fix(ci): use valid Factory droid-action inputs for code review#8
Conversation
The Code Review workflow passed org_id/api_key/prompt, which are not valid droid-action inputs, so the action never received the API key and failed on every PR. Use factory_api_key (and explicit github_token) and drop the invalid inputs. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
|
Droid encountered an error —— View job Droid is reviewing code and running a security check… |
droid-action mints its GitHub token via OIDC, which requires id-token:write; without it the review job failed after running. Also review on synchronize/ reopened so updated PRs get re-reviewed. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
|
Droid finished @factory-sam's task —— View job The workflow input fixes look correct and should unblock the Factory action, but the job currently grants OIDC token minting to an unpinned third-party action. Consider pinning the action and removing |
![factory-droid[bot]](https://avatars.githubusercontent.com/in/358017?s=60&v=4){kind=small}
| contents: read | ||
| pull-requests: write | ||
| issues: write | ||
| id-token: write |
There was a problem hiding this comment.
[P1] [security] Avoid granting OIDC id-token: write to an unpinned third-party action
Adding id-token: write enables GitHub OIDC tokens for this job, which materially increases blast radius if Factory-AI/droid-action@main (unpinned) is ever compromised, since the action already receives sensitive credentials (FACTORY_API_KEY and a write-scoped GITHUB_TOKEN) and could mint an OIDC token to access any external cloud roles trusted for this repo. Remove id-token: write unless the workflow strictly needs OIDC, and pin Factory-AI/droid-action to a specific commit SHA (plus keep permissions as minimal as possible).
There was a problem hiding this comment.
Addressed in 46eb829: pinned Factory-AI/droid-action to the immutable commit SHA 7c7bfea2aa3bb7ea87579402cc1d89dbcf6b13b3 (current main). id-token: write is required for the action's OIDC token, so pinning the action removes the unpinned-action blast-radius risk without changing functionality.
Resolves the P1 security review finding: granting id-token:write to an unpinned third-party action increases supply-chain blast radius. Pin Factory-AI/droid-action to its current main SHA so the referenced code cannot change underneath us. No functional change. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
|
Droid finished @factory-sam's task —— View job This PR correctly fixes the Factory droid-action inputs and pins the action SHA for reproducibility. No additional high-confidence, inline-anchorable issues found. |
1 participant
The Code Review workflow (added in #6) passed
org_id,api_key, andprompttoFactory-AI/droid-action@main, but those are not valid action inputs (the action expectsfactory_api_key). As a result the action never received the API key and theruncheck failed on every PR, even though theFACTORY_API_KEYsecret exists.This switches to
factory_api_key(plus an explicitgithub_token) and drops the invalidorg_id/promptinputs so the code-review bot can authenticate and run.