Merge pull request #26 from stader-labs/develop

Bnbx fusion migration

.clusterfuzzlite/Dockerfile

@@ -0,0 +1,14 @@
+FROM ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest AS LITE_BUILDER
+
+# Base image with clang toolchain
+FROM gcr.io/oss-fuzz-base/base-builder:v1
+
+# Copy the project's source code.
+COPY . $SRC/app-plugin-staderlabs
+COPY --from=LITE_BUILDER /opt/nanox-secure-sdk $SRC/app-plugin-staderlabs/BOLOS_SDK
+
+# Working directory for build.sh
+WORKDIR $SRC/app-plugin-staderlabs
+
+# Copy build.sh into $SRC dir.
+COPY ./.clusterfuzzlite/build.sh $SRC/

.clusterfuzzlite/build.sh

@@ -0,0 +1,9 @@
+#!/bin/bash -eu
+
+# build fuzzers
+
+pushd fuzzing
+cmake -DBOLOS_SDK=../BOLOS_SDK -Bbuild -H.
+make -C build
+mv ./build/fuzz "${OUT}"
+popd

.clusterfuzzlite/project.yaml

@@ -0,0 +1 @@
+language: c

.github/PULL_REQUEST_TEMPLATE.md

@@ -4,5 +4,5 @@
 - [ ] Target branch is `develop` <!-- unless you have a very good reason -->
 - [ ] Application version has been bumped <!-- required if your changes are to be deployed -->
 
-<!-- Make sure you followed the process described in https://developers.ledger.com/docs/embedded-app/maintenance/ before opening your Pull Request.
+<!-- Make sure you followed the process described in https://developers.ledger.com/docs/device-app/deliver/maintenance before opening your Pull Request.
 Don't hesitate to contact us directly on Discord if you have any questions ! https://developers.ledger.com/discord -->

.github/workflows/build_and_functional_tests.yml

@@ -0,0 +1,46 @@
+name: Build and run functional tests using ragger through reusable workflow
+
+# This workflow will build the app and then run functional tests using the Ragger framework upon Speculos emulation.
+# It calls a reusable workflow developed by Ledger's internal developer team to build the application and upload the
+# resulting binaries.
+# It then calls another reusable workflow to run the Ragger tests on the compiled application binary.
+#
+# While this workflow is optional, having functional testing on your application is mandatory and this workflow and
+# tooling environment is meant to be easy to use and adapt after forking your application
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+      - main
+      - develop
+  pull_request:
+
+jobs:
+  build_plugin:
+    name: Build plugin using the reusable workflow
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1
+    with:
+      upload_app_binaries_artifact: plugin_binaries
+      flags: "DEBUG=1"
+
+  build_develop_ethereum_app:
+    name: Build Ethereum app using the reusable workflow
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1
+    with:
+      app_repository: LedgerHQ/app-ethereum
+      app_branch_name: develop
+      flags: "DEBUG=1 CAL_TEST_KEY=1"
+      upload_app_binaries_artifact: ethereum_build_develop
+
+  ragger_tests_with_ethereum_develop:
+    name: Run ragger tests using the reusable workflow
+    needs:
+      - build_plugin
+      - build_develop_ethereum_app
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_ragger_tests.yml@v1
+    with:
+      download_app_binaries_artifact: plugin_binaries
+      additional_app_binaries_artifact: ethereum_build_develop
+      additional_app_binaries_artifact_dir: ./tests/.test_dependencies/ethereum/build

.github/workflows/cflite_cron.yml

@@ -0,0 +1,41 @@
+name: ClusterFuzzLite cron tasks
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main  # Use your actual default branch here.
+  schedule:
+    - cron: '0 13 * * 6'  # At 01:00 PM, only on Saturday
+permissions: read-all
+jobs:
+  Fuzzing:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - mode: batch
+            sanitizer: address
+          - mode: batch
+            sanitizer: memory
+          - mode: prune
+            sanitizer: address
+          - mode: coverage
+            sanitizer: coverage
+    steps:
+    - name: Build Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        language: c # Change this to the language you are fuzzing.
+        sanitizer: ${{ matrix.sanitizer }}
+    - name: Run Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 300 # 5 minutes
+        mode: ${{ matrix.mode }}
+        sanitizer: ${{ matrix.sanitizer }}
+

.github/workflows/cflite_pr.yml

@@ -0,0 +1,43 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+  pull_request:
+    paths:
+      - '**'
+permissions: read-all
+jobs:
+  PR:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined, memory] # Override this with the sanitizers you want.
+    steps:
+    - name: Build Fuzzers (${{ matrix.sanitizer }})
+      id: build
+      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+      with:
+        language: c # Change this to the language you are fuzzing.
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        sanitizer: ${{ matrix.sanitizer }}
+        # Optional but recommended: used to only run fuzzers that are affected
+        # by the PR.
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+    - name: Run Fuzzers (${{ matrix.sanitizer }})
+      id: run
+      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        fuzz-seconds: 300 # 5 minutes
+        mode: 'code-change'
+        sanitizer: ${{ matrix.sanitizer }}
+        output-sarif: true
+        # Optional but recommended: used to download the corpus produced by
+        # batch fuzzing.
+        # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+        # storage-repo-branch: main   # Optional. Defaults to "main"
+        # storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".

.github/workflows/check_sdk.yml

@@ -1,40 +1,16 @@
+---
 name: Check SDK submodule version
 
 on:
   workflow_dispatch:
   push:
     branches:
       - master
+      - main
       - develop
   pull_request:
 
 jobs:
   job_check_SDK:
     name: Check Ethereum plugin SDK submodule is up-to-date
-    runs-on: ubuntu-latest
-    steps:
-      - name: Clone plugin
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      - name: Clone SDK
-        uses: actions/checkout@v3
-        with:
-          repository: LedgerHQ/ethereum-plugin-sdk
-          path: plugin-sdk
-          ref: ${{ github.base_ref || github.ref_name }}
-      - name: Comparing the SDK hash values
-        run: |
-          git config --global --add safe.directory "$GITHUB_WORKSPACE"
-          REPO_SDK_HASH=$(git submodule status | grep sdk | cut -d ' ' -f2)
-          echo "SDK submodule hash: ${REPO_SDK_HASH} (checked out from '${{ github.base_ref || github.ref_name }}')"
-          CURRENT_SDK_HASH=$(cd ./plugin-sdk/ && git rev-parse HEAD)
-          echo "SDK submodule hash: ${CURRENT_SDK_HASH}"
-          if [ ${REPO_SDK_HASH} = ${CURRENT_SDK_HASH} ]
-          then
-              echo "SDK versions match!"
-              exit 0
-          else
-              echo "SDK versions mismatch!"
-              exit 1
-          fi
+    uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_check_ethereum_sdk.yml@v1