Move to matrix with excludes approach

sethmlarson · webknjaz · sethmlarson · commit 3958c5d16245 · 2026-01-13T11:44:20.000-06:00
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) &lt;578543+webknjaz@users.noreply.github.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -642,17 +642,46 @@ jobs:
           "$BUILD_DIR/cross-python/bin/python3" -m test test_sysconfig test_site test_embed
 
   cifuzz:
+    name: CIFuzz
     needs: build-context
-    if: needs.build-context.outputs.run-ci-fuzz == 'true'
-    uses: ./.github/workflows/reusable-cifuzz.yml
-    with:
-      oss-fuzz-project-name: cpython3
-  cifuzz-stdlib:
-    needs: build-context
-    if: needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
+    if: >-
+      contains(
+        [
+          needs.build-context.outputs.run-ci-fuzz,
+          needs.build-context.outputs.run-ci-fuzz-stdlib
+        ],
+        'true'
+      )
+    permissions:
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+        - address
+        - undefined
+        - memory
+        oss-fuzz-project-name:
+        - cpython3
+        - python3-libraries
+        exclude:
+        - oss-fuzz-project-name: >-
+            ${{
+              needs.build-context.outputs.run-ci-fuzz == 'true'
+              && ''
+              || 'cpython3'
+            }}
+        - oss-fuzz-project-name: >-
+            ${{
+              needs.build-context.outputs.run-ci-fuzz-stdlib == 'true'
+              && ''
+              || 'python3-libraries'
+            }}
     uses: ./.github/workflows/reusable-cifuzz.yml
     with:
-      oss-fuzz-project-name: python3-libraries
+      oss-fuzz-project-name: ${{ matrix.oss-fuzz-project-name }}
+      sanitizer: ${{ matrix.sanitizer }}
+      timeout-minutes: 60
 
   all-required-green:  # This job does nothing and is only used for the branch protection
     name: All required checks pass
@@ -677,7 +706,6 @@ jobs:
     - build-san
     - cross-build-linux
     - cifuzz
-    - cifuzz-stdlib
     if: always()
 
     steps:
@@ -709,7 +737,7 @@ jobs:
           }}
           ${{ !fromJSON(needs.build-context.outputs.run-windows-tests) && 'build-windows,' || '' }}
           ${{ !fromJSON(needs.build-context.outputs.run-ci-fuzz) && 'cifuzz,' || '' }}
-          ${{ !fromJSON(needs.build-context.outputs.run-ci-fuzz-stdlib) && 'cifuzz-stdlib,' || '' }}
+          ${{ !fromJSON(needs.build-context.outputs.run-ci-fuzz-stdlib) && 'cifuzz,' || '' }}
           ${{ !fromJSON(needs.build-context.outputs.run-macos) && 'build-macos,' || '' }}
           ${{
             !fromJSON(needs.build-context.outputs.run-ubuntu)
diff --git a/.github/workflows/reusable-cifuzz.yml b/.github/workflows/reusable-cifuzz.yml
@@ -8,39 +8,40 @@ on:
         description: OSS-Fuzz project name
         required: true
         type: string
-
-permissions:
-  contents: read
-  security-events: write
+      sanitizer:
+        description: OSS-Fuzz sanitizer
+        required: true
+        type: string
+      timeout-minutes:
+        description: Timeout in minutes for the action
+        required: false
+        default: 60
+        type: number
 
 jobs:
   cifuzz:
     name: CIFuzz
     runs-on: ubuntu-latest
-    timeout-minutes: 60
-    strategy:
-      fail-fast: false
-      matrix:
-        sanitizer: [address, undefined, memory]
+    timeout-minutes: ${{ inputs.timeout-minutes }}
     steps:
-      - name: Build fuzzers (${{ matrix.sanitizer }})
+      - name: Build fuzzers (${{ inputs.sanitizer }})
         id: build
         uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
         with:
           oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
-          sanitizer: ${{ matrix.sanitizer }}
-      - name: Run fuzzers (${{ matrix.sanitizer }})
+          sanitizer: ${{ inputs.sanitizer }}
+      - name: Run fuzzers (${{ inputs.sanitizer }})
         uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
         with:
           fuzz-seconds: 600
           oss-fuzz-project-name: ${{ inputs.oss-fuzz-project-name }}
           output-sarif: true
-          sanitizer: ${{ matrix.sanitizer }}
+          sanitizer: ${{ inputs.sanitizer }}
       - name: Upload crash
         if: failure() && steps.build.outcome == 'success'
         uses: actions/upload-artifact@v6
         with:
-          name: ${{ matrix.sanitizer }}-artifacts
+          name: ${{ inputs.sanitizer }}-artifacts
           path: ./out/artifacts
       - name: Upload SARIF
         if: always() && steps.build.outcome == 'success'
diff --git a/.github/workflows/reusable-context.yml b/.github/workflows/reusable-context.yml
@@ -25,7 +25,7 @@ on:  # yamllint disable-line rule:truthy
         value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }}  # bool
       run-ci-fuzz-stdlib:
         description: Whether to run the CIFuzz job for 'python3-libraries' fuzzer
-        value: ${{ jobs.compute-changes.outputs.run-ci-fuzz }}  # bool
+        value: ${{ jobs.compute-changes.outputs.run-ci-fuzz-stdlib }}  # bool
       run-docs:
         description: Whether to build the docs
         value: ${{ jobs.compute-changes.outputs.run-docs }}  # bool
diff --git a/Tools/build/compute-changes.py b/Tools/build/compute-changes.py
@@ -94,6 +94,7 @@
     Path("Lib/xml/"),
     Path("Lib/_markupbase.py"),
     Path("Modules/expat/"),
+    Path("Modules/pyexpat.c"),
     # zipfile
     Path("Lib/zipfile/"),
 })
