ci: track gadfly's v1 release tag instead of a pinned sha #7

Merged
steve merged 1 commits from ci/gadfly-v1 into main 2026-06-28 04:08:34 +00:00
+4 -3
View File
@@ -38,9 +38,10 @@ jobs:
&& (github.actor == 'steve' && (github.actor == 'steve'
|| github.actor == 'fizi' || github.actor == 'fizi'
|| github.actor == 'dazed')) || github.actor == 'dazed'))
# Pinned to an immutable gadfly commit (not @main): a push to gadfly can't # Tracks gadfly's v1 release tag — a curated pointer re-moved on each release
# silently change the code that runs with our forwarded secrets. # (unlike @main, which moves on every push). Central swarm tuning propagates
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@b02b11d69139843665da4cdbf776bc0b3583490d # here automatically; the tradeoff vs a full sha pin is that v1 is mutable.
uses: steve/gadfly/.gitea/workflows/review-reusable.yml@v1
# Least privilege: forward only the review secrets (not `secrets: inherit`, # Least privilege: forward only the review secrets (not `secrets: inherit`,
# which would expose every repo secret). GITEA_TOKEN is the automatic token. # which would expose every repo secret). GITEA_TOKEN is the automatic token.
secrets: secrets: