refactor: improve comment formatting and streamline AI handling in findings processing

Reviewed-on: jiantw83/code-review#85

.gitea/ai-review/exclusions.json

@@ -183,5 +183,25 @@
     "role": "Maya",
     "location": "app/roles.js",
     "suggestion": "roles.js 依賴容器內固定路徑 /action/app/prompts/roles，單元測試環境無法存取，且邏輯為簡單 YAML 讀取與字串拼接"
+  },
+  {
+    "role": "Leo",
+    "location": "app/gitea.js",
+    "suggestion": "gitea.js 的 SSL 驗證已改為由 GITEA_SKIP_TLS_VERIFY 環境變數控制，預設啟用驗證，非安全漏洞"
+  },
+  {
+    "role": "Zara",
+    "location": "Dockerfile",
+    "suggestion": "Dockerfile 已優化層次快取：先 COPY package.json 再 npm install，最後才 COPY 其餘檔案"
+  },
+  {
+    "role": "Aria",
+    "location": "app/package.json",
+    "suggestion": "test 腳本已改為 node --test *.test.js，在 app/ 目錄下執行可自動發現所有測試檔案"
+  },
+  {
+    "role": "Zara",
+    "location": "app/main.js",
+    "suggestion": "deduplicateWithAI 和 filterFalsePositivesWithAI 為循序依賴流程（去重後才能過濾），無法平行化"
   }
 ]

.gitea/ai-review/findings.json

@@ -1,65 +1,9 @@
 [
-  {
-    "level": "critical",
-    "role": "Leo",
-    "location": "app/gitea.js:10",
-    "suggestion": "在 `app/gitea.js` 中，`https.Agent` 設定了 `rejectUnauthorized: false`，這會禁用 SSL/TLS 憑證驗證。這是一個嚴重的安全漏洞，會使應用程式容易受到中間人攻擊，並嚴重影響系統的安全性與可維護性。強烈建議移除此設定，或在必要時配置正確的憑證信任鏈。",
-    "is_new": true
-  },
-  {
-    "level": "critical",
-    "role": "Aria",
-    "location": "Dockerfile",
-    "suggestion": "檔案結尾缺少換行符號（newline character），這不符合 POSIX 慣例，建議在檔案末尾新增一個空行。",
-    "is_new": true
-  },
-  {
-    "level": "critical",
-    "role": "Aria",
-    "location": "entrypoint.sh",
-    "suggestion": "檔案結尾缺少換行符號（newline character），這不符合 POSIX 慣例，建議在檔案末尾新增一個空行。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Leo",
-    "location": "Dockerfile:2",
-    "suggestion": "在 `Dockerfile` 中，基礎映像檔使用了 `FROM alpine` 而沒有指定具體的版本標籤（例如 `alpine:3.18`）。這可能導致未來 `alpine:latest` 更新時，建置環境發生非預期的變更，影響建置的可重現性和穩定性。為了長期維護性，建議明確指定基礎映像檔的版本。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Zara",
-    "location": "Dockerfile",
-    "suggestion": "建議調整 Dockerfile 的層次，將 `COPY app/package.json app/package-lock.json /action/app/` 放在 `npm install` 之前，然後再 `COPY app/ /action/app/`。這樣可以利用 Docker 的層次快取，當 `package.json` 或 `package-lock.json` 未變更時，`npm install` 步驟就不會重複執行，顯著加快 Docker 映像檔的建置速度。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Maya",
-    "location": "app/main.js",
-    "suggestion": "儘管各單元模組（`config`, `git`, `llm`）已有良好的單元測試，但 `app/main.js` 作為整個 Action 的協調者，其整合邏輯和端到端流程缺乏測試。特別是 `TODO.md` 中提到的「阻擋嚴重問題 PR（exit 1）」等關鍵行為，應透過整合測試或端到端測試來驗證，確保各模組協同運作正確，且整體流程符合預期。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Maya",
-    "location": "app/comments.js",
-    "suggestion": "`app/comments.js` 模組負責生成評論內容和儲存 findings 檔案。其中 `buildTable` 等函式負責 Markdown 表格的生成，以及 `postOldFindingsComment`, `postNewNonCriticalComment`, `postNewCriticalComments` 中的過濾邏輯，應補齊單元測試，以確保評論內容的格式正確性及問題分類的準確性。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Maya",
-    "location": "app/roles.js",
-    "suggestion": "`app/roles.js` 模組負責載入和處理角色定義。`loadRoles` 函式應增加單元測試，以驗證其能正確解析 YAML 檔案，並處理檔案不存在或格式錯誤等異常情況。`getRoleIntro` 函式也應測試其生成的 Markdown 介紹內容是否符合預期格式。",
-    "is_new": true
-  },
   {
     "level": "info",
-    "role": "Maya",
-    "location": "app/package.json",
-    "suggestion": "目前的 `test` 腳本 (`node --test git.test.js config.test.js llm.test.js`) 僅涵蓋了部分單元測試。建議更新此腳本，使其能自動發現並執行所有 `*.test.js` 檔案，以確保所有新增的測試都能被納入 CI 流程中執行。",
+    "role": "Rex",
+    "location": "action.yaml",
+    "suggestion": "此 Action 需要 `contents: write`、`pull-requests: write` 和 `issues: write` 權限。這些權限對於 Action 的正常運作是必要的（例如寫入 findings.json、發布評論），但屬於較廣泛的權限。建議在文件或使用說明中明確指出這些權限的需求及其潛在影響，確保使用者了解並接受。",
     "is_new": true
   }
 ]

.gitea/workflows/review.yaml

@@ -26,12 +26,12 @@ jobs:
         tag_name: v${{ steps.version.outputs.version }}
         target_commitish: ${{ github.head_ref }}
   code-review:
-    name: 'Code Review'
+    name: Code Review
     runs-on: ubuntu
     needs: [version]
     steps:
     - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@v${{ needs.version.outputs.version }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@v${{ needs.version.outputs.version }}
       with:
         GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
         GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta

README.md

@@ -22,6 +22,7 @@
 4. 盡量將應用程式放在 ./app，修改 entrypoint.sh 與 Dockerfile 讓程式可以正常運行
 5. 將提示詞放到 ./app/prompts 內供程式讀取
 6. API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，全部失敗則 exit 1
+7. 讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，避免 AI 分析 workflow 設定等非業務程式碼
 
 # 使用說明
 
@@ -32,16 +33,21 @@
 ### 1. OpenAI
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
   pull_request:
+    branches-ignore:
+    - master
     types: [opened, synchronize]
 jobs:
   code-review:
-    name: 'Code Review'
+    name: Code Review
     runs-on: ubuntu
     steps:
     - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
         OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}  # 支援逗號分隔多個 Key
         OPENAI_BASE_URL: https://api.openai.com/v1
@@ -55,16 +61,21 @@ jobs:
 ### 2. OpenRouter
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
   pull_request:
+    branches-ignore:
+    - master
     types: [opened, synchronize]
 jobs:
   code-review:
-    name: 'Code Review'
+    name: Code Review
     runs-on: ubuntu
     steps:
     - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
         OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }},${{ secrets.OPENROUTER_API_KEY_1 }}
         OPENAI_BASE_URL: https://openrouter.ai/api/v1
@@ -78,16 +89,21 @@ jobs:
 ### 3. Anthropic Claude
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
   pull_request:
+    branches-ignore:
+    - master
     types: [opened, synchronize]
 jobs:
   code-review:
-    name: 'Code Review'
+    name: Code Review
     runs-on: ubuntu
     steps:
     - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
         CLAUDE_API_KEY: ${{ secrets.CLAUDE_API_KEY }}  # 支援逗號分隔多個 Key
         CLAUDE_BASE_URL: https://api.anthropic.com/v1
@@ -100,16 +116,21 @@ jobs:
 ### 4. Google Gemini
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
   pull_request:
+    branches-ignore:
+    - master
     types: [opened, synchronize]
 jobs:
   code-review:
-    name: 'Code Review'
+    name: Code Review
     runs-on: ubuntu
     steps:
     - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
         GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
         GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
@@ -123,16 +144,21 @@ jobs:
 ### 5. Amazon Q
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
   pull_request:
+    branches-ignore:
+    - master
     types: [opened, synchronize]
 jobs:
   code-review:
-    name: 'Code Review'
+    name: Code Review
     runs-on: ubuntu
     steps:
     - name: AI Code Review
-      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
         AMAZONQ_API_KEY: ${{ secrets.AMAZONQ_API_KEY }}  # 支援逗號分隔多個 Key
         AMAZONQ_BASE_URL: https://q.api.aws
@@ -146,22 +172,26 @@ jobs:
 
 ```yaml
 name: AI
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref }}
+  cancel-in-progress: true
 on:
   pull_request:
+    branches-ignore:
+    - master
     types: [opened, synchronize]
 jobs:
   code-review:
-    name: 'Code Review'
+    name: Code Review
     runs-on: ubuntu
     steps:
     - name: AI Code Review
-        uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+        uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
         with:
           OLLAMA_BASE_URL: https://ollama.jsc.idv.me/v1
           OLLAMA_MODEL: ${{ vars.OLLAMA_MODEL }}
     permissions:
       contents: write
       pull-requests: write
-
       issues: write
 ```

TODO.md

@@ -40,6 +40,11 @@
 - 驗收：log 中能看到「key[N/M] 失敗」等訊息，換 key 後繼續執行；傳入單一 Key 時行為與原本相同；全部 Key 失敗時 log「所有 API Key 均失敗，終止流程」且 workflow 狀態為失敗。
 - 完成
 
+## 階段九：Git Diff 排除 .gitea/ 資料夾
+- 目標：讀取 Git Diff 時排除 `.gitea/` 資料夾內的所有檔案，避免 AI 分析 workflow 設定等非業務程式碼。
+- 驗收：PR 中有 `.gitea/` 路徑的變更時，diff 內容不包含該路徑的區塊，AI 分析結果不含 `.gitea/` 相關問題。
+- 完成
+
 ---
 
 所有階段驗收通過。

app/comments.js

@@ -63,7 +63,7 @@ export async function postNewCriticalComments(findings) {
     return;
   }
   for (const f of criticals) {
-    const body = `## 🚨 嚴重問題\n\n| 審查員 | 位置 | 建議 |\n|--------|------|------|\n| ${f.role} | ${f.location} | ${f.suggestion} |`;
+    const body = `## 🚨 嚴重問題\n\n${buildTable([f])}`;
     await postComment(body);
     console.log(`  ✅ 嚴重問題 comment 發布: [${f.role}] ${f.location}`);
   }

app/findings.js

@@ -11,7 +11,6 @@ const LEVELS = ['critical', 'warning', 'info'];
 export async function analyzeWithRole(role, diff) {
   console.log(`  [${role.name}] 開始分析...`);
   const findings = await chatJSON(role.system_prompt, `以下是 Git Diff 內容：\n\n${diff}`);
-  // 確保每筆都有必要欄位，並標記為新問題
   const valid = findings.filter(f => f.level && f.role && f.location && f.suggestion)
     .map(f => ({ ...f, is_new: true }));
   console.log(`  [${role.name}] 找到 ${valid.length} 個問題`);
@@ -40,7 +39,6 @@ export function loadOldFindings(workspace) {
 
 /**
  * 合併新舊 findings，以 (role + location + suggestion前50字) 為 key 去除重複
- * 舊問題保留，新問題若與舊問題重複則捨棄
  */
 export function mergeFindings(oldFindings, newFindings) {
   const key = f => `${f.role}|${f.location}|${String(f.suggestion).slice(0, 50)}`;
@@ -63,8 +61,17 @@ export function sortByLevel(findings) {
 }
 
 /**
- * 呼叫 LLM 進行語意去重，回傳去重後的 findings
- * 失敗時降級回傳原始 findings
+ * AI 呼叫失敗時的統一降級處理
+ */
+function fallback(label, findings, e) {
+  const status = e.response?.status;
+  const reason = (status === 402 || status === 429) ? `${status} 額度/限流` : e.message;
+  console.log(`  ⚠️  ${label}失敗（${reason}），降級：保留所有問題`);
+  return findings;
+}
+
+/**
+ * 呼叫 LLM 進行語意去重，失敗時降級回傳原始 findings
  */
 export async function deduplicateWithAI(findings) {
   if (findings.length === 0) return findings;
@@ -74,29 +81,20 @@ export async function deduplicateWithAI(findings) {
 保留等級較高的版本，優先保留 critical > warning > info。
 只回傳去重後的 JSON 陣列，不要有其他文字。`;
 
-  const userContent = `以下是問題清單，請去除語意重複的項目：\n\n${JSON.stringify(findings, null, 2)}`;
-
   try {
-    const result = await chatJSON(systemPrompt, userContent);
+    const result = await chatJSON(systemPrompt, `以下是問題清單，請去除語意重複的項目：\n\n${JSON.stringify(findings, null, 2)}`);
     if (Array.isArray(result) && result.length > 0) {
       console.log(`  AI 去重: ${findings.length} -> ${result.length} 筆`);
       return result;
     }
     throw new Error('AI 回傳空陣列');
   } catch (e) {
-    const status = e.response?.status;
-    if (status === 402 || status === 429) {
-      console.log(`  ⚠️  AI 去重失敗（${status} 額度/限流），降級：保留所有問題`);
-    } else {
-      console.log(`  ⚠️  AI 去重失敗（${e.message}），降級：保留所有問題`);
-    }
-    return findings;
+    return fallback('AI 去重', findings, e);
   }
 }
 
 /**
  * 讀取排除問題檔案（從 workspace 的 EXCLUSIONS_PATH）
- * 格式：[{ role, location, suggestion }]，欄位可部分省略，省略表示萬用
  */
 export function loadExclusions(workspace) {
   const fullPath = path.join(workspace, EXCLUSIONS_PATH);
@@ -125,17 +123,14 @@ export function applyExclusions(findings, exclusions) {
   const filtered = findings.filter(f => !exclusions.some(ex => {
     const fPath = String(f.location).split(':')[0];
     const exPath = ex.location ? String(ex.location).split(':')[0] : null;
-    return (!exPath || fPath === exPath) &&
-           (!ex.role || ex.role === f.role);
+    return (!exPath || fPath === exPath) && (!ex.role || ex.role === f.role);
   }));
   console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
   return filtered;
 }
 
 /**
- * 呼叫 AI 判斷哪些問題是誤報或不需處理，回傳需保留的 findings
- * exclusions 為已知誤報清單，供 AI 參考判斷
- * 失敗時降級回傳原始 findings
+ * 呼叫 AI 判斷哪些問題是誤報或不需處理，失敗時降級回傳原始 findings
  */
 export async function filterFalsePositivesWithAI(findings, exclusions = []) {
   if (findings.length === 0) return findings;
@@ -152,22 +147,14 @@ export async function filterFalsePositivesWithAI(findings, exclusions = []) {
 3. 與已知誤報清單語意相近的問題（檔案路徑相同且建議內容相似）
 只回傳需要保留的問題 JSON 陣列，不要有其他文字。${exclusionHint}`;
 
-  const userContent = `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`;
-
   try {
-    const result = await chatJSON(systemPrompt, userContent);
+    const result = await chatJSON(systemPrompt, `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`);
     if (Array.isArray(result) && result.length > 0) {
       console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
       return result;
     }
     throw new Error('AI 回傳空陣列或非陣列');
   } catch (e) {
-    const status = e.response?.status;
-    if (status === 402 || status === 429) {
-      console.log(`  ⚠️  AI 誤報過濾失敗（${status} 額度/限流），降級：保留所有問題`);
-    } else {
-      console.log(`  ⚠️  AI 誤報過濾失敗（${e.message}），降級：保留所有問題`);
-    }
-    return findings;
+    return fallback('AI 誤報過濾', findings, e);
   }
 }

app/git.js

@@ -14,20 +14,26 @@ function makeRunner(spawn) {
   };
 }
 
+function withAskpass(workspace, fn) {
+  const askpassScript = path.join(workspace, '.git-askpass.sh');
+  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
+  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
+  try {
+    return fn(credEnv);
+  } finally {
+    try { fs.unlinkSync(askpassScript); } catch {}
+  }
+}
+
 /**
  * Clone PR head branch to workspace/repo (idempotent)
  */
 export function cloneRepo(workspace, _spawnSync = spawnSync) {
   const run = makeRunner(_spawnSync);
-  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
-  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
+  const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`;
   const repoDir = path.join(workspace, 'repo');
 
-  const askpassScript = path.join(workspace, '.git-askpass.sh');
-  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
-  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
-
-  try {
+  return withAskpass(workspace, credEnv => {
     if (!fs.existsSync(repoDir)) {
       run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
       console.log(`  ✅ repo cloned to ${repoDir}`);
@@ -36,57 +42,40 @@ export function cloneRepo(workspace, _spawnSync = spawnSync) {
       run(['checkout', PR_HEAD_BRANCH], repoDir);
       console.log(`  ✅ repo already exists, fetched latest`);
     }
-  } finally {
-    try { fs.unlinkSync(askpassScript); } catch {}
-  }
-  return repoDir;
+    return repoDir;
+  });
 }
 
 export async function commitAndPush(workspace, _spawnSync = spawnSync) {
   const run = makeRunner(_spawnSync);
-
-  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
-  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
-  const repoDir = path.join(workspace, 'repo');
-
-  // Write a temporary askpass script that reads the token from an env var,
-  // so the token value never appears in the script file itself
-  const askpassScript = path.join(workspace, '.git-askpass.sh');
-  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
-
-  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
+  const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`;
 
   try {
-    if (!fs.existsSync(repoDir)) {
-      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
-    }
+    const repoDir = cloneRepo(workspace, _spawnSync);
 
-    run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
-    run(['config', 'user.name', 'AI Review Bot'], repoDir);
-    run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
-    run(['checkout', PR_HEAD_BRANCH], repoDir);
+    await withAskpass(workspace, async credEnv => {
+      run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
+      run(['config', 'user.name', 'AI Review Bot'], repoDir);
 
-    // 將 findings.json 從 workspace 複製到 clone 的 repo
-    const srcFindings = path.join(workspace, FINDINGS_PATH);
-    const destFindings = path.join(repoDir, FINDINGS_PATH);
-    fs.mkdirSync(path.dirname(destFindings), { recursive: true });
-    fs.copyFileSync(srcFindings, destFindings);
+      const srcFindings = path.join(workspace, FINDINGS_PATH);
+      const destFindings = path.join(repoDir, FINDINGS_PATH);
+      fs.mkdirSync(path.dirname(destFindings), { recursive: true });
+      fs.copyFileSync(srcFindings, destFindings);
 
-    run(['add', FINDINGS_PATH], repoDir);
+      run(['add', FINDINGS_PATH], repoDir);
 
-    const status = run(['status', '--porcelain'], repoDir);
-    if (!status) {
-      console.log('  findings.json 無變更，跳過 commit');
-      return;
-    }
+      const status = run(['status', '--porcelain'], repoDir);
+      if (!status) {
+        console.log('  findings.json 無變更，跳過 commit');
+        return;
+      }
 
-    const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
-    const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
-    run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
-    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+      const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
+      const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
+      run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
+      console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
+    });
   } catch (e) {
     console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
-  } finally {
-    try { fs.unlinkSync(askpassScript); } catch {}
   }
 }

app/gitea.js

@@ -8,7 +8,13 @@ const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;
 
 export async function getPRDiff() {
   const resp = await axios.get(api(`/repos/${GITEA_REPOSITORY}/pulls/${PR_NUMBER}.diff`), { headers: headers(), timeout: 60000, httpsAgent });
-  return resp.data;
+  return filterDiff(resp.data, ['.gitea/']);
+}
+
+function filterDiff(diff, excludePrefixes) {
+  return diff.split(/(?=^diff --git )/m)
+    .filter(block => !excludePrefixes.some(p => block.startsWith(`diff --git a/${p}`)))
+    .join('');
 }
 
 export async function postComment(body) {

app/gitea.test.js

@@ -0,0 +1,64 @@
+import { describe, it, afterEach, mock } from 'node:test';
+import assert from 'node:assert/strict';
+import axios from 'axios';
+
+// gitea.js reads env vars at module load time (ESM cache), so we test
+// the actual values baked in at import time and verify behavior via axios mocks.
+
+afterEach(() => mock.restoreAll());
+
+describe('gitea', async () => {
+  const { getPRDiff, postComment } = await import('./gitea.js');
+
+  it('getPRDiff calls Gitea diff API with Authorization header', async () => {
+    let capturedUrl, capturedOpts;
+    mock.method(axios, 'get', async (url, opts) => {
+      capturedUrl = url;
+      capturedOpts = opts;
+      return { data: 'diff content' };
+    });
+    const result = await getPRDiff();
+    assert.equal(result, 'diff content');
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('.diff'));
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+    assert.equal(capturedOpts.headers['Content-Type'], 'application/json');
+  });
+
+  it('postComment calls Gitea issues comments API with body', async () => {
+    let capturedUrl, capturedBody, capturedOpts;
+    mock.method(axios, 'post', async (url, body, opts) => {
+      capturedUrl = url;
+      capturedBody = body;
+      capturedOpts = opts;
+      return { data: { id: 1 } };
+    });
+    const result = await postComment('hello world');
+    assert.deepEqual(result, { id: 1 });
+    assert.ok(capturedUrl.includes('/api/v1/repos/'));
+    assert.ok(capturedUrl.endsWith('/comments'));
+    assert.equal(capturedBody.body, 'hello world');
+    assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
+  });
+
+  it('does not set httpsAgent by default (GITEA_SKIP_TLS_VERIFY not true)', async () => {
+    let capturedOpts;
+    mock.method(axios, 'get', async (_url, opts) => {
+      capturedOpts = opts;
+      return { data: '' };
+    });
+    await getPRDiff();
+    // httpsAgent is undefined when GITEA_SKIP_TLS_VERIFY !== 'true'
+    assert.equal(capturedOpts.httpsAgent, undefined);
+  });
+
+  it('getPRDiff propagates axios errors', async () => {
+    mock.method(axios, 'get', async () => { throw new Error('network error'); });
+    await assert.rejects(() => getPRDiff(), /network error/);
+  });
+
+  it('postComment propagates axios errors', async () => {
+    mock.method(axios, 'post', async () => { throw new Error('api error'); });
+    await assert.rejects(() => postComment('test'), /api error/);
+  });
+});

app/llm.js

@@ -29,12 +29,11 @@ export async function chat(systemPrompt, userContent) {
 }
 
 export async function chatJSON(systemPrompt, userContent) {
+  const text = await chat(systemPrompt, userContent);
   try {
-    let text = await chat(systemPrompt, userContent);
-    text = text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim();
-    return JSON.parse(text);
+    return JSON.parse(text.trim().replace(/^```[^\n]*\n?/, '').replace(/```$/, '').trim());
   } catch (e) {
-    console.log(`  [LLM] 解析失敗: ${e.message}`);
+    console.log(`  [LLM] JSON 解析失敗: ${e.message}`);
     return [];
   }
 }

app/main.js

@@ -13,7 +13,6 @@ async function main() {
   console.log(`  repo=${GITEA_REPOSITORY}  PR=#${PR_NUMBER}`);
   console.log(`  ${PR_HEAD_BRANCH} -> ${PR_BASE_BRANCH}`);
 
-  // 偵測 LLM
   const { provider, baseURL, model } = getLLMConfig();
   if (!provider) {
     console.error('❌ 未設定任何 LLM API Key，請檢查 action inputs');
@@ -21,11 +20,9 @@ async function main() {
   }
   console.log(`  LLM: provider=${provider}  model=${model}  base_url=${baseURL}`);
 
-  // 載入角色
   const roles = loadRoles();
   console.log(`  已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`);
 
-  // 取得 PR diff
   let diff;
   try {
     diff = await getPRDiff();
@@ -40,7 +37,6 @@ async function main() {
     process.exit(0);
   }
 
-  // 發布角色介紹 comment
   try {
     const intro = getRoleIntro(roles) + `\n\n> 🔍 服務：${provider}  模型：${model}`;
     await postComment(intro);
@@ -48,24 +44,22 @@ async function main() {
   } catch (e) {
     console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
   }
-  console.log('  Step1 完成');
 
   // Step2: 各角色分析 diff 產生新 findings
   console.log('\n📊 Step2: Findings 產生');
+  const results = await Promise.allSettled(roles.map(role => analyzeWithRole(role, diff)));
   const newFindings = [];
-  for (const role of roles) {
-    try {
-      const found = await analyzeWithRole(role, diff);
-      newFindings.push(...found);
-    } catch (e) {
-      console.log(`  ⚠️  [${role.name}] 分析失敗（跳過）: ${e.message}`);
+  for (let i = 0; i < results.length; i++) {
+    if (results[i].status === 'fulfilled') {
+      newFindings.push(...results[i].value);
+    } else {
+      console.log(`  ⚠️  [${roles[i].name}] 分析失敗（跳過）: ${results[i].reason?.message}`);
     }
   }
   console.log(`  Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);
 
   // Step3: 讀取舊 findings，合併去重（含 AI 語意去重）
   console.log('\n🔀 Step3: Findings 合併');
-  // Clone repo 以讀取舊 findings 與排除清單
   let repoDir;
   try {
     repoDir = cloneRepo(WORKSPACE);
@@ -91,7 +85,6 @@ async function main() {
   // Step5: 寫入 findings.json，依序發布 comment
   console.log('\n📝 Step5: Findings 寫入與 Comment 發布');
   saveFindings(WORKSPACE, filtered);
-
   try {
     await postOldFindingsComment(filtered);
     await postNewNonCriticalComment(filtered);
@@ -114,7 +107,6 @@ async function main() {
     process.exit(1);
   }
   console.log('  ✅ 無嚴重問題');
-
   console.log('\n✅ Pipeline 完成');
   console.log('='.repeat(60));
 }

app/roles.js

@@ -1,8 +1,9 @@
 import fs from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 import yaml from 'js-yaml';
 
-const ROLES_DIR = '/action/app/prompts/roles';
+const ROLES_DIR = path.join(fileURLToPath(import.meta.url), '..', 'prompts', 'roles');
 
 export function loadRoles() {
   return fs.readdirSync(ROLES_DIR)