1a2a2364ec
Address the swarm's findings on this rollout:

- Replace `secrets: inherit` (which forwarded ALL repo secrets — registry/Komodo/Discord/DB creds the reviewer never uses) with explicit forwarding of only OLLAMA_CLOUD_API_KEY / CLAUDE_CODE_OAUTH_TOKEN / findings tokens. GITEA_TOKEN is the automatic job token (github.token in the reusable).
- Pin uses: ...@main -> @20a5c43 (immutable) so a push to gadfly can't change the code that runs with our forwarded secrets.

Requires gadfly's review-reusable.yml secrets contract (steve/gadfly#9, merged).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
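
The two changes described in the commit message above, expressed as a check over caller workflow files. This is an added example, not code from this commit or from gadfly. The `owner/repo/.gitea/workflows/` path in the sample workflows is a constructed placeholder, and treating a 7 to 40 character hex ref as pinned is this example's assumption.

```python
import re

# Assumption of this example: a ref is "pinned" only when it is a hex commit
# id of 7 to 40 characters, the form the commit message uses (@20a5c43).
SHA_REF = re.compile(r"^[0-9a-f]{7,40}$")
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*(?:#.*)?$")


def lint_workflow(text):
    """Return (line_number, rule, detail) findings for one workflow file."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if INHERIT.match(line):
            findings.append((n, "secrets-inherit", "forwards every repo secret"))
        m = USES.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith("./"):
            continue  # local file, versioned together with the caller
        path, sep, ref = target.rpartition("@")
        if not sep:
            findings.append((n, "unpinned-uses", f"{target} has no ref"))
        elif not SHA_REF.match(ref):
            findings.append((n, "unpinned-uses", f"{path} tracks mutable ref '{ref}'"))
    return findings


# Constructed sample: the caller workflow before the change.
BEFORE = """\
jobs:
  review:
    uses: owner/repo/.gitea/workflows/review-reusable.yml@main
    secrets: inherit
"""

# Constructed sample: the caller workflow after the change.
AFTER = """\
jobs:
  review:
    uses: owner/repo/.gitea/workflows/review-reusable.yml@20a5c43
    secrets:
      OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
"""
```

Running `lint_workflow` over every caller workflow in CI keeps a later edit from reintroducing `secrets: inherit` or a branch ref. Tightening `SHA_REF` to exactly 40 characters enforces full commit ids.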