ci/cd(frontend): fix deploy web on

[LiusCraft]

• Add createReleasePlan, updateReleasePlan, and cancelReleasePlan API methods
• Define AlarmChangeItem interface for alarm change records
• Initialize yarn.lock for dependency management

变更背景和解决方案

关联issue: #

文档更新（架构文档、API文档、升级文档）

Checklist

• 确认是否有文档更新
• 确认是否自测
• 确认是否考虑兼容升级，不兼容升级需要有对应的解决方案
• 确认是否考虑添加监控指标
• API 设计是否符合 API 设计规范, 如果没有 API 变更，请忽略
• 我已经添加了相关人员到 Reviewers 列表中
• 我已经设置了 Development 关联的 Issue

[niupilot]

PR Review Progress

• Read repository guidelines (CLAUDE.md)
• Review client/src/api/index.ts changes
• Review client/src/stores/app.ts changes
• Analyze yarn.lock addition
• Check for documentation consistency
• Provide comprehensive review feedback

📋 Code Review Summary

This PR adds release plan management functionality to the frontend client. The changes are well-structured and follow existing patterns. Here's my detailed review:

✅ Positive Aspects

1. Consistent API Design: The new release plan endpoints follow the same RESTful pattern as existing APIs (POST for create, PUT for update, DELETE for cancel).

2. Type Safety: The AlarmChangeItem interface is properly typed and already has corresponding UI components (AlarmChangeCard.vue), showing good planning.

3. Error Handling: The store methods properly implement try/catch blocks with loading states and error messages.

4. Code Organization: Changes are logically placed - API methods in api/index.ts and state management in stores/app.ts.

🔍 Issues and Improvements

High Priority Issues

1. Type Safety Violations (client/src/api/index.ts:104, 112)

   // ❌ Current implementation
   createReleasePlan: (planData: any) => {
   updateReleasePlan: (id: string, planData: any) => {

   Problem: Using any type defeats TypeScript's purpose and makes the API unsafe.

   Recommendation: Define proper interfaces:

   interface ReleasePlanData {
     version: string;
     startTime: string;
     serviceName?: string;
     description?: string;
   }
   
   createReleasePlan: (planData: ReleasePlanData) => {
   updateReleasePlan: (id: string, planData: Partial<ReleasePlanData>) => {

2. Missing Error Response Handling (client/src/stores/app.ts:198, 216, 233)

   // ❌ Current implementation  
   } catch (err: any) {
     error.value = err.message || '创建发布计划失败'

   Problem: Assumes err.message exists, but HTTP errors might have different structure.

   Recommendation:

   } catch (err: any) {
     error.value = err.response?.data?.message || err.message || '创建发布计划失败'

Medium Priority Issues

3. API Endpoint Inconsistency (client/src/api/index.ts:104-115)

   • Existing endpoints use patterns like /v1/deployments and /v1/services
   • New endpoints use /v1/release-plans (with hyphens)
   • Recommendation: Verify backend API design follows the same convention

4. Missing Integration with Existing Code (client/src/stores/app.ts:189-238)

   • The new methods are defined but may not be connected to UI components
   • Consider if these should trigger data refresh for existing deployment/service lists

Low Priority Issues

5. yarn.lock Addition
   • The 2700+ line yarn.lock suggests either:
     • First-time dependency installation (good for reproducible builds)
     • Potentially unexpected dependency changes
   • Recommendation: Verify no unexpected package version bumps occurred

🏗️ Architecture Considerations

1. State Management Pattern: The implementation correctly follows the Pinia store pattern used elsewhere in the codebase.

2. API Layer Separation: Good separation between API calls (api/index.ts) and state management (stores/app.ts).

📚 Documentation Consistency

Status: ✅ Good - No documentation updates required for this change as:

• The client README focuses on development setup, not API usage
• The AlarmChangeItem interface already has corresponding UI components
• This appears to be internal API additions rather than public interface changes

🧪 Testing Recommendations

1. Test the new API endpoints with various payload structures
2. Verify error handling with network failures and HTTP error responses
3. Test the loading states in the UI during API calls
4. Validate the store state updates correctly after each operation

📝 Minor Suggestions

1. Consider adding JSDoc comments for the new API methods
2. The Chinese error messages are fine for a Chinese application, but ensure consistency
3. Consider adding validation for required fields in the planData

🎯 Overall Assessment

Score: B+ (Good with room for improvement)

This is a solid implementation that follows existing patterns well. The main concerns are around type safety and robust error handling. The code is functional and well-organized, but addressing the type safety issues would significantly improve maintainability and developer experience.

The changes align well with the existing codebase architecture and the AlarmChangeItem interface shows good forward-thinking as the UI components are already in place.

---

👉 Want me to re-run this review? Just type /review in the comments! For more usage examples, visit CodeAgent GitHub Repository.

[gemini-code-assist]

Summary of Changes

Hello @LiusCraft, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces new functionalities for managing release plans through dedicated API endpoints and defines a new data structure for handling alarm change records. The changes aim to expand the system's capabilities for release management and provide a clear type definition for alarm-related data.

Highlights

• New Release Plan API Endpoints: Added createReleasePlan, updateReleasePlan, and cancelReleasePlan methods to the apiService in client/src/api/index.ts to manage release plans.
• Alarm Change Type Definition: Introduced the AlarmChangeItem interface in client/src/stores/app.ts to define the structure for alarm change records.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

本次 PR 主要添加了用于管理发布计划的 API 端点（创建、更新、取消）以及定义了告警变更记录的 AlarmChangeItem 接口。

代码变更总体上是清晰的，并且遵循了项目现有的模式。我的评审意见主要集中在提高代码的类型安全和长期可维护性方面：

1. 在 api/index.ts 中，建议为 API 方法的参数提供具体的类型，而不是使用 any，以充分利用 TypeScript 的优势。
2. 在 stores/app.ts 中，我注意到类型定义和 store 逻辑耦合在一起。建议将共享的类型定义（如 ReleasePlan, AlarmChangeItem）提取到专门的类型文件中，以改善代码结构并避免潜在的循环依赖。

这些调整将有助于提高代码质量和项目的可扩展性。请查看具体的评论以获取详细信息和代码建议。

[gemini-code-assist]

为了提高代码的可维护性和类型安全，建议避免使用 any 类型。planData 的类型应该更具体。ReleasePlan 接口已在 client/src/stores/app.ts 中定义。我们可以使用 TypeScript 的 import() 类型查询来引用它，而不会产生运行时循环依赖。

对于 createReleasePlan，planData 的类型应该是 ReleasePlan 中除去 id 的所有字段。对于 updateReleasePlan，它应该是这些字段的部分集合（Partial）。

Suggested change

	createReleasePlan: (planData: any) => {
	return api.post('/v1/release-plans', planData)
	},
	// 更新发布计划
	updateReleasePlan: (id: string, planData: any) => {
	return api.put(`/v1/release-plans/${id}`, planData)
	},
	createReleasePlan: (planData: Omit<import('@/stores/app').ReleasePlan, 'id'>) => {
	return api.post('/v1/release-plans', planData)
	},
	// 更新发布计划
	updateReleasePlan: (id: string, planData: Partial<Omit<import('@/stores/app').ReleasePlan, 'id'>>) => {
	return api.put(`/v1/release-plans/${id}`, planData)
	},

[gemini-code-assist]

此文件 stores/app.ts 正在变成一个包含所有类型定义的地方。虽然对于小型项目来说这很方便，但随着项目规模的增长，将类型定义（如 AlarmChangeItem, ReleasePlan 等）与 Pinia store 的实现混合在一起会降低代码的可维护性。

为了更好的代码组织和避免潜在的循环依赖问题（例如 api 层需要使用类型但不能导入 store），建议将这些共享的类型定义移动到一个专门的目录中，例如 src/types/。这个 PR 引入了新的类型，是进行此项重构的好时机。

[niupilot]

PR Review Progress

• Read repository guidelines (CLAUDE.md)
• Review GitHub workflow changes (.github/workflows/deploy-frontend.yml)
• Review client/src/api/index.ts changes
• Review client/src/stores/app.ts changes
• Analyze yarn.lock addition
• Check workflow security and best practices
• Check for documentation consistency
• Provide comprehensive review feedback

📋 Comprehensive Code Review

This PR adds release plan management functionality to the frontend client and introduces a GitHub Actions deployment workflow. Here's my detailed analysis:

✅ Positive Aspects

1. Automated Deployment: The GitHub Actions workflow provides automated frontend deployment to Vercel for PR previews.

2. Proper Caching: The workflow uses Node.js and Yarn caching for faster builds.

3. Consistent API Design: The release plan endpoints follow RESTful patterns matching existing APIs.

4. Type Safety Foundation: The AlarmChangeItem interface is properly structured.

🚨 Critical Security Issues

High Priority - Security Vulnerabilities

1. Dangerous Workflow Trigger (.github/workflows/deploy-frontend.yml:4)

   # ❌ CRITICAL SECURITY ISSUE
   on:
     pull_request_target:
       branches: [develop]

   Problem: pull_request_target runs in the context of the target repository with access to secrets, even for forks. This is a major security vulnerability that allows malicious fork PRs to access secrets.

   Recommendation: Use pull_request instead:

   on:
     pull_request:
       branches: [develop]
       paths: ['client/**']

2. Secret Exposure (.github/workflows/deploy-frontend.yml:16-28)

   # ❌ SECURITY RISK - Debug step exposes secrets
   - name: Debug Vercel secrets
     run: |
       echo "VERCEL_TOKEN exists: ${{ secrets.VERCEL_TOKEN != '' }}"
       echo "VERCEL_TOKEN length: ${#VERCEL_TOKEN}"

   Problem: Debug steps that output secret information should never be in production workflows.

   Recommendation: Remove the entire debug step or use it only in development.

Medium Priority Issues

3. Type Safety Violations (client/src/api/index.ts:104, 112)

   // ❌ Current implementation
   createReleasePlan: (planData: any) => {
   updateReleasePlan: (id: string, planData: any) => {

   Problem: Using any type defeats TypeScript's purpose.

   Recommendation: Define proper interfaces:

   interface ReleasePlanData {
     version: string;
     startTime: string;
     serviceName?: string;
     description?: string;
   }
   
   createReleasePlan: (planData: ReleasePlanData) => {
   updateReleasePlan: (id: string, planData: Partial<ReleasePlanData>) => {

4. Missing Error Response Handling (client/src/stores/app.ts:198, 216, 233)

   // ❌ Inadequate error handling
   } catch (err: any) {
     error.value = err.message || '创建发布计划失败'

   Recommendation:

   } catch (err: any) {
     error.value = err.response?.data?.message || err.message || '创建发布计划失败'

5. Workflow Permissions (.github/workflows/deploy-frontend.yml:11-12)

   permissions:
     contents: read
     pull-requests: write

   Consideration: With pull_request_target, these permissions are overly broad. If switching to pull_request, you may need to handle deployment differently for security.

🏗️ Architecture & Best Practices

Workflow Issues

6. Outdated Action Version (.github/workflows/deploy-frontend.yml:36)

   uses: amondnet/vercel-action@v25

   Problem: This action is no longer actively maintained.

   Recommendation: Consider using the official Vercel CLI or newer community actions.

7. Missing Error Handling: The workflow lacks proper error handling and rollback strategies.

8. Hardcoded Environment: The workflow assumes Vercel deployment but doesn't handle configuration flexibility.

Frontend Code Issues

9. API Endpoint Inconsistency:

   • Existing: /v1/deployments, /v1/services
   • New: /v1/release-plans (with hyphens)
   • Verify backend consistency

10. Missing Integration: New store methods aren't connected to UI components yet.

📚 Documentation Consistency

Status: ⚠️ Needs Updates

• The main README doesn't mention the frontend client deployment process
• No documentation about the new release plan APIs
• Missing setup instructions for Vercel deployment secrets

Recommendations:

• Add client deployment documentation to README
• Document required Vercel environment secrets
• Consider adding API documentation for new endpoints

🧪 Testing & Deployment Considerations

1. No Test Step: The workflow builds but doesn't run tests
2. No Linting: Missing code quality checks
3. Single Environment: Only targets one deployment environment

Recommended workflow improvements:

- name: Run tests
  run: |
    cd client
    yarn test

- name: Run linting
  run: |
    cd client
    yarn lint

🎯 Overall Assessment

Score: C+ (Needs Security Fixes)

While the functionality is well-structured, the critical security vulnerability with pull_request_target and secret exposure makes this PR dangerous to merge as-is. The frontend code changes are solid but need type safety improvements.

🚨 Immediate Action Required

BEFORE MERGING:

1. Fix the security vulnerability by changing pull_request_target to pull_request
2. Remove the debug secrets step entirely
3. Consider deployment strategy for fork PRs (may need separate workflow)

The release plan functionality is well-implemented, but the workflow security issues must be addressed immediately.

---

👉 Want me to re-run this review? Just type /review in the comments! For more usage examples, visit CodeAgent GitHub Repository.