standardize workflows for build-resources v4

[kernelsam]

Summary

• Rename reusable workflow secret keys for build-resources v4
• Replace .outputs.job-status with .result
• Add SLACK_CHANNEL secret to slack notification callers
• Bump all build-resources workflow refs to @v4
• Standardize dependabot config (cooldown, groups, assignees)
• Add kernelsam and cooldown to cspell dictionary

[github-actions]

🤖 Claude Code Review

PR Code Review Results

Summary

This PR standardizes GitHub Actions workflows to use build-resources@v4 templates. The changes are primarily configuration updates to align with the new workflow standards. Overall quality is good with minor issues.

---

Code Quality

✅ Code follows our style guide

All YAML files follow proper formatting conventions with consistent quoting and indentation.

✅ No commented-out code

The diff shows commented code was removed (lines 1-2 in .github/dependabot.yml:1-2), which is an improvement.

✅ Meaningful variable names

Variable names remain clear and consistent (e.g., job-status, PROJECT_RW_TOKEN, MEMBERS).

✅ DRY principle followed

The changes standardize repeated patterns across multiple workflow files, improving maintainability.

⚠️ Identify Defects

Potential issue in .github/dependabot.yml:8-9:

cooldown:
  default-days: 21
  exclude:
    - "senzing-factory/*"

The exclude field appears to be incorrectly nested under cooldown. According to Dependabot v2 schema, cooldown only accepts default-days and for, not exclude. This may cause schema validation errors or be silently ignored.

Reference: The cooldown configuration should be:

cooldown:
  default-days: 21

And if exclusions are needed, they would typically be part of groups or a separate configuration.

✅ Project memory consideration

The changes align with the project's build standardization approach mentioned in CLAUDE.md. No local-specific configurations are introduced.

---

Testing

✅ Unit tests for new functions

N/A - No new functions added (configuration changes only).

✅ Integration tests for new endpoints

N/A - No new endpoints.

✅ Edge cases covered

N/A - Configuration changes.

✅ Test coverage > 80%

No impact on test coverage (configuration changes only).

---

Documentation

⚠️ Readme updated if needed

No README updates were made. While these are internal workflow changes, consider documenting:

• The migration to build-resources@v4
• The new Dependabot grouping strategy
• The new assignee configuration

Location: Consider adding a note to a workflows/CI documentation section if one exists.

✅ API docs updated

N/A - No API changes.

✅ Inline comments for complex logic

YAML configuration is self-explanatory; no complex logic requiring comments.

❌ CHANGELOG.md updated

Missing: No CHANGELOG.md entry for this significant infrastructure change. Users/maintainers should be aware of:

• Upgrade to build-resources v4
• New Dependabot configuration with grouping
• New secret requirements (SLACK_CHANNEL)

Recommendation: Add a CHANGELOG entry under [Unreleased] section similar to:

### Changed
- Upgraded GitHub Actions workflows to use senzing-factory/build-resources@v4
- Enhanced Dependabot configuration with dependency grouping and assignees
- Standardized workflow secret naming conventions

⚠️ Markdown files should follow CommonMark

No markdown files were modified in this PR. However, several workflow files now reference new secrets that should be documented.

---

Security

✅ No hardcoded credentials

All sensitive values use ${{ secrets.* }} appropriately.

✅ Input validation implemented

N/A - Configuration changes only.

✅ Proper error handling

Workflow error handling through if: ${{ always() && contains(...) }} is properly implemented.

✅ No sensitive data in logs

No sensitive data exposure risk introduced.

✅ Flag any checked in license files

No .lic files or AQAAAD strings present in the diff.

---

Specific File Issues

.github/dependabot.yml

• Line 8-9: Schema validation issue with cooldown.exclude field (see defects section above)
• Line 4-5: New assignee kernelsam added (reasonable for dependency management)

.github/workflows/*.yaml (all files)

• Secret naming: Consistent migration from prefixed names (e.g., SENZING_MEMBERS → MEMBERS, SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN → CODEOWNER_PR_RW_TOKEN)
• New secret required: SLACK_CHANNEL added to multiple workflows (lines vary: add-labels-standardized.yaml:25, add-to-project-garage-dependabot.yaml:24, etc.)
• API change: Changed from needs.*.outputs.job-status to needs.*.result (correct for GitHub Actions)

.vscode/cspell.json

• Line 45: Added "kernelsam" to dictionary (matches new assignee in dependabot.yml)

---

Required Actions Before Merge

1. CRITICAL: Fix the cooldown.exclude configuration in .github/dependabot.yml:8-9
2. REQUIRED: Add CHANGELOG.md entry documenting the v4 migration
3. RECOMMENDED: Document new SLACK_CHANNEL secret requirement
4. RECOMMENDED: Verify all referenced secrets exist in the repository settings

---

Optional Improvements

• Consider adding a comment in .github/dependabot.yml explaining the grouping strategy
• Document the assignee policy for Dependabot PRs

---

Automated code review analyzing defects and coding standards

[github-actions]

🤖 Claude Code Review

I'll conduct a thorough code review of this pull request against the provided checklist.

Code Review for PR: Workflow Updates to v4

Code Quality

✅ Code follows style guide

The changes follow YAML best practices and maintain consistent formatting throughout. All workflow files use proper indentation and structure.

✅ No commented-out code

All commented code has been removed. For example, in .github/dependabot.yml:1-2, the commented documentation link was removed in favor of cleaner YAML.

✅ Meaningful variable names

All variable and parameter names remain clear and descriptive (e.g., PROJECT_RW_TOKEN, CODEOWNER_PR_RW_TOKEN, SLACK_CHANNEL).

✅ DRY principle followed

The changes consolidate workflows by upgrading to v4 of shared workflow templates, reducing duplication across the repository.

✅ No defects identified

The changes are primarily configuration updates:

• Workflow version bumps from v3 to v4
• Secret name standardization (e.g., SENZING_GITHUB_PROJECT_RW_TOKEN → PROJECT_RW_TOKEN)
• Consistent addition of SLACK_CHANNEL secret across notification workflows
• Proper use of needs.<job>.result instead of needs.<job>.outputs.job-status

One observation: .github/dependabot.yml:9 adds an exclude pattern, but it excludes senzing-factory/* from the cooldown, then groups those same packages together. This appears intentional for treating senzing-factory updates differently.

✅ Project memory compliance

The changes align with the project structure. No environment-specific configurations were added to .claude/CLAUDE.md.

Testing

⚠️ Unit tests for new functions

N/A - This PR contains only workflow/configuration changes, no functional code changes requiring unit tests.

⚠️ Integration tests for new endpoints

N/A - No new endpoints or functional changes.

⚠️ Edge cases covered

N/A - No functional code changes.

⚠️ Test coverage > 80%

N/A - Configuration-only changes do not affect test coverage.

Documentation

✅ Readme updated if needed

No README updates needed - these are internal CI/CD configuration changes.

✅ API docs updated

N/A - No API changes.

✅ Inline comments for complex logic

The YAML files are self-documenting. The dependabot.yml changes are clear in intent.

❌ CHANGELOG.md updated

Missing: .github/dependabot.yml, multiple workflow files, and .vscode/cspell.json were modified, but there's no CHANGELOG.md update documenting these changes. This should be added to track the workflow version upgrade and secret name standardization.

Recommendation: Add an entry like:

### Changed
- Updated workflow templates from v3 to v4
- Standardized secret names across workflows
- Enhanced dependabot configuration with assignees and grouping

✅ Markdown formatting

All markdown follows CommonMark specification. No markdown files were modified in this PR except for checking the diff format.

Security

✅ No hardcoded credentials

All secrets properly referenced via GitHub secrets mechanism (e.g., ${{ secrets.SLACK_BOT_TOKEN }}).

✅ Input validation implemented

N/A - Configuration changes only.

✅ Proper error handling

The workflows maintain proper failure handling with slack notifications on job failures.

✅ No sensitive data in logs

No logging changes that could expose sensitive data.

✅ No license files flagged

No .lic files or AQAAAD strings detected in the diff.

Summary

Overall Assessment: This is a clean infrastructure update with good consistency improvements.

Required Changes:

• 📝 Add CHANGELOG.md entry documenting the workflow version upgrade and secret name standardization

Observations:

• ✅ Consistent upgrade pattern across all workflow files
• ✅ Secret name standardization improves clarity (shorter, more generic names)
• ✅ Addition of SLACK_CHANNEL secret ensures proper notification routing
• ✅ Dependabot assignee addition (.github/dependabot.yml:6) ensures proper ownership
• ✅ Permission change in .github/workflows/lint-workflows.yaml:18 from read to write for pull-requests is appropriate for the v4 workflow

Files requiring attention:

• CHANGELOG.md - needs update (not present in diff)

---

Automated code review analyzing defects and coding standards

[github-actions]

Super-linter summary

Language	Validation result
CHECKOV	Pass ✅
GITHUB_ACTIONS	Pass ✅
GITHUB_ACTIONS_ZIZMOR	Pass ✅
GITLEAKS	Pass ✅
GIT_MERGE_CONFLICT_MARKERS	Pass ✅
JSCPD	Pass ✅
PRE_COMMIT	Pass ✅
SPELL_CODESPELL	Pass ✅
TRIVY	Pass ✅
YAML	Pass ✅
YAML_PRETTIER	Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter