Merge pull request 'fix: clean up release workflows' (#16) from feat/ai_code_review into develop

Reviewed-on: #16

.amazonq/rules/triage-findings.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+When the task is to triage review findings, follow this workflow:
+
+1. Merge all findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1 after sorting.
+5. Fix real issues with the smallest safe change.
+6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check the issue after each fix.
+
+Use the repo-local `triage-findings` skill for the same workflow when running in Codex.

.claude/skills/triage-findings/SKILL.md

@@ -0,0 +1,29 @@
+---
+name: triage-findings
+description: Triage findings, fix real issues, and exclude false positives.
+---
+
+# Triage Findings
+
+## Use
+
+直接輸入：`triage-findings 問題原始檔(文字或截圖)`
+
+## Workflow
+
+1. Merge all findings.
+2. Sort by severity:
+   - critical
+   - warning
+   - info
+3. Renumber from 1.
+4. Fix real issues.
+5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+6. Add tests when behavior changes.
+
+## Output Rules
+
+- Keep the final list short.
+- Keep numbering contiguous.
+- Preserve file path, location, and fix.
+- When writing exclusions, prefer the original issue text over paraphrased rewrites.

.codex/skills/triage-findings/SKILL.md

@@ -0,0 +1,45 @@
+---
+name: triage-findings
+description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
+---
+
+# Triage Findings
+
+## When To Use
+
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.
+
+## Workflow
+
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
+   - critical
+   - warning
+   - info
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list using the existing schema in the repo or task context, and preserve the original finding wording as much as possible, including language and semantics.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.
+
+## Output Rules
+
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.

.codex/skills/triage-findings/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Triage Findings"
+  short_description: "Triage, sort, fix, and exclude review findings"
+  default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to exclusions."

.gemini/skills/triage-findings/SKILL.md

@@ -0,0 +1,29 @@
+---
+name: triage-findings
+description: Triage findings, fix real issues, and exclude false positives.
+---
+
+# Triage Findings
+
+## Use
+
+直接輸入：`triage-findings 問題原始檔(文字或截圖)`
+
+## Workflow
+
+1. Merge all findings.
+2. Sort by severity:
+   - critical
+   - warning
+   - info
+3. Renumber from 1.
+4. Fix real issues.
+5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+6. Add tests when behavior changes.
+
+## Output Rules
+
+- Keep the final list short.
+- Keep numbering contiguous.
+- Preserve file path, location, and fix.
+- When writing exclusions, prefer the original issue text over paraphrased rewrites.

.gitea/ai-review/exclusions.json

@@ -0,0 +1,177 @@
+[
+  {
+    "level": "critical",
+    "role": "Rex",
+    "location": "Dockerfile:4",
+    "suggestion": "移除 `apk add` 命令中的 `--no-check-certificate` 旗標。禁用憑證檢查會使 Docker 映像檔的建置過程容易受到中間人攻擊，導致惡意套件注入。請確保套件來源的信任鏈完整性。",
+    "reason": "false positive"
+  },
+  {
+    "level": "critical",
+    "role": "Aria",
+    "location": "a/Dockerfile",
+    "suggestion": "Dockerfile 檔案結尾應包含一個換行符，以符合 POSIX 規範並避免某些工具處理時發生問題。",
+    "reason": "false positive"
+  },
+  {
+    "level": "critical",
+    "role": "Aria",
+    "location": "a/entrypoint.sh",
+    "suggestion": "Shell 腳本檔案結尾應包含一個換行符，以符合 POSIX 規範並避免某些工具處理時發生問題。",
+    "reason": "false positive"
+  },
+  {
+    "level": "critical",
+    "role": "Maya",
+    "location": "entrypoint.sh",
+    "suggestion": "此腳本缺少單元測試。建議引入一個 shell 腳本測試框架（例如 `bats` 或 `shunit2`），並為 `is_empty_or_null`、`require_value`、`require_integer` 等輔助函數以及主要邏輯流程編寫單元測試，以確保其行為符合預期。",
+    "reason": "false positive"
+  },
+  {
+    "level": "critical",
+    "role": "Maya",
+    "location": "entrypoint.sh",
+    "suggestion": "此腳本與外部 Gitea API 互動，但缺少整合測試。建議建立整合測試，使用模擬 Gitea 伺服器（或測試環境）來驗證腳本的端到端流程，包括成功刪除、錯誤處理（例如無效的 RUNNER_TOKEN、API 錯誤響應）以及邊界條件。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Rex",
+    "location": "entrypoint.sh:100",
+    "suggestion": "環境變數 `GITEA_SERVER_URL` 被直接用於 `curl` 命令中，以構建 API 請求。如果此變數可被攻擊者控制，可能導致伺服器端請求偽造 (SSRF) 漏洞，使程式向任意內部或外部主機發送請求。建議對 `GITEA_SERVER_URL` 進行嚴格的驗證，確保其指向預期且受信任的 Gitea 實例，例如使用白名單限制允許的網域或 IP 範圍。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "a/Dockerfile:6",
+    "suggestion": "`COPY` 指令的縮排不一致，建議保持統一的縮排風格（例如，與 `RUN` 指令對齊），以提高程式碼可讀性。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "a/entrypoint.sh",
+    "suggestion": "腳本中存在不一致的縮排風格，建議統一使用 2 或 4 個空格進行縮排，以提高程式碼可讀性。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "a/entrypoint.sh:4-20",
+    "suggestion": "參數檢查和錯誤處理邏輯重複且分散，建議將常見的驗證和日誌輸出邏輯抽象為輔助函數，以提高程式碼的模組化和可維護性。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "a/entrypoint.sh",
+    "suggestion": "腳本中所有變數都使用大寫命名，這可能導致環境變數與腳本內部變數難以區分。建議對腳本內部使用的變數採用小寫加底線 (snake_case) 命名，而環境變數則保持大寫，以增強命名語義的清晰度。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Maya",
+    "location": "entrypoint.sh:75",
+    "suggestion": "在取得成品資訊的 `curl` 請求中，雖然使用了 `-fsS`，但並未明確檢查 HTTP 狀態碼。如果 Gitea API 返回 401/403 等認證或權限錯誤，腳本可能會因為 `jq` 處理空或錯誤 JSON 而失敗，但錯誤訊息不夠明確。建議在 `curl` 請求後檢查 HTTP 狀態碼，特別是對於認證相關的錯誤，提供更清晰的錯誤提示。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Maya",
+    "location": "entrypoint.sh:58",
+    "suggestion": "對於 `KEEP_COUNT` 參數，雖然 `require_integer` 確保了非負整數，但建議在整合測試中特別包含 `KEEP_COUNT=0`（應刪除所有成品）和 `KEEP_COUNT=1`（應保留最新一個成品）的測試案例，以確保這些邊界條件下的刪除邏輯正確無誤。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Maya",
+    "location": "entrypoint.sh:75, 76, 100",
+    "suggestion": "腳本中有多處 `curl` 和 `jq` 的調用，雖然 `set -Eeuo pipefail` 有助於錯誤處理，但對於網路瞬時錯誤或 API 服務不穩定，腳本會直接退出。建議考慮為 `curl` 請求添加重試機制，並為 `curl` 和 `jq` 的失敗提供更具體的錯誤處理邏輯，例如捕獲錯誤並輸出詳細訊息，而不是僅依賴 `pipefail`。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Leo",
+    "location": "entrypoint.sh",
+    "suggestion": "雖然程式碼的可讀性已大幅提升，但考慮為新引入的輔助函式（如 `separator`, `section`, `info`, `success`, `warn`, `fail`, `is_empty_or_null`, `require_value`, `require_integer`）添加簡要的註解，說明其用途，這將有助於新開發者快速理解。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Rex",
+    "location": "entrypoint.sh:116",
+    "suggestion": "從 JSON 回應中提取的值（如 `release_id`、`release_tag`、`release_name`）被用於構建 URL 和日誌訊息。儘管 `jq` 和 shell 引用提供了一定保護，但如果 JSON 回應本身不可信或被惡意篡改，這些值仍可能被用於注入惡意資料。建議對這些提取的值進行額外的驗證或淨化（例如，確保 `release_id` 是整數，`release_tag` 和 `release_name` 符合預期模式），尤其是在將它們用於關鍵操作或日誌記錄之前。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Maya",
+    "location": "entrypoint.sh:54",
+    "suggestion": "對於 `GITEA_SERVER_URL` 參數，除了檢查是否為空或 'null'，建議增加基本的 URL 格式驗證，以確保其為有效的 URL 格式，避免 `curl` 在無效 URL 時產生非預期的行為。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Maya",
+    "location": "entrypoint.sh:55",
+    "suggestion": "對於 `GITEA_REPOSITORY` 參數，建議增加格式驗證，確保其符合 `owner/repo` 的預期格式，避免因格式錯誤導致 API 請求失敗。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Zara",
+    "location": "entrypoint.sh:67",
+    "suggestion": "儘管已引入分頁機制，但腳本仍將所有分頁的發布資訊（`release_json`）聚合到記憶體中。對於擁有極大量發布（例如數萬個）的儲存庫，這可能導致記憶體使用量過高，進而影響效能或導致記憶體不足。建議考慮在處理大量資料時，避免將所有資料一次性載入記憶體，例如只提取必要的欄位（如ID和時間戳）進行排序和篩選，或在可能的情況下，利用API的伺服器端排序和過濾功能來減少客戶端處理的負擔。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "Dockerfile",
+    "suggestion": "檔案結尾應包含一個空行 (newline)，以符合 POSIX 規範並避免某些工具處理時發生問題。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "entrypoint.sh",
+    "suggestion": "檔案結尾應包含一個空行 (newline)，以符合 POSIX 規範並避免某些工具處理時發生問題。",
+    "reason": "false positive"
+  },
+  {
+    "level": "warning",
+    "role": "Aria",
+    "location": "tests/entrypoint_pagination.sh",
+    "suggestion": "檔案結尾應包含一個空行 (newline)，以符合 POSIX 規範並避免某些工具處理時發生問題。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Leo",
+    "location": "tests/entrypoint_pagination.sh",
+    "suggestion": "測試中 `jq` 的模擬實作（`jq.py`）雖然有效，但它重新實作了 `jq` 的部分功能。如果 `entrypoint.sh` 中 `jq` 的使用方式變得更複雜，這個模擬可能需要頻繁更新或變得脆弱。未來可以考慮使用更通用的方式來模擬 `jq` 的行為，例如透過環境變數或檔案輸入/輸出來控制其行為，而不是重新實作其邏輯。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Zara",
+    "location": "entrypoint.sh",
+    "suggestion": "腳本中頻繁呼叫 `jq` 命令（例如在循環中或多次處理同一變數時），每次呼叫都會啟動一個新的 `jq` 處理程序，這會產生一定的處理程序啟動開銷。雖然對於一般情況影響不大，但在處理大量資料或需要極致效能時，可以考慮減少 `jq` 的呼叫次數，例如將多個 `jq` 操作合併為一個更複雜的表達式，或使用其他語言（如Python）來處理JSON，以減少處理程序間的上下文切換成本。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Maya",
+    "location": "tests/entrypoint_pagination.sh:137",
+    "suggestion": "腳本執行時將標準輸出重定向到 `/dev/null`。為了更全面地驗證錯誤處理邏輯，應捕獲標準錯誤輸出 (stderr) 並檢查 `fail` 函數輸出的錯誤訊息是否符合預期，同時驗證腳本在錯誤情況下是否以非零狀態碼退出。",
+    "reason": "false positive"
+  },
+  {
+    "level": "info",
+    "role": "Maya",
+    "location": "Dockerfile",
+    "suggestion": "考慮新增一個整合測試，該測試會建置 Docker 映像檔，並在容器內部執行 `entrypoint.sh`。這將有助於驗證所有必要的依賴項（如 bash, curl, jq）是否已正確安裝，並且腳本在目標容器環境中能正常執行，確保部署的穩定性。",
+    "reason": "false positive"
+  }
+]

.gitea/ai-review/findings.json

@@ -0,0 +1 @@
+[]

.gitea/workflows/master.yaml

@@ -1,28 +1,28 @@
+name: CD
 on:
   push:
     branches:
     - master
 jobs:
-  cd:
-    name: "CD > 發布專案"
-    runs-on: docker
-    env:
-      RUNNER_TOOL_CACHE: /toolcache
+  version:
+    name: 計算版本號
+    runs-on: ubuntu
+    outputs:
+      version: ${{ steps.version.outputs.version }}
     steps:
     - name: 計算版本號
       id: version
-      uses: https://gitea.jsc.idv.tw/jiantw83/calculate-version-action@v${{ vars.CALCULATE_VERSION }}
-      with:
-        gitea-server: ${{ gitea.server_url }}
-        repository: ${{ gitea.repository }}
-        token: ${{ secrets.GITEA_TOKEN }}
+      uses: https://gitea.jsc.idv.tw/actions/calculate-version@${{ vars.ACTION_CALCULATE_VERSION }}
+  release:
+    name: 發布專案
+    runs-on: ubuntu
+    needs: version
+    steps:
     - name: 發布專案
-      uses: akkuman/gitea-release-action@v1
+      uses: akkuman/gitea-release-action@${{ vars.ACTION_RELEASE_VERSION }}
       with:
-        tag_name: "v${{ steps.version.outputs.VERSION }}"
-    - name: 清理舊版本 (保留最新2個)
-      uses: https://gitea.jsc.idv.tw/jiantw83/cleanup-release-action@v${{ vars.CLEANUP_RELEASE_VERSION }}
+        tag_name: v${{ needs.version.outputs.version }}
+    - name: 清理成品
+      uses: https://gitea.jsc.idv.tw/actions/cleanup-release@${{ vars.ACTION_CLEANUP_RELEASE_VERSION }}
       with:
-        gitea-server: ${{ gitea.server_url }}
-        repository: ${{ gitea.repository }}
-        token: ${{ secrets.GITEA_TOKEN }}
+        RUNNER_TOKEN: ${{ secrets.RUNNER_TOKEN }}

.gitea/workflows/review.yaml

@@ -0,0 +1,23 @@
+name: AI
+on:
+  pull_request:
+    branches-ignore:
+    - master
+    types: [opened, synchronize]
+jobs:
+  code-review:
+    name: Code Review
+    runs-on: ubuntu
+    steps:
+    - name: AI Code Review
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
+        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
+        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write

.github/copilot-instructions.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+Use the triage-finding workflow for review issue lists:
+
+1. Merge findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1.
+5. Fix real issues with the smallest safe change.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check after each fix.
+
+The full reusable skill lives in `.claude/skills/triage-findings/SKILL.md`.

.github/skills/triage-findings/SKILL.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+Use the triage-finding workflow for review issue lists:
+
+1. Merge findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1.
+5. Fix real issues with the smallest safe change.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check after each fix.
+
+The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.

CLAUDE.md

@@ -0,0 +1,16 @@
+# Triage Findings
+
+When the task is to triage review findings, follow this workflow:
+
+1. Merge all findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1 after sorting.
+5. Fix real issues with the smallest safe change.
+6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check the issue after each fix.
+
+Use the repo-local `triage-findings` skill for the same workflow when running in Codex.
+
+Trigger it with `/triage-findings`.

Dockerfile

@@ -0,0 +1,8 @@
+FROM alpine:latest
+
+RUN apk add --no-cache --no-check-certificate bash curl jq
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]

GEMINI.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+Use the triage-finding workflow for review issue lists:
+
+1. Merge findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1.
+5. Fix real issues with the smallest safe change.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check after each fix.
+
+The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.

action.yml

@@ -1,127 +1,17 @@
-name: 'Cleanup Old Releases'
-description: '自動清理舊版本的 releases，保留指定數量的最新版本'
+name: 'CLEANUP OLD RELEASES'
+description: '清理舊版成品'
+author: 'Jeffery'
 inputs:
-  gitea-server:
-    description: 'Gitea 伺服器 URL'
-    required: true
-  repository:
-    description: '儲存庫名稱 (格式: owner/repo)'
-    required: true
-  token:
-    description: 'Gitea API Token'
-    required: true
-  keep-count:
-    description: '保留的最新版本數量'
-    required: false
+  RUNNER_TOKEN:
+    description: 'GitHub Runner Token'
+  KEEP_COUNT:
+    description: '保留的版本數量'
     default: '2'
-  dry-run:
-    description: '是否為模擬執行 (只顯示會刪除的版本，不實際刪除)'
-    required: false
-    default: 'false'
-outputs:
-  deleted-count:
-    description: '已刪除的版本數量'
-    value: ${{ steps.cleanup.outputs.deleted-count }}
-  deleted-releases:
-    description: '已刪除的版本列表 (JSON 格式)'
-    value: ${{ steps.cleanup.outputs.deleted-releases }}
 runs:
-  using: 'composite'
-  steps:
-    - name: 清理舊版本
-      id: cleanup
-      shell: bash
-      run: |
-        echo "開始清理舊版本，保留最新 ${{ inputs.keep-count }} 個版本"
-        
-        # 獲取所有 releases 並按創建時間排序
-        RELEASES_JSON=$(curl -s "${{ inputs.gitea-server }}/api/v1/repos/${{ inputs.repository }}/releases" \
-          -H "Authorization: token ${{ inputs.token }}" \
-          -H "Accept: application/json")
-        
-        # 檢查是否成功獲取 releases
-        if [ $? -ne 0 ] || [ -z "$RELEASES_JSON" ]; then
-          echo "錯誤：無法獲取 releases 列表"
-          exit 1
-        fi
-        
-        # 計算總數量
-        TOTAL_COUNT=$(echo "$RELEASES_JSON" | jq 'length')
-        echo "目前總共有 $TOTAL_COUNT 個 releases"
-        
-        # 如果總數量小於等於保留數量，則無需清理
-        if [ $TOTAL_COUNT -le ${{ inputs.keep-count }} ]; then
-          echo "releases 數量 ($TOTAL_COUNT) 未超過保留數量 (${{ inputs.keep-count }})，無需清理"
-          echo "deleted-count=0" >> $GITHUB_OUTPUT
-          echo "deleted-releases=[]" >> $GITHUB_OUTPUT
-          exit 0
-        fi
-        
-        # 計算需要刪除的數量
-        DELETE_COUNT=$((TOTAL_COUNT - ${{ inputs.keep-count }}))
-        echo "需要刪除 $DELETE_COUNT 個舊版本"
-        
-        # 獲取要刪除的 releases (跳過前 keep-count 個)
-        TO_DELETE=$(echo "$RELEASES_JSON" | jq -r ".[${{ inputs.keep-count }}:] | .[] | {id: .id, tag: .tag_name, name: .name}")
-        
-        # 初始化刪除計數器和列表
-        DELETED_COUNT=0
-        DELETED_LIST="[]"
-        
-        # 處理每個要刪除的 release
-        echo "$TO_DELETE" | jq -c '.' | while read -r release; do
-          if [ -z "$release" ] || [ "$release" = "null" ]; then
-            continue
-          fi
-          
-          RELEASE_ID=$(echo "$release" | jq -r '.id')
-          RELEASE_TAG=$(echo "$release" | jq -r '.tag')
-          RELEASE_NAME=$(echo "$release" | jq -r '.name')
-          
-          if [ -z "$RELEASE_ID" ] || [ "$RELEASE_ID" = "null" ]; then
-            continue
-          fi
-          
-          echo "準備刪除: ID=$RELEASE_ID, Tag=$RELEASE_TAG, Name=$RELEASE_NAME"
-          
-          if [ "${{ inputs.dry-run }}" = "true" ]; then
-            echo "🔍 [模擬執行] 會刪除 release: $RELEASE_TAG ($RELEASE_NAME)"
-            DELETED_COUNT=$((DELETED_COUNT + 1))
-          else
-            # 實際刪除
-            DELETE_RESPONSE=$(curl -s -w "HTTP_STATUS:%{http_code}" \
-              -X DELETE "${{ inputs.gitea-server }}/api/v1/repos/${{ inputs.repository }}/releases/$RELEASE_ID" \
-              -H "Authorization: token ${{ inputs.token }}")
-            
-            HTTP_STATUS=$(echo "$DELETE_RESPONSE" | grep -o "HTTP_STATUS:[0-9]*" | cut -d: -f2)
-            
-            if [ "$HTTP_STATUS" = "204" ] || [ "$HTTP_STATUS" = "200" ]; then
-              echo "✅ 成功刪除 release: $RELEASE_TAG ($RELEASE_NAME)"
-              DELETED_COUNT=$((DELETED_COUNT + 1))
-              
-              # 更新已刪除列表
-              DELETED_LIST=$(echo "$DELETED_LIST" | jq ". + [{\"id\": \"$RELEASE_ID\", \"tag\": \"$RELEASE_TAG\", \"name\": \"$RELEASE_NAME\"}]")
-            else
-              echo "❌ 刪除失敗 release: $RELEASE_TAG ($RELEASE_NAME), HTTP狀態: $HTTP_STATUS"
-            fi
-          fi
-        done
-        
-        # 由於 while 迴圈在子 shell 中執行，需要重新計算
-        if [ "${{ inputs.dry-run }}" = "true" ]; then
-          FINAL_DELETE_COUNT=$(echo "$TO_DELETE" | jq -s 'length')
-          echo "deleted-count=$FINAL_DELETE_COUNT" >> $GITHUB_OUTPUT
-          echo "deleted-releases=[]" >> $GITHUB_OUTPUT
-          echo "🔍 [模擬執行] 總共會刪除 $FINAL_DELETE_COUNT 個版本"
-        else
-          # 重新獲取並計算實際刪除的數量
-          NEW_RELEASES_JSON=$(curl -s "${{ inputs.gitea-server }}/api/v1/repos/${{ inputs.repository }}/releases" \
-            -H "Authorization: token ${{ inputs.token }}" \
-            -H "Accept: application/json")
-          NEW_TOTAL_COUNT=$(echo "$NEW_RELEASES_JSON" | jq 'length')
-          ACTUAL_DELETED=$((TOTAL_COUNT - NEW_TOTAL_COUNT))
-          
-          echo "deleted-count=$ACTUAL_DELETED" >> $GITHUB_OUTPUT
-          echo "deleted-releases=$DELETED_LIST" >> $GITHUB_OUTPUT
-          echo "✅ 清理完成，實際刪除了 $ACTUAL_DELETED 個版本"
-        fi
+  using: 'docker'
+  image: 'Dockerfile'
+  env:
+    GITEA_SERVER_URL: ${{ gitea.server_url }}
+    GITEA_REPOSITORY: ${{ gitea.repository }}
+    RUNNER_TOKEN: ${{ inputs.RUNNER_TOKEN || secrets.GITEA_TOKEN || secrets.RUNNER_TOKEN }}
+    KEEP_COUNT: ${{ inputs.KEEP_COUNT }}

entrypoint.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+separator() {
+  printf '\n%s\n' '=================================================='
+}
+
+section() {
+  separator
+  printf '%s\n' "$1"
+  printf '%s\n' '--------------------------------------------------'
+}
+
+info() {
+  printf '[INFO] %s\n' "$1"
+}
+
+success() {
+  printf '[OK]   %s\n' "$1"
+}
+
+warn() {
+  printf '[WARN] %s\n' "$1"
+}
+
+fail() {
+  printf '[ERR]  %s\n' "$1" >&2
+}
+
+is_empty_or_null() {
+  [ -z "${1:-}" ] || [ "${1:-}" = "null" ]
+}
+
+require_value() {
+  local name="$1"
+  local value="$2"
+
+  info "$name=$value"
+  if is_empty_or_null "$value"; then
+    fail "$name is required"
+    exit 1
+  fi
+}
+
+require_integer() {
+  local name="$1"
+  local value="$2"
+
+  if ! [[ "$value" =~ ^[0-9]+$ ]]; then
+    fail "$name must be a non-negative integer"
+    exit 1
+  fi
+}
+
+section "參數檢查"
+require_value "GITEA_SERVER_URL" "$GITEA_SERVER_URL"
+require_value "GITEA_REPOSITORY" "$GITEA_REPOSITORY"
+require_value "KEEP_COUNT" "$KEEP_COUNT"
+require_integer "KEEP_COUNT" "$KEEP_COUNT"
+
+if is_empty_or_null "${RUNNER_TOKEN:-}"; then
+  warn "RUNNER_TOKEN is empty; release API calls will be anonymous"
+else
+  info "RUNNER_TOKEN=[redacted]"
+fi
+
+release_api_url="$GITEA_SERVER_URL/api/v1/repos/$GITEA_REPOSITORY/releases"
+auth_header=()
+
+if ! is_empty_or_null "${RUNNER_TOKEN:-}"; then
+  auth_header=(-H "Authorization: token $RUNNER_TOKEN")
+fi
+
+section "取得成品資訊"
+info "GET $release_api_url"
+
+release_json='[]'
+page=1
+
+while :; do
+  page_url="$release_api_url?page=$page"
+  page_json="$(curl -fsS "${auth_header[@]}" "$page_url")"
+
+  if [ "$(jq 'length' <<<"$page_json")" -eq 0 ]; then
+    break
+  fi
+
+  release_json="$(jq -s 'add' <<<"$release_json"$'\n'"$page_json")"
+  page=$((page + 1))
+done
+
+release_json="$(jq -e 'sort_by(.created_at) | reverse' <<<"$release_json")"
+release_count="$(jq 'length' <<<"$release_json")"
+
+info "RELEASE_COUNT=$release_count"
+info "KEEP_COUNT=$KEEP_COUNT"
+
+if [ "$release_count" -le "$KEEP_COUNT" ]; then
+  success "沒有需要清理的舊版本成品"
+  exit 0
+fi
+
+section "刪除舊版本成品"
+
+release_to_delete="$(jq -c ".[$KEEP_COUNT:]" <<<"$release_json")"
+
+while IFS= read -r release_item; do
+  [ -z "$release_item" ] && continue
+
+  release_id="$(jq -r '.id' <<<"$release_item")"
+  release_tag="$(jq -r '.tag_name' <<<"$release_item")"
+  release_name="$(jq -r '.name' <<<"$release_item")"
+
+  if is_empty_or_null "$release_id"; then
+    warn "略過沒有 id 的成品: $release_tag ($release_name)"
+    continue
+  fi
+
+  delete_url="$GITEA_SERVER_URL/api/v1/repos/$GITEA_REPOSITORY/releases/$release_id"
+  info "DELETE $release_tag ($release_name)"
+
+  delete_code="$(curl -sS -o /dev/null -w "%{http_code}" -X DELETE "${auth_header[@]}" "$delete_url")"
+
+  if [ "$delete_code" -eq 204 ]; then
+    success "成功刪除: $release_tag ($release_name)"
+  else
+    fail "刪除失敗: $release_tag ($release_name), HTTP $delete_code"
+  fi
+done < <(jq -c '.[]' <<<"$release_to_delete")
+
+separator

readme.md

@@ -1,118 +0,0 @@
-# Cleanup Old Releases Action
-
-這是一個自動清理舊版本 releases 的 GitHub Action，可以保留指定數量的最新版本，刪除多餘的舊版本。
-
-## 功能特色
-
-- 🗑️ 自動清理舊版本 releases
-- 🔢 可配置保留的版本數量
-- 🔍 支援模擬執行模式
-- 📊 詳細的執行報告
-- 🛡️ 安全的錯誤處理
-
-## 輸入參數
-
-| 參數名稱 | 必要 | 預設值 | 描述 |
-|---------|------|--------|------|
-| `gitea-server` | ✅ | - | Gitea 伺服器 URL |
-| `repository` | ✅ | - | 儲存庫名稱 (格式: owner/repo) |
-| `token` | ✅ | - | Gitea API Token |
-| `keep-count` | ❌ | `2` | 保留的最新版本數量 |
-| `dry-run` | ❌ | `false` | 是否為模擬執行 (只顯示會刪除的版本，不實際刪除) |
-
-## 輸出參數
-
-| 參數名稱 | 描述 |
-|---------|------|
-| `deleted-count` | 已刪除的版本數量 |
-| `deleted-releases` | 已刪除的版本列表 (JSON 格式) |
-
-## 使用範例
-
-### 基本用法 (保留最新2個版本)
-
-```yaml
-- name: 清理舊版本
-  uses: ./.gitea/actions/cleanup-releases
-  with:
-    gitea-server: ${{ gitea.server_url }}
-    repository: ${{ gitea.repository }}
-    token: ${{ secrets.GITEA_TOKEN }}
-```
-
-### 自定義保留數量
-
-```yaml
-- name: 清理舊版本 (保留最新5個)
-  uses: ./.gitea/actions/cleanup-releases
-  with:
-    gitea-server: ${{ gitea.server_url }}
-    repository: ${{ gitea.repository }}
-    token: ${{ secrets.GITEA_TOKEN }}
-    keep-count: '5'
-```
-
-### 模擬執行模式
-
-```yaml
-- name: 檢查要清理的版本
-  id: check-cleanup
-  uses: ./.gitea/actions/cleanup-releases
-  with:
-    gitea-server: ${{ gitea.server_url }}
-    repository: ${{ gitea.repository }}
-    token: ${{ secrets.GITEA_TOKEN }}
-    keep-count: '3'
-    dry-run: 'true'
-
-- name: 顯示模擬結果
-  run: |
-    echo "模擬執行會刪除 ${{ steps.check-cleanup.outputs.deleted-count }} 個版本"
-```
-
-### 使用輸出結果
-
-```yaml
-- name: 清理舊版本
-  id: cleanup
-  uses: ./.gitea/actions/cleanup-releases
-  with:
-    gitea-server: ${{ gitea.server_url }}
-    repository: ${{ gitea.repository }}
-    token: ${{ secrets.GITEA_TOKEN }}
-    keep-count: '2'
-
-- name: 報告清理結果
-  run: |
-    echo "清理完成，刪除了 ${{ steps.cleanup.outputs.deleted-count }} 個舊版本"
-    echo "刪除的版本詳情: ${{ steps.cleanup.outputs.deleted-releases }}"
-```
-
-## 運作邏輯
-
-1. **獲取版本列表**：從 Gitea API 獲取所有 releases，按創建時間排序
-2. **計算刪除範圍**：保留最新的 `keep-count` 個版本，標記其餘版本為待刪除
-3. **執行清理**：
-   - 模擬模式：只顯示會刪除的版本，不實際執行
-   - 正常模式：逐一刪除標記的版本
-4. **回報結果**：提供刪除數量和詳細列表
-
-## 安全特性
-
-- ✅ **防護機制**：如果總版本數 ≤ 保留數量，則不執行任何刪除
-- ✅ **錯誤處理**：API 請求失敗時會顯示錯誤訊息並停止執行
-- ✅ **模擬模式**：可以先模擬執行，確認要刪除的版本無誤
-- ✅ **詳細日誌**：每個步驟都有清楚的日誌輸出
-
-## 注意事項
-
-- 需要有 `GITEA_TOKEN` secret 且具備刪除 releases 的權限
-- 刪除操作是不可逆的，建議先使用模擬模式確認
-- Action 按照創建時間排序，保留最新的版本
-- 建議在 release 創建之後執行此 action
-
-## 錯誤處理
-
-- 如果無法連接到 Gitea API，action 會失敗並顯示錯誤訊息
-- 如果某個版本刪除失敗，會記錄錯誤但繼續處理其他版本
-- 如果 token 權限不足，會顯示相應的 HTTP 錯誤狀態

tests/entrypoint_pagination.sh

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+tmpdir="$(mktemp -d)"
+trap 'rm -rf "$tmpdir"' EXIT
+
+curl_log="$tmpdir/curl.log"
+bin_dir="$tmpdir/bin"
+mkdir -p "$bin_dir"
+
+cat >"$bin_dir/curl" <<'EOF'
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+log_file="${CURL_LOG:?}"
+printf '%s\n' "$*" >>"$log_file"
+
+last_arg="${!#}"
+
+if [[ " $* " == *" -X DELETE "* ]]; then
+  printf '204'
+  exit 0
+fi
+
+case "$last_arg" in
+  *page=1)
+    printf '%s' '[{"id":4,"tag_name":"v4","name":"release-4","created_at":"2024-04-01T00:00:00Z"},{"id":3,"tag_name":"v3","name":"release-3","created_at":"2024-03-01T00:00:00Z"}]'
+    ;;
+  *page=2)
+    printf '%s' '[{"id":2,"tag_name":"v2","name":"release-2","created_at":"2024-02-01T00:00:00Z"},{"id":1,"tag_name":"v1","name":"release-1","created_at":"2024-01-01T00:00:00Z"}]'
+    ;;
+  *page=3)
+    printf '%s' '[]'
+    ;;
+  *)
+    printf 'unexpected request: %s\n' "$last_arg" >&2
+    exit 1
+    ;;
+esac
+EOF
+chmod +x "$bin_dir/curl"
+
+cat >"$bin_dir/jq.py" <<'PY'
+#!/usr/bin/env python3
+import json
+import re
+import sys
+
+expr = ""
+flags = set()
+args = sys.argv[1:]
+
+while args:
+    current = args.pop(0)
+    if current in {"-e", "-c", "-r", "-s"}:
+        flags.add(current)
+        continue
+    if current == "--":
+        if not args:
+            raise SystemExit("missing jq expression")
+        expr = args.pop(0)
+        break
+    if current.startswith("-"):
+        flags.add(current)
+        continue
+    expr = current
+    break
+
+raw = sys.stdin.read()
+
+def dump(value):
+    if "-r" in flags and isinstance(value, (str, int, float)) and not isinstance(value, bool):
+        sys.stdout.write(str(value))
+    else:
+        sys.stdout.write(json.dumps(value, separators=(",", ":")))
+
+if expr == "length":
+    data = json.loads(raw or "null")
+    print(len(data))
+    raise SystemExit(0)
+
+if expr == "add":
+    arrays = [json.loads(line) for line in raw.splitlines() if line.strip()]
+    merged = []
+    for item in arrays:
+        merged.extend(item)
+    dump(merged)
+    raise SystemExit(0)
+
+if expr == "sort_by(.created_at) | reverse":
+    data = json.loads(raw or "[]")
+    dump(sorted(data, key=lambda item: item["created_at"], reverse=True))
+    raise SystemExit(0)
+
+match = re.fullmatch(r"\.\[(\d+):\]", expr)
+if match:
+    data = json.loads(raw or "[]")
+    dump(data[int(match.group(1)):])
+    raise SystemExit(0)
+
+if expr == ".[]":
+    data = json.loads(raw or "[]")
+    for item in data:
+        dump(item)
+        sys.stdout.write("\n")
+    raise SystemExit(0)
+
+match = re.fullmatch(r"\.(id|tag_name|name)", expr)
+if match:
+    data = json.loads(raw or "null")
+    value = data.get(match.group(1))
+    dump(value)
+    raise SystemExit(0)
+
+raise SystemExit(f"unsupported jq expression: {expr}")
+PY
+chmod +x "$bin_dir/jq.py"
+
+cat >"$bin_dir/jq" <<'EOF'
+#!/usr/bin/env bash
+set -Eeuo pipefail
+exec python3 "$0.py" "$@"
+EOF
+chmod +x "$bin_dir/jq"
+
+PATH="$bin_dir:$PATH" \
+CURL_LOG="$curl_log" \
+GITEA_SERVER_URL="https://gitea.example.test" \
+GITEA_REPOSITORY="owner/repo" \
+KEEP_COUNT="2" \
+RUNNER_TOKEN="" \
+bash ./entrypoint.sh >/dev/null
+
+grep -q 'page=1' "$curl_log"
+grep -q 'page=2' "$curl_log"
+grep -q 'page=3' "$curl_log"
+grep -q '/releases/2' "$curl_log"
+grep -q '/releases/1' "$curl_log"
+
+if grep -q '/releases/3' "$curl_log" || grep -q '/releases/4' "$curl_log"; then
+  printf 'unexpected deletion request in %s\n' "$curl_log" >&2
+  exit 1
+fi