Fuzz (Weekly deep) #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Fuzz (Weekly deep) | |
| permissions: | |
| contents: read | |
| on: | |
| schedule: | |
| - cron: "0 6 * * 1" # Mondays 06:00 UTC | |
| workflow_dispatch: | |
| jobs: | |
| weekly_setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| targets: ${{ steps.discover.outputs.targets }} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Discover fuzz targets | |
| id: discover | |
| run: | | |
| shopt -s nullglob | |
| arr=() | |
| for f in fuzz/fuzz_targets/*.rs; do | |
| arr+=("$(basename "$f" .rs)") | |
| done | |
| if [ ${#arr[@]} -eq 0 ]; then | |
| echo '::warning::No fuzz targets found; defaulting to config and idmap' | |
| arr=("config" "idmap") | |
| fi | |
| json=$(printf '%s\n' "${arr[@]}" | jq -R -s -c 'split("\n")[:-1]') | |
| echo "targets=$json" >> "$GITHUB_OUTPUT" | |
| weekly_run: | |
| needs: weekly_setup | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| target: ${{ fromJSON(needs.weekly_setup.outputs.targets) }} | |
| env: | |
| ASAN_OPTIONS: detect_leaks=0 | |
| RUST_BACKTRACE: 1 | |
| MAX_TIME: 1800 # 30 minutes | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - uses: dtolnay/rust-toolchain@55d80eb3c5a4228eec5390a083c092095115c6f1 # nightly | |
| with: { components: llvm-tools-preview } | |
| - name: Install deps | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y clang lld llvm libpam0g-dev libudev-dev libssl-dev pkg-config tpm-udev libtss2-dev libcap-dev libdhash-dev libkrb5-dev libpcre2-dev libclang-dev autoconf gettext libdbus-1-dev libunistring-dev | |
| - name: Restore cargo cache | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: | | |
| ~/.cargo/registry | |
| ~/.cargo/git | |
| target | |
| key: cargo-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }} | |
| - name: Restore weekly corpora | |
| uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 | |
| with: | |
| path: | | |
| fuzz/corpus | |
| fuzz/artifacts | |
| key: fuzz-weekly-corpus-${{ runner.os }}-${{ github.sha }} | |
| restore-keys: | | |
| fuzz-weekly-corpus-${{ runner.os }}- | |
| fuzz-pr-corpus-${{ runner.os }}- | |
| - name: Install cargo-fuzz | |
| run: cargo install cargo-fuzz --locked | |
| - name: Run ${{ matrix.target }} (ASan deep) | |
| run: | | |
| set -euxo pipefail | |
| mkdir -p "fuzz/corpus/${{ matrix.target }}" "fuzz/artifacts/${{ matrix.target }}" | |
| cargo fuzz run ${{ matrix.target }} --sanitizer address -- -max_total_time=$MAX_TIME -print_final_stats=1 | |
| - name: Upload crash artifacts (if any) | |
| if: failure() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: fuzz-crashes-${{ matrix.target }} | |
| path: fuzz/artifacts/${{ matrix.target }} | |
| if-no-files-found: ignore | |
| - name: Upload updated corpus (delta) | |
| if: always() | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: fuzz-weekly-corpus-${{ matrix.target }} | |
| path: fuzz/corpus/${{ matrix.target }} | |
| if-no-files-found: ignore |