Job level token permissions for github actions (#6830)

* Run CUDA and  ARM CI for every PR change
* Remove old release artifacts regularly in a separate workflow for cleaning old releases

.github/workflows/documentation.yml

@@ -1,7 +1,5 @@
 name: Documentation
-permissions:
-  contents: write
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -21,8 +19,9 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  headless-docs:
-    # Build headless and docs
+  headless-docs:   # Build headless and docs
+    permissions:
+      contents: write  # Artifact upload and release upload
     runs-on: ubuntu-latest  # Warn about build issues in new versions
     env:
       OPEN3D_ML_ROOT: ${{ github.workspace }}/Open3D-ML
@@ -78,52 +77,25 @@ jobs:
           ccache -s
           source util/ci_utils.sh
           build_docs "$DEVELOPER_BUILD"
+          # PWD: Open3D/docs
           ccache -s
+          tar_file="open3d-${GITHUB_SHA}-docs.tar.gz"
+          rm -rf "${GITHUB_WORKSPACE}/${tar_file}"
+          # Docs in docs/_out/html
+          tar -C _out -cvzf "${GITHUB_WORKSPACE}/${tar_file}" html
 
       - name: Upload docs
         uses: actions/upload-artifact@v4
         with:
-          name: open3d_docs
-          path: docs/_out/html
+          name: open3d-${{ github.sha }}-docs.tar.gz
+          path: open3d-${{ github.sha }}-docs.tar.gz
           if-no-files-found: error
+          compression-level: 0 # no compression
 
-      - name: Deploy docs if all artifacts available
+      - name: Update devel release
         if: ${{ github.ref == 'refs/heads/main' }}
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          tar_file="open3d-${GITHUB_SHA}-docs.tar.gz"
-          rm -rf ${tar_file}
-          # Docs in docs/_out/html
-          tar -C docs/_out -cvzf ${tar_file} html
-
-          echo "Waiting for other release assets..."
-          this_sha=$(echo ${GITHUB_SHA} | cut -c 1-6)
-          n_this_sha_assets=$(gh release view main-devel --json assets --jq ".assets | map(select(.name | contains(\"${this_sha}\"))) | length")
-          # Total assets from each main branch commmit:
-          # Python wheels (4x4) + Viewer (3) + C++ libs (4+2+2) = 27,
-          while ((n_this_sha_assets < 27)); do
-              sleep 60
-              echo -n "."
-              n_this_sha_assets=$(gh release view main-devel --json assets --jq ".assets | map(select(.name | contains(\"${this_sha}\"))) | length")
-          done
-          gh release upload main-devel ${tar_file} --clobber
-          gh release view main-devel
-
-          echo "\nAll assets ready. Removing release assets except from last 3 commits: ${last_shas[@]}"
-          release_assets=($(gh release view main-devel --json assets --jq '.assets[] | .name'))
-          last_shas=($(git log --pretty=format:%h --abbrev-commit -n 3))
-          for relass in "${release_assets[@]}"; do
-              found=false
-              for last_sha in "${last_shas[@]}"; do
-                  if [[ $relass == *${last_sha}* ]]; then
-                      found=true
-                  fi
-              done
-              if [ $found == false ]; then
-                  set -x
-                  gh release delete-asset main-devel $relass
-                  set +x
-              fi
-          done
+          gh release upload main-devel open3d-${{ github.sha }}-docs.tar.gz --clobber
           gh release view main-devel

.github/workflows/macos.yml

@@ -1,7 +1,5 @@
 name: MacOS
-permissions:
-  contents: write
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -28,6 +26,8 @@ env:
 
 jobs:
   MacOS:
+    permissions:
+      contents: write  # upload
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -139,6 +139,8 @@ jobs:
           if-no-files-found: error
 
   fuse-viewer:
+    permissions:
+      contents: write  # Release upload
     name: Fuse x64 and ARM64 viewer app
     runs-on: [macos-12]
     needs: [MacOS]
@@ -182,6 +184,8 @@ jobs:
 
   build-wheel:
     name: Build wheel
+    permissions:
+      contents: write  # upload
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -289,6 +293,8 @@ jobs:
 
   fuse-wheel:
     name: Fuse universal2 wheel
+    permissions:
+      contents: write  # Release upload
     runs-on: [macos-12]
     needs: [build-wheel]
     strategy:
@@ -354,6 +360,8 @@ jobs:
 
   test-wheel:
     name: Test wheel
+    permissions:
+      contents: read
     runs-on: ${{ matrix.os }}
     needs: [build-wheel]
     strategy:

.github/workflows/style.yml

@@ -1,7 +1,5 @@
 name: Style Check
-permissions:
-  contents: read
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -17,6 +15,8 @@ concurrency:
 
 jobs:
   style-check:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source code

.github/workflows/ubuntu-cuda.yml

@@ -1,7 +1,5 @@
 name: Ubuntu CUDA
-permissions:
-  contents: write
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -14,8 +12,7 @@ on:
     branches:
       - main
   pull_request:
-    # Reduce CI frequency for paid CI.
-    types: [review_requested]
+    types: [opened, reopened, synchronize]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -30,6 +27,8 @@ jobs:
   skip-check:
     runs-on: ubuntu-latest
     name: Skip job for forks
+    permissions:
+      contents: read
     outputs:
       skip: ${{ steps.check.outputs.skip }}
     steps:
@@ -46,6 +45,8 @@ jobs:
 
   build-and-run-docker:
     name: Build and run
+    permissions:
+      contents: write   # upload
     runs-on: ubuntu-latest
     needs: [skip-check]
     if: needs.skip-check.outputs.skip == 'no'

.github/workflows/ubuntu-openblas.yml

@@ -1,16 +1,13 @@
 name: Ubuntu OpenBLAS
-permissions:
-  contents: read
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
   push:
     branches:
       - main
   pull_request:
-    # Reduce CI frequency for paid CI.
-    types: [review_requested]
+    types: [opened, reopened, synchronize]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -22,6 +19,8 @@ env:
 
 jobs:
   openblas-amd64:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -57,6 +56,8 @@ jobs:
           fi
 
   openblas-arm64:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: [skip-arm64-check-on-fork]
     if: needs.skip-arm64-check-on-fork.outputs.skip == 'no'

.github/workflows/ubuntu-sycl.yml

@@ -1,7 +1,5 @@
 name: Ubuntu SYCL
-permissions:
-  contents: read
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -21,6 +19,8 @@ env:
 
 jobs:
   ubuntu-sycl:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/ubuntu-wheel.yml

@@ -1,7 +1,5 @@
 name: Ubuntu Wheel
-permissions:
-  contents: write
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -28,6 +26,8 @@ env:
 
 jobs:
   build-wheel:
+    permissions:
+      contents: write  # Release upload
     name: Build wheel
     runs-on: ubuntu-latest
     strategy:
@@ -115,6 +115,8 @@ jobs:
 
   test-wheel-cpu:
     name: Test wheel CPU
+    permissions:
+      contents: read
     runs-on: ubuntu-20.04
     needs: [build-wheel]
     strategy:

.github/workflows/ubuntu.yml

@@ -1,7 +1,5 @@
 name: Ubuntu
-permissions:
-  contents: write
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -25,6 +23,8 @@ env:
 
 jobs:
   ubuntu:
+    permissions:
+      contents: write  # Release upload
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/update-release.yml

@@ -0,0 +1,38 @@
+name: Clean release
+permissions: {}
+on:
+  workflow_run:  # Triggered when long running macos workflow ends
+    workflows: [macos]
+    types: [completed]
+    # branches: [main]
+
+jobs:
+ clean-release:
+    permissions:
+      contents: write  # Release upload
+    env:
+      GH_TOKEN: ${{ github.token }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Clean old release assets
+        run: |
+          # Total assets from each main branch commmit:
+          # Python wheels (4x4) + Viewer (3) + C++ libs (4+2+2) = 27,
+          release_assets=($(gh release view main-devel --json assets --jq '.assets[] | .name'))
+          last_shas=($(git log --pretty=format:%h --abbrev-commit -n 3))
+          echo "Removing release assets except from last 3 commits: ${last_shas[@]}"
+          for relass in "${release_assets[@]}"; do
+              found=false
+              for last_sha in "${last_shas[@]}"; do
+                  if [[ $relass == *${last_sha}* ]]; then
+                      found=true
+                  fi
+              done
+              if [ $found == false ]; then
+                  set -x
+                  gh release delete-asset main-devel $relass
+                  set +x
+              fi
+          done
+          gh release view main-devel

.github/workflows/vtk_packages.yml

@@ -1,6 +1,5 @@
 name: VTK Packages
-permissions:
-  contents: write
+permissions: {}
 
 on:
   # Allows you to run this workflow manually from the Actions tab
@@ -9,6 +8,8 @@ on:
 jobs:
 
   Linux:
+    permissions:
+      contents: write
     # TODO: Convert to docker
     runs-on: ubuntu-18.04
     steps:
@@ -34,6 +35,8 @@ jobs:
           if-no-files-found: error
 
   Windows:
+    permissions:
+      contents: write
     runs-on: windows-2019
     env:
       SRC_DIR: "D:\\a\\open3d\\open3d"
@@ -84,6 +87,8 @@ jobs:
           if-no-files-found: error
 
   MacOS:
+    permissions:
+      contents: write
     runs-on: macos-12
     strategy:
       fail-fast: false

.github/workflows/webrtc.yml

@@ -1,7 +1,5 @@
 name: WebRTC
-permissions:
-  contents: write
-  actions: write
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -26,6 +24,8 @@ env:
 jobs:
 
   Unix:
+    permissions:
+      contents: write  # upload
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -73,6 +73,8 @@ jobs:
           if-no-files-found: error
 
   Windows:
+    permissions:
+      contents: write  # upload
     # https://chromium.googlesource.com/chromium/src/+/HEAD/docs/windows_build_instructions.md
     runs-on: windows-2019
     env: