map sigbuild-r2.12-python3.9 2.12-python3.9
        map sigbuild-r2.12-python3.10 2.12-python3.10
        map sigbuild-r2.12-python3.11 2.12-python3.11
        # TF 2.12 + Clang (containers are the same, but env vars in configs.bzl are different)
        map sigbuild-r2.12-clang 2.12-python3.9
        map sigbuild-r2.12-clang-python3.8 2.12-python3.8
        map sigbuild-r2.12-clang-python3.9 2.12-python3.9

# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
  branch_protection_rule:

        env:
          DEX_LDAP_SERVER: "openldap:389"
          DEX_ISSUER: "http://127.0.0.1:5557/dex"
          DEX_WEB_HTTP: "0.0.0.0:5557"

    strategy:
      # When ldap, etcd or openid vars are empty below, those external servers
      # are turned off - i.e. if ldap="", then ldap server is not enabled for
      # the tests.
      matrix:
        go-version: [1.21.x]
        ldap: ["", "localhost:389"]

  # On PR branches, we cancel the job if new commits are pushed
  group: ${{ (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/release' ) && format('contributor-pr-base-{0}', github.sha) || format('contributor-pr-{0}', github.ref) }}
  cancel-in-progress: true


env:
  # Set the DEVELOCITY_ACCESS_KEY so that Gradle Build Scans are generated
  DEVELOCITY_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_ACCESS_KEY }}

# If you want to make a change in this file, edit the original one and run "make gen".

# The stable profile deploys admission control to ensure that only stable resources and fields are used
# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
experimental:

    imagePullSecrets: []

    # Used to locate istiod.
    istioNamespace: istio-system

    externalIstiod: false
    remotePilotAddress: ""

    # Platform where Istio is deployed. Possible values are: "openshift", "gcp".
    # An empty value means it is a vanilla Kubernetes distribution, therefore no special
    # treatment will be considered.
    platform: ""

{{- $gateway := index .Values "gateways" "istio-egressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
     Any settings from values.gateways should be here - these are options specific to the gateway.
     Global settings, like the image, various env vars and volumes, etc will be injected.
     The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}

{{- $gateway := index .Values "gateways" "istio-ingressgateway" }}
{{- if ne $gateway.injectionTemplate "" }}
{{/* This provides a minimal gateway, ready to be injected.
     Any settings from values.gateways should be here - these are options specific to the gateway.
     Global settings, like the image, various env vars and volumes, etc will be injected.
     The normal Deployment is not suitable for this, as the original pod spec will override the injection template. */}}

# If you want to make a change in this file, edit the original one and run "make gen".

# The stable profile deploys admission control to ensure that only stable resources and fields are used
# THIS IS CURRENTLY EXPERIMENTAL AND SUBJECT TO CHANGE
experimental:

install ## users: ## Username, password and policy to be assigned to the user ## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics] ## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management ## NOTE: this will fail if LDAP is enabled in your MinIO deployment ## make sure to disable this if you are using LDAP. - accessKey: console secretKey: console123 policy: consoleAdmin # Or you can refer...