config: introduce audit options #11
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: fuzzing | ||
on: | ||
push: | ||
branches: | ||
- 'master' | ||
- 'release/**' | ||
tags: | ||
- '**' | ||
paths: | ||
- '.github/workflows/fuzzing.yml' | ||
- 'src/**' | ||
- 'test/fuzz/**' | ||
- 'test/static/corpus/**' | ||
paths-ignore: | ||
- '**.lua' | ||
pull_request: | ||
types: [opened, reopened, synchronize, labeled] | ||
concurrency: | ||
# Update of a developer branch cancels the previously scheduled workflow | ||
# run for this branch. However, the 'master' branch, release branch, and | ||
# tag workflow runs are never canceled. | ||
# | ||
# We use a trick here: define the concurrency group as 'workflow run ID' + | ||
# 'workflow run attempt' because it is a unique combination for any run. | ||
# So it effectively discards grouping. | ||
# | ||
# Important: we cannot use `github.sha` as a unique identifier because | ||
# pushing a tag may cancel a run that works on a branch push event. | ||
group: ${{ ( | ||
github.ref == 'refs/heads/master' || | ||
startsWith(github.ref, 'refs/heads/release/') || | ||
startsWith(github.ref, 'refs/tags/')) && | ||
format('{0}-{1}', github.run_id, github.run_attempt) || | ||
format('{0}-{1}', github.workflow, github.ref) }} | ||
cancel-in-progress: true | ||
jobs: | ||
fuzzing: | ||
# Run on push to the 'master' and release branches of tarantool/tarantool | ||
# or on pull request if the 'full-ci' label is set. | ||
if: github.repository == 'tarantool/tarantool' && | ||
( github.event_name != 'pull_request' || | ||
contains(github.event.pull_request.labels.*.name, 'full-ci') ) | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
sanitizer: [address, undefined] | ||
steps: | ||
- name: build fuzzers (${{ matrix.sanitizer }}) | ||
id: build | ||
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master | ||
with: | ||
oss-fuzz-project-name: 'tarantool' | ||
dry-run: false | ||
sanitizer: ${{ matrix.sanitizer }} | ||
- name: run fuzzers (${{ matrix.sanitizer }}) | ||
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master | ||
with: | ||
oss-fuzz-project-name: 'tarantool' | ||
fuzz-seconds: 600 | ||
dry-run: false | ||
sanitizer: ${{ matrix.sanitizer }} | ||
- uses: actions/checkout@v3 | ||
id: checkout | ||
if: failure() | ||
with: | ||
path: tarantool | ||
- name: Send VK Teams message on failure | ||
if: failure() && steps.checkout.outcome == 'success' | ||
uses: ./tarantool/.github/actions/report-job-status | ||
with: | ||
bot-token: ${{ secrets.VKTEAMS_BOT_TOKEN }} | ||
- name: upload crash | ||
uses: actions/upload-artifact@v3 | ||
if: failure() && steps.build.outcome == 'success' | ||
with: | ||
name: ${{ matrix.sanitizer }}-artifacts | ||
retention-days: 21 | ||
path: ./out/artifacts |