chore: triage review findings

chore: update ai-review findings [ai-review-bot][failure]
fix: fail workflow on bot failure marker
2026-05-15 15:13:07 +00:00 · 2026-05-15 15:07:27 +00:00 · 2026-05-15 15:05:52 +00:00 · 2026-05-15 15:02:45 +00:00 · 2026-05-15 15:01:11 +00:00 · 2026-05-15 15:01:06 +00:00
4 changed files with 26 additions and 5 deletions
@@ -319,5 +319,15 @@
  {
    "location": "app/json.test.js:10",
    "suggestion": "`MAX_JSON_BYTES` 是 `json.js` 的內部限制常數，不需要匯出成公開 API。"
+  },
+  {
+    "role": "Maya",
+    "location": "action.yaml:6, action.yaml:12, action.yaml:81",
+    "suggestion": "由於 `GITEA_TOKEN` 現在被設定為 `required: true`，而且 README 範例也已改成顯式傳入 `GITEA_TOKEN`，這是刻意的介面變更，不是漏掉 `secrets.GITEA_TOKEN` fallback 的缺陷；因此不需要另外加整合測試來驗證這個既定行為。"
+  },
+  {
+    "role": "Leo",
+    "location": "action.yaml:80",
+    "suggestion": "在 `runs.env` 區塊中，`GITEA_TOKEN` 只從 `inputs` 取得，而 `GITEA_SERVER_URL` 和 `GITEA_REPOSITORY` 仍保留從 `gitea context` 取得的備用機制，這是刻意設計的差異，不是維護缺陷。"
  }
 ]
@@ -21,10 +21,10 @@
    "is_new": false
  },
  {
-    "level": "warning",
+    "level": "info",
    "role": "Rex",
-    "location": "action.yaml:81",
-    "suggestion": "在 `action.yaml` 中，`GITEA_TOKEN` 的設定從 `secrets.GITEA_TOKEN` 的 fallback 移除，現在僅從 `inputs.GITEA_TOKEN` 取得。雖然 `inputs.GITEA_TOKEN` 可以透過 `secrets.MY_GITEA_TOKEN` 安全地傳遞，但此變更將確保敏感資料安全傳遞的責任完全轉移到工作流程的配置者。請確保所有使用此 action 的工作流程都透過 GitHub/Gitea secrets 將 `GITEA_TOKEN` 傳遞給 `inputs.GITEA_TOKEN`，以避免將敏感令牌硬編碼或暴露在日誌中。",
-    "is_new": false
+    "location": "action.yaml:18",
+    "suggestion": "引入 GITEA_COMMENT_TOKEN 是一個很好的實踐，遵循最小權限原則。請確保為此 token 配置的權限確實僅限於發布評論。同時，與 GITEA_TOKEN 類似，建議使用者始終從 workflow 的 secrets context 傳遞此 token，以避免硬編碼敏感資料。",
+    "is_new": true
  }
 ]
@@ -31,6 +31,7 @@ jobs:
      uses: https://gitea.jsc.idv.tw/actions/code-review@v${{ needs.version.outputs.version }}
      with:
        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
@@ -1,7 +1,7 @@
 import path from 'path';
 import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig, FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
-import { getPRDiff, postComment, shouldSkipBotCommit } from './gitea.js';
+import { getPRDiff, postComment, getCommitMessageBySha, getBotReviewOutcome, shouldSkipBotCommit } from './gitea.js';
 import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
 import { cloneRepo, commitAndPush, getRepoState } from './git.js';
@@ -15,6 +15,16 @@ async function main() {
  console.log(`  repo=${GITEA_REPOSITORY}  PR=#${PR_NUMBER}`);
  console.log(`  ${PR_HEAD_BRANCH} -> ${PR_BASE_BRANCH}`);

+  const headSha = process.env.PR_HEAD_SHA || process.env.GITHUB_SHA || '';
+  const headMessage = await getCommitMessageBySha(headSha);
+  const headOutcome = getBotReviewOutcome(headMessage);
+  console.log(`  🔎 head check: sha=${headSha || 'empty'} outcome=${headOutcome}`);
+  if (headMessage.includes('[ai-review-bot]') && headOutcome === 'failure') {
+    console.log('  ❌ 偵測到 [ai-review-bot][failure]，直接讓 workflow 失敗');
+    console.log('='.repeat(60));
+    process.exit(1);
+  }
+
  if (await shouldSkipBotCommit()) {
    console.log('  🤖 偵測到 [ai-review-bot] 自動提交，直接完成 action');
    console.log('='.repeat(60));
Author	SHA1	Message	Date
jiantw83	45e875153c	chore: triage review findings	2026-05-15 15:13:07 +00:00
AI Review Bot	140c5059f1	chore: update ai-review findings [ai-review-bot][failure]	2026-05-15 15:07:27 +00:00
jiantw83	ce53c67cac	fix: fail workflow on bot failure marker	2026-05-15 15:05:52 +00:00
AI Review Bot	4702f3814e	chore: update ai-review findings [ai-review-bot][failure]	2026-05-15 15:02:45 +00:00
jiantw83	069e43c689	chore: pass separate gitea comment token	2026-05-15 15:01:11 +00:00
AI Review Bot	259d0e42c4	chore: update ai-review findings [ai-review-bot][failure]	2026-05-15 15:01:06 +00:00