From 8eafa9d5b62cd61b5f95ebd54350ad436a6f99fc Mon Sep 17 00:00:00 2001
From: M Hickford <hickford@google.com>
Date: Mon, 25 Jul 2022 15:46:38 +0100
Subject: [PATCH] ClusterFuzzLite integration and GitHub Actions (#37)

* ClusterFuzzLite integration

Following https://google.github.io/clusterfuzzlite/build-integration/ with bits of https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/#native-go-fuzzing-support

* Add GitHub actions for PR fuzzing and continuous builds

https://google.github.io/clusterfuzzlite/running-clusterfuzzlite/github-actions/
---
 .clusterfuzzlite/Dockerfile        |  5 ++++
 .clusterfuzzlite/build.sh          |  6 ++++
 .clusterfuzzlite/project.yaml      |  6 ++++
 .github/workflows/cflite_build.yml | 28 +++++++++++++++++
 .github/workflows/cflite_pr.yml    | 48 ++++++++++++++++++++++++++++++
 5 files changed, 93 insertions(+)
 create mode 100644 .clusterfuzzlite/Dockerfile
 create mode 100644 .clusterfuzzlite/build.sh
 create mode 100644 .clusterfuzzlite/project.yaml
 create mode 100644 .github/workflows/cflite_build.yml
 create mode 100644 .github/workflows/cflite_pr.yml

diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
new file mode 100644
index 0000000..ba75c57
--- /dev/null
+++ b/.clusterfuzzlite/Dockerfile
@@ -0,0 +1,5 @@
+# https://google.github.io/clusterfuzzlite/build-integration/#dockerfile
+FROM gcr.io/oss-fuzz-base/base-builder-go
+COPY . $SRC/merkle
+WORKDIR $SRC/merkle
+COPY .clusterfuzzlite/build.sh $SRC/
diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
new file mode 100644
index 0000000..7db9375
--- /dev/null
+++ b/.clusterfuzzlite/build.sh
@@ -0,0 +1,6 @@
+# https://google.github.io/oss-fuzz/getting-started/new-project-guide/go-lang/#buildsh
+# undocumented dependency
+go install github.com/AdamKorcz/go-118-fuzz-build@latest
+go get github.com/AdamKorcz/go-118-fuzz-build/utils
+# necessary to list each fuzz test explicitly
+compile_native_go_fuzzer github.com/transparency-dev/merkle/compact FuzzRangeNodes FuzzRangeNodes
diff --git a/.clusterfuzzlite/project.yaml b/.clusterfuzzlite/project.yaml
new file mode 100644
index 0000000..2218ae3
--- /dev/null
+++ b/.clusterfuzzlite/project.yaml
@@ -0,0 +1,6 @@
+# https://google.github.io/clusterfuzzlite//build-integration/go-lang/
+language: go
+fuzzing_engines:
+  - libfuzzer
+sanitizers:
+  - address
diff --git a/.github/workflows/cflite_build.yml b/.github/workflows/cflite_build.yml
new file mode 100644
index 0000000..a5ee747
--- /dev/null
+++ b/.github/workflows/cflite_build.yml
@@ -0,0 +1,28 @@
+name: ClusterFuzzLite continuous builds
+on:
+  push:
+    branches:
+      - main  # Use your actual default branch here.
+permissions: read-all
+jobs:
+  Build:
+   runs-on: ubuntu-latest
+   concurrency:
+     group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+     cancel-in-progress: true
+   strategy:
+     fail-fast: false
+     matrix:
+        sanitizer:
+        - address
+        # Override this with the sanitizers you want.
+        # - undefined
+        # - memory
+   steps:
+   - name: Build Fuzzers (${{ matrix.sanitizer }})
+     id: build
+     uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+     with:
+        language: go
+        sanitizer: ${{ matrix.sanitizer }}
+        upload-build: true
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
new file mode 100644
index 0000000..9cad6d9
--- /dev/null
+++ b/.github/workflows/cflite_pr.yml
@@ -0,0 +1,48 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    paths:
+      - '**'
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+        - address
+        # Override this with the sanitizers you want.
+        # - undefined
+        # - memory
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: go
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        sanitizer: ${{ matrix.sanitizer }}
+        # Optional but recommended: used to only run fuzzers that are affected
+        # by the PR.
+        # See later section on "Git repo for storage".
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 600
+        mode: 'code-change'
+        sanitizer: ${{ matrix.sanitizer }}
+        # Optional but recommended: used to download the corpus produced by
+        # batch fuzzing.
+        # See later section on "Git repo for storage".
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".