zls/.github/workflows/fuzz.yml

115 lines
3.3 KiB
YAML
Raw Normal View History

2023-01-21 23:27:16 +00:00
name: Sus Fuzzing
on:
# pull_request_target can be dangerous but necessary here to access secrets.
# I'm pretty comfortable using it because:
# - We limit all permissions (including GITHUB_TOKEN) to read-only
# - We limit runs to labelled PRs only which prevents random exploitation
# - We don't expose secrets in environment variables which makes exploitation much more difficult
# - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
pull_request_target:
types: [labeled, synchronize]
2023-01-21 23:27:16 +00:00
push:
paths:
- "**.zig"
2023-01-21 23:27:16 +00:00
branches:
- master
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
inputs:
fuzzing_duration:
type: string
description: How long should fuzzing last? (sleep time argument)
default: 15m
permissions: read-all
2023-01-21 23:27:16 +00:00
jobs:
fuzz:
if: github.repository_owner == 'zigtools' && (github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz'))
2023-01-21 23:27:16 +00:00
runs-on: ubuntu-latest
steps:
- name: Set Swap Space
uses: pierotofy/set-swap-space@master
with:
swap-size-gb: 10
- name: Default fuzzing duration
if: github.event_name != 'pull_request_target'
run: |
2023-01-22 10:40:03 +00:00
echo "FUZZING_DURATION=${{ github.event.inputs.fuzzing_duration }}" >> $GITHUB_ENV
- name: PR fuzzing duration
if: github.event_name == 'pull_request_target'
run: |
2023-01-22 10:40:03 +00:00
echo "FUZZING_DURATION=15m" >> $GITHUB_ENV
2023-01-21 23:27:16 +00:00
- name: Grab zig
uses: goto-bus-stop/setup-zig@v1
with:
version: master
- run: zig version
- run: zig env
- name: Checkout zig
uses: actions/checkout@v3
with:
path: zig
repository: "ziglang/zig"
fetch-depth: 0
- name: Checkout zls
uses: actions/checkout@v3
with:
path: zls
fetch-depth: 0
submodules: true
- name: Build zls
run: |
cd $GITHUB_WORKSPACE/zls
pwd
zig build
- name: Checkout sus
uses: actions/checkout@v3
with:
path: sus
repository: "zigtools/sus"
fetch-depth: 0
submodules: recursive
- name: Build sus
run: |
cd $GITHUB_WORKSPACE/sus
pwd
zig build -Drelease-fast
- name: Run sus
continue-on-error: true
run: |
cd $GITHUB_WORKSPACE/sus
2023-01-22 10:40:03 +00:00
FUZZING_DURATION=${{ env.FUZZING_DURATION }}
2023-01-21 23:27:16 +00:00
{ sleep ${FUZZING_DURATION:-1h}; pkill -9 sus; } &
./zig-out/bin/sus $GITHUB_WORKSPACE/zls/zig-out/bin/zls markov $GITHUB_WORKSPACE/zig/lib/std
- name: Upload saved logs
uses: actions/upload-artifact@v3
with:
name: saved-logs
path: sus/saved_logs/
- uses: BetaHuhn/do-spaces-action@v2
with:
access_key: ${{ secrets.DO_SPACES_ACCESS_KEY }}
secret_key: ${{ secrets.DO_SPACES_SECRET_KEY }}
space_name: fuzzing-output
space_region: nyc3
source: sus/saved_logs/
out_dir: ${{ github.event.pull_request.head.repo.full_name || github.repository }}/${{ github.head_ref || github.ref_name }}/${{ github.event.pull_request.head.sha || github.sha }}
2023-01-21 23:27:16 +00:00