From 27aa92a6e01e55d9567e7bfdd2b95430fce106d4 Mon Sep 17 00:00:00 2001
From: Steve Dudenhoeffer
Date: Sat, 27 Jun 2026 19:41:45 -0400
Subject: [PATCH] fix: fold in PR #8 review findings (reusable workflow)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The swarm reviewed PR #8 *through the reusable path itself* — proving github.event context propagates into a workflow_call reusable workflow on this act_runner (the one part the probes hadn't covered).

Folded in the warranted findings:

- review-reusable.yml: bump timeout_minutes default 30 -> 45 (a multi- model/slow-lens review can exceed 30); map the generic GADFLY_API_KEY secret (was missing); add an explicit permissions block; drop the dead `specialist_suite` input.
- examples/reusable.yml: actor gate now also requires github.event.issue.pull_request (so an issue-comment on a plain issue doesn't waste a runner), and a note to pin @ to a release tag.

Graded ~70 findings (heavy clustering): the real ones above + several by-design/documented (inputs replace vars-overrides; only M1/M5 named endpoints mapped) and many false positives (IS_DRAFT pattern, GITEA_TOKEN via inherit, "empty specialists" misread — empty does default).

YAML validated; Go unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/review-reusable.yml | 13 +++++++++++--
 examples/reusable.yml | 3 ++-
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/review-reusable.yml b/.gitea/workflows/review-reusable.yml
index 9784b68..470b519 100644
--- a/.gitea/workflows/review-reusable.yml
+++ b/.gitea/workflows/review-reusable.yml
@@ -31,13 +31,21 @@ on:
 base_url: { type: string, default: "" } # GADFLY_BASE_URL
 provider_concurrency: { type: string, default: "" } # GADFLY_PROVIDER_CONCURRENCY
 provider_lens_concurrency: { type: string, default: "" } # GADFLY_PROVIDER_LENS_CONCURRENCY
- specialist_suite: { type: string, default: "" } # reserved / future
 timeout_secs: { type: string, default: "" } # GADFLY_TIMEOUT_SECS (per lens)
 max_steps: { type: string, default: "" } # GADFLY_MAX_STEPS
 worker_model: { type: string, default: "" } # GADFLY_WORKER_MODEL
 allowed_users: { type: string, default: "" } # GADFLY_ALLOWED_USERS
 trigger_phrase: { type: string, default: "" } # GADFLY_TRIGGER_PHRASE
- timeout_minutes: { type: number, default: 30 } # job wall-clock cap
+ # Job wall-clock cap. 45 > 30 as a default: a multi-model swarm or a slow
+ # lens (e.g. claude-code with extended thinking) can exceed 30 minutes.
+ timeout_minutes: { type: number, default: 45 }
+
+# The reusable job posts the review comment, so it needs issues/PR write. Gitea
+# caps these by the caller's granted permissions; declaring them here is explicit.
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
 
 jobs:
 review:
@@ -61,6 +69,7 @@ jobs:
 OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
 ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
 GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
+ GADFLY_API_KEY: ${{ secrets.GADFLY_API_KEY }}
 CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 # Common named foreman/LAN endpoints (optional). Consumers with other
 # GADFLY_ENDPOINT_s need the full stub (examples/), since a
diff --git a/examples/reusable.yml b/examples/reusable.yml
index 0dc66e3..fe0b284 100644
--- a/examples/reusable.yml
+++ b/examples/reusable.yml
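Review bot: Dropping the `specialist_suite` input is a breaking change for any caller that still passes it under `with:`, because under GitHub Actions semantics (and, I believe, act_runner's) a workflow_call rejects inputs the referenced workflow does not declare; the commit message calls it dead, but nothing in the hunk gives consumers a deprecation path. If compatibility matters, keep it declared for one release as `specialist_suite: { type: string, default: "" } # deprecated: ignored, removed in a future release` and drop it afterwards. On the new `permissions` block, the comment asserts that Gitea caps these by the caller's grant; as far as I know Gitea Actions has historically ignored the `permissions` key entirely, so confirm on this act_runner that the block is enforced and, if it is not, reword the comment to say it documents the intended token scope rather than restricts it. The enclosing `on: workflow_call: inputs:` mapping starts before the hunk.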
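Review bot: The new `GADFLY_API_KEY: ${{ secrets.GADFLY_API_KEY }}` line sets the variable unconditionally, and when the caller defines no such secret the expression expands to an empty string, so the tool sees `GADFLY_API_KEY=""` rather than an unset variable; if Gadfly treats any present value as "configured", callers that rely on the provider-specific keys above it could get a confusing auth failure instead of the fallback. Worth checking how Gadfly handles the empty value before merging. The `env:` key this belongs to is outside the hunk; if it is job-level, consider moving the whole credential block to the step that actually runs Gadfly so checkout and any other steps never receive provider keys in their environment.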
@@ -39,7 +39,8 @@ jobs:
 # the allowed_users override below).
 if: >-
 github.event_name != 'issue_comment'
- || github.actor == 'your-username'
+ || (github.event.issue.pull_request && github.actor == 'your-username')
+ # Pin @ to a Gadfly release tag for stability (@main tracks latest).
 uses: steve/gadfly/.gitea/workflows/review-reusable.yml@main
 secrets: inherit
 with:
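Review bot: The new `# Pin @ to a Gadfly release tag` comment sits between the `if: >-` block scalar and `uses:`; if it is indented at the scalar's content level rather than at the `uses:` key's, YAML folds it into the `if` expression as text and the gate silently changes meaning, so verify the indent in the rendered file (the collapsed diff does not show it). The advice itself is also too weak for a call that uses `secrets: inherit`: a tag can be moved, so every caller secret flows to whatever the ref resolves to at run time; pin to a full commit SHA with the release noted in a trailing comment, and have the example line do so instead of shipping `@main` directly under the note, e.g. `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@<full-commit-sha>  # <release-tag>` (placeholders). While here, `secrets: inherit` forwards every secret the caller holds; mapping only the keys the reusable workflow declares would keep the blast radius of a bad ref to those keys.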