fix(ci): drop musl target from fuzz.yml + add id-token to mythos-auto (#168)#170
Merged
Conversation
avrabe
changed the title
LS-N verification gate✅ 19/19 approved LS entries verified
Approved Failed LS entries(none) Missing regression tests(none) Updated automatically by |
Fixes #168 root cause per smithy's analysis on the issue thread: The "sanitizer is incompatible with statically linked libc" error on fuzz_parse_component / fuzz_resolver_terminates jobs was NOT runner config drift. All 7 rust-cpu runners have identical toolchains and configs. The actual problem: `dtolnay/rust-toolchain@nightly with: targets: x86_64-unknown-linux-musl` installed the musl toolchain target. cargo-fuzz's `--release` reuse path can pick up a musl-built artifact on cache restore, and musl statically links libc which is incompatible with the AddressSanitizer cargo-fuzz injects via `-Z sanitizer=address`. The failure mode then propagates from any runner that happened to receive a musl-contaminated cache key. Fix: - Drop `targets: x86_64-unknown-linux-musl` from the toolchain install step. cargo-fuzz uses the host gnu target by default, which is sanitizer-compatible. - Version-bump the actions/cache key from `${{ runner.os }}-fuzz-` to `${{ runner.os }}-fuzz-v2-` to invalidate ALL existing cache snapshots once, including any that captured musl artifacts. - Document the rationale inline so a future change doesn't reintroduce the targets line without checking. The musl target isn't referenced anywhere else in the repo — verified with `grep -r musl meld-core/ fuzz/` (no matches outside this workflow). Dropping it is a strict simplification. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
After the unzip block on rust-cpu runners cleared (#167), PR #169's mythos-auto matrix scan ran far enough to expose a third plumbing issue: ``` error: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable at <anonymous> (.../@actions/core/lib/oidc-utils.js:71:27) ... Attempt 3 failed: Could not fetch an OIDC token. Did you remember to add `id-token: write` to your workflow permissions? ``` claude-code-action calls `core.getIDToken()` early in `setupGitHubToken` (entry point: `src/github/token.ts:15`). The OIDC issuer URL is injected as the `ACTIONS_ID_TOKEN_REQUEST_URL` environment variable, but only when the workflow has `permissions.id-token: write`. mythos-auto.yml's permissions block had `contents: read` and `pull-requests: write` but not `id-token: write`. The action retries 3× via its `retryWithBackoff` helper and then aborts before running its prompt. The sticky-comment + label flow then short-circuits and the placeholder-FINDING fallback fires. Adds the permission with an inline comment explaining the requirement. The token is workflow-scoped and signed by GitHub; it does not grant access to anything beyond what the workflow already has. Bundled with the fuzz.yml musl drop on this PR — both are CI workflow plumbing fixes uncovered by the same Tier-5 PR (#169).
avrabe
force-pushed
the
fix/fuzz-yml-drop-musl-target
branch
from
a749168 to
d31880d
Compare
This was referenced May 20, 2026
Merged
avrabe
added a commit
that referenced
this pull request
May 21, 2026
P3 cross-component stream-pair detection foundation + a fully operational Mythos delta-pass auto-runner. 12 commits since v0.8.1. Headline changes: - Cross-component stream<T> pairing detection (#141, ADR-3). The StreamPairGraph foundation for the in-module stream adapter: meld now inventories at resolve time which fused components form producer -> consumer stream pairings. The ring-buffer / copy-chain emitter is a runtime-verified follow-up (ADR-3 Path N). - Mythos delta-pass auto-runner (#162, #164, #170, #173, #175). The AI-driven discover protocol now runs automatically on every Tier-5 PR by the maintainer, via claude-code-action on a Max-plan OAuth token. Five plumbing fixes brought it to a working end-to-end state: scan -> NO_FINDINGS verdict -> sticky comment -> mythos-pass-done label. - LS-N verification gate (#161, #165). Every approved loss-scenario in safety/stpa/loss-scenarios.yaml is now enforced to have a matching ls_<letter>_<num>_* regression test; 19/19 verified. - DWARF / witness-mapping discovery (#131) — Phase 1 of the #130 epic; pins today's lossy passthrough as the green-to-red oracle for the Phase 2 remap work. - Regression coverage for LS-A-8/9/19 and LS-CP-4 (#163/165/166/169) — closed every missing-test entry the LS-N gate surfaced. - CI footprint reduction (#171) — bench/fuzz/ci skip on docs- and safety-only PRs; meld is a leaner consumer of the shared fleet. - fuzz.yml musl-target drop (#170, closes #168) — fixes the recurring "sanitizer incompatible with statically linked libc" fuzz failures. Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two CI workflow plumbing fixes bundled. Both surfaced by PR #169's matrix scan once smithy's #167 (unzip) fix landed on the runner image.
Fix 1: drop musl target from
fuzz.yml(closes #168)Per smithy team's root-cause analysis on #168:
The "sanitizer is incompatible with statically linked libc" error was NOT runner config drift. All 7 rust-cpu runners have identical toolchains. The actual problem:
dtolnay/rust-toolchain@nightly with: targets: x86_64-unknown-linux-muslinstalled the musl toolchain target. cargo-fuzz's--releasereuse path can pick up a musl-built artifact on cache restore, and musl statically links libc which is incompatible with the AddressSanitizer cargo-fuzz injects.targets: x86_64-unknown-linux-muslfrom toolchain installactions/cachekey prefix tov2-The musl target isn't referenced anywhere else in the repo (
grep -rn musl meld-core/ fuzz/→ 0 matches outside the dropped line).Fix 2: add
id-token: writetomythos-auto.ymlAfter #167's unzip fix landed and PR #169's matrix scan ran far enough to invoke claude-code-action, a third plumbing issue surfaced:
claude-code-action calls
core.getIDToken()early insetupGitHubToken. The OIDC issuer URL is injected asACTIONS_ID_TOKEN_REQUEST_URLenv var only when the workflow haspermissions.id-token: write. Adds the permission with inline rationale.The token is workflow-scoped and signed by GitHub; doesn't grant access beyond what the workflow already has.
Test plan
gh run rerun --failedSequencing
🤖 Generated with Claude Code