chore(deps): bump devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0#258
Conversation
…odo-comments.yaml Bumps [devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml](https://github.com/devantler-tech/actions) from 8.0.0 to 9.0.0. - [Release notes](https://github.com/devantler-tech/actions/releases) - [Changelog](https://github.com/devantler-tech/actions/blob/main/CHANGELOG.md) - [Commits](devantler-tech/actions@061b345...5aa2657) --- updated-dependencies: - dependency-name: devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
📝 WalkthroughWalkthroughThis pull request updates the GitHub Actions workflow file Changes
Sequence Diagram(s)Not applicable for this change; it is a single-line version reference update with no behavioral flow to depict. Estimated code review effort: 1 (out of 5) Related issues: None specified. Related PRs: None specified. Suggested labels: ci, dependencies Suggested reviewers: devantler 🐰 A tiny hop, a version bump, 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/todos.yaml:
- Around line 12-14: The reusable workflow call in the todos GitHub Actions job
is still passing the old auth secret name, so update the secrets mapping in the
workflow that invokes scan-for-todo-comments.yaml to use the new kebab-case
GitHub App secret name expected by that reusable workflow. Keep the change
aligned with the workflow contract around app-private-key/app-id so the
authentication inputs match what the called workflow reads.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro Plus
Run ID: 944c2077-002d-4fae-bfb5-5a5fffec1a28
📒 Files selected for processing (1)
.github/workflows/todos.yaml
📜 Review details
⚠️ CI failures not shown inline (2)
GitHub Actions: 🔀 Enable Auto-Merge / auto-merge: chore(deps): bump devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0
Conclusion: failure
##[group]Run set +e
�[36;1mset +e�[0m
�[36;1mREVIEW_OUTPUT=$(gh pr review "$PR_NUMBER" --approve --repo "$REPOSITORY" 2>&1)�[0m
�[36;1mREVIEW_EXIT_CODE=$?�[0m
�[36;1mset -e�[0m
�[36;1m�[0m
�[36;1mif [[ $REVIEW_EXIT_CODE -eq 0 ]]; then�[0m
�[36;1m echo "✅ PR #${PR_NUMBER} approved"�[0m
�[36;1melif [[ "$REVIEW_OUTPUT" == *"Can not approve your own pull request"* ]]; then�[0m
�[36;1m echo "::warning::Could not approve PR #${PR_NUMBER} because GitHub does not allow self-approval. Skipping approval."�[0m
�[36;1melse�[0m
�[36;1m echo "::error::Failed to approve PR #${PR_NUMBER}."�[0m
GitHub Actions: 🔀 Enable Auto-Merge / 0_auto-merge.txt: chore(deps): bump devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0
Conclusion: failure
##[group]Run set +e
�[36;1mset +e�[0m
�[36;1mREVIEW_OUTPUT=$(gh pr review "$PR_NUMBER" --approve --repo "$REPOSITORY" 2>&1)�[0m
�[36;1mREVIEW_EXIT_CODE=$?�[0m
�[36;1mset -e�[0m
�[36;1m�[0m
�[36;1mif [[ $REVIEW_EXIT_CODE -eq 0 ]]; then�[0m
�[36;1m echo "✅ PR #${PR_NUMBER} approved"�[0m
�[36;1melif [[ "$REVIEW_OUTPUT" == *"Can not approve your own pull request"* ]]; then�[0m
�[36;1m echo "::warning::Could not approve PR #${PR_NUMBER} because GitHub does not allow self-approval. Skipping approval."�[0m
�[36;1melse�[0m
�[36;1m echo "::error::Failed to approve PR #${PR_NUMBER}."�[0m
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*.{yml,yaml}
📄 CodeRabbit inference engine (AGENTS.md)
Workflow YAML changes should pass
actionlint.
Files:
.github/workflows/todos.yaml
| uses: devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml@5aa2657f976103d716f585266a0fa4e964594df2 # v9.0.0 | ||
| secrets: | ||
| APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }} |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
devantler-tech actions scan-for-todo-comments.yaml v9.0.0 secrets inputs changelog
💡 Result:
The GitHub workflow scan-for-todo-comments.yaml, maintained by devantler-tech within their reusable-workflows or actions repositories [1][2], is used to scan code for TODO comments and automatically generate GitHub issues [1][3]. Regarding your query about version 9.0.0 and specific details: Current Versioning: As of July 2026, the workflow is actively receiving version updates (e.g., version 5.6.4 was released in June 2026) [4][5]. There is no authoritative evidence of a version 9.0.0 for this specific reusable workflow at this time [4][6]. Secrets and Inputs: To utilize this workflow, you must provide the following [1][2]: Required Secrets: APP_PRIVATE_KEY: The GitHub App private key used for authentication [1][3]. Required Inputs (Variables): APP_CLIENT_ID: The GitHub App client ID used to mint the issue-creation token [1][2]. Optional Inputs: dry-run: A boolean input (default: false) that, when set to true, skips actual issue creation to validate the workflow interface [1][3]. Changelog: Changelog information for this workflow is maintained within the GitHub Releases section of the devantler-tech/reusable-workflows repository [4][1]. You can access the full history of bug fixes, features, and version updates directly through that repository's releases page [4][7].
Citations:
- 1: https://github.com/devantler-tech/reusable-workflows
- 2: https://github.com/devantler-tech/actions
- 3: https://github.com/devantler-tech/reusable-workflows/tree/d5a2a29ea668b39f796a548b4e294f0d3a556cc0
- 4: chore(deps): Bump devantler-tech/reusable-workflows/.github/workflows/scan-for-todo-comments.yaml from 5.6.3 to 5.6.4 go-template#118
- 5: chore(deps): Bump devantler-tech/reusable-workflows/.github/workflows/scan-for-todo-comments.yaml from 5.5.10 to 5.6.0 go-template#111
- 6: Bump devantler-tech/reusable-workflows/.github/workflows/scan-for-todo-comments.yaml from 5.0.0 to 5.1.0 homebrew-tap#737
- 7: devantler-tech/go-template@e15263f
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== local workflow file =="
nl -ba .github/workflows/todos.yaml | sed -n '1,40p'
echo
echo "== search for reusable workflow reference and secret names =="
rg -n --hidden --glob '.github/workflows/**' 'APP_PRIVATE_KEY|APP_CLIENT_ID|scan-for-todo-comments\.yaml|reusable-workflows|devantler-tech/actions' .
echo
echo "== upstream docs / release hints from web if available in repo notes =="
rg -n --hidden 'scan-for-todo-comments|APP_PRIVATE_KEY|APP_CLIENT_ID|v9\.0\.0|9\.0\.0' README* .github docs . || trueRepository: devantler-tech/dotnet-template
Length of output: 234
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== .github/workflows/todos.yaml =="
sed -n '1,40p' .github/workflows/todos.yaml | cat -n
echo
echo "== local references to the reusable workflow contract =="
rg -n --hidden --glob '.github/workflows/**' 'APP_PRIVATE_KEY|APP_CLIENT_ID|scan-for-todo-comments\.yaml|devantler-tech/actions|devantler-tech/reusable-workflows|v9\.0\.0|9\.0\.0' .Repository: devantler-tech/dotnet-template
Length of output: 1487
🌐 Web query:
devantler-tech/reusable-workflows scan-for-todo-comments.yaml v9.0.0 APP_PRIVATE_KEY APP_CLIENT_ID release notes
💡 Result:
The devantler-tech/reusable-workflows repository does not have a v9.0.0 release as of July 6, 2026; release versioning in the repository follows a different progression [1][2]. Regarding the scan-for-todo-comments.yaml workflow, there is a known issue involving the input names for GitHub App authentication [3]. Historically, this workflow utilized the uppercase, underscore-formatted secret names APP_PRIVATE_KEY and APP_CLIENT_ID [4][5][6]. However, these inputs are incompatible with the underlying actions/create-github-app-token action, which requires lowercase, hyphenated inputs (e.g., app-private-key and app-id) [7][3]. A breaking change was implemented in the repository (documented in commit a7c9303) that refactored workflow inputs and secrets to kebab-case to address these compatibility issues, transitioning from APP_PRIVATE_KEY to app-private-key [8]. Users experiencing failures should ensure their workflow configuration uses the updated kebab-case input names [8][3].
Citations:
- 1: https://github.com/devantler-tech/reusable-workflows/releases
- 2: https://github.com/devantler-tech/reusable-workflows/releases/tag/v3.1.4
- 3: CI Doctor - TODOs Workflow Failure - Run #3174 (Recurring: APP_PRIVATE_KEY input mismatch) ksail#4295
- 4: https://github.com/devantler-tech/reusable-workflows/tree/9e293a279935a1be79c26af1034786ed75b4bda0
- 5: https://github.com/devantler-tech/reusable-workflows/tree/v3.0.0
- 6: https://github.com/devantler-tech/reusable-workflows/tree/9a195f46c7638c277352709621e0a640fb6bb648
- 7: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow
- 8: devantler-tech/reusable-workflows@a7c9303
Rename the GitHub App auth secret here
scan-for-todo-comments.yaml switched to kebab-case auth names (app-private-key / app-id), so passing APP_PRIVATE_KEY here no longer matches the reusable workflow and the job will fail to authenticate.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/todos.yaml around lines 12 - 14, The reusable workflow
call in the todos GitHub Actions job is still passing the old auth secret name,
so update the secrets mapping in the workflow that invokes
scan-for-todo-comments.yaml to use the new kebab-case GitHub App secret name
expected by that reusable workflow. Keep the change aligned with the workflow
contract around app-private-key/app-id so the authentication inputs match what
the called workflow reads.
Bumps devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0.
Release notes
Sourced from devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml's releases.
... (truncated)
Changelog
Sourced from devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml's changelog.
... (truncated)
Commits
5aa2657chore(main): release 9.0.0 (#442)d817fa2chore(main): release 8.0.2 (#441)6f07366fix(scan-for-todo-comments): restore self-checkout for post-cleanup (#437)bd78711chore(main): release 8.0.1 (#436)96b8f82fix: resolve first-party self-references at the same commit (#427)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)