standardize workflows for build-resources v4 #213

Merged
docktermj merged 1 commit into main from skern-workflow-standardize
Feb 17, 2026

@kernelsam
Contributor

Summary

  • Rename reusable workflow secret keys for build-resources v4
  • Replace .outputs.job-status with .result
  • Add SLACK_CHANNEL secret to slack notification callers
  • Bump all build-resources workflow refs to @v4
  • Standardize dependabot config (cooldown, groups, assignees)
  • Add kernelsam and cooldown to cspell dictionary

@kernelsam kernelsam requested review from a team as code owners February 16, 2026 22:10
@kernelsam kernelsam self-assigned this Feb 16, 2026
@github-actions

🤖 Claude Code Review

PR Code Review Results

Summary

This PR standardizes GitHub Actions workflows to use build-resources@v4 templates. The changes are primarily configuration updates to align with the new workflow standards. Overall quality is good with minor issues.


Code Quality

✅ Code follows our style guide

All YAML files follow proper formatting conventions with consistent quoting and indentation.

✅ No commented-out code

The diff shows commented code was removed (lines 1-2 in .github/dependabot.yml:1-2), which is an improvement.

✅ Meaningful variable names

Variable names remain clear and consistent (e.g., job-status, PROJECT_RW_TOKEN, MEMBERS).

✅ DRY principle followed

The changes standardize repeated patterns across multiple workflow files, improving maintainability.

⚠️ Identify Defects

Potential issue in .github/dependabot.yml:8-9:

cooldown:
  default-days: 21
  exclude:
    - "senzing-factory/*"

The exclude field appears to be incorrectly nested under cooldown. According to Dependabot v2 schema, cooldown only accepts default-days and for, not exclude. This may cause schema validation errors or be silently ignored.

Reference: The cooldown configuration should be:

cooldown:
  default-days: 21

And if exclusions are needed, they would typically be part of groups or a separate configuration.

✅ Project memory consideration

The changes align with the project's build standardization approach mentioned in CLAUDE.md. No local-specific configurations are introduced.


Testing

✅ Unit tests for new functions

N/A - No new functions added (configuration changes only).

✅ Integration tests for new endpoints

N/A - No new endpoints.

✅ Edge cases covered

N/A - Configuration changes.

✅ Test coverage > 80%

No impact on test coverage (configuration changes only).


Documentation

⚠️ Readme updated if needed

No README updates were made. While these are internal workflow changes, consider documenting:

  • The migration to build-resources@v4
  • The new Dependabot grouping strategy
  • The new assignee configuration

Location: Consider adding a note to a workflows/CI documentation section if one exists.

✅ API docs updated

N/A - No API changes.

✅ Inline comments for complex logic

YAML configuration is self-explanatory; no complex logic requiring comments.

❌ CHANGELOG.md updated

Missing: No CHANGELOG.md entry for this significant infrastructure change. Users/maintainers should be aware of:

  • Upgrade to build-resources v4
  • New Dependabot configuration with grouping
  • New secret requirements (SLACK_CHANNEL)

Recommendation: Add a CHANGELOG entry under [Unreleased] section similar to:

### Changed
- Upgraded GitHub Actions workflows to use senzing-factory/build-resources@v4
- Enhanced Dependabot configuration with dependency grouping and assignees
- Standardized workflow secret naming conventions

⚠️ Markdown files should follow CommonMark

No markdown files were modified in this PR. However, several workflow files now reference new secrets that should be documented.


Security

✅ No hardcoded credentials

All sensitive values use ${{ secrets.* }} appropriately.

✅ Input validation implemented

N/A - Configuration changes only.

✅ Proper error handling

Workflow error handling through if: ${{ always() && contains(...) }} is properly implemented.

✅ No sensitive data in logs

No sensitive data exposure risk introduced.

✅ Flag any checked in license files

No .lic files or AQAAAD strings present in the diff.


Specific File Issues

.github/dependabot.yml

  • Line 8-9: Schema validation issue with cooldown.exclude field (see defects section above)
  • Line 4-5: New assignee kernelsam added (reasonable for dependency management)

.github/workflows/*.yaml (all files)

  • Secret naming: Consistent migration from prefixed names (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN)
  • New secret required: SLACK_CHANNEL added to multiple workflows (lines vary: add-labels-standardized.yaml:25, add-to-project-garage-dependabot.yaml:24, etc.)
  • API change: Changed from needs.*.outputs.job-status to needs.*.result (correct for GitHub Actions)

.vscode/cspell.json

  • Line 45: Added "kernelsam" to dictionary (matches new assignee in dependabot.yml)

Required Actions Before Merge

  1. CRITICAL: Fix the cooldown.exclude configuration in .github/dependabot.yml:8-9
  2. REQUIRED: Add CHANGELOG.md entry documenting the v4 migration
  3. RECOMMENDED: Document new SLACK_CHANNEL secret requirement
  4. RECOMMENDED: Verify all referenced secrets exist in the repository settings

Optional Improvements

  • Consider adding a comment in .github/dependabot.yml explaining the grouping strategy
  • Document the assignee policy for Dependabot PRs

Automated code review analyzing defects and coding standards

@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from c5a1c89 to 208e145 February 16, 2026 22:32
@kernelsam kernelsam force-pushed the skern-workflow-standardize branch from 208e145 to f20b31d February 16, 2026 22:44
@github-actions

🤖 Claude Code Review

I'll conduct a thorough code review of this pull request against the provided checklist.

Code Review for PR: Workflow Updates to v4

Code Quality

✅ Code follows style guide

The changes follow YAML best practices and maintain consistent formatting throughout. All workflow files use proper indentation and structure.

✅ No commented-out code

All commented code has been removed. For example, in .github/dependabot.yml:1-2, the commented documentation link was removed in favor of cleaner YAML.

✅ Meaningful variable names

All variable and parameter names remain clear and descriptive (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL).

✅ DRY principle followed

The changes consolidate workflows by upgrading to v4 of shared workflow templates, reducing duplication across the repository.

✅ No defects identified

The changes are primarily configuration updates:

  • Workflow version bumps from v3 to v4
  • Secret name standardization (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
  • Consistent addition of SLACK_CHANNEL secret across notification workflows
  • Proper use of needs.<job>.result instead of needs.<job>.outputs.job-status

One observation: .github/dependabot.yml:9 adds an exclude pattern, but it excludes senzing-factory/* from the cooldown, then groups those same packages together. This appears intentional for treating senzing-factory updates differently.

✅ Project memory compliance

The changes align with the project structure. No environment-specific configurations were added to .claude/CLAUDE.md.

Testing

⚠️ Unit tests for new functions

N/A - This PR contains only workflow/configuration changes, no functional code changes requiring unit tests.

⚠️ Integration tests for new endpoints

N/A - No new endpoints or functional changes.

⚠️ Edge cases covered

N/A - No functional code changes.

⚠️ Test coverage > 80%

N/A - Configuration-only changes do not affect test coverage.

Documentation

✅ Readme updated if needed

No README updates needed - these are internal CI/CD configuration changes.

✅ API docs updated

N/A - No API changes.

✅ Inline comments for complex logic

The YAML files are self-documenting. The dependabot.yml changes are clear in intent.

❌ CHANGELOG.md updated

Missing: .github/dependabot.yml, multiple workflow files, and .vscode/cspell.json were modified, but there's no CHANGELOG.md update documenting these changes. This should be added to track the workflow version upgrade and secret name standardization.

Recommendation: Add an entry like:

### Changed
- Updated workflow templates from v3 to v4
- Standardized secret names across workflows
- Enhanced dependabot configuration with assignees and grouping

✅ Markdown formatting

All markdown follows CommonMark specification. No markdown files were modified in this PR except for checking the diff format.

Security

✅ No hardcoded credentials

All secrets properly referenced via GitHub secrets mechanism (e.g., ${{ secrets.SLACK_BOT_TOKEN }}).

✅ Input validation implemented

N/A - Configuration changes only.

✅ Proper error handling

The workflows maintain proper failure handling with slack notifications on job failures.

✅ No sensitive data in logs

No logging changes that could expose sensitive data.

✅ No license files flagged

No .lic files or AQAAAD strings detected in the diff.

Summary

Overall Assessment: This is a clean infrastructure update with good consistency improvements.

Required Changes:

  • 📝 Add CHANGELOG.md entry documenting the workflow version upgrade and secret name standardization

Observations:

  • ✅ Consistent upgrade pattern across all workflow files
  • ✅ Secret name standardization improves clarity (shorter, more generic names)
  • ✅ Addition of SLACK_CHANNEL secret ensures proper notification routing
  • ✅ Dependabot assignee addition (.github/dependabot.yml:6) ensures proper ownership
  • ✅ Permission change in .github/workflows/lint-workflows.yaml:18 from read to write for pull-requests is appropriate for the v4 workflow

Files requiring attention:

  • CHANGELOG.md - needs update (not present in diff)

Automated code review analyzing defects and coding standards
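
Added example (not code from this pull request or from build-resources): a small Python audit that checks a caller workflow against the four migration points listed in the PR summary and reviews above (the `@v4` ref, renamed secret keys, `.result` instead of `.outputs.job-status`, and `SLACK_CHANNEL` on slack callers). The sample workflow and its reusable-workflow file names are constructed, and treating any reusable-workflow path containing "slack" as a notification caller is an assumption.

```python
import re

RENAMED = {  # old -> new secret keys, as quoted in the reviews on this page
    "SENZING_MEMBERS": "MEMBERS",
    "SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN": "CODEOWNER_PR_RW_TOKEN",
    "SENZING_GITHUB_PROJECT_RW_TOKEN": "PROJECT_RW_TOKEN",
}
USES = re.compile(r"^\s*uses:\s*(senzing-factory/build-resources/\S+)@(\S+)")
KEY = re.compile(r"^\s+([A-Z][A-Z0-9_]*):\s")  # upper-case mapping keys
JOB = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")  # two-space-indented job id
OLD_STATUS = re.compile(r"needs\.[\w-]+\.outputs\.job-status")
# Constructed caller workflow; the reusable workflow file names are assumptions.
SAMPLE = """\
jobs:
  add-to-project:
    secrets:
      SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
    uses: senzing-factory/build-resources/.github/workflows/add-to-project.yaml@v3
  slack-notification:
    needs: [add-to-project]
    if: ${{ always() && contains(fromJSON('["failure"]'), needs.add-to-project.outputs.job-status) }}
    secrets:
      SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
    uses: senzing-factory/build-resources/.github/workflows/slack-notify.yaml@v4
"""

def audit(text):
    """Return sorted (job, finding) pairs for one caller workflow's YAML text."""
    jobs, current = {}, None
    for line in text.splitlines():
        if m := JOB.match(line):
            current = jobs.setdefault(m.group(1), [])  # start a new job block
        elif current is not None:
            current.append(line)
    findings = []
    for job, lines in jobs.items():
        keys = {m.group(1) for l in lines if (m := KEY.match(l))}
        uses = next((m for l in lines if (m := USES.match(l))), None)
        if uses is None:
            continue  # not a call to a build-resources reusable workflow
        if uses.group(2) != "v4":
            findings.append((job, f"ref @{uses.group(2)} should be @v4"))
        for old in sorted(keys & set(RENAMED)):
            findings.append((job, f"secret key {old} is now {RENAMED[old]}"))
        if any(OLD_STATUS.search(l) for l in lines):
            findings.append((job, "use needs.<job>.result, not .outputs.job-status"))
        if "slack" in uses.group(1) and "SLACK_CHANNEL" not in keys:
            findings.append((job, "slack caller is missing SLACK_CHANNEL"))
    return sorted(findings)
```

Only the key passed to the reusable workflow is checked; the repository secret named on the right-hand side of each mapping is left alone.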

@github-actions

Super-linter summary

| Language | Validation result |
| --- | --- |
| CHECKOV | Pass ✅ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Pass ✅ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Pass ✅ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Pass ✅ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

@docktermj docktermj merged commit 3590c9f into main Feb 17, 2026
30 checks passed
@docktermj docktermj deleted the skern-workflow-standardize branch February 17, 2026 13:15