haystack/.github/workflows/cflite_pr.yml at main · CloudEngineHub/haystack · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: ClusterFuzzLite PR fuzzing

# Short, code-change-scoped fuzzing run on PRs that touch fuzzed code or the
# fuzzing setup. Catches regressions and crashes introduced by a change.
# Continuous/batch fuzzing can be added later as a separate scheduled workflow.
#
# Scoped to the modules the harnesses actually exercise rather than all of
# `haystack/**`, so the (build-heavy) job doesn't run on every library PR:
#   - Pipeline.loads          -> core/pipeline, core/serialization, marshal
#   - Document.from_dict       -> dataclasses
#   - document_matches_filter  -> utils/filters
# Deep, transitively-reached regressions are better caught by a scheduled batch
# run; random YAML/JSON essentially never reaches haystack/components.
on:
  pull_request:
    paths:
      - "haystack/core/pipeline/**"
      - "haystack/core/serialization.py"
      - "haystack/core/errors.py"
      - "haystack/marshal/**"
      - "haystack/dataclasses/**"
      - "haystack/utils/filters.py"
      - "test/fuzz/**"
      - ".clusterfuzzlite/**"
      - ".github/workflows/cflite_pr.yml"

permissions:
  contents: read

jobs:
  pr-fuzzing:
    runs-on: ubuntu-latest
    concurrency:
      group: cflite-pr-${{ github.event.pull_request.number }}
      cancel-in-progress: true
    steps:
      - name: Build Fuzzers
        id: build
        uses: google/clusterfuzzlite/actions/build_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
        with:
          language: python
          sanitizer: address
          # Needed so build_fuzzers can check out the PR base for `mode: code-change`
          # diffing in the Run Fuzzers step below.
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Run Fuzzers
        id: run
        uses: google/clusterfuzzlite/actions/run_fuzzers@884713a6c30a92e5e8544c39945cd7cb630abcd1 # v1
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          fuzz-seconds: 120
          mode: code-change
          sanitizer: address
          # Crashes fail the job and are uploaded as artifacts. SARIF upload is
          # disabled to keep the token least-privilege (no security-events: write).
          output-sarif: false