diff --git a/.gitea/ai-review/exclusions.json b/.gitea/ai-review/exclusions.json new file mode 100644 index 0000000..2ca1f18 --- /dev/null +++ b/.gitea/ai-review/exclusions.json @@ -0,0 +1,11 @@ +[ + { + "role": "Rex", + "location": "app/git.js", + "suggestion": "請避免將敏感資料(如 GITEA_TOKEN)直接寫入環境變數" + }, + { + "location": "app/git.js", + "suggestion": "GITEA_TOKEN 直接嵌入 URL 中" + } +] diff --git a/.gitea/ai-review/findings.json b/.gitea/ai-review/findings.json index 7dbcb7b..0637a08 100644 --- a/.gitea/ai-review/findings.json +++ b/.gitea/ai-review/findings.json @@ -1,58 +1 @@ -[ - { - "level": "critical", - "role": "Leo", - "location": "app/git.js:11", - "suggestion": "GITEA_TOKEN 直接嵌入 URL 中,可能導致憑證洩漏。建議使用環境變數或安全的憑證管理方式來處理敏感資訊。", - "is_new": true - }, - { - "level": "critical", - "role": "Maya", - "location": "app/git.js:1", - "suggestion": "缺少對 commitAndPush 函數的單元測試,應該為其添加測試以確保其正確性。", - "is_new": true - }, - { - "level": "warning", - "role": "Leo", - "location": "app/git.js:25", - "suggestion": "在使用 fs.existsSync 檢查目錄是否存在時,應考慮使用非同步方法以避免阻塞事件循環。", - "is_new": true - }, - { - "level": "warning", - "role": "Leo", - "location": "app/git.js:29", - "suggestion": "在 git clone 時使用 --depth=1 可能會導致未來需要完整歷史紀錄時的性能問題,建議根據實際需求調整。", - "is_new": true - }, - { - "level": "warning", - "role": "Leo", - "location": "app/git.js:11", - "suggestion": "在使用 fs.copyFileSync 時,未檢查目標檔案是否存在,可能會覆蓋重要資料。建議在複製之前檢查檔案是否存在。", - "is_new": true - }, - { - "level": "warning", - "role": "Leo", - "location": "app/git.js:11", - "suggestion": "在 commitAndPush 函數中,對於 git 操作的錯誤處理不夠完善,應該添加更多的測試來驗證不同情況下的行為。", - "is_new": true - }, - { - "level": "info", - "role": "Leo", - "location": ".gitea/workflows/review.yaml:5", - "suggestion": "建議在 'branches-ignore' 前加上空行,以提高可讀性。", - "is_new": true - }, - { - "level": "info", - "role": "Leo", - "location": "app/git.js:45", - "suggestion": "考慮使用 async/await 來處理 fs.copyFileSync,以提高可讀性和錯誤處理能力。", - "is_new": true - } -] \ No newline at end of file +[] \ No newline at end of file diff --git a/README.md b/README.md index e1c2026..11002fc 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,12 @@ 1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容),Comment 到 Push Request 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議) 3. 讀取所有未解決的舊問題(問題檔案存在於使用此 Action 的專案固定位置)加上新問題後,去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案 -4. 從PR問題表格中取出所有舊問題,依照等級排序後 Comment 到 Push Request -5. 從PR問題表格中取出所有新問題,排除嚴重等級的問題後 Comment 到 Push Request -6. 從PR問題表格中取出所有新問題,將每個嚴重等級的問題 Comment 到 Push Request -7. Commit 問題檔案 -8. 如果PR問題表格中有嚴重問題,則不要讓 workflow 執行成功(exit 1) +4. 讀取排除問題檔案,用來過濾PR問題表格中不需要處理的問題 +5. 從PR問題表格中取出所有舊問題,依照等級排序後 Comment 到 Push Request +6. 從PR問題表格中取出所有新問題,排除嚴重等級的問題後 Comment 到 Push Request +7. 從PR問題表格中取出所有新問題,將每個嚴重等級的問題 Comment 到 Push Request +8. Commit 問題檔案 +9. 如果PR問題表格中有嚴重問題,則不要讓 workflow 執行成功(exit 1) # 設計 @@ -139,116 +140,6 @@ jobs: issues: write ``` -### 6. Kilo Code -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - KILO_API_KEY: ${{ secrets.KILO_API_KEY }} - KILO_BASE_URL: https://api.kilocode.com/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 7. Roo Code -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - ROO_API_KEY: ${{ secrets.ROO_API_KEY }} - ROO_BASE_URL: https://api.roocode.com/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 8. Cline -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - CLINE_API_KEY: ${{ secrets.CLINE_API_KEY }} - CLINE_BASE_URL: https://api.cline.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 9. Continue -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }} - CONTINUE_BASE_URL: https://api.continue.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 10. Kade -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - KADE_API_KEY: ${{ secrets.KADE_API_KEY }} - KADE_BASE_URL: https://api.kade.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - ### - Ollama ```yaml diff --git a/TODO.md b/TODO.md index 9fe2599..e5115dc 100644 --- a/TODO.md +++ b/TODO.md @@ -8,26 +8,33 @@ ## 階段二:Findings 產生與合併 - 目標:各角色(style/security/performance/maintainability/testing)能產生 findings,並正確合併新舊 findings。 - 驗收:log 中能看到每個角色 findings 數量、合併後 findings 統計,並有「Step3: merged findings total=...」等訊息。 +- 完成 ## 階段三:AI 去重與角色確認 - 目標:嘗試呼叫 LLM 進行 findings 去重與角色確認,API 額度不足時要有降級處理 log。 - 驗收:log 中能看到 deduplication/resolution confirmation 成功或失敗(如 402),降級時有「保留所有問題」等明確訊息。 +- 完成 -## 階段四:findings 寫入與 comment 發布 +## 階段四:AI 排除問題過濾 +- 目標:讀取排除問題檔案(exclusions.json)進行規則過濾,並呼叫 AI 判斷剩餘問題是否為誤報或不適用,兩層過濾後產生最終問題清單。 +- 驗收:log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化,以及「AI 誤報過濾: N -> M 筆」或降級訊息。 +- 完成 + +## 階段五:findings 寫入與 comment 發布 - 目標:findings.jsonl 正確寫入,comment 發布順序正確(舊問題→非嚴重→嚴重),每步有 log。 -- 驗收:log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。 +- 驗收:log 中能看到 findings.json 寫入、comment sync 的詳細訊息與順序。 +- 完成 -## 階段五:記憶區 commit/push 與錯誤處理 +## 階段六:記憶區 commit/push 與錯誤處理 - 目標:記憶區能成功 commit/push,錯誤時有明確 log,流程結束有總結訊息。 - 驗收:log 有「persisted findings」、「commit=...」、「push=...」等訊息,錯誤時有「Runner failed: ...」等明確錯誤說明。 +- 完成 -## 階段六:阻擋嚴重問題 PR(第 8 點) +## 階段七:阻擋嚴重問題 PR(第 8 點) - 目標:如果 PR 問題表格中有嚴重(critical)問題,workflow 需直接 exit 1,不讓流程成功。 - 驗收:log 中能看到「critical 問題存在,workflow 結束(exit 1)」等明確訊息,且 workflow 狀態為失敗。 +- 完成 --- - -每個階段都會加上明確的 log,並確保即使部分功能未完成也能降級執行、不會中斷 pipeline。 - -每次執行後請貼 log,我會協助 debug。 \ No newline at end of file +所有階段驗收通過。 diff --git a/app/config.js b/app/config.js index ea20e2c..c5e7caa 100644 --- a/app/config.js +++ b/app/config.js @@ -6,6 +6,7 @@ export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || ''; export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || ''; export const FINDINGS_PATH = '.gitea/ai-review/findings.json'; +export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json'; export function getLLMConfig() { const checks = [ diff --git a/app/findings.js b/app/findings.js index 7c38515..7dcf060 100644 --- a/app/findings.js +++ b/app/findings.js @@ -1,7 +1,7 @@ import fs from 'fs'; import path from 'path'; import { chatJSON } from './llm.js'; -import { FINDINGS_PATH } from './config.js'; +import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js'; const LEVELS = ['critical', 'warning', 'info']; @@ -93,3 +93,74 @@ export async function deduplicateWithAI(findings) { return findings; } } + +/** + * 讀取排除問題檔案(從 workspace 的 EXCLUSIONS_PATH) + * 格式:[{ role, location, suggestion }],欄位可部分省略,省略表示萬用 + */ +export function loadExclusions(workspace) { + const fullPath = path.join(workspace, EXCLUSIONS_PATH); + if (!fs.existsSync(fullPath)) { + console.log(' 排除問題檔案不存在,跳過過濾'); + return []; + } + try { + const data = JSON.parse(fs.readFileSync(fullPath, 'utf8')); + const exclusions = Array.isArray(data) ? data : []; + console.log(` 讀取排除問題: ${exclusions.length} 筆`); + return exclusions; + } catch (e) { + console.log(` ⚠️ 讀取排除問題失敗: ${e.message},跳過過濾`); + return []; + } +} + +/** + * 套用排除規則,過濾掉符合排除條件的 findings + * 排除條件:role/location/suggestion 皆符合(省略的欄位視為萬用) + */ +export function applyExclusions(findings, exclusions) { + if (exclusions.length === 0) return findings; + const before = findings.length; + const filtered = findings.filter(f => !exclusions.some(ex => + (!ex.role || ex.role === f.role) && + (!ex.location || String(f.location).includes(ex.location)) && + (!ex.suggestion || String(f.suggestion).includes(String(ex.suggestion).slice(0, 20))) + )); + console.log(` 排除過濾: ${before} -> ${filtered.length} 筆(排除 ${before - filtered.length} 筆)`); + return filtered; +} + +/** + * 呼叫 AI 判斷哪些問題是誤報或不需處理,回傳需保留的 findings + * 失敗時降級回傳原始 findings + */ +export async function filterFalsePositivesWithAI(findings) { + if (findings.length === 0) return findings; + + const systemPrompt = `你是一位資深程式碼審查專家,負責判斷審查問題是否為誤報或不需處理。 +給你一份問題清單(JSON 陣列),每筆包含 level、role、location、suggestion。 +請移除以下類型的問題: +1. 誤報:問題描述與實際程式碼不符(例如:程式碼已正確使用環境變數或 secrets,卻被標記為硬編碼敏感資料) +2. 不適用:問題在此專案情境下不需處理(例如:CI/CD action 本來就需要透過環境變數傳遞 token) +只回傳需要保留的問題 JSON 陣列,不要有其他文字。`; + + const userContent = `請判斷以下問題清單,移除誤報或不需處理的問題:\n\n${JSON.stringify(findings, null, 2)}`; + + try { + const result = await chatJSON(systemPrompt, userContent); + if (Array.isArray(result)) { + console.log(` AI 誤報過濾: ${findings.length} -> ${result.length} 筆`); + return result; + } + throw new Error('AI 回傳非陣列'); + } catch (e) { + const status = e.response?.status; + if (status === 402 || status === 429) { + console.log(` ⚠️ AI 誤報過濾失敗(${status} 額度/限流),降級:保留所有問題`); + } else { + console.log(` ⚠️ AI 誤報過濾失敗(${e.message}),降級:保留所有問題`); + } + return findings; + } +} diff --git a/app/git.js b/app/git.js index c9bc837..5006d88 100644 --- a/app/git.js +++ b/app/git.js @@ -3,29 +3,68 @@ import fs from 'fs'; import path from 'path'; import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js'; -function git(args, cwd) { - const result = spawnSync('git', args, { cwd, encoding: 'utf8' }); - if (result.error) throw result.error; - if (result.status !== 0) throw new Error((result.stderr || result.stdout || '').trim()); - return (result.stdout || '').trim(); +function makeRunner(spawn) { + return function run(args, cwd, env) { + const opts = { cwd, encoding: 'utf8' }; + if (env) opts.env = env; + const result = spawn('git', args, opts); + if (result.error) throw result.error; + if (result.status !== 0) throw new Error((result.stderr || result.stdout || '').trim()); + return (result.stdout || '').trim(); + }; } -export async function commitAndPush(workspace) { - const remoteUrl = GITEA_SERVER_URL.replace(/\/$/, '') - .replace('https://', `https://${GITEA_TOKEN}@`) - .replace('http://', `http://${GITEA_TOKEN}@`) + `/${GITEA_REPOSITORY}.git`; - +/** + * Clone PR head branch to workspace/repo (idempotent) + */ +export function cloneRepo(workspace, _spawnSync = spawnSync) { + const run = makeRunner(_spawnSync); + const baseUrl = GITEA_SERVER_URL.replace(/\/$/, ''); + const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`; const repoDir = path.join(workspace, 'repo'); + const askpassScript = path.join(workspace, '.git-askpass.sh'); + fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 }); + const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN }; + try { if (!fs.existsSync(repoDir)) { - git(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace); + run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv); + console.log(` ✅ repo cloned to ${repoDir}`); + } else { + run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv); + run(['checkout', PR_HEAD_BRANCH], repoDir); + console.log(` ✅ repo already exists, fetched latest`); + } + } finally { + try { fs.unlinkSync(askpassScript); } catch {} + } + return repoDir; +} + +export async function commitAndPush(workspace, _spawnSync = spawnSync) { + const run = makeRunner(_spawnSync); + + const baseUrl = GITEA_SERVER_URL.replace(/\/$/, ''); + const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`; + const repoDir = path.join(workspace, 'repo'); + + // Write a temporary askpass script that reads the token from an env var, + // so the token value never appears in the script file itself + const askpassScript = path.join(workspace, '.git-askpass.sh'); + fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 }); + + const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN }; + + try { + if (!fs.existsSync(repoDir)) { + run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv); } - git(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir); - git(['config', 'user.name', 'AI Review Bot'], repoDir); - git(['fetch', 'origin', PR_HEAD_BRANCH], repoDir); - git(['checkout', PR_HEAD_BRANCH], repoDir); + run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir); + run(['config', 'user.name', 'AI Review Bot'], repoDir); + run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv); + run(['checkout', PR_HEAD_BRANCH], repoDir); // 將 findings.json 從 workspace 複製到 clone 的 repo const srcFindings = path.join(workspace, FINDINGS_PATH); @@ -33,19 +72,21 @@ export async function commitAndPush(workspace) { fs.mkdirSync(path.dirname(destFindings), { recursive: true }); fs.copyFileSync(srcFindings, destFindings); - git(['add', FINDINGS_PATH], repoDir); + run(['add', FINDINGS_PATH], repoDir); - const status = git(['status', '--porcelain'], repoDir); + const status = run(['status', '--porcelain'], repoDir); if (!status) { console.log(' findings.json 無變更,跳過 commit'); return; } - const out = git(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir); + const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir); const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown'; - git(['push', remoteUrl, PR_HEAD_BRANCH], repoDir); + run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv); console.log(` ✅ persisted findings commit=${commitHash} push=${PR_HEAD_BRANCH}`); } catch (e) { console.log(` ⚠️ Runner failed: commit/push 失敗: ${e.message}`); + } finally { + try { fs.unlinkSync(askpassScript); } catch {} } } diff --git a/app/git.test.js b/app/git.test.js new file mode 100644 index 0000000..0e7e85b --- /dev/null +++ b/app/git.test.js @@ -0,0 +1,149 @@ +import { describe, it, before, after, beforeEach } from 'node:test'; +import assert from 'node:assert/strict'; +import fs from 'fs'; +import os from 'os'; +import path from 'path'; +import { commitAndPush, cloneRepo } from './git.js'; + +// --- helpers --- +function makeTmpWorkspace() { + const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'git-test-')); + // Pre-create repo dir so clone branch is skipped + fs.mkdirSync(path.join(ws, 'repo'), { recursive: true }); + // Create a findings.json to copy + const findingsDir = path.join(ws, '.gitea/ai-review'); + fs.mkdirSync(findingsDir, { recursive: true }); + fs.writeFileSync(path.join(findingsDir, 'findings.json'), '[]'); + return ws; +} + +// Default stub: all commands succeed, status returns changes +function makeSpawn(overrides = {}) { + const calls = []; + const spawn = (cmd, args, opts) => { + const key = args[0]; + calls.push({ cmd, args, opts }); + if (overrides[key]) return overrides[key](args, opts); + if (key === 'status') return { status: 0, stdout: 'M .gitea/ai-review/findings.json', stderr: '', error: null }; + if (key === 'commit') return { status: 0, stdout: '[feature-branch abc1234] chore', stderr: '', error: null }; + return { status: 0, stdout: '', stderr: '', error: null }; + }; + spawn.calls = calls; + return spawn; +} + +describe('commitAndPush', () => { + let workspace; + + before(() => { workspace = makeTmpWorkspace(); }); + after(() => { fs.rmSync(workspace, { recursive: true, force: true }); }); + beforeEach(() => { + // Remove leftover askpass scripts between tests + for (const f of fs.readdirSync(workspace)) { + if (f.endsWith('.git-askpass.sh')) fs.unlinkSync(path.join(workspace, f)); + } + }); + + it('does not embed token in any git command argument', async () => { + const spawn = makeSpawn(); + await commitAndPush(workspace, spawn); + + for (const { args } of spawn.calls) { + assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`); + } + }); + + it('uses GIT_ASKPASS env for network operations (fetch, push, clone)', async () => { + const spawn = makeSpawn(); + await commitAndPush(workspace, spawn); + + const networkOps = ['fetch', 'push', 'clone']; + const networkCalls = spawn.calls.filter(c => networkOps.includes(c.args[0])); + assert.ok(networkCalls.length > 0, 'expected at least one network git call'); + + for (const { args, opts } of networkCalls) { + assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`); + } + }); + + it('cleans up askpass script after successful run', async () => { + await commitAndPush(workspace, makeSpawn()); + const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh')); + assert.equal(leftover.length, 0, 'askpass script was not cleaned up'); + }); + + it('cleans up askpass script even when git fails', async () => { + const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null }); + await commitAndPush(workspace, failSpawn); + const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh')); + assert.equal(leftover.length, 0, 'askpass script was not cleaned up after failure'); + }); + + it('skips commit when status shows no changes', async () => { + const spawn = makeSpawn({ status: () => ({ status: 0, stdout: '', stderr: '', error: null }) }); + await commitAndPush(workspace, spawn); + const commitCalled = spawn.calls.some(c => c.args[0] === 'commit'); + assert.equal(commitCalled, false, 'commit should not run when there are no changes'); + }); + + it('does not throw when git command fails', async () => { + const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null }); + await assert.doesNotReject(() => commitAndPush(workspace, failSpawn)); + }); +}); + +describe('cloneRepo', () => { + let workspace; + + before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); }); + after(() => { fs.rmSync(workspace, { recursive: true, force: true }); }); + + it('clones repo when repoDir does not exist', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone'); + assert.ok(cloneCalled, 'expected git clone to be called'); + }); + + it('fetches and checks out when repoDir already exists', () => { + const repoDir = path.join(workspace, 'repo'); + fs.mkdirSync(repoDir, { recursive: true }); + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone'); + const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch'); + assert.ok(!cloneCalled, 'clone should not run when repoDir exists'); + assert.ok(fetchCalled, 'fetch should run when repoDir exists'); + }); + + it('does not embed token in any git command argument', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + for (const { args } of spawn.calls) { + assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`); + } + }); + + it('uses GIT_ASKPASS for network operations', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0])); + assert.ok(networkCalls.length > 0, 'expected at least one network git call'); + for (const { args, opts } of networkCalls) { + assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`); + } + }); + + it('cleans up askpass script after run', () => { + const spawn = makeSpawn(); + cloneRepo(workspace, spawn); + const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh')); + assert.equal(leftover.length, 0, 'askpass script was not cleaned up'); + }); + + it('returns repoDir path', () => { + const spawn = makeSpawn(); + const result = cloneRepo(workspace, spawn); + assert.equal(result, path.join(workspace, 'repo')); + }); +}); diff --git a/app/main.js b/app/main.js index 5e13dc8..7d0eef9 100644 --- a/app/main.js +++ b/app/main.js @@ -1,9 +1,9 @@ import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js'; import { loadRoles, getRoleIntro } from './roles.js'; import { getPRDiff, postComment } from './gitea.js'; -import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js'; +import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js'; import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js'; -import { commitAndPush } from './git.js'; +import { cloneRepo, commitAndPush } from './git.js'; const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace'; @@ -26,7 +26,6 @@ async function main() { console.log(` 已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`); // 取得 PR diff - console.log('\n📋 Step1: 取得 PR Diff'); let diff; try { diff = await getPRDiff(); @@ -42,7 +41,6 @@ async function main() { } // 發布角色介紹 comment - console.log('\n💬 Step1: 發布角色介紹 Comment'); try { const intro = getRoleIntro(roles) + `\n\n> 🔍 服務:${provider} 模型:${model}`; await postComment(intro); @@ -50,6 +48,7 @@ async function main() { } catch (e) { console.log(` ⚠️ comment 發布失敗(繼續執行): ${e.message}`); } + console.log(' Step1 完成'); // Step2: 各角色分析 diff 產生新 findings console.log('\n📊 Step2: Findings 產生'); @@ -64,38 +63,51 @@ async function main() { } console.log(` Step2 完成: 新 findings 總計 ${newFindings.length} 筆`); - // Step3: 讀取舊 findings,合併去重 + // Step3: 讀取舊 findings,合併去重(含 AI 語意去重) console.log('\n🔀 Step3: Findings 合併'); - const oldFindings = loadOldFindings(WORKSPACE); + // Clone repo 以讀取舊 findings 與排除清單 + let repoDir; + try { + repoDir = cloneRepo(WORKSPACE); + } catch (e) { + console.log(` ⚠️ clone repo 失敗(繼續執行): ${e.message}`); + } + const oldFindings = loadOldFindings(repoDir || WORKSPACE); const mergedFindings = mergeFindings(oldFindings, newFindings); console.log(` Step3 merged findings total=${mergedFindings.length}`); - // Step3b: AI 語意去重 console.log('\n🤖 Step3b: AI 語意去重'); const deduped = await deduplicateWithAI(mergedFindings); const sorted = sortByLevel(deduped); console.log(` Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`); - // Step4: 寫入 findings.json,依序發布 comment - console.log('\n📝 Step4: Findings 寫入與 Comment 發布'); - saveFindings(WORKSPACE, sorted); + // Step4: 讀取排除問題檔案,過濾 PR 問題表格,並請 AI 判斷誤報 + console.log('\n🚫 Step4: AI 排除問題過濾'); + const exclusions = loadExclusions(repoDir || WORKSPACE); + const ruleFiltered = applyExclusions(sorted, exclusions); + const filtered = await filterFalsePositivesWithAI(ruleFiltered); + console.log(` Step4 完成: findings total=${filtered.length}`); + + // Step5: 寫入 findings.json,依序發布 comment + console.log('\n📝 Step5: Findings 寫入與 Comment 發布'); + saveFindings(WORKSPACE, filtered); try { - await postOldFindingsComment(sorted); - await postNewNonCriticalComment(sorted); - await postNewCriticalComments(sorted); - console.log(' Step4 完成'); + await postOldFindingsComment(filtered); + await postNewNonCriticalComment(filtered); + await postNewCriticalComments(filtered); + console.log(' Step5 完成'); } catch (e) { console.log(` ⚠️ comment 發布失敗(繼續執行): ${e.message}`); } - // Step5: commit/push findings.json 到來源分支 - console.log('\n💾 Step5: 記憶區 Commit/Push'); + // Step6: commit/push findings.json 到來源分支 + console.log('\n💾 Step6: 記憶區 Commit/Push'); await commitAndPush(WORKSPACE); - // Step6: 有 critical 問題則 exit 1 - console.log('\n🚦 Step6: 嚴重問題檢查'); - const criticalCount = sorted.filter(f => f.level === 'critical').length; + // Step7: 有 critical 問題則 exit 1 + console.log('\n🚦 Step7: 嚴重問題檢查'); + const criticalCount = filtered.filter(f => f.level === 'critical').length; if (criticalCount > 0) { console.log(` ❌ 發現 ${criticalCount} 個嚴重問題,workflow 結束(exit 1)`); console.log('='.repeat(60)); diff --git a/app/package.json b/app/package.json index b5e3877..466e7c7 100644 --- a/app/package.json +++ b/app/package.json @@ -2,6 +2,9 @@ "name": "ai-code-review", "version": "1.0.0", "type": "module", + "scripts": { + "test": "node --test app/git.test.js" + }, "dependencies": { "axios": "^1.6.7", "js-yaml": "^4.1.0",