name: ClusterFuzzLite PR fuzzing # Short, code-change-scoped fuzzing run on PRs that touch fuzzed code or the # fuzzing setup. Catches regressions and crashes introduced by a change. # Continuous/batch fuzzing can be added later as a separate scheduled workflow. # # Scoped to the modules the harnesses actually exercise rather than all of # `haystack/**`, so the (build-heavy) job doesn't run on every library PR: # - Pipeline.loads -> core/pipeline, core/serialization, marshal # - Document.from_dict -> dataclasses # - document_matches_filter -> utils/filters # Deep, transitively-reached regressions are better caught by a scheduled batch # run; random YAML/JSON essentially never reaches haystack/components. on: pull_request: paths: - "haystack/core/pipeline/**" - "haystack/core/serialization.py" - "haystack/core/errors.py" - "haystack/marshal/**" - "haystack/dataclasses/**" - "haystack/utils/filters.py" - "test/fuzz/**" - ".clusterfuzzlite/**" - ".github/workflows/cflite_pr.yml" permissions: contents: read jobs: pr-fuzzing: runs-on: ubuntu-latest concurrency: group: cflite-pr-${{ github.event.pull_request.number }} cancel-in-progress: true steps: - name: Build Fuzzers id: build uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1 with: language: python sanitizer: address # Needed so build_fuzzers can check out the PR base for `mode: code-change` # diffing in the Run Fuzzers step below. github-token: ${{ secrets.GITHUB_TOKEN }} - name: Run Fuzzers id: run uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1 with: github-token: ${{ secrets.GITHUB_TOKEN }} fuzz-seconds: 120 mode: code-change sanitizer: address # Crashes fail the job and are uploaded as artifacts. SARIF upload is # disabled to keep the token least-privilege (no security-events: write). output-sarif: false