# policy, and support documentation.

name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained

# ============================================================================

name: Scorecards supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:
  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained

## CSRF Risk { #csrf-risk }

This default behavior provides protection against a class of **Cross-Site Request Forgery (CSRF)** attacks in a very specific scenario.

These attacks exploit the fact that browsers allow scripts to send requests without doing any CORS preflight check when they:

        run: echo "$GITHUB_CONTEXT"

  # https://github.com/marketplace/actions/alls-green#why
  test-redistribute-alls-green:  # This job does nothing and is only used for the branch protection
    if: always()
    needs:
      - test-redistribute
    runs-on: ubuntu-latest
    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1

  script.setAttribute("data-project-name", "FastAPI");
  script.setAttribute("data-project-color", "#009485");
  script.setAttribute("data-project-logo", "https://fastapi.tiangolo.com/img/favicon.png");
  script.setAttribute("data-bot-protection-mechanism", "hcaptcha");
  script.setAttribute("data-button-height", "3rem");
  script.setAttribute("data-button-width", "3rem");
  script.setAttribute("data-button-border-radius", "50%");

        if: steps.precommit.outcome == 'failure'
        run: exit 1

  # https://github.com/marketplace/actions/alls-green#why
  pre-commit-alls-green:  # This job does nothing and is only used for the branch protection
    if: always()
    needs:
      - pre-commit
    runs-on: ubuntu-latest
    steps:
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}

          path: ./site/**
          include-hidden-files: true

  # https://github.com/marketplace/actions/alls-green#why
  docs-all-green:  # This job does nothing and is only used for the branch protection
    if: always()
    needs:
      - build-docs
    runs-on: ubuntu-latest
    steps:
      - name: Decide whether the needed jobs succeeded or failed
        uses: re-actors/alls-green@release/v1

          include-hidden-files: true
      - run: uv run coverage report --fail-under=100

  # https://github.com/marketplace/actions/alls-green#why
  check:  # This job does nothing and is only used for the branch protection
    if: always()
    needs:
      - coverage-combine
      - benchmark
    runs-on: ubuntu-latest
    steps:
      - name: Dump GitHub context
        env:

    }

    /**
     * We attempt to detect deliberate hash flooding attempts. If one is detected, we fall back to a
     * wrapper around j.u.HashSet, which has built-in flooding protection. MAX_RUN_MULTIPLIER was
     * determined experimentally to match our desired probability of false positives.
     */
    // NB: yes, this is surprisingly high, but that's what the experiments said was necessary

    } catch (BucketOverflowException e) {
      // probable hash flooding attack, fall back to j.u.HM based implementation and use its
      // implementation of hash flooding protection
      return JdkBackedImmutableMap.create(n, entryArray, throwIfDuplicateKeys);
    }
  }

  private static <K, V> ImmutableMap<K, V> fromEntryArrayCheckingBucketOverflow(