ci: buffer fuzz timeout above max_total_time so libFuzzer self-exits #40

Open

27Bslash6 wants to merge 1 commit into main from ci/fuzz-timeout-buffer

27Bslash6 (Contributor) commented May 31, 2026

What

Widen the outer `timeout` wrapping `cargo fuzz run` in both the Quick Fuzz and Deep Fuzzing jobs so it sits above libFuzzer's `-max_total_time`, not equal to it.

| Job | `timeout` | `-max_total_time` | Slack |
| --- | --- | --- | --- |
| Quick Fuzz | 120 → 150 | 120 | +30s |
| Deep Fuzzing | 28800 → 28980 | 28800 | +3min (within 540min job cap) |

Why

libFuzzer self-exits gracefully at `-max_total_time` with a final `Done N runs` + corpus consolidation. Its clock starts after build + corpus-load, so an equal outer `timeout` always wins the race — it SIGTERMs the process first, every run logs `run interrupted`, and a genuine hang becomes indistinguishable from normal end-of-budget completion. The buffer makes `timeout` a hang safety-net only.

Exit code 124 (`timeout` fired = real hang) remains tolerated.

Notes

Summary by CodeRabbit

Release Notes

  • Chores
    • Improved timeout handling in security workflow fuzzing tests to enhance graceful exit behaviour and prevent premature job termination. Updated timeout configurations and added clarifying documentation for fuzzing process management.

The outer `timeout` wrapping `cargo fuzz run` must exceed -max_total_time.
libFuzzer's clock starts after build + corpus-load, so an equal timeout
always wins the race and SIGTERMs the process before its graceful "Done"
self-exit — every run then logs "run interrupted", making a genuine hang
indistinguishable from normal end-of-budget completion.

- Quick Fuzz:   timeout 120   -> 150   (max_total_time stays 120, +30s slack)
- Deep Fuzzing: timeout 28800 -> 28980 (max_total_time stays 28800, +3min slack, within 540min job cap)

Exit code 124 (genuine hang killed by timeout) remains tolerated.
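
The race described in the PR description and commit message above, reproduced as an added example (not code from this PR or from the project's workflow). It assumes GNU coreutils `timeout`; the helper name `run_guarded`, the stand-in process that replaces `cargo fuzz run`, and all durations are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not the workflow's code. A constructed stand-in replaces
# `cargo fuzz run ... -- -max_total_time=N`:
#   phase 1: "build + corpus load" (STARTUP seconds, outside the inner clock)
#   phase 2: the inner budget; a healthy run exits 0 when it expires,
#            a hung run (HANG=1) never returns on its own.

# run_guarded BUDGET SLACK STARTUP HANG   (hypothetical helper name)
# Runs the stand-in under `timeout $((BUDGET + SLACK))` and prints one of:
#   self-exit | timeout-kill | failure:<code>
run_guarded() {
    budget=$1; slack=$2; startup=$3; hang=$4
    outer=$((budget + slack))
    inner=$budget
    # A hang is modelled as an inner phase longer than any outer limit.
    if [ "$hang" -eq 1 ]; then
        inner=$((outer + 60))
    fi

    rc=0
    timeout "$outer" sh -c 'sleep "$1"; sleep "$2"' stand-in \
        "$startup" "$inner" || rc=$?

    case $rc in
        0)   echo "self-exit" ;;      # inner clock expired first
        124) echo "timeout-kill" ;;   # outer timeout sent SIGTERM
        *)   echo "failure:$rc" ;;    # anything else, e.g. a crash
    esac
}

# Demo: run as `sh example.sh demo`.
if [ "${1:-}" = "demo" ]; then
    # Equal limits: healthy and hung runs are both killed by the outer timeout.
    echo "slack=0 healthy: $(run_guarded 1 0 1 0)"
    echo "slack=0 hung:    $(run_guarded 1 0 1 1)"
    # Buffered limit: only the hung run is killed by the outer timeout.
    echo "slack=2 healthy: $(run_guarded 1 2 1 0)"
    echo "slack=2 hung:    $(run_guarded 1 2 1 1)"
fi
```

With zero slack, any startup time at all makes the outer limit expire first, so the healthy and hung cases both report `timeout-kill`.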

coderabbitai Bot commented May 31, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6e04a24f-50dd-4e0b-af66-70587004d046

📥 Commits

Reviewing files that changed from the base of the PR and between 80355a4 and cab6ba3.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

Walkthrough

Updated security workflow timeout handling for libFuzzer fuzzing jobs. Quick Fuzz outer timeout increased from 120 to 150 seconds, Deep Fuzz from 28800 to 28980 seconds, both preserving their inner -max_total_time limits. Added explanatory comments detailing the timing race and exit code 124 tolerance rationale.

Changes

Fuzzing workflow timeout tuning

| Layer / File(s) | Summary |
| --- | --- |
| Quick Fuzz timeout adjustment (`.github/workflows/security.yml`) | Outer timeout increased to 150 seconds (from 120) while keeping -max_total_time=120, with comments explaining how the timing gap prevents misinterpreting normal libFuzzer completion as an interrupt or hang; exit code 124 tolerance preserved. |
| Deep Fuzz timeout adjustment (`.github/workflows/security.yml`) | Outer timeout increased to 28980 seconds (from 28800) while keeping -max_total_time=28800, with expanded comments documenting the 180-second slack to avoid job cap early termination and to keep hang/kill behaviour distinguishable from normal completion. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • cachekit-io/cachekit-core#33: Prior PR modified Deep Fuzzing timeout configuration; this PR builds on those changes by adding timeout slack and expanded documentation about libFuzzer clock timing.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly summarises the main change: buffering fuzz timeout above max_total_time to allow libFuzzer self-exits. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
