job level token permissions for github actions

Run CUDA and ARM CI for every PR change Remove old release artifacts regularly [fix]
isl-org · Jun 14, 2024 · 88ad8ee · 88ad8ee
1 parent 0bdedd3
commit 88ad8ee
Show file tree

Hide file tree

Showing 11 changed files with 86 additions and 58 deletions.
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -1,7 +1,5 @@
 name: Documentation
-permissions:
- contents: write
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -22,6 +20,8 @@ concurrency:
 
 jobs:
  headless-docs:
+ permissions:
+ contents: write # Artifact upload and release upload
  # Build headless and docs
  runs-on: ubuntu-latest # Warn about build issues in new versions
  env:
@@ -79,40 +79,45 @@ jobs:
  source util/ci_utils.sh
  build_docs "$DEVELOPER_BUILD"
  ccache -s
+ tar_file="open3d-${GITHUB_SHA}-docs.tar.gz"
+ rm -rf ${tar_file}
+ # Docs in docs/_out/html
+ tar -C docs/_out -cvzf ${tar_file} html
 
  - name: Upload docs
  uses: actions/upload-artifact@v4
  with:
- name: open3d_docs
- path: docs/_out/html
+ name: open3d-${{ github.sha }}-docs.tar.gz
+ path: open3d-${{ github.sha }}-docs.tar.gz
  if-no-files-found: error
+ compression-level: 0 # no compression
 
+ update-release:
+ permissions:
+ contents: write # Release upload
+ on:
+ workflow_run:
+ workflows: [macos, windows, ubuntu, ubuntu-wheel, ubuntu-cuda]
+ types:
+ - completed
+ needs: headless-docs
+ if: ${{ github.ref == 'refs/heads/main' }}
+ env:
+ GH_TOKEN: ${{ github.token }}
+ steps:
+ - name: Download docs
+ uses: actions/download-artifact@v4
+ with:
+ name: open3d-${{ github.sha }}-docs.tar.gz
  - name: Deploy docs if all artifacts available
- if: ${{ github.ref == 'refs/heads/main' }}
- env:
- GH_TOKEN: ${{ github.token }}
  run: |
- tar_file="open3d-${GITHUB_SHA}-docs.tar.gz"
- rm -rf ${tar_file}
- # Docs in docs/_out/html
- tar -C docs/_out -cvzf ${tar_file} html
-
- echo "Waiting for other release assets..."
- this_sha=$(echo ${GITHUB_SHA} | cut -c 1-6)
- n_this_sha_assets=$(gh release view main-devel --json assets --jq ".assets | map(select(.name | contains(\"${this_sha}\"))) | length")
+ echo "Uploading docs to main-devel release..."
+ gh release upload main-devel open3d-${{ github.sha }}-docs.tar.gz --clobber
  # Total assets from each main branch commmit:
  # Python wheels (4x4) + Viewer (3) + C++ libs (4+2+2) = 27,
- while ((n_this_sha_assets < 27)); do
- sleep 60
- echo -n "."
- n_this_sha_assets=$(gh release view main-devel --json assets --jq ".assets | map(select(.name | contains(\"${this_sha}\"))) | length")
- done
- gh release upload main-devel ${tar_file} --clobber
- gh release view main-devel
-
- echo "\nAll assets ready. Removing release assets except from last 3 commits: ${last_shas[@]}"
  release_assets=($(gh release view main-devel --json assets --jq '.assets[] | .name'))
  last_shas=($(git log --pretty=format:%h --abbrev-commit -n 3))
+ echo "\nAll assets ready. Removing release assets except from last 3 commits: ${last_shas[@]}"
  for relass in "${release_assets[@]}"; do
  found=false
  for last_sha in "${last_shas[@]}"; do

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -1,7 +1,5 @@
 name: MacOS
-permissions:
- contents: write
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -28,6 +26,8 @@ env:
 
 jobs:
  MacOS:
+ permissions:
+ contents: write # upload
  runs-on: ${{ matrix.os }}
  strategy:
  fail-fast: false
@@ -139,6 +139,8 @@ jobs:
  if-no-files-found: error
 
  fuse-viewer:
+ permissions:
+ contents: write # Release upload
  name: Fuse x64 and ARM64 viewer app
  runs-on: [macos-12]
  needs: [MacOS]
@@ -182,6 +184,8 @@ jobs:
 
  build-wheel:
  name: Build wheel
+ permissions:
+ contents: write # upload
  runs-on: ${{ matrix.os }}
  strategy:
  fail-fast: false
@@ -289,6 +293,8 @@ jobs:
 
  fuse-wheel:
  name: Fuse universal2 wheel
+ permissions:
+ contents: write # Release upload
  runs-on: [macos-12]
  needs: [build-wheel]
  strategy:
@@ -354,6 +360,8 @@ jobs:
 
  test-wheel:
  name: Test wheel
+ permissions:
+ contents: read
  runs-on: ${{ matrix.os }}
  needs: [build-wheel]
  strategy:

diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
@@ -1,7 +1,5 @@
 name: Style Check
-permissions:
- contents: read
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -17,6 +15,8 @@ concurrency:
 
 jobs:
  style-check:
+ permissions:
+ contents: read
  runs-on: ubuntu-latest
  steps:
  - name: Checkout source code

diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
@@ -1,7 +1,5 @@
 name: Ubuntu CUDA
-permissions:
- contents: write
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -14,8 +12,7 @@ on:
  branches:
  - main
  pull_request:
- # Reduce CI frequency for paid CI.
- types: [review_requested]
+ types: [opened, reopened, synchronize]
 
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -30,6 +27,8 @@ jobs:
  skip-check:
  runs-on: ubuntu-latest
  name: Skip job for forks
+ permissions:
+ contents: read
  outputs:
  skip: ${{ steps.check.outputs.skip }}
  steps:
@@ -46,6 +45,8 @@ jobs:
 
  build-and-run-docker:
  name: Build and run
+ permissions:
+ contents: write # upload
  runs-on: ubuntu-latest
  needs: [skip-check]
  if: needs.skip-check.outputs.skip == 'no'

diff --git a/.github/workflows/ubuntu-openblas.yml b/.github/workflows/ubuntu-openblas.yml
@@ -1,16 +1,13 @@
 name: Ubuntu OpenBLAS
-permissions:
- contents: read
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
  push:
  branches:
  - main
  pull_request:
- # Reduce CI frequency for paid CI.
- types: [review_requested]
+ types: [opened, reopened, synchronize]
 
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -22,6 +19,8 @@ env:
 
 jobs:
  openblas-amd64:
+ permissions:
+ contents: read
  runs-on: ubuntu-latest
  strategy:
  fail-fast: false
@@ -57,6 +56,8 @@ jobs:
  fi
 
  openblas-arm64:
+ permissions:
+ contents: read
  runs-on: ubuntu-latest
  needs: [skip-arm64-check-on-fork]
  if: needs.skip-arm64-check-on-fork.outputs.skip == 'no'

diff --git a/.github/workflows/ubuntu-sycl.yml b/.github/workflows/ubuntu-sycl.yml
@@ -1,7 +1,5 @@
 name: Ubuntu SYCL
-permissions:
- contents: read
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -21,6 +19,8 @@ env:
 
 jobs:
  ubuntu-sycl:
+ permissions:
+ contents: read
  runs-on: ubuntu-latest
  strategy:
  fail-fast: false

diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
@@ -1,7 +1,5 @@
 name: Ubuntu Wheel
-permissions:
- contents: write
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -28,6 +26,8 @@ env:
 
 jobs:
  build-wheel:
+ permissions:
+ contents: write # Release upload
  name: Build wheel
  runs-on: ubuntu-latest
  strategy:
@@ -115,6 +115,8 @@ jobs:
 
  test-wheel-cpu:
  name: Test wheel CPU
+ permissions:
+ contents: read
  runs-on: ubuntu-20.04
  needs: [build-wheel]
  strategy:

diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -1,7 +1,5 @@
 name: Ubuntu
-permissions:
- contents: write
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -25,6 +23,8 @@ env:
 
 jobs:
  ubuntu:
+ permissions:
+ contents: write # Release upload
  runs-on: ubuntu-latest
  strategy:
  fail-fast: false

diff --git a/.github/workflows/vtk_packages.yml b/.github/workflows/vtk_packages.yml
@@ -1,6 +1,5 @@
 name: VTK Packages
-permissions:
- contents: write
+permissions: {}
 
 on:
  # Allows you to run this workflow manually from the Actions tab
@@ -9,6 +8,8 @@ on:
 jobs:
 
  Linux:
+ permissions:
+ contents: write
  # TODO: Convert to docker
  runs-on: ubuntu-18.04
  steps:
@@ -34,6 +35,8 @@ jobs:
  if-no-files-found: error
 
  Windows:
+ permissions:
+ contents: write
  runs-on: windows-2019
  env:
  SRC_DIR: "D:\\a\\open3d\\open3d"
@@ -84,6 +87,8 @@ jobs:
  if-no-files-found: error
 
  MacOS:
+ permissions:
+ contents: write
  runs-on: macos-12
  strategy:
  fail-fast: false

diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
@@ -1,7 +1,5 @@
 name: WebRTC
-permissions:
- contents: write
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -26,6 +24,8 @@ env:
 jobs:
 
  Unix:
+ permissions:
+ contents: write # upload
  runs-on: ${{ matrix.os }}
  strategy:
  fail-fast: false
@@ -73,6 +73,8 @@ jobs:
  if-no-files-found: error
 
  Windows:
+ permissions:
+ contents: write # upload
  # https://chromium.googlesource.com/chromium/src/+/HEAD/docs/windows_build_instructions.md
  runs-on: windows-2019
  env:

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,7 +1,5 @@
 name: Windows
-permissions:
- contents: write
- actions: write
+permissions: {}
 
 on:
  workflow_dispatch:
@@ -34,6 +32,8 @@ env:
 
 jobs:
  windows:
+ permissions:
+ contents: write # upload
  runs-on: windows-2019
  strategy:
  fail-fast: false
@@ -234,6 +234,8 @@ jobs:
 
  build-wheel:
  name: Build wheel
+ permissions:
+ contents: write # upload
  runs-on: windows-2019
  strategy:
  fail-fast: false
@@ -320,6 +322,8 @@ jobs:
 
  test-wheel:
  name: Test wheel
+ permissions:
+ contents: read
  runs-on: windows-2019
  needs: [build-wheel]
  strategy: