chore: update ai-review findings [ai-review-bot][failure]

2026-05-16 15:52:23 +00:00
parent 444c2bd840
commit e905028354
10 changed files with 272 additions and 0 deletions
@@ -0,0 +1,14 @@
 # Triage Findings
 When the task is to triage review findings, follow this workflow:
 1. Merge all findings into one list.
 2. Remove duplicates.
 3. Sort by severity: `critical` -> `warning` -> `info`.
 4. Renumber from 1 after sorting.
 5. Fix real issues with the smallest safe change.
 6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
 8. Re-check the issue after each fix.
 Use the repo-local `triage-findings` skill for the same workflow when running in Codex.
@@ -0,0 +1,29 @@
 ---
 name: triage-findings
 description: Triage findings, fix real issues, and exclude false positives.
 ---
 # Triage Findings
 ## Use
 直接輸入：`triage-findings 問題原始檔(文字或截圖)`
 ## Workflow
 1. Merge all findings.
 2. Sort by severity:
   - critical
   - warning
   - info
 3. Renumber from 1.
 4. Fix real issues.
 5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 6. Add tests when behavior changes.
 ## Output Rules
 - Keep the final list short.
 - Keep numbering contiguous.
 - Preserve file path, location, and fix.
 - When writing exclusions, prefer the original issue text over paraphrased rewrites.
@@ -0,0 +1,45 @@
 ---
 name: triage-findings
 description: Merge code-review findings, sort and renumber them by severity, resolve real issues, and move false positives into exclusions.
 ---
 # Triage Findings
 ## When To Use
 Use this skill when you receive multiple review findings, screenshots, comments, or issue lists that need to become one final triaged list.
 It is also used when some findings are false positives and should be moved into the exclusions list.
 ## Workflow
 1. Collect all findings into one list.
 2. Merge duplicates into a single finding when they describe the same issue.
 3. Sort the final list by severity:
   - critical
   - warning
   - info
 4. Renumber the sorted list from 1 upward.
 5. Rewrite each finding concisely so the final list reads cleanly and consistently.
 6. If a finding is a false positive, do not keep it in the final list.
 7. Add false positives to the exclusions list using the existing schema in the repo or task context, and preserve the original finding wording as much as possible, including language and semantics.
 ## Resolution Flow
 After the list is merged and ordered, resolve the remaining findings one by one.
 1. Start from the highest severity item.
 2. Identify the root cause in the relevant file or context.
 3. Apply the smallest safe change that fixes the issue.
 4. Add or update tests when behavior changes.
 5. Re-check the issue after the change.
 6. If the item is confirmed false positive, move it to exclusions instead of changing code.
 7. Continue until the list is either fixed or explicitly excluded.
 ## Output Rules
 - Keep the final findings list in severity order, then by any stable secondary order needed to make it readable.
 - Keep numbering contiguous after filtering and merging.
 - Preserve useful details like file path, location, and suggested fix.
 - Keep exclusions entries minimal and consistent with the project schema.
 - When writing exclusions, prefer the original issue text and language; only paraphrase if needed to fit the schema.
 - If the source already provides a severity or title, keep it unless it conflicts with the final ordering.
@@ -0,0 +1,4 @@
 interface:
  display_name: "Triage Findings"
  short_description: "Triage, sort, fix, and exclude review findings"
  default_prompt: "Use $triage-findings to merge review findings, sort and renumber them by severity, resolve real issues one by one, and add false positives to exclusions."
@@ -0,0 +1,29 @@
 ---
 name: triage-findings
 description: Triage findings, fix real issues, and exclude false positives.
 ---
 # Triage Findings
 ## Use
 直接輸入：`triage-findings 問題原始檔(文字或截圖)`
 ## Workflow
 1. Merge all findings.
 2. Sort by severity:
   - critical
   - warning
   - info
 3. Renumber from 1.
 4. Fix real issues.
 5. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 6. Add tests when behavior changes.
 ## Output Rules
 - Keep the final list short.
 - Keep numbering contiguous.
 - Preserve file path, location, and fix.
 - When writing exclusions, prefer the original issue text over paraphrased rewrites.
@@ -0,0 +1,93 @@
 [
  {
    "level": "critical",
    "role": "Rex",
    "location": "entrypoint.sh:40 (舊版)",
    "suggestion": "舊版程式碼中的 `zip -r \"$(basename \"$PWD\").$RELEASE_VERSION.zip\" $RELEASE_FOLDER/*` 存在嚴重的命令注入風險。`$RELEASE_FOLDER/*` 未被引用 (unquoted)，若 `$RELEASE_FOLDER` 包含惡意檔案名稱（例如含有特殊字元、命令替換），或檔案數量過多導致參數列表溢出，可能導致任意命令執行或服務阻斷。新版程式碼透過 `(cd \"$RELEASE_FOLDER\"; zip -qr \"$archive_path\" .)` 的方式，安全地切換目錄並壓縮當前目錄內容，有效避免了此類風險，這是非常重要的安全改進。",
    "is_new": true
  },
  {
    "level": "warning",
    "role": "Zara",
    "location": "b/entrypoint.sh:66",
    "suggestion": "新增的 `file_count=\"$(find \"$RELEASE_FOLDER\" -type f | wc -l | tr -d ' ')\"` 指令會對 `$RELEASE_FOLDER` 進行一次完整的檔案系統遍歷以計算檔案數量。對於包含大量檔案或深層目錄的資料夾，這會增加額外的 I/O 開銷和執行時間，可能在壓縮前造成明顯的延遲。請評估此檔案計數是否為必要資訊，若僅用於日誌記錄，可考慮移除或採用更輕量級的估算方式，以避免不必要的效能損耗。",
    "is_new": true
  },
  {
    "level": "warning",
    "role": "Rex",
    "location": "entrypoint.sh:1 (舊版)",
    "suggestion": "舊版程式碼缺少 `set -euo pipefail`。`set -e` 確保指令失敗時腳本立即退出，防止在錯誤狀態下繼續執行；`set -u` 確保使用未定義變數時腳本報錯，避免潛在的意外行為或注入；`set -o pipefail` 確保管道命令的錯誤能被正確捕獲。新版程式碼已加入這些設定，顯著提升了腳本的安全性與穩定性，降低了因未預期錯誤導致的安全風險。",
    "is_new": true
  },
  {
    "level": "warning",
    "role": "Rex",
    "location": "entrypoint.sh:34 (新版)",
    "suggestion": "舊版程式碼在壓縮前未檢查 `$RELEASE_FOLDER` 是否為一個有效的目錄。若 `$RELEASE_FOLDER` 不存在或指向非目錄路徑，可能導致腳本執行失敗或產生非預期的行為，甚至在某些情況下可能被利用。新版程式碼已新增 `if [[ ! -d \"$RELEASE_FOLDER\" ]]` 檢查，提升了腳本的健壯性與安全性。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Leo",
    "location": "entrypoint.sh:10",
    "suggestion": "為新定義的函式 `log_section` 添加簡短的註解，說明其用途（例如：用於輸出帶有邊框和分隔線的區塊標題）。這有助於未來維護者快速理解函式功能。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Leo",
    "location": "entrypoint.sh:14",
    "suggestion": "為新定義的函式 `log_kv` 添加簡短的註解，說明其用途（例如：用於輸出鍵值對資訊，並確保對齊）。這有助於未來維護者快速理解函式功能。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Leo",
    "location": "entrypoint.sh:18",
    "suggestion": "為新定義的函式 `fail` 添加簡短的註解，說明其用途（例如：用於輸出錯誤訊息並以非零狀態碼退出腳本）。這有助於未來維護者快速理解函式功能。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Leo",
    "location": "entrypoint.sh:22",
    "suggestion": "為新定義的函式 `require_value` 添加簡短的註解，說明其用途（例如：用於檢查指定變數是否為空或 'null'，若否則呼叫 `fail` 函式退出）。這有助於未來維護者快速理解函式功能。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Rex",
    "location": "entrypoint.sh:38 (新版)",
    "suggestion": "舊版程式碼未檢查 `zip` 命令是否存在。若執行環境中缺少 `zip` 工具，腳本將會失敗，影響可靠性。新版程式碼已加入 `command -v zip` 檢查，確保必要工具的存在，提升了腳本的可靠性，這是一個良好的安全實踐。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Aria",
    "location": "entrypoint.sh:13",
    "suggestion": "在 `log_kv` 函數中，`printf` 的格式字串 `%-16s` 硬編碼了鍵的寬度為 16。若鍵的字串長度超過此值，對齊效果將會失效。建議考慮動態計算最大鍵寬度，或使用更具彈性的對齊方式，以提高日誌輸出的健壯性。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Aria",
    "location": "entrypoint.sh:44",
    "suggestion": "建議將 `archive_name` 宣告為 `readonly`，以明確其為常數且不應被修改，增加程式碼的清晰度與維護性。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Aria",
    "location": "entrypoint.sh:45",
    "suggestion": "建議將 `archive_path` 宣告為 `readonly`，以明確其為常數且不應被修改，增加程式碼的清晰度與維護性。",
    "is_new": true
  },
  {
    "level": "info",
    "role": "Aria",
    "location": "entrypoint.sh:46",
    "suggestion": "建議將 `file_count` 宣告為 `readonly`，以明確其為常數且不應被修改，增加程式碼的清晰度與維護性。",
    "is_new": true
  }
 ]
@@ -0,0 +1,14 @@
 # Triage Findings
 Use the triage-finding workflow for review issue lists:
 1. Merge findings into one list.
 2. Remove duplicates.
 3. Sort by severity: `critical` -> `warning` -> `info`.
 4. Renumber from 1.
 5. Fix real issues with the smallest safe change.
 6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
 8. Re-check after each fix.
 The full reusable skill lives in `.claude/skills/triage-findings/SKILL.md`.
@@ -0,0 +1,14 @@
 # Triage Findings
 Use the triage-finding workflow for review issue lists:
 1. Merge findings into one list.
 2. Remove duplicates.
 3. Sort by severity: `critical` -> `warning` -> `info`.
 4. Renumber from 1.
 5. Fix real issues with the smallest safe change.
 6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
 8. Re-check after each fix.
 The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.
@@ -0,0 +1,16 @@
 # Triage Findings
 When the task is to triage review findings, follow this workflow:
 1. Merge all findings into one list.
 2. Remove duplicates.
 3. Sort by severity: `critical` -> `warning` -> `info`.
 4. Renumber from 1 after sorting.
 5. Fix real issues with the smallest safe change.
 6. Add false positives to `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
 8. Re-check the issue after each fix.
 Use the repo-local `triage-findings` skill for the same workflow when running in Codex.
 Trigger it with `/triage-findings`.
@@ -0,0 +1,14 @@
 # Triage Findings
 Use the triage-finding workflow for review issue lists:
 1. Merge findings into one list.
 2. Remove duplicates.
 3. Sort by severity: `critical` -> `warning` -> `info`.
 4. Renumber from 1.
 5. Fix real issues with the smallest safe change.
 6. Put false positives into `.gitea/ai-review/exclusions.json`, preserving the original wording, language, and semantics as much as possible.
 7. Add or update tests when behavior changes.
 8. Re-check after each fix.
 The reusable skill lives in `.gemini/skills/triage-findings/SKILL.md`.