ci(gemini): pin model to gemini-2.5-flash for routine review duty #3
```yaml
name: Gemini PR Review
# Thin caller of the Gemini reusable in HarperFast/ai-review-prompts.
# Runs in parallel with claude-review.yml so the two reviewers can be
# compared on the same PRs.
#
# Layer inputs and `repo-specific-checks:` MIRROR claude-review.yml
# in this repo. Output comparability between the two providers
# depends on them seeing the same review scope — keep them in sync
# when bumping the pin or editing the checks block.
#
# Pre-requisites:
#   - HARPERFAST_AI_CLIENT_ID        (org-level App Client ID)
#   - HARPERFAST_AI_APP_PRIVATE_KEY  (org-level App private key)
#   - GEMINI_API_KEY                 (per-repo; optional — missing
#                                     key cleanly skips the review
#                                     with a workflow notice)
#   - AI_REVIEW_LOG_TOKEN            (optional — threads each run
#                                     into a per-(PR, provider) issue
#                                     in HarperFast/ai-review-log
#                                     with `provider:gemini` label)
on:
  pull_request:
    types: [opened, synchronize, reopened]
concurrency:
  # Different group key from claude-review so the two providers can
  # run in parallel on the same PR. cancel-in-progress is per-group,
  # so a synchronize push cancels the in-flight Gemini run without
  # touching the Claude run (and vice versa).
  group: gemini-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true
jobs:
  review:
    uses: HarperFast/ai-review-prompts/.github/workflows/_gemini-review.yml@9471cd8026bbbf6b0eb2a75143071c533811c52e # main 2026-05-12 (post #22 — Gemini reusable + shared provider scripts + auth-gate validator generalization)
    with:
      # Same SHA as the `uses:` ref above. See claude-review.yml
      # in this repo for why the duplication is unavoidable
      # (reusable workflows can't introspect their own ref in
      # workflow_call context).
      ai-review-prompts-ref: 9471cd8026bbbf6b0eb2a75143071c533811c52e
      # Match Claude's tier (Sonnet) — Flash is Gemini's mid-tier
      # peer. The reusable's current default is `gemini-2.5-pro`
      # (flagship), which is the tier mismatch we want to avoid for
      # routine review duty. Once the reusable's default flips to
      # Flash this override becomes redundant.
      model: gemini-2.5-flash
      review-layers: |
        universal
        harper/common
        harper/v5
        repo-type/plugin
      repo-specific-checks: |
        ## Repo-specific checks (OAuth plugin)
        On top of the layered scope above, these are OAuth-only
        semantics not covered by the shared layers:
        - CSRF state tokens present on every OAuth flow; 10-minute
          expiry is enforced; state is single-use
        - Redirect URI validation on callback endpoints
        - Provider-of-record enforcement (cross-provider CSRF
          protection should redirect with error, not 403)
        - Session field preservation across token refresh
          (`provider`, `providerConfigId`, `providerType`)
        - Path length validation (≤ 2048 chars) where user input
          can reach a path
    secrets:
      GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
      AI_REVIEW_LOG_TOKEN: ${{ secrets.AI_REVIEW_LOG_TOKEN }}
      HARPERFAST_AI_CLIENT_ID: ${{ secrets.HARPERFAST_AI_CLIENT_ID }}
      HARPERFAST_AI_APP_PRIVATE_KEY: ${{ secrets.HARPERFAST_AI_APP_PRIVATE_KEY }}
```
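The workflow comments state three invariants that nothing enforces automatically: the `uses:` SHA must equal `ai-review-prompts-ref`, the ref should stay a full commit SHA rather than a mutable branch, and the layer scope must match claude-review.yml. The script below is an added example (not part of HarperFast's repo) that checks those invariants with plain regexes over the workflow text; the embedded YAML is a trimmed excerpt of the file above and the `sibling` argument is a hypothetical second caller workflow.

```python
import re

# Constructed excerpt of the gemini-review.yml shown above (only the keys the
# checker reads); the SHA and model are the ones the page pins.
GEMINI_REVIEW_YML = """\
jobs:
  review:
    uses: HarperFast/ai-review-prompts/.github/workflows/_gemini-review.yml@9471cd8026bbbf6b0eb2a75143071c533811c52e # main 2026-05-12
    with:
      ai-review-prompts-ref: 9471cd8026bbbf6b0eb2a75143071c533811c52e
      model: gemini-2.5-flash
      review-layers: |
        universal
        harper/common
        harper/v5
        repo-type/plugin
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")  # immutable pin, not a tag or branch

def extract_pins(text):
    """Return the uses: ref, the ai-review-prompts-ref value and the model pin."""
    uses = re.search(r"^\s*uses:\s*\S+?@(\S+)", text, re.M)
    ref = re.search(r"^\s*ai-review-prompts-ref:\s*(\S+)", text, re.M)
    model = re.search(r"^\s*model:\s*(\S+)", text, re.M)
    return {
        "uses_ref": uses.group(1) if uses else None,
        "prompts_ref": ref.group(1) if ref else None,
        "model": model.group(1) if model else None,
    }

def extract_layers(text):
    """Return the review-layers block scalar as a list of layer names."""
    m = re.search(r"^(\s*)review-layers:\s*\|[^\n]*\n((?:\1 +\S[^\n]*\n?)+)", text, re.M)
    return [ln.strip() for ln in m.group(2).splitlines()] if m else []

def audit(text, sibling=None):
    """Findings for one caller workflow; `sibling` (hypothetical) is the
    claude-review.yml text to compare layer scope against."""
    pins = extract_pins(text)
    findings = []
    if pins["uses_ref"] != pins["prompts_ref"]:
        findings.append("uses ref and ai-review-prompts-ref differ")
    if not (pins["uses_ref"] and FULL_SHA.match(pins["uses_ref"])):
        findings.append("uses ref is not a full commit SHA (mutable tag or branch)")
    if pins["model"] is None:
        findings.append("model not pinned; reusable default applies")
    if sibling is not None and extract_layers(text) != extract_layers(sibling):
        findings.append("review-layers differ from sibling workflow")
    return findings
```

Running `audit` on both caller workflows in CI (or as a pre-commit hook) turns the "keep them in sync" comment into a failing check whenever one pin or layer list is bumped without the other.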