1. Send an email to the SIG Architecture [mailing
   list](https://groups.google.com/forum/#!forum/kubernetes-sig-architecture)
   and the mailing list of the SIG which would own the repo requesting approval
   for creating the staging repository.

2. Once approval has been granted, create the new staging repository.

3. Update
   [`import-restrictions.yaml`](/staging/publishing/import-restrictions.yaml)

type CertificateSigningRequestCondition struct {
	// type of the condition. Known conditions are "Approved", "Denied", and "Failed".
	//
	// An "Approved" condition is added via the /approval subresource,
	// indicating the request was approved and should be issued by the signer.
	//
	// A "Denied" condition is added via the /approval subresource,
	// indicating the request was denied and should not be issued by the signer.
	//

	actions := client.Actions()
	if len(actions) != 1 {
		t.Errorf("expected 1 actions")
	}
	if a := actions[0]; !a.Matches("update", "certificatesigningrequests") ||
		a.GetSubresource() != "approval" {
		t.Errorf("unexpected action: %#v", a)
	}

		if !found {
			_, pkg, found = strings.Cut(fullPkg, "/vendor/")
			if !found {
				continue
			}
		}
		if !isAllowed(pkg) {
			t.Errorf(`
		Package %q should not be vendored into this repo.
		After getting approval from the Go team, add it to allowedPackagePrefixes
		in %s.`,
				pkg, thisFile)
		}
	}
}

func isAllowed(pkg string) bool {
	for _, pre := range allowedPackagePrefixes {

After approval, your plugin will be available on the Gradle Plugin Portal for others to discover and use.

[[consume]]
== Consume the published plugin

Once you successfully publish a plugin, it won't immediately appear on the Portal.

	// Updating /status should not modify spec
	newCSR.Spec = oldCSR.Spec

	// Specifically preserve existing Approved/Denied conditions.
	// Adding/removing Approved/Denied conditions will cause these to fail,
	// and the change in Approved/Denied conditions will produce a validation error
	preserveConditionInstances(newCSR, oldCSR, certificates.CertificateApproved)

	"type":               "type of the condition. Known conditions are \"Approved\", \"Denied\", and \"Failed\".\n\nAn \"Approved\" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer.\n\nA \"Denied\" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer.\n\nA \"Failed\" condition is added via the /status...

      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
{{- range .Values.global.certSigners }}
    - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens

		if err != nil {
			return nil, err
		}
		storage[resource] = csrStorage
		storage[resource+"/status"] = csrStatusStorage
		storage[resource+"/approval"] = csrApprovalStorage
	}

	return storage, nil
}

		return fmt.Errorf("%s requires an authorizer", PluginName)
	}
	return nil
}

var _ admission.ValidationInterface = &Plugin{}
var _ genericadmissioninit.WantsAuthorizer = &Plugin{}

// NewPlugin creates a new CSR approval admission plugin
func NewPlugin() *Plugin {
	return &Plugin{
		Handler: admission.NewHandler(admission.Update),
	}
}

var csrGroupResource = api.Resource("certificatesigningrequests")