gh-143572: Run 'python3-libraries' fuzzer in CI using CIFuzz #143749
Misc/NEWS.d/next/Tools-Demos/2026-01-12-13-37-14.gh-issue-143572.WKV_Jk.rst
hugovk
left a comment
I think we could also rename most of the "library"/"libraries"/"LIBRARY" to "stdlib"/"STDLIB" and it'd be clearer this is running on the standard library and not any third-party library code.
I agree with this, we can change most of our uses to "stdlib" within this PR except for |
Thanks @StanFromIreland and @hugovk for the reviews! I've moved to a reusable workflows approach. I'll try pushing a commit modifying one of the libraries to check that the workflow fires correctly.
.github/workflows/build.yml
| uses: ./.github/workflows/reusable-cifuzz.yml | ||
| with: | ||
| oss-fuzz-project-name: cpython3 | ||
| cifuzz-stdlib: | ||
| needs: build-context | ||
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' |
| uses: ./.github/workflows/reusable-cifuzz.yml | |
| with: | |
| oss-fuzz-project-name: cpython3 | |
| cifuzz-stdlib: | |
| needs: build-context | |
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| permissions: | |
| security-events: write | |
| uses: ./.github/workflows/reusable-cifuzz.yml | |
| with: | |
| oss-fuzz-project-name: cpython3 | |
| cifuzz-stdlib: | |
| needs: build-context | |
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| permissions: | |
| security-events: write |
(https://github.com/python/cpython/pull/143749/files#r2686916751)
Can we try https://github.com/python/cpython/pull/143749/files#r2687006554 first, though?
Yes, looks like it is needed in the calling jobs in build.yml, because the CI didn't start:
The workflow is not valid. .github/workflows/build.yml (Line: 639, Col: 3): Error calling workflow 'python/cpython/.github/workflows/reusable-cifuzz.yml@98b701b'. The workflow is requesting 'security-events: write', but is only allowed 'security-events: none'.
https://github.com/python/cpython/actions/runs/20936855037?pr=143749
Maybe we try this smaller change to validate the permissions, before refactoring the matrix?
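The permission rule behind the error quoted above, as an added example that is not part of the PR or of CPython's workflows: a called reusable workflow cannot request more `GITHUB_TOKEN` access than the calling job grants, and any scope the caller's `permissions:` block omits counts as `none`. The workflow-level `contents: read` block and the called job name `cifuzz` are assumptions, the sample data is constructed, and only the mapping form of `permissions:` is modelled.

```python
# Added example (not from the PR). Models how GitHub Actions validates a call
# to a reusable workflow: the called jobs may not request more GITHUB_TOKEN
# access than the calling job grants.
LEVELS = {"none": 0, "read": 1, "write": 2}


def granted_permissions(workflow_perms, job_perms):
    """Permissions the calling job grants.

    A job-level block replaces the workflow-level one, and every scope not
    listed in the block that applies is 'none'. Returns None when neither
    level sets permissions (the repository default then applies, which the
    YAML alone does not reveal).
    """
    block = job_perms if job_perms is not None else workflow_perms
    return None if block is None else dict(block)


def check_call(workflow_perms, caller_job_perms, called_jobs):
    """Return (called_job, scope, requested, allowed) for each violation."""
    granted = granted_permissions(workflow_perms, caller_job_perms)
    if granted is None:
        return []  # cannot be decided statically
    violations = []
    for job, requested in called_jobs.items():
        for scope, level in (requested or {}).items():
            allowed = granted.get(scope, "none")
            if LEVELS[level] > LEVELS[allowed]:
                violations.append((job, scope, level, allowed))
    return violations


# Constructed sample data. ASSUMPTION: the caller sets a workflow-level
# `contents: read`; the called job name `cifuzz` is hypothetical.
CALLER_WORKFLOW = {"contents": "read"}
CALLED_JOBS = {"cifuzz": {"security-events": "write"}}

if __name__ == "__main__":
    for perms in (None, {"security-events": "write"}):
        print(perms, "->", check_call(CALLER_WORKFLOW, perms, CALLED_JOBS))
```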
I'm attempting the large matrix approach here: 3958c5d
It seems to have mostly worked? I don't understand why the matrix values are empty, though.
I'll take a look but will likely have more clarity tomorrow.
(I resolved the conflict)
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]>
@webknjaz I'm not sure why actionlint is refusing the |
With the latest commit we got a run, but the values of |
Not sure. Might be a bug in actionlint. Or maybe I misunderstood that this'd work from the docs 🤷‍♂️
Sounds like maybe I messed up the suggested conditionals or something. I'll double-check the current diff.
| ( | ||
| needs.build-context.outputs.run-ci-fuzz == 'true' | ||
| || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | ||
| ) |
The parens are redundant here:
| ( | |
| needs.build-context.outputs.run-ci-fuzz == 'true' | |
| || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| ) | |
| needs.build-context.outputs.run-ci-fuzz == 'true' | |
| || needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' |
| # CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/ | ||
| cifuzz: | ||
| name: CIFuzz |
This would need the same treatment as other matrices.
| name: CIFuzz | |
| # ${{ '' } is a hack to nest jobs under the same sidebar category. | |
| name: CIFuzz${{ '' }} # zizmor: ignore[obfuscation] |
| && '' | ||
| || 'cpython3' | ||
| }} | ||
| - oss-fuzz-project-name: >- | ||
| ${{ | ||
| needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | ||
| && '' |
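Review bot: the `&& ''` branch in these `oss-fuzz-project-name` entries can never be selected, because an empty string is falsy in GitHub Actions expressions. In the first entry, `&& '' || 'cpython3'` therefore evaluates to `'cpython3'` whatever the condition in front of it is, and in the second entry `needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' && ''` is always falsy, so whatever follows its `||` is always returned. The `a && b || c` idiom only behaves as a ternary when `b` is truthy; use a non-empty placeholder that matches no real project name, or invert the condition so that the project name sits in the `&&` position.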
The only thing I can think of is that maybe empty strings mess up exclusions in GHA (is it possible they exclude all the matrix factors?). Let's try my initial suggestion first and go from there...
| && '' | |
| || 'cpython3' | |
| }} | |
| - oss-fuzz-project-name: >- | |
| ${{ | |
| needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| && '' | |
| && 'dummy sentinel 🤪' | |
| || 'cpython3' | |
| }} | |
| - oss-fuzz-project-name: >- | |
| ${{ | |
| needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| && 'dummy sentinel 🤪' |
Another difference is that the original trick uses interpolation in the main matrix definition and here we use it in exclusions.
@sethmlarson I'm logging off now but meanwhile, could you restart the entire workflow ticking that debug checkbox in the rerun modal? I don't have privileges to do this myself yet.
Created a list of files and directories that should trigger a re-run of the `python3-libraries` fuzzers. Now that the Python repository is the home for this fuzzer it should be easier for Python core developers to fix issues with the fuzzer in case there are issues.