feat: support add random suffix for repo

[yuzichen12123]

支持为创建的 repositories 自动添加后缀，与此前 gitlab-cli 那边的行为保持一致

[codecov-commenter]

Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

ℹ️ You can also turn on project coverage checks and project coverage reporting on Pull Request comment

Thanks for integrating Codecov - We've got you covered ☂️

[alaudabot]

🤖 AI Code Review

Property	Value
Model	codex/gpt-5.3-codex
Style	strict
Personalized Prompt	❌ No
Reviewed at	2026-03-26 04:53:00 UTC

---

Summary

This PR adds nameMode-based name resolution and wiring in create so resources can be suffixed (with a timestamp suffix) before apply, including reference remapping across users/roles/privileges/repositories. The core implementation is well-structured and has solid unit coverage for resolver behavior, but one credential-exposure issue remains blocking. Given the PR size (>500 changed lines), this review focused on high-priority correctness and security items.

Review Statistics

Category	Count
Critical Issues	1
Warnings	1
Suggestions	2
Files Reviewed	5

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

• [pkg/config/loader.go:41] security/secrets ERROR: Save() writes resolved config with file mode 0644; this file may contain plaintext user passwords and proxy credentials, making it readable by other local users. Use 0600 (or stricter) for secret-bearing files.

Warnings

Issues that SHOULD be addressed but are not blocking

• [pkg/config/name_resolver.go:44] performance/collision WARNING: GenerateTimestampSuffix() has only second-level precision, so concurrent/rapid runs can generate identical suffixes and collide on resource names; add sub-second precision or a random component.

Suggestions

Recommendations for improvement (nice to have)

• [cmd/create.go:66] docs/missing INFO: Extend CLI docs/examples to show end-to-end create --resolved-config ... then delete -c <resolved-file> workflow, since prefix mode changes identifiers used for cleanup.
• [pkg/config/name_resolver_test.go:197] test/coverage INFO: Add table-driven cases asserting invalid per-resource nameMode errors (e.g., users[i].nameMode: invalid) to ensure each override path is validated consistently.

Positive Feedback

The resolver is thoughtfully implemented: deep-copying avoids mutating source config, cross-resource reference remapping is comprehensive, and tests cover key scenarios like override behavior and idempotent re-run semantics after clearing nameMode fields.

---

---

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

• Shared prompt: .github/prompts/code-review.md
• No repository-specific prompt configured

[alaudabot]

performance/collision WARNING: GenerateTimestampSuffix() has second-level granularity, so two runs within the same second can produce identical suffixes and collide on resource names. Consider adding higher precision (.000) or a short random component to make collisions practically impossible.

[alaudabot]

security/secrets ERROR: resolved-config writes the full resolved YAML, which includes sensitive fields such as user passwords and proxy credentials. Writing with mode 0644 makes it world-readable on multi-user systems. Please write with 0600 (and document that the file contains secrets) to avoid credential exposure.