|
|
@@ -1,8 +1,8 @@
|
|
|
|
# Gadfly adversarial review — subscribes to steve/gadfly's reusable workflow and
|
|
|
|
# Gadfly adversarial review — subscribes to steve/gadfly's reusable workflow and
|
|
|
|
# INHERITS its default swarm (3 cloud models + Claude Code sonnet/opus/opus:max,
|
|
|
|
# INHERITS its default swarm. This stub holds only the triggers, the actor gate,
|
|
|
|
# 5-lens suite). This stub holds only the triggers, the actor gate, secret
|
|
|
|
# secret forwarding, and the allow-list; the swarm config (models, lenses,
|
|
|
|
# forwarding, and the allow-list; the swarm config lives centrally in gadfly's
|
|
|
|
# concurrency, timeouts) lives centrally in gadfly's review-reusable.yml so it is
|
|
|
|
# review-reusable.yml. Advisory only — never blocks a merge.
|
|
|
|
# tuned in ONE place. Advisory only — never blocks a merge.
|
|
|
|
|
|
|
|
|
|
|
|
name: Adversarial Review (Gadfly)
|
|
|
|
name: Adversarial Review (Gadfly)
|
|
|
|
|
|
|
|
|
|
|
@@ -29,8 +29,9 @@ concurrency:
|
|
|
|
jobs:
|
|
|
|
jobs:
|
|
|
|
review:
|
|
|
|
review:
|
|
|
|
# Security: only trusted users may trigger a secret-bearing run via a PR
|
|
|
|
# Security: only trusted users may trigger a secret-bearing run via a PR
|
|
|
|
# comment (pull_request + workflow_dispatch are already trusted). Mirrors
|
|
|
|
# comment (pull_request + workflow_dispatch are already trusted). Mirrors the
|
|
|
|
# the allowed_users input below (the in-container belt-and-suspenders check).
|
|
|
|
# allowed_users input below (the in-container belt-and-suspenders check) — both
|
|
|
|
|
|
|
|
# lists must stay in sync; a workflow if: can't read a workflow_call input.
|
|
|
|
if: >-
|
|
|
|
if: >-
|
|
|
|
github.event_name != 'issue_comment'
|
|
|
|
github.event_name != 'issue_comment'
|
|
|
|
|| (github.event.issue.pull_request
|
|
|
|
|| (github.event.issue.pull_request
|
|
|
@@ -40,13 +41,13 @@ jobs:
|
|
|
|
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
|
|
|
|
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't
|
|
|
|
# silently change the code that runs with our forwarded secrets.
|
|
|
|
# silently change the code that runs with our forwarded secrets.
|
|
|
|
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
|
|
|
|
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d
|
|
|
|
# Least privilege: forward ONLY the secrets the swarm uses (GITEA_TOKEN is auto).
|
|
|
|
# Least privilege: forward only the review secrets (not `secrets: inherit`,
|
|
|
|
|
|
|
|
# which would expose every repo secret). GITEA_TOKEN is the automatic token.
|
|
|
|
secrets:
|
|
|
|
secrets:
|
|
|
|
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
|
|
|
OLLAMA_CLOUD_API_KEY: ${{ secrets.OLLAMA_CLOUD_API_KEY }}
|
|
|
|
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
|
|
CLAUDE_CODE_OAUTH_TOKEN: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
|
|
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
|
|
|
|
GADFLY_FINDINGS_URL: ${{ secrets.GADFLY_FINDINGS_URL }}
|
|
|
|
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
|
|
|
|
GADFLY_FINDINGS_TOKEN: ${{ secrets.GADFLY_FINDINGS_TOKEN }}
|
|
|
|
with:
|
|
|
|
with:
|
|
|
|
# Inherit the default swarm from gadfly's review-reusable.yml; only the
|
|
|
|
# Consumer-specific allow-list; everything else is inherited.
|
|
|
|
# consumer-specific allow-list is set here.
|
|
|
|
|
|
|
|
allowed_users: "steve,fizi,dazed"
|
|
|
|
allowed_users: "steve,fizi,dazed"
|
|
|
|