bulk-release 2.18.2 → 2.19.0

package/CHANGELOG.md

@@ -1,3 +1,16 @@
+## [2.19.0](https://github.com/semrel-extra/zx-bulk-release/compare/v2.18.3...v2.19.0) (2026-04-05)
+
+### Features
+* feat: assert npm version for npm oidc flow ([647c612](https://github.com/semrel-extra/zx-bulk-release/commit/647c612f5ced01c8230ae1f625bbb6920f1e789d))
+
+### Fixes & improvements
+* fix: enable --debug info strem ([3a8ef02](https://github.com/semrel-extra/zx-bulk-release/commit/3a8ef02974a7b7a1fd8624041a37a2203cd6ec56))
+
+## [2.18.3](https://github.com/semrel-extra/zx-bulk-release/compare/v2.18.2...v2.18.3) (2026-04-05)
+
+### Fixes & improvements
+* fix: use default gh username ([5f3ae20](https://github.com/semrel-extra/zx-bulk-release/commit/5f3ae20f4977b8c1f1d09a7367d15d78c211e6a8))
+
 ## [2.18.2](https://github.com/semrel-extra/zx-bulk-release/compare/v2.18.1...v2.18.2) (2026-04-05)
 
 ### Fixes & improvements

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "bulk-release",
   "alias": "bulk-release",
-  "version": "2.18.2",
+  "version": "2.19.0",
   "description": "zx-based alternative for multi-semantic-release",
   "type": "module",
   "exports": {

package/src/main/js/api/npm.js

@@ -86,6 +86,11 @@ export const npmPublish = async (pkg) => {
   // OIDC trusted publishing: no auth token must be present for npm to use OIDC flow.
   // https://docs.npmjs.com/trusted-publishers/
   if (npmOidc) {
+    const npmVersion = (await $`npm --version`).toString().trim()
+    const [major, minor] = npmVersion.split('.').map(Number)
+    if (major < 11 || (major === 11 && minor < 5)) {
+      throw new Error(`npm OIDC trusted publishing requires npm >= 11.5.0, got ${npmVersion}`)
+    }
     log({pkg})('npm publish: OIDC trusted publishing enabled')
     npmFlags.push('--provenance')
   } else {

package/src/main/js/config.js

@@ -58,7 +58,7 @@ export const normalizeMetaConfig = (meta) =>
 
 export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = process.env) =>
   ({
-    ghUser:             GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME,
+    ghUser:             GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME || ((GH_TOKEN || GITHUB_TOKEN) ? 'x-access-token' : undefined),
     ghToken:            GH_TOKEN || GITHUB_TOKEN,
     ghMeta:             GH_META,
     npmConfig:          NPMRC || NPM_USERCONFIG || NPM_CONFIG_USERCONFIG,

package/src/main/js/processor/release.js

@@ -104,6 +104,7 @@ export const createContext = async ({flags, env: _env, cwd}) => {
   $.report =        report
   $.env =           env
   $.verbose =       !!(flags.debug || $.env.DEBUG ) || $.verbose
+  $.quiet =         !$.verbose
 
   return {
     report,

package/src/main/js/steps/contextify.js

@@ -29,6 +29,7 @@ export const rollbackRelease = async (pkg) => {
 
   const cwd = pkg.context.git.root
   const {ghBasicAuth: basicAuth, ghToken, gitCommitterName, gitCommitterEmail} = pkg.config
+  if (!basicAuth) throw new Error('rollback requires git credentials (GH_TOKEN)')
   const {repoName} = await getRepo(cwd, {basicAuth})
 
   log({pkg})(`rollback: cleaning up failed release for tag '${tag}'`)
@@ -98,6 +99,7 @@ export const recover = async (pkg) => {
 
   const cwd = await getRoot(pkg.absPath)
   const {ghBasicAuth: basicAuth, ghToken, gitCommitterName, gitCommitterEmail} = pkg.config
+  if (!basicAuth) throw new Error('recover requires git credentials (GH_TOKEN)')
   const {repoName} = await getRepo(cwd, {basicAuth})
 
   log({pkg})(`recover: tag '${tag.ref}' exists but ${pkg.name}@${tag.version} not found on npm, rolling back failed release`)