systemd/.github/workflows/cifuzz.yml

---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/

name: CIFuzz

permissions:
  contents: read

on:
  pull_request:
    paths:
      - '**/meson.build'
      - '.github/workflows/**'
      - 'meson_options.txt'
      - 'src/**'
      - 'test/fuzz/**'
      - 'tools/oss-fuzz.sh'
  push:
    branches:
      - main
jobs:
  Fuzzing:
    # FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04.
    runs-on: ubuntu-22.04
    if: github.repository == 'systemd/systemd'
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }}
      cancel-in-progress: true
    strategy:
      fail-fast: false
      matrix:
        sanitizer: [address, undefined, memory]
        architecture: [x86_64]
        include:
          - sanitizer: address
            architecture: i386
    permissions:
      security-events: write

    steps:
      - name: Build Fuzzers
        id: build
        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
        with:
          oss-fuzz-project-name: 'systemd'
          dry-run: false
          allowed-broken-targets-percentage: 0
          # keep-unaffected-fuzz-targets should be removed once https://github.com/google/oss-fuzz/issues/7011 is fixed
          keep-unaffected-fuzz-targets: true
          sanitizer: ${{ matrix.sanitizer }}
          architecture: ${{ matrix.architecture }}
          output-sarif: true
      - name: Run Fuzzers
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
          oss-fuzz-project-name: 'systemd'
          fuzz-seconds: 600
          dry-run: false
          sanitizer: ${{ matrix.sanitizer }}
          output-sarif: true
      - name: Upload Crash
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
        if: failure() && steps.build.outcome == 'success'
        with:
          name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts
          path: ./out/artifacts
      - name: Upload Sarif
        if: always() && steps.build.outcome == 'success'
        uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13
        with:
          # Path to SARIF file relative to the root of the repository
          sarif_file: cifuzz-sarif/results.sarif
          checkout_path: cifuzz-sarif
ci: introduce CIFuzz Per-PR fuzzing provided by OSS-Fuzz using GH workflows. See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ 2020-04-24 12:00:44 +02:00			`---`
			`# vi: ts=2 sw=2 et:`
ci: use LGPLv2+ for all our ci configuration 2021-10-01 12:10:22 +02:00			`# SPDX-License-Identifier: LGPL-2.1-or-later`
ci: introduce CIFuzz Per-PR fuzzing provided by OSS-Fuzz using GH workflows. See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ 2020-04-24 12:00:44 +02:00			`# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/`

			`name: CIFuzz`
ci: tighten several GHActions a bit more with https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions 2021-11-13 14:40:20 +00:00
ci: mimic the "restricted" mode Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token it should be enough to grant the "read contents" permission to most of our actions. The "read metadata" permission is set impliciclty somewhere and can't be set via the "permissions" setting: ``` The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata' ``` 2021-11-13 22:34:04 +00:00			`permissions:`
			`contents: read`
ci: tighten several GHActions a bit more with https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#permissions 2021-11-13 14:40:20 +00:00
cifuzz: run only for relevant PRs Fuzz only PRs with relevant changes (source code and fuzzer corpora) to save resources. 2020-05-08 18:46:46 +02:00			`on:`
			`pull_request:`
			`paths:`
			`- '**/meson.build'`
			`- '.github/workflows/**'`
			`- 'meson_options.txt'`
			`- 'src/**'`
			`- 'test/fuzz/**'`
			`- 'tools/oss-fuzz.sh'`
cifuzz: fuzz the master branch on push Apart from running CIFuzz for each relevant PR, let's run it unconditionally for each push to master to detect possible issues (caused by ignored PRs, etc.). Followup to 94f660a8fe6144b9153c8acaf9e6bb9e47e14b97. 2020-05-08 20:14:19 +02:00			`push:`
			`branches:`
GH Actions: switch to main It's just a follow-up to https://github.com/systemd/systemd/issues/16834 2021-01-21 13:52:18 +00:00			`- main`
ci: introduce CIFuzz Per-PR fuzzing provided by OSS-Fuzz using GH workflows. See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/ 2020-04-24 12:00:44 +02:00			`jobs:`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`Fuzzing:`
ci: Switch to Ubuntu 24.04 2024-06-07 10:55:53 +02:00			`# FIXME: Figure out why 32-bit applications fail to run in docker on Ubuntu 24.04.`
			`runs-on: ubuntu-22.04`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`if: github.repository == 'systemd/systemd'`
ci: cancel previous jobs on ref update Let's save the environment (and reduce the number of jobs in GH Actions queues) by cancelling old jobs on a ref update (force push). See: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#concurrency 2021-11-10 16:45:12 +01:00			`concurrency:`
cifuzz: build fuzzers on i386 as well It's a follow-up to https://github.com/systemd/systemd/pull/23550. 2022-05-29 14:15:15 +00:00			`group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ matrix.architecture }}-${{ github.ref }}`
ci: cancel previous jobs on ref update Let's save the environment (and reduce the number of jobs in GH Actions queues) by cancelling old jobs on a ref update (force push). See: https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#concurrency 2021-11-10 16:45:12 +01:00			`cancel-in-progress: true`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`strategy:`
			`fail-fast: false`
			`matrix:`
			`sanitizer: [address, undefined, memory]`
cifuzz: build fuzzers on i386 as well It's a follow-up to https://github.com/systemd/systemd/pull/23550. 2022-05-29 14:15:15 +00:00			`architecture: [x86_64]`
			`include:`
			`- sanitizer: address`
			`architecture: i386`
ci: Report results from CIFuzz using SARIF Upload results from CIFuzz using SARIF. This will allow CIFuzz to report issues in the security tab. This is a better UI than having to look through logs. TODO(google/oss-fuzz#10452): Add proper descriptions of UBSAN bugs. 2023-06-05 01:37:34 -04:00			`permissions:`
			`security-events: write`

ci: fix indentation 2021-11-10 16:42:07 +01:00			`steps:`
ci: Remove custom build step names Putting build matrix details into a build step name is rather useless as the jobs themselves already contain the needed information. 2023-08-30 19:58:14 +02:00			`- name: Build Fuzzers`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`id: build`
			`uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master`
			`with:`
			`oss-fuzz-project-name: 'systemd'`
			`dry-run: false`
			`allowed-broken-targets-percentage: 0`
ci: run all fuzz targets on CIFuzz CIFuzz has been kind of broken for a couple months because coverage reports downloaded from OSS-Fuzz contain absolute paths while paths to files changed in PRs are relative and they don't match. It makes it kind of hard for CIFuzz to figure out what it should run so it runs either all fuzz targets or just new fuzz targets. Until that issue is fixed let's just always predictably run all fuzz targets. 2022-02-11 02:01:33 +00:00			`# keep-unaffected-fuzz-targets should be removed once https://github.com/google/oss-fuzz/issues/7011 is fixed`
			`keep-unaffected-fuzz-targets: true`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`sanitizer: ${{ matrix.sanitizer }}`
cifuzz: build fuzzers on i386 as well It's a follow-up to https://github.com/systemd/systemd/pull/23550. 2022-05-29 14:15:15 +00:00			`architecture: ${{ matrix.architecture }}`
ci: Report results from CIFuzz using SARIF Upload results from CIFuzz using SARIF. This will allow CIFuzz to report issues in the security tab. This is a better UI than having to look through logs. TODO(google/oss-fuzz#10452): Add proper descriptions of UBSAN bugs. 2023-06-05 01:37:34 -04:00			`output-sarif: true`
ci: Remove custom build step names Putting build matrix details into a build step name is rather useless as the jobs themselves already contain the needed information. 2023-08-30 19:58:14 +02:00			`- name: Run Fuzzers`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master`
			`with:`
			`oss-fuzz-project-name: 'systemd'`
			`fuzz-seconds: 600`
			`dry-run: false`
			`sanitizer: ${{ matrix.sanitizer }}`
ci: Report results from CIFuzz using SARIF Upload results from CIFuzz using SARIF. This will allow CIFuzz to report issues in the security tab. This is a better UI than having to look through logs. TODO(google/oss-fuzz#10452): Add proper descriptions of UBSAN bugs. 2023-06-05 01:37:34 -04:00			`output-sarif: true`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`- name: Upload Crash`
build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.0 to 4.3.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/26f96dfa697d77e81fd5907df203aa23a56210a8...5d5d22a31266ced268874388b861e4b58bb5c2f3) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> 2024-03-01 09:18:57 +00:00			`uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`if: failure() && steps.build.outcome == 'success'`
			`with:`
cifuzz: build fuzzers on i386 as well It's a follow-up to https://github.com/systemd/systemd/pull/23550. 2022-05-29 14:15:15 +00:00			`name: ${{ matrix.sanitizer }}-${{ matrix.architecture }}-artifacts`
ci: fix indentation 2021-11-10 16:42:07 +01:00			`path: ./out/artifacts`
ci: Report results from CIFuzz using SARIF Upload results from CIFuzz using SARIF. This will allow CIFuzz to report issues in the security tab. This is a better UI than having to look through logs. TODO(google/oss-fuzz#10452): Add proper descriptions of UBSAN bugs. 2023-06-05 01:37:34 -04:00			`- name: Upload Sarif`
			`if: always() && steps.build.outcome == 'success'`
build(deps): bump github/codeql-action from 3.25.15 to 3.26.10 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.10. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/afb54ba388a7dca6ecae48f608c4ff05ff4cc77a...e2b3eafc8d227b0241d48be5f425d47c2d750a13) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2024-10-01 09:17:13 +00:00			`uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13`
ci: Report results from CIFuzz using SARIF Upload results from CIFuzz using SARIF. This will allow CIFuzz to report issues in the security tab. This is a better UI than having to look through logs. TODO(google/oss-fuzz#10452): Add proper descriptions of UBSAN bugs. 2023-06-05 01:37:34 -04:00			`with:`
			`# Path to SARIF file relative to the root of the repository`
			`sarif_file: cifuzz-sarif/results.sarif`
			`checkout_path: cifuzz-sarif`