Dev (#15)

* 合并 (#8)

* chore: add comprehensive contributing guide (#10)

* chore: add comprehensive contributing guide

* Update CONTRIBUTING.md

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* Update CONTRIBUTING.md

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

* ci: restore pr-check.yml workflow for dev branch

- Restore backend and frontend PR checks
- Enable Python syntax check and import test for backend
- Enable pnpm build check for frontend
- Fix 'Expected — Waiting for status to be reported' issue

* feat(ci): upgrade PR review + add CI auto-fix & review responder

- Upgrade codex-pr-review.md to 6-perspective review with confidence scoring
- Rewrite claude-pr-review.yml with Codex-first fallback pattern
- Add claude-ci-autofix.yml for auto-fixing CI failures + dev sync
- Add claude-review-responder.yml for auto-responding to PR reviews
- Update CI_CD_SETUP.md with new workflow documentation

* fix(ci): address Codex review security findings

- [Critical] auto-fix: restrict to same-repo PRs only (fork protection)
- [High] review-responder: require explicit @claude mention, restrict to same-repo
- [Medium] auto-fix: use `gh run view --log-failed` instead of broken API call
- [Medium] pr-review: fix Codex matching to use head_sha + pull_requests
- [Low] auto-fix: correct workflow name "Tests" → "Test Suite"

* fix(ci): restore workflow name to match branch protection rules

Rename "Claude PR Review (Fallback)" back to "Claude PR Review"
so the check name matches what branch protection expects.

* revert: restore workflow name to "Claude PR Review (Fallback)"

* ci: fix invalid workflow syntax

* ci: fix pnpm cache setup

* ci: fix test workflow step order

* ci: harden Claude workflows

* ci: pin review responder checkout to SHA

---------

Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>

Author: FutureUnreal

.github/workflows/claude-ci-autofix.yml

@@ -204,15 +204,57 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v5
         with:
-          ref: ${{ github.event.workflow_run.head_branch }}
+          ref: ${{ github.event.workflow_run.head_sha }}
           fetch-depth: 0
 
       - name: Fetch failed logs
         id: failed_logs
         env:
           GH_TOKEN: ${{ secrets.GH_PAT || github.token }}
+          GH_REPO: ${{ github.repository }}
         run: |
-          gh run view ${{ github.event.workflow_run.id }} --log-failed > failed.log 2>/dev/null || echo "Failed to fetch logs" > failed.log
+          set -euo pipefail
+
+          run_id="${{ github.event.workflow_run.id }}"
+          run_url="${{ github.event.workflow_run.html_url }}"
+
+          if [ -z "$run_id" ]; then
+            echo "::error::Missing workflow_run.id; this job only supports workflow_run triggers."
+            exit 1
+          fi
+
+          echo "Fetching failed logs for run $run_id ($run_url)"
+
+          tmp_err="$(mktemp)"
+          if gh run view "$run_id" --repo "$GH_REPO" --log-failed > failed.log 2>"$tmp_err"; then
+            if [ ! -s failed.log ]; then
+              echo "::error::Fetched logs are empty (run $run_id)."
+              {
+                echo "ERROR: fetched logs are empty."
+                echo "Run URL: $run_url"
+              } > failed.log
+              exit 1
+            fi
+          else
+            echo "::error::Failed to fetch logs for run $run_id."
+            {
+              echo "ERROR: failed to fetch logs for run $run_id."
+              echo "Run URL: $run_url"
+              echo ""
+              echo "--- gh stderr ---"
+              cat "$tmp_err"
+            } > failed.log
+            {
+              echo "### Claude CI Auto-Fix"
+              echo ""
+              echo "Failed to fetch logs for run $run_id."
+              echo ""
+              echo "- Run: $run_url"
+              echo "- Details captured in \`failed.log\` (runner workspace)"
+            } >> "$GITHUB_STEP_SUMMARY"
+            exit 1
+          fi
+ 
           echo "log_path=failed.log" >> "$GITHUB_OUTPUT"
 
       - name: Get CI failure details
@@ -243,7 +285,8 @@ jobs:
               failedJobs: failedJobs.map(j => j.name),
               hasPR: hasPR,
               prNumber: hasPR ? pullRequests[0].number : null,
-              headBranch: '${{ github.event.workflow_run.head_branch }}'
+              headBranch: '${{ github.event.workflow_run.head_branch }}',
+              headSha: '${{ github.event.workflow_run.head_sha }}'
             };
 
       - name: Run Claude Code for Auto-Fix
@@ -266,6 +309,7 @@ jobs:
             - **Workflow**: ${{ fromJSON(steps.failure_details.outputs.result).workflowName }}
             - **Failed Run**: ${{ fromJSON(steps.failure_details.outputs.result).runUrl }}
             - **Branch**: ${{ fromJSON(steps.failure_details.outputs.result).headBranch }}
+            - **SHA (pinned)**: ${{ fromJSON(steps.failure_details.outputs.result).headSha }}
             - **Has PR**: ${{ fromJSON(steps.failure_details.outputs.result).hasPR }}
             - **PR Number**: ${{ fromJSON(steps.failure_details.outputs.result).prNumber }}
             - **Failed Jobs**: ${{ join(fromJSON(steps.failure_details.outputs.result).failedJobs, ', ') }}

.github/workflows/claude-issue-duplicate-check.yml

@@ -7,8 +7,7 @@ on:
 jobs:
   check-duplicate:
     if: |
-      !endsWith(github.actor, '[bot]') &&
-      secrets.ANTHROPIC_API_KEY != ''
+      !endsWith(github.actor, '[bot]')
     runs-on: ubuntu-latest
     timeout-minutes: 10
     concurrency:
@@ -19,12 +18,18 @@ jobs:
       issues: write
 
     steps:
+      - name: Skip (missing ANTHROPIC_API_KEY)
+        if: ${{ secrets.ANTHROPIC_API_KEY == '' }}
+        run: echo "ANTHROPIC_API_KEY is not configured; skipping duplicate check."
+
       - name: Checkout repository
+        if: ${{ secrets.ANTHROPIC_API_KEY != '' }}
         uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
       - name: Ensure duplicate label exists
+        if: ${{ secrets.ANTHROPIC_API_KEY != '' }}
         uses: actions/github-script@v7
         with:
           github-token: ${{ github.token }}
@@ -50,6 +55,7 @@ jobs:
             }
 
       - name: Load prompt
+        if: ${{ secrets.ANTHROPIC_API_KEY != '' }}
         id: prompt
         shell: bash
         run: |
@@ -60,6 +66,7 @@ jobs:
           } >> "$GITHUB_OUTPUT"
 
       - name: Run Claude duplicate check
+        if: ${{ secrets.ANTHROPIC_API_KEY != '' }}
         uses: anthropics/claude-code-action@v1
         env:
           ISSUE_NUMBER: ${{ github.event.issue.number }}

.github/workflows/claude-pr-review.yml

@@ -52,10 +52,15 @@ jobs:
               });
 
               const prNumber = context.payload.pull_request.number;
-              const matchingRun = runs.data.workflow_runs.find(run =>
-                run.head_sha === context.payload.pull_request.head.sha &&
-                run.pull_requests?.some(pr => pr.number === prNumber)
-              );
+              const prSha = context.payload.pull_request.head.sha;
+              const prBranch = context.payload.pull_request.head.ref;
+
+              const matchingRun = runs.data.workflow_runs.find(run => {
+                if (run.head_sha !== prSha) return false;
+                if (run.head_branch && run.head_branch !== prBranch) return false;
+                if (!Array.isArray(run.pull_requests) || run.pull_requests.length === 0) return true;
+                return run.pull_requests.some(pr => pr.number === prNumber);
+              });
 
               if (matchingRun) {
                 if (matchingRun.status === 'completed') {

.github/workflows/claude-review-responder.yml

@@ -23,7 +23,21 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Verify PR branch matches reviewed SHA
+        run: |
+          set -euo pipefail
+          expected="${{ github.event.pull_request.head.sha }}"
+          branch="${{ github.event.pull_request.head.ref }}"
+
+          git fetch origin "$branch"
+          actual="$(git rev-parse FETCH_HEAD)"
+
+          if [ "$actual" != "$expected" ]; then
+            echo "::error::PR branch '$branch' moved since this review was submitted. Expected $expected but remote is $actual."
+            exit 1
+          fi
 
       - name: Run Claude Code for Review Response
         uses: anthropics/claude-code-action@v1
@@ -47,6 +61,7 @@ jobs:
             - **Review State**: ${{ github.event.review.state }}
             - **Review Body**: ${{ github.event.review.body }}
             - **PR Branch**: ${{ github.event.pull_request.head.ref }}
+            - **PR SHA (pinned)**: ${{ github.event.pull_request.head.sha }}
 
             ---
 
@@ -101,8 +116,10 @@ jobs:
             ### Phase 4: Implementation
 
             ```bash
-            git checkout ${{ github.event.pull_request.head.ref }}
-            git pull origin ${{ github.event.pull_request.head.ref }}
+            # IMPORTANT: The workspace is already checked out at the reviewed PR head SHA (pinned).
+            # DO NOT `git pull` or `git checkout` the branch by name.
+            git rev-parse HEAD
+            git switch -c claude-review-responder-${{ github.event.pull_request.number }}-${{ github.run_id }}
             ```
 
             For each change:
@@ -148,7 +165,8 @@ jobs:
 
             Addresses review comments on PR #${{ github.event.pull_request.number }}"
 
-            git push origin ${{ github.event.pull_request.head.ref }}
+            # Push commits back onto the PR branch ref (will fail if the branch advanced).
+            git push origin HEAD:${{ github.event.pull_request.head.ref }}
             ```
 
             ### Phase 7: Response

.github/workflows/codex-issue-triage.yml

@@ -7,8 +7,7 @@ on:
 jobs:
   triage:
     if: |
-      !endsWith(github.actor, '[bot]') &&
-      secrets.OPENAI_API_KEY != ''
+      !endsWith(github.actor, '[bot]')
     runs-on: ubuntu-latest
     concurrency:
       group: ${{ github.workflow }}-${{ github.event.issue.number }}
@@ -18,12 +17,18 @@ jobs:
       issues: write
 
     steps:
+      - name: Skip (missing OPENAI_API_KEY)
+        if: ${{ secrets.OPENAI_API_KEY == '' }}
+        run: echo "OPENAI_API_KEY is not configured; skipping issue triage."
+
       - name: Checkout repository (for docs context)
+        if: ${{ secrets.OPENAI_API_KEY != '' }}
         uses: actions/checkout@v5
         with:
           fetch-depth: 1
 
       - name: Compute Responses API endpoint override (optional)
+        if: ${{ secrets.OPENAI_API_KEY != '' }}
         id: responses_endpoint
         shell: bash
         run: |
@@ -38,6 +43,7 @@ jobs:
           fi
 
       - name: Run Codex triage
+        if: ${{ secrets.OPENAI_API_KEY != '' }}
         id: run_codex
         uses: openai/codex-action@v1
         env:
@@ -56,7 +62,7 @@ jobs:
           prompt-file: .github/prompts/codex-issue-triage.md
 
       - name: Apply labels and upsert comment
-        if: steps.run_codex.outputs.final-message != ''
+        if: ${{ secrets.OPENAI_API_KEY != '' && steps.run_codex.outputs.final-message != '' }}
         uses: actions/github-script@v7
         env:
           TRIAGE_JSON: ${{ steps.run_codex.outputs.final-message }}

.github/workflows/pr-check.yml

@@ -28,7 +28,8 @@ jobs:
       - name: Backend syntax check (compileall)
         run: python -m compileall -q backend/app
       - name: Backend import smoke test
-        run: python -c "from app.main import app; print('backend app import: ok')"
+        run: |
+          python -c "from app.main import app; print('backend app import: ok')"
 
   frontend:
     if: github.event.pull_request.draft == false
@@ -38,17 +39,17 @@ jobs:
         working-directory: frontend
     steps:
       - uses: actions/checkout@v5
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: "9.12.2"
+          run_install: false
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: "20"
           cache: "pnpm"
           cache-dependency-path: frontend/pnpm-lock.yaml
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: "9.12.2"
-          run_install: false
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
       - name: Build web app

.github/workflows/test.yml

@@ -45,7 +45,8 @@ jobs:
         run: python -m compileall -q backend/app
       - name: Backend import smoke test
         if: steps.detect.outputs.exists == 'true'
-        run: python -c "from app.main import app; print('backend app import: ok')"
+        run: |
+          python -c "from app.main import app; print('backend app import: ok')"
 
   frontend:
     runs-on: ubuntu-latest
@@ -65,19 +66,19 @@ jobs:
         if: steps.detect.outputs.exists != 'true'
         run: echo "No frontend/ found; skipping frontend checks."
 
+      - name: Setup pnpm
+        if: steps.detect.outputs.exists == 'true'
+        uses: pnpm/action-setup@v4
+        with:
+          version: "9.12.2"
+          run_install: false
       - name: Setup Node.js
         if: steps.detect.outputs.exists == 'true'
         uses: actions/setup-node@v4
         with:
           node-version: "20"
           cache: "pnpm"
           cache-dependency-path: frontend/pnpm-lock.yaml
-      - name: Setup pnpm
-        if: steps.detect.outputs.exists == 'true'
-        uses: pnpm/action-setup@v4
-        with:
-          version: "9.12.2"
-          run_install: false
       - name: Install dependencies
         if: steps.detect.outputs.exists == 'true'
         working-directory: frontend