fix(workflows): standardize model/api-base-url params for custom LLM

.github/workflows/agent.yml

@@ -40,7 +40,7 @@ concurrency:
 
 jobs:
   agent:
-    uses: YiAgent/OpenCI/.github/workflows/reusable/agent.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/agent.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       task: ${{ inputs.task }}
       prompt: ${{ inputs.prompt }}

.github/workflows/ci.yml

@@ -22,7 +22,7 @@ concurrency:
 
 jobs:
   ci:
-    uses: YiAgent/OpenCI/.github/workflows/reusable/ci.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/ci.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       openci-ref:      ${{ github.sha }}
       registry:        ghcr.io

.github/workflows/dependencies.yml

@@ -15,6 +15,6 @@ concurrency:
 
 jobs:
   deps:
-    uses: YiAgent/OpenCI/.github/workflows/reusable/deps.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/deps.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       runner: blacksmith-32vcpu-ubuntu-2404

.github/workflows/deploy.yml

@@ -33,7 +33,7 @@ jobs:
         && github.event.workflow_run.name == 'ci'
         && github.event.workflow_run.conclusion == 'success')
       || (github.event_name == 'workflow_dispatch' && inputs.mode == 'stg')
-    uses: YiAgent/OpenCI/.github/workflows/reusable/stg.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/stg.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       app-name:            ${{ vars.APP_NAME || github.event.repository.name }}
       image-name:          ${{ vars.IMAGE_NAME || github.event.repository.name }}
@@ -54,7 +54,7 @@ jobs:
         && github.event.workflow_run.name == 'release'
         && github.event.workflow_run.conclusion == 'success')
       || (github.event_name == 'workflow_dispatch' && inputs.mode == 'prd')
-    uses: YiAgent/OpenCI/.github/workflows/reusable/prd.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/prd.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       app-name:            ${{ vars.APP_NAME || github.event.repository.name }}
       image-name:          ${{ vars.IMAGE_NAME || github.event.repository.name }}

.github/workflows/docs.yml

@@ -22,13 +22,14 @@ concurrency:
 
 jobs:
   docs:
-    uses: YiAgent/OpenCI/.github/workflows/reusable/docs.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/docs.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       build-cmd:    ${{ vars.DOCS_BUILD_CMD || '' }}
       docs-path:    ${{ vars.DOCS_DIR || 'docs' }}
       site-dir:     ${{ vars.DOCS_SITE_DIR || 'site' }}
       enable-agent: true
       runner:       blacksmith-32vcpu-ubuntu-2404
+      model:        ${{ vars.AI_MODEL || '' }}
     secrets:
       anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
       api-base-url:      ${{ secrets.ANTHROPIC_BASE_URL }}

.github/workflows/issue-ops.yml

@@ -17,6 +17,11 @@ on:
         type: choice
         default: lifecycle
         options: [lifecycle, maintenance, ingest]
+      model:
+        required: false
+        type: string
+        default: ""
+        description: "AI model override (e.g. glm-4-flash). Leave empty to use vars.AI_MODEL or the reusable default."
 
 permissions:
   contents: write
@@ -32,55 +37,59 @@ concurrency:
 jobs:
   lifecycle:
     if: github.event_name == 'issues' || github.event_name == 'issue_comment'
-    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode: lifecycle
       runner: blacksmith-32vcpu-ubuntu-2404
+      model: ${{ vars.AI_MODEL || '' }}
     secrets:
       anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
-      api-base-url: ${{ secrets.API_BASE_URL }}
+      api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }}
       sentry-token: ${{ secrets.SENTRY_TOKEN }}
       linear-token: ${{ secrets.LINEAR_TOKEN }}
       slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
       mcp-dispatch-token: ${{ secrets.MCP_DISPATCH_TOKEN }}
 
   ingest:
     if: github.event_name == 'repository_dispatch'
-    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode: ingest
       runner: blacksmith-32vcpu-ubuntu-2404
+      model: ${{ vars.AI_MODEL || '' }}
     secrets:
       anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
-      api-base-url: ${{ secrets.API_BASE_URL }}
+      api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }}
       sentry-token: ${{ secrets.SENTRY_TOKEN }}
       linear-token: ${{ secrets.LINEAR_TOKEN }}
       slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
       mcp-dispatch-token: ${{ secrets.MCP_DISPATCH_TOKEN }}
 
   maintenance:
     if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.mode == 'maintenance')
-    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode: maintenance
       runner: blacksmith-32vcpu-ubuntu-2404
+      model: ${{ vars.AI_MODEL || '' }}
     secrets:
       anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
-      api-base-url: ${{ secrets.API_BASE_URL }}
+      api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }}
       sentry-token: ${{ secrets.SENTRY_TOKEN }}
       linear-token: ${{ secrets.LINEAR_TOKEN }}
       slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
       mcp-dispatch-token: ${{ secrets.MCP_DISPATCH_TOKEN }}
 
   manual:
     if: github.event_name == 'workflow_dispatch' && inputs.mode != 'maintenance'
-    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/issue.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode: ${{ inputs.mode }}
       runner: blacksmith-32vcpu-ubuntu-2404
+      model: ${{ inputs.model || vars.AI_MODEL || '' }}
     secrets:
       anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
-      api-base-url: ${{ secrets.API_BASE_URL }}
+      api-base-url: ${{ secrets.ANTHROPIC_BASE_URL }}
       sentry-token: ${{ secrets.SENTRY_TOKEN }}
       linear-token: ${{ secrets.LINEAR_TOKEN }}
       slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/observability.yml

@@ -30,15 +30,15 @@ concurrency:
 jobs:
   observe-canary:
     if: ${{ github.event_name == 'schedule' && github.event.schedule == '*/15 * * * *' }}
-    uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode:   canary-watch
       runner: blacksmith-32vcpu-ubuntu-2404
     secrets: inherit
 
   observe-drift:
     if: ${{ github.event_name == 'schedule' && github.event.schedule == '0 4 * * *' }}
-    uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode:      terraform-drift
       infra-dir: ${{ vars.INFRA_DIR || 'infrastructure' }}
@@ -50,7 +50,7 @@ jobs:
       (github.event_name == 'workflow_run' && github.event.workflow_run.conclusion == 'success')
       || github.event_name == 'repository_dispatch'
       || (github.event_name == 'workflow_dispatch' && inputs.mode == 'verify-fix')
-    uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/observability.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode:   verify-fix
       runner: blacksmith-32vcpu-ubuntu-2404

.github/workflows/on-maintenance.yml

@@ -115,7 +115,7 @@ jobs:
     if: |
       !contains(fromJSON('["pr-review","flag-audit"]'),
         needs.resolve-mode.outputs.mode)
-    uses: YiAgent/OpenCI/.github/workflows/reusable/maintenance.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/maintenance.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode:       ${{ needs.resolve-mode.outputs.mode }}
       openci-ref: ${{ needs.resolve-mode.outputs.openci-ref }}

.github/workflows/pull-request.yml

@@ -28,9 +28,12 @@ concurrency:
 
 jobs:
   checks:
-    uses: YiAgent/OpenCI/.github/workflows/reusable/pr.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/pr.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       enable-ai-review: true
       enable-eval:      true
       runner:           blacksmith-32vcpu-ubuntu-2404
-    secrets: inherit
+      model:            ${{ vars.AI_MODEL || ''  }}
+    secrets:
+      anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+      api-base-url:      ${{ secrets.ANTHROPIC_BASE_URL }}

.github/workflows/release.yml

@@ -23,7 +23,7 @@ concurrency:
 
 jobs:
   release:
-    uses: YiAgent/OpenCI/.github/workflows/reusable/release.yml@ebe8fca3260dce68d34d51b74703169e776bc72d
+    uses: YiAgent/OpenCI/.github/workflows/reusable/release.yml@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
     with:
       mode: ${{ inputs.mode || 'both' }}
       image-name: ${{ vars.IMAGE_NAME || github.event.repository.name }}

.github/workflows/reusable/ci.yml

@@ -127,7 +127,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Probe secrets
@@ -155,7 +155,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - id: detect
@@ -183,7 +183,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - id: build
@@ -212,7 +212,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - id: scan
@@ -235,7 +235,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v3.4.0
@@ -282,7 +282,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - uses: ./.openci/actions/ci/check-migration
@@ -305,7 +305,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - uses: ./.openci/actions/ci/eval-smoke
@@ -485,7 +485,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         with: { persist-credentials: false }
       - name: Resolve OpenCI ref and checkout
-        uses: YiAgent/OpenCI/actions/_common/resolve-openci@ebe8fca3260dce68d34d51b74703169e776bc72d
+        uses: YiAgent/OpenCI/actions/_common/resolve-openci@be43e4efd2f14f2a3da7d5264356a9e6774c8ef1
         with:
           openci-ref: ${{ inputs.openci-ref }}
       - name: Download ci-context artifact

.gitignore

@@ -39,4 +39,5 @@ gate-context/
 .history
 
 # act local testing
-.act.env
+.act.env*.yml-e
+*.yaml-e

manifest.yml

@@ -101,7 +101,7 @@ deps:
   softprops/action-gh-release:            "b4309332981a82ec1c5618f44dd2e27cc8bfbfda"  # v3.0.0
 
   # ── Self (OpenCI vendoring itself via remote action reference) ──────────
-  YiAgent/OpenCI:                         "ebe8fca3260dce68d34d51b74703169e776bc72d"  # resolve-openci bootstrap
+  YiAgent/OpenCI:                         "be43e4efd2f14f2a3da7d5264356a9e6774c8ef1"  # resolve-openci bootstrap
 
 # ─────────────────────────────────────────────────────────────────────────────
 # Reusable workflow catalog (consumed via `uses: YiAgent/OpenCI/.github/workflows/<id>.yml@<ref>`)

scripts/bump-self-sha.sh

@@ -95,15 +95,15 @@ if [ -z "$old_sha" ]; then
   die "YiAgent/OpenCI not found in manifest.yml .deps — add it manually first."
 fi
 
-sed -i'' -e "s|${old_sha}|${new_sha}|g" "$MANIFEST"
+perl -pi -e "s|\Q${old_sha}\E|${new_sha}|g" "$MANIFEST"
 info "Updated manifest.yml"
 
 # ── 5. Update all workflow files that reference the old SHA ──────────────────
 
 updated=0
 while IFS= read -r -d '' f; do
   if grep -q "$old_sha" "$f" 2>/dev/null; then
-    sed -i'' -e "s|${old_sha}|${new_sha}|g" "$f"
+    perl -pi -e "s|\Q${old_sha}\E|${new_sha}|g" "$f"
     info "Updated $f"
     updated=$((updated + 1))
   fi

tests/actions/on-pr-routing.bats

@@ -56,8 +56,8 @@ setup() {
   grep -q 'runner:.*blacksmith-32vcpu-ubuntu-2404' "$ENTRY"
 }
 
-@test "checks job inherits secrets" {
-  grep -q 'secrets: inherit' "$ENTRY"
+@test "checks job passes anthropic-api-key secret" {
+  grep -q 'anthropic-api-key:' "$ENTRY"
 }
 
 # ---------------------------------------------------------------------------