ci: use CFLite to test forks (including systemd-stable)

It's like CIFuzz but unlike CIFuzz it's compatible with forks and it should make it possible to run the fuzzers to make sure that patches backported to them are backported correctly without introducing new bugs and regressions.
2026-04-14 08:25:20 +09:00 · 2022-01-29 15:22:43 +00:00
parent aca6badb80
commit 81f84a2c0b
5 changed files with 80 additions and 1 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,3 +12,8 @@ updates:
    schedule:
      interval: "monthly"
    open-pull-requests-limit: 2
+  - package-ecosystem: "docker"
+    directory: "/.clusterfuzzlite"
+    schedule:
+      interval: "monthly"
+    open-pull-requests-limit: 2
--- a/.github/workflows/cflite_build.yml
+++ b/.github/workflows/cflite_build.yml
@@ -0,0 +1,31 @@
+---
+# vi: ts=2 sw=2 et:
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+name: ClusterFuzzLite continuous builds
+on:
+  push:
+    branches:
+      - main
+      - v[0-9]+-stable
+
+permissions: read-all
+
+jobs:
+  Build:
+    runs-on: ubuntu-latest
+    if: github.repository != 'systemd/systemd'
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined, memory]
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@41dccd0566905e2a7d1724e7883edbfa66d78877
+      with:
+        sanitizer: ${{ matrix.sanitizer }}
+        upload-build: true
--- a/.github/workflows/cflite_pr.yml
+++ b/.github/workflows/cflite_pr.yml
@@ -0,0 +1,39 @@
+---
+# vi: ts=2 sw=2 et:
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    branches:
+      - main
+      - v[0-9]+-stable
+
+permissions: read-all
+
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    if: github.repository != 'systemd/systemd' || github.event.pull_request.user.login == 'dependabot[bot]'
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined, memory]
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@41dccd0566905e2a7d1724e7883edbfa66d78877
+      with:
+        sanitizer: ${{ matrix.sanitizer }}
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@41dccd0566905e2a7d1724e7883edbfa66d78877
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 1200
+        mode: 'code-change'
+        sanitizer: ${{ matrix.sanitizer }}