ci: track gadfly's v1 release tag instead of a pinned sha (#7)
This commit was merged in pull request #7.
This commit is contained in:
@@ -38,9 +38,10 @@ jobs:
|
||||
&& (github.actor == 'steve'
|
||||
|| github.actor == 'fizi'
|
||||
|| github.actor == 'dazed'))
|
||||
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
|
||||
# silently change the code that runs with our forwarded secrets.
|
||||
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
|
||||
# Tracks gadfly's v1 release tag — a curated pointer re-moved on each release
|
||||
# (unlike @main, which moves on every push). Central swarm tuning propagates
|
||||
# here automatically; the tradeoff vs a full sha pin is that v1 is mutable.
|
||||
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1
|
||||
# Least privilege: forward only the review secrets (not `secrets: inherit`,
|
||||
# which would expose every repo secret). GITEA_TOKEN is the automatic token.
|
||||
secrets:
|
||||
|
||||
Reference in New Issue
Block a user