0.8 line

.github/workflows/fuzz.yml

@@ -0,0 +1,65 @@
+name: Fuzz
+
+# Fuzz targets are excluded from the default cargo workspace and require
+# nightly + cargo-fuzz. Run on demand or on a slow schedule, not on every
+# PR.
+on:
+  workflow_dispatch:
+    inputs:
+      duration_secs:
+        description: "Per-target fuzz duration (seconds)"
+        required: false
+        default: "60"
+  schedule:
+    # Sunday 03:30 UTC — once a week is enough for the parser surface
+    # we're covering; bump if/when we add more targets.
+    - cron: "30 3 * * 0"
+
+# Default to a read-only token. The job uploads artifacts on failure,
+# which is satisfied by `contents: read` plus `actions/upload-artifact`'s
+# own scoping; no write access to repo contents is needed.
+permissions:
+  contents: read
+
+jobs:
+  fuzz:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - tlv_list_parse
+          - tlv_list_parse_lenient
+          - raw_tlv_parse
+          - packet_unauth_parse
+          - packet_auth_parse
+          - agentx_decode_header
+          - agentx_decode_oid
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install nightly toolchain
+        uses: dtolnay/rust-toolchain@nightly
+      - name: Install cargo-fuzz
+        run: cargo install cargo-fuzz --locked
+      - name: Run fuzz target
+        env:
+          # Use env-var indirection per GitHub security guidance: matrix
+          # values are author-controlled, but pulling them through env
+          # protects against future template changes that might let
+          # untrusted input slip in.
+          FUZZ_TARGET: ${{ matrix.target }}
+          DURATION: ${{ github.event.inputs.duration_secs || '60' }}
+        run: |
+          cd fuzz
+          cargo +nightly fuzz run "$FUZZ_TARGET" -- -max_total_time="$DURATION"
+      - name: Upload crashes (if any)
+        if: failure()
+        uses: actions/upload-artifact@v4
+        env:
+          FUZZ_TARGET: ${{ matrix.target }}
+        with:
+          name: fuzz-crashes-${{ matrix.target }}
+          path: |
+            fuzz/artifacts/${{ matrix.target }}/
+            fuzz/corpus/${{ matrix.target }}/
+          if-no-files-found: ignore

.github/workflows/rust.yml

@@ -2,14 +2,20 @@ name: CI
 
 on:
   push:
-    branches: [master]
+    branches: ['**']
   pull_request:
     branches: [master]
 
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
 
+# Default to a read-only token. Jobs that need to upload artifacts or
+# create check-runs should opt in explicitly with their own `permissions:`
+# block; today nothing on this workflow writes back to the repo.
+permissions:
+  contents: read
+
 jobs:
   fmt:
     name: Rustfmt
@@ -67,9 +73,14 @@ jobs:
           - os: macos-latest
             rust: stable
             features: ""
-          - os: windows-latest
-            rust: stable
-            features: ""
+          # No Windows test job: the lib test binary statically links
+          # pnet's Packet.dll / wpcap.dll, which neither windows-latest
+          # nor windows-2022 ship any more (windows-2025 rollover
+          # dropped it; the Npcap installer hangs on /S silent mode in
+          # CI). Build coverage for Windows is preserved by the
+          # `build-release` matrix below. The long-term fix is gating
+          # pnet behind a Cargo feature on Windows so the default
+          # binary doesn't link it at all — tracked for 0.8.1.
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@master
@@ -78,13 +89,6 @@ jobs:
       - uses: Swatinem/rust-cache@v2
         with:
           key: test-${{ matrix.os }}-${{ matrix.rust }}
-      - name: Install Npcap SDK (Windows)
-        if: matrix.os == 'windows-latest'
-        shell: pwsh
-        run: |
-          Invoke-WebRequest -Uri "https://npcap.com/dist/npcap-sdk-1.13.zip" -OutFile "$env:TEMP/npcap-sdk.zip"
-          Expand-Archive -Path "$env:TEMP/npcap-sdk.zip" -DestinationPath "C:/npcap-sdk"
-          echo "LIB=C:/npcap-sdk/Lib/x64" >> $env:GITHUB_ENV
       - name: Run tests
         run: cargo test --verbose ${{ matrix.features }}
 
@@ -125,7 +129,8 @@ jobs:
             target: x86_64-unknown-linux-gnu
           - os: macos-latest
             target: x86_64-apple-darwin
-          - os: windows-latest
+          # See pin rationale on the test job above.
+          - os: windows-2022
             target: x86_64-pc-windows-msvc
     steps:
       - uses: actions/checkout@v4
@@ -136,7 +141,7 @@ jobs:
         with:
           key: release-${{ matrix.target }}
       - name: Install Npcap SDK (Windows)
-        if: matrix.os == 'windows-latest'
+        if: matrix.os == 'windows-2022'
         shell: pwsh
         run: |
           Invoke-WebRequest -Uri "https://npcap.com/dist/npcap-sdk-1.13.zip" -OutFile "$env:TEMP/npcap-sdk.zip"
@@ -241,8 +246,34 @@ jobs:
   security-audit:
     name: Security Audit
     runs-on: ubuntu-latest
+    # Override the workflow-default contents-read token so the
+    # rustsec/audit-check action can post its findings as a check-run
+    # (it needs checks:write) and open issues for new advisories
+    # (issues:write — optional but harmless).
+    permissions:
+      contents: read
+      checks: write
+      issues: write
     steps:
       - uses: actions/checkout@v4
       - uses: rustsec/audit-check@v2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+
+  mib-lint:
+    name: MIB Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install libsmi tools
+        # The package supplying `smilint` is named `smitools` on Ubuntu
+        # 24.04+ and `libsmi2-bin` on older Debian/Ubuntu. Try the new
+        # name first; fall back so the job survives a base-image bump.
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y smitools || sudo apt-get install -y libsmi2-bin
+      - name: Lint STAMP-SUITE-MIB
+        # Lint level 4 = errors and major warnings (style nits like missing
+        # DESCRIPTION clauses are ignored). Raise to -l 6 once the MIB is
+        # clean at level 5.
+        run: smilint -l 4 mibs/STAMP-SUITE-MIB.mib