Merge pull request 'chore: bump nuget-push action' (#8) from feat/ai_code_review into develop

Reviewed-on: #8

.amazonq/rules/triage-findings.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+When the task is to triage review findings, follow this workflow:
+
+1. Merge all findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1 after sorting.
+5. Fix real issues with the smallest safe change.
+6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check the issue after each fix.
+
+Use the repo-local `triage-findings` skill for the same workflow when running in Codex.

.claude/skills/triage-findings/SKILL.md

@@ -0,0 +1,30 @@
+---
+name: triage-findings
+description: Triage findings, fix real issues, and exclude false positives.
+---
+
+# Triage Findings
+
+## Use
+
+直接輸入：`triage-findings 問題原始檔(文字或截圖)`
+
+## Workflow
+
+1. Merge all findings.
+2. Sort by severity:
+   - critical
+   - warning
+   - info
+3. Renumber from 1.
+4. Fix real issues.
+5. Put false positives into `.gitea/ai-review/exclusions.json` as a top-level JSON array, preserving the original wording, language, and semantics as much as possible. Do not wrap the array in `exclusions` or `excluded_findings`.
+6. Add tests when behavior changes.
+
+## Output Rules
+
+- Keep the final list short.
+- Keep numbering contiguous.
+- Preserve file path, location, and fix.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text over paraphrased rewrites.

.codex/skills/triage-findings/SKILL.md

@@ -0,0 +1,46 @@
+---
+name: triage-findings
+description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
+---
+
+# Triage Findings
+
+## When To Use
+
+Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
+It is also used when some findings are false positives and should be moved into the exclusions list.
+
+## Workflow
+
+1. Collect all findings into one list.
+2. Merge duplicates into a single finding when they describe the same issue.
+3. Sort the final list by severity:
+   - critical
+   - warning
+   - info
+4. Renumber the sorted list from 1 upward.
+5. Rewrite each finding concisely so the final list reads cleanly and consistently.
+6. If a finding is a false positive, do not keep it in the final list.
+7. Add false positives to the exclusions list as a top-level JSON array in `.gitea/ai-review/exclusions.json`, and preserve the original finding wording as much as possible, including language and semantics. Do not wrap the array in `exclusions` or `excluded_findings`.
+
+## Resolution Flow
+
+After the list is merged and ordered, resolve the remaining findings one by one.
+
+1. Start from the highest severity item.
+2. Identify the root cause in the relevant file or context.
+3. Apply the smallest safe change that fixes the issue.
+4. Add or update tests when behavior changes.
+5. Re-check the issue after the change.
+6. If the item is confirmed false positive, move it to exclusions instead of changing code.
+7. Continue until the list is either fixed or explicitly excluded.
+
+## Output Rules
+
+- Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
+- Keep numbering contiguous after filtering and merging.
+- Preserve useful details like file path, location, and suggested fix.
+- Keep exclusions entries minimal and consistent with the project schema.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
+- If the source already provides a severity or title, keep it unless it conflicts with the final ordering.

.codex/skills/triage-findings/agents/openai.yaml

@@ -0,0 +1,4 @@
+interface:
+  display_name: "Triage Findings"
+  short_description: "Triage, sort, fix, and exclude review findings"
+  default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to `.gitea/ai-review/exclusions.json` as a top-level JSON array."

.gemini/skills/triage-findings/SKILL.md

@@ -0,0 +1,30 @@
+---
+name: triage-findings
+description: Triage findings, fix real issues, and exclude false positives.
+---
+
+# Triage Findings
+
+## Use
+
+直接輸入：`triage-findings 問題原始檔(文字或截圖)`
+
+## Workflow
+
+1. Merge all findings.
+2. Sort by severity:
+   - critical
+   - warning
+   - info
+3. Renumber from 1.
+4. Fix real issues.
+5. Put false positives into `.gitea/ai-review/exclusions.json` as a top-level JSON array, preserving the original wording, language, and semantics as much as possible. Do not wrap the array in `exclusions` or `excluded_findings`.
+6. Add tests when behavior changes.
+
+## Output Rules
+
+- Keep the final list short.
+- Keep numbering contiguous.
+- Preserve file path, location, and fix.
+- When writing exclusions, always output a top-level JSON array.
+- When writing exclusions, prefer the original issue text over paraphrased rewrites.

.gitea/ai-review/exclusions.json

@@ -0,0 +1,47 @@
+[
+  {
+    "role": "Rex",
+    "location": "action.yml",
+    "suggestion": "此工作流程從非官方且未經充分審查的外部 Gitea 實例（gitea.jsc.idv.tw）引用多個 GitHub Actions，這存在嚴重的供應鏈攻擊風險，惡意行為者可能透過修改這些 Actions 來執行任意程式碼，竊取敏感資料或破壞建置流程。強烈建議將這些 Actions 內部化，讓僅到受信任的環境，或在每次更新時對其原始碼進行嚴格的安全審查。"
+  },
+  {
+    "role": "Rex",
+    "location": "action.yml:34",
+    "suggestion": "將 RUNNER_TOKEN 傳遞給來自外部 Gitea 實例的 nuget-push Action 存在高度風險。如果該 Action 被惡意竄改，RUNNER_TOKEN 可能會被竊取並用於未經授權的操作。建議僅在 RUNNER_TOKEN 僅具有最小必要權限，並妥善防止外部 Actions 進行嚴格的原始碼審查。若可能，應考慮使用 OIDC 或其他更安全的憑證管理方式，或將此 Action 內部化。"
+  },
+  {
+    "role": "Leo",
+    "location": "action.yml",
+    "suggestion": "當更新外部動作（actions）的版本時，建議在 Git commit 訊息或 Pull Request 描述中提供更新的理由，例如是為了修正錯誤、新增功能、安全性更新，或是為了與其他元件保持同步。這有助於未來的維護者理解變更的背景，並在遇到問題時能更快地溯源原因。"
+  },
+  {
+    "role": "Maya",
+    "location": "action.yml",
+    "suggestion": "當更新外部動作（actions）的版本時，應有明確的測試流程來驗證新版本不會引入問題或破壞建置流程。此 Git Diff 中未見相關的測試說明或驗證紀錄。建議在更新後執行完整的整合測試或前測試，以降低整體 CI/CD 工作流程的潛在風險。"
+  },
+  {
+    "role": "Maya",
+    "location": "action.yml",
+    "suggestion": "此 action.yml 定義了一個複合動作，但目前未看到對其他動作的整合測試。建議為此動作建立最簡的整合測試，模擬其實際環境與輸入和行為是否符合預期。這將有助於確保動作的可靠性和維護性長期穩定。"
+  },
+  {
+    "role": "Zara",
+    "location": "action.yml",
+    "suggestion": "當更新外部 Actions 的版本時，務必審查其變動的明確來源日期，以了解是否有可依據相關的改版紀錄進行追蹤。即便小版本更新，也可給合併者提供更多資訊。對於經常性工作流程，建議在更新後有效產生測試，以確保整體穩定和有效率不受影響。"
+  },
+  {
+    "role": "Rex",
+    "location": "action.yml",
+    "suggestion": "目前所有外部 GitHub Actions 都訂到可變動的版本標籤（e.g., v0.6.0），建議將 Actions 釘選到特定的 Git Commit SHA，以確保每次執行都能使用完全相同的程式碼，防止標籤被惡意更新而引入未經審查的變更，從而提高供應鏈安全性。"
+  },
+  {
+    "role": "Aria",
+    "location": "action.yml",
+    "suggestion": "檔案結尾應包含一個換行符號。這有助於確保檔案在不同系統和工具間的一致性，並避免在合併或處理時產生不必要的差異。"
+  },
+  {
+    "role": "Maya",
+    "location": "action.yml",
+    "suggestion": "當更新外部動作（actions）的版本時，應有明確的測試流程來驗證新版本不會引入問題或破壞建置流程。此 Git Diff 中未見相關的測試說明或驗證紀錄。建議在更新後執行完整的整合測試或前測試，以降低整體 CI/CD 工作流程的潛在風險。"
+  }
+]

.gitea/ai-review/findings.json

@@ -0,0 +1 @@
+[]

.gitea/workflows/master.yaml

@@ -1,10 +1,11 @@
+name: CD
 on:
   push:
     branches:
     - master
 jobs:
   version:
-    name: "CD > 計算版本號"
+    name: 計算版本號
     runs-on: ubuntu
     outputs:
       version: ${{ steps.version.outputs.version }}
@@ -13,14 +14,14 @@ jobs:
       id: version
       uses: https://gitea.jsc.idv.tw/actions/calculate-version@${{ vars.ACTION_CALCULATE_VERSION }}
   release:
-    name: "CD > 發布專案"
+    name: 發布專案
     runs-on: ubuntu
     needs: version
     steps:
     - name: 發布專案
       uses: akkuman/gitea-release-action@${{ vars.ACTION_RELEASE_VERSION }}
       with:
-        tag_name: "v${{ needs.version.outputs.version }}"
+        tag_name: v${{ needs.version.outputs.version }}
     - name: 清理成品
       uses: https://gitea.jsc.idv.tw/actions/cleanup-release@${{ vars.ACTION_CLEANUP_RELEASE_VERSION }}
       with:

.gitea/workflows/review.yaml

@@ -0,0 +1,23 @@
+name: AI
+on:
+  pull_request:
+    branches-ignore:
+      - master
+    types: [opened, synchronize]
+jobs:
+  code-review:
+    name: Code Review
+    runs-on: ubuntu
+    steps:
+    - name: AI Code Review
+      uses: https://gitea.jsc.idv.tw/actions/code-review@${{ vars.ACTION_CODE_REVIEW_VERSION }}
+      with:
+        GITEA_TOKEN: ${{ secrets.RUNNER_TOKEN }}
+        GITEA_COMMENT_TOKEN: ${{ secrets.GITEA_TOKEN }}
+        GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }},${{ secrets.GEMINI_API_KEY_1 }},${{ secrets.GEMINI_API_KEY_2 }},${{ secrets.GEMINI_API_KEY_3 }},${{ secrets.GEMINI_API_KEY_4 }},${{ secrets.GEMINI_API_KEY_5 }},${{ secrets.GEMINI_API_KEY_6 }},${{ secrets.GEMINI_API_KEY_7 }},${{ secrets.GEMINI_API_KEY_8 }},${{ secrets.GEMINI_API_KEY_9 }},${{ secrets.GEMINI_API_KEY_10 }},${{ secrets.GEMINI_API_KEY_11 }},${{ secrets.GEMINI_API_KEY_12 }},${{ secrets.GEMINI_API_KEY_13 }},${{ secrets.GEMINI_API_KEY_14 }},${{ secrets.GEMINI_API_KEY_15 }},${{ secrets.GEMINI_API_KEY_16 }},${{ secrets.GEMINI_API_KEY_17 }},${{ secrets.GEMINI_API_KEY_18 }},${{ secrets.GEMINI_API_KEY_19 }}
+        GEMINI_BASE_URL: https://generativelanguage.googleapis.com/v1beta
+        GEMINI_MODEL: ${{ vars.GEMINI_MODEL }}
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write

.github/copilot-instructions.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+Use the triage-finding workflow for review issue lists:
+
+1. Merge findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1.
+5. Fix real issues with the smallest safe change.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check after each fix.
+
+The full reusable skill lives in `.claude/skills/triage-findings/SKILL.md`.

.github/skills/triage-findings/SKILL.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+Use the triage-finding workflow for review issue lists:
+
+1. Merge findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1.
+5. Fix real issues with the smallest safe change.
+6. Put false positives into `.gitea/ai-review/exclusions.json` as a top-level JSON array, preserving the original wording, language, and semantics as much as possible. Do not wrap the array in `exclusions` or `excluded_findings`.
+7. Add or update tests when behavior changes.
+8. Re-check after each fix.
+
+The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.

CLAUDE.md

@@ -0,0 +1,16 @@
+# Triage Findings
+
+When the task is to triage review findings, follow this workflow:
+
+1. Merge all findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1 after sorting.
+5. Fix real issues with the smallest safe change.
+6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check the issue after each fix.
+
+Use the repo-local `triage-findings` skill for the same workflow when running in Codex.
+
+Trigger it with `/triage-findings`.

GEMINI.md

@@ -0,0 +1,14 @@
+# Triage Findings
+
+Use the triage-finding workflow for review issue lists:
+
+1. Merge findings into one list.
+2. Remove duplicates.
+3. Sort by severity: `critical` -> `warning` -> `info`.
+4. Renumber from 1.
+5. Fix real issues with the smallest safe change.
+6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
+7. Add or update tests when behavior changes.
+8. Re-check after each fix.
+
+The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.

action.yml

@@ -8,24 +8,28 @@ inputs:
   RELEASE_VERSION:
     description: '專案版本'
     required: true
-outputs:
-  text:
-    description: '輸出的文字'
-    value: ${{ steps.display.outputs.text }}
+  RUNNER_TOKEN:
+    description: '存取權杖'
+    required: true
 runs:
   using: 'composite'
   steps:
-  - uses: https://gitea.jsc.idv.tw/actions/zip@v0.0.5
+  - name: 壓縮套件
+    uses: https://gitea.jsc.idv.tw/actions/zip@v0.0.7
     with:
       RELEASE_VERSION: ${{ inputs.RELEASE_VERSION }}
-  - uses: akkuman/gitea-release-action@v1
+  - name: 發布套件
+    uses: akkuman/gitea-release-action@v1
     with:
-      name: "${{ inputs.PROJECT_NAME }} v${{ inputs.RELEASE_VERSION }}"
-      tag_name: "v${{ inputs.RELEASE_VERSION }}"
+      name: ${{ inputs.PROJECT_NAME }} v${{ inputs.RELEASE_VERSION }}
+      tag_name: v${{ inputs.RELEASE_VERSION }}
       target_commitish: master
       files: |
         ${{ inputs.PROJECT_NAME }}.${{ inputs.RELEASE_VERSION }}.zip
-  - uses: https://gitea.jsc.idv.tw/actions/nuget-push@v0.1.4
+  - name: 推送套件
+    uses: https://gitea.jsc.idv.tw/actions/nuget-push@v0.1.9
     with:
-      RELEASE_VERSION: "${{ inputs.RELEASE_VERSION }}"
-  - uses: https://gitea.jsc.idv.tw/actions/cleanup-release@v0.4.0
+      RELEASE_VERSION: ${{ inputs.RELEASE_VERSION }}
+      RUNNER_TOKEN: ${{ inputs.RUNNER_TOKEN }}
+  - name: 清理發布
+    uses: https://gitea.jsc.idv.tw/actions/cleanup-release@v0.4.2