Add security policy, GITHUB_TOKEN access restrictions. (isl-org#6814)

* Add security policy * contents:write for artifact upload, github releases * Add actions:write for concurrency cancellation
rxba · Jun 4, 2024 · 525c4e6 · 525c4e6
1 parent f1f275b
commit 525c4e6
Show file tree

Hide file tree

Showing 13 changed files with 40 additions and 8 deletions.
diff --git a/.github/workflows/clean-gcloud-profiles.yml b/.github/workflows/clean-gcloud-profiles.yml
@@ -16,14 +16,11 @@
 # happens, run this workflow manually to clean up the login profiles.
 
 name: Clean GCloud Profiles
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
-  # push:
-  #   branches:
-  #     - main
-  # pull_request:
-  #   types: [opened, reopened, synchronize]
 
 env:
   GCE_GPU_CI_SA: ${{ secrets.GCE_GPU_CI_SA }}

diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -1,4 +1,7 @@
 name: Documentation
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -1,4 +1,7 @@
 name: MacOS
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
@@ -1,4 +1,7 @@
 name: Style Check
+permissions:
+  contents: read
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
@@ -1,4 +1,7 @@
 name: Ubuntu CUDA
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/ubuntu-openblas.yml b/.github/workflows/ubuntu-openblas.yml
@@ -1,4 +1,7 @@
 name: Ubuntu OpenBLAS
+permissions:
+  contents: read
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/ubuntu-sycl.yml b/.github/workflows/ubuntu-sycl.yml
@@ -1,4 +1,7 @@
 name: Ubuntu SYCL
+permissions:
+  contents: read
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
@@ -1,4 +1,7 @@
 name: Ubuntu Wheel
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:
@@ -102,7 +105,7 @@ jobs:
         run: |
           gsutil cp ${GITHUB_WORKSPACE}/${{ env.CCACHE_TAR_NAME }}.tar.gz gs://open3d-ci-cache/
       - name: Update devel release
-        # if: ${{ github.ref == 'refs/heads/main' }}
+        if: ${{ github.ref == 'refs/heads/main' }}
         env:
           GH_TOKEN: ${{ github.token }}
         run: |

diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -1,4 +1,7 @@
 name: Ubuntu
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/vtk_packages.yml b/.github/workflows/vtk_packages.yml
@@ -1,8 +1,8 @@
 name: VTK Packages
+permissions:
+  contents: write
 
 on:
-  # pull_request:
-    # branches: [ main ]
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 

diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
@@ -1,4 +1,7 @@
 name: WebRTC
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,4 +1,7 @@
 name: Windows
+permissions:
+  contents: write
+  actions: write
 
 on:
   workflow_dispatch:

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation. 
+
+## Reporting a Vulnerability
+Please report any security vulnerabilities in this project utilizing the guidelines [here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html).