Files
deepset-ai--haystack/.github/workflows/cflite_pr.yml
T
wehub-resource-sync c56bef871b
Sync docs with Docusaurus / sync (push) Waiting to run
Tests / Check if changed (push) Waiting to run
Tests / format (push) Blocked by required conditions
Tests / check-imports (push) Blocked by required conditions
Tests / Unit / macos-latest (push) Blocked by required conditions
Tests / Unit / ubuntu-latest (push) Blocked by required conditions
Tests / Unit / windows-latest (push) Blocked by required conditions
Tests / mypy (push) Blocked by required conditions
Tests / Integration / ubuntu-latest (push) Blocked by required conditions
Tests / Integration / macos-latest (push) Blocked by required conditions
Tests / Integration / windows-latest (push) Blocked by required conditions
Tests / notify-slack-on-failure (push) Blocked by required conditions
Tests / Mark tests as completed (push) Blocked by required conditions
Update Platform Components Table / update (push) Waiting to run
CodeQL / Analyze (python) (push) Waiting to run
Docker image release / Build base image (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 13:22:28 +08:00

58 lines
2.1 KiB
YAML

name: ClusterFuzzLite PR fuzzing
# Short, code-change-scoped fuzzing run on PRs that touch fuzzed code or the
# fuzzing setup. Catches regressions and crashes introduced by a change.
# Continuous/batch fuzzing can be added later as a separate scheduled workflow.
#
# Scoped to the modules the harnesses actually exercise rather than all of
# `haystack/**`, so the (build-heavy) job doesn't run on every library PR:
# - Pipeline.loads -> core/pipeline, core/serialization, marshal
# - Document.from_dict -> dataclasses
# - document_matches_filter -> utils/filters
# Deep, transitively-reached regressions are better caught by a scheduled batch
# run; random YAML/JSON essentially never reaches haystack/components.
on:
pull_request:
paths:
- "haystack/core/pipeline/**"
- "haystack/core/serialization.py"
- "haystack/core/errors.py"
- "haystack/marshal/**"
- "haystack/dataclasses/**"
- "haystack/utils/filters.py"
- "test/fuzz/**"
- ".clusterfuzzlite/**"
- ".github/workflows/cflite_pr.yml"
permissions:
contents: read
jobs:
pr-fuzzing:
runs-on: ubuntu-latest
concurrency:
group: cflite-pr-${{ github.event.pull_request.number }}
cancel-in-progress: true
steps:
- name: Build Fuzzers
id: build
uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
with:
language: python
sanitizer: address
# Needed so build_fuzzers can check out the PR base for `mode: code-change`
# diffing in the Run Fuzzers step below.
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Run Fuzzers
id: run
uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
fuzz-seconds: 120
mode: code-change
sanitizer: address
# Crashes fail the job and are uploaded as artifacts. SARIF upload is
# disabled to keep the token least-privilege (no security-events: write).
output-sarif: false