DOWNLOADS="$(mktemp -d)"
mkdir -p "$DOWNLOADS"
gsutil -m rsync -r "$TFCI_ARTIFACT_STAGING_GCS_URI" "$DOWNLOADS"
ls "$DOWNLOADS"

# Upload all build artifacts to e.g. gs://tensorflow/versions/2.16.0-rc1 (releases) or
# gs://tensorflow/nightly/2.16.0-dev20240105 (nightly), overwriting previous values.
if [[ "$TFCI_ARTIFACT_FINAL_GCS_ENABLE" == 1 ]]; then

# limitations under the License.
# ==============================================================================
# Release jobs are very basic. They don't use any caching or RBE,
# but they do upload logs to resultstore.
# IMPORTANT: trailing slash is required on GCS URIs, as it tells gcloud to
# pretend the path is a directory.
TFCI_ARTIFACT_FINAL_GCS_ENABLE=1

# Disable ALL uploads of any kind.
TFCI_ARTIFACT_FINAL_GCS_ENABLE=
TFCI_ARTIFACT_FINAL_GCS_SA_PATH=
TFCI_ARTIFACT_FINAL_GCS_URI=
TFCI_ARTIFACT_FINAL_PYPI_ARGS=
TFCI_ARTIFACT_FINAL_PYPI_ENABLE=
TFCI_ARTIFACT_LATEST_GCS_URI=
TFCI_ARTIFACT_STAGING_GCS_ENABLE=
TFCI_ARTIFACT_STAGING_GCS_URI=

# limitations under the License.
# ==============================================================================
# IMPORTANT: trailing slash is required on GCS URIs, as it tells gcloud to
# pretend the path is a directory.
# 1. Upload nightlies
TFCI_ARTIFACT_FINAL_GCS_ENABLE=1
TFCI_ARTIFACT_FINAL_GCS_SA_PATH="${KOKORO_KEYSTORE_DIR}/73361_tensorflow_release_binary_uploader_service_account"
TFCI_ARTIFACT_FINAL_GCS_URI="gs://tensorflow/nightly/"

          publish_results: true

      # Upload the results as artifacts (optional).
      - name: "Upload artifact"
        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"

      - name: Upload pip wheel to PyPI
        if: github.event_name == 'schedule' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v2')) # only if it is a scheduled nightly or tagged
        shell: bash

# ==============================================================================

name: OSV-Scanner Scheduled Scan

on:
  schedule:
    - cron: 0 4 * * 1

permissions:
  # Require writing security events to upload SARIF file to security tab
  security-events: write
  # Only need to read contents
  contents: read

jobs:
  scan-scheduled:
    if: github.repository == 'tensorflow/tensorflow'

build:sigbuild_local_cache --disk_cache=/tf/cache
# Use the public-access TF DevInfra cache (read only)
build:sigbuild_remote_cache --remote_cache="https://storage.googleapis.com/tensorflow-devinfra-bazel-cache/manylinux2014" --remote_upload_local_results=false
# Change the value of CACHEBUSTER when upgrading the toolchain, or when testing
# different compilation methods. E.g. for a PR to test a new CUDA version, set
# the CACHEBUSTER to the PR number.

#       ./any.sh
#       ...
set -euxo pipefail
cd "$(dirname "$0")/../../"  # tensorflow/
# Any request that includes "nightly_upload" should just use the
# local multi-cache (public read-only cache + disk cache) instead.
export TFCI="$(echo $TFCI | sed 's/,nightly_upload/,public_cache,disk_cache/')"
if [[ -n "${TF_ANY_EXTRA_ENV:-}" ]]; then
  export TFCI="$TFCI,$TF_ANY_EXTRA_ENV"
fi
if [[ -n "${TF_ANY_SCRIPT:-}" ]]; then

# See the License for the specific language governing permissions and
# limitations under the License.
# ==============================================================================

name: Upload SIG Build docker containers modified for release branches

on:
  workflow_dispatch:
  push:
    paths:
      - '.github/workflows/sigbuild-docker-branch.yml'
      - 'tensorflow/tools/tf_sig_build_dockerfiles/**'