GitHub Action

GitHub Action for Go Fuzz

v1.1.7 Latest version

This action runs Go Fuzzing on GitHub Actions

Installation

Copy and paste the following snippet into your .yml file.

- name: GitHub Action for Go Fuzz
  uses: shogo82148/actions-go-fuzz@v1.1.7

Learn more about this action in shogo82148/actions-go-fuzz

GitHub Action for Go Fuzz

Usage

Report as a Pull Request

Create a workflow file such as .github/workflows/fuzz.yml in your repository:

name: "fuzz"
on:
  workflow_dispatch:
  schedule:
    - cron: "36 2 * * 1,4"

permissions:
  contents: write
  pull-requests: write

jobs:
  list:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - id: list
        uses: shogo82148/actions-go-fuzz/list@v1
    outputs:
      fuzz-tests: ${{steps.list.outputs.fuzz-tests}}

  fuzz:
    runs-on: ubuntu-latest
    timeout-minutes: 360
    needs: list
    strategy:
      fail-fast: false
      matrix:
        include: ${{fromJson(needs.list.outputs.fuzz-tests)}}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - uses: shogo82148/actions-go-fuzz/run@v1
        with:
          packages: ${{ matrix.package }}
          fuzz-regexp: ${{ matrix.func }}
          fuzz-time: "355m"

The action runs each fuzz test with go test -fuzz FuzzFoo. If a fuzz test fails, it commits the failing input and opens a pull request containing it. See an example of a pull request generated by the action.
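To make that flow concrete, here is an added example (not code from actions-go-fuzz or from the Go project): a small key=value parser with a realistic bug, its hardened form, the fuzz target that go test -fuzz FuzzParseKV (and therefore the run action) would execute, and a helper that renders a failing input in the corpus-file format go test saves under testdata/fuzz/<FuzzName>/, which is the "failing input" the action commits. The parser, the names ParseKV and FuzzParseKV, and the crasher input a=1;b are constructed for this example.

```go
// Added example: a buggy parser, its hardened form, the fuzz target that
// finds the bug, and the corpus entry Go writes for the failing input.
// Names (ParseKV, FuzzParseKV) and inputs are constructed for illustration.
package main

import (
	"fmt"
	"strings"
	"testing"
)

// parseKVUnsafe parses "k=v;k=v" and has the kind of bug fuzzing finds in
// seconds: an entry without '=' makes strings.Index return -1, and the slice
// expression entry[:i] panics with "slice bounds out of range".
func parseKVUnsafe(s string) map[string]string {
	out := map[string]string{}
	for _, entry := range strings.Split(s, ";") {
		i := strings.Index(entry, "=")
		out[entry[:i]] = entry[i+1:]
	}
	return out
}

// ParseKV is the hardened version: malformed input is rejected with an
// error instead of a panic, and empty keys are refused.
func ParseKV(s string) (map[string]string, error) {
	out := map[string]string{}
	if s == "" {
		return out, nil
	}
	for _, entry := range strings.Split(s, ";") {
		k, v, ok := strings.Cut(entry, "=")
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed entry %q", entry)
		}
		out[k] = v
	}
	return out, nil
}

// FuzzParseKV is what `go test -fuzz FuzzParseKV` runs. Pointed at
// parseKVUnsafe it reports a crasher almost immediately; with ParseKV it
// checks the invariants below. Rejecting input with an error is fine;
// a panic is a bug.
func FuzzParseKV(f *testing.F) {
	for _, seed := range []string{"", "a=1", "a=1;b=2"} {
		f.Add(seed)
	}
	f.Fuzz(func(t *testing.T, s string) {
		m, err := ParseKV(s)
		if err != nil {
			return
		}
		// Each ';'-separated entry yields at most one key.
		if len(m) > strings.Count(s, ";")+1 {
			t.Fatalf("ParseKV(%q) produced %d keys", s, len(m))
		}
	})
}

// corpusEntry renders failing string arguments the way `go test -fuzz`
// writes them to testdata/fuzz/<FuzzName>/<hash>: a version header followed
// by one Go literal per fuzz argument. That file is the failing input the
// action commits, and plain `go test` replays it on every later run.
func corpusEntry(args ...string) string {
	var b strings.Builder
	b.WriteString("go test fuzz v1\n")
	for _, a := range args {
		fmt.Fprintf(&b, "string(%q)\n", a)
	}
	return b.String()
}

// panics reports whether fn panics; used to demonstrate the crasher.
func panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	crasher := "a=1;b" // constructed: a trailing entry with no '='
	fmt.Println("unsafe parser panics:", panics(func() { parseKVUnsafe(crasher) }))
	if _, err := ParseKV(crasher); err != nil {
		fmt.Println("hardened parser rejects it:", err)
	}
	fmt.Print(corpusEntry(crasher))
}
```

To try it, move FuzzParseKV into a _test.go file of the package and run go test -fuzz FuzzParseKV -fuzztime 30s against parseKVUnsafe: the crasher appears under testdata/fuzz/FuzzParseKV/. Because Go replays that directory during every ordinary go test run, merging the pull request the action opens also adds a permanent regression test for the bug.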

Report as a Slack Message

You can also receive the report as a Slack message. Create a Slack Incoming Webhook, store its URL as the SLACK_INCOMING_WEBHOOK secret, and add a workflow file such as .github/workflows/fuzz.yml to your repository. Note that this method does not push anything to the repository, so the workflow needs only contents: read (see Permissions below):

name: "fuzz"
on:
  workflow_dispatch:
  schedule:
    - cron: "36 2 * * 1,4"

permissions:
  contents: read

jobs:
  list:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - id: list
        uses: shogo82148/actions-go-fuzz/list@v1
    outputs:
      fuzz-tests: ${{steps.list.outputs.fuzz-tests}}

  fuzz:
    runs-on: ubuntu-latest
    timeout-minutes: 360
    needs: list
    strategy:
      fail-fast: false
      matrix:
        include: ${{fromJson(needs.list.outputs.fuzz-tests)}}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
        with:
          go-version: "stable"
      - uses: shogo82148/actions-go-fuzz/run@v1
        with:
          packages: ${{ matrix.package }}
          fuzz-regexp: ${{ matrix.func }}
          fuzz-time: "355m"
          report-method: "slack"
          webhook-url: ${{ secrets.SLACK_INCOMING_WEBHOOK }}

Permissions

With the pull-request report method, the action requires the following GitHub permissions (contents: write to push the branch with the failing input, pull-requests: write to open the pull request):

  • contents: write
  • pull-requests: write

You can specify the permissions in the workflow YAML file:

permissions:
  contents: write
  pull-requests: write

With the slack report method, nothing is pushed to the repository, so the action requires only the following GitHub permission:

  • contents: read

Inputs of the list action

  • packages: This is an optional parameter that lets you specify the Go packages for which you want to list the fuzz tests. By default, it targets all packages in your project (./...).
  • working-directory: An optional working directory in which to run the listing. The default is the repository root (.).
  • tags: A comma-separated list of additional build tags to consider satisfied during the build. It is equivalent to the -tags flag of the go test command.

Outputs of the list action

  • fuzz-tests: JSON-encoded list of all the fuzz tests for the specified Go packages.

Inputs of the run action

  • repository: The name of the repository with owner (e.g., shogo82148/actions-go-fuzz). It defaults to the repository where the action is running.
  • token: The GitHub token for the repository. It defaults to the token provided by the GitHub Actions environment.
  • packages: An optional parameter to specify the Go packages for fuzz tests. By default, it targets all packages in your project (./...).
  • working-directory: An optional working directory in which to run the fuzz tests. The default is the repository root (.).
  • fuzz-regexp: Run the fuzz test matching the regular expression. Corresponds to the -fuzz flag for the go test command.
  • fuzz-time: Fuzz target iteration duration, specified as a time.Duration (for example 1h30s). Corresponds to -fuzztime flag for the go test command. Ensure this is less than your job timeout.
  • fuzz-minimize-time: Fuzz minimization duration, specified as a time.Duration (for example 1h30s). Corresponds to -fuzzminimizetime flag for the go test command. If you provide this input, ensure it is less than your job timeout.
  • report-method: The method to report the result. pull-request to create a pull request, slack to send a message via Slack Incoming Web Hook.
  • base-branch: The base branch name of the pull request.
  • head-branch-prefix: The prefix of the head branch name of the pull request.
  • webhook-url: The URL of the Slack Incoming Web Hook.
  • tags: A comma-separated list of additional build tags to consider satisfied during the build. It is equivalent to the -tags flag of the go test command.

Outputs of the run action

  • found: true if new crashers were found; otherwise a falsy value.
  • head-branch: the name of the head branch of the pull request the action created.
  • pull-request-number: the number of the pull request the action created.
  • pull-request-url: the URL of the pull request the action created.

Security

The pull request created by this action is visible to everyone with read access to the repository; in a public repository, that is everyone. Because the committed input reproduces the failure, the pull request can effectively publish a proof of concept for a security-relevant bug before it is fixed. Where possible, use the slack report method instead; it keeps the crasher out of the repository and also needs only contents: read.

License

The scripts and documentation in this project are released under the MIT License.