proof-pr 0.1.10 → 0.1.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +12 -4
- package/dist/index.js +59 -5
- package/package.json +1 -1
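--- a/package/README.md
+++ b/package/README.md
@@ -12,7 +12,15 @@ ProofPR 是给开源维护者和工程团队使用的 PR 证据门禁。它在
 npx proof-pr@latest --version
 ```
 
-当前应输出 `0.1.
+当前应输出 `0.1.12`。
+
+不知道用哪个功能时:
+
+```bash
+npx proof-pr@latest
+# 或
+npx proof-pr@latest guide
+```
 
 初始化配置和 GitHub Action:
 
@@ -37,7 +45,7 @@ npx proof-pr@latest scan --diff-file examples/cases/workflow-untrusted-checkout.
 生成独立 HTML 可视化报告:
 
 ```bash
-npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html
+npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html --output proofpr-report.html
 ```
 
 运行 benchmark:
@@ -49,7 +57,7 @@ npx proof-pr@latest benchmark --cases benchmarks/cases
 ## GitHub Action
 
 ```yaml
-- uses: linsk27/proof-pr@v0.1.
+- uses: linsk27/proof-pr@v0.1.12
 with:
 fail-on: high
 comment: "true"
@@ -62,7 +70,7 @@ npx proof-pr@latest benchmark --cases benchmarks/cases
 - 证据评分:0-100 分。
 - Review 门禁:正常 review、重点 review、先补证据、风险处理前不要合并。
 - Review 行动清单:维护者可直接执行的 checklist。
-- 可选输出:GitHub annotations、SARIF、benchmark report、独立 HTML
+- 可选输出:GitHub annotations、SARIF、benchmark report、独立 HTML 可视化报告;CLI 可用 `--output` 直接写文件。
 
 ## 常用预设
 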
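--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -25732,7 +25732,13 @@ const build_program = new Command();
 build_program
 .name("proof-pr")
 .description("Review pull request evidence, scope, and safety before maintainers spend time on it.")
-.version("0.1.
+.version("0.1.12");
+build_program
+.command("guide")
+.description("Show a copy-paste friendly guide for common ProofPR tasks.")
+.action(() => {
+process.stdout.write(renderGuide());
+});
 build_program
 .command("scan", { isDefault: true })
 .description("Scan a git diff and print a ProofPR report.")
@@ -25744,6 +25750,7 @@ build_program
 .option("--pr-body-file <path>", "Read a pull request body from a Markdown file.")
 .option("--config <path>", "Path to .proofpr.yml.", ".proofpr.yml")
 .option("--format <format>", "Output format: markdown, json, sarif, or html.", parseFormat, "markdown")
+.option("--output <path>", "Write report output to a file instead of stdout.")
 .option("--locale <locale>", "Report language: en or zh-CN.")
 .option("--fail-on <level>", "Exit with code 1 on risk level: low, medium, high, or never.", parseFailLevel, "never")
 .action(async (options) => {
@@ -25758,7 +25765,13 @@ build_program
 const result = scanDiff(diffText, { config, pullRequest });
 const locale = parseLocale(options.locale, config.locale);
 const output = renderOutput(result, options.format, locale);
-
+if (options.output) {
+await writeOutput(options.output, `${output}\n`);
+process.stdout.write(`ProofPR ${options.format} report written to ${options.output}\n`);
+}
+else {
+process.stdout.write(`${output}\n`);
+}
 if (riskMeetsThreshold(result.risk, options.failOn)) {
 process.exitCode = 1;
 }
@@ -25774,7 +25787,7 @@ build_program
 .action(async (options) => {
 await writeIfMissing(options.configPath, renderConfigTemplate(options.preset), options.force);
 await writeIfMissing(options.workflowPath, renderWorkflowTemplate(options.failOn), options.force);
-process.stdout.write(`ProofPR initialized.\n\nCreated:\n- ${options.configPath}\n- ${options.workflowPath}\n\nNext:\n1. Commit these files.\n2. Open or update a pull request.\n3. Read the ProofPR comment or Actions summary.\n\nLocal check:\nnpx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN\n`);
+process.stdout.write(`ProofPR initialized.\n\nCreated:\n- ${options.configPath}\n- ${options.workflowPath}\n\nNext:\n1. Commit these files.\n2. Open or update a pull request.\n3. Read the ProofPR comment or Actions summary.\n\nLocal check:\nnpx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN\n\nNeed another task?\nnpx proof-pr@latest guide\n`);
 });
 build_program
 .command("benchmark")
@@ -25805,11 +25818,52 @@ build_program
 process.exitCode = 1;
 }
 });
-
+const args = process.argv.slice(2);
+const parseTask = args.length === 0
+? Promise.resolve(process.stdout.write(renderGuide()))
+: build_program.parseAsync(process.argv);
+parseTask.catch((error) => {
 const message = error instanceof Error ? error.message : String(error);
 process.stderr.write(`ProofPR failed: ${message}\n`);
 process.exitCode = 1;
 });
+function renderGuide() {
+return `ProofPR 功能菜单
+
+最推荐先做第 1 步。已经接入过的项目,按目标复制下面的命令即可。
+
+1. 接入 GitHub PR 自动检查
+npx proof-pr@latest init
+然后提交 .proofpr.yml 和 .github/workflows/proofpr.yml,打开 PR 后看评论和 Actions summary。
+
+2. 本地检查当前分支
+npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN
+适合在发 PR 前先看风险、证据评分和 Review 行动清单。
+
+3. 生成可分享 HTML 报告
+npx proof-pr@latest scan --base origin/main --head HEAD --locale zh-CN --format html --output proofpr-report.html
+生成后用浏览器打开 proofpr-report.html。
+
+4. 生成 GitHub Code Scanning 的 SARIF
+npx proof-pr@latest scan --base origin/main --head HEAD --format sarif --output proofpr.sarif
+适合在 CI 里配合 github/codeql-action/upload-sarif 使用。
+
+5. 试跑内置风险案例
+npx proof-pr@latest scan --diff-file examples/cases/workflow-untrusted-checkout.diff --locale zh-CN
+不需要改项目代码,也能快速看到 ProofPR 会抓什么风险。
+
+6. 验证规则样本是否仍然命中
+npx proof-pr@latest benchmark --cases benchmarks/cases
+适合维护 ProofPR 规则或发版前回归。
+
+7. 调整审查强度
+打开 .proofpr.yml,把 preset 改成 security-strict、dependency-careful 或 mcp-security。
+
+结果在哪里看:
+- GitHub Action:PR Conversation 评论、Actions summary、Checks 状态。
+- 本地 CLI:终端输出;如果用了 --output,就看写出的 HTML / JSON / SARIF / Markdown 文件。
+`;
+}
 async function readGitDiff(base, head) {
 const args = ["diff", "--no-ext-diff", "--unified=0"];
 if (base) {
@@ -25871,7 +25925,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
-- uses: linsk27/proof-pr@v0.1.
+- uses: linsk27/proof-pr@v0.1.12
 with:
 fail-on: ${failOn}
 comment: "true"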
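Review bot: The `args.length === 0` short-circuit at new lines 25821–25824 bypasses commander entirely, so a bare `proof-pr` now prints the guide and exits 0, while `scan` still carries `isDefault: true` (context at 25743) and only takes effect once at least one token such as `--base` is present; the two defaults disagree, and the `--fail-on` gate in the scan action never runs for the bare call. If any CI job or wrapper invoked the binary with no arguments and relied on the default scan, it now passes silently, which is worth a comment at the branch, e.g. `// No argv at all: print the guide; commander's default "scan" still handles option-only calls.`, or dropping `isDefault: true` so both paths behave alike. `Promise.resolve(process.stdout.write(renderGuide()))` wraps a boolean only to share the `.catch`; a plain `if (args.length === 0) { process.stdout.write(renderGuide()); } else { build_program.parseAsync(process.argv).catch(...); }` reads more clearly. The new module-level `const args` also sits beside `readGitDiff`'s local `args` in a 25k-line bundle, so a distinct name such as `cliArgs` would avoid confusion.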