f06fe5ef72
The swarm (reviewing the mort/executus rollout PRs) correctly flagged that `secrets: inherit` forwards EVERY caller secret to the reusable review workflow — registry/deploy/db creds the reviewer never touches. Fix: - review-reusable.yml: declare workflow_call.secrets (all optional) so a caller can forward only what the reviewer needs. - adversarial-review.yml (gadfly's own caller) + examples/reusable.yml: replace `secrets: inherit` with an explicit forward of just OLLAMA_CLOUD_API_KEY / CLAUDE_CODE_OAUTH_TOKEN / findings tokens. GITEA_TOKEN stays automatic. - Docs (README, examples) updated; also advise pinning consumers to an immutable @<sha> instead of @main (supply-chain, the other finding). gadfly's own review on this PR exercises the explicit-secrets path (local reusable ref) — validating it on the act_runner before mort/executus adopt it. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
63 lines
2.7 KiB
YAML
63 lines
2.7 KiB
YAML
# Gadfly — SLIM consumer stub via the reusable workflow.
|
|
# Copy to .gitea/workflows/adversarial-review.yml in your repo.
|
|
#
|
|
# This is the shortest way to subscribe: it calls Gadfly's centralized reusable
|
|
# workflow, which holds the image pin + all the env plumbing. You only declare
|
|
# the triggers, the comment-trigger actor gate, and any overrides you want.
|
|
#
|
|
# Needs: secret OLLAMA_CLOUD_API_KEY (the default Ollama Cloud provider).
|
|
# Forward ONLY the secrets the reviewer uses (least privilege) — see the
|
|
# `secrets:` block below. GITEA_TOKEN is automatic. `secrets: inherit` also works
|
|
# but hands the reusable EVERY secret in your repo (registry/deploy/db creds the
|
|
# review never touches), so prefer the explicit form. Pin @<sha> to an immutable
|
|
# Gadfly commit (not @main) so a push there can't change what runs with your
|
|
# secrets.
|
|
#
|
|
# Prefer this when you're happy with the defaults. For custom named endpoints
|
|
# (GADFLY_ENDPOINT_<NAME>) or a provider the reusable doesn't map, use the full
|
|
# stub in adversarial-review.yml instead.
|
|
|
|
name: Adversarial Review (Gadfly)
|
|
|
|
on:
|
|
pull_request:
|
|
types: [opened, reopened, ready_for_review]
|
|
issue_comment:
|
|
types: [created]
|
|
workflow_dispatch:
|
|
inputs:
|
|
pr_number: { description: "PR number to review", required: true }
|
|
|
|
permissions:
|
|
contents: read
|
|
issues: write
|
|
pull-requests: write
|
|
|
|
concurrency:
|
|
group: gadfly-${{ github.event.issue.number || github.event.pull_request.number || github.event.inputs.pr_number }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
review:
|
|
# Only let your maintainers re-trigger via a PR comment (keep in sync with
|
|
# the allowed_users override below).
|
|
if: >-
|
|
github.event_name != 'issue_comment'
|
|
|| (github.event.issue.pull_request && github.actor == 'your-username')
|
|
# Pin @<sha> to an immutable Gadfly commit (replace @main below) so a push to
|
|
# gadfly can't silently change the code that runs with your forwarded secrets.
|
|
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@main
|
|
# Forward ONLY what the reviewer needs. Add provider keys you use
|
|
# (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, GADFLY_API_KEY) and/or
|
|
# GADFLY_ENDPOINT_M1/M5; drop the findings ones if you don't run telemetry.
|
|
secrets:
|
|
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
|
# CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
# GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
|
|
# GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
|
|
with:
|
|
# All optional — omit to take Gadfly's defaults. Examples:
|
|
# models: "qwen3-coder:480b-cloud,gpt-oss:120b-cloud"
|
|
# specialists: "security,correctness,error-handling"
|
|
allowed_users: "your-username"
|