uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            const script = require('./.github/workflows/create_issue.js')

		ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
		ACB_NOT_DELEGATED          = 0x00004000, /* 1 = Not delegated */
		ACB_USE_DES_KEY_ONLY       = 0x00008000, /* 1 = Use DES key only */
		ACB_DONT_REQUIRE_PREAUTH   = 0x00010000  /* 1 = Preauth not required */
	} SamrAcctFlags;

	[op(0x01)]
	int SamrCloseHandle([in] policy_handle *handle);

	[op(0x39)]
	int SamrConnect2([in,string,unique] wchar_t *system_name,

  accessible_namespaces:
  - '**'
  ingress_enabled: false
login_token:
  signing_key: CHANGEME00000000
external_services:
  # Kiali will not start up without tracing service. We don't want to require it.
  tracing:

# Disable sign-off checking for members of the Gradle GitHub organization
require:

		ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
		ACB_NOT_DELEGATED          = 0x00004000, /* 1 = Not delegated */
		ACB_USE_DES_KEY_ONLY       = 0x00008000, /* 1 = Use DES key only */
		ACB_DONT_REQUIRE_PREAUTH   = 0x00010000  /* 1 = Preauth not required */
	} SamrAcctFlags;

	[op(0x01)]
	int SamrCloseHandle([in] policy_handle *handle);

	[op(0x39)]
	int SamrConnect2([in,string,unique] wchar_t *system_name,

      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
      # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
      repairPods: true

      initContainerName: "istio-validation"

      brokenPodLabelKey: "cni.istio.io/uninitialized"
      brokenPodLabelValue: "true"

        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const script = require('./.github/workflows/trusted_partners.js');
            const username = context.payload.pull_request.user.login;
            const domain = await script.get_email_domain({github, username});
            switch(domain) {

# limitations under the License.
# ==============================================================================

name: OSV-Scanner Scheduled Scan

on:
  schedule:
    - cron: 0 4 * * 1

permissions:
  # Require writing security events to upload SARIF file to security tab
  security-events: write
  # Only need to read contents
  contents: read

jobs:
  scan-scheduled:
    if: github.repository == 'tensorflow/tensorflow'

            # Both ambient and sidecar repair mode require elevated node privileges to function.
            # But we don't need _everything_ in `privileged`, so drop+readd capabilities based on feature.
            # privileged is redundant with CAP_SYS_ADMIN
            # since it's redundant, hardcode it to `true`, then manually drop ALL + readd granular
            # capabilities we actually require
            capabilities:
              drop: