security: scope reusable-workflow secrets (least privilege) over secrets: inherit #9
@@ -92,7 +92,7 @@ jobs:
COMMENT_BODY: ${{ github.event.comment.body }}
COMMENT_ID: ${{ github.event.comment.id }}
ACTOR: ${{ github.actor }}
# --- provider auth (via secrets: inherit; empty if consumer unset) -
# --- provider auth (forwarded workflow_call secrets; empty if the caller doesn't forward it) -
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
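Review bot: the new comment on the provider-auth block says the three keys are forwarded workflow_call secrets, but nothing in this hunk shows them declared under `on.workflow_call.secrets`; once the caller forwards secrets explicitly instead of using `secrets: inherit`, any secret it passes must be declared there or the call is rejected, and each of `OLLAMA_CLOUD_API_KEY`, `OPENAI_API_KEY` and `ANTHROPIC_API_KEY` should be `required: false` so a consumer forwarding only its own provider's key still validates and the others stay empty as the comment promises. Adding a short pointer in the comment to that declaration would keep the two in sync.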
@@ -47,7 +47,7 @@ entrypoint.sh container brains: trigger gating, PR clone, model loop (t
Dockerfile multi-stage; private-module creds via BuildKit secrets never reach the final image
.gitea/workflows/build-image.yml push main → :latest; tag v* → :<tag>+:latest; PR → build-only
.gitea/workflows/review-reusable.yml reusable (workflow_call) review job; consumers subscribe with
an ~8-line caller + `secrets: inherit` (Phase 4). gadfly's own
an ~8-line caller forwarding only the secrets the reviewer needs (Phase 4). gadfly's own
adversarial-review.yml is a thin caller of it (dogfoods the path).
examples/ copy-paste consumer stub workflows for different providers
```
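Review bot: the rewritten description drops the `secrets: inherit` advice but leaves "only the secrets the reviewer needs" unspecified; since the line directly below advertises `examples/` as copy-paste consumer stubs, name the secret needed per provider here (or point at the matching stub) and confirm in this PR that those stubs no longer use `secrets: inherit`, otherwise a consumer who pastes an example lands back on the broad grant this change is meant to remove.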