Snapshot releases for private packages #133

Open: theoephraim wants to merge 3 commits into main from claude/dreamy-wright-9af379

@theoephraim

Closes #126.

Adds snapshot releases — transient, one-off preview publishes for private packages. This is the private-registry counterpart to pkg.pr.new, which can't serve private packages because it publishes to its own public storage. Anyone shipping private packages already has a registry, so snapshots just publish the pending release to it under a throwaway dist-tag.

What it does

```
bumpy publish --snapshot pr-123          # → @smoke/a@1.4.0-pr-123-a1b2c3d on @pr-123
bumpy ci release --snapshot pr-123       # same + posts install instructions on the PR
```

Computes the pending release plan → derives a unique prerelease version per package → exact-pins in-plan internal deps → writes versions into the working tree → publishes to a non-latest dist-tag (default: the snapshot name) → restores the tree.

It never consumes bump files, writes changelogs, commits, creates git tags, or makes GitHub releases. Built on the existing channel transient-rewrite machinery (writeTransientVersionsInPlace, renamed from writeChannelVersionsInPlace since both flows share it).

Design notes

  • Strict: requires pending bump files — a snapshot previews exactly the release you've planned. With nothing to release it's a clear no-op.
  • --snapshot and --channel are mutually exclusive — distinct release models.
  • Version strategy (snapshot.versionStrategy): "sha" (default — idempotent per commit, so re-runs on the same commit skip) or "timestamp". Consumers install via the dist-tag regardless, so the version string is just an implementation detail.
  • CI comment uses its own marker so it doesn't clobber the release-plan comment.
  • Forks can't publish/comment (read-only token, no secrets) — expected for private packages; documented.

Docs

  • New ## Snapshot releases and ## pkg.pr.new (public packages) sections in docs/prereleases.md (page retitled "Prereleases & Snapshots"), the latter with the GitHub-App install step + an example workflow.
  • Updated docs/cli.md and docs/configuration.md.

Tests

21 new unit tests for name sanitization, version derivation, idempotency-skip, and plan building. Full suite green (374 pass), typecheck + lint clean.

Verified end-to-end in a scratch repo: mutual-exclusion error, strict no-op with no bump files, and a dry-run producing @smoke/a@1.1.0-pr-1-160d074 on @pr-1 with no tag/commit.
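
The flow outlined in the PR description above (derive a per-package prerelease version, exact-pin in-plan internal deps, publish under a non-`latest` dist-tag), as an added example; it is not part of the PR and not bumpy's code. The function names, the sanitization rules and the sample plan are assumptions; only the `<version>-<name>-<short sha>` shape comes from the examples in the description.

```javascript
// Added illustration, not bumpy's source; all helper names are hypothetical.
const DEP_FIELDS = ["dependencies", "devDependencies", "peerDependencies", "optionalDependencies"];

// Make the name usable as both a semver prerelease identifier and an npm dist-tag.
function sanitizeSnapshotName(raw) {
  const name = String(raw)
    .replace(/[^0-9A-Za-z-]+/g, "-") // semver prerelease identifiers allow only [0-9A-Za-z-]
    .replace(/-+/g, "-")
    .replace(/^-|-$/g, "");
  if (!name) throw new Error("snapshot name is empty after sanitization");
  // A snapshot must never move the tag that a plain `npm install` resolves.
  if (name.toLowerCase() === "latest") throw new Error('snapshot must not publish to "latest"');
  // npm rejects dist-tags that parse as semver ranges; avoid digit or v+digit starts.
  if (/^v?\d/i.test(name)) throw new Error(`"${name}" could be read as a version range`);
  return name;
}

// "sha" strategy: same commit gives the same version, so a re-run can be skipped.
function snapshotVersion(nextVersion, name, commitSha) {
  if (!/^[0-9a-f]{7,40}$/i.test(commitSha)) throw new Error("expected a hex commit SHA");
  return `${nextVersion}-${name}-${commitSha.slice(0, 7).toLowerCase()}`;
}

// plan: [{ manifest, nextVersion }], where manifest is a parsed package.json.
function buildSnapshotManifests(plan, rawName, commitSha) {
  const tag = sanitizeSnapshotName(rawName);
  const versions = new Map(
    plan.map((p) => [p.manifest.name, snapshotVersion(p.nextVersion, tag, commitSha)])
  );
  const manifests = plan.map(({ manifest }) => {
    const out = JSON.parse(JSON.stringify(manifest)); // copy; the input is left untouched
    out.version = versions.get(manifest.name);
    for (const field of DEP_FIELDS) {
      for (const dep of Object.keys(out[field] ?? {})) {
        // Exact pin: consumers of the snapshot get the sibling built from the same commit.
        if (versions.has(dep)) out[field][dep] = versions.get(dep);
      }
    }
    return out;
  });
  return { tag, manifests };
}

// Constructed sample plan (package names, versions and SHA are made up).
const samplePlan = [
  { nextVersion: "1.4.0", manifest: { name: "@smoke/a", version: "1.3.2",
      dependencies: { "@smoke/b": "workspace:^", lodash: "^4.17.21" } } },
  { nextVersion: "2.0.1", manifest: { name: "@smoke/b", version: "2.0.0" } },
];
const sampleResult = buildSnapshotManifests(samplePlan, "pr-123", "a1b2c3d4e5f60718293a4b5c6d7e8f9012345678");
```

Each returned manifest would be published with the returned `tag` as its dist-tag; dependencies outside the plan (here `lodash`) keep their original ranges.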

Implements `bumpy publish --snapshot <name>` and `bumpy ci release --snapshot <name>`:
transient preview publishes that compute the pending release plan, derive a unique
prerelease version per package, publish to a non-`latest` dist-tag, and restore the
working tree — without consuming bump files, writing changelogs, committing, tagging,
or creating GitHub releases. The private-registry counterpart to pkg.pr.new.

Closes #126
@github-actions

github-actions Bot commented Jun 24, 2026

The changes in this PR will be included in the next version bump.

Minor releases

  • @varlock/bumpy 1.15.1 → 1.16.0

Bump files in this PR

Click here if you want to add another bump file to this PR


This comment is maintained by bumpy.

The prereleases doc was already long; move the snapshot releases and
pkg.pr.new sections into a dedicated docs/snapshots.md ("Snapshots & PR
previews"), revert prereleases.md to channel-focused, and cross-link
between them. Repointed cli.md/configuration.md snapshot links.
@theoephraim theoephraim requested a review from philmillman June 24, 2026 18:32

@philmillman philmillman left a comment

lgtm

Snapshots (and normal publish) already work for packages published to a
private registry — scoped + access:restricted/registry, without
"private": true. Make that the documented path and spell out that
"private": true is npm's never-publish marker, which bumpy mirrors:
privatePackages only controls versioning/tagging, never publishing.

Adds a "Publishing to a private registry" section to snapshots.md and a
"Private packages and private registries" note to configuration.md.

Development

Successfully merging this pull request may close these issues.

One-off snapshots
