Release in CI pipeline #231
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This file exists over using one workflow and a matrix because matrices don't give you an easy way to use different | |
# secrets. The way that exists, having the secret's key name be a value, only works within `with` and not in `env` | |
# blocks (see https://github.com/orgs/community/discussions/26302#discussioncomment-3905492). This is a problem because | |
# we need to load the secret in `env` in order to check that it's there, so we can know if we want to run the fuzzing | |
# job. And we need _that_ because any PRs that come in from forks may not have these secrets defined and thus would | |
# cause our CI to fail if we let the steps run. | |
name: CI Fuzz Featured Project | |
# Set an action secret called "FEATURED_CI_FUZZ_API_TOKEN" with an API token | |
# generated in CI Fuzz web interface. | |
on: | |
workflow_dispatch: | |
push: | |
branches: [ main ] | |
pull_request: | |
branches: [ main ] | |
env: | |
PROJECT_NAME: projects/Jazzer-2bd02dc5 | |
# The fuzzing server gRPC URL. | |
FUZZING_SERVER_ADDRESS: grpc.code-intelligence.com:443 | |
# The fuzzing server HTTP URL. | |
WEB_APP_ADDRESS: https://app.code-intelligence.com | |
# Directory in which the repository will be cloned. | |
CHECKOUT_DIR: checkout-dir/ | |
CIFUZZ_DOWNLOAD_URL: "https://github.com/CodeIntelligenceTesting/cifuzz/releases/latest/download/cifuzz_installer_linux_amd64" | |
CIFUZZ_INSTALL_DIR: ./cifuzz | |
FUZZING_ARTIFACT: fuzzing-artifact.tar.gz | |
jobs: | |
setup: | |
runs-on: ubuntu-latest | |
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets | |
env: | |
ci_fuzz_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }} | |
steps: | |
- id: checkout | |
name: Checkout Repository | |
uses: actions/checkout@v3 | |
with: | |
path: ${{ env.CHECKOUT_DIR }} | |
- id: install-cifuzz | |
name: Install cifuzz | |
run: | | |
curl --fail --silent --show-error --location -o cifuzz_installer "$CIFUZZ_DOWNLOAD_URL" | |
chmod u+x cifuzz_installer | |
./cifuzz_installer --install-dir $CIFUZZ_INSTALL_DIR | |
- name: Mount Bazel disk cache | |
uses: actions/cache@v3 | |
with: | |
path: "/home/runner/.cache/bazel-disk" | |
key: bazel-disk-cache-linux-8 | |
- name: Set Build Buddy config | |
run: $CHECKOUT_DIR/.github/scripts/echoBuildBuddyConfig.sh ${{ secrets.BUILDBUDDY_API_KEY }} >> $GITHUB_ENV | |
shell: bash | |
- id: build-jazzer | |
name: Build Jazzer deps | |
run: cd $CHECKOUT_DIR && bazel build //deploy:jazzer-junit-project //deploy:jazzer-project //deploy:jazzer-api-project //selffuzz:jazzer_selffuzz //selffuzz:jazzer_api_selffuzz | |
- id: build-fuzzers | |
name: Build Fuzzers | |
run: | | |
export cifuzz_DIR="$GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/share/cmake" | |
cd $CHECKOUT_DIR/selffuzz/ | |
$GITHUB_WORKSPACE/$CIFUZZ_INSTALL_DIR/bin/cifuzz bundle \ | |
--commit $GITHUB_SHA \ | |
--branch $GITHUB_REF_NAME \ | |
--output $GITHUB_WORKSPACE/$CHECKOUT_DIR/$FUZZING_ARTIFACT | |
shell: "bash" | |
- id: start-fuzzing | |
name: Start Fuzzing | |
uses: CodeIntelligenceTesting/github-actions/start-fuzzing@v5 | |
if: ${{ env.ci_fuzz_token != '' }} | |
with: | |
ci_fuzz_api_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }} | |
fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} | |
fuzzing_artifact: ${{ env.CHECKOUT_DIR }}/${{ env.FUZZING_ARTIFACT }} | |
checkout_directory: ${{ env.CHECKOUT_DIR }}/selffuzz | |
project: ${{ env.PROJECT_NAME }} | |
- id: monitor-fuzzing | |
name: Fuzzing | |
uses: CodeIntelligenceTesting/github-actions/monitor-fuzzing@v5 | |
if: ${{ env.ci_fuzz_token != '' }} | |
with: | |
ci_fuzz_api_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }} | |
test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} | |
fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} | |
dashboard_address: ${{ env.WEB_APP_ADDRESS }} | |
project: ${{ env.PROJECT_NAME }} | |
- id: save-results | |
name: Save Fuzz Test Results | |
uses: CodeIntelligenceTesting/github-actions/save-results@v5 | |
if: ${{ env.ci_fuzz_token != '' && (success() || failure()) }} | |
with: | |
ci_fuzz_api_token: ${{ secrets.FEATURED_CI_FUZZ_API_TOKEN }} | |
test_collection_run: ${{ steps.start-fuzzing.outputs.test_collection_run }} | |
fuzzing_server_address: ${{ env.FUZZING_SERVER_ADDRESS }} | |
dashboard_address: ${{ env.WEB_APP_ADDRESS }} | |
project: ${{ env.PROJECT_NAME }} | |
- id: upload-artifact | |
uses: actions/upload-artifact@v3 | |
if: ${{ env.ci_fuzz_token != '' && (success() || failure()) }} | |
with: | |
name: ci_fuzz_results-featured | |
path: | | |
findings.json | |
coverage.json | |
web_app_address.txt |