[task] Add fuzz tests for GitHub expression parser

[github-actions]

Objective

Implement fuzz testing for the GitHub expression parser to validate security controls against malicious expression injection attempts.

Context

This is part of the testing quality improvement initiative (discussion #3811). The expression parser validates GitHub Actions expressions in workflow files, which is security-critical for preventing injection attacks. Fuzz testing helps ensure the allowlist-based validation is robust.

Approach

1. Create pkg/workflow/expression_parser_fuzz_test.go
2. Implement func FuzzExpressionParser(f *testing.F)
3. Seed the fuzzer with:
   • Allowed GitHub expressions from the security allowlist
   • Potentially malicious injection attempts (script tags, command injection patterns)
   • Edge cases (empty expressions, very long expressions, nested delimiters)
4. Verify unauthorized expressions are properly rejected
5. Ensure no panic on malformed input

Files to Modify

• Create: pkg/workflow/expression_parser_fuzz_test.go
• Reference: pkg/workflow/expression_safety.go (validation logic)
• Reference: pkg/workflow/expression_safety_test.go (for seed data)

Acceptance Criteria

• Fuzz test function created with appropriate seed corpus
• Seeds include both allowed and disallowed expression patterns
• Unauthorized expressions are consistently rejected
• Parser handles all fuzzer-generated inputs without panic
• Test runs successfully with go test -fuzz=FuzzExpressionParser -fuzztime=10s
• Any discovered bypasses or edge cases are documented

Related

Part of testing improvement task 1 from discussion #3811
Related to #3811

AI generated by Plan Command for discussion #3811