Merge pull request #1 from step-security/release

feat: Initial release

Author: amanstep

.Rbuildignore

@@ -0,0 +1,17 @@
+^pr-fetch$
+^pr-push$
+^run-rchk$
+^setup-r$
+^setup-pandoc$
+^setup-tinytex$
+^examples$
+^LICENSE$
+^.github$
+^actions\.Rproj$
+^\.Rproj\.user$
+^Makefile$
+^CITATION.cff$
+^\.clusterfuzzlite$
+^check-r-package$
+^setup-r-dependencies$
+^setup-renv$

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,5 @@
+FROM gcr.io/oss-fuzz-base/base-builder:v1@sha256:ffd8a9fe9f951451e7b28610c83b0264e9fe20449af1f1dc31e243ec947315f7
+RUN apt-get update && apt-get install -y r-base make libxml2-dev libcurl4-openssl-dev
+COPY . $SRC/actions
+WORKDIR actions
+COPY .clusterfuzzlite/build.sh $SRC/

.clusterfuzzlite/build.sh

@@ -0,0 +1,20 @@
+#!/bin/bash -eu
+
+# build project
+# e.g.
+# ./autogen.sh
+# ./configure
+# make -j$(nproc) all
+
+cd /src/actions/src
+$CC -c fuzzer.c
+ar rcs fuzzer.a fuzzer.o
+
+# build fuzzers
+# e.g.
+# $CXX $CXXFLAGS -std=c++11 -Iinclude \
+#     /path/to/name_of_fuzzer.cc -o $OUT/name_of_fuzzer \
+#     $LIB_FUZZING_ENGINE /path/to/library.a
+
+$CC $CFLAGS fuzzer.c -o $OUT/fuzzer \
+    $LIB_FUZZING_ENGINE /src/actions/src/fuzzer.a

.clusterfuzzlite/project.yaml

@@ -0,0 +1 @@
+language: c

.github/workflows/actions_release.yml

@@ -0,0 +1,27 @@
+name: Release GitHub Actions
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag for the release"
+        required: true
+      working_directory:
+        description: "Working directories to run commands in (comma-separated, optional)"
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  release:
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+
+    uses: step-security/reusable-workflows/.github/workflows/actions_release.yaml@3e8d79e9716f171de1ce34a53e49f87ef9fddec4
+    with:
+      tag: "${{ github.event.inputs.tag }}"
+      working_directory: ${{github.event.inputs.working_directory}}

.github/workflows/audit_package.yml

@@ -0,0 +1,37 @@
+name: NPM Audit Fix Run
+
+on:
+  workflow_dispatch:
+    inputs:
+      force:
+        description: "Use --force flag for npm audit fix?"
+        required: true
+        type: boolean
+      base_branch:
+        description: "Specify a base branch"
+        required: false
+        default: "main"
+  schedule:
+    - cron: "0 0 * * 1"
+
+jobs:
+  audit-fix:
+    strategy:
+      matrix:
+        working_directory:
+          - pr-fetch
+          - pr-push
+          - setup-pandoc
+          - setup-r
+          - setup-tinytex
+    uses: step-security/reusable-workflows/.github/workflows/audit_fix.yml@3e8d79e9716f171de1ce34a53e49f87ef9fddec4
+    with:
+      force: ${{ inputs.force || false }}
+      base_branch: ${{ inputs.base_branch || 'main' }}
+      working_directory: ${{ matrix.working_directory }}
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write

.github/workflows/auto_cherry_pick.yml

@@ -0,0 +1,23 @@
+name: Auto Cherry-Pick from Upstream
+
+on:
+  workflow_dispatch:
+    inputs:
+      base_branch:
+        description: "Base branch to create the PR against"
+        required: true
+        default: "main"
+
+permissions:
+  contents: write
+  pull-requests: write
+  packages: read
+  issues: write
+
+jobs:
+  cherry-pick:
+    uses: step-security/reusable-workflows/.github/workflows/auto_cherry_pick.yaml@v1
+    with:
+      original-owner: "r-lib"
+      repo-name: "actions"
+      base_branch: ${{ inputs.base_branch }}

.github/workflows/cflite_build.yml

@@ -0,0 +1,29 @@
+name: ClusterFuzzLite continuous builds
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'src/**'
+  workflow_dispatch:
+
+permissions: read-all
+jobs:
+  Build:
+   runs-on: ubuntu-latest
+   concurrency:
+     group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+     cancel-in-progress: true
+   strategy:
+     fail-fast: false
+     matrix:
+        sanitizer:
+        - address
+   steps:
+   - name: Build Fuzzers (${{ matrix.sanitizer }})
+     id: build
+     uses: google/clusterfuzzlite/actions/build_fuzzers@82652fb49e77bc29c35da1167bb286e93c6bcc05
+     with:
+        language: c # Change this to the language you are fuzzing.
+        sanitizer: ${{ matrix.sanitizer }}
+        upload-build: true

.github/workflows/cflite_pr.yml

@@ -0,0 +1,41 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    paths:
+      - 'src/**'
+  push:
+    branches:
+      - main
+    paths:
+      - 'src/**'
+  workflow_dispatch:
+
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+        - address
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@82652fb49e77bc29c35da1167bb286e93c6bcc05
+      with:
+        language: c
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        sanitizer: ${{ matrix.sanitizer }}
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@82652fb49e77bc29c35da1167bb286e93c6bcc05
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 600
+        mode: 'code-change'
+        sanitizer: ${{ matrix.sanitizer }}
+        output-sarif: true

.github/workflows/check-full.yaml

@@ -0,0 +1,64 @@
+# NOTE: This workflow is overkill for most R packages and
+# check-standard.yaml is likely a better choice.
+# usethis::use_github_action("check-standard") will install it.
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+name: R-CMD-check.yaml
+
+permissions: read-all
+
+jobs:
+  R-CMD-check:
+    runs-on: ${{ matrix.config.os }}
+
+    name: ${{ matrix.config.os }} (${{ matrix.config.r }})
+
+    strategy:
+      fail-fast: false
+      matrix:
+        config:
+          - {os: macos-latest,   r: 'release'}
+
+          - {os: windows-latest, r: 'release'}
+          # use 4.0 or 4.1 to check with rtools40's older compiler
+          - {os: windows-latest, r: 'oldrel-4'}
+
+          - {os: ubuntu-latest,  r: 'devel', http-user-agent: 'release'}
+          - {os: ubuntu-latest,  r: 'release'}
+          - {os: ubuntu-latest,  r: 'oldrel-1'}
+          - {os: ubuntu-latest,  r: 'oldrel-2'}
+          - {os: ubuntu-latest,  r: 'oldrel-3'}
+          - {os: ubuntu-latest,  r: 'oldrel-4'}
+
+          - {os: ubuntu-22.04-arm, r: 'release' }
+
+
+    env:
+      GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
+      R_KEEP_PKG_SOURCE: yes
+
+    steps:
+      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
+
+      - uses: ./setup-pandoc
+
+      - uses: ./setup-r
+        with:
+          r-version: ${{ matrix.config.r }}
+          http-user-agent: ${{ matrix.config.http-user-agent }}
+          use-public-rspm: true
+
+      - uses: gaborcsardi/quarto-actions/setup@fix/linux-arm64
+
+      - uses: ./setup-r-dependencies
+        with:
+          extra-packages: any::rcmdcheck
+          needs: check
+
+      - uses: ./check-r-package
+        with:
+          upload-snapshots: true
+          build_args: 'c("--no-manual","--compact-vignettes=gs+qpdf")'