ci(droid): replace #164 with BYOK-safe Factory Droid rollout #172

Merged: EffortlessSteven merged 1 commit into main from ci/droid-byok-minimax-rollout-20260511 on May 11, 2026

@EffortlessSteven (Member)

Summary

Replaces #164 with a BYOK-safe Factory Droid rollout. #164's workflows used Factory-AI/droid-action@main with mutable refs, no same-repo guard, no trusted-actor guard, and no debug-artifact controls — and were not running anyway because FACTORY_API_KEY was missing (droid-review failed with Error: FACTORY_API_KEY is required to run Droid Exec).

This PR replaces that setup with the BYOK-safe template:

  • Three workflows — automatic same-repo review, manual @droid, scheduled security scan.
  • MiniMax M2.7 via Factory Droid BYOK, configured at job time via $HOME/.factory/settings.local.json with a single-quoted heredoc so ${MINIMAX_API_KEY} stays literal in the file.
  • Pinned action SHAs: EffortlessMetrics/droid-action-safe@7c1377ccbacddc95560d1570547a5baa51de01ec and actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.
  • Safety posture: same-repo guard on auto-review and on the manual pull_request branch; trusted-actor guard (OWNER/MEMBER/COLLABORATOR) on every event branch of the manual workflow; show_full_output: false; upload_debug_artifacts: false; no pull_request_target; no raw debug artifacts.
  • Review guidance: .factory/skills/review-guidelines/SKILL.md, .factory/rules/droid-review.md, docs/agent-context/review-invariants.md, docs/agent-context/droid-smoke-tests.md, plus an AGENTS.md section. Treats Droid output as a repair queue for follow-up agents, not a human approval signal. No naked LGTM, [P0|P1|P2] finding format, Observed:/Reported:/Not verified: provenance, no @mentions.

This PR will close #164 on merge.

Required repo/org secrets

This workflow requires:

  • FACTORY_API_KEY
  • MINIMAX_API_KEY

Both must be available to this repository before merge. Repo-scoped or selected-org secrets both work.

Status check: repo-scoped gh secret list shows only CODECOV_TOKEN. The user has confirmed both Droid secrets are stored at the org level, scoped to selected repos. Confirm Shipper is on the selected-repos list before marking this PR ready.

Safety posture

  • Fork PRs are intentionally skipped for secrets-backed Droid review (same-repo guard on droid-review.yml and on the pull_request branch of droid.yml).
  • Draft PRs are intentionally reviewable (no draft == false filter).
  • [skip-review] in the PR title opts out of automatic review.
  • @droid review and @droid security require OWNER, MEMBER, or COLLABORATOR author association.
  • show_full_output: false controls Droid log verbosity.
  • upload_debug_artifacts: false prevents raw Droid debug artifact upload.
  • cancel-in-progress: false on auto-review and security-scan so active runs are not interrupted by new pushes.
  • Droid review comments are repair queues for follow-up agents, not empty approval signals.

Validation

Static validation completed:

  • git diff --check passes.
  • YAML parse passes for all three Droid workflows.
  • No Factory-AI/droid-action reference in the new workflows.
  • No pull_request_target reference.
  • Safe Droid action SHA pinned in all three workflows.
  • actions/checkout pinned to SHA in all three workflows.
  • upload_debug_artifacts: false present in all three workflows.
  • show_full_output: false present in all three workflows.
  • Same-repo guard present on droid-review.yml and on the pull_request branch of droid.yml.
  • Trusted-actor guard (OWNER/MEMBER/COLLABORATOR) present on every event branch of droid.yml.
  • cancel-in-progress: false on droid-review.yml and droid-security-scan.yml.
  • Quoted heredoc (<<'JSON') with literal ${MINIMAX_API_KEY} in all three workflows.

Live smoke planned after merge (see docs/agent-context/droid-smoke-tests.md):

  • same-repo draft PR auto review;
  • @droid review from a trusted actor;
  • @droid security from a trusted actor;
  • manual Droid Security Scan via workflow_dispatch;
  • artifact and log hygiene inspection (no droid-review-debug-<run_id> artifact, no expanded MINIMAX_API_KEY in logs).

Test plan

  • Confirm FACTORY_API_KEY and MINIMAX_API_KEY are visible to this repo (repo-scoped or selected-org).
  • Mark PR ready for review.
  • Confirm Droid Auto Review runs on this PR and produces a repair-queue-format review (or a no-naked-LGTM inspection record).
  • Open a follow-up trivial PR and confirm [skip-review] opt-out works.
  • Comment @droid review as a trusted actor; confirm it triggers and produces structured findings.
  • Comment @droid security as a trusted actor; confirm it produces security findings without unrelated edits.
  • Manually dispatch Droid Security Scan; confirm 7-day window, medium threshold, critical blocking, high non-blocking, no raw debug artifact.
  • Inspect logs for any leaked MINIMAX_API_KEY or Authorization: Bearer ... lines.
  • Close Enable Factory Droid automated code review #164 (the prior PR being replaced).

Replaces the prior Factory Droid setup (#164) that was failing on every
run because FACTORY_API_KEY was missing and the workflows used
Factory-AI/droid-action@main with no same-repo guard, no trusted-actor
guard, and no debug-artifact controls.

The new rollout follows the BYOK-safe template documented in the
Factory Droid rollout spec:

Workflows
- .github/workflows/droid-review.yml — automatic same-repo PR review on
  opened/synchronize/ready_for_review/reopened. Same-repo guard. Draft
  PRs reviewable. [skip-review] title opt-out. cancel-in-progress: false.
- .github/workflows/droid.yml — manual @droid for OWNER/MEMBER/
  COLLABORATOR. Same-repo guard on the pull_request branch.
- .github/workflows/droid-security-scan.yml — scheduled (Mon 08:00 UTC)
  and workflow_dispatch. 7-day window, medium threshold, critical
  blocking, high non-blocking.

All three workflows
- MiniMax M2.7 via Factory Droid BYOK. Runtime settings written to
  $HOME/.factory/settings.local.json via single-quoted heredoc so
  ${MINIMAX_API_KEY} stays literal in the file.
- review_model and security_model: custom:MiniMax-M2.7-0.
- review_depth: shallow on review/tag paths.
- show_full_output: false.
- upload_debug_artifacts: false.
- actions/checkout@93cb6ef # v5.
- EffortlessMetrics/droid-action-safe@7c1377c.
- No pull_request_target. No raw debug artifacts. No
  ANTHROPIC_AUTH_TOKEN / ANTHROPIC_BASE_URL.

Review guidance
- .factory/skills/review-guidelines/SKILL.md — Shipper product contract,
  required context, [P0|P1|P2] finding format, no-naked-LGTM record,
  evidence provenance (Observed / Reported / Not verified), notification
  hygiene.
- .factory/rules/droid-review.md — compact rules, Shipper priority
  surfaces (registry correctness, reconciliation, resume/idempotency,
  events/state/receipt coherence, token redaction, release workflow).
- docs/agent-context/review-invariants.md — durable product, CI, and
  Droid-workflow invariants.
- docs/agent-context/droid-smoke-tests.md — post-merge verification
  procedure.
- AGENTS.md — adds an "Automated review" section linking the four files.

Prerequisites
- FACTORY_API_KEY and MINIMAX_API_KEY must be available to this repo
  (org-scoped or repo-scoped) before merge.
- Factory Droid GitHub App is already installed (OIDC handshake
  succeeded on the prior #164 run; only the API key was missing).

Static validation
- YAML parse passed for all three workflows.
- No Factory-AI/droid-action reference.
- No pull_request_target.
- Safe Droid action SHA + checkout SHA pinned in all three workflows.
- upload_debug_artifacts: false and show_full_output: false in all
  three workflows.
- Same-repo guard present on auto-review and on the pull_request branch
  of the manual workflow.
- Trusted-actor (OWNER/MEMBER/COLLABORATOR) guard on every event branch
  of the manual workflow.
- cancel-in-progress: false on review and security-scan.
- Quoted heredoc with literal ${MINIMAX_API_KEY} in all three workflows.
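
The static checks listed in this PR description can be scripted. The following is an added example, not code from the PR or the repository: a POSIX shell linter run over a constructed workflow. The function names and the `placeholder_field` JSON key are assumptions made for illustration; only the action inputs and pinned SHAs come from the page.

```shell
# Added example: static checks modelled on the PR's "Static validation" list.
# Prints one FAIL line per violation; returns 1 if any were found.
lint_workflow() {
  file=$1; bad=0
  # pull_request_target would run this secrets-backed job for fork PRs.
  if grep -Eq '^[[:space:]]*pull_request_target[[:space:]]*:' "$file"; then
    echo "FAIL: pull_request_target trigger"; bad=1
  fi
  # Every remote `uses:` ref must be a full 40-hex commit SHA.
  refs=$(sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$file")
  for ref in $refs; do
    case $ref in
      ./*) ;;  # local action, nothing to pin
      *) printf '%s\n' "${ref##*@}" | grep -Eq '^[0-9a-f]{40}$' ||
           { echo "FAIL: mutable ref $ref"; bad=1; } ;;
    esac
  done
  # Both output controls must be explicitly false.
  for key in show_full_output upload_debug_artifacts; do
    grep -Eq "^[[:space:]]*$key:[[:space:]]*false[[:space:]]*\$" "$file" ||
      { echo "FAIL: $key is not false"; bad=1; }
  done
  # An unquoted heredoc lets the shell expand ${MINIMAX_API_KEY} into the file.
  if grep -Eq '<<-?[A-Za-z_]' "$file"; then
    echo "FAIL: unquoted heredoc"; bad=1
  fi
  return "$bad"
}

# Constructed sample, not the project's workflow; the JSON field is a placeholder.
good_workflow() {
  cat <<'YAML'
on:
  pull_request:
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
      - run: |
          cat > "$HOME/.factory/settings.local.json" <<'JSON'
          {"placeholder_field": "${MINIMAX_API_KEY}"}
          JSON
      - uses: EffortlessMetrics/droid-action-safe@7c1377ccbacddc95560d1570547a5baa51de01ec
        with:
          show_full_output: false
          upload_debug_artifacts: false
YAML
}

# The same file with four controls weakened, to show what the linter reports.
bad_workflow() {
  good_workflow | sed -e 's/^  pull_request:/  pull_request_target:/' \
    -e "s/<<'JSON'/<<JSON/" -e 's/@7c1377c[0-9a-f]*/@main/' \
    -e 's/upload_debug_artifacts: false/upload_debug_artifacts: true/'
}

tmp=$(mktemp -d); good_workflow > "$tmp/good.yml"; bad_workflow > "$tmp/bad.yml"
lint_workflow "$tmp/good.yml" && echo "good.yml: clean"
lint_workflow "$tmp/bad.yml" || echo "bad.yml: rejected"
```
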
@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@factory-droid

factory-droid Bot commented May 11, 2026

Droid finished @EffortlessSteven's task


Droid Review — Validation complete

Review summary: Clean review — no actionable findings. Inspected all three Droid workflow YAMLs, heredoc quoting in all three Configure MiniMax steps, permissions blocks, same-repo and trusted-actor guards on all event branches, cancel-in-progress settings, security_scan_schedule parameters, AGENTS.md additions, review-invariants.md Droid workflow invariants section, droid-smoke-tests.md. Heredoc uses single-quoted <<'JSON' so ${MINIMAX_API_KEY} remains literal; action SHAs are immutable; upload_debug_artifacts and show_full_output are false throughout; model is custom:MiniMax-M2.7-0 everywhere. No violations of review-invariants.md or droid-review.md rules.

Validation result: status: approved — no comments emitted.

Reviewed by: validator agent
Validated: 2026-05-11T12:00:00Z

@factory-droid

factory-droid Bot commented May 11, 2026

Droid finished @EffortlessSteven's task


Droid Review — Phase 2 Validation Complete

PR #172 ci/droid-byok-minimax-rollout-20260511

Outcome: Approved — No actionable findings

Inspected surfaces

  • .github/workflows/droid-review.yml — auto-review workflow (BYOK heredoc, same-repo guard, cancel-in-progress, debug-artifact/output controls)
  • .github/workflows/droid.yml — manual @droid workflow (trusted-actor guard on all event branches)
  • .github/workflows/droid-security-scan.yml — scheduled security scan (7-day window, medium threshold, critical-blocking)
  • .factory/skills/review-guidelines/SKILL.md — new Droid review skill
  • .factory/rules/droid-review.md — new Droid review rules
  • docs/agent-context/review-invariants.md — Droid workflow invariants
  • docs/agent-context/droid-smoke-tests.md — smoke-test procedures
  • AGENTS.md — added Droid review section

Checks performed

  • Pinned action SHAs: droid-action-safe@7c1377c, checkout@93cb6ef (both immutable)
  • BYOK heredoc: single-quoted <<'JSON' keeps ${MINIMAX_API_KEY} literal in settings.local.json
  • Same-repo guard on auto-review and pull_request branch of manual workflow
  • Trusted-actor guard (OWNER/MEMBER/COLLABORATOR) on every event branch of manual workflow
  • show_full_output: false and upload_debug_artifacts: false on all Droid action steps
  • cancel-in-progress: false on auto-review and security-scan
  • Scheduled scan: security_scan_schedule: true, security_scan_days: 7, security_severity_threshold: medium, security_block_on_critical: true, security_block_on_high: false
  • No pull_request_target, no Factory-AI/droid-action, no raw debug artifact upload

Why no comments

No Rust source code was changed. All workflow files satisfy the safety and security posture defined in docs/agent-context/review-invariants.md. The BYOK heredoc is correctly single-quoted. Action SHAs are immutable. Guards are in place on all applicable branches. No regressions introduced.

Residual risk

Registry-side publish ambiguity remains; this PR does not address Reconcile. Live smoke-test of the Droid workflows is planned post-merge per droid-smoke-tests.md.

Validation signal

  • Observed: diff inspected in full; all workflow YAML parses valid; heredoc quoting confirmed; action SHA immutability confirmed.
  • Reported: PR description states FACTORY_API_KEY and MINIMAX_API_KEY are org-scoped secrets.
  • Not verified: live Droid workflow execution (planned post-merge per smoke-test doc).
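
The heredoc quoting confirmed in the review above, and the log-hygiene item in the PR's smoke plan, shown at runtime. This is an added example, not part of the PR or of any bot's output; the key value, the `placeholder_field` JSON key, the function names and the log lines are all constructed for illustration.

```shell
# Added example: what each heredoc form writes to disk, plus a hygiene scan.
# The key is a constructed dummy; the JSON field name is a placeholder.
MINIMAX_API_KEY='dummy-key-0000-not-a-real-secret'

write_settings() {  # $1 = quoted|unquoted, $2 = output path
  if [ "$1" = quoted ]; then
    # Quoted delimiter: the shell performs no expansion in the body.
    cat > "$2" <<'JSON'
{"placeholder_field": "${MINIMAX_API_KEY}"}
JSON
  else
    # Unquoted delimiter: the shell substitutes the key before writing.
    cat > "$2" <<JSON
{"placeholder_field": "${MINIMAX_API_KEY}"}
JSON
  fi
}

# Returns 0 if the file contains the expanded key or a bearer-token header.
leaks_secret() {
  grep -Fq -- "$MINIMAX_API_KEY" "$1" && return 0
  grep -Eiq 'Authorization:[[:space:]]*Bearer[[:space:]]+[^[:space:]]' "$1"
}

# Constructed log lines standing in for a downloaded run log.
sample_log() {
  cat <<'LOG'
Configure MiniMax: wrote settings.local.json
request header Authorization: Bearer abc123-constructed-token
LOG
}

dir=$(mktemp -d)
write_settings quoted "$dir/quoted.json"
write_settings unquoted "$dir/unquoted.json"
sample_log > "$dir/run.log"
for f in quoted.json unquoted.json run.log; do
  if leaks_secret "$dir/$f"; then echo "$f: LEAK"; else echo "$f: clean"; fi
done
```
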

@coderabbitai

coderabbitai Bot commented May 11, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 564de6cd-cf81-4d80-bd4a-9e4771acd8c3

📥 Commits

Reviewing files that changed from the base of the PR and between e5ff917 and 9ae2564.

📒 Files selected for processing (8)
  • .factory/rules/droid-review.md
  • .factory/skills/review-guidelines/SKILL.md
  • .github/workflows/droid-review.yml
  • .github/workflows/droid-security-scan.yml
  • .github/workflows/droid.yml
  • AGENTS.md
  • docs/agent-context/droid-smoke-tests.md
  • docs/agent-context/review-invariants.md

Summary by CodeRabbit

Release Notes

  • New Features

    • Automated review system now analyzes pull requests in real-time, providing structured feedback on code changes
    • Scheduled security scanning now runs automatically and supports on-demand execution for repository assessment
  • Documentation

    • Comprehensive documentation added for automated review workflows, testing procedures, quality standards, and baseline invariants

Walkthrough

This PR enables Factory Droid automated code review by introducing three GitHub Actions workflows (automatic PR review, manual @droid trigger, scheduled security scanning), backed by structured review rules/guidelines, MiniMax BYOK model configuration, and comprehensive validation documentation including smoke tests and durable review invariants.

Changes

Factory Droid Automated Review System

| Layer / File(s) | Summary |
|---|---|
| Review Rules & Guidelines: .factory/rules/droid-review.md, .factory/skills/review-guidelines/SKILL.md | Defines structured Droid review output format (P0–P2 priority, evidence provenance labels, validation commands), mandates "no naked LGTM" with inspection record fallback, specifies notification hygiene (no @mentions, neutral references), and lists shipper-specific review focus surfaces in priority order. |
| Automatic PR Review Workflow: .github/workflows/droid-review.yml | New workflow triggering on PR open/sync/reopen for same-repo PRs without [skip-review] in title. Configures MiniMax BYOK API credentials, prevents concurrency, and invokes droid-action-safe for automatic review and security scoring. |
| Manual @droid Trigger Workflow: .github/workflows/droid.yml | New workflow responding to @droid mentions in PR comments, issue events, and review submissions. Gated by trusted-actor author association (OWNER/MEMBER/COLLABORATOR) and same-repo PR constraint, with shallow review depth and custom model wiring. |
| Scheduled Security Scan Workflow: .github/workflows/droid-security-scan.yml | New workflow for manual dispatch and Monday 08:00 UTC cron-triggered security scans. Configures 7-day history window, medium severity threshold, blocks on critical findings, and disables debug artifacts and full output logging. |
| Validation & Integration Documentation: AGENTS.md, docs/agent-context/droid-smoke-tests.md, docs/agent-context/review-invariants.md | Documents the Droid automated review role, prerequisite API keys, and five smoke-test scenarios (automatic review, manual review, manual security review, full scan, artifact hygiene). Specifies durable review invariants for product behavior, CI gates, Droid workflow configuration, output formatting, and out-of-scope changes. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The PR is primarily documentation and workflow configuration with consistent patterns across three similar GitHub Actions workflows. Moderate complexity stems from the need to verify BYOK credential handling, event trigger guards (author association, repo origin, @droid mention parsing), and alignment between workflow configuration invariants and smoke-test validation steps.

🐰 Factory Droid's here to stay,
Reviews your code day after day,
With P0 findings, never bare,
No LGTM—just thoughtful care!
Repair-queue ready, fix your way! 🔧

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title 'ci(droid): replace #164 with BYOK-safe Factory Droid rollout' accurately summarizes the main change—replacing the prior Factory Droid setup with a BYOK-safe rollout using MiniMax M2.7. |
| Description check | ✅ Passed | The PR description comprehensively details the changes, objectives, safety measures, validation steps, and test plan—directly addressing the Factory Droid rollout and its relationship to issue #164. |
| Linked Issues check | ✅ Passed | The PR fully addresses issue #164's objectives: adds droid.yml for @droid mentions, droid-review.yml for automatic review, configures BYOK setup with MiniMax M2.7, and integrates automated review into repository workflows. |
| Out of Scope Changes check | ✅ Passed | All changes directly relate to implementing Factory Droid workflows and supporting documentation. No unrelated modifications to production code, dependencies, or unrelated features are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


EffortlessSteven marked this pull request as ready for review May 11, 2026 12:31
EffortlessSteven merged commit aa7391f into main May 11, 2026
20 checks passed
@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

EffortlessSteven deleted the ci/droid-byok-minimax-rollout-20260511 branch May 11, 2026 12:31
@factory-droid

factory-droid Bot commented May 11, 2026

Droid encountered an error

Failed to checkout PR #172 branch for review

Droid is reviewing code and running a security check…

EffortlessSteven added a commit that referenced this pull request May 11, 2026
The droid-action-safe action rejects non-human actors by default with:
  Workflow initiated by non-human actor: dependabot (type: Bot).
  Add bot to allowed_bots list or use '*' to allow all bots.

This caused every Dependabot rebase to report a failed `droid-review`
check — informational but noisy and confusing in the PR check list.

Add `allowed_bots: dependabot[bot]` so Dependabot dependency-bump PRs
receive Droid Auto Review. The list is narrow on purpose; do not change
to `'*'`. Adding additional bots requires an explicit follow-up PR.

Discovered when running the BYOK setup against #160 (assert_cmd 2.2.0
→ 2.2.1) — the first real Dependabot PR after the workflows landed in
#172.