Compare commits

1 Commits

Author SHA1 Message Date
Steve Dudenhoeffer 5b1a912a9f feat(reusable): resolve swarm config from runtime variables (cache-immune central config)
Build & push image / build-and-push (pull_request) Successful in 5s
Adversarial Review (Gadfly) / review (pull_request) Successful in 15m36s
Long-lived act_runners cache the reusable workflow file by ref, so moving @v1
doesn't propagate config changes. Move the volatile config OUT of the cached
file and into runtime-injected user/org variables, which ARE re-read every run
(same mechanism as secrets):

- env now resolves: inputs.X || vars.GADFLY_DEFAULT_X  (input → owner var → image default)
  for models, specialists, provider_concurrency, provider_lens_concurrency.
- GADFLY_ENDPOINT_RAGNAROS (the 4090 Ti endpoint) now read from vars.GADFLY_ENDPOINT_RAGNAROS.
- input defaults dropped to "" so the public file default is generic (image default),
  which also removes the steve-specific swarm (incl. the personal LAN endpoint) from
  the publicly-inherited default — addresses the egress finding.

Net: owner retunes the whole fleet by editing one variable; consumers pin an
immutable @<sha> once and never re-pin for config tuning. README gets a "Central
config via variables" section; CLAUDE.md updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 01:55:38 -04:00
+9 -9
@@ -68,8 +68,8 @@ on:
# workflow every secret in the caller's repo (registry/deploy/db creds the
# review never touches). All optional — an unset/unpassed secret resolves to
# empty, harmless for the providers a given consumer doesn't use. GITEA_TOKEN
# is the automatic job token and need not be declared/forwarded. Named
# endpoints (GADFLY_ENDPOINT_*) come from user/org VARS now, not secrets.
# is the automatic job token and need not be declared/forwarded. Consumers
# with bespoke GADFLY_ENDPOINT_<NAME>s beyond M1/M5 need the full stub.
secrets:
OLLAMA_CLOUD_API_KEY: { required: false }
OPENAI_API_KEY: { required: false }
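Review bot: the VARS variant of this header comment ("Named endpoints (GADFLY_ENDPOINT_*) come from user/org VARS now, not secrets.") loses the sentence in the other variant that tells consumers with bespoke GADFLY_ENDPOINT_<NAME>s beyond M1/M5 that they need the full stub, so a reader of the `secrets:` block no longer learns that only M1 and M5 are wired through; suggest keeping both sentences, e.g. "...come from user/org VARS now, not secrets. Consumers with GADFLY_ENDPOINT_<NAME>s beyond M1/M5 still need the full stub (examples/)."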
@@ -77,6 +77,8 @@ on:
GOOGLE_API_KEY: { required: false }
GADFLY_API_KEY: { required: false }
CLAUDE_CODE_OAUTH_TOKEN: { required: false }
GADFLY_ENDPOINT_M1: { required: false }
GADFLY_ENDPOINT_M5: { required: false }
GADFLY_FINDINGS_URL: { required: false }
GADFLY_FINDINGS_TOKEN: { required: false }
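Review bot: `GADFLY_ENDPOINT_M1: { required: false }` and `GADFLY_ENDPOINT_M5: { required: false }` are declared under `secrets:` here, but the jobs hunk below maps those two names from `vars.GADFLY_ENDPOINT_M1` / `vars.GADFLY_ENDPOINT_M5` in the VARS variant, so a caller that passes the endpoint as a secret (as the `workflow_call` contract invites) gets it accepted and silently ignored, with the review running against an empty endpoint. The declared secrets and the env mapping need to agree: either drop these two entries from `secrets:` in the VARS variant, or keep them and add a secrets fallback in the env mapping.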
@@ -115,13 +117,11 @@ jobs:
GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
GADFLY_API_KEY: ${{ secrets.GADFLY_API_KEY }}
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
# Named LAN endpoints, defined in user/org vars (format
# "<provider>|<base-url>[|<key>]"). Adding a NEW name still needs a line
# here — a reusable workflow can't enumerate arbitrary vars.GADFLY_ENDPOINT_*.
# NB: vars are NOT masked like secrets — if an endpoint embeds an auth
# token, keep that one a secret instead.
GADFLY_ENDPOINT_M1: ${{ vars.GADFLY_ENDPOINT_M1 }}
GADFLY_ENDPOINT_M5: ${{ vars.GADFLY_ENDPOINT_M5 }}
# Common named foreman/LAN endpoints (optional). Consumers with other
# GADFLY_ENDPOINT_<NAME>s need the full stub (examples/), since a
# reusable workflow can't enumerate arbitrary names.
GADFLY_ENDPOINT_M1: ${{ secrets.GADFLY_ENDPOINT_M1 }}
GADFLY_ENDPOINT_M5: ${{ secrets.GADFLY_ENDPOINT_M5 }}
# ragnaros = the 4090 Ti via its llama-swap proxy. Defined in the user
# var GADFLY_ENDPOINT_RAGNAROS (format "<provider>|<base-url>[|<key>]")
# so the URL can change without editing this file; the matching model is
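Review bot: the NB comment ("vars are NOT masked like secrets — if an endpoint embeds an auth token, keep that one a secret instead") has no code path behind it in the VARS variant, because `GADFLY_ENDPOINT_M1: ${{ vars.GADFLY_ENDPOINT_M1 }}` and the M5 line read only `vars.*` while the `secrets.GADFLY_ENDPOINT_M1` / `secrets.GADFLY_ENDPOINT_M5` lines are the other variant; a consumer who follows the advice ends up with no endpoint at all. Suggest `${{ vars.GADFLY_ENDPOINT_M1 || secrets.GADFLY_ENDPOINT_M1 }}` (the same `||` fallback pattern the commit message uses for inputs/vars), which keeps the cache-immune vars path as the default and still honours a secret for the "<provider>|<base-url>|<key>" case where the third field would otherwise land unmasked in job logs; the same applies to the GADFLY_ENDPOINT_RAGNAROS var introduced by the trailing comment.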