From 6972dc2c2a7e2a127f761d089b8b9d0ac19064a2 Mon Sep 17 00:00:00 2001
From: Benjamin Thomas Schwertfeger
Date: Fri, 15 Mar 2024 16:12:52 +0100
Subject: [PATCH 1/3] add permissions and fuzzy job
---
 .github/workflows/_build.yaml | 2 +
 .github/workflows/_build_doc.yaml | 2 +
 .github/workflows/_codecov.yaml | 2 +
 .github/workflows/_codeql.yaml | 6 +++
 .github/workflows/_pre_commit.yaml | 2 +
 .github/workflows/_pypi_publish.yaml | 2 +
 .github/workflows/_test_futures_private.yaml | 2 +
 .github/workflows/_test_futures_public.yaml | 2 +
 .github/workflows/_test_nft_private.yaml | 2 +
 .github/workflows/_test_nft_public.yaml | 2 +
 .github/workflows/_test_spot_private.yaml | 2 +
 .github/workflows/_test_spot_public.yaml | 2 +
 .github/workflows/cflite_pr.yaml | 51 ++++++++++++++++++++
 .github/workflows/cicd.yaml | 2 +
 .github/workflows/manual_build.yaml | 2 +
 .github/workflows/manual_codeql.yaml | 2 +
 .github/workflows/manual_pre_commit.yaml | 2 +
 .github/workflows/manual_test_futures.yaml | 2 +
 .github/workflows/manual_test_spot.yaml | 2 +
 .github/workflows/scorecard.yml | 1 +
 20 files changed, 92 insertions(+)
 create mode 100644 .github/workflows/cflite_pr.yaml
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
index 12f1ac99..4d38020c 100644
--- a/.github/workflows/_build.yaml
+++ b/.github/workflows/_build.yaml
@@ -18,6 +18,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Build:
 runs-on: ${{ inputs.os }}
diff --git a/.github/workflows/_build_doc.yaml b/.github/workflows/_build_doc.yaml
index ba13fc08..d92fe466 100644
--- a/.github/workflows/_build_doc.yaml
+++ b/.github/workflows/_build_doc.yaml
@@ -17,6 +17,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Build:
 runs-on: ${{ inputs.os }}
diff --git a/.github/workflows/_codecov.yaml b/.github/workflows/_codecov.yaml
index b9223bf9..12468bce 100644
--- a/.github/workflows/_codecov.yaml
+++ b/.github/workflows/_codecov.yaml
@@ -33,6 +33,8 @@ on:
 FUTURES_SANDBOX_SECRET:
 required: true
+permissions: read-all
+
 jobs:
 CodeCov:
 name: Coverage
diff --git a/.github/workflows/_codeql.yaml b/.github/workflows/_codeql.yaml
index 10f777aa..e0aa3d66 100644
--- a/.github/workflows/_codeql.yaml
+++ b/.github/workflows/_codeql.yaml
@@ -7,6 +7,12 @@ name: CodeQL
 on:
 workflow_call:
+# Don't change this permissions. These must match those of the analyze job.
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/_pre_commit.yaml b/.github/workflows/_pre_commit.yaml
index 2e88c862..b7f46741 100644
--- a/.github/workflows/_pre_commit.yaml
+++ b/.github/workflows/_pre_commit.yaml
@@ -10,6 +10,8 @@ name: Pre-Commit
 on:
 workflow_call:
+permissions: read-all
+
 jobs:
 Pre-Commit:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/_pypi_publish.yaml b/.github/workflows/_pypi_publish.yaml
index 7df7f294..06af7e37 100644
--- a/.github/workflows/_pypi_publish.yaml
+++ b/.github/workflows/_pypi_publish.yaml
@@ -19,6 +19,8 @@ on:
 API_TOKEN:
 required: true
+permissions: read-all
+
 jobs:
 PyPI-Publish:
 name: Upload to ${{ inputs.REPOSITORY_URL }}
diff --git a/.github/workflows/_test_futures_private.yaml b/.github/workflows/_test_futures_private.yaml
index e5dcbbd3..57dbfcf7 100644
--- a/.github/workflows/_test_futures_private.yaml
+++ b/.github/workflows/_test_futures_private.yaml
@@ -30,6 +30,8 @@ on:
 FUTURES_SANDBOX_SECRET:
 required: true
+permissions: read-all
+
 jobs:
 Test-Futures:
 name: Test ${{ inputs.os }} ${{ inputs.python-version }}
diff --git a/.github/workflows/_test_futures_public.yaml b/.github/workflows/_test_futures_public.yaml
index 0be2c39b..5dd2b478 100644
--- a/.github/workflows/_test_futures_public.yaml
+++ b/.github/workflows/_test_futures_public.yaml
@@ -20,6 +20,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Test-Futures:
 name: Test ${{ inputs.os }} ${{ inputs.python-version }}
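Review bot: The comment `# Don't change this permissions.` on the new workflow-level block in `_codeql.yaml` should also record the constraint that makes this block fragile: a workflow invoked through `workflow_call` can only downgrade the GITHUB_TOKEN it receives, so `security-events: write` here only takes effect if every caller grants it too. Suggested wording: `# Don't change these permissions. They must match those of the analyze job, and every caller of this workflow must grant at least security-events: write, because a called workflow cannot elevate the caller's token.` The current phrase `this permissions` also reads awkwardly.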
diff --git a/.github/workflows/_test_nft_private.yaml b/.github/workflows/_test_nft_private.yaml
index 02ac7ade..e886171f 100644
--- a/.github/workflows/_test_nft_private.yaml
+++ b/.github/workflows/_test_nft_private.yaml
@@ -22,6 +22,8 @@ on:
 SPOT_SECRET_KEY:
 required: true
+permissions: read-all
+
 jobs:
 Test-NFT:
 name: Test ${{ inputs.os }} ${{ inputs.python-version }}
diff --git a/.github/workflows/_test_nft_public.yaml b/.github/workflows/_test_nft_public.yaml
index 8ffe670c..ea9496ef 100644
--- a/.github/workflows/_test_nft_public.yaml
+++ b/.github/workflows/_test_nft_public.yaml
@@ -18,6 +18,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Test-NFT:
 name: Test ${{ inputs.os }} ${{ inputs.python-version }}
diff --git a/.github/workflows/_test_spot_private.yaml b/.github/workflows/_test_spot_private.yaml
index 3d25d4b5..403340b4 100644
--- a/.github/workflows/_test_spot_private.yaml
+++ b/.github/workflows/_test_spot_private.yaml
@@ -27,6 +27,8 @@ on:
 SPOT_SECRET_KEY:
 required: true
+permissions: read-all
+
 jobs:
 Test-Spot:
 name: Test ${{ inputs.os }} ${{ inputs.python-version }}
diff --git a/.github/workflows/_test_spot_public.yaml b/.github/workflows/_test_spot_public.yaml
index 28b4c0de..44d6b48b 100644
--- a/.github/workflows/_test_spot_public.yaml
+++ b/.github/workflows/_test_spot_public.yaml
@@ -20,6 +20,8 @@ on:
 type: string
 required: true
+permissions: read-all
+
 jobs:
 Test-Spot:
 name: Test ${{ inputs.os }} ${{ inputs.python-version }}
diff --git a/.github/workflows/cflite_pr.yaml b/.github/workflows/cflite_pr.yaml
new file mode 100644
index 00000000..43c72c10
--- /dev/null
+++ b/.github/workflows/cflite_pr.yaml
@@ -0,0 +1,51 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+ pull_request:
+ paths:
+ - "**"
+
+permissions: read-all
+
+jobs:
+ PR:
+ runs-on: ubuntu-latest
+ concurrency:
+ group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+ cancel-in-progress: true
+ strategy:
+ fail-fast: false
+ matrix:
+ sanitizer:
+ - address
+ # Override this with the sanitizers you want.
+ # - undefined
+ # - memory
+ steps:
+ - name: Build Fuzzers (${{ matrix.sanitizer }})
+ id: build
+ uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+ with:
+ language: python # Change this to the language you are fuzzing.
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ sanitizer: ${{ matrix.sanitizer }}
+ # Optional but recommended: used to only run fuzzers that are affected
+ # by the PR.
+ # See later section on "Git repo for storage".
+ # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+ # storage-repo-branch: main # Optional. Defaults to "main"
+ # storage-repo-branch-coverage: gh-pages # Optional. Defaults to "gh-pages".
+ - name: Run Fuzzers (${{ matrix.sanitizer }})
+ id: run
+ uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ fuzz-seconds: 600
+ mode: "code-change"
+ sanitizer: ${{ matrix.sanitizer }}
+ output-sarif: true
+ # Optional but recommended: used to download the corpus produced by
+ # batch fuzzing.
+ # See later section on "Git repo for storage".
+ # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+ # storage-repo-branch: main # Optional. Defaults to "main"
+ # storage-repo-branch-coverage: gh-pages # Optional. Defaults to "gh-pages".
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
index 67d10c73..a84615c3 100644
--- a/.github/workflows/cicd.yaml
+++ b/.github/workflows/cicd.yaml
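Review bot: Both steps in the new `cflite_pr.yaml` reference third-party actions by a mutable tag (`google/clusterfuzzlite/actions/build_fuzzers@v1` and `.../run_fuzzers@v1`) while handing them `secrets.GITHUB_TOKEN`; pin each to a full commit SHA with the version in a trailing comment, which is also what the repository's own Scorecard workflow (Pinned-Dependencies check) expects. `output-sarif: true` is combined with workflow-level `permissions: read-all` and no job-level grant; if, as ClusterFuzzLite's sample workflow appears to assume, the action uploads that SARIF to code scanning, the upload would be denied, so either grant `security-events: write` on the `PR` job or drop `output-sarif`. The `paths:` filter with the single entry `"**"` matches every file and can be omitted. Patch 3 of this series deletes the file again, so these points only matter if it is reinstated.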
@@ -52,6 +52,8 @@ on:
 release:
 types: [created]
+permissions: read-all
+
 concurrency:
 group: CICD-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/manual_build.yaml b/.github/workflows/manual_build.yaml
index fbb90bce..52b51242 100644
--- a/.github/workflows/manual_build.yaml
+++ b/.github/workflows/manual_build.yaml
@@ -12,6 +12,8 @@ name: PR Manual Build
 on:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 Build:
 uses: ./.github/workflows/_build.yaml
diff --git a/.github/workflows/manual_codeql.yaml b/.github/workflows/manual_codeql.yaml
index 9902633e..028abe7b 100644
--- a/.github/workflows/manual_codeql.yaml
+++ b/.github/workflows/manual_codeql.yaml
@@ -12,6 +12,8 @@ name: PR Manual CodeQL
 on:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 CodeQL:
 uses: ./.github/workflows/_codeql.yaml
diff --git a/.github/workflows/manual_pre_commit.yaml b/.github/workflows/manual_pre_commit.yaml
index 13ac1b11..b61d638b 100644
--- a/.github/workflows/manual_pre_commit.yaml
+++ b/.github/workflows/manual_pre_commit.yaml
@@ -13,6 +13,8 @@ name: PR Manual Pre-Commit
 on:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 Pre-Commit:
 uses: ./.github/workflows/_pre_commit.yaml
diff --git a/.github/workflows/manual_test_futures.yaml b/.github/workflows/manual_test_futures.yaml
index 82bd2a2b..4fbe3235 100644
--- a/.github/workflows/manual_test_futures.yaml
+++ b/.github/workflows/manual_test_futures.yaml
@@ -27,6 +27,8 @@ name: PR Manual Test Futures
 on:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 Test-Futures-Public:
 uses: ./.github/workflows/_test_futures_public.yaml
diff --git a/.github/workflows/manual_test_spot.yaml b/.github/workflows/manual_test_spot.yaml
index b88215f7..d65e9781 100644
--- a/.github/workflows/manual_test_spot.yaml
+++ b/.github/workflows/manual_test_spot.yaml
@@ -35,6 +35,8 @@ name: PR Manual Test Spot
 on:
 workflow_dispatch:
+permissions: read-all
+
 jobs:
 Test-Spot-Public:
 uses: ./.github/workflows/_test_spot_public.yaml
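Review bot: `permissions: read-all` at the top of `manual_codeql.yaml` caps the GITHUB_TOKEN for its `CodeQL` job, which only `uses: ./.github/workflows/_codeql.yaml`; a called workflow cannot elevate the caller's token, so the `security-events: write` that `_codeql.yaml` declares in this same series is never granted and the CodeQL results upload would presumably fail. The `cicd.yaml` hunk has the same problem for the job that calls `_codeql.yaml`; patch 2 of the series reacts by deleting the line from `cicd.yaml` altogether, which drops that workflow back to the repository's default token permissions instead of keeping a least-privilege baseline. In both files keep the top-level `permissions: read-all` and add a job-level block on the job that calls `_codeql.yaml`, mirroring the callee: `permissions:` with `actions: read`, `contents: read`, `security-events: write`. Job-level `permissions` is accepted on a job that uses a reusable workflow, so no other job in those workflows gains write access.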
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 8979cd61..f6f9d135 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -3,6 +3,7 @@
 # policy, and support documentation.
 name: Scorecard supply-chain security
+
 on:
 # For Branch-Protection check. Only the default branch is supported. See
 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
From 535d9d891a29b9492f5a3c628893ce2e3faaa2b1 Mon Sep 17 00:00:00 2001
From: Benjamin Thomas Schwertfeger
Date: Fri, 15 Mar 2024 16:15:41 +0100
Subject: [PATCH 2/3] adjust permissions
---
 .github/workflows/cicd.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
index a84615c3..67d10c73 100644
--- a/.github/workflows/cicd.yaml
+++ b/.github/workflows/cicd.yaml
@@ -52,8 +52,6 @@ on:
 release:
 types: [created]
-permissions: read-all
-
 concurrency:
 group: CICD-${{ github.ref }}
 cancel-in-progress: true
From d068845104b248cd0e92591926902f9ffbc8fdc2 Mon Sep 17 00:00:00 2001
From: Benjamin Thomas Schwertfeger
Date: Fri, 15 Mar 2024 16:20:14 +0100
Subject: [PATCH 3/3] remove overhead of fuzzy stuff
---
 .github/workflows/cflite_pr.yaml | 51 --------------------------------
 1 file changed, 51 deletions(-)
 delete mode 100644 .github/workflows/cflite_pr.yaml
diff --git a/.github/workflows/cflite_pr.yaml b/.github/workflows/cflite_pr.yaml
deleted file mode 100644
index 43c72c10..00000000
--- a/.github/workflows/cflite_pr.yaml
+++ /dev/null
@@ -1,51 +0,0 @@
-name: ClusterFuzzLite PR fuzzing
-on:
- pull_request:
- paths:
- - "**"
-
-permissions: read-all
-
-jobs:
- PR:
- runs-on: ubuntu-latest
- concurrency:
- group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
- cancel-in-progress: true
- strategy:
- fail-fast: false
- matrix:
- sanitizer:
- - address
- # Override this with the sanitizers you want.
- # - undefined
- # - memory
- steps:
- - name: Build Fuzzers (${{ matrix.sanitizer }})
- id: build
- uses: google/clusterfuzzlite/actions/build_fuzzers@v1
- with:
- language: python # Change this to the language you are fuzzing.
- github-token: ${{ secrets.GITHUB_TOKEN }}
- sanitizer: ${{ matrix.sanitizer }}
- # Optional but recommended: used to only run fuzzers that are affected
- # by the PR.
- # See later section on "Git repo for storage".
- # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
- # storage-repo-branch: main # Optional. Defaults to "main"
- # storage-repo-branch-coverage: gh-pages # Optional. Defaults to "gh-pages".
- - name: Run Fuzzers (${{ matrix.sanitizer }})
- id: run
- uses: google/clusterfuzzlite/actions/run_fuzzers@v1
- with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- fuzz-seconds: 600
- mode: "code-change"
- sanitizer: ${{ matrix.sanitizer }}
- output-sarif: true
- # Optional but recommended: used to download the corpus produced by
- # batch fuzzing.
- # See later section on "Git repo for storage".
- # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
- # storage-repo-branch: main # Optional. Defaults to "main"
- # storage-repo-branch-coverage: gh-pages # Optional. Defaults to "gh-pages".