
Add fuzzing workflow for OSSF Scorecard compliance#916

Draft
Copilot wants to merge 6 commits into main from copilot/add-fuzzing-checks-workflow

Conversation


Copilot AI commented Dec 14, 2025

Implements fuzzing infrastructure to satisfy OSSF Scorecard "Fuzzing" check without OSS-Fuzz integration.

Python fuzzing

  • Fuzzes dependatool CLI entrypoint using atheris
  • Runs 10k iterations in CI to verify harness works
  • Catches expected exceptions (SystemExit, RuntimeError, etc.) while allowing crashes to surface

Rust fuzzing

  • Fuzzes the toolshed-core library's Primitive enum using cargo-fuzz
  • Exercises clone, equality, and Debug formatting operations
  • Runs for 10 seconds in CI with the nightly toolchain (required for sanitizers)

Workflow

  • Two jobs: python-fuzzing and rust-fuzzing (names match Scorecard detection pattern)
  • Pinned to ubuntu-24.04 and action commit hashes
  • Triggers on push to main and PRs

Example Python fuzz harness:

import sys

import atheris

# Instrument the CLI module so atheris gets coverage feedback from it.
with atheris.instrument_imports():
    from dependatool.cmd import main


def TestOneInput(data: bytes) -> None:
    # Treat the fuzz input as a whitespace-separated argv for the CLI.
    args = data.decode('utf-8', errors='ignore').strip().split()
    if not args:
        return
    try:
        main(*args)
    except (ValueError, TypeError, SystemExit, RuntimeError):
        pass  # Expected from invalid CLI inputs


atheris.Setup(sys.argv, TestOneInput)
atheris.Fuzz()

Example Rust fuzz target:

#![no_main]

use libfuzzer_sys::fuzz_target;
use toolshed_core::Primitive; // the local toolshed-core crate (path ..)

fuzz_target!(|data: &[u8]| {
    // Only valid UTF-8 can become a Primitive::String; other inputs are skipped.
    if let Ok(s) = std::str::from_utf8(data) {
        let p = Primitive::String(s.to_string());
        let _ = p.clone();
        let _ = p == p.clone();
        let _ = format!("{:?}", p);
    }
});
Original prompt

The user wants to satisfy the OSSF Scorecard "Fuzzing" check for the phlax/toolshed repository.
The repository contains Python (in aio.core) and Rust (in rust/ workspace).
The user wants "proper" but "minimal" checks and specifically requested to AVOID Google OSS-Fuzz integration.

Please create a Pull Request that adds the following:

  1. GitHub Actions Workflow: Create .github/workflows/fuzzing.yml.

    • Trigger on push to main/master and pull_request.
    • Job 1: Python Fuzzing
      • Runs on ubuntu-latest.
      • Steps: Checkout, Setup Python, Install atheris (e.g., pip install atheris), Run the fuzz harness for a short duration (e.g., 10-30 seconds or 10000 runs) to verify it works.
    • Job 2: Rust Fuzzing
      • Runs on ubuntu-latest.
      • Steps: Checkout, Setup Rust (stable), Install cargo-fuzz (cargo install cargo-fuzz), Run the fuzz target (e.g., cargo fuzz run fuzz_target_1 -- -max_total_time=10) inside the rust/core directory.
  2. Python Fuzz Harness: Create aio.core/fuzz_test.py.

    • Content should import atheris.
    • Define a TestOneInput function.
    • Ideally, import aio.core and do something trivial with the input data (even just printing it or checking length) to simulate a test.
    • Call atheris.Setup and atheris.Fuzz.
  3. Rust Fuzz Harness: Create the necessary files for cargo-fuzz in rust/core.

    • Create rust/core/fuzz/Cargo.toml with libfuzzer-sys dependency and a dependency on the local toolshed-core (path ..).
    • Create rust/core/fuzz/fuzz_targets/fuzz_target_1.rs with a minimal fuzz_target! block that accepts &[u8] and does something trivial (e.g. let _ = data;).

Important: Ensure the workflow job names include the word "Fuzzing" so Scorecard detects them easily.
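As an added example (not the PR's harness and not dependatool's own code): a variant of the atheris CLI harness above that only swallows the exits a CLI legitimately raises, so a RuntimeError or an unexpected exit status still surfaces as a crash instead of being caught by a broad except clause. `_stub_main` is a constructed stand-in for the real entrypoint, and the `dependatool.cmd.main` import under `__main__` is assumed from the PR description.

```python
import sys
from collections.abc import Callable

# argparse exits 2 on a usage error and 0 on --help/--version; any other
# status escaping main() is a finding, not expected CLI behaviour.
EXPECTED_EXIT_CODES = {0, 2}
MAX_ARGS, MAX_ARG_LEN = 16, 256  # bound argv so the fuzzer cannot just grow inputs


def bytes_to_argv(data: bytes) -> list[str]:
    """Split raw fuzz bytes into a bounded argv (NUL-separated, invalid UTF-8 dropped)."""
    text = data.decode("utf-8", errors="ignore")
    return [arg[:MAX_ARG_LEN] for arg in text.split("\0") if arg][:MAX_ARGS]


def run_one(data: bytes, main: Callable[..., object]) -> str:
    """Run main(*argv) once; classify the outcome, re-raising anything unexpected."""
    argv = bytes_to_argv(data)
    if not argv:
        return "skipped"
    try:
        main(*argv)
    except SystemExit as exc:
        # SystemExit.code is None (== 0), an int, or a message string (== 1).
        code = exc.code if isinstance(exc.code, int) else (0 if exc.code is None else 1)
        if code in EXPECTED_EXIT_CODES:
            return "expected-exit"
        raise  # unexpected exit status: let the fuzzer record it as a crash
    except ValueError:
        return "expected-error"  # the CLI rejects malformed values this way
    # RuntimeError, TypeError, etc. are deliberately not caught: they are bugs.
    return "ok"


def _stub_main(*argv: str) -> None:
    """Constructed stand-in for the real entrypoint (hypothetical, not dependatool)."""
    if argv[0] == "--help":
        raise SystemExit(0)
    if argv[0] == "--bogus":
        raise SystemExit(2)
    if argv[0] == "--exit7":
        raise SystemExit(7)        # unexpected status, must propagate
    if argv[0] == "--boom":
        raise RuntimeError("bug")  # must propagate, not be swallowed


if __name__ == "__main__":
    import atheris  # only required when actually fuzzing
    with atheris.instrument_imports():
        from dependatool.cmd import main  # the PR's real target (assumed import path)
    atheris.Setup(sys.argv, lambda data: run_one(data, main))
    atheris.Fuzz()
```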



phlax and others added 2 commits July 29, 2025 19:42
Signed-off-by: Ryan Northey <ryan@synca.io>
Copilot AI and others added 4 commits December 14, 2025 17:24
Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
Co-authored-by: phlax <454682+phlax@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add fuzzing checks for Python and Rust in GitHub Actions" to "Add fuzzing workflow for OSSF Scorecard compliance" Dec 14, 2025
Copilot AI requested a review from phlax December 14, 2025 17:41