projen
Version:
CDK for software projects
652 lines • 120 kB
JavaScript
"use strict";
var _a;
Object.defineProperty(exports, "__esModule", { value: true });
exports.CodeArtifactAuthProvider = exports.Publisher = void 0;
exports.isAwsCodeArtifactRegistry = isAwsCodeArtifactRegistry;
const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");
const consts_1 = require("../build/private/consts");
const component_1 = require("../component");
const github_1 = require("../github");
const constants_1 = require("../github/constants");
const workflows_model_1 = require("../github/workflows-model");
const node_package_1 = require("../javascript/node-package");
const runner_options_1 = require("../runner-options");
const version_1 = require("../version");
const PUBLIB_VERSION = "latest";
/**
* Checks if a URL's host matches the expected host exactly.
* @param url The URL to check
* @param expectedHost The expected host (e.g., "npm.pkg.github.com")
* @returns true if the URL's host matches exactly
*/
function urlHostMatches(url, expectedHost) {
if (!url)
return false;
try {
const parsed = new URL(url.includes("://") ? url : `https://${url}`);
return parsed.host === expectedHost;
}
catch {
return false;
}
}
const GITHUB_PACKAGES_NPM = "npm.pkg.github.com";
const GITHUB_PACKAGES_MAVEN = "maven.pkg.github.com";
const GITHUB_PACKAGES_NUGET = "nuget.pkg.github.com";
const ARTIFACTS_DOWNLOAD_DIR = "dist";
const AWS_CODEARTIFACT_REGISTRY_REGEX = /\.codeartifact\..*\.amazonaws\.com/;
const PUBLIB_TOOLCHAIN = {
js: {},
java: { java: { version: "11" } },
python: { python: { version: "3.x" } },
go: { go: { version: "^1.18.0" } },
dotnet: { dotnet: { version: "6.x" } },
};
const PUBLISH_JOB_PREFIX = "release_";
/**
* Implements GitHub jobs for publishing modules to package managers.
*
* Under the hood, it uses https://github.com/cdklabs/publib
*/
class Publisher extends component_1.Component {
constructor(project, options) {
super(project);
// functions that create jobs associated with a specific branch
this._jobFactories = [];
this._gitHubPrePublishing = [];
this._gitHubPostPublishing = [];
// List of publish jobs added to the publisher
// Maps between the basename and the jobname
this.publishJobs = {};
this.buildJobId = options.buildJobId;
this.artifactName = options.artifactName;
this.publibVersion =
options.publibVersion ?? options.jsiiReleaseVersion ?? PUBLIB_VERSION;
this.jsiiReleaseVersion = this.publibVersion;
this.condition = options.condition;
this.dryRun = options.dryRun ?? false;
this.workflowNodeVersion = options.workflowNodeVersion ?? "lts/*";
this.workflowContainerImage = options.workflowContainerImage;
this.failureIssue = options.failureIssue ?? false;
this.failureIssueLabel = options.failureIssueLabel ?? "failed-release";
this.publishTasks = options.publishTasks ?? false;
this.runsOn = options.workflowRunsOn;
this.runsOnGroup = options.workflowRunsOnGroup;
}
/**
* Called by `Release` to add the publishing jobs to a release workflow
* associated with a specific branch.
* @param branch The branch name
* @param options Branch options
*
* @internal
*/
_renderJobsForBranch(branch, options) {
let jobs = {};
for (const factory of this._jobFactories) {
jobs = {
...jobs,
...factory(branch, options),
};
}
return jobs;
}
/**
* Adds pre publishing steps for the GitHub release job.
*
* @param steps The steps.
*/
addGitHubPrePublishingSteps(...steps) {
this._gitHubPrePublishing.push(...steps);
}
/**
* Adds post publishing steps for the GitHub release job.
*
* @param steps The steps.
*/
addGitHubPostPublishingSteps(...steps) {
this._gitHubPostPublishing.push(...steps);
}
/**
* Publish to git.
*
* This includes generating a project-level changelog and release tags.
*
* @param options Options
*/
publishToGit(options) {
const releaseTagFile = options.releaseTagFile;
const versionFile = options.versionFile;
const changelog = options.changelogFile;
const projectChangelogFile = options.projectChangelogFile;
const gitBranch = options.gitBranch ?? "main";
const taskName = gitBranch === "main" || gitBranch === "master"
? Publisher.PUBLISH_GIT_TASK_NAME
: `${Publisher.PUBLISH_GIT_TASK_NAME}:${gitBranch}`;
const publishTask = this.project.addTask(taskName, {
description: "Prepends the release changelog onto the project changelog, creates a release commit, and tags the release",
env: {
CHANGELOG: changelog,
RELEASE_TAG_FILE: releaseTagFile,
PROJECT_CHANGELOG_FILE: projectChangelogFile ?? "",
VERSION_FILE: versionFile,
},
condition: version_1.CHANGES_SINCE_LAST_RELEASE,
});
if (projectChangelogFile) {
publishTask.builtin("release/update-changelog");
}
publishTask.builtin("release/tag-version");
if (options.gitPushCommand !== "") {
const gitPushCommand = options.gitPushCommand || `git push --follow-tags origin ${gitBranch}`;
publishTask.exec(gitPushCommand);
}
return publishTask;
}
/**
* Creates a GitHub Release.
* @param options Options
*/
publishToGitHubReleases(options) {
const jobName = "github";
this.addPublishJob(jobName, (_branch, branchOptions) => {
return {
registryName: "GitHub Releases",
prePublishSteps: options.prePublishSteps ?? this._gitHubPrePublishing,
postPublishSteps: options.postPublishSteps ?? this._gitHubPostPublishing,
publishTools: options.publishTools,
permissions: {
contents: workflows_model_1.JobPermission.WRITE,
},
needs: Object.entries(this.publishJobs)
.filter(([name, _]) => name != jobName)
.map(([_, job]) => job),
environment: options.githubEnvironment ?? branchOptions.environment,
run: this.githubReleaseCommand(options, branchOptions),
releaseStepIf: "${{ !inputs.dry_run }}",
isPubLib: false,
workflowEnv: {
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}",
},
};
});
}
/**
* Publishes artifacts from `js/**` to npm.
* @param options Options
*/
publishToNpm(options = {}) {
if (options.trustedPublishing && options.npmTokenSecret) {
throw new Error("Cannot use npmTokenSecret when trustedPublishing is enabled. " +
"Trusted publishing uses OIDC tokens for authentication instead of NPM tokens. " +
"Remove the npmTokenSecret option to use trusted publishing.");
}
const trustedPublisher = options.trustedPublishing ? "true" : undefined;
const npmProvenance = options.npmProvenance ? "true" : undefined;
const isGitHubPackages = urlHostMatches(options.registry, GITHUB_PACKAGES_NPM);
const isAwsCodeArtifact = isAwsCodeArtifactRegistry(options.registry);
const isAwsCodeArtifactWithOidc = isAwsCodeArtifact &&
options.codeArtifactOptions?.authProvider ===
CodeArtifactAuthProvider.GITHUB_OIDC;
const needsIdTokenWrite = isAwsCodeArtifactWithOidc || trustedPublisher || npmProvenance;
const npmToken = trustedPublisher
? undefined
: (0, node_package_1.defaultNpmToken)(options.npmTokenSecret, options.registry);
if (options.distTag) {
this.project.logger.warn("The `distTag` option is deprecated. Use the npmDistTag option instead.");
}
const prePublishSteps = options.prePublishSteps ?? [];
if (isAwsCodeArtifactWithOidc) {
if (options.codeArtifactOptions?.accessKeyIdSecret ||
options.codeArtifactOptions?.secretAccessKeySecret) {
throw new Error("access and secret key pair should not be provided when using GITHUB_OIDC auth provider for AWS CodeArtifact");
}
else if (!options.codeArtifactOptions?.roleToAssume) {
throw new Error('"roleToAssume" property is required when using GITHUB_OIDC for AWS CodeArtifact options');
}
const regionCaptureRegex = /codeartifact\.(.+)\.amazonaws\.com/;
const region = options.registry?.match(regionCaptureRegex)?.[1];
prePublishSteps.push({
name: "Configure AWS Credentials via GitHub OIDC Provider",
uses: "aws-actions/configure-aws-credentials@v6",
with: {
"role-to-assume": options.codeArtifactOptions.roleToAssume,
"aws-region": region,
},
});
}
this.addPublishJob("npm", (_branch, branchOptions) => {
if (branchOptions.npmDistTag && options.distTag) {
throw new Error("cannot set branch-level npmDistTag and npmDistTag in publishToNpm()");
}
return {
publishTools: PUBLIB_TOOLCHAIN.js,
prePublishSteps,
postPublishSteps: options.postPublishSteps ?? [],
environment: options.githubEnvironment ?? branchOptions.environment,
run: this.publibCommand("publib-npm"),
registryName: "npm",
env: {
NPM_DIST_TAG: branchOptions.npmDistTag ?? options.distTag ?? "latest",
NPM_REGISTRY: options.registry,
NPM_CONFIG_PROVENANCE: npmProvenance,
NPM_TRUSTED_PUBLISHER: trustedPublisher,
},
permissions: {
idToken: needsIdTokenWrite ? workflows_model_1.JobPermission.WRITE : undefined,
contents: workflows_model_1.JobPermission.READ,
packages: isGitHubPackages ? workflows_model_1.JobPermission.WRITE : undefined,
},
workflowEnv: {
NPM_TOKEN: npmToken ? secret(npmToken) : undefined,
// if we are publishing to AWS CodeArtifact, pass AWS access keys that will be used to generate NPM_TOKEN using AWS CLI.
AWS_ACCESS_KEY_ID: isAwsCodeArtifact && !isAwsCodeArtifactWithOidc
? secret(options.codeArtifactOptions?.accessKeyIdSecret ??
"AWS_ACCESS_KEY_ID")
: undefined,
AWS_SECRET_ACCESS_KEY: isAwsCodeArtifact && !isAwsCodeArtifactWithOidc
? secret(options.codeArtifactOptions?.secretAccessKeySecret ??
"AWS_SECRET_ACCESS_KEY")
: undefined,
AWS_ROLE_TO_ASSUME: isAwsCodeArtifact && !isAwsCodeArtifactWithOidc
? options.codeArtifactOptions?.roleToAssume
: undefined,
},
};
});
}
/**
* Publishes artifacts from `dotnet/**` to NuGet Gallery.
* @param options Options
*/
publishToNuget(options = {}) {
if (options.trustedPublishing && options.nugetApiKeySecret) {
throw new Error("Cannot use nugetApiKeySecret when trustedPublishing is enabled. " +
"Trusted publishing uses OIDC tokens for authentication instead of API keys. " +
"Remove the nugetApiKeySecret option to use trusted publishing.");
}
const isGitHubPackages = urlHostMatches(options.nugetServer, GITHUB_PACKAGES_NUGET);
const needsIdTokenWrite = options.trustedPublishing;
this.addPublishJob("nuget", (_branch, branchOptions) => ({
publishTools: PUBLIB_TOOLCHAIN.dotnet,
prePublishSteps: options.prePublishSteps ?? [],
postPublishSteps: options.postPublishSteps ?? [],
environment: options.githubEnvironment ?? branchOptions.environment,
run: this.publibCommand("publib-nuget"),
registryName: "NuGet Gallery",
permissions: {
contents: workflows_model_1.JobPermission.READ,
packages: isGitHubPackages ? workflows_model_1.JobPermission.WRITE : undefined,
idToken: needsIdTokenWrite ? workflows_model_1.JobPermission.WRITE : undefined,
},
env: {
NUGET_TRUSTED_PUBLISHER: options.trustedPublishing
? "true"
: undefined,
},
workflowEnv: {
NUGET_API_KEY: options.trustedPublishing
? undefined
: secret(isGitHubPackages
? "GITHUB_TOKEN"
: (options.nugetApiKeySecret ?? "NUGET_API_KEY")),
NUGET_SERVER: options.nugetServer ?? undefined,
NUGET_USERNAME: options.trustedPublishing
? secret(options.nugetUsernameSecret ?? "NUGET_USERNAME")
: undefined,
},
}));
}
/**
* Publishes artifacts from `java/**` to Maven.
* @param options Options
*/
publishToMaven(options = {}) {
const isGitHubPackages = urlHostMatches(options.mavenRepositoryUrl, GITHUB_PACKAGES_MAVEN);
const isGitHubActor = isGitHubPackages && options.mavenUsername == undefined;
const mavenServerId = options.mavenServerId ?? (isGitHubPackages ? "github" : "central-ossrh");
if (isGitHubPackages && mavenServerId != "github") {
throw new Error('publishing to GitHub Packages requires the "mavenServerId" to be "github"');
}
if (mavenServerId === "central-ossrh" && options.mavenEndpoint != null) {
throw new Error('Custom endpoints are not supported when publishing to Maven Central (mavenServerId: "central-ossrh"). Please remove "mavenEndpoint" from the options.');
}
this.addPublishJob("maven", (_branch, branchOptions) => ({
registryName: "Maven Central",
publishTools: PUBLIB_TOOLCHAIN.java,
prePublishSteps: options.prePublishSteps ?? [],
postPublishSteps: options.postPublishSteps ?? [],
environment: options.githubEnvironment ?? branchOptions.environment,
run: this.publibCommand("publib-maven"),
env: {
MAVEN_ENDPOINT: options.mavenEndpoint,
MAVEN_SERVER_ID: mavenServerId,
MAVEN_REPOSITORY_URL: options.mavenRepositoryUrl,
},
workflowEnv: {
MAVEN_GPG_PRIVATE_KEY: isGitHubPackages
? undefined
: secret(options.mavenGpgPrivateKeySecret ?? "MAVEN_GPG_PRIVATE_KEY"),
MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: isGitHubPackages
? undefined
: secret(options.mavenGpgPrivateKeyPassphrase ??
"MAVEN_GPG_PRIVATE_KEY_PASSPHRASE"),
MAVEN_PASSWORD: secret(options.mavenPassword ??
(isGitHubPackages ? "GITHUB_TOKEN" : "MAVEN_PASSWORD")),
MAVEN_USERNAME: isGitHubActor
? "${{ github.actor }}"
: secret(options.mavenUsername ?? "MAVEN_USERNAME"),
MAVEN_STAGING_PROFILE_ID: isGitHubPackages
? undefined
: secret(options.mavenStagingProfileId ?? "MAVEN_STAGING_PROFILE_ID"),
},
permissions: {
contents: workflows_model_1.JobPermission.READ,
packages: isGitHubPackages ? workflows_model_1.JobPermission.WRITE : undefined,
},
}));
}
/**
* Publishes wheel artifacts from `python` to PyPI.
* @param options Options
*/
publishToPyPi(options = {}) {
if (options.trustedPublishing &&
(options.twineUsernameSecret || options.twinePasswordSecret)) {
throw new Error("Cannot use twineUsernameSecret and twinePasswordSecret when trustedPublishing is enabled. " +
"Trusted publishing uses OIDC tokens for authentication instead of username/password credentials. " +
"Remove the twineUsernameSecret and twinePasswordSecret options to use trusted publishing.");
}
let permissions = { contents: workflows_model_1.JobPermission.READ };
const prePublishSteps = options.prePublishSteps ?? [];
let workflowEnv = {};
const isAwsCodeArtifact = isAwsCodeArtifactRegistry(options.twineRegistryUrl);
if (isAwsCodeArtifact) {
const { domain, account, region } = awsCodeArtifactInfoFromUrl(options.twineRegistryUrl);
const { authProvider, roleToAssume, accessKeyIdSecret, secretAccessKeySecret, } = options.codeArtifactOptions ?? {};
const useOidcAuth = authProvider === CodeArtifactAuthProvider.GITHUB_OIDC;
if (useOidcAuth) {
if (!roleToAssume) {
throw new Error('"roleToAssume" property is required when using GITHUB_OIDC for AWS CodeArtifact options');
}
permissions = { ...permissions, idToken: workflows_model_1.JobPermission.WRITE };
prePublishSteps.push({
name: "Configure AWS Credentials via GitHub OIDC Provider",
uses: "aws-actions/configure-aws-credentials@v6",
with: {
"role-to-assume": roleToAssume,
"aws-region": region,
},
});
}
prePublishSteps.push({
name: "Generate CodeArtifact Token",
run: `echo "TWINE_PASSWORD=$(aws codeartifact get-authorization-token --domain ${domain} --domain-owner ${account} --region ${region} --query authorizationToken --output text)" >> $GITHUB_ENV`,
env: useOidcAuth
? undefined
: {
AWS_ACCESS_KEY_ID: secret(accessKeyIdSecret ?? "AWS_ACCESS_KEY_ID"),
AWS_SECRET_ACCESS_KEY: secret(secretAccessKeySecret ?? "AWS_SECRET_ACCESS_KEY"),
},
});
workflowEnv = { TWINE_USERNAME: "aws" };
}
else if (options.trustedPublishing) {
permissions = { ...permissions, idToken: workflows_model_1.JobPermission.WRITE };
workflowEnv = {
PYPI_TRUSTED_PUBLISHER: "true",
};
// attestations default to true, only disable when explicitly requested
if (options.attestations === false) {
workflowEnv.PYPI_DISABLE_ATTESTATIONS = "true";
}
}
else {
workflowEnv = {
TWINE_USERNAME: secret(options.twineUsernameSecret ?? "TWINE_USERNAME"),
TWINE_PASSWORD: secret(options.twinePasswordSecret ?? "TWINE_PASSWORD"),
};
}
this.addPublishJob("pypi", (_branch, branchOptions) => ({
registryName: "PyPI",
publishTools: PUBLIB_TOOLCHAIN.python,
permissions,
prePublishSteps,
postPublishSteps: options.postPublishSteps ?? [],
environment: options.githubEnvironment ?? branchOptions.environment,
run: this.publibCommand("publib-pypi"),
env: {
TWINE_REPOSITORY_URL: options.twineRegistryUrl,
},
workflowEnv,
}));
}
/**
* Adds a go publishing job.
* @param options Options
*/
publishToGo(options = {}) {
const prePublishSteps = options.prePublishSteps ?? [];
const workflowEnv = {};
if (options.githubUseSsh) {
workflowEnv.GITHUB_USE_SSH = "true";
workflowEnv.SSH_AUTH_SOCK = "/tmp/ssh_agent.sock";
prePublishSteps.push({
name: "Setup GitHub deploy key",
run: 'ssh-agent -a ${SSH_AUTH_SOCK} && ssh-add - <<< "${GITHUB_DEPLOY_KEY}"',
env: {
GITHUB_DEPLOY_KEY: secret(options.githubDeployKeySecret ?? "GO_GITHUB_DEPLOY_KEY"),
SSH_AUTH_SOCK: workflowEnv.SSH_AUTH_SOCK,
},
});
}
else {
workflowEnv.GITHUB_TOKEN = secret(options.githubTokenSecret ?? "GO_GITHUB_TOKEN");
}
this.addPublishJob("golang", (_branch, branchOptions) => ({
publishTools: PUBLIB_TOOLCHAIN.go,
prePublishSteps: prePublishSteps,
postPublishSteps: options.postPublishSteps ?? [],
environment: options.githubEnvironment ?? branchOptions.environment,
run: this.publibCommand("publib-golang"),
registryName: "GitHub Go Module Repository",
env: {
GIT_BRANCH: options.gitBranch,
GIT_USER_NAME: options.gitUserName ?? constants_1.DEFAULT_GITHUB_ACTIONS_USER.name,
GIT_USER_EMAIL: options.gitUserEmail ?? constants_1.DEFAULT_GITHUB_ACTIONS_USER.email,
GIT_COMMIT_MESSAGE: options.gitCommitMessage,
},
workflowEnv: workflowEnv,
}));
}
addPublishJob(
/**
* The basename of the publish job (should be lowercase).
* Will be extended with a prefix.
*/
basename, factory) {
const jobname = `${PUBLISH_JOB_PREFIX}${basename}`;
this.publishJobs[basename] = jobname;
this._jobFactories.push((branch, branchOptions) => {
const opts = factory(branch, branchOptions);
if (jobname in this._jobFactories) {
throw new Error(`Duplicate job with name "${jobname}"`);
}
const commandToRun = this.dryRun
? `echo "DRY RUN: ${opts.run}"`
: opts.run;
const requiredEnv = new Array();
// jobEnv is the env we pass to the github job (task environment + secrets/expressions).
const jobEnv = { ...opts.env };
const workflowEnvEntries = Object.entries(opts.workflowEnv ?? {}).filter(([_, value]) => value != undefined);
for (const [env, expression] of workflowEnvEntries) {
requiredEnv.push(env);
jobEnv[env] = expression;
}
if (this.publishTasks) {
const branchSuffix = branch === "main" || branch === "master" ? "" : `:${branch}`;
// define a task which can be used through `projen publish:xxx`.
const task = this.project.addTask(`publish:${basename.toLocaleLowerCase()}${branchSuffix}`, {
description: `Publish this package to ${opts.registryName}`,
env: opts.env,
requiredEnv: requiredEnv,
});
// first verify that we are on the correct branch
task.exec(`test "$(git branch --show-current)" = "${branch}"`);
// run commands
task.exec(commandToRun);
}
const steps = [
github_1.WorkflowSteps.downloadArtifact({
name: "Download build artifacts",
with: {
artifactIds: [
`\${{ needs.${this.buildJobId}.outputs.${consts_1.ARTIFACT_ID_OUTPUT} }}`,
],
path: ARTIFACTS_DOWNLOAD_DIR, // this must be "dist" for publib
},
}),
{
name: "Restore build artifact permissions",
continueOnError: true,
run: [
`cd ${ARTIFACTS_DOWNLOAD_DIR} && setfacl --restore=${constants_1.PERMISSION_BACKUP_FILE}`,
].join("\n"),
},
...opts.prePublishSteps,
{
name: "Release",
// it would have been nice if we could just run "projen publish:xxx" here but that is not possible because this job does not checkout sources
if: opts.releaseStepIf,
run: commandToRun,
env: {
...jobEnv,
...((opts.isPubLib ?? true)
? { PUBLIB_DRYRUN: "${{ inputs.dry_run }}" }
: {}),
},
},
...opts.postPublishSteps,
];
const perms = opts.permissions ?? { contents: workflows_model_1.JobPermission.READ };
const container = this.workflowContainerImage
? {
image: this.workflowContainerImage,
}
: undefined;
if (this.failureIssue) {
steps.push(...[
{
name: "Extract Version",
if: "${{ failure() }}",
id: "extract-version",
shell: "bash",
run: 'echo "VERSION=$(cat dist/version.txt)" >> $GITHUB_OUTPUT',
},
{
name: "Create Issue",
if: "${{ failure() }}",
run: `gh issue create --title "Publishing v$VERSION to ${opts.registryName} failed" --body "See $RUN_URL" --label "${this.failureIssueLabel}"`,
env: {
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}",
VERSION: "${{ steps.extract-version.outputs.VERSION }}",
RUN_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}",
},
},
]);
Object.assign(perms, { issues: workflows_model_1.JobPermission.WRITE });
}
return {
[jobname]: {
...(opts.environment ? { environment: opts.environment } : {}),
tools: {
node: { version: this.workflowNodeVersion },
...opts.publishTools,
},
name: `Publish to ${opts.registryName}`,
permissions: perms,
if: this.condition,
needs: [this.buildJobId, ...(opts.needs ?? [])],
...(0, runner_options_1.filteredRunsOnOptions)(this.runsOn, this.runsOnGroup),
container,
steps,
},
};
});
}
publibCommand(command) {
return `npx -p publib@${this.publibVersion} ${command}`;
}
githubReleaseCommand(options, branchOptions) {
const changelogFile = options.changelogFile;
const releaseTagFile = options.releaseTagFile;
// create a github release
const releaseTag = `$(cat ${releaseTagFile})`;
const ghReleaseCommand = [
`gh release create ${releaseTag}`,
"-R $GITHUB_REPOSITORY",
`-F ${changelogFile}`,
`-t ${releaseTag}`,
"--target $GITHUB_SHA",
];
if (branchOptions.prerelease) {
ghReleaseCommand.push("-p");
}
const ghRelease = ghReleaseCommand.join(" ");
// release script that does not error when re-releasing a given version
const idempotentRelease = [
"errout=$(mktemp);",
`${ghRelease} 2> $errout && true;`,
"exitcode=$?;",
'if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" $errout; then',
"cat $errout;",
"exit $exitcode;",
"fi",
].join(" ");
return idempotentRelease;
}
}
exports.Publisher = Publisher;
_a = JSII_RTTI_SYMBOL_1;
Publisher[_a] = { fqn: "projen.release.Publisher", version: "0.99.70" };
Publisher.PUBLISH_GIT_TASK_NAME = "publish:git";
function secret(secretName) {
return `\${{ secrets.${secretName} }}`;
}
/**
* Options for authorizing requests to a AWS CodeArtifact npm repository.
*/
var CodeArtifactAuthProvider;
(function (CodeArtifactAuthProvider) {
/**
* Fixed credentials provided via Github secrets.
*/
CodeArtifactAuthProvider["ACCESS_AND_SECRET_KEY_PAIR"] = "ACCESS_AND_SECRET_KEY_PAIR";
/**
* Ephemeral credentials provided via Github's OIDC integration with an IAM role.
* See:
* https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html
* https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services
*/
CodeArtifactAuthProvider["GITHUB_OIDC"] = "GITHUB_OIDC";
})(CodeArtifactAuthProvider || (exports.CodeArtifactAuthProvider = CodeArtifactAuthProvider = {}));
/**
* Evaluates if the `registryUrl` is a AWS CodeArtifact registry.
* @param registryUrl url of registry
* @returns true for AWS CodeArtifact
*/
function isAwsCodeArtifactRegistry(registryUrl) {
return Boolean(registryUrl && AWS_CODEARTIFACT_REGISTRY_REGEX.test(registryUrl));
}
/**
* Parses info about code artifact domain from given AWS code artifact url
* @param url Of code artifact domain
* @returns domain, account, and region of code artifact domain
*/
function awsCodeArtifactInfoFromUrl(url) {
const captureRegex = /([a-z0-9-]+)-(.+)\.d\.codeartifact\.(.+)\.amazonaws\.com/;
const matches = url?.match(captureRegex) ?? [];
const [_, domain, account, region] = matches;
return { domain, account, region };
}
//# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoicHVibGlzaGVyLmpzIiwic291cmNlUm9vdCI6IiIsInNvdXJjZXMiOlsiLi4vLi4vc3JjL3JlbGVhc2UvcHVibGlzaGVyLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiI7Ozs7QUEyNUNBLDhEQU1DOztBQWg2Q0Qsb0RBQTZEO0FBQzdELDRDQUF5QztBQUN6QyxzQ0FBMEM7QUFDMUMsbURBRzZCO0FBTzdCLCtEQUEwRDtBQUMxRCw2REFBNkQ7QUFHN0Qsc0RBQTBEO0FBQzFELHdDQUF3RDtBQUV4RCxNQUFNLGNBQWMsR0FBRyxRQUFRLENBQUM7QUFFaEM7Ozs7O0dBS0c7QUFDSCxTQUFTLGNBQWMsQ0FDckIsR0FBdUIsRUFDdkIsWUFBb0I7SUFFcEIsSUFBSSxDQUFDLEdBQUc7UUFBRSxPQUFPLEtBQUssQ0FBQztJQUN2QixJQUFJLENBQUM7UUFDSCxNQUFNLE1BQU0sR0FBRyxJQUFJLEdBQUcsQ0FBQyxHQUFHLENBQUMsUUFBUSxDQUFDLEtBQUssQ0FBQyxDQUFDLENBQUMsQ0FBQyxHQUFHLENBQUMsQ0FBQyxDQUFDLFdBQVcsR0FBRyxFQUFFLENBQUMsQ0FBQztRQUNyRSxPQUFPLE1BQU0sQ0FBQyxJQUFJLEtBQUssWUFBWSxDQUFDO0lBQ3RDLENBQUM7SUFBQyxNQUFNLENBQUM7UUFDUCxPQUFPLEtBQUssQ0FBQztJQUNmLENBQUM7QUFDSCxDQUFDO0FBQ0QsTUFBTSxtQkFBbUIsR0FBRyxvQkFBb0IsQ0FBQztBQUNqRCxNQUFNLHFCQUFxQixHQUFHLHNCQUFzQixDQUFDO0FBQ3JELE1BQU0scUJBQXFCLEdBQUcsc0JBQXNCLENBQUM7QUFDckQsTUFBTSxzQkFBc0IsR0FBRyxNQUFNLENBQUM7QUFDdEMsTUFBTSwrQkFBK0IsR0FBRyxvQ0FBb0MsQ0FBQztBQUM3RSxNQUFNLGdCQUFnQixHQUEwQjtJQUM5QyxFQUFFLEVBQUUsRUFBRTtJQUNOLElBQUksRUFBRSxFQUFFLElBQUksRUFBRSxFQUFFLE9BQU8sRUFBRSxJQUFJLEVBQUUsRUFBRTtJQUNqQyxNQUFNLEVBQUUsRUFBRSxNQUFNLEVBQUUsRUFBRSxPQUFPLEVBQUUsS0FBSyxFQUFFLEVBQUU7SUFDdEMsRUFBRSxFQUFFLEVBQUUsRUFBRSxFQUFFLEVBQUUsT0FBTyxFQUFFLFNBQVMsRUFBRSxFQUFFO0lBQ2xDLE1BQU0sRUFBRSxFQUFFLE1BQU0sRUFBRSxFQUFFLE9BQU8sRUFBRSxLQUFLLEVBQUUsRUFBRTtDQUN2QyxDQUFDO0FBQ0YsTUFBTSxrQkFBa0IsR0FBRyxVQUFVLENBQUM7QUF5R3RDOzs7O0dBSUc7QUFDSCxNQUFhLFNBQVUsU0FBUSxxQkFBUztJQWdDdEMsWUFBWSxPQUFnQixFQUFFLE9BQXlCO1FBQ3JELEtBQUssQ0FBQyxPQUFPLENBQUMsQ0FBQztRQWhCakIsK0RBQStEO1FBQzlDLGtCQUFhLEdBQXdCLEVBQUUsQ0FBQztRQUV4Qyx5QkFBb0IsR0FBYyxFQUFFLENBQUM7UUFDckMsMEJBQXFCLEdBQWMsRUFBRSxDQUFDO1FBT3ZELDhDQUE4QztRQUM5Qyw0Q0FBNEM7UUFDM0IsZ0JBQVcsR0FBMkIsRUFBRSxDQUFDO1FBS3hELElBQUksQ0FBQyxVQUFVLEdBQUcsT0FBTyxDQUFDLFVBQVUsQ0FBQztRQUNyQyxJQUFJLENBQUMsWUFBWSxHQUFHLE9BQU8sQ0FBQyxZQUFZLENBQUM7UUFDekMsSUFBSSxDQUFDLGFBQWE7WUFDaEIsT0FBTyxDQUFDLGFBQWEsSUFBSSxPQUFPLENBQUMsa0JBQWtCLElBQUksY0FBYyxDQUFDO1FBQ3hFLElBQUksQ0FBQyxrQkFBa0IsR0FBRyxJQUFJLENBQUMsYUFBYSxDQUFDO1FBQzdDLElBQUksQ0FBQyxTQUFTLEdBQUcsT0FBTyxDQUFDLFNBQVMsQ0FBQztRQUNuQyxJQUFJLENBQUMsTUFBTSxHQUFHLE9BQU8sQ0FBQyxNQUFNLElBQUksS0FBSyxDQUFDO1FBQ3RDLElBQUksQ0FBQyxtQkFBbUIsR0FBRyxPQUFPLENBQUMsbUJBQW1CLElBQUksT0FBTyxDQUFDO1FBQ2xFLElBQUksQ0FBQyxzQkFBc0IsR0FBRyxPQUFPLENBQUMsc0JBQXNCLENBQUM7UUFFN0QsSUFBSSxDQUFDLFlBQVksR0FBRyxPQUFPLENBQUMsWUFBWSxJQUFJLEtBQUssQ0FBQztRQUNsRCxJQUFJLENBQUMsaUJBQWlCLEdBQUcsT0FBTyxDQUFDLGlCQUFpQixJQUFJLGdCQUFnQixDQUFDO1FBQ3ZFLElBQUksQ0FBQyxZQUFZLEdBQUcsT0FBTyxDQUFDLFlBQVksSUFBSSxLQUFLLENBQUM7UUFDbEQsSUFBSSxDQUFDLE1BQU0sR0FBRyxPQUFPLENBQUMsY0FBYyxDQUFDO1FBQ3JDLElBQUksQ0FBQyxXQUFXLEdBQUcsT0FBTyxDQUFDLG1CQUFtQixDQUFDO0lBQ2pELENBQUM7SUFFRDs7Ozs7OztPQU9HO0lBQ0ksb0JBQW9CLENBQ3pCLE1BQWMsRUFDZCxPQUErQjtRQUUvQixJQUFJLElBQUksR0FBd0IsRUFBRSxDQUFDO1FBRW5DLEtBQUssTUFBTSxPQUFPLElBQUksSUFBSSxDQUFDLGFBQWEsRUFBRSxDQUFDO1lBQ3pDLElBQUksR0FBRztnQkFDTCxHQUFHLElBQUk7Z0JBQ1AsR0FBRyxPQUFPLENBQUMsTUFBTSxFQUFFLE9BQU8sQ0FBQzthQUM1QixDQUFDO1FBQ0osQ0FBQztRQUVELE9BQU8sSUFBSSxDQUFDO0lBQ2QsQ0FBQztJQUVEOzs7O09BSUc7SUFDSSwyQkFBMkIsQ0FBQyxHQUFHLEtBQWdCO1FBQ3BELElBQUksQ0FBQyxvQkFBb0IsQ0FBQyxJQUFJLENBQUMsR0FBRyxLQUFLLENBQUMsQ0FBQztJQUMzQyxDQUFDO0lBRUQ7Ozs7T0FJRztJQUNJLDRCQUE0QixDQUFDLEdBQUcsS0FBZ0I7UUFDckQsSUFBSSxDQUFDLHFCQUFxQixDQUFDLElBQUksQ0FBQyxHQUFHLEtBQUssQ0FBQyxDQUFDO0lBQzVDLENBQUM7SUFFRDs7Ozs7O09BTUc7SUFDSSxZQUFZLENBQUMsT0FBMEI7UUFDNUMsTUFBTSxjQUFjLEdBQUcsT0FBTyxDQUFDLGNBQWMsQ0FBQztRQUM5QyxNQUFNLFdBQVcsR0FBRyxPQUFPLENBQUMsV0FBVyxDQUFDO1FBQ3hDLE1BQU0sU0FBUyxHQUFHLE9BQU8sQ0FBQyxhQUFhLENBQUM7UUFDeEMsTUFBTSxvQkFBb0IsR0FBRyxPQUFPLENBQUMsb0JBQW9CLENBQUM7UUFDMUQsTUFBTSxTQUFTLEdBQUcsT0FBTyxDQUFDLFNBQVMsSUFBSSxNQUFNLENBQUM7UUFFOUMsTUFBTSxRQUFRLEdBQ1osU0FBUyxLQUFLLE1BQU0sSUFBSSxTQUFTLEtBQUssUUFBUTtZQUM1QyxDQUFDLENBQUMsU0FBUyxDQUFDLHFCQUFxQjtZQUNqQyxDQUFDLENBQUMsR0FBRyxTQUFTLENBQUMscUJBQXFCLElBQUksU0FBUyxFQUFFLENBQUM7UUFFeEQsTUFBTSxXQUFXLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQUMsUUFBUSxFQUFFO1lBQ2pELFdBQVcsRUFDVCwyR0FBMkc7WUFDN0csR0FBRyxFQUFFO2dCQUNILFNBQVMsRUFBRSxTQUFTO2dCQUNwQixnQkFBZ0IsRUFBRSxjQUFjO2dCQUNoQyxzQkFBc0IsRUFBRSxvQkFBb0IsSUFBSSxFQUFFO2dCQUNsRCxZQUFZLEVBQUUsV0FBVzthQUMxQjtZQUNELFNBQVMsRUFBRSxvQ0FBMEI7U0FDdEMsQ0FBQyxDQUFDO1FBQ0gsSUFBSSxvQkFBb0IsRUFBRSxDQUFDO1lBQ3pCLFdBQVcsQ0FBQyxPQUFPLENBQUMsMEJBQTBCLENBQUMsQ0FBQztRQUNsRCxDQUFDO1FBQ0QsV0FBVyxDQUFDLE9BQU8sQ0FBQyxxQkFBcUIsQ0FBQyxDQUFDO1FBRTNDLElBQUksT0FBTyxDQUFDLGNBQWMsS0FBSyxFQUFFLEVBQUUsQ0FBQztZQUNsQyxNQUFNLGNBQWMsR0FDbEIsT0FBTyxDQUFDLGNBQWMsSUFBSSxpQ0FBaUMsU0FBUyxFQUFFLENBQUM7WUFDekUsV0FBVyxDQUFDLElBQUksQ0FBQyxjQUFjLENBQUMsQ0FBQztRQUNuQyxDQUFDO1FBRUQsT0FBTyxXQUFXLENBQUM7SUFDckIsQ0FBQztJQUVEOzs7T0FHRztJQUNJLHVCQUF1QixDQUFDLE9BQXFDO1FBQ2xFLE1BQU0sT0FBTyxHQUFHLFFBQVEsQ0FBQztRQUN6QixJQUFJLENBQUMsYUFBYSxDQUFDLE9BQU8sRUFBRSxDQUFDLE9BQU8sRUFBRSxhQUFhLEVBQXFCLEVBQUU7WUFDeEUsT0FBTztnQkFDTCxZQUFZLEVBQUUsaUJBQWlCO2dCQUMvQixlQUFlLEVBQUUsT0FBTyxDQUFDLGVBQWUsSUFBSSxJQUFJLENBQUMsb0JBQW9CO2dCQUNyRSxnQkFBZ0IsRUFDZCxPQUFPLENBQUMsZ0JBQWdCLElBQUksSUFBSSxDQUFDLHFCQUFxQjtnQkFDeEQsWUFBWSxFQUFFLE9BQU8sQ0FBQyxZQUFZO2dCQUNsQyxXQUFXLEVBQUU7b0JBQ1gsUUFBUSxFQUFFLCtCQUFhLENBQUMsS0FBSztpQkFDOUI7Z0JBQ0QsS0FBSyxFQUFFLE1BQU0sQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLFdBQVcsQ0FBQztxQkFDcEMsTUFBTSxDQUFDLENBQUMsQ0FBQyxJQUFJLEVBQUUsQ0FBQyxDQUFDLEVBQUUsRUFBRSxDQUFDLElBQUksSUFBSSxPQUFPLENBQUM7cUJBQ3RDLEdBQUcsQ0FBQyxDQUFDLENBQUMsQ0FBQyxFQUFFLEdBQUcsQ0FBQyxFQUFFLEVBQUUsQ0FBQyxHQUFHLENBQUM7Z0JBQ3pCLFdBQVcsRUFBRSxPQUFPLENBQUMsaUJBQWlCLElBQUksYUFBYSxDQUFDLFdBQVc7Z0JBQ25FLEdBQUcsRUFBRSxJQUFJLENBQUMsb0JBQW9CLENBQUMsT0FBTyxFQUFFLGFBQWEsQ0FBQztnQkFDdEQsYUFBYSxFQUFFLHdCQUF3QjtnQkFDdkMsUUFBUSxFQUFFLEtBQUs7Z0JBQ2YsV0FBVyxFQUFFO29CQUNYLFlBQVksRUFBRSw2QkFBNkI7aUJBQzVDO2FBQ0YsQ0FBQztRQUNKLENBQUMsQ0FBQyxDQUFDO0lBQ0wsQ0FBQztJQUVEOzs7T0FHRztJQUNJLFlBQVksQ0FBQyxVQUE2QixFQUFFO1FBQ2pELElBQUksT0FBTyxDQUFDLGlCQUFpQixJQUFJLE9BQU8sQ0FBQyxjQUFjLEVBQUUsQ0FBQztZQUN4RCxNQUFNLElBQUksS0FBSyxDQUNiLCtEQUErRDtnQkFDN0QsZ0ZBQWdGO2dCQUNoRiw2REFBNkQsQ0FDaEUsQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLGdCQUFnQixHQUFHLE9BQU8sQ0FBQyxpQkFBaUIsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUM7UUFDeEUsTUFBTSxhQUFhLEdBQUcsT0FBTyxDQUFDLGFBQWEsQ0FBQyxDQUFDLENBQUMsTUFBTSxDQUFDLENBQUMsQ0FBQyxTQUFTLENBQUM7UUFFakUsTUFBTSxnQkFBZ0IsR0FBRyxjQUFjLENBQ3JDLE9BQU8sQ0FBQyxRQUFRLEVBQ2hCLG1CQUFtQixDQUNwQixDQUFDO1FBQ0YsTUFBTSxpQkFBaUIsR0FBRyx5QkFBeUIsQ0FBQyxPQUFPLENBQUMsUUFBUSxDQUFDLENBQUM7UUFDdEUsTUFBTSx5QkFBeUIsR0FDN0IsaUJBQWlCO1lBQ2pCLE9BQU8sQ0FBQyxtQkFBbUIsRUFBRSxZQUFZO2dCQUN2Qyx3QkFBd0IsQ0FBQyxXQUFXLENBQUM7UUFDekMsTUFBTSxpQkFBaUIsR0FDckIseUJBQXlCLElBQUksZ0JBQWdCLElBQUksYUFBYSxDQUFDO1FBQ2pFLE1BQU0sUUFBUSxHQUFHLGdCQUFnQjtZQUMvQixDQUFDLENBQUMsU0FBUztZQUNYLENBQUMsQ0FBQyxJQUFBLDhCQUFlLEVBQUMsT0FBTyxDQUFDLGNBQWMsRUFBRSxPQUFPLENBQUMsUUFBUSxDQUFDLENBQUM7UUFFOUQsSUFBSSxPQUFPLENBQUMsT0FBTyxFQUFFLENBQUM7WUFDcEIsSUFBSSxDQUFDLE9BQU8sQ0FBQyxNQUFNLENBQUMsSUFBSSxDQUN0Qix3RUFBd0UsQ0FDekUsQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLGVBQWUsR0FBYyxPQUFPLENBQUMsZUFBZSxJQUFJLEVBQUUsQ0FBQztRQUVqRSxJQUFJLHlCQUF5QixFQUFFLENBQUM7WUFDOUIsSUFDRSxPQUFPLENBQUMsbUJBQW1CLEVBQUUsaUJBQWlCO2dCQUM5QyxPQUFPLENBQUMsbUJBQW1CLEVBQUUscUJBQXFCLEVBQ2xELENBQUM7Z0JBQ0QsTUFBTSxJQUFJLEtBQUssQ0FDYiw2R0FBNkcsQ0FDOUcsQ0FBQztZQUNKLENBQUM7aUJBQU0sSUFBSSxDQUFDLE9BQU8sQ0FBQyxtQkFBbUIsRUFBRSxZQUFZLEVBQUUsQ0FBQztnQkFDdEQsTUFBTSxJQUFJLEtBQUssQ0FDYix5RkFBeUYsQ0FDMUYsQ0FBQztZQUNKLENBQUM7WUFDRCxNQUFNLGtCQUFrQixHQUFHLG9DQUFvQyxDQUFDO1lBQ2hFLE1BQU0sTUFBTSxHQUFHLE9BQU8sQ0FBQyxRQUFRLEVBQUUsS0FBSyxDQUFDLGtCQUFrQixDQUFDLEVBQUUsQ0FBQyxDQUFDLENBQUMsQ0FBQztZQUNoRSxlQUFlLENBQUMsSUFBSSxDQUFDO2dCQUNuQixJQUFJLEVBQUUsb0RBQW9EO2dCQUMxRCxJQUFJLEVBQUUsMENBQTBDO2dCQUNoRCxJQUFJLEVBQUU7b0JBQ0osZ0JBQWdCLEVBQUUsT0FBTyxDQUFDLG1CQUFtQixDQUFDLFlBQVk7b0JBQzFELFlBQVksRUFBRSxNQUFNO2lCQUNyQjthQUNGLENBQUMsQ0FBQztRQUNMLENBQUM7UUFFRCxJQUFJLENBQUMsYUFBYSxDQUFDLEtBQUssRUFBRSxDQUFDLE9BQU8sRUFBRSxhQUFhLEVBQXFCLEVBQUU7WUFDdEUsSUFBSSxhQUFhLENBQUMsVUFBVSxJQUFJLE9BQU8sQ0FBQyxPQUFPLEVBQUUsQ0FBQztnQkFDaEQsTUFBTSxJQUFJLEtBQUssQ0FDYixxRUFBcUUsQ0FDdEUsQ0FBQztZQUNKLENBQUM7WUFFRCxPQUFPO2dCQUNMLFlBQVksRUFBRSxnQkFBZ0IsQ0FBQyxFQUFFO2dCQUNqQyxlQUFlO2dCQUNmLGdCQUFnQixFQUFFLE9BQU8sQ0FBQyxnQkFBZ0IsSUFBSSxFQUFFO2dCQUNoRCxXQUFXLEVBQUUsT0FBTyxDQUFDLGlCQUFpQixJQUFJLGFBQWEsQ0FBQyxXQUFXO2dCQUNuRSxHQUFHLEVBQUUsSUFBSSxDQUFDLGFBQWEsQ0FBQyxZQUFZLENBQUM7Z0JBQ3JDLFlBQVksRUFBRSxLQUFLO2dCQUNuQixHQUFHLEVBQUU7b0JBQ0gsWUFBWSxFQUFFLGFBQWEsQ0FBQyxVQUFVLElBQUksT0FBTyxDQUFDLE9BQU8sSUFBSSxRQUFRO29CQUNyRSxZQUFZLEVBQUUsT0FBTyxDQUFDLFFBQVE7b0JBQzlCLHFCQUFxQixFQUFFLGFBQWE7b0JBQ3BDLHFCQUFxQixFQUFFLGdCQUFnQjtpQkFDeEM7Z0JBQ0QsV0FBVyxFQUFFO29CQUNYLE9BQU8sRUFBRSxpQkFBaUIsQ0FBQyxDQUFDLENBQUMsK0JBQWEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLFNBQVM7b0JBQzVELFFBQVEsRUFBRSwrQkFBYSxDQUFDLElBQUk7b0JBQzVCLFFBQVEsRUFBRSxnQkFBZ0IsQ0FBQyxDQUFDLENBQUMsK0JBQWEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLFNBQVM7aUJBQzdEO2dCQUNELFdBQVcsRUFBRTtvQkFDWCxTQUFTLEVBQUUsUUFBUSxDQUFDLENBQUMsQ0FBQyxNQUFNLENBQUMsUUFBUSxDQUFDLENBQUMsQ0FBQyxDQUFDLFNBQVM7b0JBQ2xELHdIQUF3SDtvQkFDeEgsaUJBQWlCLEVBQ2YsaUJBQWlCLElBQUksQ0FBQyx5QkFBeUI7d0JBQzdDLENBQUMsQ0FBQyxNQUFNLENBQ0osT0FBTyxDQUFDLG1CQUFtQixFQUFFLGlCQUFpQjs0QkFDNUMsbUJBQW1CLENBQ3RCO3dCQUNILENBQUMsQ0FBQyxTQUFTO29CQUNmLHFCQUFxQixFQUNuQixpQkFBaUIsSUFBSSxDQUFDLHlCQUF5Qjt3QkFDN0MsQ0FBQyxDQUFDLE1BQU0sQ0FDSixPQUFPLENBQUMsbUJBQW1CLEVBQUUscUJBQXFCOzRCQUNoRCx1QkFBdUIsQ0FDMUI7d0JBQ0gsQ0FBQyxDQUFDLFNBQVM7b0JBQ2Ysa0JBQWtCLEVBQ2hCLGlCQUFpQixJQUFJLENBQUMseUJBQXlCO3dCQUM3QyxDQUFDLENBQUMsT0FBTyxDQUFDLG1CQUFtQixFQUFFLFlBQVk7d0JBQzNDLENBQUMsQ0FBQyxTQUFTO2lCQUNoQjthQUNGLENBQUM7UUFDSixDQUFDLENBQUMsQ0FBQztJQUNMLENBQUM7SUFFRDs7O09BR0c7SUFDSSxjQUFjLENBQUMsVUFBK0IsRUFBRTtRQUNyRCxJQUFJLE9BQU8sQ0FBQyxpQkFBaUIsSUFBSSxPQUFPLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUMzRCxNQUFNLElBQUksS0FBSyxDQUNiLGtFQUFrRTtnQkFDaEUsOEVBQThFO2dCQUM5RSxnRUFBZ0UsQ0FDbkUsQ0FBQztRQUNKLENBQUM7UUFFRCxNQUFNLGdCQUFnQixHQUFHLGNBQWMsQ0FDckMsT0FBTyxDQUFDLFdBQVcsRUFDbkIscUJBQXFCLENBQ3RCLENBQUM7UUFDRixNQUFNLGlCQUFpQixHQUFHLE9BQU8sQ0FBQyxpQkFBaUIsQ0FBQztRQUVwRCxJQUFJLENBQUMsYUFBYSxDQUNoQixPQUFPLEVBQ1AsQ0FBQyxPQUFPLEVBQUUsYUFBYSxFQUFxQixFQUFFLENBQUMsQ0FBQztZQUM5QyxZQUFZLEVBQUUsZ0JBQWdCLENBQUMsTUFBTTtZQUNyQyxlQUFlLEVBQUUsT0FBTyxDQUFDLGVBQWUsSUFBSSxFQUFFO1lBQzlDLGdCQUFnQixFQUFFLE9BQU8sQ0FBQyxnQkFBZ0IsSUFBSSxFQUFFO1lBQ2hELFdBQVcsRUFBRSxPQUFPLENBQUMsaUJBQWlCLElBQUksYUFBYSxDQUFDLFdBQVc7WUFDbkUsR0FBRyxFQUFFLElBQUksQ0FBQyxhQUFhLENBQUMsY0FBYyxDQUFDO1lBQ3ZDLFlBQVksRUFBRSxlQUFlO1lBQzdCLFdBQVcsRUFBRTtnQkFDWCxRQUFRLEVBQUUsK0JBQWEsQ0FBQyxJQUFJO2dCQUM1QixRQUFRLEVBQUUsZ0JBQWdCLENBQUMsQ0FBQyxDQUFDLCtCQUFhLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxTQUFTO2dCQUM1RCxPQUFPLEVBQUUsaUJBQWlCLENBQUMsQ0FBQyxDQUFDLCtCQUFhLENBQUMsS0FBSyxDQUFDLENBQUMsQ0FBQyxTQUFTO2FBQzdEO1lBQ0QsR0FBRyxFQUFFO2dCQUNILHVCQUF1QixFQUFFLE9BQU8sQ0FBQyxpQkFBaUI7b0JBQ2hELENBQUMsQ0FBQyxNQUFNO29CQUNSLENBQUMsQ0FBQyxTQUFTO2FBQ2Q7WUFDRCxXQUFXLEVBQUU7Z0JBQ1gsYUFBYSxFQUFFLE9BQU8sQ0FBQyxpQkFBaUI7b0JBQ3RDLENBQUMsQ0FBQyxTQUFTO29CQUNYLENBQUMsQ0FBQyxNQUFNLENBQ0osZ0JBQWdCO3dCQUNkLENBQUMsQ0FBQyxjQUFjO3dCQUNoQixDQUFDLENBQUMsQ0FBQyxPQUFPLENBQUMsaUJBQWlCLElBQUksZUFBZSxDQUFDLENBQ25EO2dCQUNMLFlBQVksRUFBRSxPQUFPLENBQUMsV0FBVyxJQUFJLFNBQVM7Z0JBQzlDLGNBQWMsRUFBRSxPQUFPLENBQUMsaUJBQWlCO29CQUN2QyxDQUFDLENBQUMsTUFBTSxDQUFDLE9BQU8sQ0FBQyxtQkFBbUIsSUFBSSxnQkFBZ0IsQ0FBQztvQkFDekQsQ0FBQyxDQUFDLFNBQVM7YUFDZDtTQUNGLENBQUMsQ0FDSCxDQUFDO0lBQ0osQ0FBQztJQUVEOzs7T0FHRztJQUNJLGNBQWMsQ0FBQyxVQUErQixFQUFFO1FBQ3JELE1BQU0sZ0JBQWdCLEdBQUcsY0FBYyxDQUNyQyxPQUFPLENBQUMsa0JBQWtCLEVBQzFCLHFCQUFxQixDQUN0QixDQUFDO1FBQ0YsTUFBTSxhQUFhLEdBQ2pCLGdCQUFnQixJQUFJLE9BQU8sQ0FBQyxhQUFhLElBQUksU0FBUyxDQUFDO1FBQ3pELE1BQU0sYUFBYSxHQUNqQixPQUFPLENBQUMsYUFBYSxJQUFJLENBQUMsZ0JBQWdCLENBQUMsQ0FBQyxDQUFDLFFBQVEsQ0FBQyxDQUFDLENBQUMsZUFBZSxDQUFDLENBQUM7UUFFM0UsSUFBSSxnQkFBZ0IsSUFBSSxhQUFhLElBQUksUUFBUSxFQUFFLENBQUM7WUFDbEQsTUFBTSxJQUFJLEtBQUssQ0FDYiwyRUFBMkUsQ0FDNUUsQ0FBQztRQUNKLENBQUM7UUFFRCxJQUFJLGFBQWEsS0FBSyxlQUFlLElBQUksT0FBTyxDQUFDLGFBQWEsSUFBSSxJQUFJLEVBQUUsQ0FBQztZQUN2RSxNQUFNLElBQUksS0FBSyxDQUNiLHVKQUF1SixDQUN4SixDQUFDO1FBQ0osQ0FBQztRQUVELElBQUksQ0FBQyxhQUFhLENBQ2hCLE9BQU8sRUFDUCxDQUFDLE9BQU8sRUFBRSxhQUFhLEVBQXFCLEVBQUUsQ0FBQyxDQUFDO1lBQzlDLFlBQVksRUFBRSxlQUFlO1lBQzdCLFlBQVksRUFBRSxnQkFBZ0IsQ0FBQyxJQUFJO1lBQ25DLGVBQWUsRUFBRSxPQUFPLENBQUMsZUFBZSxJQUFJLEVBQUU7WUFDOUMsZ0JBQWdCLEVBQUUsT0FBTyxDQUFDLGdCQUFnQixJQUFJLEVBQUU7WUFDaEQsV0FBVyxFQUFFLE9BQU8sQ0FBQyxpQkFBaUIsSUFBSSxhQUFhLENBQUMsV0FBVztZQUNuRSxHQUFHLEVBQUUsSUFBSSxDQUFDLGFBQWEsQ0FBQyxjQUFjLENBQUM7WUFDdkMsR0FBRyxFQUFFO2dCQUNILGNBQWMsRUFBRSxPQUFPLENBQUMsYUFBYTtnQkFDckMsZUFBZSxFQUFFLGFBQWE7Z0JBQzlCLG9CQUFvQixFQUFFLE9BQU8sQ0FBQyxrQkFBa0I7YUFDakQ7WUFDRCxXQUFXLEVBQUU7Z0JBQ1gscUJBQXFCLEVBQUUsZ0JBQWdCO29CQUNyQyxDQUFDLENBQUMsU0FBUztvQkFDWCxDQUFDLENBQUMsTUFBTSxDQUNKLE9BQU8sQ0FBQyx3QkFBd0IsSUFBSSx1QkFBdUIsQ0FDNUQ7Z0JBQ0wsZ0NBQWdDLEVBQUUsZ0JBQWdCO29CQUNoRCxDQUFDLENBQUMsU0FBUztvQkFDWCxDQUFDLENBQUMsTUFBTSxDQUNKLE9BQU8sQ0FBQyw0QkFBNEI7d0JBQ2xDLGtDQUFrQyxDQUNyQztnQkFDTCxjQUFjLEVBQUUsTUFBTSxDQUNwQixPQUFPLENBQUMsYUFBYTtvQkFDbkIsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUFDLENBQUMsY0FBYyxDQUFDLENBQUMsQ0FBQyxnQkFBZ0IsQ0FBQyxDQUN6RDtnQkFDRCxjQUFjLEVBQUUsYUFBYTtvQkFDM0IsQ0FBQyxDQUFDLHFCQUFxQjtvQkFDdkIsQ0FBQyxDQUFDLE1BQU0sQ0FBQyxPQUFPLENBQUMsYUFBYSxJQUFJLGdCQUFnQixDQUFDO2dCQUNyRCx3QkFBd0IsRUFBRSxnQkFBZ0I7b0JBQ3hDLENBQUMsQ0FBQyxTQUFTO29CQUNYLENBQUMsQ0FBQyxNQUFNLENBQ0osT0FBTyxDQUFDLHFCQUFxQixJQUFJLDBCQUEwQixDQUM1RDthQUNOO1lBQ0QsV0FBVyxFQUFFO2dCQUNYLFFBQVEsRUFBRSwrQkFBYSxDQUFDLElBQUk7Z0JBQzVCLFFBQVEsRUFBRSxnQkFBZ0IsQ0FBQyxDQUFDLENBQUMsK0JBQWEsQ0FBQyxLQUFLLENBQUMsQ0FBQyxDQUFDLFNBQVM7YUFDN0Q7U0FDRixDQUFDLENBQ0gsQ0FBQztJQUNKLENBQUM7SUFFRDs7O09BR0c7SUFDSSxhQUFhLENBQUMsVUFBOEIsRUFBRTtRQUNuRCxJQUNFLE9BQU8sQ0FBQyxpQkFBaUI7WUFDekIsQ0FBQyxPQUFPLENBQUMsbUJBQW1CLElBQUksT0FBTyxDQUFDLG1CQUFtQixDQUFDLEVBQzVELENBQUM7WUFDRCxNQUFNLElBQUksS0FBSyxDQUNiLDRGQUE0RjtnQkFDMUYsbUdBQW1HO2dCQUNuRywyRkFBMkYsQ0FDOUYsQ0FBQztRQUNKLENBQUM7UUFFRCxJQUFJLFdBQVcsR0FBbUIsRUFBRSxRQUFRLEVBQUUsK0JBQWEsQ0FBQyxJQUFJLEVBQUUsQ0FBQztRQUNuRSxNQUFNLGVBQWUsR0FBRyxPQUFPLENBQUMsZUFBZSxJQUFJLEVBQUUsQ0FBQztRQUN0RCxJQUFJLFdBQVcsR0FBdUMsRUFBRSxDQUFDO1FBQ3pELE1BQU0saUJBQWlCLEdBQUcseUJBQXlCLENBQ2pELE9BQU8sQ0FBQyxnQkFBZ0IsQ0FDekIsQ0FBQztRQUNGLElBQUksaUJBQWlCLEVBQUUsQ0FBQztZQUN0QixNQUFNLEVBQUUsTUFBTSxFQUFFLE9BQU8sRUFBRSxNQUFNLEVBQUUsR0FBRywwQkFBMEIsQ0FDNUQsT0FBTyxDQUFDLGdCQUFnQixDQUN6QixDQUFDO1lBQ0YsTUFBTSxFQUNKLFlBQVksRUFDWixZQUFZLEVBQ1osaUJBQWlCLEVBQ2pCLHFCQUFxQixHQUN0QixHQUFHLE9BQU8sQ0FBQyxtQkFBbUIsSUFBSSxFQUFFLENBQUM7WUFDdEMsTUFBTSxXQUFXLEdBQUcsWUFBWSxLQUFLLHdCQUF3QixDQUFDLFdBQVcsQ0FBQztZQUMxRSxJQUFJLFdBQVcsRUFBRSxDQUFDO2dCQUNoQixJQUFJLENBQUMsWUFBWSxFQUFFLENBQUM7b0JBQ2xCLE1BQU0sSUFBSSxLQUFLLENBQ2IseUZBQXlGLENBQzFGLENBQUM7Z0JBQ0osQ0FBQztnQkFDRCxXQUFXLEdBQUcsRUFBRSxHQUFHLFdBQVcsRUFBRSxPQUFPLEVBQUUsK0JBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBQztnQkFDL0QsZUFBZSxDQUFDLElBQUksQ0FBQztvQkFDbkIsSUFBSSxFQUFFLG9EQUFvRDtvQkFDMUQsSUFBSSxFQUFFLDBDQUEwQztvQkFDaEQsSUFBSSxFQUFFO3dCQUNKLGdCQUFnQixFQUFFLFlBQVk7d0JBQzlCLFlBQVksRUFBRSxNQUFNO3FCQUNyQjtpQkFDRixDQUFDLENBQUM7WUFDTCxDQUFDO1lBQ0QsZUFBZSxDQUFDLElBQUksQ0FBQztnQkFDbkIsSUFBSSxFQUFFLDZCQUE2QjtnQkFDbkMsR0FBRyxFQUFFLDRFQUE0RSxNQUFNLG1CQUFtQixPQUFPLGFBQWEsTUFBTSw0REFBNEQ7Z0JBQ2hNLEdBQUcsRUFBRSxXQUFXO29CQUNkLENBQUMsQ0FBQyxTQUFTO29CQUNYLENBQUMsQ0FBQzt3QkFDRSxpQkFBaUIsRUFBRSxNQUFNLENBQ3ZCLGlCQUFpQixJQUFJLG1CQUFtQixDQUN6Qzt3QkFDRCxxQkFBcUIsRUFBRSxNQUFNLENBQzNCLHFCQUFxQixJQUFJLHVCQUF1QixDQUNqRDtxQkFDRjthQUNOLENBQUMsQ0FBQztZQUNILFdBQVcsR0FBRyxFQUFFLGNBQWMsRUFBRSxLQUFLLEVBQUUsQ0FBQztRQUMxQyxDQUFDO2FBQU0sSUFBSSxPQUFPLENBQUMsaUJBQWlCLEVBQUUsQ0FBQztZQUNyQyxXQUFXLEdBQUcsRUFBRSxHQUFHLFdBQVcsRUFBRSxPQUFPLEVBQUUsK0JBQWEsQ0FBQyxLQUFLLEVBQUUsQ0FBQztZQUMvRCxXQUFXLEdBQUc7Z0JBQ1osc0JBQXNCLEVBQUUsTUFBTTthQUMvQixDQUFDO1lBQ0YsdUVBQXVFO1lBQ3ZFLElBQUksT0FBTyxDQUFDLFlBQVksS0FBSyxLQUFLLEVBQUUsQ0FBQztnQkFDbkMsV0FBVyxDQUFDLHlCQUF5QixHQUFHLE1BQU0sQ0FBQztZQUNqRCxDQUFDO1FBQ0gsQ0FBQzthQUFNLENBQUM7WUFDTixXQUFXLEdBQUc7Z0JBQ1osY0FBYyxFQUFFLE1BQU0sQ0FBQyxPQUFPLENBQUMsbUJBQW1CLElBQUksZ0JBQWdCLENBQUM7Z0JBQ3ZFLGNBQWMsRUFBRSxNQUFNLENBQUMsT0FBTyxDQUFDLG1CQUFtQixJQUFJLGdCQUFnQixDQUFDO2FBQ3hFLENBQUM7UUFDSixDQUFDO1FBRUQsSUFBSSxDQUFDLGFBQWEsQ0FDaEIsTUFBTSxFQUNOLENBQUMsT0FBTyxFQUFFLGFBQWEsRUFBcUIsRUFBRSxDQUFDLENBQUM7WUFDOUMsWUFBWSxFQUFFLE1BQU07WUFDcEIsWUFBWSxFQUFFLGdCQUFnQixDQUFDLE1BQU07WUFDckMsV0FBVztZQUNYLGVBQWU7WUFDZixnQkFBZ0IsRUFBRSxPQUFPLENBQUMsZ0JBQWdCLElBQUksRUFBRTtZQUNoRCxXQUFXLEVBQUUsT0FBTyxDQUFDLGlCQUFpQixJQUFJLGFBQWEsQ0FBQyxXQUFXO1lBQ25FLEdBQUcsRUFBRSxJQUFJLENBQUMsYUFBYSxDQUFDLGFBQWEsQ0FBQztZQUN0QyxHQUFHLEVBQUU7Z0JBQ0gsb0JBQW9CLEVBQUUsT0FBTyxDQUFDLGdCQUFnQjthQUMvQztZQUNELFdBQVc7U0FDWixDQUFDLENBQ0gsQ0FBQztJQUNKLENBQUM7SUFFRDs7O09BR0c7SUFDSSxXQUFXLENBQUMsVUFBNEIsRUFBRTtRQUMvQyxNQUFNLGVBQWUsR0FBRyxPQUFPLENBQUMsZUFBZSxJQUFJLEVBQUUsQ0FBQztRQUN0RCxNQUFNLFdBQVcsR0FBMkMsRUFBRSxDQUFDO1FBQy9ELElBQUksT0FBTyxDQUFDLFlBQVksRUFBRSxDQUFDO1lBQ3pCLFdBQVcsQ0FBQyxjQUFjLEdBQUcsTUFBTSxDQUFDO1lBQ3BDLFdBQVcsQ0FBQyxhQUFhLEdBQUcscUJBQXFCLENBQUM7WUFDbEQsZUFBZSxDQUFDLElBQUksQ0FBQztnQkFDbkIsSUFBSSxFQUFFLHlCQUF5QjtnQkFDL0IsR0FBRyxFQUFFLHVFQUF1RTtnQkFDNUUsR0FBRyxFQUFFO29CQUNILGlCQUFpQixFQUFFLE1BQU0sQ0FDdkIsT0FBTyxDQUFDLHFCQUFxQixJQUFJLHNCQUFzQixDQUN4RDtvQkFDRCxhQUFhLEVBQUUsV0FBVyxDQUFDLGFBQWE7aUJBQ3pDO2FBQ0YsQ0FBQyxDQUFDO1FBQ0wsQ0FBQzthQUFNLENBQUM7WUFDTixXQUFXLENBQUMsWUFBWSxHQUFHLE1BQU0sQ0FDL0IsT0FBTyxDQUFDLGlCQUFpQixJQUFJLGlCQUFpQixDQUMvQyxDQUFDO1FBQ0osQ0FBQztRQUVELElBQUksQ0FBQyxhQUFhLENBQ2hCLFFBQVEsRUFDUixDQUFDLE9BQU8sRUFBRSxhQUFhLEVBQXFCLEVBQUUsQ0FBQyxDQUFDO1lBQzlDLFlBQVksRUFBRSxnQkFBZ0IsQ0FBQyxFQUFFO1lBQ2pDLGVBQWUsRUFBRSxlQUFlO1lBQ2hDLGdCQUFnQixFQUFFLE9BQU8sQ0FBQyxnQkFBZ0IsSUFBSSxFQUFFO1lBQ2hELFdBQVcsRUFBRSxPQUFPLENBQUMsaUJBQWlCLElBQUksYUFBYSxDQUFDLFdBQVc7WUFDbkUsR0FBRyxFQUFFLElBQUksQ0FBQyxhQUFhLENBQUMsZUFBZSxDQUFDO1lBQ3hDLFlBQVksRUFBRSw2QkFBNkI7WUFDM0MsR0FBRyxFQUFFO2dCQUNILFVBQVUsRUFBRSxPQUFPLENBQUMsU0FBUztnQkFDN0IsYUFBYSxFQUNYLE9BQU8sQ0FBQyxXQUFXLElBQUksdUNBQTJCLENBQUMsSUFBSTtnQkFDekQsY0FBYyxFQUNaLE9BQU8sQ0FBQyxZQUFZLElBQUksdUNBQTJCLENBQUMsS0FBSztnQkFDM0Qsa0JBQWtCLEVBQUUsT0FBTyxDQUFDLGdCQUFnQjthQUM3QztZQUNELFdBQVcsRUFBRSxXQUFXO1NBQ3pCLENBQUMsQ0FDSCxDQUFDO0lBQ0osQ0FBQztJQUVPLGFBQWE7SUFDbkI7OztPQUdHO0lBQ0gsUUFBZ0IsRUFDaEIsT0FHc0I7UUFFdEIsTUFBTSxPQUFPLEdBQUcsR0FBRyxrQkFBa0IsR0FBRyxRQUFRLEVBQUUsQ0FBQztRQUNuRCxJQUFJLENBQUMsV0FBVyxDQUFDLFFBQVEsQ0FBQyxHQUFHLE9BQU8sQ0FBQztRQUVyQyxJQUFJLENBQUMsYUFBYSxDQUFDLElBQUksQ0FBQyxDQUFDLE1BQU0sRUFBRSxhQUFhLEVBQUUsRUFBRTtZQUNoRCxNQUFNLElBQUksR0FBRyxPQUFPLENBQUMsTUFBTSxFQUFFLGFBQWEsQ0FBQyxDQUFDO1lBQzVDLElBQUksT0FBTyxJQUFJLElBQUksQ0FBQyxhQUFhLEVBQUUsQ0FBQztnQkFDbEMsTUFBTSxJQUFJLEtBQUssQ0FBQyw0QkFBNEIsT0FBTyxHQUFHLENBQUMsQ0FBQztZQUMxRCxDQUFDO1lBRUQsTUFBTSxZQUFZLEdBQUcsSUFBSSxDQUFDLE1BQU07Z0JBQzlCLENBQUMsQ0FBQyxrQkFBa0IsSUFBSSxDQUFDLEdBQUcsR0FBRztnQkFDL0IsQ0FBQyxDQUFDLElBQUksQ0FBQyxHQUFHLENBQUM7WUFDYixNQUFNLFdBQVcsR0FBRyxJQUFJLEtBQUssRUFBVSxDQUFDO1lBRXhDLHdGQUF3RjtZQUN4RixNQUFNLE1BQU0sR0FBMkIsRUFBRSxHQUFHLElBQUksQ0FBQyxHQUFHLEVBQUUsQ0FBQztZQUN2RCxNQUFNLGtCQUFrQixHQUFHLE1BQU0sQ0FBQyxPQUFPLENBQUMsSUFBSSxDQUFDLFdBQVcsSUFBSSxFQUFFLENBQUMsQ0FBQyxNQUFNLENBQ3RFLENBQUMsQ0FBQyxDQUFDLEVBQUUsS0FBSyxDQUFDLEVBQUUsRUFBRSxDQUFDLEtBQUssSUFBSSxTQUFTLENBQ3JCLENBQUM7WUFDaEIsS0FBSyxNQUFNLENBQUMsR0FBRyxFQUFFLFVBQVUsQ0FBQyxJQUFJLGtCQUFrQixFQUFFLENBQUM7Z0JBQ25ELFdBQVcsQ0FBQyxJQUFJLENBQUMsR0FBRyxDQUFDLENBQUM7Z0JBQ3RCLE1BQU0sQ0FBQyxHQUFHLENBQUMsR0FBRyxVQUFVLENBQUM7WUFDM0IsQ0FBQztZQUVELElBQUksSUFBSSxDQUFDLFlBQVksRUFBRSxDQUFDO2dCQUN0QixNQUFNLFlBQVksR0FDaEIsTUFBTSxLQUFLLE1BQU0sSUFBSSxNQUFNLEtBQUssUUFBUSxDQUFDLENBQUMsQ0FBQyxFQUFFLENBQUMsQ0FBQyxDQUFDLElBQUksTUFBTSxFQUFFLENBQUM7Z0JBRS9ELGdFQUFnRTtnQkFDaEUsTUFBTSxJQUFJLEdBQUcsSUFBSSxDQUFDLE9BQU8sQ0FBQyxPQUFPLENBQy9CLFdBQVcsUUFBUSxDQUFDLGlCQUFpQixFQUFFLEdBQUcsWUFBWSxFQUFFLEVBQ3hEO29CQUNFLFdBQVcsRUFBRSwyQkFBMkIsSUFBSSxDQUFDLFlBQVksRUFBRTtvQkFDM0QsR0FBRyxFQUFFLElBQUksQ0FBQyxHQUFHO29CQUNiLFdBQVcsRUFBRSxXQUFXO2lCQUN6QixDQUNGLENBQUM7Z0JBRUYsaURBQWlEO2dCQUNqRCxJQUFJLENBQUMsSUFBSSxDQUFDLDBDQUEwQyxNQUFNLEdBQUcsQ0FBQy