"k8s.io/kubernetes/plugin/pkg/admission/admit"
	"k8s.io/kubernetes/plugin/pkg/admission/alwayspullimages"
	"k8s.io/kubernetes/plugin/pkg/admission/antiaffinity"
	certapproval "k8s.io/kubernetes/plugin/pkg/admission/certificates/approval"
	"k8s.io/kubernetes/plugin/pkg/admission/certificates/ctbattest"
	certsigning "k8s.io/kubernetes/plugin/pkg/admission/certificates/signing"

//     compression). This is an optional area; by default, there should be no <SystemRecommendations> section in the
//     system.xml. Vendors can work with Veeam Product Management and the Alliances team on getting approval to integrate
//     specific system recommendations based on current support case statistics and storage performance possibilities.

name: Label Approved

on:
  schedule:
    - cron: "0 12 * * *"
  workflow_dispatch:

jobs:
  label-approved:
    if: github.repository_owner == 'tiangolo'
    runs-on: ubuntu-latest
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJson(github) }}
      run: echo "$GITHUB_CONTEXT"
    - uses: docker://tiangolo/label-approved:0.0.4
      with:
        token: ${{ secrets.FASTAPI_LABEL_APPROVED }}

// signing requests (CSRs). Since there are mechanisms that automatically
// create CSRs, and mechanisms that automatically approve CSRs, in order to
// prevent a build up of CSRs over time, it is necessary to GC them. CSRs will
// be removed if they meet one of the following criteria: the CSR is Approved
// with a certificate and is old enough to be past the GC issued deadline, the

	defer func() {
		_ = cleanupCSR(client, csr)
	}()

	// 2. Approve the CSR
	if approveCsr {
		approvalMessage := fmt.Sprintf("CSR (%s) for the certificate (%s) is approved", csr.Name, dnsName)
		err = approveCSR(client, csr, approvalMessage)
		if err != nil {
			return nil, nil, fmt.Errorf("failed to approve CSR request: %v", err)
		}
		log.Debugf("CSR (%v) is approved", csr.Name)
	}

	// 3. Read the signed certificate

		},
	})
}

// AutoApproveNodeBootstrapTokens creates RBAC rules in a way that makes Node Bootstrap Tokens' CSR auto-approved by the csrapprover controller
func AutoApproveNodeBootstrapTokens(client clientset.Interface) error {
	fmt.Println("[bootstrap-token] Configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token")

	// Always create this kubeadm-specific binding though

			// note that this means that we will ignore CSRs that set a duration
			// but never get approved/signed.  this is fine because the point
			// of these metrics is to understand if the duration is honored
			// by the signer.  we are not checking the behavior of the approver.
			if len(issuedCert) == 0 {
				return
			}

			signer := compressSignerName(oldCSR.Spec.SignerName)

echo '[INFO] Installing go-licenses...'
go install github.com/google/go-licenses@latest

# Fetching CNCF Approved List Of Licenses
# Refer: https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
curl -s 'https://spdx.org/licenses/licenses.json' -o "${ARTIFACTS}"/licenses.json

echo '[INFO] Fetching current list of CNCF approved licenses...'

	v1 "k8s.io/api/core/v1"
)

// IsCertificateRequestApproved returns true if a certificate request has the
// "Approved" condition and no "Denied" conditions; false otherwise.
func IsCertificateRequestApproved(csr *certificates.CertificateSigningRequest) bool {
	approved, denied := GetCertApprovalCondition(&csr.Status)
	return approved && !denied
}

		expectedIsApproved bool
	}{
		{
			"Not any conditions exist",
			nil,
			false,
		}, {
			"Approved not exist and Denied exist",
			[]certificatesapi.CertificateSigningRequestCondition{
				{
					Type: certificatesapi.CertificateDenied,
				},
			},
			false,
		}, {
			"Approved exist and Denied not exist",
			[]certificatesapi.CertificateSigningRequestCondition{
				{