Skip to content

chore(deps): bump devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0#258

Merged
botantler-1[bot] merged 1 commit into
mainfrom
dependabot/github_actions/devantler-tech/actions/dot-github/workflows/scan-for-todo-comments.yaml-9.0.0
Jul 6, 2026
Merged

chore(deps): bump devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0#258
botantler-1[bot] merged 1 commit into
mainfrom
dependabot/github_actions/devantler-tech/actions/dot-github/workflows/scan-for-todo-comments.yaml-9.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0.

Release notes

Sourced from devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml's releases.

v9.0.0

9.0.0 (2026-07-03)

⚠ BREAKING CHANGES

  • remove the sync-github-labels composite action (superseded by declarative IssueLabels) (#418)
  • All callers referencing old file names, input names, output names, or secret keys must be updated.
  • run-dotnet-tests: run-dotnet-tests no longer accepts app-id or app-private-key inputs. Callers pinning by SHA are unaffected; on repin any still-passed values are simply ignored (unexpected-input warning).
  • the setup-copilot-skills/update-copilot-skills action paths are removed and setup-agent-skills's agent input is renamed to agents. Consumers on a pinned major (e.g. @​v4) are unaffected until they bump; migration guides are in each action's README.
  • the codecov-token input is removed from both actions. Callers must stop passing it (the reusable workflows are updated in lockstep).
  • copilot-skills: setup-copilot-skills and update-copilot-skills both remove the skills-lock input; setup-copilot-skills also removes the source input and redefines skills as the sole list input. Delete any skills-lock.json and move each entry onto its own <owner/repo> <skill> line in setup-copilot-skills.with.skills.
  • Action directories and input names have been renamed.

Features

  • add .NET project and test configurations (#10) (1ce56da)
  • add require-checks-in-pr composite action (#113) (1f66c91)
  • add auto-merge composite action for PRs (#14) (a8f34bd)
  • add automation configuration for PR reviews and issue sessions (f4b7152)
  • add blocked label and update label sync configuration (3041247)
  • add Calculator class with basic arithmetic operations and corresponding unit tests (f5c21a1)
  • add collapsible sections for workflow details in README (2e8d0f9)
  • add docs (aba6c52)
  • add dotnet-test-action for testing .NET solutions with GitHub Actions (ad39d59)
  • add EditorConfig file and update Calculator and CalculatorTests for consistency and clarity (f032439)
  • add GitHub workflows (861d3e2)
  • add GitOps deployment workflow for managing Kubernetes resources (f6f0ce7)
  • add GitOps validation workflow (8505da2)
  • add Hadolint action for linting Dockerfiles (9f610a8)
  • add Homebrew setup and environment initialization to GitOps workflows (c4b0fe5)
  • add Homebrew setup step to GitOps workflows for consistent environment setup (e300bd6)
  • add initial release configuration for semantic-release (3c4f906)
  • add inputs for HOSTS_FILE and ROOT_CA_CERT_FILE in GitOps workflow (6eefeeb)
  • add pull_request and merge_group triggers to Zizmor workflow (1ce3f4b)
  • add pull_request trigger to auto-merge and dotnet-test workflows (63097da)
  • add pull_request trigger to GitOps lint and test workflows (dbd5fe8)
  • add released label to labels configuration (a803193)
  • add Repo Assist labels to central config (#161) (b41fbfe)
  • add reusable workflow to sync upstream Kyverno policies and update README with usage instructions (b119b9f)
  • add schedule trigger for sync labels workflow (5f3527e)
  • add shared workflows (0fe78df)
  • add step to append hosts file if it exists (6f22cd1)
  • add upload-coverage action for GitHub Code Quality (#170) (60d895a)
  • add upsert-issue composite action (#55) (e3a0bd5)
  • add VERSION_ARGS input to dotnet-embed-binaries workflow for version retrieval (a648561)
  • add workflow for cleaning up ghcr packages (856fea4)
  • add Zizmor composite action workflow (c0b70d3)
  • add Zizmor security analysis workflow and action documentation (dbae7c7)
  • add Zizmor workflow configuration (6e1f9b5)

... (truncated)

Changelog

Sourced from devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml's changelog.

Changelog

9.0.0 (2026-07-03)

⚠ BREAKING CHANGES

  • remove the sync-github-labels composite action (superseded by declarative IssueLabels) (#418)
  • All callers referencing old file names, input names, output names, or secret keys must be updated.
  • run-dotnet-tests: run-dotnet-tests no longer accepts app-id or app-private-key inputs. Callers pinning by SHA are unaffected; on repin any still-passed values are simply ignored (unexpected-input warning).
  • the setup-copilot-skills/update-copilot-skills action paths are removed and setup-agent-skills's agent input is renamed to agents. Consumers on a pinned major (e.g. @​v4) are unaffected until they bump; migration guides are in each action's README.
  • the codecov-token input is removed from both actions. Callers must stop passing it (the reusable workflows are updated in lockstep).
  • copilot-skills: setup-copilot-skills and update-copilot-skills both remove the skills-lock input; setup-copilot-skills also removes the source input and redefines skills as the sole list input. Delete any skills-lock.json and move each entry onto its own <owner/repo> <skill> line in setup-copilot-skills.with.skills.
  • Action directories and input names have been renamed.

Features

  • add .NET project and test configurations (#10) (1ce56da)
  • add require-checks-in-pr composite action (#113) (1f66c91)
  • add auto-merge composite action for PRs (#14) (a8f34bd)
  • add automation configuration for PR reviews and issue sessions (f4b7152)
  • add blocked label and update label sync configuration (3041247)
  • add Calculator class with basic arithmetic operations and corresponding unit tests (f5c21a1)
  • add collapsible sections for workflow details in README (2e8d0f9)
  • add docs (aba6c52)
  • add dotnet-test-action for testing .NET solutions with GitHub Actions (ad39d59)
  • add EditorConfig file and update Calculator and CalculatorTests for consistency and clarity (f032439)
  • add GitHub workflows (861d3e2)
  • add GitOps deployment workflow for managing Kubernetes resources (f6f0ce7)
  • add GitOps validation workflow (8505da2)
  • add Hadolint action for linting Dockerfiles (9f610a8)
  • add Homebrew setup and environment initialization to GitOps workflows (c4b0fe5)
  • add Homebrew setup step to GitOps workflows for consistent environment setup (e300bd6)
  • add initial release configuration for semantic-release (3c4f906)
  • add inputs for HOSTS_FILE and ROOT_CA_CERT_FILE in GitOps workflow (6eefeeb)
  • add pull_request and merge_group triggers to Zizmor workflow (1ce3f4b)
  • add pull_request trigger to auto-merge and dotnet-test workflows (63097da)
  • add pull_request trigger to GitOps lint and test workflows (dbd5fe8)
  • add released label to labels configuration (a803193)
  • add Repo Assist labels to central config (#161) (b41fbfe)
  • add reusable workflow to sync upstream Kyverno policies and update README with usage instructions (b119b9f)
  • add schedule trigger for sync labels workflow (5f3527e)
  • add shared workflows (0fe78df)
  • add step to append hosts file if it exists (6f22cd1)
  • add upload-coverage action for GitHub Code Quality (#170) (60d895a)
  • add upsert-issue composite action (#55) (e3a0bd5)
  • add VERSION_ARGS input to dotnet-embed-binaries workflow for version retrieval (a648561)
  • add workflow for cleaning up ghcr packages (856fea4)
  • add Zizmor composite action workflow (c0b70d3)
  • add Zizmor security analysis workflow and action documentation (dbae7c7)

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

…odo-comments.yaml

Bumps [devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml](https://github.com/devantler-tech/actions) from 8.0.0 to 9.0.0.
- [Release notes](https://github.com/devantler-tech/actions/releases)
- [Changelog](https://github.com/devantler-tech/actions/blob/main/CHANGELOG.md)
- [Commits](devantler-tech/actions@061b345...5aa2657)

---
updated-dependencies:
- dependency-name: devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This pull request updates the GitHub Actions workflow file todos.yaml, changing the pinned commit reference for the scan-for-todo-comments action used by the todos job from a commit corresponding to v8.0.0 to a commit corresponding to v9.0.0. No other changes are included.

Changes

Cohort / File(s) Summary
Workflow update — .github/workflows/todos.yaml Bumped pinned commit reference for scan-for-todo-comments action from v8.0.0 to v9.0.0

Sequence Diagram(s)

Not applicable for this change; it is a single-line version reference update with no behavioral flow to depict.

Estimated code review effort: 1 (out of 5)

Related issues: None specified.

Related PRs: None specified.

Suggested labels: ci, dependencies

Suggested reviewers: devantler

🐰 A tiny hop, a version bump,
from eight to nine in one small jump,
the todo-scanner stays up to date,
a rabbit's work, both small and great.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the dependency bump and version change for the reusable workflow, matching the PR's main update.
Description check ✅ Passed The description is directly related to the workflow version bump and includes relevant release notes and Dependabot context.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

Comment @coderabbitai help to get the list of available commands.

@botantler-1 botantler-1 Bot enabled auto-merge (squash) July 6, 2026 09:33
@botantler-1 botantler-1 Bot merged commit 76913d9 into main Jul 6, 2026
7 of 8 checks passed
@botantler-1 botantler-1 Bot deleted the dependabot/github_actions/devantler-tech/actions/dot-github/workflows/scan-for-todo-comments.yaml-9.0.0 branch July 6, 2026 09:34

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/todos.yaml:
- Around line 12-14: The reusable workflow call in the todos GitHub Actions job
is still passing the old auth secret name, so update the secrets mapping in the
workflow that invokes scan-for-todo-comments.yaml to use the new kebab-case
GitHub App secret name expected by that reusable workflow. Keep the change
aligned with the workflow contract around app-private-key/app-id so the
authentication inputs match what the called workflow reads.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 944c2077-002d-4fae-bfb5-5a5fffec1a28

📥 Commits

Reviewing files that changed from the base of the PR and between 7a79a78 and f7b36a7.

📒 Files selected for processing (1)
  • .github/workflows/todos.yaml
📜 Review details
⚠️ CI failures not shown inline (2)

GitHub Actions: 🔀 Enable Auto-Merge / auto-merge: chore(deps): bump devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0

Conclusion: failure

View job details

##[group]Run set +e
 �[36;1mset +e�[0m
 �[36;1mREVIEW_OUTPUT=$(gh pr review "$PR_NUMBER" --approve --repo "$REPOSITORY" 2>&1)�[0m
 �[36;1mREVIEW_EXIT_CODE=$?�[0m
 �[36;1mset -e�[0m
 �[36;1m�[0m
 �[36;1mif [[ $REVIEW_EXIT_CODE -eq 0 ]]; then�[0m
 �[36;1m  echo "✅ PR #${PR_NUMBER} approved"�[0m
 �[36;1melif [[ "$REVIEW_OUTPUT" == *"Can not approve your own pull request"* ]]; then�[0m
 �[36;1m  echo "::warning::Could not approve PR #${PR_NUMBER} because GitHub does not allow self-approval. Skipping approval."�[0m
 �[36;1melse�[0m
 �[36;1m  echo "::error::Failed to approve PR #${PR_NUMBER}."�[0m

GitHub Actions: 🔀 Enable Auto-Merge / 0_auto-merge.txt: chore(deps): bump devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml from 8.0.0 to 9.0.0

Conclusion: failure

View job details

##[group]Run set +e
 �[36;1mset +e�[0m
 �[36;1mREVIEW_OUTPUT=$(gh pr review "$PR_NUMBER" --approve --repo "$REPOSITORY" 2>&1)�[0m
 �[36;1mREVIEW_EXIT_CODE=$?�[0m
 �[36;1mset -e�[0m
 �[36;1m�[0m
 �[36;1mif [[ $REVIEW_EXIT_CODE -eq 0 ]]; then�[0m
 �[36;1m  echo "✅ PR #${PR_NUMBER} approved"�[0m
 �[36;1melif [[ "$REVIEW_OUTPUT" == *"Can not approve your own pull request"* ]]; then�[0m
 �[36;1m  echo "::warning::Could not approve PR #${PR_NUMBER} because GitHub does not allow self-approval. Skipping approval."�[0m
 �[36;1melse�[0m
 �[36;1m  echo "::error::Failed to approve PR #${PR_NUMBER}."�[0m
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*.{yml,yaml}

📄 CodeRabbit inference engine (AGENTS.md)

Workflow YAML changes should pass actionlint.

Files:

  • .github/workflows/todos.yaml

Comment on lines +12 to 14
uses: devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml@5aa2657f976103d716f585266a0fa4e964594df2 # v9.0.0
secrets:
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

devantler-tech actions scan-for-todo-comments.yaml v9.0.0 secrets inputs changelog

💡 Result:

The GitHub workflow scan-for-todo-comments.yaml, maintained by devantler-tech within their reusable-workflows or actions repositories [1][2], is used to scan code for TODO comments and automatically generate GitHub issues [1][3]. Regarding your query about version 9.0.0 and specific details: Current Versioning: As of July 2026, the workflow is actively receiving version updates (e.g., version 5.6.4 was released in June 2026) [4][5]. There is no authoritative evidence of a version 9.0.0 for this specific reusable workflow at this time [4][6]. Secrets and Inputs: To utilize this workflow, you must provide the following [1][2]: Required Secrets: APP_PRIVATE_KEY: The GitHub App private key used for authentication [1][3]. Required Inputs (Variables): APP_CLIENT_ID: The GitHub App client ID used to mint the issue-creation token [1][2]. Optional Inputs: dry-run: A boolean input (default: false) that, when set to true, skips actual issue creation to validate the workflow interface [1][3]. Changelog: Changelog information for this workflow is maintained within the GitHub Releases section of the devantler-tech/reusable-workflows repository [4][1]. You can access the full history of bug fixes, features, and version updates directly through that repository's releases page [4][7].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== local workflow file =="
nl -ba .github/workflows/todos.yaml | sed -n '1,40p'

echo
echo "== search for reusable workflow reference and secret names =="
rg -n --hidden --glob '.github/workflows/**' 'APP_PRIVATE_KEY|APP_CLIENT_ID|scan-for-todo-comments\.yaml|reusable-workflows|devantler-tech/actions' .

echo
echo "== upstream docs / release hints from web if available in repo notes =="
rg -n --hidden 'scan-for-todo-comments|APP_PRIVATE_KEY|APP_CLIENT_ID|v9\.0\.0|9\.0\.0' README* .github docs . || true

Repository: devantler-tech/dotnet-template

Length of output: 234


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== .github/workflows/todos.yaml =="
sed -n '1,40p' .github/workflows/todos.yaml | cat -n

echo
echo "== local references to the reusable workflow contract =="
rg -n --hidden --glob '.github/workflows/**' 'APP_PRIVATE_KEY|APP_CLIENT_ID|scan-for-todo-comments\.yaml|devantler-tech/actions|devantler-tech/reusable-workflows|v9\.0\.0|9\.0\.0' .

Repository: devantler-tech/dotnet-template

Length of output: 1487


🌐 Web query:

devantler-tech/reusable-workflows scan-for-todo-comments.yaml v9.0.0 APP_PRIVATE_KEY APP_CLIENT_ID release notes

💡 Result:

The devantler-tech/reusable-workflows repository does not have a v9.0.0 release as of July 6, 2026; release versioning in the repository follows a different progression [1][2]. Regarding the scan-for-todo-comments.yaml workflow, there is a known issue involving the input names for GitHub App authentication [3]. Historically, this workflow utilized the uppercase, underscore-formatted secret names APP_PRIVATE_KEY and APP_CLIENT_ID [4][5][6]. However, these inputs are incompatible with the underlying actions/create-github-app-token action, which requires lowercase, hyphenated inputs (e.g., app-private-key and app-id) [7][3]. A breaking change was implemented in the repository (documented in commit a7c9303) that refactored workflow inputs and secrets to kebab-case to address these compatibility issues, transitioning from APP_PRIVATE_KEY to app-private-key [8]. Users experiencing failures should ensure their workflow configuration uses the updated kebab-case input names [8][3].

Citations:


Rename the GitHub App auth secret here
scan-for-todo-comments.yaml switched to kebab-case auth names (app-private-key / app-id), so passing APP_PRIVATE_KEY here no longer matches the reusable workflow and the job will fail to authenticate.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/todos.yaml around lines 12 - 14, The reusable workflow
call in the todos GitHub Actions job is still passing the old auth secret name,
so update the secrets mapping in the workflow that invokes
scan-for-todo-comments.yaml to use the new kebab-case GitHub App secret name
expected by that reusable workflow. Keep the change aligned with the workflow
contract around app-private-key/app-id so the authentication inputs match what
the called workflow reads.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants