feat: support random suffix

[yuzichen12123]

将 gitlab-cli 生成的后缀由秒级时间戳改为 毫秒级时间戳 与 4位随机后缀，改动后的用户名长度不会超出 gitlab 限制。

已运行单元测试，全部通过。并在 tektoncd-operator 中执行过 make prepare-gitlab-data，成功。

[codecov-commenter]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

[alaudabot]

Review Summary

Reviewed the PR for random suffix support. Found 2 warnings and 3 suggestions - no blocking issues.

Key Changes

• Millisecond timestamp: yyyyMMddHHmmssSSS
• Random 4-char suffix with optional custom override via --suffix flag
• Updated docs and CLI to support the new naming format

Warnings

1. Modulo bias in random suffix generation (utils.go:121)
2. Regex re-compilation on every call (utils.go:99,130,145)

Suggestions

1. Add unit tests for new utility functions
2. Improve fallback randomness
3. Translate --suffix flag description in Chinese docs

See inline comments for details.

[alaudabot]

Warning (performance/uniform-distribution): Modulo bias detected. Using byte % 36 introduces slight statistical bias since 256 values don't divide evenly by 36. Consider rejection sampling or a larger alphabet.

// Alternative approach using rejection sampling:
idx := int(rawRandomBytes[i]) * len(shortSuffixAlphabet) / 256
randomSuffix[i] = shortSuffixAlphabet[idx]

[alaudabot]

Warning (performance/regex-compilation): Regex is compiled on every call. Consider pre-compiling at package level:

var safeCharsRegex = regexp.MustCompile(`[^a-zA-Z0-9_-]`)

[alaudabot]

Warning (performance/regex-compilation): Same issue - regex compiled on every call. Pre-compile at package level for better performance.

[alaudabot]

Warning (performance/regex-compilation): Same issue - regex compiled on every call.

[alaudabot]

Suggestion (test/missing): Consider adding unit tests for GenerateTemporalSuffix, generateShortRandomSuffix, and normalizeCustomSuffix to ensure timestamp format and random generation work correctly.

[alaudabot]

Suggestion (refactor/fallback): The fallback uses time.Now().UnixNano() which could theoretically collide in high-concurrency. Consider adding a counter or additional entropy in the fallback path.

[alaudabot]

Suggestion (docs/consistency): The --suffix flag description is in English while surrounding text is Chinese. Consider adding Chinese translation: --suffix: 可选自定义后缀（在 prefix 模式下替换随机后缀）

[alaudabot]

🤖 AI Code Review

Property	Value
Model	opencode/minimax-m2.5-free
Style	strict
Issues Found	0
Config Source	centralized
Profile	❌ Not Found
Personalized Prompt	❌ No
Prompt Path	.github/review/profiles/alaudadevops/gitlab-cli/pr-review.md
Alauda Skills	✅ base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade
Reviewed at	2026-04-30 02:43:31 UTC

---

Summary

This PR changes the suffix generation from second-level timestamp to millisecond-level timestamp + 4-character random suffix, and adds a new --suffix flag for custom suffix support. The implementation is functional and addresses the GitLab username length limitation issue.

Review Statistics

Category	Count
Critical Issues	0
Warnings	5
Suggestions	2
Files Reviewed	7

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None.

Warnings

Issues that SHOULD be addressed but are not blocking

• [internal/utils/utils.go:121] (performance/uniform-distribution): Modulo bias detected. Using byte % 36 introduces slight statistical bias since 256 values don't divide evenly by 36. Consider using rejection sampling or a more uniform distribution method.

• [internal/utils/utils.go:99] (performance/regex-compilation): Regex is compiled on every call in sanitizeUsername. Consider pre-compiling at package level for better performance.

• [internal/utils/utils.go:130] (performance/regex-compilation): Same issue - regex compiled on every call in sanitizeGroupPath. Pre-compile at package level.

• [internal/utils/utils.go:145] (performance/regex-compilation): Same issue in normalizeCustomSuffix. Pre-compile at package level.

Suggestions

Recommendations for improvement (nice to have)

• [internal/utils/utils.go:104] (test/missing): Consider adding unit tests for GenerateTemporalSuffix, generateShortRandomSuffix, and normalizeCustomSuffix to ensure correctness and maintainability.

• [internal/utils/utils.go:111] (refactor/fallback): The fallback uses time.Now().UnixNano() which could theoretically collide in high-concurrency scenarios. Consider adding additional entropy or a unique ID.

• [docs/TEMPLATE.md:23] (docs/consistency): The --suffix flag description is in English while surrounding text is Chinese. Consider adding Chinese translation for consistency.

Positive Feedback

• Good use of crypto/rand for cryptographically secure random suffix generation
• Proper input validation with normalizeCustomSuffix function
• Graceful fallback when random generation fails
• Clean separation of concerns in utility functions
• Comprehensive documentation updates across multiple files

---

---

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

• Shared prompt: .github/prompts/code-review.md
• Config source: centralized
• Profile path: Not Found
• Profile ref: ebb6c9593926ecbd0b2b1d3ebde0c09c862ff8bf
• No repository-specific prompt configured
• Alauda skills: base-acp-operator-list, base-acp-operator-release, base-authoring, base-m365, base-ocp-operator-list, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-prd-to-testcase, builders-publish-errata, builders-roadmap-studio, builders-story-split, cross-repo-add-mirror, cross-repo-publish, devops-autodns, devops-candidate-version-supervisor, devops-connectors-acceptance-test, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-upgrade-test, devops-connectors-write-user-docs, devops-fix-go-vulns, devops-fork-alauda-binary-release, devops-gen-advanced-form-descriptors, devops-knowledge-adoption, devops-refresh-containerfile-digests, devops-refresh-containerfile-tags, devops-replace-strings, devops-scan-docker-keywords, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-upgrade-go, devops-upstream-backport-cve, devops-upstream-upgrade