Merge pull request 'feat: refactor commitAndPush to use a runner function and improve token security; add tests for git operations' (#69 ) from feat/refactor/kiro/fix into feat/refactor/main

Reviewed-on: jiantw83/code-review#69
Merge pull request 'feat/refactor/kiro/fix-1' (#75 ) from feat/refactor/kiro/fix-1 into feat/refactor/kiro/fix
2026-05-12 02:28:33 +00:00 · 2026-05-12 02:27:31 +00:00 · 2026-05-12 02:26:16 +00:00 · 2026-05-12 02:26:16 +00:00 · 2026-05-12 02:26:16 +00:00 · 2026-05-12 02:26:16 +00:00
12 changed files with 382 additions and 201 deletions
@@ -0,0 +1,11 @@
 [
  {
    "role": "Rex",
    "location": "app/git.js",
    "suggestion": "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
  },
  {
    "location": "app/git.js",
    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中"
  }
 ]
@@ -1,6 +1,11 @@
 name: AI
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref }}
  cancel-in-progress: true
 on:
  pull_request:
    branches-ignore:
    - master
    types: [opened, synchronize]
 jobs:
  version:
@@ -1,8 +1,9 @@
-FROM node:20-slim
+FROM alpine
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apk add --no-cache bash nodejs npm git \
-    git \
+    && node --version \
-    && rm -rf /var/lib/apt/lists/*
+    && npm --version \
    && git --version
 WORKDIR /action
@@ -7,11 +7,12 @@
 1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容)，Comment 到 Push Request
 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議)
 3. 讀取所有未解決的舊問題(問題檔案存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
-4. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
+4. 讀取排除問題檔案，用來過濾PR問題表格中不需要處理的問題
-5. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
+5. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
-6. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
+6. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
-7. Commit 問題檔案
+7. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
-8. 如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)
+8. Commit 問題檔案
 9. 如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)
 # 設計
@@ -139,116 +140,6 @@ jobs:
      issues: write
 ```
 ### 6. Kilo Code
 ```yaml
 name: AI
 on:
  pull_request:
    types: [opened, synchronize]
 jobs:
  code-review:
    name: 'Code Review'
    runs-on: ubuntu
    steps:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        KILO_API_KEY: ${{ secrets.KILO_API_KEY }}
        KILO_BASE_URL: https://api.kilocode.com/v1
    permissions:
      contents: write
      pull-requests: write
      issues: write
 ```
 ### 7. Roo Code
 ```yaml
 name: AI
 on:
  pull_request:
    types: [opened, synchronize]
 jobs:
  code-review:
    name: 'Code Review'
    runs-on: ubuntu
    steps:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        ROO_API_KEY: ${{ secrets.ROO_API_KEY }}
        ROO_BASE_URL: https://api.roocode.com/v1
    permissions:
      contents: write
      pull-requests: write
      issues: write
 ```
 ### 8. Cline
 ```yaml
 name: AI
 on:
  pull_request:
    types: [opened, synchronize]
 jobs:
  code-review:
    name: 'Code Review'
    runs-on: ubuntu
    steps:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        CLINE_API_KEY: ${{ secrets.CLINE_API_KEY }}
        CLINE_BASE_URL: https://api.cline.dev/v1
    permissions:
      contents: write
      pull-requests: write
      issues: write
 ```
 ### 9. Continue
 ```yaml
 name: AI
 on:
  pull_request:
    types: [opened, synchronize]
 jobs:
  code-review:
    name: 'Code Review'
    runs-on: ubuntu
    steps:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        CONTINUE_API_KEY: ${{ secrets.CONTINUE_API_KEY }}
        CONTINUE_BASE_URL: https://api.continue.dev/v1
    permissions:
      contents: write
      pull-requests: write
      issues: write
 ```
 ### 10. Kade
 ```yaml
 name: AI
 on:
  pull_request:
    types: [opened, synchronize]
 jobs:
  code-review:
    name: 'Code Review'
    runs-on: ubuntu
    steps:
    - name: AI Code Review
      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
      with:
        KADE_API_KEY: ${{ secrets.KADE_API_KEY }}
        KADE_BASE_URL: https://api.kade.dev/v1
    permissions:
      contents: write
      pull-requests: write
      issues: write
 ```
 ### - Ollama
 ```yaml
@@ -8,26 +8,33 @@
 ## 階段二：Findings 產生與合併
 - 目標：各角色（style/security/performance/maintainability/testing）能產生 findings，並正確合併新舊 findings。
 - 驗收：log 中能看到每個角色 findings 數量、合併後 findings 統計，並有「Step3: merged findings total=...」等訊息。
 - 完成
 ## 階段三：AI 去重與角色確認
 - 目標：嘗試呼叫 LLM 進行 findings 去重與角色確認，API 額度不足時要有降級處理 log。
 - 驗收：log 中能看到 deduplication/resolution confirmation 成功或失敗（如 402），降級時有「保留所有問題」等明確訊息。
 - 完成
-## 階段四：findings 寫入與 comment 發布
+## 階段四：AI 排除問題過濾
 - 目標：讀取排除問題檔案（exclusions.json）進行規則過濾，並呼叫 AI 判斷剩餘問題是否為誤報或不適用，兩層過濾後產生最終問題清單。
 - 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化，以及「AI 誤報過濾: N -> M 筆」或降級訊息。
 - 完成
 ## 階段五：findings 寫入與 comment 發布
 - 目標：findings.jsonl 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
- 驗收：log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。
+- 驗收：log 中能看到 findings.json 寫入、comment sync 的詳細訊息與順序。
 - 完成
-## 階段五：記憶區 commit/push 與錯誤處理
+## 階段六：記憶區 commit/push 與錯誤處理
 - 目標：記憶區能成功 commit/push，錯誤時有明確 log，流程結束有總結訊息。
 - 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，錯誤時有「Runner failed: ...」等明確錯誤說明。
 - 完成
-## 階段六：阻擋嚴重問題 PR（第 8 點）
+## 階段七：阻擋嚴重問題 PR（第 8 點）
 - 目標：如果 PR 問題表格中有嚴重（critical）問題，workflow 需直接 exit 1，不讓流程成功。
 - 驗收：log 中能看到「critical 問題存在，workflow 結束（exit 1）」等明確訊息，且 workflow 狀態為失敗。
 - 完成
 ---
-每個階段都會加上明確的 log，並確保即使部分功能未完成也能降級執行、不會中斷 pipeline。
+所有階段驗收通過。
 每次執行後請貼 log，我會協助 debug。
@@ -6,6 +6,7 @@ export const PR_HEAD_BRANCH = process.env.PR_HEAD_BRANCH || '';
 export const PR_BASE_BRANCH = process.env.PR_BASE_BRANCH || '';
 export const FINDINGS_PATH = '.gitea/ai-review/findings.json';
 export const EXCLUSIONS_PATH = '.gitea/ai-review/exclusions.json';
 export function getLLMConfig() {
  const checks = [
@@ -1,7 +1,7 @@
 import fs from 'fs';
 import path from 'path';
 import { chatJSON } from './llm.js';
-import { FINDINGS_PATH } from './config.js';
+import { FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 const LEVELS = ['critical', 'warning', 'info'];
@@ -93,3 +93,74 @@ export async function deduplicateWithAI(findings) {
    return findings;
  }
 }
 /**
 * 讀取排除問題檔案（從 workspace 的 EXCLUSIONS_PATH）
 * 格式：[{ role, location, suggestion }]，欄位可部分省略，省略表示萬用
 */
 export function loadExclusions(workspace) {
  const fullPath = path.join(workspace, EXCLUSIONS_PATH);
  if (!fs.existsSync(fullPath)) {
    console.log('  排除問題檔案不存在，跳過過濾');
    return [];
  }
  try {
    const data = JSON.parse(fs.readFileSync(fullPath, 'utf8'));
    const exclusions = Array.isArray(data) ? data : [];
    console.log(`  讀取排除問題: ${exclusions.length} 筆`);
    return exclusions;
  } catch (e) {
    console.log(`  ⚠️  讀取排除問題失敗: ${e.message}，跳過過濾`);
    return [];
  }
 }
 /**
 * 套用排除規則，過濾掉符合排除條件的 findings
 * 排除條件：role/location/suggestion 皆符合（省略的欄位視為萬用）
 */
 export function applyExclusions(findings, exclusions) {
  if (exclusions.length === 0) return findings;
  const before = findings.length;
  const filtered = findings.filter(f => !exclusions.some(ex =>
    (!ex.role || ex.role === f.role) &&
    (!ex.location || String(f.location).includes(ex.location)) &&
    (!ex.suggestion || String(f.suggestion).includes(String(ex.suggestion).slice(0, 20)))
  ));
  console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
  return filtered;
 }
 /**
 * 呼叫 AI 判斷哪些問題是誤報或不需處理，回傳需保留的 findings
 * 失敗時降級回傳原始 findings
 */
 export async function filterFalsePositivesWithAI(findings) {
  if (findings.length === 0) return findings;
  const systemPrompt = `你是一位資深程式碼審查專家，負責判斷審查問題是否為誤報或不需處理。
 給你一份問題清單（JSON 陣列），每筆包含 level、role、location、suggestion。
 請移除以下類型的問題：
 1. 誤報：問題描述與實際程式碼不符（例如：程式碼已正確使用環境變數或 secrets，卻被標記為硬編碼敏感資料）
 2. 不適用：問題在此專案情境下不需處理（例如：CI/CD action 本來就需要透過環境變數傳遞 token）
 只回傳需要保留的問題 JSON 陣列，不要有其他文字。`;
  const userContent = `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`;
  try {
    const result = await chatJSON(systemPrompt, userContent);
    if (Array.isArray(result)) {
      console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
      return result;
    }
    throw new Error('AI 回傳非陣列');
  } catch (e) {
    const status = e.response?.status;
    if (status === 402 || status === 429) {
      console.log(`  ⚠️  AI 誤報過濾失敗（${status} 額度/限流），降級：保留所有問題`);
    } else {
      console.log(`  ⚠️  AI 誤報過濾失敗（${e.message}），降級：保留所有問題`);
    }
    return findings;
  }
 }
@@ -1,25 +1,92 @@
 import { spawnSync } from 'child_process';
 import fs from 'fs';
 import path from 'path';
-import { commitFile } from './gitea.js';
+import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
-import { FINDINGS_PATH } from './config.js';
+
 function makeRunner(spawn) {
  return function run(args, cwd, env) {
    const opts = { cwd, encoding: 'utf8' };
    if (env) opts.env = env;
    const result = spawn('git', args, opts);
    if (result.error) throw result.error;
    if (result.status !== 0) throw new Error((result.stderr || result.stdout || '').trim());
    return (result.stdout || '').trim();
  };
 }
 /**
- * 透過 Gitea API 將 findings.json push 到來源分支（不需要 git binary）
+ * Clone PR head branch to workspace/repo (idempotent)
 */
-export async function commitAndPush(workspace) {
+export function cloneRepo(workspace, _spawnSync = spawnSync) {
  const run = makeRunner(_spawnSync);
  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
  const repoDir = path.join(workspace, 'repo');
  const askpassScript = path.join(workspace, '.git-askpass.sh');
  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
  try {
-    const fullPath = path.join(workspace, FINDINGS_PATH);
+    if (!fs.existsSync(repoDir)) {
-    const content = fs.readFileSync(fullPath, 'utf8');
+      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
-    console.log(`  [debug] FINDINGS_PATH=${FINDINGS_PATH} branch=${process.env.PR_HEAD_BRANCH} token=${process.env.GITEA_TOKEN ? '***' : 'EMPTY'}`);
+      console.log(`  ✅ repo cloned to ${repoDir}`);
-    const result = await commitFile(
+    } else {
-      FINDINGS_PATH,
+      run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
-      content,
+      run(['checkout', PR_HEAD_BRANCH], repoDir);
-      'chore: update ai-review findings [skip ci]'
+      console.log(`  ✅ repo already exists, fetched latest`);
-    );
+    }
-    const commitHash = result.commit?.sha?.slice(0, 7) || 'unknown';
+  } finally {
-    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${process.env.PR_HEAD_BRANCH}`);
+    try { fs.unlinkSync(askpassScript); } catch {}
  }
  return repoDir;
 }
 export async function commitAndPush(workspace, _spawnSync = spawnSync) {
  const run = makeRunner(_spawnSync);
  const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
  const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
  const repoDir = path.join(workspace, 'repo');
  // Write a temporary askpass script that reads the token from an env var,
  // so the token value never appears in the script file itself
  const askpassScript = path.join(workspace, '.git-askpass.sh');
  fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
  const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
  try {
    if (!fs.existsSync(repoDir)) {
      run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
    }
    run(['config', 'user.email', 'ai-review[bot]@gitea'], repoDir);
    run(['config', 'user.name', 'AI Review Bot'], repoDir);
    run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
    run(['checkout', PR_HEAD_BRANCH], repoDir);
    // 將 findings.json 從 workspace 複製到 clone 的 repo
    const srcFindings = path.join(workspace, FINDINGS_PATH);
    const destFindings = path.join(repoDir, FINDINGS_PATH);
    fs.mkdirSync(path.dirname(destFindings), { recursive: true });
    fs.copyFileSync(srcFindings, destFindings);
    run(['add', FINDINGS_PATH], repoDir);
    const status = run(['status', '--porcelain'], repoDir);
    if (!status) {
      console.log('  findings.json 無變更，跳過 commit');
      return;
    }
    const out = run(['commit', '-m', 'chore: update ai-review findings [skip ci]'], repoDir);
    const commitHash = out.match(/\[.+ ([a-f0-9]+)\]/)?.[1] || 'unknown';
    run(['push', remoteUrl, PR_HEAD_BRANCH], repoDir, credEnv);
    console.log(`  ✅ persisted findings  commit=${commitHash}  push=${PR_HEAD_BRANCH}`);
  } catch (e) {
-    const detail = e.response?.data ? JSON.stringify(e.response.data) : e.message;
+    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.message}`);
-    console.log(`  ⚠️  Runner failed: commit/push 失敗: ${e.response?.status || ''} ${detail}`);
+  } finally {
    try { fs.unlinkSync(askpassScript); } catch {}
  }
 }
@@ -0,0 +1,149 @@
 import { describe, it, before, after, beforeEach } from 'node:test';
 import assert from 'node:assert/strict';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
 import { commitAndPush, cloneRepo } from './git.js';
 // --- helpers ---
 function makeTmpWorkspace() {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'git-test-'));
  // Pre-create repo dir so clone branch is skipped
  fs.mkdirSync(path.join(ws, 'repo'), { recursive: true });
  // Create a findings.json to copy
  const findingsDir = path.join(ws, '.gitea/ai-review');
  fs.mkdirSync(findingsDir, { recursive: true });
  fs.writeFileSync(path.join(findingsDir, 'findings.json'), '[]');
  return ws;
 }
 // Default stub: all commands succeed, status returns changes
 function makeSpawn(overrides = {}) {
  const calls = [];
  const spawn = (cmd, args, opts) => {
    const key = args[0];
    calls.push({ cmd, args, opts });
    if (overrides[key]) return overrides[key](args, opts);
    if (key === 'status') return { status: 0, stdout: 'M .gitea/ai-review/findings.json', stderr: '', error: null };
    if (key === 'commit') return { status: 0, stdout: '[feature-branch abc1234] chore', stderr: '', error: null };
    return { status: 0, stdout: '', stderr: '', error: null };
  };
  spawn.calls = calls;
  return spawn;
 }
 describe('commitAndPush', () => {
  let workspace;
  before(() => { workspace = makeTmpWorkspace(); });
  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
  beforeEach(() => {
    // Remove leftover askpass scripts between tests
    for (const f of fs.readdirSync(workspace)) {
      if (f.endsWith('.git-askpass.sh')) fs.unlinkSync(path.join(workspace, f));
    }
  });
  it('does not embed token in any git command argument', async () => {
    const spawn = makeSpawn();
    await commitAndPush(workspace, spawn);
    for (const { args } of spawn.calls) {
      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
    }
  });
  it('uses GIT_ASKPASS env for network operations (fetch, push, clone)', async () => {
    const spawn = makeSpawn();
    await commitAndPush(workspace, spawn);
    const networkOps = ['fetch', 'push', 'clone'];
    const networkCalls = spawn.calls.filter(c => networkOps.includes(c.args[0]));
    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
    for (const { args, opts } of networkCalls) {
      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
    }
  });
  it('cleans up askpass script after successful run', async () => {
    await commitAndPush(workspace, makeSpawn());
    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
  });
  it('cleans up askpass script even when git fails', async () => {
    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
    await commitAndPush(workspace, failSpawn);
    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
    assert.equal(leftover.length, 0, 'askpass script was not cleaned up after failure');
  });
  it('skips commit when status shows no changes', async () => {
    const spawn = makeSpawn({ status: () => ({ status: 0, stdout: '', stderr: '', error: null }) });
    await commitAndPush(workspace, spawn);
    const commitCalled = spawn.calls.some(c => c.args[0] === 'commit');
    assert.equal(commitCalled, false, 'commit should not run when there are no changes');
  });
  it('does not throw when git command fails', async () => {
    const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
    await assert.doesNotReject(() => commitAndPush(workspace, failSpawn));
  });
 });
 describe('cloneRepo', () => {
  let workspace;
  before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); });
  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
  it('clones repo when repoDir does not exist', () => {
    const spawn = makeSpawn();
    cloneRepo(workspace, spawn);
    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
    assert.ok(cloneCalled, 'expected git clone to be called');
  });
  it('fetches and checks out when repoDir already exists', () => {
    const repoDir = path.join(workspace, 'repo');
    fs.mkdirSync(repoDir, { recursive: true });
    const spawn = makeSpawn();
    cloneRepo(workspace, spawn);
    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
    const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch');
    assert.ok(!cloneCalled, 'clone should not run when repoDir exists');
    assert.ok(fetchCalled, 'fetch should run when repoDir exists');
  });
  it('does not embed token in any git command argument', () => {
    const spawn = makeSpawn();
    cloneRepo(workspace, spawn);
    for (const { args } of spawn.calls) {
      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
    }
  });
  it('uses GIT_ASKPASS for network operations', () => {
    const spawn = makeSpawn();
    cloneRepo(workspace, spawn);
    const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0]));
    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
    for (const { args, opts } of networkCalls) {
      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
    }
  });
  it('cleans up askpass script after run', () => {
    const spawn = makeSpawn();
    cloneRepo(workspace, spawn);
    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
  });
  it('returns repoDir path', () => {
    const spawn = makeSpawn();
    const result = cloneRepo(workspace, spawn);
    assert.equal(result, path.join(workspace, 'repo'));
  });
 });
@@ -1,6 +1,6 @@
 import axios from 'axios';
 import https from 'https';
-import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH } from './config.js';
+import { GITEA_TOKEN, GITEA_SERVER_URL, GITEA_REPOSITORY, PR_NUMBER } from './config.js';
 const httpsAgent = new https.Agent({ rejectUnauthorized: false });
 const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
@@ -15,40 +15,3 @@ export async function postComment(body) {
  const resp = await axios.post(api(`/repos/${GITEA_REPOSITORY}/issues/${PR_NUMBER}/comments`), { body }, { headers: headers(), timeout: 30000, httpsAgent });
  return resp.data;
 }
 /**
 * 透過 Gitea API 建立或更新檔案（不需要 git binary）
 */
 export async function commitFile(filePath, content, message) {
  const encoded = Buffer.from(content).toString('base64');
  const url = api(`/repos/${GITEA_REPOSITORY}/contents/${filePath}`);
  // 先嘗試取得現有檔案的 SHA
  let sha;
  try {
    const existing = await axios.get(`${url}?ref=${PR_HEAD_BRANCH}`, { headers: headers(), httpsAgent, timeout: 15000 });
    sha = existing.data.sha;
    console.log(`  [debug] 取得現有檔案 SHA=${sha}`);
  } catch (e) {
    console.log(`  [debug] 檔案不存在，將建立新檔案: ${e.response?.status || e.message}`);
    sha = undefined;
  }
  const payload = {
    message,
    content: encoded,
    branch: PR_HEAD_BRANCH,
    ...(sha ? { sha } : {}),
  };
  console.log(`  [debug] ${sha ? 'PUT' : 'POST'} ${url} branch=${PR_HEAD_BRANCH}`);
  const resp = await axios.request({
    method: sha ? 'put' : 'post',
    url,
    headers: headers(),
    httpsAgent,
    timeout: 30000,
    data: payload,
  });
  return resp.data;
 }
@@ -1,9 +1,9 @@
 import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
 import { getPRDiff, postComment } from './gitea.js';
-import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI } from './findings.js';
+import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
-import { commitAndPush } from './git.js';
+import { cloneRepo, commitAndPush } from './git.js';
 const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';
@@ -26,7 +26,6 @@ async function main() {
  console.log(`  已載入 ${roles.length} 個角色: [${roles.map(r => r.name).join(', ')}]`);
  // 取得 PR diff
  console.log('\n📋 Step1: 取得 PR Diff');
  let diff;
  try {
    diff = await getPRDiff();
@@ -42,7 +41,6 @@ async function main() {
  }
  // 發布角色介紹 comment
  console.log('\n💬 Step1: 發布角色介紹 Comment');
  try {
    const intro = getRoleIntro(roles) + `\n\n> 🔍 服務：${provider}  模型：${model}`;
    await postComment(intro);
@@ -50,6 +48,7 @@ async function main() {
  } catch (e) {
    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
  }
  console.log('  Step1 完成');
  // Step2: 各角色分析 diff 產生新 findings
  console.log('\n📊 Step2: Findings 產生');
@@ -64,38 +63,51 @@ async function main() {
  }
  console.log(`  Step2 完成: 新 findings 總計 ${newFindings.length} 筆`);
-  // Step3: 讀取舊 findings，合併去重
+  // Step3: 讀取舊 findings，合併去重（含 AI 語意去重）
  console.log('\n🔀 Step3: Findings 合併');
-  const oldFindings = loadOldFindings(WORKSPACE);
+  // Clone repo 以讀取舊 findings 與排除清單
  let repoDir;
  try {
    repoDir = cloneRepo(WORKSPACE);
  } catch (e) {
    console.log(`  ⚠️  clone repo 失敗（繼續執行）: ${e.message}`);
  }
  const oldFindings = loadOldFindings(repoDir || WORKSPACE);
  const mergedFindings = mergeFindings(oldFindings, newFindings);
  console.log(`  Step3 merged findings total=${mergedFindings.length}`);
  // Step3b: AI 語意去重
  console.log('\n🤖 Step3b: AI 語意去重');
  const deduped = await deduplicateWithAI(mergedFindings);
  const sorted = sortByLevel(deduped);
  console.log(`  Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);
-  // Step4: 寫入 findings.json，依序發布 comment
+  // Step4: 讀取排除問題檔案，過濾 PR 問題表格，並請 AI 判斷誤報
-  console.log('\n📝 Step4: Findings 寫入與 Comment 發布');
+  console.log('\n🚫 Step4: AI 排除問題過濾');
-  saveFindings(WORKSPACE, sorted);
+  const exclusions = loadExclusions(repoDir || WORKSPACE);
  const ruleFiltered = applyExclusions(sorted, exclusions);
  const filtered = await filterFalsePositivesWithAI(ruleFiltered);
  console.log(`  Step4 完成: findings total=${filtered.length}`);
  // Step5: 寫入 findings.json，依序發布 comment
  console.log('\n📝 Step5: Findings 寫入與 Comment 發布');
  saveFindings(WORKSPACE, filtered);
  try {
-    await postOldFindingsComment(sorted);
+    await postOldFindingsComment(filtered);
-    await postNewNonCriticalComment(sorted);
+    await postNewNonCriticalComment(filtered);
-    await postNewCriticalComments(sorted);
+    await postNewCriticalComments(filtered);
-    console.log('  Step4 完成');
+    console.log('  Step5 完成');
  } catch (e) {
    console.log(`  ⚠️  comment 發布失敗（繼續執行）: ${e.message}`);
  }
-  // Step5: commit/push findings.json 到來源分支
+  // Step6: commit/push findings.json 到來源分支
-  console.log('\n💾 Step5: 記憶區 Commit/Push');
+  console.log('\n💾 Step6: 記憶區 Commit/Push');
  await commitAndPush(WORKSPACE);
-  // Step6: 有 critical 問題則 exit 1
+  // Step7: 有 critical 問題則 exit 1
-  console.log('\n🚦 Step6: 嚴重問題檢查');
+  console.log('\n🚦 Step7: 嚴重問題檢查');
-  const criticalCount = sorted.filter(f => f.level === 'critical').length;
+  const criticalCount = filtered.filter(f => f.level === 'critical').length;
  if (criticalCount > 0) {
    console.log(`  ❌ 發現 ${criticalCount} 個嚴重問題，workflow 結束（exit 1）`);
    console.log('='.repeat(60));
@@ -2,6 +2,9 @@
  "name": "ai-code-review",
  "version": "1.0.0",
  "type": "module",
  "scripts": {
    "test": "node --test app/git.test.js"
  },
  "dependencies": {
    "axios": "^1.6.7",
    "js-yaml": "^4.1.0",
Author	SHA1	Message	Date
jiantw83	d690773fa8	Merge pull request 'feat: refactor commitAndPush to use a runner function and improve token security; add tests for git operations' (#69 ) from feat/refactor/kiro/fix into feat/refactor/main Reviewed-on: jiantw83/code-review#69	2026-05-12 02:28:33 +00:00
jiantw83	02a6a109da	Merge pull request 'feat/refactor/kiro/fix-1' (#75 ) from feat/refactor/kiro/fix-1 into feat/refactor/kiro/fix Reviewed-on: jiantw83/code-review#75	2026-05-12 02:27:31 +00:00
AI Review Bot	67e1e83210	chore: update ai-review findings [skip ci]	2026-05-12 02:26:16 +00:00
jiantw83	0116bad4e3	fix: add Leo/Zara false positive exclusion; add cloneRepo unit tests	2026-05-12 02:26:16 +00:00
AI Review Bot	60a4854d56	chore: update ai-review findings [skip ci]	2026-05-12 02:26:16 +00:00
AI Review Bot	1e82594db2	chore: update ai-review findings [skip ci]	2026-05-12 02:26:16 +00:00
jiantw83	f0f417bd2e	refactor: rename Step4 to AI 排除問題過濾	2026-05-12 02:26:16 +00:00
AI Review Bot	bf1c081c40	chore: update ai-review findings [skip ci]	2026-05-12 02:26:16 +00:00
jiantw83	4ac614686c	docs: update TODO stage4 description and fix findings filename typo	2026-05-12 02:26:16 +00:00
jiantw83	e07f1f8a03	feat: add AI false positive filtering in Step4	2026-05-12 02:26:16 +00:00
jiantw83	f3f24f0af2	fix: use includes matching for exclusions location and suggestion	2026-05-12 02:26:16 +00:00
AI Review Bot	b020cbe9e1	chore: update ai-review findings [skip ci]	2026-05-12 02:26:16 +00:00
jiantw83	8779df9e8d	fix: clone repo before Step3/4 to read findings and exclusions from head branch	2026-05-12 02:26:16 +00:00
AI Review Bot	7333f0a98a	chore: update ai-review findings [skip ci]	2026-05-12 02:26:16 +00:00
jiantw83	ab688b4764	chore: add exclusions for Rex false positive on git.js token handling	2026-05-12 02:26:16 +00:00
jiantw83	1633a9ef7b	docs: mark all TODO stages complete	2026-05-12 02:26:16 +00:00
jiantw83	0bf90d44df	fix: align flow with README, add Step4 exclusions filter, fix step numbers	2026-05-12 02:26:16 +00:00
jiantw83	799d398b95	refactor: reorganize TODO stages for clarity and accuracy in workflow steps Co-authored-by: Copilot <copilot@github.com>	2026-05-12 02:26:16 +00:00
jiantw83	1c2fc679b4	refactor: update processing steps in README for clarity and accuracy	2026-05-12 02:26:16 +00:00
jiantw83	75d4a44fa6	refactor: remove outdated AI Code configurations for Kilo, Roo, Cline, Continue, and Kade	2026-05-12 02:26:16 +00:00
AI Review Bot	ca6edea43d	chore: update ai-review findings [skip ci]	2026-05-12 02:26:16 +00:00
jiantw83	e22223e501	fix: update askpass script to securely read token from env var	2026-05-12 02:26:08 +00:00
AI Review Bot	3fef7df7a5	chore: update ai-review findings [skip ci]	2026-05-12 01:09:42 +00:00
jiantw83	0aefa66224	feat: refactor commitAndPush to use a runner function and improve token security; add tests for git operations	2026-05-12 01:08:39 +00:00
jiantw83	66d93abe24	Merge pull request 'feat: master 不會觸發 review.yaml' (#66 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#66	2026-05-11 14:12:38 +00:00
AI Review Bot	a4b87f9108	chore: update ai-review findings [skip ci]	2026-05-11 14:11:43 +00:00
jiantw83	09533ff741	feat: 改用分支名稱鎖定 review 工作流	2026-05-11 14:10:57 +00:00
AI Review Bot	e217b18c62	chore: update ai-review findings [skip ci]	2026-05-11 14:09:25 +00:00
jiantw83	cd0ced1b7f	feat: 同時只能有一個 review.yaml 執行	2026-05-11 14:08:40 +00:00
AI Review Bot	65cf45c558	chore: update ai-review findings [skip ci]	2026-05-11 14:06:55 +00:00
AI Review Bot	09c78835e7	chore: update ai-review findings [skip ci]	2026-05-11 14:06:17 +00:00
jiantw83	ec05ce7869	feat: 調整設定的順序	2026-05-11 14:06:09 +00:00
jiantw83	323be94a72	feat: master 不會觸發 review.yaml	2026-05-11 14:04:32 +00:00
jiantw83	0063f3282f	Merge pull request 'refactor: 改用 execSync' (#65 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#65	2026-05-11 13:56:13 +00:00
AI Review Bot	d7336dbe6c	chore: update ai-review findings [skip ci]	2026-05-11 13:55:46 +00:00
jiantw83	c1f8aa3c72	feat: git 操作 clone 的 repo	2026-05-11 13:54:44 +00:00
jiantw83	8a28d1f1ef	test: 修正路徑	2026-05-11 13:50:54 +00:00
jiantw83	d04f4dd2bb	feat: 回復使用 spawnSync 執行指令	2026-05-11 13:47:40 +00:00
jiantw83	f5cf5950bd	refactor: 改用 execSync	2026-05-11 13:29:31 +00:00
jiantw83	8c3d0d9a6d	Merge pull request 'fix: add bash to Dockerfile dependencies' (#64 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#64	2026-05-11 10:54:08 +00:00
jiantw83	eae73092ad	fix: streamline commitAndPush function by removing redundant code and improving error handling	2026-05-11 10:53:59 +00:00
jiantw83	69624a542e	fix: refactor commitAndPush function to improve clarity and maintainability	2026-05-11 10:50:16 +00:00
jiantw83	8aa273b8bd	fix: add bash to Dockerfile dependencies	2026-05-11 10:46:58 +00:00
jiantw83	3849bb2168	Merge pull request 'fix: switch Dockerfile base image to alpine and install dependencies using apk' (#63 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#63	2026-05-11 10:46:43 +00:00
jiantw83	00458d4eb2	fix: switch Dockerfile base image to alpine and install dependencies using apk	2026-05-11 10:43:58 +00:00
jiantw83	379938d6dc	Merge pull request 'fix: Dockerfile 加入 git 安裝驗證，git.js 改回 git binary' (#62 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#62	2026-05-11 10:38:59 +00:00
jiantw83	894ece033b	fix: Dockerfile 加入 git 安裝驗證，git.js 改回 git binary	2026-05-11 10:34:23 +00:00
jiantw83	5bf39966d0	Merge pull request 'fix: 換用 node:20 完整版（內建 git，不需要 apt-get）' (#61 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#61	2026-05-11 10:34:11 +00:00
jiantw83	fe2a513fbb	fix: 修正 findings.json 路徑重複問題	2026-05-11 10:31:43 +00:00
jiantw83	2193bdd4d6	fix: 改回 Gitea API commit，修正 URL encode 與 JSON.stringify	2026-05-11 10:30:07 +00:00
jiantw83	af51ffacee	fix: 換用 node:20 完整版（內建 git，不需要 apt-get）	2026-05-11 10:24:24 +00:00
jiantw83	3509a882e1	Merge pull request 'chore: add newline at end of TODO.md for better formatting' (#60 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#60	2026-05-11 10:19:46 +00:00
jiantw83	d9c55ca347	chore: add newline at end of TODO.md for better formatting	2026-05-11 10:18:34 +00:00
jiantw83	1d2e8236de	Merge pull request 'chore: remove duplicate log assistance note in TODO.md' (#59 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#59	2026-05-11 10:18:13 +00:00
jiantw83	21fb9c1d94	fix: 改回 git commit/push，強制 Dockerfile rebuild 確保 git binary 存在	2026-05-11 10:15:36 +00:00
jiantw83	607c9b82ea	debug: log content_len，改用 JSON.stringify	2026-05-11 10:13:57 +00:00
jiantw83	8acea007e7	chore: remove duplicate log assistance note in TODO.md	2026-05-11 10:12:47 +00:00
jiantw83	d8423c74b1	Merge pull request 'chore: remove test findings' (#58 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#58	2026-05-11 10:12:32 +00:00
jiantw83	953951145f	chore: remove test findings	2026-05-11 10:11:56 +00:00
jiantw83	94e974b5dc	Merge pull request 'feat/refactor/kiro/1' (#57 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#57	2026-05-11 10:10:23 +00:00
jiantw83	a9a0b43ea5	Merge pull request 'debug: commit/push 失敗時顯示詳細錯誤' (#56 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#56	2026-05-11 10:04:49 +00:00
jiantw83	aa8234b5c7	Merge pull request 'fix: commitAndPush 加上 await' (#55 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#55	2026-05-11 10:01:12 +00:00
jiantw83	b0f2d45c11	Merge pull request 'fix: add newline at end of TODO.md for proper formatting' (#54 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#54	2026-05-11 09:59:14 +00:00
jiantw83	3fd9a7e13d	Merge pull request 'feat: 階段五六 - findings commit/push 到來源分支，critical 問題 exit 1' (#53 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#53	2026-05-11 09:54:39 +00:00
jiantw83	39cc5c932c	Merge pull request 'feat: 階段四 - findings 寫入與 comment 依序發布（舊問題→非嚴重→嚴重）' (#52 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#52	2026-05-11 09:48:41 +00:00
jiantw83	255adbabe4	Merge pull request 'feat: 階段三 - AI 語意去重，失敗時降級保留所有問題' (#51 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#51	2026-05-11 09:44:10 +00:00
jiantw83	a10fc8f176	Merge pull request 'feat/refactor/kiro/1' (#50 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#50	2026-05-11 09:40:12 +00:00
jiantw83	9b39908394	Merge pull request 'feat: 階段一 - 基本流程串接骨架' (#47 ) from feat/refactor/kiro/1 into feat/refactor/main Reviewed-on: jiantw83/code-review#47	2026-05-11 07:53:38 +00:00