monoship 1.8.1

package/dist/cli.mjs

@@ -0,0 +1,597 @@
+#!/usr/bin/env node
+import { cac } from "cac";
+import path from "node:path";
+import fs from "node:fs";
+import fg from "fast-glob";
+import consola from "consola";
+import libnpmpack from "libnpmpack";
+import { publish } from "libnpmpublish";
+import { execFile } from "node:child_process";
+import { readFile, unlink, writeFile } from "node:fs/promises";
+import { promisify } from "node:util";
+import semver from "semver";
+import hapic, { hasOwnProperty, isClientError } from "hapic";
+//#region src/core/error.ts
+var BaseError = class extends Error {
+	code;
+	statusCode;
+	constructor(message, options) {
+		super(message);
+		this.code = options.code;
+		this.statusCode = options.statusCode;
+	}
+};
+//#endregion
+//#region src/core/filesystem/node.ts
+var NodeFileSystem = class {
+	async readFile(filePath) {
+		return fs.promises.readFile(filePath, { encoding: "utf-8" });
+	}
+	async writeFile(filePath, content) {
+		await fs.promises.writeFile(filePath, content, { encoding: "utf-8" });
+	}
+	async glob(patterns, options = {}) {
+		return fg(patterns, {
+			ignore: options.ignore || ["node_modules/**"],
+			cwd: options.cwd,
+			absolute: true,
+			onlyDirectories: true
+		});
+	}
+};
+//#endregion
+//#region src/core/logger/consola.ts
+var ConsolaLogger = class {
+	info(message) {
+		consola.info(message);
+	}
+	success(message) {
+		consola.success(message);
+	}
+	warn(message) {
+		consola.warn(message);
+	}
+	error(message) {
+		consola.error(message);
+	}
+};
+//#endregion
+//#region src/core/logger/noop.ts
+var NoopLogger = class {
+	info(_message) {}
+	success(_message) {}
+	warn(_message) {}
+	error(_message) {}
+};
+//#endregion
+//#region src/core/publisher/error.ts
+var PublishError = class extends BaseError {
+	constructor(message, options) {
+		super(message, {
+			code: "EPUBLISH",
+			statusCode: 500
+		});
+		if (options?.cause) this.cause = options.cause;
+	}
+};
+//#endregion
+//#region src/utils/object.ts
+function isObject(input) {
+	return typeof input === "object" && input !== null && !Array.isArray(input);
+}
+function isError(input) {
+	return isObject(input) && typeof input.message === "string";
+}
+//#endregion
+//#region src/core/publisher/npm.ts
+var NpmPublisher = class {
+	/**
+	* Publish a package using libnpmpack + libnpmpublish.
+	*
+	* @returns `true` if published, `false` if the version already exists.
+	* @throws {PublishError} On non-conflict failures (network errors, auth failures, etc.).
+	*/
+	async publish(packagePath, manifest, options) {
+		try {
+			await publish(manifest, await libnpmpack(packagePath), options);
+			return true;
+		} catch (e) {
+			if (this.isNpmJsVersionConflict(e) || this.isNpmPkgGitHubVersionConflict(e)) return false;
+			const cause = isError(e) ? e : void 0;
+			throw new PublishError(cause?.message || "libnpmpublish failed with an unknown error", { cause });
+		}
+	}
+	/**
+	* Determines whether an exception represents a version conflict
+	* when publishing to the npmjs.org registry.
+	*/
+	isNpmJsVersionConflict(ex) {
+		if (!isObject(ex)) return false;
+		if ("code" in ex && ex.code === "EPUBLISHCONFLICT") return true;
+		return "code" in ex && ex.code === "E403" && typeof ex.message === "string" && ex.message.includes("You cannot publish over the previously published versions");
+	}
+	/**
+	* Determines whether an exception represents a version conflict
+	* when publishing to GitHub Packages (npm.pkg.github.com).
+	*/
+	isNpmPkgGitHubVersionConflict(ex) {
+		if (!isObject(ex)) return false;
+		if ("code" in ex && ex.code === "E409") return true;
+		if ("body" in ex && isObject(ex.body) && ex.body.error === "Cannot publish over existing version") return true;
+		return typeof ex.message === "string" && ex.message.startsWith("409 Conflict - PUT https://npm.pkg.github.com");
+	}
+};
+//#endregion
+//#region src/core/publisher/npm-cli.ts
+const execFileAsync$1 = promisify(execFile);
+const AUTH_TOKEN_PATTERN = /^(\/\/.+)\/:_authToken$/;
+/**
+* Extract the auth token entry from publish options.
+*
+* When `registry` is provided, prefers the entry whose scope matches
+* the target registry (host + path). Falls back to the first match
+* if no registry-specific entry is found.
+*/
+function parseAuthTokenEntry(options, registry) {
+	let registryScope;
+	if (registry) try {
+		const url = new URL(registry);
+		registryScope = `//${url.host}${url.pathname.replace(/\/$/, "")}`;
+	} catch {}
+	let fallback;
+	const keys = Object.keys(options);
+	for (const key of keys) {
+		const match = AUTH_TOKEN_PATTERN.exec(key);
+		const registryPath = match?.[1];
+		if (match && registryPath && options[key]) {
+			const entry = {
+				key,
+				token: options[key],
+				registryPath
+			};
+			if (registryScope && registryPath === registryScope) return entry;
+			if (!fallback) fallback = entry;
+		}
+	}
+	return fallback;
+}
+var NpmCliPublisher = class {
+	execFn;
+	readFileFn;
+	writeFileFn;
+	unlinkFn;
+	constructor(options = {}) {
+		this.execFn = options.execFn || execFileAsync$1;
+		this.readFileFn = options.readFileFn || ((fp, enc) => readFile(fp, enc));
+		this.writeFileFn = options.writeFileFn || ((fp, content, enc) => writeFile(fp, content, enc));
+		this.unlinkFn = options.unlinkFn || ((fp) => unlink(fp));
+	}
+	/**
+	* Publish a package by shelling out to `npm publish`.
+	*
+	* Writes a temporary `.npmrc` for auth when a token is present and
+	* restores/removes it after the command completes (even on failure).
+	*
+	* @returns `true` if published, `false` if the version already exists.
+	* @throws {PublishError} On non-conflict failures (network errors, auth failures, etc.).
+	*/
+	async publish(packagePath, _manifest, options) {
+		const args = ["publish"];
+		const authEntry = parseAuthTokenEntry(options, options.registry);
+		if (options.registry) args.push("--registry", options.registry);
+		else if (authEntry) args.push("--registry", `https:${authEntry.registryPath}`);
+		if (options.access) args.push("--access", options.access);
+		if (options.tag) args.push("--tag", options.tag);
+		const env = { ...process.env };
+		let npmrcPath;
+		let existingNpmrc;
+		if (authEntry) {
+			env.NODE_AUTH_TOKEN = authEntry.token;
+			const registryUrl = options.registry || `https:${authEntry.registryPath}`;
+			let npmrcContent;
+			try {
+				const url = new URL(registryUrl);
+				const registryPath = url.pathname.replace(/\/$/, "");
+				npmrcContent = `//${url.host}${registryPath}/:_authToken=\${NODE_AUTH_TOKEN}\n`;
+			} catch {
+				throw new PublishError(`Invalid registry URL: ${registryUrl}`);
+			}
+			npmrcPath = path.join(packagePath, ".npmrc");
+			try {
+				existingNpmrc = await this.readFileFn(npmrcPath, "utf-8");
+			} catch {}
+			const finalContent = existingNpmrc ? `${existingNpmrc.trimEnd()}\n${npmrcContent}` : npmrcContent;
+			await this.writeFileFn(npmrcPath, finalContent, "utf-8");
+		}
+		try {
+			await this.execFn("npm", args, {
+				cwd: packagePath,
+				env
+			});
+			return true;
+		} catch (e) {
+			if (this.isVersionConflict(e)) return false;
+			const cause = isError(e) ? e : void 0;
+			throw new PublishError(cause?.message || "npm publish failed with an unknown error", { cause });
+		} finally {
+			if (npmrcPath) if (typeof existingNpmrc === "string") await this.writeFileFn(npmrcPath, existingNpmrc, "utf-8");
+			else try {
+				await this.unlinkFn(npmrcPath);
+			} catch {}
+		}
+	}
+	isVersionConflict(e) {
+		if (!isObject(e)) return false;
+		let stderr = "";
+		if (typeof e.stderr === "string") stderr = e.stderr;
+		const message = isError(e) ? e.message : "";
+		const combined = `${stderr} ${message}`;
+		return combined.includes("EPUBLISHCONFLICT") || combined.includes("You cannot publish over the previously published versions") || combined.includes("Cannot publish over existing version") || combined.includes("409 Conflict");
+	}
+};
+//#endregion
+//#region src/core/publisher/resolve.ts
+const execFileAsync = promisify(execFile);
+const NPM_MIN_VERSION = "10.0.0";
+async function resolvePublisher(options = {}) {
+	const execFn = options.execFn || execFileAsync;
+	try {
+		const { stdout } = await execFn("npm", ["--version"], {
+			cwd: process.cwd(),
+			env: process.env
+		});
+		const version = stdout.trim();
+		if (semver.gte(version, NPM_MIN_VERSION)) return new NpmCliPublisher({ execFn });
+	} catch {}
+	return new NpmPublisher();
+}
+//#endregion
+//#region src/core/registry-client/error.ts
+var RegistryError = class extends BaseError {
+	constructor(message, statusCode) {
+		super(message, {
+			code: `E${statusCode}`,
+			statusCode
+		});
+	}
+};
+/**
+* Duck-type check for RegistryError shape.
+*
+* Validates the error has `message` (string), `statusCode` (number),
+* and `code` (string) — matching the BaseError contract.
+*
+* @param input The value to check.
+* @returns `true` if the value has the RegistryError shape.
+*/
+function isRegistryError(input) {
+	return isObject(input) && typeof input.message === "string" && typeof input.statusCode === "number" && typeof input.code === "string";
+}
+//#endregion
+//#region src/core/registry-client/hapic.ts
+var HapicRegistryClient = class {
+	async getPackument(name, options) {
+		const path = encodeURIComponent(name).replace(/^%40/, "@");
+		const headers = { ACCEPT: "application/vnd.npm.install-v1+json; q=1.0, application/json; q=0.8, */*" };
+		if (options.token) headers.AUTHORIZATION = `Bearer ${options.token}`;
+		try {
+			return (await hapic.get(new URL(path, options.registry || "https://registry.npmjs.org/").toString(), { headers })).data;
+		} catch (e) {
+			if (isClientError(e)) throw new RegistryError(e.message, e.statusCode || 500);
+			throw new RegistryError(`Registry request failed for ${name}`, 500);
+		}
+	}
+};
+//#endregion
+//#region src/core/token-provider/chain.ts
+var ChainTokenProvider = class {
+	providers;
+	constructor(providers) {
+		this.providers = providers;
+	}
+	async getToken(packageName, registry) {
+		for (const provider of this.providers) {
+			const token = await provider.getToken(packageName, registry);
+			if (token) return token;
+		}
+	}
+};
+//#endregion
+//#region src/core/token-provider/env.ts
+var EnvTokenProvider = class {
+	async getToken(_packageName, _registry) {
+		return process.env.NODE_AUTH_TOKEN || void 0;
+	}
+};
+//#endregion
+//#region src/core/token-provider/memory.ts
+var MemoryTokenProvider = class {
+	token;
+	constructor(token) {
+		this.token = token;
+	}
+	async getToken(_packageName, _registry) {
+		return this.token;
+	}
+};
+//#endregion
+//#region src/core/token-provider/oidc.ts
+var OidcTokenProvider = class {
+	requestUrl;
+	requestToken;
+	fetchFn;
+	maxRetries;
+	retryDelayMs;
+	tokenCache;
+	constructor(options) {
+		this.requestUrl = options.requestUrl;
+		this.requestToken = options.requestToken;
+		this.fetchFn = options.fetchFn ?? globalThis.fetch;
+		this.maxRetries = options.maxRetries ?? 2;
+		this.retryDelayMs = options.retryDelayMs ?? 1e3;
+		this.tokenCache = /* @__PURE__ */ new Map();
+	}
+	async getToken(packageName, registry) {
+		const cacheKey = `${packageName}@${registry}`;
+		const cached = this.tokenCache.get(cacheKey);
+		if (cached) return cached;
+		const audience = `npm:${new URL(registry).host}`;
+		const separator = this.requestUrl.includes("?") ? "&" : "?";
+		const oidcUrl = `${this.requestUrl}${separator}audience=${encodeURIComponent(audience)}`;
+		const oidcResponse = await this.fetchWithRetry(oidcUrl, { headers: { Authorization: `Bearer ${this.requestToken}` } });
+		if (!oidcResponse.ok) throw new Error(`Failed to fetch OIDC token from GitHub: ${oidcResponse.status} ${oidcResponse.statusText}`);
+		const idToken = (await oidcResponse.json()).value;
+		if (!idToken) throw new Error("OIDC response did not contain a valid token");
+		const encodedName = encodeURIComponent(packageName).replace(/^%40/, "@");
+		const exchangeUrl = new URL(`/-/npm/v1/oidc/token/exchange/package/${encodedName}`, registry).toString();
+		const exchangeResponse = await this.fetchWithRetry(exchangeUrl, {
+			method: "POST",
+			headers: { Authorization: `Bearer ${idToken}` }
+		});
+		if (!exchangeResponse.ok) throw new Error(`Failed to exchange OIDC token with npm registry: ${exchangeResponse.status} ${exchangeResponse.statusText}`);
+		const { token } = await exchangeResponse.json();
+		if (!token) throw new Error("Token exchange response did not contain a valid token");
+		this.tokenCache.set(cacheKey, token);
+		return token;
+	}
+	async fetchWithRetry(url, init) {
+		for (let attempt = 0; attempt <= this.maxRetries; attempt++) try {
+			const response = await this.fetchFn(url, init);
+			if (response.ok || response.status < 500) return response;
+			if (attempt < this.maxRetries) {
+				await this.delay(this.retryDelayMs * (attempt + 1));
+				continue;
+			}
+			return response;
+		} catch (e) {
+			if (attempt >= this.maxRetries) throw e;
+			await this.delay(this.retryDelayMs * (attempt + 1));
+		}
+		throw new Error("Unreachable");
+	}
+	delay(ms) {
+		return new Promise((resolve) => {
+			setTimeout(resolve, ms);
+		});
+	}
+};
+//#endregion
+//#region src/package.ts
+async function isPackagePublished(pkg, registryClient, options) {
+	const { name, version } = pkg.content;
+	if (!name || !version) throw new Error(`Name or version attribute is missing in ${pkg.path}`);
+	try {
+		const { versions } = await registryClient.getPackument(name, options);
+		if (typeof versions === "undefined" || typeof versions[version] === "undefined") return false;
+	} catch (e) {
+		if (isRegistryError(e) && e.statusCode === 404) return false;
+		throw e;
+	}
+	return true;
+}
+async function publishPackage(pkg, publisher, options) {
+	let pkgPath;
+	if (path.isAbsolute(pkg.path)) pkgPath = pkg.path;
+	else pkgPath = path.resolve(pkg.path);
+	const publishOptions = { ...pkg.content.publishConfig || {} };
+	if (options.token && options.token.length > 0) {
+		const registry = options.registry || "https://registry.npmjs.org/";
+		const url = new URL(registry);
+		const registryPath = url.pathname.replace(/\/$/, "");
+		publishOptions[`//${url.host}${registryPath}/:_authToken`] = options.token;
+	}
+	return publisher.publish(pkgPath, pkg.content, publishOptions);
+}
+function isPackagePublishable(pkg) {
+	return !!pkg.content.name && !pkg.content.private && !!pkg.content.version;
+}
+//#endregion
+//#region src/package-dependency.ts
+function updatePackagesDependencies(packages) {
+	const pkgDir = {};
+	for (const package_ of packages) pkgDir[package_.content.name] = package_;
+	for (const pkg of packages) {
+		if (pkg.content.dependencies) updatePackageDependenciesByType(pkg, "dependencies", pkgDir);
+		if (pkg.content.devDependencies) updatePackageDependenciesByType(pkg, "devDependencies", pkgDir);
+		if (pkg.content.peerDependencies) updatePackageDependenciesByType(pkg, "peerDependencies", pkgDir);
+	}
+}
+function isDependencyWorkspaceProtocolValue(value) {
+	return value.substring(0, 10) === "workspace:";
+}
+function normalizeDependencyVersionValue(input, pkgVersion) {
+	if (input.length === 1) {
+		if (input === "~" || input === "^") return input + pkgVersion;
+		return pkgVersion;
+	}
+	const firstCharacter = input.substring(0, 1);
+	if (firstCharacter === "*" || firstCharacter === "~" || firstCharacter === "^") {
+		if (semver.valid(input.substring(1))) {
+			if (firstCharacter === "~" || firstCharacter === "^") return firstCharacter + pkgVersion;
+			return pkgVersion;
+		}
+		return pkgVersion;
+	}
+	return pkgVersion;
+}
+function updatePackageDependenciesByType(pkg, depType, pkgDir) {
+	const dependencies = pkg.content[depType];
+	if (!dependencies) return;
+	const keys = Object.keys(dependencies);
+	for (const key of keys) {
+		const value = dependencies[key];
+		if (!value || !isDependencyWorkspaceProtocolValue(value)) continue;
+		if (!hasOwnProperty(pkgDir, key)) {
+			pkg.valid = false;
+			continue;
+		}
+		const depPkg = pkgDir[key];
+		if (!depPkg) {
+			pkg.valid = false;
+			continue;
+		}
+		dependencies[key] = normalizeDependencyVersionValue(value.substring(10), depPkg.content.version);
+		pkg.modified = true;
+	}
+}
+//#endregion
+//#region src/module.ts
+function resolveTokenProvider$1(options) {
+	if (options.tokenProvider) return options.tokenProvider;
+	if (options.token) return new MemoryTokenProvider(options.token);
+	return new EnvTokenProvider();
+}
+async function readWorkspacePackages(workspace, cwd, fileSystem) {
+	const directories = await fileSystem.glob(workspace, {
+		cwd,
+		ignore: ["node_modules/**"]
+	});
+	const pkgs = [];
+	for (const directory of directories) try {
+		const raw = await fileSystem.readFile(path.posix.join(directory, "package.json"));
+		const content = JSON.parse(raw);
+		pkgs.push({
+			path: directory,
+			content
+		});
+	} catch {}
+	return pkgs;
+}
+async function publish$1(options = {}) {
+	const cwd = options.cwd || process.cwd();
+	const registry = options.registry || "https://registry.npmjs.org/";
+	const rootPackage = options.rootPackage ?? true;
+	const fileSystem = options.fileSystem ?? new NodeFileSystem();
+	const registryClient = options.registryClient ?? new HapicRegistryClient();
+	const publisher = options.publisher ?? await resolvePublisher();
+	const tokenProvider = resolveTokenProvider$1(options);
+	const logger = options.logger ?? new NoopLogger();
+	const raw = await fileSystem.readFile(path.posix.join(cwd, "package.json"));
+	let pkg;
+	try {
+		pkg = JSON.parse(raw);
+	} catch {
+		throw new Error(`Invalid JSON in package.json at ${path.posix.join(cwd, "package.json")}`);
+	}
+	const packages = [];
+	if (!Array.isArray(pkg.workspaces) && !rootPackage) return [];
+	if (rootPackage) packages.push({
+		path: cwd,
+		content: pkg
+	});
+	if (Array.isArray(pkg.workspaces)) packages.push(...await readWorkspacePackages(pkg.workspaces, cwd, fileSystem));
+	updatePackagesDependencies(packages);
+	const unpublishedPackages = [];
+	for (const p of packages) {
+		if (!isPackagePublishable(p)) continue;
+		if (p.valid === false) {
+			logger.warn(`Skipping ${p.content.name}: unresolved workspace dependencies`);
+			continue;
+		}
+		const token = await tokenProvider.getToken(p.content.name, registry);
+		if (await isPackagePublished(p, registryClient, {
+			registry,
+			token
+		})) continue;
+		if (p.modified && !options.dryRun) try {
+			await fileSystem.writeFile(path.posix.join(p.path, "package.json"), JSON.stringify(p.content));
+		} catch (e) {
+			const message = isError(e) ? e.message : String(e);
+			logger.warn(`Failed to write package.json for ${p.content.name}: ${message}`);
+			continue;
+		}
+		unpublishedPackages.push({
+			pkg: p,
+			token
+		});
+	}
+	if (unpublishedPackages.length === 0) return [];
+	if (options.dryRun) return unpublishedPackages.map((item) => item.pkg);
+	for (const { pkg: p, token } of unpublishedPackages) p.published = await publishPackage(p, publisher, {
+		token,
+		registry
+	});
+	return unpublishedPackages.map((item) => item.pkg).filter((p) => !!p.published);
+}
+//#endregion
+//#region src/cli.ts
+function isValidUrl(input) {
+	try {
+		return !!new URL(input).protocol;
+	} catch {
+		return false;
+	}
+}
+function resolveTokenProvider(token) {
+	if (token && token.length > 0) return new MemoryTokenProvider(token);
+	const requestUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
+	const requestToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+	if (requestUrl && requestToken) return new ChainTokenProvider([new OidcTokenProvider({
+		requestUrl,
+		requestToken
+	}), new EnvTokenProvider()]);
+	return new EnvTokenProvider();
+}
+const logger = new ConsolaLogger();
+const cli = cac();
+cli.command("", "Publish workspace packages").option("--token <token>", "Token for registry", { default: process.env.NODE_AUTH_TOKEN }).option("--registry <registry>", "Registry url", { default: "https://registry.npmjs.org/" }).option("--root <root>", "Root directory", { default: process.cwd() }).option("--rootPackage", "Also consider the root package for publishing").option("--dryRun", "Show what would be published without actually publishing").action(async (options) => {
+	try {
+		if (!isValidUrl(options.registry)) {
+			logger.error(`Invalid registry URL: ${options.registry}`);
+			process.exit(2);
+		}
+		const tokenProvider = resolveTokenProvider(options.token);
+		if (options.token) process.env.NODE_AUTH_TOKEN = options.token;
+		const publisher = await resolvePublisher();
+		const packages = await publish$1({
+			registry: options.registry,
+			cwd: options.root,
+			rootPackage: options.rootPackage ?? true,
+			dryRun: options.dryRun,
+			fileSystem: new NodeFileSystem(),
+			registryClient: new HapicRegistryClient(),
+			publisher,
+			tokenProvider,
+			logger
+		});
+		if (packages.length === 0) logger.info("No packages need to be published.");
+		else if (options.dryRun) {
+			logger.info("Dry run — the following packages would be published:");
+			for (const pkg of packages) logger.info(`  ${pkg.content.name}@${pkg.content.version} → ${options.registry}`);
+		} else {
+			for (const pkg of packages) logger.success(`Published ${pkg.content.name}@${pkg.content.version}`);
+			logger.info(`Published ${packages.length} package(s).`);
+		}
+		process.exit(0);
+	} catch (e) {
+		if (isError(e)) {
+			logger.error(e.message);
+			if (process.env.DEBUG) logger.error(e.stack || "");
+		} else logger.error("An unknown error occurred.");
+		process.exit(1);
+	}
+});
+cli.help();
+cli.parse();
+//#endregion
+export {};