From 55356f9350e97adc8ce1ae1dc9dccf7ac8492bc5 Mon Sep 17 00:00:00 2001
From: M B
Date: Sun, 15 Feb 2026 00:55:20 +0000
Subject: [PATCH 1/2] Add centralized manual review workflow wrappers
---
 .github/workflows/claude-review-manual.yml | 32 +++++++++++++
 .github/workflows/opencode-review-manual.yml | 50 ++++++++++++++++++++
 2 files changed, 82 insertions(+)
 create mode 100644 .github/workflows/claude-review-manual.yml
 create mode 100644 .github/workflows/opencode-review-manual.yml
diff --git a/.github/workflows/claude-review-manual.yml b/.github/workflows/claude-review-manual.yml
new file mode 100644
index 0000000..d3afd0c
--- /dev/null
+++ b/.github/workflows/claude-review-manual.yml
@@ -0,0 +1,32 @@
+name: Claude Manual PR Review
+
+on:
+ workflow_dispatch:
+ inputs:
+ pr_number:
+ description: Pull request number to review
+ required: true
+ type: number
+ force_review:
+ description: Run review even when the PR is below default size thresholds
+ required: false
+ default: false
+ type: boolean
+
+permissions: {}
+
+jobs:
+ claude-review:
+ uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@main
+ secrets: inherit
+ with:
+ pr_number: ${{ inputs.pr_number }}
+ force_review: ${{ inputs.force_review }}
+ allowed_actors: ${{ vars.ALLOWED_ACTORS }}
+ azure_client_id: ${{ vars.AZURE_CLIENT_ID }}
+ azure_tenant_id: ${{ vars.AZURE_TENANT_ID }}
+ azure_subscription_id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+ azure_key_vault_name: ${{ vars.AZURE_KEYVAULT_NAME || vars.AZURE_KEY_VAULT_NAME }}
+ claude_secret_name: ${{ vars.CLAUDE_TOKEN_SECRET_NAME || 'token-cicd' }}
+ min_changed_files: 5
+ min_total_changes: 20
diff --git a/.github/workflows/opencode-review-manual.yml b/.github/workflows/opencode-review-manual.yml
new file mode 100644
index 0000000..52e332c
--- /dev/null
+++ b/.github/workflows/opencode-review-manual.yml
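Review bot: The workflow-level `permissions: {}` leaves the `claude-review` job with no GITHUB_TOKEN scopes, and a called reusable workflow can only narrow what the caller grants, never widen it; if reusable-claude-review.yml signs in to Azure by OIDC (the azure_client_id/azure_tenant_id/azure_subscription_id inputs suggest so) it needs `id-token: write`, and posting a review through GITHUB_TOKEN needs `pull-requests: write`, neither of which it can obtain on its own. Keep the empty top-level block and grant the minimum on the job instead, directly under `claude-review:`: `permissions:` / `id-token: write` / `pull-requests: write`, adjusted to whatever the reusable workflow actually declares. The same applies to the `opencode-review` job in the opencode-review-manual.yml hunk. Separately, `allowed_actors: ${{ vars.ALLOWED_ACTORS }}` expands to an empty string when the repository variable is unset, unlike the `||` fallbacks used for the key-vault and secret names, so a comment on that line stating whether an empty list means deny-all in the reusable workflow would save the next reader a trip to the central repository.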
@@ -0,0 +1,50 @@
+name: OpenCode Manual PR Review
+
+on:
+ workflow_dispatch:
+ inputs:
+ pr_number:
+ description: Pull request number to review
+ required: true
+ type: number
+ model:
+ description: Single OpenCode model in provider/model format (used when models is empty)
+ required: false
+ default: zai-coding-plan/glm-4.7
+ type: string
+ models:
+ description: Optional comma or newline separated model list (overrides model)
+ required: false
+ default: ""
+ type: string
+ max_parallel:
+ description: Maximum parallel model reviews
+ required: true
+ default: 1
+ type: number
+ force_review:
+ description: Run review even when the PR is below default size thresholds
+ required: false
+ default: false
+ type: boolean
+
+permissions: {}
+
+jobs:
+ opencode-review:
+ uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-opencode-review.yml@main
+ secrets: inherit
+ with:
+ pr_number: ${{ inputs.pr_number }}
+ force_review: ${{ inputs.force_review }}
+ model: ${{ inputs.model }}
+ models: ${{ inputs.models }}
+ max_parallel: ${{ inputs.max_parallel }}
+ allowed_actors: ${{ vars.ALLOWED_ACTORS }}
+ azure_client_id: ${{ vars.AZURE_CLIENT_ID }}
+ azure_tenant_id: ${{ vars.AZURE_TENANT_ID }}
+ azure_subscription_id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
+ azure_key_vault_name: ${{ vars.AZURE_KEYVAULT_NAME || vars.AZURE_KEY_VAULT_NAME }}
+ zhipu_secret_name: ${{ vars.OPENCODE_ZHIPU_API_KEY_SECRET_NAME || 'zhipu-api-key' }}
+ min_changed_files: 5
+ min_total_changes: 20
From 4288fe45e760de7bbba904c03e7f44ecbe9cf561 Mon Sep 17 00:00:00 2001
From: M B
Date: Sun, 15 Feb 2026 00:56:43 +0000
Subject: [PATCH 2/2] Pin central reusable workflow refs by SHA
---
 .github/workflows/claude-review-manual.yml | 3 +--
 .github/workflows/opencode-review-manual.yml | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/claude-review-manual.yml b/.github/workflows/claude-review-manual.yml
index d3afd0c..11bfc09 100644
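Review bot: The `max_parallel` input is dispatcher-controlled with no upper bound, and `models` is a free-form list, so a single dispatch can fan out as many concurrent model reviews as the list holds, each presumably drawing on the zhipu key fetched from Key Vault; unless reusable-opencode-review.yml clamps the value, state the cap in the input description, e.g. `description: Maximum parallel model reviews (capped by the reusable workflow)`, or validate it there. The default model `zai-coding-plan/glm-4.7` is hard-coded in this wrapper while the key-vault and secret names fall back from `vars.*`; a `vars.` fallback for the model would keep the wrapper consistent with the rest of the `with:` block, but that is a style choice.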
--- a/.github/workflows/claude-review-manual.yml
+++ b/.github/workflows/claude-review-manual.yml
@@ -17,8 +17,7 @@ permissions: {}
 jobs:
 claude-review:
- uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@main
- secrets: inherit
+ uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
 with:
 pr_number: ${{ inputs.pr_number }}
 force_review: ${{ inputs.force_review }}
diff --git a/.github/workflows/opencode-review-manual.yml b/.github/workflows/opencode-review-manual.yml
index 52e332c..aad74ff 100644
--- a/.github/workflows/opencode-review-manual.yml
+++ b/.github/workflows/opencode-review-manual.yml
@@ -32,8 +32,7 @@ permissions: {}
 jobs:
 opencode-review:
- uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-opencode-review.yml@main
- secrets: inherit
+ uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-opencode-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed
 with:
 pr_number: ${{ inputs.pr_number }}
 force_review: ${{ inputs.force_review }}
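Review bot: Removing `secrets: inherit` is a behavior change that the commit subject ("Pin central reusable workflow refs by SHA") does not mention; after this hunk the central workflow receives no repository or organization secrets, so any Azure sign-in it performs must be OIDC-based and depends on `id-token: write` being granted by this caller, which the commit message should say and which deserves a comment above the `uses:` line. The pinned ref `55070d1bc124fbe46d9a8edbc8d536826d4e15ed` carries no annotation; the convention that keeps SHA pins reviewable and lets update tooling track them is a trailing comment naming the tag or date it resolves to, e.g. `uses: codingworkflow/codingworkflow-security-policies/.github/workflows/reusable-claude-review.yml@55070d1bc124fbe46d9a8edbc8d536826d4e15ed # <tag-or-date>`. Both points apply equally to the opencode-review-manual.yml hunk below. The `jobs:` mapping and the `with:` block continue outside both hunks.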