
chore(ci): add timeout-minutes, harden fuzz script, extend CVE audit#626

Merged
Aureliolo merged 2 commits into main from chore/cicd-hardening
Mar 20, 2026

Conversation

Owner

@Aureliolo Aureliolo commented Mar 19, 2026

Summary

  • Add timeout-minutes to all 27 CI jobs across ci.yml, docker.yml, pages.yml, and cli.yml (5 for gates, 10 for lint/audit, 15-30 for test/build, 45 for fuzz, 60 for Docker builds)
  • Add set -euo pipefail to CLI fuzz discovery script and separate go test -list from grep so compile errors propagate instead of being silently masked by 2>/dev/null | grep ... || true
  • Extend CVE-2026-32767 Grype suppression audit date to 2026-06-17 (confirmed false positive: SiYuan Note CVE misattributed to libexpat)

Closes #605

Test plan

  • Verify all 27 jobs have timeout-minutes set (validated via Python script parsing YAML)
  • Verify fuzz script has set -euo pipefail and catches go test -list compile errors
  • Verify Grype audit date updated to 2026-06-17, aligned with Trivy expired_at
  • CI passes on this PR (workflow files are syntactically valid)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores

    • Added execution timeout limits across CI/CD jobs (5–60 minutes) to prevent hanging processes.
    • Improved fuzz testing error handling to surface failures instead of ignoring them.
    • Updated the audit/review date for a previously noted ignored vulnerability.
  • Documentation

    • Clarified container scanning guidance to run the CIS Docker Benchmark scan against all three images.

…d CVE audit

- Add timeout-minutes to all 27 jobs across ci.yml, docker.yml,
  pages.yml, and cli.yml (5 for gates, 10 for lint/audit, 15-30
  for test/build, 45 for fuzz, 60 for Docker builds)
- Add set -euo pipefail to CLI fuzz discovery script and separate
  go test -list from grep so compile errors propagate instead of
  being silently masked
- Extend CVE-2026-32767 Grype suppression audit date to 2026-06-17
  (confirmed false positive: SiYuan Note CVE misattributed to libexpat)

Closes #605

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
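The fuzz-script change described in the PR, as an added example that is not the project's own discovery script: the fragile `2>/dev/null | grep ... || true` pattern next to a hardened version that lets a compile failure of the package fail the job. It assumes `go test -list '^Fuzz' <pkg>` as the discovery command (the project's exact invocation is not shown on this page); the package paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not the project's own fuzz script: the fragile discovery
# pattern described in the PR next to a hardened version.
set -euo pipefail

# Fragile shape: `2>/dev/null` hides the compiler's diagnostics and `|| true`
# turns every non-zero status into success, so a package that fails to
# compile looks like a package with no fuzz targets and the job stays green.
# `set -o pipefail` does not help here, because `|| true` applies to the
# whole pipeline.
list_fuzz_targets_fragile() {
  local pkg="$1"
  go test -list '^Fuzz' "$pkg" 2>/dev/null | grep '^Fuzz' || true
}

# Hardened shape: run `go test -list` on its own, keep its stderr, and fail
# explicitly when it fails. The status is checked with `if !` rather than
# relying on `set -e` alone, because bash ignores -e inside a function that
# is itself called in a tested context (`if f; then`, `f || ...`), and
# `local out="$(...)"` would replace the status with local's own exit code.
# Filtering happens afterwards; grep exiting 1 (no match) is the legitimate
# "package has no fuzz targets" case and is the only non-zero status accepted.
list_fuzz_targets() {
  local pkg="$1"
  local out
  if ! out="$(go test -list '^Fuzz' "$pkg")"; then
    printf 'fuzz discovery: go test -list failed for %s (see output above)\n' "$pkg" >&2
    return 1
  fi
  # `go test -list` also prints a trailing "ok <pkg> <time>" line; keep only
  # the Fuzz* function names.
  printf '%s\n' "$out" | grep '^Fuzz' || [ $? -eq 1 ]
}
```

A CI step would then loop over the printed names and run each one, for instance with `go test -run '^$' -fuzz "^${name}\$" -fuzztime 60s "$pkg"`; with the hardened function, a package that no longer compiles stops the job at discovery time with the compiler output in the log instead of silently running zero targets.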
Contributor

github-actions bot commented Mar 19, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None


coderabbitai bot commented Mar 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0d625cfe-cb4a-44fa-a3fe-6cbe511007fb

📥 Commits

Reviewing files that changed from the base of the PR and between 871b386 and d1cbf28.

📒 Files selected for processing (1)
  • docs/security.md

Walkthrough

Added timeout-minutes to multiple GitHub Actions jobs across ci.yml, cli.yml, docker.yml, and pages.yml to enforce runtime limits. Updated the CLI fuzz-target discovery script to enable strict shell behavior and surface go test -list failures instead of ignoring them. Extended the Grype suppression audit date for the libexpat entry.

🚥 Pre-merge checks: 5 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The PR title 'chore(ci): add timeout-minutes, harden fuzz script, extend CVE audit' directly and accurately summarizes the three main changes made across the changeset.
  • Linked Issues check: Passed. All three coding objectives from issue #605 are fully addressed: timeout-minutes added to 27 CI jobs across four workflows [#605], fuzz script hardened with set -euo pipefail and error propagation [#605], and Grype CVE audit date extended to 2026-06-17 [#605].
  • Out of Scope Changes check: Passed. All changes are directly scoped to issue #605 requirements. The Trivy documentation update in docs/security.md clarifying the CIS benchmark scanning scope is a minor supporting change; no unrelated modifications detected.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

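The timeout-minutes validation the PR describes (a script parsing the workflow YAML to confirm every job sets a limit), as an added example rather than the project's validator, written in shell and awk so it can run as a CI gate without extra tooling. The workflow it embeds is constructed sample input, not one of the project's four workflow files, and the layout it assumes (job ids at two-space indent, job keys at four) is stated in the code.

```shell
#!/usr/bin/env bash
# Added example, not the project's validator: a gate that fails when any job
# in a GitHub Actions workflow file lacks a job-level timeout-minutes.
set -euo pipefail

# jobs_missing_timeout FILE
#   Prints the ids of jobs under `jobs:` that have no job-level
#   `timeout-minutes:`; returns 1 if any are missing, 0 otherwise.
# Assumption (this is not a full YAML parser): the file uses the conventional
# layout of job ids at two-space indent and job keys at four-space indent.
# A `timeout-minutes:` at six or more spaces belongs to a step and does not
# count: a step timeout does not bound the job, which otherwise runs until
# the platform default of 360 minutes.
jobs_missing_timeout() {
  local missing
  missing="$(awk '
    /^jobs:[[:space:]]*$/        { in_jobs = 1; next }
    in_jobs && /^[^[:space:]#]/  { in_jobs = 0 }   # next top-level key ends the jobs map
    !in_jobs                     { next }
    /^  [A-Za-z0-9_-]+:/ {                          # a job id
      if (job != "" && !seen) print job
      job = $1; sub(/:$/, "", job); seen = 0
      next
    }
    /^    timeout-minutes:/      { seen = 1 }       # exactly four spaces: job level
    END { if (job != "" && !seen) print job }
  ' "$1")"
  if [ -n "$missing" ]; then
    printf '%s\n' "$missing"
    return 1
  fi
}

# write_sample_workflow FILE : writes a constructed workflow (sample input
# for this example, not one of the project's files) with two compliant jobs,
# one job with no timeout at all, and one with only a step-level timeout.
write_sample_workflow() {
  cat >"$1" <<'EOF'
name: ci
on: [push]
jobs:
  gate:
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - run: echo gate
  lint:
    runs-on: ubuntu-latest
    steps:
      - run: echo lint
  fuzz:
    runs-on: ubuntu-latest
    timeout-minutes: 45
    steps:
      - name: step with its own limit
        timeout-minutes: 10
        run: echo fuzz
  docker:
    runs-on: ubuntu-latest
    steps:
      - timeout-minutes: 10
        run: echo docker
permissions:
  contents: read
EOF
}
```

Run it over every workflow in a pre-commit hook or a CI gate, for example `for f in .github/workflows/*.yml; do jobs_missing_timeout "$f" || fail=1; done; exit "${fail:-0}"`; on the sample file it lists `lint` and `docker`, the two jobs a hung process could keep alive for the full default six hours.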

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on improving the reliability and security of the CI/CD pipeline. It introduces timeouts to prevent indefinite job executions, hardens the fuzzing script to catch compile errors, and extends the CVE audit to address a false positive.

Highlights

  • CI Job Timeouts: Added timeout-minutes to all 27 CI jobs across ci.yml, docker.yml, pages.yml, and cli.yml, with varying durations based on job type.
  • Fuzz Script Hardening: Enhanced the CLI fuzz discovery script with set -euo pipefail to ensure compile errors propagate instead of being masked.
  • CVE Audit Extension: Extended the CVE-2026-32767 Grype suppression audit date to 2026-06-17 due to a confirmed false positive.
Ignored Files
  • Ignored by pattern: .github/workflows/** (4)
    • .github/workflows/ci.yml
    • .github/workflows/cli.yml
    • .github/workflows/docker.yml
    • .github/workflows/pages.yml

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces several CI improvements, including adding timeouts to jobs, hardening a fuzz script, and extending a CVE suppression audit date. The provided patch only covers the update to the .github/.grype.yaml file, which extends the audit date for a CVE suppression. This change is well-documented in the pull request description and appears correct. I have no specific comments on this change.

coderabbitai[bot]
coderabbitai bot previously approved these changes Mar 19, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@Aureliolo Aureliolo merged commit 25420e2 into main Mar 20, 2026
40 checks passed
@Aureliolo Aureliolo deleted the chore/cicd-hardening branch March 20, 2026 06:09
@Aureliolo Aureliolo temporarily deployed to cloudflare-preview March 20, 2026 06:09 — with GitHub Actions Inactive
Aureliolo added a commit that referenced this pull request Mar 20, 2026
🤖 I have created a release *beep* *boop*
---


##
[0.3.10](v0.3.9...v0.3.10)
(2026-03-20)


### Bug Fixes

* **ci:** generate required secrets in DAST workflow
([#623](#623))
([6ae297f](6ae297f))
* **cli:** doctor image check reads compose file and fix API docs URL
([#625](#625))
([5202e53](5202e53))
* **engine:** sanitize error messages in checkpoint reconciliation and
compaction summaries
([#632](#632))
([5394ed7](5394ed7))
* mitigate TOCTOU DNS rebinding gap in git clone SSRF prevention
([#633](#633))
([1846f6e](1846f6e))
* resolve post-startup log loss, add provider model discovery, and
improve setup wizard UX
([#634](#634))
([2df8d11](2df8d11))


### Maintenance

* bump https://github.com/astral-sh/ruff-pre-commit from v0.15.6 to
0.15.7 ([#628](#628))
([c641d2c](c641d2c))
* bump python from `584e89d` to `fb83750` in /docker/backend
([#627](#627))
([1a36eca](1a36eca))
* bump python from `584e89d` to `fb83750` in /docker/sandbox
([#629](#629))
([fd3e69a](fd3e69a))
* bump the minor-and-patch group across 2 directories with 3 updates
([#630](#630))
([67d14c4](67d14c4))
* bump the minor-and-patch group with 2 updates
([#631](#631))
([2e51b60](2e51b60))
* **ci:** add timeout-minutes, harden fuzz script, extend CVE audit
([#626](#626))
([25420e2](25420e2))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>


Development

Successfully merging this pull request may close these issues.

chore: CI/CD hardening -- timeouts, fuzz error handling, CVE review
