@@ -24,96 +24,98 @@ jobs:
2424 DEFAULT_BRANCH=$(gh api /repos/$OWNER/$REPO --jq '.default_branch')
2525 echo "Default branch: $DEFAULT_BRANCH"
2626
27- # 用 security_severity_level 过滤,对应界面上的 Critical/High/Medium
28- for SEC_LEVEL in "critical" "high" "medium"; do
29- echo "====== Processing security_severity_level: $SEC_LEVEL ======"
30-
31- # ← 关键改动:换成 security_severity_level 参数
32- ALERTS=$(gh api \
33- "/repos/$OWNER/$REPO/code-scanning/alerts?security_severity_level=$SEC_LEVEL&state=open&per_page=100" \
34- --jq '[.[] | .number]')
35-
36- COUNT=$(echo $ALERTS | jq 'length')
37- echo "Found $COUNT alerts with security_severity_level: $SEC_LEVEL"
27+ # 获取所有 open alert,用 jq 过滤 security_severity_level 为 high 或 medium 的
28+ ALERTS=$(gh api \
29+ "/repos/$OWNER/$REPO/code-scanning/alerts?state=open&per_page=100" \
30+ --jq '[.[] | select(.rule.security_severity_level == "high" or .rule.security_severity_level == "medium") | {number: .number, level: .rule.security_severity_level}]')
31+
32+ COUNT=$(echo $ALERTS | jq 'length')
33+ echo "Found $COUNT alerts with security_severity_level high or medium"
34+ echo "$ALERTS" | jq -r '.[] | " Alert #\(.number) [\(.level)]"'
35+
36+ if [ "$COUNT" -eq 0 ]; then
37+ echo "No alerts to process, exiting."
38+ exit 0
39+ fi
40+
41+ for ROW in $(echo $ALERTS | jq -r '.[] | @base64'); do
42+ _jq() { echo "$ROW" | base64 -d | jq -r "$1"; }
43+
44+ NUMBER=$(_jq '.number')
45+ SEC_LEVEL=$(_jq '.level')
46+
47+ echo "--- Alert #$NUMBER [$SEC_LEVEL] ---"
48+
49+ EXISTING=$(gh api \
50+ /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix \
51+ --jq '.status' 2>/dev/null || echo "none")
52+
53+ if [ "$EXISTING" = "success" ]; then
54+ echo "✅ Fix already exists, committing directly..."
55+ else
56+ echo "⏳ Generating fix..."
57+ gh api -X POST \
58+ /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix || {
59+ echo "⚠️ Failed to trigger autofix for #$NUMBER, skipping"
60+ continue
61+ }
62+
63+ for i in 1 2 3; do
64+ sleep 30
65+ EXISTING=$(gh api \
66+ /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix \
67+ --jq '.status' 2>/dev/null || echo "none")
68+ echo " Attempt $i: status = $EXISTING"
69+ [ "$EXISTING" = "success" ] && break
70+ done
71+ fi
3872
39- if [ "$COUNT" -eq 0 ]; then
40- continue
73+ if [ "$EXISTING" = "success" ]; then
74+ BRANCH="autofix/${SEC_LEVEL}/alert-${NUMBER}"
75+
76+ SHA=$(gh api /repos/$OWNER/$REPO/git/refs/heads/$DEFAULT_BRANCH \
77+ --jq '.object.sha')
78+
79+ gh api -X POST /repos/$OWNER/$REPO/git/refs \
80+ -f ref="refs/heads/$BRANCH" \
81+ -f sha="$SHA" 2>/dev/null && \
82+ echo "🌿 Created branch: $BRANCH" || \
83+ echo "🌿 Branch already exists: $BRANCH"
84+
85+ gh api -X POST \
86+ /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix/commits \
87+ -f target_ref="$BRANCH" || {
88+ echo "❌ Failed to commit fix for alert #$NUMBER"
89+ continue
90+ }
91+ echo "✅ Committed fix to branch: $BRANCH"
92+
93+ ALERT_TITLE=$(gh api \
94+ /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER \
95+ --jq '.rule.description')
96+
97+ gh pr create \
98+ --repo "$OWNER/$REPO" \
99+ --base "$DEFAULT_BRANCH" \
100+ --head "$BRANCH" \
101+ --draft \
102+ --title "[Autofix][$SEC_LEVEL] Alert #$NUMBER: $ALERT_TITLE" \
103+ --body "## 🤖 Copilot Autofix 自动修复
104+
105+ **Alert ID:** #$NUMBER
106+ **Security Severity:** $SEC_LEVEL
107+ **Rule:** $ALERT_TITLE
108+
109+ 此 PR 由 Copilot Autofix 自动生成,请审核后再 merge。
110+
111+ - [ ] 确认修复逻辑正确
112+ - [ ] 确认没有引入新问题
113+ - [ ] CI 测试通过" && \
114+ echo "🎉 PR created for alert #$NUMBER" || \
115+ echo "⚠️ PR already exists for alert #$NUMBER"
116+
117+ else
118+ echo "⚠️ Autofix not available for alert #$NUMBER (status: $EXISTING), skipping"
41119 fi
42120
43- for NUMBER in $(echo $ALERTS | jq -r '.[]'); do
44- echo "--- Alert #$NUMBER ($SEC_LEVEL) ---"
45-
46- EXISTING=$(gh api \
47- /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix \
48- --jq '.status' 2>/dev/null || echo "none")
49-
50- if [ "$EXISTING" = "success" ]; then
51- echo "✅ Fix already exists, committing directly..."
52- else
53- echo "⏳ Generating fix..."
54- gh api -X POST \
55- /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix || {
56- echo "⚠️ Failed to trigger autofix for #$NUMBER, skipping"
57- continue
58- }
59-
60- for i in 1 2 3; do
61- sleep 30
62- EXISTING=$(gh api \
63- /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix \
64- --jq '.status' 2>/dev/null || echo "none")
65- echo " Attempt $i: status = $EXISTING"
66- [ "$EXISTING" = "success" ] && break
67- done
68- fi
69-
70- if [ "$EXISTING" = "success" ]; then
71- BRANCH="autofix/${SEC_LEVEL}/alert-${NUMBER}"
72-
73- SHA=$(gh api /repos/$OWNER/$REPO/git/refs/heads/$DEFAULT_BRANCH \
74- --jq '.object.sha')
75-
76- gh api -X POST /repos/$OWNER/$REPO/git/refs \
77- -f ref="refs/heads/$BRANCH" \
78- -f sha="$SHA" 2>/dev/null && \
79- echo "🌿 Created branch: $BRANCH" || \
80- echo "🌿 Branch already exists: $BRANCH"
81-
82- gh api -X POST \
83- /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER/autofix/commits \
84- -f target_ref="$BRANCH" || {
85- echo "❌ Failed to commit fix for alert #$NUMBER"
86- continue
87- }
88- echo "✅ Committed fix to branch: $BRANCH"
89-
90- ALERT_TITLE=$(gh api \
91- /repos/$OWNER/$REPO/code-scanning/alerts/$NUMBER \
92- --jq '.rule.description')
93-
94- gh pr create \
95- --repo "$OWNER/$REPO" \
96- --base "$DEFAULT_BRANCH" \
97- --head "$BRANCH" \
98- --draft \
99- --title "[Autofix][$SEC_LEVEL] Alert #$NUMBER: $ALERT_TITLE" \
100- --body "## 🤖 Copilot Autofix 自动修复
101-
102- **Alert ID:** #$NUMBER
103- **Security Severity:** $SEC_LEVEL
104- **Rule:** $ALERT_TITLE
105-
106- 此 PR 由 Copilot Autofix 自动生成,请审核后再 merge。
107-
108- - [ ] 确认修复逻辑正确
109- - [ ] 确认没有引入新问题
110- - [ ] CI 测试通过" && \
111- echo "🎉 PR created for alert #$NUMBER" || \
112- echo "⚠️ PR already exists for alert #$NUMBER"
113-
114- else
115- echo "⚠️ Autofix not available for alert #$NUMBER (status: $EXISTING), skipping"
116- fi
117-
118- done
119121 done
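Review bot: Moving the severity filter from the query string into the `--jq` select (new-side lines 28–30) changes what the single `per_page=100` request covers: it now fetches the first 100 open alerts of any severity and never requests further pages, so on a repository with more than 100 open alerts the high/medium ones beyond the first page are dropped without any message, where the old per-level queries at least capped each level separately. Paginate and let jq emit one object per alert, then collect them: `ALERTS=$(gh api --paginate "/repos/$OWNER/$REPO/code-scanning/alerts?state=open&per_page=100" --jq '.[] | select(.rule.security_severity_level == "high" or .rule.security_severity_level == "medium") | {number: .number, level: .rule.security_severity_level}' | jq -s '.')`. The `COUNT=$(echo $ALERTS | jq 'length')` and `for ROW in $(echo $ALERTS | …)` lines (new-side 32 and 41) should quote `"$ALERTS"` so the JSON is not word-split and glob-expanded before jq parses it. The `run:` script this hunk belongs to starts before the hunk.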