ci: harden workflows and sponsor code review config

2026-06-11 02:33:10 +08:00 · 2026-06-09 21:20:17 -04:00
parent 10c303e609
commit 3e30f1a56a
7 changed files with 119 additions and 58 deletions
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -83,10 +83,11 @@ Use AAA structure (Arrange / Act / Assert) and descriptive test names that expla

 Types: `feat`, `fix`, `refactor`, `docs`, `test`, `chore`, `perf`, `ci`

-PR checklist before requesting review:
+PR checklist before requesting sponsored review:
 - CI passing, merge conflicts resolved, branch up to date with target
 - Full diff reviewed (`git diff [base-branch]...HEAD`)
 - Test plan included in PR description
+- Code review is handled by CodeRabbit and Greptile. Do not add or route PR code review through Copilot, Claude, Codex, or other reviewer bots.

 ## Code Quality Checklist

@@ -107,7 +108,6 @@ Use these prompts in Copilot Chat for deeper workflows:
 |--------|-------------|---------|
 | `/plan` | Complex feature | Phased implementation plan |
 | `/tdd` | New feature or bug fix | Test-driven development cycle |
-| `/code-review` | After writing code | Quality and security review |
 | `/security-review` | Before a release | Deep security analysis |
 | `/build-fix` | Build/CI failure | Systematic error resolution |
 | `/refactor` | Code maintenance | Dead code cleanup and simplification |
--- a/.github/prompts/code-review.prompt.md
+++ b/.github/prompts/code-review.prompt.md
@@ -1,56 +0,0 @@
---
-agent: agent
-description: Comprehensive code quality and security review of the selected code or recent changes
---
-
-# Code Review
-
-Review the selected code (or the current diff if nothing is selected) across four dimensions. Only report issues you are **confident about** — flag uncertainty explicitly rather than guessing.
-
-## Dimensions
-
-### 1. Security (CRITICAL — block ship if found)
- Hardcoded secrets, tokens, API keys, passwords
- Missing input validation or sanitization at system boundaries
- SQL/NoSQL injection risk (string interpolation in queries)
- XSS risk (unsanitized HTML output)
- Auth/authz checks missing or client-side only
- Sensitive data in logs or error messages exposed to clients
- Missing rate limiting on public endpoints
-
-### 2. Code Quality (HIGH)
- Mutation of existing state instead of creating new objects
- Functions over 50 lines or files over 800 lines
- Nesting deeper than 4 levels
- Duplicated logic that should be extracted
- Misleading or non-descriptive names
-
-### 3. Error Handling (HIGH)
- Silently swallowed errors (`catch {}`, empty catch blocks)
- Missing error handling at async boundaries
- Errors returned but not checked by callers
- User-facing error messages leaking internal details
-
-### 4. Test Coverage (MEDIUM)
- Missing tests for new logic
- Tests that only test happy paths (missing error/edge cases)
- Assertions that always pass
-
-## Output Format
-
-For each issue found:
-
-```
-**[CRITICAL|HIGH|MEDIUM|LOW]** — [File:Line if known]
-Issue: [What is wrong]
-Fix: [Concrete suggestion]
-```
-
-End with a summary:
-```
-## Summary
- Critical: N
- High: N
- Medium: N
- Approved to ship: yes / no (fix CRITICAL and HIGH first)
-```
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,6 +36,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js ${{ matrix.node }}
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -114,6 +116,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -175,6 +179,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -200,6 +206,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
@@ -227,6 +235,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
--- a/.github/workflows/reusable-test.yml
+++ b/.github/workflows/reusable-test.yml
@@ -28,6 +28,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
--- a/.github/workflows/reusable-validate.yml
+++ b/.github/workflows/reusable-validate.yml
@@ -18,6 +18,8 @@ jobs:
    steps:
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+        with:
+          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0