4040 run-docs : ${{ steps.docs-changes.outputs.run-docs || false }}
4141 run_tests : ${{ steps.check.outputs.run_tests }}
4242 run_hypothesis : ${{ steps.check.outputs.run_hypothesis }}
43+ run_cifuzz : ${{ steps.check.outputs.run_cifuzz }}
4344 config_hash : ${{ steps.config_hash.outputs.hash }}
4445 steps :
4546 - uses : actions/checkout@v4
7677 echo "Run hypothesis tests"
7778 echo "run_hypothesis=true" >> $GITHUB_OUTPUT
7879 fi
80+
81+ # oss-fuzz maintains a configuration for fuzzing the main branch of
82+ # CPython, so CIFuzz should be run only for code that is likely to be
83+ # merged into the main branch; compatibility with older branches may
84+ # be broken.
85+ if [ "$GITHUB_BASE_REF" = "main" ]; then
86+ # The tests are pretty slow so they are executed only for PRs
87+ # changing relevant files.
88+ FUZZ_RELEVANT_FILES='(\.c$|\.h$|\.cpp$|^configure$|^\.github/workflows/build\.yml$|^Modules/_xxtestfuzz)'
89+ git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE $FUZZ_RELEVANT_FILES && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true
90+ fi
7991name : Compute hash for config cache key
8092 id : config_hash
8193 run : |
@@ -534,6 +546,46 @@ jobs:
534546 - name : Tests
535547 run : xvfb-run make test
536548
549+ # CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/
550+ cifuzz :
551+ name : CIFuzz
552+ runs-on : ubuntu-latest
553+ timeout-minutes : 60
554+ needs : check_source
555+ if : needs.check_source.outputs.run_cifuzz == 'true'
556+ permissions :
557+ security-events : write
558+ strategy :
559+ fail-fast : false
560+ matrix :
561+ sanitizer : [address, undefined, memory]
562+ steps :
563+ - name : Build fuzzers (${{ matrix.sanitizer }})
564+ id : build
565+ uses : google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
566+ with :
567+ oss-fuzz-project-name : cpython3
568+ sanitizer : ${{ matrix.sanitizer }}
569+ - name : Run fuzzers (${{ matrix.sanitizer }})
570+ uses : google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
571+ with :
572+ fuzz-seconds : 600
573+ oss-fuzz-project-name : cpython3
574+ output-sarif : true
575+ sanitizer : ${{ matrix.sanitizer }}
576+ - name : Upload crash
577+ uses : actions/upload-artifact@v3
578+ if : failure() && steps.build.outcome == 'success'
579+ with :
580+ name : ${{ matrix.sanitizer }}-artifacts
581+ path : ./out/artifacts
582+ - name : Upload SARIF
583+ if : always() && steps.build.outcome == 'success'
584+ uses : github/codeql-action/upload-sarif@v2
585+ with :
586+ sarif_file : cifuzz-sarif/results.sarif
587+ checkout_path : cifuzz-sarif
588+
537589 all-required-green : # This job does nothing and is only used for the branch protection
538590 name : All required checks pass
539591 if : always()
@@ -550,6 +602,7 @@ jobs:
550602 - build_ubuntu_ssltests
551603 - test_hypothesis
552604 - build_asan
605+ - cifuzz
553606
554607 runs-on : ubuntu-latest
555608
@@ -562,6 +615,7 @@ jobs:
562615 build_ubuntu_ssltests,
563616 build_win32,
564617 build_win_arm64,
618+ cifuzz,
565619 test_hypothesis,
566620allowed-skips : >-
567621 ${{
@@ -585,6 +639,13 @@ jobs:
585639 '
586640 || ''
587641 }}
642+ ${{
643+ !fromJSON(needs.check_source.outputs.run_cifuzz)
644+ && '
645+ cifuzz,
646+ '
647+ || ''
648+ }}
588649 ${{
589650 !fromJSON(needs.check_source.outputs.run_hypothesis)
590651 && '
0 commit comments