Files
gadfly/examples/endpoint-aliases.yml
T
Steve Dudenhoeffer a1e9d109e5
Build & push image / build-and-push (push) Successful in 5s
security: add job-level if-guard to example stubs (gate comment trigger by actor)
Per a Gadfly self-review finding (kimi-k2.7-code): an issue_comment can start a
secret-bearing run before the in-container allowed-users check. Add a workflow
if: that only lets trusted actors trigger via comment (PR/dispatch already
trusted); keep GADFLY_ALLOWED_USERS as the belt-and-suspenders layer. README
documents it + the default-branch caveat for comment triggers. (Docs/examples
only — paths-ignored, no image rebuild.)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
EOF
2026-06-25 21:49:23 -04:00

62 lines
2.6 KiB
YAML

# Gadfly with named ENDPOINT ALIASES — review with several backends at once,
# each posting its own comment. Copy to .gitea/workflows/adversarial-review.yml.
#
# GADFLY_ENDPOINT_<NAME>="<provider>|<base-url>[|<key>]" registers a provider you
# can then reference as "<name>/<model>" (NAME lowercases: BIGBOX -> bigbox).
# The base URL is used verbatim, so plaintext http LAN endpoints work.
#
# Gitea note: vars/secrets aren't auto-exposed as env, so map each alias here.
# Suggested repo vars:
# GADFLY_ENDPOINT_BIGBOX = ollama|http://192.168.1.50:11434
# GADFLY_ENDPOINT_GPU = openai|http://gpu.lan:8000/v1
name: Adversarial Review (Gadfly)
on:
pull_request:
types: [opened, reopened, ready_for_review]
issue_comment:
types: [created]
workflow_dispatch:
inputs:
pr_number: { description: "PR number to review", required: true }
permissions:
contents: read
issues: write
pull-requests: write
concurrency:
group: gadfly-${{ github.event.issue.number || github.event.pull_request.number || github.event.inputs.pr_number }}
cancel-in-progress: true
jobs:
review:
# Security: only trusted users may trigger a secret-bearing run via a PR
# comment (pull_request + workflow_dispatch are already trusted). Replace the
# username(s) below with your maintainers — keep them in sync with
# GADFLY_ALLOWED_USERS (the in-container belt-and-suspenders check).
if: >-
github.event_name != 'issue_comment'
|| github.actor == 'your-username'
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: docker://gitea.stevedudenhoeffer.com/steve/gadfly:latest
env:
GITEA_API: ${{ github.server_url }}/api/v1/repos/${{ github.repository }}
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
# --- named endpoints (mapped from repo vars) ---
GADFLY_ENDPOINT_BIGBOX: ${{ vars.GADFLY_ENDPOINT_BIGBOX }} # "ollama|http://192.168.1.50:11434"
GADFLY_ENDPOINT_GPU: ${{ vars.GADFLY_ENDPOINT_GPU }} # "openai|http://gpu.lan:8000/v1"
# one reviewer (one comment) per model, across the aliased endpoints:
GADFLY_MODELS: "bigbox/qwen2.5-coder:7b,gpu/llama3.1"
# --- event context (leave as-is) ---
EVENT_NAME: ${{ github.event_name }}
PR: ${{ github.event.pull_request.number || github.event.issue.number || github.event.inputs.pr_number }}
PR_BRANCH: ${{ github.head_ref }}
IS_DRAFT: ${{ github.event.pull_request.draft }}
COMMENT_BODY: ${{ github.event.comment.body }}
COMMENT_ID: ${{ github.event.comment.id }}
ACTOR: ${{ github.actor }}