gh-143572: Run 'python3-libraries' fuzzer in CI using CIFuzz #143749
Misc/NEWS.d/next/Tools-Demos/2026-01-12-13-37-14.gh-issue-143572.WKV_Jk.rst
@hugovk
hugovk
left a comment
I think we could also rename most of the "library"/"libraries"/"LIBRARY" to "stdlib"/"STDLIB" and it'd be clearer this is running on the standard library and not any third-party library code.
sethmlarson
commented
Jan 12, 2026
I think we could also rename most of the "library"/"libraries"/"LIBRARY" to "stdlib"/"STDLIB" and it'd be clearer this is running on the standard library and not any third-party library code.
I agree with this, we can change most of our uses to "stdlib" within this PR except for oss-fuzz-project-name. I can handle that in a separate PR since we'll have to wait for OSS-Fuzz maintainers to rename the project.
sethmlarson
commented
Jan 12, 2026
Thanks @StanFromIreland and @hugovk for the reviews! I've moved to a reusable workflows approach. I'll try pushing a commit modifying one of the libraries to check that the workflow fires correctly.
I'm 99% sure this is required in the calling jobs in build.yml too. But maybe there's an exception for in-tree workflows. I haven't tested this in a while, though.
If jobs.<job_id>.permissions is not specified in the calling job, the called workflow will have the default permissions for the GITHUB_TOKEN.
GITHUB_TOKEN permissions can only be the same or more restrictive in nested workflows. For example, in the workflow chain A > B > C, if workflow A has package: read token permission, then B and C cannot have package: write permission.
I think, the above implies that the calling workflow should at least allow the minimum privileges needed here.
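The permission rule quoted above, as an added illustrative example (not the PR's own diff): the calling job in build.yml must grant at least what the reusable workflow requests, because a nested workflow can never be more permissive than its caller. The file names are the ones on this page; the file contents are assumed.

```yaml
# Called workflow: .github/workflows/reusable-cifuzz.yml (assumed shape).
# It declares what it needs; uploading fuzzer results to code scanning is
# what makes 'security-events: write' necessary.
on:
  workflow_call:

permissions:
  contents: read
  security-events: write

jobs:
  cifuzz:
    runs-on: ubuntu-latest
    steps:
      - run: echo "CIFuzz steps go here"   # placeholder, not the real job body
---
# Caller: .github/workflows/build.yml, rejected form.
# No job-level 'permissions', so the job inherits the workflow's default
# GITHUB_TOKEN permissions, and validation fails with:
#   The workflow is requesting 'security-events: write',
#   but is only allowed 'security-events: none'.
jobs:
  cifuzz:
    uses: ./.github/workflows/reusable-cifuzz.yml
---
# Caller: .github/workflows/build.yml, corrected form.
# The calling job grants exactly the scopes the called workflow asks for,
# and nothing broader, so the rest of build.yml keeps its restrictive default.
jobs:
  cifuzz:
    permissions:
      contents: read
      security-events: write
    uses: ./.github/workflows/reusable-cifuzz.yml
```

The three YAML documents are separated with `---` only so they can sit in one block; in the repository they are two files, and the second and third documents are alternative contents of the same caller job.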
.github/workflows/build.yml
(https://github.com/python/cpython/pull/143749/files#r2686916751)
Can we try https://github.com/python/cpython/pull/143749/files#r2687006554 first, though?
Yes, looks like it is needed in the calling jobs in build.yml, because the CI didn't start:
The workflow is not valid. .github/workflows/build.yml (Line: 639, Col: 3): Error calling workflow 'python/cpython/.github/workflows/reusable-cifuzz.yml@98b701b'. The workflow is requesting 'security-events: write', but is only allowed 'security-events: none'.
https://github.com/python/cpython/actions/runs/20936855037?pr=143749
Maybe we try this smaller change to validate the permissions, before refactoring the matrix?
I'm attempting the large matrix approach here: 3958c5d
.github/workflows/build.yml
Though, it's probably nicer to try collapsing these into a single matrix:
(an untested idea borrowed from
cpython/.github/workflows/build.yml
Lines 212 to 223 in 03f8d3b
hugovk
commented
Jan 13, 2026
(I resolved the conflict)
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <578543+webknjaz@users.noreply.github.com>
sethmlarson
commented
Jan 13, 2026
@webknjaz I'm not sure why actionlint is refusing the contains([...], 'true') syntax used, checking on the allowed function definitions it seemed like this would be allowed?
Created a list of files and directories that should trigger a re-run of the python3-libraries fuzzers. Now that the Python repository is the home for this fuzzer it should be easier for Python core developers to fix issues with the fuzzer in case there are issues.