From 8d8160b50b5d680ae22404b8f1fd4be893b28e44 Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Sun, 31 May 2026 16:28:56 +1000
Subject: [PATCH] ci: pin Atheris fuzzing job to Python 3.11
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The atheris-fuzzing job had no Python pin, so uv floated to its newest
managed interpreter (cpython 3.14.5). atheris 2.3.0 ships prebuilt wheels
only through cp311 — on 3.14 uv falls back to building from sdist, whose
build step (find_libfuzzer.sh) requires clang + libFuzzer. The self-hosted
'cachekit' runner has neither, so 'uv sync' failed before any fuzzing ran,
turning Security Deep red on an install error (not a fuzz finding).

Pin both 'uv sync' and 'uv run' to 3.11 (newest version with an atheris
wheel; already in the CI matrix) so the wheel installs directly — no source
build, no clang dependency on the runner.
---
 .github/workflows/security-deep.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security-deep.yml b/.github/workflows/security-deep.yml
index 80c204e..95cc958 100644
--- a/.github/workflows/security-deep.yml
+++ b/.github/workflows/security-deep.yml
@@ -114,16 +114,21 @@ jobs: steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + # Pin to 3.11: atheris 2.3.0's newest prebuilt wheel is cp311. On a newer + # interpreter uv builds atheris from sdist, which needs clang + libFuzzer + # (find_libfuzzer.sh) — absent on the self-hosted runner, so install fails + # before any fuzzing runs. Both uv sync and uv run must pin, or uv run + # re-resolves to a different interpreter and re-triggers the source build. - name: Install dependencies run: | - uv sync --group dev --group fuzz + uv sync --group dev --group fuzz --python 3.11 - name: Run Atheris fuzz targets (10 min each) run: | for fuzz_target in tests/fuzzing/fuzz_*.py; do if [ -f "$fuzz_target" ]; then echo "Fuzzing $fuzz_target..." - timeout 10m uv run python "$fuzz_target" -max_total_time=600 || true + timeout 10m uv run --python 3.11 python "$fuzz_target" -max_total_time=600 || true fi done
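Review bot: the `--python 3.11` pin is now duplicated across two steps (`uv sync --group dev --group fuzz --python 3.11` and `uv run --python 3.11 python ...`), and the added comment itself says the job breaks if the two ever disagree; consider setting the interpreter once at the job level instead, e.g. `env: UV_PYTHON: "3.11"` (uv reads that variable as the default for `--python`), so every `uv` invocation in the job, including steps added later, resolves to the same interpreter without each step having to repeat the flag. Also worth calling out in the comment that the 3.11 pin is tied to the atheris 2.3.0 wheel availability, so whoever bumps atheris or the CI matrix knows this is the line to revisit. Unrelated to this change but visible in the same hunk: `|| true` after the `timeout 10m uv run ...` line means a non-zero exit from a fuzz target (a crash finding, not just a timeout) never fails the job either, so a real Atheris finding would still show the job green.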