@varlock/bumpy v1.13.2

• #101 (patch) - Harden the publish flow for two failure modes hit when releasing brand-new packages via GitHub Actions + npm trusted publishing (OIDC).
  • Detect the new-package case before any side effects. When OIDC is the only available auth path (no NPM_TOKEN/NODE_AUTH_TOKEN, no .npmrc auth), bumpy now checks the npm registry up front and emits a clear error directing the user to publish a 0.0.0 placeholder before merging — instead of failing partway through with stranded GitHub draft releases and remote tags. The check is skipped when a token fallback is present, so users who enable id-token: write for provenance attestations alongside token auth are unaffected.
  • Replace blanket git push --tags after publish with per-tag force push. gh release create --draft --target SHA creates the tag on the remote at draft-creation time; if a prior publish failed and HEAD has since moved, the remote tag is stale and git push --tags rejects with "already exists". The new logic iterates releasePlan.releases minus failed packages and force-pushes each tag individually, preserving the anySucceeded-aware semantics already used for local tag movement — packages whose targets all succeeded in a prior run are stripped upstream and their tags stay at the SHA the artifact was actually published from.

Published to

• ✅ npm

@varlock/bumpy v1.13.1

• #99 (patch) - Fix scrolling in bumpy add when there are many packages. The interactive bump-select prompt now renders a viewport that fits within the terminal, scrolling the package list (with ▲ N more / ▼ N more indicators) as the cursor moves. Previously, when the list exceeded terminal height, navigating up would snap the cursor back to the bottom because the redraw cursor-up lost its anchor once content scrolled off-screen. Closes #96.

Published to

• ✅ npm

@varlock/bumpy v1.13.0

• #97 (minor) - Recommend pull_request_target for the bumpy ci check workflow so fork PRs receive release-plan comments. Previously, fork PRs running under pull_request got a read-only token, so the check would fail red with no helpful comment — a bad first impression for OSS projects. bumpy ci check now recognizes the pull_request_target event when reading the PR number from GITHUB_EVENT_PATH, and emits a clearer warning that links to the new docs when comment posting fails on a fork PR. See the updated GitHub Actions docs for the new workflow (the version is resolved from the base branch's package.json, so no version pinning duplication).

Published to

• ✅ npm

@varlock/bumpy v1.12.0

• #94 (minor) - Detect catalog entry changes as package changes. When a catalog version in pnpm-workspace.yaml (pnpm) or root package.json (bun/yarn catalog/catalogs, plus workspaces.catalog/workspaces.catalogs) is modified, bumpy add and bumpy check now flag every package that references the changed entry via catalog: / catalog:<name> as changed. Closes #92.

Published to

• ✅ npm

@varlock/bumpy v1.11.0

• #91 (minor) - Add --expect-mode flag to bumpy ci release for asserting the detected release mode (version-pr or publish). Enables split-job release workflows where each job fails loudly if the runtime state doesn't match what the job expects. Refactored ReleaseOptions to rename the existing mode field to autoPublish: boolean and add assertMode. --expect-mode and --auto-publish cannot be combined.

Published to

• ✅ npm

@varlock/bumpy v1.10.2

• #89 (patch) - Always show bump type label on each changelog item instead of only when it differs from the release type

Published to

• ✅ npm

@varlock/bumpy v1.10.1

• #87 - Fix draft release functions (createDraftRelease, updateReleaseBody, finalizeRelease, deleteRelease) to use BUMPY_GH_TOKEN via withReleaseToken so that GitHub release events trigger downstream workflows. Also disables npm staged publishing (not yet ready) and removes the npm upgrade step from the release workflow.

Published to

• ✅ npm

@varlock/bumpy v1.10.0

• #84 (minor) - feat: publish recovery with draft GitHub releases and removal of aggregate release mode
• #85 - Use BUMPY_GH_TOKEN for GitHub release creation so releases trigger downstream workflows. Also adds token redaction to error messages in withPatToken and the new withReleaseToken helper to prevent leakage in CI logs.

Published to

• ✅ npm

@varlock/bumpy v1.9.0

• #76 (minor) - Add npmStaged publish config option for npm staged publishing (npm stage publish), which stages packages on npmjs.com requiring manual 2FA approval before going live.

@varlock/bumpy v1.8.1

• #74 - Fix git push auth in CI by using remote URL token embedding instead of extraheader approach, which doesn't work with actions/checkout@v6
• #73 - Fix git tag push auth using http.extraheader; recover deleted bump files for GitHub release notes in post-merge publish flow