Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 jiantw83
|
baa5d0cb64 | ||
|
jiantw83
|
ba46224209 | ||
|
jiantw83
|
c69fe4a8a4 | ||
|
jiantw83
|
c275261ed1 | ||
|
jiantw83
|
57285ce145 |
@@ -1,11 +0,0 @@
|
||||
[
|
||||
{
|
||||
"role": "Rex",
|
||||
"location": "app/git.js",
|
||||
"suggestion": "請避免將敏感資料(如 GITEA_TOKEN)直接寫入環境變數"
|
||||
},
|
||||
{
|
||||
"location": "app/git.js",
|
||||
"suggestion": "GITEA_TOKEN 直接嵌入 URL 中"
|
||||
}
|
||||
]
|
||||
@@ -1 +1,58 @@
|
||||
[]
|
||||
[
|
||||
{
|
||||
"level": "critical",
|
||||
"role": "Leo",
|
||||
"location": "app/git.js:11",
|
||||
"suggestion": "GITEA_TOKEN 直接嵌入 URL 中,可能導致憑證洩漏。建議使用環境變數或安全的憑證管理方式來處理敏感資訊。",
|
||||
"is_new": true
|
||||
},
|
||||
{
|
||||
"level": "critical",
|
||||
"role": "Maya",
|
||||
"location": "app/git.js:1",
|
||||
"suggestion": "缺少對 commitAndPush 函數的單元測試,應該為其添加測試以確保其正確性。",
|
||||
"is_new": true
|
||||
},
|
||||
{
|
||||
"level": "warning",
|
||||
"role": "Leo",
|
||||
"location": "app/git.js:25",
|
||||
"suggestion": "在使用 fs.existsSync 檢查目錄是否存在時,應考慮使用非同步方法以避免阻塞事件循環。",
|
||||
"is_new": true
|
||||
},
|
||||
{
|
||||
"level": "warning",
|
||||
"role": "Leo",
|
||||
"location": "app/git.js:29",
|
||||
"suggestion": "在 git clone 時使用 --depth=1 可能會導致未來需要完整歷史紀錄時的性能問題,建議根據實際需求調整。",
|
||||
"is_new": true
|
||||
},
|
||||
{
|
||||
"level": "warning",
|
||||
"role": "Leo",
|
||||
"location": "app/git.js:11",
|
||||
"suggestion": "在使用 fs.copyFileSync 時,未檢查目標檔案是否存在,可能會覆蓋重要資料。建議在複製之前檢查檔案是否存在。",
|
||||
"is_new": true
|
||||
},
|
||||
{
|
||||
"level": "warning",
|
||||
"role": "Leo",
|
||||
"location": "app/git.js:11",
|
||||
"suggestion": "在 commitAndPush 函數中,對於 git 操作的錯誤處理不夠完善,應該添加更多的測試來驗證不同情況下的行為。",
|
||||
"is_new": true
|
||||
},
|
||||
{
|
||||
"level": "info",
|
||||
"role": "Leo",
|
||||
"location": ".gitea/workflows/review.yaml:5",
|
||||
"suggestion": "建議在 'branches-ignore' 前加上空行,以提高可讀性。",
|
||||
"is_new": true
|
||||
},
|
||||
{
|
||||
"level": "info",
|
||||
"role": "Leo",
|
||||
"location": "app/git.js:45",
|
||||
"suggestion": "考慮使用 async/await 來處理 fs.copyFileSync,以提高可讀性和錯誤處理能力。",
|
||||
"is_new": true
|
||||
}
|
||||
]
|
||||
@@ -15,26 +15,25 @@
|
||||
- 驗收:log 中能看到 deduplication/resolution confirmation 成功或失敗(如 402),降級時有「保留所有問題」等明確訊息。
|
||||
- 完成
|
||||
|
||||
## 階段四:AI 排除問題過濾
|
||||
- 目標:讀取排除問題檔案(exclusions.json)進行規則過濾,並呼叫 AI 判斷剩餘問題是否為誤報或不適用,兩層過濾後產生最終問題清單。
|
||||
- 驗收:log 中能看到排除問題檔案讀取成功或不存在的訊息、規則過濾數量變化,以及「AI 誤報過濾: N -> M 筆」或降級訊息。
|
||||
## 階段四:排除問題過濾
|
||||
- 目標:讀取排除問題檔案,過濾 PR 問題表格中不需要處理的問題。
|
||||
- 驗收:log 中能看到排除問題檔案讀取成功或不存在的訊息,以及過濾後 findings 數量變化。
|
||||
- 完成
|
||||
|
||||
## 階段五:findings 寫入與 comment 發布
|
||||
- 目標:findings.jsonl 正確寫入,comment 發布順序正確(舊問題→非嚴重→嚴重),每步有 log。
|
||||
- 驗收:log 中能看到 findings.json 寫入、comment sync 的詳細訊息與順序。
|
||||
- 完成
|
||||
- 驗收:log 中能看到 findings 寫入、comment sync 的詳細訊息與順序。
|
||||
|
||||
## 階段六:記憶區 commit/push 與錯誤處理
|
||||
- 目標:記憶區能成功 commit/push,錯誤時有明確 log,流程結束有總結訊息。
|
||||
- 驗收:log 有「persisted findings」、「commit=...」、「push=...」等訊息,錯誤時有「Runner failed: ...」等明確錯誤說明。
|
||||
- 完成
|
||||
|
||||
## 階段七:阻擋嚴重問題 PR(第 8 點)
|
||||
- 目標:如果 PR 問題表格中有嚴重(critical)問題,workflow 需直接 exit 1,不讓流程成功。
|
||||
- 驗收:log 中能看到「critical 問題存在,workflow 結束(exit 1)」等明確訊息,且 workflow 狀態為失敗。
|
||||
- 完成
|
||||
|
||||
---
|
||||
|
||||
所有階段驗收通過。
|
||||
每個階段都會加上明確的 log,並確保即使部分功能未完成也能降級執行、不會中斷 pipeline。
|
||||
|
||||
每次執行後請貼 log,我會協助 debug。
|
||||
|
||||
+2
-36
@@ -124,43 +124,9 @@ export function applyExclusions(findings, exclusions) {
|
||||
const before = findings.length;
|
||||
const filtered = findings.filter(f => !exclusions.some(ex =>
|
||||
(!ex.role || ex.role === f.role) &&
|
||||
(!ex.location || String(f.location).includes(ex.location)) &&
|
||||
(!ex.suggestion || String(f.suggestion).includes(String(ex.suggestion).slice(0, 20)))
|
||||
(!ex.location || ex.location === f.location) &&
|
||||
(!ex.suggestion || String(f.suggestion).startsWith(String(ex.suggestion).slice(0, 50)))
|
||||
));
|
||||
console.log(` 排除過濾: ${before} -> ${filtered.length} 筆(排除 ${before - filtered.length} 筆)`);
|
||||
return filtered;
|
||||
}
|
||||
|
||||
/**
|
||||
* 呼叫 AI 判斷哪些問題是誤報或不需處理,回傳需保留的 findings
|
||||
* 失敗時降級回傳原始 findings
|
||||
*/
|
||||
export async function filterFalsePositivesWithAI(findings) {
|
||||
if (findings.length === 0) return findings;
|
||||
|
||||
const systemPrompt = `你是一位資深程式碼審查專家,負責判斷審查問題是否為誤報或不需處理。
|
||||
給你一份問題清單(JSON 陣列),每筆包含 level、role、location、suggestion。
|
||||
請移除以下類型的問題:
|
||||
1. 誤報:問題描述與實際程式碼不符(例如:程式碼已正確使用環境變數或 secrets,卻被標記為硬編碼敏感資料)
|
||||
2. 不適用:問題在此專案情境下不需處理(例如:CI/CD action 本來就需要透過環境變數傳遞 token)
|
||||
只回傳需要保留的問題 JSON 陣列,不要有其他文字。`;
|
||||
|
||||
const userContent = `請判斷以下問題清單,移除誤報或不需處理的問題:\n\n${JSON.stringify(findings, null, 2)}`;
|
||||
|
||||
try {
|
||||
const result = await chatJSON(systemPrompt, userContent);
|
||||
if (Array.isArray(result)) {
|
||||
console.log(` AI 誤報過濾: ${findings.length} -> ${result.length} 筆`);
|
||||
return result;
|
||||
}
|
||||
throw new Error('AI 回傳非陣列');
|
||||
} catch (e) {
|
||||
const status = e.response?.status;
|
||||
if (status === 402 || status === 429) {
|
||||
console.log(` ⚠️ AI 誤報過濾失敗(${status} 額度/限流),降級:保留所有問題`);
|
||||
} else {
|
||||
console.log(` ⚠️ AI 誤報過濾失敗(${e.message}),降級:保留所有問題`);
|
||||
}
|
||||
return findings;
|
||||
}
|
||||
}
|
||||
|
||||
-28
@@ -14,34 +14,6 @@ function makeRunner(spawn) {
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Clone PR head branch to workspace/repo (idempotent)
|
||||
*/
|
||||
export function cloneRepo(workspace, _spawnSync = spawnSync) {
|
||||
const run = makeRunner(_spawnSync);
|
||||
const baseUrl = GITEA_SERVER_URL.replace(/\/$/, '');
|
||||
const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
|
||||
const repoDir = path.join(workspace, 'repo');
|
||||
|
||||
const askpassScript = path.join(workspace, '.git-askpass.sh');
|
||||
fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
|
||||
const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
|
||||
|
||||
try {
|
||||
if (!fs.existsSync(repoDir)) {
|
||||
run(['clone', '--depth=1', '--branch', PR_HEAD_BRANCH, remoteUrl, repoDir], workspace, credEnv);
|
||||
console.log(` ✅ repo cloned to ${repoDir}`);
|
||||
} else {
|
||||
run(['fetch', 'origin', PR_HEAD_BRANCH], repoDir, credEnv);
|
||||
run(['checkout', PR_HEAD_BRANCH], repoDir);
|
||||
console.log(` ✅ repo already exists, fetched latest`);
|
||||
}
|
||||
} finally {
|
||||
try { fs.unlinkSync(askpassScript); } catch {}
|
||||
}
|
||||
return repoDir;
|
||||
}
|
||||
|
||||
export async function commitAndPush(workspace, _spawnSync = spawnSync) {
|
||||
const run = makeRunner(_spawnSync);
|
||||
|
||||
|
||||
+1
-57
@@ -3,7 +3,7 @@ import assert from 'node:assert/strict';
|
||||
import fs from 'fs';
|
||||
import os from 'os';
|
||||
import path from 'path';
|
||||
import { commitAndPush, cloneRepo } from './git.js';
|
||||
import { commitAndPush } from './git.js';
|
||||
|
||||
// --- helpers ---
|
||||
function makeTmpWorkspace() {
|
||||
@@ -91,59 +91,3 @@ describe('commitAndPush', () => {
|
||||
await assert.doesNotReject(() => commitAndPush(workspace, failSpawn));
|
||||
});
|
||||
});
|
||||
|
||||
describe('cloneRepo', () => {
|
||||
let workspace;
|
||||
|
||||
before(() => { workspace = fs.mkdtempSync(path.join(os.tmpdir(), 'clone-test-')); });
|
||||
after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
|
||||
|
||||
it('clones repo when repoDir does not exist', () => {
|
||||
const spawn = makeSpawn();
|
||||
cloneRepo(workspace, spawn);
|
||||
const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
|
||||
assert.ok(cloneCalled, 'expected git clone to be called');
|
||||
});
|
||||
|
||||
it('fetches and checks out when repoDir already exists', () => {
|
||||
const repoDir = path.join(workspace, 'repo');
|
||||
fs.mkdirSync(repoDir, { recursive: true });
|
||||
const spawn = makeSpawn();
|
||||
cloneRepo(workspace, spawn);
|
||||
const cloneCalled = spawn.calls.some(c => c.args[0] === 'clone');
|
||||
const fetchCalled = spawn.calls.some(c => c.args[0] === 'fetch');
|
||||
assert.ok(!cloneCalled, 'clone should not run when repoDir exists');
|
||||
assert.ok(fetchCalled, 'fetch should run when repoDir exists');
|
||||
});
|
||||
|
||||
it('does not embed token in any git command argument', () => {
|
||||
const spawn = makeSpawn();
|
||||
cloneRepo(workspace, spawn);
|
||||
for (const { args } of spawn.calls) {
|
||||
assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
|
||||
}
|
||||
});
|
||||
|
||||
it('uses GIT_ASKPASS for network operations', () => {
|
||||
const spawn = makeSpawn();
|
||||
cloneRepo(workspace, spawn);
|
||||
const networkCalls = spawn.calls.filter(c => ['clone', 'fetch'].includes(c.args[0]));
|
||||
assert.ok(networkCalls.length > 0, 'expected at least one network git call');
|
||||
for (const { args, opts } of networkCalls) {
|
||||
assert.ok(opts?.env?.GIT_ASKPASS, `GIT_ASKPASS missing for git ${args[0]}`);
|
||||
}
|
||||
});
|
||||
|
||||
it('cleans up askpass script after run', () => {
|
||||
const spawn = makeSpawn();
|
||||
cloneRepo(workspace, spawn);
|
||||
const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
|
||||
assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
|
||||
});
|
||||
|
||||
it('returns repoDir path', () => {
|
||||
const spawn = makeSpawn();
|
||||
const result = cloneRepo(workspace, spawn);
|
||||
assert.equal(result, path.join(workspace, 'repo'));
|
||||
});
|
||||
});
|
||||
|
||||
+7
-15
@@ -1,9 +1,9 @@
|
||||
import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig } from './config.js';
|
||||
import { loadRoles, getRoleIntro } from './roles.js';
|
||||
import { getPRDiff, postComment } from './gitea.js';
|
||||
import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
|
||||
import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions } from './findings.js';
|
||||
import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
|
||||
import { cloneRepo, commitAndPush } from './git.js';
|
||||
import { commitAndPush } from './git.js';
|
||||
|
||||
const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';
|
||||
|
||||
@@ -65,14 +65,7 @@ async function main() {
|
||||
|
||||
// Step3: 讀取舊 findings,合併去重(含 AI 語意去重)
|
||||
console.log('\n🔀 Step3: Findings 合併');
|
||||
// Clone repo 以讀取舊 findings 與排除清單
|
||||
let repoDir;
|
||||
try {
|
||||
repoDir = cloneRepo(WORKSPACE);
|
||||
} catch (e) {
|
||||
console.log(` ⚠️ clone repo 失敗(繼續執行): ${e.message}`);
|
||||
}
|
||||
const oldFindings = loadOldFindings(repoDir || WORKSPACE);
|
||||
const oldFindings = loadOldFindings(WORKSPACE);
|
||||
const mergedFindings = mergeFindings(oldFindings, newFindings);
|
||||
console.log(` Step3 merged findings total=${mergedFindings.length}`);
|
||||
|
||||
@@ -81,11 +74,10 @@ async function main() {
|
||||
const sorted = sortByLevel(deduped);
|
||||
console.log(` Step3b dedup findings total=${sorted.length} (critical=${sorted.filter(f=>f.level==='critical').length} warning=${sorted.filter(f=>f.level==='warning').length} info=${sorted.filter(f=>f.level==='info').length})`);
|
||||
|
||||
// Step4: 讀取排除問題檔案,過濾 PR 問題表格,並請 AI 判斷誤報
|
||||
console.log('\n🚫 Step4: AI 排除問題過濾');
|
||||
const exclusions = loadExclusions(repoDir || WORKSPACE);
|
||||
const ruleFiltered = applyExclusions(sorted, exclusions);
|
||||
const filtered = await filterFalsePositivesWithAI(ruleFiltered);
|
||||
// Step4: 讀取排除問題檔案,過濾 PR 問題表格
|
||||
console.log('\n🚫 Step4: 排除問題過濾');
|
||||
const exclusions = loadExclusions(WORKSPACE);
|
||||
const filtered = applyExclusions(sorted, exclusions);
|
||||
console.log(` Step4 完成: findings total=${filtered.length}`);
|
||||
|
||||
// Step5: 寫入 findings.json,依序發布 comment
|
||||
|
||||
Reference in New Issue
Block a user