ci: turn on CIFuzz

Now that almost all the bugs reported by OSS-Fuzz have been
fixed libsepol/cil should be stable enough to get CIFuzz working
more or less reliably. It should help to catch regressions/new bugs
faster.

https://google.github.io/oss-fuzz/getting-started/continuous-integration/

The patch was tested on GitHub in https://github.com/SELinuxProject/selinux/pull/285
The CIFuzz job can be found at https://github.com/SELinuxProject/selinux/actions/runs/1017865690

Signed-off-by: Evgeny Vereshchagin <evvers@ya.ru>
This commit is contained in:
Evgeny Vereshchagin 2021-07-10 12:03:01 +00:00 committed by Nicolas Iooss
parent 1711757378
commit a2a40f0345
No known key found for this signature in database
GPG Key ID: C191415F340DAAA0

39
.github/workflows/cifuzz.yml vendored Normal file
View File

@ -0,0 +1,39 @@
---
name: CIFuzz
on:
push:
branches:
- master
pull_request:
branches:
- master
jobs:
Fuzzing:
runs-on: ubuntu-latest
if: github.repository == 'SELinuxProject/selinux'
strategy:
fail-fast: false
matrix:
sanitizer: [address, undefined, memory]
steps:
- name: Build Fuzzers (${{ matrix.sanitizer }})
id: build
uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
with:
oss-fuzz-project-name: 'selinux'
dry-run: false
allowed-broken-targets-percentage: 0
sanitizer: ${{ matrix.sanitizer }}
- name: Run Fuzzers (${{ matrix.sanitizer }})
uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
with:
oss-fuzz-project-name: 'selinux'
fuzz-seconds: 180
dry-run: false
sanitizer: ${{ matrix.sanitizer }}
- name: Upload Crash
uses: actions/upload-artifact@v1
if: failure() && steps.build.outcome == 'success'
with:
name: ${{ matrix.sanitizer }}-artifacts
path: ./out/artifacts