plop-pack-git-commit
v0.1.0
Published
PlopJS action pack to stage, commit, and push changes with git
Maintainers
Readme
plop-pack-git-commit
PlopJS action pack that stages changes, creates a git commit, and pushes to origin.
Inspired by plop-pack-git-init, but focused on committing existing or generated files in an already initialized repository.
Installation
pnpm add plop-pack-git-commit
# or
npm i plop-pack-git-commitUsage
module.exports = function (plop) {
plop.load("plop-pack-git-commit");
plop.setGenerator("example", {
prompts: [],
actions: [
{
type: "add",
path: "notes/{{name}}.md",
template: "# {{name}}\n",
},
{
type: "gitCommit",
path: process.cwd(),
message: "docs: add {{name}} note",
files: "notes/{{name}}.md",
},
],
});
};Commit specific file(s)
{
type: "gitCommit",
path: process.cwd(),
message: "docs: add contact note",
files: "notes/contacto.md",
}files accepts a string or an array of strings.
Commit everything pending
{
type: "gitCommit",
path: process.cwd(),
message: "chore: sync generated files",
all: true,
}This runs git add -A before committing.
Options
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| path | string | process.cwd() | Repository path |
| message | string | required | Commit message |
| files | string \| string[] | — | Stage only these paths |
| all | boolean | — | Stage all changes with git add -A |
| verbose | boolean | false | Stream git output to the terminal |
| skipEmpty | boolean | true | Resolve instead of failing when there is nothing to commit |
Provide either files or all: true. They are mutually exclusive.
Push behavior
After a successful commit, the action always runs:
git push origin HEAD- If there was nothing to commit (
skipEmpty), push is skipped. - If
originis missing or push fails, the action resolves with a warning instead of failing the generator. The commit remains local.
Schema export
You can validate action configs outside Plop:
import { gitCommitConfigSchema } from "plop-pack-git-commit";
const result = gitCommitConfigSchema.safeParse({
path: process.cwd(),
message: "feat: add generator output",
all: true,
});Requirements
gitavailable inPATH- Git user identity configured (
user.name,user.email) - Remote
originconfigured when you expect push to succeed
Development
pnpm install
pnpm check # lint + test + build
pnpm lint
pnpm test
pnpm buildGitHub Actions
| Workflow | Trigger | Purpose |
|----------|---------|---------|
| CI | push/PR to main | lint, test, build |
| Security audit | push/PR + weekly | pnpm audit fails on high/critical |
| Dependency review | pull requests | blocks PRs that add vulnerable deps |
| CodeQL | push/PR + weekly | static analysis for TypeScript/JavaScript |
| Release | GitHub Release published | verify tag, pnpm check, publish to npm |
Dependabot opens weekly PRs to update dependencies.
Security releases (automated)
When a Dependabot security PR is merged to main:
Security release preparechecks:- PR author is
dependabot[bot] - PR body/labels reference security advisories (GHSA/CVE)
pnpm auditshows fewer vulnerabilities than before the merge
- PR author is
- If all pass, it opens a review PR (
security-release/x.y.z) that bumps the patch version (z) and prepends a Security section toCHANGELOG.md(packages, versions, advisories). - If audit does not improve, no release PR is created.
- When you merge the security release PR,
Security release publishtagsvx.y.z, creates a GitHub Release titledSecurity release x.y.z, and publishes to npm.
Manual feature releases still use the Release workflow (GitHub Release UI). Bot-authored security releases use the dedicated publish workflow to avoid duplicate npm publishes.
Releasing to npm (manual)
- Bump
versioninpackage.json(e.g.0.1.1). - Commit, push to
main, and create a GitHub Release with tagv0.1.1(must matchpackage.json). - The
Releaseworkflow runspnpm checkand publishes with npm provenance.
Repository secret required:
| Secret | Purpose |
|--------|---------|
| NPM_TOKEN | npm automation token with publish access to this package |
Enable Dependabot alerts and Code scanning under repository Settings → Code security.
License
MIT
