Release 2026-02-12 #31
Merged
varin-nair-factory merged 33 commits into main (Feb 13, 2026)
…tion (#15)
* fix: add P2 and P3 issues back to reviews
* prefer merge-base git diff for review prompt
* chore: allow no-inline reviews for formatting-only and P2/P3 findings
* fix: prevent review from deleting its own tracking comment
* enforce rule to never resolve review threads in comments
* feat: default review to gpt-5.2 with high reasoning effort

- Apply consistent formatting across base-action tests
- Format README.md bullet points consistently
- Minor whitespace and formatting fixes in various files

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Add support for security-focused code review commands:
- @droid security - Security review on PR changes
- @droid security --full - Full repository security scan

New features:
- Security command parser (security, review-security, security-full)
- Security review prompt with STRIDE methodology
- Security scan prompt with threat model generation
- Security configuration inputs in action.yml
- Security-specific tracking comment message

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

- Fix SECURITY_SCAN_DAYS to avoid NaN (clamp to positive integer, default 7)
- Remove instructions to commit threat model to PR branch during review
- Remove instructions to commit patches to PR branch
- Align security review with JSON output pattern (no direct inline comments)

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
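As an added illustration of the SECURITY_SCAN_DAYS fix in the commit above (example code, not the action's own source), this shows why a bare `parseInt` of an action input yields NaN and how a clamp to a positive integer with a default of 7 avoids it. The names `parseScanDays`, `parseScanDaysNaive` and `DEFAULT_SCAN_DAYS` are assumed for the example.

```javascript
// Added example, not code from the action: parse a SECURITY_SCAN_DAYS-style
// input into a positive integer, falling back to a default instead of NaN.
const DEFAULT_SCAN_DAYS = 7;

// Naive version for contrast: parseInt(undefined) and parseInt("abc") are NaN,
// and NaN silently propagates into any date arithmetic built on top of it.
function parseScanDaysNaive(raw) {
  return parseInt(raw, 10);
}

// Hardened version (assumed name): accept only a finite number, truncate to an
// integer, and require it to be >= 1; every other input yields the fallback.
function parseScanDays(raw, fallback = DEFAULT_SCAN_DAYS) {
  if (raw === undefined || raw === null) return fallback;
  const trimmed = String(raw).trim();
  if (trimmed === '') return fallback;            // Number('') would be 0
  const n = Number(trimmed);
  if (!Number.isFinite(n)) return fallback;       // 'abc', 'NaN', 'Infinity'
  const days = Math.trunc(n);                     // '2.9' -> 2
  return days >= 1 ? days : fallback;             // rejects 0 and negatives
}

// Constructed sample of values an action input might carry at runtime.
const samples = ['14', ' 30 ', '2.9', '0', '-3', 'abc', '', undefined];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', parseScanDays(s));
}
```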
Update review prompt to output findings to JSON file instead of posting inline comments directly. This enables the parallel workflow to combine code review and security review findings before posting.

Changes:
- Review writes findings to code-review-results.json
- Tracking comment updated with summary table
- Inline comments deferred to finalize step

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Implement parallel workflow architecture that runs code review and security review simultaneously, then combines results.

New Composite Actions:
- prepare/ - Initialize review, create tracking comment, detect modes
- review/ - Standalone code review action
- security/ - Standalone security review action
- combine/ - Combine results and post inline comments

New Features:
- Parallel execution of code and security reviews
- Combined summary with deduplication
- Install security skills step in main action
- PR branch checkout for full file access

Workflow Changes:
- .github/workflows/droid-review.yml now uses multi-job parallel workflow
- @droid review security triggers both reviews
- run_code_review and run_security_review output flags

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

Restrict parallel review execution to automatic mode only (via automaticReview + automaticSecurityReview flags).

For manual tagging, users must explicitly choose ONE of:
- @droid review - Code review only
- @droid security - Security review only

@droid review security now parses as just @droid review.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

- Fix combine job to run when EITHER review ran (not both)
- Set run_security_review=false when skipping existing security review
- Validate DROID_COMMENT_ID is non-zero in generate-review-prompt

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
feat: add @droid security commands
feat: change review output to JSON format
- Merge dev branch into parallel workflow branch
- Remove redundant appendFileSync for github_token output - core.setOutput() already handles GITHUB_OUTPUT internally

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
feat: add parallel workflow for code and security reviews
chore(cli): Readme changes for security workflows
* remove P2/P3 suppression instruction
* add import verification step
* Add structured analysis phases
* Add Thorough Analysis Checklist
* consolidate instructions into structured phases and remove redundant sections
* remove contradicting instructions about resolving existing threads
* reorganize Phase 3, remove duplicates, fix diff position params
* Add robustness improvements to review prompt
* Consolidate inline comment tool guidance with multi-line support
* Refine code review prompt to improve precision
* Use local /review prompt
* Revert "Use local /review prompt" This reverts commit 37d9992.
* add no pager to get full diff, exclude P2/P3 issues
* Add common analysis patterns for reviews
* Pre-compute PR diff and comments, enforce thorough review with xhigh reasoning
* remove revoking of gh app token
* switch gpt-5.2 reasoning effort back to high
* fix tests
* test validator run
* increase candidate volume/coverage
* increase candidate volume/coverage 2
* Revert "increase candidate volume/coverage 2" This reverts commit 03d7bc8.
* Revert "increase candidate volume/coverage" This reverts commit a7066fb.
* add thoroughness improvements to candidate and validator prompts
* add common classes of bugs to candidate prompt
* old validator prompt
* Parallel Review: Phase 1 - Add file-group-reviewer subagent
* Parallel Review: Phase 2 - Add Triage Phase section in Candidates Prompt
* Parallel Review: Phase 3 - Add parallel subagent calls phase
* Parallel Review: Phase 4 - Aggregation Phase
* Parallel Review: Phase 5 - Move subagent to ~/.factory/droids
* enable task tool
* fix: gate validator steps on run_code_review to prevent running for non-review commands

* feat: default review model to claude-opus-4-6 and enable two-pass validator
* feat: pass PR description as review artifact and fetch linked tickets
* use gpt-5.2
No description provided.