
 	})).filter(({ item }) => !item.changed);
 	const displayOrder = [...changedEntries, ...unchangedEntries];
+	const rows = [];
+	const itemRowIndex = [];
+	{
+		let displayIdx = 0;
+		if (changedEntries.length > 0) {
+			rows.push({
+				kind: "header",
+				text: "Changed"
+			});
+			for (const { idx } of changedEntries) {
+				itemRowIndex.push(rows.length);
+				rows.push({
+					kind: "item",
+					itemIdx: idx,
+					displayIdx
+				});
+				displayIdx++;
+			}
+			if (unchangedEntries.length > 0) rows.push({ kind: "separator" });
+		}
+		if (unchangedEntries.length > 0) {
+			rows.push({
+				kind: "header",
+				text: "Unchanged"
+			});
+			for (const { idx } of unchangedEntries) {
+				itemRowIndex.push(rows.length);
+				rows.push({
+					kind: "item",
+					itemIdx: idx,
+					displayIdx
+				});
+				displayIdx++;
+			}
+		}
+	}
 	let cursor = 0;
+	let scroll = 0;
 	const levels = items.map((item) => item.initialLevel !== void 0 ? item.initialLevel : item.changed ? "patch" : "skip");
 	return new Promise((resolve) => {
 		const { stdin, stdout } = process;
@@ -57,38 +98,77 @@ async function bumpSelectPrompt(items) {
 				if (selected.length === 0) lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("(none selected)")}`);
 				else for (const { item, idx } of selected) lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.cyan(item.name)} ${import_picocolors.default.dim("→")} ${import_picocolors.default.bold(levels[idx])}`);
 				lines.push(import_picocolors.default.dim("│"));
+				const output = lines.join("\n") + "\n";
+				stdout.write(output);
+				renderedLines = lines.length;
+				return;
+			}
+			const headerChrome = [
+				`${import_picocolors.default.cyan("◆")}  Select bump levels`,
+				`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("↑/↓ navigate · ←/→ change level · enter to confirm")}`,
+				`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("0 skip current · x skip all · r reset all to defaults")}`,
+				import_picocolors.default.dim("│")
+			];
+			const selectedCount = levels.filter((l) => l !== "skip").length;
+			const footerChrome = [
+				import_picocolors.default.dim("│"),
+				`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`${selectedCount} package${selectedCount !== 1 ? "s" : ""} selected`)}`,
+				import_picocolors.default.dim("└")
+			];
+			const termRows = stdout.rows || 24;
+			const chromeLines = headerChrome.length + footerChrome.length;
+			const MIN_BODY = 3;
+			const availableBody = Math.max(MIN_BODY, termRows - chromeLines - 1);
+			let visibleRows;
+			let topIndicator = null;
+			let bottomIndicator = null;
+			let stickyHeader = null;
+			if (rows.length <= availableBody) {
+				visibleRows = rows;
+				scroll = 0;
 			} else {
-				lines.push(`${import_picocolors.default.cyan("◆")}  Select bump levels`);
-				lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("↑/↓ navigate · ←/→ change level · enter to confirm")}`);
-				lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim("0 skip current · x skip all · r reset all to defaults")}`);
-				lines.push(import_picocolors.default.dim("│"));
-				let displayIdx = 0;
-				if (changedEntries.length > 0) {
-					lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline("Changed")}`);
-					for (const { item, idx } of changedEntries) {
-						lines.push(formatRow(item, levels[idx], cursor === displayIdx));
-						displayIdx++;
-					}
-					if (unchangedEntries.length > 0) lines.push(import_picocolors.default.dim("│"));
+				let windowSize = Math.max(MIN_BODY, availableBody - 2);
+				const focusedRowIdx = itemRowIndex[cursor];
+				const adjustScroll = () => {
+					if (focusedRowIdx < scroll) scroll = focusedRowIdx;
+					else if (focusedRowIdx >= scroll + windowSize) scroll = focusedRowIdx - windowSize + 1;
+					scroll = Math.max(0, Math.min(scroll, rows.length - windowSize));
+				};
+				adjustScroll();
+				const section = getCurrentSection(cursor, changedEntries.length, unchangedEntries.length);
+				if (section !== null && section.headerRowIdx < scroll) {
+					windowSize = Math.max(MIN_BODY, windowSize - 1);
+					adjustScroll();
+					stickyHeader = `${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline(section.name)}`;
 				}
-				if (unchangedEntries.length > 0) {
-					lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline("Unchanged")}`);
-					for (const { item, idx } of unchangedEntries) {
-						lines.push(formatRow(item, levels[idx], cursor === displayIdx));
-						displayIdx++;
-					}
-				}
-				lines.push(import_picocolors.default.dim("│"));
-				const selectedCount = levels.filter((l) => l !== "skip").length;
-				lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`${selectedCount} package${selectedCount !== 1 ? "s" : ""} selected`)}`);
-				lines.push(`${import_picocolors.default.dim("└")}`);
+				visibleRows = rows.slice(scroll, scroll + windowSize);
+				const above = scroll;
+				const below = rows.length - (scroll + windowSize);
+				if (above > 0) topIndicator = `${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`▲ ${above} more`)}`;
+				if (below > 0) bottomIndicator = `${import_picocolors.default.dim("│")}  ${import_picocolors.default.dim(`▼ ${below} more`)}`;
+			}
+			lines.push(...headerChrome);
+			if (topIndicator !== null) lines.push(topIndicator);
+			if (stickyHeader !== null) lines.push(stickyHeader);
+			for (const row of visibleRows) if (row.kind === "separator") lines.push(import_picocolors.default.dim("│"));
+			else if (row.kind === "header") lines.push(`${import_picocolors.default.dim("│")}  ${import_picocolors.default.underline(row.text)}`);
+			else {
+				const item = items[row.itemIdx];
+				const isFocused = row.displayIdx === cursor;
+				lines.push(formatRow(item, levels[row.itemIdx], isFocused));
 			}
+			if (bottomIndicator !== null) lines.push(bottomIndicator);
+			lines.push(...footerChrome);
 			const output = lines.join("\n") + "\n";
 			stdout.write(output);
 			renderedLines = lines.length;
 		}
+		function onResize() {
+			render();
+		}
 		function cleanup() {
 			stdin.removeListener("keypress", onKeypress);
+			stdout.removeListener("resize", onResize);
 			rl.close();
 			stdout.write("\x1B[?25h");
 			if (stdin.isTTY) stdin.setRawMode(false);
@@ -141,8 +221,24 @@ async function bumpSelectPrompt(items) {
 			render();
 		}
 		stdin.on("keypress", onKeypress);
+		stdout.on("resize", onResize);
 	});
 }
+/** Returns the section the focused item is in, plus the row index of its header. */
+function getCurrentSection(cursor, changedCount, unchangedCount) {
+	if (cursor < changedCount) {
+		if (changedCount === 0) return null;
+		return {
+			headerRowIdx: 0,
+			name: "Changed"
+		};
+	}
+	if (unchangedCount === 0) return null;
+	return {
+		headerRowIdx: changedCount > 0 ? changedCount + 2 : 0,
+		name: "Unchanged"
+	};
+}
 function formatRow(item, level, focused) {
 	return `${import_picocolors.default.dim("│")}  ${focused ? import_picocolors.default.cyan("›") : " "} ${focused ? import_picocolors.default.cyan(item.name) : item.name} ${import_picocolors.default.dim(`(${item.version})`)}  ${formatLevel(level, focused)}`;
 }

package/dist/{check-CsF0zh8r.mjs → check-Dvi0DIqC.mjs}

@@ -4,7 +4,7 @@ import { a as DEP_TYPES } from "./types-Bkh-igOJ.mjs";
 import { a as loadConfig, o as loadPackageConfig, r as getBumpyDir } from "./config-D_4GYDJi.mjs";
 import { a as isCatalogRefAffected, i as diffCatalogMaps, n as detectPackageManager, o as parseCatalogs, t as CATALOG_FILES } from "./package-manager-Db_vTztt.mjs";
 import { r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-B7hmXZlB.mjs";
-import { i as getChangedFiles, n as getBaseCompareRef, o as getFileStatuses, u as readFileAtRef } from "./git-DJJ64SW9.mjs";
+import { a as getChangedFiles, r as getBaseCompareRef, s as getFileStatuses, u as readFileAtRef } from "./git-BWPimLgc.mjs";
 import { relative, resolve } from "node:path";
 //#region ../../node_modules/.bun/picomatch@4.0.4/node_modules/picomatch/lib/constants.js
 var require_constants = /* @__PURE__ */ __commonJSMin(((exports, module) => {

package/dist/{ci-CIamssoq.mjs → ci-B7gF6CFP.mjs}

@@ -4,9 +4,9 @@ import { n as detectPackageManager } from "./package-manager-Db_vTztt.mjs";
 import { i as recoverDeletedBumpFiles, r as readBumpFiles, s as discoverWorkspace, t as filterBranchBumpFiles } from "./bump-file-B7hmXZlB.mjs";
 import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-mK7iGeGq.mjs";
 import { n as runArgs, r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { f as withGitToken, i as getChangedFiles } from "./git-DJJ64SW9.mjs";
+import { a as getChangedFiles, f as withGitToken } from "./git-BWPimLgc.mjs";
 import { t as randomName } from "./names-COooXAFg.mjs";
-import { n as findChangedPackages } from "./check-CsF0zh8r.mjs";
+import { n as findChangedPackages } from "./check-Dvi0DIqC.mjs";
 import { t as resolveCommitMessage } from "./commit-message-CSWVKPJ-.mjs";
 import { appendFileSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { createHash } from "node:crypto";
@@ -157,7 +157,7 @@ async function ciPlanCommand(rootDir) {
 		packageNames: plan.releases.map((r) => r.name)
 	};
 	else {
-		const { findUnpublishedPackages } = await import("./publish-h6rM58Cq.mjs");
+		const { findUnpublishedPackages } = await import("./publish-VYBhDYFM.mjs");
 		const unpublished = await findUnpublishedPackages(packages, config);
 		if (unpublished.length > 0) output = {
 			mode: "publish",
@@ -234,7 +234,7 @@ async function ciReleaseCommand(rootDir, opts) {
 		const msg = bumpFiles.length === 0 ? "No pending bump files — checking for unpublished packages..." : "Bump files found but no packages would be released — checking for unpublished packages...";
 		log.info(msg);
 		const recoveredBumpFiles = recoverDeletedBumpFiles(rootDir);
-		const { publishCommand } = await import("./publish-h6rM58Cq.mjs");
+		const { publishCommand } = await import("./publish-VYBhDYFM.mjs");
 		await publishCommand(rootDir, {
 			tag: opts.tag,
 			recoveredBumpFiles
@@ -287,7 +287,7 @@ async function autoPublish(rootDir, config, plan, tag) {
 		], { cwd: rootDir });
 	}
 	log.step("Running bumpy publish...");
-	const { publishCommand } = await import("./publish-h6rM58Cq.mjs");
+	const { publishCommand } = await import("./publish-VYBhDYFM.mjs");
 	await publishCommand(rootDir, { tag });
 }
 /**

package/dist/cli.mjs

@@ -31,7 +31,7 @@ async function main() {
 			}
 			case "add": {
 				const rootDir = await findRoot();
-				const { addCommand } = await import("./add-DQA1TVHA.mjs");
+				const { addCommand } = await import("./add-Dt1hddMt.mjs");
 				await addCommand(rootDir, {
 					packages: flags.packages,
 					message: flags.message,
@@ -43,7 +43,7 @@ async function main() {
 			}
 			case "status": {
 				const rootDir = await findRoot();
-				const { statusCommand } = await import("./status-BbsDr6t7.mjs");
+				const { statusCommand } = await import("./status-DxzKPM8d.mjs");
 				await statusCommand(rootDir, {
 					json: flags.json === true,
 					packagesOnly: flags.packages === true,
@@ -61,7 +61,7 @@ async function main() {
 			}
 			case "generate": {
 				const rootDir = await findRoot();
-				const { generateCommand } = await import("./generate-CvCvUaRV.mjs");
+				const { generateCommand } = await import("./generate-DohUlhu3.mjs");
 				await generateCommand(rootDir, {
 					from: flags.from,
 					dryRun: flags["dry-run"] === true,
@@ -71,7 +71,7 @@ async function main() {
 			}
 			case "check": {
 				const rootDir = await findRoot();
-				const { checkCommand } = await import("./check-CsF0zh8r.mjs").then((n) => n.t);
+				const { checkCommand } = await import("./check-Dvi0DIqC.mjs").then((n) => n.t);
 				const hookValue = flags.hook;
 				if (hookValue && hookValue !== "pre-commit" && hookValue !== "pre-push") {
 					log.error(`Invalid --hook value "${hookValue}". Expected "pre-commit" or "pre-push".`);
@@ -89,17 +89,17 @@ async function main() {
 				const subcommand = args[1];
 				const ciFlags = parseFlags(args.slice(2));
 				if (subcommand === "check") {
-					const { ciCheckCommand } = await import("./ci-CIamssoq.mjs");
+					const { ciCheckCommand } = await import("./ci-B7gF6CFP.mjs");
 					await ciCheckCommand(rootDir, {
 						comment: ciFlags.comment !== void 0 ? ciFlags.comment === true : void 0,
 						strict: ciFlags.strict === true,
 						noFail: ciFlags["no-fail"] === true
 					});
 				} else if (subcommand === "plan") {
-					const { ciPlanCommand } = await import("./ci-CIamssoq.mjs");
+					const { ciPlanCommand } = await import("./ci-B7gF6CFP.mjs");
 					await ciPlanCommand(rootDir);
 				} else if (subcommand === "release") {
-					const { ciReleaseCommand } = await import("./ci-CIamssoq.mjs");
+					const { ciReleaseCommand } = await import("./ci-B7gF6CFP.mjs");
 					const expectModeFlag = ciFlags["expect-mode"];
 					const autoPublishFlag = ciFlags["auto-publish"] === true;
 					if (expectModeFlag !== void 0 && expectModeFlag !== "version-pr" && expectModeFlag !== "publish") {
@@ -127,7 +127,7 @@ async function main() {
 			}
 			case "publish": {
 				const rootDir = await findRoot();
-				const { publishCommand } = await import("./publish-h6rM58Cq.mjs");
+				const { publishCommand } = await import("./publish-VYBhDYFM.mjs");
 				await publishCommand(rootDir, {
 					dryRun: flags["dry-run"] === true,
 					tag: flags.tag,
@@ -151,7 +151,7 @@ async function main() {
 			}
 			case "--version":
 			case "-v":
-				console.log(`bumpy 1.13.0`);
+				console.log(`bumpy 1.13.2`);
 				break;
 			case "help":
 			case "--help":
@@ -171,7 +171,7 @@ async function main() {
 }
 function printHelp() {
 	console.log(`
-  ${colorize(`🐸 bumpy v1.13.0`, "bold")} - Modern monorepo versioning
+  ${colorize(`🐸 bumpy v1.13.2`, "bold")} - Modern monorepo versioning
 
   Usage: bumpy <command> [options]
 

package/dist/{generate-CvCvUaRV.mjs → generate-DohUlhu3.mjs}

@@ -3,7 +3,7 @@ import { t as ensureDir } from "./fs-CBXKZhoU.mjs";
 import { a as loadConfig, r as getBumpyDir } from "./config-D_4GYDJi.mjs";
 import { a as writeBumpFile, o as discoverPackages } from "./bump-file-B7hmXZlB.mjs";
 import { s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { r as getBranchCommits, s as getFilesChangedInCommit } from "./git-DJJ64SW9.mjs";
+import { c as getFilesChangedInCommit, i as getBranchCommits } from "./git-BWPimLgc.mjs";
 import { n as slugify, t as randomName } from "./names-COooXAFg.mjs";
 import { relative } from "node:path";
 //#region src/commands/generate.ts

package/dist/{git-DJJ64SW9.mjs → git-BWPimLgc.mjs}

@@ -8,13 +8,23 @@ function createTag(tag, opts) {
 		tag
 	], opts);
 }
-/** Push tags to remote, using BUMPY_GH_TOKEN if available */
-function pushWithTags(opts) {
+/**
+* Force-push a single tag to origin, using BUMPY_GH_TOKEN if available.
+*
+* Force is required because `gh release create --draft --target SHA` creates
+* the tag on the remote at draft-creation time. If a previous publish attempt
+* failed and HEAD has since moved, the remote tag points at the stale SHA —
+* `git push --tags` would reject. The caller is responsible for ensuring the
+* local tag is at the correct SHA (i.e. only call after a successful publish).
+*/
+function forcePushTag(tag, opts) {
 	withGitToken(opts?.cwd, () => {
 		runArgs([
 			"git",
 			"push",
-			"--tags"
+			"origin",
+			`refs/tags/${tag}`,
+			"--force"
 		], opts);
 	});
 }
@@ -260,4 +270,4 @@ function getFileStatuses(dir, opts) {
 	return statuses;
 }
 //#endregion
-export { getCurrentBranch as a, hasUncommittedChanges as c, tagExists as d, withGitToken as f, getChangedFiles as i, pushWithTags as l, getBaseCompareRef as n, getFileStatuses as o, getBranchCommits as r, getFilesChangedInCommit as s, createTag as t, readFileAtRef as u };
+export { getChangedFiles as a, getFilesChangedInCommit as c, tagExists as d, withGitToken as f, getBranchCommits as i, hasUncommittedChanges as l, forcePushTag as n, getCurrentBranch as o, getBaseCompareRef as r, getFileStatuses as s, createTag as t, readFileAtRef as u };

package/dist/index.mjs

@@ -4,5 +4,5 @@ import { a as writeBumpFile, n as parseBumpFile, o as discoverPackages, r as rea
 import { a as DependencyGraph, i as stripProtocol, n as bumpVersion, r as satisfies, t as assembleReleasePlan } from "./release-plan-mK7iGeGq.mjs";
 import { a as prependToChangelog, i as loadFormatter, n as generateChangelogEntry, t as defaultFormatter } from "./changelog-CbaET5V6.mjs";
 import { t as applyReleasePlan } from "./apply-release-plan-DD2R7SL2.mjs";
-import { t as publishPackages } from "./publish-pipeline-DSj14dW6.mjs";
+import { t as publishPackages } from "./publish-pipeline-BPedWvKS.mjs";
 export { BUMP_LEVELS, DEFAULT_BUMP_RULES, DEFAULT_CONFIG, DEFAULT_PUBLISH_CONFIG, DEP_TYPES, DependencyGraph, applyReleasePlan, assembleReleasePlan, bumpLevel, bumpVersion, defaultFormatter, discoverPackages, findRoot, generateChangelogEntry, getBumpyDir, hasCascade, loadConfig, loadFormatter, matchGlob, maxBump, normalizeCascadeConfig, parseBumpFile, prependToChangelog, publishPackages, readBumpFiles, satisfies, stripProtocol, writeBumpFile };

package/dist/{publish-h6rM58Cq.mjs → publish-VYBhDYFM.mjs}

@@ -5,9 +5,9 @@ import { s as discoverWorkspace } from "./bump-file-B7hmXZlB.mjs";
 import { a as DependencyGraph } from "./release-plan-mK7iGeGq.mjs";
 import { r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
 import { i as loadFormatter, n as generateChangelogEntry } from "./changelog-CbaET5V6.mjs";
-import { c as hasUncommittedChanges, l as pushWithTags } from "./git-DJJ64SW9.mjs";
-import { t as publishPackages } from "./publish-pipeline-DSj14dW6.mjs";
-import { CI_PLAN_CACHE_PATH } from "./ci-CIamssoq.mjs";
+import { d as tagExists, l as hasUncommittedChanges, n as forcePushTag } from "./git-BWPimLgc.mjs";
+import { n as willUseOidcExclusively, t as publishPackages } from "./publish-pipeline-BPedWvKS.mjs";
+import { CI_PLAN_CACHE_PATH } from "./ci-B7gF6CFP.mjs";
 //#region src/core/github-release.ts
 /** Get the current HEAD commit SHA */
 function getHeadSha(rootDir) {
@@ -332,6 +332,17 @@ async function publishCommand(rootDir, opts) {
 	else log.bold("Publishing:");
 	for (const r of toPublish) console.log(`  ${r.name}@${colorize(r.newVersion, "cyan")}`);
 	console.log();
+	if (willUseOidcExclusively(rootDir)) {
+		const newPackages = await findPackagesMissingFromNpm(toPublish, packages);
+		if (newPackages.length > 0) {
+			const logFn = opts.dryRun ? log.warn : log.error;
+			logFn(`Trusted publishing (OIDC) cannot create a new package. The following don't exist on npm yet:`);
+			for (const name of newPackages) logFn(`  • ${name}`);
+			logFn(`Publish a 0.0.0 placeholder version manually to claim the name, then configure`);
+			logFn(`trusted publishing on npmjs.com. Bumpy will then publish the real version via OIDC.`);
+			if (!opts.dryRun) process.exit(1);
+		}
+	}
 	const formatter = config.changelog !== false ? await loadFormatter(config.changelog, rootDir) : void 0;
 	const ghAvailable = isGhAvailable();
 	const publishTargetsByPkg = /* @__PURE__ */ new Map();
@@ -489,12 +500,22 @@ async function publishCommand(rootDir, opts) {
 		log.error(`Failed ${result.failed.length}: ${result.failed.map((f) => `${f.name} (${f.error})`).join(", ")}`);
 		process.exit(1);
 	}
-	if (!opts.dryRun && !opts.noPush && result.published.length > 0) try {
+	if (!opts.dryRun && !opts.noPush && result.published.length > 0) {
+		const failed = new Set(result.failed.map((f) => f.name));
+		const pushed = [];
 		log.step("Pushing tags...");
-		pushWithTags({ cwd: rootDir });
-		log.success("Pushed tags to remote");
-	} catch (err) {
-		log.warn(`Failed to push tags: ${err instanceof Error ? err.message : err}`);
+		for (const release of releasePlan.releases) {
+			if (failed.has(release.name)) continue;
+			const tag = `${release.name}@${release.newVersion}`;
+			if (!tagExists(tag, { cwd: rootDir })) continue;
+			try {
+				forcePushTag(tag, { cwd: rootDir });
+				pushed.push(tag);
+			} catch (err) {
+				log.warn(`  Failed to push tag ${tag}: ${err instanceof Error ? err.message : err}`);
+			}
+		}
+		if (pushed.length > 0) log.success(`Pushed ${pushed.length} tag(s) to remote`);
 	}
 	if (!ghAvailable && result.published.length > 0) await createIndividualReleases(releasePlan.releases.filter((r) => result.published.some((p) => p.name === r.name)), releasePlan.bumpFiles, rootDir, {
 		dryRun: opts.dryRun,
@@ -618,5 +639,38 @@ async function checkIfPublished(name, version, pkgConfig) {
 		return false;
 	}
 }
+/**
+* Check whether a package exists on npm at all (any version).
+* Returns true if the package is registered, false if it doesn't exist or the query fails.
+*/
+async function packageExistsOnNpm(name, registry) {
+	const args = [
+		"npm",
+		"info",
+		name,
+		"name"
+	];
+	if (registry) args.push("--registry", registry);
+	try {
+		return (await runArgsAsync(args)).trim() === name;
+	} catch {
+		return false;
+	}
+}
+/**
+* Filter `toPublish` to package names that don't exist on npm yet.
+* Skips packages not going through the standard npm publish flow.
+*/
+async function findPackagesMissingFromNpm(toPublish, packages) {
+	const missing = [];
+	await Promise.all(toPublish.map(async (release) => {
+		const pkg = packages.get(release.name);
+		const pkgConfig = pkg.bumpy || {};
+		if (pkgConfig.publishCommand || pkgConfig.skipNpmPublish) return;
+		if (pkg.private && !pkgConfig.publishCommand) return;
+		if (!await packageExistsOnNpm(release.name, pkgConfig.registry)) missing.push(release.name);
+	}));
+	return missing;
+}
 //#endregion
 export { findUnpublishedPackages, publishCommand };

package/dist/{publish-pipeline-DSj14dW6.mjs → publish-pipeline-BPedWvKS.mjs}

@@ -3,7 +3,7 @@ import { a as readJson, u as updateJsonNestedField } from "./fs-CBXKZhoU.mjs";
 import { s as resolveCatalogDep } from "./package-manager-Db_vTztt.mjs";
 import { i as stripProtocol } from "./release-plan-mK7iGeGq.mjs";
 import { i as runAsync, o as sq, r as runArgsAsync, s as tryRunArgs } from "./shell-C8KgKnMQ.mjs";
-import { d as tagExists, t as createTag } from "./git-DJJ64SW9.mjs";
+import { d as tagExists, t as createTag } from "./git-BWPimLgc.mjs";
 import { resolve } from "node:path";
 import { unlink } from "node:fs/promises";
 import { appendFileSync, existsSync, readFileSync, writeFileSync } from "node:fs";
@@ -23,6 +23,21 @@ function detectOidcProvider() {
 	if (process.env.CIRCLECI && process.env.NPM_ID_TOKEN) return "circleci";
 	return null;
 }
+/**
+* Returns true when OIDC trusted publishing is the only available npm auth path:
+* an OIDC provider is detected AND no token env vars or .npmrc auth are present.
+*
+* Used to gate checks that only matter when OIDC will definitely be used — e.g.
+* erroring when a brand-new package can't be bootstrapped via trusted publishing.
+* Detection alone is leaky (id-token: write is also set for provenance), so this
+* helper avoids false positives when a token fallback exists.
+*/
+function willUseOidcExclusively(rootDir) {
+	if (!detectOidcProvider()) return false;
+	if (process.env.NPM_TOKEN || process.env.NODE_AUTH_TOKEN) return false;
+	const npmrcPath = resolve(rootDir, ".npmrc");
+	return !(existsSync(npmrcPath) ? readFileSync(npmrcPath, "utf-8") : "").includes(":_authToken=");
+}
 const OIDC_NPM_UPGRADE_HINTS = {
 	"github-actions": "Add `actions/setup-node@v6` with `node-version: lts/*` to your workflow",
 	gitlab: "Use a Node.js image with npm >= 11.5.1 or run `npm install -g npm@latest`",
@@ -306,4 +321,4 @@ async function resolveProtocolsInPlace(pkg, packages, releasePlan, catalogs) {
 	}
 }
 //#endregion
-export { publishPackages as t };
+export { willUseOidcExclusively as n, publishPackages as t };

package/dist/{status-BbsDr6t7.mjs → status-DxzKPM8d.mjs}

@@ -2,7 +2,7 @@ import { n as log, t as colorize } from "./logger-BgksGFuf.mjs";
 import { a as loadConfig } from "./config-D_4GYDJi.mjs";
 import { o as discoverPackages, r as readBumpFiles, t as filterBranchBumpFiles } from "./bump-file-B7hmXZlB.mjs";
 import { a as DependencyGraph, t as assembleReleasePlan } from "./release-plan-mK7iGeGq.mjs";
-import { a as getCurrentBranch, i as getChangedFiles } from "./git-DJJ64SW9.mjs";
+import { a as getChangedFiles, o as getCurrentBranch } from "./git-BWPimLgc.mjs";
 //#region src/commands/status.ts
 async function statusCommand(rootDir, opts) {
 	const config = await loadConfig(rootDir);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@varlock/bumpy",
-  "version": "1.13.0",
+  "version": "1.13.2",
   "description": "Modern monorepo versioning and changelog tool",
   "keywords": [
     "bump",