125 lines
3.6 KiB
YAML
125 lines
3.6 KiB
YAML
name: Sus Fuzzing
|
|
|
|
on:
|
|
# pull_request_target can be dangerous but necessary here to access secrets.
|
|
# I'm pretty comfortable using it because:
|
|
# - We limit all permissions (including GITHUB_TOKEN) to read-only
|
|
# - We limit runs to labelled PRs only which prevents random exploitation
|
|
# - We don't expose secrets in environment variables which makes exploitation much more difficult
|
|
# - The secrets that we reference aren't all that important anyways (they can only access our DigitalOcean Space)
|
|
pull_request_target:
|
|
types: [labeled, synchronize]
|
|
push:
|
|
paths:
|
|
- "**.zig"
|
|
branches:
|
|
- master
|
|
schedule:
|
|
- cron: "0 0 * * *"
|
|
workflow_dispatch:
|
|
inputs:
|
|
fuzzing_duration:
|
|
type: string
|
|
description: How long should fuzzing last? (sleep time argument)
|
|
default: 15m
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
fuzz:
|
|
if: github.repository_owner == 'zigtools' && (github.event_name != 'pull_request_target' || contains(github.event.pull_request.labels.*.name, 'pr:fuzz'))
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Set Swap Space
|
|
uses: pierotofy/set-swap-space@master
|
|
with:
|
|
swap-size-gb: 10
|
|
|
|
- name: Default fuzzing duration
|
|
if: github.event_name != 'pull_request_target'
|
|
run: |
|
|
echo "FUZZING_DURATION=${{ github.event.inputs.fuzzing_duration }}" >> $GITHUB_ENV
|
|
|
|
- name: PR fuzzing duration
|
|
if: github.event_name == 'pull_request_target'
|
|
run: |
|
|
echo "FUZZING_DURATION=15m" >> $GITHUB_ENV
|
|
|
|
- name: Grab zig
|
|
uses: goto-bus-stop/setup-zig@v1
|
|
with:
|
|
version: master
|
|
|
|
- run: zig version
|
|
- run: zig env
|
|
|
|
- name: Checkout zig
|
|
uses: actions/checkout@v3
|
|
with:
|
|
path: zig
|
|
repository: "ziglang/zig"
|
|
fetch-depth: 0
|
|
|
|
- name: Checkout zls (non-PR)
|
|
if: github.event_name != 'pull_request_target'
|
|
uses: actions/checkout@v3
|
|
with:
|
|
path: zls
|
|
fetch-depth: 0
|
|
submodules: true
|
|
|
|
- name: Checkout zls (PR)
|
|
if: github.event_name == 'pull_request_target'
|
|
uses: actions/checkout@v3
|
|
with:
|
|
path: zls
|
|
fetch-depth: 0
|
|
submodules: true
|
|
ref: "refs/pull/${{ github.event.number }}/merge"
|
|
|
|
- name: Build zls
|
|
run: |
|
|
cd $GITHUB_WORKSPACE/zls
|
|
pwd
|
|
zig build
|
|
|
|
- name: Checkout sus
|
|
uses: actions/checkout@v3
|
|
with:
|
|
path: sus
|
|
repository: "zigtools/sus"
|
|
fetch-depth: 0
|
|
submodules: recursive
|
|
|
|
- name: Build sus
|
|
run: |
|
|
cd $GITHUB_WORKSPACE/sus
|
|
pwd
|
|
zig build -Doptimize=ReleaseFast
|
|
|
|
- name: Run sus
|
|
continue-on-error: true
|
|
run: |
|
|
cd $GITHUB_WORKSPACE/sus
|
|
FUZZING_DURATION=${{ env.FUZZING_DURATION }}
|
|
{ sleep ${FUZZING_DURATION:-1h}; pkill -9 sus; } &
|
|
./zig-out/bin/sus $GITHUB_WORKSPACE/zls/zig-out/bin/zls markov $GITHUB_WORKSPACE/zig/lib/std
|
|
|
|
- name: Upload saved logs
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: saved-logs
|
|
path: sus/saved_logs/
|
|
|
|
- uses: BetaHuhn/do-spaces-action@v2
|
|
with:
|
|
access_key: ${{ secrets.DO_SPACES_ACCESS_KEY }}
|
|
secret_key: ${{ secrets.DO_SPACES_SECRET_KEY }}
|
|
space_name: fuzzing-output
|
|
space_region: nyc3
|
|
source: sus/saved_logs/
|
|
out_dir: ${{ github.event.pull_request.head.repo.full_name || github.repository }}/${{ github.head_ref || github.ref_name }}/${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
|
|
|