security: scope reusable-workflow secrets (least privilege) over secrets: inherit #9

Merged
steve merged 3 commits from sec/scope-secrets into main 2026-06-28 01:17:16 +00:00
2 changed files with 2 additions and 2 deletions
Showing only changes of commit daff6d08a1 - Show all commits
+1 -1
View File
@@ -92,7 +92,7 @@ jobs:
COMMENT_BODY: ${{ github.event.comment.body }}
COMMENT_ID: ${{ github.event.comment.id }}
ACTOR: ${{ github.actor }}
# --- provider auth (via secrets: inherit; empty if consumer unset) -
# --- provider auth (forwarded workflow_call secrets; empty if the caller doesn't forward it) -
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+1 -1
View File
@@ -47,7 +47,7 @@ entrypoint.sh container brains: trigger gating, PR clone, model loop (t
Dockerfile multi-stage; private-module creds via BuildKit secrets never reach the final image
.gitea/workflows/build-image.yml push main → :latest; tag v* → :<tag>+:latest; PR → build-only
.gitea/workflows/review-reusable.yml reusable (workflow_call) review job; consumers subscribe with
an ~8-line caller + `secrets: inherit` (Phase 4). gadfly's own
an ~8-line caller forwarding only the secrets the reviewer needs (Phase 4). gadfly's own
adversarial-review.yml is a thin caller of it (dogfoods the path).
examples/ copy-paste consumer stub workflows for different providers
```