Skip to content

fix(ci): stop TODO scanner from matching its own workflow comments#15

Merged
devantler merged 1 commit into
mainfrom
claude/fix-todos-self-match
Jun 3, 2026
Merged

fix(ci): stop TODO scanner from matching its own workflow comments#15
devantler merged 1 commit into
mainfrom
claude/fix-todos-self-match

Conversation

@devantler

Copy link
Copy Markdown
Contributor

🤖 Generated by the Daily AI Assistant

Problem

The TODO-scanning workflow (.github/workflows/todos.yaml) opens a tracking issue for every TODO comment it finds via alstr/todo-to-issue-action. That action matches the literal token TODO in any comment.

When this repo moved its workflow permissions to the job level, it added two inline documentation comments that themselves contain the word TODO:

      contents: read # checkout to scan for TODO comments
      issues: write # open/maintain TODO tracking issues

So on every push to main the scanner matched its own workflow and opened two junk tracking issues — #1 "tracking issues" (from ...maintain **TODO** tracking issues) and #2 "comments" (from ...scan for **TODO** comments). The upstream platform repo avoids this by declaring permissions at the workflow level with no inline comments and therefore has no such issues.

Because this is a template, every repository generated from it inherits the same two junk issues.

Fix

Reword the two job-level permission comments so they no longer contain the scanner's TODO identifier, while keeping the (good, least-privilege) job-level permission scoping:

      contents: read # checkout so the scanner can read the source files
      issues: write # open/maintain the tracking issues the scanner manages

Effect

  • No behaviour change to the workflow itself (same triggers, permissions, called reusable workflow, secret).
  • After this merges, the next scan run no longer matches these comments; the action then closes the now-resolved tracking issues #1 and comments #2 automatically.
  • Genuine # TODO: comments in real source files are unaffected and still tracked.

Notes

The todos.yaml job-level permission comments contained the literal word
"TODO", which alstr/todo-to-issue-action matches as task comments. On every
push this opened two junk tracking issues (titled "tracking issues" and
"comments") from the workflow's own documentation. Reword the comments so
they no longer contain the scanner's identifier. As a template, every
generated repo inherited this noise.

> 🤖 Generated by the Daily AI Assistant
Copilot AI review requested due to automatic review settings June 3, 2026 16:19
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts inline comments in the TODO-scanning GitHub Actions workflow so the alstr/todo-to-issue-action scanner no longer matches its own workflow permission comments and opens junk tracking issues in template-derived repos.

Changes:

  • Reworded the contents: read permission comment to avoid the literal TODO token.
  • Reworded the issues: write permission comment to avoid the literal TODO token while keeping intent/clarity.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@devantler devantler marked this pull request as ready for review June 3, 2026 16:22
@devantler devantler merged commit f2573e6 into main Jun 3, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

tracking issues

3 participants