From bca72009c02eededc3cdfdf5226f65d18b474b9a Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Wed, 13 May 2026 03:21:44 +0000
Subject: [PATCH 1/2] feat: update workflow steps and add AI code review workflow

---
 .gitea/workflows/master.yaml | 5 +++--
 .gitea/workflows/review.yaml | 19 +++++++++++++++++++
 action.yml | 6 +++---
 3 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 .gitea/workflows/review.yaml

diff --git a/.gitea/workflows/master.yaml b/.gitea/workflows/master.yaml
index b54c903..1be7a87 100644
--- a/.gitea/workflows/master.yaml
+++ b/.gitea/workflows/master.yaml
@@ -1,10 +1,11 @@
+name: CD
 on:
 push:
 branches:
 - master
 jobs:
 version:
- name: "CD > 計算版本號"
+ name: 計算版本號
 runs-on: ubuntu
 outputs:
 version: ${{ steps.version.outputs.version }}
@@ -13,7 +14,7 @@ jobs:
 id: version
 uses: https://gitea.jsc.idv.tw/actions/calculate-version@${{ vars.ACTION_CALCULATE_VERSION }}
 release:
- name: "CD > 發布專案"
+ name: 發布專案
 runs-on: ubuntu
 needs: version
 steps:
diff --git a/.gitea/workflows/review.yaml b/.gitea/workflows/review.yaml
new file mode 100644
index 0000000..a24c7be
--- /dev/null
+++ b/.gitea/workflows/review.yaml
@@ -0,0 +1,19 @@
+name: AI
+on:
+ pull_request:
+ types: [opened, synchronize]
+jobs:
+ code-review:
+ name: Code Review
+ runs-on: ubuntu
+ steps:
+ - name: AI Code Review
+ uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+ with:
+ GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
+ GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+ GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
+ permissions:
+ contents: write
+ pull-requests: write
+ issues: write
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 18ee5dd..235b5f1 100644
--- a/action.yml
+++ b/action.yml
@@ -19,7 +19,7 @@ runs:
 using: 'composite'
 steps:
 - name: 壓縮套件
- uses: https://gitea.jsc.idv.tw/actions/zip@v0.0.5
+ uses: https://gitea.jsc.idv.tw/actions/zip@v0.0.6
 with:
 RELEASE_VERSION: ${{ inputs.RELEASE_VERSION }}
 - name: 發布套件
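Review bot: The `permissions` block at the end of the review.yaml hunk grants `contents: write` and `issues: write` to a job whose only step posts AI review feedback on pull requests; `pull-requests: write` (plus `contents: read` if the action has to fetch the diff itself) is the least-privilege set, so I would drop the two extra write grants unless the code-review action documents needing them. The twenty comma-joined `GEMINI_API_KEY` secrets are a related concern: any secret not defined in this repository expands to an empty string and leaves `,,` in the list, so the action must tolerate empty entries — worth a comment above the key such as `# comma-separated pool of API keys; undefined secrets expand to empty entries`. The workflow also ships pull-request content to the external endpoint in `GEMINI_BASE_URL`, a data-egress decision that deserves a one-line comment in the workflow header. The file is written without a trailing newline.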
@@ -31,9 +31,9 @@ runs:
 files: |
 ${{ inputs.PROJECT_NAME }}.${{ inputs.RELEASE_VERSION }}.zip
 - name: 推送套件
- uses: https://gitea.jsc.idv.tw/actions/nuget-push@v0.1.5
+ uses: https://gitea.jsc.idv.tw/actions/nuget-push@v0.1.6
 with:
 RELEASE_VERSION: "${{ inputs.RELEASE_VERSION }}"
 RUNNER_TOKEN: "${{ inputs.RUNNER_TOKEN }}"
 - name: 清理發布
- uses: https://gitea.jsc.idv.tw/actions/cleanup-release@v0.4.0
\ No newline at end of file
+ uses: https://gitea.jsc.idv.tw/actions/cleanup-release@v0.4.1
\ No newline at end of file

From 47f545dee40ef85caf8d2d6b1456665d777add2d Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Wed, 13 May 2026 05:47:21 +0000
Subject: [PATCH 2/2] feat: remove unused outputs from action.yml and add exclusions for AI review suggestions

---
 .gitea/ai-review/exclusions.json | 47 ++++++++++++++++++++++++++++++++
 action.yml | 4 ---
 2 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 .gitea/ai-review/exclusions.json

diff --git a/.gitea/ai-review/exclusions.json b/.gitea/ai-review/exclusions.json
new file mode 100644
index 0000000..9a36474
--- /dev/null
+++ b/.gitea/ai-review/exclusions.json
@@ -0,0 +1,47 @@
+[
+ {
+ "role": "Rex",
+ "location": "action.yml",
+ "suggestion": "此工作流程從非官方且未經充分審查的外部 Gitea 實例(gitea.jsc.idv.tw)引用多個 GitHub Actions,這存在嚴重的供應鏈攻擊風險,惡意行為者可能透過修改這些 Actions 來執行任意程式碼,竊取敏感資料或破壞建置流程。強烈建議將這些 Actions 內部化,讓僅到受信任的環境,或在每次更新時對其原始碼進行嚴格的安全審查。"
+ },
+ {
+ "role": "Rex",
+ "location": "action.yml:34",
+ "suggestion": "將 RUNNER_TOKEN 傳遞給來自外部 Gitea 實例的 nuget-push Action 存在高度風險。如果該 Action 被惡意竄改,RUNNER_TOKEN 可能會被竊取並用於未經授權的操作。建議僅在 RUNNER_TOKEN 僅具有最小必要權限,並妥善防止外部 Actions 進行嚴格的原始碼審查。若可能,應考慮使用 OIDC 或其他更安全的憑證管理方式,或將此 Action 內部化。"
+ },
+ {
+ "role": "Leo",
+ "location": "action.yml",
+ "suggestion": "當更新外部動作(actions)的版本時,建議在 Git commit 訊息或 Pull Request 描述中提供更新的理由,例如是為了修正錯誤、新增功能、安全性更新,或是為了與其他元件保持同步。這有助於未來的維護者理解變更的背景,並在遇到問題時能更快地溯源原因。"
+ },
+ {
+ "role": "Maya",
+ "location": "action.yml",
+ "suggestion": "當更新外部動作(actions)的版本時,應有明確的測試流程來驗證新版本不會引入問題或破壞建置流程。此 Git Diff 中未見相關的測試說明或驗證紀錄。建議在更新後執行完整的整合測試或前測試,以降低整體 CI/CD 工作流程的潛在風險。"
+ },
+ {
+ "role": "Maya",
+ "location": "action.yml",
+ "suggestion": "此 action.yml 定義了一個複合動作,但目前未看到對其他動作的整合測試。建議為此動作建立最簡的整合測試,模擬其實際環境與輸入和行為是否符合預期。這將有助於確保動作的可靠性和維護性長期穩定。"
+ },
+ {
+ "role": "Zara",
+ "location": "action.yml",
+ "suggestion": "當更新外部 Actions 的版本時,務必審查其變動的明確來源日期,以了解是否有可依據相關的改版紀錄進行追蹤。即便小版本更新,也可給合併者提供更多資訊。對於經常性工作流程,建議在更新後有效產生測試,以確保整體穩定和有效率不受影響。"
+ },
+ {
+ "role": "Rex",
+ "location": "action.yml",
+ "suggestion": "目前所有外部 GitHub Actions 都訂到可變動的版本標籤(e.g., v0.6.0),建議將 Actions 釘選到特定的 Git Commit SHA,以確保每次執行都能使用完全相同的程式碼,防止標籤被惡意更新而引入未經審查的變更,從而提高供應鏈安全性。"
+ },
+ {
+ "role": "Aria",
+ "location": "action.yml",
+ "suggestion": "檔案結尾應包含一個換行符號。這有助於確保檔案在不同系統和工具間的一致性,並避免在合併或處理時產生不必要的差異。"
+ },
+ {
+ "role": "Maya",
+ "location": "action.yml",
+ "suggestion": "當更新外部動作(actions)的版本時,應有明確的測試流程來驗證新版本不會引入問題或破壞建置流程。此 Git Diff 中未見相關的測試說明或驗證紀錄。建議在更新後執行完整的整合測試或前測試,以降低整體 CI/CD 工作流程的潛在風險。"
+ }
+]
diff --git a/action.yml b/action.yml
index 235b5f1..8c6351e 100644
--- a/action.yml
+++ b/action.yml
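Review bot: Entries 4 and 9 of the new exclusions list are byte-identical (role Maya, location action.yml, the same suggestion text about testing version updates), so one of them is redundant and should be dropped. More importantly, the list silences the two Rex findings about passing `RUNNER_TOKEN` to an externally hosted action and about pinning actions to mutable version tags rather than commit SHAs; those are the most security-relevant findings in the set, and nothing in this commit records why they are accepted risks. Since JSON carries no comments, I would attach a short rationale to each suppressed finding in whatever form the code-review action's exclusion schema supports, or keep it in a sibling README, so the exclusion does not read as a silent accept. Whether the action matches exclusions on the exact `suggestion` text is not visible here; if it does, any rewording by the model will resurface these findings.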
@@ -11,10 +11,6 @@ inputs:
 RUNNER_TOKEN:
 description: '存取權杖'
 required: true
-outputs:
- text:
- description: '輸出的文字'
- value: ${{ steps.display.outputs.text }}
 runs:
 using: 'composite'
 steps:
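Review bot: Removing the top-level `outputs.text` block changes the public interface of this composite action, so any caller that reads the action's `text` output will now silently get an empty value rather than an error; the commit message calls the output unused, but that presumably covers only the callers the author checked, and a composite action is typically referenced from other repositories. I would confirm no downstream workflow consumes it and name the removal as a breaking change in the commit body. The removed `value` pointed at `steps.display.outputs.text`; if a `display` step still exists further down in `runs.steps`, it is now dead and can go too, though the steps list continues past this hunk so I cannot see it. The `inputs` mapping that this hunk starts in begins before the hunk.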