From 4a38f83631efc450a9ebb0aa52aa545eaa1120aa Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Thu, 9 Apr 2026 13:10:51 +0100
Subject: [PATCH 1/3] Test building in CI

---
 .github/workflows/build.yml | 53 +++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 .github/workflows/build.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..f21ef34
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,53 @@
+name: Build
+
+permissions:
+  contents: read
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - '**.md'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+      cancel-in-progress: true
+    strategy:
+      fail-fast: false
+      matrix:
+        sanitizer:
+          - address
+          - memory
+          - undefined
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          repository: google/oss-fuzz
+          path: oss-fuzz
+
+      - name: Patch Dockerfile to use this ref
+        run: |
+          sed -i "s|git clone --depth 1 --branch main https://github.com/python/library-fuzzers.git|git clone --depth 1 --branch ${{ github.head_ref }} ${{ github.event.pull_request.head.repo.clone_url }} library-fuzzers|" \
+            oss-fuzz/projects/python3-libraries/Dockerfile
+
+      - name: Build fuzzers
+        run: |
+          cd oss-fuzz
+          python infra/helper.py build_fuzzers python3-libraries \
+            --engine libfuzzer \
+            --sanitizer ${{ matrix.sanitizer }} \
+            --architecture x86_64
+
+      # XXX: This may take too long?
+      - name: Check build
+        run: |
+          cd oss-fuzz
+          python infra/helper.py check_build python3-libraries \
+            --engine libfuzzer \
+            --sanitizer ${{ matrix.sanitizer }} \
+            --architecture x86_64

From f6528618158d334cf82bd45a3f56be3177557443 Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Thu, 9 Apr 2026 13:55:51 +0100
Subject: [PATCH 2/3] Timeout + remove `memory` for now

---
 .github/workflows/build.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f21ef34..3735a5d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,6 +13,7 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    timeout-minutes: 45
     concurrency:
       group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
       cancel-in-progress: true
@@ -21,7 +22,7 @@ jobs:
       matrix:
         sanitizer:
           - address
-          - memory
+          # - memory  Too slow for CI
           - undefined
 
     steps:
@@ -43,7 +44,6 @@ jobs:
             --sanitizer ${{ matrix.sanitizer }} \
             --architecture x86_64
 
-      # XXX: This may take too long?
       - name: Check build
         run: |
           cd oss-fuzz

From bca35f905e31f416513147b75e32e2ad9ef71f6f Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Thu, 9 Apr 2026 19:09:13 +0100
Subject: [PATCH 3/3] Apply suggestion from @hugovk

Co-authored-by: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
---
 .github/workflows/build.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3735a5d..df1f3f4 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,6 @@
 name: Build
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   pull_request: