From 20053504ef159e319f5e1c703b3ac5ad745b5395 Mon Sep 17 00:00:00 2001 From: AI Review Bot Date: Sat, 16 May 2026 12:24:52 +0000 Subject: [PATCH] chore: update ai-review findings [ai-review-bot][failure] --- .amazonq/rules/triage-findings.md | 14 ++ .claude/skills/triage-findings/SKILL.md | 29 ++++ .codex/skills/triage-findings/SKILL.md | 45 ++++++ .../skills/triage-findings/agents/openai.yaml | 4 + .gemini/skills/triage-findings/SKILL.md | 29 ++++ .gitea/ai-review/findings.json | 128 ++++++++++++++++++ .github/copilot-instructions.md | 14 ++ .github/skills/triage-findings/SKILL.md | 14 ++ CLAUDE.md | 16 +++ GEMINI.md | 14 ++ 10 files changed, 307 insertions(+) create mode 100644 .amazonq/rules/triage-findings.md create mode 100644 .claude/skills/triage-findings/SKILL.md create mode 100644 .codex/skills/triage-findings/SKILL.md create mode 100644 .codex/skills/triage-findings/agents/openai.yaml create mode 100644 .gemini/skills/triage-findings/SKILL.md create mode 100644 .gitea/ai-review/findings.json create mode 100644 .github/copilot-instructions.md create mode 100644 .github/skills/triage-findings/SKILL.md create mode 100644 CLAUDE.md create mode 100644 GEMINI.md diff --git a/.amazonq/rules/triage-findings.md b/.amazonq/rules/triage-findings.md new file mode 100644 index 0000000..4b65ce1 --- /dev/null +++ b/.amazonq/rules/triage-findings.md @@ -0,0 +1,14 @@ +# Triage Findings + +When the task is to triage review findings, follow this workflow: + +1. Merge all findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1 after sorting. +5. Fix real issues with the smallest safe change. +6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check the issue after each fix. + +Use the repo-local `triage-findings` skill for the same workflow when running in Codex. 
diff --git a/.claude/skills/triage-findings/SKILL.md b/.claude/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..c4ab450 --- /dev/null +++ b/.claude/skills/triage-findings/SKILL.md @@ -0,0 +1,29 @@ +--- +name: triage-findings +description: Triage findings, fix real issues, and exclude false positives. +--- + +# Triage Findings + +## Use + +直接輸入:`triage-findings 問題原始檔(文字或截圖)` + +## Workflow + +1. Merge all findings. +2. Sort by severity: + - critical + - warning + - info +3. Renumber from 1. +4. Fix real issues. +5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +6. Add tests when behavior changes. + +## Output Rules + +- Keep the final list short. +- Keep numbering contiguous. +- Preserve file path, location, and fix. +- When writing exclusions, prefer the original issue text over paraphrased rewrites. diff --git a/.codex/skills/triage-findings/SKILL.md b/.codex/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..21476cb --- /dev/null +++ b/.codex/skills/triage-findings/SKILL.md 
@@ -0,0 +1,45 @@ +--- +name: triage-findings +description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions. +--- + +# Triage Findings + +## When To Use + +Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list. +It is also used when some findings are false positives and should be moved into the exclusions list. + +## Workflow + +1. Collect all findings into one list. +2. Merge duplicates into a single finding when they describe the same issue. +3. Sort the final list by severity: + - critical + - warning + - info +4. Renumber the sorted list from 1 upward. +5. Rewrite each finding concisely so the final list reads cleanly and consistently. +6. If a finding is a false positive, do not keep it in the final list. +7. Add false positives to the exclusions list using the existing schema in the repo or task context, and preserve the original finding wording as much as possible, including language and semantics. + +## Resolution Flow + +After the list is merged and ordered, resolve the remaining findings one by one. + +1. Start from the highest severity item. +2. Identify the root cause in the relevant file or context. +3. Apply the smallest safe change that fixes the issue. +4. Add or update tests when behavior changes. +5. Re-check the issue after the change. +6. If the item is confirmed false positive, move it to exclusions instead of changing code. +7. Continue until the list is either fixed or explicitly excluded. + +## Output Rules + +- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable. +- Keep numbering contiguous after filtering and merging. +- Preserve useful details like file path, location, and suggested fix. +- Keep exclusions entries minimal and consistent with the project schema. 
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema. +- If the source already provides a severity or title, keep it unless it conflicts with the final ordering. diff --git a/.codex/skills/triage-findings/agents/openai.yaml b/.codex/skills/triage-findings/agents/openai.yaml new file mode 100644 index 0000000..6f59e2c --- /dev/null +++ b/.codex/skills/triage-findings/agents/openai.yaml @@ -0,0 +1,4 @@ +interface: + display_name: "Triage Findings" + short_description: "Triage, sort, fix, and exclude review findings" + default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to exclusions." diff --git a/.gemini/skills/triage-findings/SKILL.md b/.gemini/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..c4ab450 --- /dev/null +++ b/.gemini/skills/triage-findings/SKILL.md @@ -0,0 +1,29 @@ +--- +name: triage-findings +description: Triage findings, fix real issues, and exclude false positives. +--- + +# Triage Findings + +## Use + +直接輸入:`triage-findings 問題原始檔(文字或截圖)` + +## Workflow + +1. Merge all findings. +2. Sort by severity: + - critical + - warning + - info +3. Renumber from 1. +4. Fix real issues. +5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +6. Add tests when behavior changes. + +## Output Rules + +- Keep the final list short. +- Keep numbering contiguous. +- Preserve file path, location, and fix. +- When writing exclusions, prefer the original issue text over paraphrased rewrites. diff --git a/.gitea/ai-review/findings.json b/.gitea/ai-review/findings.json new file mode 100644 index 0000000..e4c5001 --- /dev/null +++ b/.gitea/ai-review/findings.json 
@@ -0,0 +1,128 @@ +[ + { + "level": "critical", + "role": "Zara", + "location": "entrypoint.sh:91", + "suggestion": "目前的 `curl` 呼叫 (`release_json=\"$(curl -fsS \"${auth_header[@]}\" \"$release_api_url\")\"`) 沒有處理 Gitea API 的分頁機制。Gitea 的發布 API (`/api/v1/repos/{owner}/{repo}/releases`) 通常會限制單次請求返回的發布數量(例如,預設可能只返回 30 個)。這會導致腳本無法取得所有發布資訊,進而無法正確計算總發布數量 (`release_count`),也無法刪除超出第一頁限制的舊版本成品。這是一個嚴重的正確性問題,會導致清理功能失效。建議修改腳本,透過迴圈多次呼叫 API,每次增加 `page` 參數,並將所有頁面的發布資訊合併成一個完整的 JSON 陣列,直到 API 返回空列表為止。這將確保腳本能夠全面且正確地執行清理任務。", + "is_new": true + }, + { + "level": "critical", + "role": "Rex", + "location": "Dockerfile:4", + "suggestion": "移除 `apk add` 命令中的 `--no-check-certificate` 旗標。禁用憑證檢查會使 Docker 映像檔的建置過程容易受到中間人攻擊,導致惡意套件注入。請確保套件來源的信任鏈完整性。", + "is_new": true + }, + { + "level": "critical", + "role": "Aria", + "location": "a/Dockerfile", + "suggestion": "Dockerfile 檔案結尾應包含一個換行符,以符合 POSIX 規範並避免某些工具處理時發生問題。", + "is_new": true + }, + { + "level": "critical", + "role": "Aria", + "location": "a/entrypoint.sh", + "suggestion": "Shell 腳本檔案結尾應包含一個換行符,以符合 POSIX 規範並避免某些工具處理時發生問題。", + "is_new": true + }, + { + "level": "critical", + "role": "Maya", + "location": "entrypoint.sh", + "suggestion": "此腳本缺少單元測試。建議引入一個 shell 腳本測試框架(例如 `bats` 或 `shunit2`),並為 `is_empty_or_null`、`require_value`、`require_integer` 等輔助函數以及主要邏輯流程編寫單元測試,以確保其行為符合預期。", + "is_new": true + }, + { + "level": "critical", + "role": "Maya", + "location": "entrypoint.sh", + "suggestion": "此腳本與外部 Gitea API 互動,但缺少整合測試。建議建立整合測試,使用模擬 Gitea 伺服器(或測試環境)來驗證腳本的端到端流程,包括成功刪除、錯誤處理(例如無效的 RUNNER_TOKEN、API 錯誤響應)以及邊界條件。", + "is_new": true + }, + { + "level": "warning", + "role": "Rex", + "location": "entrypoint.sh:100", + "suggestion": "環境變數 `GITEA_SERVER_URL` 被直接用於 `curl` 命令中,以構建 API 請求。如果此變數可被攻擊者控制,可能導致伺服器端請求偽造 (SSRF) 漏洞,使程式向任意內部或外部主機發送請求。建議對 `GITEA_SERVER_URL` 進行嚴格的驗證,確保其指向預期且受信任的 Gitea 實例,例如使用白名單限制允許的網域或 IP 範圍。", + "is_new": true + }, + { + "level": "warning", + "role": "Aria", + "location": "a/Dockerfile:6", + "suggestion": "`COPY` 
指令的縮排不一致,建議保持統一的縮排風格(例如,與 `RUN` 指令對齊),以提高程式碼可讀性。", + "is_new": true + }, + { + "level": "warning", + "role": "Aria", + "location": "a/entrypoint.sh", + "suggestion": "腳本中存在不一致的縮排風格,建議統一使用 2 或 4 個空格進行縮排,以提高程式碼可讀性。", + "is_new": true + }, + { + "level": "warning", + "role": "Aria", + "location": "a/entrypoint.sh:4-20", + "suggestion": "參數檢查和錯誤處理邏輯重複且分散,建議將常見的驗證和日誌輸出邏輯抽象為輔助函數,以提高程式碼的模組化和可維護性。", + "is_new": true + }, + { + "level": "warning", + "role": "Aria", + "location": "a/entrypoint.sh", + "suggestion": "腳本中所有變數都使用大寫命名,這可能導致環境變數與腳本內部變數難以區分。建議對腳本內部使用的變數採用小寫加底線 (snake_case) 命名,而環境變數則保持大寫,以增強命名語義的清晰度。", + "is_new": true + }, + { + "level": "warning", + "role": "Maya", + "location": "entrypoint.sh:75", + "suggestion": "在取得成品資訊的 `curl` 請求中,雖然使用了 `-fsS`,但並未明確檢查 HTTP 狀態碼。如果 Gitea API 返回 401/403 等認證或權限錯誤,腳本可能會因為 `jq` 處理空或錯誤 JSON 而失敗,但錯誤訊息不夠明確。建議在 `curl` 請求後檢查 HTTP 狀態碼,特別是對於認證相關的錯誤,提供更清晰的錯誤提示。", + "is_new": true + }, + { + "level": "warning", + "role": "Maya", + "location": "entrypoint.sh:58", + "suggestion": "對於 `KEEP_COUNT` 參數,雖然 `require_integer` 確保了非負整數,但建議在整合測試中特別包含 `KEEP_COUNT=0`(應刪除所有成品)和 `KEEP_COUNT=1`(應保留最新一個成品)的測試案例,以確保這些邊界條件下的刪除邏輯正確無誤。", + "is_new": true + }, + { + "level": "warning", + "role": "Maya", + "location": "entrypoint.sh:75, 76, 100", + "suggestion": "腳本中有多處 `curl` 和 `jq` 的調用,雖然 `set -Eeuo pipefail` 有助於錯誤處理,但對於網路瞬時錯誤或 API 服務不穩定,腳本會直接退出。建議考慮為 `curl` 請求添加重試機制,並為 `curl` 和 `jq` 的失敗提供更具體的錯誤處理邏輯,例如捕獲錯誤並輸出詳細訊息,而不是僅依賴 `pipefail`。", + "is_new": true + }, + { + "level": "info", + "role": "Leo", + "location": "entrypoint.sh", + "suggestion": "雖然程式碼的可讀性已大幅提升,但考慮為新引入的輔助函式(如 `separator`, `section`, `info`, `success`, `warn`, `fail`, `is_empty_or_null`, `require_value`, `require_integer`)添加簡要的註解,說明其用途,這將有助於新開發者快速理解。", + "is_new": true + }, + { + "level": "info", + "role": "Rex", + "location": "entrypoint.sh:116", + "suggestion": "從 JSON 回應中提取的值(如 `release_id`、`release_tag`、`release_name`)被用於構建 URL 和日誌訊息。儘管 `jq` 和 shell 引用提供了一定保護,但如果 JSON 
回應本身不可信或被惡意篡改,這些值仍可能被用於注入惡意資料。建議對這些提取的值進行額外的驗證或淨化(例如,確保 `release_id` 是整數,`release_tag` 和 `release_name` 符合預期模式),尤其是在將它們用於關鍵操作或日誌記錄之前。", + "is_new": true + }, + { + "level": "info", + "role": "Maya", + "location": "entrypoint.sh:54", + "suggestion": "對於 `GITEA_SERVER_URL` 參數,除了檢查是否為空或 'null',建議增加基本的 URL 格式驗證,以確保其為有效的 URL 格式,避免 `curl` 在無效 URL 時產生非預期的行為。", + "is_new": true + }, + { + "level": "info", + "role": "Maya", + "location": "entrypoint.sh:55", + "suggestion": "對於 `GITEA_REPOSITORY` 參數,建議增加格式驗證,確保其符合 `owner/repo` 的預期格式,避免因格式錯誤導致 API 請求失敗。", + "is_new": true + } +] diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md new file mode 100644 index 0000000..f1a77ef --- /dev/null +++ b/.github/copilot-instructions.md @@ -0,0 +1,14 @@ +# Triage Findings + +Use the triage-finding workflow for review issue lists: + +1. Merge findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1. +5. Fix real issues with the smallest safe change. +6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check after each fix. + +The full reusable skill lives in `.claude/skills/triage-findings/SKILL.md`. diff --git a/.github/skills/triage-findings/SKILL.md b/.github/skills/triage-findings/SKILL.md new file mode 100644 index 0000000..8ca4117 --- /dev/null +++ b/.github/skills/triage-findings/SKILL.md 
@@ -0,0 +1,14 @@ +# Triage Findings + +Use the triage-finding workflow for review issue lists: + +1. Merge findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1. +5. Fix real issues with the smallest safe change. +6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check after each fix. + +The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`. diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..fa2403d --- /dev/null +++ b/CLAUDE.md @@ -0,0 +1,16 @@ +# Triage Findings + +When the task is to triage review findings, follow this workflow: + +1. Merge all findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1 after sorting. +5. Fix real issues with the smallest safe change. +6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check the issue after each fix. + +Use the repo-local `triage-findings` skill for the same workflow when running in Codex. + +Trigger it with `/triage-findings`. diff --git a/GEMINI.md b/GEMINI.md new file mode 100644 index 0000000..8ca4117 --- /dev/null +++ b/GEMINI.md 
@@ -0,0 +1,14 @@ +# Triage Findings + +Use the triage-finding workflow for review issue lists: + +1. Merge findings into one list. +2. Remove duplicates. +3. Sort by severity: `critical` -> `warning` -> `info`. +4. Renumber from 1. +5. Fix real issues with the smallest safe change. +6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible. +7. Add or update tests when behavior changes. +8. Re-check after each fix. + +The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.
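Review bot: in `.amazonq/rules/triage-findings.md` the closing line `Use the repo-local \`triage-findings\` skill for the same workflow when running in Codex.` points an Amazon Q rules file at Codex; either drop the sentence or reference the skill Amazon Q would actually load. Step 6 of the same file sends false positives to `.gitea/ai-review/exclusions.json`, which this patch neither creates nor documents, so an agent following the rule has no schema to write against; add the file (an empty `[]` is enough) or describe the expected entry shape alongside the findings schema.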
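Review bot: the `## Use` section of `.claude/skills/triage-findings/SKILL.md` is the only Chinese text in an otherwise English skill file (`直接輸入:\`triage-findings 問題原始檔(文字或截圖)\``); add an English line so the invocation hint is readable to every agent that loads the skill. The workflow in this file also drops the `Remove duplicates` and `Re-check the issue after each fix` steps that `.amazonq/rules/triage-findings.md` and `CLAUDE.md` list, so the same skill behaves differently depending on which copy is read; align the step lists across the copies.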
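Review bot: step 7 of `.codex/skills/triage-findings/SKILL.md` lets the agent move any finding, `critical` ones included, into the exclusions list with no recorded justification, and step 6 says only `do not keep it in the final list`; because exclusions act as a suppression list for future review runs, require a reason per exclusion entry and treat exclusion of `critical` findings as a decision that needs human sign-off rather than an autonomous one. The output rule `then by any stable secondary order needed to make it readable` is also too vague to be reproducible; name the tiebreak explicitly, for example file path then line number.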
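Review bot: `.gemini/skills/triage-findings/SKILL.md` is byte-for-byte the same blob as `.claude/skills/triage-findings/SKILL.md` (both `index 0000000..c4ab450`), and `.github/skills/triage-findings/SKILL.md` likewise matches `GEMINI.md` (both `8ca4117`); four near-identical copies of the workflow will drift the first time one is edited. Keep one canonical skill file and make the per-tool files thin pointers to it, which `copilot-instructions.md` and `GEMINI.md` already half-do.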
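Review bot: the severity levels in `.gitea/ai-review/findings.json` are not calibrated across reviewers, so the sort-by-severity step that every instruction file in this patch prescribes will rank the two `critical` missing-trailing-newline entries (`a/Dockerfile`, `a/entrypoint.sh`) and the two `critical` missing-tests entries above the `warning` SSRF finding for `GITEA_SERVER_URL` at `entrypoint.sh:100`; normalise the levels before committing the file or have the triage step re-rate them. Several entries overlap and should be merged per the workflow's own rules: the SSRF warning at `entrypoint.sh:100` and the `info` URL-format check at `entrypoint.sh:54` describe the same input-validation gap, and the HTTP-status-check warning at `entrypoint.sh:75` overlaps the error-handling warning at `entrypoint.sh:75, 76, 100`. Locations also mix a diff-side prefix (`a/Dockerfile:6`) with bare paths (`entrypoint.sh:91`), and nothing records which revision of `entrypoint.sh` and `Dockerfile` was reviewed, so the line numbers cannot be trusted once those files change; strip the `a/` prefix and add a reviewed-ref field to the file.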
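Review bot: `.github/copilot-instructions.md` names the workflow `triage-finding` in `Use the triage-finding workflow for review issue lists:` while the skill is called `triage-findings` everywhere else; the same typo appears in `.github/skills/triage-findings/SKILL.md` and `GEMINI.md`. Its last line points Copilot at `.claude/skills/triage-findings/SKILL.md`, whereas the sibling `.github/skills/triage-findings/SKILL.md` points at `.gemini/skills/triage-findings/SKILL.md`; the two GitHub-side files should agree on one canonical path.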
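Review bot: `.github/skills/triage-findings/SKILL.md` has no `name`/`description` front matter, unlike the `.claude` and `.codex` SKILL.md files, and its body only restates the eight steps and points at `.gemini/skills/triage-findings/SKILL.md`, so a tool reading `.github/skills` gets neither a self-describing skill nor the full resolution flow. Either add the front matter and point at the `.codex` copy, which is the only one with the `## Resolution Flow` section, or drop this file in favour of `copilot-instructions.md`.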
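Review bot: `CLAUDE.md` tells Claude to `Use the repo-local \`triage-findings\` skill for the same workflow when running in Codex`, a sentence copied from the Amazon Q rules file that names the wrong tool; the repo already has `.claude/skills/triage-findings/SKILL.md` and the `/triage-findings` trigger, so replace the Codex sentence with a reference to that path.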
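Review bot: `GEMINI.md` lists `Remove duplicates` (step 2) and `Re-check after each fix` (step 8) and then defers to `.gemini/skills/triage-findings/SKILL.md`, whose workflow contains neither step; either add both steps to the Gemini skill file or point `GEMINI.md` at a copy that includes everything it promises.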