diff --git a/.gitea/workflows/gentoo-utils.yml b/.gitea/workflows/gentoo-utils.yml
index 836c150..968bac4 100644
--- a/.gitea/workflows/gentoo-utils.yml
+++ b/.gitea/workflows/gentoo-utils.yml
@@ -4,7 +4,11 @@ on: [push]
 
 defaults:
   run:
-    shell: bash -l {0}
+    shell: bash -el -o pipefail {0}
+
+# fixes rare instances of git commands failing because TERM isnt set
+env:
+  TERM: xterm
 
 jobs:
   build-oci-image:
@@ -98,10 +102,6 @@ jobs:
 
       - name: build and check
         run: |
-          echo $USER
-          echo "CC=$CC"
-          echo "CXX=$CXX"
-          source /etc/profile
           meson setup -Dfuzz=enabled -Dtests=enabled -Dbuildtype=debugoptimized -Ddocs=enabled build
           meson compile -C build
 
@@ -125,6 +125,38 @@ jobs:
           meson compile -C build
           ninja test -C build
 
+  fuzz:
+    runs-on: brutalisk
+    env:
+      CC: 'clang'
+      CXX: 'clang++'
+      FUZZER_TIMEOUT_S: 300
+    needs: [build-oci-image, build]
+    container:
+      image: ${{ vars.REGISTRY_URL }}/${{ gitea.repository }}:${{ needs.build-oci-image.outputs.image_tag }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+
+      # FIXME: Get rid of this step when portage has fixes merged?
+      # needed because portage has fixes upstream we need that arent stable yet
+      - name: Checkout tip of portage
+        run: |
+          git clone https://github.com/gentoo/portage.git
+          cd portage
+          python -m venv .venv && ./.venv/bin/pip install -e .
+          source ./.venv/bin/activate
+          which emerge
+
+      - name: build and fuzz
+        run: |
+          source ./portage/.venv/bin/activate
+          which emerge
+          meson setup -Dfuzz=enabled -Dtests=enabled -Dbuildtype=debugoptimized build
+          meson compile atom_parser_fuzzer:alias -C build
+          timeout 10m ./scripts/atom_parser_fuzz.sh
+        continue-on-error: true
+
   check-format:
     runs-on: brutalisk
     needs: [build-oci-image]
@@ -164,5 +196,6 @@ jobs:
         uses: actions/checkout@v5
 
       - name: grep for patterns
+        # negate git grep ret code because 1 means no findings
         run: |
           git grep -E 'todo!|dbg!' -- '*.rs' && exit 1 || exit 0
diff --git a/scripts/atom_parser_fuzz.sh b/scripts/atom_parser_fuzz.sh
new file mode 100755
index 0000000..3222a51
--- /dev/null
+++ b/scripts/atom_parser_fuzz.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+in=$(mktemp -u) || exit $?
+out=$(mktemp -u) || exit $?
+
+mkfifo ${in} ${out} || exit $?
+
+./scripts/atom.py <${in} >${out} \
+    | ./build/fuzz/atom/parser/fuzzer >${in} <${out} \
+                                      ./build/atom_parser_fuzzer_corpus \
+                                      -max_total_time=${FUZZER_TIMEOUT_S:-600} \
+                                      -only_ascii=1 \
+                                      -timeout=2 \
+                                      -timeout_exitcode=0 \
+                                      "$@"