diff --git a/.gitea/ai-review/exclusions.json b/.gitea/ai-review/exclusions.json new file mode 100644 index 0000000..2ca1f18 --- /dev/null +++ b/.gitea/ai-review/exclusions.json @@ -0,0 +1,11 @@ +[ + { + "role": "Rex", + "location": "app/git.js", + "suggestion": "請避免將敏感資料(如 GITEA_TOKEN)直接寫入環境變數" + }, + { + "location": "app/git.js", + "suggestion": "GITEA_TOKEN 直接嵌入 URL 中" + } +] diff --git a/.gitea/ai-review/findings.json b/.gitea/ai-review/findings.json index e4a78e8..0637a08 100644 --- a/.gitea/ai-review/findings.json +++ b/.gitea/ai-review/findings.json @@ -1,135 +1 @@ -[ - { - "level": "critical", - "role": "Rex", - "location": "app/git.js:20", - "suggestion": "請避免在程式碼中硬編碼敏感資料,如 GITEA_TOKEN。應使用環境變數或安全的秘密管理工具來管理這些敏感資料。", - "is_new": true - }, - { - "level": "warning", - "role": "Leo", - "location": "app/git.js:39", - "suggestion": "建議在函式 `makeRunner` 中增加對於 `spawn` 函式的參數檢查,以確保其為有效的函式,避免未來可能的錯誤。", - "is_new": true - }, - { - "level": "warning", - "role": "Zara", - "location": "app/git.js:39", - "suggestion": "在使用 git clone 時,建議使用 --single-branch 參數來避免下載不必要的分支,這樣可以節省時間和空間。", - "is_new": true - }, - { - "level": "warning", - "role": "Rex", - "location": "app/git.js:39", - "suggestion": "在使用 git 命令時,請確保適當處理錯誤,避免潛在的資訊洩漏。", - "is_new": true - }, - { - "level": "warning", - "role": "Aria", - "location": "app/git.js:3", - "suggestion": "檔案開頭應該有一行空白行,以提高可讀性。", - "is_new": true - }, - { - "level": "warning", - "role": "Maya", - "location": "app/git.test.js:1", - "suggestion": "建議在測試檔案中加入更多的測試案例,以涵蓋不同的邊界條件和異常情況。", - "is_new": true - }, - { - "level": "info", - "role": "Leo", - "location": "app/git.js:43", - "suggestion": "考慮將 `askpassScript` 的寫入過程封裝成一個獨立的函式,以提高程式碼的模組化和可讀性。", - "is_new": true - }, - { - "level": "info", - "role": "Leo", - "location": "app/git.js:53", - "suggestion": "在 `catch` 區塊中,建議記錄更詳細的錯誤資訊,以便於未來的除錯和維護。", - "is_new": true - }, - { - "level": "info", - "role": "Leo", - "location": "app/git.js:58", - "suggestion": "在 `finally` 區塊中,建議增加對於 `fs.unlinkSync` 的錯誤處理,以避免在刪除檔案時發生未捕獲的錯誤。", - "is_new": true - }, - { - "level": "info", - "role": "Zara", - "location": "app/git.js:43", - "suggestion": "在寫入 askpass 腳本時,考慮使用 fs.promises.writeFile 來避免阻塞事件循環,提升效能。", - "is_new": true - }, - { - "level": "info", - "role": "Zara", - "location": "app/git.js:53", - "suggestion": "在使用 fs.mkdirSync 時,建議使用 fs.promises.mkdir 來避免阻塞,提升效能。", - "is_new": true - }, - { - "level": "info", - "role": "Zara", - "location": "app/git.js:65", - "suggestion": "在 git push 時,考慮使用 --quiet 參數來減少不必要的輸出,這樣可以提升效能。", - "is_new": true - }, - { - "level": "info", - "role": "Rex", - "location": "app/git.js:43", - "suggestion": "建議在使用完 askpass 腳本後,確保其被刪除,以減少潛在的安全風險。", - "is_new": true - }, - { - "level": "info", - "role": "Aria", - "location": "app/git.js:39", - "suggestion": "考慮將 'run' 函數的命名改為更具描述性的名稱,例如 'executeGitCommand',以提高可讀性。", - "is_new": true - }, - { - "level": "info", - "role": "Aria", - "location": "app/git.js:43", - "suggestion": "在 'try' 區塊的結尾添加註解,說明 'finally' 區塊的目的,以提高可讀性。", - "is_new": true - }, - { - "level": "info", - "role": "Aria", - "location": "app/git.js:51", - "suggestion": "在 'catch' 區塊中,考慮使用更具描述性的錯誤訊息,以便於除錯。", - "is_new": true - }, - { - "level": "info", - "role": "Aria", - "location": "app/git.test.js:1", - "suggestion": "考慮在檔案開頭添加檔案描述註解,以提高可讀性。", - "is_new": true - }, - { - "level": "info", - "role": "Aria", - "location": "app/git.test.js:93", - "suggestion": "考慮在測試結束後添加註解,說明測試的目的,以提高可讀性。", - "is_new": true - }, - { - "level": "info", - "role": "Maya", - "location": "app/git.test.js:1", - "suggestion": "建議使用更具描述性的測試名稱,以提高測試的可讀性和可維護性。", - "is_new": true - } -] \ No newline at end of file +[] \ No newline at end of file diff --git a/README.md b/README.md index e1c2026..11002fc 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,12 @@ 1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容),Comment 到 Push Request 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議) 3. 讀取所有未解決的舊問題(問題檔案存在於使用此 Action 的專案固定位置)加上新問題後,去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案 -4. 從PR問題表格中取出所有舊問題,依照等級排序後 Comment 到 Push Request -5. 從PR問題表格中取出所有新問題,排除嚴重等級的問題後 Comment 到 Push Request -6. 從PR問題表格中取出所有新問題,將每個嚴重等級的問題 Comment 到 Push Request -7. Commit 問題檔案 -8. 如果PR問題表格中有嚴重問題,則不要讓 workflow 執行成功(exit 1) +4. 讀取排除問題檔案,用來過濾PR問題表格中不需要處理的問題 +5. 從PR問題表格中取出所有舊問題,依照等級排序後 Comment 到 Push Request +6. 從PR問題表格中取出所有新問題,排除嚴重等級的問題後 Comment 到 Push Request +7. 從PR問題表格中取出所有新問題,將每個嚴重等級的問題 Comment 到 Push Request +8. Commit 問題檔案 +9. 如果PR問題表格中有嚴重問題,則不要讓 workflow 執行成功(exit 1) # 設計 @@ -139,116 +140,6 @@ jobs: issues: write ``` -### 6. Kilo Code -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - KILO_API_KEY: ${{ secrets.KILO_API_KEY }} - KILO_BASE_URL: https://api.kilocode.com/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 7. Roo Code -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - ROO_API_KEY: ${{ secrets.ROO_API_KEY }} - ROO_BASE_URL: https://api.roocode.com/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 8. Cline -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - CLINE_API_KEY: ${{ secrets.CLINE_API_KEY }} - CLINE_BASE_URL: https://api.cline.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 9. Continue -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }} - CONTINUE_BASE_URL: https://api.continue.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 10. Kade -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - KADE_API_KEY: ${{ secrets.KADE_API_KEY }} - KADE_BASE_URL: https://api.kade.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - ### - Ollama ```yaml diff --git a/TODO.md b/TODO.md index 9fe2599..e5115dc 100644 --- a/TODO.md +++ b/TODO.md @@ -8,26 +8,33 @@ ## 階段二:Findings 產生與合併 - 目標:各角色(style/security/performance/maintainability/testing)能產生 findings,並正確合併新舊 findings。 - 驗收:log 中能看到每個角色 findings 數量、合併後 findings 統計,並有「Step3: merged findings total=...」等訊息。 +- 完成 ## 階段三:AI 去重與角色確認 - 目標:嘗試呼叫 LLM 進行 findings 去重與角色確認,API 額度不足時要有降級處理 log。 - 驗收:log 中能看到 deduplication/resolution confirmation 成功或失敗(如 402),降級時有「保留所有問題」等明確訊息。 +- 完成 -## 階段四:findings 寫入與 comment 發布 +## 階段四:AI 排除問題過濾 +- 目標:讀取排除問題檔案(exclusions.json)進行規則過濾,並呼叫 AI 判斷剩餘問題是否為誤報或不適用,兩層過濾後產生最終問題清單。 +- 驗收:log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化,以及「AI 誤報過濾: N -> M 筆」或降級訊息。 +- 完成 + +## 階段五:findings 寫入與 comment 發布 - 目標:findings.jsonl 正確寫入,comment 發布順序正確(舊問題→非嚴重→嚴重),每步有 log。 -- 驗收:log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。 +- 驗收:log 中能看到 findings.json 寫入、comment sync 的詳細訊息與順序。 +- 完成 -## 階段五:記憶區 commit/push 與錯誤處理 +## 階段六:記憶區 commit/push 與錯誤處理 - 目標:記憶區能成功 commit/push,錯誤時有明確 log,流程結束有總結訊息。 - 驗收:log 有「persisted findings」、「commit=...」、「push=...」等訊息,錯誤時有「Runner failed: ...」等明確錯誤說明。 +- 完成 -## 階段六:阻擋嚴重問題 PR(第 8 點) +## 階段七:阻擋嚴重問題 PR(第 8 點) - 目標:如果 PR 問題表格中有嚴重(critical)問題,workflow 需直接 exit 1,不讓流程成功。 - 驗收:log 中能看到「critical 問題存在,workflow 結束(exit 1)」等明確訊息,且 workflow 狀態為失敗。 +- 完成 --- - -每個階段都會加上明確的 log,並確保即使部分功能未完成也能降級執行、不會中斷 pipeline。 - -每次執行後請貼 log,我會協助 debug。 \ No newline at end of file +所有階段驗收通過。 diff --git a/app/config.js b/app/config.js index ea20e2c..c5e7caa 100644 --- a/app/config.js +++ b/app/config.js @@ -6,6 +6,7 @@ export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || ''; export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || ''; export const FINDINGS_PATH = '.gitea/ai-review/findings.json'; +export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json'; export function getLLMConfig() { const checks = [ diff --git a/app/findings.js b/app/findings.js index 7c38515..7dcf060 100644 --- a/app/findings.js +++ b/app/findings.js @@ -1,7 +1,7 @@ import fs from 'fs'; import path from 'path'; import { chatJSON } from './llm.js'; -import { FINDINGS_PATH } from './config.js'; +import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js'; const LEVELS = ['critical', 'warning', 'info']; @@ -93,3 +93,74 @@ export async function deduplicateWithAI(findings) { return findings; } } + +/** + * 讀取排除問題檔案(從 workspace 的 EXCLUSIONS_PATH) + * 格式:[{ role, location, suggestion }],欄位可部分省略,省略表示萬用 + */ +export function loadExclusions(workspace) { + const fullPath = path.join(workspace, EXCLUSIONS_PATH); + if (!fs.existsSync(fullPath)) { + console.log(' 排除問題檔案不存在,跳過過濾'); + return []; + } + try { + const data = JSON.parse(fs.readFileSync(fullPath, 'utf8')); + const exclusions = Array.isArray(data) ? data : []; + console.log(` 讀取排除問題: ${exclusions.length} 筆`); + return exclusions; + } catch (e) { + console.log(` ⚠️ 讀取排除問題失敗: ${e.message},跳過過濾`); + return []; + } +} + +/** + * 套用排除規則,過濾掉符合排除條件的 findings + * 排除條件:role/location/suggestion 皆符合(省略的欄位視為萬用) + */ +export function applyExclusions(findings, exclusions) { + if (exclusions.length === 0) return findings; + const before = findings.length; + const filtered = findings.filter(f => !exclusions.some(ex => + (!ex.role || ex.role === f.role) && + (!ex.location || String(f.location).includes(ex.location)) && + (!ex.suggestion || String(f.suggestion).includes(String(ex.suggestion).slice(0, 20))) + )); + console.log(` 排除過濾: ${before} -> ${filtered.length} 筆(排除 ${before - filtered.length} 筆)`); + return filtered; +} + +/** + * 呼叫 AI 判斷哪些問題是誤報或不需處理,回傳需保留的 findings + * 失敗時降級回傳原始 findings + */ +export async function filterFalsePositivesWithAI(findings) { + if (findings.length === 0) return findings; + + const systemPrompt = `你是一位資深程式碼審查專家,負責判斷審查問題是否為誤報或不需處理。 +給你一份問題清單(JSON 陣列),每筆包含 level、role、location、suggestion。 +請移除以下類型的問題: +1. 誤報:問題描述與實際程式碼不符(例如:程式碼已正確使用環境變數或 secrets,卻被標記為硬編碼敏感資料) +2. 不適用:問題在此專案情境下不需處理(例如:CI/CD action 本來就需要透過環境變數傳遞 token) +只回傳需要保留的問題 JSON 陣列,不要有其他文字。`; + + const userContent = `請判斷以下問題清單,移除誤報或不需處理的問題:\n\n${JSON.stringify(findings, null, 2)}`; + + try { + const result = await chatJSON(systemPrompt, userContent); + if (Array.isArray(result)) { + console.log(` AI 誤報過濾: ${findings.length} -> ${result.length} 筆`); + return result; + } + throw new Error('AI 回傳非陣列'); + } catch (e) { + const status = e.response?.status; + if (status === 402 || status === 429) { + console.log(` ⚠️ AI 誤報過濾失敗(${status} 額度/限流),降級:保留所有問題`); + } else { + console.log(` ⚠️ AI 誤報過濾失敗(${e.message}),降級:保留所有問題`); + } + return findings; + } +} diff --git a/app/git.js b/app/git.js index 143e848..5006d88 100644 --- a/app/git.js +++ b/app/git.js @@ -14,6 +14,34 @@ function makeRunner(spawn) { }; } +/** + * Clone PR head branch to workspace/repo (idempotent) + */ +export function cloneRepo(workspace, _spawnSync = spawnSync) { + const run = makeRunner(_spawnSync); + const baseUrl = GITEA_SERVER_URL.replace(/\/$/, ''); + const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`; + const repoDir = path.join(workspace, 'repo'); + + const askpassScript = path.join(workspace, '.git-askpass.sh'); + fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 }); + const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN }; + + try { + if (!fs.existsSync(repoDir)) { + run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv); + console.log(` ✅ repo cloned to ${repoDir}`); + } else { + run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv); + run(['checkout', PR_HEAD_BRANCH], repoDir); + console.log(` ✅ repo already exists, fetched latest`); + } + } finally { + try { fs.unlinkSync(askpassScript); } catch {} + } + return repoDir; +} + export async function commitAndPush(workspace, _spawnSync = spawnSync) { const run = makeRunner(_spawnSync); @@ -21,11 +49,12 @@ export async function commitAndPush(workspace, _spawnSync = spawnSync) { const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`; const repoDir = path.join(workspace, 'repo'); - // Write a temporary askpass script so the token never appears in the URL or process list + // Write a temporary askpass script that reads the token from an env var, + // so the token value never appears in the script file itself const askpassScript = path.join(workspace, '.git-askpass.sh'); - fs.writeFileSync(askpassScript, `#!/bin/sh\necho "${GITEA_TOKEN}"\n`, { mode: 0o700 }); + fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 }); - const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token' }; + const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN }; try { if (!fs.existsSync(repoDir)) { diff --git a/app/git.test.js b/app/git.test.js index d96efce..0e7e85b 100644 --- a/app/git.test.js +++ b/app/git.test.js @@ -3,7 +3,7 @@ import assert from 'node:assert/strict'; import fs from 'fs'; import os from 'os'; import path from 'path'; -import { commitAndPush } from './git.js'; +import { commitAndPush, cloneRepo } from './git.js'; // --- helpers --- function makeTmpWorkspace() { @@ -91,3 +91,59 @@ describe('commitAndPush', () => { await assert.doesNotReject(() => commitAndPush(workspace, failSpawn)); }); }); + +describe('cloneRepo', () => { + let workspace; + + before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); }); + after(() => { fs.rmSync(workspace, { recursive: true, force: true }); }); + + it('clones repo when repoDir does not exist', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone'); + assert.ok(cloneCalled, 'expected git clone to be called'); + }); + + it('fetches and checks out when repoDir already exists', () => { + const repoDir = path.join(workspace, 'repo'); + fs.mkdirSync(repoDir, { recursive: true }); + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone'); + const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch'); + assert.ok(!cloneCalled, 'clone should not run when repoDir exists'); + assert.ok(fetchCalled, 'fetch should run when repoDir exists'); + }); + + it('does not embed token in any git command argument', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + for (const { args } of spawn.calls) { + assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`); + } + }); + + it('uses GIT_ASKPASS for network operations', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0])); + assert.ok(networkCalls.length > 0, 'expected at least one network git call'); + for (const { args, opts } of networkCalls) { + assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`); + } + }); + + it('cleans up askpass script after run', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh')); + assert.equal(leftover.length, 0, 'askpass script was not cleaned up'); + }); + + it('returns repoDir path', () => { + const spawn = makeSpawn(); + const result = cloneRepo(workspace, spawn); + assert.equal(result, path.join(workspace, 'repo')); + }); +}); diff --git a/app/main.js b/app/main.js index 5e13dc8..7d0eef9 100644 --- a/app/main.js +++ b/app/main.js @@ -1,9 +1,9 @@ import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js'; import { loadRoles, getRoleIntro } from './roles.js'; import { getPRDiff, postComment } from './gitea.js'; -import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js'; +import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js'; import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js'; -import { commitAndPush } from './git.js'; +import { cloneRepo, commitAndPush } from './git.js'; const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace'; @@ -26,7 +26,6 @@ async function main() { console.log(` 已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`); // 取得 PR diff - console.log('\n📋 Step1: 取得 PR Diff'); let diff; try { diff = await getPRDiff(); @@ -42,7 +41,6 @@ async function main() { } // 發布角色介紹 comment - console.log('\n💬 Step1: 發布角色介紹 Comment'); try { const intro = getRoleIntro(roles) + `\n\n> 🔍 服務:${provider} 模型:${model}`; await postComment(intro); @@ -50,6 +48,7 @@ async function main() { } catch (e) { console.log(` ⚠️ comment 發布失敗(繼續執行): ${e.message}`); } + console.log(' Step1 完成'); // Step2: 各角色分析 diff 產生新 findings console.log('\n📊 Step2: Findings 產生'); @@ -64,38 +63,51 @@ async function main() { } console.log(` Step2 完成: 新 findings 總計 ${newFindings.length} 筆`); - // Step3: 讀取舊 findings,合併去重 + // Step3: 讀取舊 findings,合併去重(含 AI 語意去重) console.log('\n🔀 Step3: Findings 合併'); - const oldFindings = loadOldFindings(WORKSPACE); + // Clone repo 以讀取舊 findings 與排除清單 + let repoDir; + try { + repoDir = cloneRepo(WORKSPACE); + } catch (e) { + console.log(` ⚠️ clone repo 失敗(繼續執行): ${e.message}`); + } + const oldFindings = loadOldFindings(repoDir || WORKSPACE); const mergedFindings = mergeFindings(oldFindings, newFindings); console.log(` Step3 merged findings total=${mergedFindings.length}`); - // Step3b: AI 語意去重 console.log('\n🤖 Step3b: AI 語意去重'); const deduped = await deduplicateWithAI(mergedFindings); const sorted = sortByLevel(deduped); console.log(` Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`); - // Step4: 寫入 findings.json,依序發布 comment - console.log('\n📝 Step4: Findings 寫入與 Comment 發布'); - saveFindings(WORKSPACE, sorted); + // Step4: 讀取排除問題檔案,過濾 PR 問題表格,並請 AI 判斷誤報 + console.log('\n🚫 Step4: AI 排除問題過濾'); + const exclusions = loadExclusions(repoDir || WORKSPACE); + const ruleFiltered = applyExclusions(sorted, exclusions); + const filtered = await filterFalsePositivesWithAI(ruleFiltered); + console.log(` Step4 完成: findings total=${filtered.length}`); + + // Step5: 寫入 findings.json,依序發布 comment + console.log('\n📝 Step5: Findings 寫入與 Comment 發布'); + saveFindings(WORKSPACE, filtered); try { - await postOldFindingsComment(sorted); - await postNewNonCriticalComment(sorted); - await postNewCriticalComments(sorted); - console.log(' Step4 完成'); + await postOldFindingsComment(filtered); + await postNewNonCriticalComment(filtered); + await postNewCriticalComments(filtered); + console.log(' Step5 完成'); } catch (e) { console.log(` ⚠️ comment 發布失敗(繼續執行): ${e.message}`); } - // Step5: commit/push findings.json 到來源分支 - console.log('\n💾 Step5: 記憶區 Commit/Push'); + // Step6: commit/push findings.json 到來源分支 + console.log('\n💾 Step6: 記憶區 Commit/Push'); await commitAndPush(WORKSPACE); - // Step6: 有 critical 問題則 exit 1 - console.log('\n🚦 Step6: 嚴重問題檢查'); - const criticalCount = sorted.filter(f => f.level === 'critical').length; + // Step7: 有 critical 問題則 exit 1 + console.log('\n🚦 Step7: 嚴重問題檢查'); + const criticalCount = filtered.filter(f => f.level === 'critical').length; if (criticalCount > 0) { console.log(` ❌ 發現 ${criticalCount} 個嚴重問題,workflow 結束(exit 1)`); console.log('='.repeat(60));