Release management, CI/CD pipeline, versioning, changelog generation, and npm publishing
The @claude-flow/deployment module handles release management, version bumping, changelog generation from conventional commits, git tagging, and npm publishing. It includes a security-hardened command execution layer that validates all git commands against an allowlist to prevent command injection.
Handles version bumping, changelog generation, and git tagging.
import { ReleaseManager, prepareRelease } from '@claude-flow/deployment';
const manager = new ReleaseManager(process.cwd());
const result = await manager.prepareRelease({
bumpType: 'minor', // 'major' | 'minor' | 'patch' | 'prerelease'
channel: 'latest', // 'alpha' | 'beta' | 'rc' | 'latest'
generateChangelog: true,
createTag: true,
commit: true,
dryRun: false,
tagPrefix: 'v',
changelogPath: 'CHANGELOG.md',
});
Handles npm publishing with 2FA support and dry-run mode.
import { Publisher, publishToNpm, checkVersionExists, getLatestVersion } from '@claude-flow/deployment';
const publisher = new Publisher();
await publisher.publishToNpm({
tag: 'latest', // npm dist-tag
access: 'public', // 'public' | 'restricted'
dryRun: false,
registry: 'https://registry.npmjs.org',
otp: '123456', // 2FA code
skipBuild: false,
buildCommand: 'npm run build',
});
// Check if version already exists
const exists = await checkVersionExists('my-package', '1.2.3');
// Get latest published version
const latest = await getLatestVersion('my-package');
Pre-release validation checks.
import { Validator, validate } from '@claude-flow/deployment';
const result = await validate({
lint: true,
test: true,
build: true,
checkDependencies: true,
checkGitStatus: true,
lintCommand: 'npm run lint',
testCommand: 'npm test',
buildCommand: 'npm run build',
});
// {
// valid: boolean,
// checks: { lint, test, build, dependencies, gitStatus, packageJson },
// errors: string[],
// warnings: string[],
// }
The version bumping system follows semantic versioning:
| Bump Type | Example | Result |
|---|---|---|
major | 1.2.3 -> 2.0.0 | Reset minor/patch |
minor | 1.2.3 -> 1.3.0 | Reset patch |
patch | 1.2.3 -> 1.2.4 | Increment |
prerelease | 1.2.3 -> 1.2.3-alpha.1 | Add/bump pre |
prerelease | 1.2.3-alpha.1 -> alpha.2 | Same channel |
prerelease | 1.2.3-alpha.2 -> beta.1 | New channel |
Changelogs are auto-generated from conventional commits since the last git tag:
Parses conventional commit format: type(scope): message
feat -> Features sectionfix -> Bug Fixes sectiondocs -> Documentation sectionchore -> Chores sectionBREAKING CHANGE -> Breaking Changes section (top priority)## [1.3.0] - 2026-04-05
### BREAKING CHANGES
- **api**: Remove deprecated v1 endpoints
### Features
- **auth**: Add OAuth2 provider support
### Bug Fixes
- **cache**: Fix memory leak in LRU cache
All shell commands are validated against an allowlist to prevent injection:
Allowed commands:
git status --porcelaingit rev-parse HEADgit log (with arguments)git tag (with arguments)git add (with arguments)git commit (with arguments)git describe (with arguments)Blocked patterns:
; & | \ $ ( ) < >`type VersionBumpType = 'major' | 'minor' | 'patch' | 'prerelease';
type ReleaseChannel = 'alpha' | 'beta' | 'rc' | 'latest';
interface ReleaseResult {
oldVersion: string; // Previous version
newVersion: string; // New version
tag?: string; // Git tag name (e.g., 'v1.3.0')
changelog?: string; // Generated changelog markdown
commitHash?: string; // Commit SHA
success: boolean;
error?: string;
warnings?: string[];
}
interface PublishResult {
packageName: string;
version: string;
tag: string;
tarball?: string; // npm tarball URL
success: boolean;
error?: string;
publishedAt?: Date;
}
// Quick release preparation
await prepareRelease({ bumpType: 'patch' });
// Quick publish
await publishToNpm({ tag: 'latest', dryRun: true });
// Quick validation
await validate({ test: true, lint: true });
// Use prepareRelease() instead
await prepare({ version: '1.0.0', channel: 'stable', changelog: true, dryRun: false });
// Use publishToNpm() instead
await deploy({ name: 'npm', type: 'npm', config: { tag: 'latest' } });