Files
gadfly/examples/README.md
T
Steve Dudenhoeffer f06fe5ef72
Adversarial Review (Gadfly) / review (pull_request) Failing after 2s
Build & push image / build-and-push (pull_request) Successful in 6s
security: scope reusable-workflow secrets (least privilege) over secrets: inherit
The swarm (reviewing the mort/executus rollout PRs) correctly flagged that
`secrets: inherit` forwards EVERY caller secret to the reusable review
workflow — registry/deploy/db creds the reviewer never touches. Fix:

- review-reusable.yml: declare workflow_call.secrets (all optional) so a
  caller can forward only what the reviewer needs.
- adversarial-review.yml (gadfly's own caller) + examples/reusable.yml:
  replace `secrets: inherit` with an explicit forward of just
  OLLAMA_CLOUD_API_KEY / CLAUDE_CODE_OAUTH_TOKEN / findings tokens.
  GITEA_TOKEN stays automatic.
- Docs (README, examples) updated; also advise pinning consumers to an
  immutable @<sha> instead of @main (supply-chain, the other finding).

gadfly's own review on this PR exercises the explicit-secrets path (local
reusable ref) — validating it on the act_runner before mort/executus adopt it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 20:45:18 -04:00

28 lines
2.2 KiB
Markdown

# Example consumer workflows
Each file here is a complete, copy-paste **stub workflow**. Pick the one that matches your
setup, copy it to `.gitea/workflows/adversarial-review.yml` in the repo you want reviewed, and
set the secrets/vars it references. Gadfly is advisory only — it never blocks a merge.
| File | Backend | Needs |
|------|---------|-------|
| [`reusable.yml`](reusable.yml) | **slimmest stub** — calls Gadfly's reusable workflow, forwarding only the secrets the reviewer needs (least privilege, not `secrets: inherit`); take the defaults or override a few inputs | secret `OLLAMA_CLOUD_API_KEY` |
| [`adversarial-review.yml`](adversarial-review.yml) | **Ollama Cloud** (default) + inline notes for every provider; full self-contained stub | secret `OLLAMA_CLOUD_API_KEY` |
| [`local-ollama.yml`](local-ollama.yml) | a **local/LAN Ollama** daemon | nothing (or `GADFLY_BASE_URL` for a remote host) |
| [`openai-compatible.yml`](openai-compatible.yml) | any **OpenAI-compatible** endpoint (local Ollama `/v1`, gateway, vLLM, OpenRouter…) | `GADFLY_BASE_URL` (+ a key for most gateways) |
| [`endpoint-aliases.yml`](endpoint-aliases.yml) | **several named backends** at once (one comment each) | repo vars `GADFLY_ENDPOINT_<NAME>` |
| [`claude-code.yml`](claude-code.yml) | the bundled **Claude Code CLI** engine (`claude-code/<model>`) | secret `CLAUDE_CODE_OAUTH_TOKEN` (or `ANTHROPIC_API_KEY`) |
| [`.gadfly.yml`](.gadfly.yml) | **per-repo specialist config** (not a workflow — goes at your repo root) | — |
Common to all:
- **Triggers:** new/reopened/ready non-draft PR (auto), `@gadfly review` comment (allowed users),
or manual `workflow_dispatch` with a `pr_number`.
- `GITEA_TOKEN` is provided automatically; comments post as `gitea-actions`.
- Tested backends are the **Ollama** ones; OpenAI/Anthropic/Google are wired via majordomo but
untested. See the repo [README](../README.md#models--providers) for the full config reference
and the honest tested/untested status.
> **Gitea note:** repo `vars`/`secrets` are not auto-exposed as env — anything you reference
> via `${{ vars.X }}` / `${{ secrets.X }}` must appear in the step's `env:` block (already wired
> in these examples).