name: OSV-Scanner Scheduled Scan

on:
  schedule:
    - cron: 0 4 * * 1

permissions:
  # Require writing security events to upload SARIF file to security tab
  security-events: write
  # Only need to read contents
  contents: read

jobs:
  scan-scheduled:
    if: github.repository == 'tensorflow/tensorflow'

    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the results to code-scanning dashboard.
      security-events: write
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          persist-credentials: false

## Scope

This Code of Conduct applies to all content on tensorflow.org, TensorFlow’s GitHub organization, or any other official TensorFlow web presence allowing for community interactions, as well as at all official TensorFlow events, whether offline or online.

permissions:
  contents: read

jobs:
  build:
    # Don't do this in forks, and if labeled, only for 'kokoro:force-run'
    if: github.repository == 'tensorflow/tensorflow' && (github.event.action != 'labeled' || (github.event.action == 'labeled' && github.event.label.name == 'kokoro:force-run'))
    runs-on: [self-hosted, linux, ARM64]
    strategy:
      matrix:
        pyver: ['3.10']
    steps:

    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
      pull-requests: read
    if: |
      github.repository == 'tensorflow/tensorflow' &&
      startsWith(github.event.head_commit.message, 'Rollback of PR #')
    steps:
      - name: Checkout repo
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      - name: Create a new Github Issue

      - name: Checkout repository for nightly (skipped for releases)
        if: ${{ github.event_name == 'schedule' }}
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: 'nightly'
      - name: Checkout repository for releases (skipped for nightly)
        if: ${{ github.event_name == 'push' }}
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Checkout repository for nightly (skipped for releases)
        if: ${{ github.event_name == 'schedule' }}
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          ref: 'nightly'
      - name: Checkout repository
        if: ${{ github.event_name == 'push' }}
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

jobs:
  cherrypick:
    name: Cherrypick to ${{ github.event.inputs.release_branch}} - ${{ github.event.inputs.git_commit }}
    runs-on: ubuntu-latest
    if: github.repository == 'tensorflow/tensorflow' # Don't do this in forks
    steps:
    - name: Checkout code
      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
      with:
        ref: ${{ github.event.inputs.release_branch }}

    *   Fix regression in deterministic selection of deterministic cuDNN
        convolution algorithms, a regression that was introduced in v2.5. Note
        that nondeterministic out-of-memory events while selecting algorithms
        could still lead to nondeterminism, although this is very unlikely. This
        additional, unlikely source will be eliminated in a later version.

        if: contains(github.event.pull_request.labels.*.name, 'build and push to gcr.io for staging')
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          message: |
            I pushed these containers:
            
            - `gcr.io/tensorflow-sigs/build:${{ github.event.number }}-python3.12`
            - `gcr.io/tensorflow-sigs/build:${{ github.event.number }}-python3.11`