tenseleyflow/shithub / 7da9698

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package api

+

+import (

+	"errors"

+	"net/http"

+	"strconv"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/jackc/pgx/v5"

+

+	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/auth/pat"

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// mountActionsLifecycle registers user/PAT-authenticated Actions lifecycle

+// controls. Runner-owned job endpoints stay in runners.go and use job JWTs.

+func (h *Handlers) mountActionsLifecycle(r chi.Router) {

+	r.Group(func(r chi.Router) {

+		r.Use(middleware.RequireScope(pat.ScopeRepoWrite))

+		r.Post("/api/v1/jobs/{id}/cancel", h.workflowJobCancel)

+	})

+}

+

+func (h *Handlers) workflowJobCancel(w http.ResponseWriter, r *http.Request) {

+	auth := middleware.PATAuthFromContext(r.Context())

+	if auth.UserID == 0 {

+		writeAPIError(w, http.StatusUnauthorized, "unauthenticated")

+		return

+	}

+	jobID, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)

+	if err != nil || jobID <= 0 {

+		writeAPIError(w, http.StatusNotFound, "job not found")

+		return

+	}

+	job, run, repo, ok := h.resolveCancellableJob(w, r, auth.UserID, jobID)

+	if !ok {

+		return

+	}

+	result, err := actionslifecycle.CancelJob(r.Context(), actionslifecycle.Deps{

+		Pool:   h.d.Pool,

+		Logger: h.d.Logger,

+	}, job.ID, actionslifecycle.CancelReasonUser)

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "api actions cancel job", "job_id", job.ID, "error", err)

+		writeAPIError(w, http.StatusInternalServerError, "cancel failed")

+		return

+	}

+	writeJSON(w, http.StatusAccepted, map[string]any{

+		"job_id":         job.ID,

+		"run_id":         run.ID,

+		"repo_id":        repo.ID,

+		"changed_jobs":   len(result.ChangedJobs),

+		"run_completed":  result.RunCompleted,

+		"run_conclusion": string(result.RunConclusion),

+	})

+}

+

+func (h *Handlers) resolveCancellableJob(

+	w http.ResponseWriter,

+	r *http.Request,

+	userID int64,

+	jobID int64,

+) (actionsdb.WorkflowJob, actionsdb.WorkflowRun, reposdb.Repo, bool) {

+	q := actionsdb.New()

+	job, err := q.GetWorkflowJobByID(r.Context(), h.d.Pool, jobID)

+	if err != nil {

+		writeAPIError(w, http.StatusNotFound, "job not found")

+		return actionsdb.WorkflowJob{}, actionsdb.WorkflowRun{}, reposdb.Repo{}, false

+	}

+	run, err := q.GetWorkflowRunByID(r.Context(), h.d.Pool, job.RunID)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			writeAPIError(w, http.StatusNotFound, "job not found")

+		} else {

+			writeAPIError(w, http.StatusInternalServerError, "run lookup failed")

+		}

+		return actionsdb.WorkflowJob{}, actionsdb.WorkflowRun{}, reposdb.Repo{}, false

+	}

+	repo, err := reposdb.New().GetRepoByID(r.Context(), h.d.Pool, run.RepoID)

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			writeAPIError(w, http.StatusNotFound, "job not found")

+		} else {

+			writeAPIError(w, http.StatusInternalServerError, "repo lookup failed")

+		}

+		return actionsdb.WorkflowJob{}, actionsdb.WorkflowRun{}, reposdb.Repo{}, false

+	}

+	actor := policy.UserActor(userID, "", false, false)

+	if !policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoWrite, policy.NewRepoRefFromRepo(repo)).Allow {

+		writeAPIError(w, http.StatusNotFound, "job not found")

+		return actionsdb.WorkflowJob{}, actionsdb.WorkflowRun{}, reposdb.Repo{}, false

+	}

+	return job, run, repo, true

+}

+		// S41g Actions lifecycle controls.

+		h.mountActionsLifecycle(r)

+	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"

+	notifyWorker := false

+	if updated.Status == actionsdb.WorkflowJobStatusCancelled {

+		steps, err := q.CancelOpenWorkflowStepsForJob(ctx, tx, updated.ID)

+		if err != nil {

+			return actionsdb.WorkflowJob{}, false, "", err

+		}

+		for _, step := range steps {

+			if err := logstream.NotifyDone(ctx, tx, step.ID); err != nil {

+				return actionsdb.WorkflowJob{}, false, "", err

+			}

+			if h.d.ObjectStore != nil {

+				if _, err := worker.Enqueue(ctx, tx, finalize.KindWorkflowFinalizeStep, finalize.Payload{StepID: step.ID}, worker.EnqueueOptions{}); err != nil {

+					return actionsdb.WorkflowJob{}, false, "", err

+				}

+				notifyWorker = true

+			}

+		}

+	}

+	if notifyWorker {

+		if err := worker.Notify(ctx, h.d.Pool); err != nil && h.d.Logger != nil {

+			h.d.Logger.WarnContext(ctx, "runner cancelled-step finalizer notify failed", "job_id", updated.ID, "error", err)

+		}

+	}

+	return actionslifecycle.SyncCheckRunForJob(ctx, actionslifecycle.Deps{Pool: h.d.Pool, Logger: h.d.Logger}, job)

+	"github.com/tenseleyFlow/shithub/internal/auth/pat"

+func TestWorkflowJobCancelAPIRequestsCancellation(t *testing.T) {

+	ctx := context.Background()

+	pool := dbtest.NewTestDB(t)

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+	repoID, userID := setupRunnerAPIRepo(t, pool)

+	runID := enqueueRunnerAPIRun(t, pool, logger, repoID, userID)

+	jobs, err := actionsdb.New().ListJobsForRun(ctx, pool, runID)

+	if err != nil {

+		t.Fatalf("ListJobsForRun: %v", err)

+	}

+	if len(jobs) != 1 {

+		t.Fatalf("jobs: %+v", jobs)

+	}

+	rawPAT := mintRunnerAPIPAT(t, pool, userID, string(pat.ScopeRepoWrite))

+	router := newRunnerAPIRouter(t, pool, logger, runnerAPISigner(t, time.Now()))

+

+	req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/api/v1/jobs/%d/cancel", jobs[0].ID), nil)

+	req.Header.Set("Authorization", "Bearer "+rawPAT)

+	rr := httptest.NewRecorder()

+	router.ServeHTTP(rr, req)

+	if rr.Code != http.StatusAccepted {

+		t.Fatalf("cancel status: got %d, want 202; body=%s", rr.Code, rr.Body.String())

+	}

+	var body struct {

+		ChangedJobs  int  `json:"changed_jobs"`

+		RunCompleted bool `json:"run_completed"`

+	}

+	if err := json.Unmarshal(rr.Body.Bytes(), &body); err != nil {

+		t.Fatalf("decode response: %v", err)

+	}

+	if body.ChangedJobs != 1 || !body.RunCompleted {

+		t.Fatalf("response: %+v", body)

+	}

+	job, err := actionsdb.New().GetWorkflowJobByID(ctx, pool, jobs[0].ID)

+	if err != nil {

+		t.Fatalf("GetWorkflowJobByID: %v", err)

+	}

+	if job.Status != actionsdb.WorkflowJobStatusCancelled || !job.CancelRequested ||

+		!job.Conclusion.Valid || job.Conclusion.CheckConclusion != actionsdb.CheckConclusionCancelled {

+		t.Fatalf("job: %+v", job)

+	}

+	run, err := actionsdb.New().GetWorkflowRunByID(ctx, pool, runID)

+	if err != nil {

+		t.Fatalf("GetWorkflowRunByID: %v", err)

+	}

+	if run.Status != actionsdb.WorkflowRunStatusCompleted ||

+		!run.Conclusion.Valid || run.Conclusion.CheckConclusion != actionsdb.CheckConclusionCancelled {

+		t.Fatalf("run: %+v", run)

+	}

+}

+

+func mintRunnerAPIPAT(t *testing.T, pool *pgxpool.Pool, userID int64, scopes ...string) string {

+	t.Helper()

+	raw, hash, prefix, err := pat.Mint()

+	if err != nil {

+		t.Fatalf("pat.Mint: %v", err)

+	}

+	if _, err := usersdb.New().InsertUserToken(context.Background(), pool, usersdb.InsertUserTokenParams{

+		UserID:      userID,

+		Name:        "api test",

+		TokenHash:   hash,

+		TokenPrefix: prefix,

+		Scopes:      scopes,

+	}); err != nil {

+		t.Fatalf("InsertUserToken: %v", err)

+	}

+	return raw

+}

+

+	CancelHref     string

+	CanCancel      bool

+	CancelHref string

+	CanCancel  bool

+	// CancelRequested is true after a running job has been asked to stop but

+	// before its runner has reported the terminal cancelled state.

+	CancelRequested bool

+	IsCancellable   bool

+	Depth           int

+	Steps           []actionsStepDetailView

+	h.applyActionsCancelControls(r, row, &view)

+		CancelHref:     runPath + "/cancel",

+		CancelHref: "/" + owner + "/" + repoName + "/actions/runs/" + strconv.FormatInt(runIndex, 10) +

+			"/jobs/" + strconv.FormatInt(int64(row.JobIndex), 10) + "/cancel",

+		CancelRequested: row.CancelRequested,

+		IsCancellable: row.Status == actionsdb.WorkflowJobStatusQueued ||

+			row.Status == actionsdb.WorkflowJobStatusRunning,

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package repo

+

+import (

+	"errors"

+	"net/http"

+	"strconv"

+

+	"github.com/jackc/pgx/v5"

+

+	actionslifecycle "github.com/tenseleyFlow/shithub/internal/actions/lifecycle"

+	actionsdb "github.com/tenseleyFlow/shithub/internal/actions/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/auth/policy"

+	reposdb "github.com/tenseleyFlow/shithub/internal/repos/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+func (h *Handlers) repoActionRunCancel(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoWrite)

+	if !ok {

+		return

+	}

+	runIndex, ok := parsePositiveInt64Param(r, "runIndex")

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	run, err := actionsdb.New().GetWorkflowRunForRepoByIndex(r.Context(), h.d.Pool, actionsdb.GetWorkflowRunForRepoByIndexParams{

+		RepoID:   row.ID,

+		RunIndex: runIndex,

+	})

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		} else {

+			h.d.Logger.WarnContext(r.Context(), "repo actions: lookup run for cancel", "repo_id", row.ID, "run_index", runIndex, "error", err)

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		}

+		return

+	}

+	if _, err := actionslifecycle.CancelRun(r.Context(), actionslifecycle.Deps{

+		Pool:   h.d.Pool,

+		Logger: h.d.Logger,

+	}, run.ID, actionslifecycle.CancelReasonUser); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: cancel run", "run_id", run.ID, "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	http.Redirect(w, r, repoActionRunHref(owner.Username, row.Name, runIndex), http.StatusSeeOther)

+}

+

+func (h *Handlers) repoActionJobCancel(w http.ResponseWriter, r *http.Request) {

+	row, owner, ok := h.loadRepoAndAuthorize(w, r, policy.ActionRepoWrite)

+	if !ok {

+		return

+	}

+	runIndex, ok := parsePositiveInt64Param(r, "runIndex")

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	jobIndex, ok := parseNonNegativeInt32Param(r, "jobIndex")

+	if !ok {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	q := actionsdb.New()

+	run, err := q.GetWorkflowRunForRepoByIndex(r.Context(), h.d.Pool, actionsdb.GetWorkflowRunForRepoByIndexParams{

+		RepoID:   row.ID,

+		RunIndex: runIndex,

+	})

+	if err != nil {

+		if errors.Is(err, pgx.ErrNoRows) {

+			h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		} else {

+			h.d.Logger.WarnContext(r.Context(), "repo actions: lookup run for job cancel", "repo_id", row.ID, "run_index", runIndex, "error", err)

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		}

+		return

+	}

+	jobs, err := q.ListJobsForRun(r.Context(), h.d.Pool, run.ID)

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: list jobs for cancel", "run_id", run.ID, "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	var jobID int64

+	for _, job := range jobs {

+		if job.JobIndex == jobIndex {

+			jobID = job.ID

+			break

+		}

+	}

+	if jobID == 0 {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	if _, err := actionslifecycle.CancelJob(r.Context(), actionslifecycle.Deps{

+		Pool:   h.d.Pool,

+		Logger: h.d.Logger,

+	}, jobID, actionslifecycle.CancelReasonUser); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "repo actions: cancel job", "job_id", jobID, "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	http.Redirect(w, r, repoActionRunHref(owner.Username, row.Name, runIndex)+"#job-"+strconv.FormatInt(int64(jobIndex), 10), http.StatusSeeOther)

+}

+

+func (h *Handlers) applyActionsCancelControls(r *http.Request, row reposdb.Repo, view *actionsRunDetailView) {

+	if view == nil || view.IsTerminal {

+		return

+	}

+	viewer := middleware.CurrentUserFromContext(r.Context())

+	dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, viewer.PolicyActor(), policy.ActionRepoWrite, policy.NewRepoRefFromRepo(row))

+	if !dec.Allow {

+		return

+	}

+	for i := range view.Jobs {

+		if view.Jobs[i].IsCancellable && !view.Jobs[i].CancelRequested {

+			view.Jobs[i].CanCancel = true

+			view.CanCancel = true

+		}

+	}

+}

+

+func repoActionRunHref(owner, repoName string, runIndex int64) string {

+	return "/" + owner + "/" + repoName + "/actions/runs/" + strconv.FormatInt(runIndex, 10)

+}

+func TestRepoActionRunRendersCancelControlsForWritersOnly(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	now := time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC)

+	runID := f.insertWorkflowRun(t, workflowRunFixture{

+		RunIndex:      12,

+		WorkflowFile:  ".shithub/workflows/ci.yml",

+		WorkflowName:  "CI",

+		HeadRef:       "trunk",

+		Event:         actionsdb.WorkflowRunEventPush,

+		Status:        actionsdb.WorkflowRunStatusRunning,

+		ActorUserID:   f.owner.ID,

+		CreatedOffset: -5 * time.Minute,

+		StartedOffset: -4 * time.Minute,

+	}, now)

+	f.insertWorkflowJob(t, workflowJobFixture{

+		RunID:    runID,

+		JobIndex: 0,

+		JobKey:   "build",

+		JobName:  "Build",

+		RunsOn:   "ubuntu-latest",

+		Status:   actionsdb.WorkflowJobStatusQueued,

+	})

+

+	resp := httptest.NewRecorder()

+	req := httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/12", nil)

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("owner status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	body := resp.Body.String()

+	for _, want := range []string{

+		"CANCEL_RUN=/alice/public-repo/actions/runs/12/cancel;",

+		"CANCEL_JOB=/alice/public-repo/actions/runs/12/jobs/0/cancel;",

+	} {

+		if !strings.Contains(body, want) {

+			t.Fatalf("owner body missing %q in %s", want, body)

+		}

+	}

+

+	resp = httptest.NewRecorder()

+	req = httptest.NewRequest(http.MethodGet, "/alice/public-repo/actions/runs/12", nil)

+	f.actionsMux(viewerFor(f.stranger)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusOK {

+		t.Fatalf("stranger status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if strings.Contains(resp.Body.String(), "CANCEL_") {

+		t.Fatalf("cancel controls leaked to non-writer: %s", resp.Body.String())

+	}

+}

+

+func TestRepoActionRunCancelCancelsQueuedRun(t *testing.T) {

+	t.Parallel()

+	f := newRepoFixture(t)

+	now := time.Date(2026, 5, 11, 12, 0, 0, 0, time.UTC)

+	runID := f.insertWorkflowRun(t, workflowRunFixture{

+		RunIndex:      13,

+		WorkflowFile:  ".shithub/workflows/ci.yml",

+		WorkflowName:  "CI",

+		HeadRef:       "trunk",

+		Event:         actionsdb.WorkflowRunEventPush,

+		Status:        actionsdb.WorkflowRunStatusQueued,

+		ActorUserID:   f.owner.ID,

+		CreatedOffset: -5 * time.Minute,

+	}, now)

+	jobID := f.insertWorkflowJob(t, workflowJobFixture{

+		RunID:    runID,

+		JobIndex: 0,

+		JobKey:   "build",

+		JobName:  "Build",

+		RunsOn:   "ubuntu-latest",

+		Status:   actionsdb.WorkflowJobStatusQueued,

+	})

+	stepID := f.insertWorkflowStep(t, workflowStepFixture{

+		JobID:      jobID,

+		StepIndex:  0,

+		RunCommand: "go test ./...",

+	})

+

+	resp := httptest.NewRecorder()

+	req := httptest.NewRequest(http.MethodPost, "/alice/public-repo/actions/runs/13/cancel", nil)

+	f.actionsMux(viewerFor(f.owner)).ServeHTTP(resp, req)

+	if resp.Code != http.StatusSeeOther {

+		t.Fatalf("status=%d body=%s", resp.Code, resp.Body.String())

+	}

+	if loc := resp.Header().Get("Location"); loc != "/alice/public-repo/actions/runs/13" {

+		t.Fatalf("Location=%q", loc)

+	}

+	job, err := actionsdb.New().GetWorkflowJobByID(context.Background(), f.pool, jobID)

+	if err != nil {

+		t.Fatalf("GetWorkflowJobByID: %v", err)

+	}

+	if job.Status != actionsdb.WorkflowJobStatusCancelled || !job.CancelRequested {

+		t.Fatalf("job: %+v", job)

+	}

+	step, err := actionsdb.New().GetWorkflowStepByID(context.Background(), f.pool, stepID)

+	if err != nil {

+		t.Fatalf("GetWorkflowStepByID: %v", err)

+	}

+	if step.Status != actionsdb.WorkflowStepStatusCancelled {

+		t.Fatalf("step: %+v", step)

+	}

+	run, err := actionsdb.New().GetWorkflowRunByID(context.Background(), f.pool, runID)

+	if err != nil {

+		t.Fatalf("GetWorkflowRunByID: %v", err)

+	}

+	if run.Status != actionsdb.WorkflowRunStatusCompleted ||

+		!run.Conclusion.Valid || run.Conclusion.CheckConclusion != actionsdb.CheckConclusionCancelled {

+		t.Fatalf("run: %+v", run)

+	}

+}

+

+	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/cancel", f.handlers.repoActionRunCancel)

+	mux.Post("/{owner}/{repo}/actions/runs/{runIndex}/jobs/{jobIndex}/cancel", f.handlers.repoActionJobCancel)

+// /{owner}/{repo}/actions/. Caller wraps with RequireUser.

+	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/cancel", h.repoActionRunCancel)

+	r.Post("/{owner}/{repo}/actions/runs/{runIndex}/jobs/{jobIndex}/cancel", h.repoActionJobCancel)

+		"repo/action_run.html":         {Data: []byte(`{{ define "page" }}RUN={{ .Run.Title }}:#{{ .Run.RunIndex }}:{{ .Run.Event }}:{{ .Run.ActorUsername }}:{{ .Run.StateClass }};{{ if .Run.CanCancel }}CANCEL_RUN={{ .Run.CancelHref }};{{ end }}SUMMARY={{ .Run.JobCount }}:{{ .Run.CompletedCount }}:{{ .Run.FailureCount }}:{{ .Run.ArtifactCount }};{{ range .Run.Jobs }}JOB={{ .Name }}:{{ .StateClass }}:{{ .NeedsText }}:{{ .RunsOn }};{{ if .CanCancel }}CANCEL_JOB={{ .CancelHref }};{{ end }}{{ if .CancelRequested }}CANCEL_REQUESTED={{ .Name }};{{ end }}{{ range .Steps }}STEP={{ .Name }}:{{ .StateClass }}:{{ .LogHref }};{{ end }}{{ end }}{{ end }}`)},

+.shithub-actions-inline-form {

+  margin: 0;

+}

+.shithub-actions-job-actions {

+  display: flex;

+  justify-content: flex-end;

+  padding: 0 1rem 0.75rem;

+}

+.shithub-actions-cancel-requested {

+  display: inline-flex;

+  align-items: center;

+  gap: 0.35rem;

+  color: var(--fg-muted);

+  font-size: 0.82rem;

+}

+      {{ if .Run.CanCancel }}

+        <form method="POST" action="{{ .Run.CancelHref }}" class="shithub-actions-inline-form">

+          <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+          <button type="submit" class="shithub-button shithub-button-danger">{{ octicon "stop" }} Cancel workflow</button>

+        </form>

+      {{ end }}

+            {{ if or .CanCancel .CancelRequested }}

+              <div class="shithub-actions-job-actions">

+                {{ if .CanCancel }}

+                  <form method="POST" action="{{ .CancelHref }}" class="shithub-actions-inline-form">

+                    <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">

+                    <button type="submit" class="shithub-button shithub-button-danger">{{ octicon "stop" }} Cancel job</button>

+                  </form>

+                {{ else if .CancelRequested }}

+                  <span class="shithub-actions-cancel-requested">{{ octicon "stopwatch" }} Cancel requested</span>

+                {{ end }}

+              </div>

+            {{ end }}