name: CIFuzz
on:
  pull_request:
    branches: '**'
    paths:
      - '**.c'
      - '**.cc'
      - '**.cpp'
      - '**.cxx'
      - '**.h'
      - 'testdata/**'
      - '.github/workflows/**'
  push:
    branches:
      - main
      - 'maint/maint*'
    paths:
      - '**.c'
      - '**.cc'
      - '**.cpp'
      - '**.cxx'
      - '**.h'
      - 'testdata/**'
      - '.github/workflows/**'
  workflow_dispatch:
permissions: {}
jobs:
  Fuzzing:
    runs-on: ubuntu-22.04  # Updated in BRS
    permissions:
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        sanitizer: [address, undefined]
    steps:
    - name: Build Fuzzers
      id: build
      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
      with:
        oss-fuzz-project-name: 'icu'
        sanitizer: ${{ matrix.sanitizer }}
    - name: Run Fuzzers
      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
      with:
        oss-fuzz-project-name: 'icu'
        fuzz-seconds: 600
        output-sarif: true
        sanitizer: ${{ matrix.sanitizer }}
    - name: Upload Crash
      uses: actions/upload-artifact@v4
      if: failure() && steps.build.outcome == 'success'
      with:
        name: ${{ matrix.sanitizer }}-artifacts
        path: ./out/artifacts   
    - name: Upload Sarif
      if: always() && steps.build.outcome == 'success'
      uses: github/codeql-action/upload-sarif@v3.28.10
      with:
        # Path to SARIF file relative to the root of the repository
        sarif_file: cifuzz-sarif/results.sarif
        checkout_path: cifuzz-sarif