fix(create-issues-from-todos): TODOs workflow crashes on ambiguous issue match (upstream web_url KeyError)

[devantler]

🤖 Generated by the Daily AI Assistant

Summary

The create-issues-from-todos composite action (which pins alstr/todo-to-issue-action@v5.1.13) crashes the TODOs workflow whenever a removed # TODO: comment matches multiple existing GitHub issues (an "ambiguous match"). The crash is a KeyError in the upstream action's diagnostic print, not in the issue-closure logic itself — closure is already (correctly) skipped, but the action then dies trying to print the ambiguous candidates with a GitLab-only field name.

This is a shared-library / portfolio-wide failure mode: every devantler-tech repo whose TODOs workflow calls reusable-workflows/.github/workflows/scan-for-todo-comments.yaml → create-issues-from-todos → todo-to-issue-action@v5.1.13 is exposed.

Evidence (observed live)

platform-template TODOs run 26907228942 (push of the auth-proxy TODO-dedup merge platform-template#16, commit 73a12fb) failed with:

Processing issue 1 of 6: 'Remove auth-proxy when Cilium supports native forward auth (...cilium#23797)' @ k8s/.../auth-proxy/config-map.yaml:1
Skipping issue closure due to ambiguous match against multiple existing issues, shown below
Traceback (most recent call last):
  File "/app/main.py", line 169, in <module>
    process_diff(StringIO(last_diff), client, insert_issue_urls)
  File "/app/main.py", line 138, in process_diff
    status_code = client.close_issue(raw_issue)
  File "/app/GitHubClient.py", line 371, in close_issue
    print(f' {x["web_url"]}')
KeyError: 'web_url'

Root cause

GitHubClient.close_issue (upstream alstr/todo-to-issue-action, pinned v5.1.13 / c45b007) takes the ambiguous-match branch when a removed TODO maps to >1 open issue, then prints each candidate with x["web_url"]. GitHub's REST issue object exposes html_url, not web_url (web_url is a GitLab field) → KeyError → non-zero exit → red workflow.

The trigger is duplicate issues with the same title — exactly the state the upstream scanner produces when one TODO is repeated across N files (it opens one issue per occurrence; see the dedup in platform-template#16). When such a TODO is later removed, the close path goes ambiguous and crashes.

Scope / severity

• Self-healing per repo: the failure is bound to the specific diff that removes the TODO(s); the next push runs TODOs with a clean diff and goes green. It does not persistently red a main.
• But it recurs across the portfolio any time a multi-occurrence TODO with duplicate issues is cleaned up, and it produces a noisy, misleading red on main for that commit.
• A version bump does not fix it: upstream v5.1.14 (latest) leaves GitHubClient.py unchanged vs v5.1.13 (confirmed via the v5.1.13...v5.1.14 compare — the file is not in the changeset), so the bug persists in the newest release.

Proposed direction (pick one; sized S–M)

1. Report upstream alstr/todo-to-issue-action (web_url → html_url in the ambiguous-match diagnostic) and re-pin once fixed. Cleanest root-cause path, but gated on upstream cadence.
2. Dedup discipline (mitigation, already proven): keep each repeated TODO once at the source so the close path is never ambiguous (the pattern applied in platform-template#16). Roll the same single-occurrence convention into the template(s) and the platform repo (which still carries the identical 5-file auth-proxy TODO).
3. Harden our wrapper to tolerate a non-zero exit on the close-only path (e.g. only fail the job on creation errors), if scan-for-todo-comments can be made to distinguish them — needs investigation.

Acceptance criteria

• A removed multi-occurrence TODO no longer crashes the TODOs workflow on any consumer repo.
• The chosen mitigation is documented in this action's README / the reusable workflow.

[devantler]

🤖 Generated by the Daily AI Assistant

Progress — option 2 (dedup discipline) applied to platform: platform#1730 dedupes the identical 5-occurrence auth-proxy removal TODO to a single component tracker, removing the latent ambiguous-match trigger from the last consumer that still carried it (the same fix already landed in platform-template#16). Comment-only; both overlays build and ksail workload validate passes.

On option 3 (harden our wrapper): ruled out as a clean fix. create-issues-from-todos is a composite action whose final step uses: the upstream alstr/todo-to-issue-action; composite-action steps do not support continue-on-error, and even if they did, swallowing the step's non-zero exit would also mask genuine creation failures (the close-path crash and creation errors share the one exit code). So we can't selectively tolerate only the close-path KeyError without restructuring or forking upstream.

Remaining root cause (option 1): the upstream web_url→html_url bug in GitHubClient.close_issue is unchanged in latest v5.1.14. The true fix is upstream + re-pin; until then, dedup discipline (now applied across platform + platform-template) keeps consumers off the ambiguous-match path. This issue stays open to track the upstream fix.

[devantler]

🤖 Generated by the Daily AI Assistant

Upstream fix prepared — maintainer one-click to open the PR

Root-caused and fixed at the source per our "contribute upstream, don't fork-and-own" policy. The bug is a single GitLab-vs-GitHub field name in alstr/todo-to-issue-action's GitHubClient.close_issue():

-                                print(f' {x["web_url"]}')
+                                print(f' {x["html_url"]}')

web_url is a GitLab field; GitHub's REST issue objects expose html_url. It's the only web_url reference in the file, so the change is consistent with the surrounding code and behaviour-preserving (ambiguous matches are still skipped — only the crashing diagnostic print is corrected).

Verified live (2026-06-05):

• Bug still present on upstream master (GitHubClient.py:371).
• No existing upstream PR or issue addresses it (searched web_url/html_url/ambiguous/KeyError).
• Fork + fix branch ready: devantler/todo-to-issue-action@fix/ambiguous-match-html-url (commit a72ce6c).

To ship it (one click): open the upstream PR from the prepared branch —
👉 https://github.com/alstr/todo-to-issue-action/compare/master...devantler:todo-to-issue-action:fix/ambiguous-match-html-url?expand=1

(Agent PR-authoring is scoped to devantler-tech repos, so I can't open the cross-org PR myself; the fork/branch/diff are done and waiting.)

After it merges + releases upstream: bump the pin in create-issues-from-todos/action.yaml (currently alstr/todo-to-issue-action@v5.1.13 / c45b007) to the fixed release SHA — that closes this issue portfolio-wide (every repo's TODOs workflow inherits it via reusable-workflows/scan-for-todo-comments.yaml).