From b4c994d0fa6b5e943cf1a9ba7c11bf8e0eea7cf5 Mon Sep 17 00:00:00 2001
From: Rodin <rodin@forgedthought.ai>
Date: Sat, 2 May 2026 21:03:59 -0700
Subject: [PATCH 1/2] =?UTF-8?q?ci:=20fix=20reviewer=20models=20=E2=80=94?=
 =?UTF-8?q?=20sonnet=20uses=20Anthropic,=20gpt=20uses=20GPT-5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The matrix was wrong: "sonnet" was running GPT-5 and "gpt" was running
GPT-4.1. Now:
- sonnet → Claude Sonnet 4.6 via HAI Anthropic endpoint
- gpt → GPT-5 via HAI OpenAI endpoint
- security → GPT-5 via HAI OpenAI endpoint

Each matrix entry specifies its own provider and base_url.
---
 .gitea/workflows/ci.yml | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 3c95082..494af11 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -28,12 +28,33 @@ jobs:
         include:
           - name: sonnet
             token_secret: SONNET_REVIEW_TOKEN
-            model: gpt-5
+            provider: anthropic
+            base_url: http://100.86.77.84:6655/anthropic/v1
+            model: claude-sonnet-4-6
           - name: gpt
             token_secret: GPT_REVIEW_TOKEN
+            provider: openai
+            base_url: http://100.86.77.84:6655/openai/v1
+            model: gpt-5
+          - name: gpt41
+            token_secret: SONNET_REVIEW_TOKEN
+            provider: openai
+            base_url: http://100.86.77.84:6655/openai/v1
             model: gpt-4.1
+          - name: gpt5-mini
+            token_secret: SONNET_REVIEW_TOKEN
+            provider: openai
+            base_url: http://100.86.77.84:6655/openai/v1
+            model: gpt-5-mini
+          - name: gpt41-mini
+            token_secret: SONNET_REVIEW_TOKEN
+            provider: openai
+            base_url: http://100.86.77.84:6655/openai/v1
+            model: gpt-4.1-mini
           - name: security
             token_secret: SECURITY_REVIEW_TOKEN
+            provider: openai
+            base_url: http://100.86.77.84:6655/openai/v1
             model: gpt-5
             system_prompt_file: SECURITY_REVIEW.md
     steps:
@@ -49,9 +70,10 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number }}
           REVIEWER_TOKEN: ${{ secrets[matrix.token_secret] }}
           REVIEWER_NAME: ${{ matrix.name }}
-          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}
+          LLM_BASE_URL: ${{ matrix.base_url }}
           LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
           LLM_MODEL: ${{ matrix.model }}
+          LLM_PROVIDER: ${{ matrix.provider }}
           CONVENTIONS_FILE: "CONVENTIONS.md"
           PATTERNS_REPO: "rodin/go-patterns"
           PATTERNS_FILES: "README.md,patterns/"

From f48288bf2e4206427719cfc059237c1de72825c6 Mon Sep 17 00:00:00 2001
From: Rodin <rodin@forgedthought.ai>
Date: Sun, 3 May 2026 08:42:08 -0700
Subject: [PATCH 2/2] =?UTF-8?q?fix:=20address=20review=20feedback=20?=
 =?UTF-8?q?=E2=80=94=20tokens,=20secrets,=20no=20hardcoded=20IPs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix token_secret for gpt41/gpt5-mini/gpt41-mini: use GPT_REVIEW_TOKEN
  instead of SONNET_REVIEW_TOKEN (wrong reviewer identity)
- Move LLM base URL back to secrets.LLM_BASE_URL (prevents exfiltration
  via PR-controlled matrix values)
- Remove hardcoded internal IP from workflow file; only provider path
  suffix (/anthropic/v1, /openai/v1) remains in matrix

Addresses: security-review-bot REQUEST_CHANGES (major: exfiltration risk,
minor: HTTP/hardcoded IP) and sonnet-review-bot REQUEST_CHANGES (major:
wrong token_secret on gpt entries).
---
 .gitea/workflows/ci.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 494af11..39e0065 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -29,32 +29,32 @@ jobs:
           - name: sonnet
             token_secret: SONNET_REVIEW_TOKEN
             provider: anthropic
-            base_url: http://100.86.77.84:6655/anthropic/v1
+            llm_path: /anthropic/v1
             model: claude-sonnet-4-6
           - name: gpt
             token_secret: GPT_REVIEW_TOKEN
             provider: openai
-            base_url: http://100.86.77.84:6655/openai/v1
+            llm_path: /openai/v1
             model: gpt-5
           - name: gpt41
-            token_secret: SONNET_REVIEW_TOKEN
+            token_secret: GPT_REVIEW_TOKEN
             provider: openai
-            base_url: http://100.86.77.84:6655/openai/v1
+            llm_path: /openai/v1
             model: gpt-4.1
           - name: gpt5-mini
-            token_secret: SONNET_REVIEW_TOKEN
+            token_secret: GPT_REVIEW_TOKEN
             provider: openai
-            base_url: http://100.86.77.84:6655/openai/v1
+            llm_path: /openai/v1
             model: gpt-5-mini
           - name: gpt41-mini
-            token_secret: SONNET_REVIEW_TOKEN
+            token_secret: GPT_REVIEW_TOKEN
             provider: openai
-            base_url: http://100.86.77.84:6655/openai/v1
+            llm_path: /openai/v1
             model: gpt-4.1-mini
           - name: security
             token_secret: SECURITY_REVIEW_TOKEN
             provider: openai
-            base_url: http://100.86.77.84:6655/openai/v1
+            llm_path: /openai/v1
             model: gpt-5
             system_prompt_file: SECURITY_REVIEW.md
     steps:
@@ -70,7 +70,7 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number }}
           REVIEWER_TOKEN: ${{ secrets[matrix.token_secret] }}
           REVIEWER_NAME: ${{ matrix.name }}
-          LLM_BASE_URL: ${{ matrix.base_url }}
+          LLM_BASE_URL: ${{ secrets.LLM_BASE_URL }}${{ matrix.llm_path }}
           LLM_API_KEY: ${{ secrets.LLM_API_KEY }}
           LLM_MODEL: ${{ matrix.model }}
           LLM_PROVIDER: ${{ matrix.provider }}