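import { Role } from "aws-cdk-lib/aws-iam";
import type { Construct } from "constructs";
import type { IGithubActionOidcFilter } from "./filters/IGithubActionOidcFilter";
// RoleProps is referenced only in a type position (an interface `extends` clause),
// so it is imported type-only like the other type imports in this file.
import type { RoleProps } from "./generated/IamRoleProps";
import { type IGithubActionsIdentityProvider } from "./IGithubActionsIdentityProvider";

/**
 * The GitHub-Actions-specific part of the role configuration: which OIDC
 * provider the role trusts and which token subjects may assume it.
 */
export interface GithubActionsRoleConfiguration {
  /**
   * Reference to the GitHub Actions OpenID Connect provider configured in AWS IAM.
   *
   * Either pass a construct defined by `new GithubActionsOidcProvider`
   * or a reference retrieved from `GithubActionsOidcProvider.fromAccount`.
   * There can be only one (per AWS account).
   */
  readonly provider: IGithubActionsIdentityProvider;

  /**
   * Subject filters to apply to the GitHub Actions OIDC token.
   *
   * These filters restrict which repo/branch/tag/etc. can assume the role. This construct
   * exposes many common filters, but you can also pass a custom filter if you need to.
   *
   * For a basic starting point, you can allow all branches to access the role via:
   *
   * ```ts
   * const subjectFilters = [
   *   new BranchFilter({ owner: "my-org", repository: "my-repo", branch: "*" }),
   * ];
   * ```
   *
   * `branch: "*"` is the broadest branch filter: a workflow running on any branch
   * of the repository, including a branch pushed by anyone with write access, can
   * then assume the role. For roles that deploy or hold sensitive permissions,
   * name the specific branches (or tags) that are meant to use the role, and keep
   * the role's permissions limited to what those workflows need.
   *
   * NOTE(review): what an empty array produces is not visible from this
   * declaration. Confirm it cannot result in a trust policy with no subject
   * condition, which would leave the role assumable from any repository.
   */
  readonly subjectFilters: IGithubActionOidcFilter[];
}

/**
 * Properties for {@link GithubActionsRole}: the GitHub Actions configuration
 * combined with the generated IAM `RoleProps`.
 */
export interface GithubActionsRoleProps
  extends GithubActionsRoleConfiguration,
    RoleProps {}

/**
 * A role that can be assumed by GitHub Actions via OIDC.
 *
 * Who can assume the role is determined by `props.subjectFilters`; review
 * them with the same care as any other IAM trust policy.
 *
 * Learn more at https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect
 */
export declare class GithubActionsRole extends Role {
  /**
   * @param scope - Construct scope the role is defined in.
   * @param id - Construct id of the role within `scope`.
   * @param props - OIDC provider, subject filters and IAM role properties.
   */
  constructor(scope: Construct, id: string, props: GithubActionsRoleProps);
}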