Add webhook + fieldpath fuzz tests with scheduled CI

[BergCyrill]

Why

OSSF Scorecard Fuzzing (Medium) was unsatisfied — no Fuzz* functions in the repo. The webhook is the highest-value target: it decodes externally-supplied AdmissionReview JSON on the admission hot path, and a panic there fails admission for every gated API call.
Addresses issue #57

What

• FuzzResolve in internal/fieldpath/ — fuzzes the dot-path resolver called from the webhook's deletion-validator loop.
• FuzzObjectFromRequest in internal/webhook/ — fuzzes the admission-request JSON decode + the OldObject / Object selection.
• .github/workflows/fuzz.yaml — weekly schedule + workflow_dispatch with configurable fuzztime; matrix over both targets; uploads any discovered corpus on failure. Uses go-version-file: go.mod.

Test plan

• go test ./internal/fieldpath/... ./internal/webhook/... passes (seed corpus runs cleanly)
• FuzzResolve for 2m locally → 106M execs, 18 interesting inputs, no crash
• FuzzObjectFromRequest for 2m locally → 2.6M execs, 282 interesting inputs, no crash
• actionlint clean on the new workflow
• Next Scorecard run shows Fuzzing satisfied

Summary by CodeRabbit

• Tests
  • Added automated fuzz testing workflow via GitHub Actions with weekly scheduling and on-demand execution
  • Added fuzz tests for core request processing and path resolution to improve code robustness through continuous fuzzing

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: da8d0964-64b5-497e-8b72-086559feba36

📥 Commits

Reviewing files that changed from the base of the PR and between 5d2b00f and 7fdff79.

📒 Files selected for processing (3)

• .github/workflows/fuzz.yaml
• internal/fieldpath/fieldpath_test.go
• internal/webhook/deletion_validator_test.go

---

📝 Walkthrough

Walkthrough

This pull request adds comprehensive Go fuzzing infrastructure to the repository. Two new fuzz tests exercise input-parsing logic in fieldpath resolution and webhook request validation, while a new GitHub Actions workflow automates their execution on a schedule and captures any discovered fuzz corpus for analysis.

Changes

Fuzzing Infrastructure and Tests

Layer / File(s)	Summary
Fieldpath resolution fuzzing internal/fieldpath/fieldpath_test.go	FuzzResolve tests the Resolve function with seeded path variants (missing fields, non-map traversals, empty/malformed paths) against nested objects and nil inputs.
Webhook deletion validation fuzzing internal/webhook/deletion_validator_test.go	FuzzObjectFromRequest generates raw JSON byte inputs and fuzzes objectFromRequest by toggling their placement in AdmissionRequest.Object and OldObject, then exercises name, namespace, and annotation getters on success.
Fuzz test orchestration and artifact handling .github/workflows/fuzz.yaml	GitHub Actions workflow runs two fuzz targets via matrix on a weekly schedule and manual trigger, accepts configurable fuzz time budgets, and uploads discovered fuzz corpus artifacts on failure.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly Related Issues

• Issue #57: Direct implementation of "Fuzzing tests" feature request; adds native Go fuzz targets for webhook payload handling and fieldpath input parsing as requested.

Poem

🐰 Fuzzing the paths both short and long,
Testing inputs, catching what's wrong,
Fuzz corpus blooms in workflows so bright,
Property-based tests spring forth overnight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding fuzz tests for webhook and fieldpath modules with scheduled CI workflow.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/no-ref/add-webhook-fuzz-tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[BergCyrill]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.