standardize workflows for build-resources v4 #41

Merged
docktermj merged 1 commit into main from skern-workflow-standardize on Feb 17, 2026
@kernelsam
Contributor

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 22:01
@kernelsam kernelsam self-assigned this Feb 16, 2026
@github-actions

🤖 Claude Code Review

I'll perform a code review of this pull request against the Senzing checklist.

Code Review Analysis

Code Quality

Code follows style guide - The YAML changes follow proper formatting and structure consistent with GitHub Actions best practices.

No commented-out code - All removed content is cleanly deleted without leaving commented sections.

Meaningful variable names - Variable names like MEMBERS, PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, and SLACK_CHANNEL are clear and descriptive.

DRY principle followed - Changes standardize secret names across multiple workflows, reducing duplication and inconsistency.

Defects identified - No bugs, logic errors, or security vulnerabilities detected. The changes appear to be a standardization refactor updating:

  • Dependency grouping and cooldown configuration
  • Secret name normalization (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • Changing from needs.<job>.outputs.job-status to needs.<job>.result (correct GitHub Actions syntax)

Project memory - No ./.claude/CLAUDE.md file exists in this repository to consider.

Testing

Unit tests for new functions - No tests included, but this is a workflow configuration change. Testing workflows in CI/CD is typically done through execution, not unit tests.

Integration tests for new endpoints - N/A - no endpoints are being added.

Edge cases covered - N/A for YAML configuration changes.

Test coverage > 80% - N/A for workflow files.

Note: Testing requirements don't apply to GitHub Actions workflow files which are declarative configuration.

Documentation

Readme updated if needed - No README changes included. Consider documenting:

  • The new Dependabot cooldown configuration
  • The new secret name conventions (this may warrant a migration guide if other repos will follow)

API docs updated - N/A - no API changes.

Inline comments for complex logic - The YAML is self-documenting. The removed comment from .github/dependabot.yml is acceptable as the configuration is straightforward.

CHANGELOG.md updated - No CHANGELOG.md exists in this repository, and none was updated. If this repo maintains a changelog, this PR should be documented.

Markdown files follow CommonMark - .vscode/cspell.json changes are JSON (properly formatted). No markdown files were modified.

Security

No hardcoded credentials - All sensitive values use GitHub secrets appropriately.

Input validation implemented - N/A for workflow configuration.

Proper error handling - The conditional logic for Slack notifications correctly handles failures and cancellations.

No sensitive data in logs - No sensitive information exposed.

No license files (.lic) or AQAAAD strings - None detected in the diff.


Summary

Overall Assessment: ✅ APPROVED with minor documentation recommendations

This PR successfully standardizes workflow configurations across the repository by:

  1. Adding Dependabot grouping and cooldown features
  2. Normalizing secret names for consistency
  3. Fixing GitHub Actions syntax (outputs.job-status → result)
  4. Adding missing SLACK_CHANNEL secret references
  5. Updating workflow references from v3 to v4

Recommendations:

  1. Documentation (Minor): Consider adding a brief note in a README or project documentation about:

    • .github/dependabot.yml:6-10 - The new cooldown configuration (21 days default with senzing-factory exclusion)
    • Secret name changes for maintainers of other repositories following this pattern
  2. Consistency Check (Info): The cspell.json formatting change (line 14) appears to be an auto-formatter update (array format changed). Ensure your team is aligned on JSON formatting standards.

All critical items pass. The changes are safe to merge.

Automated code review analyzing defects and coding standards

@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from e35eccc to 5366913 on February 16, 2026 22:29
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 5366913 to b2887bc on February 16, 2026 22:40
@docktermj docktermj self-assigned this Feb 16, 2026
@docktermj docktermj enabled auto-merge (squash) February 16, 2026 23:07
@github-actions

🤖 Claude Code Review

Let me proceed with the review based on the diff and standard best practices:

Code Review Results

✅ Code Quality

✅ Code follows style guide

  • YAML formatting is consistent and properly indented
  • Secret names have been standardized (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • Added YAML document separator (---) at the top of .github/dependabot.yml:1

✅ No commented-out code

  • The removed comment in .github/dependabot.yml:1-2 is appropriate cleanup

✅ Meaningful variable names

  • All variable names are clear and descriptive
  • Standardized naming improves consistency

✅ DRY principle followed

  • Reusable workflow patterns are consistent across files
  • No code duplication introduced

✅ No defects identified

  • Logic changes are sound:
    • .outputs.job-status → .result is the correct GitHub Actions syntax for accessing job results
    • Secret parameter names align with the reusable workflow interface
  • Edge cases handled appropriately

✅ Project memory compliance

  • No .claude/CLAUDE.md file exists, so no project-specific requirements to check

✅ Testing

✅ Changes are configuration-only

  • This PR modifies GitHub Actions workflow configurations and Dependabot settings
  • No application code changes that would require unit/integration tests
  • Workflow validation should occur when workflows execute

⚠️ Documentation

❌ CHANGELOG.md not updated

  • No CHANGELOG.md file found in the repository
  • Recommendation: If this project maintains a changelog, document these workflow standardization changes

✅ Inline comments appropriate

  • Configuration files don't require additional inline comments
  • YAML structure is self-documenting

⚠️ Markdown formatting (.vscode/cspell.json)

  • Not a markdown file, but JSON formatting changes detected
  • Line 14: Changed from multi-line array to single-line: "ignorePaths": [".git/**"]
  • This is acceptable JSON formatting

✅ Security

✅ No hardcoded credentials

  • All secrets properly referenced via ${{ secrets.* }}

✅ Input validation N/A

  • Configuration files don't require input validation

✅ Proper error handling

  • Slack notifications correctly triggered on workflow failures via if conditions

✅ No sensitive data in logs

  • Secrets properly masked by GitHub Actions

❌ CRITICAL: No license files detected

  • No .lic files or AQAAAD strings found in the diff

Key Changes Summary

.github/dependabot.yml (lines 1-17)

  • ✅ Added cooldown configuration (21 days default, excluding senzing-factory/*)
  • ✅ Added assignee: kernelsam
  • ✅ Added grouping for senzing-factory/* updates
  • ✅ Improved organization with YAML document separator

Workflow files (multiple)

  • ✅ Standardized secret names for consistency with build-resources v4:
    • SENZING_MEMBERS → MEMBERS
    • SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN
    • SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN
  • ✅ Fixed job status checks: .outputs.job-status → .result
  • ✅ Added SLACK_CHANNEL secret parameter where missing
  • ✅ Updated workflow references from @v3 to @v4

.vscode/cspell.json

  • ✅ Added new words: cooldown, kernelsam
  • ✅ Alphabetically sorted word list
  • ✅ Reformatted ignorePaths to single line

Overall Assessment

✅ APPROVED - This PR successfully standardizes GitHub Actions workflows for build-resources v4 compatibility with no critical issues.

Minor recommendation: If a CHANGELOG.md exists or is planned, document these infrastructure updates for maintainability.

Automated code review analyzing defects and coding standards
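
The renames listed in the review above can be checked mechanically across a repository's workflow files. This is an added example, not code from the pull request or from the build-resources project: `find_stale`, the `OWNER/...EXAMPLE*.yaml` paths and the sample workflow are constructed, and it assumes only the keys of the caller's `secrets:` map were renamed, so `secrets.*` references on the right-hand side are not flagged.

```python
import re

# Old -> new keys in a caller's `secrets:` map, as listed in the review above.
RENAMED_KEYS = {
    "SENZING_MEMBERS": "MEMBERS",
    "SENZING_GITHUB_PROJECT_RW_TOKEN": "PROJECT_RW_TOKEN",
    "SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN": "CODEOWNER_PR_RW_TOKEN",
}
KEY_RE = re.compile(r"^\s*(%s)\s*:" % "|".join(map(re.escape, RENAMED_KEYS)))
STATUS_RE = re.compile(r"needs\.([\w-]+)\.outputs\.job-status")
USES_RE = re.compile(r"^\s*uses:\s*\S*build-resources\S*@(\S+)")

# Constructed sample caller workflow (placeholder owner and file names).
SAMPLE = """\
jobs:
  add-to-project:
    uses: OWNER/build-resources/.github/workflows/EXAMPLE.yaml@v3
    secrets:
      SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }}
      PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
  slack-notification:
    needs: [add-to-project]
    if: ${{ always() && needs.add-to-project.outputs.job-status == 'failure' }}
    uses: OWNER/build-resources/.github/workflows/EXAMPLE-SLACK.yaml@v4
    secrets:
      SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
"""


def find_stale(workflow_text):
    """Return (line_number, message) for each pre-v4 pattern found."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # ignore YAML comment lines
        key = KEY_RE.match(line)
        if key:
            old = key.group(1)
            findings.append((no, f"secret key {old} -> {RENAMED_KEYS[old]}"))
        for job in STATUS_RE.findall(line):
            findings.append(
                (no, f"needs.{job}.outputs.job-status -> needs.{job}.result"))
        uses = USES_RE.match(line)
        if uses and uses.group(1) != "v4":
            findings.append((no, f"build-resources ref @{uses.group(1)} -> @v4"))
    return findings


if __name__ == "__main__":
    for line_no, message in find_stale(SAMPLE):
        print(f"line {line_no}: {message}")
```
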

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Fail ❌
YAML_PRETTIER Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

YAML
/github/workspace/.github/dependabot.yml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/dependabot.yml:17:1: [error] too many blank lines (1 > 0) (empty-lines)
/github/workspace/.github/workflows/add-labels-standardized.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-labels-standardized.yaml:22:81: [warning] line too long (104 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage-dependabot.yaml:21:81: [warning] line too long (113 > 80 characters) (line-length)
/github/workspace/.github/workflows/add-to-project-garage.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/add-to-project-garage.yaml:24:81: [warning] line too long (102 > 80 characters) (line-length)
/github/workspace/.github/workflows/dependabot-approve-and-merge.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/lint-workflows.yaml:1:1: [warning] missing document start "---" (document-start)
/github/workspace/.github/workflows/move-pr-to-done-dependabot.yaml:1:1: [warning] missing document start "---" (document-start)
YAML_PRETTIER
Checking formatting...
[warn] .github/dependabot.yml
[warn] Code style issues found in the above file. Run Prettier with --write to fix.

@github-actions

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit 9fc2039 into main Feb 17, 2026
24 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 01:11