run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
run_tests: ${{ steps.check.outputs.run_tests }}
run_hypothesis: ${{ steps.check.outputs.run_hypothesis }}
+ run_cifuzz: ${{ steps.check.outputs.run_cifuzz }}
config_hash: ${{ steps.config_hash.outputs.hash }}
steps:
- uses: actions/checkout@v4
echo "Run hypothesis tests"
echo "run_hypothesis=true" >> $GITHUB_OUTPUT
fi
+
+ # oss-fuzz maintains a configuration for fuzzing the main branch of
+ # CPython, so CIFuzz should be run only for code that is likely to be
+ # merged into the main branch; compatibility with older branches may
+ # be broken.
+ if [ "$GITHUB_BASE_REF" = "main" ]; then
+ # The tests are pretty slow so they are executed only for PRs
+ # changing relevant files.
+ FUZZ_RELEVANT_FILES='(\.c$|\.h$|\.cpp$|^configure$|^\.github/workflows/build\.yml$|^Modules/_xxtestfuzz)'
+ git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE $FUZZ_RELEVANT_FILES && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true
+ fi
- name: Compute hash for config cache key
id: config_hash
run: |
- name: Tests
run: xvfb-run make test
+ # CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/
+ cifuzz:
+ name: CIFuzz
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+ needs: check_source
+ if: needs.check_source.outputs.run_cifuzz == 'true'
+ permissions:
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ sanitizer: [address, undefined, memory]
+ steps:
+ - name: Build fuzzers (${{ matrix.sanitizer }})
+ id: build
+ uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+ with:
+ oss-fuzz-project-name: cpython3
+ sanitizer: ${{ matrix.sanitizer }}
+ - name: Run fuzzers (${{ matrix.sanitizer }})
+ uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+ with:
+ fuzz-seconds: 600
+ oss-fuzz-project-name: cpython3
+ output-sarif: true
+ sanitizer: ${{ matrix.sanitizer }}
+ - name: Upload crash
+ uses: actions/upload-artifact@v3
+ if: failure() && steps.build.outcome == 'success'
+ with:
+ name: ${{ matrix.sanitizer }}-artifacts
+ path: ./out/artifacts
+ - name: Upload SARIF
+ if: always() && steps.build.outcome == 'success'
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: cifuzz-sarif/results.sarif
+ checkout_path: cifuzz-sarif
+
all-required-green: # This job does nothing and is only used for the branch protection
name: All required checks pass
if: always()
- build_ubuntu_ssltests
- test_hypothesis
- build_asan
+ - cifuzz
runs-on: ubuntu-latest
build_ubuntu_ssltests,
build_win32,
build_win_arm64,
+ cifuzz,
test_hypothesis,
allowed-skips: >-
${{
'
|| ''
}}
+ ${{
+ !fromJSON(needs.check_source.outputs.run_cifuzz)
+ && '
+ cifuzz,
+ '
+ || ''
+ }}
${{
!fromJSON(needs.check_source.outputs.run_hypothesis)
&& '
projects / thirdparty / Python / cpython.git / commitdiff
