diff --git a/.bumpy/publish-oidc-and-tag-push.md b/.bumpy/publish-oidc-and-tag-push.md
deleted file mode 100644
index e801c34..0000000
--- a/.bumpy/publish-oidc-and-tag-push.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Harden the publish flow for two failure modes hit when releasing brand-new packages via GitHub Actions + npm trusted publishing (OIDC).
-
-- Detect the new-package case before any side effects. When OIDC is the only available auth path (no `NPM_TOKEN`/`NODE_AUTH_TOKEN`, no `.npmrc` auth), bumpy now checks the npm registry up front and emits a clear error directing the user to publish a `0.0.0` placeholder before merging — instead of failing partway through with stranded GitHub draft releases and remote tags. The check is skipped when a token fallback is present, so users who enable `id-token: write` for provenance attestations alongside token auth are unaffected.
-- Replace blanket `git push --tags` after publish with per-tag force push. `gh release create --draft --target SHA` creates the tag on the remote at draft-creation time; if a prior publish failed and HEAD has since moved, the remote tag is stale and `git push --tags` rejects with "already exists". The new logic iterates `releasePlan.releases` minus failed packages and force-pushes each tag individually, preserving the anySucceeded-aware semantics already used for local tag movement — packages whose targets all succeeded in a prior run are stripped upstream and their tags stay at the SHA the artifact was actually published from.
diff --git a/packages/bumpy/CHANGELOG.md b/packages/bumpy/CHANGELOG.md
index 0b7b3b8..a511a81 100644
--- a/packages/bumpy/CHANGELOG.md
+++ b/packages/bumpy/CHANGELOG.md
@@ -1,5 +1,13 @@
# Changelog
+## 1.13.2
+
+2026-06-05
+
+- [#101](https://github.com/dmno-dev/bumpy/pull/101) _(patch)_ - Harden the publish flow for two failure modes hit when releasing brand-new packages via GitHub Actions + npm trusted publishing (OIDC).
+ - Detect the new-package case before any side effects. When OIDC is the only available auth path (no `NPM_TOKEN`/`NODE_AUTH_TOKEN`, no `.npmrc` auth), bumpy now checks the npm registry up front and emits a clear error directing the user to publish a `0.0.0` placeholder before merging — instead of failing partway through with stranded GitHub draft releases and remote tags. The check is skipped when a token fallback is present, so users who enable `id-token: write` for provenance attestations alongside token auth are unaffected.
+ - Replace blanket `git push --tags` after publish with per-tag force push. `gh release create --draft --target SHA` creates the tag on the remote at draft-creation time; if a prior publish failed and HEAD has since moved, the remote tag is stale and `git push --tags` rejects with "already exists". The new logic iterates `releasePlan.releases` minus failed packages and force-pushes each tag individually, preserving the anySucceeded-aware semantics already used for local tag movement — packages whose targets all succeeded in a prior run are stripped upstream and their tags stay at the SHA the artifact was actually published from.
+
## 1.13.1
2026-06-03
diff --git a/packages/bumpy/package.json b/packages/bumpy/package.json
index 22743b4..9ba8162 100644
--- a/packages/bumpy/package.json
+++ b/packages/bumpy/package.json
@@ -1,6 +1,6 @@
{
"name": "@varlock/bumpy",
- "version": "1.13.1",
+ "version": "1.13.2",
"description": "Modern monorepo versioning and changelog tool",
"keywords": [
"bump",