@visulima/vis 1.0.0-alpha.36 → 1.0.0-alpha.38
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +13 -0
- package/LICENSE.md +1 -503
- package/dist/bin.js +1 -1
- package/dist/binx.js +1 -1
- package/dist/config/index.d.ts +7 -0
- package/dist/packem_chunks/DEFAULT_CLEAN_KEEP.js +1 -0
- package/dist/packem_chunks/bin.js +302 -515
- package/dist/packem_chunks/bloom-sync.js +1 -1
- package/dist/packem_chunks/catalog-detector.js +1 -0
- package/dist/packem_chunks/detect.js +3 -0
- package/dist/packem_chunks/detect2.js +8 -0
- package/dist/packem_chunks/discord.js +4 -0
- package/dist/packem_chunks/dynamic-import.js +1 -0
- package/dist/packem_chunks/extra-files.js +3 -0
- package/dist/packem_chunks/fix.js +1 -1
- package/dist/packem_chunks/git.js +3 -0
- package/dist/packem_chunks/handler10.js +1 -1
- package/dist/packem_chunks/handler12.js +1 -1
- package/dist/packem_chunks/handler13.js +1 -1
- package/dist/packem_chunks/handler14.js +1 -1
- package/dist/packem_chunks/handler15.js +1 -1
- package/dist/packem_chunks/handler16.js +1 -1
- package/dist/packem_chunks/handler17.js +1 -1
- package/dist/packem_chunks/handler18.js +1 -1
- package/dist/packem_chunks/handler19.js +1 -1
- package/dist/packem_chunks/handler21.js +1 -1
- package/dist/packem_chunks/handler27.js +1 -1
- package/dist/packem_chunks/handler28.js +1 -1
- package/dist/packem_chunks/handler29.js +1 -1
- package/dist/packem_chunks/handler3.js +4 -4
- package/dist/packem_chunks/handler30.js +2 -7
- package/dist/packem_chunks/handler31.js +2 -33
- package/dist/packem_chunks/handler32.js +2 -3
- package/dist/packem_chunks/handler33.js +3 -8
- package/dist/packem_chunks/handler34.js +6 -4
- package/dist/packem_chunks/handler35.js +1 -1
- package/dist/packem_chunks/handler36.js +42 -5
- package/dist/packem_chunks/handler37.js +8 -11
- package/dist/packem_chunks/handler38.js +9 -3
- package/dist/packem_chunks/handler39.js +74 -21
- package/dist/packem_chunks/handler4.js +1 -1
- package/dist/packem_chunks/handler40.js +5 -61
- package/dist/packem_chunks/handler41.js +4 -3
- package/dist/packem_chunks/handler42.js +3 -6
- package/dist/packem_chunks/handler43.js +2 -24
- package/dist/packem_chunks/handler44.js +1 -25
- package/dist/packem_chunks/handler45.js +1 -153
- package/dist/packem_chunks/handler46.js +1 -10
- package/dist/packem_chunks/handler47.js +3 -24
- package/dist/packem_chunks/handler48.js +1 -322
- package/dist/packem_chunks/handler49.js +7 -708
- package/dist/packem_chunks/handler5.js +6 -6
- package/dist/packem_chunks/handler50.js +33 -48
- package/dist/packem_chunks/handler51.js +3 -27
- package/dist/packem_chunks/handler52.js +8 -3
- package/dist/packem_chunks/handler53.js +4 -200
- package/dist/packem_chunks/handler54.js +1 -38
- package/dist/packem_chunks/handler55.js +12 -0
- package/dist/packem_chunks/handler56.js +7 -0
- package/dist/packem_chunks/handler57.js +5 -0
- package/dist/packem_chunks/handler58.js +11 -0
- package/dist/packem_chunks/handler59.js +3 -0
- package/dist/packem_chunks/handler60.js +22 -0
- package/dist/packem_chunks/handler61.js +61 -0
- package/dist/packem_chunks/handler62.js +3 -0
- package/dist/packem_chunks/handler63.js +6 -0
- package/dist/packem_chunks/handler64.js +708 -0
- package/dist/packem_chunks/handler65.js +24 -0
- package/dist/packem_chunks/handler66.js +25 -0
- package/dist/packem_chunks/handler67.js +153 -0
- package/dist/packem_chunks/handler68.js +10 -0
- package/dist/packem_chunks/handler69.js +24 -0
- package/dist/packem_chunks/handler7.js +1 -1
- package/dist/packem_chunks/handler70.js +322 -0
- package/dist/packem_chunks/handler71.js +48 -0
- package/dist/packem_chunks/handler72.js +27 -0
- package/dist/packem_chunks/handler73.js +3 -0
- package/dist/packem_chunks/handler74.js +190 -0
- package/dist/packem_chunks/handler75.js +38 -0
- package/dist/packem_chunks/handler8.js +1 -1
- package/dist/packem_chunks/handler9.js +1 -1
- package/dist/packem_chunks/heal-accept.js +1 -1
- package/dist/packem_chunks/heal.js +1 -1
- package/dist/packem_chunks/help-command.js +1 -1
- package/dist/packem_chunks/index.js +1 -7
- package/dist/packem_chunks/index2.js +7 -0
- package/dist/packem_chunks/interface.js +2 -0
- package/dist/packem_chunks/keys-refresh.js +1 -1
- package/dist/packem_chunks/list.js +1 -1
- package/dist/packem_chunks/loader.js +1 -1
- package/dist/packem_chunks/orchestrator.js +39 -0
- package/dist/packem_chunks/pre-mode.js +2 -0
- package/dist/packem_chunks/print-config.js +2 -0
- package/dist/packem_chunks/prompts.js +7 -0
- package/dist/packem_chunks/publish-guards.js +1 -0
- package/dist/packem_chunks/registry.js +48 -0
- package/dist/packem_chunks/resolveFormatter.js +9 -0
- package/dist/packem_chunks/security.js +1 -0
- package/dist/packem_chunks/shell-runner.js +1 -0
- package/dist/packem_chunks/slack.js +2 -0
- package/dist/packem_chunks/snapshot.js +2 -0
- package/dist/packem_chunks/stage-publisher.js +1 -0
- package/dist/packem_chunks/staged-registry.js +2 -0
- package/dist/packem_chunks/state.js +3 -0
- package/dist/packem_chunks/success-walk.js +8 -0
- package/dist/packem_chunks/sync.js +1 -1
- package/dist/packem_chunks/sync2.js +1 -1
- package/dist/packem_chunks/tripwire.js +1 -1
- package/dist/packem_chunks/verify-lockfile.js +2 -2
- package/dist/packem_chunks/version-resolver.js +2 -0
- package/dist/packem_chunks/webhook.js +1 -0
- package/dist/packem_chunks/workflow-templates.js +167 -0
- package/dist/packem_chunks/workspace.js +2 -0
- package/dist/packem_shared/AfterAllProjectsVersioned-CAKI2nWf.js +1 -0
- package/dist/packem_shared/ReleaseClient-YHzBIxYS.js +1 -0
- package/dist/packem_shared/VisReleaseError-DMGRBTNO.js +1 -0
- package/dist/packem_shared/{ai-analysis-DT3bU-_M.js → ai-analysis-K-DKU3ZA.js} +1 -1
- package/dist/packem_shared/{ai-fix-BkNqd5nP.js → ai-fix-BPrYoCk8.js} +1 -1
- package/dist/packem_shared/api.d-BPftyU9r.d.ts +27 -0
- package/dist/packem_shared/createAdapter-bU4DIP3F.js +1 -0
- package/dist/packem_shared/createVersionActions-BK43SNDH.js +1 -0
- package/dist/packem_shared/{cyclonedx-86-DbHtf.js → cyclonedx-kYozDyxp.js} +3 -3
- package/dist/packem_shared/defineFormatter-D5dCp6Kv.js +1 -0
- package/dist/packem_shared/dependency-scan-anTuZB1t.js +1 -0
- package/dist/packem_shared/{docker-tNrDU3oK.js → docker-BMLrNtWm.js} +1 -1
- package/dist/packem_shared/{failure-log-Dwqt6_Ga.js → failure-log-CEWP3bP0.js} +1 -1
- package/dist/packem_shared/index-BJbpNthk.js +1 -0
- package/dist/packem_shared/index-CgcF6_wo.js +1 -0
- package/dist/packem_shared/{index-C0Vj3XF8.js → index-D1_fbGbj.js} +1 -1
- package/dist/packem_shared/interface.d-B7VK2rcH.d.ts +148 -0
- package/dist/packem_shared/interface.d-Cezzifoh.d.ts +106 -0
- package/dist/packem_shared/{missing-package-json-41VUWFBY.js → missing-package-json-BfWUxTGv.js} +1 -1
- package/dist/packem_shared/{native-config-sync-BKAZ0NIs.js → native-config-sync-BEkJW7g3.js} +8 -8
- package/dist/packem_shared/pm-runner-OGResYrA.js +1 -0
- package/dist/packem_shared/provenance-_CJjMKwu.js +1 -0
- package/dist/packem_shared/public-api-WqUCiyIe.js +131 -0
- package/dist/packem_shared/{registry-keys-Bf2zzlcZ.js → registry-keys-BfFto6vI.js} +1 -1
- package/dist/packem_shared/{resolve-explicit-jH0RKyMJ.js → resolve-explicit-CMDl55Nz.js} +2 -2
- package/dist/packem_shared/s1ngularity-Dhr3bPk0.js +1 -0
- package/dist/packem_shared/{scan-progress-JBbd9QeT.js → scan-progress-DG7_JmTV.js} +1 -1
- package/dist/packem_shared/{signatures-D1H6h6GH.js → signatures-C730vkyK.js} +2 -2
- package/dist/packem_shared/slug-DoueYuLo.js +1 -0
- package/dist/packem_shared/spinner-CV3WVJLv.js +1 -0
- package/dist/packem_shared/sticky-comment-D6_7-w8T.js +1 -0
- package/dist/packem_shared/{tabs-BqUepRaD.js → tabs-BuTy5gPV.js} +1 -1
- package/dist/packem_shared/{typosquats-C8qg1neE.js → typosquats-DN78xx1x.js} +1 -1
- package/dist/packem_shared/use-measured-height-_eVGWtWt.js +1 -0
- package/dist/packem_shared/verify-6WCmFmy8.js +1 -0
- package/dist/packem_shared/{vis-update-app-CTwRkNgj.js → vis-update-app-k3fDxech.js} +1 -1
- package/dist/release/core/changelog/index.d.ts +5 -0
- package/dist/release/core/changelog/index.js +1 -0
- package/dist/release/core/package-managers/index.d.ts +6 -0
- package/dist/release/core/package-managers/index.js +1 -0
- package/dist/release/core/version-actions/index.d.ts +14 -0
- package/dist/release/core/version-actions/index.js +1 -0
- package/dist/release/index.d.ts +196 -0
- package/dist/release/index.js +1 -0
- package/dist/release/plugin-sdk.d.ts +127 -0
- package/dist/release/plugin-sdk.js +1 -0
- package/dist/release/presets.d.ts +225 -0
- package/dist/release/presets.js +1 -0
- package/dist/release/types.d.ts +1377 -0
- package/dist/release/types.js +1 -0
- package/index.d.ts +201 -201
- package/index.js +578 -752
- package/package.json +53 -11
- package/schemas/vis-config.schema.json +1394 -6
- package/schemas/vis-release-config.schema.json +1390 -0
- package/dist/packem_shared/dependency-scan-BDTH898x.js +0 -1
- package/dist/packem_shared/index-CB4p298r.js +0 -1
- package/dist/packem_shared/index-DMefdF51.js +0 -1
- package/dist/packem_shared/pm-runner-pVihAfxV.js +0 -1
- package/dist/packem_shared/provenance-DMuEftgc.js +0 -1
- package/dist/packem_shared/s1ngularity-BkfgC6NO.js +0 -1
- package/dist/packem_shared/spinner-BXSl864p.js +0 -1
- package/dist/packem_shared/use-measured-height-BBJ9intr.js +0 -1
- package/dist/packem_shared/verify-Du7xZ2BJ.js +0 -1
|
@@ -1,5 +1,42 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
1
|
+
const i=`
|
|
2
|
+
🔧 vis release CI setup
|
|
3
|
+
|
|
4
|
+
1. Workflow permissions
|
|
5
|
+
Add to .github/workflows/vis-release.yml:
|
|
6
|
+
permissions:
|
|
7
|
+
contents: write
|
|
8
|
+
pull-requests: write
|
|
9
|
+
id-token: write # required for OIDC trusted publishing on npm
|
|
10
|
+
|
|
11
|
+
2. Secrets
|
|
12
|
+
Required:
|
|
13
|
+
- VIS_GH_TOKEN — PAT or GitHub App token. Used to force-push the
|
|
14
|
+
version-PR branch and create/edit the version PR. The default
|
|
15
|
+
\${{ github.token }} is anti-recursion-locked and cannot trigger
|
|
16
|
+
downstream workflows on the version-PR.
|
|
17
|
+
- GH_TOKEN — \${{ github.token }} works for read-only / commenting.
|
|
18
|
+
Optional:
|
|
19
|
+
- NPM_TOKEN — fallback when OIDC is not available. Trusted Publishing
|
|
20
|
+
(id-token: write) is preferred.
|
|
21
|
+
|
|
22
|
+
3. Trusted Publishing on npm
|
|
23
|
+
For each published package:
|
|
24
|
+
a. https://npmjs.com/package/<name>/access → Publishing access
|
|
25
|
+
b. Add a Trusted Publisher with provider=GitHub Actions
|
|
26
|
+
c. Repository: visulima/visulima
|
|
27
|
+
d. Workflow filename: vis-release.yml
|
|
28
|
+
e. Environment name: (leave blank unless you use one)
|
|
29
|
+
|
|
30
|
+
4. Concurrency group (recommended)
|
|
31
|
+
concurrency:
|
|
32
|
+
group: vis-release-\${{ github.ref }}
|
|
33
|
+
cancel-in-progress: false
|
|
34
|
+
|
|
35
|
+
5. Husky pre-commit gate (optional)
|
|
36
|
+
Add to .husky/pre-commit:
|
|
37
|
+
vis release check --hook pre-commit --no-fail
|
|
38
|
+
(Or run \`vis release init\` and confirm the prompt — it'll auto-wire
|
|
39
|
+
the hook if you say yes.)
|
|
40
|
+
|
|
41
|
+
📚 RFC: packages/tooling/vis/rfc/design-release-manager.md (§16)
|
|
42
|
+
`,o=async({logger:e})=>{e.info(i)};export{o as default};
|
|
@@ -1,11 +1,8 @@
|
|
|
1
|
-
import{
|
|
2
|
-
|
|
3
|
-
`
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
${
|
|
9
|
-
`))},Oe=async({argument:e,fs:o,logger:t,options:r,process:n,workspaceRoot:s})=>{const i=await be({autoInstall:!!r.install,configPath:r.config,cwd:s??n.cwd,files:e.filter(Boolean),fix:!!r.fix,fs:o,json:!!r.json,logger:t});i!==0&&(process.exitCode=i)},$e=async(e,o)=>{try{return await e.access(o),!0}catch{return!1}},ye=async e=>{const o=_({input:process.stdin,output:process.stderr}),t=await new Promise(r=>{o.question(` ${e} already exists. Overwrite? ${m("[y/N]")} `,n=>{r(n.trim().toLowerCase())})});return o.close(),t==="y"||t==="yes"},je=async({argument:e,fs:o,logger:t,options:r,process:n,workspaceRoot:s})=>{const i=s??n.cwd,l=e[0]??"Dockerfile",a=A(l)?l:h(i,l),d=X(i)?.manager??"npm",u=(r.focus??"").split(",").map(f=>f.trim()).find(Boolean),c=re({focus:u,manager:d,nodeVersion:r.node??"22"});if(r.dryRun){process.stdout.write(c.endsWith(`
|
|
10
|
-
`)?c:`${c}
|
|
11
|
-
`);return}if(await $e(o,a)&&!r.force){if(!process.stdin.isTTY){t.error(`${a} already exists. Re-run with --force to overwrite.`),process.exitCode=1;return}if(!await ye(a)){t.info("Aborted — existing Dockerfile left untouched.");return}}await o.writeFile(a,c),t.info(`Created ${a} (package manager: ${d}).`),t.info(m(`Next: vis docker scaffold${u?` --focus=${u}`:""} --include-sources, then DOCKER_BUILDKIT=1 docker build .`))};export{je as initExecute,Oe as lintExecute,Ce as pruneExecute,Se as scaffoldExecute};
|
|
1
|
+
import{b as g}from"./orchestrator.js";import{detectRemoteProvider as h,createRemoteClient as $}from"./detect2.js";import{createShellRunner as w}from"./shell-runner.js";import{runSnapshot as R}from"./snapshot.js";const y=(r,o)=>{if(r.length===0)return"_No packages were affected by this PR._";const n=["### 📦 Preview Packages",""];for(const e of r){const t=`${e.name}@${e.version}`;n.push(`- \`${e.name}\` → \`${e.version}\``),o?n.push(` \`\`\`sh
|
|
2
|
+
npm i ${t} --registry ${o}
|
|
3
|
+
\`\`\``):n.push(` \`\`\`sh
|
|
4
|
+
npm i ${t}
|
|
5
|
+
\`\`\``)}return n.join(`
|
|
6
|
+
`)},S=async({logger:r,options:o,workspaceRoot:n})=>{const e=n??process.cwd(),t=w(),l=await h(e,t),a=$(l),s=a.detectPullRequestNumber(process.env),p=o.tag??(s?`pr-${s}`:void 0);if(!p){r.error("Could not determine snapshot tag. Pass --tag or run in a PR context (GITHUB_REF=refs/pull/<n>/merge)."),process.exitCode=1;return}if(o.onClose){await C(e,t,a,s,r);return}let c,u;try{c=await g({cwd:e});const{printConfigIfRequested:i}=await import("./print-config.js");if(i(o,c,r))return;u=await R({context:c,runner:t,tag:p})}catch(i){r.error(`Snapshot failed: ${i.message}`),process.exitCode=1;return}if(r.info(`Snapshotted ${u.published.length} package(s) at version ${u.snapshotVersion} → tag "${u.tag}"`),!s)return;const d=await a.detectRepoSlug(e,t);if(!d){r.warn("Could not detect repo slug — skipping sticky PR comment.");return}const m="<!-- vis-release-snapshot-comment -->",f=`${m}
|
|
7
|
+
|
|
8
|
+
${y(u.published,c.config.snapshot?.registry)}`;try{const i=await a.upsertStickyComment(t,{body:f,cwd:e,issueNumber:s,marker:m,repo:d});i&&r.info(`${i.created?"Posted":"Updated"} snapshot comment on PR #${s}.`)}catch(i){r.warn(`upsertStickyComment failed (publish already succeeded): ${i.message}`)}},C=async(r,o,n,e,t)=>{if(!e){t.error("PR-close cleanup requires a PR context."),process.exitCode=1;return}const l=await n.detectRepoSlug(r,o);if(!l){t.warn("Could not detect repo slug — skipping cleanup.");return}const a=await o.run("gh",["api",`repos/${l}/pulls/${e}/commits`,"--paginate"],{cwd:r,silent:!0});if(a.exitCode!==0){t.warn(`gh api failed: ${a.stderr}`);return}let s;try{s=JSON.parse(a.stdout)}catch{t.warn("Could not parse gh api output.");return}const p=[`pr-${e}`];for(const c of s)p.push(c.sha,c.sha.slice(0,7));t.info(`Cleanup intent for PR #${e}: ${p.length} tag pattern(s) across ${s.length} commit(s)`),t.info("Default backend (pkg-pr-new) auto-cleans by TTL — no DELETE issued. Implement a custom backend's delete endpoint to enable real cleanup.")};export{S as default};
|
|
@@ -1,3 +1,9 @@
|
|
|
1
|
-
import{
|
|
2
|
-
`);break}case"junit":{m.write(oe({runs:b.map(n=>({adapter:n.adapter.id,durationMs:n.durationMs,findings:n.findings})),workspaceRoot:r}));break}case"minimal":{ye(p.findings,r,m);break}case"sarif":{m.write(ne({runs:b.map(n=>({adapter:n.adapter.id,findings:n.findings,presence:g.find(a=>a.adapter.id===n.adapter.id)?.presence})),workspaceRoot:r}));break}default:we(p.findings,r,y,t)}}finally{m?.close()}const S=y==="fix"?p.hadProcessFailure?1:0:pe({...p,maxSeverity:p.findings.length>0?"error":void 0});S!==0&&(process.exitCode=S)};if(e.watch){const l=[...new Set(x.flatMap(({adapter:o})=>o.extensions))];await ee({extensions:l,initialFiles:d,label:"fmt",log:o=>{t.info(o)},runCycle:M,workspaceRoot:r});return}await M(d)},ke=t=>{const e=t;return[...e._??e.args??[]]},we=(t,e,s,i)=>{if(t.length===0){i.info(F(s==="fix"?"✓ fmt: nothing to change":"✓ fmt: all files already formatted"));return}const r=le(t),u=s==="fix"?L(N("Formatted:")):N("Would change:");i.info(u);for(const w of r.keys())i.info(` ${O("·")} ${P(e,w)}`);s==="check"&&(i.info(""),i.info(O(`Run \`vis fmt\` to apply changes (${String(r.size)} file${r.size===1?"":"s"}).`)))},ye=(t,e,s)=>{for(const i of t)s.write(`${i.adapter} ${P(e,i.file)}
|
|
3
|
-
`)};
|
|
1
|
+
import{b as j}from"./orchestrator.js";const A=async({logger:u,options:m,workspaceRoot:h})=>{const c=h??process.cwd(),a=[];let n;try{n=await j({cwd:c}),a.push({message:"vis.config.ts loaded; release block parsed.",name:"config-loads",severity:"error",status:"pass"})}catch(e){a.push({message:`Config failed to load: ${e.message}`,name:"config-loads",severity:"error",status:"fail"}),await $(u,m,a),process.exitCode=1;return}n.packages.length===0?a.push({message:"No packages discovered. Ensure your package manager's workspace block resolves.",name:"workspace-discovered",severity:"error",status:"fail"}):a.push({message:`Discovered ${n.packages.length} workspace package(s).`,name:"workspace-discovered",severity:"info",status:"pass"});try{const e=await n.pm.detectVersion(c);e?a.push({message:`${n.pm.id}@${e} (min required: ${n.pm.minVersion})`,name:"pm-version",severity:"info",status:"pass"}):a.push({message:`Could not detect ${n.pm.id} version.`,name:"pm-version",severity:"warn",status:"skip"})}catch(e){a.push({message:`Skipped: ${e.message}`,name:"pm-version",severity:"warn",status:"skip"})}n.branch&&n.channel?a.push({message:`Branch "${n.branch}" → channel ${n.channel.tag}${n.channel.prerelease?` (preid: ${n.channel.prerelease})`:""}, mode: ${n.channel.mode}`,name:"branch-channel",severity:"info",status:"pass"}):n.branch&&!n.channel?a.push({message:`Branch "${n.branch}" does not match any configured channel. Releases will use dist-tag "latest" by default.`,name:"branch-channel",severity:"warn",status:"fail"}):a.push({message:"No branch detected (detached HEAD or non-git workspace).",name:"branch-channel",severity:"warn",status:"skip"});try{await import("node:child_process").then(({execSync:e})=>{try{return e("gh --version",{stdio:"ignore"}),!0}catch{return!1}})?a.push({message:"gh CLI is on PATH.",name:"gh-cli-available",severity:"info",status:"pass"}):a.push({message:"gh CLI not found. GH releases / PR comments will be skipped.",name:"gh-cli-available",severity:"warn",status:"fail"})}catch{}if(process.env.CI==="true"||process.env.GITHUB_ACTIONS==="true")try{const{createShellRunner:e}=await import("./shell-runner.js"),i=await e().run("gh",["auth","status","--show-token"],{cwd:c,silent:!0}),t=`${i.stdout}
|
|
2
|
+
${i.stderr}`,s=/Token scopes:\s*(.+)/.exec(t);if(i.exitCode!==0||!s)a.push({message:"Skipped: `gh auth status` did not return a parseable Token scopes line. (Fine-grained tokens / OIDC-only auth fall in this bucket.)",name:"github.token-scopes",severity:"info",status:"skip"});else{const r=s[1].split(",").map(l=>l.trim().replaceAll(/^['"]|['"]$/g,"")).filter(Boolean),o=new Set(["admin:org","admin:repo_hook","delete_repo","repo","site_admin"]),g=r.filter(l=>o.has(l));g.length>0?a.push({message:`Token carries broader scopes than vis needs: ${g.join(", ")}. The release flow needs only contents:write + pull-requests:write (+ optional id-token:write for OIDC). Consider provisioning a fine-grained PAT or scoping the workflow's permissions block.`,name:"github.token-scopes",severity:"warn",status:"fail"}):a.push({message:`Token scopes look appropriately narrow: ${r.join(", ")||"(none)"}.`,name:"github.token-scopes",severity:"info",status:"pass"})}}catch{a.push({message:"Skipped: gh auth status could not be invoked.",name:"github.token-scopes",severity:"info",status:"skip"})}(process.env.CI==="true"||process.env.GITHUB_ACTIONS==="true")&&(process.env.ACTIONS_ID_TOKEN_REQUEST_URL?a.push({message:"GitHub Actions OIDC env vars present.",name:"oidc-available",severity:"info",status:"pass"}):process.env.NPM_TOKEN?a.push({message:"OIDC env vars missing; falling back to NPM_TOKEN. Add `permissions: { id-token: write }` to the workflow to enable trusted publishing.",name:"oidc-available",severity:"warn",status:"fail"}):a.push({message:"Neither OIDC env vars nor NPM_TOKEN are set in CI. Publish will fail.",name:"oidc-available",severity:"error",status:"fail"}));const y=await import("node:fs/promises"),b=await import("node:path");for(const e of n.packages){if(e.manifest.napi===void 0)continue;const i=b.join(e.dir,"npm");try{const t=(await y.readdir(i,{withFileTypes:!0})).filter(g=>g.isDirectory());if(t.length===0){a.push({message:`${e.name} has a napi field but no npm/<platform>/ subdirs. Run pnpm exec napi artifacts before publishing.`,name:`napi-${e.name}-platforms`,severity:"warn",status:"fail"});continue}const s=[];for(const g of t){const l=b.join(i,g.name,"package.json");try{const p=JSON.parse(await y.readFile(l,"utf8"));p.version!==e.version&&s.push(`${g.name} (${p.version} vs parent ${e.version})`)}catch{s.push(`${g.name} (unreadable manifest)`)}}s.length>0?a.push({message:`${e.name}: platform versions out of sync — ${s.join(", ")}. They'll be re-synced on next publish.`,name:`napi-${e.name}-versions`,severity:"warn",status:"fail"}):a.push({message:`${e.name}: ${t.length} platform package(s), all versions in sync.`,name:`napi-${e.name}`,severity:"info",status:"pass"});const r=e.manifest.optionalDependencies??{},o=[];for(const g of t)try{const l=JSON.parse(await y.readFile(b.join(i,g.name,"package.json"),"utf8"));Object.hasOwn(r,l.name)||o.push(l.name)}catch{}o.length>0&&a.push({message:`${e.name}: missing optionalDependencies entries for: ${o.join(", ")}. Consumers won't get the right binary.`,name:`napi-${e.name}-optdeps`,severity:"error",status:"fail"})}catch{a.push({message:`${e.name}: could not read npm/ subdir.`,name:`napi-${e.name}-platforms`,severity:"warn",status:"skip"})}}{const{resolveVersionActionsId:e}=await import("./orchestrator.js").then(t=>t.w),i=n.packages.filter(t=>e(t,n.perPackageConfig.get(t.name)??{})==="jsr");for(const t of i){const s=n.perPackageConfig.get(t.name)??{},r=["jsr","publish","--dry-run","--allow-dirty"],o=s.jsrConfigPath;o!==void 0&&o!=="jsr.json"&&r.push("--config",o);for(const g of s.jsrPublishArgs??[])r.push(g);try{const g=await n.pm.runner.run("npx",r,{cwd:t.dir,silent:!0});g.exitCode===0?a.push({message:`${t.name}: \`jsr publish --dry-run\` passed.`,name:`jsr-dry-run/${t.name}`,severity:"info",status:"pass"}):a.push({message:`${t.name}: \`jsr publish --dry-run\` reported issues (slow types / exports / auth?): ${(g.stderr||g.stdout).trim().slice(0,300)}`,name:`jsr-dry-run/${t.name}`,severity:"warn",status:"fail"})}catch(g){a.push({message:`${t.name}: could not run \`npx jsr publish --dry-run\` (${g.message}). Install the jsr CLI / check network to enable this pre-flight.`,name:`jsr-dry-run/${t.name}`,severity:"warn",status:"skip"})}}}if(n.plan.warnings.length>0)for(const e of n.plan.warnings)a.push({message:e,name:"plan-warning",severity:"warn",status:"fail"});else a.push({message:n.plan.releases.length===0?"No pending releases.":`Plan resolves ${n.plan.releases.length} release(s).`,name:"plan-readable",severity:"info",status:"pass"});const d=n.config.publish?.guards;if(d?.packSecretScan)try{await import("@visulima/secret-scanner"),a.push({message:"@visulima/secret-scanner resolves; pack-set secret scanning will run.",name:"publish-guards.packSecretScan",severity:"info",status:"pass"})}catch{a.push({message:"publish.guards.packSecretScan is enabled but @visulima/secret-scanner is not installed. pnpm add -D @visulima/secret-scanner, or set the gate to false.",name:"publish-guards.packSecretScan",severity:"error",status:"fail"})}d?.audit&&d.audit!=="off"&&a.push({message:`Runtime npm audit gate active at "${d.audit}" severity.`,name:"publish-guards.audit",severity:"info",status:"pass"});const f=n.config.publish?.releaseAssets;if((f?.stampHashes||f?.uploadTarball)&&a.push({message:`Release-asset attestation: stampHashes=${f.stampHashes??!1}, uploadTarball=${f.uploadTarball??!1}.`,name:"publish-releaseAssets",severity:"info",status:"pass"}),n.config.publish?.stage){try{const{execSync:r}=await import("node:child_process"),o=r("npm --version",{stdio:["ignore","pipe","ignore"]}).toString().trim(),[g="0",l="0"]=o.split("."),p=Number.parseInt(g,10)>11||Number.parseInt(g,10)===11&&Number.parseInt(l,10)>=15;a.push({message:p?`npm ${o} supports \`npm stage publish\`.`:`npm ${o} is too old for staged publishing. Upgrade to npm ≥ 11.15.0.`,name:"publish-stage.npm-version",severity:p?"info":"error",status:p?"pass":"fail"})}catch{a.push({message:"publish.stage is enabled but npm is not on PATH.",name:"publish-stage.npm-version",severity:"error",status:"fail"})}const e=n.config.publish?.registry??"https://registry.npmjs.org/",i=/(?:^|:\/\/)registry\.npmjs\.(?:org|com)\//.test(e);a.push({message:i?"Registry is npmjs.com; staging is supported.":`publish.stage is enabled but registry "${e}" is not npmjs.com. Staging is npm Inc-specific; the request will be rejected.`,name:"publish-stage.registry",severity:i?"info":"warn",status:i?"pass":"fail"});const t=n.packages.filter(r=>r.manifest.publishConfig?.access==="restricted"),s=!!process.env.ACTIONS_ID_TOKEN_REQUEST_URL&&!process.env.NPM_TOKEN;t.length>0&&s&&a.push({message:`${t.length} package(s) have publishConfig.access: "restricted" and OIDC trusted publishing is active. Staging this combo is not supported in v1 (no static token for the post-decision read). Set NPM_TOKEN, or disable publish.stage for these packages.`,name:"publish-stage.oidc-restricted",severity:"error",status:"fail"})}try{const{DEFAULT_CHANGES_DIR:e}=await import("./DEFAULT_CLEAN_KEEP.js"),{readStagedRegistry:i}=await import("./staged-registry.js"),t=await i(c,n.config.changesDir??e);if(t.pending.length>0){const s=t.pending.map(r=>`${r.name}@${r.version} (${r.reason})`).join(", ");a.push({message:`${t.pending.length} pending stage(s) recorded in .vis/release/staged.json: ${s}. Approve / reject before the next release: vis release stage approve --all`,name:"publish-stage.pending",severity:"warn",status:"fail"})}}catch{}try{const{DEFAULT_CHANGES_DIR:e}=await import("./DEFAULT_CLEAN_KEEP.js"),{readFile:i}=await import("node:fs/promises"),{join:t}=await import("node:path"),s=t(c,n.config.changesDir??e,".state.json"),r=await i(s,"utf8"),o=JSON.parse(r);Array.isArray(o.stagedIds)&&o.stagedIds.length>0&&a.push({message:`Found ${o.stagedIds.length} legacy stage id(s) in .state.json#stagedIds: ${o.stagedIds.join(", ")}. The new registry lives in .vis/release/staged.json. Approve / reject these via npmjs.com or \`vis release stage approve <id>\` to avoid losing them.`,name:"publish-stage.legacy-stagedIds",severity:"warn",status:"fail"})}catch{}{const e=n.packages.filter(i=>n.perPackageConfig.get(i.name)?.versionActions==="shell");for(const i of e){const t=n.perPackageConfig.get(i.name)??{},s=n.config.allowCustomCommands,r=s===!0||Array.isArray(s)&&s.includes(i.name),o=t.publishCommand!==void 0&&t.publishCommand!=="";r||a.push({message:`${i.name} uses versionActions: "shell" but release.allowCustomCommands does not permit it. Set allowCustomCommands: true or include "${i.name}" in the array.`,name:`shell-actions.${i.name}.trust-gate`,severity:"error",status:"fail"}),o?r&&a.push({message:`${i.name} → shell publish (${Array.isArray(t.publishCommand)?`${t.publishCommand.length} commands`:"1 command"}).`,name:`shell-actions.${i.name}`,severity:"info",status:"pass"}):a.push({message:`${i.name} uses versionActions: "shell" but no publishCommand is configured. Set release.packages["${i.name}"].publishCommand.`,name:`shell-actions.${i.name}.publish-command`,severity:"error",status:"fail"})}}if(!n.config.gitUser)try{const{createShellRunner:e}=await import("./shell-runner.js"),i=e(),t=await i.run("git",["config","user.name"],{cwd:c,silent:!0}),s=await i.run("git",["config","user.email"],{cwd:c,silent:!0}),r=t.exitCode===0&&t.stdout.trim().length>0,o=s.exitCode===0&&s.stdout.trim().length>0;!r||!o?a.push({message:`git config user.name/user.email is not set (name=${r?"ok":"missing"}, email=${o?"ok":"missing"}). vis auto-commits staged.json and version bumps — these will fail without an identity. Set release.gitUser in vis.config.ts or configure git globally.`,name:"git.identity",severity:"warn",status:"fail"}):a.push({message:`git identity: ${t.stdout.trim()} <${s.stdout.trim()}>.`,name:"git.identity",severity:"info",status:"pass"})}catch{}if(n.config.signing){const{signing:e}=n.config;try{const{createShellRunner:i}=await import("./shell-runner.js"),t=i(),s=await t.run("git",["config","user.signingkey"],{cwd:c,silent:!0}),r=await t.run("git",["config","gpg.format"],{cwd:c,silent:!0}),o=s.exitCode===0?s.stdout.trim():"",g=r.exitCode===0?r.stdout.trim():"",l=o.length>0||!!e.key;if(e.mode==="ssh")g!=="ssh"||!l?a.push({message:`release.signing.mode is "ssh" but git config is incomplete (gpg.format=${g||"<unset>"}, user.signingkey=${l?"ok":"missing"}). Run \`git config gpg.format ssh\` and \`git config user.signingkey <path-to-key>\` before releasing.`,name:"git.signing",severity:"warn",status:"fail"}):a.push({message:"git signing: ssh mode active (gpg.format=ssh, signingkey configured).",name:"git.signing",severity:"info",status:"pass"});else if(e.mode==="sigstore"){const{gitsignAvailable:p}=await import("./git.js");await p({cwd:c,runner:t})?a.push({message:"git signing: sigstore mode (preview); gitsign is on PATH.",name:"git.signing",severity:"info",status:"pass"}):a.push({message:'release.signing.mode is "sigstore" (preview) but gitsign is not on PATH. Tags will fall back to GPG signing with a warning. Install gitsign: https://github.com/sigstore/gitsign',name:"git.signing",severity:"warn",status:"fail"})}else if(l){const p=e.key?/[\\/]/.test(e.key)||/\.(?:pem|gpg|key|asc|p12|pfx)$/i.test(e.key)||e.key.length<8?"configured":`…${e.key.slice(-4)}`:"from git config";a.push({message:`git signing: gpg mode active (key: ${p}).`,name:"git.signing",severity:"info",status:"pass"})}else a.push({message:'release.signing.mode is "gpg" but neither release.signing.key nor git config user.signingkey is set. Configure one before releasing.',name:"git.signing",severity:"warn",status:"fail"})}catch(i){a.push({message:`Could not verify git signing config: ${i.message}.`,name:"git.signing",severity:"warn",status:"skip"})}}if(n.config.floatingMajorTag===!0&&n.config.signing?.mode==="sigstore"&&a.push({message:`release.floatingMajorTag and release.signing.mode="sigstore" are both enabled. The floating-tag retarget force-pushes <unscoped-name>-v<major> (e.g. acme-action-v1) on every release, which appends a new sigstore transparency-log entry to Rekor each time (Rekor is append-only — entries are never removed). Over a long-lived major you'll accumulate one log entry per release. Consider either dropping floatingMajorTag (and pin consumers to a specific tag) or switching to gpg/ssh signing if the Rekor footprint matters for your project.`,name:"floating-major-tag.signing-risk",severity:"warn",status:"fail"}),n.config.floatingMajorTag===!0)try{const{createShellRunner:e}=await import("./shell-runner.js"),i=await e().run("git",["tag","--list","v*"],{cwd:c,silent:!0});if(i.exitCode===0){const t=i.stdout.split(`
|
|
3
|
+
`).map(s=>s.trim()).filter(s=>/^v\d+$/.test(s));if(t.length===0)a.push({message:"No legacy `v<major>` tags found; floating-tag migration is clean.",name:"floating-major-tag.legacy-tags",severity:"info",status:"pass"});else{const s=t.slice(0,5),r=t.length>5?` (+${t.length-5} more)`:"",o=t[0],g=o.slice(1);a.push({message:`Legacy floating-major tags detected (${s.join(", ")}${r}). After upgrading the floating-tag format to \`<safe-name>-v<major>\`, these legacy tags are no longer updated. Consumers pinning \`<repo>@${o}\` will silently freeze at the pre-upgrade commit. Migration:
|
|
4
|
+
1. Re-tag the legacy tag to point at the new floating tag:
|
|
5
|
+
git tag -f ${o} <safe-name>-v${g}
|
|
6
|
+
git push --force origin ${o}
|
|
7
|
+
2. Or sunset the legacy tag and announce the new pin to consumers.`,name:"floating-major-tag.legacy-tags",severity:"warn",status:"fail"})}}else a.push({message:`Skipped: \`git tag --list "v*"\` exited ${i.exitCode}.`,name:"floating-major-tag.legacy-tags",severity:"info",status:"skip"})}catch(e){a.push({message:`Skipped: could not list git tags: ${e.message}.`,name:"floating-major-tag.legacy-tags",severity:"info",status:"skip"})}if(m.firstRelease===!0){const e=[];try{const{createShellRunner:i}=await import("./shell-runner.js"),t=i(),s=new Set,r=n.config.releaseTagPattern??"{name}@{version}";s.add(r);for(const o of n.packages){const g=n.perPackageConfig.get(o.name)?.releaseTagPattern??r;s.add(g)}for(const o of s){const g=o.replaceAll(/\{(?:name|unscopedName|version|major|minor|patch|date|channel)\}/g,()=>"*"),l=await t.run("git",["tag","--list",g],{cwd:c,silent:!0});if(l.exitCode!==0)continue;const p=l.stdout.split(`
|
|
8
|
+
`).map(v=>v.trim()).filter(Boolean);p.length>0&&e.push(`Found ${p.length} git tag(s) matching "${o}": ${p.slice(0,5).join(", ")}${p.length>5?` (+${p.length-5} more)`:""}.`)}}catch(i){e.push(`Could not scan git tags: ${i.message}.`)}try{const{resolveVersionActionsId:i}=await import("./orchestrator.js").then(s=>s.w),{createVersionActions:t}=await import("../packem_shared/createVersionActions-BK43SNDH.js");for(const s of n.packages){const r=n.perPackageConfig.get(s.name),o=i(s,r??{});let g;try{g=t(o)}catch{continue}let l;try{l=await g.readPublishedVersion.call(g,{perPackageConfig:r,pkg:s,pm:n.pm})}catch{continue}l&&l.length>0&&e.push(`${s.name} is already published at version ${l}.`)}}catch(i){e.push(`Could not probe published versions: ${i.message}.`)}e.length>0?a.push({message:`--first-release is set but the workspace is NOT greenfield: ${e.join(" ")} Remove --first-release and run a normal release, or roll back the existing tags / unpublish before bootstrapping.`,name:"first-release.repo-not-greenfield",severity:"error",status:"fail"}):a.push({message:"Workspace looks greenfield (no matching release tags, no published versions detected). Safe to use --first-release.",name:"first-release.repo-not-greenfield",severity:"info",status:"pass"})}if(n.config.gitlabHost){const{detectRemoteProvider:e}=await import("./detect2.js"),{createShellRunner:i}=await import("./shell-runner.js"),t=await e(c,i(),n.config.provider);t==="gitlab"?a.push({message:`Self-hosted GitLab host configured: ${n.config.gitlabHost}.`,name:"gitlab-host",severity:"info",status:"pass"}):a.push({message:`release.gitlabHost is set ("${n.config.gitlabHost}") but the resolved provider is "${t}". The host will be ignored. Either set release.provider: "gitlab" or remove gitlabHost.`,name:"gitlab-host",severity:"warn",status:"fail"})}if(n.config.githubHost){const{detectRemoteProvider:e}=await import("./detect2.js"),{createShellRunner:i}=await import("./shell-runner.js"),t=await e(c,i(),n.config.provider);t==="github"?await import("node:child_process").then(({execSync:s})=>{try{return s("gh --version",{stdio:"ignore"}),!0}catch{return!1}})?a.push({message:`Self-hosted GitHub Enterprise host configured: ${n.config.githubHost}.`,name:"github-host",severity:"info",status:"pass"}):a.push({message:`release.githubHost is set ("${n.config.githubHost}") but the gh CLI is not on PATH. Install gh and run \`gh auth login --hostname ${n.config.githubHost}\` before releasing.`,name:"github-host",severity:"error",status:"fail"}):a.push({message:`release.githubHost is set ("${n.config.githubHost}") but the resolved provider is "${t}". The host will be ignored. Either set release.provider: "github" or remove githubHost.`,name:"github-host",severity:"warn",status:"fail"})}{const e=await import("node:fs/promises"),i=await import("node:path");let t;for(const s of n.packages){const r=n.perPackageConfig.get(s.name);if(r){if(r.uvLockPath){const o=i.isAbsolute(r.uvLockPath)?r.uvLockPath:i.join(s.dir,r.uvLockPath);try{await e.access(o),a.push({message:`uv.lock present at ${o}.`,name:`uv-lockfile/${s.name}`,severity:"info",status:"pass"})}catch{a.push({message:`${s.name}: configured uvLockPath "${r.uvLockPath}" doesn't exist (expected ${o}). Run \`uv lock\` to generate it, or remove uvLockPath if the lockfile lives elsewhere.`,name:`uv-lockfile/${s.name}`,severity:"warn",status:"fail"})}}if(r.uvWorkspace?.root){const o=i.resolve(s.dir,r.uvWorkspace.root),g=i.relative(o,s.dir).replaceAll("\\","/");switch(t||({checkUvWorkspaceMembership:t}=await import("./registry.js").then(l=>l.g)),await t(o,g)){case"member":{a.push({message:`${s.name} is a member of the uv workspace rooted at ${o}.`,name:`uv-workspace/${s.name}`,severity:"info",status:"pass"});break}case"no-root-pyproject":{a.push({message:`${s.name}: uvWorkspace.root points at ${o} but no pyproject.toml was found there. Verify the path is correct.`,name:`uv-workspace/${s.name}`,severity:"warn",status:"fail"});break}case"no-workspace":{a.push({message:`${s.name}: uvWorkspace.root points at ${o} but that pyproject.toml has no [tool.uv.workspace] block. Add one with a "members" list, or drop the uvWorkspace setting.`,name:`uv-workspace/${s.name}`,severity:"warn",status:"fail"});break}default:a.push({message:`${s.name}: uv workspace root at ${o} has [tool.uv.workspace] but its "members" list doesn't include "${g}". Add the package to members or correct uvWorkspace.root.`,name:`uv-workspace/${s.name}`,severity:"warn",status:"fail"})}}}}}const{execFileSync:w}=await import("node:child_process"),k=(e,i)=>{const t=e.split(".").map(r=>Number.parseInt(r,10)),s=i.split(".").map(r=>Number.parseInt(r,10));for(const[r,o]of s.entries()){const g=t[r]??0;if(g!==(o??0))return g>(o??0)}return!0};{const e=process.versions.node,[i=0,t=0]=e.split(".").map(r=>Number.parseInt(r,10)),s=i===22&&t>=14||i>=24||i===23;a.push({message:`node@${e} (min: 22.14.0 || >=24.10.0)`,name:"node-version",severity:s?"info":"error",status:s?"pass":"fail"})}for(const[e,i,t]of[["git","2.31","git-version"],["gh","2.40","gh-version"]])try{const s=w(e,["--version"],{stdio:["ignore","pipe","ignore"]}).toString(),r=/(\d+\.\d+\.\d+)/.exec(s);if(!r)continue;const o=k(r[1],i);a.push({message:`${e}@${r[1]} (min: ${i})`,name:t,severity:o?"info":e==="git"?"error":"warn",status:o?"pass":"fail"})}catch{}{const e=new Set([n.config.publish?.registry??"https://registry.npmjs.org"]);for(const i of n.packages){const t=n.perPackageConfig.get(i.name)?.registry;t&&e.add(t)}for(const i of e)try{const t=i.replace(/\/+$/,""),s=await fetch(`${t}/-/ping`,{method:"HEAD",signal:AbortSignal.timeout(3e3)});a.push({message:`${i} reachable (HTTP ${s.status}).`,name:"registry-reachable",severity:s.ok||s.status===404?"info":"warn",status:"pass"})}catch(t){a.push({message:`${i} not reachable: ${t.message}. Publishing may fail (or you're offline — this is a warning).`,name:"registry-reachable",severity:"warn",status:"fail"})}}try{const e=w("git",["tag","--list"],{cwd:c,stdio:["ignore","pipe","ignore"]}).toString().split(/\r?\n/).map(s=>s.trim()).filter(Boolean),i=/(?:^|@)\d+\.\d+\.\d+(?:[-+].+)?$/,t=e.filter(s=>!i.test(s)&&!/^v?\d+\.\d+\.\d+/.test(s));a.push({message:e.length===0?"No git tags yet (fresh repo).":`${e.length-t.length}/${e.length} tags parse as a release tag${t.length>0?` (unrecognised: ${t.slice(0,3).join(", ")}${t.length>3?"…":""})`:""}.`,name:"tags-parseable",severity:"warn",status:t.length>0?"fail":"pass"})}catch{}{const{readFile:e}=await import("node:fs/promises"),i=await import("node:path");let t=0,s=0;for(const r of n.packages)try{const o=await e(i.join(r.dir,"CHANGELOG.md"),"utf8");s+=1,/^#{1,2}\s/m.test(o)&&(t+=1)}catch{}s>0&&a.push({message:`${t}/${s} existing CHANGELOG.md file(s) have a recognised heading structure.`,name:"changelog-format",severity:"info",status:t===s?"pass":"fail"})}try{const e=await n.pm.readCatalogYaml(c);if(e){const{parseCatalogs:i}=await import("./registry.js").then(r=>r.f),t=i(e),s=[];for(const r of n.packages)for(const o of["dependencies","devDependencies","peerDependencies","optionalDependencies"]){const g=r.manifest[o];if(!(!g||typeof g!="object"))for(const[l,p]of Object.entries(g)){if(typeof p!="string"||!p.startsWith("catalog:"))continue;const v=p.slice(8)||"default";(v==="default"?t.default?.[l]:t.named?.[v]?.[l])||s.push(`${r.name} → ${l} (${p})`)}}a.push({message:s.length===0?"All catalog: references resolve against pnpm-workspace.yaml.":`${s.length} catalog: reference(s) don't resolve: ${s.slice(0,3).join("; ")}${s.length>3?"…":""}`,name:"catalog-consistency",severity:"warn",status:s.length===0?"pass":"fail"})}}catch{}await $(u,m,a);const C=a.some(e=>e.severity==="error"&&e.status==="fail");process.exitCode=C?1:0},$=async(u,m,h)=>{if(m.json){process.stdout.write(`${JSON.stringify({checks:h},null,2)}
|
|
9
|
+
`);return}for(const c of h){const a=`${c.status==="pass"?"✓":c.status==="fail"?"✗":"—"} [${c.severity}] ${c.name}: ${c.message}`;c.severity==="error"&&c.status==="fail"?u.error(a):c.severity==="warn"&&c.status==="fail"?u.warn(a):u.info(a)}};export{A as default};
|
|
@@ -1,22 +1,75 @@
|
|
|
1
|
-
import{createRequire as
|
|
2
|
-
|
|
3
|
-
`)}
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
`)}
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
`),
|
|
12
|
-
|
|
13
|
-
`)}
|
|
1
|
+
import{createRequire as N}from"node:module";const R=N(import.meta.url),j=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,A=e=>{if(typeof j<"u"&&j.versions&&j.versions.node){const[n,a]=j.versions.node.split(".").map(Number);if(n>22||n===22&&a>=3||n===20&&a>=16)return j.getBuiltinModule(e)}return R(e)},{mkdir:J,readFile:$,writeFile:w,readdir:S,access:M,rm:O}=A("node:fs/promises"),{join:l,relative:v,dirname:P}=A("node:path"),k=async e=>{try{return await M(e),!0}catch{return!1}},_=async e=>await k(l(e,".changeset"))?"changesets":await k(l(e,".bumpy"))?"bumpy":await(async()=>{for(const a of[".releaserc.json",".releaserc.cjs",".releaserc.js"])if(await k(l(e,a)))return!0;const n=[l(e,"packages"),l(e,"apps")];for(;n.length>0;){const a=n.shift();let t;try{t=await S(a,{withFileTypes:!0})}catch{continue}for(const s of t)if(s.isDirectory()){if(s.name==="node_modules"||s.name.startsWith("."))continue;n.push(l(a,s.name))}else if(s.name===".releaserc.json"||s.name===".releaserc.cjs"||s.name===".releaserc.js")return!0;if(n.length>200)break}return!1})()?"semantic-release":"fresh",C=async e=>{const n=[];for(const s of[".releaserc.json",".releaserc.cjs",".releaserc.js"]){const f=l(e,s);await k(f)&&n.push(f)}const a=[l(e,"packages"),l(e,"apps")];let t=0;for(;a.length>0&&t<5e3;){const s=a.shift();t+=1;let f;try{f=await S(s,{withFileTypes:!0})}catch{continue}for(const i of f){const r=l(s,i.name);if(i.isDirectory()){if(i.name==="node_modules"||i.name.startsWith("."))continue;a.push(r)}else(i.name===".releaserc.json"||i.name===".releaserc.cjs"||i.name===".releaserc.js")&&n.push(r)}}return n},F=async e=>{if(!e.endsWith(".json"))return{path:e};try{const n=await $(e,"utf8"),a=JSON.parse(n);return{branches:a.branches,extends:typeof a.extends=="string"?a.extends:void 0,path:e,plugins:Array.isArray(a.plugins)?a.plugins:void 0}}catch{return}},B=e=>Array.isArray(e)?e.map(n=>{if(typeof n=="string")return{name:n};if(typeof n=="object"&&n!==null&&typeof n.name=="string"){const a=n;return{channel:a.channel,name:a.name,prerelease:a.prerelease}}}).filter(n=>n!==void 0):[],T=e=>{const n={};for(const a of e){const t={tag:"latest"};typeof a.prerelease=="string"?(t.prerelease=a.prerelease,t.tag=a.prerelease,t.mode="auto-publish"):a.prerelease===!0?(t.prerelease=a.name,t.tag=a.name,t.mode="auto-publish"):(t.tag=a.channel??(a.name==="main"||a.name==="master"?"latest":a.name),t.mode="version-pr"),n[a.name]=t}return n},z=async({logger:e,options:n,workspaceRoot:a})=>{const t=a??process.cwd(),s=n.dryRun===!0;let f=n.apply===!0;s&&f&&(e.warn("--apply is ignored because --dry-run is set (dry-run takes precedence)."),f=!1);let i;n.fromSemanticRelease?i="semantic-release":n.fromChangesets?i="changesets":n.fromBumpy?i="bumpy":n.fresh?i="fresh":i=await _(t),e.info(`Detected source: ${i}`),e.info("");const r=l(t,".vis","release"),c=".vis/release/.state.json",g=".vis/release/.lock",u=l(t,".gitignore");if(s)e.info(`[dry-run] would create directory: ${r}`),e.info(`[dry-run] would append to .gitignore:
|
|
2
|
+
${c}
|
|
3
|
+
${g}`);else{await J(r,{recursive:!0}),e.info(`Created ${v(t,r)}/`);try{const p=await $(u,"utf8"),h=[];p.includes(c)||h.push(c),p.includes(g)||h.push(g),h.length>0&&(await w(u,`${p.replace(/\n*$/,`
|
|
4
|
+
`)}
|
|
5
|
+
# vis release subsystem
|
|
6
|
+
${h.join(`
|
|
7
|
+
`)}
|
|
8
|
+
`),e.info("Updated .gitignore."))}catch{await w(u,`# vis release subsystem
|
|
9
|
+
${c}
|
|
10
|
+
${g}
|
|
11
|
+
`),e.info("Created .gitignore.")}}const o=".vis/release/**",d=l(t,".secretlintignore");if(s)e.info(`[dry-run] would add to .secretlintignore:
|
|
12
|
+
${o}`);else try{const p=await $(d,"utf8");p.includes(o)||(await w(d,`${p.replace(/\n*$/,`
|
|
13
|
+
`)}
|
|
14
|
+
# vis release change files (author handles false-positive secretlint)
|
|
15
|
+
${o}
|
|
16
|
+
`),e.info("Updated .secretlintignore."))}catch{await w(d,`# vis release change files (author handles false-positive secretlint)
|
|
17
|
+
${o}
|
|
18
|
+
`),e.info("Created .secretlintignore.")}switch(i){case"bumpy":{await U(t,s,e);break}case"changesets":{await E(t,s,e);break}case"semantic-release":{await D(t,s,f,e);break}default:V(e)}await q(t,s,n.yes===!0,e),await G(t,s,n,e),e.info(""),e.info("Next steps:"),e.info(" 1. Add the `release: { ... }` block above to your vis.config.ts"),e.info(" 2. Author your first change file: vis release add"),e.info(" 3. Preview the plan: vis release status"),e.info(" 4. Apply: vis release version --dry-run")},D=async(e,n,a,t)=>{const s=await C(e);if(t.info(`Found ${s.length} .releaserc file(s).`),s.length===0)return;let f=[],i=0;for(const o of s){const d=await F(o);d&&(d.branches&&(f=[...f,...B(d.branches)]),d.plugins?.some(p=>typeof p=="string"&&p.includes("native-addons"))&&(i+=1),d.plugins?.some(p=>Array.isArray(p)&&typeof p[0]=="string"&&p[0].includes("native-addons"))&&(i+=1))}const r=new Set,c=f.filter(o=>r.has(o.name)?!1:(r.add(o.name),!0)),g=c.length>0?T(c):{alpha:{mode:"auto-publish",prerelease:"alpha",tag:"alpha"},main:{mode:"version-pr",tag:"latest"}};t.info(""),t.info("Suggested vis.config.ts release block (paste into your existing config):"),t.info("");const u=` release: {
|
|
19
|
+
baseBranch: "main",
|
|
20
|
+
defaultManaged: false, // flip to true after Phase 6
|
|
21
|
+
channels: {
|
|
22
|
+
${Object.entries(g).map(([o,d])=>` ${JSON.stringify(o)}: ${JSON.stringify(d)},`).join(`
|
|
23
|
+
`)}
|
|
24
|
+
},
|
|
25
|
+
publish: {
|
|
26
|
+
packManager: "auto",
|
|
27
|
+
publishStrategy: "npm-publish-tarball",
|
|
28
|
+
publishArgs: ["--provenance"],
|
|
29
|
+
protocolResolution: "pack",
|
|
30
|
+
catalogResolution: "auto",
|
|
31
|
+
cleanPackageJson: true,
|
|
32
|
+
},
|
|
33
|
+
gitUser: { name: "release-bot", email: "release-bot@example.com" },
|
|
34
|
+
},`;if(t.info(u),t.info(""),i>0&&(t.info(`Found ${i} package(s) using a NAPI native-addons plugin.`),t.info("These will auto-detect via the `napi` field in package.json — no config needed."),t.info("")),t.info("Migration is per-package opt-in (RFC §17.1). For each package you want to migrate:"),t.info(' 1. Add to its package.json: "vis-release": { "managed": true }'),t.info(" 2. Backfill any missing git tags so already-published detection works."),t.info(" 3. Add to multi-semantic-release's --ignore-packages list in your release workflow."),t.info(""),!a){t.info("Existing .releaserc.json files are kept in place during transition (deleted in Phase 6)."),t.info("Re-run with `--apply` to perform the writes automatically.");return}t.info(""),t.info("Applying migration writes (--apply set)…"),await I(e,s,u,t),t.info(""),t.info("Migration writes complete. Follow-up steps you still need to do manually:"),t.info(" - Update your CI workflow: remove `multi-semantic-release` step, add `vis release ci/release` step (see `.github/workflows/vis-release.yml` example in the vis package)"),t.info(" - Run `pnpm install` to drop semantic-release deps once you remove them from root package.json"),t.info(" - Run `vis release doctor` to verify the migration")},I=async(e,n,a,t)=>{const s=l(e,"vis.config.ts"),f=await $(s,"utf8").catch(()=>{});if(f===void 0){const i=`import { defineConfig } from "@visulima/vis/config";
|
|
14
35
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
`)
|
|
19
|
-
`)
|
|
20
|
-
|
|
21
|
-
`);const
|
|
22
|
-
|
|
36
|
+
export default defineConfig({
|
|
37
|
+
${a}
|
|
38
|
+
});
|
|
39
|
+
`;await w(s,i),t.info(` wrote ${v(e,s)}`)}else if(/\brelease\s*:/.test(f))t.warn(` skipped ${v(e,s)} — already has a \`release\` key; merge the suggested block manually.`);else{const i=W(f,a);i===void 0?t.warn(` skipped ${v(e,s)} — could not locate \`defineConfig({\` or \`export default {\` to inject into; merge the suggested block manually.`):(await w(s,i),t.info(` updated ${v(e,s)} (injected release block)`))}for(const i of n){const r=P(i),c=l(r,"package.json");if(!await k(c))continue;const g=await $(c,"utf8");let u;try{u=JSON.parse(g)}catch{t.warn(` skipped ${v(e,c)} — invalid JSON.`);continue}const o=u["vis-release"];if(o!==null&&typeof o=="object"&&o.managed===!0)continue;const d=o!==null&&typeof o=="object"?{...o,managed:!0}:{managed:!0};u["vis-release"]=d,await w(c,`${JSON.stringify(u,void 0,4)}
|
|
40
|
+
`),t.info(` updated ${v(e,c)} (added vis-release.managed = true)`)}for(const i of n)await O(i,{force:!0}),t.info(` deleted ${v(e,i)}`)},W=(e,n)=>{const a=/defineConfig\s*\(\s*\{/.exec(e);if(a!==null){const s=a.index+a[0].length;return`${e.slice(0,s)}
|
|
41
|
+
${n}
|
|
42
|
+
${e.slice(s)}`}const t=/export\s+default\s+\{/.exec(e);if(t!==null){const s=t.index+t[0].length;return`${e.slice(0,s)}
|
|
43
|
+
${n}
|
|
44
|
+
${e.slice(s)}`}},E=async(e,n,a)=>{const t=l(e,".changeset"),s=l(t,"config.json"),f=l(t,"pre.json");if(await k(f)){a.error("Pre-release mode is active in changesets (.changeset/pre.json exists)."),a.error("Run `changeset pre exit && changeset version` to consume pending changes, then re-run `vis release init`."),process.exitCode=1;return}let i={};try{i=JSON.parse(await $(s,"utf8"))}catch{a.warn(".changeset/config.json missing or unreadable; using defaults.")}const r={access:i.access==="restricted"?"restricted":"public",baseBranch:typeof i.baseBranch=="string"?i.baseBranch:"main",defaultManaged:!0,fixed:Array.isArray(i.fixed)?i.fixed:[],ignore:Array.isArray(i.ignore)?i.ignore:[],linked:Array.isArray(i.linked)?i.linked:[],privatePackages:i.privatePackages??{tag:!1,version:!1},updateInternalDependencies:i.updateInternalDependencies??"out-of-range"},c=i.changelog,g=typeof c=="string"?c:Array.isArray(c)&&typeof c[0]=="string"?c[0]:void 0;let u;c===!1?u="false":g?.includes("@changesets/changelog-github")?u='"github"':(g?.includes("@changesets/cli"),u='"default"');const o=[];let d=0;try{const p=await S(t);for(const h of p)!h.endsWith(".md")||h==="README.md"||o.push(h)}catch{}if(o.length>0){const p=l(e,".vis","release");let h=0;for(const b of o){const m=l(t,b),y=l(p,b);if(n){a.info(`[dry-run] would copy ${m} → ${y}`);continue}if(await k(y)){a.info(`Skipping existing ${v(e,y)}.`),h+=1;continue}const x=await $(m,"utf8");await w(y,x),d+=1}h>0&&a.info(`Skipped ${h} file(s) that already exist in .vis/release/.`)}a.info(`Found ${o.length} pending .changeset/*.md file(s); ${d>0?`copied ${d} to .vis/release/`:"(dry-run — would copy)"}.`),a.info(""),a.info("Suggested vis.config.ts release block:"),a.info(""),a.info(` release: {
|
|
45
|
+
baseBranch: ${JSON.stringify(r.baseBranch)},
|
|
46
|
+
access: ${JSON.stringify(r.access)},
|
|
47
|
+
defaultManaged: ${r.defaultManaged},
|
|
48
|
+
updateInternalDependencies: ${JSON.stringify(r.updateInternalDependencies)},
|
|
49
|
+
fixed: ${JSON.stringify(r.fixed)},
|
|
50
|
+
linked: ${JSON.stringify(r.linked)},
|
|
51
|
+
ignore: ${JSON.stringify(r.ignore)},
|
|
52
|
+
privatePackages: ${JSON.stringify(r.privatePackages)},
|
|
53
|
+
changelog: ${u},
|
|
54
|
+
publish: {
|
|
55
|
+
packManager: "auto",
|
|
56
|
+
publishStrategy: "npm-publish-tarball",
|
|
57
|
+
cleanPackageJson: true,
|
|
58
|
+
},
|
|
59
|
+
},`),a.info(""),a.info("After confirming the config, you can delete `.changeset/` (or run `vis release init --remove-changesets`).")},U=async(e,n,a)=>{const t=l(e,".bumpy"),s=l(t,"_config.json");let f={};try{f=JSON.parse(await $(s,"utf8"))}catch{a.warn(".bumpy/_config.json missing or unreadable; using defaults.")}const i=JSON.stringify(f,null,4).split(`
|
|
60
|
+
`).map(g=>` ${g}`).join(`
|
|
61
|
+
`),r=[];let c=0;try{const g=await S(t);for(const u of g)!u.endsWith(".md")||u==="README.md"||r.push(u)}catch{}if(r.length>0){const g=l(e,".vis","release");let u=0;for(const o of r){const d=l(t,o),p=l(g,o);if(n){a.info(`[dry-run] would copy ${d} → ${p}`);continue}if(await k(p)){a.info(`Skipping existing ${v(e,p)}.`),u+=1;continue}const h=await $(d,"utf8");await w(p,h),c+=1}u>0&&a.info(`Skipped ${u} file(s) that already exist in .vis/release/.`)}a.info(`Found ${r.length} pending .bumpy/*.md file(s); ${c>0?`copied ${c} to .vis/release/`:"(dry-run)"}.`),a.info(""),a.info("Suggested vis.config.ts release block (bumpy config translates 1:1):"),a.info(""),a.info(` release: ${i.trimStart()},`),a.info(""),a.info("After confirming, delete `.bumpy/`.")},q=async(e,n,a,t)=>{const s=l(e,".husky","pre-commit");if(!await k(s))return;const f=await $(s,"utf8").catch(()=>"");if(f.includes("vis release check"))return;const i="vis release check --hook pre-commit --no-fail";if(!await(async()=>{if(!process.stdout.isTTY||process.env.CI==="true")return!1;if(a)return!0;try{const{confirmPrompt:c}=await import("./prompts.js");return await c(`Wire \`${i}\` into your .husky/pre-commit hook?`,!0)}catch{return!1}})()){t.info(""),t.info("Optional: add this line to .husky/pre-commit:"),t.info(` ${i}`);return}if(n){t.info(`[dry-run] would append \`${i}\` to .husky/pre-commit`);return}const r=`${f.replace(/\n*$/,`
|
|
62
|
+
`)}${i}
|
|
63
|
+
`;await w(s,r),t.info("Wired vis release check into .husky/pre-commit.")},G=async(e,n,a,t)=>{const s=a.workflows===!0,f=a.yes===!0;if(!s&&(!process.stdout.isTTY||process.env.CI==="true"))return;if(!(s||f||await(async()=>{try{const{confirmPrompt:m}=await import("./prompts.js");return await m("Generate CI workflow files for the active provider?",!0)}catch{return!1}})())){t.info(""),t.info("Skipped workflow generation. Re-run with `vis release init --workflows` later.");return}const{detectRemoteProvider:i}=await import("./detect2.js"),{generateWorkflowFiles:r}=await import("./workflow-templates.js"),{detectPackageManager:c}=await import("../packem_shared/createAdapter-bU4DIP3F.js"),{createShellRunner:g}=await import("./shell-runner.js"),u=g(),o=await i(e,u,void 0),d=await c(e,u),p=a.packageManager??d;let h={};try{const{loadVisConfig:m}=await import("../packem_shared/CONFIG_FILES-BfaR0jKT.js"),y=await m(e);y.release&&(h=y.release)}catch{}const b=r(h,{packageManager:p,provider:o});t.info(""),t.info(`Generating ${b.length} workflow file(s) for ${o}:`);for(const m of b){const y=l(e,m.path);if(await k(y)){t.warn(` ${m.path} — already exists, skipping`);continue}if(n){t.info(` ${m.path} — [dry-run] would write ${m.content.length} bytes`);continue}const x=await import("node:path");await J(x.dirname(y),{recursive:!0}),await w(y,m.content),t.info(` ${m.path} — wrote ${m.content.length} bytes`)}},V=e=>{e.info(""),e.info("Suggested vis.config.ts release block:"),e.info(""),e.info(` release: {
|
|
64
|
+
baseBranch: "main",
|
|
65
|
+
defaultManaged: true,
|
|
66
|
+
channels: {
|
|
67
|
+
main: { tag: "latest", mode: "version-pr" },
|
|
68
|
+
},
|
|
69
|
+
publish: {
|
|
70
|
+
packManager: "auto",
|
|
71
|
+
publishStrategy: "npm-publish-tarball",
|
|
72
|
+
publishArgs: ["--provenance"],
|
|
73
|
+
cleanPackageJson: true,
|
|
74
|
+
},
|
|
75
|
+
},`)};export{z as default};
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import{createRequire as b}from"node:module";import{h as _,k as O,
|
|
1
|
+
import{createRequire as b}from"node:module";import{h as _,k as O,d as j}from"./bin.js";import{w as E}from"../packem_shared/pm-runner-OGResYrA.js";import{l as R}from"../packem_shared/dependency-scan-anTuZB1t.js";import{r as I}from"../packem_shared/provenance-_CJjMKwu.js";import{r as P}from"../packem_shared/signatures-C730vkyK.js";import{loadOptionalSigstore as C}from"./loader.js";const N=b(import.meta.url),u=typeof globalThis<"u"&&typeof globalThis.process<"u"?globalThis.process:process,$=r=>{if(typeof u<"u"&&u.versions&&u.versions.node){const[o,t]=u.versions.node.split(".").map(Number);if(o>22||o===22&&t>=3||o===20&&t>=16)return u.getBuiltinModule(r)}return N(r)},{createHash:S}=$("node:crypto"),{isAbsolute:k,resolve:y,basename:v}=$("node:path"),T=r=>(r??"").split(",").map(o=>o.trim()).filter(o=>o.length>0),K=async({logger:r,options:o,workspaceRoot:t})=>{if(!t)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");const i=o.format??"table",c=o.prodOnly??!1,p=o.failOn==="error"?"error":"warning",l=T(o.allowlist),a=E(t),d=R(t,a.name,{includeDev:!c}).map(({name:e,version:n})=>({name:e,version:n})),[m,g]=await Promise.all([I(d,{allowlist:l,workspaceRoot:t}),P(d,{allowlist:l,workspaceRoot:t})]),s=[...m.map(e=>({code:"provenance-regression",message:`Resolved ${e.packageName}@${e.version} has no published provenance attestation, but ${e.packageName}@${e.priorVersionWithProvenance} did — a provenance regression.`,packageName:e.packageName,severity:"warning",version:e.version})),...g.map(e=>({code:e.code,message:e.message,packageName:e.packageName,severity:e.severity,version:e.version}))],f=s.filter(e=>p==="error"?e.severity==="error":!0);if(i==="json")process.stdout.write(`${JSON.stringify({findings:s,ok:f.length===0},void 0,2)}
|
|
2
2
|
`);else if(i==="ndjson")for(const e of s)process.stdout.write(`${JSON.stringify(e)}
|
|
3
3
|
`);else if(s.length===0)r.info(`No provenance regressions or signature problems across ${String(d.length)} locked packages.`);else{const e=process.stdout.columns||80;r.info(_(O.createElement(j,{data:s.map(n=>({code:n.code,package:`${n.packageName}@${n.version}`,severity:n.severity}))}),{columns:e}));for(const n of s)r.warn(`${n.packageName}@${n.version}: ${n.message}`)}f.length>0&&(process.exitCode=1)},D=()=>process.env.CI==="true"||typeof process.env.ACTIONS_ID_TOKEN_REQUEST_URL=="string"||typeof process.env.SIGSTORE_ID_TOKEN=="string",q=(r,o,t)=>({_type:"https://in-toto.io/Statement/v1",predicate:{buildDefinition:{buildType:"https://visulima.com/vis/attest/v1",externalParameters:{workspaceRoot:t},internalParameters:{},resolvedDependencies:[]},runDetails:{builder:{id:"https://visulima.com/vis"},metadata:{invocationId:process.env.GITHUB_RUN_ID??"",startedOn:new Date().toISOString()}}},predicateType:"https://slsa.dev/provenance/v1",subject:[{digest:{sha256:o},name:r}]}),G=async({argument:r,fs:o,logger:t,options:i,workspaceRoot:c})=>{if(!c)throw new Error("Could not determine workspace root. Run this command inside a monorepo.");const p=r[0];if(!p)throw new Error("Missing subject. Usage: vis attest <path-to-artifact>");const l=i.predicate??"slsaProvenance";if(l!=="slsaProvenance")throw new Error(`Unsupported predicate '${l}'. Only 'slsaProvenance' is supported.`);const a=k(p)?p:y(c,p),d=i.requireSigning??!1,m=i.format??"table";let g;try{g=await o.readFile(a)}catch{throw new Error(`Cannot read subject artifact at ${a}.`)}const s=S("sha256").update(g).digest("hex");if(!D()){const h="No ambient OIDC token (not running in CI). Keyless signing needs a Fulcio identity from CI OIDC.";if(d)throw new Error(`${h} Re-run in CI or drop --require-signing.`);if(m==="json"){process.stdout.write(`${JSON.stringify({ok:!1,reason:"no-ambient-oidc",sha256:s,skipped:!0,subject:v(a)},void 0,2)}
|
|
4
4
|
`);return}t.warn(`${h} Skipping signing (subject sha256: ${s}). Pass --require-signing to make this fatal.`);return}const f=q(v(a),s,c),e=Buffer.from(JSON.stringify(f)),n=await(await C({workspaceRoot:c})).attest(e,"application/vnd.in-toto+json"),w=i.output?k(i.output)?i.output:y(c,i.output):`${a}.sigstore`;if(await o.writeFile(w,`${JSON.stringify(n,void 0,2)}
|
|
@@ -1,61 +1,5 @@
|
|
|
1
|
-
import{
|
|
2
|
-
`),
|
|
3
|
-
`)}
|
|
4
|
-
|
|
5
|
-
`}
|
|
6
|
-
`},Z=["**/CODEOWNERS"],ee=["**/node_modules/**","**/dist/**","**/build/**","**/coverage/**","**/.git/**","**/.next/**","**/.nuxt/**"],te=e=>{const t=[];for(const o of e.split(/\r?\n/u)){const s=o.indexOf("#"),n=(s===-1?o:o.slice(0,s)).trim();if(n.length===0)continue;const r=n.split(/\s+/u);if(r.length<2)continue;const[i,...a]=r,c=a.filter(f=>f.length>0);!i||c.length===0||t.push({owners:c,path:i})}return t},oe=(e,t)=>{const o=t.replace(/^\.\/?/,"").replace(/\/$/,"");return e.startsWith("/")?o===""?e:`/${o}${e}`:o===""?`/${e}`:`/${o}/${e}`},ne=async(e,t,o)=>{const s=t&&t.length>0?[...t]:[...Z],n=[...ee];if(o){const a=o.replace(/^\.\/?/,"").replace(/^\/+/,"");a.length>0&&n.push(a)}const r=await H(s,{absolute:!0,cwd:e,ignore:n}),i=[];for(const a of r){let c;try{c=F(a)}catch{continue}const f=P(a),h=S(e,f);for(const p of te(c))i.push({owners:p.owners,path:oe(p.path,h)})}return i},re=/^(?:https?:\/\/)?(?:www\.)?github\.com\/([^/?#]+)/iu,se=e=>{if(!e)return;const t=e.match(re);if(!t?.[1])return;const o=t[1].trim();if(!(o===""||o.includes(" ")))return`@${o.replace(/^@/,"")}`},ae=(e,t)=>{const o=[];for(const[s,n]of Object.entries(e.projects)){if(n.owners&&n.owners.length>0)continue;const r=n.root??s,i=b(t,r,"package.json"),a=C(i);if(!a)continue;const c=B(a.maintainers);if(!c||c.length===0)continue;const f=[],h=new Set;for(const p of c){const $=se(p.url);$&&!h.has($)&&(h.add($),f.push($))}f.length!==0&&o.push({owners:f,path:r===""||r==="."?"/":`/${r}/`,projectId:s})}return o},ie=["author","bugs","homepage","license","repository","engines"],N=e=>typeof e=="object"&&e!==null&&!Array.isArray(e),E=(e,t)=>{if(e===t)return!0;if(typeof e!=typeof t||e===null||t===null)return!1;if(Array.isArray(e)){if(!Array.isArray(t)||e.length!==t.length)return!1;for(const[o,s]of e.entries())if(!E(s,t[o]))return!1;return!0}if(typeof e=="object"&&typeof t=="object"){const o=Object.keys(e),s=Object.keys(t);if(o.length!==s.length)return!1;for(const n of o)if(!E(e[n],t[n]))return!1;return!0}return!1},R=e=>e===void 0?e:structuredClone(e),ce=(e,t,o)=>{if(e==="repository"&&N(t)&&N(o)){const s={};for(const[n,r]of Object.entries(t))n!=="directory"&&(s[n]=R(r));return typeof o.directory=="string"&&(s.directory=o.directory),s}return R(t)},de=(e,t,o)=>{const s=[];for(const n of o.fields){if(!Object.hasOwn(e,n))continue;const r=e[n],i=t[n],a=ce(n,r,i);E(a,i)||s.push({after:a,before:i,field:n,packageJsonPath:""})}return s},fe=(e,t)=>{for(const o of t)e[o.field]=o.after},x="Generated by `vis sync codeowners --write-guard`. Do not edit by hand.",le=e=>{const t=e.replace(/^\.?\/+/u,"").replace(/\/+$/u,"");return t===""||t==="."?"**":`${t}/**`},L=e=>{const t=new Set,o=[];for(const s of[...e].sort((n,r)=>n.name.localeCompare(r.name))){const n=le(s.root);t.has(n)||(t.add(n),o.push(n))}return o},pe=e=>{const t=L(e),o=t.map(n=>` - "${n}"`).join(`
|
|
7
|
-
`),s=t.map(n=>` ${n}`).join(`
|
|
8
|
-
`);return`# ${x}
|
|
9
|
-
name: Write Guard
|
|
10
|
-
|
|
11
|
-
on:
|
|
12
|
-
pull_request:
|
|
13
|
-
paths:
|
|
14
|
-
${o}
|
|
15
|
-
|
|
16
|
-
permissions:
|
|
17
|
-
contents: read
|
|
18
|
-
pull-requests: read
|
|
19
|
-
|
|
20
|
-
jobs:
|
|
21
|
-
write-guard:
|
|
22
|
-
runs-on: ubuntu-latest
|
|
23
|
-
steps:
|
|
24
|
-
- uses: actions/checkout@v4
|
|
25
|
-
with:
|
|
26
|
-
fetch-depth: 0
|
|
27
|
-
- uses: geritol/write-guard@v1
|
|
28
|
-
with:
|
|
29
|
-
codeowners: CODEOWNERS
|
|
30
|
-
paths: |
|
|
31
|
-
${s}
|
|
32
|
-
`},ue=e=>{const t=L(e).map(o=>` - "${o}/*"`).join(`
|
|
33
|
-
`);return`# ${x}
|
|
34
|
-
#
|
|
35
|
-
# SOFT GUARD ONLY — this job does NOT block a merge by itself.
|
|
36
|
-
# It verifies the generated CODEOWNERS is in sync and flags that a
|
|
37
|
-
# restricted path changed. GitLab CI cannot portably gate a merge on
|
|
38
|
-
# code-owner *approval* from a job, so REAL ENFORCEMENT REQUIRES the
|
|
39
|
-
# native GitLab setting:
|
|
40
|
-
# Settings -> Repository -> Protected branches ->
|
|
41
|
-
# "Require approval from Code Owners" (GitLab Premium / Ultimate)
|
|
42
|
-
# https://docs.gitlab.com/ee/user/project/codeowners/
|
|
43
|
-
# Without that setting enabled, this job is advisory only.
|
|
44
|
-
write-guard:
|
|
45
|
-
stage: test
|
|
46
|
-
image: node:22-alpine
|
|
47
|
-
rules:
|
|
48
|
-
- if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
|
|
49
|
-
changes:
|
|
50
|
-
${t}
|
|
51
|
-
script:
|
|
52
|
-
- corepack enable
|
|
53
|
-
- pnpm install --frozen-lockfile
|
|
54
|
-
- pnpm vis sync codeowners --check
|
|
55
|
-
- >-
|
|
56
|
-
echo "SOFT GUARD: a restricted path changed. This job does NOT enforce
|
|
57
|
-
code-owner approval. Enable 'Require approval from Code Owners' on the
|
|
58
|
-
protected branch (GitLab Premium/Ultimate) for a real merge gate:
|
|
59
|
-
https://docs.gitlab.com/ee/user/project/codeowners/"
|
|
60
|
-
`},he=e=>e.length===0?[]:[{content:pe(e),path:".github/workflows/write-guard.yml"},{content:ue(e),path:".gitlab/write-guard.gitlab-ci.yml"}],D=new Set(["nested-codeowners","package-json-maintainers","project-json"]),A=(e,t,o)=>{const s=new Set,n=[];for(const r of e??[])for(const i of r.split(",")){const a=i.trim();if(a.length===0)continue;if(o&&!o(a))throw new Error(`Unknown codeowners source: "${a}". Known: ${[...D].join(", ")}.`);const c=a;s.has(c)||(s.add(c),n.push(c))}return n.length>0?n:[...t]},ge=e=>D.has(e),G=["codeowners","package-json-fields"],me=(e,t)=>t.some(o=>_(o,e)),we=async(e,t,o,s,n)=>{const r=Object.entries(s.projects).filter(([,a])=>a.restricted===!0).map(([a,c])=>({name:a,root:c.root??a})),i=he(r);if(i.length===0){t.info("No projects flagged `restricted: true` in project.json. Skipping Write Guard.");return}if(n){let a=!1;for(const c of i){const f=b(o,c.path);let h="";try{h=await e.readFile(f,"utf8")}catch(p){if(p.code!=="ENOENT")throw p}h.trim()!==c.content.trim()&&(t.error(`${c.path} is out of date. Run \`vis sync codeowners --write-guard\` to update it.`),a=!0)}a?process.exitCode=1:t.info(`Write Guard CI is up to date (${i.length} files, ${r.length} restricted projects).`);return}for(const a of i){const c=b(o,a.path);T(P(c)),I(c,a.content),t.info(`Wrote ${a.path}`)}t.info(`Write Guard CI scoped to ${r.length} restricted project${r.length===1?"":"s"}.`)},$e=async({fs:e,logger:t,options:o,visConfig:s,workspaceRoot:n})=>{const r=n,{workspace:i}=M(r,s),a=s?.codeowners;o.writeGuard===!0&&await we(e,t,r,i,o.check===!0);const c=A(o.from,a?.sources??["project-json"],ge),f=o.regenerationCommand??a?.regenerationCommand,h=o.preserveBlock===!0||a?.preserveBlock===!0,p=a?.blockMarker??O,$=o.nestedIncludes??a?.nestedIncludes,g=o.out??"CODEOWNERS",w=[];if(c.includes("nested-codeowners")){const m=await ne(r,$,g);for(const j of m)w.push({...j,source:"nested"})}if(c.includes("package-json-maintainers")){const m=ae(i,r);for(const j of m)w.push({...j,source:"maintainers"})}const l=c.includes("project-json")?v(i,a,w):v({projects:{}},a,w);if(l.length===0){t.info("No `owners` entries found in any source. Nothing to sync.");return}const y=b(r,g);let d="";try{d=await e.readFile(y,"utf8")}catch(m){if(m.code!=="ENOENT")throw m}const u={regenerationCommand:f},k=h?X(d,V(l,p,u),p):Q(l,u);if(o.check){if(d.trim()!==k.trim()){t.error(`${y} is out of date. Run \`vis sync codeowners\` to update it.`),process.exitCode=1;return}t.info(`${y} is up to date.`);return}I(y,k),t.info(`Wrote ${l.length} entries to ${y}`)},ke=({logger:e,options:t,visConfig:o,workspaceRoot:s})=>{const n=s,r=o?.editorconfig??!0,i=C(b(n,"package.json"));if(!i){e.error("Could not read root package.json. Nothing to sync."),process.exitCode=1;return}const a=A(t.fields,ie),c=t.ignorePackageName??[],f=t.check===!0,h=(t.format??"human").toLowerCase(),p=t.quiet===!0,$=J(n).filter(d=>d!=="."),g=[];let w=0;for(const d of $){const u=b(n,d,"package.json"),k=C(u);if(!k)continue;const m=typeof k.name=="string"?k.name:void 0;if(m!==void 0&&c.length>0&&me(m,c))continue;w+=1;const j=de(i,k,{fields:a});j.length!==0&&g.push({filePath:u,packageJsonPath:S(n,u),packageName:m,pkg:k,pkgChanges:j})}if(!f)for(const d of g)fe(d.pkg,d.pkgChanges),U(d.filePath,d.pkg,{indent:q(d.filePath,{useEditorconfig:r}),overwrite:!0});const l=g.flatMap(d=>d.pkgChanges.map(u=>({after:u.after,before:u.before,field:u.field,packageJsonPath:d.packageJsonPath,packageName:d.packageName}))),y={changes:l,fields:a,kind:"package-json-fields",mode:f?"check":"write",totalChanges:l.length,totalPackages:w};if(h==="json")process.stdout.write(`${JSON.stringify(y,null,4)}
|
|
61
|
-
`);else if(l.length===0)e.info(`All ${w} package${w===1?"":"s"} in sync (fields: ${a.join(", ")}).`);else if(f){if(!p)for(const d of l)e.error(`${d.packageJsonPath}: ${d.field} drifts from root`);e.error(`Found ${l.length} field drift${l.length===1?"":"s"} across ${g.length} package${g.length===1?"":"s"}. Run \`vis sync package-json-fields\` to fix.`)}else{if(!p)for(const d of g)e.info(`${d.packageJsonPath}: synced ${d.pkgChanges.map(u=>u.field).join(", ")}`);e.info(`Synced ${l.length} field${l.length===1?"":"s"} across ${g.length} package${g.length===1?"":"s"}.`)}f&&l.length>0&&(process.exitCode=1)},Oe=async e=>{const t=e.argument[0];if(!t)throw new Error(`Missing sync kind. Usage: vis sync <kind> (known kinds: ${G.join(", ")})`);if(!e.workspaceRoot)throw new Error("Could not determine workspace root. Run inside a monorepo.");if(t==="codeowners"){await $e(e);return}if(t==="package-json-fields"){ke(e);return}throw new Error(`Unknown sync kind: "${t}". Known kinds: ${G.join(", ")}.`)};export{Oe as default};
|
|
1
|
+
import{b as d}from"./orchestrator.js";const k=async({logger:c,options:o,workspaceRoot:p})=>{const l=p??process.cwd(),t=await d({channel:o.channel,cwd:l,firstRelease:o.firstRelease===!0,skipRegistryLookup:!0}),{printConfigIfRequested:f}=await import("./print-config.js");if(f(o,t,c))return;const s=o.package,i=s?t.plan.releases.filter(e=>e.name===s):t.plan.releases;if(i.length===0){if(s!==void 0&&s!==""){const e=new Set(t.plan.releases.map(a=>a.name)).has(s),r=t.packages.some(a=>a.name===s);let n;if(e)n=`release plan unexpectedly empty for "${s}"`;else if(r)n=`package "${s}" is in the workspace but has no pending release (no change file targets it).`;else{const a=t.packages.slice(0,5).map(u=>u.name).join(", "),m=a?` Known workspace packages: ${a}${t.packages.length>5?", …":""}.`:"";n=`package "${s}" is not in this workspace.${m}`}c.error(`--package filter matched no releases: ${n}`),o.json&&process.stdout.write(`${JSON.stringify({error:n},null,2)}
|
|
2
|
+
`),process.exitCode=1;return}o.json&&process.stdout.write(`{}
|
|
3
|
+
`);return}if(o.json){const e={};for(const r of i)e[r.name]={from:r.oldVersion,to:r.newVersion};process.stdout.write(`${JSON.stringify(e,null,2)}
|
|
4
|
+
`);return}const g=[...i].sort((e,r)=>e.name.localeCompare(r.name));for(const e of g)process.stdout.write(`${e.name} ${e.oldVersion} -> ${e.newVersion}
|
|
5
|
+
`)};export{k as default};
|