name: Sus Fuzzing

on:
  # pull_request_target can be dangerous but necessary here to access secrets.
  # I'm pretty comfortable using it because:
  # - We limit all permissions (including GITHUB_TOKEN) to read-only
  # - We limit runs to labelled PRs only which prevents random exploitation
  # - We don't expose secrets in environment variables which makes exploitation much more difficult
  # - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
  pull_request_target:
    types: [labeled, synchronize]
  push:
    paths:
      - "**.zig"
    branches:
      - master
  schedule:
    - cron: "0 0 * * *"
  workflow_dispatch:
    inputs:
      fuzzing_duration:
        type: string
        description: How long should fuzzing last? (sleep time argument)
        default: 15m

permissions: read-all

jobs:
  fuzz:
    if: github.repository_owner == 'zigtools' && (github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz'))
    runs-on: ubuntu-latest

    steps:
      - name: Set Swap Space
        uses: pierotofy/set-swap-space@master
        with:
          swap-size-gb: 10

      - name: Default fuzzing duration
        if: github.event_name != 'pull_request_target'
        run: |
          echo "FUZZING_DURATION=${{ github.event.inputs.fuzzing_duration }}" >> $GITHUB_ENV

      - name: PR fuzzing duration
        if: github.event_name == 'pull_request_target'
        run: |
          echo "FUZZING_DURATION=15m" >> $GITHUB_ENV

      - name: Grab zig
        uses: goto-bus-stop/setup-zig@v1
        with:
          version: master

      - run: zig version
      - run: zig env

      - name: Checkout zig
        uses: actions/checkout@v3
        with:
          path: zig
          repository: "ziglang/zig"
          fetch-depth: 0

      - name: Checkout zls (non-PR)
        if: github.event_name != 'pull_request_target'
        uses: actions/checkout@v3
        with:
          path: zls
          fetch-depth: 0
          submodules: true

      - name: Checkout zls (PR)
        if: github.event_name == 'pull_request_target'
        uses: actions/checkout@v3
        with:
          path: zls
          fetch-depth: 0
          submodules: true
          ref: "refs/pull/${{ github.event.number }}/merge"

      - name: Build zls
        run: |
          cd $GITHUB_WORKSPACE/zls
          pwd
          zig build

      - name: Checkout sus
        uses: actions/checkout@v3
        with:
          path: sus
          repository: "zigtools/sus"
          fetch-depth: 0
          submodules: recursive

      - name: Build sus
        run: |
          cd $GITHUB_WORKSPACE/sus
          pwd
          zig build -Doptimize=ReleaseFast

      - name: Run sus
        continue-on-error: true
        run: |
          cd $GITHUB_WORKSPACE/sus
          FUZZING_DURATION=${{ env.FUZZING_DURATION }}
          { sleep ${FUZZING_DURATION:-1h}; pkill -9 sus; } &
          ./zig-out/bin/sus $GITHUB_WORKSPACE/zls/zig-out/bin/zls markov $GITHUB_WORKSPACE/zig/lib/std

      - name: Upload saved logs
        uses: actions/upload-artifact@v3
        with:
          name: saved-logs
          path: sus/saved_logs/

      - uses: BetaHuhn/do-spaces-action@v2
        with:
          access_key: ${{ secrets.DO_SPACES_ACCESS_KEY }}
          secret_key: ${{ secrets.DO_SPACES_SECRET_KEY }}
          space_name: fuzzing-output
          space_region: nyc3
          source: sus/saved_logs/
          out_dir: ${{ github.event.pull_request.head.repo.full_name || github.repository }}/${{ github.head_ref || github.ref_name }}/${{ github.event.pull_request.head.sha || github.sha }}