Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/todos.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,6 @@ on:

jobs:
todos:
uses: devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml@061b345a7351b0caf23055caea63ccd08b75e20e # v8.0.0
uses: devantler-tech/actions/.github/workflows/scan-for-todo-comments.yaml@5aa2657f976103d716f585266a0fa4e964594df2 # v9.0.0
secrets:
APP_PRIVATE_KEY: ${{ secrets.APP_PRIVATE_KEY }}
Comment on lines +12 to 14

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

devantler-tech actions scan-for-todo-comments.yaml v9.0.0 secrets inputs changelog

💡 Result:

The GitHub workflow scan-for-todo-comments.yaml, maintained by devantler-tech within their reusable-workflows or actions repositories [1][2], is used to scan code for TODO comments and automatically generate GitHub issues [1][3]. Regarding your query about version 9.0.0 and specific details: Current Versioning: As of July 2026, the workflow is actively receiving version updates (e.g., version 5.6.4 was released in June 2026) [4][5]. There is no authoritative evidence of a version 9.0.0 for this specific reusable workflow at this time [4][6]. Secrets and Inputs: To utilize this workflow, you must provide the following [1][2]: Required Secrets: APP_PRIVATE_KEY: The GitHub App private key used for authentication [1][3]. Required Inputs (Variables): APP_CLIENT_ID: The GitHub App client ID used to mint the issue-creation token [1][2]. Optional Inputs: dry-run: A boolean input (default: false) that, when set to true, skips actual issue creation to validate the workflow interface [1][3]. Changelog: Changelog information for this workflow is maintained within the GitHub Releases section of the devantler-tech/reusable-workflows repository [4][1]. You can access the full history of bug fixes, features, and version updates directly through that repository's releases page [4][7].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== local workflow file =="
nl -ba .github/workflows/todos.yaml | sed -n '1,40p'

echo
echo "== search for reusable workflow reference and secret names =="
rg -n --hidden --glob '.github/workflows/**' 'APP_PRIVATE_KEY|APP_CLIENT_ID|scan-for-todo-comments\.yaml|reusable-workflows|devantler-tech/actions' .

echo
echo "== upstream docs / release hints from web if available in repo notes =="
rg -n --hidden 'scan-for-todo-comments|APP_PRIVATE_KEY|APP_CLIENT_ID|v9\.0\.0|9\.0\.0' README* .github docs . || true

Repository: devantler-tech/dotnet-template

Length of output: 234


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== .github/workflows/todos.yaml =="
sed -n '1,40p' .github/workflows/todos.yaml | cat -n

echo
echo "== local references to the reusable workflow contract =="
rg -n --hidden --glob '.github/workflows/**' 'APP_PRIVATE_KEY|APP_CLIENT_ID|scan-for-todo-comments\.yaml|devantler-tech/actions|devantler-tech/reusable-workflows|v9\.0\.0|9\.0\.0' .

Repository: devantler-tech/dotnet-template

Length of output: 1487


🌐 Web query:

devantler-tech/reusable-workflows scan-for-todo-comments.yaml v9.0.0 APP_PRIVATE_KEY APP_CLIENT_ID release notes

💡 Result:

The devantler-tech/reusable-workflows repository does not have a v9.0.0 release as of July 6, 2026; release versioning in the repository follows a different progression [1][2]. Regarding the scan-for-todo-comments.yaml workflow, there is a known issue involving the input names for GitHub App authentication [3]. Historically, this workflow utilized the uppercase, underscore-formatted secret names APP_PRIVATE_KEY and APP_CLIENT_ID [4][5][6]. However, these inputs are incompatible with the underlying actions/create-github-app-token action, which requires lowercase, hyphenated inputs (e.g., app-private-key and app-id) [7][3]. A breaking change was implemented in the repository (documented in commit a7c9303) that refactored workflow inputs and secrets to kebab-case to address these compatibility issues, transitioning from APP_PRIVATE_KEY to app-private-key [8]. Users experiencing failures should ensure their workflow configuration uses the updated kebab-case input names [8][3].

Citations:


Rename the GitHub App auth secret here
scan-for-todo-comments.yaml switched to kebab-case auth names (app-private-key / app-id), so passing APP_PRIVATE_KEY here no longer matches the reusable workflow and the job will fail to authenticate.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/todos.yaml around lines 12 - 14, The reusable workflow
call in the todos GitHub Actions job is still passing the old auth secret name,
so update the secrets mapping in the workflow that invokes
scan-for-todo-comments.yaml to use the new kebab-case GitHub App secret name
expected by that reusable workflow. Keep the change aligned with the workflow
contract around app-private-key/app-id so the authentication inputs match what
the called workflow reads.