ci(gemini): pin model to gemini-2.5-flash for routine review duty #91
```yaml
name: Claude PR Review

# Thin caller of the reusable workflow in HarperFast/ai-review-prompts. The single
# `uses:` ref pin below controls everything that moves together — workflow
# logic, layer files, bash scripts, auth-gate behavior. Bumping the pin
# is the entire upgrade motion.
#
# Pre-requisites (org-level secrets, configured once on HarperFast):
#   - HARPERFAST_AI_CLIENT_ID (the App's Client ID, like Iv23li…)
#   - HARPERFAST_AI_APP_PRIVATE_KEY (.pem file contents)
#
# Plus the per-repo / inherited:
#   - ANTHROPIC_API_KEY (required)
#   - AI_REVIEW_LOG_TOKEN (optional — if set, threads each run
#     into a per-PR issue in HarperFast/ai-review-log)

on:
  pull_request:
    types: [opened, synchronize, reopened]

concurrency:
  group: claude-review-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  review:
    uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@3278ce4e63c5af33cd1db68602aad9580e60dce7 # main 2026-05-09 (post #20 — title format + areas-not-traced + dev/prod dep rule)
    with:
      # Same SHA as the `uses:` ref above. The reusable uses this to
      # check out HarperFast/ai-review-prompts (layer files + bash
      # scripts) at the same ref as the workflow logic itself — keeps
      # the upgrade motion atomic.
      #
      # The duplication is unavoidable: reusable workflows can't
      # introspect their own ref (`github.workflow_ref` resolves to the
      # CALLER's ref in `workflow_call` context), and `uses: …@<ref>`
      # is parsed literally so we can't interpolate a variable.
      ai-review-prompts-ref: 3278ce4e63c5af33cd1db68602aad9580e60dce7
      review-layers: |
        universal
        harper/common
        harper/v5
        repo-type/plugin
      repo-specific-checks: |
        ## Repo-specific checks (OAuth plugin)
        On top of the layered scope above, these are OAuth-only
        semantics not covered by the shared layers:
        - CSRF state tokens present on every OAuth flow; 10-minute
          expiry is enforced; state is single-use
        - Redirect URI validation on callback endpoints
        - Provider-of-record enforcement (cross-provider CSRF
          protection should redirect with error, not 403)
        - Session field preservation across token refresh
          (`provider`, `providerConfigId`, `providerType`)
        - Path length validation (≤ 2048 chars) where user input
          can reach a path
    secrets:
      ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
      AI_REVIEW_LOG_TOKEN: ${{ secrets.AI_REVIEW_LOG_TOKEN }}
      HARPERFAST_AI_CLIENT_ID: ${{ secrets.HARPERFAST_AI_CLIENT_ID }}
      HARPERFAST_AI_APP_PRIVATE_KEY: ${{ secrets.HARPERFAST_AI_APP_PRIVATE_KEY }}
```
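The comments above carry the whole supply-chain argument for this file: the `uses:` ref and the `ai-review-prompts-ref` input must be the same full commit SHA, because a branch or tag name (`@main`) is mutable and lets the upstream repo change what runs in this repo's CI, and two different SHAs would pull workflow logic and layer files from different commits. Nothing on the page enforces that, so here is a small pin-consistency check a caller repo could run as a lint step. This is an added example, not code from HarperFast or from ai-review-prompts; it assumes the reusable lives at `HarperFast/ai-review-prompts` as the page shows, and the three sample workflow fragments are constructed inline for the demonstration.

```python
"""Pin-consistency check for a thin caller of a reusable workflow.

Added example (not HarperFast code). It pulls the ref out of the
`uses:` line and the `ai-review-prompts-ref:` input of a caller
workflow and reports whether both are the same 40-hex commit SHA.
"""
import re
import sys

# Assumption: the reusable workflow lives in HarperFast/ai-review-prompts,
# as on the page; adjust the owner/repo for another upstream.
USES_RE = re.compile(r"^\s*uses:\s*HarperFast/ai-review-prompts/[^\s@]+@(\S+)", re.M)
REF_RE = re.compile(r"^\s*ai-review-prompts-ref:\s*(\S+)", re.M)
SHA40 = re.compile(r"^[0-9a-f]{40}$")


def extract_pins(workflow_text):
    """Return (uses_ref, input_ref); raise ValueError if either is absent."""
    m_uses = USES_RE.search(workflow_text)
    m_ref = REF_RE.search(workflow_text)
    if not m_uses or not m_ref:
        raise ValueError("caller does not pin both the uses: ref and ai-review-prompts-ref")
    return m_uses.group(1), m_ref.group(1)


def check_pins(workflow_text):
    """Return a list of problems; an empty list means the pin is consistent.

    Problems reported:
      - either ref is not a full 40-hex commit SHA (a branch or tag name is
        mutable, so upstream could swap the code this CI executes);
      - the two refs differ (workflow logic and layer files would come
        from different commits, breaking the atomic upgrade motion).
    It does not contact GitHub, so it cannot tell whether the SHA exists
    upstream; that is a separate check.
    """
    try:
        uses_ref, input_ref = extract_pins(workflow_text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for label, ref in (("uses:", uses_ref), ("ai-review-prompts-ref:", input_ref)):
        if not SHA40.match(ref):
            problems.append(f"{label} ref {ref!r} is not a full 40-hex commit SHA")
    if uses_ref != input_ref:
        problems.append(f"uses: ref {uses_ref} != ai-review-prompts-ref {input_ref}")
    return problems


# Constructed sample fragments (only the lines the check looks at).
SAMPLE_OK = """\
jobs:
  review:
    uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@3278ce4e63c5af33cd1db68602aad9580e60dce7 # main 2026-05-09
    with:
      ai-review-prompts-ref: 3278ce4e63c5af33cd1db68602aad9580e60dce7
"""
# Same shape, but the input SHA was bumped without the uses: ref (drift).
SAMPLE_DRIFT = SAMPLE_OK.replace(
    "ai-review-prompts-ref: 3278ce4e63c5af33cd1db68602aad9580e60dce7",
    "ai-review-prompts-ref: 0000000000000000000000000000000000000000",
)
# Same shape, but the uses: ref is a mutable branch name.
SAMPLE_MUTABLE = SAMPLE_OK.replace("@3278ce4e63c5af33cd1db68602aad9580e60dce7", "@main")


if __name__ == "__main__":
    # Usage: python check_pins.py .github/workflows/claude-review.yml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_OK
    found = check_pins(text)
    for problem in found:
        print("PIN CHECK:", problem)
    sys.exit(1 if found else 0)
```

Run it against the caller workflow in a pre-merge job and fail the build on a non-empty result; that turns the "same SHA as the `uses:` ref above" comment into something CI actually verifies. The trailing `# main 2026-05-09 …` comment on the `uses:` line stays purely informational, which is why the check ignores it.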