feat: refactor commitAndPush to use a runner function and improve token security; add tests for git operations

app/git.js

@@ -3,29 +3,39 @@ import fs from 'fs';
 import path from 'path';
 import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
 
-function git(args, cwd) {
-  const result = spawnSync('git', args, { cwd, encoding: 'utf8' });
-  if (result.error) throw result.error;
-  if (result.status !== 0) throw new Error((result.stderr || result.stdout || '').trim());
-  return (result.stdout || '').trim();
+function makeRunner(spawn) {
+  return function run(args, cwd, env) {
+    const opts = { cwd, encoding: 'utf8' };
+    if (env) opts.env = env;
+    const result = spawn('git', args, opts);
+    if (result.error) throw result.error;
+    if (result.status !== 0) throw new Error((result.stderr || result.stdout || '').trim());
+    return (result.stdout || '').trim();
+  };
 }
 
-export async function commitAndPush(workspace) {
-  const remoteUrl = GITEA_SERVER_URL.replace(/\/$/, '')
-    .replace('https://', `https://${GITEA_TOKEN}@`)
-    .replace('http://', `http://${GITEA_TOKEN}@`) + `/${GITEA_REPOSITORY}.git`;
+export async function commitAndPush(workspace, _spawnSync = spawnSync) {
+  const run = makeRunner(_spawnSync);
 
+  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
+  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
   const repoDir = path.join(workspace, 'repo');
 
+  // Write a temporary askpass script so the token never appears in the URL or process list
+  const askpassScript = path.join(workspace, '.git-askpass.sh');
+  fs.writeFileSync(askpassScript, `#!/bin/sh\necho "${GITEA_TOKEN}"\n`, { mode: 0o700 });
+
+  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token' };
+
   try {
     if (!fs.existsSync(repoDir)) {
-      git(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace);
+      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
     }
 
-    git(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
-    git(['config', 'user.name', 'AI Review Bot'], repoDir);
-    git(['fetch', 'origin', PR_HEAD_BRANCH], repoDir);
-    git(['checkout', PR_HEAD_BRANCH], repoDir);
+    run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
+    run(['config', 'user.name', 'AI Review Bot'], repoDir);
+    run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
+    run(['checkout', PR_HEAD_BRANCH], repoDir);
 
     // 將 findings.json 從 workspace 複製到 clone 的 repo
     const srcFindings = path.join(workspace, FINDINGS_PATH);
@@ -33,19 +43,21 @@ export async function commitAndPush(workspace) {
     fs.mkdirSync(path.dirname(destFindings), { recursive: true });
     fs.copyFileSync(srcFindings, destFindings);
 
-    git(['add', FINDINGS_PATH], repoDir);
+    run(['add', FINDINGS_PATH], repoDir);
 
-    const status = git(['status', '--porcelain'], repoDir);
+    const status = run(['status', '--porcelain'], repoDir);
     if (!status) {
       console.log('  findings.json 無變更，跳過 commit');
       return;
     }
 
-    const out = git(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
+    const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
     const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
-    git(['push', remoteUrl, PR_HEAD_BRANCH], repoDir);
+    run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
     console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
   } catch (e) {
     console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
+  } finally {
+    try { fs.unlinkSync(askpassScript); } catch {}
   }
 }