zx-bulk-release 3.1.7 → 3.1.8

package/CHANGELOG.md

@@ -1,3 +1,8 @@
+## [3.1.8](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.7...v3.1.8) (2026-04-13)
+
+### Fixes & improvements
+* perf: minor internal code imprs ([f3f0aae](https://github.com/semrel-extra/zx-bulk-release/commit/f3f0aae2e7dc4045a6573a8e270acdf6a3d983d8))
+
 ## [3.1.7](https://github.com/semrel-extra/zx-bulk-release/compare/v3.1.6...v3.1.7) (2026-04-13)
 
 ### Fixes & improvements

package/README.md

@@ -46,7 +46,7 @@ GH_TOKEN=ghtoken GH_USER=username NPM_TOKEN=npmtoken npx zx-bulk-release [opts]
 |------------------------------|---------------------------------------------------------------------------------------------------|------------------|
 | `--receive`                  | Consume rebuild signal, analyze, preflight. Writes `zbr-context.json`. Run before deps install.  |                  |
 | `--pack [dir]`               | Pack only: build, test, and write delivery tars to `dir`. No credentials needed.                  | `parcels`        |
-| `--verify [dir]`             | Verify untrusted parcels against context, copy valid ones to `parcels/`. Use `--context` for path. | `parcels`       |
+| `--verify [in:out]`          | Verify untrusted parcels against context, copy valid ones to output dir. Use `--context` for path. | `parcels:parcels` |
 | `--context <path>`           | Path to trusted `zbr-context.json` (used with `--verify`).                                       | `zbr-context.json` |
 | `--deliver [dir]`            | Deliver only: read tars from `dir` and run delivery channels. No source code needed.              | `parcels`        |
 | `--ignore`                   | Packages to ignore: `a, b`                                                                        |                  |
@@ -181,7 +181,7 @@ jobs:
           path: parcels-unverified/
 
       # verify — validate untrusted parcels against trusted context
-      - run: npx zx-bulk-release --verify parcels-unverified/
+      - run: npx zx-bulk-release --verify parcels-unverified/:parcels/
 
       # deliver — only verified parcels
       - run: npx zx-bulk-release --deliver
@@ -381,7 +381,7 @@ Each step has a uniform signature `(pkg, ctx)`:
 - **`preflight`** — checks tag availability on remote, re-resolves version on conflict, skips duplicates.
 - **`build`** — runs `buildCmd` (with dep traversal and optional npm artifact fetch).
 - **`test`** — runs `testCmd`.
-- **`pack`** — stages delivery artifacts into self-describing tar containers (`npm pack`, docs copy, assets, release notes). Each tar is named `parcel.{sha7}.{channel}.{tag}.{hash6}.tar` and contains a `manifest.json` with channel name, delivery instructions, and template credentials (`${{ENV_VAR}}`). A directive meta-parcel is also generated, listing all parcels and their delivery steps. After this step, everything the courier needs is outside the project dir.
+- **`pack`** — stages delivery artifacts into self-describing tar containers (`npm pack`, docs copy, assets, release notes). Each tar is named `parcel.{sha7}.{channel}.{name}.{version}.{hash6}.tar` and contains a `manifest.json` with channel name, delivery instructions, and template credentials (`${{ENV_VAR}}`). A directive meta-parcel is also generated, listing all parcels and their delivery steps. After this step, everything the courier needs is outside the project dir.
 - **`publish`** — hands tars to courier's `deliver()`, runs `cmd` channel separately. Tag push is handled by the `git-tag` channel.
 - **`clean`** — restores `package.json` files and unsets git user config.
 
@@ -397,13 +397,13 @@ Set `config.releaseRules` to override the default rules preset:
 ### Tar containers
 Each delivery artifact is a self-describing tar archive:
 ```
-parcel.{sha7}.{channel}.{tag}.{hash6}.tar
+parcel.{sha7}.{channel}.{name}.{version}.{hash6}.tar
   manifest.json    — channel name, delivery params, template credentials
   package.tgz     — (npm channel) npm tarball
   assets/          — (gh-release channel) release assets
   docs/            — (gh-pages channel) documentation files
 ```
-The `sha7` prefix groups all parcels of one commit. The `hash6` suffix is a content hash for deduplication — two builds of the same commit producing identical content yield the same filename (last-writer-wins), while different content gets a different hash.
+The `sha7` prefix groups all parcels of one commit. `name` is the sanitized package name (`@scope/pkg` → `scope-pkg`). The `hash6` suffix is a content hash for deduplication — two builds of the same commit producing identical content yield the same filename (last-writer-wins), while different content gets a different hash.
 
 A **directive** meta-parcel (`parcel.{sha7}.directive.{ts}.tar`) is generated alongside regular parcels. It contains the complete delivery map: package queue, per-package channel steps, and an authoritative list of parcel filenames. The directive enables coordinated delivery — see [DELIVER_SPEC.md](./DELIVER_SPEC.md).
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "zx-bulk-release",
   "alias": "bulk-release",
-  "version": "3.1.7",
+  "version": "3.1.8",
   "description": "zx-based alternative for multi-semantic-release",
   "type": "module",
   "exports": {

package/src/main/js/post/api/git.js

@@ -1,10 +1,10 @@
-export const DEFAULT_GIT_COMMITTER_NAME  = 'Semrel Extra Bot'
-export const DEFAULT_GIT_COMMITTER_EMAIL = 'semrel-extra-bot@hotmail.com'
-
 import {$, fs, path, tempy, copy} from 'zx-extra'
 import {log} from '../log.js'
 import {attempt2, attempt3, memoizeBy} from '../../util.js'
 
+export const DEFAULT_GIT_COMMITTER_NAME  = 'Semrel Extra Bot'
+export const DEFAULT_GIT_COMMITTER_EMAIL = 'semrel-extra-bot@hotmail.com'
+
 export const fetchRepo = memoizeBy(async ({cwd: _cwd, branch, origin: _origin, basicAuth}) => {
   if (!_origin && !_cwd) throw new Error('fetchRepo requires either origin or cwd')
   const origin = _origin || (await getRepo(_cwd, {basicAuth})).repoAuthedUrl

package/src/main/js/post/api/npm.js

@@ -3,8 +3,9 @@ import _fs from 'node:fs/promises'
 import _path from 'node:path'
 import tar from 'tar-stream'
 import {Readable} from 'node:stream'
-import {log} from '../log.js'
 import {$, semver, fs, INI, fetch, tempy} from 'zx-extra'
+
+import {log} from '../log.js'
 import {attempt2, memoizeBy} from '../../util.js'
 
 const FETCH_TIMEOUT_MS = 15_000

package/src/main/js/post/tar.js

@@ -1,8 +1,7 @@
 import tar from 'tar-stream'
 import crypto from 'node:crypto'
-import {fs, path} from 'zx-extra'
 import {pipeline} from 'node:stream/promises'
-import {createWriteStream, createReadStream} from 'node:fs'
+import {fs, path} from 'zx-extra'
 
 export const packTar = async (tarPath, manifest, files = []) => {
   await fs.ensureDir(path.dirname(tarPath))
@@ -20,13 +19,13 @@ export const packTar = async (tarPath, manifest, files = []) => {
   }
 
   pack.finalize()
-  await pipeline(pack, createWriteStream(tarPath))
+  await pipeline(pack, fs.createWriteStream(tarPath))
   return tarPath
 }
 
 export const hashFile = async (filePath) => {
   const hash = crypto.createHash('sha1')
-  await pipeline(createReadStream(filePath), hash)
+  await pipeline(fs.createReadStream(filePath), hash)
   return hash.digest('hex').slice(0, 6)
 }
 
@@ -68,7 +67,7 @@ export const unpackTar = async (tarPath, destDir) => {
     extract.on('error', reject)
   })
 
-  await pipeline(createReadStream(tarPath), extract)
+  await pipeline(fs.createReadStream(tarPath), extract)
   await done
   return {manifest, dir: destDir}
 }

package/src/test/js/utils/mock.js

@@ -19,7 +19,7 @@ function proc(stdout = '', code = 0) {
   return p
 }
 
-export function createMock(responses = []) {
+export function createSpawnMock(responses = []) {
   const calls = []
   const spawn = (cmd, args) => {
     const command = args?.[args.length - 1] || cmd