
ci(fuzz): auto-run fixer on fuzzer issues and open a draft PR with the fix #8196

Merged
joseph-isaacs merged 6 commits into develop from claude/brave-edison-Jf6ky on Jun 1, 2026

Conversation

@joseph-isaacs (Contributor) commented Jun 1, 2026

What

Two related changes to the fuzzer fix automation:

  1. Auto-trigger on fuzzer issues — new .github/workflows/fuzzer-issue-autofix.yml runs the existing Fuzzer Fix Automation whenever an issue is opened with, or gains, the fuzzer label.
  2. Persist the fix as a draft PR: fuzzer-fix-automation.yml now commits the fix to a branch and opens a draft PR that triggers normal CI, reusing the GitHub App token mechanism from claude-write.yml.

Add a thin reusable-workflow caller (fuzzer-issue-autofix.yml) that
triggers the existing Fuzzer Fix Automation whenever an issue is opened
with the "fuzzer" label or has the label applied. This covers issues
filed manually as well as by the scheduled fuzz pipeline, complementing
the in-pipeline attempt-fix-* job in fuzz.yml.

The label gate is a meaningful boundary: only the github-actions bot and
users with triage/write access can apply the "fuzzer" label, so
arbitrary external issues cannot trigger the automation. A per-issue
concurrency group collapses duplicate opened+labeled triggers.

Also allow the "issues" event in the attempt-fix job guard in
fuzzer-fix-automation.yml. A called reusable workflow inherits the
caller's github.event_name, so when invoked from an issues-triggered
caller the inner job sees "issues" rather than "workflow_call" and
would otherwise be skipped.

Signed-off-by: Joe Isaacs <joe.isaacs@live.co.uk>
@joseph-isaacs joseph-isaacs added the changelog/skip Do not list PR in the changelog label Jun 1, 2026

@0ax1 (Contributor) left a comment:

love option B

Reuse the GitHub App token mechanism from claude-write.yml so the
Fuzzer Fix Automation persists its work and surfaces it as a reviewable
PR instead of throwing it away after the run.

- Attach the claude-automation environment and mint a short-lived App
  installation token via actions/create-github-app-token.
- Pass the App token (not GITHUB_TOKEN) to claude-code-action so the
  committed fix branch and its PR trigger normal pull_request CI.
- After a successful fix, open a draft PR from the branch claude-code
  pushed (steps.claude.outputs.branch_name), linking the issue, and
  comment the PR link back on the issue.
- Check out with persist-credentials: false so the built-in token isn't
  left in git config.

Draft keeps the per-issue fuzzer flow low-noise: a maintainer reviews
the analysis and diff, then marks the PR ready.

Signed-off-by: Joe Isaacs <joe.isaacs@live.co.uk>
@joseph-isaacs joseph-isaacs changed the title from "ci: auto-run Fuzzer Fix Automation on fuzzer-labeled issues" to "ci(fuzz): auto-run fixer on fuzzer issues and open a draft PR with the fix" Jun 1, 2026
Fuzzer issue titles are "Fuzzing Crash: <variant> in <target>", so the
previous PR title doubled up as "fix(fuzz): Fuzzing Crash: ...". Strip
the prefix to get "fix(fuzz): <variant> in <target> (#N)".

Rewrite the body to state the target and crash file, point to the issue
thread for the analysis/diff/test, and explain that it is a draft. Drop
any closing keyword: the nightly close-fixed-fuzzer-issues workflow
closes the issue only after re-running the crash, so merging this PR
should not close the issue on its own.

Signed-off-by: Joe Isaacs <joe.isaacs@live.co.uk>
Address review feedback on the issues-triggered fuzzer autofix:

1. The "fuzzer" label is not a trust boundary. Applying a label only
   needs triage permission, which is below write, yet the autofix calls
   a workflow that mints the GitHub App token and runs write-capable
   Claude against attacker-controllable issue-body fields. Add a gate
   job that runs WITHOUT the claude-automation environment and only lets
   the run proceed when the issue was authored by a trusted fuzz-report
   bot, or the actor who opened/labeled it has write/maintain/admin.

2. With explicit workflow permissions, unspecified scopes are disabled,
   so the crash-artifact download via 'gh run download' needs
   actions: read. Add it to the issues-triggered caller, the existing
   attempt-fix-io caller in fuzz.yml, and the reusable workflow job.

Signed-off-by: Joe Isaacs <joe.isaacs@live.co.uk>
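A caller workflow in the shape the commit above describes, as an added example and not the project's own fuzzer-issue-autofix.yml. The "fuzzer" label, the per-issue concurrency group, the gate job that runs outside the claude-automation environment, the trusted-bot-or-write/maintain/admin check, and the actions: read scope come from this thread; the bot login github-actions[bot], the reusable workflow path, secrets: inherit and the collaborator-permission lookup via gh api are assumptions.

```yaml
# Added example: caller workflow in the shape described in this PR thread.
# Not the project's fuzzer-issue-autofix.yml; bot login, workflow path,
# secret passing and the permission lookup are assumptions.
name: Fuzzer issue autofix

on:
  issues:
    types: [opened, labeled]

# One run per issue: the opened+labeled pair on a freshly filed issue
# collapses into a single queued run instead of two parallel fixers.
concurrency:
  group: fuzzer-autofix-${{ github.event.issue.number }}
  cancel-in-progress: false

# Explicit permissions disable every unlisted scope, so the crash
# artifact download done downstream via `gh run download` needs actions: read.
permissions:
  contents: read
  issues: write
  actions: read

jobs:
  gate:
    # Only react when the fuzzer label is applied or present at creation.
    # This job is deliberately NOT bound to the claude-automation
    # environment: nothing here can mint the App token.
    if: >-
      (github.event.action == 'labeled' && github.event.label.name == 'fuzzer') ||
      (github.event.action == 'opened' && contains(github.event.issue.labels.*.name, 'fuzzer'))
    runs-on: ubuntu-latest
    outputs:
      allowed: ${{ steps.check.outputs.allowed }}
    steps:
      - id: check
        env:
          GH_TOKEN: ${{ github.token }}
          AUTHOR: ${{ github.event.issue.user.login }}
          ACTOR: ${{ github.actor }}           # opener on 'opened', labeler on 'labeled'
          TRUSTED_BOT: "github-actions[bot]"   # assumption: login of the fuzz-report bot
        run: |
          set -euo pipefail
          allowed=false
          if [ "$AUTHOR" = "$TRUSTED_BOT" ]; then
            allowed=true
          else
            # Triage can apply labels, so the label alone proves nothing;
            # require that whoever opened/labeled the issue has write or better.
            role=$(gh api "repos/${GITHUB_REPOSITORY}/collaborators/${ACTOR}/permission" --jq .role_name)
            case "$role" in
              admin|maintain|write) allowed=true ;;
            esac
          fi
          echo "author=${AUTHOR} actor=${ACTOR} allowed=${allowed}"
          echo "allowed=${allowed}" >> "$GITHUB_OUTPUT"

  attempt-fix:
    needs: gate
    if: needs.gate.outputs.allowed == 'true'
    uses: ./.github/workflows/fuzzer-fix-automation.yml
    with:
      # github.event.issue.number coerces cleanly to the callee's string input.
      issue_number: ${{ github.event.issue.number }}
    secrets: inherit
```

The untrusted values (issue author, actor) reach the script only through environment variables, never inline `${{ }}` in `run:`, so a crafted login cannot inject shell. The gate runs with the plain GITHUB_TOKEN and the workflow-level permissions above; the App token is minted only in the called workflow, which runs only when the gate's output says so.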
@codspeed-hq (bot) commented Jun 1, 2026
Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

⚡ 1 improved benchmark
❌ 1 regressed benchmark
✅ 1273 untouched benchmarks

Warning

Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

Mode        Benchmark                                          BASE       HEAD       Efficiency
Simulation  chunked_varbinview_opt_canonical_into[(1000, 10)]  188.4 µs   225.7 µs   -16.51%
Simulation  chunked_varbinview_canonical_into[(100, 100)]      308 µs     273.2 µs   +12.71%

Tip

Investigate this regression by commenting @codspeedbot fix this regression on this PR, or directly use the CodSpeed MCP with your agent.


Comparing claude/brave-edison-Jf6ky (613932a) with develop (70be73c)


…ude-code-action

The draft-PR step keyed on steps.claude.outputs.branch_name, assuming
claude-code-action auto-commits to a branch like it does in
claude-write.yml. But that auto-branch behavior only kicks in when the
action has an issue/PR event to anchor to. The fuzzer fixer runs via
workflow_dispatch/workflow_call, so on a real run (issue #8189) Claude
edited files and posted analysis as the App bot but no branch was ever
pushed, branch_name was empty, and the PR step was skipped.

Add an explicit 'Commit and push fix branch' step that stages Claude's
modifications to tracked files (git add -u, dropping lockfile churn),
commits them signed-off onto fuzzer-fix/issue-<n>, and pushes with the
App token. The draft-PR step now gates on that step's pushed output and
uses its branch name.

Signed-off-by: Joe Isaacs <joe.isaacs@live.co.uk>
A `type: number` workflow input is rendered as a float when interpolated
in an expression, so `${{ inputs.issue_number }}` for issue 8189 became
`8189.0`. That broke the very first step, `gh issue view 8189.0` ("invalid
issue format"), and would also have poisoned the fix branch name and every
issue comment. Declare the dispatch and call inputs as `type: string`; the
`issues` caller's `github.event.issue.number` coerces cleanly to a string.

Signed-off-by: Joe Isaacs <joe.isaacs@live.co.uk>
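The reusable fixer workflow, as an added example that ties together the draft-PR title and body rules from the earlier commit ("Fuzzing Crash: " prefix stripped, no closing keyword), the explicit commit-and-push step from the commit before last, and the type: string inputs from the last commit. This is not the project's fuzzer-fix-automation.yml: the secret names, the claude-code-action inputs, the committer identity, develop as base branch and Cargo.lock as the lockfile are assumptions.

```yaml
# Added example: reusable fixer workflow in the shape described in this thread.
# Not the project's fuzzer-fix-automation.yml; secret names, fixer-action
# inputs, committer identity, base branch and lockfile name are assumptions.
name: Fuzzer Fix Automation

on:
  workflow_dispatch:
    inputs:
      issue_number:
        description: Fuzzer issue to fix
        required: true
        type: string   # not `number`: issue 8189 would interpolate as "8189.0"
  workflow_call:
    inputs:
      issue_number:
        required: true
        type: string

permissions:
  contents: read
  issues: write
  actions: read        # needed for `gh run download` of the crash artifact

jobs:
  attempt-fix:
    # A called workflow inherits the caller's event name, so an
    # issues-triggered call arrives here as "issues", not "workflow_call".
    if: contains(fromJSON('["workflow_dispatch", "workflow_call", "issues"]'), github.event_name)
    runs-on: ubuntu-latest
    environment: claude-automation   # the App key is only reachable from here
    env:
      ISSUE: ${{ inputs.issue_number }}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config

      - id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.FUZZ_FIX_APP_ID }}                # assumed secret name
          private-key: ${{ secrets.FUZZ_FIX_APP_PRIVATE_KEY }}  # assumed secret name

      - name: Run the fixer
        uses: anthropics/claude-code-action@v1   # assumed action and input names
        with:
          github_token: ${{ steps.app-token.outputs.token }}   # App token, not GITHUB_TOKEN
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
          prompt: "Fix the crash reported in issue #${{ inputs.issue_number }}; edit files but do not commit."

      - name: Commit and push fix branch
        id: push
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
        run: |
          set -euo pipefail
          # Tracked files only, and no lockfile churn (assumption: Cargo.lock).
          git add -u -- . ':(exclude)Cargo.lock'
          if git diff --cached --quiet; then
            echo "pushed=false" >> "$GITHUB_OUTPUT"
            exit 0
          fi
          branch="fuzzer-fix/issue-${ISSUE}"
          # Issue titles are "Fuzzing Crash: <variant> in <target>"; strip the prefix.
          title="fix(fuzz): $(gh issue view "$ISSUE" --json title -q .title | sed 's/^Fuzzing Crash: //') (#${ISSUE})"
          git checkout -q -b "$branch"
          git -c user.name="fuzz-fix-bot" -c user.email="fuzz-fix-bot@users.noreply.github.com" \
            commit -q -s -m "$title"
          # checkout kept no credentials, so the push itself carries the App token.
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" \
            "HEAD:refs/heads/${branch}"
          {
            echo "pushed=true"
            echo "branch=${branch}"
            echo "title=${title}"
          } >> "$GITHUB_OUTPUT"

      - name: Open draft PR and link it from the issue
        if: steps.push.outputs.pushed == 'true'
        env:
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          BRANCH: ${{ steps.push.outputs.branch }}
          TITLE: ${{ steps.push.outputs.title }}
        run: |
          set -euo pipefail
          # Deliberately no "Closes #N": the nightly close-fixed-fuzzer-issues
          # workflow closes the issue only after re-running the crash.
          url=$(gh pr create --draft --base develop --head "$BRANCH" --title "$TITLE" \
            --body "Automated draft fix for #${ISSUE}. The analysis, diff and test are on the issue thread; a maintainer marks this PR ready after review.")
          gh issue comment "$ISSUE" --body "Opened draft PR with the proposed fix: ${url}"
```

Because the draft-PR step is gated on the push step's own `pushed` output rather than on anything the fixer action reports, a run where the fixer changed nothing ends quietly instead of opening an empty PR. Pushing with the App token rather than GITHUB_TOKEN is what makes the resulting pull_request CI run at all, since pushes made with the built-in token do not trigger workflows.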
@joseph-isaacs joseph-isaacs merged commit 326b475 into develop Jun 1, 2026
63 of 64 checks passed
@joseph-isaacs joseph-isaacs deleted the claude/brave-edison-Jf6ky branch June 1, 2026 17:46