Commit graph

29 commits

Author SHA1 Message Date
kite
0881ad87b8 fix(ci): use --replace-all for git safe.directory to prevent self-hosted runner failure
Some checks are pending
CI / test (push) Waiting to run
On self-hosted runners, _github_home/.gitconfig persists across jobs.
The ocr-review workflow used --add which accumulated multiple safe.directory
values over time. Once multiple values existed, other workflows using plain
git config (without --add/--replace-all) failed with "cannot overwrite
multiple values with a single value".

Unify all workflows to use --replace-all, which clears previous values and
writes exactly one entry regardless of prior state.
2026-06-29 11:37:23 +08:00
kite
f2a6f7c5c7 ci: add 80% statement coverage threshold check
Add coverage threshold enforcement in CI workflow and Makefile to satisfy
OpenSSF Best Practices Silver badge test_statement_coverage80 criterion.
2026-06-27 11:13:22 +08:00
kite
e1a6a404ba feat(ci): add Sigstore attestation for release artifacts
Add build provenance attestation to the release workflow using
actions/attest-build-provenance with OIDC keyless signing.
Document release signature verification in SECURITY.md.
2026-06-26 22:18:03 +08:00
kite
3f4155170e ci: add govulncheck, job timeout, dependabot and preserve debug symbols in dev builds
- Add govulncheck step to CI pipeline for vulnerability scanning
- Set 15-minute timeout on CI test job
- Add dependabot config for weekly Go module and GitHub Actions updates
- Split LD_FLAGS so dev builds retain debug symbols while release
  builds remain stripped with -s -w
2026-06-26 21:02:33 +08:00
Lei Zhang
b196ee053c
ci(workflow): add rate-limit-aware retry for PR review comment posting (#183)
* ci(workflow): add rate-limit-aware retry for PR review comment posting

Add GitHub REST API rate-limit handling to the ocr-review workflow:

- Implement computeRetryDelayMs() following GitHub's documented strategy:
  * Honor retry-after header (seconds or HTTP-date)
  * Wait until x-ratelimit-reset when primary limit is exhausted (remaining=0)
  * Exponential backoff (>=60s base) for secondary limits without a header
  * Backoff for transient 5xx/408 errors
- Add per-comment retry loop with configurable attempts and delays
- Add logRateLimitQuota() to log and proactively throttle on low remaining quota
- Honor batch createReview rate-limit headers before per-comment retry
- Cap all waits (including header-derived) to avoid stalling the CI job
- Expose tuning via OCR_* env vars (retries, delays, thresholds)
- Update example workflow docs with retry/delay configuration reference

* fix(workflow): use shorter transient backoff base and dedupe header lookup

- Transient server errors (5xx/408) now use a 2s base delay instead of
  the 60s rate-limit base, matching the comment's stated intent and
  avoiding unnecessary CI stalls on short-lived server hiccups.
- Extract a shared getHeader() helper for case-insensitive header
  lookup, reused by both computeRetryDelayMs and logRateLimitQuota to
  eliminate duplicated logic and ensure consistent robustness.

* doc: revert example doc
2026-06-23 21:07:04 +08:00
kite
757b359673 fix(ci): use bash shell for release notes generation step
The ubuntu:24.04 container defaults to sh (dash) which does not support
process substitution (< <(...)). Add shell: bash to the step.
2026-06-23 20:09:43 +08:00
kite
a86389c5e5 fix(ci): install git in release job container to fix workflow failure
The release job uses ubuntu:24.04 which lacks git. After adding
commit-based release notes generation, git commands (config/describe/log)
fail with "git: not found". Install git before checkout so the full
history is available for release notes.
2026-06-23 19:57:09 +08:00
kite
1c68c551ab ci: add CI workflow to run vet and tests on push/PR
Add continuous integration pipeline that runs go vet, tests with
race detection, and a build check on every push to main and PR.
Satisfies the OpenSSF Best Practices test_continuous_integration criterion.
2026-06-22 16:26:29 +08:00
kite
0ceffc87f4 feat(release): auto-generate structured release notes from conventional commits
Satisfy the OpenSSF Best Practices "release_notes" criterion by parsing
commits between tags and categorizing them into Features, Bug Fixes,
Refactoring, and Documentation sections.
2026-06-22 15:52:06 +08:00
kite
810af47d4d fix(ci): prefix local path with ./ to prevent npm GitHub shorthand resolution
npm interprets "npm/darwin-arm64" as a GitHub user/repo shorthand
instead of a local directory, causing git ls-remote failures.
2026-06-17 15:00:08 +08:00
kite
b46f48e40d fix(ci): replace bash here-string with POSIX parameter expansion
The CI container uses sh (not bash), which doesn't support the <<<
here-string syntax, causing "Syntax error: redirection unexpected".
2026-06-17 14:43:06 +08:00
kite
f76d4266ed feat: add platform-specific npm packages to eliminate postinstall download
Ship Go binaries inside per-platform npm packages (@alibaba-group/ocr-{os}-{arch})
so npm install resolves the correct binary via optionalDependencies + os/cpu fields.
This removes the need for a postinstall download from GitHub Releases, which is
extremely slow for users behind restricted networks (e.g. China mainland).

The postinstall download is retained as a fallback for --no-optional installs.
2026-06-17 14:17:03 +08:00
kite
f577742c04 ci: drop npm provenance flag incompatible with self-hosted runners
Sigstore provenance verification only supports GitHub-hosted runners,
causing E422 on publish. Remove --provenance and the unused id-token
permission.
2026-06-13 11:08:45 +08:00
kite
372802d294 ci: fix npm publish auth failure on self-hosted runners
The node:20 container lacks automatic NODE_AUTH_TOKEN mapping to npm
registry credentials. Add explicit .npmrc configuration step before
npm publish.
2026-06-13 11:08:45 +08:00
Lei Zhang
76b4d5a3b5
ci: use self-hosted runners with container images for build and deplo… (#107)
* ci: use self-hosted runners with container images for build and deploy workflows

- deploy-pages: switch to self-hosted runner with node:20 container, remove redundant setup-node

- release: use self-hosted runner with golang:1.26.4 container for build job, remove redundant setup-go

- release: use self-hosted runner with ubuntu:24.04 container for release job

- release: use self-hosted runner with node:20 container for npm-publish job, remove redundant setup-node

- release: add jq installation step for version injection in npm-publish

* ci: fix dubious ownership in self-hosted container jobs

- Add git safe.directory trust step after checkout in release.yml build and npm-publish jobs
- Add git safe.directory trust step after checkout in deploy-pages.yml build job
- Switch deploy-pages deploy job from ubuntu-latest to self-hosted with node:20 container
2026-06-12 14:30:51 +08:00
Lei Zhang
3239640df4
ci: fix dubious ownership error on self-hosted runners (#106)
Add safe.directory '*' to git config before running git operations.
Self-hosted runners may run jobs under a different OS user than the
one that owns the workspace, causing git to refuse operations with a
'dubious ownership' error.
2026-06-12 11:41:08 +08:00
Lei Zhang
022800c876
ci: optimize ocr-review workflow for self-hosted runners (#97) 2026-06-12 10:34:13 +08:00
zhouzhihao
c323c6b40c
fix(actions): preserve failed inline review comments (#81) 2026-06-10 17:50:08 +08:00
Lei Zhang
6b7038b3d3
ci: add GitHub Actions workflow for automated PR review (#61)
* ci: add GitHub Actions workflow for automated PR review

- Trigger on PR opened and issue_comment (/open-code-review)
- Install OCR via npm, configure LLM secrets, run review
- Post inline review comments via GitHub PR review API
- Fallback to individual comments if batch posting fails
- Use commit SHA instead of branch ref to support fork PRs

* ci: use pull_request_target to support fork PR secret access

- Switch from pull_request to pull_request_target trigger
- Add synchronize and reopened event types
- Explicitly checkout PR head SHA (pull_request_target defaults to base)
- This ensures secrets are available for PRs from forked repos

* ci: fix pull_request_target handling for fork PRs

- Narrow trigger types to 'opened' only to reduce redundant runs
- Add explicit fetch of PR head ref to ensure fork commits are available
- Fix event name check from 'pull_request' to 'pull_request_target'
2026-06-06 18:16:08 +08:00
Bison Xu
89effb6b22
feat(build): add Windows platform support (#13)
* feat(build): add Windows platform support

Add windows/amd64 and windows/arm64 to CI build matrix, Makefile
cross-platform targets, and handle .exe suffix in install/update
scripts and binary wrapper. Skip chmod on Windows where unsupported.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* docs(README): add Windows download instructions

Add Windows x86_64 and ARM64 binary download commands to both
English and Chinese README install sections.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-02 21:57:31 +08:00
Lei Zhang
d0a24c4de3
Add issue and PR templates with bilingual contributing guide (#9)
* docs: add GitHub issue and PR templates

Add structured issue templates for bug reports, feature requests, and docs reports with YAML forms. Include a pull request template with checklist for contribution quality.

* docs: add bilingual contributing guide (EN & zh-CN)

Provide detailed contribution guidelines covering development setup, coding standards, commit conventions, PR workflow, and community conduct in both English and Chinese.
2026-05-30 14:22:50 +08:00
kite
95b77e2b48 fix: Update project branding and improve documentation links 2026-05-28 14:47:53 +08:00
kite
bbf673d4d1 chore(workflow): Add environment variables for npm publish step 2026-05-25 22:52:21 +08:00
kite
db5bc4b8a9 feat(rules): add include/exclude file filter support in rule.json
Allow users to configure include/exclude glob patterns in
  .open-code-review/rule.json (global or project-level) to control
  which files are reviewed. Exclude has highest priority, include
  penetrates default path exclusions but not the extension allowlist.
  Only one layer takes effect following --rule > project > global priority.
2026-05-25 20:19:02 +08:00
kite
44120e28b6 fix: fix some bug 2026-05-22 21:27:39 +08:00
kite
3940e1af3f fix(ci): remove registry-url to allow npm OIDC authentication
setup-node's registry-url generates .npmrc with a token placeholder
that overrides npm's OIDC flow, causing 404 on publish.
2026-05-21 21:50:33 +08:00
kite
80d5121d88 ci: inject version from git tag before npm publish
Use git tag as the single source of truth for version number.
Eliminates the need to keep package.json version in sync manually.
2026-05-21 21:20:48 +08:00
kite
365c9ee9a4 ci: switch npm publish to OIDC trusted publishing
Remove NPM_TOKEN secret dependency and use GitHub Actions OIDC
id-token for npm authentication with provenance attestation.
2026-05-21 19:28:53 +08:00
kite
7c8b8562aa feat: init 2026-05-20 22:03:52 +08:00