security: scope reusable-workflow secrets (least privilege) over secrets: inherit
The swarm (reviewing the mort/executus rollout PRs) correctly flagged that `secrets: inherit` forwards EVERY caller secret to the reusable review workflow — registry/deploy/db creds the reviewer never touches.

Fix:
- review-reusable.yml: declare workflow_call.secrets (all optional) so a caller can forward only what the reviewer needs.
- adversarial-review.yml (gadfly's own caller) + examples/reusable.yml: replace `secrets: inherit` with an explicit forward of just OLLAMA_CLOUD_API_KEY / CLAUDE_CODE_OAUTH_TOKEN / findings tokens. GITEA_TOKEN stays automatic.
- Docs (README, examples) updated; also advise pinning consumers to an immutable @<sha> instead of @main (supply-chain, the other finding).

gadfly's own review on this PR exercises the explicit-secrets path (local reusable ref) — validating it on the act_runner before mort/executus adopt it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
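The shape of the change the commit describes, as an added illustration and not the project's own files: the over-privileged caller, the `workflow_call.secrets` declaration on the reusable side, and the least-privilege caller that forwards only named secrets. Everything here is assumed except what the commit message states: the job name, runner label, step and script name are hypothetical, the "findings tokens" are not named on the page so they appear as a labelled placeholder, and `<sha>` stands for the immutable commit the consumer pins to.

```yaml
# BEFORE (caller, e.g. .gitea/workflows/adversarial-review.yml in a consumer repo)
# `secrets: inherit` hands every secret in the caller's store to the reusable
# workflow, including registry/deploy/db credentials the reviewer never uses.
jobs:
  review:
    uses: steve/gadfly/.gitea/workflows/review-reusable.yml@main   # mutable ref
    secrets: inherit                                              # over-privileged
---
# REUSABLE SIDE (stand-in for review-reusable.yml, not the real file)
# Declaring the secrets under workflow_call bounds what the workflow can ever
# see: only these names exist inside it, and all are optional so a caller can
# forward just the one(s) its provider needs.
on:
  workflow_call:
    secrets:
      OLLAMA_CLOUD_API_KEY:
        required: false
      CLAUDE_CODE_OAUTH_TOKEN:
        required: false
      FINDINGS_TOKEN_PLACEHOLDER:     # placeholder: the findings token names are not on the page
        required: false

jobs:
  review:
    runs-on: ubuntu-latest           # assumption: runner label
    steps:
      - name: Run reviewer (hypothetical step)
        env:
          # Only declared secrets resolve here; a caller's deploy credentials
          # cannot be referenced even by accident.
          OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
          CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
          FINDINGS_TOKEN: ${{ secrets.FINDINGS_TOKEN_PLACEHOLDER }}
        # GITEA_TOKEN is supplied automatically by Gitea Actions, so it is
        # neither declared above nor forwarded by the caller.
        run: ./review.sh               # hypothetical entrypoint
---
# AFTER (least-privilege caller)
# Forward exactly the secrets the reviewer declares and nothing else, and pin
# the reusable workflow to an immutable commit instead of a moving branch.
jobs:
  review:
    uses: steve/gadfly/.gitea/workflows/review-reusable.yml@<sha>  # pinned, not @main
    secrets:
      OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
      CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
      FINDINGS_TOKEN_PLACEHOLDER: ${{ secrets.FINDINGS_TOKEN_PLACEHOLDER }}
```

The `---` separators only group the three fragments for reading; each would live in its own workflow file. A consumer that uses a single provider forwards a single line from the AFTER block and omits the rest, which is why the reusable side marks every secret `required: false`. Pinning to `@<sha>` means a later change to the reusable workflow cannot silently widen what the caller's forwarded secrets are used for.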
@@ -38,8 +38,8 @@ it. Drop one file in your repo and set a couple of secrets/vars:
1. Copy a stub from [`examples/`](examples/) to `.gitea/workflows/adversarial-review.yml` in
your repo. Two flavors: the slim [`reusable.yml`](examples/reusable.yml) — a tiny caller of
Gadfly's **reusable workflow** (`uses: steve/gadfly/.gitea/workflows/review-reusable.yml@…`
+ `secrets: inherit`), best when you take the defaults — or the full self-contained
Gadfly's **reusable workflow** (`uses: steve/gadfly/.gitea/workflows/review-reusable.yml@…`,
forwarding only the secrets the reviewer needs), best when you take the defaults — or the full self-contained
[`adversarial-review.yml`](examples/adversarial-review.yml) (Ollama Cloud default, with inline
notes for every provider / local Ollama / OpenAI-compatible / endpoint aliases). See the
[examples index](examples/README.md).
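Review bot: the replacement sentence says the slim caller forwards "only the secrets the reviewer needs" but never says which ones, so a consumer reading the README still has to open the stub to find out and may reach for `secrets: inherit` again; naming them in place (the commit message lists OLLAMA_CLOUD_API_KEY and CLAUDE_CODE_OAUTH_TOKEN plus the findings tokens, with GITEA_TOKEN supplied automatically) closes that gap, e.g. `forwarding only the secrets the reviewer needs: OLLAMA_CLOUD_API_KEY, CLAUDE_CODE_OAUTH_TOKEN and the findings tokens`. The same sentence is also where the `@…` ref on the `uses:` line is introduced; since the commit advises pinning consumers to an immutable @<sha> rather than @main, a short clause there (not only in the examples) keeps the supply-chain guidance next to the line people copy.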