gh-143572: Run 'python3-libraries' fuzzer in CI using CIFuzz #143749
Conversation
sethmlarson
requested review from
AA-Turner,
ezio-melotti and
hugovk
as code owners
Misc/NEWS.d/next/Tools-Demos/2026-01-12-13-37-14.gh-issue-143572.WKV_Jk.rst
Outdated
Show resolved
Hide resolved
hugovk
left a comment
hugovk
left a comment
There was a problem hiding this comment.
I think we could also rename most of the "library"/"libraries"/"LIBRARY" to "stdlib"/"STDLIB" and it'd be clearer this is running on the standard library and not any third-party library code.
I agree with this, we can change most of our uses to "stdlib" within this PR except for |
|
Thanks @StanFromIreland and @hugovk for the reviews! I've moved to a reusable workflows approach. I'll try pushing a commit modifying one of the libraries to check that the workflow fires correctly. |
| permissions: | ||
| contents: read | ||
| security-events: write |
There was a problem hiding this comment.
I'm 99% sure this is required in the calling jobs in build.yml too. But maybe there's an exception for in-tree workflows. I haven't tested this in a while, though.
If
jobs.<job_id>.permissionsis not specified in the calling job, the called workflow will have the default permissions for theGITHUB_TOKEN.
GITHUB_TOKENpermissions can only be the same or more restrictive in nested workflows. For example, in the workflow chain A > B > C, if workflow A has package: read token permission, then B and C cannot havepackage: writepermission.
I think, the above implies that the calling workflow should at least allow the minimum privileges needed here.
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| sanitizer: [address, undefined, memory] |
There was a problem hiding this comment.
Could pass this through inputs instead of having a matrix here? The idea of reusable-*.yml modules was that the matrices are kept on the top layer (build.yml) where the context is, while the steps are in single-job matrix-less reusable workflows.
There was a problem hiding this comment.
The calling side for this would be #143749 (comment)
| cifuzz: | ||
| name: CIFuzz | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 60 |
There was a problem hiding this comment.
I recommend having timeout-minutes in the inputs too. This allows having all the numbers surfaced in build.yml.
| value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }} # bool | ||
| run-ci-fuzz-stdlib: | ||
| description: Whether to run the CIFuzz job for 'python3-libraries' fuzzer | ||
| value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }} # bool |
There was a problem hiding this comment.
@sethmlarson did you mark @StanFromIreland's suggestion as resolved by accident?
| value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }} # bool | |
| value: ${{ jobs.compute-changes.outputs.run-ci-fuzz-stdlib }} # bool |
EDIT: corrected the referenced output name in my suggestion too
There was a problem hiding this comment.
Ah, I thought I had fixed that instance but I guess not? Thanks for catching this.
| uses: ./.github/workflows/reusable-cifuzz.yml | ||
| with: | ||
| oss-fuzz-project-name: cpython3 | ||
| cifuzz-stdlib: | ||
| needs: build-context | ||
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' |
There was a problem hiding this comment.
| uses: ./.github/workflows/reusable-cifuzz.yml | |
| with: | |
| oss-fuzz-project-name: cpython3 | |
| cifuzz-stdlib: | |
| needs: build-context | |
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| permissions: | |
| security-events: write | |
| uses: ./.github/workflows/reusable-cifuzz.yml | |
| with: | |
| oss-fuzz-project-name: cpython3 | |
| cifuzz-stdlib: | |
| needs: build-context | |
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| permissions: | |
| security-events: write |
(https://github.com/python/cpython/pull/143749/files#r2686916751)
There was a problem hiding this comment.
Can we try https://github.com/python/cpython/pull/143749/files#r2687006554 first, though?
There was a problem hiding this comment.
Yes, looks like it is needed the calling jobs in build.yml, because the CI didn't start:
The workflow is not valid. .github/workflows/build.yml (Line: 639, Col: 3): Error calling workflow 'python/cpython/.github/workflows/reusable-cifuzz.yml@98b701b'. The workflow is requesting 'security-events: write', but is only allowed 'security-events: none'.
https://github.com/python/cpython/actions/runs/20936855037?pr=143749
Maybe we try this smaller change to validate the permissions, before refactoring the matrix?
| uses: ./.github/workflows/reusable-cifuzz.yml | ||
| with: | ||
| oss-fuzz-project-name: cpython3 | ||
| cifuzz-stdlib: | ||
| needs: build-context | ||
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | ||
| uses: ./.github/workflows/reusable-cifuzz.yml | ||
| with: | ||
| oss-fuzz-project-name: python3-libraries |
There was a problem hiding this comment.
Though, it's probably nicer to try collapsing these into a single matrix:
| uses: ./.github/workflows/reusable-cifuzz.yml | |
| with: | |
| oss-fuzz-project-name: cpython3 | |
| cifuzz-stdlib: | |
| needs: build-context | |
| if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| uses: ./.github/workflows/reusable-cifuzz.yml | |
| with: | |
| oss-fuzz-project-name: python3-libraries | |
| if: >- | |
| contains( | |
| [ | |
| needs.build-context.outputs.run-ci-fuzz, | |
| needs.build-context.outputs.run-ci-fuzz-stdlib | |
| ], | |
| 'true' | |
| ) | |
| permissions: | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| sanitizer: | |
| - address | |
| - undefined | |
| - memory | |
| oss-fuzz-project-name: | |
| - cpython3 | |
| - python3-libraries | |
| exclude: | |
| - oss-fuzz-project-name: >- | |
| ${{ | |
| needs.build-context.outputs.run-ci-fuzz == 'true' | |
| && 'dummy sentinel 🤪' | |
| || 'cpython3' | |
| }} | |
| - oss-fuzz-project-name: >- | |
| ${{ | |
| needs.build-context.outputs.run-ci-fuzz-stdlib == 'true' | |
| && 'dummy sentinel 🤪' | |
| || 'python3-libraries' | |
| }} | |
| uses: ./.github/workflows/reusable-cifuzz.yml | |
| with: | |
| oss-fuzz-project-name: ${{ matrix.oss-fuzz-project-name }} | |
| sanitizer: ${{ matrix.sanitizer }} | |
| timeout-minutes: 60 |
(an untested idea borrowed from
cpython/.github/workflows/build.yml
Lines 212 to 223 in 03f8d3b
|
(I resolved the conflict) |
5 participants
Created a list of files and directories that should trigger a re-run of the
python3-librariesfuzzers. Now that the Python repository is the home for this fuzzer it should be easier for Python core developers to fix issues with the fuzzer in case there are issues.