docs(code-review): pin examples to @main and drop unused security inputs#1039
Conversation
- Update Factory-AI/droid-action workflow examples from @V3 to @main, matching what the /install-code-review installer generates.
- Remove security_block_on_critical, security_block_on_high, and security_notify_team from the security configuration and workflow inputs tables. These inputs are declared in action.yml but not currently consumed by the action's logic, so documenting them as functional is misleading.
- Drop the 'PR blocking on critical findings' bullet from the cli/features code-review overview for the same reason.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
Droid finished @factory-nizar's task — View job

Docs changes look consistent and remove misleading/no-op security inputs; the main remaining suggestion is to add a brief security note near the
Sweeps the github-app integration page and the github-integration-security enterprise page (EN + JP) to use Factory-AI/droid-action@main, matching the ref the /install-code-review installer generates. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: Factory-AI/droid-action@v3 | ||
| - uses: Factory-AI/droid-action@main |
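Review bot: `@main` is a mutable branch ref, so every run of this documented workflow fetches whatever the branch holds at that moment, and readers who copy the snippet cannot later audit which action code actually ran; add a sentence beside the snippet saying that @main is used to match the installer, and show the immutable alternative of a full 40-character commit SHA with the version in a trailing comment (the form Dependabot can keep current).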
[P2] [security] Add a pinning note for droid-action@main
The example now uses a mutable ref (@main), which is easy to copy/paste but also a supply-chain footgun in GitHub Actions. Consider adding a short inline note in the snippet to encourage pinning to an immutable ref (commit SHA/release) or to make the tradeoff explicit.
| - uses: Factory-AI/droid-action@main | |
| - uses: Factory-AI/droid-action@main # Security note: consider pinning to a commit SHA for immutable, auditable builds. |
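Review bot: the suggested comment names the tradeoff but not the pinned form, which is what a reader copying the snippet needs; a placeholder line such as `- uses: Factory-AI/droid-action@<full-commit-sha> # <release>` next to the @main line would make it actionable, and the same note belongs on the install-via-CLI page, since the workflow /install-code-review generates carries the same mutable ref.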
TheFactoriousDROID left a comment
Looks good, thanks. I'll fix the JP sync workflow so it comments in English.
Summary

Companion docs update to Factory-AI/droid-action#80. Cleans up the code-review and security-review docs to match what the action actually does today, and sweeps the rest of the docs for stale `Factory-AI/droid-action@vN` references.

Changes

Pinning to `@main` (matches the workflow that `/install-code-review` generates):
- docs/guides/droid-exec/code-review.mdx — `Factory-AI/droid-action@v3` → `@main` in the scheduled-scan example.
- docs/jp/guides/droid-exec/code-review.mdx — same.
- docs/integrations/github-app.mdx — `@v3` → `@main` in the install-via-CLI workflow snippet.
- docs/jp/integrations/github-app.mdx — same.
- docs/enterprise/github-integration-security.mdx — `@v1` → `@main` in the network-restrictions example.
- docs/jp/enterprise/github-integration-security.mdx — same.

After this PR, `rg 'droid-action@v[0-9]' docs/` returns zero matches.

Drop misleading config: `security_block_on_critical`, `security_block_on_high`, and `security_notify_team` are declared in `action.yml` and parsed into context, but nothing in droid-action's prompt or review-submission code currently reads them — so they're effectively no-ops today. Documenting them as functional is misleading. Removed from:
- docs/guides/droid-exec/code-review.mdx — "Security configuration" and "All workflow inputs" tables.
- docs/jp/guides/droid-exec/code-review.mdx — same tables (Japanese).

Drop "PR blocking on critical findings" claim from the code-review feature overview, for the same reason:
- docs/cli/features/code-review.mdx
- docs/jp/cli/features/code-review.mdx

`security_severity_threshold` is kept everywhere because it is wired up — it's injected into the security scan prompt as the filter threshold.

Validation
- `rg 'security_block_on_critical|security_block_on_high|security_notify_team' docs/` → no matches in the touched pages.
- `rg 'droid-action@v[0-9]' docs/` → no matches anywhere under `docs/`.
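The review thread above flags `@main` as a mutable ref, and the validation step greps only for `@vN` tags, which would miss branch refs. As an added example (not code from this PR or from the Factory-AI/droid-action project), the shell script below classifies every `uses:` reference in a workflow file as PINNED (full 40-hex commit SHA, or a docker image with a sha256 digest), MUTABLE (branch or tag such as `@main` or `@v3`), or LOCAL (`./path` actions). The sample workflow, its commit SHA and its digest are constructed placeholders, not real values.

```shell
#!/bin/sh
# Added example: classify `uses:` references in a GitHub Actions workflow.
# Not part of the droid-action project. Only a full 40-hex commit SHA (or a
# sha256 image digest) is treated as pinned; branches and tags are mutable.

# Read workflow YAML on stdin, print "<STATUS> <ref>" per `uses:` line.
classify_uses() {
  sed -e '/^[[:space:]]*-\{0,1\}[[:space:]]*uses:/!d' \
      -e 's/#.*//' \
      -e 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//' \
      -e "s/[\"']//g" \
      -e 's/[[:space:]]*$//' |
  while IFS= read -r ref; do
    case "$ref" in
      ./*)
        # Action checked out with the repo itself; no remote ref to pin.
        echo "LOCAL $ref" ;;
      docker://*@sha256:*)
        digest=${ref##*@sha256:}
        if printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
          echo "PINNED $ref"
        else
          echo "MUTABLE $ref"
        fi ;;
      *@*)
        sha=${ref##*@}
        if printf '%s\n' "$sha" | grep -Eq '^[0-9a-f]{40}$'; then
          echo "PINNED $ref"
        else
          echo "MUTABLE $ref"   # branch (@main) or tag (@v3): can move later
        fi ;;
      *)
        # No ref at all resolves to the default branch, so it is mutable too.
        echo "MUTABLE $ref" ;;
    esac
  done
}

# Count lines with a given status: count_status MUTABLE < workflow.yml
count_status() {
  classify_uses | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample workflow (placeholder SHA and digest, not real commits).
sample_workflow() {
  cat <<'EOF'
name: code-review
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
      - uses: Factory-AI/droid-action@main # Security note: consider pinning to a commit SHA
      - uses: "Factory-AI/droid-action@v3"
      - uses: ./.github/actions/local-step
      - uses: docker://alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
}

# Usage against a real file: classify_uses < .github/workflows/review.yml
# Demo on the constructed sample:
sample_workflow | classify_uses
```

Run it over `.github/workflows/*.yml` in CI and fail the job when `count_status MUTABLE` is non-zero; unlike the `rg 'droid-action@v[0-9]'` check in the Validation section, this also catches `@main` and refs with no `@` at all.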