docs: recommend the @v1 release tag for reusable-workflow consumers #12
@@ -6,7 +6,7 @@
|
|||||||
# jobs:
|
# jobs:
|
||||||
# review:
|
# review:
|
||||||
# if: ... # actor gate for the comment trigger
|
# if: ... # actor gate for the comment trigger
|
||||||
# uses: steve/gadfly/.gitea/workflows/review-reusable.yml@<sha>
|
# uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1
|
||||||
# secrets: # forward ONLY what the reviewer needs
|
# secrets: # forward ONLY what the reviewer needs
|
||||||
# OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
# OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
||||||
# CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
# CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
||||||
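Review bot: the example `uses: ...@v1` line in this header comment now points at a mutable ref, but nothing in this diff creates the `v1` tag or shows the process that moves it, so a consumer who copies the line before the tag exists gets a failing workflow. State in the comment which releases move `v1` (every release, or only `v1.x`) or point at the release procedure, and keep the `@<sha>` form visible in the example so readers see what an immutable pin looks like next to the tag form.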
@@ -25,8 +25,9 @@
|
|||||||
#
|
#
|
||||||
# Advisory only — never blocks a merge. The image is pinned to an immutable
|
# Advisory only — never blocks a merge. The image is pinned to an immutable
|
||||||
# :sha- tag here (act_runner caches :latest); bump it per Gadfly release.
|
# :sha- tag here (act_runner caches :latest); bump it per Gadfly release.
|
||||||
# Consumers should likewise pin `uses: ...@<sha>` (not @main) so a push to this
|
# Consumers should pin `uses: ...@v1` — a curated release tag moved on deliberate
|
||||||
# repo can't silently change the code that runs with their forwarded secrets.
|
# releases, so central tuning here propagates without per-consumer edits — or a
|
||||||
|
# full `@<sha>` for an immutable pin. Avoid `@main` (moves on every push).
|
||||||
|
|
||||||
name: Gadfly review (reusable)
|
name: Gadfly review (reusable)
|
||||||
|
|
||||||
|
|||||||
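Review bot: the rewritten comment drops the threat statement the old one carried ("so a push to this repo can't silently change the code that runs with their forwarded secrets"), and that statement is exactly what `@v1` weakens. A tag is a mutable ref: anyone with write access to this repo can re-point `v1` with a force push, so a `@v1` consumer is trusting this repo's tag protection and release discipline, not git immutability. Suggest saying so plainly, e.g. "`@v1` runs whatever the tag currently points to; it is only as safe as this repo's tag protection", and pairing the docs change with a protected-tag rule for `v*` in the repo settings so the tag cannot be moved outside the release flow.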
@@ -312,8 +312,10 @@ examples/ the ~15-line stub a consuming repo drops in
|
|||||||
|
|
||||||
The image is published to `gitea.stevedudenhoeffer.com/steve/gadfly`. Every push to `main`
|
The image is published to `gitea.stevedudenhoeffer.com/steve/gadfly`. Every push to `main`
|
||||||
rebuilds and republishes `:latest` (plus `:sha-<short>`); pushing a `v*` tag publishes that
|
rebuilds and republishes `:latest` (plus `:sha-<short>`); pushing a `v*` tag publishes that
|
||||||
pinned version (plus `:latest`). Pin consumers to a `:vN` tag for stability, or track
|
pinned version (plus `:latest`). Pin full-stub consumers to a `:vN` image tag for stability, or track
|
||||||
`:latest` to ride main.
|
`:latest` to ride main. Reusable-workflow consumers likewise pin the workflow ref —
|
||||||
|
`review-reusable.yml@v1` (a curated tag moved on releases, so central swarm tuning propagates) or
|
||||||
|
a full `@<sha>` for an immutable pin; avoid `@main`.
|
||||||
|
|
||||||
## Configuration (advanced)
|
## Configuration (advanced)
|
||||||
|
|
||||||
|
|||||||
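Review bot: the README now describes `v*` tags in two conflicting ways: the image paragraph says pushing a `v*` tag publishes "that pinned version" and recommends a `:vN` image tag "for stability", while the new sentence describes `@v1` as "a curated tag moved on releases". If `v1` is re-pointed and re-pushed on each release, the same push republishes the `:v1` image, so neither the image tag nor the workflow ref is pinned. Clarify which tags move (a major-line `v1` that follows `v1.x` releases) and which are immutable (a full `v1.2.3`-style release tag or a `:sha-<short>` image tag), and recommend the immutable form wherever the text says "pinned". Also "central swarm tuning" is the only place in this diff that says "swarm"; the workflow comment in the same change says "central tuning".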
@@ -14,9 +14,10 @@
|
|||||||
# Forward ONLY the secrets the reviewer uses (least privilege) — see the
|
# Forward ONLY the secrets the reviewer uses (least privilege) — see the
|
||||||
# `secrets:` block below. GITEA_TOKEN is automatic. `secrets: inherit` also works
|
# `secrets:` block below. GITEA_TOKEN is automatic. `secrets: inherit` also works
|
||||||
# but hands the reusable EVERY secret in your repo (registry/deploy/db creds the
|
# but hands the reusable EVERY secret in your repo (registry/deploy/db creds the
|
||||||
# review never touches), so prefer the explicit form. Pin @<sha> to an immutable
|
# review never touches), so prefer the explicit form. Pin @<ref>: use the @v1
|
||||||
# Gadfly commit (not @main) so a push there can't change what runs with your
|
# release tag (a curated pointer moved on deliberate releases) for auto-updating
|
||||||
# secrets.
|
# stability, or a full @<sha> for an immutable pin. Avoid @main — it moves on
|
||||||
|
# every push and would change what runs with your forwarded secrets.
|
||||||
#
|
#
|
||||||
# For custom named endpoints (GADFLY_ENDPOINT_<NAME>) or a provider the reusable
|
# For custom named endpoints (GADFLY_ENDPOINT_<NAME>) or a provider the reusable
|
||||||
# doesn't map, use the full stub in adversarial-review.yml instead.
|
# doesn't map, use the full stub in adversarial-review.yml instead.
|
||||||
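Review bot: "for auto-updating stability" reads as a contradiction, and the closing sentence implies only `@main` changes what runs with the forwarded secrets, when `@v1` does too on every release (or whenever the tag is moved). Suggest wording that names the trade-off directly: "`@v1` follows Gadfly releases, so new reviewer code runs with your forwarded secrets after each release; `@<sha>` never changes; `@main` changes on every push." The explicit `secrets:` guidance just above is the right counterweight to a moving ref and is worth a cross-reference here: the explicit list, not `secrets: inherit`, bounds what a moved tag could reach.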
@@ -48,9 +49,9 @@ jobs:
|
|||||||
if: >-
|
if: >-
|
||||||
github.event_name != 'issue_comment'
|
github.event_name != 'issue_comment'
|
||||||
|| (github.event.issue.pull_request && github.actor == 'your-username')
|
|| (github.event.issue.pull_request && github.actor == 'your-username')
|
||||||
# Pin @<sha> to an immutable Gadfly commit (replace @main below) so a push to
|
# @v1 = curated release tag (auto-updates on releases); swap for a full @<sha>
|
||||||
# gadfly can't silently change the code that runs with your forwarded secrets.
|
# if you want an immutable pin. Don't use @main (moves on every push).
|
||||||
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@main
|
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1
|
||||||
# Forward ONLY what the reviewer needs. Add provider keys you use
|
# Forward ONLY what the reviewer needs. Add provider keys you use
|
||||||
# (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, GADFLY_API_KEY) and/or
|
# (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, GADFLY_API_KEY) and/or
|
||||||
# GADFLY_ENDPOINT_M1/M5; drop the findings ones if you don't run telemetry.
|
# GADFLY_ENDPOINT_M1/M5; drop the findings ones if you don't run telemetry.
|
||||||
|
|||||||
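Review bot: this inline comment restates the explanation already added at the top of the same file in the `@@ -14,9 +14,10 @@` hunk (the `+49` offset here is that hunk's one added line), so the stub now explains the pin choice twice. Keep the full explanation in one place and reduce the other to a single line, e.g. "`# @v1 follows Gadfly releases; use a full @<sha> for an immutable pin`". The `uses:` change itself is right: the shipped stub no longer defaults to `@main`, and the old "replace @main below" instruction that consumers routinely skipped is gone.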