Add CIFuzz Github Action #203
Conversation
Signed-off-by: David Korczynski <david@adalogics.com>
| name: CIFuzz | ||
| on: [pull_request] | ||
| jobs: |
There was a problem hiding this comment.
Can we restrict the permission to contents read?
| name: CIFuzz | |
| on: [pull_request] | |
| jobs: | |
| name: CIFuzz | |
| on: [pull_request] | |
| permissions: | |
| contents: read | |
| jobs: |
There was a problem hiding this comment.
I did this now -- I think it should work but am not entirely sure. @jonathanmetzman can you confirm?
There was a problem hiding this comment.
I'm not sure either, could we get CIFuzz to run in this PR to test?
Signed-off-by: David Korczynski <david@adalogics.com>
| steps: | ||
| - name: Build Fuzzers | ||
| id: build | ||
| uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@a790ab47e189e5e3b4941b991f4784ec769a9e70 |
There was a problem hiding this comment.
Pinning may temporarily work with CIFuzz, but you will need to update the pinned version if you update double-conversion in OSS-Fuzz.
There was a problem hiding this comment.
@floitsch let me know what you think -- I pinned due to your request #203 (comment) but given the feedback from @jonathanmetzman let me know which you prefer. There aren't many updates in https://github.com/google/oss-fuzz/tree/master/projects/double-conversion which may speak for keeping the hashes.
There was a problem hiding this comment.
There are almont no updates for double-conversion's oss-fuzz. I think we can pin the version.
The hash-pinning was recommended by @joycebrum.
I can get convinced either way: given the limited permissions there isn't a lot of risk (not that I think that the oss-fuzz repository would get taken over), but with the limited amount of changes pinning should also be fine.
There was a problem hiding this comment.
Actually I was wrong, even updates to the integration are not affected by pinning. Pinning will prevent you from getting updates to CIFuzz though.
I'll explain:
The main thing that gets pinned are these files: https://github.com/google/oss-fuzz/blob/master/infra/cifuzz/actions/build_fuzzers/action.yml https://github.com/google/oss-fuzz/blob/master/infra/build_fuzzers.Dockerfile (and by extension the CIFuzz source code)
That's because once build_fuzzers.Dockerfile gets built, it pulls from gcr.io/oss-fuzz-base/cifuzz-base See here) which is continuously updated and contains your build integration.
I don't think CIFuzz is unique in not pinning the docker image it inherits from, so in many cases, including this one, pinning is providing no security.
Pinning is not providing any security here. I think some breakages outweighs no security, but I'm happy to try to support your usage either way.
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
floitsch
left a comment
floitsch
left a comment
There was a problem hiding this comment.
LGTM.
I will give a few days for comments before committing.
Feel free to ping me if I forget.
3 participants
Add CIFuzz workflow action to have fuzzers build and run on each PR.
This service is offered by OSS-Fuzz where double-conversion already runs. CIFuzz can help catch regressions and fuzzing build issues early, and has a variety of features (see the URL above). In the current PR the fuzzers gets build on a pull request and will run for 300 seconds.