diff --git a/.gitea/workflows/review-reusable.yml b/.gitea/workflows/review-reusable.yml index ae6625f..c97a1e0 100644 --- a/.gitea/workflows/review-reusable.yml +++ b/.gitea/workflows/review-reusable.yml @@ -6,7 +6,7 @@ # jobs: # review: # if: ... # actor gate for the comment trigger -# uses: steve/gadfly/.gitea/workflows/review-reusable.yml@ +# uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1 # secrets: # forward ONLY what the reviewer needs # OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }} # CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} @@ -25,8 +25,9 @@ # # Advisory only — never blocks a merge. The image is pinned to an immutable # :sha- tag here (act_runner caches :latest); bump it per Gadfly release. -# Consumers should likewise pin `uses: ...@` (not @main) so a push to this -# repo can't silently change the code that runs with their forwarded secrets. +# Consumers should pin `uses: ...@v1` — a curated release tag moved on deliberate +# releases, so central tuning here propagates without per-consumer edits — or a +# full `@` for an immutable pin. Avoid `@main` (moves on every push). name: Gadfly review (reusable)