diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ffcfbac290b726..277042dfda1903 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -40,6 +40,7 @@ jobs: run-docs: ${{ steps.docs-changes.outputs.run-docs || false }} run_tests: ${{ steps.check.outputs.run_tests }} run_hypothesis: ${{ steps.check.outputs.run_hypothesis }} + run_cifuzz: ${{ steps.check.outputs.run_cifuzz }} config_hash: ${{ steps.config_hash.outputs.hash }} steps: - uses: actions/checkout@v4 @@ -76,6 +77,17 @@ jobs: echo "Run hypothesis tests" echo "run_hypothesis=true" >> $GITHUB_OUTPUT fi + + # oss-fuzz maintains a configuration for fuzzing the main branch of + # CPython, so CIFuzz should be run only for code that is likely to be + # merged into the main branch; compatibility with older branches may + # be broken. + if [ "$GITHUB_BASE_REF" = "main" ]; then + # The tests are pretty slow so they are executed only for PRs + # changing relevant files. + FUZZ_RELEVANT_FILES='(\.c$|\.h$|\.cpp$|^configure$|^\.github/workflows/build\.yml$|^Modules/_xxtestfuzz)' + git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE $FUZZ_RELEVANT_FILES && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true + fi - name: Compute hash for config cache key id: config_hash run: | 
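Review bot: The `grep -qvE $FUZZ_RELEVANT_FILES` test in the added `if [ "$GITHUB_BASE_REF" = "main" ]` block is inverted relative to the comment above it. With `-v`, grep succeeds when at least one changed path does not match the list, so a PR touching only `.c`/`.h` files leaves `run_cifuzz` unset while a docs-only PR sets it. The pattern is an include list, so drop `-v` and quote the expansions: `git diff --name-only "origin/$GITHUB_BASE_REF.." | grep -qE "$FUZZ_RELEVANT_FILES" && echo "run_cifuzz=true" >> "$GITHUB_OUTPUT" || true`. The trailing `|| true` also makes a failing `git diff` look like "no relevant files", which silently skips fuzzing; a short comment saying that is intended would help. The `run:` script this belongs to starts outside the hunk.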
@@ -534,6 +546,46 @@ jobs: - name: Tests run: xvfb-run make test + # CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/ + cifuzz: + name: CIFuzz + runs-on: ubuntu-latest + timeout-minutes: 60 + needs: check_source + if: needs.check_source.outputs.run_cifuzz == 'true' + permissions: + security-events: write + strategy: + fail-fast: false + matrix: + sanitizer: [address, undefined, memory] + steps: + - name: Build fuzzers (${{ matrix.sanitizer }}) + id: build + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + with: + oss-fuzz-project-name: cpython3 + sanitizer: ${{ matrix.sanitizer }} + - name: Run fuzzers (${{ matrix.sanitizer }}) + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + with: + fuzz-seconds: 600 + oss-fuzz-project-name: cpython3 + output-sarif: true + sanitizer: ${{ matrix.sanitizer }} + - name: Upload crash + uses: actions/upload-artifact@v3 + if: failure() && steps.build.outcome == 'success' + with: + name: ${{ matrix.sanitizer }}-artifacts + path: ./out/artifacts + - name: Upload SARIF + if: always() && steps.build.outcome == 'success' + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: cifuzz-sarif/results.sarif + checkout_path: cifuzz-sarif + all-required-green: # This job does nothing and is only used for the branch protection name: All required checks pass if: always() @@ -550,6 +602,7 @@ jobs: - build_ubuntu_ssltests - test_hypothesis - build_asan + - cifuzz runs-on: ubuntu-latest @@ -562,6 +615,7 @@ jobs: build_ubuntu_ssltests, build_win32, build_win_arm64, + cifuzz, test_hypothesis, allowed-skips: >- ${{ @@ -585,6 +639,13 @@ jobs: ' || '' }} + ${{ + !fromJSON(needs.check_source.outputs.run_cifuzz) + && ' + cifuzz, + ' + || '' + }} ${{ !fromJSON(needs.check_source.outputs.run_hypothesis) && ' 
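Review bot: Both CIFuzz steps in the new `cifuzz` job reference `google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master` and `.../run_fuzzers@master`, a mutable branch ref, in a job that is granted `security-events: write`. Whatever lands on that branch runs in this workflow on the next PR without review here. Pin both to a full commit SHA, e.g. `uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@<full-commit-sha>  # master as of <date>`, and update the pin deliberately. The `actions/upload-artifact@v3` and `github/codeql-action/upload-sarif@v2` tags are movable too, though they follow the convention the rest of the visible file uses (`actions/checkout@v4`).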
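Review bot: The added `allowed-skips` entry calls `!fromJSON(needs.check_source.outputs.run_cifuzz)`, but the check step in this commit only ever writes `run_cifuzz=true`. When the base branch is not `main` or no relevant file changed, the output is presumably an empty string, which `fromJSON` may fail to parse, unless a default is written in a part of the step outside these hunks. The job's own condition (`== 'true'`) tolerates an empty value, so the two checks disagree. Writing the negative case explicitly in the check step (`echo "run_cifuzz=false" >> "$GITHUB_OUTPUT"`) would give both a well-defined value, so that `all-required-green` does not error or misreport a skipped fuzz job.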
diff --git a/Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst b/Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst new file mode 100644 index 00000000000000..49ec5465b7bcc6 --- /dev/null +++ b/Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst @@ -0,0 +1,2 @@ +Set up CIFuzz to run fuzz targets in GitHub Actions. Patch by Illia +Volochii. diff --git a/Modules/_xxtestfuzz/README.rst b/Modules/_xxtestfuzz/README.rst index 42bd02a03cbedd..b951858458c82f 100644 --- a/Modules/_xxtestfuzz/README.rst +++ b/Modules/_xxtestfuzz/README.rst @@ -13,6 +13,9 @@ oss-fuzz will regularly pull from CPython, discover all the tests in automatically be run in oss-fuzz, while also being smoke-tested as part of CPython's test suite. +In addition, the tests are run on GitHub Actions using CIFuzz for PRs to the +main branch changing relevant files. + Adding a new fuzz test ---------------------- pFad - Phonifier reborn
