diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 166b5f30..a3765510 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,27 +2,34 @@ name: Lint and format 💅 on: workflow_dispatch: - # push: - # pull_request: - # branches: - # - main - # - develop + push: + pull_request: + branches: + - main + - develop + - master # for safety reasons + - dev # for safety reasons jobs: lint: - runs-on: ubuntu-latest + runs-on: ${{ github.repository_owner == 'zondax' && 'zondax-runners' || 'ubuntu-latest' }} container: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest steps: - uses: actions/checkout@v4 with: submodules: recursive - name: Add missing deps + env: + DEBIAN_FRONTEND: noninteractive run: | - DEBIAN_FRONTEND=noninteractive apt-get update apt-get install -y bear sudo - name: Generate compilation database run: bear -- make -j BOLOS_SDK="$NANOSP_SDK" + - name: Setup python + uses: actions/setup-python@v5 + with: + python-version: "3.11" - name: Lint and format 💅 uses: cpp-linter/cpp-linter-action@v2 id: linter diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2df9ea0b..c7d56e2d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -264,3 +264,84 @@ jobs: tag_name: ${{ steps.flex.outputs.tag_name }} draft: false prerelease: false + + fuzzing: + name: fuzzing + runs-on: ubuntu-latest + container: + image: rust:latest + steps: + - uses: actions/checkout@v3 + + # Install only the additional dependencies needed for honggfuzz + - name: Install system dependencies + run: | + apt-get update && apt-get install -y \ + binutils-dev \ + libunwind-dev \ + libblocksruntime-dev \ + liblzma-dev + + - name: Install honggfuzz + run: cargo install honggfuzz + + - name: Generate corpus + run: | + cd app/hfuzz-parser/corpus + cargo run + + # Different fuzzing durations based on trigger + - name: Quick fuzz (PR) + if: github.event_name == 'push' + run: | + cd app/hfuzz-parser + timeout 5m cargo hfuzz run transaction ../hfuzz_corpus/ + + - name: Medium fuzz (main) + if: github.event_name == 'pull_request' + run: | + cd app/hfuzz-parser + timeout 15m cargo hfuzz run transaction ../hfuzz_corpus/ + + - name: Extended fuzz (weekly) + if: github.event_name == 'schedule' + run: | + cd app/hfuzz-parser + timeout 30m cargo hfuzz run transaction ../hfuzz_corpus/ + + - name: Check for crashes + run: | + if ls app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.* 1> /dev/null 2>&1; then + echo "::error::Crashes found during fuzzing!" + exit 1 + fi + + - name: Upload crash artifacts + if: failure() + uses: actions/upload-artifact@v3 + with: + name: crash-reports + path: | + app/hfuzz-parser/hfuzz_workspace/transaction/SIGABRT.PC.* + app/hfuzz-parser/hfuzz_workspace/transaction/HONGGFUZZ.REPORT.TXT + app/hfuzz-parser/hfuzz_workspace/transaction/input/ + + - name: Cache corpus + uses: actions/cache@v3 + with: + path: app/hfuzz_corpus + key: ${{ runner.os }}-fuzz-corpus-${{ github.sha }} + restore-keys: | + ${{ runner.os }}-fuzz-corpus- + + - name: Notify on failure + if: failure() + uses: actions/github-script@v6 + with: + script: | + github.rest.issues.create({ + owner: context.repo.owner, + repo: context.repo.repo, + title: 'Fuzzing found crashes', + body: 'Fuzzing job failed. Check the artifacts in the workflow run.' + })