accessible_namespaces:
  - '**'
  ingress_enabled: false
login_token:
  signing_key: CHANGEME00000000
external_services:
  # Kiali will not start up without tracing service. We don't want to require it.
  tracing:

        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const script = require('./.github/workflows/trusted_partners.js');
            const username = context.payload.pull_request.user.login;
            const domain = await script.get_email_domain({github, username});
            switch(domain) {

		ACB_SMARTCARD_REQUIRED     = 0x00001000, /* 1 = Smart Card required */
		ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
		ACB_NOT_DELEGATED          = 0x00004000, /* 1 = Not delegated */
		ACB_USE_DES_KEY_ONLY       = 0x00008000, /* 1 = Use DES key only */
		ACB_DONT_REQUIRE_PREAUTH   = 0x00010000  /* 1 = Preauth not required */
	} SamrAcctFlags;

	[op(0x01)]

# Disable sign-off checking for members of the Gradle GitHub organization
require:

		ACB_SMARTCARD_REQUIRED     = 0x00001000, /* 1 = Smart Card required */
		ACB_TRUSTED_FOR_DELEGATION = 0x00002000, /* 1 = Trusted for Delegation */
		ACB_NOT_DELEGATED          = 0x00004000, /* 1 = Not delegated */
		ACB_USE_DES_KEY_ONLY       = 0x00008000, /* 1 = Use DES key only */
		ACB_DONT_REQUIRE_PREAUTH   = 0x00010000  /* 1 = Preauth not required */
	} SamrAcctFlags;

	[op(0x01)]

        uses: actions/github-script@d556feaca394842dc55e4734bf3bb9f685482fa0 # v6.3.3
        with:
          github-token: ${{secrets.GITHUB_TOKEN}}
          script: |
            const script = require('./.github/workflows/create_issue.js')

      # Note the pod will be crashlooping, so this may take a few minutes to become fully functional based on when the retry occurs.
      # This requires no RBAC privilege, but does require `securityContext.privileged/CAP_SYS_ADMIN`.
      repairPods: true

      initContainerName: "istio-validation"

      brokenPodLabelKey: "cni.istio.io/uninitialized"
      brokenPodLabelValue: "true"

# limitations under the License.
# ==============================================================================

name: OSV-Scanner Scheduled Scan

on:
  schedule:
    - cron: 0 4 * * 1

permissions:
  # Require writing security events to upload SARIF file to security tab
  security-events: write
  # Only need to read contents
  contents: read

jobs:
  scan-scheduled:
    if: github.repository == 'tensorflow/tensorflow'

            # capabilities we actually require
            capabilities:
              drop:
              - ALL
              add:
              # CAP_NET_ADMIN is required to allow ipset and route table access
              - NET_ADMIN
              # CAP_NET_RAW is required to allow iptables mutation of the `nat` table
              - NET_RAW
              # CAP_SYS_ADMIN is required for both ambient and repair, in order to open

Settings controlling the load balancer algorithms. oneOf: - not: anyOf: - required: - simple - required: - consistentHash - required: - simple - required: - consistentHash properties: consistentHash: allOf: - oneOf: - not: anyOf: - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterNa - required: - httpHeaderName - required: - httpCookie - required: - useSourceIp - required: - httpQueryParameterNa - oneOf: - not: anyOf: - required: - ringHash...