gh-143572: Run 'python3-libraries' fuzzer in CI using CIFuzz

[sethmlarson]

Created a list of files and directories that should trigger a re-run of the python3-libraries fuzzers. Now that the Python repository is the home for this fuzzer it should be easier for Python core developers to fix issues with the fuzzer in case there are issues.

• Issue: Begin running CIFuzz on standard library modules #143572

[hugovk]

I think we could also rename most of the "library"/"libraries"/"LIBRARY" to "stdlib"/"STDLIB" and it'd be clearer this is running on the standard library and not any third-party library code.

[sethmlarson]

I think we could also rename most of the "library"/"libraries"/"LIBRARY" to "stdlib"/"STDLIB" and it'd be clearer this is running on the standard library and not any third-party library code.

I agree with this, we can change most of our uses to "stdlib" within this PR except for oss-fuzz-project-name. I can handle that in a separate PR since we'll have to wait for OSS-Fuzz maintainers to rename the project.

[sethmlarson]

Thanks @StanFromIreland and @hugovk for the reviews! I've moved to a reusable workflows approach. I'll try pushing a commit modifying one of the libraries to check that the workflow fires correctly.

[webknjaz]

I'm 99% sure this is required in the calling jobs in build.yml too. But maybe there's an exception for in-tree workflows. I haven't tested this in a while, though.

If jobs.<job_id>.permissions is not specified in the calling job, the called workflow will have the default permissions for the GITHUB_TOKEN.

(https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations#supported-keywords-for-jobs-that-call-a-reusable-workflow)

GITHUB_TOKEN permissions can only be the same or more restrictive in nested workflows. For example, in the workflow chain A > B > C, if workflow A has package: read token permission, then B and C cannot have package: write permission.

(https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations#access-and-permissions-for-nested-workflows)

---

I think, the above implies that the calling workflow should at least allow the minimum privileges needed here.

[webknjaz]

Suggested change

	uses: ./.github/workflows/reusable-cifuzz.yml
	with:
	oss-fuzz-project-name: cpython3
	cifuzz-stdlib:
	needs: build-context
	if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
	permissions:
	security-events: write
	uses: ./.github/workflows/reusable-cifuzz.yml
	with:
	oss-fuzz-project-name: cpython3
	cifuzz-stdlib:
	needs: build-context
	if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
	permissions:
	security-events: write

(https://github.com/python/cpython/pull/143749/files#r2686916751)

[webknjaz]

Can we try https://github.com/python/cpython/pull/143749/files#r2687006554 first, though?

[hugovk]

Yes, looks like it is needed the calling jobs in build.yml, because the CI didn't start:

The workflow is not valid. .github/workflows/build.yml (Line: 639, Col: 3): Error calling workflow 'python/cpython/.github/workflows/reusable-cifuzz.yml@98b701b'. The workflow is requesting 'security-events: write', but is only allowed 'security-events: none'.

https://github.com/python/cpython/actions/runs/20936855037?pr=143749

Maybe we try this smaller change to validate the permissions, before refactoring the matrix?

[sethmlarson]

I'm attempting the large matrix approach here: 3958c5d

[webknjaz]

Though, it's probably nicer to try collapsing these into a single matrix:

Suggested change

	uses: ./.github/workflows/reusable-cifuzz.yml
	with:
	oss-fuzz-project-name: cpython3
	cifuzz-stdlib:
	needs: build-context
	if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
	uses: ./.github/workflows/reusable-cifuzz.yml
	with:
	oss-fuzz-project-name: python3-libraries
	if: >-
	contains(
	[
	needs.build-context.outputs.run-ci-fuzz,
	needs.build-context.outputs.run-ci-fuzz-stdlib
	],
	'true'
	)
	permissions:
	security-events: write
	strategy:
	fail-fast: false
	matrix:
	sanitizer:
	- address
	- undefined
	- memory
	oss-fuzz-project-name:
	- cpython3
	- python3-libraries
	exclude:
	- oss-fuzz-project-name: >-
	${{
	needs.build-context.outputs.run-ci-fuzz == 'true'
	&& 'dummy sentinel 🤪'
	|| 'cpython3'
	}}
	- oss-fuzz-project-name: >-
	${{
	needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
	&& 'dummy sentinel 🤪'
	|| 'python3-libraries'
	}}
	uses: ./.github/workflows/reusable-cifuzz.yml
	with:
	oss-fuzz-project-name: ${{ matrix.oss-fuzz-project-name }}
	sanitizer: ${{ matrix.sanitizer }}
	timeout-minutes: 60

(an untested idea borrowed from

cpython/.github/workflows/build.yml

Lines 212 to 223 in 03f8d3b

	is-fork: # only used for the exclusion trick
	- ${{ github.repository_owner != 'python' }}
	free-threading:
	- false
	- true
	exclude:
	- os: ghcr.io/cirruslabs/macos-runner:sonoma
	is-fork: true
	- os: macos-14
	is-fork: false
	- os: macos-13
	free-threading: true

)

[hugovk]

(I resolved the conflict)

[sethmlarson]

@webknjaz I'm not sure why actionlint is refusing the contains([...], 'true') syntax used, checking on the allowed function definitions it seemed like this would be allowed?

[sethmlarson]

With the latest commit we got a run, but the values of oss-fuzz-project-name and sanitizer aren't being forwarded (the reusable workflow is seeing an empty string?) from the job matrix into the reusable workflow. I don't think I'm doing anything different than any of the other reusable workflows that use a matrix and forward parameters?