Files
gadfly/examples/README.md
T
Steve Dudenhoeffer f06fe5ef72
Adversarial Review (Gadfly) / review (pull_request) Failing after 2s
Build & push image / build-and-push (pull_request) Successful in 6s
security: scope reusable-workflow secrets (least privilege) over secrets: inherit
The swarm (reviewing the mort/executus rollout PRs) correctly flagged that
`secrets: inherit` forwards EVERY caller secret to the reusable review
workflow — registry/deploy/db creds the reviewer never touches. Fix:

- review-reusable.yml: declare workflow_call.secrets (all optional) so a
  caller can forward only what the reviewer needs.
- adversarial-review.yml (gadfly's own caller) + examples/reusable.yml:
  replace `secrets: inherit` with an explicit forward of just
  OLLAMA_CLOUD_API_KEY / CLAUDE_CODE_OAUTH_TOKEN / findings tokens.
  GITEA_TOKEN stays automatic.
- Docs (README, examples) updated; also advise pinning consumers to an
  immutable @<sha> instead of @main (supply-chain, the other finding).

gadfly's own review on this PR exercises the explicit-secrets path (local
reusable ref) — validating it on the act_runner before mort/executus adopt it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 20:45:18 -04:00

2.2 KiB

Example consumer workflows

Each file here is a complete, copy-paste stub workflow. Pick the one that matches your setup, copy it to .gitea/workflows/adversarial-review.yml in the repo you want reviewed, and set the secrets/vars it references. Gadfly is advisory only — it never blocks a merge.

File Backend Needs
reusable.yml slimmest stub — calls Gadfly's reusable workflow, forwarding only the secrets the reviewer needs (least privilege, not secrets: inherit); take the defaults or override a few inputs secret OLLAMA_CLOUD_API_KEY
adversarial-review.yml Ollama Cloud (default) + inline notes for every provider; full self-contained stub secret OLLAMA_CLOUD_API_KEY
local-ollama.yml a local/LAN Ollama daemon nothing (or GADFLY_BASE_URL for a remote host)
openai-compatible.yml any OpenAI-compatible endpoint (local Ollama /v1, gateway, vLLM, OpenRouter…) GADFLY_BASE_URL (+ a key for most gateways)
endpoint-aliases.yml several named backends at once (one comment each) repo vars GADFLY_ENDPOINT_<NAME>
claude-code.yml the bundled Claude Code CLI engine (claude-code/<model>) secret CLAUDE_CODE_OAUTH_TOKEN (or ANTHROPIC_API_KEY)
.gadfly.yml per-repo specialist config (not a workflow — goes at your repo root)

Common to all:

  • Triggers: new/reopened/ready non-draft PR (auto), @gadfly review comment (allowed users), or manual workflow_dispatch with a pr_number.
  • GITEA_TOKEN is provided automatically; comments post as gitea-actions.
  • Tested backends are the Ollama ones; OpenAI/Anthropic/Google are wired via majordomo but untested. See the repo README for the full config reference and the honest tested/untested status.

Gitea note: repo vars/secrets are not auto-exposed as env — anything you reference via ${{ vars.X }} / ${{ secrets.X }} must appear in the step's env: block (already wired in these examples).