Architecture
Overview
Universal Release Tool is a plugin-based release automation system supporting multiple package ecosystems through a unified interface.
Core Concepts
1. Adapters
Each ecosystem (npm, Cargo, Docker, etc.) has an adapter implementing the PackageManagerAdapter interface:
interface PackageManagerAdapter {
  // Detection
  canHandle(packagePath: string): Promise<boolean>;

  // Version management
  readVersion(packagePath: string): Promise<string>;
  writeVersion(packagePath: string, version: string): Promise<void>;

  // Metadata
  getPackageInfo(packagePath: string): Promise<PackageInfo>;

  // Validation
  validate(
    packagePath: string,
    config: EcosystemConfig,
  ): Promise<ValidationResult>;

  // Publishing
  publish(packagePath: string, config: PublishConfig): Promise<PublishResult>;
  verify(packageName: string, version: string): Promise<boolean>;

  // Rollback
  rollback(
    packageName: string,
    version: string,
    strategy: RollbackStrategy,
  ): Promise<void>;
}
2. Configuration
Single .release.yaml file with:
- Global settings (SBOM, attestation, signing)
- Ecosystem-specific configs
- Validation rules
- Registry configurations
3. Orchestrator
The ReleaseOrchestrator coordinates the release process:
- Load configuration
- Detect or select ecosystem
- Run validation pipeline
- Execute dry-run (optional)
- Publish to registries
- Generate SBOM
- Create attestation
- Sign artifacts
- Verify publication
4. Version Manager
Uses Bun's built-in semver API for:
- Version parsing and comparison
- Bumping (major, minor, patch, prerelease)
- Conventional commits analysis
- Next version detection
Data Flow
User Command
    ↓
CLI (Commander.js)
    ↓
ReleaseOrchestrator
    ↓
    ├── ConfigManager (load .release.yaml)
    ├── AdapterRegistry (detect ecosystem)
    ├── VersionManager (version operations)
    └── PackageManagerAdapter
        ├── Validate
        ├── Dry-run
        ├── Publish
        └── Verify
Ecosystem Adapters
npm/pnpm/yarn
- Detects: package.json
- Publishes via: npm publish, pnpm publish, yarn publish
- Rollback: npm deprecate
Cargo (Rust)
- Detects: Cargo.toml
- Publishes via: cargo publish
- Rollback: cargo yank
Docker/OCI
- Detects: Dockerfile
- Publishes via: docker push
- Supports: Multiple registries (GHCR, Docker Hub, etc.)
Python/PyPI
- Detects: setup.py or pyproject.toml
- Publishes via: twine upload
- Rollback: Not supported (PyPI policy)
Go Modules
- Detects: go.mod
- Publishes via: Git tags + proxy notification
- Registry: pkg.go.dev
Security Features
SBOM Generation
- Uses external tools (syft, cyclonedx-cli)
- Supports SPDX and CycloneDX formats
- Generated pre-publish
Provenance Attestation
- SLSA framework support
- In-toto integration
- Attaches to published artifacts
Artifact Signing
- Cosign for container images
- GPG for traditional packages
- Key management via environment variables
Extension Points
Adding New Ecosystems
- Create adapter in src/adapters/
- Implement PackageManagerAdapter
- Register in CLI
- Add config schema
- Document in README
Custom Validation
Adapters can override:
- validate(): Custom validation logic
- build(): Build steps
- test(): Test execution
Pre/Post Hooks
Configure via prePublishScripts:
ecosystems:
  npm:
    prePublishScripts:
      - npm audit
      - npm run security-check
Performance
- Bun runtime for fast startup
- Lazy adapter loading
- Parallel validation where possible
- Caching of git operations
Error Handling
- Structured error types
- Rollback on failure (when supported)
- Detailed error messages with context
- Exit codes for CI/CD integration
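The orchestrator's validate, publish, verify ordering and the "rollback on failure (when supported)" rule fit together as shown in the following added TypeScript example, which is not the project's own code. `MiniAdapter`, `runRelease`, `mockAdapter`, the result shapes and the `RollbackStrategy` values are assumptions, and the adapter is a constructed in-memory stand-in for a registry.

```typescript
// Added example: reduced, assumed form of the page's adapter interface.
type RollbackStrategy = "deprecate" | "yank" | "none"; // assumed values
interface MiniAdapter {
  validate(path: string): Promise<{ valid: boolean; errors: string[] }>;
  publish(path: string): Promise<{ name: string; version: string }>;
  verify(name: string, version: string): Promise<boolean>;
  rollback(name: string, version: string, s: RollbackStrategy): Promise<void>;
}
interface Outcome {
  status: "rejected" | "published" | "rolled-back" | "manual-cleanup";
  steps: string[];
}

async function runRelease(a: MiniAdapter, path: string, s: RollbackStrategy): Promise<Outcome> {
  const steps: string[] = [];
  const check = await a.validate(path);
  steps.push("validate");
  // Fail closed: an invalid package never reaches the registry.
  if (!check.valid) return { status: "rejected", steps };
  const pub = await a.publish(path);
  steps.push("publish");
  const visible = await a.verify(pub.name, pub.version);
  steps.push("verify");
  if (visible) return { status: "published", steps };
  // Verification failed after publish: roll back only where supported
  // (the page lists PyPI as having no rollback).
  if (s === "none") return { status: "manual-cleanup", steps };
  await a.rollback(pub.name, pub.version, s);
  steps.push("rollback");
  return { status: "rolled-back", steps };
}

// Constructed in-memory adapter standing in for a mock registry.
function mockAdapter(valid: boolean, verifies: boolean, calls: string[]): MiniAdapter {
  return {
    validate: async () => ({ valid, errors: valid ? [] : ["constructed failure"] }),
    publish: async () => {
      calls.push("publish");
      return { name: "demo-pkg", version: "1.2.3" };
    },
    verify: async () => verifies,
    rollback: async (name, version, strategy) => {
      calls.push(`${strategy} ${name}@${version}`);
    },
  };
}
```

The `manual-cleanup` status keeps an unverifiable release on an ecosystem without rollback visible to CI instead of reporting it as a success.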
Testing Strategy
- Unit tests for version management
- Integration tests for adapters
- Mock registries for publish tests
- GitHub Actions CI/CD
Future Enhancements
- Plugin system for custom adapters
- Monorepo support (Nx, Turborepo)
- Changelog generation
- GitLab CI integration
- Web UI for configuration
- Analytics and telemetry