mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 23:21:22 +03:00
e7a966915d
Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token it should be enough to grant the "read contents" permission to most of our actions.

The "read metadata" permission is set implicitly somewhere and can't be set via the "permissions" setting:
```
The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata'
```
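---
# vi: ts=2 sw=2 et:
# SPDX-License-Identifier: LGPL-2.1-or-later
# See: https://google.github.io/oss-fuzz/getting-started/continuous-integration/
#
# CIFuzz workflow: builds the OSS-Fuzz targets of the 'systemd' project with
# three sanitizers and fuzzes each build for a bounded time, on pull requests
# that touch build/source/fuzzing paths and on pushes to main.

name: CIFuzz

# Workflow-wide default for the automatic GITHUB_TOKEN: read-only access to
# repository contents and nothing else. The only job below declares no
# `permissions` of its own, so this is what every step (including the
# third-party actions) receives.
permissions:
  contents: read

on:
  # Runs for pull requests that change any of the listed paths. With the plain
  # `pull_request` event, runs triggered from forks get a read-only token and
  # no repository secrets, which is the appropriate trigger for a job that
  # builds and executes contributed code.
  pull_request:
    paths:
      - '**/meson.build'
      # Any workflow change re-runs the fuzzers, including changes to this file.
      - '.github/workflows/**'
      - 'meson_options.txt'
      - 'src/**'
      - 'test/fuzz/**'
      - 'tools/oss-fuzz.sh'
  push:
    branches:
      - main
jobs:
  Fuzzing:
    runs-on: ubuntu-latest
    # Only run in the canonical repository; forks and mirrors skip the job.
    if: github.repository == 'systemd/systemd'
    # One live run per workflow + sanitizer + ref: a newer run for the same
    # ref cancels the one still in progress.
    concurrency:
      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
      cancel-in-progress: true
    strategy:
      # Let the remaining sanitizer jobs finish even if one of them fails.
      fail-fast: false
      matrix:
        sanitizer: [address, undefined, memory]
    steps:
      - name: Build Fuzzers (${{ matrix.sanitizer }})
        # The id is referenced by the `Upload Crash` condition further down.
        id: build
        # NOTE(review): `@master` is a mutable branch ref, so whatever is on
        # that branch at run time executes in this job, whereas the
        # upload-artifact step below is pinned to a full commit SHA. The
        # OSS-Fuzz documentation itself uses `@master`, so this is a trade-off
        # between tracking upstream fixes and reviewing what runs; pinning to
        # `@<FULL_COMMIT_SHA>` and bumping it deliberately would make the two
        # CIFuzz steps consistent with the third. The read-only token above
        # limits what an unexpected upstream change could do with the token.
        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
        with:
          oss-fuzz-project-name: 'systemd'
          # false: problems found by CIFuzz are reported as a failed step.
          dry-run: false
          # Presumably: tolerate no fuzz targets that fail to build - confirm
          # against the CIFuzz action's inputs.
          allowed-broken-targets-percentage: 0
          sanitizer: ${{ matrix.sanitizer }}
      - name: Run Fuzzers (${{ matrix.sanitizer }})
        # NOTE(review): same mutable `@master` ref as the build step above.
        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
        with:
          oss-fuzz-project-name: 'systemd'
          # Fuzzing time budget in seconds (10 minutes) for this sanitizer.
          fuzz-seconds: 600
          dry-run: false
          sanitizer: ${{ matrix.sanitizer }}
      - name: Upload Crash
        # Pinned to a full commit SHA, so the code that runs cannot change
        # without an edit to this file.
        uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
        # Only when an earlier step failed although the build itself
        # succeeded, i.e. the failure came from the fuzzing run rather than
        # from a broken build.
        if: failure() && steps.build.outcome == 'success'
        with:
          name: ${{ matrix.sanitizer }}-artifacts
          # Contents are whatever CIFuzz left in ./out/artifacts. Workflow
          # artifacts are downloadable by anyone who can view the run, so
          # treat uploaded crash inputs as public from the moment they land.
          path: ./out/artifacts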