Compare commits
6 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 jiantw83
|
4fd9a22aa0 | ||
 AI Review Bot
|
93c3d0ca66 | ||
|
jiantw83
|
35150cae8a | ||
|
AI Review Bot
|
e216ca08c5 | ||
|
jiantw83
|
888bf0b359 | ||
|
AI Review Bot
|
59e942f24b |
@@ -6,11 +6,25 @@
|
||||
"suggestion": "由於 `GITEA_TOKEN` 現在被設定為 `required: true` 且移除了 `secrets.GITEA_TOKEN` 的 fallback 機制,這是一個關鍵性的行為變更。請務必新增整合測試 (integration tests) 來驗證以下情境:\n1. 當 `inputs.GITEA_TOKEN` 未提供時,Action 應如預期般失敗。\n2. 當 `inputs.GITEA_TOKEN` 有提供時,Action 應能正常執行。\n這將確保新的輸入要求和邏輯變更不會導致意外的行為或破壞現有工作流程。",
|
||||
"is_new": false
|
||||
},
|
||||
{
|
||||
"level": "critical",
|
||||
"role": "Leo",
|
||||
"location": "action.yaml:12",
|
||||
"suggestion": "建議將 `GITEA_TOKEN` 的環境變數設定改回 `GITEA_TOKEN: ${{ inputs.GITEA_TOKEN || secrets.GITEA_TOKEN }}`。目前將其設定為 `required: true` 並移除 `secrets.GITEA_TOKEN` 的 fallback 機制,會導致現有依賴 `secrets.GITEA_TOKEN` 的工作流程中斷,並降低配置的彈性。如果目的是強制透過 `inputs` 傳遞,應在文件明確說明此重大變更及其原因。",
|
||||
"is_new": false
|
||||
},
|
||||
{
|
||||
"level": "warning",
|
||||
"role": "Leo",
|
||||
"location": "action.yaml:80",
|
||||
"suggestion": "在 `runs.env` 區塊中,`GITEA_TOKEN` 現在只從 `inputs` 取得,但 `GITEA_SERVER_URL` 和 `GITEA_REPOSITORY` 仍保留從 `gitea context` 取得的備用機制。這種處理方式的不一致性可能會造成未來的維護困擾。建議統一所有 Gitea 相關變數的取得邏輯,或提供明確的註解說明此差異的原因。",
|
||||
"is_new": false
|
||||
},
|
||||
{
|
||||
"level": "warning",
|
||||
"role": "Rex",
|
||||
"location": "action.yaml:81",
|
||||
"suggestion": "在 `action.yaml` 中,`GITEA_TOKEN` 的設定從 `secrets.GITEA_TOKEN` 的 fallback 移除,現在僅從 `inputs.GITEA_TOKEN` 取得。雖然 `inputs.GITEA_TOKEN` 可以透過 `secrets.MY_GITEA_TOKEN` 安全地傳遞,但此變更將確保敏感資料安全傳遞的責任完全轉移到工作流程的配置者。請確保所有使用此 action 的工作流程都透過 GitHub/Gitea secrets 將 `GITEA_TOKEN` 傳遞給 `inputs.GITEA_TOKEN`,以避免將敏感令牌硬編碼或暴露在日誌中。",
|
||||
"is_new": true
|
||||
}
|
||||
]
|
||||
|
||||
@@ -35,7 +35,7 @@
|
||||
|
||||
> **自動提交排除說明**:此 Action 會將自己的 commit message 標記為 `[ai-review-bot]`,而且 action 執行時會先透過 Gitea API 檢查這次觸發的 PR head commit(優先用 `pull_request.head.sha`)是否含有這個 marker,若有就直接成功結束,避免 bot commit 造成重複觸發。若外層 workflow 也能先檢查一次,效果最好。
|
||||
|
||||
> **權限說明**:此 Action 需要 `contents: write`(寫入 findings.json)、`pull-requests: write`(發佈 PR comment)、`issues: write`(發佈 issue comment)三項權限,為正常運作所必要,無法縮減。
|
||||
> **權限說明**:此 Action 需要 `contents: write`(寫入 findings.json)、`pull-requests: write`(發佈 PR comment)、`issues: write`(發佈 issue comment)、以及 commit status 寫入權限,為正常運作所必要,無法縮減。
|
||||
|
||||
### 1. OpenAI
|
||||
```yaml
|
||||
|
||||
+59
-8
@@ -6,6 +6,13 @@ const httpsAgent = GITEA_SKIP_TLS_VERIFY ? new https.Agent({ rejectUnauthorized:
|
||||
const headers = () => ({ Authorization: `token ${GITEA_TOKEN}`, 'Content-Type': 'application/json' });
|
||||
const api = (path) => `${GITEA_SERVER_URL.replace(/\/$/, '')}/api/v1${path}`;
|
||||
|
||||
function extractCommitMessage(payload) {
|
||||
return payload?.message
|
||||
|| payload?.commit?.message
|
||||
|| payload?.commit?.commit?.message
|
||||
|| '';
|
||||
}
|
||||
|
||||
/**
|
||||
* 取得 PR 的 Git Diff 內容,已自動排除 .gitea/ 資料夾。
|
||||
*/
|
||||
@@ -33,8 +40,11 @@ export async function getCommitMessageBySha(sha) {
|
||||
timeout: 30000,
|
||||
httpsAgent,
|
||||
});
|
||||
return resp.data?.message || '';
|
||||
} catch {
|
||||
const message = extractCommitMessage(resp.data);
|
||||
console.log(` 🔎 bot-check: commit api sha=${sha} keys=${Object.keys(resp.data || {}).join(',') || 'empty'} message=${message ? 'found' : 'empty'}`);
|
||||
return message;
|
||||
} catch (e) {
|
||||
console.log(` ⚠️ bot-check: 讀取 commit sha=${sha} 失敗: ${e.message}`);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
@@ -48,18 +58,59 @@ export async function getBranchHeadCommitMessage(branch = PR_HEAD_BRANCH) {
|
||||
httpsAgent,
|
||||
});
|
||||
const sha = resp.data?.commit?.id || resp.data?.commit?.sha || '';
|
||||
console.log(` 🔎 bot-check: branch api branch=${branch} keys=${Object.keys(resp.data || {}).join(',') || 'empty'} sha=${sha || 'empty'} message=${extractCommitMessage(resp.data?.commit) ? 'found' : 'empty'}`);
|
||||
return await getCommitMessageBySha(sha);
|
||||
} catch {
|
||||
} catch (e) {
|
||||
console.log(` ⚠️ bot-check: 讀取 branch=${branch} head commit 失敗: ${e.message}`);
|
||||
return '';
|
||||
}
|
||||
}
|
||||
|
||||
export async function shouldSkipBotCommit({ sha = PR_HEAD_SHA || process.env.GITHUB_SHA, branch = PR_HEAD_BRANCH } = {}) {
|
||||
const candidates = [
|
||||
await getCommitMessageBySha(sha),
|
||||
await getBranchHeadCommitMessage(branch),
|
||||
].filter(Boolean);
|
||||
return candidates.some(message => message.includes('[ai-review-bot]'));
|
||||
console.log(` 🔎 bot-check: start PR_HEAD_SHA=${PR_HEAD_SHA || 'empty'} GITHUB_SHA=${process.env.GITHUB_SHA || 'empty'} sha=${sha || 'empty'} branch=${branch || 'empty'}`);
|
||||
|
||||
const shaMessage = await getCommitMessageBySha(sha);
|
||||
if (sha) {
|
||||
console.log(` 🔎 bot-check: sha=${sha} message=${shaMessage ? 'found' : 'empty'}`);
|
||||
if (shaMessage.includes('[ai-review-bot]')) {
|
||||
console.log(' ✅ bot-check: matched commit sha marker');
|
||||
return true;
|
||||
}
|
||||
} else {
|
||||
console.log(' 🔎 bot-check: skip sha lookup because sha is empty');
|
||||
}
|
||||
|
||||
const branchMessage = await getBranchHeadCommitMessage(branch);
|
||||
if (branch) {
|
||||
console.log(` 🔎 bot-check: branch=${branch} head_message=${branchMessage ? 'found' : 'empty'}`);
|
||||
if (branchMessage.includes('[ai-review-bot]')) {
|
||||
console.log(' ✅ bot-check: matched branch head marker');
|
||||
return true;
|
||||
}
|
||||
} else {
|
||||
console.log(' 🔎 bot-check: skip branch lookup because branch is empty');
|
||||
}
|
||||
|
||||
console.log(' ℹ️ bot-check: no [ai-review-bot] marker found');
|
||||
return false;
|
||||
}
|
||||
|
||||
export async function setCommitStatus(sha, state, description, context = 'ai-review/critical', targetUrl = '') {
|
||||
if (!sha) throw new Error('commit sha is required for status update');
|
||||
const payload = {
|
||||
state,
|
||||
context,
|
||||
description,
|
||||
};
|
||||
if (targetUrl) payload.target_url = targetUrl;
|
||||
|
||||
const resp = await axios.post(api(`/repos/${GITEA_REPOSITORY}/statuses/${encodeURIComponent(sha)}`), payload, {
|
||||
headers: headers(),
|
||||
timeout: 30000,
|
||||
httpsAgent,
|
||||
});
|
||||
console.log(` ✅ status: sha=${sha} state=${state} context=${context} description=${description}`);
|
||||
return resp.data;
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
+20
-1
@@ -1,7 +1,7 @@
|
||||
import { describe, it, afterEach, mock } from 'node:test';
|
||||
import assert from 'node:assert/strict';
|
||||
import axios from 'axios';
|
||||
import { getPRDiff, filterDiff, postComment, getCommitMessageBySha, getBranchHeadCommitMessage, shouldSkipBotCommit } from './gitea.js';
|
||||
import { getPRDiff, filterDiff, postComment, getCommitMessageBySha, getBranchHeadCommitMessage, shouldSkipBotCommit, setCommitStatus } from './gitea.js';
|
||||
|
||||
afterEach(() => mock.restoreAll());
|
||||
|
||||
@@ -95,6 +95,25 @@ describe('gitea', () => {
|
||||
});
|
||||
await assert.equal(await shouldSkipBotCommit({ sha: 'sha-bot', branch: 'feat/test' }), true);
|
||||
});
|
||||
|
||||
it('setCommitStatus posts commit status to Gitea API', async () => {
|
||||
let capturedUrl, capturedBody, capturedOpts;
|
||||
mock.method(axios, 'post', async (url, body, opts) => {
|
||||
capturedUrl = url;
|
||||
capturedBody = body;
|
||||
capturedOpts = opts;
|
||||
return { data: { state: body.state } };
|
||||
});
|
||||
|
||||
const result = await setCommitStatus('sha-123', 'failure', 'found 2 critical issues', 'ai-review/critical', 'https://example.com/pr/1');
|
||||
assert.equal(result.state, 'failure');
|
||||
assert.ok(capturedUrl.includes('/statuses/sha-123'));
|
||||
assert.equal(capturedBody.state, 'failure');
|
||||
assert.equal(capturedBody.context, 'ai-review/critical');
|
||||
assert.equal(capturedBody.description, 'found 2 critical issues');
|
||||
assert.equal(capturedBody.target_url, 'https://example.com/pr/1');
|
||||
assert.ok(capturedOpts.headers['Authorization'].startsWith('token '));
|
||||
});
|
||||
});
|
||||
|
||||
describe('filterDiff', () => {
|
||||
|
||||
+24
-2
@@ -1,13 +1,22 @@
|
||||
import path from 'path';
|
||||
import { GITEA_REPOSITORY, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig, FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
|
||||
import { GITEA_REPOSITORY, GITEA_SERVER_URL, PR_NUMBER, PR_HEAD_BRANCH, PR_BASE_BRANCH, getLLMConfig, FINDINGS_PATH, EXCLUSIONS_PATH } from './config.js';
|
||||
import { loadRoles, getRoleIntro } from './roles.js';
|
||||
import { getPRDiff, postComment, shouldSkipBotCommit } from './gitea.js';
|
||||
import { getPRDiff, postComment, shouldSkipBotCommit, setCommitStatus } from './gitea.js';
|
||||
import { analyzeWithRole, loadOldFindings, mergeFindings, sortByLevel, deduplicateWithAI, loadExclusions, applyExclusions, filterFalsePositivesWithAI } from './findings.js';
|
||||
import { saveFindings, postOldFindingsComment, postNewNonCriticalComment, postNewCriticalComments } from './comments.js';
|
||||
import { cloneRepo, commitAndPush, getRepoState } from './git.js';
|
||||
import { validateJSONArrayFile, ensureJSONArrayFileExists } from './json.js';
|
||||
|
||||
const WORKSPACE = process.env.GITHUB_WORKSPACE || '/workspace';
|
||||
const REVIEW_STATUS_CONTEXT = 'ai-review/critical';
|
||||
|
||||
async function updateReviewStatus(sha, criticalCount) {
|
||||
const state = criticalCount > 0 ? 'failure' : 'success';
|
||||
const description = criticalCount > 0
|
||||
? `found ${criticalCount} critical issue${criticalCount === 1 ? '' : 's'}`
|
||||
: 'no critical issues found';
|
||||
await setCommitStatus(sha, state, description, REVIEW_STATUS_CONTEXT, `${GITEA_SERVER_URL.replace(/\/$/, '')}/${GITEA_REPOSITORY}/pulls/${PR_NUMBER}`);
|
||||
}
|
||||
|
||||
async function main() {
|
||||
console.log('='.repeat(60));
|
||||
@@ -17,6 +26,17 @@ async function main() {
|
||||
|
||||
if (await shouldSkipBotCommit()) {
|
||||
console.log(' 🤖 偵測到 [ai-review-bot] 自動提交,直接完成 action');
|
||||
let criticalCount = 0;
|
||||
try {
|
||||
const repoDir = cloneRepo(WORKSPACE);
|
||||
const findings = loadOldFindings(repoDir || WORKSPACE);
|
||||
criticalCount = findings.filter(f => f.level === 'critical').length;
|
||||
console.log(` 🔎 bot-check: current findings critical=${criticalCount}`);
|
||||
await updateReviewStatus(process.env.PR_HEAD_SHA || process.env.GITHUB_SHA, criticalCount);
|
||||
} catch (e) {
|
||||
console.error(` ❌ bot-check: 無法回報 status: ${e.message}`);
|
||||
process.exit(1);
|
||||
}
|
||||
console.log('='.repeat(60));
|
||||
process.exit(0);
|
||||
}
|
||||
@@ -42,6 +62,7 @@ async function main() {
|
||||
|
||||
if (!diff.trim()) {
|
||||
console.log(' ⚠️ diff 為空,無需審查');
|
||||
await updateReviewStatus(process.env.PR_HEAD_SHA || process.env.GITHUB_SHA, 0);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
@@ -133,6 +154,7 @@ async function main() {
|
||||
// Step9: 有 critical 問題則 exit 1
|
||||
console.log('\n🚦 Step8: 嚴重問題檢查');
|
||||
const criticalCount = filtered.filter(f => f.level === 'critical').length;
|
||||
await updateReviewStatus(process.env.PR_HEAD_SHA || process.env.GITHUB_SHA, criticalCount);
|
||||
if (criticalCount > 0) {
|
||||
console.log(` ❌ 發現 ${criticalCount} 個嚴重問題,workflow 結束(exit 1)`);
|
||||
console.log('='.repeat(60));
|
||||
|
||||
Reference in New Issue
Block a user