diff --git a/.github/workflows/clean-gcloud-profiles.yml b/.github/workflows/clean-gcloud-profiles.yml
index 9963eabf82b..2521b1de160 100644
--- a/.github/workflows/clean-gcloud-profiles.yml
+++ b/.github/workflows/clean-gcloud-profiles.yml
@@ -16,15 +16,11 @@
 # happens, run this workflow manually to clean up the login profiles.
 name: Clean GCloud Profiles
-permissions: read-all
+permissions:
+ contents: read
 on:
 workflow_dispatch:
- # push:
- # branches:
- # - main
- # pull_request:
- # types: [opened, reopened, synchronize]
 env:
 GCE_GPU_CI_SA: ${{ secrets.GCE_GPU_CI_SA }}
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index bcbffa1ac77..83527c68b56 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,5 +1,7 @@
 name: Documentation
-permissions: read-all
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
@@ -79,8 +81,6 @@ jobs:
 ccache -s
 - name: Upload docs
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: open3d_docs
@@ -88,8 +88,6 @@ jobs:
 if-no-files-found: error
 - name: Deploy docs if all artifacts available
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' }}
 env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 55a1238b363..362cc2327f0 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -1,5 +1,7 @@
 name: MacOS
-permissions: read-all
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
@@ -113,8 +115,6 @@ jobs:
 ccache -s
 - name: Upload package
- permissions:
- contents: write
 if: ${{ env.BUILD_SHARED_LIBS == 'ON' }}
 uses: actions/upload-artifact@v4
 with:
@@ -123,8 +123,6 @@ jobs:
 if-no-files-found: error
 - name: Update package devel release
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' && env.BUILD_SHARED_LIBS == 'ON' }}
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
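Review bot: In the header hunks of documentation.yml and macos.yml the new workflow-level `permissions:` block gives every job in the workflow a token with `contents: write`, although the only steps these hunks show needing it are the deploy and release steps guarded by `github.ref == 'refs/heads/main'`. That `if:` limits when the step runs, not what the token can do in the other jobs and steps, so a compromised build script or third-party action elsewhere in the workflow would hold a write token. Removing the step-level `permissions:` keys is right, since GitHub Actions accepts `permissions` only at workflow and job level, but the narrower form is to keep `contents: read` at the top and add a job-level `permissions:` with `contents: write` only under the job that contains the deploy or release step. The same applies to ubuntu-cuda.yml, ubuntu-wheel.yml and windows.yml later in this commit; the job definitions themselves are outside these hunks.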
@@ -133,8 +131,6 @@ jobs:
 gh release view main-devel
 - name: Upload Open3D viewer app
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 if: ${{ env.BUILD_SHARED_LIBS == 'OFF' }}
 with:
@@ -169,8 +165,6 @@ jobs:
 zip -rv "${APP_NAME}" Open3D.app
 - name: Upload Open3D viewer app
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: open3d-app-macosx-10_15-universal2
@@ -178,8 +172,6 @@ jobs:
 if-no-files-found: error
 - name: Update viewer devel release
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' }}
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -289,8 +281,6 @@ jobs:
 echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV
 - name: Upload wheel
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: ${{ env.PIP_PKG_NAME }}
@@ -348,8 +338,6 @@ jobs:
 echo "PIP_PKG_NAME=$NEW_WHL_NAME" >> $GITHUB_ENV
 - name: Upload merged wheels
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: ${{ env.PIP_PKG_NAME }}
@@ -357,8 +345,6 @@ jobs:
 if-no-files-found: error
 - name: Update devel release
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' }}
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index cf6b7a1ca15..3c27504fdd9 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -1,5 +1,7 @@
 name: Style Check
-permissions: read-all
+permissions:
+ contents: read
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
index a79bb1e1ba8..9cf3cd3e749 100644
--- a/.github/workflows/ubuntu-cuda.yml
+++ b/.github/workflows/ubuntu-cuda.yml
@@ -1,5 +1,7 @@
 name: Ubuntu CUDA
-permissions: read-all
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
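Review bot: `actions: write` is added to style.yml's workflow-level `permissions:` without anything in the hunk showing a step that needs it; `actions/upload-artifact` authenticates with the runner's own artifact token and does not require this scope. With `actions: write` the job token can cancel workflow runs and delete Actions caches and artifacts, so if a specific step depends on it, name that step in a comment above the line, for example `# actions: write is required by <step name>`, and otherwise drop the line. The same addition appears in documentation.yml, macos.yml, ubuntu-cuda.yml, ubuntu-openblas.yml, ubuntu-sycl.yml, ubuntu-wheel.yml, ubuntu.yml, webrtc.yml and windows.yml.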
@@ -150,8 +152,6 @@ jobs:
 fi
 - name: Upload package
- permissions:
- contents: write
 if: ${{ env.BUILD_PACKAGE == 'true' }}
 uses: actions/upload-artifact@v4
 with:
@@ -160,8 +160,6 @@ jobs:
 if-no-files-found: error
 - name: Update devel release
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' && env.BUILD_PACKAGE == 'true' }}
 env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/ubuntu-openblas.yml b/.github/workflows/ubuntu-openblas.yml
index 06a2c0cd24e..acfe20e4ddf 100644
--- a/.github/workflows/ubuntu-openblas.yml
+++ b/.github/workflows/ubuntu-openblas.yml
@@ -1,5 +1,7 @@
 name: Ubuntu OpenBLAS
-permissions: read-all
+permissions:
+ contents: read
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/ubuntu-sycl.yml b/.github/workflows/ubuntu-sycl.yml
index db8407b2bb7..984d0fe9485 100644
--- a/.github/workflows/ubuntu-sycl.yml
+++ b/.github/workflows/ubuntu-sycl.yml
@@ -1,5 +1,7 @@
 name: Ubuntu SYCL
-permissions: read-all
+permissions:
+ contents: read
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
index 408988b407a..733c52218ee 100644
--- a/.github/workflows/ubuntu-wheel.yml
+++ b/.github/workflows/ubuntu-wheel.yml
@@ -1,5 +1,7 @@
 name: Ubuntu Wheel
-permissions: read-all
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
@@ -79,8 +81,6 @@ jobs:
 echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV
 echo "PIP_CPU_PKG_NAME=$PIP_CPU_PKG_NAME" >> $GITHUB_ENV
 - name: Upload wheel to GitHub artifacts
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: ${{ env.PIP_PKG_NAME }}
@@ -105,9 +105,7 @@ jobs:
 run: |
 gsutil cp ${GITHUB_WORKSPACE}/${{ env.CCACHE_TAR_NAME }}.tar.gz gs://open3d-ci-cache/
 - name: Update devel release
- permissions:
- contents: write
- # if: ${{ github.ref == 'refs/heads/main' }}
+ if: ${{ github.ref == 'refs/heads/main' }}
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 8c14ca65fc2..7998abb1ea9 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,5 +1,7 @@
 name: Ubuntu
-permissions: read-all
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
index 863651d86cf..91a9a5b122d 100644
--- a/.github/workflows/webrtc.yml
+++ b/.github/workflows/webrtc.yml
@@ -1,5 +1,7 @@
 name: WebRTC
-permissions: read-all
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
@@ -62,8 +64,6 @@ jobs:
 build_webrtc
 - name: Upload WebRTC
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: webrtc_release_${{ matrix.os }}
@@ -170,8 +170,6 @@ jobs:
 cmake -E sha256sum webrtc_${env:WEBRTC_COMMIT_SHORT}_win.zip | Tee-Object -FilePath checksum_win.txt
 - name: Upload WebRTC
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: webrtc_release_windows
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 337698abbe3..c3c1d1e8395 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,5 +1,7 @@
 name: Windows
-permissions: read-all
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
@@ -147,8 +149,6 @@ jobs:
 $env:GITHUB_ENV -Encoding utf8 -Append
 - name: Upload Package
- permissions:
- contents: write
 if: ${{ matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }}
 uses: actions/upload-artifact@v4
 with:
@@ -157,8 +157,6 @@ jobs:
 if-no-files-found: error
 - name: Update devel release with package
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }}
 env:
 GH_TOKEN: ${{ github.token }}
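Review bot: ubuntu.yml and webrtc.yml get workflow-level `contents: write`, but none of their hunks shows a step that writes to the repository: ubuntu.yml has only the header hunk, and both webrtc.yml steps touched here are `actions/upload-artifact`, which does not need that scope. Unless a release or push step exists outside these hunks, the two workflows should use `contents: read`, as style.yml, ubuntu-openblas.yml and ubuntu-sycl.yml do in this same commit. If such a step does exist, a one-line comment above `contents: write` naming it would let the next reviewer confirm the grant is still needed.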
@@ -177,8 +175,6 @@ jobs:
 --target INSTALL
 - name: Upload Viewer
- permissions:
- contents: write
 if: ${{ matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }}
 uses: actions/upload-artifact@v4
 with:
@@ -187,8 +183,6 @@ jobs:
 if-no-files-found: error
 - name: Update devel release with viewer
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }}
 env:
 GH_TOKEN: ${{ github.token }}
@@ -310,8 +304,6 @@ jobs:
 echo "PIP_PKG_NAME=$PIP_PKG_NAME" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
 - name: Upload wheel
- permissions:
- contents: write
 uses: actions/upload-artifact@v4
 with:
 name: ${{ env.PIP_PKG_NAME }}
@@ -319,8 +311,6 @@ jobs:
 if-no-files-found: error
 - name: Update devel release with wheel
- permissions:
- contents: write
 if: ${{ github.ref == 'refs/heads/main' }}
 env:
 GH_TOKEN: ${{ github.token }}