Skip to content

Enable Factory Droid automated code review#164

Closed
EffortlessSteven wants to merge 2 commits into
mainfrom
add-factory-workflows-20260504024339
Closed

Enable Factory Droid automated code review#164
EffortlessSteven wants to merge 2 commits into
mainfrom
add-factory-workflows-20260504024339

Conversation

@EffortlessSteven

Copy link
Copy Markdown
Member

This PR adds Factory Droid automated code review workflows.

  • droid.yml: Responds to @droid mentions
  • droid-review.yml: Automatic code review on new PRs

Generate a key at https://app.factory.ai/settings/api-keys
Docs: https://docs.factory.ai

@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@coderabbitai

coderabbitai Bot commented May 4, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@EffortlessSteven has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 37 minutes and 2 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c63c15ef-a3c1-46b4-8216-8f5d17fb435c

📥 Commits

Reviewing files that changed from the base of the PR and between 72270fd and d331187.

📒 Files selected for processing (2)
  • .github/workflows/droid-review.yml
  • .github/workflows/droid.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch add-factory-workflows-20260504024339

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
Review rate limit: 0/1 reviews remaining, refill in 37 minutes and 2 seconds.

Comment @coderabbitai help to get the list of available commands and usage tips.

@factory-droid

factory-droid Bot commented May 4, 2026

Copy link
Copy Markdown

Droid encountered an error —— View job


Droid is reviewing code and running a security check…

@factory-droid

factory-droid Bot commented May 4, 2026

Copy link
Copy Markdown

Droid encountered an error —— View job


@codecov

codecov Bot commented May 4, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@EffortlessSteven

Copy link
Copy Markdown
Member Author

Superseded by #172, which replaces this PR with the BYOK-safe Factory Droid template: MiniMax M2.7 via Droid BYOK, SHA-pinned safe action, same-repo guard, trusted-actor manual @droid, scheduled security scan, and repair-queue review guidance.

Background: the Droid jobs on this PR failed on 2026-05-04 with Error: FACTORY_API_KEY is required to run Droid Exec — the GitHub App was installed (OIDC handshake succeeded) but the secret was missing. The replacement also adds same-repo + trusted-actor guards, pinned action SHAs, debug-artifact suppression, and Shipper-specific review guidance.

Leaving open for now; will close on merge of #172.

EffortlessSteven added a commit that referenced this pull request May 11, 2026
Replaces the prior Factory Droid setup (#164) that was failing on every
run because FACTORY_API_KEY was missing and the workflows used
Factory-AI/droid-action@main with no same-repo guard, no trusted-actor
guard, and no debug-artifact controls.

The new rollout follows the BYOK-safe template documented in the
Factory Droid rollout spec:

Workflows
- .github/workflows/droid-review.yml — automatic same-repo PR review on
  opened/synchronize/ready_for_review/reopened. Same-repo guard. Draft
  PRs reviewable. [skip-review] title opt-out. cancel-in-progress: false.
- .github/workflows/droid.yml — manual @droid for OWNER/MEMBER/
  COLLABORATOR. Same-repo guard on the pull_request branch.
- .github/workflows/droid-security-scan.yml — scheduled (Mon 08:00 UTC)
  and workflow_dispatch. 7-day window, medium threshold, critical
  blocking, high non-blocking.

All three workflows
- MiniMax M2.7 via Factory Droid BYOK. Runtime settings written to
  $HOME/.factory/settings.local.json via single-quoted heredoc so
  ${MINIMAX_API_KEY} stays literal in the file.
- review_model and security_model: custom:MiniMax-M2.7-0.
- review_depth: shallow on review/tag paths.
- show_full_output: false.
- upload_debug_artifacts: false.
- actions/checkout@93cb6ef # v5.
- EffortlessMetrics/droid-action-safe@7c1377c.
- No pull_request_target. No raw debug artifacts. No
  ANTHROPIC_AUTH_TOKEN / ANTHROPIC_BASE_URL.

Review guidance
- .factory/skills/review-guidelines/SKILL.md — Shipper product contract,
  required context, [P0|P1|P2] finding format, no-naked-LGTM record,
  evidence provenance (Observed / Reported / Not verified), notification
  hygiene.
- .factory/rules/droid-review.md — compact rules, Shipper priority
  surfaces (registry correctness, reconciliation, resume/idempotency,
  events/state/receipt coherence, token redaction, release workflow).
- docs/agent-context/review-invariants.md — durable product, CI, and
  Droid-workflow invariants.
- docs/agent-context/droid-smoke-tests.md — post-merge verification
  procedure.
- AGENTS.md — adds an "Automated review" section linking the four files.

Prerequisites
- FACTORY_API_KEY and MINIMAX_API_KEY must be available to this repo
  (org-scoped or repo-scoped) before merge.
- Factory Droid GitHub App is already installed (OIDC handshake
  succeeded on the prior #164 run; only the API key was missing).

Static validation
- YAML parse passed for all three workflows.
- No Factory-AI/droid-action reference.
- No pull_request_target.
- Safe Droid action SHA + checkout SHA pinned in all three workflows.
- upload_debug_artifacts: false and show_full_output: false in all
  three workflows.
- Same-repo guard present on auto-review and on the pull_request branch
  of the manual workflow.
- Trusted-actor (OWNER/MEMBER/COLLABORATOR) guard on every event branch
  of the manual workflow.
- cancel-in-progress: false on review and security-scan.
- Quoted heredoc with literal ${MINIMAX_API_KEY} in all three workflows.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant