bstring/.github/workflows/fuzz.yml at main · msteinert/bstring · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: ClusterFuzzLite
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
    types:
      - opened
      - synchronize
      - reopened
  schedule:
    - cron: '0 3 * * 0'  # Weekly on Sunday at 03:00 UTC
  workflow_dispatch:

permissions:
  actions: read
  contents: read

jobs:
  # Run for a short window on every PR / push to catch regressions introduced
  # by the change under review.
  PR:
    name: Fuzzing (code-change)
    if: github.event_name == 'pull_request' || github.event_name == 'push'
    runs-on: ubuntu-latest
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-pr
      cancel-in-progress: true
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build fuzz targets
        uses: google/clusterfuzzlite/actions/build_fuzzers@d2c7d068aab9081cbbc57825ad0d5d6ca6674f95
        with:
          language: c
          sanitizer: address
      - name: Run fuzz targets
        uses: google/clusterfuzzlite/actions/run_fuzzers@d2c7d068aab9081cbbc57825ad0d5d6ca6674f95
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 60
          mode: code-change
          sanitizer: address
          output-sarif: true
      - name: Upload SARIF results
        if: always() && hashFiles('sarif-results/address.sarif') != ''
        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
        with:
          sarif_file: sarif-results/address.sarif

  # Run longer on a schedule to build up a persistent corpus and surface
  # crashes that require deeper exploration.
  batch:
    name: Fuzzing (batch)
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build fuzz targets
        uses: google/clusterfuzzlite/actions/build_fuzzers@d2c7d068aab9081cbbc57825ad0d5d6ca6674f95
        with:
          language: c
          sanitizer: address
      - name: Run fuzz targets
        uses: google/clusterfuzzlite/actions/run_fuzzers@d2c7d068aab9081cbbc57825ad0d5d6ca6674f95
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 3600
          mode: batch
          sanitizer: address