fix(ci): drop musl target from fuzz.yml + add id-token to mythos-auto (#168)

.github/workflows/fuzz.yml

@@ -48,10 +48,22 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      # Do NOT install the `x86_64-unknown-linux-musl` toolchain target.
+      # musl statically links libc, which is incompatible with the
+      # AddressSanitizer that `cargo-fuzz` injects via
+      # `-Z sanitizer=address`. The build then fails with
+      #   error: sanitizer is incompatible with statically linked libc,
+      #          disable it using `-C target-feature=-crt-static`
+      # cargo-fuzz's `--release` reuse path can pick up a musl target if
+      # a stale `fuzz/target/` is restored from cache. We default to the
+      # host gnu target (no `targets:` line, no `--target` flag on
+      # `cargo fuzz run`) so the sanitizer stays compatible.
+      # Inputs here are workflow-static (no untrusted event payloads):
+      # `matrix.target` is hardcoded in the strategy matrix and
+      # `runner.os` is GitHub-provided runner metadata.
+      # See pulseengine/meld#168 for the recurring failure pattern.
       - name: Install nightly Rust
         uses: dtolnay/rust-toolchain@nightly
-        with:
-          targets: x86_64-unknown-linux-musl
 
       - name: Install cargo-fuzz
         run: cargo install cargo-fuzz --locked
@@ -64,8 +76,12 @@ jobs:
             ~/.cargo/registry/index/
             ~/.cargo/registry/cache/
             ~/.cargo/git/db/
-          key: ${{ runner.os }}-fuzz-${{ matrix.target }}-${{ hashFiles('fuzz/Cargo.toml', 'meld-core/Cargo.toml') }}
-          restore-keys: ${{ runner.os }}-fuzz-${{ matrix.target }}-
+          # Cache key version-bumped to `v2-` once to bust any snapshots
+          # taken while the toolchain still had musl as an extra target
+          # (#168). Bump again if a future change should invalidate all
+          # existing caches in lock-step.
+          key: ${{ runner.os }}-fuzz-v2-${{ matrix.target }}-${{ hashFiles('fuzz/Cargo.toml', 'meld-core/Cargo.toml') }}
+          restore-keys: ${{ runner.os }}-fuzz-v2-${{ matrix.target }}-
 
       - name: Run target for 60 s
         run: cargo +nightly fuzz run --release "$FUZZ_TARGET" -- -max_total_time=60

.github/workflows/mythos-auto.yml

@@ -60,6 +60,15 @@ concurrency:
 permissions:
   contents: read
   pull-requests: write
+  # `id-token: write` lets the action mint an OIDC token from the
+  # GitHub Actions OIDC issuer. claude-code-action calls
+  # `core.getIDToken()` (`@actions/core/lib/oidc-utils.js:71`) early in
+  # `setupGitHubToken`; without this permission the call throws
+  # "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable" and the
+  # action aborts before running its prompt. The token is workflow-
+  # scoped and signed by GitHub; it does not grant access to anything
+  # beyond what the workflow already has.
+  id-token: write
 
 jobs:
   detect:

CHANGELOG.md

@@ -24,6 +24,32 @@ All notable changes to this project will be documented in this file.
   18/19 verified to **19/19 — full coverage**. The advisory
   missing-bucket is now empty.
 
+- **Fuzz smoke `sanitizer is incompatible with statically linked
+  libc` recurrence** (`.github/workflows/fuzz.yml`, #168). The
+  toolchain install was requesting `x86_64-unknown-linux-musl` as
+  an extra target. cargo-fuzz's `--release` reuse path can pick up
+  that musl target on cache restore, and musl statically links libc
+  which is incompatible with the AddressSanitizer cargo-fuzz
+  injects. The fuzz_parse_component / fuzz_resolver_terminates
+  failures attributed to runner config-drift (#139 §3) were
+  actually workflow-side: same failure on the "good" runner-7 once
+  the musl cache hit. Drops the `targets: x86_64-unknown-linux-musl`
+  line and version-bumps the `actions/cache` key to `v2-` to
+  invalidate any contaminated snapshots. Root-cause analysis
+  contributed by smithy team on the #168 thread.
+
+- **mythos-auto.yml missing `id-token: write` permission**
+  (`.github/workflows/mythos-auto.yml`). After the unzip block on
+  rust-cpu runners cleared (#167), the next mythos-auto run
+  surfaced a third plumbing issue: claude-code-action calls
+  `core.getIDToken()` early in `setupGitHubToken`, which requires
+  the OIDC token issuer URL. Without `id-token: write` in
+  `permissions:`, the action gets "Unable to get
+  ACTIONS_ID_TOKEN_REQUEST_URL env variable" and aborts before
+  running its prompt. Adds the permission with an inline comment
+  explaining the requirement. Discovered by PR #169's matrix scan
+  on the now-unzip-fixed runner image.
+
 - **LS-A-9 regression coverage** (`meld-core/src/adapter/fact.rs`).
   PR fixed the callback-mode `if code == WAIT` branch that silently
   treated `POLL (3)` as a YIELD fall-through (dropping host-ready