From f30f8905ec734ee2a38809745af42d4f6a675613 Mon Sep 17 00:00:00 2001
From: wucm667
Date: Sat, 28 Feb 2026 10:20:57 +0800
Subject: [PATCH] fix(ci): fix the gosec scan timeout caused by ent-generated code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[Problem description]
The backend-security CI job kept running for about 6 hours and was then forcibly cancelled by GitHub Actions; the symptom was the 'Run gosec' step hanging, with the job finally ending in the cancelled state.

[Root cause]
When gosec runs AST static analysis over ./..., it includes the auto-generated files under the ent/ directory (e.g. mutation.go, 24800 lines in total), so the analysis time exceeds the default 6-hour limit of GitHub Actions.

[Fix]
1. Add -exclude-dir=ent to the gosec command to skip the auto-generated code directory
2. Add timeout-minutes: 15 to the backend-security job, so that similar problems in the future are not discovered only after a long hang

Everything under ent/ is auto-generated by the Ent ORM framework; developers do not write it directly, it does not need to be included in the scope of manual security audit, and excluding it does not affect the effectiveness of the scan.
---
 .github/workflows/security-scan.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index fd0c7a41..830b2667 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -12,6 +12,7 @@ permissions: jobs: backend-security: runs-on: ubuntu-latest + timeout-minutes: 15 steps: - uses: actions/checkout@v4 - name: Set up Go @@ -32,7 +33,8 @@ jobs: working-directory: backend run: | go install github.com/securego/gosec/v2/cmd/gosec@latest - gosec -conf .gosec.json -severity high -confidence high ./... + # exclude ent/ — auto-generated ORM code, not subject to manual security review + gosec -conf .gosec.json -severity high -confidence high -exclude-dir=ent ./... frontend-security: runs-on: ubuntu-latest
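Review bot: `timeout-minutes: 15` on the backend-security job (first hunk, after `runs-on: ubuntu-latest`) is a tight budget, because the same job's `go install github.com/securego/gosec/v2/cmd/gosec@latest` step has to download and compile gosec before the scan even starts; confirm the value holds with a cold module cache, and consider pinning gosec to a tagged version rather than `@latest` so that a new gosec release cannot silently change either the run time (and so trip this timeout) or the set of findings between two runs of the same commit. The timeout itself is the right call: a hung scan now surfaces as a failed job within minutes instead of a 6-hour cancellation.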
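Review bot: `-exclude-dir=ent` in the second hunk drops a whole directory from the scan on the strength of the commit message's claim that ent/ contains no hand-written code, and that claim should be checked before merging: under Ent's default layout the schema definitions (including any hooks and privacy policies developers add) live in ent/schema, so they would silently leave the security scan along with the generated files. gosec's `-exclude-generated` flag is the more precise tool here, since it skips only files carrying the standard `// Code generated ... DO NOT EDIT.` header that Ent emits and keeps ent/schema in scope; if `-exclude-dir` is kept, verify on the real tree that directories whose names merely contain `ent` (client, event, agent and the like) are still scanned, as gosec's directory exclusion is pattern-based rather than an exact top-level path match. Either way, compare the `Files :` count in gosec's summary output before and after the change to confirm that only the generated files were dropped.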