
chore: install GitHub-reward from idea2app/GitHub-reward#1

Draft
Copilot wants to merge 3 commits into main from copilot/add-github-reward-installation

Conversation


Copilot AI commented Mar 18, 2026

Summary

  • Installs the GitHub-reward toolkit into .github/ by copying its .github/ directory contents verbatim.
  • Enables a reward-based contributor incentive workflow: issue creators can attach a monetary reward to a task issue; when the issue is closed by a merged PR, the reward is automatically distributed and tagged; a monthly cron aggregates stats into a release.
  • Applies security hardening based on review feedback: fixes shell command injection, GraphQL injection, overly-permissive Deno sandbox, unpinned action versions, missing label filters, and token scope issues.

Files added:

  • .github/ISSUE_TEMPLATE/reward-task.yml — structured issue form (currency, amount, optional payer)
  • .github/scripts/type.ts — shared Reward TypeScript interface
  • .github/scripts/deno.json — Deno runtime config (nodeModulesDir: none)
  • .github/scripts/share-reward.ts — on issue close: finds merged PR via GraphQL variables (injection-safe), splits reward equally among author + assignees (bots excluded), creates a reward-<issue> git tag, posts comment
  • .github/scripts/count-reward.ts — monthly: aggregates last month's reward-* tags per payee, creates statistic-YYYY-MM tag + GitHub release
  • .github/workflows/claim-issue-reward.yml — triggers on issues: closed (label-filtered to reward), validates amount, runs share-reward.ts
  • .github/workflows/statistic-member-reward.yml — runs 0 0 1 * *, runs count-reward.ts (skips if no new commits since last statistic tag)

Security fixes applied:

  • All ${{ ... }} expressions in workflow run: blocks are now quoted to prevent shell command injection
  • GraphQL query in share-reward.ts rewritten with named variables ($owner, $name, $number) passed via separate -f/-F flags — no user-controlled values interpolated into the query string
  • deno --allow-all replaced with --allow-run --allow-env --allow-read --allow-net=api.github.com in both workflows
  • All third-party actions pinned to commit SHAs: actions/checkout@de0fac2e (v6.0.2), denoland/setup-deno@667a34cd (v2.0.4), stefanbuck/github-issue-parser@10dcc541 (v3.2.3)
  • GH_TOKEN moved from workflow-level env to step-level env only on the step that requires it
  • Added if: contains(github.event.issue.labels.*.name, 'reward') job filter — workflow only runs on reward-labeled issues
  • Added "Validate amount" step with regex check ^[0-9]+(\.[0-9]+)?$ before the Deno script executes
  • Added concurrency group per issue number to prevent duplicate tags/comments on rapid re-close
  • $(git rev-parse HEAD) in count-reward.ts replaced with a captured variable passed as a proper zx argument

Validation

  • Backend tests passed
  • Frontend typecheck/build passed
  • OpenAPI SDK regenerated or checked when API contracts changed
  • Smoke test run when relevant

Commands run:

# No build/test steps required — pure GitHub Actions / Deno scripting addition

Risk

  • User-facing impact: None — additive only; no existing workflows or app code touched.
  • Deployment or migration impact: Workflows activate automatically on merge; requires contents: write and issues: write permissions (already granted via github.token). Workflow only fires when a reward-labeled issue is closed.
  • Rollback approach: Delete the 7 added files; workflows cease to trigger.

Notes

  • Follow-up work: Add a reward label to the repository labels so the issue template's auto-label and the job-level label filter both work correctly.
  • Docs or operator runbooks updated when behavior changed: N/A


Co-authored-by: TechQuery <19969570+TechQuery@users.noreply.github.com>
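The three hardening points listed under "Security fixes applied" (amount validation, GraphQL variables instead of interpolation, equal split with bots excluded), as an added stand-alone example that is not code from this PR or from GitHub-reward. The query shape, the `gh api graphql` argument layout and the `[bot]` login convention are assumptions.

```typescript
// Added example, not copied from share-reward.ts or claim-issue-reward.yml.

// Same pattern the "Validate amount" step applies before the Deno script runs.
const AMOUNT_PATTERN = /^[0-9]+(\.[0-9]+)?$/;

function isValidAmount(raw: string): boolean {
  return AMOUNT_PATTERN.test(raw);
}

// Weak form: repository and issue values are spliced into the query text,
// so whatever the issue event carries becomes part of the query grammar.
function interpolatedQuery(owner: string, repo: string, num: string): string {
  return `query { repository(owner: "${owner}", name: "${repo}") { issue(number: ${num}) { id } } }`;
}

// Hardened form: constant query text; typed variables carry the values.
// The timeline lookup for the closing PR is an assumed query shape.
const MERGED_PR_QUERY = `query($owner: String!, $name: String!, $number: Int!) {
  repository(owner: $owner, name: $name) {
    issue(number: $number) {
      timelineItems(itemTypes: [CLOSED_EVENT], last: 1) {
        nodes { ... on ClosedEvent { closer { ... on PullRequest { number merged } } } }
      }
    }
  }
}`;

// Argument vector for `gh api graphql`: -f sends raw strings, -F parses the
// number, and each value stays in its own argv element.
function ghGraphqlArgs(owner: string, repo: string, num: number): string[] {
  return ["api", "graphql", "-f", `query=${MERGED_PR_QUERY}`,
    "-f", `owner=${owner}`, "-f", `name=${repo}`, "-F", `number=${num}`];
}

// Equal split among author and assignees; duplicates collapsed, bots excluded.
// Bot detection by the "[bot]" login suffix is an assumption for this example.
function splitReward(amount: number, author: string, assignees: string[]): Record<string, number> {
  const isBot = (login: string) => login.endsWith("[bot]");
  const payees = Array.from(new Set([author, ...assignees])).filter((l) => !isBot(l));
  const shares: Record<string, number> = {};
  if (payees.length === 0) return shares;
  const share = amount / payees.length;
  for (const p of payees) shares[p] = share;
  return shares;
}
```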
Copilot AI changed the title from "[WIP] [GOOD-4] Install GitHub-reward using npx command" to "chore: install GitHub-reward from idea2app/GitHub-reward" on Mar 18, 2026
Copilot AI requested a review from TechQuery March 18, 2026 11:18
Member

@TechQuery TechQuery left a comment


Revise according to iflytek#91 (comment)

Author

Copilot AI commented Mar 25, 2026

> Revise according to iflytek#91 (comment)

Fixed in commit 7944896. Changes made based on the security review:

Critical (addressed):

  1. All ${{ ... }} expressions in claim-issue-reward.yml are now quoted to prevent shell command injection
  2. share-reward.ts now uses GraphQL variables (-f owner=, -f name=, -F number=) instead of direct string interpolation in the query body, preventing GraphQL injection
  3. Replaced --allow-all with --allow-run --allow-env --allow-read --allow-net=api.github.com in both workflows

Important (addressed):

  4. All three third-party actions pinned to commit SHAs: actions/checkout@de0fac2e (v6.0.2), denoland/setup-deno@667a34cd (v2.0.4), stefanbuck/github-issue-parser@10dcc541 (v3.2.3)
  5. Added if: contains(github.event.issue.labels.*.name, 'reward') to the job — only fires for reward-labeled issues
  6. GH_TOKEN moved from workflow-level env to the specific step that needs it
  7. Added a "Validate amount" step with [[ "$AMOUNT" =~ ^[0-9]+(\.[0-9]+)?$ ]] before the Deno script runs

Minor (addressed):

  • git rev-parse HEAD is now assigned to a headCommit variable before being used in count-reward.ts
  • Added concurrency group to prevent duplicate tag/comment from rapid re-close

Copilot AI requested a review from TechQuery March 25, 2026 20:22