Merge pull request 'feat: update workflow steps and add AI code review workflow' (#3) from develop into master
Reviewed-on: #3
This commit is contained in:
@@ -0,0 +1,47 @@
|
||||
[
|
||||
{
|
||||
"role": "Rex",
|
||||
"location": "action.yml",
|
||||
"suggestion": "此工作流程從非官方且未經充分審查的外部 Gitea 實例(gitea.jsc.idv.tw)引用多個 GitHub Actions,這存在嚴重的供應鏈攻擊風險,惡意行為者可能透過修改這些 Actions 來執行任意程式碼,竊取敏感資料或破壞建置流程。強烈建議將這些 Actions 內部化,讓僅到受信任的環境,或在每次更新時對其原始碼進行嚴格的安全審查。"
|
||||
},
|
||||
{
|
||||
"role": "Rex",
|
||||
"location": "action.yml:34",
|
||||
"suggestion": "將 RUNNER_TOKEN 傳遞給來自外部 Gitea 實例的 nuget-push Action 存在高度風險。如果該 Action 被惡意竄改,RUNNER_TOKEN 可能會被竊取並用於未經授權的操作。建議僅在 RUNNER_TOKEN 僅具有最小必要權限,並妥善防止外部 Actions 進行嚴格的原始碼審查。若可能,應考慮使用 OIDC 或其他更安全的憑證管理方式,或將此 Action 內部化。"
|
||||
},
|
||||
{
|
||||
"role": "Leo",
|
||||
"location": "action.yml",
|
||||
"suggestion": "當更新外部動作(actions)的版本時,建議在 Git commit 訊息或 Pull Request 描述中提供更新的理由,例如是為了修正錯誤、新增功能、安全性更新,或是為了與其他元件保持同步。這有助於未來的維護者理解變更的背景,並在遇到問題時能更快地溯源原因。"
|
||||
},
|
||||
{
|
||||
"role": "Maya",
|
||||
"location": "action.yml",
|
||||
"suggestion": "當更新外部動作(actions)的版本時,應有明確的測試流程來驗證新版本不會引入問題或破壞建置流程。此 Git Diff 中未見相關的測試說明或驗證紀錄。建議在更新後執行完整的整合測試或前測試,以降低整體 CI/CD 工作流程的潛在風險。"
|
||||
},
|
||||
{
|
||||
"role": "Maya",
|
||||
"location": "action.yml",
|
||||
"suggestion": "此 action.yml 定義了一個複合動作,但目前未看到對其他動作的整合測試。建議為此動作建立最簡的整合測試,模擬其實際環境與輸入和行為是否符合預期。這將有助於確保動作的可靠性和維護性長期穩定。"
|
||||
},
|
||||
{
|
||||
"role": "Zara",
|
||||
"location": "action.yml",
|
||||
"suggestion": "當更新外部 Actions 的版本時,務必審查其變動的明確來源日期,以了解是否有可依據相關的改版紀錄進行追蹤。即便小版本更新,也可給合併者提供更多資訊。對於經常性工作流程,建議在更新後有效產生測試,以確保整體穩定和有效率不受影響。"
|
||||
},
|
||||
{
|
||||
"role": "Rex",
|
||||
"location": "action.yml",
|
||||
"suggestion": "目前所有外部 GitHub Actions 都訂到可變動的版本標籤(e.g., v0.6.0),建議將 Actions 釘選到特定的 Git Commit SHA,以確保每次執行都能使用完全相同的程式碼,防止標籤被惡意更新而引入未經審查的變更,從而提高供應鏈安全性。"
|
||||
},
|
||||
{
|
||||
"role": "Aria",
|
||||
"location": "action.yml",
|
||||
"suggestion": "檔案結尾應包含一個換行符號。這有助於確保檔案在不同系統和工具間的一致性,並避免在合併或處理時產生不必要的差異。"
|
||||
},
|
||||
{
|
||||
"role": "Maya",
|
||||
"location": "action.yml",
|
||||
"suggestion": "當更新外部動作(actions)的版本時,應有明確的測試流程來驗證新版本不會引入問題或破壞建置流程。此 Git Diff 中未見相關的測試說明或驗證紀錄。建議在更新後執行完整的整合測試或前測試,以降低整體 CI/CD 工作流程的潛在風險。"
|
||||
}
|
||||
]
|
||||
@@ -1,10 +1,11 @@
|
||||
name: CD
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- master
|
||||
jobs:
|
||||
version:
|
||||
name: "CD > 計算版本號"
|
||||
name: 計算版本號
|
||||
runs-on: ubuntu
|
||||
outputs:
|
||||
version: ${{ steps.version.outputs.version }}
|
||||
@@ -13,7 +14,7 @@ jobs:
|
||||
id: version
|
||||
uses: https://gitea.jsc.idv.tw/actions/calculate-version@${{ vars.ACTION_CALCULATE_VERSION }}
|
||||
release:
|
||||
name: "CD > 發布專案"
|
||||
name: 發布專案
|
||||
runs-on: ubuntu
|
||||
needs: version
|
||||
steps:
|
||||
|
||||
@@ -0,0 +1,19 @@
|
||||
name: AI
|
||||
on:
|
||||
pull_request:
|
||||
types: [opened, synchronize]
|
||||
jobs:
|
||||
code-review:
|
||||
name: Code Review
|
||||
runs-on: ubuntu
|
||||
steps:
|
||||
- name: AI Code Review
|
||||
uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
|
||||
with:
|
||||
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
|
||||
GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
|
||||
GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
issues: write
|
||||
+3
-7
@@ -11,15 +11,11 @@ inputs:
|
||||
RUNNER_TOKEN:
|
||||
description: '存取權杖'
|
||||
required: true
|
||||
outputs:
|
||||
text:
|
||||
description: '輸出的文字'
|
||||
value: ${{ steps.display.outputs.text }}
|
||||
runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- name: 壓縮套件
|
||||
uses: https://gitea.jsc.idv.tw/actions/zip@v0.0.5
|
||||
uses: https://gitea.jsc.idv.tw/actions/zip@v0.0.6
|
||||
with:
|
||||
RELEASE_VERSION: ${{ inputs.RELEASE_VERSION }}
|
||||
- name: 發布套件
|
||||
@@ -31,9 +27,9 @@ runs:
|
||||
files: |
|
||||
${{ inputs.PROJECT_NAME }}.${{ inputs.RELEASE_VERSION }}.zip
|
||||
- name: 推送套件
|
||||
uses: https://gitea.jsc.idv.tw/actions/nuget-push@v0.1.5
|
||||
uses: https://gitea.jsc.idv.tw/actions/nuget-push@v0.1.6
|
||||
with:
|
||||
RELEASE_VERSION: "${{ inputs.RELEASE_VERSION }}"
|
||||
RUNNER_TOKEN: "${{ inputs.RUNNER_TOKEN }}"
|
||||
- name: 清理發布
|
||||
uses: https://gitea.jsc.idv.tw/actions/cleanup-release@v0.4.0
|
||||
uses: https://gitea.jsc.idv.tw/actions/cleanup-release@v0.4.1
|
||||
Reference in New Issue
Block a user