From ea7b53ff67764a2abf1f27d4c95d032d2dbb02f9 Mon Sep 17 00:00:00 2001
From: Illia Volochii <illia.volochii@gmail.com>
Date: Mon, 9 Oct 2023 18:30:10 +0300
Subject: gh-107652: Set up CIFuzz to run fuzz targets continuously (#107653)

Co-authored-by: Hugo van Kemenade <hugovk@users.noreply.github.com>
---
 .github/workflows/build.yml                        | 61 ++++++++++++++++++++++
 .../2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst |  2 +
 Modules/_xxtestfuzz/README.rst                     |  3 ++
 3 files changed, 66 insertions(+)
 create mode 100644 Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ffcfbac..277042d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -40,6 +40,7 @@ jobs:
       run-docs: ${{ steps.docs-changes.outputs.run-docs || false }}
       run_tests: ${{ steps.check.outputs.run_tests }}
       run_hypothesis: ${{ steps.check.outputs.run_hypothesis }}
+      run_cifuzz: ${{ steps.check.outputs.run_cifuzz }}
       config_hash: ${{ steps.config_hash.outputs.hash }}
     steps:
       - uses: actions/checkout@v4
@@ -76,6 +77,17 @@ jobs:
             echo "Run hypothesis tests"
             echo "run_hypothesis=true" >> $GITHUB_OUTPUT
           fi
+
+          # oss-fuzz maintains a configuration for fuzzing the main branch of
+          # CPython, so CIFuzz should be run only for code that is likely to be
+          # merged into the main branch; compatibility with older branches may
+          # be broken.
+          if [ "$GITHUB_BASE_REF" = "main" ]; then
+            # The tests are pretty slow so they are executed only for PRs
+            # changing relevant files.
+            FUZZ_RELEVANT_FILES='(\.c$|\.h$|\.cpp$|^configure$|^\.github/workflows/build\.yml$|^Modules/_xxtestfuzz)'
+            git diff --name-only origin/$GITHUB_BASE_REF.. | grep -qvE $FUZZ_RELEVANT_FILES && echo "run_cifuzz=true" >> $GITHUB_OUTPUT || true
+          fi
       - name: Compute hash for config cache key
         id: config_hash
         run: |
@@ -534,6 +546,46 @@ jobs:
     - name: Tests
       run: xvfb-run make test
 
+  # CIFuzz job based on https://google.github.io/oss-fuzz/getting-started/continuous-integration/
+  cifuzz:
+    name: CIFuzz
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    needs: check_source
+    if: needs.check_source.outputs.run_cifuzz == 'true'
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer: [address, undefined, memory]
+    steps:
+      - name: Build fuzzers (${{ matrix.sanitizer }})
+        id: build
+        uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+        with:
+          oss-fuzz-project-name: cpython3
+          sanitizer: ${{ matrix.sanitizer }}
+      - name: Run fuzzers (${{ matrix.sanitizer }})
+        uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+        with:
+          fuzz-seconds: 600
+          oss-fuzz-project-name: cpython3
+          output-sarif: true
+          sanitizer: ${{ matrix.sanitizer }}
+      - name: Upload crash
+        uses: actions/upload-artifact@v3
+        if: failure() && steps.build.outcome == 'success'
+        with:
+          name: ${{ matrix.sanitizer }}-artifacts
+          path: ./out/artifacts
+      - name: Upload SARIF
+        if: always() && steps.build.outcome == 'success'
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: cifuzz-sarif/results.sarif
+          checkout_path: cifuzz-sarif
+
   all-required-green:  # This job does nothing and is only used for the branch protection
     name: All required checks pass
     if: always()
@@ -550,6 +602,7 @@ jobs:
     - build_ubuntu_ssltests
     - test_hypothesis
     - build_asan
+    - cifuzz
 
     runs-on: ubuntu-latest
 
@@ -562,6 +615,7 @@ jobs:
           build_ubuntu_ssltests,
           build_win32,
           build_win_arm64,
+          cifuzz,
           test_hypothesis,
         allowed-skips: >-
           ${{
@@ -586,6 +640,13 @@ jobs:
             || ''
           }}
           ${{
+            !fromJSON(needs.check_source.outputs.run_cifuzz)
+            && '
+            cifuzz,
+            '
+            || ''
+          }}
+          ${{
             !fromJSON(needs.check_source.outputs.run_hypothesis)
             && '
             test_hypothesis,
diff --git a/Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst b/Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst
new file mode 100644
index 0000000..49ec546
--- /dev/null
+++ b/Misc/NEWS.d/next/Tests/2023-08-05-14-01-07.gh-issue-107652.5OxOlT.rst
@@ -0,0 +1,2 @@
+Set up CIFuzz to run fuzz targets in GitHub Actions. Patch by Illia
+Volochii.
diff --git a/Modules/_xxtestfuzz/README.rst b/Modules/_xxtestfuzz/README.rst
index 42bd02a..b951858 100644
--- a/Modules/_xxtestfuzz/README.rst
+++ b/Modules/_xxtestfuzz/README.rst
@@ -13,6 +13,9 @@ oss-fuzz will regularly pull from CPython, discover all the tests in
 automatically be run in oss-fuzz, while also being smoke-tested as part of
 CPython's test suite.
 
+In addition, the tests are run on GitHub Actions using CIFuzz for PRs to the
+main branch changing relevant files.
+
 Adding a new fuzz test
 ----------------------
 
-- 
cgit v0.12