docs: correct examples/reusable.yml pin guidance (prefer @sha; runners cache @v1) #15

Merged
steve merged 1 commits from test/trigger-check into main 2026-06-28 22:09:07 +00:00
Owner

Small doc fix — the examples/reusable.yml comment said @v1 "auto-updates on releases," but long-lived act_runners cache the reusable by ref, so a moved tag isn't re-fetched. Recommend an immutable @<sha>; routine swarm tuning rides owner variables instead.

Also serving as a trigger smoke-test of the new runtime-variable reusable: this PR's own review should launch the full swarm assembled entirely from the GADFLY_DEFAULT_* / GADFLY_ENDPOINT_* variables (including ragnaros).

🤖 Generated with Claude Code

Small doc fix — the `examples/reusable.yml` comment said `@v1` "auto-updates on releases," but long-lived act_runners cache the reusable by ref, so a moved tag isn't re-fetched. Recommend an immutable `@<sha>`; routine swarm tuning rides owner variables instead. Also serving as a **trigger smoke-test** of the new runtime-variable reusable: this PR's own review should launch the full swarm assembled entirely from the `GADFLY_DEFAULT_*` / `GADFLY_ENDPOINT_*` variables (including `ragnaros`). 🤖 Generated with [Claude Code](https://claude.com/claude-code)
steve added 1 commit 2026-06-28 06:10:50 +00:00
docs: correct examples/reusable.yml pin guidance (runners cache @v1; prefer @sha)
Adversarial Review (Gadfly) / review (pull_request) Successful in 3m4s
6e87a3e73f
The @v1 comment claimed it auto-updates on releases, but long-lived act_runners
cache the reusable by ref so a moved tag isn't re-fetched. Recommend an
immutable @<sha>; routine tuning rides owner variables.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

🪰 Gadfly — live review status

7/7 reviewers finished · updated 2026-06-28 06:13:55Z

claude-code/opus · claude-code — done

  • security — No material issues found
  • correctness — Minor issues
  • maintainability — Minor issues
  • performance — No material issues found
  • error-handling — No material issues found

claude-code/opus:max · claude-code — done

  • security — No material issues found
  • correctness — Minor issues
  • maintainability — Minor issues
  • performance — No material issues found
  • error-handling — No material issues found

claude-code/sonnet · claude-code — done

  • security — No material issues found
  • correctness — Minor issues
  • maintainability — Minor issues
  • performance — No material issues found
  • error-handling — No material issues found

deepseek-v4-pro:cloud · ollama-cloud — done

  • security — Minor issues
  • correctness — Minor issues
  • ⚠️ maintainability — could not complete
  • ⚠️ performance — could not complete
  • ⚠️ error-handling — could not complete

glm-5.2:cloud · ollama-cloud — done

  • security — No material issues found
  • correctness — Minor issues
  • maintainability — Minor issues
  • performance — No material issues found
  • error-handling — No material issues found

minimax-m3:cloud · ollama-cloud — done

  • security — Minor issues
  • ⚠️ correctness — could not complete
  • maintainability — Minor issues
  • ⚠️ performance — could not complete
  • ⚠️ error-handling — could not complete

ragnaros/qwen3.6-27b · ragnaros — done

  • ⚠️ security — could not complete
  • ⚠️ correctness — could not complete
  • ⚠️ maintainability — could not complete
  • ⚠️ performance — could not complete
  • ⚠️ error-handling — could not complete

Live status board. Findings are posted in each model's own comment. Advisory only — does not block merge.

<!-- gadfly-status-board --> ## 🪰 Gadfly — live review status 7/7 reviewers finished · updated 2026-06-28 06:13:55Z #### `claude-code/opus` · claude-code — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — Minor issues - ✅ **maintainability** — Minor issues - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `claude-code/opus:max` · claude-code — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — Minor issues - ✅ **maintainability** — Minor issues - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `claude-code/sonnet` · claude-code — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — Minor issues - ✅ **maintainability** — Minor issues - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `deepseek-v4-pro:cloud` · ollama-cloud — ✅ done - ✅ **security** — Minor issues - ✅ **correctness** — Minor issues - ⚠️ **maintainability** — could not complete - ⚠️ **performance** — could not complete - ⚠️ **error-handling** — could not complete #### `glm-5.2:cloud` · ollama-cloud — ✅ done - ✅ **security** — No material issues found - ✅ **correctness** — Minor issues - ✅ **maintainability** — Minor issues - ✅ **performance** — No material issues found - ✅ **error-handling** — No material issues found #### `minimax-m3:cloud` · ollama-cloud — ✅ done - ✅ **security** — Minor issues - ⚠️ **correctness** — could not complete - ✅ **maintainability** — Minor issues - ⚠️ **performance** — could not complete - ⚠️ **error-handling** — could not complete #### `ragnaros/qwen3.6-27b` · ragnaros — ✅ done - ⚠️ **security** — could not complete - ⚠️ **correctness** — could not complete - ⚠️ **maintainability** — could not complete - ⚠️ **performance** — could not complete - ⚠️ **error-handling** — could not complete <sub>Live status board. Findings are posted in each model's own comment. Advisory only — does not block merge.</sub>

🪰 Gadfly review — glm-5.2:cloud (ollama-cloud)

Verdict: Minor issues — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

VERDICT: No material issues found

  • Reviewed examples/reusable.yml in full. This is a comment-only change; no workflow logic, secrets forwarding, permissions, triggers, or uses: ref were modified. The security-relevant guidance (least-privilege secrets: forwarding, immutable @<sha> pinning to avoid stale-cache execution with forwarded credentials, avoiding @main) is sound and accurately describes the risk.
  • Minor note (not blocking, and arguably intended): the updated comment at examples/reusable.yml:53-54 now tells users to "pin to an immutable @<sha>" because @v1/@main can run stale, yet the actual uses: line at examples/reusable.yml:55 is still …review-reusable.yml@v1. As an example stub this is a placeholder, so it's not a vulnerability — but a reader copying the template verbatim keeps the ref the comment just warned against. Verified by reading the file; no code-level security impact.
🎯 Correctness — Minor issues

Verdict: Minor issues

This is a documentation/comment-only change. Through the correctness lens, the substantive question is whether the new guidance is technically correct and internally consistent with the rest of the repo.

  • Internal contradiction with the reusable workflow's own header. examples/reusable.yml:17-21 now tells consumers to pin an immutable @<sha> and warns that @v1 "is often not re-fetched and silently runs a stale copy." But the reusable workflow file itself, .gitea/workflows/review-reusable.yml:29-31, still asserts the opposite: "Consumers should pin uses: ...@v1 — a curated release tag moved on deliberate releases, so central tuning here propagates without per-consumer edits." Its example snippet at line 9 also uses @v1. These two files now give directly conflicting pinning guidance for the same uses: line. The example's premise ("runners cache the ref, so @v1 can run stale") refutes the reusable's stated rationale ("so central tuning propagates without per-consumer edits"). The PR fixes one doc surface and leaves the authoritative one self-contradictory.

  • The uses: line still pins @v1 while the surrounding comment says pin @<sha>. examples/reusable.yml:53-55: the new comment (lines 53-54) says "Pin to an immutable @," but the unchanged uses: on line 55 is …review-reusable.yml@v1. The example as shipped — what a consumer copies — still demonstrates the @v1 the comment now warns against. A copy-paste consumer gets stale-copy risk the comment exists to warn about, with nothing flagging the contradiction.

Both are correctness-of-guidance issues (the file's job is to be copied as a working stub). Suggested fixes:

  • Make the two files agree. Either update .gitea/workflows/review-reusable.yml:9,29-31 to match the new @<sha> guidance, or reconcile the caching claim.
  • Either change examples/reusable.yml:55 to an actual @<sha> placeholder (e.g. @<full-sha> with a note to substitute) so the shipped example matches its own advice, or add a one-line "replace @v1 below with a @" note so the contradiction isn't silent.

No runtime/logic code is touched, so no execution-path bugs.

🧹 Code cleanliness & maintainability — Minor issues

Verdict: Minor issues

  • examples/reusable.yml:53-55 — the example contradicts its own freshly-corrected advice. The new comment at lines 53-54 says "Pin to an immutable @ (runners cache the ref, so @v1/@main can run stale)," but line 55 still reads uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1. The stub demonstrates exactly the pattern it now warns against. A user copy-pasting this consumer copies @v1, which the comment labels stale-prone. Either swap the uses: to a @<sha> placeholder (e.g. @<full-sha> with a note to replace) or add a one-line acknowledgement that the example keeps @v1 only as a stand-in for the reader's pinned sha. Verified by reading the file (lines 50-55).

  • examples/reusable.yml:18 — "CACHE" in all-caps is a stylistic outlier. The surrounding comments use normal prose capitalization (e.g. "Forward ONLY the secrets" only emphasizes the key word). "CACHE" mid-sentence reads like a leftover emphasis marker; "cache" fits the tone better. Trivial, but it's the kind of noise that makes the comment feel copy-pasted. Verified by reading lines 14-21.

No other cleanliness/maintainability issues: the README cross-reference ("Central config via variables") resolves correctly, and the rewritten comment block is coherent and no longer claims @v1 auto-updates.

Performance — No material issues found

No material issues found.

The diff is documentation-only (comment text changes in examples/reusable.yml), so there's no code-path, hot loop, allocation, query, or any runtime behavior change to scrutinize for performance regressions. Verified by reading the full file — lines 14–21 and 50–54 are pure prose; the uses: ref at line 55 is unchanged (@v1), so no call-frequency or work-per-run change results from this PR. Nothing in the performance lens applies.

🧯 Error handling & edge cases — No material issues found

VERDICT: No material issues found

This is a comment-only documentation change in examples/reusable.yml. From the error-handling / edge-case lens:

  • No code, logic, or control flow is changed — only the advisory prose in comment blocks. There are no new unhappy paths, no swallowed errors, no missing cleanup, no panics or boundary conditions introduced.
  • The uses: line itself is untouched (@v1 still present at line 55); only the comment above it was rewritten. So the new guidance ("pin to an immutable @<sha>") is advisory and doesn't alter what the workflow actually resolves. Whether the runner-cache-staleness claim is factually accurate is a documentation-correctness concern, not an error-handling one.
  • No nil/empty/zero-value handling or rollback behavior is affected anywhere in the diff.

Nothing in my lane is materially wrong.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 58s

<!-- gadfly-review:ollama:glm-5.2:cloud --> ### 🪰 Gadfly review — `glm-5.2:cloud` (ollama-cloud) **Verdict: Minor issues** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> VERDICT: No material issues found - Reviewed `examples/reusable.yml` in full. This is a comment-only change; no workflow logic, secrets forwarding, permissions, triggers, or `uses:` ref were modified. The security-relevant guidance (least-privilege `secrets:` forwarding, immutable `@<sha>` pinning to avoid stale-cache execution with forwarded credentials, avoiding `@main`) is sound and accurately describes the risk. - Minor note (not blocking, and arguably intended): the updated comment at `examples/reusable.yml:53-54` now tells users to "pin to an immutable `@<sha>`" because `@v1`/`@main` can run stale, yet the actual `uses:` line at `examples/reusable.yml:55` is still `…review-reusable.yml@v1`. As an example stub this is a placeholder, so it's not a vulnerability — but a reader copying the template verbatim keeps the ref the comment just warned against. Verified by reading the file; no code-level security impact. </details> <details><summary><b>🎯 Correctness</b> — Minor issues</summary> ## Verdict: Minor issues This is a documentation/comment-only change. Through the correctness lens, the substantive question is whether the new guidance is *technically correct* and *internally consistent* with the rest of the repo. - **Internal contradiction with the reusable workflow's own header.** `examples/reusable.yml:17-21` now tells consumers to pin an immutable `@<sha>` and warns that `@v1` "is often not re-fetched and silently runs a stale copy." But the reusable workflow file itself, `.gitea/workflows/review-reusable.yml:29-31`, still asserts the opposite: *"Consumers should pin `uses: ...@v1` — a curated release tag moved on deliberate releases, so central tuning here propagates without per-consumer edits."* Its example snippet at line 9 also uses `@v1`. These two files now give directly conflicting pinning guidance for the same `uses:` line. The example's premise ("runners cache the ref, so @v1 can run stale") refutes the reusable's stated rationale ("so central tuning propagates without per-consumer edits"). The PR fixes one doc surface and leaves the authoritative one self-contradictory. - **The `uses:` line still pins `@v1` while the surrounding comment says pin `@<sha>`.** `examples/reusable.yml:53-55`: the new comment (lines 53-54) says "Pin to an immutable @<sha>," but the unchanged `uses:` on line 55 is `…review-reusable.yml@v1`. The example as shipped — what a consumer copies — still demonstrates the `@v1` the comment now warns against. A copy-paste consumer gets stale-copy risk the comment exists to warn about, with nothing flagging the contradiction. Both are correctness-of-guidance issues (the file's job is to be copied as a working stub). Suggested fixes: - Make the two files agree. Either update `.gitea/workflows/review-reusable.yml:9,29-31` to match the new `@<sha>` guidance, or reconcile the caching claim. - Either change `examples/reusable.yml:55` to an actual `@<sha>` placeholder (e.g. `@<full-sha>` with a note to substitute) so the shipped example matches its own advice, or add a one-line "replace @v1 below with a @<sha>" note so the contradiction isn't silent. No runtime/logic code is touched, so no execution-path bugs. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — Minor issues</summary> **Verdict: Minor issues** - **`examples/reusable.yml:53-55` — the example contradicts its own freshly-corrected advice.** The new comment at lines 53-54 says "Pin to an immutable @<sha> (runners cache the ref, so @v1/@main can run stale)," but line 55 still reads `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1`. The stub demonstrates exactly the pattern it now warns against. A user copy-pasting this consumer copies `@v1`, which the comment labels stale-prone. Either swap the `uses:` to a `@<sha>` placeholder (e.g. `@<full-sha>` with a note to replace) or add a one-line acknowledgement that the example keeps `@v1` only as a stand-in for the reader's pinned sha. Verified by reading the file (lines 50-55). - **`examples/reusable.yml:18` — "CACHE" in all-caps is a stylistic outlier.** The surrounding comments use normal prose capitalization (e.g. "Forward ONLY the secrets" only emphasizes the key word). "CACHE" mid-sentence reads like a leftover emphasis marker; "cache" fits the tone better. Trivial, but it's the kind of noise that makes the comment feel copy-pasted. Verified by reading lines 14-21. No other cleanliness/maintainability issues: the README cross-reference ("Central config via variables") resolves correctly, and the rewritten comment block is coherent and no longer claims `@v1` auto-updates. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> **No material issues found.** The diff is documentation-only (comment text changes in `examples/reusable.yml`), so there's no code-path, hot loop, allocation, query, or any runtime behavior change to scrutinize for performance regressions. Verified by reading the full file — lines 14–21 and 50–54 are pure prose; the `uses:` ref at line 55 is unchanged (`@v1`), so no call-frequency or work-per-run change results from this PR. Nothing in the performance lens applies. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> VERDICT: No material issues found This is a comment-only documentation change in `examples/reusable.yml`. From the error-handling / edge-case lens: - No code, logic, or control flow is changed — only the advisory prose in comment blocks. There are no new unhappy paths, no swallowed errors, no missing cleanup, no panics or boundary conditions introduced. - The `uses:` line itself is untouched (`@v1` still present at line 55); only the comment above it was rewritten. So the new guidance ("pin to an immutable `@<sha>`") is advisory and doesn't alter what the workflow actually resolves. Whether the runner-cache-staleness claim is factually accurate is a documentation-correctness concern, not an error-handling one. - No nil/empty/zero-value handling or rollback behavior is affected anywhere in the diff. Nothing in my lane is materially wrong. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 58s</sub>

🪰 Gadfly review — claude-code/opus (claude-code)

Verdict: Minor issues — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

This is a documentation-only diff to comment text in examples/reusable.yml. I've read the full file to evaluate it through the security lens.

VERDICT: No material issues found

Through the security (supply-chain) lens, this change is sound and, if anything, improves security posture:

  • The diff replaces "use @v1 for auto-updating stability" with "pin to an immutable @<sha>." Pinning a third-party reusable workflow to an immutable commit SHA is the standard supply-chain hardening recommendation — a mutable tag (@v1) or branch (@main) can be repointed at attacker-controlled code that then executes with the consumer's forwarded secrets. Recommending the immutable pin is the more secure guidance. Verified against the file: the surrounding secrets: block (lines 59–63) practices least-privilege forwarding, consistent with the advice.

Two honest observations, neither blocking:

  • examples/reusable.yml:18-21 — The rewrite drops the explicit security rationale the old text carried ("a moved tag … would change what runs with your forwarded secrets") in favor of a staleness/caching rationale. The recommendation lands in the same (secure) place, but the threat-model justification for the SHA pin is now implicit. Re-adding a half-clause on the secrets-execution risk would keep the why security-grounded, not just operational. Minor.
  • examples/reusable.yml:55 — The prose now says "pin to an immutable @<sha>," but the example's actual uses: line still ships @v1. A copy-paster following the example verbatim inherits a mutable pin despite the advice. This is a pre-existing line untouched by the diff (and the file is a placeholder template, e.g. your-username), so it's a doc-consistency nit more than a security defect — and consistency belongs more to the docs lens than mine. Flagging only because it's the exact gap the diff is trying to close.

Nothing in the security lane is materially wrong here.

🎯 Correctness — Minor issues

I've verified the finding against the actual file. Lines 17-21 and 53-54 mandate an immutable @<sha> and explicitly warn that @v1/@main can run stale, yet line 55 still uses uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1. The inconsistency is real and confirmed.


VERDICT: Minor issues

  • examples/reusable.yml:55 — The prose now strongly mandates an immutable @<sha> and explicitly warns that @v1 "can run stale" (lines 17-21 and 53-54), but the actual uses: line still pins @v1: uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1. A consumer copy-pasting this stub gets exactly the stale-prone behavior the new comment warns against — the example contradicts its own corrected advice. This PR updated the guidance text but not the demonstrated pin it documents, so the fix is half-applied. Suggested fix: change line 55 to a placeholder consistent with the file's existing style (it already uses your-username), e.g. ...review-reusable.yml@<full-40-char-sha>, so the demonstrated pin matches the recommendation.
🧹 Code cleanliness & maintainability — Minor issues

VERDICT: Minor issues

  • examples/reusable.yml:55 — the demonstrated uses: line contradicts the example's own rewritten advice. This PR flips the prose (lines 17–21 and 53–54) to "Pin to an immutable @<sha>… a moved tag (@v1) … is often not re-fetched and silently runs a stale copy," but the actual reference a consumer copies still reads uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1. Before this change the @v1 was consistent with the old guidance ("@v1 = curated release tag (auto-updates)"); now the comment immediately above line 55 tells the reader to avoid @v1 while the line itself demonstrates exactly that anti-pattern. A consumer who copies the file verbatim inherits the stale-cache behavior the new docs warn against. Suggested fix: change line 55 to a placeholder @<sha> (with a "replace with a real commit sha" note) so the demonstrated value matches the guidance.
Performance — No material issues found

VERDICT: No material issues found

This PR changes only documentation comments in examples/reusable.yml (the pin-guidance text and the inline uses: comment). There is no executable code, no query, loop, allocation, or hot path involved — nothing within the Performance lens to evaluate.

  • The diff touches only YAML comment lines (examples/reusable.yml:14-21 and :53-54); the actual uses: reference and job logic are unchanged, so there is no runtime or efficiency impact whatsoever.

Nothing in my area. (No "Outside my lens" note either — a docs-only comment change carries no severe cross-cutting issue.)

🧯 Error handling & edge cases — No material issues found

VERDICT: No material issues found

This PR changes only comment text in examples/reusable.yml (pin-guidance wording: @v1 → immutable @<sha>). There is no code, control flow, or runtime behavior in the diff — both hunks are YAML # comments.

Through the error-handling & edge-cases lens there is nothing to evaluate: no error paths, cleanup, nil/empty/boundary conditions, or input handling are introduced or altered. The example's actual logic (the if: gate, uses:, secrets: block) is untouched.

Nothing in my lane here.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 44s

<!-- gadfly-review:ollama:claude-code/opus --> ### 🪰 Gadfly review — `claude-code/opus` (claude-code) **Verdict: Minor issues** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> This is a documentation-only diff to comment text in `examples/reusable.yml`. I've read the full file to evaluate it through the security lens. **VERDICT: No material issues found** Through the security (supply-chain) lens, this change is sound and, if anything, *improves* security posture: - The diff replaces "use `@v1` for auto-updating stability" with "pin to an immutable `@<sha>`." Pinning a third-party reusable workflow to an immutable commit SHA is the standard supply-chain hardening recommendation — a mutable tag (`@v1`) or branch (`@main`) can be repointed at attacker-controlled code that then executes with the consumer's forwarded secrets. Recommending the immutable pin is the more secure guidance. Verified against the file: the surrounding `secrets:` block (lines 59–63) practices least-privilege forwarding, consistent with the advice. Two honest observations, neither blocking: - `examples/reusable.yml:18-21` — The rewrite drops the explicit *security* rationale the old text carried ("a moved tag … would change what runs with your forwarded secrets") in favor of a staleness/caching rationale. The recommendation lands in the same (secure) place, but the threat-model justification for the SHA pin is now implicit. Re-adding a half-clause on the secrets-execution risk would keep the *why* security-grounded, not just operational. Minor. - `examples/reusable.yml:55` — The prose now says "pin to an immutable `@<sha>`," but the example's actual `uses:` line still ships `@v1`. A copy-paster following the example verbatim inherits a mutable pin despite the advice. This is a pre-existing line untouched by the diff (and the file is a placeholder template, e.g. `your-username`), so it's a doc-consistency nit more than a security defect — and consistency belongs more to the docs lens than mine. Flagging only because it's the exact gap the diff is trying to close. Nothing in the security lane is materially wrong here. </details> <details><summary><b>🎯 Correctness</b> — Minor issues</summary> I've verified the finding against the actual file. Lines 17-21 and 53-54 mandate an immutable `@<sha>` and explicitly warn that `@v1`/`@main` can run stale, yet line 55 still uses `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1`. The inconsistency is real and confirmed. --- **VERDICT: Minor issues** - `examples/reusable.yml:55` — The prose now strongly mandates an immutable `@<sha>` and explicitly warns that `@v1` "can run stale" (lines 17-21 and 53-54), but the actual `uses:` line still pins `@v1`: `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1`. A consumer copy-pasting this stub gets exactly the stale-prone behavior the new comment warns against — the example contradicts its own corrected advice. This PR updated the guidance text but not the demonstrated pin it documents, so the fix is half-applied. Suggested fix: change line 55 to a placeholder consistent with the file's existing style (it already uses `your-username`), e.g. `...review-reusable.yml@<full-40-char-sha>`, so the demonstrated pin matches the recommendation. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — Minor issues</summary> ## VERDICT: Minor issues - **`examples/reusable.yml:55` — the demonstrated `uses:` line contradicts the example's own rewritten advice.** This PR flips the prose (lines 17–21 and 53–54) to "Pin to an immutable `@<sha>`… a moved tag (`@v1`) … is often not re-fetched and silently runs a stale copy," but the actual reference a consumer copies still reads `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1`. Before this change the `@v1` was consistent with the old guidance ("@v1 = curated release tag (auto-updates)"); now the comment immediately above line 55 tells the reader to avoid `@v1` while the line itself demonstrates exactly that anti-pattern. A consumer who copies the file verbatim inherits the stale-cache behavior the new docs warn against. Suggested fix: change line 55 to a placeholder `@<sha>` (with a "replace with a real commit sha" note) so the demonstrated value matches the guidance. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> **VERDICT: No material issues found** This PR changes only documentation comments in `examples/reusable.yml` (the pin-guidance text and the inline `uses:` comment). There is no executable code, no query, loop, allocation, or hot path involved — nothing within the Performance lens to evaluate. - The diff touches only YAML comment lines (`examples/reusable.yml:14-21` and `:53-54`); the actual `uses:` reference and job logic are unchanged, so there is no runtime or efficiency impact whatsoever. Nothing in my area. (No "Outside my lens" note either — a docs-only comment change carries no severe cross-cutting issue.) </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> **VERDICT: No material issues found** This PR changes only comment text in `examples/reusable.yml` (pin-guidance wording: `@v1` → immutable `@<sha>`). There is no code, control flow, or runtime behavior in the diff — both hunks are YAML `#` comments. Through the error-handling & edge-cases lens there is nothing to evaluate: no error paths, cleanup, nil/empty/boundary conditions, or input handling are introduced or altered. The example's actual logic (the `if:` gate, `uses:`, `secrets:` block) is untouched. Nothing in my lane here. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 44s</sub>

🪰 Gadfly review — minimax-m3:cloud (ollama-cloud)

Verdict: Minor issues · ⚠️ 3/5 lens(es) errored — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — Minor issues

VERDICT: Minor issues

Security findings (verified):

  • examples/reusable.yml:55 — The new comment block (lines 17–21 and 53–54) now strongly recommends pinning to an immutable @<sha> and explicitly warns that @v1 can be silently stale due to runner caching. But the actionable uses: line on line 55 still reads steve/gadfly/.gitea/workflows/review-reusable.yml@v1. A consumer who copy-pastes this canonical "shortest way to subscribe" stub gets the exact pattern the comment is warning against — a mutable moving tag executed against their forwarded secrets (OLLAMA_CLOUD_API_KEY, optional CLAUDE_CODE_OAUTH_TOKEN, GADFLY_FINDINGS_TOKEN, etc.). From a supply-chain/integrity angle this defeats the new guidance: the doc now argues for SHA-pinning but the example demonstrates the tag-pin it just argued against. Fix: either change line 55 to @<sha> (a real full SHA) to model the recommended posture, or downgrade the comment to "prefer @<sha>; this example uses @v1 for brevity" so the file is self-consistent. Verified by reading lines 17–21, 53–55 of examples/reusable.yml and grep-confirming there is no other @<sha> example in examples/.
🎯 Correctness⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ollama-cloud/minimax-m3☁️ ollama-cloud/minimax-m3☁️ HTTP 429: too many concurrent requests

🧹 Code cleanliness & maintainability — Minor issues

VERDICT: Minor issues

  • examples/reusable.yml:17–21 and examples/reusable.yml:53–54 carry near-identical guidance about @<sha> pinning plus owner-variable tuning; the inline uses: comment is largely a restatement of the header block. From a cleanliness angle the inline comment could be trimmed to just the actionable instruction (e.g. the pin syntax) and let the header carry the rationale. Verified by reading the whole file.
  • examples/reusable.yml:53 actively contradicts .gitea/workflows/review-reusable.yml:29–31, which still endorses @v1 as a curated-pointer alternative ("Consumers should pin uses: ...@v1 — a curated release tag moved on deliberate releases, so central tuning here propagates without per-consumer edits — or a full @<sha> for an immutable pin. Avoid @main"). The new stub now warns @v1/@main can run stale while the upstream reusable still tells consumers @v1 is fine. Note: this drift is only with review-reusable.ymlREADME.md:316–319 and CLAUDE.md:53–54 actually agree with the stub's new framing (they both already say caching makes moved tags stale and @<sha> is the reliable pin). The corrected claim is therefore narrower than the draft stated: one upstream file (review-reusable.yml) needs alignment, not three.
Performance⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ollama-cloud/minimax-m3☁️ skipped (backed off until 06:10:59.202)

🧯 Error handling & edge cases⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ollama-cloud/minimax-m3☁️ skipped (backed off until 06:10:59.202)

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 3m 0s

<!-- gadfly-review:ollama:minimax-m3:cloud --> ### 🪰 Gadfly review — `minimax-m3:cloud` (ollama-cloud) **Verdict: Minor issues · ⚠️ 3/5 lens(es) errored** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — Minor issues</summary> ## VERDICT: Minor issues **Security findings (verified):** - `examples/reusable.yml:55` — The new comment block (lines 17–21 and 53–54) now strongly recommends pinning to an immutable `@<sha>` and explicitly warns that `@v1` can be silently stale due to runner caching. But the actionable `uses:` line on line 55 still reads `steve/gadfly/.gitea/workflows/review-reusable.yml@v1`. A consumer who copy-pastes this canonical "shortest way to subscribe" stub gets the exact pattern the comment is warning against — a mutable moving tag executed against their forwarded secrets (`OLLAMA_CLOUD_API_KEY`, optional `CLAUDE_CODE_OAUTH_TOKEN`, `GADFLY_FINDINGS_TOKEN`, etc.). From a supply-chain/integrity angle this defeats the new guidance: the doc now argues for SHA-pinning but the example demonstrates the tag-pin it just argued against. Fix: either change line 55 to `@<sha>` (a real full SHA) to model the recommended posture, or downgrade the comment to "prefer `@<sha>`; this example uses `@v1` for brevity" so the file is self-consistent. Verified by reading lines 17–21, 53–55 of `examples/reusable.yml` and grep-confirming there is no other `@<sha>` example in `examples/`. </details> <details><summary><b>🎯 Correctness</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ollama-cloud/minimax-m3:cloud: ollama-cloud/minimax-m3:cloud: HTTP 429: too many concurrent requests </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — Minor issues</summary> VERDICT: Minor issues - `examples/reusable.yml:17–21` and `examples/reusable.yml:53–54` carry near-identical guidance about `@<sha>` pinning plus owner-variable tuning; the inline `uses:` comment is largely a restatement of the header block. From a cleanliness angle the inline comment could be trimmed to just the actionable instruction (e.g. the pin syntax) and let the header carry the rationale. Verified by reading the whole file. - `examples/reusable.yml:53` actively contradicts `.gitea/workflows/review-reusable.yml:29–31`, which still endorses `@v1` as a curated-pointer alternative ("Consumers should pin `uses: ...@v1` — a curated release tag moved on deliberate releases, so central tuning here propagates without per-consumer edits — or a full `@<sha>` for an immutable pin. Avoid `@main`"). The new stub now warns `@v1/@main can run stale` while the upstream reusable still tells consumers `@v1` is fine. Note: this drift is only with `review-reusable.yml` — `README.md:316–319` and `CLAUDE.md:53–54` actually agree with the stub's new framing (they both already say caching makes moved tags stale and `@<sha>` is the reliable pin). The corrected claim is therefore narrower than the draft stated: one upstream file (`review-reusable.yml`) needs alignment, not three. </details> <details><summary><b>⚡ Performance</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ollama-cloud/minimax-m3:cloud: skipped (backed off until 06:10:59.202) </details> <details><summary><b>🧯 Error handling & edge cases</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ollama-cloud/minimax-m3:cloud: skipped (backed off until 06:10:59.202) </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 3m 0s</sub>

🪰 Gadfly review — claude-code/sonnet (claude-code)

Verdict: Minor issues — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

Verdict: No material issues found

This diff is purely a documentation/comment update. Through the security lens:

  • uses: pin unchanged (@v1 on line 55): The diff correctly warns in comments that @v1 and @main can silently run stale copies due to act_runner caching — but notably, the uses: line itself still reads @v1, consistent with this being a consumer example that the adopter is expected to swap for a real SHA. The new comment text makes this guidance unambiguous. No security regression here.
  • Secret forwarding (lines 59–63): Unchanged. Explicit least-privilege forwarding; no new secrets added or exposed.
  • No shell interpolation or tainted input introduced by this change.
  • No credentials, tokens, or sensitive values appear anywhere in the diff.

The change correctly strengthens supply-chain guidance (immutable SHA over mutable tag), which is a net security improvement in the documentation.

🎯 Correctness — Minor issues

The finding is confirmed. Line 55 reads uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1 while lines 53–54 instruct the reader to "Pin to an immutable @<sha>" — a direct contradiction in copy-paste example code.

Minor issues

  • examples/reusable.yml:53-55 — The inline comment says "Pin to an immutable @<sha>" (imperative), but the uses: line immediately below it still reads @v1:

    # Pin to an immutable @<sha> (runners cache the ref, so @v1/@main can run
    # stale). Bump it for structural changes; tune the swarm via owner variables.
    uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1   # ← contradicts the comment
    

    The same inconsistency appears in the block comment at lines 17–21, which also instructs @<sha> while the operative uses: line stays at @v1. A consumer copying this stub verbatim will do exactly what the comment says not to do.

    Fix: Either update the uses: line to a real immutable SHA (with a note to substitute the current one), or soften the comment to "prefer @<sha>; this example uses @v1 as a readable placeholder — replace it with an immutable SHA before deploying."

🧹 Code cleanliness & maintainability — Minor issues

The finding is confirmed. Line 55 reads uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1 while the comment immediately above (lines 53-54) advises pinning to an immutable @<sha>.

Minor issues

  • examples/reusable.yml:53-55 — comment contradicts the example code it introduces

    The updated comment says "Pin to an immutable @<sha>" but the very next line still reads:

    uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1
    

    This is the primary file users are told to copy verbatim ("Copy to .gitea/workflows/adversarial-review.yml in your repo"). After this PR, a reader who follows the comment advice will expect a sha, but will copy @v1 anyway — the exact thing the comment just warned against. The old comment at least matched the code it sat above.

    Suggested fix: change the uses: line to a sha-shaped placeholder so the example and the comment are consistent:

    uses: steve/gadfly/.gitea/workflows/review-reusable.yml@<sha>
    

    (or document a real immutable sha and keep it updated). The inline comment on lines 14-21 has the same issue but is less acute because it isn't immediately adjacent to executable code.

Performance — No material issues found

All changes in this PR are pure comment edits inside a YAML example file. No executable code, no data structures, no algorithms, no runtime paths of any kind were touched.


No material issues found

This PR modifies only inline comments in examples/reusable.yml — no logic, no data flow, no runtime behavior exists to evaluate. Performance lens has nothing to assess here.

🧯 Error handling & edge cases — No material issues found

Verdict: No material issues found

This PR is a documentation-only change — both hunks modify only YAML comments explaining how to pin the reusable workflow reference. There is no code, logic, error handling, or control flow touched. My lens (error handling & edge cases) has nothing to evaluate here.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 14s

<!-- gadfly-review:ollama:claude-code/sonnet --> ### 🪰 Gadfly review — `claude-code/sonnet` (claude-code) **Verdict: Minor issues** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> **Verdict: No material issues found** This diff is purely a documentation/comment update. Through the security lens: - **`uses:` pin unchanged** (`@v1` on line 55): The diff correctly warns in comments that `@v1` and `@main` can silently run stale copies due to act_runner caching — but notably, the `uses:` line itself still reads `@v1`, consistent with this being a *consumer example* that the adopter is expected to swap for a real SHA. The new comment text makes this guidance unambiguous. No security regression here. - **Secret forwarding** (lines 59–63): Unchanged. Explicit least-privilege forwarding; no new secrets added or exposed. - **No shell interpolation or tainted input** introduced by this change. - **No credentials, tokens, or sensitive values** appear anywhere in the diff. The change correctly strengthens supply-chain guidance (immutable SHA over mutable tag), which is a net security improvement in the documentation. </details> <details><summary><b>🎯 Correctness</b> — Minor issues</summary> The finding is confirmed. Line 55 reads `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1` while lines 53–54 instruct the reader to "Pin to an immutable `@<sha>`" — a direct contradiction in copy-paste example code. **Minor issues** - **`examples/reusable.yml:53-55`** — The inline comment says **"Pin to an immutable `@<sha>`"** (imperative), but the `uses:` line immediately below it still reads `@v1`: ```yaml # Pin to an immutable @<sha> (runners cache the ref, so @v1/@main can run # stale). Bump it for structural changes; tune the swarm via owner variables. uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1 # ← contradicts the comment ``` The same inconsistency appears in the block comment at lines 17–21, which also instructs `@<sha>` while the operative `uses:` line stays at `@v1`. A consumer copying this stub verbatim will do exactly what the comment says not to do. **Fix:** Either update the `uses:` line to a real immutable SHA (with a note to substitute the current one), or soften the comment to "prefer `@<sha>`; this example uses `@v1` as a readable placeholder — replace it with an immutable SHA before deploying." </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — Minor issues</summary> The finding is confirmed. Line 55 reads `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1` while the comment immediately above (lines 53-54) advises pinning to an immutable `@<sha>`. **Minor issues** - **`examples/reusable.yml:53-55` — comment contradicts the example code it introduces** The updated comment says "Pin to an immutable `@<sha>`" but the very next line still reads: ```yaml uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1 ``` This is the primary file users are told to copy verbatim ("Copy to `.gitea/workflows/adversarial-review.yml` in your repo"). After this PR, a reader who follows the comment advice will expect a sha, but will copy `@v1` anyway — the exact thing the comment just warned against. The old comment at least matched the code it sat above. Suggested fix: change the `uses:` line to a sha-shaped placeholder so the example and the comment are consistent: ```yaml uses: steve/gadfly/.gitea/workflows/review-reusable.yml@<sha> ``` (or document a real immutable sha and keep it updated). The inline comment on lines 14-21 has the same issue but is less acute because it isn't immediately adjacent to executable code. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> All changes in this PR are pure comment edits inside a YAML example file. No executable code, no data structures, no algorithms, no runtime paths of any kind were touched. --- **No material issues found** This PR modifies only inline comments in `examples/reusable.yml` — no logic, no data flow, no runtime behavior exists to evaluate. Performance lens has nothing to assess here. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> **Verdict: No material issues found** This PR is a documentation-only change — both hunks modify only YAML comments explaining how to pin the reusable workflow reference. There is no code, logic, error handling, or control flow touched. My lens (error handling & edge cases) has nothing to evaluate here. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 14s</sub>

🪰 Gadfly review — ragnaros/qwen3.6-27b (ragnaros)

Review incomplete — all lenses errored — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ragnaros/qwen3.6-27b: ragnaros/qwen3.6-27b: HTTP 500: {"error":{"code":500,"message":"Context size has been exceeded.","type":"server_error"}}

🎯 Correctness⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643)

🧹 Code cleanliness & maintainability⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643)

Performance⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643)

🧯 Error handling & edge cases⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643)

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 27s

<!-- gadfly-review:ollama:ragnaros/qwen3.6-27b --> ### 🪰 Gadfly review — `ragnaros/qwen3.6-27b` (ragnaros) **Review incomplete — all lenses errored** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ragnaros/qwen3.6-27b: ragnaros/qwen3.6-27b: HTTP 500: {"error":{"code":500,"message":"Context size has been exceeded.","type":"server_error"}} </details> <details><summary><b>🎯 Correctness</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643) </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643) </details> <details><summary><b>⚡ Performance</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643) </details> <details><summary><b>🧯 Error handling & edge cases</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ragnaros/qwen3.6-27b: skipped (backed off until 06:11:25.643) </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 27s</sub>

🪰 Gadfly review — deepseek-v4-pro:cloud (ollama-cloud)

Verdict: Minor issues · ⚠️ 3/5 lens(es) errored — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — Minor issues

Verdict: Minor issues

  • examples/reusable.yml:55 — Example still uses the now-discouraged @v1. The comment on lines 53–54 says "Pin to an immutable @<sha> (runners cache the ref, so @v1/@main can run stale)," but the actual uses: line right below it still reads uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1. A user who copies this template and only substitutes the repo path — without reading the surrounding prose — will ship the very mutable-ref pattern the new comments warn against. The example should practice what it preaches: either swap @v1 for a real @<sha> (and note that the user must update it), or at minimum add an inline # FIXME: replace @v1 with @<sha> on that line so the insecure default is impossible to miss. (Confirmed against the checked-out file.)

No other security issues (injection, credential leakage, authz gaps, unsafe deserialization, SSRF) are present in this docs-only diff.

🎯 Correctness — Minor issues

The finding is confirmed. The comment on lines 53-54 explicitly advises pinning to an immutable @<sha>, yet the uses: directive on line 55 still references @v1. This is a genuine self-contradiction in the example file.

Verdict: Minor issues

  • examples/reusable.yml:53-55 — Self-contradictory example: comment says "Pin to an immutable @" but the uses: line still references @v1. A user who copies this file as a template is told to do one thing while the actual line models the opposite. The uses: reference should be updated to a real or placeholder @<sha> so the example is internally consistent with its own guidance.
🧹 Code cleanliness & maintainability⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ollama-cloud/deepseek-v4-pro☁️ ollama-cloud/deepseek-v4-pro☁️ HTTP 429: too many concurrent requests

Performance⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ollama-cloud/deepseek-v4-pro☁️ skipped (backed off until 06:10:59.172)

🧯 Error handling & edge cases⚠️ could not complete

⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed
ollama-cloud/deepseek-v4-pro☁️ skipped (backed off until 06:10:59.172)

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 53s

<!-- gadfly-review:ollama:deepseek-v4-pro:cloud --> ### 🪰 Gadfly review — `deepseek-v4-pro:cloud` (ollama-cloud) **Verdict: Minor issues · ⚠️ 3/5 lens(es) errored** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — Minor issues</summary> ## Verdict: Minor issues - **`examples/reusable.yml:55` — Example still uses the now-discouraged `@v1`.** The comment on lines 53–54 says "Pin to an immutable @\<sha\> (runners cache the ref, so @v1/@main can run stale)," but the actual `uses:` line right below it still reads `uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1`. A user who copies this template and only substitutes the repo path — without reading the surrounding prose — will ship the very mutable-ref pattern the new comments warn against. The example should practice what it preaches: either swap `@v1` for a real `@<sha>` (and note that the user must update it), or at minimum add an inline `# FIXME: replace @v1 with @<sha>` on that line so the insecure default is impossible to miss. *(Confirmed against the checked-out file.)* No other security issues (injection, credential leakage, authz gaps, unsafe deserialization, SSRF) are present in this docs-only diff. </details> <details><summary><b>🎯 Correctness</b> — Minor issues</summary> The finding is confirmed. The comment on lines 53-54 explicitly advises pinning to an immutable `@<sha>`, yet the `uses:` directive on line 55 still references `@v1`. This is a genuine self-contradiction in the example file. **Verdict: Minor issues** - **`examples/reusable.yml:53-55` — Self-contradictory example: comment says "Pin to an immutable @<sha>" but the `uses:` line still references `@v1`.** A user who copies this file as a template is told to do one thing while the actual line models the opposite. The `uses:` reference should be updated to a real or placeholder `@<sha>` so the example is internally consistent with its own guidance. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ollama-cloud/deepseek-v4-pro:cloud: ollama-cloud/deepseek-v4-pro:cloud: HTTP 429: too many concurrent requests </details> <details><summary><b>⚡ Performance</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ollama-cloud/deepseek-v4-pro:cloud: skipped (backed off until 06:10:59.172) </details> <details><summary><b>🧯 Error handling & edge cases</b> — ⚠️ could not complete</summary> ⚠️ This reviewer failed to complete: agent: step 0: all chain targets failed ollama-cloud/deepseek-v4-pro:cloud: skipped (backed off until 06:10:59.172) </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 1m 53s</sub>

🪰 Gadfly review — claude-code/opus:max (claude-code)

Verdict: Minor issues — 5 reviewers: security, correctness, maintainability, performance, error-handling

🔒 Security — No material issues found

This is a documentation-only change to an example workflow's comments. I've verified it against the actual file. Delivering my security-lens review.


VERDICT: No material issues found

Through the 🔒 Security lens, this change is net-positive and introduces nothing exploitable:

  • examples/reusable.yml:17-21 — The diff replaces "prefer @v1 for auto-updating stability" with a recommendation to pin to an immutable @<sha>. From a supply-chain/security standpoint this strengthens the guidance: pinning a third-party reusable workflow to an immutable commit is the secure posture, since a moved tag (@v1/@main) can silently change what executes with the consumer's forwarded secrets. No tainted-input, injection, authz, or secret-leakage surface is touched — it's comment text only. Verified by reading the full file.

  • Minor observation (not blocking, and arguably outside this lens): the prose now justifies avoiding @v1/@main purely as a caching/staleness concern and drops the old explicit security rationale ("would change what runs with your forwarded secrets"). The secret-exposure angle was the stronger reason to pin immutably; folding it entirely into a staleness argument slightly weakens the security framing even though the recommended action is correct. Optional: keep one clause noting that a moved ref also changes what runs against your forwarded secrets.

  • Consistency note for another lens (docs/maintainability, not security): the uses: line at examples/reusable.yml:55 still pins @v1 while the surrounding comments now tell users to use @<sha>. Not a security defect — just a teach-by-example mismatch a docs reviewer should catch.

No authn/authz gaps, injection, SSRF, deserialization, secret leakage, or input-validation issues are in scope for this diff — it changes only YAML comments.

🎯 Correctness — Minor issues

I've verified the draft's claims against the actual source. Both the diff and the surrounding files confirm the central finding.

VERDICT: Minor issues

This is a docs-only change to a copy-paste consumer stub. The new prose is factually accurate, but the change leaves the example internally inconsistent with its own new recommendation.

Findings

  • examples/reusable.yml:55 — the example still ships @v1, the exact ref the new comment tells you not to use. Lines 17-21 and 53-54 now recommend "Pin to an immutable @<sha>" and warn that "a moved tag (@v1) or @main is often not re-fetched and silently runs a stale copy" — yet the actual uses: line is still steve/gadfly/.gitea/workflows/review-reusable.yml@v1. A consumer who copies this stub verbatim (its stated purpose, line 2) gets exactly the cache-stale behavior the comment warns against. The prior version was self-consistent ("@v1 … or swap for a full @", matching the @v1 in code); this PR updates the advice but not the demonstration. README confirms the intended guidance (README.md:316-318: reusable-workflow consumers "should pin the workflow ref to an immutable review-reusable.yml@<sha>").
    • Fix: make the example demonstrate the advice, e.g. ...@<sha> # replace with the SHA from a Gadfly release, or keep @v1 with an explicit # example only — pin a real @<sha> so the placeholder is clearly a placeholder.

Outside the diff

The sibling reusable workflow .gitea/workflows/review-reusable.yml:29-31 still carries the older advice this PR deprecates ("Consumers should pin uses: ...@v1 — a curated release tag … or a full @<sha>"). Not in this diff, but it now contradicts both the README and this corrected example — worth a follow-up so the pin guidance is consistent project-wide.

🧹 Code cleanliness & maintainability — Minor issues

Both findings check out against the actual files. Line 55 of examples/reusable.yml still reads @v1 while the comment block (lines 17–19, 53–54) now explicitly warns against @v1 and tells readers to pin to an immutable @<sha>. And review-reusable.yml lines 29–31 still recommend @v1 for "auto-updating" propagation, which contradicts lines 42–43 of the same file (moved tag is NOT re-fetched; only a runtime value or fresh @<sha> bypasses the cache), and lines 9/55 of the skeleton carry @v1. Both are confirmed.

VERDICT: Minor issues

  • examples/reusable.yml:55 — the example contradicts its own freshly-corrected guidance. The updated comments now state "Pin to an immutable @<sha>" and explicitly flag @v1 as a moved tag that "is often not re-fetched and silently runs a stale copy" (lines 17–19, 53–54), yet the actual directive on line 55 still reads ...review-reusable.yml@v1. A consumer who copies this stub verbatim — the file's stated purpose (line 2) — gets exactly the stale-run behavior the comment warns against. Fix: change line 55 to a placeholder like ...review-reusable.yml@<commit-sha>, keeping @v1 only as the "bad example" in prose.

  • .gitea/workflows/review-reusable.yml:9, 29–31 — sibling doc still carries the old, now-contradicted guidance. Lines 29–31 still say "Consumers should pin uses: ...@v1 — a curated release tag moved on deliberate releases, so central tuning here propagates without per-consumer edits." That claim is the one this change corrects elsewhere, and it already contradicts lines 42–43 of the same file ("a moved tag is NOT re-fetched; only a runtime value or a fresh @<sha> bypasses the cache"). CLAUDE.md's maintenance rule treats stale docs as a bug and asks for doc updates "in the same change"; this header (and the @v1 in the skeleton at line 9) was left behind. Fix: align lines 9 and 29–31 with the immutable-@<sha> recommendation now in the README and example.

Net: the prose edits are correct, but the change updated the narrative text while leaving the two concrete @v1 references (the copy-pasted example directive and the reusable's own header) saying the opposite — readers following either literally land in the stale-cache trap.

Performance — No material issues found

VERDICT: No material issues found

This is a documentation-only change — it rewrites two comment blocks in examples/reusable.yml (the pin-guidance prose and the inline uses: comment). There is no executable code, no query path, no loop, no allocation, and no runtime behavior altered by this diff.

  • Nothing in the Performance lens applies: comment text in an example workflow has zero efficiency surface (no hot path, no N+1, no unbounded growth, no blocking call).
  • I did not need repository tools to confirm this — the diff touches only #-prefixed lines and the existing uses: line is unchanged in effect.

Outside my lens: the substance of the guidance change (runners cache @v1 by ref → prefer @<sha>) is consistent with the documented Lessons/architecture notes in CLAUDE.md, so it reads as accurate, but correctness/docs is another reviewer's call.

🧯 Error handling & edge cases — No material issues found

VERDICT: No material issues found

This diff changes only comment text in examples/reusable.yml (the pin-guidance lines at examples/reusable.yml:17-21 and :53-54). I read the full file to confirm there is no accompanying code change — no scripts, no logic, no error paths, no input parsing.

Through the error handling & edge cases lens there is nothing to evaluate: no swallowed errors, no cleanup/rollback, no nil/empty/zero/boundary conditions, and no unhappy paths are introduced or altered by a comment-only edit. Verified by reading examples/reusable.yml end to end.

Outside my lens (one line, severe-ish only as doc accuracy, not error handling): the new comment at examples/reusable.yml:53 advises pinning to an immutable @<sha>, but the actual uses: on :55 still resolves to @v1 — a correctness/docs reviewer should confirm that's intended for an example stub rather than a copy that contradicts its own guidance.

Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 2m 0s

<!-- gadfly-review:ollama:claude-code/opus:max --> ### 🪰 Gadfly review — `claude-code/opus:max` (claude-code) **Verdict: Minor issues** — 5 reviewers: security, correctness, maintainability, performance, error-handling <details><summary><b>🔒 Security</b> — No material issues found</summary> This is a documentation-only change to an example workflow's comments. I've verified it against the actual file. Delivering my security-lens review. --- **VERDICT: No material issues found** Through the 🔒 Security lens, this change is net-positive and introduces nothing exploitable: - `examples/reusable.yml:17-21` — The diff replaces "prefer `@v1` for auto-updating stability" with a recommendation to pin to an immutable `@<sha>`. From a supply-chain/security standpoint this *strengthens* the guidance: pinning a third-party reusable workflow to an immutable commit is the secure posture, since a moved tag (`@v1`/`@main`) can silently change what executes with the consumer's forwarded secrets. No tainted-input, injection, authz, or secret-leakage surface is touched — it's comment text only. Verified by reading the full file. - Minor observation (not blocking, and arguably outside this lens): the prose now justifies avoiding `@v1`/`@main` purely as a *caching/staleness* concern and drops the old explicit security rationale ("would change what runs with your forwarded secrets"). The secret-exposure angle was the stronger reason to pin immutably; folding it entirely into a staleness argument slightly weakens the security framing even though the recommended action is correct. Optional: keep one clause noting that a moved ref also changes what runs against your forwarded secrets. - Consistency note for another lens (docs/maintainability, not security): the `uses:` line at `examples/reusable.yml:55` still pins `@v1` while the surrounding comments now tell users to use `@<sha>`. Not a security defect — just a teach-by-example mismatch a docs reviewer should catch. No authn/authz gaps, injection, SSRF, deserialization, secret leakage, or input-validation issues are in scope for this diff — it changes only YAML comments. </details> <details><summary><b>🎯 Correctness</b> — Minor issues</summary> I've verified the draft's claims against the actual source. Both the diff and the surrounding files confirm the central finding. ## VERDICT: Minor issues This is a docs-only change to a copy-paste consumer stub. The new prose is factually accurate, but the change leaves the example internally inconsistent with its own new recommendation. ### Findings - **`examples/reusable.yml:55` — the example still ships `@v1`, the exact ref the new comment tells you not to use.** Lines 17-21 and 53-54 now recommend *"Pin to an immutable `@<sha>`"* and warn that *"a moved tag (`@v1`) or `@main` is often not re-fetched and silently runs a stale copy"* — yet the actual `uses:` line is still `steve/gadfly/.gitea/workflows/review-reusable.yml@v1`. A consumer who copies this stub verbatim (its stated purpose, line 2) gets exactly the cache-stale behavior the comment warns against. The prior version was self-consistent ("@v1 … or swap for a full @<sha>", matching the `@v1` in code); this PR updates the advice but not the demonstration. README confirms the intended guidance (`README.md:316-318`: reusable-workflow consumers *"should pin the workflow ref to an immutable `review-reusable.yml@<sha>`"*). - *Fix:* make the example demonstrate the advice, e.g. `...@<sha> # replace with the SHA from a Gadfly release`, or keep `@v1` with an explicit `# example only — pin a real @<sha>` so the placeholder is clearly a placeholder. ### Outside the diff The sibling reusable workflow `.gitea/workflows/review-reusable.yml:29-31` still carries the older advice this PR deprecates (*"Consumers should pin `uses: ...@v1` — a curated release tag … or a full `@<sha>`"*). Not in this diff, but it now contradicts both the README and this corrected example — worth a follow-up so the pin guidance is consistent project-wide. </details> <details><summary><b>🧹 Code cleanliness & maintainability</b> — Minor issues</summary> Both findings check out against the actual files. Line 55 of `examples/reusable.yml` still reads `@v1` while the comment block (lines 17–19, 53–54) now explicitly warns against `@v1` and tells readers to pin to an immutable `@<sha>`. And `review-reusable.yml` lines 29–31 still recommend `@v1` for "auto-updating" propagation, which contradicts lines 42–43 of the same file (moved tag is NOT re-fetched; only a runtime value or fresh `@<sha>` bypasses the cache), and lines 9/55 of the skeleton carry `@v1`. Both are confirmed. ## VERDICT: Minor issues - **`examples/reusable.yml:55` — the example contradicts its own freshly-corrected guidance.** The updated comments now state "Pin to an immutable `@<sha>`" and explicitly flag `@v1` as a moved tag that "is often not re-fetched and silently runs a stale copy" (lines 17–19, 53–54), yet the actual directive on line 55 still reads `...review-reusable.yml@v1`. A consumer who copies this stub verbatim — the file's stated purpose (line 2) — gets exactly the stale-run behavior the comment warns against. Fix: change line 55 to a placeholder like `...review-reusable.yml@<commit-sha>`, keeping `@v1` only as the "bad example" in prose. - **`.gitea/workflows/review-reusable.yml:9, 29–31` — sibling doc still carries the old, now-contradicted guidance.** Lines 29–31 still say *"Consumers should pin `uses: ...@v1` — a curated release tag moved on deliberate releases, so central tuning here propagates without per-consumer edits."* That claim is the one this change corrects elsewhere, and it already contradicts lines 42–43 of the *same file* ("a moved tag is NOT re-fetched; only a runtime value or a fresh `@<sha>` bypasses the cache"). CLAUDE.md's maintenance rule treats stale docs as a bug and asks for doc updates "in the *same* change"; this header (and the `@v1` in the skeleton at line 9) was left behind. Fix: align lines 9 and 29–31 with the immutable-`@<sha>` recommendation now in the README and example. Net: the prose edits are correct, but the change updated the narrative text while leaving the two concrete `@v1` references (the copy-pasted example directive and the reusable's own header) saying the opposite — readers following either literally land in the stale-cache trap. </details> <details><summary><b>⚡ Performance</b> — No material issues found</summary> **VERDICT: No material issues found** This is a documentation-only change — it rewrites two comment blocks in `examples/reusable.yml` (the pin-guidance prose and the inline `uses:` comment). There is no executable code, no query path, no loop, no allocation, and no runtime behavior altered by this diff. - Nothing in the Performance lens applies: comment text in an example workflow has zero efficiency surface (no hot path, no N+1, no unbounded growth, no blocking call). - I did not need repository tools to confirm this — the diff touches only `#`-prefixed lines and the existing `uses:` line is unchanged in effect. Outside my lens: the substance of the guidance change (runners cache `@v1` by ref → prefer `@<sha>`) is consistent with the documented `Lessons`/architecture notes in `CLAUDE.md`, so it reads as accurate, but correctness/docs is another reviewer's call. </details> <details><summary><b>🧯 Error handling & edge cases</b> — No material issues found</summary> **VERDICT: No material issues found** This diff changes only comment text in `examples/reusable.yml` (the pin-guidance lines at `examples/reusable.yml:17-21` and `:53-54`). I read the full file to confirm there is no accompanying code change — no scripts, no logic, no error paths, no input parsing. Through the **error handling & edge cases** lens there is nothing to evaluate: no swallowed errors, no cleanup/rollback, no nil/empty/zero/boundary conditions, and no unhappy paths are introduced or altered by a comment-only edit. Verified by reading `examples/reusable.yml` end to end. Outside my lens (one line, severe-ish only as doc accuracy, not error handling): the new comment at `examples/reusable.yml:53` advises pinning to an immutable `@<sha>`, but the actual `uses:` on `:55` still resolves to `@v1` — a correctness/docs reviewer should confirm that's intended for an example stub rather than a copy that contradicts its own guidance. </details> <sub>Automated adversarial review by Gadfly. Advisory only — does not block merge. · ⏱️ reviewed in 2m 0s</sub>
steve merged commit f49699fc12 into main 2026-06-28 22:09:07 +00:00
steve deleted branch test/trigger-check 2026-06-28 22:09:07 +00:00
Sign in to join this conversation.
No Reviewers
No Label
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: steve/gadfly#15