ai-code-review.yml
name: AI Code Review
on:
  push:
    branches: [master, main, develop]
    paths-ignore:
      - '**.md'
      - 'docs/**'
      - '.github/**'
  pull_request:
    branches: [master, main, develop]
    # 'closed' is required by the pre-merge-check job below: without it that
    # job's `if:` condition can never be true and the job never runs.
    types: [opened, synchronize, reopened, closed]

# Default GITHUB_TOKEN is read-only; jobs that need more request it explicitly.
permissions:
  contents: read

# Prevent duplicate runs
concurrency:
  group: ai-review-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # ========================================
  # DeepSource static analysis (runs automatically through the GitHub App)
  # Note: this job only uploads test coverage (optional)
  # ========================================
  deepsource-coverage:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install DeepSource CLI
        # Piping a remote script into sh trusts cli.deepsource.com entirely;
        # pin a release and verify its checksum before relying on this in CI.
        run: curl -fsSL https://cli.deepsource.com/install | BINDIR=./bin sh
      - name: Run Frontend Tests with Coverage
        run: |
          # Upload the coverage file to DeepSource if one exists
          # (this step does not run the tests itself; a prior step must produce it)
          if [ -f "coverage/lcov.info" ]; then
            ./bin/deepsource report --analyzer test-coverage \
              --key javascript \
              --value-file coverage/lcov.info
          fi
        env:
          DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }}
      - name: Run Rust Tests with Coverage
        run: |
          # If cargo-tarpaulin is installed, produce Rust coverage and upload it
          if command -v cargo-tarpaulin &> /dev/null; then
            cargo tarpaulin --out Xml
            if [ -f "cobertura.xml" ]; then
              ./bin/deepsource report --analyzer test-coverage \
                --key rust \
                --value-file cobertura.xml
            fi
          fi
        env:
          DEEPSOURCE_DSN: ${{ secrets.DEEPSOURCE_DSN }}

  # ========================================
  # Custom GPT-4 analysis (push-triggered)
  # ========================================
  custom-ai-review:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    permissions:
      contents: write   # required to post commit comments with GITHUB_TOKEN
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Get Changed Files
        id: changed-files
        uses: tj-actions/changed-files@v44
        with:
          since_last_remote_commit: true
          separator: ','
          files: |
            **/*.{ts,tsx,js,jsx,rs,py,go}
            !**/*.test.*
            !**/*.spec.*
            !**/docs/**
      - name: AI Code Analysis
        if: steps.changed-files.outputs.any_changed == 'true'
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Hand step outputs to the script through the environment. Expanding
          # ${{ ... }} inside `run:` pastes the raw value into the shell source,
          # so a crafted file name would execute as shell (script injection).
          FILES: ${{ steps.changed-files.outputs.all_changed_files }}
          REPO: ${{ github.repository }}
          SHA: ${{ github.sha }}
        run: |
          # Check the list of changed files
          if [ -z "$FILES" ]; then
            echo "No relevant files changed"
            exit 0
          fi
          # Build the analysis prompt. The file names are attacker-influenced
          # text that the model will read, so treat its answer as advisory.
          PROMPT="Please analyse the following code changes for quality, potential problems and possible improvements:
          $FILES
          Please cover the following aspects:
          1. Code quality and readability
          2. Potential bugs and edge cases
          3. Performance problems
          4. Security concerns
          5. Test coverage suggestions
          Please reply in Chinese, concisely."
          # Call the OpenAI API. jq builds the JSON body so that quotes and
          # newlines in the prompt cannot break (or rewrite) the request.
          BODY=$(jq -n --arg content "$PROMPT" '{
            model: "gpt-4o-mini",
            messages: [{role: "user", content: $content}],
            max_tokens: 2000,
            temperature: 0.3
          }')
          RESPONSE=$(curl -sS https://api.openai.com/v1/chat/completions \
            -H "Content-Type: application/json" \
            -H "Authorization: Bearer $OPENAI_API_KEY" \
            -d "$BODY")
          # Extract the analysis; fail loudly if the API returned an error object
          ANALYSIS=$(printf '%s' "$RESPONSE" | jq -er '.choices[0].message.content') || {
            echo "OpenAI request failed: $(printf '%s' "$RESPONSE" | jq -r '.error.message // .')" >&2
            exit 1
          }
          # Post the result as a GitHub commit comment (body built with jq, not string pasting)
          jq -n --arg body "$(printf '## 🤖 AI Code Analysis\n\n%s' "$ANALYSIS")" '{body: $body}' |
            curl -sS -X POST \
              -H "Authorization: token $GITHUB_TOKEN" \
              -H "Accept: application/vnd.github.v3+json" \
              "https://api.github.com/repos/$REPO/commits/$SHA/comments" \
              -d @-

  # ========================================
  # Final check when a PR is merged
  # (this runs after the merge has happened; the result only goes to the job log)
  # ========================================
  pre-merge-check:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.event.action == 'closed' && github.event.pull_request.merged == true
    permissions:
      contents: read
      pull-requests: read
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Final AI Security Check
        env:
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          GH_TOKEN: ${{ github.token }}
          REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # List the files the PR changed. github.event.before is only set on
          # push events and the default checkout is shallow, so the original
          # `git diff ${{ github.event.before }} ${{ github.sha }}` had nothing
          # valid to compare; the pull-request files API works in either case.
          MERGED_FILES=$(gh api "repos/$REPO/pulls/$PR_NUMBER/files" --paginate --jq '.[].filename')
          PROMPT="The following code has been merged into the main branch; please perform a final security review:
          $MERGED_FILES
          Focus on:
          1. Leaked secrets (API keys, tokens, passwords)
          2. Security vulnerabilities such as SQL injection and XSS
          3. Missing authorization checks
          4. Vulnerable dependencies
          If you find a problem, point it out immediately. Otherwise reply: ✅ Security check passed"
          jq -n --arg content "$PROMPT" '{
            model: "gpt-4o-mini",
            messages: [{role: "user", content: $content}],
            max_tokens: 1000,
            temperature: 0
          }' |
            curl -sS https://api.openai.com/v1/chat/completions \
              -H "Content-Type: application/json" \
              -H "Authorization: Bearer $OPENAI_API_KEY" \
              -d @- | jq -r '.choices[0].message.content'
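The `AI Code Analysis` step lets one untrusted value, a changed file name, reach two different interpreters: the `${{ }}` expansion pastes it into the shell source of the `run:` script, and the `\"$PROMPT\"` construction pastes it into the JSON request body. The script below is an added example, not part of the workflow or of the project it belongs to. It assumes nothing about the runner beyond POSIX `sh`: `render_inline` imitates the runner's text substitution with a string paste, and `json_string` is a small pure-shell JSON encoder standing in for `jq -n --arg`, used here only so the example runs without jq; the file name and prompt are constructed inputs.

```shell
#!/bin/sh
# Added example (not the workflow's own code). Two ways an untrusted changed-file
# name reaches the "AI Code Analysis" step, each beside its hardened form.

# --- 1. GitHub Actions expression injection --------------------------------
# The runner expands ${{ steps.changed-files.outputs.all_changed_files }} by
# text substitution BEFORE the shell parses the script. render_inline imitates
# that: the value is pasted into the script source, then the script is run.
render_inline() {
  sh -c "FILES=\"$1\"; printf '%s\n' \"\$FILES\""
}

# Hardened form: the value travels through the environment. The shell parses
# only the literal text $FILES, so the attacker's characters are data, not code.
render_env() {
  FILES=$1 sh -c 'printf "%s\n" "$FILES"'
}

# --- 2. JSON injection through string interpolation --------------------------
NL='
'
TAB=$(printf '\t')
CR=$(printf '\r')

# Encode $1 as a JSON string literal (handles \ " newline tab CR). Pure POSIX sh
# stand-in for `jq -n --arg content "$PROMPT"`; in a real workflow step use jq.
json_string() {
  s=$1
  out=
  while [ -n "$s" ]; do
    c=${s%"${s#?}"}        # first character of the remainder
    s=${s#?}               # drop it
    case $c in
      \\)     out="$out\\\\" ;;
      \")     out="$out\\\"" ;;
      "$NL")  out="$out\\n" ;;
      "$TAB") out="$out\\t" ;;
      "$CR")  out="$out\\r" ;;
      *)      out="$out$c" ;;
    esac
  done
  printf '"%s"' "$out"
}

# What the workflow does: the prompt is pasted between \"...\". A prompt that
# contains a double quote or a newline yields invalid JSON (or, if the quote is
# followed by more JSON, a request with attacker-chosen fields).
naive_body() {
  printf '{"model":"gpt-4o-mini","messages":[{"role":"user","content":"%s"}]}' "$1"
}

# Hardened form: the prompt is encoded as a JSON string, never pasted raw.
safe_body() {
  printf '{"model":"gpt-4o-mini","messages":[{"role":"user","content":%s}]}' "$(json_string "$1")"
}

# Constructed inputs: a file name carrying a command substitution, and a prompt
# that contains a double quote and a newline.
EVIL_FILE='src/$(echo pwned).ts'
PROMPT="Review \"main.ts\"${NL}then reply"

echo "inline : $(render_inline "$EVIL_FILE")"   # command ran: src/pwned.ts
echo "env    : $(render_env "$EVIL_FILE")"      # literal: src/$(echo pwned).ts
echo "naive  : $(naive_body "$PROMPT")"         # broken JSON
echo "safe   : $(safe_body "$PROMPT")"          # valid JSON
```

The fix in the workflow is the same pairing: move `${{ steps.changed-files.outputs.all_changed_files }}` (and any other expression) into `env:` and read it as `$FILES`, and build the request body with `jq -n --arg content "$PROMPT"` instead of `\"$PROMPT\"`. The model's output is then posted as a commit comment, so the same care applies to `$ANALYSIS` on the way back out.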