fix: update GEMINI model version in configuration and workflows

Co-authored-by: Copilot <copilot@github.com>

.gitea/ai-review/exclusions.json

@@ -3,5 +3,9 @@
     "role": "Rex",
     "location": "app/git.js",
     "suggestion": "請避免將敏感資料（如 GITEA_TOKEN）直接寫入環境變數"
+  },
+  {
+    "location": "app/git.js",
+    "suggestion": "GITEA_TOKEN 直接嵌入 URL 中"
   }
 ]

.gitea/ai-review/findings.json

@@ -1,149 +1 @@
-[
+[]
-  {
-    "level": "critical",
-    "role": "Rex",
-    "location": "app/git.js:14",
-    "suggestion": "請避免將敏感資料（如 GITEA_TOKEN）直接寫入程式碼，應使用安全的秘密管理工具來管理這些敏感資訊。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Rex",
-    "location": "app/git.js:14",
-    "suggestion": "在 cloneRepo 函數中，請確保 GIT_TOKEN 不會被寫入到檔案系統中，避免敏感資訊洩漏。",
-    "is_new": true
-  },
-  {
-    "level": "warning",
-    "role": "Leo",
-    "location": "app/findings.js:93",
-    "suggestion": "建議在 loadExclusions 函式中增加對於 JSON 格式的驗證，確保讀取的資料符合預期格式，避免潛在的錯誤。",
-    "is_new": false
-  },
-  {
-    "level": "warning",
-    "role": "Leo",
-    "location": "app/findings.js:40",
-    "suggestion": "在 applyExclusions 函式中，建議增加對於 findings 和 exclusions 參數的有效性檢查，以提高程式的健壯性。",
-    "is_new": false
-  },
-  {
-    "level": "warning",
-    "role": "Zara",
-    "location": "app/findings.js:40",
-    "suggestion": "在 applyExclusions 函數中，使用 Array.prototype.some 進行過濾時，可能會導致性能問題，特別是當 findings 和 exclusions 的數量都很大時。建議使用更高效的資料結構（如 HashSet）來加速查詢。",
-    "is_new": false
-  },
-  {
-    "level": "warning",
-    "role": "Aria",
-    "location": "README.md:4",
-    "suggestion": "建議將「讀取排除問題檔案，用來過濾PR問題表格中不需要處理的問題」的描述改為「讀取排除問題檔案，過濾 PR 問題表格中不需要處理的問題」，以保持一致性。",
-    "is_new": false
-  },
-  {
-    "level": "warning",
-    "role": "Maya",
-    "location": "app/findings.js:40",
-    "suggestion": "建議在 applyExclusions 函數中增加對 findings 內容的驗證，確保其格式正確，以提高測試的穩定性和可靠性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Leo",
-    "location": "README.md",
-    "suggestion": "建議在 README 中增加對於新功能（如排除問題過濾）的詳細說明，以便未來的維護者能快速了解其功能。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Leo",
-    "location": "app/main.js",
-    "suggestion": "建議在 main 函式中增加對於每個步驟的詳細註解，讓未來的維護者能更容易理解程式邏輯。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Zara",
-    "location": "app/findings.js:39",
-    "suggestion": "在過濾 findings 時，建議將過濾條件的邏輯提取為獨立函數，以提高可讀性和可維護性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Zara",
-    "location": "app/main.js:64",
-    "suggestion": "在讀取排除問題檔案時，建議考慮使用非同步方法（如 fs.promises.readFile）來避免阻塞事件循環，提升效能。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "README.md:8",
-    "suggestion": "建議將「如果PR問題表格中有嚴重問題，則不要讓 workflow 執行成功(exit 1)」的描述改為「如果 PR 問題表格中有嚴重問題，則不要讓 workflow 執行成功（exit 1）」以提高可讀性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "TODO.md:4",
-    "suggestion": "建議將「階段四：findings 寫入與 comment 發布」的標題改為「階段四：排除問題過濾」，以更清楚地反映內容。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "TODO.md:6",
-    "suggestion": "建議將「階段五：findings 寫入與 comment 發布」的標題改為「階段五：findings 寫入與 comment 發布」，以保持一致性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "TODO.md:8",
-    "suggestion": "建議將「階段六：記憶區 commit/push 與錯誤處理」的標題改為「階段六：記憶區 commit/push 與錯誤處理」，以保持一致性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "TODO.md:10",
-    "suggestion": "建議將「階段七：阻擋嚴重問題 PR（第 8 點）」的標題改為「階段七：阻擋嚴重問題 PR（第 8 點）」以保持一致性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "app/config.js",
-    "suggestion": "建議在 EXCLUSIONS_PATH 的定義上方添加註解，說明該常數的用途，以提高可讀性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "app/findings.js",
-    "suggestion": "建議在 loadExclusions 函數的開頭添加註解，說明該函數的用途，以提高可讀性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Aria",
-    "location": "app/findings.js",
-    "suggestion": "建議在 applyExclusions 函數的開頭添加註解，說明該函數的用途，以提高可讀性。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Maya",
-    "location": "app/findings.js:7",
-    "suggestion": "建議為 loadExclusions 和 applyExclusions 函數撰寫單元測試，以確保其功能正確並能處理邊界條件。",
-    "is_new": false
-  },
-  {
-    "level": "info",
-    "role": "Maya",
-    "location": "app/main.js:48",
-    "suggestion": "建議在每個主要步驟之後增加測試用例，以驗證每個步驟的輸出是否符合預期。",
-    "is_new": false
-  }
-]

.gitea/workflows/review.yaml

@@ -33,8 +33,9 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@v${{ needs.version.outputs.version }}
       with:
-        OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
-        OPENAI_BASE_URL: https://openrouter.ai/api/v1
+        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
     permissions:
       contents: write
       pull-requests: write

README.md

@@ -6,8 +6,8 @@
 
 1. 服務名稱、模型名稱、角色資訊(個性、符合個性的英文名稱、工作內容)，Comment 到 Push Request
 2. 每個角色個別分析 Git Diff 的內容產生新問題表格(問題等級、角色名稱、問題位置或行數、修改建議)
-3. 讀取所有未解決的舊問題(問題檔案存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
+3. 讀取所有未解決的舊問題(問題檔案 `.gitea/ai-review/findings.json` 存在於使用此 Action 的專案固定位置)加上新問題後，去除重複產生本次 Push Request 的問題表格(PR問題表格)覆蓋問題檔案
-4. 讀取排除問題檔案，用來過濾PR問題表格中不需要處理的問題
+4. 讀取排除問題檔案(`.gitea/ai-review/exclusions.json` 存在於使用此 Action 的專案固定位置)，用來過濾PR問題表格中不需要處理的問題
 5. 從PR問題表格中取出所有舊問題，依照等級排序後 Comment 到 Push Request
 6. 從PR問題表格中取出所有新問題，排除嚴重等級的問題後 Comment 到 Push Request
 7. 從PR問題表格中取出所有新問題，將每個嚴重等級的問題 Comment 到 Push Request
@@ -28,7 +28,7 @@
 2. 在 `.gitea/workflows` 資料夾中建立 `ai-review.yaml'
 3. 在 `ai-review.yaml` 中填入以下內容(選擇一個使用)：
 
-### 1. OpenAI（OpenRouter）
+### 1. OpenAI
 ```yaml
 name: AI
 on:
@@ -42,9 +42,29 @@ jobs:
     - name: AI Code Review
       uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
       with:
-        # Github (h3285@evertrust.com.tw)
-        # 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
         OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+        OPENAI_BASE_URL: https://api.openai.com/v1
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+```
+
+### 2. OpenRouter
+```yaml
+name: AI
+on:
+  pull_request:
+    types: [opened, synchronize]
+jobs:
+  code-review:
+    name: 'Code Review'
+    runs-on: ubuntu
+    steps:
+    - name: AI Code Review
+      uses: https://gitea.jsc.idv.tw/jiantw83/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      with:
+        OPENAI_API_KEY: ${{ secrets.OPENROUTER_API_KEY }}
         OPENAI_BASE_URL: https://openrouter.ai/api/v1
     permissions:
       contents: write
@@ -52,7 +72,7 @@ jobs:
       issues: write
 ```
 
-### 2. Anthropic Claude
+### 3. Anthropic Claude
 ```yaml
 name: AI
 on:
@@ -74,7 +94,7 @@ jobs:
       issues: write
 ```
 
-### 3. Google Gemini
+### 4. Google Gemini
 ```yaml
 name: AI
 on:
@@ -90,13 +110,14 @@ jobs:
       with:
         GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
         GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
     permissions:
       contents: write
       pull-requests: write
       issues: write
 ```
 
-### 4. Amazon Q
+### 5. Amazon Q
 ```yaml
 name: AI
 on:
@@ -118,7 +139,7 @@ jobs:
       issues: write
 ```
 
-### 5. SonarQube
+### 6. SonarQube
 ```yaml
 name: AI
 on:

TODO.md

@@ -15,14 +15,14 @@
 - 驗收：log 中能看到 deduplication/resolution confirmation 成功或失敗（如 402），降級時有「保留所有問題」等明確訊息。
 - 完成
 
-## 階段四：排除問題過濾
+## 階段四：AI 排除問題過濾
-- 目標：讀取排除問題檔案，過濾 PR 問題表格中不需要處理的問題。
+- 目標：讀取排除問題檔案（`.gitea/ai-review/exclusions.json`）進行規則過濾，並呼叫 AI 判斷剩餘問題是否為誤報或不適用，兩層過濾後產生最終問題清單。
-- 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息，以及過濾後 findings 數量變化。
+- 驗收：log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化，以及「AI 誤報過濾: N -> M 筆」或降級訊息。
 - 完成
 
 ## 階段五：findings 寫入與 comment 發布
-- 目標：findings.jsonl 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
+- 目標：`.gitea/ai-review/findings.json` 正確寫入，comment 發布順序正確（舊問題→非嚴重→嚴重），每步有 log。
-- 驗收：log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。
+- 驗收：log 中能看到 `.gitea/ai-review/findings.json` 寫入、comment sync 的詳細訊息與順序。
 - 完成
 
 ## 階段六：記憶區 commit/push 與錯誤處理

app/config.js

@@ -12,7 +12,7 @@ export function getLLMConfig() {
   const checks = [
     ['openai',   process.env.OPENAI_API_KEY,   process.env.OPENAI_BASE_URL || 'https://api.openai.com/v1',   process.env.OPENAI_MODEL || 'gpt-4o-mini'],
     ['claude',   process.env.CLAUDE_API_KEY,   process.env.CLAUDE_BASE_URL || 'https://api.anthropic.com/v1', process.env.CLAUDE_MODEL || 'claude-3-haiku-20240307'],
-    ['gemini',   process.env.GEMINI_API_KEY,   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-1.5-flash'],
+    ['gemini',   process.env.GEMINI_API_KEY,   process.env.GEMINI_BASE_URL || 'https://generativelanguage.googleapis.com/v1beta', process.env.GEMINI_MODEL || 'gemini-2.5-flash'],
     ['ollama',   'ollama',                      process.env.OLLAMA_BASE_URL,  process.env.OLLAMA_MODEL],
     ['amazonq',  process.env.AMAZONQ_API_KEY,  process.env.AMAZONQ_BASE_URL || 'https://q.api.aws', process.env.OPENAI_MODEL || 'amazon-q'],
     ['kilo',     process.env.KILO_API_KEY,     process.env.KILO_BASE_URL || 'https://api.kilocode.com/v1', process.env.OPENAI_MODEL || 'kilo-default'],

app/findings.js

@@ -130,3 +130,37 @@ export function applyExclusions(findings, exclusions) {
   console.log(`  排除過濾: ${before} -> ${filtered.length} 筆（排除 ${before - filtered.length} 筆）`);
   return filtered;
 }
+
+/**
+ * 呼叫 AI 判斷哪些問題是誤報或不需處理，回傳需保留的 findings
+ * 失敗時降級回傳原始 findings
+ */
+export async function filterFalsePositivesWithAI(findings) {
+  if (findings.length === 0) return findings;
+
+  const systemPrompt = `你是一位資深程式碼審查專家，負責判斷審查問題是否為誤報或不需處理。
+給你一份問題清單（JSON 陣列），每筆包含 level、role、location、suggestion。
+請移除以下類型的問題：
+1. 誤報：問題描述與實際程式碼不符（例如：程式碼已正確使用環境變數或 secrets，卻被標記為硬編碼敏感資料）
+2. 不適用：問題在此專案情境下不需處理（例如：CI/CD action 本來就需要透過環境變數傳遞 token）
+只回傳需要保留的問題 JSON 陣列，不要有其他文字。`;
+
+  const userContent = `請判斷以下問題清單，移除誤報或不需處理的問題：\n\n${JSON.stringify(findings, null, 2)}`;
+
+  try {
+    const result = await chatJSON(systemPrompt, userContent);
+    if (Array.isArray(result)) {
+      console.log(`  AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
+      return result;
+    }
+    throw new Error('AI 回傳非陣列');
+  } catch (e) {
+    const status = e.response?.status;
+    if (status === 402 || status === 429) {
+      console.log(`  ⚠️  AI 誤報過濾失敗（${status} 額度/限流），降級：保留所有問題`);
+    } else {
+      console.log(`  ⚠️  AI 誤報過濾失敗（${e.message}），降級：保留所有問題`);
+    }
+    return findings;
+  }
+}

app/git.test.js

@@ -3,7 +3,7 @@ import assert from 'node:assert/strict';
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
-import { commitAndPush } from './git.js';
+import { commitAndPush, cloneRepo } from './git.js';
 
 // --- helpers ---
 function makeTmpWorkspace() {
@@ -91,3 +91,59 @@ describe('commitAndPush', () => {
     await assert.doesNotReject(() => commitAndPush(workspace, failSpawn));
   });
 });
+
+describe('cloneRepo', () => {
+  let workspace;
+
+  before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); });
+  after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+
+  it('clones repo when repoDir does not exist', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    assert.ok(cloneCalled, 'expected git clone to be called');
+  });
+
+  it('fetches and checks out when repoDir already exists', () => {
+    const repoDir = path.join(workspace, 'repo');
+    fs.mkdirSync(repoDir, { recursive: true });
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
+    const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch');
+    assert.ok(!cloneCalled, 'clone should not run when repoDir exists');
+    assert.ok(fetchCalled, 'fetch should run when repoDir exists');
+  });
+
+  it('does not embed token in any git command argument', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    for (const { args } of spawn.calls) {
+      assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
+    }
+  });
+
+  it('uses GIT_ASKPASS for network operations', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0]));
+    assert.ok(networkCalls.length > 0, 'expected at least one network git call');
+    for (const { args, opts } of networkCalls) {
+      assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
+    }
+  });
+
+  it('cleans up askpass script after run', () => {
+    const spawn = makeSpawn();
+    cloneRepo(workspace, spawn);
+    const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
+    assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
+  });
+
+  it('returns repoDir path', () => {
+    const spawn = makeSpawn();
+    const result = cloneRepo(workspace, spawn);
+    assert.equal(result, path.join(workspace, 'repo'));
+  });
+});

app/main.js

@@ -1,7 +1,7 @@
 import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
 import { getPRDiff, postComment } from './gitea.js';
-import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions } from './findings.js';
+import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
 import { cloneRepo, commitAndPush } from './git.js';
 
@@ -81,10 +81,11 @@ async function main() {
   const sorted = sortByLevel(deduped);
   console.log(`  Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);
 
-  // Step4: 讀取排除問題檔案，過濾 PR 問題表格
+  // Step4: 讀取排除問題檔案，過濾 PR 問題表格，並請 AI 判斷誤報
-  console.log('\n🚫 Step4: 排除問題過濾');
+  console.log('\n🚫 Step4: AI 排除問題過濾');
   const exclusions = loadExclusions(repoDir || WORKSPACE);
-  const filtered = applyExclusions(sorted, exclusions);
+  const ruleFiltered = applyExclusions(sorted, exclusions);
+  const filtered = await filterFalsePositivesWithAI(ruleFiltered);
   console.log(`  Step4 完成: findings total=${filtered.length}`);
 
   // Step5: 寫入 findings.json，依序發布 comment

app/roles.js

@@ -12,9 +12,13 @@ export function loadRoles() {
 }
 
 export function getRoleIntro(roles) {
-  const lines = ['## 🤖 AI Code Review 團隊', ''];
+  const lines = [
+    '## 🤖 AI Code Review 團隊', '',
+    '| 👤 名稱 | 🎯 職責 | 🧠 個性 |',
+    '|--------|--------|--------|',
+  ];
   for (const r of roles) {
-    lines.push(`- **${r.name}** (${r.role})：${r.personality}`);
+    lines.push(`| **${r.name}** | ${r.role} | ${r.personality} |`);
   }
   return lines.join('\n');
 }