- type: checkboxes
    attributes:
      label: Checklist
      options:
        - label: >
            I agree to follow the
            [code of conduct](https://github.com/google/.github/blob/master/CODE_OF_CONDUCT.md).
          required: true
        - label: >
            I have read and understood the [contribution
            guidelines](https://github.com/google/guava/wiki/HowToContribute#feature-requests).

# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven

name: Java CI with Maven

on:
  push:
    branches:
    - master
    - "*.x"
  pull_request:
    branches:
    - master
    - "*.x"

jobs:
  build:
    runs-on: ${{ matrix.os }}

    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest]

    steps:

  push:
    branches:
      - master
  pull_request:
    types: [opened, labeled, unlabeled, synchronize]

permissions:
  contents: read

env:
  GRADLE_OPTS: "-Dorg.gradle.jvmargs=-Xmx4g -Dorg.gradle.daemon=false -Dkotlin.incremental=false"

jobs:
  test_containers:
    permissions:
      checks: write # for actions/upload-artifact
    runs-on: ubuntu-latest

{{- define "mesh" }}
    # The trust domain corresponds to the trust root of a system.
    # Refer to https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain
    trustDomain: "cluster.local"

    # The namespace to treat as the administrative root namespace for Istio configuration.
    # When processing a leaf namespace Istio will search for declarations in that namespace first

name: Test

on:
  push:
    branches:
      - master
  pull_request:
    types:
      - opened
      - synchronize
  schedule:
    # cron every week on monday
    - cron: "0 0 * * 1"

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"
      - uses: actions/checkout@v4

# Usage: Go to
# https://github.com/tensorflow/tensorflow/actions/workflows/release-branch-cherrypick.yml
# and click "Run Workflow." Leave "Use Workflow From" set to "master", then
# input the branch name and paste the cherry-pick commit and click Run. A PR
# will be created.

name: Release Branch Cherrypick
on:
  workflow_dispatch:
    inputs:

  # To guarantee Maintained check is occasionally updated. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
  schedule:
    - cron: '45 9 * * 0'
  push:
    branches: [ "master" ]

# Declare default permissions as read only.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:

jobs:
  run:
    name: Spell Check with Typos
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Actions Repository
      uses: actions/checkout@v4

    - name: Check spelling of repo

# Configures Depdendabot to PR go security updates only

version: 2
updates:
  # Go configuration for master branch
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
      interval: "daily"
    # Limit number of open PRs to 0 so that we only get security updates
    # See https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/configuring-dependabot-security-updates

  push:
    paths:
      - '.github/workflows/sigbuild-docker.yml'
      - 'tensorflow/tools/tf_sig_build_dockerfiles/**'
      - '!tensorflow/tools/tf_sig_build_dockerfiles/README.md'
    branches:
      - master

permissions:
  contents: read

jobs:
  docker:
    if: github.repository == 'tensorflow/tensorflow' # Don't do this in forks
    runs-on: ubuntu-latest
    strategy:
      matrix: