@vv0rkz/js-template 1.8.4 → 1.10.0

package/README.md

@@ -58,10 +58,33 @@ export default {
       formats: ['gif', 'png'],       // допустимые форматы
       style: 'click',                // 'click' | 'side-by-side'
     },
+    // Pre-run хук: перед каждой jst-командой сравнивает теги ↔ Releases ↔
+    // демо ↔ README и выводит предупреждения (не блокирует команду).
+    audit: {
+      enable: true,
+      warnOnly: true,
+    },
   },
 
   // Автообновление зависимостей
-  depUpdater: false,                 // 'dependabot' | 'renovate' | false
+  // Короткая форма: 'dependabot' | 'renovate' | false
+  // Расширенная (только dependabot):
+  //   { type: 'dependabot', ignoreMajor: true, autoMerge: { patch: true, minor: true } }
+  depUpdater: false,
+
+  // CI workflow (.github/workflows/ci.yml)
+  ci: {
+    enable: false,                   // включить генерацию ci.yml
+    checks: ['lint', 'test'],        // имена job-ов = имена npm-скриптов
+    nodeVersion: '20',
+  },
+
+  // Branch protection (через gh api)
+  branchProtection: {
+    enable: false,
+    requiredChecks: [],              // должны совпадать с ci.checks
+    enforceAdmins: false,
+  },
 }
 ```
 
@@ -74,8 +97,10 @@ export default {
 | `release.*` | На следующем `jst release` |
 | `labels` | После `jst setup-labels` или `jst apply` |
 | `depUpdater` | После `jst setup-deps` или `jst apply` |
+| `ci.*` | После `jst setup-ci` или `jst apply` |
+| `branchProtection.*` | После `jst setup-branch-protection` (вручную) |
 
-Короткий путь — `jst apply` применит labels + deps за раз.
+Короткий путь — `jst apply` применит labels + deps + ci за раз. Branch protection требует admin-прав и запускается отдельно.
 
 ## Команды
 
@@ -91,9 +116,15 @@ npx jst <команда>       # напрямую
 |---|---|
 | `init` | Инициализация нового проекта |
 | `upgrade` | Обновить конфиги после `npm update` |
-| `apply` | Применить изменения из `jst.config.js` |
+| `apply` | Применить изменения из `jst.config.js` (labels + deps + ci) |
 | `setup-labels` | Настроить GitHub labels |
-| `setup-deps` | Настроить dependabot/renovate |
+| `setup-deps` | Настроить dependabot/renovate (+ auto-merge workflow) |
+| `setup-ci` | Сгенерировать `.github/workflows/ci.yml` |
+| `setup-branch-protection` | Настроить защиту главной ветки через `gh api` |
+| `audit` | Проверить теги/Releases/демо/README на пробелы |
+| `fix-releases` | Создать GitHub Release для тегов без Release |
+
+> Audit запускается автоматически перед каждой `jst`-командой (кроме `init`, `upgrade`, `audit`, `fix-releases`). Отключить разово — флагом `--no-audit`: `jst --no-audit create-task "..."`. Полностью — в `jst.config.js`: `release.audit.enable = false`.
 
 ### Разработка
 

package/bin/cli.js

@@ -7,6 +7,13 @@ import { fileURLToPath } from 'url'
 const __dirname = dirname(fileURLToPath(import.meta.url))
 const toolsDir = join(__dirname, '../tools-gh')
 
+// Strip the global `--no-audit` flag from argv before anyone else looks at it,
+// so downstream command handlers (some of which read process.argv directly)
+// don't see it as a positional argument.
+const noAuditIndex = process.argv.indexOf('--no-audit')
+const noAudit = noAuditIndex !== -1
+if (noAudit) process.argv.splice(noAuditIndex, 1)
+
 const args = process.argv.slice(2)
 const command = args[0]
 const commandArgs = args.slice(1)
@@ -15,6 +22,16 @@ const isWin = platform() === 'win32'
 const npxCmd = isWin ? 'npx.cmd' : 'npx'
 const ghCmd = isWin ? 'gh.exe' : 'gh'
 
+// Commands that should NOT trigger the release audit pre-run hook.
+// `init` runs before tags exist; `audit` / `fix-releases` ARE the audit
+// itself; `upgrade` runs right after `npm update` and may pre-date tags.
+const SKIP_AUDIT = new Set(['audit', 'fix-releases', 'init', 'upgrade', undefined])
+
+function maybeRunAudit() {
+  if (noAudit || SKIP_AUDIT.has(command)) return
+  spawnSync('node', [join(toolsDir, 'release-audit.js'), '--quiet-if-clean'], { stdio: 'inherit' })
+}
+
 const commands = {
   init: () => {
     const initScript = join(__dirname, 'init.js')
@@ -101,6 +118,22 @@ const commands = {
     spawnSync('node', [join(toolsDir, 'setup-deps.js')], { stdio: 'inherit' })
   },
 
+  'setup-ci': () => {
+    spawnSync('node', [join(toolsDir, 'setup-ci.js')], { stdio: 'inherit' })
+  },
+
+  'setup-branch-protection': () => {
+    spawnSync('node', [join(toolsDir, 'setup-branch-protection.js')], { stdio: 'inherit' })
+  },
+
+  audit: () => {
+    spawnSync('node', [join(toolsDir, 'release-audit.js')], { stdio: 'inherit' })
+  },
+
+  'fix-releases': () => {
+    spawnSync('node', [join(toolsDir, 'fix-releases.js')], { stdio: 'inherit' })
+  },
+
   upgrade: () => {
     spawnSync('node', [join(toolsDir, 'upgrade.js')], { stdio: 'inherit' })
   },
@@ -109,7 +142,10 @@ const commands = {
     console.log('⚙️  Применение jst.config.js...\n')
     spawnSync('node', [join(toolsDir, 'setup-labels.js')], { stdio: 'inherit' })
     spawnSync('node', [join(toolsDir, 'setup-deps.js')], { stdio: 'inherit' })
+    spawnSync('node', [join(toolsDir, 'setup-ci.js')], { stdio: 'inherit' })
     console.log('\n✅ Конфиг применён!')
+    console.log('💡 Branch protection не применяется автоматически (требует admin прав).')
+    console.log('   Запусти вручную: npm run _ setup-branch-protection')
   },
 
   'pr-list': () => {
@@ -161,6 +197,7 @@ const commands = {
 }
 
 if (commands[command]) {
+  maybeRunAudit()
   commands[command]()
 } else {
   console.log(`
@@ -175,6 +212,10 @@ if (commands[command]) {
   init-readme               Создать стартовый README.md
   setup-labels              Настроить GitHub labels
   setup-deps                Настроить dependabot/renovate
+  setup-ci                  Сгенерировать .github/workflows/ci.yml
+  setup-branch-protection   Настроить защиту главной ветки (gh api)
+  audit                     Проверить теги/Releases/демо/README на пробелы
+  fix-releases              Создать GitHub Release для тегов без Release
 
 🔧 РАЗРАБОТКА:
   update-readme             Обновить README с версией
@@ -205,6 +246,9 @@ if (commands[command]) {
 ⚙️  КОНФИГУРАЦИЯ:
   jst.config.js             Настройки веток, labels, коммитов, релизов
 
+🚩 ГЛОБАЛЬНЫЕ ФЛАГИ:
+  --no-audit                Отключить release audit для этого запуска
+
 📝 ФОРМАТ КОММИТОВ:
   feat: #9 описание               Фича (ссылка на issue)
   feat(scope): #9 описание        Фича со scope

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vv0rkz/js-template",
-  "version": "1.8.4",
+  "version": "1.10.0",
   "description": "Reusable setup for JS projects with husky, changelog, gh tools",
   "type": "module",
   "bin": {

package/templates/jst.config.js

@@ -103,6 +103,23 @@ export default {
        */
       style: 'click',
     },
+
+    /**
+     * Release audit — пассивная проверка перед каждой jst-командой.
+     * Сравнивает git tags ↔ GitHub Releases ↔ демо-файлы ↔ README-секции
+     * и печатает предупреждения, не блокируя команду.
+     *
+     *   enable    — включить хук (true | false)
+     *   warnOnly  — только предупреждать (true) или падать с кодом 1 (false)
+     *
+     * Отключить разово: `jst --no-audit <command>`
+     * Запустить явно:  `jst audit`
+     * Починить пропуски: `jst fix-releases`
+     */
+    audit: {
+      enable: true,
+      warnOnly: true,
+    },
   },
 
   /**
@@ -121,12 +138,55 @@ export default {
 
   /**
    * Автообновление зависимостей
-   * @type {'dependabot' | 'renovate' | false}
    *
-   * 'dependabot' — создаст .github/dependabot.yml
-   * 'renovate'   — создаст renovate.json
-   * false        — отключено
+   * Короткая форма:
+   *   depUpdater: 'dependabot'   — создаст .github/dependabot.yml
+   *   depUpdater: 'renovate'     — создаст renovate.json
+   *   depUpdater: false          — отключено
+   *
+   * Расширенная форма (только dependabot):
+   *   depUpdater: {
+   *     type: 'dependabot',
+   *     ignoreMajor: true,                       // не открывать major PR-ы
+   *     ignore: { major: true, minor: false },   // или более гранулярно
+   *     autoMerge: { patch: true, minor: true, major: false },
+   *   }
+   *
+   * При `autoMerge` jst дополнительно создаёт
+   * .github/workflows/dependabot-auto-merge.yml
    */
   depUpdater: false,
 
+  /**
+   * Continuous Integration (GitHub Actions)
+   *
+   * При `enable: true` команда `jst setup-ci` (и `jst apply`) создаёт
+   * .github/workflows/ci.yml — workflow с по одной job на каждый check.
+   * Имя job совпадает с именем npm-скрипта, который оно запускает.
+   *
+   *   ci.yml: jobs.lint → runs `npm run lint`
+   *           jobs.test → runs `npm run test`
+   */
+  ci: {
+    enable: false,
+    checks: ['lint', 'test'],
+    nodeVersion: '20',
+  },
+
+  /**
+   * Branch protection (через `gh api`)
+   *
+   * Команда `jst setup-branch-protection` настраивает защиту главной ветки
+   * через GitHub API. Не запускается автоматически в `jst apply` —
+   * требует admin прав на репозитории.
+   *
+   *   requiredChecks — список обязательных status checks (должны совпадать
+   *   с именами job-ов из ci.checks).
+   */
+  branchProtection: {
+    enable: false,
+    requiredChecks: [],
+    enforceAdmins: false,
+  },
+
 }

package/tools-gh/check-demo-for-release.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import { existsSync, readFileSync } from 'fs'
-import { execSync } from 'child_process'
 import { loadConfig } from './config.js'
+import { predictNextVersion } from './version-utils.js'
 
 const config = await loadConfig()
 
@@ -11,16 +11,7 @@ if (!config.release.demo.enable) {
 }
 
 const packageJson = JSON.parse(readFileSync('package.json', 'utf8'))
-const [major, minor, patch] = packageJson.version.split('.').map(Number)
-
-const commitMessages = execSync('git log --oneline -10', { encoding: 'utf8' })
-
-let nextVersion
-if (commitMessages.includes('feat:')) {
-  nextVersion = `v${major}.${minor + 1}.0`
-} else {
-  nextVersion = `v${major}.${minor}.${patch + 1}`
-}
+const nextVersion = predictNextVersion(packageJson.version)
 
 console.log(`📦 Предполагаемая следующая версия: ${nextVersion}`)
 

package/tools-gh/config.js

@@ -25,6 +25,10 @@ const DEFAULTS = {
       formats: ['gif', 'png'],
       style: 'click',
     },
+    audit: {
+      enable: true,
+      warnOnly: true,
+    },
   },
   changelog: {
     types: {
@@ -35,6 +39,28 @@ const DEFAULTS = {
     },
   },
   depUpdater: false,
+  ci: {
+    enable: false,
+    checks: ['lint', 'test'],
+    nodeVersion: '20',
+  },
+  branchProtection: {
+    enable: false,
+    requiredChecks: [],
+    enforceAdmins: false,
+  },
+}
+
+/**
+ * Normalizes `depUpdater` to an object form.
+ *   false               → { type: false }
+ *   'dependabot'        → { type: 'dependabot' }
+ *   { type, ...opts }   → unchanged
+ */
+export function normalizeDepUpdater(depUpdater) {
+  if (!depUpdater) return { type: false }
+  if (typeof depUpdater === 'string') return { type: depUpdater }
+  return { type: false, ...depUpdater }
 }
 
 // --- Branch pattern template engine ---

package/tools-gh/fix-releases.js

@@ -0,0 +1,77 @@
+#!/usr/bin/env node
+import { execSync, spawnSync } from 'child_process'
+import { platform } from 'os'
+
+const isWin = platform() === 'win32'
+const ghCmd = isWin ? 'gh.exe' : 'gh'
+
+function safeExec(cmd) {
+  try {
+    return execSync(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'ignore'] }).trim()
+  } catch {
+    return ''
+  }
+}
+
+try {
+  execSync(`${ghCmd} auth status`, { stdio: 'ignore' })
+} catch {
+  console.error('❌ GitHub CLI не установлен или не авторизован')
+  console.log('💡 Установи: https://cli.github.com/  и выполни: gh auth login')
+  process.exit(1)
+}
+
+const tagsRaw = safeExec('git tag --sort=creatordate')
+const tags = tagsRaw
+  .split('\n')
+  .map((t) => t.trim())
+  .filter((t) => /^v\d+\.\d+\.\d+$/.test(t))
+
+if (tags.length === 0) {
+  console.log('ℹ️  Тегов не найдено — нечего восстанавливать')
+  process.exit(0)
+}
+
+const releasesJson = safeExec(`${ghCmd} release list --json tagName --limit 200`)
+let releaseTags = new Set()
+try {
+  releaseTags = new Set(JSON.parse(releasesJson || '[]').map((r) => r.tagName))
+} catch {
+  console.error('❌ Не удалось распарсить список GitHub Releases')
+  process.exit(1)
+}
+
+const missing = tags.filter((t) => !releaseTags.has(t))
+
+if (missing.length === 0) {
+  console.log('✅ Все теги уже имеют GitHub Release')
+  process.exit(0)
+}
+
+console.log(`🔧 Создаю GitHub Release для ${missing.length} тег(ов):`)
+missing.forEach((t) => console.log(`   • ${t}`))
+console.log()
+
+let created = 0
+let failed = 0
+
+for (const tag of missing) {
+  process.stdout.write(`   ${tag} ... `)
+  const result = spawnSync(ghCmd, ['release', 'create', tag, '--generate-notes', '--title', tag], {
+    stdio: ['ignore', 'pipe', 'pipe'],
+    encoding: 'utf8',
+  })
+
+  if (result.status === 0) {
+    console.log('✅')
+    created++
+  } else {
+    console.log('⚠️')
+    const errMsg = (result.stderr || '').trim().split('\n').slice(0, 2).join(' | ')
+    if (errMsg) console.log(`      ${errMsg}`)
+    failed++
+  }
+}
+
+console.log(`\n📊 Создано: ${created}, ошибок: ${failed}`)
+if (failed > 0) process.exit(1)

package/tools-gh/post-commit-hook.js

@@ -5,8 +5,13 @@ import { loadConfig } from './config.js'
 const config = await loadConfig()
 const { closeKeyword, requireIssue } = config.commits
 
-const commitMsg = execSync('git log -1 --pretty=%B', { encoding: 'utf8' }).trim()
-const commitHash = execSync('git rev-parse --short HEAD', { encoding: 'utf8' }).trim()
+function safeExec(cmd) {
+  try {
+    return execSync(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'ignore'] }).trim()
+  } catch {
+    return ''
+  }
+}
 
 let repoUrl = execSync('git remote get-url origin', { encoding: 'utf8' }).trim()
 if (repoUrl.startsWith('git@github.com:')) {
@@ -15,26 +20,56 @@ if (repoUrl.startsWith('git@github.com:')) {
   repoUrl = repoUrl.replace(/\.git$/, '')
 }
 
-execSync('git push origin HEAD', { stdio: 'inherit' })
+// Capture upstream BEFORE push so we can scan everything that lands on the
+// remote in this push — including older commits whose pushes were previously
+// rejected by pre-push (fixes #10).
+const beforeUpstream = safeExec('git rev-parse @{u}')
+
+try {
+  execSync('git push -u origin HEAD', { stdio: 'inherit' })
+} catch {
+  // pre-push hook may have rejected the push; nothing to close yet.
+  process.exit(1)
+}
+
+// On successful push, scan every commit between the previously known remote
+// HEAD and the new HEAD for close-keywords. If we had no upstream before,
+// fall back to the last 50 commits.
+const range = beforeUpstream ? `${beforeUpstream}..HEAD` : '-50'
+const log = safeExec(`git log ${range} --format=%H%x09%s`)
+
+if (!log) process.exit(0)
 
 const escClose = closeKeyword.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
 const typesGroup = requireIssue.join('|')
 const closePattern = new RegExp(`^(${typesGroup})(\\(.+\\))?: ${escClose} #(\\d+)`)
-const match = commitMsg.match(closePattern)
 
-if (match) {
+const seen = new Set()
+
+for (const line of log.split('\n').filter(Boolean)) {
+  const tabIndex = line.indexOf('\t')
+  if (tabIndex === -1) continue
+  const hash = line.slice(0, tabIndex)
+  const subject = line.slice(tabIndex + 1)
+
+  const match = subject.match(closePattern)
+  if (!match) continue
+
   const issueNumber = match[3]
-  const commitLink = `${repoUrl}/commit/${commitHash}`
-  const firstLine = commitMsg.split('\n')[0]
+  if (seen.has(issueNumber)) continue
+  seen.add(issueNumber)
+
+  const shortHash = hash.slice(0, 7)
+  const commitLink = `${repoUrl}/commit/${hash}`
 
-  console.log(`🔧 Закрываю issue #${issueNumber}...`)
+  console.log(`🔧 Закрываю issue #${issueNumber} (коммит ${shortHash})...`)
 
   try {
     execSync(
-      `gh issue close "${issueNumber}" --comment "✅ Завершено в коммите: [${commitHash}](${commitLink}) - ${firstLine}"`,
+      `gh issue close "${issueNumber}" --comment "✅ Завершено в коммите: [${shortHash}](${commitLink}) - ${subject}"`,
       { stdio: 'inherit' },
     )
   } catch {
-    console.log(`⚠️  Не удалось закрыть issue #${issueNumber}`)
+    console.log(`⚠️  Не удалось закрыть issue #${issueNumber} (возможно уже закрыт)`)
   }
 }

package/tools-gh/release-audit.js

@@ -0,0 +1,103 @@
+#!/usr/bin/env node
+import { execSync } from 'child_process'
+import { existsSync, readFileSync } from 'fs'
+import { platform } from 'os'
+import { loadConfig } from './config.js'
+
+const isWin = platform() === 'win32'
+const ghCmd = isWin ? 'gh.exe' : 'gh'
+
+const config = await loadConfig()
+const audit = (config.release && config.release.audit) || {}
+
+if (audit.enable === false) process.exit(0)
+
+// When invoked as a pre-run hook we stay silent on a clean repo. Stand-alone
+// invocations (`jst audit`) print a positive confirmation.
+const quietIfClean = process.argv.includes('--quiet-if-clean')
+const warnOnly = audit.warnOnly !== false
+
+function safeExec(cmd) {
+  try {
+    return execSync(cmd, { encoding: 'utf8', stdio: ['pipe', 'pipe', 'ignore'] }).trim()
+  } catch {
+    return ''
+  }
+}
+
+const tagsRaw = safeExec('git tag --sort=-creatordate')
+const tags = tagsRaw
+  .split('\n')
+  .map((t) => t.trim())
+  .filter((t) => /^v\d+\.\d+\.\d+$/.test(t))
+
+if (tags.length === 0) process.exit(0)
+
+let releaseTags = new Set()
+const releasesJson = safeExec(`${ghCmd} release list --json tagName --limit 100`)
+if (releasesJson) {
+  try {
+    releaseTags = new Set(JSON.parse(releasesJson).map((r) => r.tagName))
+  } catch {
+    // gh returned non-JSON — treat as "no info", skip the release check
+    releaseTags = null
+  }
+}
+
+const demoCfg = (config.release && config.release.demo) || {}
+const demoEnabled = demoCfg.enable !== false
+const demoDir = demoCfg.dir || 'docs'
+const demoFormats = Array.isArray(demoCfg.formats) && demoCfg.formats.length ? demoCfg.formats : ['gif', 'png']
+
+let readmeContent = ''
+let hasAutoSection = false
+if (existsSync('README.md')) {
+  readmeContent = readFileSync('README.md', 'utf8')
+  hasAutoSection = readmeContent.includes('<!-- AUTOGENERATED_SECTION START -->')
+}
+
+const noRelease = []
+const noDemo = []
+const noReadme = []
+
+for (const tag of tags) {
+  if (releaseTags && !releaseTags.has(tag)) noRelease.push(tag)
+
+  if (demoEnabled) {
+    const hasDemo = demoFormats.some((fmt) => existsSync(`${demoDir}/${tag}.${fmt}`))
+    if (!hasDemo) noDemo.push(tag)
+  }
+
+  if (hasAutoSection && !readmeContent.includes(`### 🟢 ${tag}`)) {
+    noReadme.push(tag)
+  }
+}
+
+const total = noRelease.length + noDemo.length + noReadme.length
+
+if (total === 0) {
+  if (!quietIfClean) console.log('✅ Release audit: всё в порядке')
+  process.exit(0)
+}
+
+// Compact list helper — first N tags then "+M more"
+function fmtTags(list, limit = 5) {
+  if (list.length <= limit) return list.join(', ')
+  return list.slice(0, limit).join(', ') + ` +${list.length - limit} more`
+}
+
+if (noRelease.length) {
+  console.warn(`⚠️  Release audit: ${noRelease.length} тег(ов) без GitHub Release: ${fmtTags(noRelease)}`)
+  console.warn(`   → Исправить: jst fix-releases`)
+}
+if (noDemo.length) {
+  console.warn(`⚠️  Release audit: ${noDemo.length} тег(ов) без демо: ${fmtTags(noDemo)}`)
+  console.warn(`   → Создай файлы в ${demoDir}/<tag>.${demoFormats[0]}`)
+}
+if (noReadme.length) {
+  console.warn(`⚠️  Release audit: README не содержит секции: ${fmtTags(noReadme)}`)
+  console.warn(`   → Исправить: jst update-readme`)
+}
+
+if (!warnOnly) process.exit(1)
+process.exit(0)

package/tools-gh/release.js

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
-import { execSync, spawnSync } from 'child_process'
+import { spawnSync } from 'child_process'
 import { existsSync, readFileSync } from 'fs'
 import { platform } from 'os'
 import { dirname, join } from 'path'
 import { fileURLToPath } from 'url'
 import { loadConfig } from './config.js'
+import { getCommitsSinceLastTag, getLastTag, predictNextVersion } from './version-utils.js'
 
 const __dirname = dirname(fileURLToPath(import.meta.url))
 const isWin = platform() === 'win32'
@@ -23,12 +24,7 @@ console.log(`📦 Текущая версия: ${currentVersion}`)
 
 // 2. Demo check (configurable)
 if (config.release.demo.enable) {
-  const [major, minor, patch] = currentVersion.split('.').map(Number)
-  const recentCommits = execSync('git log --oneline -10', { encoding: 'utf8' })
-  const nextVersion = recentCommits.includes('feat:')
-    ? `v${major}.${minor + 1}.0`
-    : `v${major}.${minor}.${patch + 1}`
-
+  const nextVersion = predictNextVersion(currentVersion)
   console.log(`📦 Предполагаемая следующая версия: ${nextVersion}`)
 
   const { dir: demoDir, formats: demoFormats } = config.release.demo
@@ -58,19 +54,11 @@ if (currentVersion.startsWith('0.')) {
 }
 
 // 4. Commit analysis
-let lastTag = ''
-try {
-  lastTag = execSync('git describe --tags --abbrev=0', { encoding: 'utf8' }).trim()
-  console.log(`📌 Последний тег: ${lastTag}`)
-} catch {
-  console.log('📌 Теги не найдены (первый релиз)')
-}
-
-const commitLog = lastTag
-  ? execSync(`git log ${lastTag}..HEAD --format=%s`, { encoding: 'utf8' })
-  : execSync('git log --format=%s -10', { encoding: 'utf8' })
+const lastTag = getLastTag()
+if (lastTag) console.log(`📌 Последний тег: ${lastTag}`)
+else console.log('📌 Теги не найдены (первый релиз)')
 
-const commits = commitLog.split('\n').filter(Boolean)
+const commits = getCommitsSinceLastTag(lastTag)
 const countByType = (prefix) => commits.filter((c) => c.startsWith(`${prefix}:`)).length
 
 const featCount = countByType('feat')

package/tools-gh/report-issue.js

@@ -6,25 +6,41 @@ const jstRepo = 'vv0rkz/js-template'
 const isWin = platform() === 'win32'
 const ghCmd = isWin ? 'gh.exe' : 'gh'
 
-const title = process.argv.slice(2).join(' ')
+const rawArgs = process.argv.slice(2)
 
 console.log(`📝 Создаю issue в ${jstRepo}...`)
 
-if (!title) {
-  const result = spawnSync(ghCmd, ['issue', 'create', '--repo', jstRepo], { stdio: 'inherit' })
-  process.exit(result.status || 0)
+// If the caller passed any flag (anything starting with `-`), we assume a
+// non-interactive invocation and forward every argument verbatim to
+// `gh issue create`. This enables script/CI usage like:
+//   jst report-issue --title "..." --body-file body.md --label bug
+//
+// Otherwise we keep the historical shorthand and join the positional args
+// into the title:
+//   jst report-issue "Quick bug description"
+const hasFlags = rawArgs.some((a) => a.startsWith('-'))
+
+let ghArgs
+if (rawArgs.length === 0) {
+  ghArgs = ['issue', 'create', '--repo', jstRepo]
+} else if (hasFlags) {
+  ghArgs = ['issue', 'create', '--repo', jstRepo, ...rawArgs]
+} else {
+  ghArgs = ['issue', 'create', '--repo', jstRepo, '--title', rawArgs.join(' ')]
 }
 
-const result = spawnSync(ghCmd, ['issue', 'create', '--repo', jstRepo, '--title', title], {
-  stdio: 'inherit',
-})
+const result = spawnSync(ghCmd, ghArgs, { stdio: 'inherit' })
 
 if (result.status === 0) {
   console.log('\n✅ Issue создан!')
-} else {
-  console.error('❌ Ошибка создания issue')
-  console.log('\n💡 Убедись что:')
-  console.log('   1. Установлен GitHub CLI: gh --version')
-  console.log('   2. Выполнена авторизация: gh auth login')
-  process.exit(1)
+  process.exit(0)
 }
+
+console.error('❌ Ошибка создания issue')
+console.log('\n💡 Убедись что:')
+console.log('   1. Установлен GitHub CLI: gh --version')
+console.log('   2. Выполнена авторизация: gh auth login')
+console.log('   3. Для non-interactive вызова используй флаги:')
+console.log('      jst report-issue --title "..." --body "..."')
+console.log('      jst report-issue --title "..." --body-file body.md')
+process.exit(result.status || 1)

package/tools-gh/setup-branch-protection.js

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+import { execSync, spawnSync } from 'child_process'
+import { platform } from 'os'
+import { loadConfig } from './config.js'
+
+const config = await loadConfig()
+const bp = config.branchProtection
+
+if (!bp || !bp.enable) {
+  console.log('⏭️  Branch protection отключена (branchProtection.enable = false)')
+  console.log('💡 Включи в jst.config.js: branchProtection: { enable: true, requiredChecks: [...] }')
+  process.exit(0)
+}
+
+const requiredChecks = Array.isArray(bp.requiredChecks) ? bp.requiredChecks.filter(Boolean) : []
+const enforceAdmins = !!bp.enforceAdmins
+const mainBranch = (config.branch && config.branch.main) || 'main'
+
+const isWin = platform() === 'win32'
+const ghCmd = isWin ? 'gh.exe' : 'gh'
+
+console.log(`🔒 Настройка branch protection для ветки "${mainBranch}"...\n`)
+
+try {
+  execSync(`${ghCmd} auth status`, { stdio: 'ignore' })
+} catch {
+  console.error('❌ GitHub CLI не установлен или не авторизован')
+  console.log('💡 Установи: https://cli.github.com/')
+  console.log('   И выполни: gh auth login')
+  process.exit(1)
+}
+
+let repoSlug = ''
+try {
+  const remote = execSync('git remote get-url origin', { encoding: 'utf8' }).trim()
+  const match = remote.match(/[:/]([^/:]+\/[^/]+?)(?:\.git)?$/)
+  if (match) repoSlug = match[1]
+} catch {
+  // ignore
+}
+
+if (!repoSlug) {
+  console.error('❌ Не удалось определить owner/repo из git remote origin')
+  process.exit(1)
+}
+
+const payload = {
+  required_status_checks:
+    requiredChecks.length > 0 ? { strict: true, contexts: requiredChecks } : null,
+  enforce_admins: enforceAdmins,
+  required_pull_request_reviews: null,
+  restrictions: null,
+}
+
+console.log(`📍 Repo: ${repoSlug}`)
+console.log(`📍 Required checks: ${requiredChecks.length ? requiredChecks.join(', ') : '(none)'}`)
+console.log(`📍 Enforce admins: ${enforceAdmins}`)
+console.log()
+
+const result = spawnSync(
+  ghCmd,
+  ['api', '-X', 'PUT', `repos/${repoSlug}/branches/${mainBranch}/protection`, '--input', '-'],
+  {
+    input: JSON.stringify(payload),
+    stdio: ['pipe', 'inherit', 'inherit'],
+    encoding: 'utf8',
+  },
+)
+
+if (result.status === 0) {
+  console.log('\n✅ Branch protection настроена!')
+} else {
+  console.error('\n❌ Не удалось настроить branch protection')
+  console.log('💡 Возможные причины:')
+  console.log('   • Нет прав admin на репозиторий')
+  console.log('   • Репозиторий приватный на бесплатном плане (нужен Pro/Team/Enterprise)')
+  console.log('   • Указанные required checks ещё не запускались на этой ветке')
+  process.exit(result.status || 1)
+}

package/tools-gh/setup-ci.js

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+import { existsSync, mkdirSync, writeFileSync } from 'fs'
+import { join } from 'path'
+import { loadConfig } from './config.js'
+
+const config = await loadConfig()
+const ci = config.ci
+
+if (!ci || !ci.enable) {
+  console.log('⏭️  CI отключён (ci.enable = false)')
+  process.exit(0)
+}
+
+const checks = Array.isArray(ci.checks) ? ci.checks.filter(Boolean) : []
+if (checks.length === 0) {
+  console.log('⚠️  ci.enable = true, но ci.checks пуст — workflow не создан')
+  process.exit(0)
+}
+
+const nodeVersion = ci.nodeVersion || '20'
+const mainBranch = (config.branch && config.branch.main) || 'main'
+
+const workflowsDir = join(process.cwd(), '.github', 'workflows')
+if (!existsSync(workflowsDir)) mkdirSync(workflowsDir, { recursive: true })
+
+const filePath = join(workflowsDir, 'ci.yml')
+if (existsSync(filePath)) {
+  console.log('⏭️  .github/workflows/ci.yml уже существует')
+  process.exit(0)
+}
+
+const jobs = checks
+  .map(
+    (check) => `  ${check}:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '${nodeVersion}'
+          cache: npm
+      - run: npm ci
+      - run: npm run ${check}`,
+  )
+  .join('\n\n')
+
+const yaml = `name: CI
+
+on:
+  push:
+    branches: [${mainBranch}]
+  pull_request:
+    branches: [${mainBranch}]
+
+jobs:
+${jobs}
+`
+
+writeFileSync(filePath, yaml)
+console.log('✅ Создан .github/workflows/ci.yml')
+console.log(`   ↳ checks: ${checks.join(', ')}`)
+console.log(`   ↳ node: ${nodeVersion}`)
+console.log(`   ↳ branch: ${mainBranch}`)

package/tools-gh/setup-deps.js

@@ -1,43 +1,139 @@
 #!/usr/bin/env node
 import { existsSync, mkdirSync, writeFileSync } from 'fs'
 import { join } from 'path'
-import { loadConfig } from './config.js'
+import { loadConfig, normalizeDepUpdater } from './config.js'
 
 const config = await loadConfig()
-const { depUpdater } = config
+const dep = normalizeDepUpdater(config.depUpdater)
 
-if (!depUpdater) {
+if (!dep.type) {
   console.log('⏭️  Автообновление зависимостей отключено (depUpdater = false)')
   process.exit(0)
 }
 
-if (depUpdater === 'dependabot') {
+if (dep.type === 'dependabot') {
+  writeDependabotConfig(dep)
+  if (dep.autoMerge) {
+    // shorthand: `autoMerge: true` → enable patch + minor auto-merge
+    const am = dep.autoMerge === true ? { patch: true, minor: true } : dep.autoMerge
+    writeDependabotAutoMergeWorkflow(am)
+  }
+} else if (dep.type === 'renovate') {
+  writeRenovateConfig()
+} else {
+  console.log(`⚠️  Неизвестный depUpdater.type: "${dep.type}"`)
+  console.log('💡 Допустимые значения: "dependabot", "renovate", false')
+  process.exit(1)
+}
+
+// ---- helpers ------------------------------------------------------------
+
+function buildIgnoreList(dep) {
+  // Granular `ignore: { major, minor, patch }` takes precedence over
+  // the simple `ignoreMajor` boolean.
+  const types = []
+  if (dep.ignore && typeof dep.ignore === 'object') {
+    if (dep.ignore.major) types.push('version-update:semver-major')
+    if (dep.ignore.minor) types.push('version-update:semver-minor')
+    if (dep.ignore.patch) types.push('version-update:semver-patch')
+  } else if (dep.ignoreMajor) {
+    types.push('version-update:semver-major')
+  }
+  return types
+}
+
+function writeDependabotConfig(dep) {
   const dir = join(process.cwd(), '.github')
   if (!existsSync(dir)) mkdirSync(dir, { recursive: true })
 
   const filePath = join(dir, 'dependabot.yml')
   if (existsSync(filePath)) {
     console.log('⏭️  .github/dependabot.yml уже существует')
-    process.exit(0)
+    return
   }
 
-  writeFileSync(
-    filePath,
-    `version: 2
-updates:
-  - package-ecosystem: "npm"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 10
-`,
-  )
+  const ignoreTypes = buildIgnoreList(dep)
+  const ignoreBlock = ignoreTypes.length
+    ? `    ignore:\n      - dependency-name: "*"\n        update-types: [${ignoreTypes
+        .map((t) => `"${t}"`)
+        .join(', ')}]\n`
+    : ''
+
+  const yaml =
+    `version: 2\n` +
+    `updates:\n` +
+    `  - package-ecosystem: "npm"\n` +
+    `    directory: "/"\n` +
+    `    schedule:\n` +
+    `      interval: "weekly"\n` +
+    `    open-pull-requests-limit: 10\n` +
+    ignoreBlock
+
+  writeFileSync(filePath, yaml)
   console.log('✅ Создан .github/dependabot.yml')
-} else if (depUpdater === 'renovate') {
+  if (ignoreTypes.length) {
+    console.log(`   ↳ ignore update-types: ${ignoreTypes.join(', ')}`)
+  }
+}
+
+function writeDependabotAutoMergeWorkflow(autoMerge) {
+  const dir = join(process.cwd(), '.github', 'workflows')
+  if (!existsSync(dir)) mkdirSync(dir, { recursive: true })
+
+  const filePath = join(dir, 'dependabot-auto-merge.yml')
+  if (existsSync(filePath)) {
+    console.log('⏭️  .github/workflows/dependabot-auto-merge.yml уже существует')
+    return
+  }
+
+  const conditions = []
+  if (autoMerge.patch) conditions.push("steps.meta.outputs.update-type == 'version-update:semver-patch'")
+  if (autoMerge.minor) conditions.push("steps.meta.outputs.update-type == 'version-update:semver-minor'")
+  if (autoMerge.major) conditions.push("steps.meta.outputs.update-type == 'version-update:semver-major'")
+
+  if (conditions.length === 0) {
+    console.log('⏭️  depUpdater.autoMerge не содержит ни одного true — auto-merge workflow не создан')
+    return
+  }
+
+  const ifClause = conditions.join(' || ')
+
+  const yaml = `name: Dependabot auto-merge
+
+on: pull_request
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: github.actor == 'dependabot[bot]'
+    steps:
+      - name: Fetch metadata
+        id: meta
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: "\${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Enable auto-merge
+        if: ${ifClause}
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: \${{ github.event.pull_request.html_url }}
+          GH_TOKEN: \${{ secrets.GITHUB_TOKEN }}
+`
+
+  writeFileSync(filePath, yaml)
+  console.log('✅ Создан .github/workflows/dependabot-auto-merge.yml')
+}
+
+function writeRenovateConfig() {
   const filePath = join(process.cwd(), 'renovate.json')
   if (existsSync(filePath)) {
     console.log('⏭️  renovate.json уже существует')
-    process.exit(0)
+    return
   }
 
   writeFileSync(
@@ -52,8 +148,4 @@ updates:
     ) + '\n',
   )
   console.log('✅ Создан renovate.json')
-} else {
-  console.log(`⚠️  Неизвестный depUpdater: "${depUpdater}"`)
-  console.log('💡 Допустимые значения: "dependabot", "renovate", false')
-  process.exit(1)
 }

package/tools-gh/version-utils.js

@@ -0,0 +1,40 @@
+import { execSync } from 'child_process'
+
+/**
+ * Returns the last tag (e.g. "v1.8.4") or '' if no tags exist.
+ */
+export function getLastTag() {
+  try {
+    return execSync('git describe --tags --abbrev=0', {
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'ignore'],
+    }).trim()
+  } catch {
+    return ''
+  }
+}
+
+/**
+ * Returns commit subjects since the last tag (or last 10 commits if no tag).
+ */
+export function getCommitsSinceLastTag(lastTag = getLastTag()) {
+  const log = lastTag
+    ? execSync(`git log ${lastTag}..HEAD --format=%s`, { encoding: 'utf8' })
+    : execSync('git log --format=%s -10', { encoding: 'utf8' })
+  return log.split('\n').filter(Boolean)
+}
+
+/**
+ * Predicts the next semver version string ("vX.Y.Z") based on commits since the
+ * last tag. If any feat: commit is present → minor bump; otherwise patch bump.
+ *
+ * Uses commits since the last tag (not last 10 commits) so the prediction stays
+ * correct even after many docs:/refactor: commits land on top of older feat:s.
+ */
+export function predictNextVersion(currentVersion) {
+  const [major, minor, patch] = currentVersion.split('.').map(Number)
+  const commits = getCommitsSinceLastTag()
+  const hasFeat = commits.some((c) => /^feat(\(.+\))?!?:/.test(c))
+
+  return hasFeat ? `v${major}.${minor + 1}.0` : `v${major}.${minor}.${patch + 1}`
+}