bulk-release 2.19.1 → 2.21.0

package/CHANGELOG.md

@@ -1,3 +1,28 @@
+## [2.21.0](https://github.com/semrel-extra/zx-bulk-release/compare/v2.20.0...v2.21.0) (2026-04-10)
+
+### Fixes & improvements
+* docs: update badges ([c9fc1af](https://github.com/semrel-extra/zx-bulk-release/commit/c9fc1af8cfb3d177dc328d1934cb7e663c36f0ca))
+* fix: fix memoize store ([7fddefa](https://github.com/semrel-extra/zx-bulk-release/commit/7fddefa590ded43907d059d3b58e235adff6fa17))
+* refactor: enhance logger ([89d9cff](https://github.com/semrel-extra/zx-bulk-release/commit/89d9cff7727e2190e6490d51f759e7039a25cdb2))
+* docs: mention testing along the change graph flow ([44fd065](https://github.com/semrel-extra/zx-bulk-release/commit/44fd06568d552ae19e753c91f6536978a9c1d28e))
+* docs: add cmd tpl usage example ([d228de0](https://github.com/semrel-extra/zx-bulk-release/commit/d228de09e456799c9e113b36b971187ae7c3c1be))
+* refactor: rearrange utils ([8beeab6](https://github.com/semrel-extra/zx-bulk-release/commit/8beeab6906e4500429cc165f05b39fc5d57e5a09))
+* refactor: optimize npm ver assert (oidc) ([e3b5939](https://github.com/semrel-extra/zx-bulk-release/commit/e3b5939cfb26ab2c0d84bc4a09ebf5971eb2a33a))
+* refactor: bind zx pkg mdc with logger ([fd763a4](https://github.com/semrel-extra/zx-bulk-release/commit/fd763a42a2229ccbc902936fbbfa4a38652685e5))
+* refactor: align context injection flow ([6edb11b](https://github.com/semrel-extra/zx-bulk-release/commit/6edb11bfa669ae9519a134383f5299d77bc4f1a6))
+* refactor: rearrange processor layers ([ea7ef42](https://github.com/semrel-extra/zx-bulk-release/commit/ea7ef42e5632691dfee8705a4f4ef73e0c166979))
+* refactor: align internal publishers contract ([c16b6d8](https://github.com/semrel-extra/zx-bulk-release/commit/c16b6d8d11ade2d5d159936a457c43c0a2989141))
+* refactor: ghFetch helper ([fc3517e](https://github.com/semrel-extra/zx-bulk-release/commit/fc3517e24e12cc28a63d1088d93cecb1114ce5b5))
+* refactor: introduce `attempt` helper ([57f0d06](https://github.com/semrel-extra/zx-bulk-release/commit/57f0d06a093136e57600f2362ab46e16165c9b59))
+
+### Features
+* feat: add secrets masker ([fffea8b](https://github.com/semrel-extra/zx-bulk-release/commit/fffea8bfbebd6155e40f318a9303551ec4ae6e52))
+
+## [2.20.0](https://github.com/semrel-extra/zx-bulk-release/compare/v2.19.1...v2.20.0) (2026-04-05)
+
+### Features
+* feat: support custom ghe urls (#89) ([e33d53c](https://github.com/semrel-extra/zx-bulk-release/commit/e33d53cfe4ac15d8fd66785622d9df428a15d8e6))
+
 ## [2.19.1](https://github.com/semrel-extra/zx-bulk-release/compare/v2.19.0...v2.19.1) (2026-04-05)
 
 ### Fixes & improvements

package/README.md

@@ -1,9 +1,9 @@
 # zx-bulk-release
 > [zx](https://github.com/google/zx)-based alternative for [multi-semantic-release](https://github.com/dhoulb/multi-semantic-release)
 
-[![CI](https://github.com/semrel-extra/zx-bulk-release/workflows/CI/badge.svg)](https://github.com/semrel-extra/zx-bulk-release/actions)
-[![Maintainability](https://api.codeclimate.com/v1/badges/bb94e929b1b6430781b5/maintainability)](https://codeclimate.com/github/semrel-extra/zx-bulk-release/maintainability)
-[![Test Coverage](https://api.codeclimate.com/v1/badges/bb94e929b1b6430781b5/test_coverage)](https://codeclimate.com/github/semrel-extra/zx-bulk-release/test_coverage)
+[![CI](https://github.com/semrel-extra/zx-bulk-release/workflows/CI/badge.svg?branch=master)](https://github.com/semrel-extra/zx-bulk-release/actions)
+[![Maintainability](https://qlty.sh/badges/semrel-extra/zx-bulk-release/maintainability.svg)](https://qlty.sh/gh/semrel-extra/zx-bulk-release)
+[![Test Coverage](https://qlty.sh/badges/semrel-extra/zx-bulk-release/test_coverage.svg)](https://qlty.sh/gh/semrel-extra/zx-bulk-release)
 [![npm (tag)](https://img.shields.io/npm/v/zx-bulk-release)](https://www.npmjs.com/package/zx-bulk-release)
 
 ## Key features
@@ -74,21 +74,55 @@ await run({
 Any [cosmiconfig](https://github.com/davidtheclark/cosmiconfig) compliant format: `.releaserc`, `.release.json`, `.release.yaml`, etc in the package root or in the repo root dir.
 ```json
 {
-  "cmd": "yarn && yarn build && yarn test",
+  "buildCmd": "yarn && yarn build",
+  "testCmd": "yarn test",
   "npmFetch": true,
   "changelog": "changelog",
-  "ghPages": "gh-pages"
+  "ghPages": "gh-pages",
+  "diffTagUrl": "${repoPublicUrl}/compare/${prevTag}...${newTag}",
+  "diffCommitUrl": "${repoPublicUrl}/commit/${hash}"
 }
 ```
 
+#### Command templating
+`buildCmd`, `testCmd` and `publishCmd` support `${{ variable }}` interpolation. The template context includes all `pkg` fields and the release context (`flags`, `git`, `env`, etc):
+```json
+{
+  "buildCmd": "yarn build --pkg=${{name}} --ver=${{version}}",
+  "testCmd": "yarn test --scope=${{name}}",
+  "publishCmd": "echo releasing ${{name}}@${{version}}"
+}
+```
+Available variables include: `name`, `version`, `absPath`, `relPath`, and anything from `pkg.ctx` (e.g. `git.sha`, `git.root`, `flags.*`).
+
+#### Changelog diff URLs
+By default, changelog entries link to GitHub compare/commit pages. Override `diffTagUrl` and `diffCommitUrl` to customize for other platforms (e.g. Gerrit):
+```json
+{
+  "diffTagUrl": "https://gerrit.foo.com/plugins/gitiles/${repoName}/+/refs/tags/${newTag}",
+  "diffCommitUrl": "https://gerrit.foo.com/plugins/gitiles/${repoName}/+/${hash}%5E%21"
+}
+```
+Available variables: `repoName`, `repoPublicUrl`, `prevTag`, `newTag`, `name`, `version`, `hash`, `short`.
+
+#### GitHub Enterprise
+Set `ghUrl` to point to your GHE instance. API URL (`ghApiUrl`) is derived automatically.
+```json
+{
+  "ghUrl": "https://ghe.corp.com"
+}
+```
+Or via env: `GH_URL=https://ghe.corp.com` / `GITHUB_URL=https://ghe.corp.com`.
+
 ### env vars
 ```js
 export const parseEnv = (env = process.env) => {
-  const {GH_USER, GH_USERNAME, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = env
+  const {GH_USER, GH_USERNAME, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, GH_URL, GITHUB_URL, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = env
 
   return {
-    ghUser:             GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME,
+    ghUser:             GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME || 'x-access-token',
     ghToken:            GH_TOKEN || GITHUB_TOKEN,
+    ghUrl:              GH_URL || GITHUB_URL || 'https://github.com',
     npmToken:           NPM_TOKEN,
     // npmConfig suppresses npmToken
     npmConfig:          NPMRC || NPM_USERCONFIG || NPM_CONFIG_USERCONFIG,
@@ -113,62 +147,39 @@ OIDC mode is also auto-detected when `NPM_TOKEN` is not set and `ACTIONS_ID_TOKE
 
 When OIDC is active, `NPM_TOKEN` and `NPMRC` are ignored for publishing and `--provenance` is enabled automatically.
 
+### Selective testing along the change graph
+In a monorepo, `--dry-run` combined with `--no-build` lets you run tests only for packages affected by the current changes — following the dependency graph, without publishing anything. This gives you a precise CI check scoped to what actually changed:
+```shell
+npx zx-bulk-release --dry-run --no-build
+```
+See [antongolub/misc](https://github.com/antongolub/misc) for a real-world example of this pattern.
+
 ## Demo
 * [demo-zx-bulk-release](https://github.com/semrel-extra/demo-zx-bulk-release)
 * [qiwi/pijma](https://github.com/qiwi/pijma)
+* [antongolub/misc](https://github.com/antongolub/misc)
 
 ## Implementation notes
 ### Flow
-```js
-try {
-  const {packages, queue, root} = await topo({cwd, flags})
-  console.log('queue:', queue)
-
-  for (let name of queue) {
-    const pkg = packages[name]
-
-    await analyze(pkg, packages, root)
-
-    if (pkg.changes.length === 0) continue
-
-    await build(pkg, packages)
-
-    if (flags.dryRun) continue
-
-    await publish(pkg)
-  }
-} catch (e) {
-  console.error(e)
-  throw e
-}
 ```
+topo ─► contextify ─► analyze ──► build ──► test ──► publish ─► clean
+         (per pkg)    (per pkg)   (per pkg)  (per pkg) (per pkg)
+```
+[`@semrel-extra/topo`](https://github.com/semrel-extra/topo) resolves the release queue respecting dependency graphs. The graph allows parallel execution where the dependency tree permits; `memoizeBy` prevents duplicate work when a package is reached by multiple paths.
 
-### `topo`
-[Toposort](https://github.com/semrel-extra/topo) is used to resolve the pkg release queue.
-By default, it omits the packages marked as `private`. You can override this by setting the `--include-private` flag.
-
-### `analyze`
-Determines pkg changes, release type, next version etc.
-
-```js
-export const analyze = async (pkg, packages, root) => {
-  pkg.config = await getPkgConfig(pkg.absPath, root.absPath)
-  pkg.latest = await getLatest(pkg)
-
-  const semanticChanges = await getSemanticChanges(pkg.absPath, pkg.latest.tag?.ref)
-  const depsChanges = await updateDeps(pkg, packages)
-  const changes = [...semanticChanges, ...depsChanges]
+By default, packages marked as `private` are omitted. Override with `--include-private`.
 
-  pkg.changes = changes
-  pkg.version = resolvePkgVersion(changes, pkg.latest.tag?.version || pkg.manifest.version)
-  pkg.manifest.version = pkg.version
-
-  console.log(`[${pkg.name}] semantic changes`, changes)
-}
-```
+### Steps
+Each step has a uniform signature `(pkg, ctx)`:
+- **`contextify`** — resolves per-package config, latest release metadata, and git context.
+- **`analyze`** — determines semantic changes, release type, and next version.
+- **`build`** — runs `buildCmd` (with dep traversal and optional npm artifact fetch).
+- **`test`** — runs `testCmd`.
+- **`publish`** — orchestrates the publisher registry: prepare (serial) → run (parallel) → rollback on failure.
+- **`clean`** — restores `package.json` files and unsets git user config.
 
 Set `config.releaseRules` to override the default rules preset:
-```ts
+```js
 [
   {group: 'Features', releaseType: 'minor', prefixes: ['feat']},
   {group: 'Fixes & improvements', releaseType: 'patch', prefixes: ['fix', 'perf', 'refactor', 'docs', 'patch']},
@@ -176,32 +187,16 @@ Set `config.releaseRules` to override the default rules preset:
 ]
 ```
 
-### `build`
-Applies `config.cmd` to build pkg assets: bundles, docs, etc.
-```js
-export const build = async (pkg, packages) => {
-  // ...
-  if (!pkg.fetched && config.cmd) {
-    console.log(`[${pkg.name}] run cmd '${config.cmd}'`)
-    await $.o({cwd: pkg.absPath, quote: v => v})`${config.cmd}`
-  }
-  // ...
-}
-```
+### Publishers
+Publish targets are a registry of `{name, when, prepare?, run, undo?, snapshot?}` objects:
+- **meta** — pushes release metadata to the `meta` branch (or as a GH release asset).
+- **npm** — publishes to the npm registry.
+- **gh-release** — creates a GitHub release with optional file assets.
+- **gh-pages** — pushes docs to a `gh-pages` branch.
+- **changelog** — pushes a changelog entry to a `changelog` branch.
+- **cmd** — runs a custom `publishCmd`.
 
-### `publish`
-Publish the pkg to git, npm, gh-pages, gh-release, etc.
-```js
-export const publish = async (pkg) => {
-  await fs.writeJson(pkg.manifestPath, pkg.manifest, {spaces: 2})
-  await pushTag(pkg)
-  await pushMeta(pkg)
-  await pushChangelog(pkg)
-  await npmPublish(pkg)
-  await ghRelease(pkg)
-  await ghPages(pkg)
-}
-```
+Teardown walks the registry in reverse, calling `undo()` on each publisher for rollback/recovery.
 
 ### Tags
 [Lerna](https://github.com/lerna/lerna) tags (like `@pkg/name@v1.0.0-beta.0`) are suitable for monorepos, but they don’t follow [semver spec](https://semver.org/). Therefore, we propose another contract:

package/package.json

@@ -1,13 +1,13 @@
 {
   "name": "bulk-release",
   "alias": "bulk-release",
-  "version": "2.19.1",
+  "version": "2.21.0",
   "description": "zx-based alternative for multi-semantic-release",
   "type": "module",
   "exports": {
     ".": "./src/main/js/index.js",
     "./test-utils": "./src/test/js/test-utils.js",
-    "./meta": "./src/main/js/meta.js"
+    "./meta": "./src/main/js/processor/generators/meta.js"
   },
   "bin": "./src/main/js/cli.js",
   "files": [
@@ -35,7 +35,7 @@
     "c8": "^11.0.0",
     "esbuild": "^0.28.0",
     "uvu": "^0.5.6",
-    "verdaccio": "6.3.2"
+    "verdaccio": "6.4.0"
   },
   "publishConfig": {
     "access": "public"

package/src/main/js/config.js

@@ -58,10 +58,18 @@ export const normalizeMetaConfig = (meta) =>
         ? { type: meta } // 'commit' | 'asset' | 'tag'
         : { type: null }
 
-export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = process.env) =>
-  ({
+export const GH_URL = 'https://github.com'
+
+const resolveGhApiUrl = (ghUrl) =>
+  ghUrl === GH_URL ? 'https://api.github.com' : `${ghUrl.replace(/\/$/, '')}/api/v3`
+
+export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GH_URL: _GH_URL, GITHUB_URL, GITHUB_USER, GITHUB_USERNAME, GH_TOKEN, GITHUB_TOKEN, NPM_TOKEN, NPM_REGISTRY, NPMRC, NPM_USERCONFIG, NPM_CONFIG_USERCONFIG, NPM_PROVENANCE, NPM_OIDC, ACTIONS_ID_TOKEN_REQUEST_URL, GIT_COMMITTER_NAME, GIT_COMMITTER_EMAIL} = process.env) => {
+  const ghUrl = _GH_URL || GITHUB_URL || GH_URL
+  return {
     ghUser:             GH_USER || GH_USERNAME || GITHUB_USER || GITHUB_USERNAME || ((GH_TOKEN || GITHUB_TOKEN) ? 'x-access-token' : undefined),
     ghToken:            GH_TOKEN || GITHUB_TOKEN,
+    ghUrl,
+    ghApiUrl:           resolveGhApiUrl(ghUrl),
     ghMeta:             GH_META,
     npmConfig:          NPMRC || NPM_USERCONFIG || NPM_CONFIG_USERCONFIG,
     npmToken:           NPM_TOKEN,
@@ -70,6 +78,7 @@ export const parseEnv = ({GH_USER, GH_USERNAME, GH_META, GITHUB_USER, GITHUB_USE
     npmRegistry:        NPM_REGISTRY || 'https://registry.npmjs.org',
     gitCommitterName:   GIT_COMMITTER_NAME || 'Semrel Extra Bot',
     gitCommitterEmail:  GIT_COMMITTER_EMAIL || 'semrel-extra-bot@hotmail.com',
-  })
+  }
+}
 
 export const normalizeFlags = (flags = {}) => Object.entries(flags).reduce((acc, [k, v]) => ({...acc, [camelize(k)]: v}), {})

package/src/main/js/index.js

@@ -1,7 +1 @@
-import process from 'node:process'
-import { $ } from 'zx-extra'
-
-$.quiet = !process.env.DEBUG
-$.verbose = !!process.env.DEBUG
-
 export {run} from './processor/release.js'

package/src/main/js/processor/api/gh.js

@@ -0,0 +1,111 @@
+// Low-level GitHub API primitives. No domain knowledge, no imports from processor/ or steps/.
+
+import {$, path, tempy, glob, fs, fetch} from 'zx-extra'
+import {asArray, attempt2} from '../../util.js'
+
+export const getCommonPath = files => {
+  const f0 = files[0]
+  const common = files.length === 1
+    ? f0.lastIndexOf('/') + 1
+    : [...f0].findIndex((c, i) => files.some(f => f.charAt(i) !== c))
+  const p = f0.slice(0, common)
+  return p.endsWith('/') ? p : p.slice(0, p.lastIndexOf('/') + 1)
+}
+
+export const GH_API_VERSION = '2022-11-28'
+export const GH_ACCEPT = 'application/vnd.github.v3+json'
+
+export const ghFetch = (url, {ghToken, method = 'GET', headers, body} = {}) => fetch(url, {
+  method,
+  headers: {
+    Accept: GH_ACCEPT,
+    'X-GitHub-Api-Version': GH_API_VERSION,
+    ...(ghToken ? {Authorization: `token ${ghToken}`} : {}),
+    ...headers,
+  },
+  body,
+})
+
+// https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#create-a-release
+export const ghCreateRelease = async ({ghApiUrl, ghToken, repoName, tag, body}) => {
+  const res = await (await ghFetch(`${ghApiUrl}/repos/${repoName}/releases`, {
+    ghToken,
+    method: 'POST',
+    body: JSON.stringify({name: tag, tag_name: tag, body}),
+  })).json()
+
+  if (!res.upload_url) {
+    throw new Error(`gh release failed: ${JSON.stringify(res)}`)
+  }
+  return res
+}
+
+// https://docs.github.com/en/rest/releases/releases?apiVersion=2022-11-28#delete-a-release
+export const ghDeleteReleaseByTag = async ({ghApiUrl, ghToken, repoName, tag}) => {
+  const res = await attempt2(() => ghFetch(`${ghApiUrl}/repos/${repoName}/releases/tags/${tag}`, {ghToken}))
+  if (!res.ok) return false
+  const {id} = await res.json()
+  await attempt2(() => ghFetch(`${ghApiUrl}/repos/${repoName}/releases/${id}`, {ghToken, method: 'DELETE'}))
+  return true
+}
+
+// https://docs.github.com/en/rest/releases/assets?apiVersion=2022-11-28#upload-a-release-asset
+export const ghPrepareAssets = async (assets, _cwd) => {
+  const temp = tempy.temporaryDirectory()
+
+  await Promise.all(assets.map(async ({name, contents, source = 'target/**/*', zip, cwd = _cwd, strip = true}) => {
+    const target = path.join(temp, name)
+
+    if (contents) {
+      await fs.outputFile(target, contents, 'utf8')
+      return
+    }
+
+    const patterns = asArray(source)
+    if (patterns.some(s => s.includes('*'))) {
+      zip = true
+    }
+    const files = await glob(patterns, {cwd, absolute: false, onlyFiles: true})
+
+    if (files.length === 0) {
+      throw new Error(`gh asset not found: ${name} ${source}`)
+    }
+
+    if (!zip && files.length === 1) {
+      await fs.copy(path.join(cwd, files[0]), target)
+      return
+    }
+    const prefix = getCommonPath(files)
+
+    return $.raw`tar -C ${path.join(cwd, prefix)} -cv${zip ? 'z' : ''}f ${target} ${files.map(f => f.slice(prefix.length)).join(' ')}`
+  }))
+
+  return temp
+}
+
+export const ghUploadAssets = async ({ghToken, ghAssets, uploadUrl, cwd}) => {
+  const temp = await ghPrepareAssets(ghAssets, cwd)
+
+  return Promise.all(ghAssets.map(async ({name}) => {
+    const url = `${uploadUrl}?name=${name}`
+    const res = await ghFetch(url, {
+      ghToken,
+      method: 'POST',
+      headers: {'Content-Type': 'application/octet-stream'},
+      body: await fs.readFile(path.join(temp, name)),
+    })
+    if (!res.ok) {
+      throw new Error(`gh asset upload failed for '${name}': ${res.status}`)
+    }
+    return res
+  }))
+}
+
+export const ghGetAsset = async ({repoName, tag, name, ghUrl}) => {
+  const url = `${ghUrl || 'https://github.com'}/${repoName}/releases/download/${tag.ref || tag}/${name}`
+  const res = await attempt2(() => fetch(url))
+  if (!res.ok) {
+    throw new Error(`gh asset fetch failed for '${name}': ${res.status} ${url}`)
+  }
+  return res.text()
+}

package/src/main/js/{api → processor/api}/git.js

@@ -1,6 +1,6 @@
 import {$, fs, path, tempy, copy} from 'zx-extra'
 import {log} from '../log.js'
-import {memoizeBy} from '../util.js'
+import {attempt2, attempt3, memoizeBy} from '../../util.js'
 
 export const fetchRepo = memoizeBy(async ({cwd: _cwd, branch, origin: _origin, basicAuth}) => {
   const origin = _origin || (await getRepo(_cwd, {basicAuth})).repoAuthedUrl
@@ -9,7 +9,7 @@ export const fetchRepo = memoizeBy(async ({cwd: _cwd, branch, origin: _origin, b
   try {
     await _$`git clone --single-branch --branch ${branch} --depth 1 ${origin} .`
   } catch (e) {
-    log({level: 'warn'})(`ref '${branch}' does not exist in ${origin}`)
+    log.warn(`ref '${branch}' does not exist in ${origin}`)
     await _$`git init . &&
             git remote add origin ${origin}`
   }
@@ -18,8 +18,6 @@ export const fetchRepo = memoizeBy(async ({cwd: _cwd, branch, origin: _origin, b
 }, async ({cwd, branch}) => `${await getRoot(cwd)}:${branch}`)
 
 export const pushCommit = async ({cwd, from, to, branch, origin, msg, ignoreFiles, files = [], basicAuth, gitCommitterEmail, gitCommitterName}) => {
-  let retries = 3
-
   const _cwd = await fetchRepo({cwd, branch, origin, basicAuth})
   const _$ = $({cwd: _cwd})
 
@@ -34,31 +32,24 @@ export const pushCommit = async ({cwd, from, to, branch, origin, msg, ignoreFile
     await _$`git add . &&
             git commit -m ${msg}`
   } catch {
-    log({level: 'warn'})(`no changes to commit to ${branch}`)
+    log.warn(`no changes to commit to ${branch}`)
     return
   }
 
-  while (retries > 0) {
-    try {
-      return await _$`git push origin HEAD:refs/heads/${branch}`
-    } catch (e) {
-      retries -= 1
-      log({level: 'error'})('git push failed', 'branch', branch, 'retries left', retries, e)
-
-      if (retries === 0) {
-        throw e
-      }
-
-      await _$`git fetch origin ${branch} &&
-              git rebase origin/${branch}`
+  return attempt3(
+    () => _$`git push origin HEAD:refs/heads/${branch}`,
+    (e) => {
+      log.warn('git push failed, rebasing', 'branch', branch, e)
+      return attempt2(() => _$`git fetch origin ${branch} &&
+              git rebase origin/${branch}`)
     }
-  }
+  )
 }
 
-export const getSha = async (cwd) => (await $({cwd})`git rev-parse HEAD`).toString().trim()
-
 export const getRoot = memoizeBy(async (cwd) => (await $({cwd})`git rev-parse --show-toplevel`).toString().trim())
 
+export const getSha = memoizeBy(async (cwd) => (await $({cwd})`git rev-parse HEAD`).toString().trim(), getRoot)
+
 export const parseOrigin = (originUrl) => {
   const [, , repoHost, repoName] = originUrl.replace(':', '/').replace(/\.git/, '').match(/.+(@|\/\/)([^/]+)\/(.+)$/) || []
 
@@ -102,10 +93,10 @@ export const getCommits = async (cwd, from, to = 'HEAD') => {
     })
 }
 
-export const getTags = async (cwd, ref) =>
-  (await $({cwd})`git tag -l ${ref || '*'}`)
-    .toString()
-    .split('\n')
+export const getTags = memoizeBy(
+  async (cwd, ref = '*') => (await $({cwd})`git tag -l ${ref}`).toString().split('\n'),
+  async (cwd, ref = '*') => `${await getRoot(cwd)}:${ref}`,
+)
 
 export const pushTag = async ({cwd, tag, gitCommitterName, gitCommitterEmail}) => {
   await setUserConfig(cwd, gitCommitterName, gitCommitterEmail)
@@ -119,7 +110,7 @@ export const fetchTags = async (cwd) =>
   $({cwd})`git fetch --tags`
 
 export const deleteRemoteTag = async ({cwd, tag}) => {
-  log()(`rolling back remote tag '${tag}'`)
+  log.info(`rolling back remote tag '${tag}'`)
   await $({cwd, nothrow: true})`git push origin :refs/tags/${tag}`
   await $({cwd, nothrow: true})`git tag -d ${tag}`
 }

package/src/main/js/{api → processor/api}/npm.js

@@ -1,6 +1,15 @@
+import zlib from 'node:zlib'
+import _fs from 'node:fs/promises'
+import _path from 'node:path'
+import tar from 'tar-stream'
+import {Readable} from 'node:stream'
 import {log} from '../log.js'
-import {$, fs, INI, fetch, tempy} from 'zx-extra'
-import {pipify, unzip} from '../util.js'
+import {$, semver, fs, INI, fetch, tempy} from 'zx-extra'
+import {attempt2, memoizeBy} from '../../util.js'
+
+const FETCH_TIMEOUT_MS = 15_000
+const NPM_OIDC_VER = '11.5.0'
+const NPM_VER = (await $`npm --version`).toString().trim()
 
 // https://stackoverflow.com/questions/19978452/how-to-extract-single-file-from-tar-gz-archive-using-node-js
 
@@ -14,17 +23,16 @@ export const fetchPkg = async (pkg) => {
     const tarballUrl = getTarballUrl(npmRegistry, pkg.name, pkg.version)
     const bearerToken = getBearerToken(npmRegistry, npmToken, npmConfig)
     const headers = bearerToken ? {Authorization: bearerToken} : {}
-    log({pkg})(`fetching '${id}' from ${npmRegistry}`)
+    log.info(`fetching '${id}' from ${npmRegistry}`)
 
-    // https://stackoverflow.com/questions/46946380/fetch-api-request-timeout
-    const controller = new AbortController()
-    const timeoutId = setTimeout(() => controller.abort(), 15_000)
-    const tarball = await fetch(tarballUrl, {
+    const ac = new AbortController()
+    const timer = setTimeout(() => ac.abort(), FETCH_TIMEOUT_MS)
+    const tarball = await attempt2(() => fetch(tarballUrl, {
       method: 'GET',
       headers,
-      signal: controller.signal
-    })
-    clearTimeout(timeoutId)
+      signal: ac.signal,
+    }))
+    clearTimeout(timer)
 
     if (!tarball.ok) {
       throw new Error(`registry responded with ${tarball.status} for ${tarballUrl}`)
@@ -32,10 +40,10 @@ export const fetchPkg = async (pkg) => {
 
     await unzip(pipify(tarball.body), {cwd, strip: 1, omit: ['package.json']})
 
-    log({pkg})(`fetch duration '${id}': ${Date.now() - now}`)
+    log.info(`fetch duration '${id}': ${Date.now() - now}`)
     pkg.fetched = true
   } catch (e) {
-    log({pkg, level: 'warn'})(`fetching '${id}' failed`, e)
+    log.warn(`fetching '${id}' failed`, e)
   }
 }
 
@@ -46,8 +54,8 @@ export const fetchManifest = async (pkg, {nothrow} = {}) => {
   const reqOpts = bearerToken ? {headers: {authorization: bearerToken}} : {}
 
   try {
-    const res = await fetch(url, reqOpts)
-    if (!res.ok) throw res
+    const res = await attempt2(() => fetch(url, reqOpts))
+    if (!res.ok) throw new Error(`npm registry responded with ${res.status} for ${url}`)
 
     return res.json() // NOTE .json() is async too
   } catch (e) {
@@ -58,13 +66,13 @@ export const fetchManifest = async (pkg, {nothrow} = {}) => {
 
 export const npmPersist = async (pkg) => {
   const {name, version, manifest, manifestAbsPath} = pkg
-  log({pkg})(`updating ${manifestAbsPath} inners: ${name} ${version}`)
+  log.info(`updating ${manifestAbsPath} inners: ${name} ${version}`)
   await fs.writeJson(manifestAbsPath, manifest, {spaces: 2})
 }
 
 export const npmRestore = async (pkg) => {
   const {manifestRaw, manifestAbsPath} = pkg
-  log({pkg})(`rolling back ${manifestAbsPath} inners to manifestRaw`)
+  log.info(`rolling back ${manifestAbsPath} inners to manifestRaw`)
   await fs.writeFile(manifestAbsPath, manifestRaw, {encoding: 'utf8'})
 }
 
@@ -73,7 +81,7 @@ export const npmPublish = async (pkg) => {
 
   if (manifest.private || npmPublish === false) return
 
-  log({pkg})(`publishing npm package ${name} ${version} to ${npmRegistry}`)
+  log.info(`publishing npm package ${name} ${version} to ${npmRegistry}`)
 
   const npmTag = pkg.preversion ? 'snapshot' : 'latest'
   const npmFlags = [
@@ -86,12 +94,10 @@ export const npmPublish = async (pkg) => {
   // OIDC trusted publishing: no auth token must be present for npm to use OIDC flow.
   // https://docs.npmjs.com/trusted-publishers/
   if (npmOidc) {
-    const npmVersion = (await $`npm --version`).toString().trim()
-    const [major, minor] = npmVersion.split('.').map(Number)
-    if (major < 11 || (major === 11 && minor < 5)) {
-      throw new Error(`npm OIDC trusted publishing requires npm >= 11.5.0, got ${npmVersion}`)
+    if (!semver.gte(NPM_VER, NPM_OIDC_VER)) {
+      throw new Error(`npm OIDC trusted publishing requires npm >= ${NPM_OIDC_VER}, got ${NPM_VER}`)
     }
-    log({pkg})('npm publish: OIDC trusted publishing enabled')
+    log.info('npm publish: OIDC trusted publishing enabled')
     npmFlags.push('--provenance')
   } else {
     const npmrc = await getNpmrc({npmConfig, npmToken, npmRegistry})
@@ -102,16 +108,14 @@ export const npmPublish = async (pkg) => {
   await $({cwd})`npm publish ${npmFlags.filter(Boolean)}`
 }
 
-export const getNpmrc = async ({npmConfig, npmToken, npmRegistry}) => {
-  if (npmConfig) {
-    return npmConfig
-  }
+export const getNpmrc = memoizeBy(async ({npmConfig, npmToken, npmRegistry}) => {
+  if (npmConfig) return npmConfig
 
-  const npmrc =  tempy.temporaryFile({name: '.npmrc'})
+  const npmrc = tempy.temporaryFile({name: '.npmrc'})
   await fs.writeFile(npmrc, `${npmRegistry.replace(/^https?:\/\//, '//')}/:_authToken=${npmToken}`, {encoding: 'utf8'})
 
   return npmrc
-}
+}, ({npmConfig, npmToken, npmRegistry}) => `${npmConfig}:${npmToken}:${npmRegistry}`)
 
 // $`npm view ${name}@${version} dist.tarball`
 export const getTarballUrl = (registry, name, version) => `${registry}/${name}/-/${name.replace(/^.+(%2f|\/)/,'')}-${version}.tgz`
@@ -128,3 +132,41 @@ export const getBearerToken = (npmRegistry, npmToken, npmConfig) => {
 // NOTE registry-auth-token does not work with localhost:4873
 export const getAuthToken = (registry, npmrc) =>
   (Object.entries(npmrc).find(([reg]) => reg.startsWith(registry.replace(/^https?/, ''))) || [])[1]
+
+const pipify = (stream) => stream.pipe ? stream : Readable.from(stream)
+
+const safePath = v => _path.resolve('/', v).slice(1)
+
+const unzip = (stream, {pick, omit, cwd = process.cwd(), strip = 0} = {}) => new Promise((resolve, reject) => {
+  const extract = tar.extract()
+  const results = []
+
+  extract.on('entry', ({name, type}, stream, cb) => {
+    const _name = safePath(strip ? name.split('/').slice(strip).join('/') : name)
+    const fp = _path.join(cwd, _name)
+
+    let data = ''
+    stream.on('data', (chunk) => {
+      if (type !== 'file' || omit?.includes(_name) || (pick && !pick.includes(_name))) return
+      data += chunk
+    })
+
+    stream.on('end', () => {
+      if (data) {
+        results.push(
+          _fs.mkdir(_path.dirname(fp), {recursive: true})
+            .then(() => _fs.writeFile(fp, data, 'utf8'))
+        )
+      }
+      cb()
+    })
+
+    stream.resume()
+  })
+
+  extract.on('finish', () => resolve(Promise.all(results)))
+
+  stream
+    .pipe(zlib.createGunzip())
+    .pipe(extract)
+})