fix: fail workflow on bot failure marker

.gitea/ai-review/findings.json

@@ -25,6 +25,6 @@
     "role": "Rex",
     "location": "action.yaml:7-9, app/gitea.js:100-104",
     "suggestion": "引入 `GITEA_COMMENT_TOKEN` 並在 `postComment` 函數中優先使用它，這是一個很好的安全實踐，遵循最小權限原則。建議為此 token 配置僅限於發布評論的權限，以降低潛在洩漏的風險。",
-    "is_new": true
+    "is_new": false
   }
 ]

app/main.js

@@ -1,7 +1,7 @@
 import path from 'path';
 import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig, FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
 import { loadRoles, getRoleIntro } from './roles.js';
-import { getPRDiff, postComment, shouldSkipBotCommit } from './gitea.js';
+import { getPRDiff, postComment, getCommitMessageBySha, getBotReviewOutcome, shouldSkipBotCommit } from './gitea.js';
 import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
 import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
 import { cloneRepo, commitAndPush, getRepoState } from './git.js';
@@ -15,6 +15,16 @@ async function main() {
   console.log(`  repo=${GITEA_REPOSITORY}  PR=#${PR_NUMBER}`);
   console.log(`  ${PR_HEAD_BRANCH} -> ${PR_BASE_BRANCH}`);
 
+  const headSha = process.env.PR_HEAD_SHA || process.env.GITHUB_SHA || '';
+  const headMessage = await getCommitMessageBySha(headSha);
+  const headOutcome = getBotReviewOutcome(headMessage);
+  console.log(`  🔎 head check: sha=${headSha || 'empty'} outcome=${headOutcome}`);
+  if (headMessage.includes('[ai-review-bot]') && headOutcome === 'failure') {
+    console.log('  ❌ 偵測到 [ai-review-bot][failure]，直接讓 workflow 失敗');
+    console.log('='.repeat(60));
+    process.exit(1);
+  }
+
   if (await shouldSkipBotCommit()) {
     console.log('  🤖 偵測到 [ai-review-bot] 自動提交，直接完成 action');
     console.log('='.repeat(60));