fix: fold in PR #8 review findings (reusable workflow)
Build & push image / build-and-push (pull_request) Successful in 7s

The swarm reviewed PR #8 *through the reusable path itself* — proving
github.event context propagates into a workflow_call reusable workflow on
this act_runner (the one part the probes hadn't covered). Folded in the
warranted findings:

- review-reusable.yml: bump timeout_minutes default 30 -> 45 (a multi-
  model/slow-lens review can exceed 30); map the generic GADFLY_API_KEY
  secret (was missing); add an explicit permissions block; drop the dead
  `specialist_suite` input.
- examples/reusable.yml: actor gate now also requires
  github.event.issue.pull_request (so an issue-comment on a plain issue
  doesn't waste a runner), and a note to pin @<ref> to a release tag.

Graded ~70 findings (heavy clustering): the real ones above + several
by-design/documented (inputs replace vars-overrides; only M1/M5 named
endpoints mapped) and many false positives (IS_DRAFT pattern, GITEA_TOKEN
via inherit, "empty specialists" misread — empty does default).

YAML validated; Go unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 19:41:45 -04:00
parent 0a01c3ae91
commit 27aa92a6e0
2 changed files with 13 additions and 3 deletions
+11 -2
@@ -31,13 +31,21 @@ on:
base_url: { type: string, default: "" } # GADFLY_BASE_URL
provider_concurrency: { type: string, default: "" } # GADFLY_PROVIDER_CONCURRENCY
provider_lens_concurrency: { type: string, default: "" } # GADFLY_PROVIDER_LENS_CONCURRENCY
specialist_suite: { type: string, default: "" } # reserved / future
timeout_secs: { type: string, default: "" } # GADFLY_TIMEOUT_SECS (per lens)
max_steps: { type: string, default: "" } # GADFLY_MAX_STEPS
worker_model: { type: string, default: "" } # GADFLY_WORKER_MODEL
allowed_users: { type: string, default: "" } # GADFLY_ALLOWED_USERS
trigger_phrase: { type: string, default: "" } # GADFLY_TRIGGER_PHRASE
timeout_minutes: { type: number, default: 30 } # job wall-clock cap
# Job wall-clock cap. 45 > 30 as a default: a multi-model swarm or a slow
# lens (e.g. claude-code with extended thinking) can exceed 30 minutes.
timeout_minutes: { type: number, default: 45 }
# The reusable job posts the review comment, so it needs issues/PR write. Gitea
# caps these by the caller's granted permissions; declaring them here is explicit.
permissions:
contents: read
issues: write
pull-requests: write
jobs:
review:
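Review bot: the new `permissions:` block sits at workflow top level (between the `on:` inputs and `jobs:`), so every job in this file receives `issues: write` and `pull-requests: write`, while the comment directly above it says only the reusable review job needs them to post the comment. Suggest moving the block under `jobs.review.permissions:` so the write grants stay scoped to the one job that needs them, and since the same comment notes that Gitea caps these by the caller's granted permissions, the examples/ caller stub should declare matching `issues: write` / `pull-requests: write` or the comment post may fail under a read-only caller token.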
@@ -61,6 +69,7 @@ jobs:
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
GADFLY_API_KEY: ${{ secrets.GADFLY_API_KEY }}
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
# Common named foreman/LAN endpoints (optional). Consumers with other
# GADFLY_ENDPOINT_<NAME>s need the full stub (examples/), since a
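Review bot: the added `GADFLY_API_KEY: ${{ secrets.GADFLY_API_KEY }}` mapping carries no comment on how it relates to the provider-specific keys right above it (`OPENAI_API_KEY`, `ANTHROPIC_API_KEY`, `GOOGLE_API_KEY`), unlike the endpoint block that follows. Suggest a one-line comment stating when the generic key is consulted (fallback when no provider key is set, or override) so consumers know which secret to configure; with callers passing `secrets: inherit`, all four keys reach every step of the job, so it is also worth confirming the review step is the only consumer.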
+2 -1
@@ -39,7 +39,8 @@ jobs:
# the allowed_users override below).
if: >-
github.event_name != 'issue_comment'
|| github.actor == 'your-username'
|| (github.event.issue.pull_request && github.actor == 'your-username')
# Pin @<ref> to a Gadfly release tag for stability (@main tracks latest).
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@main
secrets: inherit
with:
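Review bot: the `uses:` line still pins `@main` directly under the new comment recommending a release tag, and because this is the stub consumers copy, the example itself propagates a mutable ref into a workflow that also receives `secrets: inherit`. Suggest pinning the example to a tag placeholder (the actual tag name is not visible here) or, if `@main` must stay in the example, keeping the warning on the `uses:` line itself so it survives copy-paste. Also, the new `github.event.issue.pull_request` check only constrains `issue_comment`; every other event name satisfies the first clause of the `if:` regardless of actor, which matches the allowed_users override note above but deserves a word in that comment so readers do not take the gate as a general actor allow-list.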