Add TODO Check GitHub Action with branch-specific behavior to prevent new technical debt

[Copilot]

• Initial TODO Creeper workflow implementation
• Modify workflow to fail build instead of creating issues (addressing feedback from @304NotModified)
• Restrict permissions to minimum required (addressing feedback from @304NotModified)
• Replace bash script with Gustrb/todo-creeper action (addressing review comment from @304NotModified)
• Add different behavior for PRs vs main branch (addressing review comment from @304NotModified)
• Deduplicate workflow jobs (addressing review comment from @304NotModified)
• Test the workflow configuration
• Reply to comment with changes made

Latest changes:
✅ Deduplicated workflow: Consolidated two jobs into single job with conditional continue-on-error
✅ Maintained same behavior:

• PR to main: Error and fail build when new TODOs detected (continue-on-error: false)
• Push to main: Warning only when new TODOs detected (continue-on-error: true)
  ✅ Reduced duplication: Single job, single exclude list, cleaner maintenance
  ✅ Kept all existing features: Same 26 ignored TODOs, minimal permissions, no issue creation

Technical improvement:

• Uses dynamic continue-on-error: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} expression
• Single job check_todos instead of separate check_todos_pr and check_todos_main jobs
• Cleaner workflow file with ~50% less duplication

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[gasparnagy]

@304NotModified maybe we should add it as a new job to CI build, like we did with the package analyzer

[304NotModified]

@gasparnagy I think I prefer the current approach as we are not dependent of the build and this job will start in parallel with the build now.

[304NotModified]

Not sure if "Automatically create GitHub issues for newly added TODO comments" is a good idea. See also #817

[304NotModified]

@copilot dont create automatic issues, just mark the task as failed when those new comments are added. Also restrict the permission/user token if possible

[Copilot]

@copilot dont create automatic issues, just mark the task as failed when those new comments are added. Also restrict the permission/user token if possible

Done! I've modified the workflow to fail the build instead of creating automatic issues and restricted permissions to the minimum required.

Changes made in commit cb4ad19:

• Replaced the external TODO Creeper action with an inline bash script
• Changed behavior from creating GitHub issues to failing the workflow when new TODOs are detected
• Reduced permissions from issues: write, contents: read to just contents: read
• Removed dependency on GITHUB_TOKEN secrets
• Renamed the workflow from "TODO Creeper" to "TODO Check" to reflect new purpose

The workflow now provides clear feedback when new TODOs are found and suggests next steps (remove TODO and implement fix, create manual issue, or add to ignore list if acceptable technical debt).

[clrudolphi]

Would it be desirable to run this on all builds but provide only a warning on branches other than main?

[gasparnagy]

Would it be desirable to run this on all builds but provide only a warning on branches other than main?

Good point. I think this should only be running for the main branch and the PR not for any arbitrary branches (rarely we use that one too).

I think for a PR this will anyway run as a separate job, so you can anyway see that "everything passes, except TODO checker", so the error might be still OK. I think if this would only be a warning, we could not block merging the PR with TODOs.

[304NotModified]

I think for a PR this will anyway run as a separate job, so you can anyway see that "everything passes, except TODO checker", so the error might be still OK. I think if this would only be a warning, we could not block merging the PR with TODOs.

I currently only runs for main and PRs targeting main.
For PR it should be an error and that could be ignored (you could set it as required check in the GitHub GUI)
For main it should be a warning I think.

[304NotModified]

@copilot

Use https://github.com/[Gustrb/todo-creeper](https://github.com/Gustrb/todo-creeper)
On PR to main when new TODOs: error
When on main: when new TODOs: warning
No issue creation
No bash script
limit needed permissions
Ignore current TODO in main (already in the script but not working now)

[Copilot]

Done! I've implemented all the requested changes in commit 24fdc23:

✅ Using Gustrb/todo-creeper@v1.0.0 instead of bash script
✅ Different behavior by branch type:

• PR to main: Error and fail build when new TODOs found
• Push to main: Warning only (continue-on-error: true) when new TODOs found
  ✅ No issue creation - action only checks and reports
  ✅ No bash script - replaced with external action
  ✅ Limited permissions - only contents: read required
  ✅ Ignores current TODOs - same 26 existing TODOs from main branch excluded

The workflow now has two separate jobs that run conditionally based on the GitHub event type, providing strict enforcement for PRs while being lenient on the main branch.

[304NotModified]

@copilot could this be deduplicated? The only change is continue-on-error:?

[Copilot]

Yes, you're absolutely right! I've deduplicated the workflow in commit 358de71 by consolidating the two jobs into a single job with conditional continue-on-error.

Changes made:

• Single check_todos job instead of separate PR and main jobs
• Uses continue-on-error: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} to dynamically set behavior
• Reduced duplication by ~50% while maintaining the same functionality
• PR to main: fails on new TODOs (continue-on-error: false)
• Push to main: warns on new TODOs (continue-on-error: true)

[Copilot]

@304NotModified Unfortunately I hit an unexpected error while processing your comment. I've automatically reported this to GitHub.

You can ask me to try again later by mentioning me in a new comment.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: d0a2b480-5fac-4ad8-bea5-7b814f77d882

Sorry for the inconvenience!

[304NotModified]

Too much discussion with Copilot, will try to finish it myself