npm - bulk-release - Versions diffs - 2.15.39 → 2.16.2 - Mend

bulk-release 2.15.39 → 2.16.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,19 @@
+## [2.16.2](https://github.com/semrel-extra/zx-bulk-release/compare/v2.16.1...v2.16.2) (2026-04-05)
+### Fixes & improvements
+* fix: handle tarball error ([3fb2fb7](https://github.com/semrel-extra/zx-bulk-release/commit/3fb2fb7a3ff8820a6499275737ea9a74bc281f0b))
+## [2.16.1](https://github.com/semrel-extra/zx-bulk-release/compare/v2.16.0...v2.16.1) (2026-04-04)
+### Fixes & improvements
+* perf: tech release ([3ee886c](https://github.com/semrel-extra/zx-bulk-release/commit/3ee886ce7c4100d109ccb78bcc2d3a19ea27af37))
+* perf: update actions, tech release ([545da15](https://github.com/semrel-extra/zx-bulk-release/commit/545da151a0d47097e5da6001e40eeb725be5eaeb))
+## [2.16.0](https://github.com/semrel-extra/zx-bulk-release/compare/v2.15.39...v2.16.0) (2026-04-04)
+### Features
+* feat: support npm oidc flow ([7396a6e](https://github.com/semrel-extra/zx-bulk-release/commit/7396a6ec1c4ab498261047ed17cfe42986ab2d54))
 ## [2.15.39](https://github.com/semrel-extra/zx-bulk-release/compare/v2.15.38...v2.15.39) (2025-10-20)
 ### Fixes & improvements

package/README.md CHANGED Viewed

@@ -83,7 +83,7 @@ Any [cosmiconfig](https://github.com/davidtheclark/cosmiconfig) compliant format
 ### env vars
 ```js
 export const parseEnv = (env = process.env) => {
-  const {GH_USER, GH_USERNAME, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = env
+  const {GH_USER, GH_USERNAME, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = env
   return {
     ghUser:             GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME,
@@ -93,12 +93,25 @@ export const parseEnv = (env = process.env) => {
     npmConfig:          NPMRC || NPM_USERCONFIG || NPM_CONFIG_USERCONFIG,
     npmRegistry:        NPM_REGISTRY || 'https://registry.npmjs.org',
     npmProvenance:      NPM_PROVENANCE,
+    // OIDC trusted publishing: https://docs.npmjs.com/trusted-publishers/
+    npmOidc:            NPM_OIDC || (!NPM_TOKEN && ACTIONS_ID_TOKEN_REQUEST_URL),
     gitCommitterName:   GIT_COMMITTER_NAME || 'Semrel Extra Bot',
     gitCommitterEmail:  GIT_COMMITTER_EMAIL || 'semrel-extra-bot@hotmail.com',
   }
 }
 ```
+### OIDC Trusted Publishing
+npm now supports [OIDC trusted publishing](https://docs.npmjs.com/trusted-publishers/) as a replacement for long-lived access tokens. To enable:
+1. [Configure a trusted publisher](https://docs.npmjs.com/trusted-publishers/) for each package on npmjs.com (link your GitHub repo and workflow)
+2. Set `NPM_OIDC=true` in your workflow environment
+3. Ensure your GitHub Actions workflow has `permissions: { id-token: write }`
+4. Make sure each `package.json` includes the `repository` field matching your GitHub repo URL
+OIDC mode is also auto-detected when `NPM_TOKEN` is not set and `ACTIONS_ID_TOKEN_REQUEST_URL` is present (GitHub Actions with `id-token: write` permission).
+When OIDC is active, `NPM_TOKEN` and `NPMRC` are ignored for publishing and `--provenance` is enabled automatically.
 ## Demo
 * [demo-zx-bulk-release](https://github.com/semrel-extra/demo-zx-bulk-release)
 * [qiwi/pijma](https://github.com/qiwi/pijma)

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "bulk-release",
   "alias": "bulk-release",
-  "version": "2.15.39",
+  "version": "2.16.2",
   "description": "zx-based alternative for multi-semantic-release",
   "type": "module",
   "exports": {
@@ -26,16 +26,16 @@
   },
   "dependencies": {
     "@semrel-extra/topo": "^1.14.1",
-    "cosmiconfig": "^9.0.0",
+    "cosmiconfig": "^9.0.1",
     "queuefy": "^1.2.1",
-    "tar-stream": "^3.1.7",
+    "tar-stream": "^3.1.8",
     "zx-extra": "4.0.20"
   },
   "devDependencies": {
-    "c8": "^10.1.3",
-    "esbuild": "^0.25.9",
+    "c8": "^11.0.0",
+    "esbuild": "^0.28.0",
     "uvu": "^0.5.6",
-    "verdaccio": "6.2.0"
+    "verdaccio": "6.3.2"
   },
   "publishConfig": {
     "access": "public"

package/src/main/js/api/npm.js CHANGED Viewed

@@ -26,6 +26,10 @@ export const fetchPkg = async (pkg) => {
     })
     clearTimeout(timeoutId)
+    if (!tarball.ok) {
+      throw new Error(`registry responded with ${tarball.status} for ${tarballUrl}`)
+    }
     await unzip(pipify(tarball.body), {cwd, strip: 1, omit: ['package.json']})
     log({pkg})(`fetch duration '${id}': ${Date.now() - now}`)
@@ -65,24 +69,32 @@ export const npmRestore = async (pkg) => {
 }
 export const npmPublish = async (pkg) => {
-  const {absPath: cwd, name, version, manifest, config: {npmPublish, npmRegistry, npmToken, npmConfig, npmProvenance}} = pkg
+  const {absPath: cwd, name, version, manifest, config: {npmPublish, npmRegistry, npmToken, npmConfig, npmProvenance, npmOidc}} = pkg
   if (manifest.private || npmPublish === false) return
   log({pkg})(`publishing npm package ${name} ${version} to ${npmRegistry}`)
   const npmTag = pkg.preversion ? 'snapshot' : 'latest'
-  const npmrc = await getNpmrc({npmConfig, npmToken, npmRegistry})
   const npmFlags = [
     '--no-workspaces',
     '--no-git-tag-version',
-    `--userconfig=${npmrc}`,
     `--tag=${npmTag}`,
-    npmProvenance && `--provenance`,
     npmRegistry && `--registry=${npmRegistry}`,
-  ].filter(Boolean)
+  ]
+  // OIDC trusted publishing: no auth token must be present for npm to use OIDC flow.
+  // https://docs.npmjs.com/trusted-publishers/
+  if (npmOidc) {
+    log({pkg})('npm publish: OIDC trusted publishing enabled')
+    npmFlags.push('--provenance')
+  } else {
+    const npmrc = await getNpmrc({npmConfig, npmToken, npmRegistry})
+    npmFlags.push(`--userconfig=${npmrc}`)
+    if (npmProvenance) npmFlags.push('--provenance')
+  }
-  await $({cwd})`npm publish ${npmFlags}`
+  await $({cwd})`npm publish ${npmFlags.filter(Boolean)}`
 }
 export const getNpmrc = async ({npmConfig, npmToken, npmRegistry}) => {

package/src/main/js/config.js CHANGED Viewed

@@ -56,7 +56,7 @@ export const normalizeMetaConfig = (meta) =>
       ? { type: meta } // 'commit' | 'asset' | 'tag'
       : { type: 'none' }
-export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = process.env) =>
+export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = process.env) =>
   ({
     ghUser:             GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME,
     ghToken:            GH_TOKEN || GITHUB_TOKEN,
@@ -64,6 +64,7 @@ export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USE
     npmConfig:          NPMRC || NPM_USERCONFIG || NPM_CONFIG_USERCONFIG,
     npmToken:           NPM_TOKEN,
     npmProvenance:      NPM_PROVENANCE,
+    npmOidc:            NPM_OIDC || (!NPM_TOKEN && ACTIONS_ID_TOKEN_REQUEST_URL),
     npmRegistry:        NPM_REGISTRY || 'https://registry.npmjs.org',
     gitCommitterName:   GIT_COMMITTER_NAME || 'Semrel Extra Bot',
     gitCommitterEmail:  GIT_COMMITTER_EMAIL || 'semrel-extra-bot@hotmail.com',