Releases: dmno-dev/bumpy

@varlock/bumpy v1.18.0

26 Jun 05:41
13ab7cb

  • #142 (minor)
    Add a pull_request + workflow_run option for commenting on fork PRs, so the privileged half never touches fork code. bumpy ci check --emit-comment <dir> renders the release-plan comment to <dir>/comment.md for upload as an artifact, and a new bumpy ci comment --body-file <path> posts it from a workflow_run job. The target PR is resolved from the trusted workflow_run event (head_sha), never from the (untrusted) artifact.

  • #133 (minor)
    Add snapshot releases — transient, one-off preview publishes for private packages (the private-registry counterpart to pkg.pr.new).

    bumpy publish --snapshot <name> computes the pending release plan, derives a unique prerelease version per package (e.g. 1.4.0-pr-123-a1b2c3d), exact-pins in-plan internal deps, publishes to a non-latest dist-tag (default: the snapshot name), then restores the working tree. It never consumes bump files, writes changelogs, commits, creates git tags, or makes GitHub releases. bumpy ci release --snapshot <name> runs the whole thing and, on a PR, posts/updates a comment with the published versions and install instructions. Requires pending bump files; mutually exclusive with --channel.

    Version uniqueness is configurable via the new snapshot.versionStrategy option: "sha" (default — <target>-<name>-<short-sha>, idempotent per commit so re-runs skip) or "timestamp". Consumers install via the dist-tag regardless, so the exact version string is just an implementation detail.
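
The target-resolution rule from #142 above, as an added example (not bumpy's own code): the PR to comment on is matched against `workflow_run.head_sha`, and the fork-built artifact contributes only the comment text. `resolveTargetPr`, the sample payloads and the body cap are assumptions made for illustration.

```javascript
// Added example; resolveTargetPr is a hypothetical helper, not bumpy's implementation.
const MAX_COMMENT_CHARS = 65536; // assumed cap applied to the untrusted comment body

function resolveTargetPr(event, openPrs, artifact) {
  const run = event.workflow_run;
  if (!run || run.event !== 'pull_request') {
    throw new Error('expected a workflow_run triggered by pull_request');
  }
  // Trusted input: head_sha is set by GitHub in the event payload.
  const matches = openPrs.filter((pr) => pr.head.sha === run.head_sha);
  if (matches.length !== 1) {
    throw new Error(`expected one open PR at ${run.head_sha}, found ${matches.length}`);
  }
  // Untrusted input: the artifact supplies text only, never the target PR.
  const body = String(artifact.body).slice(0, MAX_COMMENT_CHARS);
  return { prNumber: matches[0].number, body };
}

// Constructed sample data (not real payloads).
const sampleEvent = { workflow_run: { event: 'pull_request', head_sha: 'a1b2c3d4' } };
const sampleOpenPrs = [
  { number: 7, head: { sha: '0f0f0f0f' } },
  { number: 57, head: { sha: 'a1b2c3d4' } },
];
// The artifact claims a different PR number; that field is never read.
const sampleArtifact = { prNumber: 7, body: '## Release plan\n- pkg-a: minor' };

console.log(resolveTargetPr(sampleEvent, sampleOpenPrs, sampleArtifact).prNumber);
```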

@varlock/bumpy v1.17.0

25 Jun 06:43
4f1b5b6

  • #138 (minor)
    Added a global --cwd <dir> flag that runs bumpy as if it were started in <dir>. This makes the pull_request_target PR-check workflow safe against a previously-undocumented attack: a fork PR could commit a bunfig.toml/.npmrc that redirected where bunx @varlock/bumpy itself was fetched from (swapping in a malicious package at the pinned version). The recommended workflow now fetches and runs bumpy from a trusted base checkout and points it at the untrusted PR tree with --cwd ./pr, so package-manager config in the PR can no longer influence how bumpy is obtained.
  • #140 (patch)
    bumpy ci check now fails when it runs under pull_request_target without an explicit --cwd, pointing users at the two-checkout workflow. Pass --cwd . to acknowledge an already-trusted checkout. Marked none because it's part of the --cwd feature already shipping in this release.

@varlock/bumpy v1.16.1

25 Jun 01:18
22c16f3

  • #136 (patch)
    Fixed GitHub release notes coming up empty (No changelog entries.) when the publish ran several commits after the version commit — e.g. a retry after the first publish was blocked and unrelated fixes landed on main. Bump-file recovery assumed the version commit was always HEAD~1..HEAD; it now locates the most recent commit that actually deleted bump files and recovers their content from that commit's parent, so release notes are populated regardless of how far HEAD has moved past versioning.

@varlock/bumpy v1.16.0

23 Jun 22:55
5b9f1c6

  • #131 (minor)
    Added a $changelog: false reserved frontmatter key for bump files, which omits a file's body from the changelog and release notes while still applying its version bump. Clearer than relying on a blank body, and lets you keep notes for reviewers. A per-package changelog: false option in the nested form suppresses the entry for just some of a file's packages.

@varlock/bumpy v1.15.2

23 Jun 15:49
b823f13

  • #129 (patch)
    Degrade the version PR body when it would exceed GitHub's 65536-character limit (which previously failed the release for large multi-package releases). The body now drops inline change summaries — and hard-truncates as a last resort — instead of erroring.

@varlock/bumpy v1.15.1

22 Jun 18:24
6411dcd

  • #127 (patch)
    Streamline agent skill distribution and remove the bumpy ai command.

    The canonical add-change skill now lives at the repo root (skills/) as a single source of truth and is synced into the package on prepack (gitignored copy), so it ships version-pinned in the npm tarball and via the Claude Code plugin (claude plugin install @varlock/bumpy).

    The bumpy ai setup command has been removed. Its file-copying targets (opencode, cursor, codex) duplicated the skill into tool-specific directories that drifted from the canonical copy — and had silently been broken in the published package — while the claude target was a thin wrapper around claude plugin install. Install the skill via the Claude Code plugin, or reference the bundled SKILL.md directly from node_modules/@varlock/bumpy/skills/add-change/SKILL.md.

@varlock/bumpy v1.15.0

18 Jun 22:27
5041dac

  • #120 (minor)
    Change detection is now package.json-field-aware: when package.json is the only changed file in a package, bumpy diffs it against the base branch and only requires a bump file if a publish-affecting field changed. The new ignoredPackageJsonFields option (default ["devDependencies"]) controls which fields are ignored, so a dev-only dependency bump (e.g. Dependabot) no longer requires a bump file — unless the changed dep matches the package's releaseTriggeringDevDeps.

    ci check no longer posts a "you're good to go" comment while exiting 1. When the check fails because changed packages have no bump file, the comment now matches the failing status, lists the uncovered packages, and points at an empty bump file (bumpy add --empty) to acknowledge an intentional no-release.

    Add a per-package releaseTriggeringDevDeps option: names/globs of devDependencies that affect a package's published output (most often because they're bundled in). A change to one requires a release, and a listed internal workspace dep's own releases cascade with a patch bump — shorthand for a cascadeFrom rule of { trigger: 'patch', bumpAs: 'patch' }.

  • #122 (patch)
    Changelog entries now use a block layout when a summary is multi-line, long (>120 chars), or contains markdown block syntax (headings, lists, blockquotes, code fences, tables). In those cases the entry metadata (*(type)*, PR link, "Thanks @user!") goes on its own line and the summary is rendered indented below it, instead of being jammed onto the same line. Short single-line summaries are unchanged and stay inline. Internal blank lines in a summary are now preserved so markdown paragraphs and lists render correctly. Applies to both the default and github formatters.

  • #124 (patch)
    Label and link npm targets published to GitHub Packages correctly. Packages publishing to a GitHub Packages registry (npm.pkg.github.com) were labelled npm in the GitHub release notes and bumpy status/bumpy ci plan output, with a "Published to" badge linking to a non-existent npmjs.com page (404). The configured registry is now honoured: such targets are labelled GitHub Packages and link to the package page under the repo (https://github.com/<owner>/<repo>/pkgs/npm/<name>), resolving the repo from the package's repository field or GITHUB_REPOSITORY. Other custom/private registries no longer emit a dead npmjs.com link. buildPublishUrl now honours its registry argument (previously the unused _registry param).

  • #125 (patch)
    Fix changed-package detection in single-package (non-monorepo) repos. Both findChangedPackages (used by check/ci check) and mapFilesToPackages (used by generate) matched changed files against pkgRelDir + '/', but for the root package the relative dir is empty, so the check became file.startsWith('/') — always false for git's relative paths. As a result ci check always reported "No managed packages have changed" (never requiring a bump file or posting a PR comment) and generate never attributed commits to the root package. The root package (empty relative dir) now treats every changed file as belonging to it, while still honoring changedFilePatterns.

  • #118 (patch)
    Stream buildCommand/publishCommand output live to the parent process and surface the child's real failure reason. Custom publish commands (vsce, ovsx, anything bespoke) previously ran through a buffering runner that discarded stdout and never streamed output, so a failure like an expired marketplace token produced only a generic Command failed wrapper with no usable cause in CI logs. These commands now run through a streaming runner (spawn with piped+teed stdio) that prints output as it happens and includes both stdout and stderr in the thrown error. The capturing runAsync/runArgsAsync helpers (still used for internal git/npm calls whose output is parsed) also now include stdout in their error messages.
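
The root-package matching bug described in #125 above, shown before and after as an added example (not bumpy's source). The function names, the `matches` predicate standing in for changedFilePatterns, and the sample repos are assumptions made for illustration.

```javascript
// Added example; these helpers are hypothetical, not bumpy's source.

// Before: the root package has relDir '', so the prefix becomes '/',
// which never matches git's relative paths.
function belongsToBuggy(file, pkgRelDir) {
  return file.startsWith(pkgRelDir + '/');
}

// After: an empty relDir (root package) owns every changed file.
function belongsTo(file, pkgRelDir) {
  return pkgRelDir === '' || file.startsWith(pkgRelDir + '/');
}

// Names of packages with at least one changed file; the optional `matches`
// predicate stands in for changedFilePatterns.
function findChanged(files, packages, belongs) {
  return packages
    .filter((pkg) =>
      files.some((f) => belongs(f, pkg.relDir) && (pkg.matches ? pkg.matches(f) : true)))
    .map((pkg) => pkg.name);
}

// Constructed sample repos.
const singleRepo = [{ name: 'my-lib', relDir: '' }];
const filteredRepo = [{ name: 'my-lib', relDir: '', matches: (f) => f.startsWith('src/') }];
const monorepo = [
  { name: 'a', relDir: 'packages/a' },
  { name: 'ab', relDir: 'packages/ab' },
];

console.log(findChanged(['src/index.ts'], singleRepo, belongsToBuggy)); // root package missed
console.log(findChanged(['src/index.ts'], singleRepo, belongsTo));
```

The trailing `/` in the prefix still matters for nested packages: it keeps `packages/ab/index.ts` from being attributed to `packages/a`.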

@varlock/bumpy v1.14.0

13 Jun 02:30
0a9292c

  • (minor) - Add prerelease channels — branch-based prerelease lines (e.g. next@next dist-tag) where prerelease versions are never committed to git. Targets derive from bump files, counters from the registry; shipped bump files are tracked by moving them into .bumpy/<channel>/. Includes channel-aware version / publish / status / ci release flows, exact-pinned lockstep cycle publishes, and promotion-by-merge to stable.
  • #115 (patch) - When a prerelease cycle is promoted (channel → main) or graduated (channel → channel), any lingering release PR on the source channel is now closed automatically with an explanatory comment — merging it would have offered another prerelease of a cycle that already moved on.
  • #110 (patch) - ci check now reads bump files in channel directories, so promotion PRs (channel → main) and graduation PRs (channel → channel) correctly report the cycle's pending releases instead of failing with "no bump files found". Channel-dir bump files render with their subdir path (next/feature.md) so view/edit links resolve.
  • (patch) - Channel release PR titles and bodies now show deterministic versions: targets with a wildcard counter (1.2.0-rc.x) derived purely from committed state, instead of registry-derived counters that could drift between PR creation and publish. Multi-package cycles show a package count in the title instead of an arbitrary lead package. The PR check comment and version output use the same .x wildcard; status / ci plan still show live registry-derived counters (.? when offline).
  • #110 (patch) - The PR check comment now explicitly calls out promotion PRs (channel → stable): the headline explains that merging ends the prerelease cycle and ships stable, and bump files that already shipped on a channel are annotated with their dist-tag (e.g. next/feature.md (shipped on @next)).

@varlock/bumpy v1.14.0-rc.1

12 Jun 22:52
4c4490b

Pre-release
  • #104 (minor) - Add prerelease channels — branch-based prerelease lines (e.g. next@next dist-tag) where prerelease versions are never committed to git. Targets derive from bump files, counters from the registry; shipped bump files are tracked by moving them into .bumpy/<channel>/. Includes channel-aware version / publish / status / ci release flows, exact-pinned lockstep cycle publishes, and promotion-by-merge to stable.
  • #107 (patch) - Channel release PR titles and bodies now show deterministic versions: targets with a wildcard counter (1.2.0-rc.x) derived purely from committed state, instead of registry-derived counters that could drift between PR creation and publish. Multi-package cycles show a package count in the title instead of an arbitrary lead package. The PR check comment and version output use the same .x wildcard; status / ci plan still show live registry-derived counters (.? when offline).

@varlock/bumpy v1.14.0-rc.0

12 Jun 22:08
3124ce7

Pre-release
  • #104 (minor) - Add prerelease channels — branch-based prerelease lines (e.g. next@next dist-tag) where prerelease versions are never committed to git. Targets derive from bump files, counters from the registry; shipped bump files are tracked by moving them into .bumpy/<channel>/. Includes channel-aware version / publish / status / ci release flows, exact-pinned lockstep cycle publishes, and promotion-by-merge to stable.
