Fuzz #260
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Fuzz | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '12 3 * * 0' # At 03:12 AM UTC on Sunday. | |
env: | |
CARGO_INCREMENTAL: 0 | |
CARGO_NET_RETRY: 10 | |
RUSTUP_MAX_RETRIES: 10 | |
RUST_BACKTRACE: short | |
CARGO_REGISTRIES_CRATES_IO_PROTOCOL: sparse | |
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1 | |
jobs: | |
corpus-download: | |
name: Download corpus | |
runs-on: ubuntu-20.04 | |
env: | |
AZURE_STORAGE_KEY: ${{ secrets.CORPUS_AZURE_STORAGE_KEY }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download fuzzing corpus | |
run: cargo xtask fuzz corpus-fetch -v | |
- name: Save corpus | |
uses: actions/cache/save@v4 | |
with: | |
path: | | |
./fuzz/corpus | |
./fuzz/artifacts | |
key: fuzz-corpus-${{ github.run_id }} | |
fuzz: | |
name: Fuzzing ${{ matrix.target }} | |
runs-on: ubuntu-20.04 | |
needs: corpus-download | |
strategy: | |
fail-fast: false | |
matrix: | |
target: [ pdu_decoding, rle_decompression, bitmap_stream, cliprdr_format, channel_processing ] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download corpus | |
uses: actions/cache/restore@v4 | |
with: | |
fail-on-cache-miss: true | |
path: | | |
./fuzz/corpus | |
./fuzz/artifacts | |
key: fuzz-corpus-${{ github.run_id }} | |
- name: Print corpus | |
run: | | |
tree ./fuzz/corpus | |
tree ./fuzz/artifacts | |
- name: Rust cache | |
uses: Swatinem/[email protected] | |
with: | |
workspaces: fuzz -> target | |
- name: Binary cache | |
uses: actions/cache@v4 | |
with: | |
path: ./.cargo/local_root/bin | |
key: ${{ runner.os }}-bin-${{ github.job }}-${{ hashFiles('xtask/src/bin_version.rs') }} | |
- name: Prepare runner | |
run: cargo xtask fuzz install -v | |
- name: Fuzz | |
run: cargo xtask fuzz run --duration 1000 --target ${{ matrix.target }} -v | |
- name: Minify fuzzing corpus | |
if: ${{ always() && !cancelled() }} | |
run: cargo xtask fuzz corpus-min --target ${{ matrix.target }} -v | |
# Use GitHub artifacts instead of cache for the updated corpus | |
# because same cache can’t be used by multiple jobs at the same time. | |
# Also, we can’t dynamically create a unique cache keys for all | |
# the targets, because then we can’t easily retrieve this cache | |
# without hardcoding a step for each one. It’s not good for maintenance. | |
- name: Prepare minified corpus upload | |
# We want to upload artifacts even if fuzzing "fails" (so we can retrieve the artifact causing the crash) | |
if: ${{ always() && !cancelled() }} | |
run: | | |
mkdir ${{ runner.temp }}/corpus/ | |
cp -r ./fuzz/corpus/${{ matrix.target }} ${{ runner.temp }}/corpus | |
mkdir ${{ runner.temp }}/artifacts/ | |
cp -r ./fuzz/artifacts/${{ matrix.target }} ${{ runner.temp }}/artifacts | |
- name: Upload minified corpus | |
if: ${{ always() && !cancelled() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
retention-days: 7 | |
name: minified-corpus-${{ matrix.target }} | |
path: | | |
${{ runner.temp }}/corpus | |
${{ runner.temp }}/artifacts | |
corpus-merge: | |
name: Corpus merge artifacts | |
runs-on: ubuntu-latest | |
needs: fuzz | |
if: ${{ always() && !cancelled() }} | |
steps: | |
- name: Merge Artifacts | |
uses: actions/upload-artifact/merge@v4 | |
with: | |
name: minified-corpus | |
pattern: minified-corpus-* | |
delete-merged: true | |
corpus-upload: | |
name: Upload corpus | |
runs-on: ubuntu-20.04 | |
needs: corpus-merge | |
if: ${{ always() && !cancelled() }} | |
env: | |
AZURE_STORAGE_KEY: ${{ secrets.CORPUS_AZURE_STORAGE_KEY }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Download updated corpus | |
uses: actions/download-artifact@v4 | |
with: | |
name: minified-corpus | |
path: ./fuzz/ | |
- name: Print corpus | |
run: | | |
tree ./fuzz/corpus | |
tree ./fuzz/artifacts | |
- name: Upload fuzzing corpus | |
run: cargo xtask fuzz corpus-push -v | |
- name: Clean corpus cache | |
run: | | |
curl -L \ | |
-X DELETE \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ github.token }}"\ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
"${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/actions/caches?key=fuzz-corpus-${{ github.run_id }}" | |
notify: | |
name: Notify failure | |
runs-on: ubuntu-latest | |
if: ${{ always() && contains(needs.*.result, 'failure') && github.event_name == 'schedule' }} | |
needs: | |
- fuzz | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_ARCHITECTURE }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
steps: | |
- name: Send slack notification | |
id: slack | |
uses: slackapi/[email protected] | |
with: | |
payload: | | |
{ | |
"blocks": [ | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "*${{ github.repository }}* :warning: \n Fuzz workflow for *${{ github.repository }}* <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|found a bug>" | |
} | |
} | |
] | |
} |