
feat(ci): add go-fuzz reusable workflow#129

Merged
bedatty merged 3 commits into develop from feat/go-fuzz-workflow
Mar 10, 2026

Conversation

@bedatty
Contributor

@bedatty bedatty commented Mar 10, 2026

Lerian

GitHub Actions Shared Workflows


Description

Add a new reusable workflow go-fuzz.yml for running Go fuzz tests across repositories.

Features:

  • Configurable Go version, fuzz command, and artifact paths
  • Automatic upload of fuzz failure artifacts on test failure
  • dry_run support for previewing configuration without executing tests
  • workflow_dispatch for manual testing

Files added:

  • .github/workflows/go-fuzz.yml — reusable workflow
  • docs/go-fuzz.md — documentation

Type of Change

  • feat: New workflow or new input/output/step in an existing workflow

Breaking Changes

None.

Testing

  • YAML syntax validated locally
  • Verified all existing inputs still work with default values
  • Checked that unrelated workflows are not affected

Caller repo / workflow run: flowker will consume this via @develop (PR pending)

Related Issues

N/A

Summary by CodeRabbit

  • New Features

    • Added a reusable GitHub Actions workflow to run Go fuzz tests with configurable runner type, Go version, fuzz command, artifact path, retention days, timeout, and a dry-run preview mode that captures artifacts on failure.
  • Documentation

    • Added user-facing docs describing inputs, usage scenarios (production/testing/custom), command requirements, permissions, and YAML examples for integrating the fuzz workflow.

Add reusable workflow for Go fuzz testing with configurable command,
Go version, artifact upload on failure, and dry_run support.
@bedatty bedatty requested a review from a team as a code owner March 10, 2026 18:31
@coderabbitai

coderabbitai bot commented Mar 10, 2026

Walkthrough

Adds a new reusable GitHub Actions workflow .github/workflows/go-fuzz.yml to run Go fuzz tests with configurable inputs, dry-run mode, and conditional artifact upload on failure. Also adds docs/go-fuzz.md documenting inputs, usage scenarios, examples, and artifact handling.

Changes

Cohort / File(s): Go Fuzz Workflow (.github/workflows/go-fuzz.yml)
Summary: New reusable workflow (workflow_call + workflow_dispatch) exposing inputs: runner_type, go_version, fuzz_command, fuzz_artifacts_path, artifacts_retention_days, timeout_minutes, dry_run. Single fuzz job uses actions/checkout@v6, actions/setup-go@v6; conditionally runs a dry-run summary or the provided fuzz_command; on failure (when not dry-run) uploads artifacts to fuzz-failures via actions/upload-artifact@v7. Permissions: contents: read.

Cohort / File(s): Fuzz Workflow Documentation (docs/go-fuzz.md)
Summary: New documentation detailing inputs, usage scenarios (production/testing/custom), required permissions, fuzz command requirements, artifact handling, and example YAML invocations of the reusable workflow.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name: Description check
Status: ⚠️ Warning
Explanation: The description covers the main objectives and features but lacks critical testing details required by the template. The 'Caller repo / workflow run' field is incomplete with only a vague reference instead of an actual validated workflow run link.
Resolution: Add a direct link to the validated workflow run from the flowker repository demonstrating that the new workflow executes correctly when consumed. Also confirm that secrets are not printed in logs.

✅ Passed checks (2 passed)

Check name: Title check
Status: ✅ Passed
Explanation: The title accurately describes the main change: adding a new reusable Go fuzz workflow. It is concise, specific, and clearly conveys the primary purpose of the changeset.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai[bot]
coderabbitai bot previously requested changes Mar 10, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/go-fuzz.yml:
- Around line 78-90: The dry-run branch for inputs.dry_run only prints a summary
and never invokes the fuzz tool, so it doesn't validate the resolved inputs or
surface command-level issues; update the Dry run summary step to also run the
fuzz command in preview/verbose mode by invoking the same command used in the
"Run Fuzz Tests" step but with tool-native preview flags (e.g., add a dedicated
preview input or append --dry-run/--debug/--check/--plan/--diff as supported) so
that ${{ inputs.fuzz_command }} is exercised during dry runs; ensure you print
all resolved inputs/computed variables (runner_type, go_version, fuzz_command,
fuzz_artifacts_path, artifacts_retention_days) with ::notice:: annotations and
keep the real execution in the "Run Fuzz Tests" step unchanged so dry_run
validates configuration safely without performing full test runs.
- Around line 92-98: The artifact upload step is gated on global failure() which
is true for any earlier failure; add an id to the fuzz step (e.g., id: fuzz) and
change the upload step's condition to check that specific step's outcome (e.g.,
if: ${{ !inputs.dry_run && steps.fuzz.outcome == 'failure' }}), so artifacts are
only uploaded when the fuzz step (referenced as steps.fuzz) actually failed.

In `@docs/go-fuzz.md`:
- Around line 23-64: The examples reference a release tag that doesn't include
the new workflow (go-fuzz.yml@v1.12.0); update the snippet references so they
don't point to a tag that lacks the file — either change the production and
custom examples to use `@develop` (or a branch ref like `@feat/`<branch>) until a
release is made, or replace `@v1.12.0` with the actual first published tag that
contains go-fuzz.yml; ensure the with keys (go_version, dry_run, fuzz_command,
fuzz_artifacts_path) remain unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5092ade0-4ef1-402a-924c-e91e457fcaf9

📥 Commits

Reviewing files that changed from the base of the PR and between f4f4f69 and 9ab0775.

📒 Files selected for processing (2)
  • .github/workflows/go-fuzz.yml
  • docs/go-fuzz.md

@bedatty bedatty self-assigned this Mar 10, 2026
@bedatty bedatty dismissed coderabbitai[bot]’s stale review March 10, 2026 18:50

All comments addressed — 1 applied (artifact upload scope), 2 dismissed with justification (dry_run preview and version tag).

coderabbitai[bot]
coderabbitai bot previously requested changes Mar 10, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/go-fuzz.yml (1)

17-20: ⚠️ Potential issue | 🟠 Major

dry_run still skips the only real validation path.

This branch only prints a summary and never exercises a preview/debug variant of the fuzz invocation, so caller misconfiguration in fuzz_command still won't surface until a real run. With fuzz_command modeled as an opaque shell string, the workflow also has no safe way to append tool-native preview flags itself. Either own the go test invocation in this workflow, or add a dedicated fuzz_preview_command input and execute that here; also emit each resolved value via ::notice:: instead of plain echo.
As per coding guidelines, "When dry_run: true, use ::notice:: annotations to indicate dry run state, print every resolved input and computed variable, enable tool-native verbose/preview flags (--dry-run --debug, --check, --plan, --diff), and never skip silently."

Also applies to: 78-91

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/go-fuzz.yml around lines 17 - 20, The workflow currently
treats fuzz_command as an opaque string (default 'make fuzz-ci') and when
dry_run is true it only echoes a summary, so misconfigurations aren't validated;
add a new input fuzz_preview_command (or replace opaque string by owning the go
test invocation) and, when dry_run is true, run the preview invocation with
tool-native preview/verbose flags (e.g., --dry-run/--debug/--check/--plan/--diff
as supported) instead of skipping, emit every resolved input and computed
variable using ::notice:: (not plain echo), and ensure the logic that handles
dry_run prints the resolved fuzz_command and fuzz_preview_command via ::notice::
so callers can validate the full command string before real execution.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/go-fuzz.yml:
- Around line 93-99: The upload step "Upload Fuzz Artifacts" is never reached
because the current if: expression implicitly requires earlier success; change
the condition to explicitly allow runs on failed workflow status by using the
failure() check. Update the step's if expression (the one using inputs.dry_run
and steps.fuzz.outcome) to include failure(), e.g. combine !inputs.dry_run with
failure() (and you may keep steps.fuzz.outcome == 'failure' if you want both
checks) so the "Upload Fuzz Artifacts" step will run when the fuzz step
(steps.fuzz) fails.

---

Duplicate comments:
In @.github/workflows/go-fuzz.yml:
- Around line 17-20: The workflow currently treats fuzz_command as an opaque
string (default 'make fuzz-ci') and when dry_run is true it only echoes a
summary, so misconfigurations aren't validated; add a new input
fuzz_preview_command (or replace opaque string by owning the go test invocation)
and, when dry_run is true, run the preview invocation with tool-native
preview/verbose flags (e.g., --dry-run/--debug/--check/--plan/--diff as
supported) instead of skipping, emit every resolved input and computed variable
using ::notice:: (not plain echo), and ensure the logic that handles dry_run
prints the resolved fuzz_command and fuzz_preview_command via ::notice:: so
callers can validate the full command string before real execution.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d262ca1f-1e0f-4d1b-85b2-c573b8786c31

📥 Commits

Reviewing files that changed from the base of the PR and between 9ab0775 and 70f8d87.

📒 Files selected for processing (1)
  • .github/workflows/go-fuzz.yml

coderabbitai[bot]
coderabbitai bot previously requested changes Mar 10, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

♻️ Duplicate comments (1)
.github/workflows/go-fuzz.yml (1)

103-109: ⚠️ Potential issue | 🔴 Critical

Include failure() in the artifact-upload guard.

This condition is still implicitly wrapped in success(), so the step is skipped when Run Fuzz Tests fails. The fuzz artifacts never upload on the path they are meant to handle.

Suggested fix
       - name: Upload Fuzz Artifacts
-        if: ${{ !inputs.dry_run && steps.fuzz.outcome == 'failure' }}
+        if: ${{ !inputs.dry_run && failure() && steps.fuzz.outcome == 'failure' }}
         uses: actions/upload-artifact@v7
         with:
           name: fuzz-failures
           path: ${{ inputs.fuzz_artifacts_path }}
           retention-days: ${{ inputs.artifacts_retention_days }}
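Review bot: the suggested condition is the right shape, because `failure()` is the term that lifts the implicit `success()` wrapper on the step, and `steps.fuzz.outcome == 'failure'` then narrows the upload to the fuzz step rather than any earlier failure; the two terms must stay coupled, so it is worth a comment on the step noting that if the fuzz step ever receives `continue-on-error: true`, its `outcome` is still `'failure'` while `failure()` becomes false and the upload is silently skipped again. A second caveat for `path: ${{ inputs.fuzz_artifacts_path }}`: when the fuzz step fails before Go writes a corpus entry (a build error, for instance), upload-artifact finds no files and only warns, so state `if-no-files-found: warn` explicitly to make that behaviour intentional.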
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/go-fuzz.yml around lines 103 - 109, The Upload Fuzz
Artifacts step guard skips on job failure because it is implicitly wrapped in
success(); update the if condition on the "Upload Fuzz Artifacts" step to
include GitHub Actions' failure() check so artifacts upload when the fuzz step
or the job fails—for example, change the if to include failure(), e.g. replace
the existing condition using steps.fuzz.outcome with one that includes
failure(): if: ${{ !inputs.dry_run && (failure() || steps.fuzz.outcome ==
'failure') }}, keeping the existing inputs checks intact.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/go-fuzz.yml:
- Around line 87-96: The "Dry run summary" workflow step currently injects
caller-controlled inputs directly into the run script (echoing `${{ inputs.*
}}`), which is unsafe; change the step to pass each input via the step's env
mapping (e.g., map runner_type, go_version, fuzz_command, fuzz_artifacts_path,
artifacts_retention_days, timeout_minutes into environment variables) and in the
run script reference those env vars rather than interpolating inputs, printing
them with a safe formatter such as printf and "%q" (or printf "%s\n" "$VAR") to
avoid shell injection and preserve newlines/quotes; ensure all occurrences of
`${{ inputs.* }}` in the "Dry run summary" step are removed from the run block
and replaced by the corresponding environment variable references.

In `@docs/go-fuzz.md`:
- Line 8: Add a short "Rationale" section to docs/go-fuzz.md that explains why
we use the third-party actions actions/checkout, actions/setup-go, and
actions/upload-artifact (what each provides in the workflow: checking out code,
installing Go toolchain, and collecting failure artifacts), and call out that
these actions must be pinned to a specific tag or SHA (not `@main/`@master) with a
brief note on why each action/version was chosen (stability, community
maintenance, or required features) so callers understand the dependency choices
and upgrade surface.
- Around line 72-75: The fenced YAML block showing the example for fuzz_command
lacks surrounding blank lines which triggers markdownlint MD031; update the
documentation around the 'fuzz_command' example by inserting a blank line before
the opening ```yaml fence and a blank line after the closing ``` fence so the
nested code block is properly separated and renders correctly.

---

Duplicate comments:
In @.github/workflows/go-fuzz.yml:
- Around line 103-109: The Upload Fuzz Artifacts step guard skips on job failure
because it is implicitly wrapped in success(); update the if condition on the
"Upload Fuzz Artifacts" step to include GitHub Actions' failure() check so
artifacts upload when the fuzz step or the job fails—for example, change the if
to include failure(), e.g. replace the existing condition using
steps.fuzz.outcome with one that includes failure(): if: ${{ !inputs.dry_run &&
(failure() || steps.fuzz.outcome == 'failure') }}, keeping the existing inputs
checks intact.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: ASSERTIVE

Plan: Pro

Run ID: b1100acf-3d63-4a47-a977-67372cb165b0

📥 Commits

Reviewing files that changed from the base of the PR and between 70f8d87 and c389b2a.

📒 Files selected for processing (2)
  • .github/workflows/go-fuzz.yml
  • docs/go-fuzz.md
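The two fixes this review keeps returning to, shown together as an added worked example; this is not the PR's go-fuzz.yml (the file itself is not shown on this page) but a minimal reusable workflow written here to illustrate them: the dry-run summary passes caller inputs through env so the shell never re-parses them, and the upload step includes failure() so it runs when the fuzz step fails. The input names and the 'make fuzz-ci' default come from the review comments; the testdata/fuzz default, the runner label and the single checkout step are assumptions.

```yaml
on:
  workflow_call:
    inputs:
      fuzz_command:
        type: string
        default: "make fuzz-ci"
      fuzz_artifacts_path:
        type: string
        default: "testdata/fuzz"   # assumed default, not from the PR
      dry_run:
        type: boolean
        default: false

permissions:
  contents: read

jobs:
  fuzz:
    runs-on: ubuntu-latest          # assumed; the PR exposes runner_type
    steps:
      - uses: actions/checkout@v6

      # Pattern flagged in review: splicing `${{ inputs.fuzz_command }}` into
      # `run:` rewrites the script text, so shell metacharacters in the value
      # are executed rather than printed. Passing it through `env:` keeps it data.
      - name: Dry run summary
        if: ${{ inputs.dry_run }}
        env:
          FUZZ_COMMAND: ${{ inputs.fuzz_command }}
          FUZZ_ARTIFACTS_PATH: ${{ inputs.fuzz_artifacts_path }}
        run: |
          echo "::notice::dry_run=true, fuzz tests not executed"
          printf '::notice::fuzz_command=%q\n' "$FUZZ_COMMAND"
          printf '::notice::fuzz_artifacts_path=%q\n' "$FUZZ_ARTIFACTS_PATH"

      - name: Run Fuzz Tests
        id: fuzz            # the upload guard below checks this step's outcome
        if: ${{ !inputs.dry_run }}
        env:
          FUZZ_COMMAND: ${{ inputs.fuzz_command }}
        run: bash -c "$FUZZ_COMMAND"

      # failure() lifts the implicit success() wrapper; steps.fuzz.outcome
      # narrows the upload to a fuzz-step failure rather than any earlier one.
      - name: Upload Fuzz Artifacts
        if: ${{ !inputs.dry_run && failure() && steps.fuzz.outcome == 'failure' }}
        uses: actions/upload-artifact@v7
        with:
          name: fuzz-failures
          path: ${{ inputs.fuzz_artifacts_path }}
```

printf's %q is a bash feature, which is the default shell for run steps on GitHub-hosted Linux runners; it quotes the value so newlines and quotes survive into the annotation unchanged.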

@bedatty bedatty dismissed stale reviews from coderabbitai[bot] and coderabbitai[bot] March 10, 2026 19:20

All comments addressed — failure() bug acknowledged, will fix.

@bedatty bedatty merged commit 647b94d into develop Mar 10, 2026
1 check passed
@github-actions github-actions bot deleted the feat/go-fuzz-workflow branch March 10, 2026 19:25