From 8b74846889ae66571aad27c88404af20d0c740ad Mon Sep 17 00:00:00 2001
From: Sameer Sheorey
Date: Mon, 3 Jun 2024 14:38:59 -0700
Subject: [PATCH 1/3] Add security policy, test GITHUB_TOKEN permissions.
---
 .github/workflows/clean-gcloud-profiles.yml | 1 +
 .github/workflows/documentation.yml | 1 +
 .github/workflows/macos.yml | 1 +
 .github/workflows/style.yml | 1 +
 .github/workflows/ubuntu-cuda.yml | 1 +
 .github/workflows/ubuntu-openblas.yml | 1 +
 .github/workflows/ubuntu-sycl.yml | 1 +
 .github/workflows/ubuntu-wheel.yml | 1 +
 .github/workflows/ubuntu.yml | 1 +
 .github/workflows/vtk_packages.yml | 1 +
 .github/workflows/webrtc.yml | 1 +
 .github/workflows/windows.yml | 1 +
 SECURITY.md | 5 +++++
 13 files changed, 17 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/.github/workflows/clean-gcloud-profiles.yml b/.github/workflows/clean-gcloud-profiles.yml
index 0aec813a48f..9963eabf82b 100644
--- a/.github/workflows/clean-gcloud-profiles.yml
+++ b/.github/workflows/clean-gcloud-profiles.yml
@@ -16,6 +16,7 @@ # happens, run this workflow manually to clean up the login profiles. name: Clean GCloud Profiles +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 00580af33d9..613be624f2a 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,4 +1,5 @@ name: Documentation +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index f0234f975ee..d75557cd443 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -1,4 +1,5 @@ name: MacOS +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index e0de61516be..cf6b7a1ca15 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -1,4 +1,5 @@ name: Style Check +permissions: read-all on: workflow_dispatch:
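Review bot: `permissions: read-all` added at the top of clean-gcloud-profiles.yml is still wider than the workflow needs, because it grants read on every GITHUB_TOKEN scope while a job that only checks out code needs `contents: read`. The least-privilege form is the two-line block `permissions:` / `contents: read` at workflow level, with any job that later publishes to a release getting `contents: write` on that job alone rather than widening the whole file. The same `read-all` line is added to documentation.yml, macos.yml and style.yml on this hunk line and to the ubuntu-*, vtk_packages, webrtc and windows workflows in the following hunks; this comment applies to all of them.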
diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
index 1ff1d20c75b..43e170818e7 100644
--- a/.github/workflows/ubuntu-cuda.yml
+++ b/.github/workflows/ubuntu-cuda.yml
@@ -1,4 +1,5 @@ name: Ubuntu CUDA +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/ubuntu-openblas.yml b/.github/workflows/ubuntu-openblas.yml
index 9bbb423f457..06a2c0cd24e 100644
--- a/.github/workflows/ubuntu-openblas.yml
+++ b/.github/workflows/ubuntu-openblas.yml
@@ -1,4 +1,5 @@ name: Ubuntu OpenBLAS +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/ubuntu-sycl.yml b/.github/workflows/ubuntu-sycl.yml
index 4f4c9f6d9c1..db8407b2bb7 100644
--- a/.github/workflows/ubuntu-sycl.yml
+++ b/.github/workflows/ubuntu-sycl.yml
@@ -1,4 +1,5 @@ name: Ubuntu SYCL +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
index 2ff88c74b6a..f7fa7a728c8 100644
--- a/.github/workflows/ubuntu-wheel.yml
+++ b/.github/workflows/ubuntu-wheel.yml
@@ -1,4 +1,5 @@ name: Ubuntu Wheel +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index ba2765c82c7..3d0439972a0 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,4 +1,5 @@ name: Ubuntu +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/vtk_packages.yml b/.github/workflows/vtk_packages.yml
index acd20c5260b..6bf78e5e83a 100644
--- a/.github/workflows/vtk_packages.yml
+++ b/.github/workflows/vtk_packages.yml
@@ -1,4 +1,5 @@ name: VTK Packages +permissions: read-all on: # pull_request:
diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
index 90c45e053e7..ce6508a4dbe 100644
--- a/.github/workflows/webrtc.yml
+++ b/.github/workflows/webrtc.yml
@@ -1,4 +1,5 @@ name: WebRTC +permissions: read-all on: workflow_dispatch:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 141f1917a30..251f4f70736 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,4 +1,5 @@ name: Windows +permissions: read-all on: workflow_dispatch:
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000000..38d9c833993
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation.
+
+## Reporting a Vulnerability
+Please report any security vulnerabilities in this project utilizing the guidelines [here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html).
\ No newline at end of file
From e7f6c2b5288d3cc20d6df3913f77bdc88b290a88 Mon Sep 17 00:00:00 2001
From: Sameer Sheorey
Date: Mon, 3 Jun 2024 15:01:48 -0700
Subject: [PATCH 2/3] contents:write for artifact upload, github releases
---
 .github/workflows/documentation.yml | 4 ++++
 .github/workflows/macos.yml | 16 ++++++++++++++++
 .github/workflows/ubuntu-cuda.yml | 4 ++++
 .github/workflows/ubuntu-wheel.yml | 4 ++++
 .github/workflows/ubuntu.yml | 6 ++++++
 .github/workflows/vtk_packages.yml | 6 ++++++
 .github/workflows/webrtc.yml | 4 ++++
 .github/workflows/windows.yml | 12 ++++++++++++
 8 files changed, 56 insertions(+)
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 613be624f2a..bcbffa1ac77 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -79,6 +79,8 @@ jobs: ccache -s - name: Upload docs + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: open3d_docs
@@ -86,6 +88,8 @@ jobs: if-no-files-found: error - name: Deploy docs if all artifacts available + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }}
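Review bot: the new `permissions:` block in documentation.yml sits under a step (`- name: Upload docs`), but GitHub Actions accepts the `permissions` key only at workflow level or job level, so the file will be rejected at parse time and no job will run. Move the grant to the job that owns the deploy step, i.e. under the job id: `permissions:` / `contents: write`, and leave the `actions/upload-artifact@v4` steps without it, since artifact upload does not use the `contents` scope as far as I can tell and only the `gh`-based deploy/release steps touch repository contents. The same step-level `permissions` block is added in macos.yml, ubuntu-cuda.yml, ubuntu-wheel.yml, ubuntu.yml, vtk_packages.yml, webrtc.yml and windows.yml in the later hunks of this patch; this comment applies to all of them.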
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index d75557cd443..55a1238b363 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -113,6 +113,8 @@ jobs: ccache -s - name: Upload package + permissions: + contents: write if: ${{ env.BUILD_SHARED_LIBS == 'ON' }} uses: actions/upload-artifact@v4 with:
@@ -121,6 +123,8 @@ jobs: if-no-files-found: error - name: Update package devel release + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' && env.BUILD_SHARED_LIBS == 'ON' }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -129,6 +133,8 @@ jobs: gh release view main-devel - name: Upload Open3D viewer app + permissions: + contents: write uses: actions/upload-artifact@v4 if: ${{ env.BUILD_SHARED_LIBS == 'OFF' }} with:
@@ -163,6 +169,8 @@ jobs: zip -rv "${APP_NAME}" Open3D.app - name: Upload Open3D viewer app + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: open3d-app-macosx-10_15-universal2
@@ -170,6 +178,8 @@ jobs: if-no-files-found: error - name: Update viewer devel release + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -279,6 +289,8 @@ jobs: echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV - name: Upload wheel + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -336,6 +348,8 @@ jobs: echo "PIP_PKG_NAME=$NEW_WHL_NAME" >> $GITHUB_ENV - name: Upload merged wheels + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -343,6 +357,8 @@ jobs: if-no-files-found: error - name: Update devel release + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
index 43e170818e7..a79bb1e1ba8 100644
--- a/.github/workflows/ubuntu-cuda.yml
+++ b/.github/workflows/ubuntu-cuda.yml
@@ -150,6 +150,8 @@ jobs: fi - name: Upload package + permissions: + contents: write if: ${{ env.BUILD_PACKAGE == 'true' }} uses: actions/upload-artifact@v4 with:
@@ -158,6 +160,8 @@ jobs: if-no-files-found: error - name: Update devel release + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' && env.BUILD_PACKAGE == 'true' }} env: GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
index f7fa7a728c8..408988b407a 100644
--- a/.github/workflows/ubuntu-wheel.yml
+++ b/.github/workflows/ubuntu-wheel.yml
@@ -79,6 +79,8 @@ jobs: echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV echo "PIP_CPU_PKG_NAME=$PIP_CPU_PKG_NAME" >> $GITHUB_ENV - name: Upload wheel to GitHub artifacts + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -103,6 +105,8 @@ jobs: run: | gsutil cp ${GITHUB_WORKSPACE}/${{ env.CCACHE_TAR_NAME }}.tar.gz gs://open3d-ci-cache/ - name: Update devel release + permissions: + contents: write # if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 3d0439972a0..8c14ca65fc2 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -71,6 +71,8 @@ jobs: docker/docker_test.sh cpu-shared-ml-release fi - name: Upload package to GitHub artifacts + permissions: + contents: write if: ${{ env.BUILD_SHARED_LIBS == 'ON' }} uses: actions/upload-artifact@v4 with:
@@ -78,6 +80,8 @@ jobs: path: open3d-devel-*.tar.xz if-no-files-found: error - name: Upload viewer to GitHub artifacts + permissions: + contents: write if: ${{ env.BUILD_SHARED_LIBS == 'OFF' }} uses: actions/upload-artifact@v4 with:
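Review bot: in the ubuntu-wheel.yml hunk, `contents: write` is granted to the `Update devel release` step while the `# if: ${{ github.ref == 'refs/heads/main' }}` guard directly beneath it is still commented out, so every run of this workflow, including a manual dispatch on any branch, would be allowed to rewrite the devel release with that run's wheel. Write access and the main-only condition should travel together: restore the guard, `if: ${{ github.ref == 'refs/heads/main' }}`, in the same change that grants the permission. The corresponding `Update devel release` steps in ubuntu-cuda.yml and ubuntu.yml on this hunk line do keep their guard, so ubuntu-wheel.yml is the odd one out.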
@@ -85,6 +89,8 @@ jobs: path: open3d-viewer-*-Linux.deb if-no-files-found: error - name: Update devel release + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/vtk_packages.yml b/.github/workflows/vtk_packages.yml
index 6bf78e5e83a..88e20dc1f89 100644
--- a/.github/workflows/vtk_packages.yml
+++ b/.github/workflows/vtk_packages.yml
@@ -26,6 +26,8 @@ jobs: make -j$(nproc) cmake -E sha256sum vtk*.tar.gz > checksum_linux.txt - name: Upload artifacts + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: vtk_linux
@@ -76,6 +78,8 @@ jobs: ls cmake -E sha256sum (get-item vtk*.tar.gz).Name > checksum_win_${{matrix.configuration}}.txt - name: Upload package + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: vtk_windows_${{matrix.configuration}}
@@ -103,6 +107,8 @@ jobs: make -j2 cmake -E sha256sum vtk*.tar.gz > checksum_macos.txt - name: Upload artifacts + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: vtk_macos
diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
index ce6508a4dbe..863651d86cf 100644
--- a/.github/workflows/webrtc.yml
+++ b/.github/workflows/webrtc.yml
@@ -62,6 +62,8 @@ jobs: build_webrtc - name: Upload WebRTC + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: webrtc_release_${{ matrix.os }}
@@ -168,6 +170,8 @@ jobs: cmake -E sha256sum webrtc_${env:WEBRTC_COMMIT_SHORT}_win.zip | Tee-Object -FilePath checksum_win.txt - name: Upload WebRTC + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: webrtc_release_windows
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 251f4f70736..337698abbe3 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -147,6 +147,8 @@ jobs: $env:GITHUB_ENV -Encoding utf8 -Append - name: Upload Package + permissions: + contents: write if: ${{ matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }} uses: actions/upload-artifact@v4 with:
@@ -155,6 +157,8 @@ jobs: if-no-files-found: error - name: Update devel release with package + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }} env: GH_TOKEN: ${{ github.token }}
@@ -173,6 +177,8 @@ jobs: --target INSTALL - name: Upload Viewer + permissions: + contents: write if: ${{ matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }} uses: actions/upload-artifact@v4 with:
@@ -181,6 +187,8 @@ jobs: if-no-files-found: error - name: Update devel release with viewer + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }} env: GH_TOKEN: ${{ github.token }}
@@ -302,6 +310,8 @@ jobs: echo "PIP_PKG_NAME=$PIP_PKG_NAME" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append - name: Upload wheel + permissions: + contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -309,6 +319,8 @@ jobs: if-no-files-found: error - name: Update devel release with wheel + permissions: + contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }}
From d50bfb29b6fe20b8009e2de9fa0e917bae579f5e Mon Sep 17 00:00:00 2001
From: Sameer Sheorey
Date: Mon, 3 Jun 2024 16:24:20 -0700
Subject: [PATCH 3/3] Add actions:write for concurrency cancellation
---
 .github/workflows/clean-gcloud-profiles.yml | 8 ++------
 .github/workflows/documentation.yml | 8 +++-----
 .github/workflows/macos.yml | 20 +++----------------
 .github/workflows/style.yml | 4 +++-
 .github/workflows/ubuntu-cuda.yml | 8 +++-----
 .github/workflows/ubuntu-openblas.yml | 4 +++-
 .github/workflows/ubuntu-sycl.yml | 4 +++-
 .github/workflows/ubuntu-wheel.yml | 10 ++++------
 .github/workflows/ubuntu.yml | 10 +++------
 .github/workflows/vtk_packages.yml | 11 ++--------
 .github/workflows/webrtc.yml | 8 +++-----
 .github/workflows/windows.yml | 16 +++------------
 12 files changed, 35 insertions(+), 76 deletions(-)
diff --git a/.github/workflows/clean-gcloud-profiles.yml b/.github/workflows/clean-gcloud-profiles.yml
index 9963eabf82b..2521b1de160 100644
--- a/.github/workflows/clean-gcloud-profiles.yml
+++ b/.github/workflows/clean-gcloud-profiles.yml
@@ -16,15 +16,11 @@ # happens, run this workflow manually to clean up the login profiles. name: Clean GCloud Profiles -permissions: read-all +permissions: + contents: read on: workflow_dispatch: - # push: - # branches: - # - main - # pull_request: - # types: [opened, reopened, synchronize] env: GCE_GPU_CI_SA: ${{ secrets.GCE_GPU_CI_SA }}
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index bcbffa1ac77..83527c68b56 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,5 +1,7 @@ name: Documentation -permissions: read-all +permissions: + contents: write + actions: write on: workflow_dispatch:
@@ -79,8 +81,6 @@ jobs: ccache -s - name: Upload docs - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: open3d_docs
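Review bot: the workflow-level `permissions:` block in documentation.yml now hands `contents: write` to every job and every third-party action in the file, while only the `Deploy docs` step (a `gh` call authenticated with `GH_TOKEN: ${{ github.token }}`) needs write access. Keep the top-level block at `contents: read` and put `permissions:` / `contents: write` on the single job that deploys, so a compromised build step or action in another job cannot push to the repository. `actions: write` is needed only when cancellation goes through the API (for example `gh run cancel`); the built-in `concurrency:` group with `cancel-in-progress` does not consult the token, and I cannot see from these hunks which mechanism the workflows use, so confirm that before granting it. The same top-level `contents: write` plus `actions: write` pattern is applied in macos.yml, ubuntu-cuda.yml, ubuntu-wheel.yml, ubuntu.yml, webrtc.yml and windows.yml in the following hunks; this comment applies to all of them.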
@@ -88,8 +88,6 @@ jobs: if-no-files-found: error - name: Deploy docs if all artifacts available - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 55a1238b363..362cc2327f0 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -1,5 +1,7 @@ name: MacOS -permissions: read-all +permissions: + contents: write + actions: write on: workflow_dispatch:
@@ -113,8 +115,6 @@ jobs: ccache -s - name: Upload package - permissions: - contents: write if: ${{ env.BUILD_SHARED_LIBS == 'ON' }} uses: actions/upload-artifact@v4 with:
@@ -123,8 +123,6 @@ jobs: if-no-files-found: error - name: Update package devel release - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' && env.BUILD_SHARED_LIBS == 'ON' }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -133,8 +131,6 @@ jobs: gh release view main-devel - name: Upload Open3D viewer app - permissions: - contents: write uses: actions/upload-artifact@v4 if: ${{ env.BUILD_SHARED_LIBS == 'OFF' }} with:
@@ -169,8 +165,6 @@ jobs: zip -rv "${APP_NAME}" Open3D.app - name: Upload Open3D viewer app - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: open3d-app-macosx-10_15-universal2
@@ -178,8 +172,6 @@ jobs: if-no-files-found: error - name: Update viewer devel release - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -289,8 +281,6 @@ jobs: echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV - name: Upload wheel - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -348,8 +338,6 @@ jobs: echo "PIP_PKG_NAME=$NEW_WHL_NAME" >> $GITHUB_ENV - name: Upload merged wheels - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -357,8 +345,6 @@ jobs: if-no-files-found: error - name: Update devel release - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index cf6b7a1ca15..3c27504fdd9 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -1,5 +1,7 @@ name: Style Check -permissions: read-all +permissions: + contents: read + actions: write on: workflow_dispatch:
diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
index a79bb1e1ba8..9cf3cd3e749 100644
--- a/.github/workflows/ubuntu-cuda.yml
+++ b/.github/workflows/ubuntu-cuda.yml
@@ -1,5 +1,7 @@ name: Ubuntu CUDA -permissions: read-all +permissions: + contents: write + actions: write on: workflow_dispatch:
@@ -150,8 +152,6 @@ jobs: fi - name: Upload package - permissions: - contents: write if: ${{ env.BUILD_PACKAGE == 'true' }} uses: actions/upload-artifact@v4 with:
@@ -160,8 +160,6 @@ jobs: if-no-files-found: error - name: Update devel release - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' && env.BUILD_PACKAGE == 'true' }} env: GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/ubuntu-openblas.yml b/.github/workflows/ubuntu-openblas.yml
index 06a2c0cd24e..acfe20e4ddf 100644
--- a/.github/workflows/ubuntu-openblas.yml
+++ b/.github/workflows/ubuntu-openblas.yml
@@ -1,5 +1,7 @@ name: Ubuntu OpenBLAS -permissions: read-all +permissions: + contents: read + actions: write on: workflow_dispatch:
diff --git a/.github/workflows/ubuntu-sycl.yml b/.github/workflows/ubuntu-sycl.yml
index db8407b2bb7..984d0fe9485 100644
--- a/.github/workflows/ubuntu-sycl.yml
+++ b/.github/workflows/ubuntu-sycl.yml
@@ -1,5 +1,7 @@ name: Ubuntu SYCL -permissions: read-all +permissions: + contents: read + actions: write on: workflow_dispatch:
diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
index 408988b407a..733c52218ee 100644
--- a/.github/workflows/ubuntu-wheel.yml
+++ b/.github/workflows/ubuntu-wheel.yml
@@ -1,5 +1,7 @@ name: Ubuntu Wheel -permissions: read-all +permissions: + contents: write + actions: write on: workflow_dispatch:
@@ -79,8 +81,6 @@ jobs: echo "PIP_PKG_NAME=$PIP_PKG_NAME" >> $GITHUB_ENV echo "PIP_CPU_PKG_NAME=$PIP_CPU_PKG_NAME" >> $GITHUB_ENV - name: Upload wheel to GitHub artifacts - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -105,9 +105,7 @@ jobs: run: | gsutil cp ${GITHUB_WORKSPACE}/${{ env.CCACHE_TAR_NAME }}.tar.gz gs://open3d-ci-cache/ - name: Update devel release - permissions: - contents: write - # if: ${{ github.ref == 'refs/heads/main' }} + if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }} run: |
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 8c14ca65fc2..08ef6721fea 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,5 +1,7 @@ name: Ubuntu -permissions: read-all +permissions: + contents: write + actions: write on: workflow_dispatch:
@@ -71,8 +73,6 @@ jobs: docker/docker_test.sh cpu-shared-ml-release fi - name: Upload package to GitHub artifacts - permissions: - contents: write if: ${{ env.BUILD_SHARED_LIBS == 'ON' }} uses: actions/upload-artifact@v4 with:
@@ -80,8 +80,6 @@ jobs: path: open3d-devel-*.tar.xz if-no-files-found: error - name: Upload viewer to GitHub artifacts - permissions: - contents: write if: ${{ env.BUILD_SHARED_LIBS == 'OFF' }} uses: actions/upload-artifact@v4 with:
@@ -89,8 +87,6 @@ jobs: path: open3d-viewer-*-Linux.deb if-no-files-found: error - name: Update devel release - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }}
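Review bot: re-enabling `if: ${{ github.ref == 'refs/heads/main' }}` on `Update devel release` in ubuntu-wheel.yml is a behaviour change that the subject line (actions:write for concurrency cancellation) does not mention, and it matters more now that `contents: write` is workflow-wide: without the guard any branch run of this workflow could overwrite the devel release. It is the right guard to have, and the equivalent steps in ubuntu.yml on this hunk line already carry it, but it should be called out in the commit message or split into its own commit so the reason it was disabled, and why it is safe to restore, is recorded.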
diff --git a/.github/workflows/vtk_packages.yml b/.github/workflows/vtk_packages.yml
index 88e20dc1f89..a134daeb71a 100644
--- a/.github/workflows/vtk_packages.yml
+++ b/.github/workflows/vtk_packages.yml
@@ -1,9 +1,8 @@ name: VTK Packages -permissions: read-all +permissions: + contents: write on: - # pull_request: - # branches: [ main ] # Allows you to run this workflow manually from the Actions tab workflow_dispatch:
@@ -26,8 +25,6 @@ jobs: make -j$(nproc) cmake -E sha256sum vtk*.tar.gz > checksum_linux.txt - name: Upload artifacts - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: vtk_linux
@@ -78,8 +75,6 @@ jobs: ls cmake -E sha256sum (get-item vtk*.tar.gz).Name > checksum_win_${{matrix.configuration}}.txt - name: Upload package - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: vtk_windows_${{matrix.configuration}}
@@ -107,8 +102,6 @@ jobs: make -j2 cmake -E sha256sum vtk*.tar.gz > checksum_macos.txt - name: Upload artifacts - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: vtk_macos
diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
index 863651d86cf..91a9a5b122d 100644
--- a/.github/workflows/webrtc.yml
+++ b/.github/workflows/webrtc.yml
@@ -1,5 +1,7 @@ name: WebRTC -permissions: read-all +permissions: + contents: write + actions: write on: workflow_dispatch:
@@ -62,8 +64,6 @@ jobs: build_webrtc - name: Upload WebRTC - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: webrtc_release_${{ matrix.os }}
@@ -170,8 +170,6 @@ jobs: cmake -E sha256sum webrtc_${env:WEBRTC_COMMIT_SHORT}_win.zip | Tee-Object -FilePath checksum_win.txt - name: Upload WebRTC - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: webrtc_release_windows
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 337698abbe3..c3c1d1e8395 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
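Review bot: vtk_packages.yml is given workflow-level `contents: write`, yet every step visible in this patch and in the previous one only calls `actions/upload-artifact@v4`; no `gh release` or push step appears in any of its hunks. Unless a publishing step exists outside the hunks, `contents: read` is all this workflow needs, and granting write to a job whose only outputs are build artifacts widens what a compromised build could do for no benefit. Suggested top-level block: `permissions:` / `contents: read`. The same question applies to the two `Upload WebRTC` steps in webrtc.yml on this hunk line, which also only upload artifacts.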
@@ -1,5 +1,7 @@ name: Windows -permissions: read-all +permissions: + contents: write + actions: write on: workflow_dispatch:
@@ -147,8 +149,6 @@ jobs: $env:GITHUB_ENV -Encoding utf8 -Append - name: Upload Package - permissions: - contents: write if: ${{ matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }} uses: actions/upload-artifact@v4 with:
@@ -157,8 +157,6 @@ jobs: if-no-files-found: error - name: Update devel release with package - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' }} env: GH_TOKEN: ${{ github.token }}
@@ -177,8 +175,6 @@ jobs: --target INSTALL - name: Upload Viewer - permissions: - contents: write if: ${{ matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }} uses: actions/upload-artifact@v4 with:
@@ -187,8 +183,6 @@ jobs: if-no-files-found: error - name: Update devel release with viewer - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' && matrix.BUILD_SHARED_LIBS == 'OFF' && matrix.STATIC_RUNTIME == 'ON' && matrix.BUILD_CUDA_MODULE == 'OFF' && matrix.CONFIG == 'Release' }} env: GH_TOKEN: ${{ github.token }}
@@ -310,8 +304,6 @@ jobs: echo "PIP_PKG_NAME=$PIP_PKG_NAME" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append - name: Upload wheel - permissions: - contents: write uses: actions/upload-artifact@v4 with: name: ${{ env.PIP_PKG_NAME }}
@@ -319,8 +311,6 @@ jobs: if-no-files-found: error - name: Update devel release with wheel - permissions: - contents: write if: ${{ github.ref == 'refs/heads/main' }} env: GH_TOKEN: ${{ github.token }}