Now that almost all the bugs reported by OSS-Fuzz have been fixed libsepol/cil should be stable enough to get CIFuzz working more or less reliably. It should help to catch regressions/new bugs faster. https://google.github.io/oss-fuzz/getting-started/continuous-integration/ The patch was tested on GitHub in https://github.com/SELinuxProject/selinux/pull/285 The CIFuzz job can be found at https://github.com/SELinuxProject/selinux/actions/runs/1017865690 Signed-off-by: Evgeny Vereshchagin <evvers@xxxxx> --- .github/workflows/cifuzz.yml | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/cifuzz.yml diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml new file mode 100644 index 00000000..5c2233a2 --- /dev/null +++ b/.github/workflows/cifuzz.yml @@ -0,0 +1,39 @@ +--- +name: CIFuzz +on: + push: + branches: + - master + pull_request: + branches: + - master +jobs: + Fuzzing: + runs-on: ubuntu-latest + if: github.repository == 'SELinuxProject/selinux' + strategy: + fail-fast: false + matrix: + sanitizer: [address, undefined, memory] + steps: + - name: Build Fuzzers (${{ matrix.sanitizer }}) + id: build + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + with: + oss-fuzz-project-name: 'selinux' + dry-run: false + allowed-broken-targets-percentage: 0 + sanitizer: ${{ matrix.sanitizer }} + - name: Run Fuzzers (${{ matrix.sanitizer }}) + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + with: + oss-fuzz-project-name: 'selinux' + fuzz-seconds: 180 + dry-run: false + sanitizer: ${{ matrix.sanitizer }} + - name: Upload Crash + uses: actions/upload-artifact@v1 + if: failure() && steps.build.outcome == 'success' + with: + name: ${{ matrix.sanitizer }}-artifacts + path: ./out/artifacts -- 2.31.1
