diff --git a/.gitea/ai-review/exclusions.json b/.gitea/ai-review/exclusions.json new file mode 100644 index 0000000..3ae3cda --- /dev/null +++ b/.gitea/ai-review/exclusions.json @@ -0,0 +1,7 @@ +[ + { + "role": "Rex", + "location": "app/git.js", + "suggestion": "請避免將敏感資料(如 GITEA_TOKEN)直接寫入環境變數" + } +] diff --git a/.gitea/ai-review/findings.json b/.gitea/ai-review/findings.json index 399b9a7..0f41675 100644 --- a/.gitea/ai-review/findings.json +++ b/.gitea/ai-review/findings.json @@ -2,57 +2,36 @@ { "level": "critical", "role": "Rex", - "location": "app/git.js:12", - "suggestion": "請避免將敏感資料(如 GITEA_TOKEN)直接寫入環境變數,應使用安全的秘密管理工具來管理這些敏感資訊。", - "is_new": true - }, - { - "level": "warning", - "role": "Leo", - "location": "app/git.js:21", - "suggestion": "建議在函式開頭添加文件註解,說明函式的用途、參數及回傳值,以增強可讀性和可維護性。", - "is_new": true - }, - { - "level": "warning", - "role": "Leo", - "location": "app/git.js:21", - "suggestion": "建議將硬編碼的 'x-token' 和 'GIT_TOKEN' 提取為常數,並在程式碼中使用這些常數,以提高可維護性。", - "is_new": true - }, - { - "level": "warning", - "role": "Aria", - "location": "app/git.js:12", - "suggestion": "建議將註解中的「that reads the token from an env var」改為「從環境變數讀取令牌」,以提高可讀性。", - "is_new": true - }, - { - "level": "warning", - "role": "Aria", "location": "app/git.js:14", - "suggestion": "建議將註解中的「the token value never appears in the script file itself」改為「令牌值不會出現在腳本文件中」,以提高可讀性。", + "suggestion": "請避免將 GIT_TOKEN 直接寫入腳本中,應使用安全的秘密管理工具來管理這些敏感資訊.", "is_new": true }, { "level": "warning", - "role": "Maya", - "location": "app/git.js:21", - "suggestion": "應該為 commitAndPush 函數撰寫單元測試,以確保其功能正確性和邊界條件處理。", + "role": "Leo", + "location": "app/git.js:14", + "suggestion": "建議在 cloneRepo 函數中增加對於 GIT_TOKEN 的安全性處理,避免敏感資訊洩漏.", "is_new": true }, { - "level": "info", - "role": "Aria", - "location": "app/git.js:15", - "suggestion": "考慮將 GIT_TOKEN 的命名改為 GITEA_TOKEN,以保持一致性。", - "is_new": true + "level": "warning", + "role": "Leo", + "location": "app/findings.js:93", + "suggestion": "建議在 loadExclusions 函式中增加對於 JSON 格式的驗證,確保讀取的資料符合預期格式,避免潛在的錯誤.", + "is_new": false + }, + { + "level": "warning", + "role": "Leo", + "location": "app/findings.js:40", + "suggestion": "在 applyExclusions 函式中,建議增加對於 findings 和 exclusions 參數的有效性檢查,以提高程式的健壯性.", + "is_new": false }, { "level": "info", - "role": "Maya", - "location": "app/git.js:21", - "suggestion": "建議在測試中模擬環境變數,以避免在測試過程中暴露敏感資訊。", + "role": "Leo", + "location": "README.md", + "suggestion": "建議在 README 中增加對於新功能(如排除問題過濾)的詳細說明,以便未來的維護者能快速了解其功能.", "is_new": true } ] \ No newline at end of file diff --git a/README.md b/README.md index e1c2026..11002fc 100644 --- a/README.md +++ b/README.md @@ -7,11 +7,12 @@ 1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容),Comment 到 Push Request 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議) 3. 讀取所有未解決的舊問題(問題檔案存在於使用此 Action 的專案固定位置)加上新問題後,去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案 -4. 從PR問題表格中取出所有舊問題,依照等級排序後 Comment 到 Push Request -5. 從PR問題表格中取出所有新問題,排除嚴重等級的問題後 Comment 到 Push Request -6. 從PR問題表格中取出所有新問題,將每個嚴重等級的問題 Comment 到 Push Request -7. Commit 問題檔案 -8. 如果PR問題表格中有嚴重問題,則不要讓 workflow 執行成功(exit 1) +4. 讀取排除問題檔案,用來過濾PR問題表格中不需要處理的問題 +5. 從PR問題表格中取出所有舊問題,依照等級排序後 Comment 到 Push Request +6. 從PR問題表格中取出所有新問題,排除嚴重等級的問題後 Comment 到 Push Request +7. 從PR問題表格中取出所有新問題,將每個嚴重等級的問題 Comment 到 Push Request +8. Commit 問題檔案 +9. 如果PR問題表格中有嚴重問題,則不要讓 workflow 執行成功(exit 1) # 設計 @@ -139,116 +140,6 @@ jobs: issues: write ``` -### 6. Kilo Code -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - KILO_API_KEY: ${{ secrets.KILO_API_KEY }} - KILO_BASE_URL: https://api.kilocode.com/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 7. Roo Code -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - ROO_API_KEY: ${{ secrets.ROO_API_KEY }} - ROO_BASE_URL: https://api.roocode.com/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 8. Cline -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - CLINE_API_KEY: ${{ secrets.CLINE_API_KEY }} - CLINE_BASE_URL: https://api.cline.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 9. Continue -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }} - CONTINUE_BASE_URL: https://api.continue.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - -### 10. Kade -```yaml -name: AI -on: - pull_request: - types: [opened, synchronize] -jobs: - code-review: - name: 'Code Review' - runs-on: ubuntu - steps: - - name: AI Code Review - uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }} - with: - KADE_API_KEY: ${{ secrets.KADE_API_KEY }} - KADE_BASE_URL: https://api.kade.dev/v1 - permissions: - contents: write - pull-requests: write - issues: write -``` - ### - Ollama ```yaml diff --git a/TODO.md b/TODO.md index 9fe2599..e5115dc 100644 --- a/TODO.md +++ b/TODO.md @@ -8,26 +8,33 @@ ## 階段二:Findings 產生與合併 - 目標:各角色(style/security/performance/maintainability/testing)能產生 findings,並正確合併新舊 findings。 - 驗收:log 中能看到每個角色 findings 數量、合併後 findings 統計,並有「Step3: merged findings total=...」等訊息。 +- 完成 ## 階段三:AI 去重與角色確認 - 目標:嘗試呼叫 LLM 進行 findings 去重與角色確認,API 額度不足時要有降級處理 log。 - 驗收:log 中能看到 deduplication/resolution confirmation 成功或失敗(如 402),降級時有「保留所有問題」等明確訊息。 +- 完成 -## 階段四:findings 寫入與 comment 發布 +## 階段四:AI 排除問題過濾 +- 目標:讀取排除問題檔案(exclusions.json)進行規則過濾,並呼叫 AI 判斷剩餘問題是否為誤報或不適用,兩層過濾後產生最終問題清單。 +- 驗收:log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化,以及「AI 誤報過濾: N -> M 筆」或降級訊息。 +- 完成 + +## 階段五:findings 寫入與 comment 發布 - 目標:findings.jsonl 正確寫入,comment 發布順序正確(舊問題→非嚴重→嚴重),每步有 log。 -- 驗收:log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。 +- 驗收:log 中能看到 findings.json 寫入、comment sync 的詳細訊息與順序。 +- 完成 -## 階段五:記憶區 commit/push 與錯誤處理 +## 階段六:記憶區 commit/push 與錯誤處理 - 目標:記憶區能成功 commit/push,錯誤時有明確 log,流程結束有總結訊息。 - 驗收:log 有「persisted findings」、「commit=...」、「push=...」等訊息,錯誤時有「Runner failed: ...」等明確錯誤說明。 +- 完成 -## 階段六:阻擋嚴重問題 PR(第 8 點) +## 階段七:阻擋嚴重問題 PR(第 8 點) - 目標:如果 PR 問題表格中有嚴重(critical)問題,workflow 需直接 exit 1,不讓流程成功。 - 驗收:log 中能看到「critical 問題存在,workflow 結束(exit 1)」等明確訊息,且 workflow 狀態為失敗。 +- 完成 --- - -每個階段都會加上明確的 log,並確保即使部分功能未完成也能降級執行、不會中斷 pipeline。 - -每次執行後請貼 log,我會協助 debug。 \ No newline at end of file +所有階段驗收通過。 diff --git a/app/config.js b/app/config.js index ea20e2c..c5e7caa 100644 --- a/app/config.js +++ b/app/config.js @@ -6,6 +6,7 @@ export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || ''; export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || ''; export const FINDINGS_PATH = '.gitea/ai-review/findings.json'; +export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json'; export function getLLMConfig() { const checks = [ diff --git a/app/findings.js b/app/findings.js index 7c38515..7dcf060 100644 --- a/app/findings.js +++ b/app/findings.js @@ -1,7 +1,7 @@ import fs from 'fs'; import path from 'path'; import { chatJSON } from './llm.js'; -import { FINDINGS_PATH } from './config.js'; +import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js'; const LEVELS = ['critical', 'warning', 'info']; @@ -93,3 +93,74 @@ export async function deduplicateWithAI(findings) { return findings; } } + +/** + * 讀取排除問題檔案(從 workspace 的 EXCLUSIONS_PATH) + * 格式:[{ role, location, suggestion }],欄位可部分省略,省略表示萬用 + */ +export function loadExclusions(workspace) { + const fullPath = path.join(workspace, EXCLUSIONS_PATH); + if (!fs.existsSync(fullPath)) { + console.log(' 排除問題檔案不存在,跳過過濾'); + return []; + } + try { + const data = JSON.parse(fs.readFileSync(fullPath, 'utf8')); + const exclusions = Array.isArray(data) ? data : []; + console.log(` 讀取排除問題: ${exclusions.length} 筆`); + return exclusions; + } catch (e) { + console.log(` ⚠️ 讀取排除問題失敗: ${e.message},跳過過濾`); + return []; + } +} + +/** + * 套用排除規則,過濾掉符合排除條件的 findings + * 排除條件:role/location/suggestion 皆符合(省略的欄位視為萬用) + */ +export function applyExclusions(findings, exclusions) { + if (exclusions.length === 0) return findings; + const before = findings.length; + const filtered = findings.filter(f => !exclusions.some(ex => + (!ex.role || ex.role === f.role) && + (!ex.location || String(f.location).includes(ex.location)) && + (!ex.suggestion || String(f.suggestion).includes(String(ex.suggestion).slice(0, 20))) + )); + console.log(` 排除過濾: ${before} -> ${filtered.length} 筆(排除 ${before - filtered.length} 筆)`); + return filtered; +} + +/** + * 呼叫 AI 判斷哪些問題是誤報或不需處理,回傳需保留的 findings + * 失敗時降級回傳原始 findings + */ +export async function filterFalsePositivesWithAI(findings) { + if (findings.length === 0) return findings; + + const systemPrompt = `你是一位資深程式碼審查專家,負責判斷審查問題是否為誤報或不需處理。 +給你一份問題清單(JSON 陣列),每筆包含 level、role、location、suggestion。 +請移除以下類型的問題: +1. 誤報:問題描述與實際程式碼不符(例如:程式碼已正確使用環境變數或 secrets,卻被標記為硬編碼敏感資料) +2. 不適用:問題在此專案情境下不需處理(例如:CI/CD action 本來就需要透過環境變數傳遞 token) +只回傳需要保留的問題 JSON 陣列,不要有其他文字。`; + + const userContent = `請判斷以下問題清單,移除誤報或不需處理的問題:\n\n${JSON.stringify(findings, null, 2)}`; + + try { + const result = await chatJSON(systemPrompt, userContent); + if (Array.isArray(result)) { + console.log(` AI 誤報過濾: ${findings.length} -> ${result.length} 筆`); + return result; + } + throw new Error('AI 回傳非陣列'); + } catch (e) { + const status = e.response?.status; + if (status === 402 || status === 429) { + console.log(` ⚠️ AI 誤報過濾失敗(${status} 額度/限流),降級:保留所有問題`); + } else { + console.log(` ⚠️ AI 誤報過濾失敗(${e.message}),降級:保留所有問題`); + } + return findings; + } +} diff --git a/app/git.js b/app/git.js index fe11ac5..5006d88 100644 --- a/app/git.js +++ b/app/git.js @@ -14,6 +14,34 @@ function makeRunner(spawn) { }; } +/** + * Clone PR head branch to workspace/repo (idempotent) + */ +export function cloneRepo(workspace, _spawnSync = spawnSync) { + const run = makeRunner(_spawnSync); + const baseUrl = GITEA_SERVER_URL.replace(/\/$/, ''); + const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`; + const repoDir = path.join(workspace, 'repo'); + + const askpassScript = path.join(workspace, '.git-askpass.sh'); + fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 }); + const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN }; + + try { + if (!fs.existsSync(repoDir)) { + run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv); + console.log(` ✅ repo cloned to ${repoDir}`); + } else { + run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv); + run(['checkout', PR_HEAD_BRANCH], repoDir); + console.log(` ✅ repo already exists, fetched latest`); + } + } finally { + try { fs.unlinkSync(askpassScript); } catch {} + } + return repoDir; +} + export async function commitAndPush(workspace, _spawnSync = spawnSync) { const run = makeRunner(_spawnSync); diff --git a/app/main.js b/app/main.js index 5e13dc8..7d0eef9 100644 --- a/app/main.js +++ b/app/main.js @@ -1,9 +1,9 @@ import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js'; import { loadRoles, getRoleIntro } from './roles.js'; import { getPRDiff, postComment } from './gitea.js'; -import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js'; +import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js'; import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js'; -import { commitAndPush } from './git.js'; +import { cloneRepo, commitAndPush } from './git.js'; const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace'; @@ -26,7 +26,6 @@ async function main() { console.log(` 已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`); // 取得 PR diff - console.log('\n📋 Step1: 取得 PR Diff'); let diff; try { diff = await getPRDiff(); @@ -42,7 +41,6 @@ async function main() { } // 發布角色介紹 comment - console.log('\n💬 Step1: 發布角色介紹 Comment'); try { const intro = getRoleIntro(roles) + `\n\n> 🔍 服務:${provider} 模型:${model}`; await postComment(intro); @@ -50,6 +48,7 @@ async function main() { } catch (e) { console.log(` ⚠️ comment 發布失敗(繼續執行): ${e.message}`); } + console.log(' Step1 完成'); // Step2: 各角色分析 diff 產生新 findings console.log('\n📊 Step2: Findings 產生'); @@ -64,38 +63,51 @@ async function main() { } console.log(` Step2 完成: 新 findings 總計 ${newFindings.length} 筆`); - // Step3: 讀取舊 findings,合併去重 + // Step3: 讀取舊 findings,合併去重(含 AI 語意去重) console.log('\n🔀 Step3: Findings 合併'); - const oldFindings = loadOldFindings(WORKSPACE); + // Clone repo 以讀取舊 findings 與排除清單 + let repoDir; + try { + repoDir = cloneRepo(WORKSPACE); + } catch (e) { + console.log(` ⚠️ clone repo 失敗(繼續執行): ${e.message}`); + } + const oldFindings = loadOldFindings(repoDir || WORKSPACE); const mergedFindings = mergeFindings(oldFindings, newFindings); console.log(` Step3 merged findings total=${mergedFindings.length}`); - // Step3b: AI 語意去重 console.log('\n🤖 Step3b: AI 語意去重'); const deduped = await deduplicateWithAI(mergedFindings); const sorted = sortByLevel(deduped); console.log(` Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`); - // Step4: 寫入 findings.json,依序發布 comment - console.log('\n📝 Step4: Findings 寫入與 Comment 發布'); - saveFindings(WORKSPACE, sorted); + // Step4: 讀取排除問題檔案,過濾 PR 問題表格,並請 AI 判斷誤報 + console.log('\n🚫 Step4: AI 排除問題過濾'); + const exclusions = loadExclusions(repoDir || WORKSPACE); + const ruleFiltered = applyExclusions(sorted, exclusions); + const filtered = await filterFalsePositivesWithAI(ruleFiltered); + console.log(` Step4 完成: findings total=${filtered.length}`); + + // Step5: 寫入 findings.json,依序發布 comment + console.log('\n📝 Step5: Findings 寫入與 Comment 發布'); + saveFindings(WORKSPACE, filtered); try { - await postOldFindingsComment(sorted); - await postNewNonCriticalComment(sorted); - await postNewCriticalComments(sorted); - console.log(' Step4 完成'); + await postOldFindingsComment(filtered); + await postNewNonCriticalComment(filtered); + await postNewCriticalComments(filtered); + console.log(' Step5 完成'); } catch (e) { console.log(` ⚠️ comment 發布失敗(繼續執行): ${e.message}`); } - // Step5: commit/push findings.json 到來源分支 - console.log('\n💾 Step5: 記憶區 Commit/Push'); + // Step6: commit/push findings.json 到來源分支 + console.log('\n💾 Step6: 記憶區 Commit/Push'); await commitAndPush(WORKSPACE); - // Step6: 有 critical 問題則 exit 1 - console.log('\n🚦 Step6: 嚴重問題檢查'); - const criticalCount = sorted.filter(f => f.level === 'critical').length; + // Step7: 有 critical 問題則 exit 1 + console.log('\n🚦 Step7: 嚴重問題檢查'); + const criticalCount = filtered.filter(f => f.level === 'critical').length; if (criticalCount > 0) { console.log(` ❌ 發現 ${criticalCount} 個嚴重問題,workflow 結束(exit 1)`); console.log('='.repeat(60));