From c8ed4645eba26932f8730c6fadd9a87fe947d03b Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Tue, 12 May 2026 10:22:17 +0000
Subject: [PATCH 1/7] =?UTF-8?q?=E6=96=B0=E5=A2=9E=20.gitea/workflows/revie?= =?UTF-8?q?w.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/review.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .gitea/workflows/review.yaml
diff --git a/.gitea/workflows/review.yaml b/.gitea/workflows/review.yaml
new file mode 100644
index 0000000..e4e473f
--- /dev/null
+++ b/.gitea/workflows/review.yaml
@@ -0,0 +1,24 @@
+name: AI
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref }}
+ cancel-in-progress: true
+on:
+ pull_request:
+ branches-ignore:
+ - master
+ types: [opened, synchronize]
+jobs:
+ code-review:
+ name: Code Review
+ runs-on: ubuntu
+ steps:
+ - name: AI Code Review
+ uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+ with:
+ GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
+ GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+ GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
\ No newline at end of file
From 53a57583565cae60264585eb1a2c9175e0c5a92a Mon Sep 17 00:00:00 2001
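Review bot: The `uses:` line resolves the action from a repository variable, `code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}`, so the code that receives twenty Gemini secrets and a write-scoped token is whatever that mutable variable currently points at, and anyone who can edit repository variables can retarget it without touching this file; pin it to an immutable ref instead, e.g. `uses: https://gitea.jsc.idv.tw/actions/code-review@<commit-sha>  # pinned; bump deliberately`. The `GEMINI_API_KEY` input also joins `secrets.GEMINI_API_KEY` through `GEMINI_API_KEY_19` with commas; any secret that is not defined in the repository expands to an empty string, which yields empty list entries (`,,`), and if the action expects a single key the whole comma-joined string is sent as the credential. The hunk does not show which format the action accepts, so confirm that against the action and consider one multi-line secret (one key per line) rather than twenty separate ones. Note the file is written without a trailing newline (`\ No newline at end of file`).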
From: Jeffery
Date: Tue, 12 May 2026 10:22:43 +0000
Subject: [PATCH 2/7] =?UTF-8?q?=E5=88=AA=E9=99=A4=20.gitea/workflows/revie?= =?UTF-8?q?w.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/review.yaml | 24 ------------------------
 1 file changed, 24 deletions(-)
 delete mode 100644 .gitea/workflows/review.yaml
diff --git a/.gitea/workflows/review.yaml b/.gitea/workflows/review.yaml
deleted file mode 100644
index e4e473f..0000000
--- a/.gitea/workflows/review.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: AI
-concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref }}
- cancel-in-progress: true
-on:
- pull_request:
- branches-ignore:
- - master
- types: [opened, synchronize]
-jobs:
- code-review:
- name: Code Review
- runs-on: ubuntu
- steps:
- - name: AI Code Review
- uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
- with:
- GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
- GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
- GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
- permissions:
- contents: write
- pull-requests: write
- issues: write
\ No newline at end of file
From 7dd61d58a6aaf4ce35f37f23f418bcdc58174bde Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Tue, 12 May 2026 10:23:13 +0000
Subject: [PATCH 3/7] =?UTF-8?q?=E6=96=B0=E5=A2=9E=20.gitea/workflows/revie?= =?UTF-8?q?w.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/review.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .gitea/workflows/review.yaml
diff --git a/.gitea/workflows/review.yaml b/.gitea/workflows/review.yaml
new file mode 100644
index 0000000..e4e473f
--- /dev/null
+++ b/.gitea/workflows/review.yaml
@@ -0,0 +1,24 @@
+name: AI
+concurrency:
+ group: ${{ github.workflow }}-${{ github.head_ref }}
+ cancel-in-progress: true
+on:
+ pull_request:
+ branches-ignore:
+ - master
+ types: [opened, synchronize]
+jobs:
+ code-review:
+ name: Code Review
+ runs-on: ubuntu
+ steps:
+ - name: AI Code Review
+ uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+ with:
+ GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
+ GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+ GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
\ No newline at end of file
From 4c00e43b071d27c63a6204a3478ed65c5300121b Mon Sep 17 00:00:00 2001
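Review bot: The `permissions:` block at the end of the job grants the job token `contents: write` alongside `pull-requests: write` and `issues: write`, so a job whose whole purpose is to read pull-request code and comment on it can also push to the repository. Later in this series an "AI Review Bot" commit adds `.gitea/ai-review/findings.json`, which suggests the action really does write back to the repo; if that is intended, say so next to the grant so it is not mistaken for an oversight, e.g. `contents: write  # needed: the action commits .gitea/ai-review/findings.json — TODO confirm`, otherwise drop it to `contents: read`. Because the model's input is untrusted pull-request content, anything the model is steered into doing ends up executed with this token, which is a reason to keep the grant as narrow as the action allows. This hunk re-adds byte-for-byte the file that the preceding commit deleted (same blob `e4e473f`), so the earlier remarks on the unpinned `uses:` ref and the comma-joined keys apply here unchanged.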
From: Jeffery
Date: Tue, 12 May 2026 10:26:34 +0000
Subject: [PATCH 4/7] =?UTF-8?q?=E6=9B=B4=E6=96=B0=20.gitea/workflows/maste?= =?UTF-8?q?r.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/master.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.gitea/workflows/master.yaml b/.gitea/workflows/master.yaml
index b54c903..1be7a87 100644
--- a/.gitea/workflows/master.yaml
+++ b/.gitea/workflows/master.yaml
@@ -1,10 +1,11 @@
+name: CD
 on:
 push:
 branches:
 - master
 jobs:
 version:
- name: "CD > 計算版本號"
+ name: 計算版本號
 runs-on: ubuntu
 outputs:
 version: ${{ steps.version.outputs.version }}
@@ -13,7 +14,7 @@ jobs:
 id: version
 uses: https://gitea.jsc.idv.tw/actions/calculate-version@${{ vars.ACTION_CALCULATE_VERSION }}
 release:
- name: "CD > 發布專案"
+ name: 發布專案
 runs-on: ubuntu
 needs: version
 steps:
From 5046ec88c1134799449567b9b07ace2fadca55a4 Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Tue, 12 May 2026 10:26:47 +0000
Subject: [PATCH 5/7] =?UTF-8?q?=E6=9B=B4=E6=96=B0=20.gitea/workflows/revie?= =?UTF-8?q?w.yaml?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .gitea/workflows/review.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.gitea/workflows/review.yaml b/.gitea/workflows/review.yaml
index e4e473f..307e46b 100644
--- a/.gitea/workflows/review.yaml
+++ b/.gitea/workflows/review.yaml
@@ -1,7 +1,4 @@
 name: AI
-concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref }}
- cancel-in-progress: true
 on:
 pull_request:
 branches-ignore:
From 523fe213a8d6c610a2ac24f51e75f3b0bdfdd27c Mon Sep 17 00:00:00 2001
From: AI Review Bot
Date: Tue, 12 May 2026 10:42:32 +0000
Subject: [PATCH 6/7] chore: update ai-review findings [skip ci]
---
 .gitea/ai-review/findings.json | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 .gitea/ai-review/findings.json
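Review bot: With the `concurrency:` stanza removed from review.yaml, every `synchronize` event on a pull request starts another review run while the previous ones keep going, so rapid pushes fan out into parallel jobs that each consume the Gemini keys and each hold a write-scoped token, and an older run can finish after a newer one and post or commit stale findings on top of it. The commit message only says "更新", so if the stanza was dropped because this runner version rejects the `concurrency` key, record that where the stanza used to be, e.g. `# concurrency/cancel-in-progress removed: not supported by this runner version — runs for one PR may overlap (TODO confirm)`; if it was dropped for another reason, restoring `cancel-in-progress: true` is the cheaper fix. The rest of the workflow continues below the hunk.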
diff --git a/.gitea/ai-review/findings.json b/.gitea/ai-review/findings.json
new file mode 100644
index 0000000..ae60d84
--- /dev/null
+++ b/.gitea/ai-review/findings.json
@@ -0,0 +1,23 @@
+[
+ {
+ "level": "critical",
+ "role": "Leo",
+ "location": ".gitea/workflows/review.yaml:13",
+ "suggestion": "將 `GEMINI_API_KEY` 參數中串接 20 個 API 金鑰的方式進行重構。這種寫法極度冗長,難以閱讀、維護和除錯。如果 Gitea Action 支援多個金鑰,應考慮使用更結構化的方式傳遞(例如,如果 Action 支援 YAML 列表或單一包含所有金鑰的 Secret)。如果 Action 預期單一金鑰,則此配置可能導致錯誤。建議與 Action 的開發者確認其支援的多金鑰機制,或考慮在 Action 內部處理金鑰輪替邏輯,以簡化工作流程配置。",
+ "is_new": true
+ },
+ {
+ "level": "critical",
+ "role": "Rex",
+ "location": ".gitea/workflows/review.yaml:18-20",
+ "suggestion": "新建立的 `review.yaml` 工作流程賦予 `code-review` action 過於寬泛的權限,特別是 `contents: write`。這允許該 action 修改程式碼庫內容,若 action 存在漏洞或被惡意利用,可能導致程式碼注入、竄改或刪除。請重新評估 `code-review` action 所需的最小權限。如果僅需評論 PR,`pull-requests: write` 和 `issues: write` 可能已足夠,但仍需謹慎。建議限制為只讀權限,或僅授予評論 PR 的權限,並確保 action 不會執行不必要的寫入操作。",
+ "is_new": true
+ },
+ {
+ "level": "warning",
+ "role": "Rex",
+ "location": ".gitea/workflows/master.yaml:13\n.gitea/workflows/review.yaml:12",
+ "suggestion": "兩個工作流程都使用了來自 `https://gitea.jsc.idv.tw` 的外部 action (`calculate-version` 和 `code-review`)。這引入了供應鏈風險,因為這些 action 的安全性直接影響到整個 CI/CD 流程。如果 `gitea.jsc.idv.tw` 受到損害,或這些 action 包含惡意程式碼,可能會導致嚴重的安全問題。建議對這些外部 action 的原始碼進行嚴格審查,確保其安全性,並考慮將其託管在內部或使用更受信任的來源。同時,確保使用固定的版本號(例如 `v1.2.3` 而非 `main` 或 `latest`)來避免意外的行為變更。",
+ "is_new": true
+ }
+]
From 8edb66b504fb44daf4f8a05383b1cdc8cdd6df4c Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Wed, 13 May 2026 02:48:37 +0000
Subject: [PATCH 7/7] fix: remove branches-ignore for master in review workflow
---
 .gitea/workflows/review.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.gitea/workflows/review.yaml b/.gitea/workflows/review.yaml
index 307e46b..a24c7be 100644
--- a/.gitea/workflows/review.yaml
+++ b/.gitea/workflows/review.yaml
@@ -1,8 +1,6 @@
 name: AI
 on:
 pull_request:
- branches-ignore:
- - master
 types: [opened, synchronize]
 jobs:
 code-review:
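Review bot: Dropping `branches-ignore: [master]` widens the trigger to every pull request regardless of base branch, and since a `pull_request` branch filter matches the PR's *target* branch, the old filter had been skipping exactly the PRs into master — presumably the opposite of what was meant, which this fix corrects, but that should be stated in the file so nobody re-adds the filter, e.g. `pull_request:  # runs for every PR; branch filters here match the BASE branch, not the source`. What the widened trigger now exposes is the job below the hunk, which receives the `GEMINI_API_KEY*` secrets and a token with `contents: write`, on any PR-triggered run; whether Gitea withholds repository secrets from runs triggered by fork pull requests depends on the server version, so confirm that for this instance or disable fork PRs on the repository. The `code-review` job itself starts at the last context line and continues outside the hunk.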