From 525c4e6567f3a885f930571c3cc83233e35573aa Mon Sep 17 00:00:00 2001
From: Sameer Sheorey <41028320+ssheorey@users.noreply.github.com>
Date: Tue, 4 Jun 2024 08:02:33 -0700
Subject: [PATCH] Add security policy, GITHUB_TOKEN access restrictions. (#6814)
* Add security policy
* contents:write for artifact upload, github releases
* Add actions:write for concurrency cancellation
---
 .github/workflows/clean-gcloud-profiles.yml | 7 ++-----
 .github/workflows/documentation.yml | 3 +++
 .github/workflows/macos.yml | 3 +++
 .github/workflows/style.yml | 3 +++
 .github/workflows/ubuntu-cuda.yml | 3 +++
 .github/workflows/ubuntu-openblas.yml | 3 +++
 .github/workflows/ubuntu-sycl.yml | 3 +++
 .github/workflows/ubuntu-wheel.yml | 5 ++++-
 .github/workflows/ubuntu.yml | 3 +++
 .github/workflows/vtk_packages.yml | 4 ++--
 .github/workflows/webrtc.yml | 3 +++
 .github/workflows/windows.yml | 3 +++
 SECURITY.md | 5 +++++
 13 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 SECURITY.md
diff --git a/.github/workflows/clean-gcloud-profiles.yml b/.github/workflows/clean-gcloud-profiles.yml
index 0aec813a48f..2521b1de160 100644
--- a/.github/workflows/clean-gcloud-profiles.yml
+++ b/.github/workflows/clean-gcloud-profiles.yml
@@ -16,14 +16,11 @@
 # happens, run this workflow manually to clean up the login profiles.
 name: Clean GCloud Profiles
+permissions:
+ contents: read
 on:
 workflow_dispatch:
- # push:
- # branches:
- # - main
- # pull_request:
- # types: [opened, reopened, synchronize]
 env:
 GCE_GPU_CI_SA: ${{ secrets.GCE_GPU_CI_SA }}
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 00580af33d9..83527c68b56 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -1,4 +1,7 @@
 name: Documentation
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index f0234f975ee..362cc2327f0 100644
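Review bot: The new top-level `permissions:` block in documentation.yml grants `contents: write` and `actions: write` to every job in the workflow, including build and test jobs that never publish anything; the same workflow-wide grant appears in macos.yml, ubuntu-cuda.yml, ubuntu-wheel.yml, ubuntu.yml, vtk_packages.yml, webrtc.yml and windows.yml. Least privilege here is a workflow-level `permissions:` of `contents: read` plus a job-level `permissions:` carrying `contents: write` only on the job that performs the release upload (the "Update devel release" step in ubuntu-wheel.yml, which reads `GH_TOKEN: ${{ github.token }}`, is the visible consumer). Note also that artifact upload through actions/upload-artifact does not go through GITHUB_TOKEN, so the "artifact upload" part of the commit message does not by itself justify `contents: write`; only the GitHub Releases call does. Similarly, the built-in `concurrency:` / `cancel-in-progress: true` mechanism needs no token scope at all, and `actions: write` is required only when a step cancels runs through the REST API, so unless that is how cancellation is done (the jobs are outside these hunks) it can be dropped here and in style.yml, ubuntu-openblas.yml and ubuntu-sycl.yml, where it is the only write scope granted.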
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -1,4 +1,7 @@
 name: MacOS
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index e0de61516be..3c27504fdd9 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -1,4 +1,7 @@
 name: Style Check
+permissions:
+ contents: read
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/ubuntu-cuda.yml b/.github/workflows/ubuntu-cuda.yml
index 1ff1d20c75b..9cf3cd3e749 100644
--- a/.github/workflows/ubuntu-cuda.yml
+++ b/.github/workflows/ubuntu-cuda.yml
@@ -1,4 +1,7 @@
 name: Ubuntu CUDA
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/ubuntu-openblas.yml b/.github/workflows/ubuntu-openblas.yml
index 9bbb423f457..acfe20e4ddf 100644
--- a/.github/workflows/ubuntu-openblas.yml
+++ b/.github/workflows/ubuntu-openblas.yml
@@ -1,4 +1,7 @@
 name: Ubuntu OpenBLAS
+permissions:
+ contents: read
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/ubuntu-sycl.yml b/.github/workflows/ubuntu-sycl.yml
index 4f4c9f6d9c1..984d0fe9485 100644
--- a/.github/workflows/ubuntu-sycl.yml
+++ b/.github/workflows/ubuntu-sycl.yml
@@ -1,4 +1,7 @@
 name: Ubuntu SYCL
+permissions:
+ contents: read
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/ubuntu-wheel.yml b/.github/workflows/ubuntu-wheel.yml
index 2ff88c74b6a..733c52218ee 100644
--- a/.github/workflows/ubuntu-wheel.yml
+++ b/.github/workflows/ubuntu-wheel.yml
@@ -1,4 +1,7 @@
 name: Ubuntu Wheel
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
@@ -102,7 +105,7 @@ jobs:
 run: |
 gsutil cp ${GITHUB_WORKSPACE}/${{ env.CCACHE_TAR_NAME }}.tar.gz gs://open3d-ci-cache/
 - name: Update devel release
- # if: ${{ github.ref == 'refs/heads/main' }}
+ if: ${{ github.ref == 'refs/heads/main' }}
 env:
 GH_TOKEN: ${{ github.token }}
 run: |
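Review bot: The re-enabled `if: ${{ github.ref == 'refs/heads/main' }}` on the "Update devel release" step in ubuntu-wheel.yml is now the only guard between the workflow-wide `contents: write` and a token-authenticated release mutation, and nothing in the hunk records that this guard is load-bearing. A comment above the `if:` would stop a later edit from relaxing or re-commenting it, e.g. `# Mutates the devel release with GITHUB_TOKEN (needs contents: write); keep this gated to main.` The step's `run: |` body continues outside the hunk, so whether anything else in it needs the write scope cannot be judged here.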
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index ba2765c82c7..08ef6721fea 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,4 +1,7 @@
 name: Ubuntu
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/vtk_packages.yml b/.github/workflows/vtk_packages.yml
index acd20c5260b..a134daeb71a 100644
--- a/.github/workflows/vtk_packages.yml
+++ b/.github/workflows/vtk_packages.yml
@@ -1,8 +1,8 @@
 name: VTK Packages
+permissions:
+ contents: write
 on:
- # pull_request:
- # branches: [ main ]
 # Allows you to run this workflow manually from the Actions tab
 workflow_dispatch:
diff --git a/.github/workflows/webrtc.yml b/.github/workflows/webrtc.yml
index 90c45e053e7..91a9a5b122d 100644
--- a/.github/workflows/webrtc.yml
+++ b/.github/workflows/webrtc.yml
@@ -1,4 +1,7 @@
 name: WebRTC
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 141f1917a30..c3c1d1e8395 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -1,4 +1,7 @@
 name: Windows
+permissions:
+ contents: write
+ actions: write
 on:
 workflow_dispatch:
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000000..38d9c833993
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+Intel is committed to rapidly addressing security vulnerabilities affecting our customers and providing clear guidance on the solution, impact, severity and mitigation.
+
+## Reporting a Vulnerability
+Please report any security vulnerabilities in this project utilizing the guidelines [here](https://www.intel.com/content/www/us/en/security-center/vulnerability-handling-guidelines.html).
\ No newline at end of file