ldk-fuzzing-corpus/.github/workflows/nightly.yml at master · lightningdevkit/ldk-fuzzing-corpus · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: Nightly corpus management

on:
  schedule:
    # 04:17 UTC every day. Avoid the top of the hour to dodge GitHub Actions
    # cron contention.
    - cron: '17 4 * * *'
  workflow_dispatch:

# Limit concurrency so a manual dispatch and the nightly run can't race.
concurrency:
  group: nightly-corpus
  cancel-in-progress: false

jobs:
  process-prs:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    outputs:
      head_sha: ${{ steps.head.outputs.sha }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Configure git identity
        run: |
          git config user.name "ldk-corpus-bot"
          git config user.email "ldk-corpus-bot@users.noreply.github.com"
      - name: Process open pull requests
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: ./scripts/manage-prs.sh
      - name: Capture post-merge HEAD
        id: head
        run: |
          git fetch origin master
          echo "sha=$(git rev-parse origin/master)" >> "$GITHUB_OUTPUT"

  minimize:
    needs: process-prs
    runs-on: self-hosted
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.process-prs.outputs.head_sha }}
          fetch-depth: 0
      - name: Install Rust 1.75 toolchain
        run: |
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
            | sh -s -- -y --profile=minimal --default-toolchain 1.75
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Run honggfuzz minimization
        env:
          CORPUS_DIR: ${{ github.workspace }}
        run: ./scripts/minimize-corpus.sh
      - name: Open PR with minimized corpus and auto-merge once CI passes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          BOT_PAT: ${{ secrets.PR_RETRIGGER_PAT }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          git config user.name "ldk-corpus-bot"
          git config user.email "ldk-corpus-bot@users.noreply.github.com"
          if [ -z "$(git status --porcelain)" ]; then
            echo "Corpus is already minimal; nothing to commit."
            exit 0
          fi
          BRANCH="ci/minimize-${GITHUB_RUN_ID}"
          git checkout -b "$BRANCH"
          git add -A rust-lightning
          git commit -m "Nightly minimized corpus" -m "Run: $RUN_URL"
          git push -u origin "$BRANCH"
          PR_URL=$(gh pr create \
            --base master \
            --head "$BRANCH" \
            --title "Nightly minimized corpus" \
            --body "Automatically generated by minimization run: $RUN_URL")
          PR_NUM="${PR_URL##*/}"
          echo "Opened PR #$PR_NUM ($PR_URL)"

          # Actions taken with GITHUB_TOKEN don't trigger workflows, so
          # `pr-validation.yml` (the `validate` check required by the
          # branch ruleset) never fires on a PR we just opened. Close
          # and reopen with a PAT to emit a `reopened` event under a
          # non-GITHUB_TOKEN actor — that does trigger workflows.
          # `pull_request.user.login` is set at creation time and isn't
          # changed by reopen, so the validator still sees the author
          # as `github-actions[bot]` and applies the bot-author rules
          # (which permit `removed`/`modified` and `.gitkeep`).
          GH_TOKEN="$BOT_PAT" gh pr close "$PR_NUM"
          GH_TOKEN="$BOT_PAT" gh pr reopen "$PR_NUM"

          # Poll the PR's status checks for up to 15m. We merge as soon as
          # the rollup is SUCCESS, otherwise just close it.
          DEADLINE=$(( $(date +%s) + 900 ))
          ROLLUP="PENDING"
          while [ "$(date +%s)" -lt "$DEADLINE" ]; do
            ROLLUP=$(gh pr view "$PR_NUM" --json statusCheckRollup --jq '
              (.statusCheckRollup // [])
              | map(.conclusion // .status // "PENDING")
              | if length == 0 then "PENDING"
                elif any(. == "FAILURE" or . == "CANCELLED" or . == "TIMED_OUT" or . == "ACTION_REQUIRED") then "FAILURE"
                elif all(. == "SUCCESS" or . == "NEUTRAL" or . == "SKIPPED") then "SUCCESS"
                else "PENDING"
                end')
            echo "Status check rollup for #$PR_NUM: $ROLLUP"
            case "$ROLLUP" in
              SUCCESS|FAILURE) break ;;
            esac
            sleep 5
          done

          case "$ROLLUP" in
            SUCCESS)
              gh pr merge "$PR_NUM" --merge --delete-branch
              echo "Merged #$PR_NUM."
              ;;
            FAILURE)
              echo "Status checks for #$PR_NUM failed; leaving PR open for triage."
              ;;
            *)
              echo "Status checks for #$PR_NUM still PENDING after 15m; abandoning."
              gh pr close "$PR_NUM" --delete-branch
              ;;
          esac