feat: Phase 4 — reusable "subscribe" workflow (+ dogfood it) #8

Merged
steve merged 2 commits from feat/phase4-reusable-wf into main 2026-06-27 23:42:02 +00:00

2 Commits

Author SHA1 Message Date
steve 27aa92a6e0 fix: fold in PR #8 review findings (reusable workflow)
Build & push image / build-and-push (pull_request) Successful in 7s
The swarm reviewed PR #8 *through the reusable path itself* — proving
github.event context propagates into a workflow_call reusable workflow on
this act_runner (the one part the probes hadn't covered). Folded in the
warranted findings:

- review-reusable.yml: bump timeout_minutes default 30 -> 45 (a multi-
  model/slow-lens review can exceed 30); map the generic GADFLY_API_KEY
  secret (was missing); add an explicit permissions block; drop the dead
  `specialist_suite` input.
- examples/reusable.yml: actor gate now also requires
  github.event.issue.pull_request (so an issue-comment on a plain issue
  doesn't waste a runner), and a note to pin @<ref> to a release tag.

Graded ~70 findings (heavy clustering): the real ones above + several
by-design/documented (inputs replace vars-overrides; only M1/M5 named
endpoints mapped) and many false positives (IS_DRAFT pattern, GITEA_TOKEN
via inherit, "empty specialists" misread — empty does default).

YAML validated; Go unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 19:41:45 -04:00
steve 0a01c3ae91 feat: Phase 4 — reusable workflow ("subscribe") + dogfood it
Build & push image / build-and-push (pull_request) Successful in 5s
Adversarial Review (Gadfly) / review (pull_request) Successful in 14m49s
Centralizes the ~90-line consumer stub into a reusable Gitea workflow so a
repo can subscribe to Gadfly with a tiny caller. Feasibility was probe-
verified on this act_runner: workflow_call runs, secrets: inherit
delivers, and a fully-qualified owner/repo/path@ref resolves.

- .gitea/workflows/review-reusable.yml: `on: workflow_call` job holding
  the image pin + all env plumbing. Inputs (models/specialists/provider/
  concurrency/timeouts/allowed_users/…) default to "" so an empty value
  falls back to the image's own default — caller overrides only what it
  wants. Secrets via `secrets: inherit` (optional ones resolve empty).
- adversarial-review.yml: gadfly's own dogfood is now a thin CALLER of the
  reusable (proves it end-to-end; advisory so safe to dogfood).
- examples/reusable.yml: the slim ~8-line consumer stub.
- README / examples/README / CLAUDE.md document the subscribe path.

Caveat: consumers with arbitrary GADFLY_ENDPOINT_<NAME>s still need the
full stub (a reusable workflow can't enumerate dynamic secret names).
YAML validated; Go unchanged (build + test green).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 19:14:03 -04:00
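
The caller side that these commit messages describe, as an added illustration (constructed here, not the project's `examples/reusable.yml`). Comment-triggered runs are gated on both the commenter and `github.event.issue.pull_request`, and the reusable workflow is pinned to a release tag because `secrets: inherit` hands the caller's secrets to whatever that ref resolves to. `OWNER/REPO`, `<release-tag>`, the trigger list and the user name `alice` are placeholders or assumptions.

```yaml
# Constructed caller workflow (illustration only, not the project's file).
# OWNER/REPO, <release-tag> and the user name "alice" are placeholders.
name: Adversarial Review (caller)

on:
  pull_request:
    types: [opened, synchronize, reopened]
  issue_comment:            # assumed trigger for an on-demand review
    types: [created]

jobs:
  review:
    # issue_comment fires for comments on plain issues and on PRs alike.
    #
    # Actor-only gate (the "before" state): a comment by an allowed user on
    # a plain issue still starts the job and occupies a runner.
    #   if: github.event_name == 'pull_request' || github.actor == 'alice'
    #
    # Gate with the additional PR check: github.event.issue.pull_request is
    # only present when the commented-on issue is a pull request.
    if: >-
      github.event_name == 'pull_request' ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       github.actor == 'alice')

    # Pin to a release tag rather than a branch: with `secrets: inherit`,
    # a change to the referenced workflow runs with this repo's secrets.
    uses: OWNER/REPO/.gitea/workflows/review-reusable.yml@<release-tag>
    secrets: inherit

    # No `with:` block: per the commit message, inputs left empty fall back
    # to the image's own defaults, so the caller overrides only what it needs.
```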