
docs(readme): add Authentication section#100

Merged

eric-factory merged 2 commits into dev from eric/readme-auth-section on Jun 29, 2026
Conversation

@eric-factory

Contributor

What

Adds a dedicated Authentication section to the README (before Configuration).

Why

The README only covered auth briefly inside 'Manual Setup' and a config table, which left users unclear on how the two pieces fit together. The new section explains them up front:

  1. Factory API key — the FACTORY_API_KEY secret used to run Droid.
  2. GitHub access — posting reviews via the Factory Droid GitHub App (default, needs id-token: write) or a custom github_token override.

Includes a short GitLab note. Companion to the docs.factory.ai code-review guide update.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Document the two kinds of access the action needs: the FACTORY_API_KEY
secret to run Droid, and GitHub access via the Factory Droid GitHub App
(default) or a custom github_token (override).

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
@factory-droid

factory-droid Bot commented Jun 29, 2026

Contributor

Droid finished @eric-factory's task.

Security Review

Docs update is clear and helpful. Suggested follow-ups are to clarify least-privilege workflow permissions for GitHub App auth, and to consider pinning Factory-AI/droid-action to a tag or SHA in workflow examples to reduce supply-chain risk.

Comment thread README.md
Comment on lines +266 to +270
permissions:
contents: write
pull-requests: write
issues: write
id-token: write # required for GitHub App auth
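Review bot: the inline comment on `id-token: write` states only that it is required for GitHub App auth; since the PR description presents a custom `github_token` override as the alternative to the App, the comment should also say whether that permission can be dropped when the override is used, e.g. `id-token: write # required for GitHub App auth; not needed when github_token is set`, so readers on the override path do not carry an OIDC grant they never use.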

Contributor

[P1] Clarify required vs recommended workflow permissions in Authentication

The new GitHub App example says it “requires id-token: write” but then shows a broader permissions: block (including contents: write) that also differs from earlier README examples (some use contents: read); clarifying which permissions are truly required for “post reviews” vs which are only needed for branch-writing flows helps users apply least privilege and avoids confusion.

Suggested change
permissions:
contents: write
pull-requests: write
issues: write
id-token: write # required for GitHub App auth
permissions:
contents: read # use write if you want Droid to push branches (e.g., @droid fill)
pull-requests: write
issues: write
id-token: write # required for GitHub App auth

Comment thread README.md
Droid runs using your Factory API key. Create one at [app.factory.ai/settings/api-keys](https://app.factory.ai/settings/api-keys) and save it as a `FACTORY_API_KEY` secret in your repository or organization. Pass it to the action on every run:

```yaml
- uses: Factory-AI/droid-action@main

Contributor

[P1] [security] Pin the action ref instead of using @main

The new examples use Factory-AI/droid-action@main, which is a mutable ref; pinning to an immutable tag or (preferably) a commit SHA in docs reduces supply-chain risk, since a compromised/updated branch would otherwise be executed automatically with your workflow permissions and access to secrets.
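As an added example (not part of this pull request or of the Factory-AI/droid-action project), a standard-library Python check that applies the two review findings above to workflow text: it flags `uses:` refs that are not pinned to a full commit SHA and `permissions:` entries granting write beyond what posting reviews needs. The sample workflow is constructed here from the README excerpt, and the allow-list of write scopes is an assumption taken from the suggested change above.

```python
"""Added example: lint workflow text for unpinned action refs and over-broad write permissions."""
import re

# Constructed sample mirroring the README excerpt under review (not the real README).
SAMPLE_WORKFLOW = """\
name: droid-review
on: pull_request
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write # required for GitHub App auth
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Factory-AI/droid-action@main
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)")
PERM_RE = re.compile(r"^\s+([\w-]+):\s*(read|write|none)\b")
# Scopes that posting a review needs as write (assumption taken from the suggested change above).
REVIEW_WRITE_SCOPES = frozenset({"pull-requests", "issues", "id-token"})

def is_pinned(ref: str) -> bool:
    """Only a full 40-hex commit SHA is immutable; branches and tags can be moved."""
    return re.fullmatch(r"[0-9a-f]{40}", ref) is not None

def lint_workflow(text: str) -> list[str]:
    """Return one finding per unpinned `uses:` ref or unnecessary write permission."""
    findings, perm_indent = [], None  # perm_indent is set while inside a permissions: block
    for lineno, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if re.match(r"^\s*permissions:\s*$", line):
            perm_indent = indent
            continue
        if perm_indent is not None and (not line.strip() or indent <= perm_indent):
            perm_indent = None  # left the permissions block
        if perm_indent is not None:
            p = PERM_RE.match(line)
            if p and p.group(2) == "write" and p.group(1) not in REVIEW_WRITE_SCOPES:
                findings.append(f"line {lineno}: {p.group(1)}: write is not needed to post reviews; use read")
            continue
        m = USES_RE.match(line)
        if m and not is_pinned(m.group(2)):
            findings.append(f"line {lineno}: {m.group(1)}@{m.group(2)} is a mutable ref; pin to a commit SHA")
    return findings
```

Running `lint_workflow(SAMPLE_WORKFLOW)` reports the `contents: write` line and both unpinned `uses:` refs; the hardened variant (contents: read, refs pinned to SHAs) produces no findings.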

@eric-factory eric-factory merged commit aaa1cd3 into dev Jun 29, 2026
3 checks passed
@eric-factory eric-factory deleted the eric/readme-auth-section branch June 29, 2026 23:04