From 6605d47e2926115dae554cdb55bcd364940f0611 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 24 Mar 2026 02:14:51 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=B0=EF=B8=8F=20[Sky-Eye=20Audit]=20add?= =?UTF-8?q?ress=20code=20review:=20email=20regex,=20log=20fallback,=20sani?= =?UTF-8?q?tize=20receipts,=20use=20Node.js=20validation?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: qinfendebingshuo <207279273+qinfendebingshuo@users.noreply.github.com> Agent-Logs-Url: https://github.com/qinfendebingshuo/guanghulab/sessions/8bc25538-ab95-4520-a72b-ff0d8405c7c7 --- .github/workflows/skyeye-credential-audit.yml | 2 +- .github/workflows/sync-repo-to-drive.yml | 2 +- scripts/grid-db/deploy-drive-bridge.js | 2 +- scripts/skyeye/credential-validator.js | 3 ++- scripts/tcs-semantic-landing.js | 3 ++- 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/skyeye-credential-audit.yml b/.github/workflows/skyeye-credential-audit.yml index cf762806..c52d98e8 100644 --- a/.github/workflows/skyeye-credential-audit.yml +++ b/.github/workflows/skyeye-credential-audit.yml @@ -16,7 +16,7 @@ name: "🛰️ 天眼密钥流审计 (Sky-Eye Credential Audit)" on: schedule: - # 每天 UTC 14:00 (CST 22:00) 执行一次审计 + # 每天 UTC 14:00 (UTC+8 22:00) 执行一次审计 - cron: "0 14 * * *" workflow_dispatch: diff --git a/.github/workflows/sync-repo-to-drive.yml b/.github/workflows/sync-repo-to-drive.yml index 973445f7..9a66dcf4 100644 --- a/.github/workflows/sync-repo-to-drive.yml +++ b/.github/workflows/sync-repo-to-drive.yml @@ -50,7 +50,7 @@ jobs: chmod 600 "${SA_FILE}" # 天眼密钥流校验:验证 JSON 完整性 - if ! python3 -c "import json,sys; json.load(open(sys.argv[1]))" "${SA_FILE}" 2>/dev/null; then + if ! node -e "JSON.parse(require('fs').readFileSync(process.argv[1],'utf8'))" "${SA_FILE}" 2>/dev/null; then echo "::error::GOOGLE_DRIVE_SERVICE_ACCOUNT contains invalid JSON (possible truncation)" rm -f "${SA_FILE}" exit 1 diff --git a/scripts/grid-db/deploy-drive-bridge.js b/scripts/grid-db/deploy-drive-bridge.js index 1a0e0ff9..79834f18 100644 --- a/scripts/grid-db/deploy-drive-bridge.js +++ b/scripts/grid-db/deploy-drive-bridge.js @@ -311,7 +311,7 @@ async function deploy(commandFilePath) { if (!validation.valid) { console.error('[deploy] 🔴 Credential validation failed:'); console.error(formatDiagnosticReport(validation)); - writeReceipt(deploy_id, dev_id, 'failed', `Credential validation failed: ${validation.issues.join('; ')}`); + writeReceipt(deploy_id, dev_id, 'failed', 'Credential validation failed: invalid service account JSON format'); return; } credentials = validation.credentials; diff --git a/scripts/skyeye/credential-validator.js b/scripts/skyeye/credential-validator.js index de72b3a2..4a210300 100644 --- a/scripts/skyeye/credential-validator.js +++ b/scripts/skyeye/credential-validator.js @@ -146,7 +146,8 @@ function validateServiceAccountJSON(jsonStr) { } if (parsed.client_email) { - const emailOk = String(parsed.client_email).includes('@') && String(parsed.client_email).includes('.iam.gserviceaccount.com'); + const emailStr = String(parsed.client_email); + const emailOk = /^[^@]+@[^@]+\.iam\.gserviceaccount\.com$/.test(emailStr); result.diagnostics.field_checks.client_email_format = emailOk ? 'ok' : 'not a valid service account email'; if (!emailOk) result.issues.push('Field \'client_email\' does not match service account email pattern'); } diff --git a/scripts/tcs-semantic-landing.js b/scripts/tcs-semantic-landing.js index 2a556a45..764557b0 100644 --- a/scripts/tcs-semantic-landing.js +++ b/scripts/tcs-semantic-landing.js @@ -53,7 +53,8 @@ function buildAuth(serviceAccountJson) { console.log('[semantic-landing] ✅ Service account credentials validated'); } catch (err) { if (err.message === 'Service account credential validation failed') throw err; - // Fallback: if validator module is unavailable, try direct parse + // Fallback: validator module unavailable, try direct parse + console.log('[semantic-landing] Validator unavailable, using direct JSON.parse'); credentials = JSON.parse(serviceAccountJson); } return new google.auth.GoogleAuth({