Add actions:write for concurrency cancellation

isl-org · Jun 3, 2024 · 004482c · 004482c
1 parent e7f6c2b
commit 004482c
Show file tree

Hide file tree

Showing 11 changed files with 33 additions and 61 deletions.
diff --git a/.github/workflows/clean-gcloud-profiles.yml b/.github/workflows/clean-gcloud-profiles.yml
@@ -16,15 +16,11 @@
 # happens, run this workflow manually to clean up the login profiles.
 
 name: Clean GCloud Profiles
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
-  # push:
-  #   branches:
-  #     - main
-  # pull_request:
-  #   types: [opened, reopened, synchronize]
 
 env:
   GCE_GPU_CI_SA: ${{ secrets.GCE_GPU_CI_SA }}

diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -1,5 +1,7 @@
 name: Documentation
-permissions: read-all
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:
@@ -79,17 +81,13 @@ jobs:
           ccache -s
 
       - name: Upload docs
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: open3d_docs
           path: docs/_out/html
           if-no-files-found: error
 
       - name: Deploy docs if all artifacts available
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' }}
         env:
           GH_TOKEN: ${{ github.token }}

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -1,5 +1,7 @@
 name: MacOS
-permissions: read-all
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:
@@ -113,8 +115,6 @@ jobs:
           ccache -s
 
       - name: Upload package
-        permissions:
-          contents: write
         if: ${{ env.BUILD_SHARED_LIBS == 'ON' }}
         uses: actions/upload-artifact@v4
         with:
@@ -123,8 +123,6 @@ jobs:
           if-no-files-found: error
 
       - name: Update package devel release
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' && env.BUILD_SHARED_LIBS == 'ON' }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -133,8 +131,6 @@ jobs:
           gh release view main-devel
 
       - name: Upload Open3D viewer app
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         if: ${{ env.BUILD_SHARED_LIBS == 'OFF' }}
         with:
@@ -169,17 +165,13 @@ jobs:
           zip -rv "${APP_NAME}" Open3D.app
 
       - name: Upload Open3D viewer app
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: open3d-app-macosx-10_15-universal2
           path: open3d-*-app-macosx-10_15-universal2.zip
           if-no-files-found: error
 
       - name: Update viewer devel release
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -289,8 +281,6 @@ jobs:
           echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV
 
       - name: Upload wheel
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: ${{ env.PIP_PKG_NAME }}
@@ -348,17 +338,13 @@ jobs:
           echo "PIP_PKG_NAME=$NEW_WHL_NAME" >> $GITHUB_ENV
 
       - name: Upload merged wheels
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: ${{ env.PIP_PKG_NAME }}
           path: universal_wheels/${{ env.PIP_PKG_NAME }}
           if-no-files-found: error
 
       - name: Update devel release
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' }}
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
@@ -1,5 +1,7 @@
 name: Style Check
-permissions: read-all
+permissions:
+  contents: read
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
@@ -1,5 +1,7 @@
 name: Ubuntu CUDA
-permissions: read-all
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:
@@ -150,8 +152,6 @@ jobs:
           fi
 
       - name: Upload package
-        permissions:
-          contents: write
         if: ${{ env.BUILD_PACKAGE == 'true' }}
         uses: actions/upload-artifact@v4
         with:
@@ -160,8 +160,6 @@ jobs:
           if-no-files-found: error
 
       - name: Update devel release
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' && env.BUILD_PACKAGE == 'true' }}
         env:
           GH_TOKEN: ${{ github.token }}

diff --git a/.github/workflows/ubuntu-openblas.yml b/.github/workflows/ubuntu-openblas.yml
@@ -1,5 +1,7 @@
 name: Ubuntu OpenBLAS
-permissions: read-all
+permissions:
+  contents: read
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/ubuntu-sycl.yml b/.github/workflows/ubuntu-sycl.yml
@@ -1,5 +1,7 @@
 name: Ubuntu SYCL
-permissions: read-all
+permissions:
+  contents: read
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
@@ -1,5 +1,7 @@
 name: Ubuntu Wheel
-permissions: read-all
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:
@@ -79,8 +81,6 @@ jobs:
           echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV
           echo "PIP_CPU_PKG_NAME=$PIP_CPU_PKG_NAME" >> $GITHUB_ENV
       - name: Upload wheel to GitHub artifacts
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: ${{ env.PIP_PKG_NAME }}
@@ -105,9 +105,7 @@ jobs:
         run: |
           gsutil cp ${GITHUB_WORKSPACE}/${{ env.CCACHE_TAR_NAME }}.tar.gz gs://open3d-ci-cache/
       - name: Update devel release
-        permissions:
-          contents: write
-        # if: ${{ github.ref == 'refs/heads/main' }}
+        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           GH_TOKEN: ${{ github.token }}
         run: |

diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -1,5 +1,7 @@
 name: Ubuntu
-permissions: read-all
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
@@ -1,5 +1,7 @@
 name: WebRTC
-permissions: read-all
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:
@@ -62,8 +64,6 @@ jobs:
           build_webrtc
 
       - name: Upload WebRTC
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: webrtc_release_${{ matrix.os }}
@@ -170,8 +170,6 @@ jobs:
           cmake -E sha256sum webrtc_${env:WEBRTC_COMMIT_SHORT}_win.zip | Tee-Object -FilePath checksum_win.txt
 
       - name: Upload WebRTC
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: webrtc_release_windows

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,5 +1,7 @@
 name: Windows
-permissions: read-all
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:
@@ -147,8 +149,6 @@ jobs:
             $env:GITHUB_ENV -Encoding utf8 -Append
 
       - name: Upload Package
-        permissions:
-          contents: write
         if: ${{ matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }}
         uses: actions/upload-artifact@v4
         with:
@@ -157,8 +157,6 @@ jobs:
           if-no-files-found: error
 
       - name: Update devel release with package
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }}
         env:
           GH_TOKEN: ${{ github.token }}
@@ -177,8 +175,6 @@ jobs:
             --target INSTALL
 
       - name: Upload Viewer
-        permissions:
-          contents: write
         if: ${{ matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }}
         uses: actions/upload-artifact@v4
         with:
@@ -187,8 +183,6 @@ jobs:
           if-no-files-found: error
 
       - name: Update devel release with viewer
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }}
         env:
           GH_TOKEN: ${{ github.token }}
@@ -310,17 +304,13 @@ jobs:
           echo "PIP_PKG_NAME=$PIP_PKG_NAME"  | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 
       - name: Upload wheel
-        permissions:
-          contents: write
         uses: actions/upload-artifact@v4
         with:
           name: ${{ env.PIP_PKG_NAME }}
           path: ${{ env.BUILD_DIR }}/lib/python_package/pip_package/${{ env.PIP_PKG_NAME }}
           if-no-files-found: error
 
       - name: Update devel release with wheel
-        permissions:
-          contents: write
         if: ${{ github.ref == 'refs/heads/main' }}
         env:
           GH_TOKEN: ${{ github.token }}