ci: pin Atheris fuzzing job to Python 3.11 #142

Merged: 27Bslash6 merged 1 commit into main from ci/pin-atheris-python-311 on May 31, 2026

Conversation

@27Bslash6 27Bslash6 (Contributor) commented May 31, 2026

Problem

The Security Deep workflow has been failing on the Atheris Python-Rust Fuzzing job (run 26693957972). It is not a fuzz finding — no crashes were found, the fuzzer never started. The job dies at dependency install.

Root cause

The atheris-fuzzing job had no Python pin, so uv floated to its newest managed interpreter — cpython-3.14.5. But atheris==2.3.0 ships prebuilt wheels only through cp311 (cp36–cp311; none for 3.12/3.13/3.14). On 3.14, uv fell back to building atheris from sdist, whose build step (find_libfuzzer.sh) requires clang + libFuzzer:

RuntimeError: Failed to find libFuzzer; set $CLANG_BIN ... or $LIBFUZZER_LIB
find_libfuzzer.sh returned non-zero exit status 1

The self-hosted cachekit runner has neither, so uv sync exited 1 before any fuzzing ran. It started failing when uv's bundled Python catalog advanced past atheris's wheel coverage.

Fix

Pin both uv sync and uv run to Python 3.11 — the newest version with an atheris wheel (already in the CI matrix). The wheel installs directly: no source build, no clang dependency on the runner. Both invocations are pinned because uv run re-resolves the interpreter independently.

Pinning to 3.12 would not work — atheris 2.3.0 has no cp312 wheel either.

Testing

  • actionlint passes (pre-commit).
  • Verify on merge: the Atheris job installs from wheel and runs the fuzz targets instead of failing at install.

Non-blocking job (nightly Security Deep, doesn't gate releases), but it was hiding real future fuzz findings while red.

Summary by CodeRabbit

  • Chores
    • Enhanced internal security testing processes to ensure consistent execution environment during automated fuzzing.

The atheris-fuzzing job had no Python pin, so uv floated to its newest
managed interpreter (cpython 3.14.5). atheris 2.3.0 ships prebuilt wheels
only through cp311 — on 3.14 uv falls back to building from sdist, whose
build step (find_libfuzzer.sh) requires clang + libFuzzer. The self-hosted
'cachekit' runner has neither, so 'uv sync' failed before any fuzzing ran,
turning Security Deep red on an install error (not a fuzz finding).

Pin both 'uv sync' and 'uv run' to 3.11 (newest version with an atheris
wheel; already in the CI matrix) so the wheel installs directly — no source
build, no clang dependency on the runner.
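
The root-cause reasoning in this PR (uv picked an interpreter for which no prebuilt wheel exists, so the install fell through to a source build that needs clang and libFuzzer) is a wheel-tag compatibility question. The following is an added example, not code from the cachekit project or from this PR, that parses PEP 427 wheel filenames and reports, for each candidate CPython version, whether a prebuilt wheel would be selected or a source build would be required. The wheel list is constructed from the PR's statement that atheris 2.3.0 ships cp36 through cp311 wheels only (the exact filenames are assumed, not taken from PyPI); the platform check is simplified and assumes a Linux x86_64 runner. It also covers the one case the PR does not need, a stable-ABI (abi3) wheel, where a newer interpreter can reuse an older cp tag.

```python
"""Decide whether a CPython interpreter can install a release from a prebuilt
wheel or would fall back to building from sdist (PEP 427 wheel filename tags).

Constructed example: the atheris wheel list below is modelled on the PR's
statement that atheris 2.3.0 ships cp36-cp311 wheels; it is not scraped from PyPI.
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple

# name-version[-build]-python-abi-platform.whl (PEP 427); a build tag starts with a digit
WHEEL_RE = re.compile(
    r"^(?P<name>[^-]+)-(?P<version>[^-]+)(?:-(?P<build>\d[^-]*))?"
    r"-(?P<py>[^-]+)-(?P<abi>[^-]+)-(?P<plat>[^-]+)\.whl$"
)


class Wheel(NamedTuple):
    name: str
    version: str
    python_tags: Tuple[str, ...]   # compressed tag sets like "py2.py3" are split
    abi_tags: Tuple[str, ...]
    platform_tags: Tuple[str, ...]


def parse_wheel_filename(filename: str) -> Wheel:
    m = WHEEL_RE.match(filename)
    if not m:
        raise ValueError(f"not a wheel filename: {filename}")
    return Wheel(m["name"], m["version"], tuple(m["py"].split(".")),
                 tuple(m["abi"].split(".")), tuple(m["plat"].split(".")))


def platform_ok(platform_tags: Iterable[str], runner_arch: str = "x86_64") -> bool:
    """Simplified platform check: universal wheels or manylinux wheels for the runner's arch."""
    return any(t == "any" or (t.startswith("manylinux") and t.endswith("_" + runner_arch))
               for t in platform_tags)


def wheel_for_interpreter(wheels: Iterable[str], py_minor: int,
                          runner_arch: str = "x86_64") -> Optional[str]:
    """Return the first wheel a CPython 3.<py_minor> interpreter could install, else None.

    None means the installer (uv, pip) would have to build from the sdist."""
    # Tags a CPython 3.X interpreter accepts: its own cp3X, generic py3X/py3, older py3Y
    accepted = {f"cp3{py_minor}", f"py3{py_minor}", "py3"} | {f"py3{m}" for m in range(py_minor)}
    for fn in wheels:
        w = parse_wheel_filename(fn)
        if not platform_ok(w.platform_tags, runner_arch):
            continue
        if accepted & set(w.python_tags):
            return fn
        # Stable ABI: a cp3Y-abi3 wheel runs on any CPython 3.X with X >= Y
        if "abi3" in w.abi_tags:
            for tag in w.python_tags:
                m = re.fullmatch(r"cp3(\d+)", tag)
                if m and int(m.group(1)) <= py_minor:
                    return fn
    return None


def resolution_report(wheels: List[str], minors: Iterable[int],
                      runner_arch: str = "x86_64") -> Dict[str, str]:
    """Map '3.<minor>' to 'wheel' or 'sdist' for each candidate interpreter."""
    return {f"3.{m}": ("wheel" if wheel_for_interpreter(wheels, m, runner_arch) else "sdist")
            for m in minors}


# Constructed wheel set: one per-interpreter wheel for cp36..cp311, no abi3 wheel
CONSTRUCTED_ATHERIS_WHEELS = [
    f"atheris-2.3.0-cp3{m}-cp3{m}-manylinux_2_5_x86_64.manylinux1_x86_64.whl"
    for m in range(6, 12)
]

if __name__ == "__main__":
    # Shows why 3.11 is the newest usable pin and why 3.12/3.13/3.14 all fall back to sdist
    for version, outcome in resolution_report(CONSTRUCTED_ATHERIS_WHEELS, [11, 12, 13, 14]).items():
        print(f"CPython {version}: {outcome}")
```

Run stand-alone, the script reports 3.11 as "wheel" and 3.12 through 3.14 as "sdist", which is the same answer the PR reaches by hand; an installer that lands on "sdist" is the point at which the build-time clang and libFuzzer requirement shows up on a runner that has neither.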

@coderabbitai coderabbitai (Bot) commented May 31, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c7888f1a-58a4-47c9-924e-7541386d39f3

📥 Commits

Reviewing files that changed from the base of the PR and between 6c699e9 and 8d8160b.

📒 Files selected for processing (1)
  • .github/workflows/security-deep.yml

Walkthrough

The GitHub Actions workflow for security-deep fuzzing is updated to explicitly pin the Atheris fuzzing job to Python 3.11. The uv sync dependency installation step and all uv run fuzz target execution commands now include --python 3.11 flags to ensure the pinned Python version is used throughout the fuzzing process.

Changes

Atheris Fuzzing Python Version Pin

Layer: Python 3.11 pinning for Atheris fuzzing
File(s): .github/workflows/security-deep.yml
Summary: Dependency installation and fuzz target execution steps are updated to explicitly pin Python 3.11 via uv sync --python 3.11 and uv run --python 3.11, preventing unintended interpreter version resolution.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • cachekit-io/cachekit-py#132: Modifies .github/workflows/security-deep.yml to set up runtime environment for fuzzing and miri jobs using environment variable pinning.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check (❓ Inconclusive)
    Explanation: The description provides a detailed explanation of the problem, root cause, fix, and testing approach. However, it does not follow the repository's template structure with required sections.
    Resolution: Restructure the description to match the template: add sections for Motivation, Type of Change (mark CI/CD change), Security Checklist, and confirm all template requirements are addressed.
✅ Passed checks (4 passed)
  • Title check (✅ Passed): The title directly and concisely summarises the main change, pinning the Atheris fuzzing job to Python 3.11 in the CI workflow.
  • Docstring Coverage (✅ Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check (✅ Passed): Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check (✅ Passed): Check skipped because no linked issues were found for this pull request.


@27Bslash6 27Bslash6 merged commit 6632e4a into main May 31, 2026
32 checks passed
@27Bslash6 27Bslash6 deleted the ci/pin-atheris-python-311 branch May 31, 2026 06:48