docs(readme): add Authentication section #100
Document the two kinds of access the action needs: the FACTORY_API_KEY secret to run Droid, and GitHub access via the Factory Droid GitHub App (default) or a custom github_token (override).

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Droid finished @eric-factory's task. Docs update is clear and helpful. Suggested follow-ups are to clarify least-privilege workflow permissions for GitHub App auth, and to consider pinning
```yaml
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write # required for GitHub App auth
```
[P1] Clarify required vs recommended workflow permissions in Authentication
The new GitHub App example says it “requires id-token: write” but then shows a broader permissions: block (including contents: write) that also differs from earlier README examples (some use contents: read); clarifying which permissions are truly required for “post reviews” vs which are only needed for branch-writing flows helps users apply least privilege and avoids confusion.
Suggested change, replacing:

```yaml
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write # required for GitHub App auth
```

with:

```yaml
permissions:
  contents: read # use write if you want Droid to push branches (e.g., @droid fill)
  pull-requests: write
  issues: write
  id-token: write # required for GitHub App auth
```
Droid runs using your Factory API key. Create one at [app.factory.ai/settings/api-keys](https://app.factory.ai/settings/api-keys) and save it as a `FACTORY_API_KEY` secret in your repository or organization. Pass it to the action on every run:

```yaml
- uses: Factory-AI/droid-action@main
```
[P1] [security] Pin the action ref instead of using @main
The new examples use Factory-AI/droid-action@main, which is a mutable ref; pinning to an immutable tag or (preferably) a commit SHA in docs reduces supply-chain risk, since a compromised/updated branch would otherwise be executed automatically with your workflow permissions and access to secrets.
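As an added example (not from this PR, the README, or the droid-action project), here is a small Python check that applies both review points above to a workflow file: it flags `uses:` refs that are not pinned to a full 40-hex commit SHA, and it flags `permissions:` scopes granted `write` beyond what a review-posting job needs. The two embedded workflows are constructed samples; the `actions/checkout` step, the commit SHAs and the vX.Y.Z tag in the hardened version are placeholders rather than real pinned commits, and the allowed-write set follows the suggested change in the first comment (contents: read; pull-requests, issues and id-token: write).

```python
import re

# Constructed sample reproducing the two patterns flagged in review:
# a mutable @main ref and contents: write on a job that only posts reviews.
WEAK_WORKFLOW = """\
on: pull_request
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write # required for GitHub App auth
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Factory-AI/droid-action@main
"""

# Constructed hardened version: contents: read as in the suggested change, and every
# action pinned to a full commit SHA. The SHAs and the vX.Y.Z tag are placeholders.
HARDENED_WORKFLOW = """\
on: pull_request
permissions:
  contents: read # use write if you want Droid to push branches (e.g., @droid fill)
  pull-requests: write
  issues: write
  id-token: write # required for GitHub App auth
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: Factory-AI/droid-action@89abcdef0123456789abcdef0123456789abcdef # vX.Y.Z (placeholder SHA)
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
PERM_HDR_RE = re.compile(r"^(\s*)permissions:\s*(\S+)?$")
KV_RE = re.compile(r"^(\s*)([a-z-]+):\s*([a-z-]+)$")

# Scopes a review-posting job needs at write level (per the review thread); any other
# scope granted write is reported as over-broad.
REVIEW_ONLY_WRITE = {"pull-requests", "issues", "id-token"}


def _strip_comment(line):
    return line.split("#", 1)[0].rstrip()


def find_unpinned_uses(workflow_text):
    """Return (line_no, target) for every `uses:` whose ref is not a 40-hex commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        if target.startswith(("./", "docker://")):
            continue  # local and container actions carry no git ref to pin
        _, _, ref = target.partition("@")
        if not SHA_RE.match(ref):
            findings.append((n, target))
    return findings


def parse_permissions(workflow_text):
    """One dict per permissions: block (workflow- or job-level), mapping scope -> level.
    The shorthand form `permissions: read-all` / `write-all` is stored under key "*"."""
    blocks = []
    lines = [_strip_comment(l) for l in workflow_text.splitlines()]
    i = 0
    while i < len(lines):
        hdr = PERM_HDR_RE.match(lines[i])
        i += 1
        if not hdr:
            continue
        if hdr.group(2):
            blocks.append({"*": hdr.group(2)})
            continue
        indent, block = len(hdr.group(1)), {}
        while i < len(lines):  # consume the indented children of this block
            kv = KV_RE.match(lines[i])
            if not kv or len(kv.group(1)) <= indent:
                break
            block[kv.group(2)] = kv.group(3)
            i += 1
        blocks.append(block)
    return blocks


def overbroad_writes(block, allowed_write=REVIEW_ONLY_WRITE):
    """Scopes granted write that a review-only job does not need."""
    if "*" in block:
        return ["write-all"] if block["*"] == "write-all" else []
    return sorted(k for k, v in block.items() if v == "write" and k not in allowed_write)


def audit(workflow_text):
    """Run both checks; empty lists mean the workflow passes."""
    return {
        "unpinned": find_unpinned_uses(workflow_text),
        "overbroad": [s for b in parse_permissions(workflow_text) for s in overbroad_writes(b)],
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit(text))
```

Run it over `.github/workflows/*.yml` as a pre-merge check; the hand-rolled parser handles the flat `key: value` form and the `read-all`/`write-all` shorthand shown here, and a real YAML parser would be needed for more complex documents.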
What

Adds a dedicated Authentication section to the README (before Configuration).

Why

The README only covered auth briefly inside 'Manual Setup' and a config table, which left users unclear on how the two pieces fit together. The new section explains them up front:

- `FACTORY_API_KEY` secret used to run Droid.
- GitHub access via the Factory Droid GitHub App (default, requires `id-token: write`) or a custom `github_token` override.

Includes a short GitLab note. Companion to the docs.factory.ai code-review guide update.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>