Fix hardening workflow and libFuzzer probe

themuffinator · themuffinator · commit 35968068edae · 2026-04-27T10:51:16.000+01:00
diff --git a/.github/release-notes-instructions.md b/.github/release-notes-instructions.md
diff --git a/.github/workflows/hardening.yml b/.github/workflows/hardening.yml
@@ -2,9 +2,6 @@ name: parser-hardening
 
 on:
   pull_request:
-  push:
-    branches:
-      - main
   workflow_dispatch:
 
 jobs:
@@ -19,10 +16,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: "3.x"
 
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -392,59 +392,6 @@ jobs:
             --commit-range "${{ needs.prepare.outputs.commit_range }}" \
             --output release_notes.md
 
-      - name: Check Copilot Release Notes Availability
-        shell: bash
-        env:
-          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-        run: |
-          if [[ -n "${COPILOT_GITHUB_TOKEN:-}" && -n "${{ needs.prepare.outputs.latest_nightly_tag }}" ]]; then
-            echo "PAKFU_USE_COPILOT_RELEASE_NOTES=true" >> "$GITHUB_ENV"
-          else
-            echo "PAKFU_USE_COPILOT_RELEASE_NOTES=false" >> "$GITHUB_ENV"
-          fi
-
-      - name: Generate Copilot Release Notes
-        id: copilot-notes
-        if: env.PAKFU_USE_COPILOT_RELEASE_NOTES == 'true'
-        continue-on-error: true
-        uses: github/copilot-release-notes@v1.0.1
-        with:
-          base-ref: ${{ needs.prepare.outputs.latest_nightly_tag }}
-          head-ref: ${{ needs.prepare.outputs.head_sha }}
-          instructions: .github/release-notes-instructions.md
-          pr-strategy: github-api
-        env:
-          COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
-          GITHUB_TOKEN: ${{ github.token }}
-
-      - name: Use Copilot Release Notes
-        if: env.PAKFU_USE_COPILOT_RELEASE_NOTES == 'true' && steps.copilot-notes.outputs.release-notes != ''
-        shell: bash
-        env:
-          COPILOT_RELEASE_NOTES: ${{ steps.copilot-notes.outputs.release-notes }}
-          PAKFU_COMMIT_RANGE: ${{ needs.prepare.outputs.commit_range }}
-          PAKFU_VERSION: ${{ needs.prepare.outputs.version }}
-        run: |
-          python - <<'PY'
-          import datetime as dt
-          import os
-          from pathlib import Path
-
-          body = os.environ["COPILOT_RELEASE_NOTES"].strip()
-          version = os.environ["PAKFU_VERSION"]
-          commit_range = os.environ.get("PAKFU_COMMIT_RANGE", "")
-          generated = dt.datetime.now(dt.UTC).strftime("%Y-%m-%d %H:%M UTC")
-          lines = [
-              f"# PakFu Nightly v{version}",
-              "",
-              f"Generated: {generated}",
-          ]
-          if commit_range:
-              lines.append(f"Commit range: `{commit_range}`")
-          lines.extend(["", body, ""])
-          Path("release_notes.md").write_text("\n".join(lines), encoding="utf-8")
-          PY
-
       - name: Generate Distribution Manifest
         shell: bash
         run: |
diff --git a/.gitignore b/.gitignore
@@ -34,6 +34,10 @@
 # Clang
 .cache
 
+# Python
+__pycache__/
+*.py[cod]
+
 # Meson build outputs
 build/
 builddir/
diff --git a/docs/RELEASES.md b/docs/RELEASES.md
@@ -30,9 +30,6 @@ Stable/beta/dev manual version generation:
   behavior, or CLI workflows.
 - Related commits should be grouped into one user benefit instead of listed as
   separate implementation steps.
-- If the `COPILOT_GITHUB_TOKEN` secret is configured, nightly releases can use
-  `github/copilot-release-notes` with `.github/release-notes-instructions.md` as
-  an editorial pass. The deterministic local scripts remain the fallback path.
 - Changelog/release-note rendering scripts:
 1. `scripts/update_changelog.py`
 2. `scripts/nightly_release_notes.py`
diff --git a/scripts/__pycache__/update_changelog.cpython-311.pyc b/scripts/__pycache__/update_changelog.cpython-311.pyc
diff --git a/src/meson.build b/src/meson.build
@@ -77,9 +77,21 @@ pakfu_includes = [include_directories('.')] + qt_rhi_includes
 fuzzing_opt = get_option('fuzzing')
 fuzz_compile_args = ['-fsanitize=fuzzer', '-fno-omit-frame-pointer']
 fuzz_link_args = ['-fsanitize=fuzzer']
+fuzz_link_probe = '''
+#include <cstddef>
+#include <cstdint>
+
+extern "C" int LLVMFuzzerTestOneInput(const std::uint8_t*, std::size_t) {
+  return 0;
+}
+'''
 fuzzing_supported = (
   cpp_compiler.has_multi_arguments(fuzz_compile_args) and
-  cpp_compiler.has_multi_link_arguments(fuzz_link_args)
+  cpp_compiler.links(
+    fuzz_link_probe,
+    args: fuzz_compile_args + fuzz_link_args,
+    name: 'libFuzzer entrypoint',
+  )
 )
 if fuzzing_opt.enabled() and not fuzzing_supported
   error('Parser fuzz targets require compiler support for -fsanitize=fuzzer.')
