From 58feb0d777c5562eb8dd578614cd26f1fc408582 Mon Sep 17 00:00:00 2001 From: Sam Fitzgerald Date: Mon, 15 Jun 2026 13:56:09 -0400 Subject: [PATCH 1/3] fix(ci): use valid Factory droid-action inputs for code review The Code Review workflow passed org_id/api_key/prompt, which are not valid droid-action inputs, so the action never received the API key and failed on every PR. Use factory_api_key (and explicit github_token) and drop the invalid inputs. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> --- .github/workflows/factory-code-review.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/factory-code-review.yml b/.github/workflows/factory-code-review.yml index 62bed33..4293d7a 100644 --- a/.github/workflows/factory-code-review.yml +++ b/.github/workflows/factory-code-review.yml @@ -18,9 +18,8 @@ jobs: - name: Run Factory droid-action uses: Factory-AI/droid-action@main with: - org_id: ${{ secrets.FACTORY_ORG_ID }} - api_key: ${{ secrets.FACTORY_API_KEY }} + factory_api_key: ${{ secrets.FACTORY_API_KEY }} + github_token: ${{ secrets.GITHUB_TOKEN }} automatic_review: true automatic_security_review: true allowed_bots: dependabot - prompt: Automatic code review with security review enabled on pull requests. From 56ab7a353768e2950c7f786b15a0ec813228ddeb Mon Sep 17 00:00:00 2001 From: Sam Fitzgerald Date: Mon, 15 Jun 2026 14:22:48 -0400 Subject: [PATCH 2/3] fix(ci): add id-token:write permission and review PR updates droid-action mints its GitHub token via OIDC, which requires id-token:write; without it the review job failed after running. Also review on synchronize/ reopened so updated PRs get re-reviewed. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> --- .github/workflows/factory-code-review.yml | 3 +++ 1 file changed, 3 insertions(+) 
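Review bot: `allowed_bots: dependabot` on the new side implies Dependabot pull requests are meant to be reviewed, but this workflow runs on `pull_request`, where Dependabot-triggered runs (and runs for pull requests from forks, if this repository accepts them) do not receive repository secrets, so `factory_api_key: ${{ secrets.FACTORY_API_KEY }}` would expand to an empty string and the step would fail in the same way the commit message describes for the old `api_key` input. If Dependabot review is intended, `FACTORY_API_KEY` also has to be added as a Dependabot secret, and the step should skip cleanly rather than error when the secret is absent, e.g. `if: ${{ secrets.FACTORY_API_KEY != '' }}` on the `Run Factory droid-action` step. I would also record the input contract in a comment above `with:`, `# droid-action inputs: factory_api_key (required), github_token (defaults to the job token); org_id/api_key/prompt are not recognised`, so the next edit does not reintroduce the unknown keys the action silently ignores. The job that contains this step starts outside the hunk.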
diff --git a/.github/workflows/factory-code-review.yml b/.github/workflows/factory-code-review.yml index 4293d7a..38d2c3f 100644 --- a/.github/workflows/factory-code-review.yml +++ b/.github/workflows/factory-code-review.yml @@ -5,10 +5,13 @@ name: Code Review pull_request: types: - opened + - synchronize + - reopened permissions: contents: read pull-requests: write issues: write + id-token: write jobs: run: runs-on: ubuntu-latest From 46eb8297f3b77bc739b83e4f12631ed6bcb43662 Mon Sep 17 00:00:00 2001 From: Sam Fitzgerald Date: Mon, 15 Jun 2026 15:05:45 -0400 Subject: [PATCH 3/3] fix(ci): pin Factory droid-action to an immutable commit SHA Resolves the P1 security review finding: granting id-token:write to an unpinned third-party action increases supply-chain blast radius. Pin Factory-AI/droid-action to its current main SHA so the referenced code cannot change underneath us. No functional change. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com> --- .github/workflows/factory-code-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/factory-code-review.yml b/.github/workflows/factory-code-review.yml index 38d2c3f..8e858be 100644 --- a/.github/workflows/factory-code-review.yml +++ b/.github/workflows/factory-code-review.yml @@ -19,7 +19,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Run Factory droid-action - uses: Factory-AI/droid-action@main + uses: Factory-AI/droid-action@7c7bfea2aa3bb7ea87579402cc1d89dbcf6b13b3 # main with: factory_api_key: ${{ secrets.FACTORY_API_KEY }} github_token: ${{ secrets.GITHUB_TOKEN }}
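Review bot: `id-token: write` is added at the workflow level next to `pull-requests: write` and `issues: write`, so every job in this workflow, including any added later, can mint OIDC tokens asserting this repository's identity and post to its PRs and issues; move the block under `jobs.run.permissions` so the grant is scoped to the one job that needs it, keeping `contents: read` at the top. Each scope should carry a why-comment, since the PR diff the action reads is untrusted input handed to an LLM and these write scopes are exactly what a prompt-injection payload in a PR could spend: `# id-token: write — droid-action mints its GitHub token via OIDC (see PATCH 2/3 message)` and `# pull-requests/issues: write — only needed to post review comments`. With `synchronize` added, every push to a PR starts a new run; a `concurrency:` block with `group: factory-review-${{ github.event.pull_request.number }}` and `cancel-in-progress: true` stops reviews of superseded commits from racing the current one.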
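Review bot: `actions/checkout@v4` two lines above the newly pinned `droid-action` line is still referenced by a mutable tag, which contradicts the commit's own rationale — the checkout step runs in the same job that now holds `id-token: write`, so a moved `v4` tag would execute with the same permissions; pin it the same way, `uses: actions/checkout@<full 40-hex sha> # v4.x.y`, with the real commit looked up rather than copied from memory. The trailing `# main` comment on the droid-action pin names a branch rather than a version, so Dependabot/Renovate SHA-pin updates have nothing to compare against and the pin will rot silently; if Factory-AI publishes release tags, put the tag in the comment (`# v1.2.3`), and if not already configured, add `package-ecosystem: github-actions` to `.github/dependabot.yml` so the SHA is bumped on a schedule and each bump arrives as a reviewable PR.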