Finish Fuzzer integration

[dholbach]

• Review and merge fuzzing PRs from https://github.com/orgs/fluxcd/projects/5
• Work with Ada Logics on switching
  > the git source in Flux’s OSS-fuzz integration from our forks to Flux’s own git
  > repositories (here).
  They
  > will furthermore complete the CIFuzz set up which is supported by OSS-fuzz.
• Enable static linking of C dependencies (missing source-controller and image-automation-controller)
  According to @hiddeco this is done, but
  > first needs to confirm it solves Libgit2 ED25519 check & clone respect context source-controller#445
  there is now
  > prepared work in Update libgit2 to v1.3.0 golang-with-libgit2#6
• Once all of the above is complete add the following manifest to .github/workflows in all repositories with fuzzers

name: CIFuzz
on: [pull_request]
jobs:
  Fuzzing:
    runs-on: ubuntu-latest
    steps:
    - name: Build Fuzzers
      id: build
      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
      with:
        oss-fuzz-project-name: 'fluxcd'
        language: go
    - name: Run Fuzzers
      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
      with:
        oss-fuzz-project-name: 'fluxcd'
        language: go
       fuzz-seconds: 60
    - name: Upload Crash
      uses: actions/upload-artifact@v1
      if: failure() && steps.build.outcome == 'success'
      with:
        name: artifacts
        path: ./out/artifacts

[pjbgf]

An additional item may be to update primary_contact to cncf-flux-security@lists.cncf.io here:
https://github.com/google/oss-fuzz/blob/master/projects/fluxcd/project.yaml#L3

[pjbgf]

The initial fuzzing coverage as requested by the audit is now done and fully integrated with the upstream oss-fuzz project.

Several improvements around this are in the backlog, including the migration to the fuzzing support natively supported by go 1.18, and the extension of coverage to other parts of the code base. Both of which will be tracked separately to this as they outlive the scope of the audit recommendations.

This can now be closed.