@backstage/backend-defaults 0.3.0-next.2 → 0.3.0-next.3

package/dist/urlReader.cjs.js

@@ -1,7 +1,2982 @@
 'use strict';
 
-var backendCommon = require('@backstage/backend-common');
+var integration = require('@backstage/integration');
+var fetch = require('node-fetch');
+var minimatch = require('minimatch');
+var stream = require('stream');
+var errors = require('@backstage/errors');
+var getRawBody = require('raw-body');
+var parseGitUrl = require('git-url-parse');
+var lodash = require('lodash');
+var base64Stream = require('base64-stream');
+var concatStream = require('concat-stream');
+var fs = require('fs-extra');
+var os = require('os');
+var platformPath = require('path');
+var tar = require('tar');
+var util = require('util');
+var isomorphicGit = require('isomorphic-git');
+var http = require('isomorphic-git/http/node');
+var integrationAwsNode = require('@backstage/integration-aws-node');
+var credentialProviders = require('@aws-sdk/credential-providers');
+var clientS3 = require('@aws-sdk/client-s3');
+var abortController = require('@aws-sdk/abort-controller');
+var posix = require('path/posix');
+var archiver = require('archiver');
+var yauzl = require('yauzl');
 var backendPluginApi = require('@backstage/backend-plugin-api');
+var GoogleCloud = require('@google-cloud/storage');
+var clientCodecommit = require('@aws-sdk/client-codecommit');
+
+function _interopDefaultCompat (e) { return e && typeof e === 'object' && 'default' in e ? e : { default: e }; }
+
+function _interopNamespaceCompat(e) {
+  if (e && typeof e === 'object' && 'default' in e) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var fetch__default = /*#__PURE__*/_interopDefaultCompat(fetch);
+var getRawBody__default = /*#__PURE__*/_interopDefaultCompat(getRawBody);
+var parseGitUrl__default = /*#__PURE__*/_interopDefaultCompat(parseGitUrl);
+var concatStream__default = /*#__PURE__*/_interopDefaultCompat(concatStream);
+var fs__default = /*#__PURE__*/_interopDefaultCompat(fs);
+var os__default = /*#__PURE__*/_interopDefaultCompat(os);
+var platformPath__default = /*#__PURE__*/_interopDefaultCompat(platformPath);
+var tar__default = /*#__PURE__*/_interopDefaultCompat(tar);
+var isomorphicGit__default = /*#__PURE__*/_interopDefaultCompat(isomorphicGit);
+var http__default = /*#__PURE__*/_interopDefaultCompat(http);
+var archiver__default = /*#__PURE__*/_interopDefaultCompat(archiver);
+var yauzl__default = /*#__PURE__*/_interopDefaultCompat(yauzl);
+var GoogleCloud__namespace = /*#__PURE__*/_interopNamespaceCompat(GoogleCloud);
+
+class ReadUrlResponseFactory {
+  /**
+   * Resolves a ReadUrlResponse from a Readable stream.
+   */
+  static async fromReadable(stream, options) {
+    let buffer;
+    const conflictError = new errors.ConflictError(
+      "Cannot use buffer() and stream() from the same ReadUrlResponse"
+    );
+    let hasCalledStream = false;
+    let hasCalledBuffer = false;
+    return {
+      buffer: () => {
+        hasCalledBuffer = true;
+        if (hasCalledStream)
+          throw conflictError;
+        if (buffer)
+          return buffer;
+        buffer = getRawBody__default.default(stream);
+        return buffer;
+      },
+      stream: () => {
+        hasCalledStream = true;
+        if (hasCalledBuffer)
+          throw conflictError;
+        return stream;
+      },
+      etag: options?.etag,
+      lastModifiedAt: options?.lastModifiedAt
+    };
+  }
+  /**
+   * Resolves a ReadUrlResponse from an old-style NodeJS.ReadableStream.
+   */
+  static async fromNodeJSReadable(oldStyleStream, options) {
+    const readable = stream.Readable.from(oldStyleStream);
+    return ReadUrlResponseFactory.fromReadable(readable, options);
+  }
+}
+
+class AzureUrlReader {
+  constructor(integration, deps) {
+    this.integration = integration;
+    this.deps = deps;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    const credentialProvider = integration.DefaultAzureDevOpsCredentialsProvider.fromIntegrations(integrations);
+    return integrations.azure.list().map((integration) => {
+      const reader = new AzureUrlReader(integration, {
+        treeResponseFactory,
+        credentialsProvider: credentialProvider
+      });
+      const predicate = (url) => url.host === integration.config.host;
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    const { signal } = options ?? {};
+    const builtUrl = integration.getAzureFileFetchUrl(url);
+    let response;
+    try {
+      const credentials = await this.deps.credentialsProvider.getCredentials({
+        url: builtUrl
+      });
+      response = await fetch__default.default(builtUrl, {
+        headers: credentials?.headers,
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can
+        // be removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        ...signal && { signal }
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${url}, ${e}`);
+    }
+    if (response.ok && response.status !== 203) {
+      return ReadUrlResponseFactory.fromNodeJSReadable(response.body);
+    }
+    const message = `${url} could not be read as ${builtUrl}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    throw new Error(message);
+  }
+  async readTree(url, options) {
+    const { etag, filter, signal } = options ?? {};
+    const credentials = await this.deps.credentialsProvider.getCredentials({
+      url
+    });
+    const commitsAzureResponse = await fetch__default.default(integration.getAzureCommitsUrl(url), {
+      headers: credentials?.headers
+    });
+    if (!commitsAzureResponse.ok) {
+      const message = `Failed to read tree from ${url}, ${commitsAzureResponse.status} ${commitsAzureResponse.statusText}`;
+      if (commitsAzureResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    const commitSha = (await commitsAzureResponse.json()).value[0].commitId;
+    if (etag && etag === commitSha) {
+      throw new errors.NotModifiedError();
+    }
+    const archiveAzureResponse = await fetch__default.default(integration.getAzureDownloadUrl(url), {
+      headers: {
+        ...credentials?.headers,
+        Accept: "application/zip"
+      },
+      // TODO(freben): The signal cast is there because pre-3.x versions of
+      // node-fetch have a very slightly deviating AbortSignal type signature.
+      // The difference does not affect us in practice however. The cast can be
+      // removed after we support ESM for CLI dependencies and migrate to
+      // version 3 of node-fetch.
+      // https://github.com/backstage/backstage/issues/8242
+      ...signal && { signal }
+    });
+    if (!archiveAzureResponse.ok) {
+      const message = `Failed to read tree from ${url}, ${archiveAzureResponse.status} ${archiveAzureResponse.statusText}`;
+      if (archiveAzureResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    let subpath;
+    const path = new URL(url).searchParams.get("path");
+    if (path) {
+      subpath = path.split("/").filter(Boolean).slice(-1)[0];
+    }
+    return await this.deps.treeResponseFactory.fromZipArchive({
+      stream: stream.Readable.from(archiveAzureResponse.body),
+      etag: commitSha,
+      filter,
+      subpath
+    });
+  }
+  async search(url, options) {
+    const treeUrl = new URL(url);
+    const path = treeUrl.searchParams.get("path");
+    const matcher = path && new minimatch.Minimatch(path.replace(/^\/+/, ""));
+    treeUrl.searchParams.delete("path");
+    const tree = await this.readTree(treeUrl.toString(), {
+      etag: options?.etag,
+      signal: options?.signal,
+      filter: (p) => matcher ? matcher.match(p) : true
+    });
+    const files = await tree.files();
+    return {
+      etag: tree.etag,
+      files: files.map((file) => ({
+        url: this.integration.resolveUrl({
+          url: `/${file.path}`,
+          base: url
+        }),
+        content: file.content,
+        lastModifiedAt: file.lastModifiedAt
+      }))
+    };
+  }
+  toString() {
+    const { host, credentials } = this.integration.config;
+    return `azure{host=${host},authed=${Boolean(
+      credentials !== void 0 && credentials.length > 0
+    )}}`;
+  }
+}
+
+function parseLastModified(value) {
+  if (!value) {
+    return void 0;
+  }
+  return new Date(value);
+}
+
+class BitbucketCloudUrlReader {
+  constructor(integration, deps) {
+    this.integration = integration;
+    this.deps = deps;
+    const { host, username, appPassword } = integration.config;
+    if (username && !appPassword) {
+      throw new Error(
+        `Bitbucket Cloud integration for '${host}' has configured a username but is missing a required appPassword.`
+      );
+    }
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    return integrations.bitbucketCloud.list().map((integration) => {
+      const reader = new BitbucketCloudUrlReader(integration, {
+        treeResponseFactory
+      });
+      const predicate = (url) => url.host === integration.config.host;
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    const { etag, lastModifiedAfter, signal } = options ?? {};
+    const bitbucketUrl = integration.getBitbucketCloudFileFetchUrl(
+      url,
+      this.integration.config
+    );
+    const requestOptions = integration.getBitbucketCloudRequestOptions(
+      this.integration.config
+    );
+    let response;
+    try {
+      response = await fetch__default.default(bitbucketUrl.toString(), {
+        headers: {
+          ...requestOptions.headers,
+          ...etag && { "If-None-Match": etag },
+          ...lastModifiedAfter && {
+            "If-Modified-Since": lastModifiedAfter.toUTCString()
+          }
+        },
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can be
+        // removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        ...signal && { signal }
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${url}, ${e}`);
+    }
+    if (response.status === 304) {
+      throw new errors.NotModifiedError();
+    }
+    if (response.ok) {
+      return ReadUrlResponseFactory.fromNodeJSReadable(response.body, {
+        etag: response.headers.get("ETag") ?? void 0,
+        lastModifiedAt: parseLastModified(
+          response.headers.get("Last-Modified")
+        )
+      });
+    }
+    const message = `${url} could not be read as ${bitbucketUrl}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    throw new Error(message);
+  }
+  async readTree(url, options) {
+    const { filepath } = parseGitUrl__default.default(url);
+    const lastCommitShortHash = await this.getLastCommitShortHash(url);
+    if (options?.etag && options.etag === lastCommitShortHash) {
+      throw new errors.NotModifiedError();
+    }
+    const downloadUrl = await integration.getBitbucketCloudDownloadUrl(
+      url,
+      this.integration.config
+    );
+    const archiveResponse = await fetch__default.default(
+      downloadUrl,
+      integration.getBitbucketCloudRequestOptions(this.integration.config)
+    );
+    if (!archiveResponse.ok) {
+      const message = `Failed to read tree from ${url}, ${archiveResponse.status} ${archiveResponse.statusText}`;
+      if (archiveResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    return await this.deps.treeResponseFactory.fromTarArchive({
+      stream: stream.Readable.from(archiveResponse.body),
+      subpath: filepath,
+      etag: lastCommitShortHash,
+      filter: options?.filter
+    });
+  }
+  async search(url, options) {
+    const { filepath } = parseGitUrl__default.default(url);
+    const matcher = new minimatch.Minimatch(filepath);
+    const treeUrl = lodash.trimEnd(url.replace(filepath, ""), "/");
+    const tree = await this.readTree(treeUrl, {
+      etag: options?.etag,
+      filter: (path) => matcher.match(path)
+    });
+    const files = await tree.files();
+    return {
+      etag: tree.etag,
+      files: files.map((file) => ({
+        url: this.integration.resolveUrl({
+          url: `/${file.path}`,
+          base: url
+        }),
+        content: file.content,
+        lastModifiedAt: file.lastModifiedAt
+      }))
+    };
+  }
+  toString() {
+    const { host, username, appPassword } = this.integration.config;
+    const authed = Boolean(username && appPassword);
+    return `bitbucketCloud{host=${host},authed=${authed}}`;
+  }
+  async getLastCommitShortHash(url) {
+    const { name: repoName, owner: project, ref } = parseGitUrl__default.default(url);
+    let branch = ref;
+    if (!branch) {
+      branch = await integration.getBitbucketCloudDefaultBranch(
+        url,
+        this.integration.config
+      );
+    }
+    const commitsApiUrl = `${this.integration.config.apiBaseUrl}/repositories/${project}/${repoName}/commits/${branch}`;
+    const commitsResponse = await fetch__default.default(
+      commitsApiUrl,
+      integration.getBitbucketCloudRequestOptions(this.integration.config)
+    );
+    if (!commitsResponse.ok) {
+      const message = `Failed to retrieve commits from ${commitsApiUrl}, ${commitsResponse.status} ${commitsResponse.statusText}`;
+      if (commitsResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    const commits = await commitsResponse.json();
+    if (commits && commits.values && commits.values.length > 0 && commits.values[0].hash) {
+      return commits.values[0].hash.substring(0, 12);
+    }
+    throw new Error(`Failed to read response from ${commitsApiUrl}`);
+  }
+}
+
+class BitbucketUrlReader {
+  constructor(integration, logger, deps) {
+    this.integration = integration;
+    this.deps = deps;
+    const { host, token, username, appPassword } = integration.config;
+    const replacement = host === "bitbucket.org" ? "bitbucketCloud" : "bitbucketServer";
+    logger.warn(
+      `[Deprecated] Please migrate from "integrations.bitbucket" to "integrations.${replacement}".`
+    );
+    if (!token && username && !appPassword) {
+      throw new Error(
+        `Bitbucket integration for '${host}' has configured a username but is missing a required appPassword.`
+      );
+    }
+  }
+  static factory = ({ config, logger, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    return integrations.bitbucket.list().filter(
+      (item) => !integrations.bitbucketCloud.byHost(item.config.host) && !integrations.bitbucketServer.byHost(item.config.host)
+    ).map((integration) => {
+      const reader = new BitbucketUrlReader(integration, logger, {
+        treeResponseFactory
+      });
+      const predicate = (url) => url.host === integration.config.host;
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    const { etag, lastModifiedAfter, signal } = options ?? {};
+    const bitbucketUrl = integration.getBitbucketFileFetchUrl(url, this.integration.config);
+    const requestOptions = integration.getBitbucketRequestOptions(this.integration.config);
+    let response;
+    try {
+      response = await fetch__default.default(bitbucketUrl.toString(), {
+        headers: {
+          ...requestOptions.headers,
+          ...etag && { "If-None-Match": etag },
+          ...lastModifiedAfter && {
+            "If-Modified-Since": lastModifiedAfter.toUTCString()
+          }
+        },
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can be
+        // removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        ...signal && { signal }
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${url}, ${e}`);
+    }
+    if (response.status === 304) {
+      throw new errors.NotModifiedError();
+    }
+    if (response.ok) {
+      return ReadUrlResponseFactory.fromNodeJSReadable(response.body, {
+        etag: response.headers.get("ETag") ?? void 0,
+        lastModifiedAt: parseLastModified(
+          response.headers.get("Last-Modified")
+        )
+      });
+    }
+    const message = `${url} could not be read as ${bitbucketUrl}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    throw new Error(message);
+  }
+  async readTree(url, options) {
+    const { filepath } = parseGitUrl__default.default(url);
+    const lastCommitShortHash = await this.getLastCommitShortHash(url);
+    if (options?.etag && options.etag === lastCommitShortHash) {
+      throw new errors.NotModifiedError();
+    }
+    const downloadUrl = await integration.getBitbucketDownloadUrl(
+      url,
+      this.integration.config
+    );
+    const archiveBitbucketResponse = await fetch__default.default(
+      downloadUrl,
+      integration.getBitbucketRequestOptions(this.integration.config)
+    );
+    if (!archiveBitbucketResponse.ok) {
+      const message = `Failed to read tree from ${url}, ${archiveBitbucketResponse.status} ${archiveBitbucketResponse.statusText}`;
+      if (archiveBitbucketResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    return await this.deps.treeResponseFactory.fromTarArchive({
+      stream: stream.Readable.from(archiveBitbucketResponse.body),
+      subpath: filepath,
+      etag: lastCommitShortHash,
+      filter: options?.filter
+    });
+  }
+  async search(url, options) {
+    const { filepath } = parseGitUrl__default.default(url);
+    const matcher = new minimatch.Minimatch(filepath);
+    const treeUrl = lodash.trimEnd(url.replace(filepath, ""), "/");
+    const tree = await this.readTree(treeUrl, {
+      etag: options?.etag,
+      filter: (path) => matcher.match(path)
+    });
+    const files = await tree.files();
+    return {
+      etag: tree.etag,
+      files: files.map((file) => ({
+        url: this.integration.resolveUrl({
+          url: `/${file.path}`,
+          base: url
+        }),
+        content: file.content,
+        lastModifiedAt: file.lastModifiedAt
+      }))
+    };
+  }
+  toString() {
+    const { host, token, username, appPassword } = this.integration.config;
+    let authed = Boolean(token);
+    if (!authed) {
+      authed = Boolean(username && appPassword);
+    }
+    return `bitbucket{host=${host},authed=${authed}}`;
+  }
+  async getLastCommitShortHash(url) {
+    const { resource, name: repoName, owner: project, ref } = parseGitUrl__default.default(url);
+    let branch = ref;
+    if (!branch) {
+      branch = await integration.getBitbucketDefaultBranch(url, this.integration.config);
+    }
+    const isHosted = resource === "bitbucket.org";
+    const commitsApiUrl = isHosted ? `${this.integration.config.apiBaseUrl}/repositories/${project}/${repoName}/commits/${branch}` : `${this.integration.config.apiBaseUrl}/projects/${project}/repos/${repoName}/commits`;
+    const commitsResponse = await fetch__default.default(
+      commitsApiUrl,
+      integration.getBitbucketRequestOptions(this.integration.config)
+    );
+    if (!commitsResponse.ok) {
+      const message = `Failed to retrieve commits from ${commitsApiUrl}, ${commitsResponse.status} ${commitsResponse.statusText}`;
+      if (commitsResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    const commits = await commitsResponse.json();
+    if (isHosted) {
+      if (commits && commits.values && commits.values.length > 0 && commits.values[0].hash) {
+        return commits.values[0].hash.substring(0, 12);
+      }
+    } else {
+      if (commits && commits.values && commits.values.length > 0 && commits.values[0].id) {
+        return commits.values[0].id.substring(0, 12);
+      }
+    }
+    throw new Error(`Failed to read response from ${commitsApiUrl}`);
+  }
+}
+
+class BitbucketServerUrlReader {
+  constructor(integration, deps) {
+    this.integration = integration;
+    this.deps = deps;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    return integrations.bitbucketServer.list().map((integration) => {
+      const reader = new BitbucketServerUrlReader(integration, {
+        treeResponseFactory
+      });
+      const predicate = (url) => url.host === integration.config.host;
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    const { etag, lastModifiedAfter, signal } = options ?? {};
+    const bitbucketUrl = integration.getBitbucketServerFileFetchUrl(
+      url,
+      this.integration.config
+    );
+    const requestOptions = integration.getBitbucketServerRequestOptions(
+      this.integration.config
+    );
+    let response;
+    try {
+      response = await fetch__default.default(bitbucketUrl.toString(), {
+        headers: {
+          ...requestOptions.headers,
+          ...etag && { "If-None-Match": etag },
+          ...lastModifiedAfter && {
+            "If-Modified-Since": lastModifiedAfter.toUTCString()
+          }
+        },
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can be
+        // removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        ...signal && { signal }
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${url}, ${e}`);
+    }
+    if (response.status === 304) {
+      throw new errors.NotModifiedError();
+    }
+    if (response.ok) {
+      return ReadUrlResponseFactory.fromNodeJSReadable(response.body, {
+        etag: response.headers.get("ETag") ?? void 0,
+        lastModifiedAt: parseLastModified(
+          response.headers.get("Last-Modified")
+        )
+      });
+    }
+    const message = `${url} could not be read as ${bitbucketUrl}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    throw new Error(message);
+  }
+  async readTree(url, options) {
+    const { filepath } = parseGitUrl__default.default(url);
+    const lastCommitShortHash = await this.getLastCommitShortHash(url);
+    if (options?.etag && options.etag === lastCommitShortHash) {
+      throw new errors.NotModifiedError();
+    }
+    const downloadUrl = await integration.getBitbucketServerDownloadUrl(
+      url,
+      this.integration.config
+    );
+    const archiveResponse = await fetch__default.default(
+      downloadUrl,
+      integration.getBitbucketServerRequestOptions(this.integration.config)
+    );
+    if (!archiveResponse.ok) {
+      const message = `Failed to read tree from ${url}, ${archiveResponse.status} ${archiveResponse.statusText}`;
+      if (archiveResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    return await this.deps.treeResponseFactory.fromTarArchive({
+      stream: stream.Readable.from(archiveResponse.body),
+      subpath: filepath,
+      etag: lastCommitShortHash,
+      filter: options?.filter
+    });
+  }
+  async search(url, options) {
+    const { filepath } = parseGitUrl__default.default(url);
+    const matcher = new minimatch.Minimatch(filepath);
+    const treeUrl = lodash.trimEnd(url.replace(filepath, ""), "/");
+    const tree = await this.readTree(treeUrl, {
+      etag: options?.etag,
+      filter: (path) => matcher.match(path)
+    });
+    const files = await tree.files();
+    return {
+      etag: tree.etag,
+      files: files.map((file) => ({
+        url: this.integration.resolveUrl({
+          url: `/${file.path}`,
+          base: url
+        }),
+        content: file.content,
+        lastModifiedAt: file.lastModifiedAt
+      }))
+    };
+  }
+  toString() {
+    const { host, token } = this.integration.config;
+    const authed = Boolean(token);
+    return `bitbucketServer{host=${host},authed=${authed}}`;
+  }
+  async getLastCommitShortHash(url) {
+    const { name: repoName, owner: project, ref: branch } = parseGitUrl__default.default(url);
+    const branchParameter = branch ? `?filterText=${encodeURIComponent(branch)}` : "/default";
+    const branchListUrl = `${this.integration.config.apiBaseUrl}/projects/${project}/repos/${repoName}/branches${branchParameter}`;
+    const branchListResponse = await fetch__default.default(
+      branchListUrl,
+      integration.getBitbucketServerRequestOptions(this.integration.config)
+    );
+    if (!branchListResponse.ok) {
+      const message = `Failed to retrieve branch list from ${branchListUrl}, ${branchListResponse.status} ${branchListResponse.statusText}`;
+      if (branchListResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    const branchMatches = await branchListResponse.json();
+    if (branchMatches && branchMatches.size > 0) {
+      const exactBranchMatch = branchMatches.values.filter(
+        (branchDetails) => branchDetails.displayId === branch
+      )[0];
+      return exactBranchMatch.latestCommit.substring(0, 12);
+    }
+    if (!branch && branchMatches) {
+      return branchMatches.latestCommit.substring(0, 12);
+    }
+    throw new Error(
+      `Failed to find Last Commit using ${branch ? `branch "${branch}"` : "default branch"} in response from ${branchListUrl}`
+    );
+  }
+}
+
+function isAuthCallbackOptions(options) {
+  return "onAuth" in options;
+}
+class Git {
+  constructor(config) {
+    this.config = config;
+    this.onAuth = config.onAuth;
+    this.headers = {
+      "user-agent": "git/@isomorphic-git",
+      ...config.token ? { Authorization: `Bearer ${config.token}` } : {}
+    };
+  }
+  headers;
+  /** https://isomorphic-git.org/docs/en/clone */
+  async clone(options) {
+    const { url, dir, ref, depth, noCheckout } = options;
+    this.config.logger?.info(`Cloning repo {dir=${dir},url=${url}}`);
+    try {
+      return await isomorphicGit__default.default.clone({
+        fs: fs__default.default,
+        http: http__default.default,
+        url,
+        dir,
+        ref,
+        singleBranch: true,
+        depth: depth ?? 1,
+        noCheckout,
+        onProgress: this.onProgressHandler(),
+        headers: this.headers,
+        onAuth: this.onAuth
+      });
+    } catch (ex) {
+      this.config.logger?.error(`Failed to clone repo {dir=${dir},url=${url}}`);
+      if (ex.data) {
+        throw new Error(`${ex.message} {data=${JSON.stringify(ex.data)}}`);
+      }
+      throw ex;
+    }
+  }
+  onAuth;
+  onProgressHandler = () => {
+    let currentPhase = "";
+    return (event) => {
+      if (currentPhase !== event.phase) {
+        currentPhase = event.phase;
+        this.config.logger?.info(event.phase);
+      }
+      const total = event.total ? `${Math.round(event.loaded / event.total * 100)}%` : event.loaded;
+      this.config.logger?.debug(`status={${event.phase},total={${total}}}`);
+    };
+  };
+  static fromAuth = (options) => {
+    if (isAuthCallbackOptions(options)) {
+      const { onAuth, logger: logger2 } = options;
+      return new Git({ onAuth, logger: logger2 });
+    }
+    const { username, password, token, logger } = options;
+    return new Git({ onAuth: () => ({ username, password }), token, logger });
+  };
+}
+
+const pipeline$3 = util.promisify(stream.pipeline);
+const GITILES_BASE_URL_DEPRECATION_MESSSAGE = `A gitilesBaseUrl must be provided for the gerrit integration to work. You can disable this check by setting DISABLE_GERRIT_GITILES_REQUIREMENT=1 but this will be removed in a future release. If you are not able to use the gitiles gerrit plugin, please open an issue towards https://github.com/backstage/backstage`;
+const createTemporaryDirectory = async (workDir) => await fs__default.default.mkdtemp(platformPath.join(workDir, "/gerrit-clone-"));
+class GerritUrlReader {
+  constructor(integration, deps, workDir) {
+    this.integration = integration;
+    this.deps = deps;
+    this.workDir = workDir;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    if (!integrations.gerrit) {
+      return [];
+    }
+    const workDir = config.getOptionalString("backend.workingDirectory") ?? os__default.default.tmpdir();
+    return integrations.gerrit.list().map((integration) => {
+      if (integration.config.gitilesBaseUrl === integration.config.baseUrl && process.env.DISABLE_GERRIT_GITILES_REQUIREMENT === void 0) {
+        throw new Error(GITILES_BASE_URL_DEPRECATION_MESSSAGE);
+      }
+      const reader = new GerritUrlReader(
+        integration,
+        { treeResponseFactory },
+        workDir
+      );
+      const predicate = (url) => {
+        const gitilesUrl = new URL(integration.config.gitilesBaseUrl);
+        return url.host === gitilesUrl.host;
+      };
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    const apiUrl = integration.getGerritFileContentsApiUrl(this.integration.config, url);
+    let response;
+    try {
+      response = await fetch__default.default(apiUrl, {
+        method: "GET",
+        ...integration.getGerritRequestOptions(this.integration.config),
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can
+        // be removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        signal: options?.signal
+      });
+    } catch (e) {
+      throw new Error(`Unable to read gerrit file ${url}, ${e}`);
+    }
+    if (response.ok) {
+      let responseBody;
+      return {
+        buffer: async () => {
+          if (responseBody === void 0) {
+            responseBody = await response.text();
+          }
+          return Buffer.from(responseBody, "base64");
+        },
+        stream: () => {
+          const readable = stream.Readable.from(response.body);
+          return readable.pipe(new base64Stream.Base64Decode());
+        }
+      };
+    }
+    if (response.status === 404) {
+      throw new errors.NotFoundError(`File ${url} not found.`);
+    }
+    throw new Error(
+      `${url} could not be read as ${apiUrl}, ${response.status} ${response.statusText}`
+    );
+  }
+  async readTree(url, options) {
+    const apiUrl = integration.getGerritBranchApiUrl(this.integration.config, url);
+    let response;
+    try {
+      response = await fetch__default.default(apiUrl, {
+        method: "GET",
+        ...integration.getGerritRequestOptions(this.integration.config)
+      });
+    } catch (e) {
+      throw new Error(`Unable to read branch state ${url}, ${e}`);
+    }
+    if (response.status === 404) {
+      throw new errors.NotFoundError(`Not found: ${url}`);
+    }
+    if (!response.ok) {
+      throw new Error(
+        `${url} could not be read as ${apiUrl}, ${response.status} ${response.statusText}`
+      );
+    }
+    const branchInfo = await integration.parseGerritJsonResponse(response);
+    if (options?.etag === branchInfo.revision) {
+      throw new errors.NotModifiedError();
+    }
+    if (this.integration.config.gitilesBaseUrl !== this.integration.config.baseUrl) {
+      return this.readTreeFromGitiles(url, branchInfo.revision, options);
+    }
+    return this.readTreeFromGitClone(url, branchInfo.revision, options);
+  }
+  async search() {
+    throw new Error("GerritReader does not implement search");
+  }
+  toString() {
+    const { host, password } = this.integration.config;
+    return `gerrit{host=${host},authed=${Boolean(password)}}`;
+  }
+  async readTreeFromGitClone(url, revision, options) {
+    const { filePath } = integration.parseGerritGitilesUrl(this.integration.config, url);
+    const git = Git.fromAuth({
+      username: this.integration.config.username,
+      password: this.integration.config.password
+    });
+    const tempDir = await createTemporaryDirectory(this.workDir);
+    const cloneUrl = integration.getGerritCloneRepoUrl(this.integration.config, url);
+    try {
+      await git.clone({
+        url: cloneUrl,
+        dir: platformPath.join(tempDir, "repo"),
+        ref: revision,
+        depth: 1
+      });
+      const data = await new Promise(async (resolve) => {
+        await pipeline$3(
+          tar__default.default.create({ cwd: tempDir }, [""]),
+          concatStream__default.default(resolve)
+        );
+      });
+      const tarArchive = stream.Readable.from(data);
+      return await this.deps.treeResponseFactory.fromTarArchive({
+        stream: tarArchive,
+        subpath: filePath === "/" ? void 0 : filePath,
+        etag: revision,
+        filter: options?.filter
+      });
+    } catch (error) {
+      throw new Error(`Could not clone ${cloneUrl}: ${error}`);
+    } finally {
+      await fs__default.default.rm(tempDir, { recursive: true, force: true });
+    }
+  }
+  async readTreeFromGitiles(url, revision, options) {
+    const { branch, filePath, project } = integration.parseGerritGitilesUrl(
+      this.integration.config,
+      url
+    );
+    const archiveUrl = integration.buildGerritGitilesArchiveUrl(
+      this.integration.config,
+      project,
+      branch,
+      filePath
+    );
+    const archiveResponse = await fetch__default.default(archiveUrl, {
+      ...integration.getGerritRequestOptions(this.integration.config),
+      // TODO(freben): The signal cast is there because pre-3.x versions of
+      // node-fetch have a very slightly deviating AbortSignal type signature.
+      // The difference does not affect us in practice however. The cast can
+      // be removed after we support ESM for CLI dependencies and migrate to
+      // version 3 of node-fetch.
+      // https://github.com/backstage/backstage/issues/8242
+      signal: options?.signal
+    });
+    if (archiveResponse.status === 404) {
+      throw new errors.NotFoundError(`Not found: ${archiveUrl}`);
+    }
+    if (!archiveResponse.ok) {
+      throw new Error(
+        `${url} could not be read as ${archiveUrl}, ${archiveResponse.status} ${archiveResponse.statusText}`
+      );
+    }
+    return await this.deps.treeResponseFactory.fromTarArchive({
+      stream: archiveResponse.body,
+      etag: revision,
+      filter: options?.filter,
+      stripFirstDirectory: false
+    });
+  }
+}
+
+class GithubUrlReader {
+  constructor(integration, deps) {
+    this.integration = integration;
+    this.deps = deps;
+    if (!integration.config.apiBaseUrl && !integration.config.rawBaseUrl) {
+      throw new Error(
+        `GitHub integration '${integration.title}' must configure an explicit apiBaseUrl or rawBaseUrl`
+      );
+    }
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    const credentialsProvider = integration.DefaultGithubCredentialsProvider.fromIntegrations(integrations);
+    return integrations.github.list().map((integration) => {
+      const reader = new GithubUrlReader(integration, {
+        treeResponseFactory,
+        credentialsProvider
+      });
+      const predicate = (url) => url.host === integration.config.host;
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  getCredentials = async (url, options) => {
+    if (options?.token) {
+      return {
+        headers: {
+          Authorization: `Bearer ${options.token}`
+        },
+        type: "token",
+        token: options.token
+      };
+    }
+    return await this.deps.credentialsProvider.getCredentials({
+      url
+    });
+  };
+  async readUrl(url, options) {
+    const credentials = await this.getCredentials(url, options);
+    const ghUrl = integration.getGithubFileFetchUrl(
+      url,
+      this.integration.config,
+      credentials
+    );
+    const response = await this.fetchResponse(ghUrl, {
+      headers: {
+        ...credentials?.headers,
+        ...options?.etag && { "If-None-Match": options.etag },
+        ...options?.lastModifiedAfter && {
+          "If-Modified-Since": options.lastModifiedAfter.toUTCString()
+        },
+        Accept: "application/vnd.github.v3.raw"
+      },
+      // TODO(freben): The signal cast is there because pre-3.x versions of
+      // node-fetch have a very slightly deviating AbortSignal type signature.
+      // The difference does not affect us in practice however. The cast can
+      // be removed after we support ESM for CLI dependencies and migrate to
+      // version 3 of node-fetch.
+      // https://github.com/backstage/backstage/issues/8242
+      signal: options?.signal
+    });
+    return ReadUrlResponseFactory.fromNodeJSReadable(response.body, {
+      etag: response.headers.get("ETag") ?? void 0,
+      lastModifiedAt: parseLastModified(response.headers.get("Last-Modified"))
+    });
+  }
+  async readTree(url, options) {
+    const repoDetails = await this.getRepoDetails(url);
+    const commitSha = repoDetails.commitSha;
+    if (options?.etag && options.etag === commitSha) {
+      throw new errors.NotModifiedError();
+    }
+    const { filepath } = parseGitUrl__default.default(url);
+    const { headers } = await this.getCredentials(url, options);
+    return this.doReadTree(
+      repoDetails.repo.archive_url,
+      commitSha,
+      filepath,
+      // TODO(freben): The signal cast is there because pre-3.x versions of
+      // node-fetch have a very slightly deviating AbortSignal type signature.
+      // The difference does not affect us in practice however. The cast can be
+      // removed after we support ESM for CLI dependencies and migrate to
+      // version 3 of node-fetch.
+      // https://github.com/backstage/backstage/issues/8242
+      { headers, signal: options?.signal },
+      options
+    );
+  }
+  async search(url, options) {
+    const repoDetails = await this.getRepoDetails(url);
+    const commitSha = repoDetails.commitSha;
+    if (options?.etag && options.etag === commitSha) {
+      throw new errors.NotModifiedError();
+    }
+    const { filepath } = parseGitUrl__default.default(url);
+    const { headers } = await this.getCredentials(url, options);
+    const files = await this.doSearch(
+      url,
+      repoDetails.repo.trees_url,
+      repoDetails.repo.archive_url,
+      commitSha,
+      filepath,
+      { headers, signal: options?.signal }
+    );
+    return { files, etag: commitSha };
+  }
+  toString() {
+    const { host, token } = this.integration.config;
+    return `github{host=${host},authed=${Boolean(token)}}`;
+  }
+  async doReadTree(archiveUrl, sha, subpath, init, options) {
+    const archive = await this.fetchResponse(
+      archiveUrl.replace("{archive_format}", "tarball").replace("{/ref}", `/${sha}`),
+      init
+    );
+    return await this.deps.treeResponseFactory.fromTarArchive({
+      // TODO(Rugvip): Underlying implementation of fetch will be node-fetch, we probably want
+      //               to stick to using that in exclusively backend code.
+      stream: stream.Readable.from(archive.body),
+      subpath,
+      etag: sha,
+      filter: options?.filter
+    });
+  }
+  async doSearch(url, treesUrl, archiveUrl, sha, query, init) {
+    function pathToUrl(path) {
+      const updated = new URL(url);
+      const base = updated.pathname.split("/").slice(1, 5).join("/");
+      updated.pathname = `${base}/${path}`;
+      return updated.toString();
+    }
+    const matcher = new minimatch.Minimatch(query.replace(/^\/+/, ""));
+    const recursiveTree = await this.fetchJson(
+      treesUrl.replace("{/sha}", `/${sha}?recursive=true`),
+      init
+    );
+    if (!recursiveTree.truncated) {
+      const matching = recursiveTree.tree.filter(
+        (item) => item.type === "blob" && item.path && item.url && matcher.match(item.path)
+      );
+      return matching.map((item) => ({
+        url: pathToUrl(item.path),
+        content: async () => {
+          const blob = await this.fetchJson(item.url, init);
+          return Buffer.from(blob.content, "base64");
+        }
+      }));
+    }
+    const tree = await this.doReadTree(archiveUrl, sha, "", init, {
+      filter: (path) => matcher.match(path)
+    });
+    const files = await tree.files();
+    return files.map((file) => ({
+      url: pathToUrl(file.path),
+      content: file.content,
+      lastModifiedAt: file.lastModifiedAt
+    }));
+  }
+  async getRepoDetails(url) {
+    const parsed = parseGitUrl__default.default(url);
+    const { ref, full_name } = parsed;
+    const credentials = await this.deps.credentialsProvider.getCredentials({
+      url
+    });
+    const { headers } = credentials;
+    const commitStatus = await this.fetchJson(
+      `${this.integration.config.apiBaseUrl}/repos/${full_name}/commits/${ref || await this.getDefaultBranch(full_name, credentials)}/status?per_page=0`,
+      { headers }
+    );
+    return {
+      commitSha: commitStatus.sha,
+      repo: commitStatus.repository
+    };
+  }
+  async getDefaultBranch(repoFullName, credentials) {
+    const repo = await this.fetchJson(
+      `${this.integration.config.apiBaseUrl}/repos/${repoFullName}`,
+      { headers: credentials.headers }
+    );
+    return repo.default_branch;
+  }
+  async fetchResponse(url, init) {
+    const urlAsString = url.toString();
+    const response = await fetch__default.default(urlAsString, init);
+    if (!response.ok) {
+      let message = `Request failed for ${urlAsString}, ${response.status} ${response.statusText}`;
+      if (response.status === 304) {
+        throw new errors.NotModifiedError();
+      }
+      if (response.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      if (this.integration.parseRateLimitInfo(response).isRateLimited) {
+        message += " (rate limit exceeded)";
+      }
+      throw new Error(message);
+    }
+    return response;
+  }
+  async fetchJson(url, init) {
+    const response = await this.fetchResponse(url, init);
+    return await response.json();
+  }
+}
+
+class GitlabUrlReader {
+  constructor(integration, deps) {
+    this.integration = integration;
+    this.deps = deps;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    return integrations.gitlab.list().map((integration) => {
+      const reader = new GitlabUrlReader(integration, {
+        treeResponseFactory
+      });
+      const predicate = (url) => url.host === integration.config.host;
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    const { etag, lastModifiedAfter, signal } = options ?? {};
+    const builtUrl = await this.getGitlabFetchUrl(url);
+    let response;
+    try {
+      response = await fetch__default.default(builtUrl, {
+        headers: {
+          ...integration.getGitLabRequestOptions(this.integration.config).headers,
+          ...etag && { "If-None-Match": etag },
+          ...lastModifiedAfter && {
+            "If-Modified-Since": lastModifiedAfter.toUTCString()
+          }
+        },
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can be
+        // removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        ...signal && { signal }
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${url}, ${e}`);
+    }
+    if (response.status === 304) {
+      throw new errors.NotModifiedError();
+    }
+    if (response.ok) {
+      return ReadUrlResponseFactory.fromNodeJSReadable(response.body, {
+        etag: response.headers.get("ETag") ?? void 0,
+        lastModifiedAt: parseLastModified(
+          response.headers.get("Last-Modified")
+        )
+      });
+    }
+    const message = `${url} could not be read as ${builtUrl}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    throw new Error(message);
+  }
+  async readTree(url, options) {
+    const { etag, signal } = options ?? {};
+    const { ref, full_name, filepath } = parseGitUrl__default.default(url);
+    let repoFullName = full_name;
+    const relativePath = integration.getGitLabIntegrationRelativePath(
+      this.integration.config
+    );
+    if (relativePath) {
+      const rectifiedRelativePath = `${lodash.trimStart(relativePath, "/")}/`;
+      repoFullName = full_name.replace(rectifiedRelativePath, "");
+    }
+    const projectGitlabResponse = await fetch__default.default(
+      new URL(
+        `${this.integration.config.apiBaseUrl}/projects/${encodeURIComponent(
+          repoFullName
+        )}`
+      ).toString(),
+      integration.getGitLabRequestOptions(this.integration.config)
+    );
+    if (!projectGitlabResponse.ok) {
+      const msg = `Failed to read tree from ${url}, ${projectGitlabResponse.status} ${projectGitlabResponse.statusText}`;
+      if (projectGitlabResponse.status === 404) {
+        throw new errors.NotFoundError(msg);
+      }
+      throw new Error(msg);
+    }
+    const projectGitlabResponseJson = await projectGitlabResponse.json();
+    const branch = ref || projectGitlabResponseJson.default_branch;
+    const commitsReqParams = new URLSearchParams();
+    commitsReqParams.set("ref_name", branch);
+    if (!!filepath) {
+      commitsReqParams.set("path", filepath);
+    }
+    const commitsGitlabResponse = await fetch__default.default(
+      new URL(
+        `${this.integration.config.apiBaseUrl}/projects/${encodeURIComponent(
+          repoFullName
+        )}/repository/commits?${commitsReqParams.toString()}`
+      ).toString(),
+      {
+        ...integration.getGitLabRequestOptions(this.integration.config),
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can
+        // be removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        ...signal && { signal }
+      }
+    );
+    if (!commitsGitlabResponse.ok) {
+      const message = `Failed to read tree (branch) from ${url}, ${commitsGitlabResponse.status} ${commitsGitlabResponse.statusText}`;
+      if (commitsGitlabResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    const commitSha = (await commitsGitlabResponse.json())[0]?.id ?? "";
+    if (etag && etag === commitSha) {
+      throw new errors.NotModifiedError();
+    }
+    const archiveReqParams = new URLSearchParams();
+    archiveReqParams.set("sha", branch);
+    if (!!filepath) {
+      archiveReqParams.set("path", filepath);
+    }
+    const archiveGitLabResponse = await fetch__default.default(
+      `${this.integration.config.apiBaseUrl}/projects/${encodeURIComponent(
+        repoFullName
+      )}/repository/archive?${archiveReqParams.toString()}`,
+      {
+        ...integration.getGitLabRequestOptions(this.integration.config),
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can
+        // be removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        ...signal && { signal }
+      }
+    );
+    if (!archiveGitLabResponse.ok) {
+      const message = `Failed to read tree (archive) from ${url}, ${archiveGitLabResponse.status} ${archiveGitLabResponse.statusText}`;
+      if (archiveGitLabResponse.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    return await this.deps.treeResponseFactory.fromTarArchive({
+      stream: stream.Readable.from(archiveGitLabResponse.body),
+      subpath: filepath,
+      etag: commitSha,
+      filter: options?.filter
+    });
+  }
+  async search(url, options) {
+    const { filepath } = parseGitUrl__default.default(url);
+    const staticPart = this.getStaticPart(filepath);
+    const matcher = new minimatch.Minimatch(filepath);
+    const treeUrl = lodash.trimEnd(url.replace(filepath, staticPart), `/`);
+    const pathPrefix = staticPart ? `${staticPart}/` : "";
+    const tree = await this.readTree(treeUrl, {
+      etag: options?.etag,
+      signal: options?.signal,
+      filter: (path) => matcher.match(`${pathPrefix}${path}`)
+    });
+    const files = await tree.files();
+    return {
+      etag: tree.etag,
+      files: files.map((file) => ({
+        url: this.integration.resolveUrl({
+          url: `/${pathPrefix}${file.path}`,
+          base: url
+        }),
+        content: file.content,
+        lastModifiedAt: file.lastModifiedAt
+      }))
+    };
+  }
+  /**
+   * This function splits the input globPattern string into segments using the  path separator /. It then iterates over
+   * the segments from the end of the array towards the beginning, checking if the concatenated string up to that
+   * segment matches the original globPattern using the minimatch function. If a match is found, it continues iterating.
+   * If no match is found, it returns the concatenated string up to the current segment, which is the static part of the
+   * glob pattern.
+   *
+   * E.g. `catalog/foo/*.yaml` will return `catalog/foo`.
+   *
+   * @param globPattern the glob pattern
+   * @private
+   */
+  getStaticPart(globPattern) {
+    const segments = globPattern.split("/");
+    let i = segments.length;
+    while (i > 0 && new minimatch.Minimatch(segments.slice(0, i).join("/")).match(globPattern)) {
+      i--;
+    }
+    return segments.slice(0, i).join("/");
+  }
+  toString() {
+    const { host, token } = this.integration.config;
+    return `gitlab{host=${host},authed=${Boolean(token)}}`;
+  }
+  async getGitlabFetchUrl(target) {
+    const targetUrl = new URL(target);
+    if (targetUrl.pathname.includes("/-/jobs/artifacts/")) {
+      return this.getGitlabArtifactFetchUrl(targetUrl).then(
+        (value) => value.toString()
+      );
+    }
+    return integration.getGitLabFileFetchUrl(target, this.integration.config);
+  }
+  // convert urls of the form:
+  //    https://example.com/<namespace>/<project>/-/jobs/artifacts/<ref>/raw/<path_to_file>?job=<job_name>
+  // to urls of the form:
+  //    https://example.com/api/v4/projects/:id/jobs/artifacts/:ref_name/raw/*artifact_path?job=<job_name>
+  async getGitlabArtifactFetchUrl(target) {
+    if (!target.pathname.includes("/-/jobs/artifacts/")) {
+      throw new Error("Unable to process url as an GitLab artifact");
+    }
+    try {
+      const [namespaceAndProject, ref] = target.pathname.split("/-/jobs/artifacts/");
+      const projectPath = new URL(target);
+      projectPath.pathname = namespaceAndProject;
+      const projectId = await this.resolveProjectToId(projectPath);
+      const relativePath = integration.getGitLabIntegrationRelativePath(
+        this.integration.config
+      );
+      const newUrl = new URL(target);
+      newUrl.pathname = `${relativePath}/api/v4/projects/${projectId}/jobs/artifacts/${ref}`;
+      return newUrl;
+    } catch (e) {
+      throw new Error(
+        `Unable to translate GitLab artifact URL: ${target}, ${e}`
+      );
+    }
+  }
+  async resolveProjectToId(pathToProject) {
+    let project = pathToProject.pathname;
+    const relativePath = integration.getGitLabIntegrationRelativePath(
+      this.integration.config
+    );
+    if (relativePath) {
+      project = project.replace(relativePath, "");
+    }
+    project = project.replace(/^\//, "");
+    const result = await fetch__default.default(
+      `${pathToProject.origin}${relativePath}/api/v4/projects/${encodeURIComponent(project)}`,
+      integration.getGitLabRequestOptions(this.integration.config)
+    );
+    const data = await result.json();
+    if (!result.ok) {
+      throw new Error(`Gitlab error: ${data.error}, ${data.error_description}`);
+    }
+    return Number(data.id);
+  }
+}
+
+class GiteaUrlReader {
+  constructor(integration, deps) {
+    this.integration = integration;
+    this.deps = deps;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    return integration.ScmIntegrations.fromConfig(config).gitea.list().map((integration) => {
+      const reader = new GiteaUrlReader(integration, { treeResponseFactory });
+      const predicate = (url) => {
+        return url.host === integration.config.host;
+      };
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    let response;
+    const blobUrl = integration.getGiteaFileContentsUrl(this.integration.config, url);
+    try {
+      response = await fetch__default.default(blobUrl, {
+        method: "GET",
+        ...integration.getGiteaRequestOptions(this.integration.config),
+        signal: options?.signal
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${blobUrl}, ${e}`);
+    }
+    if (response.ok) {
+      const { encoding, content } = await response.json();
+      if (encoding === "base64") {
+        return ReadUrlResponseFactory.fromReadable(
+          stream.Readable.from(Buffer.from(content, "base64")),
+          {
+            etag: response.headers.get("ETag") ?? void 0,
+            lastModifiedAt: parseLastModified(
+              response.headers.get("Last-Modified")
+            )
+          }
+        );
+      }
+      throw new Error(`Unknown encoding: ${encoding}`);
+    }
+    const message = `${url} could not be read as ${blobUrl}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    if (response.status === 304) {
+      throw new errors.NotModifiedError();
+    }
+    if (response.status === 403) {
+      throw new errors.AuthenticationError();
+    }
+    throw new Error(message);
+  }
+  async readTree(url, options) {
+    const lastCommitHash = await this.getLastCommitHash(url);
+    if (options?.etag && options.etag === lastCommitHash) {
+      throw new errors.NotModifiedError();
+    }
+    const archiveUri = integration.getGiteaArchiveUrl(this.integration.config, url);
+    let response;
+    try {
+      response = await fetch__default.default(archiveUri, {
+        method: "GET",
+        ...integration.getGiteaRequestOptions(this.integration.config),
+        signal: options?.signal
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${archiveUri}, ${e}`);
+    }
+    const parsedUri = integration.parseGiteaUrl(this.integration.config, url);
+    return this.deps.treeResponseFactory.fromTarArchive({
+      stream: stream.Readable.from(response.body),
+      subpath: parsedUri.path,
+      etag: lastCommitHash,
+      filter: options?.filter
+    });
+  }
+  search() {
+    throw new Error("GiteaUrlReader search not implemented.");
+  }
+  toString() {
+    const { host } = this.integration.config;
+    return `gitea{host=${host},authed=${Boolean(
+      this.integration.config.password
+    )}}`;
+  }
+  async getLastCommitHash(url) {
+    const commitUri = integration.getGiteaLatestCommitUrl(this.integration.config, url);
+    const response = await fetch__default.default(
+      commitUri,
+      integration.getGiteaRequestOptions(this.integration.config)
+    );
+    if (!response.ok) {
+      const message = `Failed to retrieve latest commit information from ${commitUri}, ${response.status} ${response.statusText}`;
+      if (response.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    return (await response.json()).sha;
+  }
+}
+
+class HarnessUrlReader {
+  constructor(integration, deps) {
+    this.integration = integration;
+    this.deps = deps;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    return integration.ScmIntegrations.fromConfig(config).harness.list().map((integration) => {
+      const reader = new HarnessUrlReader(integration, {
+        treeResponseFactory
+      });
+      const predicate = (url) => {
+        return url.host === integration.config.host;
+      };
+      return { reader, predicate };
+    });
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    let response;
+    const blobUrl = integration.getHarnessFileContentsUrl(this.integration.config, url);
+    try {
+      response = await fetch__default.default(blobUrl, {
+        method: "GET",
+        ...integration.getHarnessRequestOptions(this.integration.config),
+        signal: options?.signal
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${blobUrl}, ${e}`);
+    }
+    if (response.ok) {
+      const jsonResponse = { data: response.body };
+      if (jsonResponse) {
+        return ReadUrlResponseFactory.fromReadable(
+          stream.Readable.from(jsonResponse.data),
+          {
+            etag: response.headers.get("ETag") ?? void 0
+          }
+        );
+      }
+      throw new Error(`Unknown json: ${jsonResponse}`);
+    }
+    const message = `${url} x ${blobUrl}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    if (response.status === 304) {
+      throw new errors.NotModifiedError();
+    }
+    if (response.status === 403) {
+      throw new errors.AuthenticationError();
+    }
+    throw new Error(message);
+  }
+  async readTree(url, options) {
+    const lastCommitHash = await this.getLastCommitHash(url);
+    if (options?.etag && options.etag === lastCommitHash) {
+      throw new errors.NotModifiedError();
+    }
+    const archiveUri = integration.getHarnessArchiveUrl(this.integration.config, url);
+    let response;
+    try {
+      response = await fetch__default.default(archiveUri, {
+        method: "GET",
+        ...integration.getHarnessRequestOptions(this.integration.config),
+        signal: options?.signal
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${archiveUri}, ${e}`);
+    }
+    const parsedUri = integration.parseHarnessUrl(this.integration.config, url);
+    return this.deps.treeResponseFactory.fromZipArchive({
+      stream: stream.Readable.from(response.body),
+      subpath: parsedUri.path,
+      etag: lastCommitHash,
+      filter: options?.filter
+    });
+  }
+  search() {
+    throw new Error("HarnessUrlReader search not implemented.");
+  }
+  toString() {
+    const { host } = this.integration.config;
+    return `harness{host=${host},authed=${Boolean(
+      this.integration.config.token || this.integration.config.apiKey
+    )}}`;
+  }
+  async getLastCommitHash(url) {
+    const commitUri = integration.getHarnessLatestCommitUrl(this.integration.config, url);
+    const response = await fetch__default.default(
+      commitUri,
+      integration.getHarnessRequestOptions(this.integration.config)
+    );
+    if (!response.ok) {
+      const message = `Failed to retrieve latest commit information from ${commitUri}, ${response.status} ${response.statusText}`;
+      if (response.status === 404) {
+        throw new errors.NotFoundError(message);
+      }
+      throw new Error(message);
+    }
+    return (await response.json()).latest_commit.sha;
+  }
+}
+
+const DEFAULT_REGION = "us-east-1";
+function parseUrl$1(url, config) {
+  const parsedUrl = new URL(url);
+  const pathname = parsedUrl.pathname.substring(1);
+  const host = parsedUrl.host;
+  if (config.host === "amazonaws.com" || config.host === "amazonaws.com.cn") {
+    const match = host.match(
+      /^(?:([a-z0-9.-]+)\.)?s3(?:[.-]([a-z0-9-]+))?\.amazonaws\.com(\.cn)?$/
+    );
+    if (!match) {
+      throw new Error(`Invalid AWS S3 URL ${url}`);
+    }
+    const [, hostBucket, hostRegion] = match;
+    if (config.s3ForcePathStyle || !hostBucket) {
+      const slashIndex = pathname.indexOf("/");
+      if (slashIndex < 0) {
+        throw new Error(
+          `Invalid path-style AWS S3 URL ${url}, does not contain bucket in the path`
+        );
+      }
+      return {
+        path: pathname.substring(slashIndex + 1),
+        bucket: pathname.substring(0, slashIndex),
+        region: hostRegion ?? DEFAULT_REGION
+      };
+    }
+    return {
+      path: pathname,
+      bucket: hostBucket,
+      region: hostRegion ?? DEFAULT_REGION
+    };
+  }
+  const usePathStyle = config.s3ForcePathStyle || host.length === config.host.length;
+  if (usePathStyle) {
+    const slashIndex = pathname.indexOf("/");
+    if (slashIndex < 0) {
+      throw new Error(
+        `Invalid path-style AWS S3 URL ${url}, does not contain bucket in the path`
+      );
+    }
+    return {
+      path: pathname.substring(slashIndex + 1),
+      bucket: pathname.substring(0, slashIndex),
+      region: DEFAULT_REGION
+    };
+  }
+  return {
+    path: pathname,
+    bucket: host.substring(0, host.length - config.host.length - 1),
+    region: DEFAULT_REGION
+  };
+}
+class AwsS3UrlReader {
+  constructor(credsManager, integration, deps) {
+    this.credsManager = credsManager;
+    this.integration = integration;
+    this.deps = deps;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    const credsManager = integrationAwsNode.DefaultAwsCredentialsManager.fromConfig(config);
+    return integrations.awsS3.list().map((integration) => {
+      const reader = new AwsS3UrlReader(credsManager, integration, {
+        treeResponseFactory
+      });
+      const predicate = (url) => url.host.endsWith(integration.config.host);
+      return { reader, predicate };
+    });
+  };
+  /**
+   * If accessKeyId and secretAccessKey are missing, the standard credentials provider chain will be used:
+   * https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html
+   */
+  static buildStaticCredentials(accessKeyId, secretAccessKey) {
+    return async () => {
+      return {
+        accessKeyId,
+        secretAccessKey
+      };
+    };
+  }
+  static async buildCredentials(credsManager, region, integration) {
+    if (!integration) {
+      return (await credsManager.getCredentialProvider()).sdkCredentialProvider;
+    }
+    const accessKeyId = integration.config.accessKeyId;
+    const secretAccessKey = integration.config.secretAccessKey;
+    let explicitCredentials;
+    if (accessKeyId && secretAccessKey) {
+      explicitCredentials = AwsS3UrlReader.buildStaticCredentials(
+        accessKeyId,
+        secretAccessKey
+      );
+    } else {
+      explicitCredentials = (await credsManager.getCredentialProvider()).sdkCredentialProvider;
+    }
+    const roleArn = integration.config.roleArn;
+    if (roleArn) {
+      return credentialProviders.fromTemporaryCredentials({
+        masterCredentials: explicitCredentials,
+        params: {
+          RoleSessionName: "backstage-aws-s3-url-reader",
+          RoleArn: roleArn,
+          ExternalId: integration.config.externalId
+        },
+        clientConfig: { region }
+      });
+    }
+    return explicitCredentials;
+  }
+  async buildS3Client(credsManager, region, integration) {
+    const credentials = await AwsS3UrlReader.buildCredentials(
+      credsManager,
+      region,
+      integration
+    );
+    const s3 = new clientS3.S3Client({
+      region,
+      credentials,
+      endpoint: integration.config.endpoint,
+      forcePathStyle: integration.config.s3ForcePathStyle
+    });
+    return s3;
+  }
+  async retrieveS3ObjectData(stream$1) {
+    return new Promise((resolve, reject) => {
+      try {
+        const chunks = [];
+        stream$1.on("data", (chunk) => chunks.push(chunk));
+        stream$1.on(
+          "error",
+          (e) => reject(new errors.ForwardedError("Unable to read stream", e))
+        );
+        stream$1.on("end", () => resolve(stream.Readable.from(Buffer.concat(chunks))));
+      } catch (e) {
+        throw new errors.ForwardedError("Unable to parse the response data", e);
+      }
+    });
+  }
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    const { etag, lastModifiedAfter } = options ?? {};
+    try {
+      const { path, bucket, region } = parseUrl$1(url, this.integration.config);
+      const s3Client = await this.buildS3Client(
+        this.credsManager,
+        region,
+        this.integration
+      );
+      const abortController$1 = new abortController.AbortController();
+      const params = {
+        Bucket: bucket,
+        Key: path,
+        ...etag && { IfNoneMatch: etag },
+        ...lastModifiedAfter && {
+          IfModifiedSince: lastModifiedAfter
+        }
+      };
+      options?.signal?.addEventListener("abort", () => abortController$1.abort());
+      const getObjectCommand = new clientS3.GetObjectCommand(params);
+      const response = await s3Client.send(getObjectCommand, {
+        abortSignal: abortController$1.signal
+      });
+      const s3ObjectData = await this.retrieveS3ObjectData(
+        response.Body
+      );
+      return ReadUrlResponseFactory.fromReadable(s3ObjectData, {
+        etag: response.ETag,
+        lastModifiedAt: response.LastModified
+      });
+    } catch (e) {
+      if (e.$metadata && e.$metadata.httpStatusCode === 304) {
+        throw new errors.NotModifiedError();
+      }
+      throw new errors.ForwardedError("Could not retrieve file from S3", e);
+    }
+  }
+  async readTree(url, options) {
+    try {
+      const { path, bucket, region } = parseUrl$1(url, this.integration.config);
+      const s3Client = await this.buildS3Client(
+        this.credsManager,
+        region,
+        this.integration
+      );
+      const abortController$1 = new abortController.AbortController();
+      const allObjects = [];
+      const responses = [];
+      let continuationToken;
+      let output;
+      do {
+        const listObjectsV2Command = new clientS3.ListObjectsV2Command({
+          Bucket: bucket,
+          ContinuationToken: continuationToken,
+          Prefix: path
+        });
+        options?.signal?.addEventListener(
+          "abort",
+          () => abortController$1.abort()
+        );
+        output = await s3Client.send(listObjectsV2Command, {
+          abortSignal: abortController$1.signal
+        });
+        if (output.Contents) {
+          output.Contents.forEach((contents) => {
+            allObjects.push(contents.Key);
+          });
+        }
+        continuationToken = output.NextContinuationToken;
+      } while (continuationToken);
+      for (let i = 0; i < allObjects.length; i++) {
+        const getObjectCommand = new clientS3.GetObjectCommand({
+          Bucket: bucket,
+          Key: String(allObjects[i])
+        });
+        const response = await s3Client.send(getObjectCommand);
+        const s3ObjectData = await this.retrieveS3ObjectData(
+          response.Body
+        );
+        responses.push({
+          data: s3ObjectData,
+          path: posix.relative(path, String(allObjects[i])),
+          lastModifiedAt: response?.LastModified ?? void 0
+        });
+      }
+      return await this.deps.treeResponseFactory.fromReadableArray(responses);
+    } catch (e) {
+      throw new errors.ForwardedError("Could not retrieve file tree from S3", e);
+    }
+  }
+  async search() {
+    throw new Error("AwsS3Reader does not implement search");
+  }
+  toString() {
+    const secretAccessKey = this.integration.config.secretAccessKey;
+    return `awsS3{host=${this.integration.config.host},authed=${Boolean(
+      secretAccessKey
+    )}}`;
+  }
+}
+
+const isInRange = (num, [start, end]) => {
+  return num >= start && num <= end;
+};
+const parsePortRange = (port) => {
+  const isRange = port.includes("-");
+  if (isRange) {
+    const range = port.split("-").map((v) => parseInt(v, 10)).filter(Boolean);
+    if (range.length !== 2)
+      throw new Error(`Port range is not valid: ${port}`);
+    const [start, end] = range;
+    if (start <= 0 || end <= 0 || start > end)
+      throw new Error(`Port range is not valid: [${start}, ${end}]`);
+    return range;
+  }
+  const parsedPort = parseInt(port, 10);
+  return [parsedPort, parsedPort];
+};
+const parsePortPredicate = (port) => {
+  if (port) {
+    const range = parsePortRange(port);
+    return (url) => {
+      if (url.port)
+        return isInRange(parseInt(url.port, 10), range);
+      if (url.protocol === "http:")
+        return isInRange(80, range);
+      if (url.protocol === "https:")
+        return isInRange(443, range);
+      return false;
+    };
+  }
+  return (url) => !url.port;
+};
+class FetchUrlReader {
+  /**
+   * The factory creates a single reader that will be used for reading any URL that's listed
+   * in configuration at `backend.reading.allow`. The allow list contains a list of objects describing
+   * targets to allow, containing the following fields:
+   *
+   * `host`:
+   *   Either full hostnames to match, or subdomain wildcard matchers with a leading '*'.
+   *   For example 'example.com' and '*.example.com' are valid values, 'prod.*.example.com' is not.
+   *
+   * `paths`:
+   *   An optional list of paths which are allowed. If the list is omitted all paths are allowed.
+   */
+  static factory = ({ config }) => {
+    const predicates = config.getOptionalConfigArray("backend.reading.allow")?.map((allowConfig) => {
+      const paths = allowConfig.getOptionalStringArray("paths");
+      const checkPath = paths ? (url) => {
+        const targetPath = platformPath__default.default.posix.normalize(url.pathname);
+        return paths.some(
+          (allowedPath) => targetPath.startsWith(allowedPath)
+        );
+      } : (_url) => true;
+      const host = allowConfig.getString("host");
+      const [hostname, port] = host.split(":");
+      const checkPort = parsePortPredicate(port);
+      if (hostname.startsWith("*.")) {
+        const suffix = hostname.slice(1);
+        return (url) => url.hostname.endsWith(suffix) && checkPath(url) && checkPort(url);
+      }
+      return (url) => url.hostname === hostname && checkPath(url) && checkPort(url);
+    }) ?? [];
+    const reader = new FetchUrlReader();
+    const predicate = (url) => predicates.some((p) => p(url));
+    return [{ reader, predicate }];
+  };
+  async read(url) {
+    const response = await this.readUrl(url);
+    return response.buffer();
+  }
+  async readUrl(url, options) {
+    let response;
+    try {
+      response = await fetch__default.default(url, {
+        headers: {
+          ...options?.etag && { "If-None-Match": options.etag },
+          ...options?.lastModifiedAfter && {
+            "If-Modified-Since": options.lastModifiedAfter.toUTCString()
+          },
+          ...options?.token && { Authorization: `Bearer ${options.token}` }
+        },
+        // TODO(freben): The signal cast is there because pre-3.x versions of
+        // node-fetch have a very slightly deviating AbortSignal type signature.
+        // The difference does not affect us in practice however. The cast can
+        // be removed after we support ESM for CLI dependencies and migrate to
+        // version 3 of node-fetch.
+        // https://github.com/backstage/backstage/issues/8242
+        signal: options?.signal
+      });
+    } catch (e) {
+      throw new Error(`Unable to read ${url}, ${e}`);
+    }
+    if (response.status === 304) {
+      throw new errors.NotModifiedError();
+    }
+    if (response.ok) {
+      return ReadUrlResponseFactory.fromNodeJSReadable(response.body, {
+        etag: response.headers.get("ETag") ?? void 0,
+        lastModifiedAt: parseLastModified(
+          response.headers.get("Last-Modified")
+        )
+      });
+    }
+    const message = `could not read ${url}, ${response.status} ${response.statusText}`;
+    if (response.status === 404) {
+      throw new errors.NotFoundError(message);
+    }
+    throw new Error(message);
+  }
+  async readTree() {
+    throw new Error("FetchUrlReader does not implement readTree");
+  }
+  async search() {
+    throw new Error("FetchUrlReader does not implement search");
+  }
+  toString() {
+    return "fetch{}";
+  }
+}
+
+function notAllowedMessage(url) {
+  return `Reading from '${url}' is not allowed. You may need to configure an integration for the target host, or add it to the configured list of allowed hosts at 'backend.reading.allow'`;
+}
+class UrlReaderPredicateMux {
+  readers = [];
+  register(tuple) {
+    this.readers.push(tuple);
+  }
+  async readUrl(url, options) {
+    const parsed = new URL(url);
+    for (const { predicate, reader } of this.readers) {
+      if (predicate(parsed)) {
+        return reader.readUrl(url, options);
+      }
+    }
+    throw new errors.NotAllowedError(notAllowedMessage(url));
+  }
+  async readTree(url, options) {
+    const parsed = new URL(url);
+    for (const { predicate, reader } of this.readers) {
+      if (predicate(parsed)) {
+        return await reader.readTree(url, options);
+      }
+    }
+    throw new errors.NotAllowedError(notAllowedMessage(url));
+  }
+  async search(url, options) {
+    const parsed = new URL(url);
+    for (const { predicate, reader } of this.readers) {
+      if (predicate(parsed)) {
+        return await reader.search(url, options);
+      }
+    }
+    throw new errors.NotAllowedError(notAllowedMessage(url));
+  }
+  toString() {
+    return `predicateMux{readers=${this.readers.map((t) => t.reader).join(",")}`;
+  }
+}
+
+const pipeline$2 = util.promisify(stream.pipeline);
+const directoryNameRegex = /^[^\/]+\//;
+function stripFirstDirectoryFromPath(path) {
+  return path.replace(directoryNameRegex, "");
+}
+const streamToBuffer = (stream) => {
+  return new Promise(async (resolve, reject) => {
+    try {
+      await pipeline$2(stream, concatStream__default.default(resolve));
+    } catch (ex) {
+      reject(ex);
+    }
+  });
+};
+
+const TarParseStream = tar.Parse;
+const pipeline$1 = util.promisify(stream.pipeline);
+class TarArchiveResponse {
+  constructor(stream, subPath, workDir, etag, filter, stripFirstDirectory = true) {
+    this.stream = stream;
+    this.subPath = subPath;
+    this.workDir = workDir;
+    this.etag = etag;
+    this.filter = filter;
+    this.stripFirstDirectory = stripFirstDirectory;
+    if (subPath) {
+      if (!subPath.endsWith("/")) {
+        this.subPath += "/";
+      }
+      if (subPath.startsWith("/")) {
+        throw new TypeError(
+          `TarArchiveResponse subPath must not start with a /, got '${subPath}'`
+        );
+      }
+    }
+    this.etag = etag;
+  }
+  read = false;
+  // Make sure the input stream is only read once
+  onlyOnce() {
+    if (this.read) {
+      throw new Error("Response has already been read");
+    }
+    this.read = true;
+  }
+  async files() {
+    this.onlyOnce();
+    const files = Array();
+    const parser = new TarParseStream();
+    parser.on("entry", (entry) => {
+      if (entry.type === "Directory") {
+        entry.resume();
+        return;
+      }
+      const relativePath = this.stripFirstDirectory ? stripFirstDirectoryFromPath(entry.path) : entry.path;
+      if (this.subPath) {
+        if (!relativePath.startsWith(this.subPath)) {
+          entry.resume();
+          return;
+        }
+      }
+      const path = relativePath.slice(this.subPath.length);
+      if (this.filter) {
+        if (!this.filter(path, { size: entry.remain })) {
+          entry.resume();
+          return;
+        }
+      }
+      const content = new Promise(async (resolve) => {
+        await pipeline$1(entry, concatStream__default.default(resolve));
+      });
+      files.push({
+        path,
+        content: () => content
+      });
+      entry.resume();
+    });
+    await pipeline$1(this.stream, parser);
+    return files;
+  }
+  async archive() {
+    if (!this.subPath) {
+      this.onlyOnce();
+      return this.stream;
+    }
+    const tmpDir = await this.dir();
+    try {
+      const data = await new Promise(async (resolve) => {
+        await pipeline$1(
+          tar__default.default.create({ cwd: tmpDir }, [""]),
+          concatStream__default.default(resolve)
+        );
+      });
+      return stream.Readable.from(data);
+    } finally {
+      await fs__default.default.remove(tmpDir);
+    }
+  }
+  async dir(options) {
+    this.onlyOnce();
+    const dir = options?.targetDir ?? await fs__default.default.mkdtemp(platformPath__default.default.join(this.workDir, "backstage-"));
+    let strip = this.subPath ? this.subPath.split("/").length : 1;
+    if (!this.stripFirstDirectory) {
+      strip--;
+    }
+    let filterError = void 0;
+    await pipeline$1(
+      this.stream,
+      tar__default.default.extract({
+        strip,
+        cwd: dir,
+        filter: (path, stat) => {
+          if (filterError) {
+            return false;
+          }
+          const relativePath = this.stripFirstDirectory ? stripFirstDirectoryFromPath(path) : path;
+          if (this.subPath && !relativePath.startsWith(this.subPath)) {
+            return false;
+          }
+          if (this.filter) {
+            const innerPath = path.split("/").slice(strip).join("/");
+            try {
+              return this.filter(innerPath, { size: stat.size });
+            } catch (error) {
+              filterError = error;
+              return false;
+            }
+          }
+          return true;
+        }
+      })
+    );
+    if (filterError) {
+      if (!options?.targetDir) {
+        await fs__default.default.remove(dir).catch(() => {
+        });
+      }
+      throw filterError;
+    }
+    return dir;
+  }
+}
+
+class ZipArchiveResponse {
+  constructor(stream, subPath, workDir, etag, filter) {
+    this.stream = stream;
+    this.subPath = subPath;
+    this.workDir = workDir;
+    this.etag = etag;
+    this.filter = filter;
+    if (subPath) {
+      if (!subPath.endsWith("/")) {
+        this.subPath += "/";
+      }
+      if (subPath.startsWith("/")) {
+        throw new TypeError(
+          `ZipArchiveResponse subPath must not start with a /, got '${subPath}'`
+        );
+      }
+    }
+    this.etag = etag;
+  }
+  read = false;
+  // Make sure the input stream is only read once
+  onlyOnce() {
+    if (this.read) {
+      throw new Error("Response has already been read");
+    }
+    this.read = true;
+  }
+  // File path relative to the root extracted directory or a sub directory if subpath is set.
+  getInnerPath(path) {
+    return path.slice(this.subPath.length);
+  }
+  shouldBeIncluded(entry) {
+    if (this.subPath) {
+      if (!entry.fileName.startsWith(this.subPath)) {
+        return false;
+      }
+    }
+    if (this.filter) {
+      return this.filter(this.getInnerPath(entry.fileName), {
+        size: entry.uncompressedSize
+      });
+    }
+    return true;
+  }
+  async streamToTemporaryFile(stream) {
+    const tmpDir = await fs__default.default.mkdtemp(
+      platformPath__default.default.join(this.workDir, "backstage-tmp")
+    );
+    const tmpFile = platformPath__default.default.join(tmpDir, "tmp.zip");
+    const writeStream = fs__default.default.createWriteStream(tmpFile);
+    return new Promise((resolve, reject) => {
+      writeStream.on("error", reject);
+      writeStream.on("finish", () => {
+        writeStream.end();
+        resolve({
+          fileName: tmpFile,
+          cleanup: () => fs__default.default.rm(tmpDir, { recursive: true })
+        });
+      });
+      stream.pipe(writeStream);
+    });
+  }
+  forEveryZipEntry(zip, callback) {
+    return new Promise((resolve, reject) => {
+      yauzl__default.default.open(zip, { lazyEntries: true }, (err, zipfile) => {
+        if (err || !zipfile) {
+          reject(err || new Error(`Failed to open zip file ${zip}`));
+          return;
+        }
+        zipfile.on("entry", async (entry) => {
+          if (!entry.fileName.endsWith("/") && this.shouldBeIncluded(entry)) {
+            zipfile.openReadStream(entry, async (openErr, readStream) => {
+              if (openErr || !readStream) {
+                reject(
+                  openErr || new Error(`Failed to open zip entry ${entry.fileName}`)
+                );
+                return;
+              }
+              await callback(entry, readStream);
+              zipfile.readEntry();
+            });
+          } else {
+            zipfile.readEntry();
+          }
+        });
+        zipfile.once("end", () => resolve());
+        zipfile.on("error", (e) => reject(e));
+        zipfile.readEntry();
+      });
+    });
+  }
+  async files() {
+    this.onlyOnce();
+    const files = Array();
+    const temporary = await this.streamToTemporaryFile(this.stream);
+    await this.forEveryZipEntry(temporary.fileName, async (entry, content) => {
+      files.push({
+        path: this.getInnerPath(entry.fileName),
+        content: async () => await streamToBuffer(content),
+        lastModifiedAt: entry.lastModFileTime ? new Date(entry.lastModFileTime) : void 0
+      });
+    });
+    await temporary.cleanup();
+    return files;
+  }
+  async archive() {
+    this.onlyOnce();
+    if (!this.subPath) {
+      return this.stream;
+    }
+    const archive = archiver__default.default("zip");
+    const temporary = await this.streamToTemporaryFile(this.stream);
+    await this.forEveryZipEntry(temporary.fileName, async (entry, content) => {
+      archive.append(await streamToBuffer(content), {
+        name: this.getInnerPath(entry.fileName)
+      });
+    });
+    archive.finalize();
+    await temporary.cleanup();
+    return archive;
+  }
+  async dir(options) {
+    this.onlyOnce();
+    const dir = options?.targetDir ?? await fs__default.default.mkdtemp(platformPath__default.default.join(this.workDir, "backstage-"));
+    const temporary = await this.streamToTemporaryFile(this.stream);
+    await this.forEveryZipEntry(temporary.fileName, async (entry, content) => {
+      const entryPath = this.getInnerPath(entry.fileName);
+      const dirname = platformPath__default.default.dirname(entryPath);
+      if (dirname) {
+        await fs__default.default.mkdirp(backendPluginApi.resolveSafeChildPath(dir, dirname));
+      }
+      return new Promise(async (resolve, reject) => {
+        const file = fs__default.default.createWriteStream(backendPluginApi.resolveSafeChildPath(dir, entryPath));
+        file.on("finish", resolve);
+        content.on("error", reject);
+        content.pipe(file);
+      });
+    });
+    await temporary.cleanup();
+    return dir;
+  }
+}
+
+const pipeline = util.promisify(stream.pipeline);
+class ReadableArrayResponse {
+  constructor(stream, workDir, etag) {
+    this.stream = stream;
+    this.workDir = workDir;
+    this.etag = etag;
+    this.etag = etag;
+  }
+  read = false;
+  // Make sure the input stream is only read once
+  onlyOnce() {
+    if (this.read) {
+      throw new Error("Response has already been read");
+    }
+    this.read = true;
+  }
+  async files() {
+    this.onlyOnce();
+    const files = Array();
+    for (let i = 0; i < this.stream.length; i++) {
+      if (!this.stream[i].path.endsWith("/")) {
+        files.push({
+          path: this.stream[i].path,
+          content: () => getRawBody__default.default(this.stream[i].data),
+          lastModifiedAt: this.stream[i]?.lastModifiedAt
+        });
+      }
+    }
+    return files;
+  }
+  async archive() {
+    const tmpDir = await this.dir();
+    try {
+      const data = await new Promise(async (resolve) => {
+        await pipeline(
+          tar__default.default.create({ cwd: tmpDir }, [""]),
+          concatStream__default.default(resolve)
+        );
+      });
+      return stream.Readable.from(data);
+    } finally {
+      await fs__default.default.remove(tmpDir);
+    }
+  }
+  async dir(options) {
+    this.onlyOnce();
+    const dir = options?.targetDir ?? await fs__default.default.mkdtemp(platformPath__default.default.join(this.workDir, "backstage-"));
+    for (let i = 0; i < this.stream.length; i++) {
+      if (!this.stream[i].path.endsWith("/")) {
+        const filePath = platformPath__default.default.join(dir, this.stream[i].path);
+        await fs__default.default.mkdir(platformPath.dirname(filePath), { recursive: true });
+        await pipeline(this.stream[i].data, fs__default.default.createWriteStream(filePath));
+      }
+    }
+    return dir;
+  }
+}
+
+class DefaultReadTreeResponseFactory {
+  constructor(workDir) {
+    this.workDir = workDir;
+  }
+  static create(options) {
+    return new DefaultReadTreeResponseFactory(
+      options.config.getOptionalString("backend.workingDirectory") ?? os__default.default.tmpdir()
+    );
+  }
+  async fromTarArchive(options) {
+    return new TarArchiveResponse(
+      options.stream,
+      options.subpath ?? "",
+      this.workDir,
+      options.etag,
+      options.filter,
+      options.stripFirstDirectory ?? true
+    );
+  }
+  async fromZipArchive(options) {
+    return new ZipArchiveResponse(
+      options.stream,
+      options.subpath ?? "",
+      this.workDir,
+      options.etag,
+      options.filter
+    );
+  }
+  async fromReadableArray(options) {
+    return new ReadableArrayResponse(options, this.workDir, "");
+  }
+}
+
+var name = "@backstage/backend-defaults";
+var version = "0.3.0-next.3";
+var description = "Backend defaults used by Backstage backend apps";
+var backstage = {
+	role: "node-library"
+};
+var publishConfig = {
+	access: "public"
+};
+var keywords = [
+	"backstage"
+];
+var homepage = "https://backstage.io";
+var repository = {
+	type: "git",
+	url: "https://github.com/backstage/backstage",
+	directory: "packages/backend-defaults"
+};
+var license = "Apache-2.0";
+var exports$1 = {
+	".": "./src/index.ts",
+	"./cache": "./src/entrypoints/cache/index.ts",
+	"./database": "./src/entrypoints/database/index.ts",
+	"./discovery": "./src/entrypoints/discovery/index.ts",
+	"./lifecycle": "./src/entrypoints/lifecycle/index.ts",
+	"./permissions": "./src/entrypoints/permissions/index.ts",
+	"./rootConfig": "./src/entrypoints/rootConfig/index.ts",
+	"./rootLifecycle": "./src/entrypoints/rootLifecycle/index.ts",
+	"./scheduler": "./src/entrypoints/scheduler/index.ts",
+	"./urlReader": "./src/entrypoints/urlReader/index.ts",
+	"./package.json": "./package.json"
+};
+var main = "src/index.ts";
+var types = "src/index.ts";
+var typesVersions = {
+	"*": {
+		cache: [
+			"src/entrypoints/cache/index.ts"
+		],
+		database: [
+			"src/entrypoints/database/index.ts"
+		],
+		discovery: [
+			"src/entrypoints/discovery/index.ts"
+		],
+		lifecycle: [
+			"src/entrypoints/lifecycle/index.ts"
+		],
+		permissions: [
+			"src/entrypoints/permissions/index.ts"
+		],
+		rootConfig: [
+			"src/entrypoints/rootConfig/index.ts"
+		],
+		rootLifecycle: [
+			"src/entrypoints/rootLifecycle/index.ts"
+		],
+		scheduler: [
+			"src/entrypoints/scheduler/index.ts"
+		],
+		urlReader: [
+			"src/entrypoints/urlReader/index.ts"
+		],
+		"package.json": [
+			"package.json"
+		]
+	}
+};
+var files = [
+	"config.d.ts",
+	"dist",
+	"migrations"
+];
+var scripts = {
+	build: "backstage-cli package build",
+	clean: "backstage-cli package clean",
+	lint: "backstage-cli package lint",
+	prepack: "backstage-cli package prepack",
+	postpack: "backstage-cli package postpack",
+	start: "backstage-cli package start",
+	test: "backstage-cli package test"
+};
+var dependencies = {
+	"@aws-sdk/abort-controller": "^3.347.0",
+	"@aws-sdk/client-codecommit": "^3.350.0",
+	"@aws-sdk/client-s3": "^3.350.0",
+	"@aws-sdk/credential-providers": "^3.350.0",
+	"@aws-sdk/types": "^3.347.0",
+	"@backstage/backend-app-api": "workspace:^",
+	"@backstage/backend-common": "workspace:^",
+	"@backstage/backend-dev-utils": "workspace:^",
+	"@backstage/backend-plugin-api": "workspace:^",
+	"@backstage/config": "workspace:^",
+	"@backstage/config-loader": "workspace:^",
+	"@backstage/errors": "workspace:^",
+	"@backstage/integration": "workspace:^",
+	"@backstage/integration-aws-node": "workspace:^",
+	"@backstage/plugin-events-node": "workspace:^",
+	"@backstage/plugin-permission-node": "workspace:^",
+	"@backstage/types": "workspace:^",
+	"@google-cloud/storage": "^7.0.0",
+	"@keyv/memcache": "^1.3.5",
+	"@keyv/redis": "^2.5.3",
+	"@octokit/rest": "^19.0.3",
+	"@opentelemetry/api": "^1.3.0",
+	archiver: "^6.0.0",
+	"base64-stream": "^1.0.0",
+	"better-sqlite3": "^9.0.0",
+	"concat-stream": "^2.0.0",
+	cron: "^3.0.0",
+	"fs-extra": "^11.2.0",
+	"git-url-parse": "^14.0.0",
+	"isomorphic-git": "^1.23.0",
+	keyv: "^4.5.2",
+	knex: "^3.0.0",
+	lodash: "^4.17.21",
+	luxon: "^3.0.0",
+	minimatch: "^9.0.0",
+	mysql2: "^3.0.0",
+	"node-fetch": "^2.6.7",
+	"p-limit": "^3.1.0",
+	pg: "^8.11.3",
+	"pg-connection-string": "^2.3.0",
+	"raw-body": "^2.4.1",
+	tar: "^6.1.12",
+	uuid: "^9.0.0",
+	yauzl: "^3.0.0",
+	yn: "^4.0.0",
+	zod: "^3.22.4"
+};
+var devDependencies = {
+	"@aws-sdk/util-stream-node": "^3.350.0",
+	"@backstage/backend-plugin-api": "workspace:^",
+	"@backstage/backend-test-utils": "workspace:^",
+	"@backstage/cli": "workspace:^",
+	"aws-sdk-client-mock": "^4.0.0",
+	msw: "^1.0.0",
+	"wait-for-expect": "^3.0.2"
+};
+var configSchema = "config.d.ts";
+var packageinfo = {
+	name: name,
+	version: version,
+	description: description,
+	backstage: backstage,
+	publishConfig: publishConfig,
+	keywords: keywords,
+	homepage: homepage,
+	repository: repository,
+	license: license,
+	exports: exports$1,
+	main: main,
+	types: types,
+	typesVersions: typesVersions,
+	files: files,
+	scripts: scripts,
+	dependencies: dependencies,
+	devDependencies: devDependencies,
+	configSchema: configSchema
+};
+
+const GOOGLE_GCS_HOST = "storage.cloud.google.com";
+const parseURL = (url) => {
+  const { host, pathname } = new URL(url);
+  if (host !== GOOGLE_GCS_HOST) {
+    throw new Error(`not a valid GCS URL: ${url}`);
+  }
+  const [, bucket, ...key] = pathname.split("/");
+  return {
+    host,
+    bucket,
+    key: key.join("/")
+  };
+};
+class GoogleGcsUrlReader {
+  constructor(integration, storage) {
+    this.integration = integration;
+    this.storage = storage;
+  }
+  static factory = ({ config, logger }) => {
+    if (!config.has("integrations.googleGcs")) {
+      return [];
+    }
+    const gcsConfig = integration.readGoogleGcsIntegrationConfig(
+      config.getConfig("integrations.googleGcs")
+    );
+    let storage;
+    if (!gcsConfig.clientEmail || !gcsConfig.privateKey) {
+      logger.info(
+        "googleGcs credentials not found in config. Using default credentials provider."
+      );
+      storage = new GoogleCloud__namespace.Storage({
+        userAgent: `backstage/backend-defaults.GoogleGcsUrlReader/${packageinfo.version}`
+      });
+    } else {
+      storage = new GoogleCloud__namespace.Storage({
+        credentials: {
+          client_email: gcsConfig.clientEmail || void 0,
+          private_key: gcsConfig.privateKey || void 0
+        },
+        userAgent: `backstage/backend-defaults.GoogleGcsUrlReader/${packageinfo.version}`
+      });
+    }
+    const reader = new GoogleGcsUrlReader(gcsConfig, storage);
+    const predicate = (url) => url.host === GOOGLE_GCS_HOST;
+    return [{ reader, predicate }];
+  };
+  readStreamFromUrl(url) {
+    const { bucket, key } = parseURL(url);
+    return this.storage.bucket(bucket).file(key).createReadStream();
+  }
+  async read(url) {
+    try {
+      return await getRawBody__default.default(this.readStreamFromUrl(url));
+    } catch (error) {
+      throw new Error(`unable to read gcs file from ${url}, ${error}`);
+    }
+  }
+  async readUrl(url, _options) {
+    const stream = this.readStreamFromUrl(url);
+    return ReadUrlResponseFactory.fromReadable(stream);
+  }
+  async readTree() {
+    throw new Error("GcsUrlReader does not implement readTree");
+  }
+  async search(url) {
+    const { bucket, key: pattern } = parseURL(url);
+    if (!pattern.endsWith("*") || pattern.indexOf("*") !== pattern.length - 1) {
+      throw new Error("GcsUrlReader only supports prefix-based searches");
+    }
+    const [files] = await this.storage.bucket(bucket).getFiles({
+      autoPaginate: true,
+      prefix: pattern.split("*").join("")
+    });
+    return {
+      files: files.map((file) => {
+        const fullUrl = ["https:/", GOOGLE_GCS_HOST, bucket, file.name].join(
+          "/"
+        );
+        return {
+          url: fullUrl,
+          content: async () => {
+            const readResponse = await this.readUrl(fullUrl);
+            return readResponse.buffer();
+          }
+        };
+      }),
+      // TODO etag is not implemented yet.
+      etag: "NOT/IMPLEMENTED"
+    };
+  }
+  toString() {
+    const key = this.integration.privateKey;
+    return `googleGcs{host=${GOOGLE_GCS_HOST},authed=${Boolean(key)}}`;
+  }
+}
+
+function parseUrl(url, requireGitPath = false) {
+  const parsedUrl = new URL(url);
+  if (parsedUrl.pathname.includes("/files/edit/")) {
+    throw new Error(
+      "Please provide the view url to yaml file from CodeCommit, not the edit url"
+    );
+  }
+  if (requireGitPath && !parsedUrl.pathname.includes("/browse/")) {
+    throw new Error("Please provide full path to yaml file from CodeCommit");
+  }
+  const hostMatch = parsedUrl.host.match(
+    /^([^\.]+)\.console\.aws\.amazon\.com$/
+  );
+  if (!hostMatch) {
+    throw new Error(
+      `Invalid AWS CodeCommit URL (unexpected host format): ${url}`
+    );
+  }
+  const [, region] = hostMatch;
+  const pathMatch = parsedUrl.pathname.match(
+    /^\/codesuite\/codecommit\/repositories\/([^\/]+)\/browse\/((.*)\/)?--\/(.*)$/
+  );
+  if (!pathMatch) {
+    if (!requireGitPath) {
+      const pathname = parsedUrl.pathname.split("/--/")[0].replace("/codesuite/codecommit/repositories/", "");
+      const [repositoryName2, commitSpecifier2] = pathname.split("/browse");
+      return {
+        region,
+        repositoryName: repositoryName2.replace(/^\/|\/$/g, ""),
+        path: "/",
+        commitSpecifier: commitSpecifier2 === "" ? void 0 : commitSpecifier2?.replace(/^\/|\/$/g, "")
+      };
+    }
+    throw new Error(
+      `Invalid AWS CodeCommit URL (unexpected path format): ${url}`
+    );
+  }
+  const [, repositoryName, , commitSpecifier, path] = pathMatch;
+  return {
+    region,
+    repositoryName,
+    path,
+    // the commitSpecifier is passed to AWS SDK which does not allow empty strings so replace empty string with undefined
+    commitSpecifier: commitSpecifier === "" ? void 0 : commitSpecifier
+  };
+}
+class AwsCodeCommitUrlReader {
+  constructor(credsManager, integration, deps) {
+    this.credsManager = credsManager;
+    this.integration = integration;
+    this.deps = deps;
+  }
+  static factory = ({ config, treeResponseFactory }) => {
+    const integrations = integration.ScmIntegrations.fromConfig(config);
+    const credsManager = integrationAwsNode.DefaultAwsCredentialsManager.fromConfig(config);
+    return integrations.awsCodeCommit.list().map((integration) => {
+      const reader = new AwsCodeCommitUrlReader(credsManager, integration, {
+        treeResponseFactory
+      });
+      const predicate = (url) => {
+        return url.host.endsWith(integration.config.host) && url.pathname.startsWith("/codesuite/codecommit");
+      };
+      return { reader, predicate };
+    });
+  };
+  /**
+   * If accessKeyId and secretAccessKey are missing, the standard credentials provider chain will be used:
+   * https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/auth/DefaultAWSCredentialsProviderChain.html
+   */
+  static buildStaticCredentials(accessKeyId, secretAccessKey) {
+    return async () => {
+      return {
+        accessKeyId,
+        secretAccessKey
+      };
+    };
+  }
+  static async buildCredentials(credsManager, region, integration) {
+    if (!integration) {
+      return (await credsManager.getCredentialProvider()).sdkCredentialProvider;
+    }
+    const accessKeyId = integration.config.accessKeyId;
+    const secretAccessKey = integration.config.secretAccessKey;
+    let explicitCredentials;
+    if (accessKeyId && secretAccessKey) {
+      explicitCredentials = AwsCodeCommitUrlReader.buildStaticCredentials(
+        accessKeyId,
+        secretAccessKey
+      );
+    } else {
+      explicitCredentials = (await credsManager.getCredentialProvider()).sdkCredentialProvider;
+    }
+    const roleArn = integration.config.roleArn;
+    if (roleArn) {
+      return credentialProviders.fromTemporaryCredentials({
+        masterCredentials: explicitCredentials,
+        params: {
+          RoleSessionName: "backstage-aws-code-commit-url-reader",
+          RoleArn: roleArn,
+          ExternalId: integration.config.externalId
+        },
+        clientConfig: { region }
+      });
+    }
+    return explicitCredentials;
+  }
+  async buildCodeCommitClient(credsManager, region, integration) {
+    const credentials = await AwsCodeCommitUrlReader.buildCredentials(
+      credsManager,
+      region,
+      integration
+    );
+    const codeCommit = new clientCodecommit.CodeCommitClient({
+      region,
+      credentials
+    });
+    return codeCommit;
+  }
+  async readUrl(url, options) {
+    try {
+      const { path, repositoryName, region, commitSpecifier } = parseUrl(
+        url,
+        true
+      );
+      const codeCommitClient = await this.buildCodeCommitClient(
+        this.credsManager,
+        region,
+        this.integration
+      );
+      const abortController$1 = new abortController.AbortController();
+      const input = {
+        repositoryName,
+        commitSpecifier,
+        filePath: path
+      };
+      options?.signal?.addEventListener("abort", () => abortController$1.abort());
+      const getObjectCommand = new clientCodecommit.GetFileCommand(input);
+      const response = await codeCommitClient.send(
+        getObjectCommand,
+        {
+          abortSignal: abortController$1.signal
+        }
+      );
+      if (options?.etag && options.etag === response.commitId) {
+        throw new errors.NotModifiedError();
+      }
+      return ReadUrlResponseFactory.fromReadable(
+        stream.Readable.from([response?.fileContent]),
+        {
+          etag: response.commitId
+        }
+      );
+    } catch (e) {
+      if (e.$metadata && e.$metadata.httpStatusCode === 304) {
+        throw new errors.NotModifiedError();
+      }
+      if (e.name && e.name === "NotModifiedError") {
+        throw new errors.NotModifiedError();
+      }
+      throw new errors.ForwardedError("Could not retrieve file from CodeCommit", e);
+    }
+  }
+  async readTreePath(codeCommitClient, abortSignal, path, repositoryName, commitSpecifier, etag) {
+    const getFolderCommand = new clientCodecommit.GetFolderCommand({
+      folderPath: path,
+      repositoryName,
+      commitSpecifier
+    });
+    const response = await codeCommitClient.send(getFolderCommand, {
+      abortSignal
+    });
+    if (etag && etag === response.commitId) {
+      throw new errors.NotModifiedError();
+    }
+    const output = [];
+    if (response.files) {
+      response.files.forEach((file) => {
+        if (file.absolutePath) {
+          output.push(file.absolutePath);
+        }
+      });
+    }
+    if (!response.subFolders) {
+      return output;
+    }
+    for (const subFolder of response.subFolders) {
+      if (subFolder.absolutePath) {
+        output.push(
+          ...await this.readTreePath(
+            codeCommitClient,
+            abortSignal,
+            subFolder.absolutePath,
+            repositoryName,
+            commitSpecifier,
+            etag
+          )
+        );
+      }
+    }
+    return output;
+  }
+  async readTree(url, options) {
+    try {
+      const { path, repositoryName, region, commitSpecifier } = parseUrl(url);
+      const codeCommitClient = await this.buildCodeCommitClient(
+        this.credsManager,
+        region,
+        this.integration
+      );
+      const abortController$1 = new abortController.AbortController();
+      options?.signal?.addEventListener("abort", () => abortController$1.abort());
+      const allFiles = await this.readTreePath(
+        codeCommitClient,
+        abortController$1.signal,
+        path,
+        repositoryName,
+        commitSpecifier,
+        options?.etag
+      );
+      const responses = [];
+      for (let i = 0; i < allFiles.length; i++) {
+        const getFileCommand = new clientCodecommit.GetFileCommand({
+          repositoryName,
+          filePath: String(allFiles[i]),
+          commitSpecifier
+        });
+        const response = await codeCommitClient.send(getFileCommand);
+        const objectData = await stream.Readable.from([response?.fileContent]);
+        responses.push({
+          data: objectData,
+          path: posix.relative(
+            path.startsWith("/") ? path : `/${path}`,
+            allFiles[i].startsWith("/") ? allFiles[i] : `/${allFiles[i]}`
+          )
+        });
+      }
+      return await this.deps.treeResponseFactory.fromReadableArray(responses);
+    } catch (e) {
+      if (e.name && e.name === "NotModifiedError") {
+        throw new errors.NotModifiedError();
+      }
+      throw new errors.ForwardedError(
+        "Could not retrieve file tree from CodeCommit",
+        e
+      );
+    }
+  }
+  async search() {
+    throw new Error("AwsCodeCommitReader does not implement search");
+  }
+  toString() {
+    const secretAccessKey = this.integration.config.secretAccessKey;
+    return `awsCodeCommit{host=${this.integration.config.host},authed=${Boolean(
+      secretAccessKey
+    )}}`;
+  }
+}
+
+class UrlReaders {
+  /**
+   * Creates a custom {@link @backstage/backend-plugin-api#UrlReaderService} wrapper for your own set of factories.
+   */
+  static create(options) {
+    const { logger, config, factories } = options;
+    const mux = new UrlReaderPredicateMux();
+    const treeResponseFactory = DefaultReadTreeResponseFactory.create({
+      config
+    });
+    for (const factory of factories ?? []) {
+      const tuples = factory({ config, logger, treeResponseFactory });
+      for (const tuple of tuples) {
+        mux.register(tuple);
+      }
+    }
+    return mux;
+  }
+  /**
+   * Creates a {@link @backstage/backend-plugin-api#UrlReaderService} wrapper that includes all the default factories
+   * from this package.
+   *
+   * Any additional factories passed will be loaded before the default ones.
+   */
+  static default(options) {
+    const { logger, config, factories = [] } = options;
+    return UrlReaders.create({
+      logger,
+      config,
+      factories: factories.concat([
+        AzureUrlReader.factory,
+        BitbucketCloudUrlReader.factory,
+        BitbucketServerUrlReader.factory,
+        BitbucketUrlReader.factory,
+        GerritUrlReader.factory,
+        GithubUrlReader.factory,
+        GiteaUrlReader.factory,
+        GitlabUrlReader.factory,
+        GoogleGcsUrlReader.factory,
+        HarnessUrlReader.factory,
+        AwsS3UrlReader.factory,
+        AwsCodeCommitUrlReader.factory,
+        FetchUrlReader.factory
+      ])
+    });
+  }
+}
 
 const urlReaderServiceFactory = backendPluginApi.createServiceFactory({
   service: backendPluginApi.coreServices.urlReader,
@@ -10,12 +2985,25 @@ const urlReaderServiceFactory = backendPluginApi.createServiceFactory({
     logger: backendPluginApi.coreServices.logger
   },
   async factory({ config, logger }) {
-    return backendCommon.UrlReaders.default({
+    return UrlReaders.default({
       config,
       logger
     });
   }
 });
 
+exports.AwsS3UrlReader = AwsS3UrlReader;
+exports.AzureUrlReader = AzureUrlReader;
+exports.BitbucketCloudUrlReader = BitbucketCloudUrlReader;
+exports.BitbucketServerUrlReader = BitbucketServerUrlReader;
+exports.BitbucketUrlReader = BitbucketUrlReader;
+exports.FetchUrlReader = FetchUrlReader;
+exports.GerritUrlReader = GerritUrlReader;
+exports.GiteaUrlReader = GiteaUrlReader;
+exports.GithubUrlReader = GithubUrlReader;
+exports.GitlabUrlReader = GitlabUrlReader;
+exports.HarnessUrlReader = HarnessUrlReader;
+exports.ReadUrlResponseFactory = ReadUrlResponseFactory;
+exports.UrlReaders = UrlReaders;
 exports.urlReaderServiceFactory = urlReaderServiceFactory;
 //# sourceMappingURL=urlReader.cjs.js.map