ci(droid): replace #164 with BYOK-safe Factory Droid rollout #172
Replaces the prior Factory Droid setup (#164) that was failing on every run because FACTORY_API_KEY was missing and the workflows used Factory-AI/droid-action@main with no same-repo guard, no trusted-actor guard, and no debug-artifact controls.

The new rollout follows the BYOK-safe template documented in the Factory Droid rollout spec:

Workflows
- .github/workflows/droid-review.yml — automatic same-repo PR review on opened/synchronize/ready_for_review/reopened. Same-repo guard. Draft PRs reviewable. [skip-review] title opt-out. cancel-in-progress: false.
- .github/workflows/droid.yml — manual @droid for OWNER/MEMBER/COLLABORATOR. Same-repo guard on the pull_request branch.
- .github/workflows/droid-security-scan.yml — scheduled (Mon 08:00 UTC) and workflow_dispatch. 7-day window, medium threshold, critical blocking, high non-blocking.

All three workflows
- MiniMax M2.7 via Factory Droid BYOK. Runtime settings written to $HOME/.factory/settings.local.json via single-quoted heredoc so ${MINIMAX_API_KEY} stays literal in the file.
- review_model and security_model: custom:MiniMax-M2.7-0.
- review_depth: shallow on review/tag paths.
- show_full_output: false.
- upload_debug_artifacts: false.
- actions/checkout@93cb6ef # v5.
- EffortlessMetrics/droid-action-safe@7c1377c.
- No pull_request_target. No raw debug artifacts. No ANTHROPIC_AUTH_TOKEN / ANTHROPIC_BASE_URL.

Review guidance
- .factory/skills/review-guidelines/SKILL.md — Shipper product contract, required context, [P0|P1|P2] finding format, no-naked-LGTM record, evidence provenance (Observed / Reported / Not verified), notification hygiene.
- .factory/rules/droid-review.md — compact rules, Shipper priority surfaces (registry correctness, reconciliation, resume/idempotency, events/state/receipt coherence, token redaction, release workflow).
- docs/agent-context/review-invariants.md — durable product, CI, and Droid-workflow invariants.
- docs/agent-context/droid-smoke-tests.md — post-merge verification procedure.
- AGENTS.md — adds an "Automated review" section linking the four files.

Prerequisites
- FACTORY_API_KEY and MINIMAX_API_KEY must be available to this repo (org-scoped or repo-scoped) before merge.
- Factory Droid GitHub App is already installed (OIDC handshake succeeded on the prior #164 run; only the API key was missing).

Static validation
- YAML parse passed for all three workflows.
- No Factory-AI/droid-action reference.
- No pull_request_target.
- Safe Droid action SHA + checkout SHA pinned in all three workflows.
- upload_debug_artifacts: false and show_full_output: false in all three workflows.
- Same-repo guard present on auto-review and on the pull_request branch of the manual workflow.
- Trusted-actor (OWNER/MEMBER/COLLABORATOR) guard on every event branch of the manual workflow.
- cancel-in-progress: false on review and security-scan.
- Quoted heredoc with literal ${MINIMAX_API_KEY} in all three workflows.
Droid finished @EffortlessSteven's task

Droid Review — Validation complete

Review summary: Clean review — no actionable findings.

Inspected all three Droid workflow YAMLs, heredoc quoting in all three Configure MiniMax steps, permissions blocks, same-repo and trusted-actor guards on all event branches, cancel-in-progress settings, security_scan_schedule parameters, AGENTS.md additions, review-invariants.md Droid workflow invariants section, droid-smoke-tests.md.

Heredoc uses single-quoted

Validation result:

Reviewed by: validator agent
Droid finished @EffortlessSteven's task

Droid Review — Phase 2 Validation Complete

PR #172 — Outcome: Approved — No actionable findings

Inspected surfaces

Checks performed

Why no comments

No Rust source code was changed. All workflow files satisfy the safety and security posture defined in

Residual risk

Registry-side publish ambiguity remains; this PR does not address Reconcile. Live smoke-test of the Droid workflows is planned post-merge per

Validation signal
Walkthrough

This PR enables Factory Droid automated code review by introducing three GitHub Actions workflows (automatic PR review, manual

Changes

Factory Droid Automated Review System

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The PR is primarily documentation and workflow configuration with consistent patterns across three similar GitHub Actions workflows. Moderate complexity stems from the need to verify BYOK credential handling, event trigger guards (author association, repo origin,
Droid encountered an error

Droid is reviewing code and running a security check…
The droid-action-safe action rejects non-human actors by default with:

    Workflow initiated by non-human actor: dependabot (type: Bot). Add bot to allowed_bots list or use '*' to allow all bots.

This caused every Dependabot rebase to report a failed `droid-review` check — informational but noisy and confusing in the PR check list.

Add `allowed_bots: dependabot[bot]` so Dependabot dependency-bump PRs receive Droid Auto Review. The list is narrow on purpose; do not change to `'*'`. Adding additional bots requires an explicit follow-up PR.

Discovered when running the BYOK setup against #160 (assert_cmd 2.2.0 → 2.2.1) — the first real Dependabot PR after the workflows landed in #172.
Summary
Replaces #164 with a BYOK-safe Factory Droid rollout. #164's workflows used Factory-AI/droid-action@main with mutable refs, no same-repo guard, no trusted-actor guard, and no debug-artifact controls — and were not running anyway because FACTORY_API_KEY was missing (droid-review failed with Error: FACTORY_API_KEY is required to run Droid Exec).

This PR replaces that setup with the BYOK-safe template:

- @droid, scheduled security scan.
- $HOME/.factory/settings.local.json with a single-quoted heredoc so ${MINIMAX_API_KEY} stays literal in the file.
- EffortlessMetrics/droid-action-safe@7c1377ccbacddc95560d1570547a5baa51de01ec and actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.
- pull_request branch; trusted-actor guard (OWNER/MEMBER/COLLABORATOR) on every event branch of the manual workflow; show_full_output: false; upload_debug_artifacts: false; no pull_request_target; no raw debug artifacts.
- .factory/skills/review-guidelines/SKILL.md, .factory/rules/droid-review.md, docs/agent-context/review-invariants.md, docs/agent-context/droid-smoke-tests.md, plus an AGENTS.md section. Treats Droid output as a repair queue for follow-up agents, not a human approval signal. No naked LGTM, [P0|P1|P2] finding format, Observed: / Reported: / Not verified: provenance, no @mentions.

This PR will close #164 on merge.
Required repo/org secrets
This workflow requires:
- FACTORY_API_KEY
- MINIMAX_API_KEY

Both must be available to this repository before merge. Repo-scoped or selected-org secrets both work.

Status check: repo-scoped gh secret list shows only CODECOV_TOKEN. The user has confirmed both Droid secrets are stored at the org level, scoped to selected repos. Confirm Shipper is on the selected-repos list before marking this PR ready.

Safety posture
- droid-review.yml and on the pull_request branch of droid.yml).
- draft == false filter).
- [skip-review] in the PR title opts out of automatic review.
- @droid review and @droid security require OWNER, MEMBER, or COLLABORATOR author association.
- show_full_output: false controls Droid log verbosity.
- upload_debug_artifacts: false prevents raw Droid debug artifact upload.
- cancel-in-progress: false on auto-review and security-scan so active runs are not interrupted by new pushes.

Validation
Static validation completed:
- git diff --check passes.
- Factory-AI/droid-action reference in the new workflows.
- pull_request_target reference.
- actions/checkout pinned to SHA in all three workflows.
- upload_debug_artifacts: false present in all three workflows.
- show_full_output: false present in all three workflows.
- droid-review.yml and on the pull_request branch of droid.yml.
- OWNER/MEMBER/COLLABORATOR) present on every event branch of droid.yml.
- cancel-in-progress: false on droid-review.yml and droid-security-scan.yml.
- <<'JSON') with literal ${MINIMAX_API_KEY} in all three workflows.

Live smoke planned after merge (see docs/agent-context/droid-smoke-tests.md):

- @droid review from a trusted actor;
- @droid security from a trusted actor;
- Droid Security Scan via workflow_dispatch;
- droid-review-debug-<run_id> artifact, no expanded MINIMAX_API_KEY in logs).

Test plan
- FACTORY_API_KEY and MINIMAX_API_KEY are visible to this repo (repo-scoped or selected-org).
- Droid Auto Review runs on this PR and produces a repair-queue-format review (or a no-naked-LGTM inspection record).
- [skip-review] opt-out works.
- @droid review as a trusted actor; confirm it triggers and produces structured findings.
- @droid security as a trusted actor; confirm it produces security findings without unrelated edits.
- Droid Security Scan; confirm 7-day window, medium threshold, critical blocking, high non-blocking, no raw debug artifact.
- MINIMAX_API_KEY or Authorization: Bearer ... lines.
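
The quoted-heredoc behaviour and the static checks listed in the description above, as an added example that is not part of the PR or the repository's workflows. The function names, the sample workflow text and the "api_key" JSON field are assumptions made for illustration; the two action SHAs are the ones quoted on this page.

```shell
#!/usr/bin/env bash
# Added example: sample workflow text and the "api_key" field are constructed.

# Quoted delimiter: body is copied verbatim, so the file keeps the
# placeholder ${MINIMAX_API_KEY} and never holds the secret itself.
render_quoted() {
  cat <<'JSON'
{"api_key": "${MINIMAX_API_KEY}"}
JSON
}

# Unquoted delimiter: the variable is expanded and the secret lands in the file.
render_unquoted() {
  cat <<JSON
{"api_key": "${MINIMAX_API_KEY}"}
JSON
}

# Static checks over one workflow file; prints one FAIL line per finding.
lint_workflow() {
  local f="$1" rc=0 key
  if grep -q 'pull_request_target' "$f"; then
    echo "FAIL: pull_request_target present"; rc=1
  fi
  # Every uses: ref must be a full 40-hex commit SHA, not a tag or branch.
  if grep -E '^[[:space:]]*(- )?uses:' "$f" |
     grep -Evq '@[0-9a-f]{40}([[:space:]]|$)'; then
    echo "FAIL: action not pinned to a full commit SHA"; rc=1
  fi
  for key in upload_debug_artifacts show_full_output; do
    if ! grep -Eq "^[[:space:]]*${key}:[[:space:]]*false" "$f"; then
      echo "FAIL: ${key} is not explicitly false"; rc=1
    fi
  done
  # A heredoc delimiter that starts with a letter is unquoted.
  if grep -Eq '<<-?[[:space:]]*[A-Za-z_]' "$f"; then
    echo "FAIL: unquoted heredoc would expand secrets"; rc=1
  fi
  return "$rc"
}

# Constructed workflow: $1 = droid action ref, $2 = heredoc delimiter.
sample_workflow() {
  printf '%s\n' "on: pull_request" "jobs:" "  review:" "    steps:" \
    "      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5" \
    "      - run: cat > \"\$HOME/.factory/settings.local.json\" <<$2" \
    "      - uses: EffortlessMetrics/droid-action-safe@$1" \
    "        with:" "          show_full_output: false" \
    "          upload_debug_artifacts: false"
}
```

The lint is line-based grep, so it serves as a pre-merge tripwire for these specific invariants and does not parse YAML.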