docs: require skill sync for new platforms

Reviewed-on: #105

.gitea/ai-review/exclusions.json

@@ -164,6 +164,18 @@
     "location": "app/llm.js",
     "suggestion": "此 action 為 CLI 工具，process.exit(1) 是設計意圖讓 CI/CD workflow 失敗。改拋錯會被 chatJSON 的 catch 吞掉回傳 []，破壞現有行為"
   },
+  {
+    "location": "Dockerfile, app/git.js, app/git.test.js",
+    "suggestion": "`SYNC_PATHS` 已包含 `.claude/skills/triage-findings/SKILL.md` 與 `.gemini/skills/triage-findings/SKILL.md`，Docker image 也已打包這些 skill 資產；現有測試已覆蓋複製與覆寫行為，並不存在同步不一致問題。"
+  },
+  {
+    "location": "Dockerfile",
+    "suggestion": "此目錄中的檔案是 triage skill 與入口文件，不含敏感資料；若未來加入秘密資訊，應另外從 build context 排除，而不是把目前的 skill 資產視為風險。"
+  },
+  {
+    "location": "Dockerfile",
+    "suggestion": "多個 COPY 指令是刻意設計，用來區分 app 與 skill 資產並維持 layer cache 可讀性，不是維護問題。"
+  },
   {
     "role": "Aria",
     "location": "Dockerfile",

Dockerfile

@@ -10,6 +10,14 @@ WORKDIR /action
 COPY app/package.json /action/app/
 RUN cd /action/app && npm install
 
+COPY .amazonq/ /action/.amazonq/
+COPY .codex/ /action/.codex/
+COPY .claude/ /action/.claude/
+COPY .gemini/ /action/.gemini/
+COPY .github/ /action/.github/
+COPY CLAUDE.md /action/
+COPY GEMINI.md /action/
+
 COPY app/ /action/app/
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh

README.md

@@ -227,4 +227,4 @@ Amazon Q：直接輸入 `triage-findings 問題原始檔(文字或截圖)`
 
 ### 版本包含
 
-提交時一併包含 `triage-findings` skill 與各平台入口檔；已存在檔案一律覆蓋，同步到最新內容；若 workspace 沒有某個同步檔，記憶區會保留原檔，不做刪除。
+提交時一併包含 `triage-findings` skill 與各平台入口檔；已存在檔案一律覆蓋，同步到最新內容；若 workspace 沒有某個同步檔，記憶區會保留原檔，不做刪除。未來若新增任何 skill 或新增其他平台的 skill 入口，必須同時把對應檔案複製進 Docker image，並把同步清單更新到會使用此 action 的目標專案，避免 action 與目標專案內容脫節。

TODO.md

@@ -40,13 +40,13 @@
 ## 階段八：記憶區 commit/push 與錯誤處理
 - 目標：記憶區能成功 commit/push，且一併包含 `triage-findings` skill 與各平台入口檔；skill 檔案已存在時一律以來源覆蓋，workspace 沒有的同步檔則保留記憶區既有內容，不做刪除；錯誤時有明確 log，流程結束有總結訊息。
 - 驗收：log 有「persisted findings」、「commit=...」、「push=...」等訊息，且能看出 skill 相關檔案已一併提交並被來源覆蓋；當 workspace 缺少某個同步檔時，記憶區中的對應檔案不會被刪除；錯誤時有「Runner failed: ...」等明確錯誤說明。
-- 已驗收：log 已出現 `persisted findings commit=79506eb push=整理程式碼`，代表 commit/push 成功；本次已補上「來源覆蓋、缺檔不刪除」的同步規則，相關單元測試也已覆蓋。
+- 已驗收：log 已出現 `persisted findings commit=b867eaa push=feat/解決問題`，代表 commit/push 成功；本次已補上「來源覆蓋、缺檔不刪除」的同步規則，相關單元測試也已覆蓋。
 
 ## 階段九：阻擋嚴重問題 PR（第 8 點）
 - 目標：如果 PR 問題表格中有嚴重（critical）問題，workflow 需直接 exit 1，不讓流程成功。
 - 驗收：log 中能看到「critical 問題存在，workflow 結束（exit 1）」等明確訊息，且 workflow 狀態為失敗。
-- 部分驗收：這次 log 顯示 `✅ 無嚴重問題`，因此只驗到正常放行路徑；`exit 1` 的阻擋分支仍需另一次含 critical 的 PR log 驗證。
+- 已驗收：這次 log 已明確出現 `❌ 發現 2 個嚴重問題，workflow 結束（exit 1）`，且 job 以失敗結束，證明阻擋分支確實生效。
-- 可驗收紀錄情境：只要 `Step8` 出現 `發現 X 個嚴重問題，workflow 結束（exit 1）`，且 job 以失敗結束，就能驗收這一項；如果該次 PR 的 `filtered` 清單含 `critical`，就應該會看到這段 log。
+- 補充紀錄：`Step8` 的退出訊息屬於預期行為，不代表 Step7 commit/push 失敗。
 
 ## 階段十：API Key 輪替
 - 目標：所有平台的 API Key 支援逗號分隔傳入多個，隨機順序各嘗試一次，單一 Key 失敗時自動換下一個，全部失敗則 exit 1。

app/git.js

@@ -1,12 +1,16 @@
 import { spawnSync } from 'child_process';
 import fs from 'fs';
 import path from 'path';
+import { fileURLToPath } from 'url';
 import { GITEA_SERVER_URL, GITEA_REPOSITORY, GITEA_TOKEN, PR_HEAD_BRANCH, FINDINGS_PATH } from './config.js';
 
+const ACTION_ROOT = path.resolve(path.dirname(fileURLToPath(import.meta.url)), '..');
 const remoteUrl = `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}.git`;
 export const SYNC_PATHS = [
   FINDINGS_PATH,
   '.amazonq/rules/triage-findings.md',
+  '.codex/skills/triage-findings/SKILL.md',
+  '.codex/skills/triage-findings/agents/openai.yaml',
   '.claude/skills/triage-findings/SKILL.md',
   '.gemini/skills/triage-findings/SKILL.md',
   '.github/copilot-instructions.md',
@@ -57,7 +61,7 @@ export function cloneRepo(workspace, _spawnSync = spawnSync) {
   });
 }
 
-export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync) {
+export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync, sourceRoot = ACTION_ROOT) {
   const run = makeRunner(_spawnSync);
 
   try {
@@ -70,7 +74,7 @@ export async function commitAndPush(workspace, repoDir, _spawnSync = spawnSync)
       // Copy action skill files into the target repo. Existing files are overwritten;
       // missing source files are ignored so we do not delete target repo content.
       for (const relPath of SYNC_PATHS) {
-        const src = path.join(workspace, relPath);
+        const src = path.join(sourceRoot, relPath);
         const dest = path.join(repoDir, relPath);
         if (fs.existsSync(src)) {
           fs.mkdirSync(path.dirname(dest), { recursive: true });

app/git.test.js

@@ -8,14 +8,18 @@ import { commitAndPush, cloneRepo, SYNC_PATHS } from './git.js';
 // --- helpers ---
 function makeTmpWorkspace() {
   const ws = fs.mkdtempSync(path.join(os.tmpdir(), 'git-test-'));
-  // Pre-create repo dir so clone branch is skipped
   fs.mkdirSync(path.join(ws, 'repo'), { recursive: true });
+  return ws;
+}
+
+function makeActionSource() {
+  const sourceRoot = fs.mkdtempSync(path.join(os.tmpdir(), 'git-source-'));
   for (const relPath of SYNC_PATHS) {
-    const fullPath = path.join(ws, relPath);
+    const fullPath = path.join(sourceRoot, relPath);
     fs.mkdirSync(path.dirname(fullPath), { recursive: true });
     fs.writeFileSync(fullPath, relPath);
   }
-  return ws;
+  return sourceRoot;
 }
 
 // Default stub: all commands succeed, status returns changes
@@ -35,9 +39,12 @@ function makeSpawn(overrides = {}) {
 
 describe('commitAndPush', () => {
   let workspace;
+  let sourceRoot;
 
   before(() => { workspace = makeTmpWorkspace(); });
   after(() => { fs.rmSync(workspace, { recursive: true, force: true }); });
+  before(() => { sourceRoot = makeActionSource(); });
+  after(() => { fs.rmSync(sourceRoot, { recursive: true, force: true }); });
   beforeEach(() => {
     for (const f of fs.readdirSync(workspace)) {
       if (f.endsWith('.git-askpass.sh')) fs.unlinkSync(path.join(workspace, f));
@@ -46,7 +53,7 @@ describe('commitAndPush', () => {
 
   it('does not embed token in any git command argument', async () => {
     const spawn = makeSpawn();
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
 
     for (const { args } of spawn.calls) {
       assert.ok(!args.join(' ').includes('test-token'), `Token leaked in git args: ${args.join(' ')}`);
@@ -55,7 +62,7 @@ describe('commitAndPush', () => {
 
   it('uses GIT_ASKPASS env for network operations (fetch, push, clone)', async () => {
     const spawn = makeSpawn();
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
 
     const networkOps = ['fetch', 'push', 'clone'];
     const networkCalls = spawn.calls.filter(c => networkOps.includes(c.args[0]));
@@ -67,31 +74,33 @@ describe('commitAndPush', () => {
   });
 
   it('cleans up askpass script after successful run', async () => {
-    await commitAndPush(workspace, path.join(workspace, 'repo'), makeSpawn());
+    await commitAndPush(workspace, path.join(workspace, 'repo'), makeSpawn(), sourceRoot);
     const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
     assert.equal(leftover.length, 0, 'askpass script was not cleaned up');
   });
 
   it('cleans up askpass script even when git fails', async () => {
     const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
-    await commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn, sourceRoot);
     const leftover = fs.readdirSync(workspace).filter(f => f.endsWith('.git-askpass.sh'));
     assert.equal(leftover.length, 0, 'askpass script was not cleaned up after failure');
   });
 
   it('skips commit when status shows no changes', async () => {
     const spawn = makeSpawn({ status: () => ({ status: 0, stdout: '', stderr: '', error: null }) });
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
     const commitCalled = spawn.calls.some(c => c.args[0] === 'commit');
     assert.equal(commitCalled, false, 'commit should not run when there are no changes');
   });
 
   it('adds skill and entry files together with findings', async () => {
     const spawn = makeSpawn();
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
     const addCall = spawn.calls.find(c => c.args[0] === 'add');
     assert.ok(addCall, 'expected git add to run');
     assert.ok(addCall.args.includes('.github/skills/triage-findings/SKILL.md'));
+    assert.ok(addCall.args.includes('.codex/skills/triage-findings/SKILL.md'));
+    assert.ok(addCall.args.includes('.codex/skills/triage-findings/agents/openai.yaml'));
     assert.ok(addCall.args.includes('.claude/skills/triage-findings/SKILL.md'));
     assert.ok(addCall.args.includes('.gemini/skills/triage-findings/SKILL.md'));
     assert.ok(addCall.args.includes('.github/copilot-instructions.md'));
@@ -102,13 +111,13 @@ describe('commitAndPush', () => {
   });
 
   it('keeps repo copies when the source sync file is missing', async () => {
-    const missingPath = path.join(workspace, '.amazonq/rules/triage-findings.md');
+    const missingPath = path.join(sourceRoot, '.amazonq/rules/triage-findings.md');
     fs.rmSync(missingPath, { force: true });
     const repoPath = path.join(workspace, 'repo', '.amazonq/rules/triage-findings.md');
     fs.writeFileSync(repoPath, 'stale');
     const spawn = makeSpawn();
 
-    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn);
+    await commitAndPush(workspace, path.join(workspace, 'repo'), spawn, sourceRoot);
 
     const rmCall = spawn.calls.find(c => c.args[0] === 'rm');
     assert.equal(rmCall, undefined, 'git rm should not run for missing source files');
@@ -120,7 +129,7 @@ describe('commitAndPush', () => {
     fs.writeFileSync(path.join(repoDir, '.github/skills/triage-findings/SKILL.md'), 'stale');
     fs.writeFileSync(path.join(repoDir, 'CLAUDE.md'), 'stale');
 
-    await commitAndPush(workspace, repoDir, makeSpawn());
+    await commitAndPush(workspace, repoDir, makeSpawn(), sourceRoot);
 
     assert.equal(fs.readFileSync(path.join(repoDir, '.github/skills/triage-findings/SKILL.md'), 'utf8'), '.github/skills/triage-findings/SKILL.md');
     assert.equal(fs.readFileSync(path.join(repoDir, 'CLAUDE.md'), 'utf8'), 'CLAUDE.md');
@@ -128,7 +137,7 @@ describe('commitAndPush', () => {
 
   it('does not throw when git command fails', async () => {
     const failSpawn = () => ({ status: 1, stdout: '', stderr: 'fatal: error', error: null });
-    await assert.doesNotReject(() => commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn));
+    await assert.doesNotReject(() => commitAndPush(workspace, path.join(workspace, 'repo'), failSpawn, sourceRoot));
   });
 });