ci: track gadfly's v1 release tag instead of a pinned sha
Adversarial Review (Gadfly) / review (pull_request) Successful in 2m48s
CI / Tidy (pull_request) Successful in 9m25s
CI / Build & Test (pull_request) Successful in 9m44s

Switch uses: steve/gadfly/.gitea/workflows/review-reusable.yml from a sha pin
(@b02b11d) to the moving @v1 release tag, so central swarm tuning propagates
without re-pinning this file each time. Tradeoff: v1 is mutable (re-moved on
deliberate releases), vs a sha which is immutable — accepted to cut re-pin churn.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Steve Dudenhoeffer
2026-06-28 00:04:36 -04:00
parent 78a1d1c3bb
commit cfa6469d38
+4 -3
@@ -38,9 +38,10 @@ jobs:
&& (github.actor == 'steve'
|| github.actor == 'fizi'
|| github.actor == 'dazed'))
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
# silently change the code that runs with our forwarded secrets.
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
# Tracks gadfly's v1 release tag — a curated pointer re-moved on each release
# (unlike @main, which moves on every push). Central swarm tuning propagates
# here automatically; the tradeoff vs a full sha pin is that v1 is mutable.
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1
# Least privilege: forward only the review secrets (not `secrets: inherit`,
# which would expose every repo secret). GITEA_TOKEN is the automatic token.
secrets:
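Review bot: The `uses:` line now resolves `@v1` at run time while the `secrets:` block right below it still forwards the review secrets, so anyone who can move the v1 tag in steve/gadfly can change the code that runs with those secrets. The removed comment named exactly this risk ("a push to gadfly can't silently change the code that runs with our forwarded secrets"), and the new comment reduces it to "v1 is mutable". Consider keeping the full sha and recording the release beside it, as in `review-reusable.yml@<full-sha> # v1`, with a scheduled job or bot opening the bump PR, so the re-pin churn is automated but each change to the trusted code is still reviewed here. If the tag reference stays, the comment should say that the forwarded secrets are trusted to whatever v1 points at, and the ability to create or move `v1` in gadfly should be restricted (for example with a protected tag) and documented.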