c56bef871b
Sync docs with Docusaurus / sync (push) Waiting to run
Tests / Check if changed (push) Waiting to run
Tests / format (push) Blocked by required conditions
Tests / check-imports (push) Blocked by required conditions
Tests / Unit / macos-latest (push) Blocked by required conditions
Tests / Unit / ubuntu-latest (push) Blocked by required conditions
Tests / Unit / windows-latest (push) Blocked by required conditions
Tests / mypy (push) Blocked by required conditions
Tests / Integration / ubuntu-latest (push) Blocked by required conditions
Tests / Integration / macos-latest (push) Blocked by required conditions
Tests / Integration / windows-latest (push) Blocked by required conditions
Tests / notify-slack-on-failure (push) Blocked by required conditions
Tests / Mark tests as completed (push) Blocked by required conditions
Update Platform Components Table / update (push) Waiting to run
CodeQL / Analyze (python) (push) Waiting to run
Docker image release / Build base image (push) Waiting to run
58 lines
2.1 KiB
YAML
58 lines
2.1 KiB
YAML
name: ClusterFuzzLite PR fuzzing
|
|
|
|
# Short, code-change-scoped fuzzing run on PRs that touch fuzzed code or the
|
|
# fuzzing setup. Catches regressions and crashes introduced by a change.
|
|
# Continuous/batch fuzzing can be added later as a separate scheduled workflow.
|
|
#
|
|
# Scoped to the modules the harnesses actually exercise rather than all of
|
|
# `haystack/**`, so the (build-heavy) job doesn't run on every library PR:
|
|
# - Pipeline.loads -> core/pipeline, core/serialization, marshal
|
|
# - Document.from_dict -> dataclasses
|
|
# - document_matches_filter -> utils/filters
|
|
# Deep, transitively-reached regressions are better caught by a scheduled batch
|
|
# run; random YAML/JSON essentially never reaches haystack/components.
|
|
on:
|
|
pull_request:
|
|
paths:
|
|
- "haystack/core/pipeline/**"
|
|
- "haystack/core/serialization.py"
|
|
- "haystack/core/errors.py"
|
|
- "haystack/marshal/**"
|
|
- "haystack/dataclasses/**"
|
|
- "haystack/utils/filters.py"
|
|
- "test/fuzz/**"
|
|
- ".clusterfuzzlite/**"
|
|
- ".github/workflows/cflite_pr.yml"
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
pr-fuzzing:
|
|
runs-on: ubuntu-latest
|
|
concurrency:
|
|
group: cflite-pr-${{ github.event.pull_request.number }}
|
|
cancel-in-progress: true
|
|
steps:
|
|
- name: Build Fuzzers
|
|
id: build
|
|
uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
|
|
with:
|
|
language: python
|
|
sanitizer: address
|
|
# Needed so build_fuzzers can check out the PR base for `mode: code-change`
|
|
# diffing in the Run Fuzzers step below.
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Run Fuzzers
|
|
id: run
|
|
uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
|
|
with:
|
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
|
fuzz-seconds: 120
|
|
mode: code-change
|
|
sanitizer: address
|
|
# Crashes fail the job and are uploaded as artifacts. SARIF upload is
|
|
# disabled to keep the token least-privilege (no security-events: write).
|
|
output-sarif: false
|