diff --git a/.gitea/workflows/adversarial-review.yml b/.gitea/workflows/adversarial-review.yml
index fa2d5a3..3a6c1ea 100644
--- a/.gitea/workflows/adversarial-review.yml
+++ b/.gitea/workflows/adversarial-review.yml
@@ -36,8 +36,15 @@ jobs:
 && (github.actor == 'steve' || github.actor == 'fizi' || github.actor == 'dazed'))
- uses: steve/gadfly/.gitea/workflows/review-reusable.yml@main
- secrets: inherit
+ # Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
+ # silently change the code that runs with our forwarded secrets.
+ uses: steve/gadfly/.gitea/workflows/review-reusable.yml@20a5c431f22d43bab0f711c14ce74de3a735c110
+ # Least privilege: forward ONLY the secrets this swarm uses (GITEA_TOKEN is auto).
+ secrets:
+ OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
+ CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
+ GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
+ GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
 with:
 models: "minimax-m3:cloud,glm-5.2:cloud,glm-5.1:cloud,deepseek-v4-pro:cloud,nemotron-3-super:cloud,qwen3-coder:480b-cloud,claude-code/sonnet,claude-code/opus,claude-code/opus:max"
 specialists: "security,correctness,error-handling"
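Review bot: The SHA pin on the new `uses:` line only freezes the caller's view of gadfly; it does not pin whatever `review-reusable.yml` itself pulls in, so every `uses:` inside the called workflow at `20a5c431…` needs the same treatment or the mutable-ref exposure just moves one level down. The pin also carries no human-readable version, which makes bumps hard to audit; I would annotate it, e.g. `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@20a5c431f22d43bab0f711c14ce74de3a735c110  # gadfly <tag>; verify SHA against the gadfly repo before bumping`. The explicit `secrets:` map is the right least-privilege move, but the called workflow must declare each of the four names under `on.workflow_call.secrets` (GitHub Actions rejects undeclared secret inputs, and Gitea's act_runner presumably mirrors this), and the claim in the comment that `GITEA_TOKEN` is passed automatically is worth confirming against the runner version rather than assuming. Separately, the `github.actor` allowlist in the context line gates who triggered the run, not which ref executes — if the reusable workflow checks out a PR head, a trusted actor's run can still execute contributor-controlled code with these secrets in scope; the enclosing `if:` begins outside the hunk, so the triggering event cannot be checked here.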