bulk-release 2.15.38 → 2.16.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/CHANGELOG.md +16 -0
  2. package/README.md +14 -1
  3. package/package.json +7 -7
  4. package/src/main/js/api/npm.js +14 -6
  5. package/src/main/js/config.js +2 -1
package/CHANGELOG.md CHANGED
@@ -1,3 +1,19 @@
1
+ ## [2.16.1](https://github.com/semrel-extra/zx-bulk-release/compare/v2.16.0...v2.16.1) (2026-04-04)
2
+
3
+ ### Fixes & improvements
4
+ * perf: tech release ([3ee886c](https://github.com/semrel-extra/zx-bulk-release/commit/3ee886ce7c4100d109ccb78bcc2d3a19ea27af37))
5
+ * perf: update actions, tech release ([545da15](https://github.com/semrel-extra/zx-bulk-release/commit/545da151a0d47097e5da6001e40eeb725be5eaeb))
6
+
7
+ ## [2.16.0](https://github.com/semrel-extra/zx-bulk-release/compare/v2.15.39...v2.16.0) (2026-04-04)
8
+
9
+ ### Features
10
+ * feat: support npm oidc flow ([7396a6e](https://github.com/semrel-extra/zx-bulk-release/commit/7396a6ec1c4ab498261047ed17cfe42986ab2d54))
11
+
12
+ ## [2.15.39](https://github.com/semrel-extra/zx-bulk-release/compare/v2.15.38...v2.15.39) (2025-10-20)
13
+
14
+ ### Fixes & improvements
15
+ * fix(deps): update dependency zx-extra to v4.0.20 (#75) ([ca4b250](https://github.com/semrel-extra/zx-bulk-release/commit/ca4b2503588bb75f4eebd32f01b6f82facd08b7b))
16
+
1
17
  ## [2.15.38](https://github.com/semrel-extra/zx-bulk-release/compare/v2.15.37...v2.15.38) (2025-09-28)
2
18
 
3
19
  ### Fixes & improvements
package/README.md CHANGED
@@ -83,7 +83,7 @@ Any [cosmiconfig](https://github.com/davidtheclark/cosmiconfig) compliant format
83
83
  ### env vars
84
84
  ```js
85
85
  export const parseEnv = (env = process.env) => {
86
- const {GH_USER, GH_USERNAME, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = env
86
+ const {GH_USER, GH_USERNAME, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = env
87
87
 
88
88
  return {
89
89
  ghUser: GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME,
@@ -93,12 +93,25 @@ export const parseEnv = (env = process.env) => {
93
93
  npmConfig: NPMRC || NPM_USERCONFIG || NPM_CONFIG_USERCONFIG,
94
94
  npmRegistry: NPM_REGISTRY || 'https://registry.npmjs.org',
95
95
  npmProvenance: NPM_PROVENANCE,
96
+ // OIDC trusted publishing: https://docs.npmjs.com/trusted-publishers/
97
+ npmOidc: NPM_OIDC || (!NPM_TOKEN && ACTIONS_ID_TOKEN_REQUEST_URL),
96
98
  gitCommitterName: GIT_COMMITTER_NAME || 'Semrel Extra Bot',
97
99
  gitCommitterEmail: GIT_COMMITTER_EMAIL || 'semrel-extra-bot@hotmail.com',
98
100
  }
99
101
  }
100
102
  ```
101
103
 
104
+ ### OIDC Trusted Publishing
105
+ npm now supports [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers/) as a replacement for long-lived access tokens. To enable:
106
+ 1. [Configure a trusted publisher](https://docs.npmjs.com/trusted-publishers/) for each package on npmjs.com (link your GitHub repo and workflow)
107
+ 2. Set `NPM_OIDC=true` in your workflow environment
108
+ 3. Ensure your GitHub Actions workflow has `permissions: { id-token: write }`
109
+ 4. Make sure each `package.json` includes the `repository` field matching your GitHub repo URL
110
+
111
+ OIDC mode is also auto-detected when `NPM_TOKEN` is not set and `ACTIONS_ID_TOKEN_REQUEST_URL` is present (GitHub Actions with `id-token: write` permission).
112
+
113
+ When OIDC is active, `NPM_TOKEN` and `NPMRC` are ignored for publishing and `--provenance` is enabled automatically.
114
+
102
115
  ## Demo
103
116
  * [demo-zx-bulk-release](https://github.com/semrel-extra/demo-zx-bulk-release)
104
117
  * [qiwi/pijma](https://github.com/qiwi/pijma)
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "bulk-release",
3
3
  "alias": "bulk-release",
4
- "version": "2.15.38",
4
+ "version": "2.16.1",
5
5
  "description": "zx-based alternative for multi-semantic-release",
6
6
  "type": "module",
7
7
  "exports": {
@@ -26,16 +26,16 @@
26
26
  },
27
27
  "dependencies": {
28
28
  "@semrel-extra/topo": "^1.14.1",
29
- "cosmiconfig": "^9.0.0",
29
+ "cosmiconfig": "^9.0.1",
30
30
  "queuefy": "^1.2.1",
31
- "tar-stream": "^3.1.7",
32
- "zx-extra": "4.0.19"
31
+ "tar-stream": "^3.1.8",
32
+ "zx-extra": "4.0.20"
33
33
  },
34
34
  "devDependencies": {
35
- "c8": "^10.1.3",
36
- "esbuild": "^0.25.9",
35
+ "c8": "^11.0.0",
36
+ "esbuild": "^0.28.0",
37
37
  "uvu": "^0.5.6",
38
- "verdaccio": "6.1.6"
38
+ "verdaccio": "6.3.2"
39
39
  },
40
40
  "publishConfig": {
41
41
  "access": "public"
package/src/main/js/api/npm.js CHANGED
@@ -65,24 +65,32 @@ export const npmRestore = async (pkg) => {
65
65
  }
66
66
 
67
67
  export const npmPublish = async (pkg) => {
68
- const {absPath: cwd, name, version, manifest, config: {npmPublish, npmRegistry, npmToken, npmConfig, npmProvenance}} = pkg
68
+ const {absPath: cwd, name, version, manifest, config: {npmPublish, npmRegistry, npmToken, npmConfig, npmProvenance, npmOidc}} = pkg
69
69
 
70
70
  if (manifest.private || npmPublish === false) return
71
71
 
72
72
  log({pkg})(`publishing npm package ${name} ${version} to ${npmRegistry}`)
73
73
 
74
74
  const npmTag = pkg.preversion ? 'snapshot' : 'latest'
75
- const npmrc = await getNpmrc({npmConfig, npmToken, npmRegistry})
76
75
  const npmFlags = [
77
76
  '--no-workspaces',
78
77
  '--no-git-tag-version',
79
- `--userconfig=${npmrc}`,
80
78
  `--tag=${npmTag}`,
81
- npmProvenance && `--provenance`,
82
79
  npmRegistry && `--registry=${npmRegistry}`,
83
- ].filter(Boolean)
80
+ ]
81
+
82
+ // OIDC trusted publishing: no auth token must be present for npm to use OIDC flow.
83
+ // https://docs.npmjs.com/trusted-publishers/
84
+ if (npmOidc) {
85
+ log({pkg})('npm publish: OIDC trusted publishing enabled')
86
+ npmFlags.push('--provenance')
87
+ } else {
88
+ const npmrc = await getNpmrc({npmConfig, npmToken, npmRegistry})
89
+ npmFlags.push(`--userconfig=${npmrc}`)
90
+ if (npmProvenance) npmFlags.push('--provenance')
91
+ }
84
92
 
85
- await $({cwd})`npm publish ${npmFlags}`
93
+ await $({cwd})`npm publish ${npmFlags.filter(Boolean)}`
86
94
  }
87
95
 
88
96
  export const getNpmrc = async ({npmConfig, npmToken, npmRegistry}) => {
package/src/main/js/config.js CHANGED
@@ -56,7 +56,7 @@ export const normalizeMetaConfig = (meta) =>
56
56
  ? { type: meta } // 'commit' | 'asset' | 'tag'
57
57
  : { type: 'none' }
58
58
 
59
- export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = process.env) =>
59
+ export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = process.env) =>
60
60
  ({
61
61
  ghUser: GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME,
62
62
  ghToken: GH_TOKEN || GITHUB_TOKEN,
@@ -64,6 +64,7 @@ export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USE
64
64
  npmConfig: NPMRC || NPM_USERCONFIG || NPM_CONFIG_USERCONFIG,
65
65
  npmToken: NPM_TOKEN,
66
66
  npmProvenance: NPM_PROVENANCE,
67
+ npmOidc: NPM_OIDC || (!NPM_TOKEN && ACTIONS_ID_TOKEN_REQUEST_URL),
67
68
  npmRegistry: NPM_REGISTRY || 'https://registry.npmjs.org',
68
69
  gitCommitterName: GIT_COMMITTER_NAME || 'Semrel Extra Bot',
69
70
  gitCommitterEmail: GIT_COMMITTER_EMAIL || 'semrel-extra-bot@hotmail.com',