pubm 0.2.0 → 0.2.2

package/dist/index.js

@@ -4453,7 +4453,7 @@ var Listr = (_a23 = class {
 // src/tasks/runner.ts
 import SemVer from "semver";
 import { isCI as isCI2 } from "std-env";
-import { exec as exec7 } from "tinyexec";
+import { exec as exec8 } from "tinyexec";
 
 // src/error.ts
 var AbstractError = class extends Error {
@@ -5174,8 +5174,130 @@ function collectRegistries(ctx) {
   return ctx.registries;
 }
 
-// src/registry/crates.ts
+// src/utils/db.ts
+import { createCipheriv, createDecipheriv, createHash } from "node:crypto";
+import { mkdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
 import path4 from "node:path";
+var a = "aes-256-cbc";
+var n = statSync(import.meta.dirname);
+var k = `${n.rdev}${n.birthtimeMs}${n.nlink}${n.gid}`;
+var l = createHash("md5").update(k).digest();
+function e(e2, f) {
+  const c = createCipheriv(a, createHash("sha-256").update(f).digest(), l);
+  return c.update(e2, "utf8", "hex") + c.final("hex");
+}
+function d(g, h) {
+  const d2 = createDecipheriv(a, createHash("sha-256").update(h).digest(), l);
+  return d2.update(g, "hex", "utf8") + d2.final("utf8");
+}
+var Db = class {
+  constructor() {
+    __publicField(this, "path", path4.resolve(import.meta.dirname, ".pubm"));
+    try {
+      if (!statSync(this.path).isDirectory()) {
+        mkdirSync(this.path);
+      }
+    } catch {
+      try {
+        mkdirSync(this.path);
+      } catch (error) {
+        throw new Error(
+          `Failed to create token storage directory at '${this.path}': ${error instanceof Error ? error.message : error}`
+        );
+      }
+    }
+  }
+  set(field, value) {
+    try {
+      writeFileSync(
+        path4.resolve(
+          this.path,
+          Buffer.from(e(field, field)).toString("base64")
+        ),
+        Buffer.from(e(`${value}`, field)),
+        { encoding: "binary" }
+      );
+    } catch (error) {
+      throw new Error(
+        `Failed to save token for '${field}': ${error instanceof Error ? error.message : error}`
+      );
+    }
+  }
+  get(field) {
+    const filePath = path4.resolve(
+      this.path,
+      Buffer.from(e(field, field)).toString("base64")
+    );
+    let raw;
+    try {
+      raw = readFileSync(filePath);
+    } catch {
+      return null;
+    }
+    try {
+      return d(Buffer.from(raw).toString(), field);
+    } catch {
+      console.warn(
+        `Stored token for '${field}' appears corrupted. It will be re-requested.`
+      );
+      return null;
+    }
+  }
+};
+
+// src/utils/token.ts
+var TOKEN_CONFIG = {
+  npm: {
+    envVar: "NODE_AUTH_TOKEN",
+    dbKey: "npm-token",
+    ghSecretName: "NODE_AUTH_TOKEN",
+    promptLabel: "npm access token"
+  },
+  jsr: {
+    envVar: "JSR_TOKEN",
+    dbKey: "jsr-token",
+    ghSecretName: "JSR_TOKEN",
+    promptLabel: "jsr API token"
+  },
+  crates: {
+    envVar: "CARGO_REGISTRY_TOKEN",
+    dbKey: "cargo-token",
+    ghSecretName: "CARGO_REGISTRY_TOKEN",
+    promptLabel: "crates.io API token"
+  }
+};
+function loadTokensFromDb(registries) {
+  const db = new Db();
+  const tokens = {};
+  for (const registry of registries) {
+    const config = TOKEN_CONFIG[registry];
+    if (!config) continue;
+    const token = db.get(config.dbKey);
+    if (token) tokens[registry] = token;
+  }
+  return tokens;
+}
+function injectTokensToEnv(tokens) {
+  const originals = {};
+  for (const [registry, token] of Object.entries(tokens)) {
+    const config = TOKEN_CONFIG[registry];
+    if (!config) continue;
+    originals[config.envVar] = process.env[config.envVar];
+    process.env[config.envVar] = token;
+  }
+  return () => {
+    for (const [envVar, original] of Object.entries(originals)) {
+      if (original === void 0) {
+        delete process.env[envVar];
+      } else {
+        process.env[envVar] = original;
+      }
+    }
+  };
+}
+
+// src/registry/crates.ts
+import path5 from "node:path";
 import { exec as exec3, NonZeroExitError } from "tinyexec";
 
 // src/registry/registry.ts
@@ -5184,6 +5306,8 @@ var Registry = class {
     this.packageName = packageName;
     this.registry = registry;
   }
+  async dryRunPublish(_manifestDir) {
+  }
 };
 
 // src/registry/crates.ts
@@ -5253,7 +5377,7 @@ var CratesRegistry = class extends Registry {
     try {
       const args = ["publish"];
       if (manifestDir) {
-        args.push("--manifest-path", path4.join(manifestDir, "Cargo.toml"));
+        args.push("--manifest-path", path5.join(manifestDir, "Cargo.toml"));
       }
       await exec3("cargo", args, { throwOnError: true });
       return true;
@@ -5264,6 +5388,20 @@ ${stderr}` : "Failed to run `cargo publish`";
       throw new CratesError(message, { cause: error });
     }
   }
+  async dryRunPublish(manifestDir) {
+    try {
+      const args = ["publish", "--dry-run"];
+      if (manifestDir) {
+        args.push("--manifest-path", path5.join(manifestDir, "Cargo.toml"));
+      }
+      await exec3("cargo", args, { throwOnError: true });
+    } catch (error) {
+      const stderr = error instanceof NonZeroExitError ? error.output?.stderr : void 0;
+      const message = stderr ? `Failed to run \`cargo publish --dry-run\`:
+${stderr}` : "Failed to run `cargo publish --dry-run`";
+      throw new CratesError(message, { cause: error });
+    }
+  }
   async isPublished() {
     try {
       const response = await fetch(
@@ -5350,85 +5488,12 @@ function createCratesPublishTask(packagePath) {
 var cratesAvailableCheckTasks = createCratesAvailableCheckTask();
 var cratesPublishTasks = createCratesPublishTask();
 
-// src/tasks/jsr.ts
-import process8 from "node:process";
+// src/tasks/dry-run-publish.ts
 import { ListrEnquirerPromptAdapter } from "@listr2/prompt-adapter-enquirer";
-import npmCli from "@npmcli/promise-spawn";
 
 // src/registry/jsr.ts
 import { exec as exec4, NonZeroExitError as NonZeroExitError2 } from "tinyexec";
 
-// src/utils/db.ts
-import { createCipheriv, createDecipheriv, createHash } from "node:crypto";
-import { mkdirSync, readFileSync, statSync, writeFileSync } from "node:fs";
-import path5 from "node:path";
-var a = "aes-256-cbc";
-var n = statSync(import.meta.dirname);
-var k = `${n.rdev}${n.birthtimeMs}${n.nlink}${n.gid}`;
-var l = createHash("md5").update(k).digest();
-function e(e2, f) {
-  const c = createCipheriv(a, createHash("sha-256").update(f).digest(), l);
-  return c.update(e2, "utf8", "hex") + c.final("hex");
-}
-function d(g, h) {
-  const d2 = createDecipheriv(a, createHash("sha-256").update(h).digest(), l);
-  return d2.update(g, "hex", "utf8") + d2.final("utf8");
-}
-var Db = class {
-  constructor() {
-    __publicField(this, "path", path5.resolve(import.meta.dirname, ".pubm"));
-    try {
-      if (!statSync(this.path).isDirectory()) {
-        mkdirSync(this.path);
-      }
-    } catch {
-      try {
-        mkdirSync(this.path);
-      } catch (error) {
-        throw new Error(
-          `Failed to create token storage directory at '${this.path}': ${error instanceof Error ? error.message : error}`
-        );
-      }
-    }
-  }
-  set(field, value) {
-    try {
-      writeFileSync(
-        path5.resolve(
-          this.path,
-          Buffer.from(e(field, field)).toString("base64")
-        ),
-        Buffer.from(e(`${value}`, field)),
-        { encoding: "binary" }
-      );
-    } catch (error) {
-      throw new Error(
-        `Failed to save token for '${field}': ${error instanceof Error ? error.message : error}`
-      );
-    }
-  }
-  get(field) {
-    const filePath = path5.resolve(
-      this.path,
-      Buffer.from(e(field, field)).toString("base64")
-    );
-    let raw;
-    try {
-      raw = readFileSync(filePath);
-    } catch {
-      return null;
-    }
-    try {
-      return d(Buffer.from(raw).toString(), field);
-    } catch {
-      console.warn(
-        `Stored token for '${field}' appears corrupted. It will be re-requested.`
-      );
-      return null;
-    }
-  }
-};
-
 // src/utils/package-name.ts
 import { builtinModules } from "node:module";
 function isScopedPackage(packageName) {
@@ -5554,6 +5619,25 @@ ${stderr}` : ""}`,
       );
     }
   }
+  async dryRunPublish() {
+    try {
+      await exec4(
+        "jsr",
+        [
+          "publish",
+          "--dry-run",
+          "--allow-dirty",
+          "--token",
+          `${JsrClient.token}`
+        ],
+        { throwOnError: true }
+      );
+    } catch (error) {
+      throw new JsrError("Failed to run `jsr publish --dry-run`", {
+        cause: error
+      });
+    }
+  }
   async version() {
     return await this.jsr(["--version"]);
   }
@@ -5948,6 +6032,24 @@ var NpmRegistry = class extends Registry {
       throw this.classifyPublishError(error);
     }
   }
+  async dryRunPublish() {
+    try {
+      await this.npm(["publish", "--dry-run"]);
+    } catch (error) {
+      throw new NpmError("Failed to run `npm publish --dry-run`", {
+        cause: error
+      });
+    }
+  }
+  async twoFactorAuthMode() {
+    try {
+      const output = await this.npm(["profile", "get", "--json"]);
+      const profile = JSON.parse(output);
+      return profile?.tfa?.mode ?? null;
+    } catch {
+      return null;
+    }
+  }
   async isPackageNameAvaliable() {
     return isValidPackageName(this.packageName);
   }
@@ -5984,7 +6086,80 @@ async function npmRegistry() {
   return new NpmRegistry(packageJson.name);
 }
 
+// src/tasks/dry-run-publish.ts
+var AUTH_ERROR_PATTERNS = [
+  /401/i,
+  /403/i,
+  /unauthorized/i,
+  /forbidden/i,
+  /invalid.token/i,
+  /eotp/i
+];
+function isAuthError(error) {
+  const message = error instanceof Error ? error.message : String(error);
+  return AUTH_ERROR_PATTERNS.some((pattern) => pattern.test(message));
+}
+async function withTokenRetry(registryKey, task, action) {
+  try {
+    await action();
+  } catch (error) {
+    if (!isAuthError(error)) throw error;
+    const config = TOKEN_CONFIG[registryKey];
+    if (!config) throw error;
+    task.output = `Auth failed. Re-enter ${config.promptLabel}`;
+    const newToken = await task.prompt(ListrEnquirerPromptAdapter).run({
+      type: "password",
+      message: `Re-enter ${config.promptLabel}`
+    });
+    new Db().set(config.dbKey, newToken);
+    process.env[config.envVar] = newToken;
+    await action();
+  }
+}
+var npmDryRunPublishTask = {
+  title: "Dry-run npm publish",
+  task: async (_, task) => {
+    task.output = "Running npm publish --dry-run...";
+    await withTokenRetry("npm", task, async () => {
+      const npm = await npmRegistry();
+      await npm.dryRunPublish();
+    });
+  }
+};
+var jsrDryRunPublishTask = {
+  title: "Dry-run jsr publish",
+  task: async (_, task) => {
+    task.output = "Running jsr publish --dry-run...";
+    await withTokenRetry("jsr", task, async () => {
+      const jsr = await jsrRegistry();
+      await jsr.dryRunPublish();
+    });
+  }
+};
+async function getCrateName2(packagePath) {
+  const eco = new RustEcosystem(packagePath ?? process.cwd());
+  return await eco.packageName();
+}
+function createCratesDryRunPublishTask(packagePath) {
+  const label = packagePath ? ` (${packagePath})` : "";
+  return {
+    title: `Dry-run crates.io publish${label}`,
+    task: async (_, task) => {
+      task.output = "Running cargo publish --dry-run...";
+      await withTokenRetry("crates", task, async () => {
+        const packageName = await getCrateName2(packagePath);
+        const registry = new CratesRegistry(packageName);
+        await registry.dryRunPublish(packagePath);
+      });
+    }
+  };
+}
+var cratesDryRunPublishTask = createCratesDryRunPublishTask();
+
 // src/tasks/jsr.ts
+import process8 from "node:process";
+import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter2 } from "@listr2/prompt-adapter-enquirer";
+import npmCli from "@npmcli/promise-spawn";
 var { open } = npmCli;
 var JsrAvailableError = class extends AbstractError {
   constructor(message, { cause } = {}) {
@@ -6012,7 +6187,7 @@ var jsrAvailableCheckTasks = {
       if (ctx.promptEnabled) {
         const maxAttempts = 3;
         for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-          JsrClient.token = await task.prompt(ListrEnquirerPromptAdapter).run({
+          JsrClient.token = await task.prompt(ListrEnquirerPromptAdapter2).run({
             type: "password",
             message: `Please enter the jsr ${color.bold("API token")}${attempt > 1 ? ` (attempt ${attempt}/${maxAttempts})` : ""}`,
             footer: `
@@ -6062,7 +6237,7 @@ Generate a token from ${color.bold(link2("jsr.io", "https://jsr.io/account/token
           )
         )).filter((v) => v !== null);
         if (searchResults.length > 0) {
-          jsrName = await task.prompt(ListrEnquirerPromptAdapter).run({
+          jsrName = await task.prompt(ListrEnquirerPromptAdapter2).run({
             type: "select",
             message: "Is there a scoped package you want to publish in the already published list?",
             choices: [
@@ -6080,7 +6255,7 @@ Generate a token from ${color.bold(link2("jsr.io", "https://jsr.io/account/token
         }
         const userName = await new Git().userName();
         task.output = "Select the scope of the package to publish";
-        jsrName = await task.prompt(ListrEnquirerPromptAdapter).run({
+        jsrName = await task.prompt(ListrEnquirerPromptAdapter2).run({
           type: "select",
           message: "jsr.json does not exist, and the package name is not scoped. Please select a scope for the 'jsr' package",
           choices: [
@@ -6108,7 +6283,7 @@ Generate a token from ${color.bold(link2("jsr.io", "https://jsr.io/account/token
         });
         if (jsrName === "specify") {
           while (!isScopedPackage(jsrName)) {
-            jsrName = await task.prompt(ListrEnquirerPromptAdapter).run({
+            jsrName = await task.prompt(ListrEnquirerPromptAdapter2).run({
               type: "input",
               message: "Package name"
             });
@@ -6176,7 +6351,7 @@ var jsrPublishTasks = {
 ${urls.map((url) => `  ${color.cyan(url)}`).join("\n")}`;
         open(urls[0]);
         for (let attempt = 1; attempt <= maxAttempts; attempt++) {
-          await task.prompt(ListrEnquirerPromptAdapter).run({
+          await task.prompt(ListrEnquirerPromptAdapter2).run({
             type: "input",
             message: `Press ${color.bold("enter")} after creating the package on jsr.io${attempt > 1 ? ` (attempt ${attempt}/${maxAttempts})` : ""}`
           });
@@ -6205,7 +6380,7 @@ ${jsr.packageCreationUrls.join("\n")}`
 // src/tasks/npm.ts
 import { spawn } from "node:child_process";
 import process9 from "node:process";
-import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter2 } from "@listr2/prompt-adapter-enquirer";
+import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter3 } from "@listr2/prompt-adapter-enquirer";
 import npmCli2 from "@npmcli/promise-spawn";
 var { open: open2 } = npmCli2;
 var NpmAvailableError = class extends AbstractError {
@@ -6217,7 +6392,6 @@ var NpmAvailableError = class extends AbstractError {
 };
 var npmAvailableCheckTasks = {
   title: "Checking npm avaliable for publising",
-  skip: (ctx) => !!ctx.preview,
   task: async (ctx, task) => {
     const npm = await npmRegistry();
     if (!await npm.isLoggedIn()) {
@@ -6280,6 +6454,14 @@ var npmAvailableCheckTasks = {
 More information: ${link2("npm naming rules", "https://github.com/npm/validate-npm-package-name?tab=readme-ov-file#naming-rules")}`
       );
     }
+    if (!ctx.promptEnabled) {
+      const tfaMode = await npm.twoFactorAuthMode();
+      if (tfaMode === "auth-and-writes") {
+        throw new NpmAvailableError(
+          `npm account has 2FA enabled for writes (auth-and-writes). CI publish will fail with EOTP. Use an automation token or configure granular access token at https://www.npmjs.com/package/${npm.packageName}/access`
+        );
+      }
+    }
   }
 };
 var npmPublishTasks = {
@@ -6295,7 +6477,7 @@ var npmPublishTasks = {
         const maxAttempts = 3;
         for (let attempt = 1; attempt <= maxAttempts; attempt++) {
           result = await npm.publish(
-            await task.prompt(ListrEnquirerPromptAdapter2).run({
+            await task.prompt(ListrEnquirerPromptAdapter3).run({
               type: "password",
               message: `npm OTP code${attempt > 1 ? ` (attempt ${attempt}/${maxAttempts})` : ""}`
             })
@@ -6329,8 +6511,64 @@ var npmPublishTasks = {
   }
 };
 
+// src/tasks/preflight.ts
+import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter4 } from "@listr2/prompt-adapter-enquirer";
+import { exec as exec6 } from "tinyexec";
+var PreflightError = class extends AbstractError {
+  constructor() {
+    super(...arguments);
+    __publicField(this, "name", "Preflight Error");
+  }
+};
+async function collectTokens(registries, task) {
+  const existing = loadTokensFromDb(registries);
+  const tokens = { ...existing };
+  for (const registry of registries) {
+    const config = TOKEN_CONFIG[registry];
+    if (!config || tokens[registry]) continue;
+    task.output = `Enter ${config.promptLabel}`;
+    const token = await task.prompt(ListrEnquirerPromptAdapter4).run({
+      type: "password",
+      message: `Enter ${config.promptLabel}`
+    });
+    tokens[registry] = token;
+    new Db().set(config.dbKey, token);
+  }
+  return tokens;
+}
+async function syncGhSecrets(tokens) {
+  for (const [registry, token] of Object.entries(tokens)) {
+    const config = TOKEN_CONFIG[registry];
+    if (!config) continue;
+    await exec6("gh", ["secret", "set", config.ghSecretName], {
+      throwOnError: true,
+      nodeOptions: { input: token }
+    });
+  }
+}
+async function promptGhSecretsSync(tokens, task) {
+  const shouldSync = await task.prompt(ListrEnquirerPromptAdapter4).run({
+    type: "toggle",
+    message: "Sync tokens to GitHub Secrets?",
+    enabled: "Yes",
+    disabled: "No"
+  });
+  if (shouldSync) {
+    task.output = "Syncing tokens to GitHub Secrets...";
+    try {
+      await syncGhSecrets(tokens);
+      task.output = "Tokens synced to GitHub Secrets.";
+    } catch (error) {
+      throw new PreflightError(
+        "Failed to sync tokens to GitHub Secrets. Ensure `gh` CLI is installed and authenticated (`gh auth login`).",
+        { cause: error }
+      );
+    }
+  }
+}
+
 // src/tasks/prerequisites-check.ts
-import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter3 } from "@listr2/prompt-adapter-enquirer";
+import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter5 } from "@listr2/prompt-adapter-enquirer";
 var PrerequisitesCheckError = class extends AbstractError {
   constructor(message, { cause } = {}) {
     super(message, { cause });
@@ -6350,7 +6588,7 @@ var prerequisitesCheckTask = (options) => {
         title: "Verifying current branch is a release branch",
         task: async (ctx, task) => {
           if (await git.branch() !== ctx.branch) {
-            const swtichBranch = await task.prompt(ListrEnquirerPromptAdapter3).run({
+            const swtichBranch = await task.prompt(ListrEnquirerPromptAdapter5).run({
               type: "toggle",
               message: `${warningBadge} The current HEAD branch is not the release target branch. Do you want to switch branch to ${ctx.branch}?`,
               enabled: "Yes",
@@ -6372,7 +6610,7 @@ var prerequisitesCheckTask = (options) => {
         task: async (_2, task) => {
           task.output = "Checking for updates with `git fetch`";
           if ((await git.dryFetch()).trim()) {
-            const fetch2 = await task.prompt(ListrEnquirerPromptAdapter3).run({
+            const fetch2 = await task.prompt(ListrEnquirerPromptAdapter5).run({
               type: "toggle",
               message: `${warningBadge} Local history is outdated. Do you want to run \`git fetch\`?`,
               enabled: "Yes",
@@ -6389,7 +6627,7 @@ var prerequisitesCheckTask = (options) => {
           }
           task.output = "Checking for updates with `git pull`";
           if (await git.revisionDiffsCount()) {
-            const pull = await task.prompt(ListrEnquirerPromptAdapter3).run({
+            const pull = await task.prompt(ListrEnquirerPromptAdapter5).run({
               type: "toggle",
               message: `${warningBadge} Local history is outdated. Do you want to run \`git pull\`?`,
               enabled: "Yes",
@@ -6411,7 +6649,7 @@ var prerequisitesCheckTask = (options) => {
         task: async (ctx, task) => {
           if (await git.status()) {
             task.output = "Local working tree is not clean.";
-            if (!await task.prompt(ListrEnquirerPromptAdapter3).run({
+            if (!await task.prompt(ListrEnquirerPromptAdapter5).run({
               type: "toggle",
               message: `${warningBadge} Local working tree is not clean. Do you want to skip?`,
               enabled: "Yes",
@@ -6436,7 +6674,7 @@ var prerequisitesCheckTask = (options) => {
             return void 0;
           }
           if ((await git.commits(latestTag, "HEAD")).length <= 0) {
-            if (!await task.prompt(ListrEnquirerPromptAdapter3).run({
+            if (!await task.prompt(ListrEnquirerPromptAdapter5).run({
               type: "toggle",
               message: `${warningBadge} No commits exist from the latest tag. Do you want to skip?`,
               enabled: "Yes",
@@ -6454,7 +6692,7 @@ var prerequisitesCheckTask = (options) => {
         task: async (ctx, task) => {
           const gitTag = `v${ctx.version}`;
           if (await git.checkTagExist(gitTag)) {
-            const deleteTag = await task.prompt(ListrEnquirerPromptAdapter3).run({
+            const deleteTag = await task.prompt(ListrEnquirerPromptAdapter5).run({
               type: "toggle",
               message: `${warningBadge} The Git tag '${gitTag}' already exists. Do you want to delete tag?`,
               enabled: "Yes",
@@ -6476,13 +6714,13 @@ var prerequisitesCheckTask = (options) => {
 };
 
 // src/tasks/required-conditions-check.ts
-import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter4 } from "@listr2/prompt-adapter-enquirer";
+import { ListrEnquirerPromptAdapter as ListrEnquirerPromptAdapter6 } from "@listr2/prompt-adapter-enquirer";
 
 // src/registry/custom-registry.ts
-import { exec as exec6 } from "tinyexec";
+import { exec as exec7 } from "tinyexec";
 var CustomRegistry = class extends NpmRegistry {
   async npm(args) {
-    const { stdout } = await exec6(
+    const { stdout } = await exec7(
       "npm",
       args.concat("--registry", this.registry),
       { throwOnError: true }
@@ -6584,7 +6822,7 @@ var requiredConditionsCheckTask = (options) => createListr({
               task: async (_3, task) => {
                 const jsr = await jsrRegistry();
                 if (!await jsr.isInstalled()) {
-                  const install = await task.prompt(ListrEnquirerPromptAdapter4).run({
+                  const install = await task.prompt(ListrEnquirerPromptAdapter6).run({
                     type: "toggle",
                     message: `${warningBadge} jsr is not installed. Do you want to install jsr?`,
                     enabled: "Yes",
@@ -6718,14 +6956,66 @@ async function collectPublishTasks(ctx) {
   }
   return collectRegistries(ctx).map(registryTask);
 }
+function dryRunRegistryTask(registry) {
+  switch (registry) {
+    case "npm":
+      return npmDryRunPublishTask;
+    case "jsr":
+      return jsrDryRunPublishTask;
+    case "crates":
+      return cratesDryRunPublishTask;
+    default:
+      return npmDryRunPublishTask;
+  }
+}
+async function collectDryRunPublishTasks(ctx) {
+  if (ctx.packages?.length) {
+    const nonCratesTasks = ctx.packages.flatMap(
+      (pkg) => pkg.registries.filter((reg) => reg !== "crates").map((reg) => dryRunRegistryTask(reg))
+    );
+    const cratesPaths = ctx.packages.filter((pkg) => pkg.registries.includes("crates")).map((pkg) => pkg.path);
+    if (cratesPaths.length === 0) {
+      return nonCratesTasks;
+    }
+    const sortedPaths = await sortCratesByDependencyOrder(cratesPaths);
+    const sequentialCratesTask = {
+      title: "Dry-run crates.io publish (sequential)",
+      task: (_ctx, task) => task.newListr(
+        sortedPaths.map((p) => createCratesDryRunPublishTask(p)),
+        { concurrent: false }
+      )
+    };
+    return [...nonCratesTasks, sequentialCratesTask];
+  }
+  return collectRegistries(ctx).map(dryRunRegistryTask);
+}
 async function run(options) {
   const ctx = {
     ...options,
     promptEnabled: !isCI2 && process10.stdin.isTTY
   };
+  let cleanupEnv;
   try {
     if (options.contents) process10.chdir(options.contents);
-    if (!options.publishOnly) {
+    if (options.preflight) {
+      await createListr({
+        title: "Collecting registry tokens",
+        task: async (ctx2, task) => {
+          const registries2 = collectRegistries(ctx2);
+          const tokens = await collectTokens(registries2, task);
+          await promptGhSecretsSync(tokens, task);
+          cleanupEnv = injectTokensToEnv(tokens);
+          ctx2.promptEnabled = false;
+        }
+      }).run(ctx);
+      await prerequisitesCheckTask({
+        skip: options.skipPrerequisitesCheck
+      }).run(ctx);
+      await requiredConditionsCheckTask({
+        skip: options.skipConditionsCheck
+      }).run(ctx);
+    }
+    if (!options.publishOnly && !options.preflight) {
       await prerequisitesCheckTask({
         skip: options.skipPrerequisitesCheck
       }).run(ctx);
@@ -6739,14 +7029,55 @@ async function run(options) {
         task: async (ctx2, parentTask) => parentTask.newListr(await collectPublishTasks(ctx2), {
           concurrent: true
         })
-      } : [
+      } : options.preflight ? [
+        {
+          skip: options.skipTests,
+          title: "Running tests",
+          task: async (ctx2) => {
+            const packageManager = await getPackageManager();
+            try {
+              await exec8(packageManager, ["run", ctx2.testScript], {
+                throwOnError: true
+              });
+            } catch (error) {
+              throw new AbstractError(
+                `Test script '${ctx2.testScript}' failed. Run \`${packageManager} run ${ctx2.testScript}\` locally to see full output.`,
+                { cause: error }
+              );
+            }
+          }
+        },
+        {
+          skip: options.skipBuild,
+          title: "Building the project",
+          task: async (ctx2) => {
+            const packageManager = await getPackageManager();
+            try {
+              await exec8(packageManager, ["run", ctx2.buildScript], {
+                throwOnError: true
+              });
+            } catch (error) {
+              throw new AbstractError(
+                `Build script '${ctx2.buildScript}' failed. Run \`${packageManager} run ${ctx2.buildScript}\` locally to see full output.`,
+                { cause: error }
+              );
+            }
+          }
+        },
+        {
+          title: "Validating publish (dry-run)",
+          task: async (ctx2, parentTask) => parentTask.newListr(await collectDryRunPublishTasks(ctx2), {
+            concurrent: true
+          })
+        }
+      ] : [
         {
           skip: options.skipTests,
           title: "Running tests",
           task: async (ctx2) => {
             const packageManager = await getPackageManager();
             try {
-              await exec7(packageManager, ["run", ctx2.testScript], {
+              await exec8(packageManager, ["run", ctx2.testScript], {
                 throwOnError: true
               });
             } catch (error) {
@@ -6763,7 +7094,7 @@ async function run(options) {
           task: async (ctx2) => {
             const packageManager = await getPackageManager();
             try {
-              await exec7(packageManager, ["run", ctx2.buildScript], {
+              await exec8(packageManager, ["run", ctx2.buildScript], {
                 throwOnError: true
               });
             } catch (error) {
@@ -6888,13 +7219,24 @@ ${repositoryUrl}/compare/${lastRev}...${latestTag}`;
         parts.push(`${color.bold(name)} on ${color.red("crates.io")}`);
       }
     }
-    console.log(
-      `
+    if (options.preflight) {
+      cleanupEnv?.();
+      console.log(
+        `
+
+\u2705 Preflight check passed. CI publish should succeed for ${parts.join(", ")}.
+`
+      );
+    } else {
+      console.log(
+        `
 
 \u{1F680} Successfully published ${parts.join(", ")} ${color.blueBright(`v${ctx.version}`)} \u{1F680}
 `
-    );
+      );
+    }
   } catch (e2) {
+    cleanupEnv?.();
     consoleError(e2);
     await rollback();
     process10.exit(1);