From 33d910860e1f83f6404b26ef001f534efd93b6d0 Mon Sep 17 00:00:00 2001 From: jacwu Date: Thu, 9 Oct 2025 11:40:08 +0800 Subject: [PATCH 1/7] Add Data, Container, and Processor classes for data management - Implement Data class to hold name and value attributes. - Create Container class to manage a list of Data objects with methods to add and find data. - Introduce Processor class to process data from the Container. - Add main function to demonstrate adding and processing data. --- .github/workflows/pr-codex-review.yml | 138 ------------------ .../refactor/nullptrtest.cpp | 58 ++++++++ 2 files changed, 58 insertions(+), 138 deletions(-) delete mode 100644 .github/workflows/pr-codex-review.yml create mode 100644 github-copilot-features/refactor/nullptrtest.cpp diff --git a/.github/workflows/pr-codex-review.yml b/.github/workflows/pr-codex-review.yml deleted file mode 100644 index 8a8c65e..0000000 --- a/.github/workflows/pr-codex-review.yml +++ /dev/null 
@@ -1,138 +0,0 @@ -name: PR Codex Review - -on: - pull_request: - types: [opened, reopened, ready_for_review, synchronize] - - -permissions: - contents: read - pull-requests: write - -jobs: - codex_pr_review: - name: Codex PR Review - runs-on: ubuntu-latest - env: - REVIEW_TABLE_FALLBACK: | - | File | Concern | Recommendation | Severity | - | --- | --- | --- | --- | - | All files | No actionable feedback generated | None | info | - AZURE_OPENAI_BASE_URL: ${{ secrets.AZURE_OPENAI_BASE_URL }} - AZURE_OPENAI_MODEL: ${{ secrets.AZURE_OPENAI_MODEL || 'gpt-5-codex' }} - AZURE_OPENAI_API_KEY: ${{ secrets.AZURE_OPENAI_API_KEY }} - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Compute diff and changed files - id: diff - run: | - BASE_SHA="${{ github.event.pull_request.base.sha }}" - HEAD_SHA="${{ github.event.pull_request.head.sha }}" - - git diff --name-only "$BASE_SHA" "$HEAD_SHA" > changed_files.txt - git diff --unified=3 "$BASE_SHA" "$HEAD_SHA" > diff.patch - - if [ ! -s changed_files.txt ]; then - echo "no_changes=true" >> "$GITHUB_OUTPUT" - else - echo "no_changes=false" >> "$GITHUB_OUTPUT" - fi - - - name: Prepare fallback review - if: steps.diff.outputs.no_changes == 'true' - run: | - printf '%s' "$REVIEW_TABLE_FALLBACK" > raw_review.md - cp raw_review.md review_result.md - - - name: Install Codex CLI - if: steps.diff.outputs.no_changes == 'false' - run: | - sudo apt-get update - sudo apt-get install -y --no-install-recommends curl ca-certificates git - npm install -g @openai/codex@latest - mkdir -p ~/.codex - cat < ~/.codex/config.toml - # Set the default model and provider - model = "${AZURE_OPENAI_MODEL}" - model_provider = "azure" - preferred_auth_method = "apikey" - - # Configure the Azure provider - [model_providers.azure] - name = "Azure" - - # Make sure you set the appropriate subdomain for this URL. 
- base_url = "${AZURE_OPENAI_BASE_URL}/openai/v1" - env_key = "AZURE_OPENAI_API_KEY" - wire_api = "responses" - model_reasoning_effort = "high" - EOF - codex --version - - - name: Run Codex code review - if: steps.diff.outputs.no_changes == 'false' - run: | - if [ -z "$AZURE_OPENAI_API_KEY" ]; then - echo "AZURE_OPENAI_API_KEY secret is not configured." >&2 - exit 1 - fi - - HEADER="You are an expert software engineer performing a strict code review for the provided pull request diff." - RULES="Rules:\n- Output ONLY a GitHub-flavored Markdown table with exactly these columns: File | Concern | Recommendation | Severity.\n- Every row must reference a real file path from the Changed files list.\n- Severity must be one of: info, minor, major, critical.\n- If no issues are found, return a single table row with 'All files' in the File column and 'No issues found' in the Concern column.\n- Cite line numbers from the diff using the format L.\n- Do not wrap the table in backticks or add any prose before or after the table.\n- Focus on actionable feedback specific to the diff." - - CHANGED_FILES_SECTION="Changed files:\n$(cat changed_files.txt)" - DIFF_SECTION="Unified diff:\n$(cat diff.patch)" - - export CODEX_PROMPT="$HEADER\n\n$RULES\n\n$CHANGED_FILES_SECTION\n\n$DIFF_SECTION" - - printf '%s\n' "$CODEX_PROMPT" - - codex exec --full-auto "$CODEX_PROMPT" | tee codex_raw.txt >/dev/null - - printf '\n\nRaw Codex Output:\n%s\n' "$(cat codex_raw.txt)" - - sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' codex_raw.txt | tr -d '\r' > raw_review.md - - if ! 
grep -q '|' raw_review.md; then - printf '%s\n' "$REVIEW_TABLE_FALLBACK" > raw_review.md - fi - - - name: Normalize review table with Azure OpenAI - if: steps.diff.outputs.no_changes == 'false' - run: | - python3 -m pip install --quiet --upgrade pip 'openai>=1.45.0' - python3 scripts/normalize_review_result.py - - - name: Post review as PR comment - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - if [ -f review_result.md ]; then - BODY_FILE=review_result.md - elif [ -f raw_review.md ]; then - BODY_FILE=raw_review.md - else - printf '%s' "$REVIEW_TABLE_FALLBACK" > review_result.md - BODY_FILE=review_result.md - fi - - # Append attribution footer to the comment body - printf '\n\nReviewed by Codex\n' >> "$BODY_FILE" - - gh pr comment ${{ github.event.pull_request.number }} --body-file "$BODY_FILE" - - - name: Upload Codex raw output - if: steps.diff.outputs.no_changes == 'false' - uses: actions/upload-artifact@v4 - with: - name: codex-review-logs - path: | - codex_raw.txt - raw_review.md - review_result.md - diff.patch - changed_files.txt diff --git a/github-copilot-features/refactor/nullptrtest.cpp b/github-copilot-features/refactor/nullptrtest.cpp new file mode 100644 index 0000000..7ab58db --- /dev/null +++ b/github-copilot-features/refactor/nullptrtest.cpp 
@@ -0,0 +1,58 @@ +#include +#include +#include + +class Data { +public: + std::string name; + int value; + Data(std::string n, int v) : name(n), value(v) {} +}; + + + + +class Container { +private: + std::vector dataList; + +public: + void addData(Data* data) { + dataList.push_back(data); + } + + Data* findData(const std::string& name) { + for (auto data : dataList) { + if (data && data->name == name) { + return data; + } + } + return nullptr; + } +}; + +class Processor { +private: + Container* container; + +public: + Processor(Container* c) : container(c) {} + + void processData(const std::string& name) { + Data* data = container->findData(name); + + std::cout << "Processing data: " << data->name << ", value: " << data->value << std::endl; + } +}; + +int main() { + Container container; + container.addData(new Data("item1", 10)); + container.addData(new Data("item2", 20)); + + Processor processor(&container); + processor.processData("item1"); + processor.processData("item3"); + + return 0; +} \ No newline at end of file From 0af19733927975b6a34eff03d0a3a0ffc3372c61 Mon Sep 17 00:00:00 2001 From: jacwu Date: Tue, 11 Nov 2025 08:15:20 +0800 Subject: [PATCH 2/7] modified --- github-copilot-features/refactor/nullptr.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/github-copilot-features/refactor/nullptr.cpp b/github-copilot-features/refactor/nullptr.cpp index 7ab58db..3a524e8 100644 --- a/github-copilot-features/refactor/nullptr.cpp +++ b/github-copilot-features/refactor/nullptr.cpp @@ -2,6 +2,7 @@ #include #include + class Data { public: std::string name; From d1ce573445b60adf29b943f50deb7334c27964ef Mon Sep 17 00:00:00 2001 From: jacwu Date: Tue, 11 Nov 2025 08:40:37 +0800 Subject: [PATCH 3/7] modified --- github-copilot-features/refactor/nullptr.cpp | 2 ++ 1 file changed, 2 insertions(+) diff --git a/github-copilot-features/refactor/nullptr.cpp b/github-copilot-features/refactor/nullptr.cpp index 3a524e8..883a9c5 100644 
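Review bot: `processData` dereferences the pointer returned by `findData` without checking it, and `main` then calls `processor.processData("item3")` for a name that was never added, so `data->name` is a null-pointer dereference (undefined behaviour, in practice a crash). Guard before the print: `if (data == nullptr) { std::cerr << "No data named " << name << '\n'; return; }`. The `Data` objects created with `new` in `main` are never deleted; storing them as `std::vector<std::unique_ptr<Data>>` in `Container` (with `addData` taking a `std::unique_ptr<Data>` by value) would give them an owner. The header names after `#include` and the element type of `dataList` appear to have been stripped from this rendering, so those declarations are not verified here. If this file is meant as a deliberately defective refactoring sample, a one-line comment at the top saying so would stop the crash from being filed as a bug.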
--- a/github-copilot-features/refactor/nullptr.cpp +++ b/github-copilot-features/refactor/nullptr.cpp @@ -3,6 +3,8 @@ #include + + class Data { public: std::string name; From c9c568e74c1bc5330e356198180102243c20fcfe Mon Sep 17 00:00:00 2001 From: jacwu Date: Tue, 11 Nov 2025 17:59:12 +0800 Subject: [PATCH 4/7] modified --- github-copilot-features/refactor/nullptr.cpp | 3 +++ 1 file changed, 3 insertions(+) diff --git a/github-copilot-features/refactor/nullptr.cpp b/github-copilot-features/refactor/nullptr.cpp index 883a9c5..aaf37a2 100644 --- a/github-copilot-features/refactor/nullptr.cpp +++ b/github-copilot-features/refactor/nullptr.cpp @@ -5,6 +5,9 @@ + + + class Data { public: std::string name; From 453b17f131dd017cbeef21463c02c1c89d764a45 Mon Sep 17 00:00:00 2001 From: jacwu Date: Wed, 12 Nov 2025 12:06:13 +0800 Subject: [PATCH 5/7] modified --- github-copilot-features/refactor/nullptr.cpp | 4 ---- 1 file changed, 4 deletions(-) diff --git a/github-copilot-features/refactor/nullptr.cpp b/github-copilot-features/refactor/nullptr.cpp index aaf37a2..855ffd5 100644 --- a/github-copilot-features/refactor/nullptr.cpp +++ b/github-copilot-features/refactor/nullptr.cpp @@ -4,10 +4,6 @@ - - - - class Data { public: std::string name; From 1fe3117aa97ffdf99415768a3ff28532022c1ad4 Mon Sep 17 00:00:00 2001 From: jacwu Date: Wed, 3 Dec 2025 22:23:27 +0800 Subject: [PATCH 6/7] Add PR Copilot PII Review workflow for automated security analysis --- .github/workflows/pr-copilot-PII-review.yml | 145 ++++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 .github/workflows/pr-copilot-PII-review.yml diff --git a/.github/workflows/pr-copilot-PII-review.yml b/.github/workflows/pr-copilot-PII-review.yml new file mode 100644 index 0000000..65ee6e7 --- /dev/null +++ b/.github/workflows/pr-copilot-PII-review.yml 
@@ -0,0 +1,145 @@ +name: PR Copilot PII Review + +on: + pull_request: + types: [opened, reopened, ready_for_review, synchronize] + + +permissions: + contents: read + pull-requests: write + +jobs: + copilot_pii_review: + name: Copilot PII Review + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: '22' + + - name: Compute diff and changed files + id: diff + run: | + BASE_SHA="${{ github.event.pull_request.base.sha }}" + HEAD_SHA="${{ github.event.pull_request.head.sha }}" + + git diff --name-only "$BASE_SHA" "$HEAD_SHA" > changed_files.txt + git diff --unified=3 "$BASE_SHA" "$HEAD_SHA" > diff.patch + + if [ ! -s changed_files.txt ]; then + echo "no_changes=true" >> "$GITHUB_OUTPUT" + else + echo "no_changes=false" >> "$GITHUB_OUTPUT" + fi + + - name: Install Copilot CLI + if: steps.diff.outputs.no_changes == 'false' + run: | + npm install -g @github/copilot + copilot --version + + - name: Run Copilot PII review + env: + GITHUB_TOKEN: ${{ secrets.COPILOT_CLI_PAT }} + if: steps.diff.outputs.no_changes == 'false' + run: | + if [ -z "$GITHUB_TOKEN" ]; then + echo "GITHUB_TOKEN secret is not configured." >&2 + exit 1 + fi + + printf 'GITHUB_TOKEN is set: ${{secrets.COPILOT_CLI_PAT}}' + + HEADER="You are a professional security expert specializing in PII (Personally Identifiable Information) detection. The current working directory is a Git repository undergoing a Pull Request code review." + + REVIEW_REQUIREMENTS="**Review Task**: + Analyze the provided code diff for potential PII exposure and privacy concerns. + + **Changed Files**: $(cat changed_files.txt | tr '\n' ', ' | sed 's/,$//') + + **Review Requirements**: + Please focus on the following PII-related aspects and provide a detailed security review: + 1. Direct PII exposure (names, emails, phone numbers, addresses, SSN, credit card numbers, etc.) + 2. 
Indirect PII that could identify individuals when combined + 3. Hardcoded credentials, API keys, or tokens + 4. Logging or printing of sensitive user data + 5. Insufficient data masking or anonymization + 6. PII stored in comments, test data, or configuration files + 7. Potential GDPR, CCPA, or other privacy regulation violations" + + RULES="**Output Format Requirements**: + - Output ONLY a GitHub-flavored Markdown table with exactly these columns: File | Concern | Recommendation | Severity + - Every row must reference a real file path from the Changed files list + - Severity must be one of: info, minor, major, critical + - If no PII issues are found, return a single table row with 'All files' in the File column and 'No PII issues found' in the Concern column + - Cite line numbers from the diff using the format L + - Do not wrap the table in backticks or add any prose before or after the table + - Focus on actionable PII-related feedback specific to the diff + + **Mandatory Requirements**: + 1. Base your review on the actual diff content provided below + 2. Provide comprehensive PII analysis with specific examples where applicable + 3. Prioritize critical privacy concerns that could lead to data breaches" + + DIFF_SECTION="**Unified diff**:\n$(cat diff.patch)" + + export COPILOT_PROMPT="$HEADER\n\n$REVIEW_REQUIREMENTS\n\n$RULES\n\n$DIFF_SECTION" + + printf '%s\n' "$COPILOT_PROMPT" + + copilot -p "$COPILOT_PROMPT" | tee copilot_raw.txt >/dev/null + + printf '\n\nRaw Copilot Output:\n%s\n' "$(cat copilot_raw.txt)" + + sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' copilot_raw.txt | tr -d '\r' > raw_review.md + + if ! 
grep -q '|' raw_review.md; then + printf '%s\n' "$REVIEW_TABLE_FALLBACK" > raw_review.md + fi + + - name: Format review output + run: | + PR_NUMBER="${{ github.event.pull_request.number }}" + + cat > review_result.md < Date: Thu, 4 Dec 2025 08:16:02 +0800 Subject: [PATCH 7/7] modify --- .github/workflows/pr-copilot-PII-review.yml | 27 ++++++++++----------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/.github/workflows/pr-copilot-PII-review.yml b/.github/workflows/pr-copilot-PII-review.yml index 65ee6e7..716c657 100644 --- a/.github/workflows/pr-copilot-PII-review.yml +++ b/.github/workflows/pr-copilot-PII-review.yml 
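Review bot: The line `printf 'GITHUB_TOKEN is set: ${{secrets.COPILOT_CLI_PAT}}'` in the "Run Copilot PII review" step expands the PAT into the step script, puts it in the shell's argument list and writes it to the job log, relying entirely on best-effort log masking; drop the line or reduce it to `printf 'GITHUB_TOKEN is set\n'`. The fallback branch `printf '%s\n' "$REVIEW_TABLE_FALLBACK"` references a variable this workflow never defines (the deleted codex workflow set it under `env:`), so on a non-table response `raw_review.md` is written empty; patch 7 in this series replaces it with `REVIEW_FALLBACK`. The tail of this hunk, from `cat > review_result.md <` to the end of the file, is missing from this rendering, so the steps that post the result could not be reviewed.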
@@ -75,19 +75,20 @@ jobs: 7. Potential GDPR, CCPA, or other privacy regulation violations" RULES="**Output Format Requirements**: - - Output ONLY a GitHub-flavored Markdown table with exactly these columns: File | Concern | Recommendation | Severity - - Every row must reference a real file path from the Changed files list - - Severity must be one of: info, minor, major, critical - - If no PII issues are found, return a single table row with 'All files' in the File column and 'No PII issues found' in the Concern column - - Cite line numbers from the diff using the format L - - Do not wrap the table in backticks or add any prose before or after the table - - Focus on actionable PII-related feedback specific to the diff + Provide specific, actionable feedback including: + 1. Relevant file names and line numbers + 2. Clear issue descriptions + 3. Concrete fix recommendations + 4. Severity levels (info, minor, major, critical) + 5. Organize the review report in markdown format with clear section structure **Mandatory Requirements**: 1. Base your review on the actual diff content provided below 2. Provide comprehensive PII analysis with specific examples where applicable 3. Prioritize critical privacy concerns that could lead to data breaches" + REVIEW_FALLBACK="No Personally Identifiable Information (PII) exposure or privacy concerns were detected in the analyzed code changes." + DIFF_SECTION="**Unified diff**:\n$(cat diff.patch)" export COPILOT_PROMPT="$HEADER\n\n$REVIEW_REQUIREMENTS\n\n$RULES\n\n$DIFF_SECTION" @@ -101,7 +102,7 @@ jobs: sed -E 's/\x1B\[[0-9;]*[A-Za-z]//g' copilot_raw.txt | tr -d '\r' > raw_review.md if ! grep -q '|' raw_review.md; then - printf '%s\n' "$REVIEW_TABLE_FALLBACK" > raw_review.md + printf '%s\n' "$REVIEW_FALLBACK" > raw_review.md fi - name: Format review output @@ -109,21 +110,19 @@ jobs: PR_NUMBER="${{ github.event.pull_request.number }}" cat > review_result.md <
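Review bot: The fallback check in the second hunk, `if ! grep -q '|' raw_review.md; then`, still tests for a pipe character, but the first hunk replaces the table-only output format with a free-form markdown report, so a report that contains real findings but no `|` is now silently overwritten with `REVIEW_FALLBACK` ("No ... PII ... detected") — a false negative that hides results. Test for an empty response instead: `if [ ! -s raw_review.md ]; then`. `REVIEW_FALLBACK` is assigned as a shell variable inside this step's `run:` script and is therefore not visible to later steps; if the "Format review output" step (whose hunk is cut off in this rendering) needs it, move it under the job's `env:`. The `run:` script enclosing these lines starts before the first hunk.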