ci:update

xengine-qyt · xengine-qyt · commit 095f22d54b75 · 2026-04-30T15:25:57.000+08:00
diff --git a/.github/workflows/codeql-to-commit.yml b/.github/workflows/codeql-to-commit.yml
@@ -76,12 +76,14 @@ jobs:
               SHA=$(gh api /repos/$OWNER/$REPO/git/refs/heads/$DEFAULT_BRANCH \
                 --jq '.object.sha')
 
+              # 创建分支
               gh api -X POST /repos/$OWNER/$REPO/git/refs \
                 -f ref="refs/heads/$BRANCH" \
                 -f sha="$SHA" 2>/dev/null && \
                 echo "🌿 Created branch: $BRANCH" || \
                 echo "🌿 Branch already exists: $BRANCH"
 
+              # 提交 fix
               gh api -X POST \
                 /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix/commits \
                 -f target_ref="$BRANCH" || {
@@ -90,27 +92,71 @@ jobs:
               }
               echo "✅ Committed fix to branch: $BRANCH"
 
-              ALERT_TITLE=$(gh api \
-                /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER \
-                --jq '.rule.description')
+              # 获取 alert 详情
+              ALERT_INFO=$(gh api \
+                /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER)
 
+              ALERT_TITLE=$(echo $ALERT_INFO | jq -r '.rule.description')
+              ALERT_HELP=$(echo $ALERT_INFO | jq -r '.rule.help // "暂无详细说明"' | head -c 800)
+              ALERT_TAGS=$(echo $ALERT_INFO | jq -r '.rule.tags // [] | join(", ")')
+              ALERT_FILE=$(echo $ALERT_INFO | jq -r '.most_recent_instance.location.path // "未知文件"')
+              ALERT_LINE=$(echo $ALERT_INFO | jq -r '.most_recent_instance.location.start_line // "未知行"')
+              ALERT_URL=$(echo $ALERT_INFO | jq -r '.html_url')
+              CWE_TAGS=$(echo $ALERT_INFO | jq -r '[.rule.tags[] | select(startswith("external/cwe/"))] | join(", ")')
+
+              # 获取 Autofix AI 修复说明
+              AUTOFIX_DESC=$(gh api \
+                /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix \
+                --jq '.description // "暂无 AI 修复说明"')
+
+              # 创建 Draft PR
               gh pr create \
                 --repo "$OWNER/$REPO" \
                 --base "$DEFAULT_BRANCH" \
                 --head "$BRANCH" \
                 --draft \
                 --title "[Autofix][$SEC_LEVEL] Alert #$NUMBER: $ALERT_TITLE" \
-                --body "## 🤖 Copilot Autofix 自动修复
+                --body "## 🤖 Copilot Autofix 自动修复报告
+
+          ---
+
+          ### 📋 基本信息
+
+          | 字段 | 内容 |
+          |------|------|
+          | **Alert ID** | [#$NUMBER]($ALERT_URL) |
+          | **安全级别** | $SEC_LEVEL |
+          | **规则名称** | $ALERT_TITLE |
+          | **问题文件** | \`$ALERT_FILE\` 第 $ALERT_LINE 行 |
+          | **CWE 分类** | $CWE_TAGS |
+          | **规则标签** | $ALERT_TAGS |
+
+          ---
+
+          ### 🔍 问题说明
+
+          $ALERT_HELP
+
+          ---
+
+          ### 🤖 AI 修复思路
+
+          $AUTOFIX_DESC
+
+          ---
+
+          ### ✅ Review 检查清单
 
-              **Alert ID:** #$NUMBER
-              **Security Severity:** $SEC_LEVEL
-              **Rule:** $ALERT_TITLE
+          - [ ] 理解了漏洞的成因和影响范围
+          - [ ] 确认 AI 修复逻辑正确，没有遗漏边界情况
+          - [ ] 确认修复没有改变原有业务逻辑
+          - [ ] 确认没有引入新的安全问题
+          - [ ] CI / 单元测试全部通过
+          - [ ] 如有必要，已补充对应的测试用例
 
-              此 PR 由 Copilot Autofix 自动生成，请审核后再 merge。
+          ---
 
-              - [ ] 确认修复逻辑正确
-              - [ ] 确认没有引入新问题
-              - [ ] CI 测试通过" && \
+          > 此 PR 由 GitHub Copilot Autofix 自动生成，请仔细审核后再 merge。" && \
               echo "🎉 PR created for alert #$NUMBER" || \
               echo "⚠️ PR already exists for alert #$NUMBER"
 
