From 19d539bda64a3d2be388a5615af949fb7a582e08 Mon Sep 17 00:00:00 2001
From: bumpy-bot <276066384+bumpy-bot@users.noreply.github.com>
Date: Fri, 5 Jun 2026 18:50:10 +0000
Subject: [PATCH] Version packages @varlock/bumpy@1.13.2
---
 .bumpy/publish-oidc-and-tag-push.md | 8 --------
 packages/bumpy/CHANGELOG.md | 8 ++++++++
 packages/bumpy/package.json | 2 +-
 3 files changed, 9 insertions(+), 9 deletions(-)
 delete mode 100644 .bumpy/publish-oidc-and-tag-push.md
diff --git a/.bumpy/publish-oidc-and-tag-push.md b/.bumpy/publish-oidc-and-tag-push.md
deleted file mode 100644
index e801c34..0000000
--- a/.bumpy/publish-oidc-and-tag-push.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-'@varlock/bumpy': patch
----
-
-Harden the publish flow for two failure modes hit when releasing brand-new packages via GitHub Actions + npm trusted publishing (OIDC).
-
-- Detect the new-package case before any side effects. When OIDC is the only available auth path (no `NPM_TOKEN`/`NODE_AUTH_TOKEN`, no `.npmrc` auth), bumpy now checks the npm registry up front and emits a clear error directing the user to publish a `0.0.0` placeholder before merging — instead of failing partway through with stranded GitHub draft releases and remote tags. The check is skipped when a token fallback is present, so users who enable `id-token: write` for provenance attestations alongside token auth are unaffected.
-- Replace blanket `git push --tags` after publish with per-tag force push. `gh release create --draft --target SHA` creates the tag on the remote at draft-creation time; if a prior publish failed and HEAD has since moved, the remote tag is stale and `git push --tags` rejects with "already exists". The new logic iterates `releasePlan.releases` minus failed packages and force-pushes each tag individually, preserving the anySucceeded-aware semantics already used for local tag movement — packages whose targets all succeeded in a prior run are stripped upstream and their tags stay at the SHA the artifact was actually published from.
diff --git a/packages/bumpy/CHANGELOG.md b/packages/bumpy/CHANGELOG.md
index 0b7b3b8..a511a81 100644
--- a/packages/bumpy/CHANGELOG.md
+++ b/packages/bumpy/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Changelog
 
+## 1.13.2
+
+2026-06-05
+
+- [#101](https://github.com/dmno-dev/bumpy/pull/101) _(patch)_ - Harden the publish flow for two failure modes hit when releasing brand-new packages via GitHub Actions + npm trusted publishing (OIDC).
+ - Detect the new-package case before any side effects. When OIDC is the only available auth path (no `NPM_TOKEN`/`NODE_AUTH_TOKEN`, no `.npmrc` auth), bumpy now checks the npm registry up front and emits a clear error directing the user to publish a `0.0.0` placeholder before merging — instead of failing partway through with stranded GitHub draft releases and remote tags. The check is skipped when a token fallback is present, so users who enable `id-token: write` for provenance attestations alongside token auth are unaffected.
+ - Replace blanket `git push --tags` after publish with per-tag force push. `gh release create --draft --target SHA` creates the tag on the remote at draft-creation time; if a prior publish failed and HEAD has since moved, the remote tag is stale and `git push --tags` rejects with "already exists". The new logic iterates `releasePlan.releases` minus failed packages and force-pushes each tag individually, preserving the anySucceeded-aware semantics already used for local tag movement — packages whose targets all succeeded in a prior run are stripped upstream and their tags stay at the SHA the artifact was actually published from.
+
 ## 1.13.1
 
 2026-06-03
diff --git a/packages/bumpy/package.json b/packages/bumpy/package.json
index 22743b4..9ba8162 100644
--- a/packages/bumpy/package.json
+++ b/packages/bumpy/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@varlock/bumpy",
- "version": "1.13.1",
+ "version": "1.13.2",
 "description": "Modern monorepo versioning and changelog tool",
 "keywords": [
 "bump",