Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -12,8 +12,10 @@ jobs:
rust:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v7
- uses: dtolnay/rust-toolchain@stable
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
with:
toolchain: stable
- name: Check formatting
run: cargo fmt --check
- name: Test
Expand Down
75 changes: 75 additions & 0 deletions .github/workflows/fuzz.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
name: Fuzz

on:
# Bounded smoke fuzzing on every PR that touches fuzzable surfaces or the
# harness. Time budget is capped low to keep CI cost predictable.
pull_request:
paths:
- "src/**"
- "crates/**"
- "fuzz/**"
- ".github/workflows/fuzz.yml"
# Longer nightly run for deeper exploration (optional, off the PR critical path).
schedule:
- cron: "0 3 * * *"
workflow_dispatch:

permissions:
contents: read

concurrency:
group: fuzz-${{ github.ref }}
cancel-in-progress: true

jobs:
fuzz:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- fuzz_score_request
- fuzz_appdata_json
- fuzz_parse_admin_tokens
- fuzz_dnsbl_zone
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

- name: Install nightly toolchain
uses: dtolnay/rust-toolchain@efcb852328a9f50117170cc43094fb6f09eaf1ae # nightly
with:
toolchain: nightly

- name: Cache cargo-fuzz build
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
with:
path: |
~/.cargo/bin/cargo-fuzz
fuzz/target
key: cargo-fuzz-${{ runner.os }}-${{ matrix.target }}-${{ hashFiles('fuzz/Cargo.toml') }}

- name: Install cargo-fuzz
run: cargo install cargo-fuzz --version 0.13.2 --locked || true

# PRs: 60s per target. Nightly/manual: 300s per target.
- name: Set fuzz duration
run: |
if [ "${{ github.event_name }}" = "pull_request" ]; then
echo "FUZZ_SECONDS=60" >> "$GITHUB_ENV"
else
echo "FUZZ_SECONDS=300" >> "$GITHUB_ENV"
fi

- name: Fuzz ${{ matrix.target }}
run: |
cargo fuzz run ${{ matrix.target }} -- \
-max_total_time="$FUZZ_SECONDS" \
-rss_limit_mb=2048

- name: Upload crash artifacts
if: failure()
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: fuzz-artifacts-${{ matrix.target }}
path: fuzz/artifacts/${{ matrix.target }}/
if-no-files-found: ignore
10 changes: 6 additions & 4 deletions .github/workflows/scorecard-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,24 +9,26 @@ on:

permissions:
contents: read
security-events: write

jobs:
analysis:
name: Scorecard Analysis
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v7
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
persist-credentials: false
- name: Run analysis
uses: ossf/scorecard-action@v2.4.3
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: false
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v4
uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4
with:
sarif_file: results.sarif
165 changes: 165 additions & 0 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading
Loading