name: Sus Fuzzing on: # pull_request_target can be dangerous but necessary here to access secrets. # I'm pretty comfortable using it because: # - We limit all permissions (including GITHUB_TOKEN) to read-only # - We limit runs to labelled PRs only which prevents random exploitation # - We don't expose secrets in environment variables which makes exploitation much more difficult # - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space) pull_request_target: types: [labeled, synchronize] push: paths: - "**.zig" branches: - master schedule: - cron: "0 0 * * *" workflow_dispatch: inputs: fuzzing_duration: type: string description: How long should fuzzing last? (sleep time argument) default: 15m permissions: read-all jobs: fuzz: if: github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz') runs-on: ubuntu-latest steps: - name: Set Swap Space uses: pierotofy/set-swap-space@master with: swap-size-gb: 10 - name: Default fuzzing duration if: github.event_name != 'pull_request_target' run: | echo "FUZZING_DURATION=${{ github.event.inputs.fuzzing_duration }}" >> $GITHUB_ENV - name: PR fuzzing duration if: github.event_name == 'pull_request_target' run: | echo "FUZZING_DURATION=15m" >> $GITHUB_ENV - name: Grab zig uses: goto-bus-stop/setup-zig@v1 with: version: master - run: zig version - run: zig env - name: Checkout zig uses: actions/checkout@v3 with: path: zig repository: "ziglang/zig" fetch-depth: 0 - name: Checkout zls uses: actions/checkout@v3 with: path: zls fetch-depth: 0 submodules: true - name: Build zls run: | cd $GITHUB_WORKSPACE/zls pwd zig build - name: Checkout sus uses: actions/checkout@v3 with: path: sus repository: "zigtools/sus" fetch-depth: 0 submodules: recursive - name: Build sus run: | cd $GITHUB_WORKSPACE/sus pwd zig build -Drelease-fast - name: Run sus continue-on-error: true run: | cd $GITHUB_WORKSPACE/sus FUZZING_DURATION=${{ env.FUZZING_DURATION }} { sleep ${FUZZING_DURATION:-1h}; pkill -9 sus; } & ./zig-out/bin/sus $GITHUB_WORKSPACE/zls/zig-out/bin/zls markov $GITHUB_WORKSPACE/zig/lib/std - name: Upload saved logs uses: actions/upload-artifact@v3 with: name: saved-logs path: sus/saved_logs/ - uses: BetaHuhn/do-spaces-action@v2 with: access_key: ${{ secrets.DO_SPACES_ACCESS_KEY }} secret_key: ${{ secrets.DO_SPACES_SECRET_KEY }} space_name: fuzzing-output space_region: nyc3 source: sus/saved_logs/ out_dir: ${{ github.repository_owner }}/${{ github.event.repository.name }}/${{ github.head_ref || github.ref_name }}/${{ github.sha }}