feat: split gitea comment token

2026-05-15 14:59:15 +00:00
parent 066b21aa5c
commit b0c4d5a0bc
4 changed files with 13 additions and 4 deletions
@@ -35,7 +35,7 @@
 > **自動提交排除說明**：此 Action 會將自己的 commit message 標記為 `[ai-review-bot][success]` 或 `[ai-review-bot][failure]`，而且 action 執行時會先透過 Gitea API 檢查這次觸發的 PR head commit（優先用 `pull_request.head.sha`）是否含有這個 marker，若有就直接成功結束，避免 bot commit 造成重複觸發。若外層 workflow 也能先檢查一次，效果最好。
-> **權限說明**：此 Action 需要 `contents: write`（寫入 findings.json）、`pull-requests: write`（發佈 PR comment）、`issues: write`（發佈 issue comment）三項權限，為正常運作所必要，無法縮減。
+> **權限說明**：此 Action 需要 `contents: write`（寫入 findings.json）、`pull-requests: write`（發佈 PR comment）、`issues: write`（發佈 issue comment）三項權限，為正常運作所必要，無法縮減。若你想讓 comment 用不同權限的 token，可額外傳 `GITEA_COMMENT_TOKEN`，其餘 Gitea 操作仍使用 `GITEA_TOKEN`。
 ### 1. OpenAI
 ```yaml
@@ -6,6 +6,9 @@ inputs:
  GITEA_TOKEN:
    description: 'Gitea API Token'
    required: true
  GITEA_COMMENT_TOKEN:
    description: 'Gitea API Token for posting comments only'
    required: false
  GITEA_SERVER_URL:
    description: 'Gitea Server URL'
    required: false
@@ -82,6 +85,7 @@ runs:
  env:
    # Gitea context（改為只從 inputs 取得）
    GITEA_TOKEN: ${{ inputs.GITEA_TOKEN }}
    GITEA_COMMENT_TOKEN: ${{ inputs.GITEA_COMMENT_TOKEN }}
    GITEA_SERVER_URL: ${{ inputs.GITEA_SERVER_URL || gitea.server_url }}
    GITEA_REPOSITORY: ${{ inputs.GITEA_REPOSITORY || gitea.repository }}
    GITEA_SKIP_TLS_VERIFY: ${{ inputs.GITEA_SKIP_TLS_VERIFY }}
@@ -1,4 +1,5 @@
 export const GITEA_TOKEN = process.env.GITEA_TOKEN || '';
 export const GITEA_COMMENT_TOKEN = process.env.GITEA_COMMENT_TOKEN || '';
 export const GITEA_SERVER_URL = process.env.GITEA_SERVER_URL || 'https://gitea.com';
 export const GITEA_REPOSITORY = process.env.GITEA_REPOSITORY || '';
 export const GITEA_SKIP_TLS_VERIFY = process.env.GITEA_SKIP_TLS_VERIFY === 'true';
@@ -1,9 +1,9 @@
 import axios from 'axios';
 import https from 'https';
-import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_SKIP_TLS_VERIFY, PR_NUMBER, PR_HEAD_SHA, PR_HEAD_BRANCH } from './config.js';
+import { GITEA_TOKEN, GITEA_COMMENT_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_SKIP_TLS_VERIFY, PR_NUMBER, PR_HEAD_SHA, PR_HEAD_BRANCH } from './config.js';
 const httpsAgent = GITEA_SKIP_TLS_VERIFY ? new https.Agent({ rejectUnauthorized: false }) : undefined;
-const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
+const headers = (token = GITEA_TOKEN) => ({ Authorization: `token ${token}`, 'Content-Type': 'application/json' });
 const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;
 function extractCommitMessage(payload) {
@@ -115,6 +115,10 @@ export function filterDiff(diff, excludePrefixes) {
 }
 export async function postComment(body) {
-  const resp = await axios.post(api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`), { body }, { headers: headers(), timeout: 30000, httpsAgent });
+  const resp = await axios.post(
    api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`),
    { body },
    { headers: headers(GITEA_COMMENT_TOKEN || GITEA_TOKEN), timeout: 30000, httpsAgent },
  );
  return resp.data;
 }