bulk-release 2.20.0 → 2.21.1

package/src/main/js/{api → processor/api}/npm.js

@@ -1,6 +1,15 @@
+import zlib from 'node:zlib'
+import _fs from 'node:fs/promises'
+import _path from 'node:path'
+import tar from 'tar-stream'
+import {Readable} from 'node:stream'
 import {log} from '../log.js'
-import {$, fs, INI, fetch, tempy} from 'zx-extra'
-import {pipify, unzip} from '../util.js'
+import {$, semver, fs, INI, fetch, tempy} from 'zx-extra'
+import {attempt2, memoizeBy} from '../../util.js'
+
+const FETCH_TIMEOUT_MS = 15_000
+const NPM_OIDC_VER = '11.5.0'
+const NPM_VER = (await $`npm --version`).toString().trim()
 
 // https://stackoverflow.com/questions/19978452/how-to-extract-single-file-from-tar-gz-archive-using-node-js
 
@@ -14,17 +23,16 @@ export const fetchPkg = async (pkg) => {
     const tarballUrl = getTarballUrl(npmRegistry, pkg.name, pkg.version)
     const bearerToken = getBearerToken(npmRegistry, npmToken, npmConfig)
     const headers = bearerToken ? {Authorization: bearerToken} : {}
-    log({pkg})(`fetching '${id}' from ${npmRegistry}`)
+    log.info(`fetching '${id}' from ${npmRegistry}`)
 
-    // https://stackoverflow.com/questions/46946380/fetch-api-request-timeout
-    const controller = new AbortController()
-    const timeoutId = setTimeout(() => controller.abort(), 15_000)
-    const tarball = await fetch(tarballUrl, {
+    const ac = new AbortController()
+    const timer = setTimeout(() => ac.abort(), FETCH_TIMEOUT_MS)
+    const tarball = await attempt2(() => fetch(tarballUrl, {
       method: 'GET',
       headers,
-      signal: controller.signal
-    })
-    clearTimeout(timeoutId)
+      signal: ac.signal,
+    }))
+    clearTimeout(timer)
 
     if (!tarball.ok) {
       throw new Error(`registry responded with ${tarball.status} for ${tarballUrl}`)
@@ -32,10 +40,10 @@ export const fetchPkg = async (pkg) => {
 
     await unzip(pipify(tarball.body), {cwd, strip: 1, omit: ['package.json']})
 
-    log({pkg})(`fetch duration '${id}': ${Date.now() - now}`)
+    log.info(`fetch duration '${id}': ${Date.now() - now}`)
     pkg.fetched = true
   } catch (e) {
-    log({pkg, level: 'warn'})(`fetching '${id}' failed`, e)
+    log.warn(`fetching '${id}' failed`, e)
   }
 }
 
@@ -46,8 +54,8 @@ export const fetchManifest = async (pkg, {nothrow} = {}) => {
   const reqOpts = bearerToken ? {headers: {authorization: bearerToken}} : {}
 
   try {
-    const res = await fetch(url, reqOpts)
-    if (!res.ok) throw res
+    const res = await attempt2(() => fetch(url, reqOpts))
+    if (!res.ok) throw new Error(`npm registry responded with ${res.status} for ${url}`)
 
     return res.json() // NOTE .json() is async too
   } catch (e) {
@@ -58,13 +66,13 @@ export const fetchManifest = async (pkg, {nothrow} = {}) => {
 
 export const npmPersist = async (pkg) => {
   const {name, version, manifest, manifestAbsPath} = pkg
-  log({pkg})(`updating ${manifestAbsPath} inners: ${name} ${version}`)
+  log.info(`updating ${manifestAbsPath} inners: ${name} ${version}`)
   await fs.writeJson(manifestAbsPath, manifest, {spaces: 2})
 }
 
 export const npmRestore = async (pkg) => {
   const {manifestRaw, manifestAbsPath} = pkg
-  log({pkg})(`rolling back ${manifestAbsPath} inners to manifestRaw`)
+  log.info(`rolling back ${manifestAbsPath} inners to manifestRaw`)
   await fs.writeFile(manifestAbsPath, manifestRaw, {encoding: 'utf8'})
 }
 
@@ -73,7 +81,7 @@ export const npmPublish = async (pkg) => {
 
   if (manifest.private || npmPublish === false) return
 
-  log({pkg})(`publishing npm package ${name} ${version} to ${npmRegistry}`)
+  log.info(`publishing npm package ${name} ${version} to ${npmRegistry}`)
 
   const npmTag = pkg.preversion ? 'snapshot' : 'latest'
   const npmFlags = [
@@ -86,12 +94,10 @@ export const npmPublish = async (pkg) => {
   // OIDC trusted publishing: no auth token must be present for npm to use OIDC flow.
   // https://docs.npmjs.com/trusted-publishers/
   if (npmOidc) {
-    const npmVersion = (await $`npm --version`).toString().trim()
-    const [major, minor] = npmVersion.split('.').map(Number)
-    if (major < 11 || (major === 11 && minor < 5)) {
-      throw new Error(`npm OIDC trusted publishing requires npm >= 11.5.0, got ${npmVersion}`)
+    if (!semver.gte(NPM_VER, NPM_OIDC_VER)) {
+      throw new Error(`npm OIDC trusted publishing requires npm >= ${NPM_OIDC_VER}, got ${NPM_VER}`)
     }
-    log({pkg})('npm publish: OIDC trusted publishing enabled')
+    log.info('npm publish: OIDC trusted publishing enabled')
     npmFlags.push('--provenance')
   } else {
     const npmrc = await getNpmrc({npmConfig, npmToken, npmRegistry})
@@ -102,16 +108,14 @@ export const npmPublish = async (pkg) => {
   await $({cwd})`npm publish ${npmFlags.filter(Boolean)}`
 }
 
-export const getNpmrc = async ({npmConfig, npmToken, npmRegistry}) => {
-  if (npmConfig) {
-    return npmConfig
-  }
+export const getNpmrc = memoizeBy(async ({npmConfig, npmToken, npmRegistry}) => {
+  if (npmConfig) return npmConfig
 
-  const npmrc =  tempy.temporaryFile({name: '.npmrc'})
+  const npmrc = tempy.temporaryFile({name: '.npmrc'})
   await fs.writeFile(npmrc, `${npmRegistry.replace(/^https?:\/\//, '//')}/:_authToken=${npmToken}`, {encoding: 'utf8'})
 
   return npmrc
-}
+}, ({npmConfig, npmToken, npmRegistry}) => `${npmConfig}:${npmToken}:${npmRegistry}`)
 
 // $`npm view ${name}@${version} dist.tarball`
 export const getTarballUrl = (registry, name, version) => `${registry}/${name}/-/${name.replace(/^.+(%2f|\/)/,'')}-${version}.tgz`
@@ -128,3 +132,41 @@ export const getBearerToken = (npmRegistry, npmToken, npmConfig) => {
 // NOTE registry-auth-token does not work with localhost:4873
 export const getAuthToken = (registry, npmrc) =>
   (Object.entries(npmrc).find(([reg]) => reg.startsWith(registry.replace(/^https?/, ''))) || [])[1]
+
+const pipify = (stream) => stream.pipe ? stream : Readable.from(stream)
+
+const safePath = v => _path.resolve('/', v).slice(1)
+
+const unzip = (stream, {pick, omit, cwd = process.cwd(), strip = 0} = {}) => new Promise((resolve, reject) => {
+  const extract = tar.extract()
+  const results = []
+
+  extract.on('entry', ({name, type}, stream, cb) => {
+    const _name = safePath(strip ? name.split('/').slice(strip).join('/') : name)
+    const fp = _path.join(cwd, _name)
+
+    let data = ''
+    stream.on('data', (chunk) => {
+      if (type !== 'file' || omit?.includes(_name) || (pick && !pick.includes(_name))) return
+      data += chunk
+    })
+
+    stream.on('end', () => {
+      if (data) {
+        results.push(
+          _fs.mkdir(_path.dirname(fp), {recursive: true})
+            .then(() => _fs.writeFile(fp, data, 'utf8'))
+        )
+      }
+      cb()
+    })
+
+    stream.resume()
+  })
+
+  extract.on('finish', () => resolve(Promise.all(results)))
+
+  stream
+    .pipe(zlib.createGunzip())
+    .pipe(extract)
+})

package/src/main/js/processor/deps.js

@@ -5,7 +5,7 @@ export {traverseQueue, traverseDeps} from '@semrel-extra/topo'
 
 export const updateDeps = async (pkg) => {
   const changes = []
-  const {context: {packages}} = pkg
+  const {packages} = pkg.ctx
 
   await traverseDeps({pkg, packages, cb: async ({name, version, deps, scope, pkg: dep}) => {
     const prev = pkg.latest.meta?.[scope]?.[name]

package/src/main/js/processor/exec.js

@@ -1,16 +1,16 @@
 import {tpl} from '../util.js'
-import {log} from '../log.js'
+import {log} from './log.js'
 import {$} from 'zx-extra'
 
 export const exec = async (pkg, name) => {
-  const cmd = tpl(pkg.context.flags[name] ?? pkg.config[name], {...pkg, ...pkg.context})
+  const cmd = tpl(pkg.ctx.flags[name] ?? pkg.config[name], {...pkg, ...pkg.ctx})
   const now = Date.now()
 
   if (cmd) {
-    log({pkg})(`run ${name} '${cmd}'`)
+    log.info(`run ${name} '${cmd}'`)
     const result = await $({cwd: pkg.absPath, quote: v => v, preferLocal: true})`${cmd}`
 
-    log({pkg})(`duration ${name}: ${Date.now() - now}`)
+    log.info(`duration ${name}: ${Date.now() - now}`)
     return result
   }
 }

package/src/main/js/processor/generators/meta.js

@@ -0,0 +1,80 @@
+// Meta generator: builds pkg.meta payload and resolves latest-release meta from git tags / gh assets / meta branch.
+
+import {semver, $, fs, path} from 'zx-extra'
+import {fetchRepo, getTags as getGitTags, getRepo} from '../api/git.js'
+import {fetchManifest} from '../api/npm.js'
+import {ghGetAsset} from '../api/gh.js'
+import {parseTag} from './tag.js'
+
+export const isAssetMode = (type) => type === 'asset' || type === 'assets'
+
+// Build pkg.meta and, in asset mode, inject a meta.json entry into pkg.config.ghAssets.
+// Runs in the prepare phase — serial, before any publisher.run() — so the asset mutation
+// is guaranteed visible to gh-release.
+export const prepareMeta = async (pkg) => {
+  const {type} = pkg.config.meta
+  if (type === null) return
+
+  const {absPath: cwd} = pkg
+  const hash = (await $.o({cwd})`git rev-parse HEAD`).toString().trim()
+  pkg.meta = {
+    META_VERSION: '1',
+    hash,
+    name: pkg.name,
+    version: pkg.version,
+    dependencies: pkg.dependencies,
+    devDependencies: pkg.devDependencies,
+    peerDependencies: pkg.peerDependencies,
+    optionalDependencies: pkg.optionalDependencies,
+  }
+
+  if (isAssetMode(type)) {
+    pkg.config.ghAssets = [...pkg.config.ghAssets || [], {
+      name: 'meta.json',
+      contents: JSON.stringify(pkg.meta, null, 2),
+    }]
+  }
+}
+
+export const getLatest = async (pkg) => {
+  const {absPath: cwd, name} = pkg
+  const tag = await getLatestTag(cwd, name)
+  const meta = await getLatestMeta(pkg, tag)
+
+  return {tag, meta}
+}
+
+export const getTags = async (cwd, ref) =>
+  (await getGitTags(cwd, ref))
+    .map(tag => parseTag(tag.trim()))
+    .filter(Boolean)
+    .sort((a, b) => semver.rcompare(a.version, b.version))
+
+export const getLatestTag = async (cwd, name) =>
+  (await getTags(cwd)).find(tag => tag.name === name)
+
+export const getLatestTaggedVersion = async (cwd, name) =>
+  (await getLatestTag(cwd, name))?.version || undefined
+
+export const getArtifactPath = (tag) => tag.toLowerCase().replace(/[^a-z0-9-]/g, '-')
+
+export const getLatestMeta = async (pkg, tag) => {
+  if (tag) {
+    const {absPath: cwd, config: {ghBasicAuth: basicAuth, ghUrl}} = pkg
+    const {repoName} = await getRepo(cwd, {basicAuth})
+
+    try {
+      return JSON.parse(await ghGetAsset({repoName, tag, name: 'meta.json', ghUrl}))
+    } catch {}
+
+    try {
+      const _cwd = await fetchRepo({cwd, branch: 'meta', basicAuth})
+      return await Promise.any([
+        fs.readJson(path.resolve(_cwd, `${getArtifactPath(tag)}.json`)),
+        fs.readJson(path.resolve(_cwd, getArtifactPath(tag), 'meta.json'))
+      ])
+    } catch {}
+  }
+
+  return fetchManifest(pkg, {nothrow: true})
+}

package/src/main/js/{api/changelog.js → processor/generators/notes.js}

@@ -1,25 +1,7 @@
-import {$} from 'zx-extra'
-import {queuefy} from 'queuefy'
-import {fetchRepo, getRepo, pushCommit} from './git.js'
-import {log} from '../log.js'
-import {formatTag} from '../processor/meta.js'
-import {msgJoin} from '../util.js'
+// Release notes formatting. Pure except for a single getRepo() call to resolve repoPublicUrl.
 
-export const pushChangelog = queuefy(async (pkg) => {
-  const {absPath: cwd, config: {changelog: opts, gitCommitterEmail, gitCommitterName, ghBasicAuth: basicAuth}} = pkg
-  if (!opts) return
-
-  log({pkg})('push changelog')
-  const [branch = 'changelog', file = `${pkg.name.replace(/[^a-z0-9-]/ig, '')}-changelog.md`, ..._msg] = typeof opts === 'string'
-    ? opts.split(' ')
-    : [opts.branch, opts.file, opts.msg]
-  const _cwd = await fetchRepo({cwd, branch, basicAuth})
-  const msg = msgJoin(_msg, pkg, 'chore: update changelog ${{name}}')
-  const releaseNotes = await formatReleaseNotes(pkg)
-
-  await $({cwd: _cwd})`echo ${releaseNotes}"\n$(cat ./${file})" > ./${file}`
-  await pushCommit({cwd, branch, msg, gitCommitterEmail, gitCommitterName, basicAuth})
-})
+import {getRepo} from '../api/git.js'
+import {formatTag} from './tag.js'
 
 export const DIFF_TAG_URL = '${repoPublicUrl}/compare/${prevTag}...${newTag}'
 export const DIFF_COMMIT_URL = '${repoPublicUrl}/commit/${hash}'

package/src/main/js/processor/{meta.js → generators/tag.js}

@@ -1,78 +1,7 @@
-// Semantic tags processing
+// Pure tag parsing/formatting. No IO, no side effects.
 
 import {Buffer} from 'node:buffer'
-import {queuefy} from 'queuefy'
-import {semver, $, fs, path} from 'zx-extra'
-import {log} from '../log.js'
-import {fetchRepo, pushCommit, getTags as getGitTags, pushTag, getRepo} from '../api/git.js'
-import {fetchManifest} from '../api/npm.js'
-import {ghGetAsset} from '../api/gh.js'
-
-export const pushReleaseTag = async (pkg) => {
-  const {name, version, tag = formatTag({name, version}), config: {gitCommitterEmail, gitCommitterName}} = pkg
-  const cwd = pkg.context.git.root
-
-  pkg.context.git.tag = tag
-  log({pkg})(`push release tag ${tag}`)
-
-  await pushTag({cwd, tag, gitCommitterEmail, gitCommitterName})
-}
-
-export const prepareMeta = async (pkg) => {
-  const {absPath: cwd} = pkg
-  const hash = (await $.o({cwd})`git rev-parse HEAD`).toString().trim()
-  pkg.meta = {
-    META_VERSION: '1',
-    hash,
-    name: pkg.name,
-    version: pkg.version,
-    dependencies: pkg.dependencies,
-    devDependencies: pkg.devDependencies,
-    peerDependencies: pkg.peerDependencies,
-    optionalDependencies: pkg.optionalDependencies,
-  }
-}
-
-export const pushMeta = queuefy(async (pkg) => {
-  const {type} = pkg.config.meta
-
-  if (type === null) {
-    return
-  }
-
-  if (!pkg.meta) {
-    await prepareMeta(pkg)
-  }
-
-  if (type === 'asset' || type === 'assets') {
-    pkg.config.ghAssets = [...pkg.config.ghAssets || [], {
-      name: 'meta.json',
-      contents: JSON.stringify(pkg.meta, null, 2)
-    }]
-    return
-  }
-
-  log({pkg})('push artifact to branch \'meta\'')
-
-  const {name, version, meta, tag = formatTag({name, version}), absPath: cwd, config: {gitCommitterEmail, gitCommitterName, ghBasicAuth: basicAuth}} = pkg
-  const to = '.'
-  const branch = 'meta'
-  const msg = `chore: release meta ${name} ${version}`
-  const files = [{relpath: `${getArtifactPath(tag)}.json`, contents: meta}]
-
-  await pushCommit({cwd, to, branch, msg, files, gitCommitterEmail, gitCommitterName, basicAuth})
-})
-
-export const getLatest = async (pkg) => {
-  const {absPath: cwd, name } = pkg
-  const tag = await getLatestTag(cwd, name)
-  const meta = await getLatestMeta(pkg, tag)
-
-  return {
-    tag,
-    meta
-  }
-}
+import {semver} from 'zx-extra'
 
 const isSafeName = n => /^(@?[a-z0-9-]+\/)?[a-z0-9-]+$/.test(n)
 
@@ -197,41 +126,6 @@ export const parseTag = (tag) => f0.parse(tag) || f1.parse(tag) || lerna.parse(t
 
 export const formatTag = (tag, tagFormat = tag.format) => getFormatter(tagFormat).format(tag) || f0.format(tag) || f1.format(tag) || null
 
-export const getTags = async (cwd, ref = '') =>
-  (await getGitTags(cwd, ref))
-    .map(tag => parseTag(tag.trim()))
-    .filter(Boolean)
-    .sort((a, b) => semver.rcompare(a.version, b.version))
-
-export const getLatestTag = async (cwd, name) =>
-  (await getTags(cwd)).find(tag => tag.name === name)
-
-export const getLatestTaggedVersion = async (cwd, name) =>
-  (await getLatestTag(cwd, name))?.version || undefined
-
 export const formatDateTag = (date = new Date()) => `${date.getUTCFullYear()}.${date.getUTCMonth() + 1}.${date.getUTCDate()}`
 
-export const parseDateTag = (date) => new Date(date.replaceAll('.', '-')+'Z')
-
-export const getArtifactPath = (tag) => tag.toLowerCase().replace(/[^a-z0-9-]/g, '-')
-
-export const getLatestMeta = async (pkg, tag) => {
-  if (tag) {
-    const {absPath: cwd, config: {ghBasicAuth: basicAuth, ghUrl}} = pkg
-    const {repoName} = await getRepo(cwd, {basicAuth})
-
-    try {
-      return JSON.parse(await ghGetAsset({repoName, tag, name: 'meta.json', ghUrl}))
-    } catch {}
-
-    try {
-      const _cwd = await fetchRepo({cwd, branch: 'meta', basicAuth})
-      return await Promise.any([
-        fs.readJson(path.resolve(_cwd, `${getArtifactPath(tag)}.json`)),
-        fs.readJson(path.resolve(_cwd, getArtifactPath(tag), 'meta.json'))
-      ])
-    } catch {}
-  }
-
-  return fetchManifest(pkg, {nothrow: true})
-}
+export const parseDateTag = (date) => new Date(date.replaceAll('.', '-') + 'Z')

package/src/main/js/processor/log.js

@@ -0,0 +1,86 @@
+import {$, fs} from 'zx-extra'
+import {get, set} from '../util.js'
+
+// Credential redactor: masks tokens/passwords that may leak into log output.
+// Secrets are registered via `log.secret(value)` — typically once, when env/config is parsed.
+const secrets = new Set()
+export const redact = (v) => {
+  if (!secrets.size || typeof v !== 'string') return v
+  for (const s of secrets) v = v.replaceAll(s, '***')
+  return v
+}
+
+// Module-level logger. Delegates to $.report when inside a release run, falls back to console.
+const sanitize = (args) => args.map(a => typeof a === 'string' ? redact(a) : a)
+const r = () => $.report || console
+
+export const log = Object.assign(
+  (...args) => r().log(...sanitize(args)),
+  {
+    info:   (...args) => r().log(...sanitize(args)),
+    warn:   (...args) => r().warn(...sanitize(args)),
+    error:  (...args) => r().error(...sanitize(args)),
+    secret: (...values) => values.forEach(v => { if (v) secrets.add(String(v)) }),
+  }
+)
+
+export const createReport = ({logger = console, packages = {}, queue = [], flags} = {}) => ({
+  logger,
+  flags,
+  file: flags.report || flags.file,
+  status: 'initial',
+  events: [],
+  queue,
+  packages: Object.entries(packages).reduce((acc, [name, {manifest: {version}, absPath, relPath}]) => {
+    acc[name] = {
+      status: 'initial',
+      name,
+      version,
+      path: absPath,
+      relPath
+    }
+    return acc
+  }, {}),
+  get(key, pkgName) {
+    return get(
+      pkgName ? this.packages[pkgName] : this,
+      key
+    )
+  },
+  set(key, value, pkgName) {
+    // set({k1: v1, k2: v2}, pkgName) — batch
+    if (key && typeof key === 'object') {
+      const target = value ? this.packages[value] : this
+      for (const [k, v] of Object.entries(key)) set(target, k, v)
+      return this
+    }
+    set(
+      pkgName ? this.packages[pkgName] : this,
+      key,
+      value
+    )
+    return this
+  },
+  setStatus(status, name) {
+    this.set('status', status, name)
+    this.save()
+    return this
+  },
+  getStatus(status, name) {
+    return this.get('status', name)
+  },
+  _log(level, ...chunks) {
+    const scope = $.scope || '~'
+    const msg = sanitize(chunks)
+    this.events.push({msg, scope, date: Date.now(), level})
+    logger[level === 'info' ? 'log' : level](`[${scope}]`, ...msg)
+    return this
+  },
+  log(...chunks)   { return this._log('info', ...chunks) },
+  warn(...chunks)  { return this._log('warn', ...chunks) },
+  error(...chunks) { return this._log('error', ...chunks) },
+  save() {
+    this.file && fs.outputJsonSync(this.file, this)
+    return this
+  }
+})

package/src/main/js/processor/publishers/changelog.js

@@ -0,0 +1,26 @@
+import {$} from 'zx-extra'
+import {queuefy} from 'queuefy'
+import {fetchRepo, pushCommit} from '../api/git.js'
+import {formatReleaseNotes} from '../generators/notes.js'
+import {log} from '../log.js'
+import {asTuple, msgJoin} from '../../util.js'
+
+const run = queuefy(async (pkg) => {
+  const {absPath: cwd, config: {changelog: opts, gitCommitterEmail, gitCommitterName, ghBasicAuth: basicAuth}} = pkg
+  if (!opts) return
+
+  log.info('push changelog')
+  const [branch = 'changelog', file = `${pkg.name.replace(/[^a-z0-9-]/ig, '')}-changelog.md`, ..._msg] = asTuple(opts, ['branch', 'file', 'msg'])
+  const _cwd = await fetchRepo({cwd, branch, basicAuth})
+  const msg = msgJoin(_msg, pkg, 'chore: update changelog ${{name}}')
+  const releaseNotes = await formatReleaseNotes(pkg)
+
+  await $({cwd: _cwd})`echo ${releaseNotes}"\n$(cat ./${file})" > ./${file}`
+  await pushCommit({cwd, branch, msg, gitCommitterEmail, gitCommitterName, basicAuth})
+})
+
+export default {
+  name: 'changelog',
+  when: (pkg) => !!pkg.config.changelog,
+  run,
+}

package/src/main/js/processor/publishers/cmd.js

@@ -0,0 +1,6 @@
+export default {
+  name: 'cmd',
+  when: (pkg) => !!(pkg.ctx?.flags?.publishCmd ?? pkg.config.publishCmd),
+  run:  (pkg, exec) => exec(pkg, 'publishCmd'),
+  snapshot: true,
+}

package/src/main/js/processor/publishers/gh-pages.js

@@ -0,0 +1,32 @@
+import {queuefy} from 'queuefy'
+import {path} from 'zx-extra'
+import {log} from '../log.js'
+import {pushCommit} from '../api/git.js'
+import {asTuple, msgJoin} from '../../util.js'
+
+const run = queuefy(async (pkg) => {
+  const {config: {ghPages: opts, gitCommitterEmail, gitCommitterName, ghBasicAuth: basicAuth}} = pkg
+  if (!opts) return
+
+  const [branch = 'gh-pages', from = 'docs', to = '.', ..._msg] = asTuple(opts, ['branch', 'from', 'to', 'msg'])
+  const msg = msgJoin(_msg, pkg, 'docs: update docs ${{name}} ${{version}}')
+
+  log.info(`publish docs to ${branch}`)
+
+  await pushCommit({
+    cwd: path.join(pkg.absPath, from),
+    from: '.',
+    to,
+    branch,
+    msg,
+    gitCommitterEmail,
+    gitCommitterName,
+    basicAuth,
+  })
+})
+
+export default {
+  name: 'gh-pages',
+  when: (pkg) => !!pkg.config.ghPages,
+  run,
+}

package/src/main/js/processor/publishers/gh-release.js

@@ -0,0 +1,41 @@
+import {log} from '../log.js'
+import {getRepo, getRoot} from '../api/git.js'
+import {ghCreateRelease, ghDeleteReleaseByTag, ghUploadAssets} from '../api/gh.js'
+import {formatTag} from '../generators/tag.js'
+import {formatReleaseNotes} from '../generators/notes.js'
+
+const run = async (pkg) => {
+  const {ghBasicAuth: basicAuth, ghToken, ghAssets, ghApiUrl} = pkg.config
+  if (!ghToken) return null
+
+  log.info('create gh release')
+
+  const now = Date.now()
+  const {name, version, absPath: cwd, tag = formatTag({name, version})} = pkg
+  const {repoName} = await getRepo(cwd, {basicAuth})
+  const body = await formatReleaseNotes(pkg)
+  const res = await ghCreateRelease({ghApiUrl, ghToken, repoName, tag, body})
+
+  if (ghAssets?.length) {
+    // GH API returns a pseudo-url `...releases/110103594/assets{?name,label}` — strip the template.
+    const uploadUrl = res.upload_url.slice(0, res.upload_url.indexOf('{'))
+    await ghUploadAssets({ghToken, ghAssets, uploadUrl, cwd})
+  }
+
+  log.info(`duration gh release: ${Date.now() - now}`)
+}
+
+const undo = async (pkg, {tag}) => {
+  const {ghBasicAuth: basicAuth, ghToken, ghApiUrl} = pkg.config
+  if (!ghToken) return
+  const cwd = await getRoot(pkg.absPath)
+  const {repoName} = await getRepo(cwd, {basicAuth})
+  await ghDeleteReleaseByTag({ghApiUrl, ghToken, repoName, tag})
+}
+
+export default {
+  name: 'gh-release',
+  when: (pkg) => !!pkg.config.ghToken,
+  run,
+  undo,
+}