t.Helper()
				if len(errors) == 0 {
					t.Fatal("expected errors, got none")
				}
				if e, a := `metadata.annotations[api-approved.kubernetes.io]: Invalid value: "invalid": protected groups must have approval annotation "api-approved.kubernetes.io" with either a URL or a reason starting with "unapproved", see https://github.com/kubernetes/enhancements/pull/1111`, errors.ToAggregate().Error(); e != a {
					t.Fatal(errors)
				}
			},
		},

	// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
	// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
	KubeAPIApprovedAnnotation = "api-approved.kubernetes.io"

	// The value should be a link to a URL where the current spec was approved, so updates to the spec should also update the URL.
	// If the API is unapproved, you may set the annotation to a string starting with `"unapproved"`.  For instance, `"unapproved, temporarily squatting"` or `"unapproved, experimental-only"`.  This is discouraged.
	KubeAPIApprovedAnnotation = "api-approved.kubernetes.io"

		signerName:           signerName,
		isRequestForSignerFn: isRequestForSignerFn,
	}
	return ret, nil
}

func (s *signer) handle(ctx context.Context, csr *capi.CertificateSigningRequest) error {
	// Ignore unapproved or failed requests
	if !certificates.IsCertificateRequestApproved(csr) || certificates.HasTrueCondition(csr, capi.CertificateFailed) {
		return nil
	}

name: Label Approved

on:
  schedule:
    - cron: "0 12 * * *"
  workflow_dispatch:

jobs:
  label-approved:
    if: github.repository_owner == 'tiangolo'
    runs-on: ubuntu-latest
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJson(github) }}
      run: echo "$GITHUB_CONTEXT"
    - uses: docker://tiangolo/label-approved:0.0.4
      with:
        token: ${{ secrets.FASTAPI_LABEL_APPROVED }}

	"status":             "status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be \"False\" or \"Unknown\".",

type RequestConditionType string

// Well-known condition types for certificate requests.
const (
	// Approved indicates the request was approved and should be issued by the signer.
	CertificateApproved RequestConditionType = "Approved"
	// Denied indicates the request was denied and should not be issued by the signer.
	CertificateDenied RequestConditionType = "Denied"

		name string
		// parameters to be set on the generated CSR
		commonName string
		dnsNames   []string
		org        []string
		usages     []capi.KeyUsage
		// whether the generated CSR should be marked as approved
		approved bool
		// whether the generated CSR should be marked as failed
		failed bool
		// the signerName to be set on the generated CSR
		signerName string
		// if true, expect an error to be returned
		err bool

message CertificateSigningRequestCondition {
  // type of the condition. Known conditions are "Approved", "Denied", and "Failed".
  //
  // An "Approved" condition is added via the /approval subresource,
  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,

message CertificateSigningRequestCondition {
  // type of the condition. Known conditions are "Approved", "Denied", and "Failed".
  //
  // An "Approved" condition is added via the /approval subresource,
  // indicating the request was approved and should be issued by the signer.
  //
  // A "Denied" condition is added via the /approval subresource,