From 02f8680ff3fe692def3af99e13b8b6b2295fc840 Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Wed, 7 Jan 2026 15:42:29 -0800 Subject: [PATCH 1/7] updated readme with new changes --- README.md | 271 ++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 243 insertions(+), 28 deletions(-) diff --git a/README.md b/README.md index b3cfb4d..87ffdde 100644 --- a/README.md +++ b/README.md 
@@ -1,28 +1,44 @@ # Droid Actions for GitHub -This GitHub Action powers the Factory **Droid** app. It watches your pull requests for the two supported commands and runs a full Droid Exec session to help you ship faster: +This GitHub Action powers the Factory **Droid** app. It watches your pull requests for supported commands and runs a full Droid Exec session to help you ship faster: -* `@droid fill` — turns a bare pull request into a polished description that matches your template or our opinionated fallback. -* `@droid review` — performs an automated code review, surfaces potential bugs, and leaves inline comments directly on the diff. +- `@droid fill` — turns a bare pull request into a polished description that matches your template or our opinionated fallback. +- `@droid review` — performs an automated code review, surfaces potential bugs, and leaves inline comments directly on the diff. +- `@droid security` — performs a security-focused code review using STRIDE methodology, identifying vulnerabilities and suggesting fixes. +- `@droid review security` — runs both code review and security review in parallel for comprehensive feedback. +- `@droid security --full` — performs a full repository security scan and creates a PR with the report. Everything runs inside GitHub Actions using your Factory API key, so the bot never leaves your repository and operates with the permissions you grant. ## What Happens When You Tag `@droid` -1. **Trigger detection** – The action scans issue comments, PR descriptions, and review comments for `@droid fill` or `@droid review`. +1. **Trigger detection** – The action scans issue comments, PR descriptions, and review comments for `@droid` commands. 2. **Context gathering** – Droid collects the PR metadata, existing comments, changed files, and any PR description template in your repository. -3. **Prompt generation** – We compose a precise prompt instructing Droid what to do (fill or review) and which GitHub MCP tools it may use. -4. 
**Execution** – The action runs `droid exec` with full repository context. MPU tools are pre-registered so Droid can call the GitHub APIs safely. -5. **Results** – For fill, Droid updates the PR body. For review, it posts inline feedback and a summary comment under the original request. +3. **Prompt generation** – We compose a precise prompt instructing Droid what to do and which GitHub MCP tools it may use. +4. **Execution** – The action runs `droid exec` with full repository context. MCP tools are pre-registered so Droid can call the GitHub APIs safely. +5. **Results** – For fill, Droid updates the PR body. For review/security, it posts inline feedback and a summary comment. + +### Parallel Review Flow + +When both code review and security review are enabled (via `@droid review security` or automatic flags), the action uses a parallel workflow: + +1. **Prepare** – Creates a tracking comment and detects which reviews to run +2. **Code Review** – Analyzes code quality, bugs, and best practices (runs in parallel) +3. **Security Review** – Analyzes security vulnerabilities using STRIDE methodology (runs in parallel) +4. **Combine** – Merges results from both reviews, deduplicates findings, and posts inline comments + +The combine step only runs when both reviews are enabled. If only one review type is active, it posts results directly without the combine step. ## Installation 1. **Install the Droid GitHub App** - * Install from the Factory dashboard and grant it access to the repositories where you want Droid to operate. + - Install from the Factory dashboard and grant it access to the repositories where you want Droid to operate. 2. **Create a Factory API Key** - * Generate a token at [https://app.factory.ai/settings/api-keys](https://app.factory.ai/settings/api-keys) and save it as `FACTORY_API_KEY` in your repository or organization secrets. 
+ - Generate a token at [https://app.factory.ai/settings/api-keys](https://app.factory.ai/settings/api-keys) and save it as `FACTORY_API_KEY` in your repository or organization secrets. 3. **Add the Action Workflows** - * Create two workflow files under `.github/workflows/` to separate on-demand tagging from automatic PR reviews. + - Create workflow files under `.github/workflows/` based on your needs. + +### Basic Setup (Single Action) `droid.yml` (responds to explicit `@droid` mentions): @@ -68,7 +84,7 @@ jobs: factory_api_key: ${{ secrets.FACTORY_API_KEY }} ``` -`droid-review.yml` (runs automatic reviews when PRs are ready): +`droid-review.yml` (automatic reviews on PRs): ```yaml name: Droid Auto Review 
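Review bot: the trigger-detection step in this hunk says the action scans issue comments, PR descriptions and review comments for `@droid` commands, but nothing in the README says who is allowed to trigger them. Because the workflow runs with write permissions and spends the repository's Factory API key, the README should state whether the action checks the commenter's role or author association before running `droid exec`, and if it does not, recommend restricting `droid.yml` to trusted contributors. Also, the four steps under "Parallel Review Flow" lack the trailing periods used by the numbered list directly above them.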
@@ -98,33 +114,232 @@ jobs: with: factory_api_key: ${{ secrets.FACTORY_API_KEY }} automatic_review: true + automatic_security_review: true # Enable both for comprehensive reviews ``` -Once committed, tagging `@droid fill` or `@droid review` on an open PR will trigger the bot automatically, and non-draft PRs will also receive automatic reviews if `droid-review.yml` is enabled. +### Advanced Setup (Parallel Workflow with Sub-Actions) + +For maximum efficiency with both code and security reviews, use the modular sub-actions to run reviews in parallel: + +```yaml +name: Droid Parallel Review + +on: + pull_request: + types: [opened, ready_for_review, reopened] + +jobs: + prepare: + if: github.event.pull_request.draft == false + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + outputs: + comment_id: ${{ steps.prepare.outputs.comment_id }} + run_code_review: ${{ steps.prepare.outputs.run_code_review }} + run_security_review: ${{ steps.prepare.outputs.run_security_review }} + steps: + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Prepare + id: prepare + uses: Factory-AI/droid-action/prepare@v1 + with: + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + automatic_review: true + automatic_security_review: true + + code-review: + needs: prepare + if: needs.prepare.outputs.run_code_review == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Run Code Review + uses: Factory-AI/droid-action/review@v1 + with: + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} + output_file: ${{ runner.temp }}/code-review-results.json + + - name: Upload Results + uses: actions/upload-artifact@v4 + with: + name: code-review-results + path: ${{ runner.temp }}/code-review-results.json + + 
security-review: + needs: prepare + if: needs.prepare.outputs.run_security_review == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Run Security Review + uses: Factory-AI/droid-action/security@v1 + with: + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} + security_severity_threshold: medium + output_file: ${{ runner.temp }}/security-results.json + + - name: Upload Results + uses: actions/upload-artifact@v4 + with: + name: security-results + path: ${{ runner.temp }}/security-results.json + + combine: + needs: [prepare, code-review, security-review] + # Only run combine when BOTH reviews were executed + if: | + always() && + needs.prepare.outputs.run_code_review == 'true' && + needs.prepare.outputs.run_security_review == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v5 + + - name: Download Code Review Results + uses: actions/download-artifact@v4 + with: + name: code-review-results + path: ${{ runner.temp }} + continue-on-error: true + + - name: Download Security Results + uses: actions/download-artifact@v4 + with: + name: security-results + path: ${{ runner.temp }} + continue-on-error: true + + - name: Combine Results + uses: Factory-AI/droid-action/combine@v1 + with: + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} + code_review_results: ${{ runner.temp }}/code-review-results.json + security_results: ${{ runner.temp }}/security-results.json + code_review_status: ${{ needs.code-review.result }} + security_review_status: ${{ needs.security-review.result }} +``` ## Using the Commands ### `@droid fill` -* Place the command in 
the PR description or in a top-level comment. -* Droid searches for common PR template locations (`.github/pull_request_template.md`, etc.). When a template exists, it fills the sections; otherwise it writes a structured summary (overview, changes, testing, rollout). -* The original request is replaced with the generated description so reviewers can merge immediately. + +- Place the command in the PR description or in a top-level comment. +- Droid searches for common PR template locations (`.github/pull_request_template.md`, etc.). When a template exists, it fills the sections; otherwise it writes a structured summary (overview, changes, testing, rollout). +- The original request is replaced with the generated description so reviewers can merge immediately. ### `@droid review` -* Mention `@droid review` in a PR comment. -* Droid inspects the diff, prioritizes potential bugs or high-impact issues, and leaves inline comments directly on the changed lines. -* A short summary comment is posted in the original thread highlighting the findings and linking to any inline feedback. -## Configuration Essentials +- Mention `@droid review` in a PR comment. +- Droid inspects the diff, prioritizes potential bugs or high-impact issues, and leaves inline comments directly on the changed lines. +- A short summary comment is posted in the original thread highlighting the findings and linking to any inline feedback. + +### `@droid security` + +- Mention `@droid security` in a PR comment. +- Droid performs a security-focused review using STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). +- Findings include severity levels, CWE references, and suggested fixes. +- Security reviews run once per PR to avoid duplicate scans on subsequent commits. + +### `@droid review security` or `@droid security review` + +- Triggers both code review and security review to run in parallel. 
+- Results are combined and deduplicated before posting inline comments. +- Provides comprehensive coverage of both code quality and security concerns. + +### `@droid security --full` + +- Performs a full repository security scan (not just PR changes). +- Creates a new branch with a security report at `.factory/security/reports/security-report-{date}.md`. +- Opens a PR with findings and auto-generated patches where possible. +- Useful for scheduled security audits. + +## Configuration + +### Core Inputs + +| Input | Purpose | +| ----------------- | ------------------------------------------------------------------------------------------------------ | +| `factory_api_key` | **Required.** Grants Droid Exec permission to run via Factory. | +| `github_token` | Optional override if you prefer a custom GitHub App/token. By default the installed app token is used. | + +### Review Configuration + +| Input | Default | Purpose | +| ------------------ | ------- | ----------------------------------------------------------------------------- | +| `automatic_review` | `false` | Automatically run code review on PRs without requiring `@droid review`. | +| `review_model` | `""` | Override the model used for code review (e.g., `claude-sonnet-4-5-20250929`). | +| `fill_model` | `""` | Override the model used for PR description fill. | + +### Security Configuration + +| Input | Default | Purpose | +| ----------------------------- | -------- | ----------------------------------------------------------------------------------------------------------------- | +| `automatic_security_review` | `false` | Automatically run security review on PRs without requiring `@droid security`. | +| `security_model` | `""` | Override the model used for security review. Falls back to `review_model` if not set. | +| `security_severity_threshold` | `medium` | Minimum severity to report (`critical`, `high`, `medium`, `low`). Findings below this threshold are filtered out. 
| +| `security_block_on_critical` | `true` | Submit `REQUEST_CHANGES` review when critical severity findings are detected. | +| `security_block_on_high` | `false` | Submit `REQUEST_CHANGES` review when high severity findings are detected. | +| `security_notify_team` | `""` | GitHub team to @mention on critical findings (e.g., `@org/security-team`). | +| `security_scan_schedule` | `false` | Enable scheduled security scans for `schedule` events. | +| `security_scan_days` | `7` | Number of days of commits to scan for scheduled security scans. | + +## Sub-Actions + +For advanced workflows, you can use the modular sub-actions directly: + +| Sub-Action | Purpose | +| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | +| `Factory-AI/droid-action/prepare` | Creates tracking comment and detects which review modes to run. Outputs `comment_id`, `run_code_review`, `run_security_review`. | +| `Factory-AI/droid-action/review` | Runs code review. Requires `tracking_comment_id`. Outputs findings to `output_file`. | +| `Factory-AI/droid-action/security` | Runs security review. Requires `tracking_comment_id`. Installs security skills automatically. | +| `Factory-AI/droid-action/combine` | Combines results from parallel reviews, deduplicates findings, posts inline comments. Only needed when both reviews run. 
| + +## Security Skills + +The security review uses specialized Factory skills installed from the public `Factory-AI/skills` repository: + +- **threat-model-generation** – Generates STRIDE-based threat models for repositories +- **commit-security-scan** – Scans code changes for security vulnerabilities +- **vulnerability-validation** – Validates findings and filters false positives +- **security-review** – Comprehensive security review and patch generation -| Input | Purpose | -| --- | --- | -| `factory_api_key` | **Required.** Grants Droid Exec permission to run via Factory. | -| `github_token` | Optional override if you prefer a custom GitHub App/token. By default the installed app token is used. | -| `review_model` | Optional. Override the model used for code review (e.g., `claude-sonnet-4-5-20250929`, `gpt-5.1-codex`). Only applies to review flows. | -| `fill_model` | Optional. Override the model used for PR description fill (e.g., `claude-sonnet-4-5-20250929`, `gpt-5.1-codex`). Only applies to fill flows. | +These skills are automatically installed when running security reviews. ## Troubleshooting & Support -* Check the workflow run linked from the Droid tracking comment for execution logs. -* Verify that the workflow file and repository allow the GitHub App to run (branch protections can block bots). -* Need more detail? Start with the [Setup Guide](./docs/setup.md) or [FAQ](./docs/faq.md). +- Check the workflow run linked from the Droid tracking comment for execution logs. +- Verify that the workflow file and repository allow the GitHub App to run (branch protections can block bots). +- Security reviews run once per PR. If you need to re-run, close and reopen the PR or use `@droid security` explicitly. +- Need more detail? Start with the [Setup Guide](./docs/setup.md) or [FAQ](./docs/faq.md). From 11cd9c267f0cd3cb2bb76ae6599363f501334efc Mon Sep 17 00:00:00 2001 
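Review bot: the `@droid security --full` section in this hunk says the scan "Opens a PR with findings and auto-generated patches", but the README does not mention that on a public repository the report under `.factory/security/reports/` and the PR body make unpatched vulnerability details readable by anyone the moment the PR opens; add a sentence so teams can decide whether that is acceptable before enabling the mode. Two smaller points on the advanced workflow: `security_severity_threshold: medium` restates the documented default and can be dropped from the sample, and the third-party actions (`actions/checkout@v5`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `Factory-AI/droid-action/*@v1`) should be pinned to full commit SHAs in a workflow that holds a write token and the Factory API key, since mutable tags are the usual supply-chain weak point.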
From: Shashank Sharma Date: Mon, 12 Jan 2026 12:05:34 -0800 Subject: [PATCH 2/7] updated readme to simplify the flow --- README.md | 167 +----------------------------------------------------- 1 file changed, 2 insertions(+), 165 deletions(-) diff --git a/README.md b/README.md index 87ffdde..bd1c3a6 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,7 @@ This GitHub Action powers the Factory **Droid** app. It watches your pull reques - `@droid fill` — turns a bare pull request into a polished description that matches your template or our opinionated fallback. - `@droid review` — performs an automated code review, surfaces potential bugs, and leaves inline comments directly on the diff. -- `@droid security` — performs a security-focused code review using STRIDE methodology, identifying vulnerabilities and suggesting fixes. -- `@droid review security` — runs both code review and security review in parallel for comprehensive feedback. +- `@droid security` — performs an automated security review using STRIDE methodology, identifying vulnerabilities and suggesting fixes. - `@droid security --full` — performs a full repository security scan and creates a PR with the report. Everything runs inside GitHub Actions using your Factory API key, so the bot never leaves your repository and operates with the permissions you grant. 
@@ -18,17 +17,6 @@ Everything runs inside GitHub Actions using your Factory API key, so the bot nev 4. **Execution** – The action runs `droid exec` with full repository context. MCP tools are pre-registered so Droid can call the GitHub APIs safely. 5. **Results** – For fill, Droid updates the PR body. For review/security, it posts inline feedback and a summary comment. -### Parallel Review Flow - -When both code review and security review are enabled (via `@droid review security` or automatic flags), the action uses a parallel workflow: - -1. **Prepare** – Creates a tracking comment and detects which reviews to run -2. **Code Review** – Analyzes code quality, bugs, and best practices (runs in parallel) -3. **Security Review** – Analyzes security vulnerabilities using STRIDE methodology (runs in parallel) -4. **Combine** – Merges results from both reviews, deduplicates findings, and posts inline comments - -The combine step only runs when both reviews are enabled. If only one review type is active, it posts results directly without the combine step. - ## Installation 1. **Install the Droid GitHub App** @@ -38,7 +26,7 @@ The combine step only runs when both reviews are enabled. If only one review typ 3. **Add the Action Workflows** - Create workflow files under `.github/workflows/` based on your needs. -### Basic Setup (Single Action) +### Setup `droid.yml` (responds to explicit `@droid` mentions): 
@@ -117,140 +105,6 @@ jobs: automatic_security_review: true # Enable both for comprehensive reviews ``` -### Advanced Setup (Parallel Workflow with Sub-Actions) - -For maximum efficiency with both code and security reviews, use the modular sub-actions to run reviews in parallel: - -```yaml -name: Droid Parallel Review - -on: - pull_request: - types: [opened, ready_for_review, reopened] - -jobs: - prepare: - if: github.event.pull_request.draft == false - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - issues: write - id-token: write - outputs: - comment_id: ${{ steps.prepare.outputs.comment_id }} - run_code_review: ${{ steps.prepare.outputs.run_code_review }} - run_security_review: ${{ steps.prepare.outputs.run_security_review }} - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - - name: Prepare - id: prepare - uses: Factory-AI/droid-action/prepare@v1 - with: - factory_api_key: ${{ secrets.FACTORY_API_KEY }} - automatic_review: true - automatic_security_review: true - - code-review: - needs: prepare - if: needs.prepare.outputs.run_code_review == 'true' - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - issues: write - id-token: write - actions: read - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - - name: Run Code Review - uses: Factory-AI/droid-action/review@v1 - with: - factory_api_key: ${{ secrets.FACTORY_API_KEY }} - tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} - output_file: ${{ runner.temp }}/code-review-results.json - - - name: Upload Results - uses: actions/upload-artifact@v4 - with: - name: code-review-results - path: ${{ runner.temp }}/code-review-results.json - - security-review: - needs: prepare - if: needs.prepare.outputs.run_security_review == 'true' - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - issues: write - id-token: write - actions: read - steps: - - name: Checkout repository - uses: 
actions/checkout@v5 - - - name: Run Security Review - uses: Factory-AI/droid-action/security@v1 - with: - factory_api_key: ${{ secrets.FACTORY_API_KEY }} - tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} - security_severity_threshold: medium - output_file: ${{ runner.temp }}/security-results.json - - - name: Upload Results - uses: actions/upload-artifact@v4 - with: - name: security-results - path: ${{ runner.temp }}/security-results.json - - combine: - needs: [prepare, code-review, security-review] - # Only run combine when BOTH reviews were executed - if: | - always() && - needs.prepare.outputs.run_code_review == 'true' && - needs.prepare.outputs.run_security_review == 'true' - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - issues: write - id-token: write - actions: read - steps: - - name: Checkout repository - uses: actions/checkout@v5 - - - name: Download Code Review Results - uses: actions/download-artifact@v4 - with: - name: code-review-results - path: ${{ runner.temp }} - continue-on-error: true - - - name: Download Security Results - uses: actions/download-artifact@v4 - with: - name: security-results - path: ${{ runner.temp }} - continue-on-error: true - - - name: Combine Results - uses: Factory-AI/droid-action/combine@v1 - with: - factory_api_key: ${{ secrets.FACTORY_API_KEY }} - tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} - code_review_results: ${{ runner.temp }}/code-review-results.json - security_results: ${{ runner.temp }}/security-results.json - code_review_status: ${{ needs.code-review.result }} - security_review_status: ${{ needs.security-review.result }} -``` - ## Using the Commands ### `@droid fill` 
@@ -272,12 +126,6 @@ jobs: - Findings include severity levels, CWE references, and suggested fixes. - Security reviews run once per PR to avoid duplicate scans on subsequent commits. -### `@droid review security` or `@droid security review` - -- Triggers both code review and security review to run in parallel. -- Results are combined and deduplicated before posting inline comments. -- Provides comprehensive coverage of both code quality and security concerns. - ### `@droid security --full` - Performs a full repository security scan (not just PR changes). @@ -315,17 +163,6 @@ jobs: | `security_scan_schedule` | `false` | Enable scheduled security scans for `schedule` events. | | `security_scan_days` | `7` | Number of days of commits to scan for scheduled security scans. | -## Sub-Actions - -For advanced workflows, you can use the modular sub-actions directly: - -| Sub-Action | Purpose | -| ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | -| `Factory-AI/droid-action/prepare` | Creates tracking comment and detects which review modes to run. Outputs `comment_id`, `run_code_review`, `run_security_review`. | -| `Factory-AI/droid-action/review` | Runs code review. Requires `tracking_comment_id`. Outputs findings to `output_file`. | -| `Factory-AI/droid-action/security` | Runs security review. Requires `tracking_comment_id`. Installs security skills automatically. | -| `Factory-AI/droid-action/combine` | Combines results from parallel reviews, deduplicates findings, posts inline comments. Only needed when both reviews run. | - ## Security Skills The security review uses specialized Factory skills installed from the public `Factory-AI/skills` repository: From 1ac5fc15f1d311db632920d72ca42519e7b8b723 Mon Sep 17 00:00:00 2001 
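Review bot: removing the Sub-Actions table in the last hunk leaves the `prepare`, `review`, `security` and `combine` sub-actions and their inputs (`tracking_comment_id`, `output_file`, and the `comment_id`/`run_code_review`/`run_security_review` outputs) undocumented, while PATCH 5/7 in this series reintroduces a `droid-review.yml` that depends on all of them. Keep a trimmed version of the table, or point to `docs/setup.md`, so every input used by the recommended workflow is described somewhere in the README.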
From: Shashank Sharma Date: Mon, 12 Jan 2026 12:08:36 -0800 Subject: [PATCH 3/7] updated readme to simplify the flow 2 --- README.md | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/README.md b/README.md index bd1c3a6..680d739 100644 --- a/README.md +++ b/README.md @@ -9,14 +9,6 @@ This GitHub Action powers the Factory **Droid** app. It watches your pull reques Everything runs inside GitHub Actions using your Factory API key, so the bot never leaves your repository and operates with the permissions you grant. -## What Happens When You Tag `@droid` - -1. **Trigger detection** – The action scans issue comments, PR descriptions, and review comments for `@droid` commands. -2. **Context gathering** – Droid collects the PR metadata, existing comments, changed files, and any PR description template in your repository. -3. **Prompt generation** – We compose a precise prompt instructing Droid what to do and which GitHub MCP tools it may use. -4. **Execution** – The action runs `droid exec` with full repository context. MCP tools are pre-registered so Droid can call the GitHub APIs safely. -5. **Results** – For fill, Droid updates the PR body. For review/security, it posts inline feedback and a summary comment. - ## Installation 1. **Install the Droid GitHub App** @@ -102,7 +94,7 @@ jobs: with: factory_api_key: ${{ secrets.FACTORY_API_KEY }} automatic_review: true - automatic_security_review: true # Enable both for comprehensive reviews + automatic_security_review: true ``` ## Using the Commands From a8d786918a901878ad58cc9909b500d6213f346e Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Mon, 12 Jan 2026 12:13:26 -0800 Subject: [PATCH 4/7] updated readme to simplify the flow 3 --- README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.md b/README.md index 680d739..a36f611 100644 --- a/README.md +++ b/README.md 
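Review bot: PATCH 3/7 deletes the "What Happens When You Tag `@droid`" section together with the `# Enable both for comprehensive reviews` comment, and PATCH 4/7 restores the section verbatim a few minutes later. Squash the two so the series does not carry a remove-then-restore pair; the only net change left is the dropped comment and the added "Once committed, ..." sentence.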
@@ -9,6 +9,14 @@ This GitHub Action powers the Factory **Droid** app. It watches your pull reques Everything runs inside GitHub Actions using your Factory API key, so the bot never leaves your repository and operates with the permissions you grant. +## What Happens When You Tag `@droid` + +1. **Trigger detection** – The action scans issue comments, PR descriptions, and review comments for `@droid` commands. +2. **Context gathering** – Droid collects the PR metadata, existing comments, changed files, and any PR description template in your repository. +3. **Prompt generation** – We compose a precise prompt instructing Droid what to do and which GitHub MCP tools it may use. +4. **Execution** – The action runs `droid exec` with full repository context. MCP tools are pre-registered so Droid can call the GitHub APIs safely. +5. **Results** – For fill, Droid updates the PR body. For review/security, it posts inline feedback and a summary comment. + ## Installation 1. **Install the Droid GitHub App** @@ -97,6 +105,8 @@ jobs: automatic_security_review: true ``` +Once committed, tagging `@droid fill`, `@droid review`, or `@droid security` on an open PR will trigger the bot automatically, and non-draft PRs will also receive automatic reviews if `droid-review.yml` is enabled. + ## Using the Commands ### `@droid fill` From d5cf08444fe523cf9c986ae73c8f88fee4b772a3 Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Mon, 12 Jan 2026 14:49:29 -0800 Subject: [PATCH 5/7] updated readme 4 --- README.md | 127 +++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 122 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a36f611..e68a703 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,8 @@ jobs: factory_api_key: ${{ secrets.FACTORY_API_KEY }} ``` +Once committed, tagging `@droid fill`, `@droid review`, or `@droid security` on an open PR will trigger the bot automatically. + `droid-review.yml` (automatic reviews on PRs): ```yaml 
@@ -82,7 +84,7 @@ on: types: [opened, ready_for_review, reopened] jobs: - droid-review: + prepare: if: github.event.pull_request.draft == false runs-on: ubuntu-latest permissions: 
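Review bot: renaming the job to `prepare` keeps the `on: pull_request` trigger shown in context, and the README should say what that means for pull requests opened from forks: on fork-originated `pull_request` events the `GITHUB_TOKEN` is read-only regardless of the `permissions:` block and repository secrets such as `FACTORY_API_KEY` are not available, so `prepare` will fail or be unable to post its tracking comment. A sentence under Troubleshooting naming this limitation would save users a debugging session; do not present `pull_request_target` as a drop-in workaround without a warning, since it runs with write permissions and secrets against untrusted PR content.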
@@ -90,22 +92,137 @@ jobs: pull-requests: write issues: write id-token: write - actions: read + outputs: + comment_id: ${{ steps.prepare.outputs.comment_id }} + run_code_review: ${{ steps.prepare.outputs.run_code_review }} + run_security_review: ${{ steps.prepare.outputs.run_security_review }} steps: - name: Checkout repository uses: actions/checkout@v5 with: fetch-depth: 1 - - name: Run Droid Auto Review - uses: Factory-AI/droid-action@v1 + - name: Prepare + id: prepare + uses: Factory-AI/droid-action/prepare@v1 with: factory_api_key: ${{ secrets.FACTORY_API_KEY }} automatic_review: true automatic_security_review: true + + code-review: + needs: prepare + if: needs.prepare.outputs.run_code_review == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v5 + with: + fetch-depth: 1 + + - name: Run Code Review + uses: Factory-AI/droid-action/review@v1 + with: + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} + output_file: ${{ runner.temp }}/code-review-results.json + + - name: Upload Results + uses: actions/upload-artifact@v4 + with: + name: code-review-results + path: ${{ runner.temp }}/code-review-results.json + if-no-files-found: ignore + + security-review: + needs: prepare + if: needs.prepare.outputs.run_security_review == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v5 + with: + fetch-depth: 1 + + - name: Run Security Review + uses: Factory-AI/droid-action/security@v1 + with: + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} + output_file: ${{ runner.temp }}/security-review-results.json + + - name: Upload Results + uses: 
actions/upload-artifact@v4 + with: + name: security-review-results + path: ${{ runner.temp }}/security-review-results.json + if-no-files-found: ignore + + combine: + needs: [prepare, code-review, security-review] + if: | + always() && + needs.prepare.outputs.run_code_review == 'true' && + needs.prepare.outputs.run_security_review == 'true' + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write + id-token: write + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v5 + with: + fetch-depth: 1 + + - name: Download Code Review Results + uses: actions/download-artifact@v4 + with: + name: code-review-results + path: ${{ runner.temp }} + continue-on-error: true + + - name: Download Security Review Results + uses: actions/download-artifact@v4 + with: + name: security-review-results + path: ${{ runner.temp }} + continue-on-error: true + + - name: Combine Results + uses: Factory-AI/droid-action/combine@v1 + with: + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + tracking_comment_id: ${{ needs.prepare.outputs.comment_id }} + code_review_results: ${{ runner.temp }}/code-review-results.json + code_review_status: ${{ needs.code-review.result }} + security_review_results: ${{ runner.temp }}/security-review-results.json + security_review_status: ${{ needs.security-review.result }} ``` -Once committed, tagging `@droid fill`, `@droid review`, or `@droid security` on an open PR will trigger the bot automatically, and non-draft PRs will also receive automatic reviews if `droid-review.yml` is enabled. 
+Set `automatic_review` and `automatic_security_review` to control which reviews run automatically on non-draft PRs: + +| `automatic_review` | `automatic_security_review` | Behavior | +| ------------------ | --------------------------- | ------------------------------- | +| `true` | `false` | Code review only | +| `false` | `true` | Security review only | +| `true` | `true` | Both reviews + combined summary | + +The combine step only runs when both reviews are enabled, merging findings into a single summary comment. ## Using the Commands From ef51192a1a136d46f0de5cb992a888831e311911 Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Mon, 12 Jan 2026 14:52:08 -0800 Subject: [PATCH 6/7] updated readme 5 --- README.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/README.md b/README.md index e68a703..3ba6e3a 100644 --- a/README.md +++ b/README.md @@ -214,16 +214,6 @@ jobs: security_review_status: ${{ needs.security-review.result }} ``` -Set `automatic_review` and `automatic_security_review` to control which reviews run automatically on non-draft PRs: - -| `automatic_review` | `automatic_security_review` | Behavior | -| ------------------ | --------------------------- | ------------------------------- | -| `true` | `false` | Code review only | -| `false` | `true` | Security review only | -| `true` | `true` | Both reviews + combined summary | - -The combine step only runs when both reviews are enabled, merging findings into a single summary comment. - ## Using the Commands ### `@droid fill` From 0053d719b0f0a3448106ce51b05e249e2ccc7080 Mon Sep 17 00:00:00 2001 From: Shashank Sharma Date: Mon, 12 Jan 2026 14:53:45 -0800 Subject: [PATCH 7/7] updated readme 5 --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 3ba6e3a..1bbcc70 100644 --- a/README.md +++ b/README.md 
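Review bot: the `combine` job condition `always() && ...` also fires when the workflow is cancelled, which will post a partial summary; `!cancelled() && ...` keeps the intent of running after a failed or skipped review without that side effect. Two more points on this hunk: the combine input is named `security_review_results` here while PATCH 1/7 used `security_results` for the same file, so confirm which name the `combine` action accepts and align the other; and every job requests `contents: write`, `issues: write` and `id-token: write` although the README only describes the review jobs posting comments, so document which permission each sub-action actually needs or trim the blocks to least privilege.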
@@ -214,6 +214,8 @@ jobs: security_review_status: ${{ needs.security-review.result }} ``` +Set `automatic_review` and `automatic_security_review` to control which reviews run automatically on non-draft PRs. + ## Using the Commands ### `@droid fill`
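Review bot: the sentence added here replaces the table that PATCH 6/7 removed, but drops the one fact the table and its trailing sentence carried: that the `combine` job only runs when both `automatic_review` and `automatic_security_review` are `true`, and (as the PATCH 1/7 text put it) a single enabled review posts its results directly without the combine step. Since the `if:` condition on `combine` is the least obvious part of the workflow, restore that sentence after the flag description. Also, PATCH 6/7 and PATCH 7/7 share the subject "updated readme 5"; give the second its own subject or squash the pair.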