diff --git a/.github/workflows/claude-review.yml b/.github/workflows/claude-review.yml
index 1f9aa04..186f5ec 100644
--- a/.github/workflows/claude-review.yml
+++ b/.github/workflows/claude-review.yml
@@ -26,7 +26,7 @@ concurrency:
 jobs:
 review:
- uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@f22bf7dcb7d22d5de94c938daa9d790f2b5c776b # main 2026-05-18 (post #37 + #38 + #40 — calibration layer update + label-gated bot-PR review; gemini-review.yml pin intentionally NOT in lockstep here — Gemini reviewer has known issues being worked separately, no need to drag it along)
+ uses: HarperFast/ai-review-prompts/.github/workflows/_claude-review.yml@ea190091328bcee674c4739ccc97dda177ecf0c5 # main 2026-05-20 (post #41 — Gemini calibration promoted; both reviewers back in lockstep on the same ai-review-prompts SHA, no _claude-review.yml changes vs the prior pin)
 # Caller-side permissions, scoped at the calling-job level (NOT
 # workflow-level — that placement caps the reusable's per-job
 # grants below what they need and breaks the workflow at startup;
@@ -51,7 +51,7 @@ jobs:
 # introspect their own ref (`github.workflow_ref` resolves to the
 # CALLER's ref in `workflow_call` context), and `uses: …@`
 # is parsed literally so we can't interpolate a variable.
- ai-review-prompts-ref: f22bf7dcb7d22d5de94c938daa9d790f2b5c776b
+ ai-review-prompts-ref: ea190091328bcee674c4739ccc97dda177ecf0c5
 review-layers: |
 universal
 harper/common
diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml
index 936a315..b13d5b4 100644
--- a/.github/workflows/gemini-review.yml
+++ b/.github/workflows/gemini-review.yml
@@ -34,13 +34,29 @@ concurrency:
 jobs:
 review:
- uses: HarperFast/ai-review-prompts/.github/workflows/_gemini-review.yml@128656e40c87c0e1293c542a5500df4f68dbff85 # main 2026-05-12 (post #25 — workflow posts Gemini response, output-name fix, default model gemini-3-flash-preview)
+ uses: HarperFast/ai-review-prompts/.github/workflows/_gemini-review.yml@ea190091328bcee674c4739ccc97dda177ecf0c5 # main 2026-05-20 (post #41 — Gemini calibration from oauth#87 promoted; single-shot supersedes the MCP rewrite, prior-body continuity, marker-check robustness)
+ # Caller-side permissions, scoped at the calling-job level (NOT
+ # workflow-level — that placement caps the reusable's per-job
+ # grants below what they need and breaks the workflow at startup;
+ # see ai-review-prompts#39/#40 for the incident). Union of what
+ # the reusable's `authorize` (`contents: read`) and `review`
+ # (`contents: read + pull-requests: write + id-token: write`)
+ # jobs declare. GitHub's rule: caller's GITHUB_TOKEN permissions
+ # can only be DOWNGRADED (not elevated) by the called workflow,
+ # so the caller must grant at least the union the reusable needs.
+ # Mirrors claude-review.yml in this repo — surfaced as a finding
+ # by Gemini's own review on PR #88.
+ # Reference: https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations
+ permissions:
+ contents: read
+ pull-requests: write
+ id-token: write
 with:
 # Same SHA as the `uses:` ref above. See claude-review.yml
 # in this repo for why the duplication is unavoidable
 # (reusable workflows can't introspect their own ref in
 # workflow_call context).
- ai-review-prompts-ref: 128656e40c87c0e1293c542a5500df4f68dbff85
+ ai-review-prompts-ref: ea190091328bcee674c4739ccc97dda177ecf0c5
 review-layers: |
 universal
 harper/common
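Review bot: The new `permissions:` block is derived from the per-job grants of the reusable at the pinned SHA, but nothing ties the two together, so the next `uses:` bump can leave this union stale in either direction (too little breaks the run at startup, as the comment itself recounts; too much over-grants the called workflow). I'd add a line to the comment such as `# Re-derive this union from the reusable's job permissions on every uses: SHA bump.` The comment also does not say what the reusable's `review` job needs `id-token: write` for — it is the grant that lets the called workflow mint OIDC tokens — so naming the consumer there would let the next reader judge whether it is still required. The workflow's trigger is outside this hunk, so I can't tell whether it runs for fork PRs, where `pull-requests: write` is the grant to scrutinize most closely.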