[Fuzzing] add cifuzz

[0x34d]

Add cifuzz for Continuous Integration of fuzzing in PR.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[0x34d]

@shukitchan can you merge?

[shukitchan]

A couple points to discuss:

1. In this early stage, we don't want the PR to be unmergeable if it is failing the cifuzz. Are you ok with that? We can check later on if we want to change that or not
2. The run took quite a while and it may be taking quite some resources. I am under the impression that all ASF shares some resources for running github actions and we may not want to run an action that took too much resources. I am checking with infrastructure team first.

[0x34d]

1. In this early stage, we don't want the PR to be unmergeable if it is failing the cifuzz. Are you ok with that? We can check later on if we want to change that or not

I think this is very normal; you can set aside the build failure. If there is an actual bug in the PR, you can try to fix it.
On that note, I think I have to make some changes in build.sh.

The run took quite a while and it may be taking quite some resources. I am under the impression that all ASF shares some resources for running github actions and we may not want to run an action that took too much resources. I am checking with infrastructure team first.

Yes, that's true. If you want then I can change the three sanitizers to only one ASAN, which is more important.

[shukitchan]

I was told that in other ASF projects with github actions, their PRs has to wait till a runner is available.
Perhaps we don't start off running these for every PRs? How about we start running them just every week to begin with?

[0x34d]

I was told that in other ASF projects with github actions, their PRs has to wait till a runner is available. Perhaps we don't start off running these for every PRs? How about we start running them just every week to begin with?

The core essence of cifuzz is to find bugs in PRs before they are merged.

[shukitchan]

Also it is failing "clang-format" now. That's because there is a trailing whitespace somewhere in your latest change.

[shukitchan]

I think we can give it a go.