Compare commits
1 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| d5a24c6f6e |
@@ -1,8 +1,8 @@
|
|||||||
# Gadfly adversarial review — subscribes to steve/gadfly's reusable workflow and
|
# Gadfly adversarial review — subscribes to steve/gadfly's reusable workflow and
|
||||||
# INHERITS its default swarm (3 cloud models + Claude Code sonnet/opus/opus:max,
|
# INHERITS its default swarm. This stub holds only the triggers, the actor gate,
|
||||||
# 5-lens suite). This stub holds only the triggers, the actor gate, secret
|
# secret forwarding, and the allow-list; the swarm config (models, lenses,
|
||||||
# forwarding, and the allow-list; the swarm config lives centrally in gadfly's
|
# concurrency, timeouts) lives centrally in gadfly's review-reusable.yml so it is
|
||||||
# review-reusable.yml. Advisory only — never blocks a merge.
|
# tuned in ONE place. Advisory only — never blocks a merge.
|
||||||
|
|
||||||
name: Adversarial Review (Gadfly)
|
name: Adversarial Review (Gadfly)
|
||||||
|
|
||||||
@@ -29,8 +29,9 @@ concurrency:
|
|||||||
jobs:
|
jobs:
|
||||||
review:
|
review:
|
||||||
# Security: only trusted users may trigger a secret-bearing run via a PR
|
# Security: only trusted users may trigger a secret-bearing run via a PR
|
||||||
# comment (pull_request + workflow_dispatch are already trusted). Mirrors
|
# comment (pull_request + workflow_dispatch are already trusted). Mirrors the
|
||||||
# the allowed_users input below (the in-container belt-and-suspenders check).
|
# allowed_users input below (the in-container belt-and-suspenders check) — both
|
||||||
|
# lists must stay in sync; a workflow if: can't read a workflow_call input.
|
||||||
if: >-
|
if: >-
|
||||||
github.event_name != 'issue_comment'
|
github.event_name != 'issue_comment'
|
||||||
|| (github.event.issue.pull_request
|
|| (github.event.issue.pull_request
|
||||||
@@ -40,13 +41,13 @@ jobs:
|
|||||||
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
|
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
|
||||||
# silently change the code that runs with our forwarded secrets.
|
# silently change the code that runs with our forwarded secrets.
|
||||||
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
|
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
|
||||||
# Least privilege: forward ONLY the secrets the swarm uses (GITEA_TOKEN is auto).
|
# Least privilege: forward only the review secrets (not `secrets: inherit`,
|
||||||
|
# which would expose every repo secret). GITEA_TOKEN is the automatic token.
|
||||||
secrets:
|
secrets:
|
||||||
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
||||||
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
||||||
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
|
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
|
||||||
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
|
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
|
||||||
with:
|
with:
|
||||||
# Inherit the default swarm from gadfly's review-reusable.yml; only the
|
# Consumer-specific allow-list; everything else is inherited.
|
||||||
# consumer-specific allow-list is set here.
|
|
||||||
allowed_users: "steve,fizi,dazed"
|
allowed_users: "steve,fizi,dazed"
|
||||||
|
|||||||
Reference in New Issue
Block a user