permissions:
  contents: read

jobs:
  build:
    # Don't do this in forks, and if labeled, only for 'kokoro:force-run'
    if: github.repository == 'tensorflow/tensorflow' && (github.event.action != 'labeled' || (github.event.action == 'labeled' && github.event.label.name == 'kokoro:force-run'))
    runs-on: [self-hosted, linux, ARM64]
    strategy:
      matrix:
        pyver: ['3.10']
    steps:

        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
      -
        name: Login to DockerHub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}

        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
      -
        name: Login to DockerHub
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}

      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
      -
        name: Login to GCR
        if: contains(github.event.pull_request.labels.*.name, 'build and push to gcr.io for staging')
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: gcr.io

              console.log(await script.filter({github, context, domain}));
              break;
            case "google.com":
              console.log("Googler. No action necessary");
              break;
            default:
              console.log("Skip Trusted Partner Action");

        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0

      - name: Check whether the citation metadata from CITATION.cff is valid
        uses: citation-file-format/cffconvert-github-action@4cf11baa70a673bfdf9dad0acc7ee33b3f4b6084 # v2.0.0
        with:

      - name: "Run analysis"
        uses: ossf/scorecard-action@15c10fcf1cf912bd22260bfec67569a359ab87da # v2.1.1
        with:
          results_file: results.sarif
          results_format: sarif
          # Publish the results to enable scorecard badges. For more details, see
          # https://github.com/ossf/scorecard-action#publishing-results.

    steps:
    - name: Checkout code
      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
    - name: Get file changes
      id: get_file_changes
      uses: trilom/file-changes-action@a6ca26c14274c33b15e6499323aac178af06ad4b # v1.2.4
      with:
        output: ' '
    - name: Report list of changed files
      run: |
        echo Changed files: ${{ steps.get_file_changes.outputs.files }}

  security-events: write
  # Only need to read contents
  contents: read

jobs:
  scan-scheduled:
    if: github.repository == 'tensorflow/tensorflow'
    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@v1.6.2-beta1"
    with:
      scan-args: |-
        --lockfile=requirements.txt:./requirements_lock_3_9.txt
        --lockfile=requirements.txt:./requirements_lock_3_10.txt